SpamHaus Behind .mail Top-Level Domain

securitas writes "The SpamHaus Project is the group pushing ICANN to create a new trusted-sender system and the .mail top-level domain. SpamHaus proposes that registrants under the .mail TLD would pay at least $2000 per year to and 'agree to abide by certain anti-spam mailing practices.' The interesting twist is that companies that comply with the US CAN-SPAM act - which SpamHaus opposed due to the legalization of bulk unsolicited commercial e-mail - would not be eligibile to register a .mail address. The .mail TLD proposal was recently discussed on Slashdot."

Goodby home mail server

[HaeMaker]

This is bad, as I host my own domain and send mail from it. I don't want to have to pay someone to host my mail server, and you know that plenty of ISPs will block mail that doesn't come from a .mail domain.

I certainly can't pay $2000 a year.

Re:Goodby home mail server

I certainly can't pay $2000 a year.While spammers certainly can afford the fee.

Disclamer : I didn't read the article, so take this (as usual) with a grain of salt (at least as most as you do with the slashdot news reports - you know how much it can be misleading sometimes).

I suppose the system would be efficient enough to suppress abuse quickly enough. Yet, I wonder how big players like yahoo or hotmail could become members of this, without resetting their whole user bases and restricting their membership policies. So I guess this is not aimed at free mail account providers, nor small enterprises like yours.
OTOH, Perhaps there's a business opportunity for new mail account providers targeting small and medium societies.

Re:Goodby home mail server

[mdfst13]

I used to administer a mail server that had 40,000 users give or take (IMAP only, not web). The hardware cost about $200,000. I wouldn't be surprised to find out that the support contract was $2000 a year.

Yahoo/Hotmail both have far more users than that. $2000 is not going to be a big deal for them (for example, with 2 million users, it would be a tenth of a penny per person). I'm sure that they are already spending far more than that on hardware, software, and administration.

Re:Goodby home mail server

[tverbeek]

Heh one domain? You're lucky. I host 5 and handle email for all of them.

I'll see your 5 and raise you another 7. A few of those are actual paying customers; the rest are a personal domain, domains I and some friends use to do business with, and a few domains I host as freebies for organisations I like. This scheme would make the cut of my gross income that I give to Uncle Sam (and his state and local nephews) seem rather small in comparison... and at least for that I get free police service, road construction, and tobacco subsidies. For this I'd get nothing I don't currently have.

Re:Goodby home mail server

[XorNand]

I've used InstantSSL. It works, no question about that. However, I was able to get it without really doing anything more than providing a credit card number. I hate Verisign with a passion, but I have to admit that their SSL certs mean a hell of a lot more to the end-user. An applicant has to jump through a lot of hoops to get a cert with them. I've had to fax them business verification paperwork and other ID. They then take the time to verify that this paperwork is kosher by cross-referencing it with state records. (At least this is how it was a few years ago--maybe things have changed). Verisign should market this aspect of their certs to the general internet-using public more. Or better yet, a less evil CA should enforce a strict verification process and then market it like crazy.

Re:Goodby home mail server

[jnicholson]

Spammers can't afford to pay that every time they have to register a new domain because the old one got taken down due to violation of the spam rules of the hoster. And you can bet they would be taken down, if SpamHaus has anything to do with writing the rules.

So basically, this is a $2000 whitelist.

[Bombcar]

Because the cost of entry is high, and perhaps policed, it basically becomes a way of saying, "It's from a .mail domain, so it must NOT be spam."

Whatever. Just like many whitelist methods, it has the standard flaws.

But I guess it couldn't hurt! Companies with the big bucks or with donors (I'm thinking Samba mailing lists, etc), could afford it.

The rest of us slobs would continue to crawl around in the .com, .net, .org, and .dust domains.

As an aside, could you have the same problem with this domain as with AOL's spam filtering, i.e., false reports? What are the punishments for violating the rules of the .mail domain? Death?

$2000 - one time, or per year?

[That's+Unpossible!]

The register article says $2000+ per year, the spamhaus faq just says they will cost $2000+. So is it a one-time fee (sounds good), or an annual fee?

I am guessing it is a one-time fee, and the renewal will be less. Spamhaus states the up front cost is high as the first roadblock for spammers -- why pay $2000 for the domain when you are going to get shutdown almost immediately after using it to send spam? It also is going to cost them more than normal to run this sTLD. So a large one-time fee makes sense.

Re:US $2000 for .mail domain!

[athakur999]

And who exactly gets this $2000? And why do they deserve the $2000? I'm not paying a $2000 registration fee just to have a domain name, there had better be more to the deal.

Why a TLD?

[The+Famous+Brett+Wat]

Why do they need the .mail TLD to pull this off? Why not just go right ahead and do it under mail.spamhaus.org? Is it the air of official legitimacy associated with a TLD that they're after?

Need to get stories strait

[madweb]

Ok, then they need to update their FAQ, question 9 "What does a domain cost and why?":

The use of each domain will cost over US$2000. The price may vary depending on the registrar one uses.

This high cost will insure that most spammers will not bother and attempt to sign up for one, and if they do, it will be a high cost for what will be a very short time period of spamming.

The cost also pays for the much greater than normal vetting procedures places requesting this domain will go though before one is granted to them.

Emphasis mine. Sounds to me like $2000 is the lower limit.

2000 per year?

[fdawg]

Wouldnt that cost be pushed to the end user? Doesnt that mean we're going to have to pay for email?

Sounds like a recipe for email tax. I think the only way to really stop this is to stop the 200 or so people per spam message that actually respond to spam and make it a profitable business.

Re:Maybe a Good Thing?

[slither_1]

Why don't ISPs force authentication on their SMTP servers to cut down on spam? wouldn't this make sense? I mean, I work for an ISP, and they have a banned IP list from within their domains. When they get a complaint, these userser a put on the list and can't send mail anymore using our servers (or any other SMTP servers on port 25)... the problem with that practice, is that they can only ban people on static IPs, and most of their customers are on DHCP and dynamic IPs. Seems to me, if they force authentication on their SMTP servers, ISPs would have more control when it comes to blocking spammers from withing their network... oh well, just my 2 cents!

Worthless

[macdaddy]

I can't for the life of my figure out what the hell Steve is thinking.

If a company or provider isn't sending or supporting spam then why the hell would give a damn about someone else's spam filters? That is the only reason for this whitelist. I mean if they aren't sending spam then why should they be concerned about loosing mail to someone else's spam filters? Why would they want to drop $2k per domain for another whitelist? If perhaps I was a company that did mass mail customers like Sears, JCPenny's, or Amazon then maybe I would want to get on a popular whitelist. That said, why in the hell would I as an average joe or I as a typical ISP give a hoot about what someone else's spam filters do with my non-spam? If their filters are mistakenly tagging my mail as spam their customers will bitch and the problem will get fixed. It doesn't concern me.

I really don't see the point in a .mail TLD. Steve is a smart guy. Even at that I absolutely can not see his reasoning here. This is really a dumb idea. I make a point to personally blacklist domains that use tools that break email such as TMDA. I guess I'll just have to add another check to my rules.

Re:Worthless

[macdaddy]

Yes, I'm replying to my own post now.

I was just reading the .mail STLD RFP application and am finding myself suprised by the people associated with the hair-brained idea.

Initial Board of Directors

Steve Linford, founder of Spamhaus.org

Joseph E. St. Sauver, Ph. D, Director, User Services and Network Applications Unv of Oregon

Already consented to be special advisors to the SO

John Levine, Chairman of the Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF)

Wietse Zweitze Venema, Ph.D, Postfix author among other things

Other

Justin Mason or Daniel Quinlan of SpamAssassin.org

Eric Allman of Sendmail.org

Ted Galvin of SpamCon.org

Suresh Ramasubramanian of OutBlaze.com

That list amazes me. I can't believe those people would have anything to do with this project. I also can't believe they are intentionally involving Verislime. I wonder if this is an attempt to counter Microsoft's e-stamp proposal...

Re:This is dumb

[rgmoore]

But this proposal is quite different from SPF. Under SPF, anyone with a domain is allowed to define which computers are valid mail senders for that domain, but there's no further restriction. That would prevent spammers (and email worms) from falsifying their sender address, but it doesn't directly confront the issue of spam. A spammer with his own domain, presumably hosted by a spam-friendly service provider, can still define his own computers as being permitted senders for that domain and send out spam. He'll presumably be stopped once people recognize the domain and start blocking mail from it, but that just makes it a matter of playing whack-a-mole; the spammer just buys new domains in bulk from a cheap registrar and switches every time people start blocking the old one.

What .mail does is different. It defines a known, and defended, whitelist domain. Mail from a .mail address should be safe, because the registrar actually takes steps to make sure that spammers aren't allowed to register there. One part of the proposal that I haven't seen mentioned here is that all mail sent to abuse@somedomain.mail is directed to the .mail registrar, rather than the domain owner. That means that spam complaints will be sent to a third party with the power to revoke the domain if the complaint is valid. Obviously what would be really good would be to combine the two proposals, so that somebody couldn't forge mail from a .mail server, but they do address different points.

When will everybody just implement SPF

[jonwil]

SPF is close to the best anti-spam idea out there.

Does a different job than SPF

[billstewart]

SPF doesn't say you're not a spammer - it just prevents spammers from pretending to be you, at least without doing extra work. That makes it harder for them to impersonate you if you're widely whitelisted (like Dave Farber or Declan) or joe-job you if they're mad at you. Dot-Mail will need to use something like SPF or Reverse-DNS lookups to discourage impersonation, but Spam-R-Us.com can use SPF to tell you that a message really came from Spam-R-Us.com, while they can't be Spam-R-Us.com.mail for very long without losing their $2000 investment. (Neither of these methods will work well without DNSSEC, because spammers who are willing to forge lots of other things will forge DNS records to hide behind other people's SPF or .mail records.)

Yes, it does sound a lot like profiteering, and like Ironport's Bonded Sender or Habeas's Not-A-Spammer Haiku headers. It's a bit easier to check at SMTP Envelope Time instead of parsing headers after receiving an email message (though BondedSender.org has a DNSWL server you could use.) But the big difference between one .MAIL for the entire world vs. many .My-Whitelist.com businesses is that Linford thinks they can talk more receivers into accepting the One Centralized ICANN-Blessed Solution than the crowd of decentralized competitors can, and therefore they can talk more people into paying them to get bonded.

I much prefer decentralized competitive approaches, but if I were running a mail server, I'd rather only put in a couple of whitelist or blacklist checks, rather than needing to keep track of which 50 whitelist services were real, which were out of business, which were bogus fronts for spammers, which were free to mail receivers, which charged money to receivers, which were aggregators of other services' information, etc. It's probably harder to get most mail systems to check N whitelists and accept the message if at least one of them hits than it is to get them to check N blacklists and reject if at least one of them hits, but it's also a lot safer to trust a random whitelist than a random blacklist, because if it goes flaky and over-aggressive like some of the DNSBLs, you're not throwing away real messages - you're accepting messages from people you might not want, and giving them a lower level of spam filtering, but a moderate level of false negatives, while annoying, is much less of a problem than false positives, and it warns you that there's a problem you need to fix.

Re:Maybe a Good Thing?

[Zak3056]

work for an ISP, and they have a banned IP list from within their domains. When they get a complaint, these userser a put on the list and can't send mail anymore using our servers (or any other SMTP servers on port 25)... the problem with that practice, is that they can only ban people on static IPs, and most of their customers are on DHCP and dynamic IPs.

I wonder why they don't take this to the next level and use the information in PPP or DHCP logs to blacklist the ones with dynamic addresses?

Re:why new TLD for paid reputation service?

[cipher+chort]

People don't pay several hundred thousand dollars for Qmail. Obviously, it's not "just a tool" but it's a tool with an extremely specific purpose. Have you seen the interface? It allows extremely granular tracking of the success or failure of each "campaign" and what the specific error codes were. You can configure up to 254 IP addresses per box (hmm, why would you want to do that???), etc...

Now most folks don't have to send 500,000 msgs/hr from one box, which is what IronPort claims to do. They also don't need to have specific breakouts and reports of how their messages to each recipient was transmitted and received.

Don't take my word for it. Look at their customer list, Viacom (advertising), click.doubleclick (hello???), etc...

Qmail and Postfix were designed to generically send and receive e-mail, and their only special purpose was to be more secure than Sendmail. IronPort bends over backwards to put in spammer friendly features like the ability to spread a "campaign" over multiple source IP addresses and tracking how successful they were in delivering their spam.

It's "Goodbye"

[nonameisgood]

You are correct.

Spelling notwithstanding, $2000 is irrelevant if it does not work. The only solution is to make it impossible to SMTP mail without some validation of the sender. This must be done with no expense or unusual hoops to jump through, and let's not let the fascists control this one - you know who I mean.

You can't rely on whitelists; automated blacklists don't work since spammers steal our 'net identity to spam us and others, causing innocents to be blacklisted.

As it is, I could spam all day using postfix or sendmail with a random domain name as the sending domain. This is just crazy. It is in a sense criminal, since my bandwidth is being used without my permission by all of the attachments coming every hour. LIKE I GIVE A RAT'S ASS ABOUT PHARMACEUTICALS, NIGERIA, OR HOT STOCK TIPS!

CAUTION! rant follows:
God Damn It! Get the fuck off the net you cheap-ass cowards. It's like my dog barking at the other dogs until I open the gate - if we can find a way to unmask these spamming motherfuckers, it will stop. (Viral mailings notwithstanding.)

OK, I'm better now.

This will not work.

[rice_burners_suck]

The "agree to abide" thing is probably good. Perhaps there should be some law (or something similar) that those .mail domain name holders who do not abide by the rules are fined, and after so many fines, they are blocked from using a .mail TLD for a period of 100 years or something.

On the other hand, the $2000 a year fee isn't going to do jack. Those who send spam do so because it's really darn profitable. To them, the $2000 a year is peanuts. To a service provider who can barely make ends meet and wants to expand its quality of service and options for customers, $2000 may be the difference between breaking even and going bankrupt. That's kind of like trying to protect individual inventors working in their basement by making the patent fees $200,000 or something. That'll only serve to accomplish the opposite of the intended result.

The bottom line is this: Make it difficult for spammers, not for legitimate users. A certain standard should be devised that includes technical as well as contractual devices to make it extremely difficult for any spammer to last any time at all on the .mail TLD. And mail received from non-.mail TLDs could automatically go into a "bulk mail" folder, or would not be downloaded from the server at all, except for the "From:" address and perhaps a digital signature, so the user (or his filters) can decide what to do with that information. And maybe that needs to happen with ALL mail, not just non-.mail TLD mail.

That just confirms...

[warrax_666]

... to me that the people behind the proposal are complete morons.

As someone pointed out in a thread above there is no good reason to just use a reverse blacklist (like DNSRBL et al.) which identifies certain senders as non-spammers instead of identifying them as spammers.

"[...] set up to be more robust and attack resistant [...]". Oh please. If you get $2k from each and every person/corp. in your whitelist you sure as hell can afford some professional DNS hosting for your whitelist.

Re:SMTP + SPF = DIFFERENT solution

SMTP + SPF identify the sender as being who he says he is.

If the sender happens to be a spammer with an SPF record, it'll pass all the tests.

This proposal adds to an SPF type deal. Now e-mail will not only identify the sender as being who he says he is, but will say "he's not a spammer either".

Now one can let the e-mail pass. I know if all the list-mail sent to our boxes didn't have to churn thought Spam-Assassin and our own Procmail traps, it'd save mucho time.

Re:my idea

[Alioth]

No, I came up with that idea!

In fact, my original MTAs must be licensed was really more of a way to see if I could get a troll modded up to +5 than a serious post. However, over the last year, I've started thinking that it might actually be a good idea. The licensing I had in mind was rather like the way amateur radio operators are licensed, with a fairly heavy technical content (but not aimed at a particular MTA). Email abuse coming from the MTA could result in suspension or revocation of the MTA operator's license. License data (i.e. who's ticket the email went under) would be added to the headers of email in the form of a digital signature, which the receiving MTA would be required to check (under the conditions of its operator license) for validity and against a certificate revocation list.

Re:Maybe a Good Thing?

[TheRaven64]

How about getting a .mail subdomain from an ISP? A few bucks extra and you have yourdomain.yourisp.email ready to go.

The ISP's .mail domain could be revoked if a single one of their subdomain customers broke the conditions of use for the .mail domain. I doubt an ISP would risk this (sell a subdomain to 1000 people, one violates the T&Cs, ISP's domain is revoked, ISP has 999 very irate customers who now can't send mail.)

I doubt AOL, for example, could get a .mail domain, since they would not be able to guarantee that all of their customers would abide by the terms. The same is true of most ISPs. This leaves large corporations as the only ones who could get one, individuals would not, meaning that you would still have to let through other email, completely defeating the point.

Finally what's the response time on closing a .mail domain? A day? Does a spammer make more than $2000 in a day? Probably. So we're left with:

1. Buy .mail domain.
2. Send spam from it solidly for a day, or until it's revoked.
3. Repeat. (Oh and profit. Probably quite a lot)

The people this kind of thing would hurt, are the ones that don't make money from sending email. The people who make the most from sending email are spammers.

This is bad, just like .kids and .xxx

[Fastolfe]

The Internet is not e-mail! It is completely inappropriate to base the DNS name of your organization on what is effectively a content label specific to one particular service. This is the same reason .kids and .xxx are bad.

Heck, let's say I run a porn service, and want to take advantage of this mail feature. I now have to use two different DNS domains? That's stupid.

Just as PICS can give you digitally-signed content ratings for the web, some other service can give you digitally-signed ratings/labels for e-mail. Extend SMTP to, perhaps, operate over TLS or SSL, or at least perform some sort of mutual check that both sides have a SpamHaus certificate that says they're not a spammer, and you can possibly "secure" the connection.

Or just digitally sign your e-mail messages and only accept digitally-signed e-mail. Tweak your trust relationships (for PGP-style signatures) or drop your trust from any roots that are seen to sponsor spammers, and you're all set.