Slashdot Mirror
SpamHaus Behind .mail Top-Level Domain
securitas writes "The SpamHaus Project is the group pushing ICANN to create a new trusted-sender system and the .mail top-level domain. SpamHaus proposes that registrants under the .mail TLD would pay at least $2000 per year to and 'agree to abide by certain anti-spam mailing practices.' The interesting twist is that companies that comply with the US CAN-SPAM act - which SpamHaus opposed due to the legalization of bulk unsolicited commercial e-mail - would not be eligibile to register a .mail address.
The .mail TLD proposal was recently discussed on Slashdot."
This could probably be worded a little more clearly. Complying with the CAN-SPAM act is as easy as not doing anything at all. I think what the submitter means, correct me if I'm wrong, is the "one-shot" bulk mail that a company is allowed to send you under CAN-SPAM. Obviously, SpamHaus considers this spam, still, even though it's technically legal (I would tend to agree).
This new TLD proposal, according to their FAQ, is not aimed at stopping spam, or replacing the email infrastructure from the ground up. It's more towards legitimizing non-spam email. It may not be technically possible (not my area of expertise, I remember some nay-sayers in the last article discussion who at least sounded like they knew what they were talking about), but I still think their hearts are in the right place. Am I wrong?
I'm looking forward to the whitepaper they've promised on it.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
That's not quite correct. The SpamHaus rules wouldn't ban anyone who obeyed the CAN-SPAM act. Presumably most ordinary companies obey CAN-SPAM by refusing to do anything that vaguely resembles spamming, and they'd be just fine under the SpamHaus rules. What SpamHaus wants to do is to use a stricter definition of what constitutes spam, so that some senders who meet the terms of CAN-SPAM still wouldn't qualify.
There's no point in questioning authority if you aren't going to listen to the answers.
This is bad, as I host my own domain and send mail from it. I don't want to have to pay someone to host my mail server, and you know that plenty of ISPs will block mail that doesn't come from a .mail domain.
I certainly can't pay $2000 a year.
Set up a .spam level, and we can block everything from that if we want.
This is a retarded idea from the get-go.
We already have a perfectly good, workable proposal for sender validation. It's called SPF. It's free. It will work, like this proposal, when people adopt it.
Seriously, $2k to prove that you're not a spammer, by one organisation's definition of the phrase? That sounds like profiteering to me, much along the lines of Ironport's dodgy Bonded Sender (tm) program.
No thanks.
You're doing it wrong.
Because the cost of entry is high, and perhaps policed, it basically becomes a way of saying, "It's from a .mail domain, so it must NOT be spam."
.com, .net, .org, and .dust domains.
.mail domain? Death?
Whatever. Just like many whitelist methods, it has the standard flaws.
But I guess it couldn't hurt! Companies with the big bucks or with donors (I'm thinking Samba mailing lists, etc), could afford it.
The rest of us slobs would continue to crawl around in the
As an aside, could you have the same problem with this domain as with AOL's spam filtering, i.e., false reports? What are the punishments for violating the rules of the
Fellowship 9/11
The register article says $2000+ per year, the spamhaus faq just says they will cost $2000+. So is it a one-time fee (sounds good), or an annual fee?
I am guessing it is a one-time fee, and the renewal will be less. Spamhaus states the up front cost is high as the first roadblock for spammers -- why pay $2000 for the domain when you are going to get shutdown almost immediately after using it to send spam? It also is going to cost them more than normal to run this sTLD. So a large one-time fee makes sense.
Ironically, the word ironically is often used incorrectly.
This is just great... create a two-tiered system with "trusted" and "untrusted" e-mail servers. Guess who will own the "trusted" servers... corporations who can afford to pay the fee!
I would like the ability to run my own servers and web sites as an individual, please. We don't need ANY system of top level domains that favor corporations over non-corporations. Find another way around the problem, please.
Why don't you embrace your slashbotness instead of living in a dreamworld?
Registration fees to send mail via .mail?! No way, I know lots of small shots that wouldn't be able to afford that.
Beyond that $2000 is chump change for spammers. It hurts no one but the honest guy, which is what government lately seems to be for, so perhaps it'll get pushed as a law. *sigh*
Oh, wait, that's the divorce tactic.
What the heck, it'd probably work for spammers, too.
A feeling of having made the same mistake before: Deja Foobar
I wouldn't pay it either, but Id be happy to accept all mail from www.*.mail if I could be sure it wasn't spam. It would be good for Yahoo, MSN, and other web mail places to get a .mail domain.
--
Hot deal search engine. Better than google, froogle, pricewatch, pricegrabber, etc!
And who exactly gets this $2000? And why do they deserve the $2000? I'm not paying a $2000 registration fee just to have a domain name, there had better be more to the deal.
"People that quote themselves in their signatures bother me" - athakur999
Why not just create a paid whitelist (or lists) along the same lines as a dnsbl, charge companies to register and require that they abide by certain practices for being listed? What does a new TLD add other than additional ICANN bureaucracy?
I think recent innovations -- SPF being my favorite so far -- offer a lot more promise than a new TLD. But that's just me :-)
If it's not one thing it's your mother.
Why do they need the .mail TLD to pull this off? Why not just go right ahead and do it under mail.spamhaus.org? Is it the air of official legitimacy associated with a TLD that they're after?
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
Yup. And Varisign will LOVE slurping up those .mail fees, too. By the way, Varisign is in the process of trying to destroy ICANN, which by itself would not be a bad thing *IF* ICANN's responsibilities shifted to the UN. But I'm sure that has zero chance of reality.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
I have a server of my own, hosting my personal site, some sites for family and for a few charity organisations. Total income for hosting: $0. If I would need to buy another domain like this, just to be able to send mail, my costs will triple.
.mail is NOT an option if it costs more than $5!!!
I cannot afford this. Meaning I will have to close all sites.
Personally, I think SPF is the best solution so far. It may not stop spam, but at least it stops forging headers, like the headers of 99,9% of spam in my inbox are.
.sig: No such file or directory
for a major schizm of internet mail protocols.
Which will leave "companies able to pay $2k/year" on one side, and "individuals capable of installing their own mail server" on the other.
This will cause a bit of disruption at first, as a few competing standards emerge, but in the long run, it will make blocking corporate traffic far easier (yeah, I get soooo much legit email from non-individuals... I think I can count the past year's on one hand). And with a bit of care, the non-corporate protocol will finally include several of the oft-discussed but as-yet-unimplemented techniques for completely locking out spam (or at least making it trivial to identify the source).
And encryption. Don't forget encryption. The non-corporate protocol should include end-to-end crypto, now that Big Brother can watch us on a whim right from the privacy of our own ISP's back door.
Ok, then they need to update their FAQ, question 9 "What does a domain cost and why?":
The use of each domain will cost over US$2000. The price may vary depending on the registrar one uses.
This high cost will insure that most spammers will not bother and attempt to sign up for one, and if they do, it will be a high cost for what will be a very short time period of spamming.
The cost also pays for the much greater than normal vetting procedures places requesting this domain will go though before one is granted to them.
Emphasis mine. Sounds to me like $2000 is the lower limit.
Wouldnt that cost be pushed to the end user? Doesnt that mean we're going to have to pay for email?
Sounds like a recipe for email tax. I think the only way to really stop this is to stop the 200 or so people per spam message that actually respond to spam and make it a profitable business.
Perhaps not. But at least it get's it out of the grubby hands of VariSign and the corporate dog ICANN.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Do you think that Yahoo! or Microsoft's Hotmail would pay that $2,000 just so people could send email from them. Would smaller free e-mail companies even be able to afford it?
.mail domain, would that stop spam? How much spam do you get already that comes from Yahoo! or Hotmail or some other free email survice.
Even if those free email places did pay for a
This would either get rid of free email or let spam live, both while closing down the small free email services. I don't like either option, we should do something else.
the only email that'll make it past everyone's spamfilters would be that from MXes in the .mail TLD. ...and those of us who can't shell out $2k/year just to have our private domain in .mail are just screwed.
Brilliant idea. While we're at it, why don't we just let ICANN authoritatively say who can and can't send mail, and be done with it? It's not like their board is captured or anything.
.@.
If a company or provider isn't sending or supporting spam then why the hell would give a damn about someone else's spam filters? That is the only reason for this whitelist. I mean if they aren't sending spam then why should they be concerned about loosing mail to someone else's spam filters? Why would they want to drop $2k per domain for another whitelist? If perhaps I was a company that did mass mail customers like Sears, JCPenny's, or Amazon then maybe I would want to get on a popular whitelist. That said, why in the hell would I as an average joe or I as a typical ISP give a hoot about what someone else's spam filters do with my non-spam? If their filters are mistakenly tagging my mail as spam their customers will bitch and the problem will get fixed. It doesn't concern me.
I really don't see the point in a .mail TLD. Steve is a smart guy. Even at that I absolutely can not see his reasoning here. This is really a dumb idea. I make a point to personally blacklist domains that use tools that break email such as TMDA. I guess I'll just have to add another check to my rules.
This is the most asinine thing ever. First of all no one is every going to implement something like this that requires someone not to comply with US law. It just won't happen.
Secondly, wtf. $2000 a year? That's insane. Right now, I can use my own mail server and only pay the $8/year domain registration fee. And that's the way it should be. People with enough tech savvy (and it doesn't take much these days) should be running their own mail servers. Open relays aren't an issue with modern mail servers (you have to work pretty hard to create one these days), and running your own mail server gives you a lot of fine-grained control over how you filter Spam for yourself (for example, using a catch-all email and using a different email for everything, letting you track how your address gets disseminated, and blocking addresses that get 'liberated')
It seems like some of these anti-Spam people hate Spam so much they completely lose track of what Email is for and the people it's supposed to be used by, everyone. Email black holes are one thing, but it's wrong to apply them as filters for people without their knowledge or consent. I read a salon article about a woman who, when roadrunner implemented RTBL she lost out on tons of email, including email from potential employers (she was a freelance author). She still got tons of Spam, of course.
I don't believe that technical solutions alone will stop Spam, but they, with real legal enforcement can probably reduce it a lot.
I'm also tired of these top-down authoritarian systems that put a few people in control of email (like e-stamps, or this insane plan, etc) before we even get good solutions like SPF working. Once people start checking SPF records a lot of this crap will get a lot better.
autopr0n is like, down and stuff.
Check out my sci-fi/humor trilogy at PatriotsBooks.
SPF is close to the best anti-spam idea out there.
Everyone on Slashdot sends one email to spamhaus.org.
So I buy personal.mail and then I sell you
lastname.net.personal.mail for $1. I sell freakiedeakie.org.personal.mail to someone else for $1 and so on and so forth until I get my $2000 back?
I could hack bind so that I can throttle reverse lookups per domain so that I can keep my bandwidth low and target the small market.
Since ANYONE could do this, there is no reason to jack up the price. However, for SLA would be best-effort only (since I am not a real company)
And if I get my 2001st subscriber, I would be in the black (Woo hoo)
That should have been "might not be eligible to register a .mail address.
In all probability, most people would be compliant with both CAN-SPAM and the .mail requirements (modulo being willing to pay $2K/year to send email).
Free Software: Like love, it grows best when given away.
Someone please explain to me exactly how a smal/mid-size locally owned bussines can afford 2k to send mail ? They claim spammers wont pay the 2 grand on their webpage, thats bullshit. Spammers can and will pay this. You will however be excluding small bussiness's and personal domains.
And also exactly WHERE the money is going to ? The last thing we need is one governing body trying to control mail for the "betterment of all, so long as it helps our bottom line". We dont need a spam czar, or a spam conglomerate. We need the existing people to work together to prevent spam. ALL spam.
This is a half assed idea.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
Yes, it does sound a lot like profiteering, and like Ironport's Bonded Sender or Habeas's Not-A-Spammer Haiku headers. It's a bit easier to check at SMTP Envelope Time instead of parsing headers after receiving an email message (though BondedSender.org has a DNSWL server you could use.) But the big difference between one .MAIL for the entire world vs. many .My-Whitelist.com businesses is that Linford thinks they can talk more receivers into accepting the One Centralized ICANN-Blessed Solution than the crowd of decentralized competitors can, and therefore they can talk more people into paying them to get bonded.
I much prefer decentralized competitive approaches, but if I were running a mail server, I'd rather only put in a couple of whitelist or blacklist checks, rather than needing to keep track of which 50 whitelist services were real, which were out of business, which were bogus fronts for spammers, which were free to mail receivers, which charged money to receivers, which were aggregators of other services' information, etc. It's probably harder to get most mail systems to check N whitelists and accept the message if at least one of them hits than it is to get them to check N blacklists and reject if at least one of them hits, but it's also a lot safer to trust a random whitelist than a random blacklist, because if it goes flaky and over-aggressive like some of the DNSBLs, you're not throwing away real messages - you're accepting messages from people you might not want, and giving them a lower level of spam filtering, but a moderate level of false negatives, while annoying, is much less of a problem than false positives, and it warns you that there's a problem you need to fix.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'm just not getting how this proposal would do much. I read through the text of the proposal, which is written in fairly obtuse language I just couldn't quite plod through right now.
Like I mentioned in the prior discussion on this, just because you have a .mail TLD won't stop spammers. TLDs are in DNS, and in the final analysis, it's all arbitrary, as you can use ANY word as a top level domain. That's why you have alternate roots like OpenNIC.
This sig no verb.
What you are referring to is enforceability of those laws. True, the US may not be able to enforce its laws against those resident in other countries who do not have presence or assets in the USA.
But it means anyone connected with such an operation better not have assets in the US. Or even visit the US.
And, depending on how the law is drafted, perhaps no person in the US (or with assets there) better use such an operation to *send* spam, or face being prosecuted, or other consequences. Vide internet gambling.
So that US laws, alone, could stop (a) American spammers; and (b) anyone in or doing business with America or visiting America or with assets there (NYSE shares, anyone?) from *using* overseas spammers who do not comply with US law.
And for those that are left, the US can just lean on other countries to enact similar laws, either as part of international treaties (GATT and TRIPS, anyone?) or bilateral trade treaties, or just by leaning on them.
Methinks that would do a great deal to cut down on spam...
If you doubt this, see how effectively the US is able to export its copyright laws to other countries. Or Sarbanes-Oxley, as applied to foreign lawyers or accountants. And how it is now doing the same thing with bank secrecy laws (with an emphasis on terrorism; it has done the same previously with respect to evasion of US taxes). There are many relevant links.
You are correct.
Spelling notwithstanding, $2000 is irrelevant if it does not work. The only solution is to make it impossible to SMTP mail without some validation of the sender. This must be done with no expense or unusual hoops to jump through, and let's not let the fascists control this one - you know who I mean.
You can't rely on whitelists; automated blacklists don't work since spammers steal our 'net identity to spam us and others, causing innocents to be blacklisted.
As it is, I could spam all day using postfix or sendmail with a random domain name as the sending domain. This is just crazy. It is in a sense criminal, since my bandwidth is being used without my permission by all of the attachments coming every hour. LIKE I GIVE A RAT'S ASS ABOUT PHARMACEUTICALS, NIGERIA, OR HOT STOCK TIPS!
CAUTION! rant follows:
God Damn It! Get the fuck off the net you cheap-ass cowards. It's like my dog barking at the other dogs until I open the gate - if we can find a way to unmask these spamming motherfuckers, it will stop. (Viral mailings notwithstanding.)
OK, I'm better now.
Faith is the very antithesis of reason, injudiciousness a critical component of spiritual devotion. Jon Krakauer
On the other hand, the $2000 a year fee isn't going to do jack. Those who send spam do so because it's really darn profitable. To them, the $2000 a year is peanuts. To a service provider who can barely make ends meet and wants to expand its quality of service and options for customers, $2000 may be the difference between breaking even and going bankrupt. That's kind of like trying to protect individual inventors working in their basement by making the patent fees $200,000 or something. That'll only serve to accomplish the opposite of the intended result.
The bottom line is this: Make it difficult for spammers, not for legitimate users. A certain standard should be devised that includes technical as well as contractual devices to make it extremely difficult for any spammer to last any time at all on the .mail TLD. And mail received from non-.mail TLDs could automatically go into a "bulk mail" folder, or would not be downloaded from the server at all, except for the "From:" address and perhaps a digital signature, so the user (or his filters) can decide what to do with that information. And maybe that needs to happen with ALL mail, not just non-.mail TLD mail.
... to me that the people behind the proposal are complete morons.
As someone pointed out in a thread above there is no good reason to just use a reverse blacklist (like DNSRBL et al.) which identifies certain senders as non-spammers instead of identifying them as spammers.
"[...] set up to be more robust and attack resistant [...]". Oh please. If you get $2k from each and every person/corp. in your whitelist you sure as hell can afford some professional DNS hosting for your whitelist.
HAND.
No, I came up with that idea!
In fact, my original MTAs must be licensed was really more of a way to see if I could get a troll modded up to +5 than a serious post. However, over the last year, I've started thinking that it might actually be a good idea. The licensing I had in mind was rather like the way amateur radio operators are licensed, with a fairly heavy technical content (but not aimed at a particular MTA). Email abuse coming from the MTA could result in suspension or revocation of the MTA operator's license. License data (i.e. who's ticket the email went under) would be added to the headers of email in the form of a digital signature, which the receiving MTA would be required to check (under the conditions of its operator license) for validity and against a certificate revocation list.
Oolite: Elite-like game. For Mac, Linux and Windows
The Internet is not e-mail! It is completely inappropriate to base the DNS name of your organization on what is effectively a content label specific to one particular service. This is the same reason .kids and .xxx are bad.
Heck, let's say I run a porn service, and want to take advantage of this mail feature. I now have to use two different DNS domains? That's stupid.
Just as PICS can give you digitally-signed content ratings for the web, some other service can give you digitally-signed ratings/labels for e-mail. Extend SMTP to, perhaps, operate over TLS or SSL, or at least perform some sort of mutual check that both sides have a SpamHaus certificate that says they're not a spammer, and you can possibly "secure" the connection.
Or just digitally sign your e-mail messages and only accept digitally-signed e-mail. Tweak your trust relationships (for PGP-style signatures) or drop your trust from any roots that are seen to sponsor spammers, and you're all set.
Full story at
.mail TLD and related concept is remarkably similar to a patent I filed in Australia and it could be the answer to all our email problems, if a few changes are made:
http://www.intechcomm.net.au
Originally posted 28/1/04.
Copyright Joshua Leisk. This article may be reproduced, provided it is reproduced in its entirety, without alteration.
I am posting this story, as the
SPAM. Currently unsolicited email from less than 0.2% of the online community wastes time and impacts the productivity of the other 99.8%, as well as impeding network bandwidth and creating traffic costs. SPAM represents over 65% of all email sent.
EMAIL VIRUSES. Mass-mailing viruses cause significant financial damage to organisations and individuals alike. At least 60% of all the services my IT outsourcing company currently performs is virus-related.
I think we have all come to the realization that the problem in eliminating SPAM and email viruses, is that even though it is impossible to verify the legitimacy of all email being exchanged, we still accept mail from any software capable of transmitting mail, as though it were a trusted source of information! Many mail servers are flawed by inept security and administrators, many countries have no anti-SPAM laws, every successful mass-mailing virus has its own SMTP engine and of course we suffer the deliberately configured SPAM email servers employed by dodgy SPAM 'barons' every day to solicit millions of people to buy dodgy 'Viagra', dodgy University degrees and enough porn to humble a veteran pornographic movie star - all for the sake of making a dishonest dollar at every body else's expense.
The simple fact is, you cannot prevent the shady 0.2% of the online community from targeting the remaining 99.8% of us without a global mail exchanging system that has zero-tolerance for unsolicited mail and an effective way of globally policing the system. Message filtering and 'real-time block lists' will never provide an effective solution, because it is a never-ending race to identify, report and 'block' SPAM and 'rogue' mail servers, which then merely rise like a 'phoenix from the ashes' hours later, under a new domain name, or a new IP address, when shut down by Internet authorities. Currently SPAM recipients are always one step behind the SPAM senders and feeling helpless to their plight. Why should we allow ourselves to be victims of our flawed technology, allowing rogue mail servers to financially impair rest of the Internet community?
When SPAM and viruses already makes up more than 50% of all email sent, it becomes more logical and far simpler to protect the legitimate email, rather than trying to filter the illegitimate email!
The only way to permanently eliminate SPAM and email viruses is to establish a mail server authority to register and regulate email servers, in much the same way as the Domain Name System, thus allowing enforceability, financial accountability and liability to those who SPAM, or allow SPAM to propagate. You need a license to own a gun or anything else capable of significantly impacting others, so why not an email server? Currently, Australians pay an average $45 per year to register a '.com.au' domain name, as well as the additional hosting fees to facilitate the DNS system and traffic caused by it, thus creating orderly domain name management. We wouldn't tolerate chaos and anarchy in the Domain Name System, so why should the email system be any different?
I propose that we MUST construct a global registry of certified closed-relay, 'spoof'-proof email servers, married to the verified details of the server's owner, who are possibly placed under a financial security bond, depending on the age of the domain name and previous history, to operate it SPAM-free and then prevent all 'registered' email servers from receiving email from any 'unregistered' email server (or be cleaned and filed separately - see "'Softer' Variation of the Concept"), or accepting email client submi