Slashdot Mirror


RMS Weighs In On SPF/Sender-ID License

NW writes "In a recent message to the MARID list RMS weighs in on the licensing issues of Sender-ID/SPF and Microsoft: 'Microsoft's Sender-ID license is directly incompatible with free software regardless of which free software license is used. Free software means users are free to run it, study and modify the source, and to redistribute it with or without changes. Free to do so means there is no requirement to ask or tell anyone that you are doing so.'" "MARID" stands for MTA Authorization Records in DNS; here's the IETF MARID working group's charter.

Stallman's message continues: "The Microsoft license for Sender-ID directly forbids release of software with all these freedoms, so it is impossible for any program to be free software under Microsoft's regime. I've been expecting to see something like this ever since Gates started talking about spam. This license is an example of Microsoft's strategy for killing off free software as an alternative to Windows. Microsoft first patents something, then incorporates it into a format or protocol, then tries to make it de rigueur while excluding those it wishes to exclude. In the absence of resistance, Microsoft has a good chance of imposing whatever standards it likes. Let us, therefore, resist it here and now."

25 of 250 comments

  1. What's the big deal? by FyRE666 · · Score: 3, Insightful

    I've STFC (Scanned the charter) and from what I can gather, it's simply a new record type on the DNS. Surely the MTA would then query the DNS responsible for the domain for this record, and act accordingly; so what's the problem? I'm sure Sendmail can be made fully capable of this, or any other lookup tool.

  2. It's pretty simple by Featureless · · Score: 4, Insightful

    If we let Microsoft, through some machinations during our anti-spam re-engineering or in any other manner, take any measure of control over what has, until now, been a 100% open-standard email infrastructure, email will be fragmented and ultimately ruined, far worse than any cadre of spammers could ruin it.

    It is trivial to do what "caller ID" does in an open fashion. And it is absolutely crucial that we do exactly that. No "complicated" licenses, no fancy agreements, no lawyers. Just pick a standard, and follow it.

    Letting Microsoft have any involvement in the email infrastructure - other than using it - will be a disaster. And it will be all the more terrible because of how easily it can be prevented.

    1. Re:It's pretty simple by nlinecomputers · · Score: 2, Insightful

      "It is trivial to do what 'caller ID' does in an open fashion. And it is absolutely crucial that we do exactly that. No 'complicated' licenses, no fancy agreements, no lawyers. Just pick a standard, and follow it."

      Exactly my thought. So why is this an issue? Can we not write our own code for sendmail and other open email servers? Why does this sound like RMS is FUDing us just a bit? Sure MS' software will be non-GPL but we expect that. How does this stop anyone from writing SenderID checking software that is GPL'd or GPL friendly?

      --
      Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
    2. Re:It's pretty simple by Featureless · · Score: 2, Insightful

      All true, but we can probably stop address forging.

      If no one's done it yet, then this is basically the call to arms. If we don't do it now, Microsoft will coopt and destroy email.

    3. Re:It's pretty simple by Iphtashu+Fitz · · Score: 3, Insightful

      but why do I need to do that much extra work when the existing DNSBL stuff works and could be used in nearly every MTA as is without doing any extra code

      First of all SPF targets an entirely different problem inherent to spam than DNSBL's do. SPF specifically targets forged "From" addresses. DNSBL's target the originating IP of the e-mail. You can't target one type of spam using the other method.

      Second, even support for DNSBL's didn't exist in the vast majority of MTA's until spam became a problem and the first DNSBL's like MAPS came along. If SPF becomes more and more widespread in its use then I'm sure you'll start seeing support for it getting rolled directly into MTA's rather than having to use add-on's.
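
The distinction drawn in the comment above, as an added example that is not part of the original thread and not code from any SPF or DNSBL project: an SPF-style check asks whether the connecting IP is authorised for the claimed sender domain, while a DNSBL lookup asks only whether the connecting IP is listed. All records, the zone name `dnsbl.example.org` and the addresses are constructed, and only the `ip4` and `all` SPF mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (documentation domains and address ranges); nothing
# here is looked up on the network.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    # A bulk sender that owns its domain and publishes an accurate record.
    "bulk-sender.example": "v=spf1 ip4:203.0.113.99 -all",
}
DNSBL_ZONE = "dnsbl.example.org"                    # hypothetical list zone
DNSBL_NAMES = {"99.113.0.203.dnsbl.example.org"}    # names that resolve = listed

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, sender_domain):
    """Is client_ip authorised to send mail for sender_domain? (ip4/all only)"""
    record = TXT_RECORDS.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # the domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # default qualifier when none is given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no "all" term


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(client_ip):
    """The sender domain plays no part in this decision."""
    return dnsbl_query_name(client_ip) in DNSBL_NAMES


def assess(client_ip, sender_domain):
    return {"spf": spf_check(client_ip, sender_domain),
            "dnsbl_listed": dnsbl_listed(client_ip)}


if __name__ == "__main__":
    cases = [
        ("192.0.2.25", "example.com"),           # authorised host, unlisted IP
        ("198.51.100.200", "example.com"),       # forged sender, unlisted IP
        ("203.0.113.99", "bulk-sender.example"), # honest sender domain, listed IP
        ("203.0.113.99", "no-policy.example"),   # no SPF record, listed IP
    ]
    for ip, domain in cases:
        print(ip, domain, assess(ip, domain))
```

The second and third cases are the ones the comment is about: the forged sender is visible only to the SPF check, and the listed address with a correctly published sender domain is visible only to the DNSBL.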

    4. Re:It's pretty simple by gaijin99 · · Score: 5, Insightful

      How does this stop anyone from writing SenderID checking software that is GPL'd or GPL friendly?

      It stops it because MS has patents on some of the critical aspects of the "standard", and their license for using the "standard" can be modified to preclude someone from implementing a GPL'd implementation. It doesn't now, but they explicitly reserve all rights, and state that they can modify the license at any moment, so what keeps them from screwing us with this?

      Look at what SCO is doing now, claiming to own ELF, using that as an attempt to demand money from Linux users. If we let MS's non-open "standard" become a real standard they'll wait a few years until everyone depends on it, then use it as a weapon to try and crush competition. I'm not being paranoid here, I'm simply extrapolating from MS's history; they do that sort of thing on a regular basis.

      --
      "Mission Accomplished" -- George W. Bush May 1, 2003
    5. Re:It's pretty simple by Zeinfeld · · Score: 2, Insightful

      Actually publishing an idea will prevent it from being patentable by others according to the law.

      In theory yes, in practice no. Microsoft had a $500 million judgement against them on the Eolas patent before that got squashed. They were not even allowed to present their evidence of prior art. There are plenty of judges who are as stupid as the USPTO examiners.

      We spent millions 'winning' a bogus patent case.

      The situation in the MARID WG is like the UN weapons inspectors in Iraq. We have given Microsoft a deadline to comply with the request in a satisfactory manner. If the war is started before that deadline expires who exactly is acting in bad faith?

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    6. Re:It's pretty simple by wayne · · Score: 4, Insightful

      PHB?

      RMS has made no attempt to talk to anyone in the group to find out the real situation.

      I'm not sure how you know this. Apparently he was communicating with Michel Bouissou.

      We asked Harry and Jim to take up the licensing issue with their lawyers about a week ago. They are meant to come back with a reply before we have the MARID meeting at the San Diego IETF the week after next.

      For those who aren't in on who's-who on the IETF MARID working group, Harry and Jim are two of the folks from Microsoft who are working on the SenderID proposal.

      However, I know that I have been asking for resolution for this licensing issue on the working group for much more than a week. This is not a new issue.

      Now less than 24 hours after Microsoft go off to talk with their lawyers people start campaigning to take the Microsoft technology out using the licensing issue as an excuse. This came mainly from a group of tourists who had had nothing to do with the group previously. It is very obviously a campaign by people whose priority is not getting the best MARID spec we can.

      This is almost completely not true. Microsoft lawyers have been in discussions over the license issue since early June (6 weeks ago). While there were indeed some lurkers who posted first about the license issue, many of the active participants in the working group started the license discussion. People who object to the current SenderID license for MS do want the best proposal possible. If no one objected to the license, we would have a bad proposal.

      --
      SPF support for most open source mail servers can be found at libspf2.
    7. Re:It's pretty simple by shaitand · · Score: 2, Insightful

      Although not a published standard to my knowledge, they did this de facto with the FAT filesystem.

  3. Mr. Polemic strikes again by Bender_ · · Score: 1, Insightful

    Why can't RMS just try to improve the situation, make a counteroffering, give suggestions instead of ranting about everything that is not exactly along his line of view?

  4. standards and stuff by gbjbaanb · · Score: 3, Insightful

    It's probably a good thing. If anyone could amend the software, they could, for example, add a section that says 'but accept all spam.com emails'.

    I understood that the protocol was to be made into a standard, so how would changing the software help us?

    The Licence (pdf) says that MS grants you a non-transferable licence to use it and sell it on to end-users.

    If you do redistribute the source code, it's fine, but you must add a clause to your licence that says the software may contain IP owned by MS, and that anyone obtaining such derived source must go ask MS for permission to use their bits directly - you can't give that away.

    So I can only surmise that when RMS says it is incompatible with free software, he means the GPL. It is acceptable to use the software, look at it, but you can give it to someone else, but they cannot take away the terms MS set. Sounds a bit like the GPL, but with different terms. (hey RMS, you don't want to agree to those terms, you don't have to use the software).

    1. Re:standards and stuff by Smallpond · · Score: 2, Insightful

      Before you go all Sally Field on Microsoft, can you name another common Internet spec that you have to sign an agreement to use?

      You call it a License, which it is not, Microsoft calls it an Agreement.

      A License is a one-way set of conditions. Anyone can use the product under the terms of a License. The GPL is a license to use copyright works.

      An Agreement (or License Agreement, or Legal Agreement, they all mean the same thing) is a contract with mutual obligations. You can make any set of conditions that you want in a contract as long as both sides agree and sign.

    2. Re:standards and stuff by Pharmboy · · Score: 4, Insightful

      So it's more BSD-like then, big deal.

      Actually, it is a big deal. The old BSD license that had the advertising nag is NOT GPL compatible, per the FSF.

      They're both licences that apply to the use of software.

      You need to READ the GPL. It flatly says you need NO license to use it, only to distribute it. This is a major difference in Free and non Free licenses.

      Newsflash: licences are contracts.

      Not according to the law. A license is a grant to someone to use copyrighted material. There is more than enough case law on the differences that I won't go into detail here, google it.

      Isn't that more of a self-defence clause in case people find bugs and want to sue Microsoft about it?

      Yes. And it is so vague and broad in scope that the potential for abuse is a serious concern.

      Big deal. Why does everything have to be GPL compatible? What would be wrong with, say, a BSD-style license for this particular application?

      That would be fine. A modern BSD license *is* GPL compatible. (without the ad nag). This license is not "Free". It's not the worst license in the world, but it's still not Free. When it comes to software that sets standards for the entire internet, it is much better for it to be Free, so that one company does not abuse it. Technically, this license would allow MS to change its mind once the technology is developed, and start charging people to use the technology. THAT is why the license must be free, to protect everyone who uses the internet, including your right to sell the software for any price you want.

      I don't care about the license for MS Office, I can choose to use Open Office, but if MS patents this, then gets greedy, I can't run mail servers without paying a royalty (at least the servers won't be able to connect to other servers that require this 'patented' protocol). This is not acceptable to me, even if it is not likely to happen.

      --
      Tequila: It's not just for breakfast anymore!
  5. Probably shouldn't worry yet... by Ianoo · · Score: 4, Insightful

    So, we have Microsoft in the distinctly red corner with their proprietary standard.

    Let's face it, as vocal as the OSS community is these days, there's not a lot that can be done to stop Microsoft from doing whatever the hell they like, so long as it's legal(!). Sure, sendmail is OSS software, but I got the impression that SPF is pretty much independent of the MTA software anyway.

    But, in the blue corner, we have plenty of heavyweight companies who are big on Linux and big on e-mail who have teams of lawyers that have undoubtedly been over this license already, and found the problems.

    We have IBM, the people who make Lotus Notes, which is still pretty widely used, IIRC. We have Novell, who now own SuSE/Ximian and are betting the shop on Linux, who produce NetWare. We also have Sun, who are getting vocal on OSS, which produces Solaris, which seems to power a large proportion of MTAs around the globe.

    The best defense, surely, is to make sure these companies understand the issues with SPF, and don't implement it in their own products. After all, Microsoft won't get that far without support from other companies, since much as they'd like to, they don't currently control the world's Internet server market....

  6. Because MS will hold the patent by Anonymous Coward · · Score: 2, Insightful

    As the inventor, no doubt MS will hold the patent. So you have to license it, whether for GPL or otherwise.

    If the license isn't GPL compatible then GPL software can't use it.

  7. Re:Define 'free' by BenjyD · · Score: 2, Insightful

    The kind of freedom RMS is referring to can't be taken away or used to discriminate between users - free as in zero price can be.

  8. Sounds nasty by NigelJohnstone · · Score: 2, Insightful

    "If you do redistribute the source code, its fine, but you must add a clause to your licence that says the software may contain IP owned by MS, and that anyone obtaining such derived source must go ask MS for permission to use their bits directly - you can't give that away."

    Sounds nasty, an obvious play would be to get this non-standard widely accepted then for MS to refuse permission to new licensees unless they pay a fee.

    That would then lock out free software.

    Because you need their permission to get the license, they can tack whatever terms onto the deal they like in order for you to obtain that permission.

    Another popular trick of MS's is to claim that a new version of software is a different product. They have done this several times, most famously when they said Windows 98 isn't Windows 95.

    So you could find that Sendmail future versions get cut out as well.

    Best to avoid this one.

  9. finally by CAIMLAS · · Score: 3, Insightful

    Finally, now I know what to think about all this.

    I was beginning to wonder if I was supposed to think MS had done something right for once... :P

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  10. One question for all of you... by gillbates · · Score: 4, Insightful

    Why shouldn't free software be the first to implement secure email? Imagine how much easier Linux advocacy would be if we could say: "SPAM? - I thought that was a Windows problem?..."

    Imagine this conversation:

    Tech: What's the problem?

    User: I get all this SPAM, and I can't read my real email.

    Tech: Let me guess, you're still using Windows, right?

    User: How'd you know?

    Tech: Because you're still getting SPAM. If you upgrade to Linux, which uses the SPAM-blocking mail protocol, your SPAM problem will go away... I'll send you a CD in the mail.

    What really irks me is that rather than invent new solutions to existing problems, the free software community waits for a commercial vendor to implement a solution, and then copies it. What we should really be doing at this point is implementing a SPAM-free mail protocol in free software, which, once it became the standard, would force commercial companies into compliance, rather than trying to play a game of dodge-the-patent-lawsuit by copying someone else's improperly done anti-SPAM protocol.

    Let's face the facts here, folks: if we wait for Microsoft to implement an anti-SPAM protocol, they'll do it wrong, and the free software world will be stuck trying to ensure compatibility with an interface that is fundamentally broken in the first place.

    --
    The society for a thought-free internet welcomes you.
  11. Nothing to see here? by pandrijeczko · · Score: 2, Insightful

    Correct me if I'm wrong but Microsoft is hardly the majority player when it comes to sending email across the Internet.

    Sure, it's big with Exchange in corporate enterprises and in the client arena with Outlook & Outlook express.

    But sendmail running on some UNIX-type server provides the majority of backbone email routing, especially at ISP level, and DNS is invariably done with BIND on other UNIX boxes. This does not strike me as an area that MS have much capability of muscling in on with a proprietary protocol.

    Or am I missing something here?

    --
    Gentoo Linux - another day, another USE flag.
  12. Re:Wow, this is shocking by Kadmium · · Score: 2, Insightful

    *shrugs*. It was a social commentary. I doubt anything I say or do here has any measurable effect whatsoever upon the issue at hand. Also, I don't really have an opinion on the issue, other than the fact that a good portion of the people reading the article (or, indeed, not reading it) will mindlessly dismiss any positive contribution Microsoft are making to the spam problem simply because it's them doing it.

    First we wanted them to do something about spam, now we're pissed off that they're not doing it our way. If they did it under the GPL, we'd probably get pissed if they used SourceSafe instead of SourceForge. Maybe we'd be mad that they're writing in C# instead of C. I just wanted to point out that it doesn't matter what the issue is - if it's Microsoft doing it, they're Wrong.

  13. Where forged sender spam comes from by Skapare · · Score: 3, Insightful

    I think we need to take a look at where forged sender spam comes from before we are willing to consider trying to detect forgery as a means to detect a message as being spam. In the past, small time spammers did forgery to avoid flooding their one mailbox. Nowadays, bigger spammers have domain names (often thousands of them) and don't have to worry about that issue. But there are still spammers doing forgery. Most of these are using the infected zombie machines on insecure home computers often connected 24x7 via "always on" DSL or Cable.

    If the providers hosting these users would:

    • block outbound port 25 from these users (with certain exceptions)
    • require SMTP AUTH to log in to their provided mail server
    • rate limit mail sent through that mail server (for example no more than 30 messages per hour)

    then this would go a long way to defeat the utilization of these infected machines as a spamming tool.

    I mentioned an exception to the port 25 blocking. They should simply allow port 25 for anyone who mentions certain keywords indicating they need it. While there is some spamming that originates at the DSL or Cable user, that doesn't account for much right now. So sure, someone intent on spamming can call in to customer support and ask "please enable SMTP for my access account". But they would be fewer in number than those who ask the same because they just want to run their own home mail server without having to forward through the ISP's mail server. And one simple way to do this is to ship DSL/Cable modems with SMTP access disabled except for the provider mail servers. And manufacturers could do that if providers would set up private IP addresses to access their mail servers (so by default SMTP would be allowed to 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16 and 192.168.0.0/16). Someone who wanted to run their own mail server could simply change the settings. The average user who lets machines become infected would know nothing about it.

    Like anything else, this isn't a solution to spam. But it is a viable alternative to forgery detection in terms of catching most of the spam from most of the sources being used by the spammers that do use sender address forgery.

    --
    now we need to go OSS in diesel cars
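
The three provider-side controls listed in the comment above, modelled as an added example that is not part of the original thread: a default port 25 egress filter with a per-subscriber exception, an authentication requirement on the provider relay, and the 30-messages-per-hour limit. The class and function names are hypothetical, the subscriber and addresses are constructed, and the address ranges and the limit are the ones the comment gives.

```python
import ipaddress
from collections import defaultdict, deque

# Destinations reachable on port 25 by default: the ranges listed in the comment.
DEFAULT_SMTP_NETS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16", "192.168.0.0/16")]
RATE_LIMIT = 30          # messages per window (the comment's example figure)
WINDOW_SECONDS = 3600


class ProviderPolicy:
    def __init__(self):
        self.port25_exceptions = set()    # subscribers who asked for direct SMTP
        self.sent = defaultdict(deque)    # account -> timestamps of accepted mail

    def allow_outbound(self, subscriber, dst_ip, dst_port):
        """Edge filter: direct port 25 only to provider relays or by exception."""
        if dst_port != 25 or subscriber in self.port25_exceptions:
            return True
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in DEFAULT_SMTP_NETS)

    def accept_submission(self, account, authenticated, now):
        """Provider relay: require SMTP AUTH, then apply a sliding one-hour limit."""
        if not authenticated:
            return "reject: authentication required"
        window = self.sent[account]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()              # forget mail older than the window
        if len(window) >= RATE_LIMIT:
            return "defer: rate limit"
        window.append(now)
        return "accept"


def simulate_infected_host(policy, account, attempts, start=0.0):
    """Constructed scenario: malware relays one message per second using the
    subscriber's stored credentials, so authentication alone does not stop it."""
    results = [policy.accept_submission(account, True, start + i)
               for i in range(attempts)]
    return results.count("accept"), results.count("defer: rate limit")


if __name__ == "__main__":
    policy = ProviderPolicy()
    print(policy.allow_outbound("alice", "203.0.113.10", 25))  # direct-to-MX attempt
    print(policy.allow_outbound("alice", "10.1.2.3", 25))      # provider relay
    print(simulate_infected_host(policy, "alice", 100))
```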
  14. Re:MS license perspective from a SPF developer by toiletsalmon · · Score: 2, Insightful

    You have to admit though, if the licensing terms are not "drum tight", then Microsoft can just take anyone to court and financially bulldoze their way to a verdict of their choosing.

    We've already seen how they "pimped" the US Government, and as far as lawsuits go, that didn't even take that long.

    I think that's the thing that scares people.

  15. Re:RMS craziness by The+Bod · · Score: 2, Insightful


    If you don't like being infected with the GPL, you're perfectly free to reinvent the wheel and rewrite whatever GPLed code you were thinking of using. Or contact the author and cut a deal.

    If GPLed code were truly "free", this wouldn't be necessary.

  16. Re:RMS craziness by Aim+Here · · Score: 3, Insightful

    Well yes, the GPL does deprive us of that most vital and precious of our freedoms - the freedom to use other people's hard work in order to make unfree software that deprives those foolish enough to use it of their freedom.

    It was a dark day for freedom indeed when RMS invented the GPL.