RMS Weighs In On SPF/Sender-ID License
Stallman's message continues: "The Microsoft license for Sender-ID directly forbids release of software with all these freedoms, so it is impossible for any program to be free software under Microsoft's regime. I've been expecting to see something like this ever since Gates started talking about spam. This license is an example of Microsoft's strategy for killing off free software as an alternative to Windows. Microsoft first patents something, then incorporates it into a format or protocol, then tries to make it de rigueur while excluding those it wishes to exclude. In the absence of resistance, Microsoft has a good chance of imposing whatever standards it likes. Let us, therefore, resist it here and now."
I've STFC (Scanned the charter) and from what I can gather, it's simply a new record type on the DNS. Surely the MTA would then query the DNS responsible for the domain for this record, and act accordingly; so what's the problem? I'm sure Sendmail can be made fully capable of this, or any other lookup tool.
Code, Hardware, stuff like that.
If we let Microsoft, through some machinations during our anti-spam re-engineering or in any other manner, take any measure of control over what has, until now, been a 100% open-standard email infrastructure, email will be fragmented and ultimately ruined, far worse than any cadre of spammers could ruin it.
It is trivial to do what "caller ID" does in an open fashion. And it is absolutely crucial that we do exactly that. No "complicated" licenses, no fancy agreements, no lawyers. Just pick a standard, and follow it.
Letting Microsoft have any involvement in the email infrastructure - other than using it - will be a disaster. And it will be all the more terrible because of how easily it can be prevented.
Want to Know How to Cheat the GPL? Read On!
It's probably a good thing. If anyone could amend the software, they could, for example, add a section that says 'but accept all spam.com emails'.
I understood that the protocol was to be made into a standard, so how would changing the software help us?
The Licence (pdf) says that MS grants you a non-transferable licence to use it and sell it on to end-users.
If you do redistribute the source code, it's fine, but you must add a clause to your licence that says the software may contain IP owned by MS, and that anyone obtaining such derived source must go ask MS for permission to use their bits directly - you can't give that away.
So I can only surmise that when RMS says it is incompatible with free software, he means the GPL. It is acceptable to use the software, look at it, but you can give it to someone else, but they cannot take away the terms MS set. Sounds a bit like the GPL, but with different terms. (hey RMS, you don't want to agree to those terms, you don't have to use the software).
So, we have Microsoft in the distinctly red corner with their proprietary standard.
Let's face it, as vocal as the OSS community is these days, there's not a lot that can be done to stop Microsoft from doing whatever the hell they like, so long as it's legal(!). Sure, sendmail is OSS software, but I got the impression that SPF is pretty much independent of the MTA software anyway.
But, in the blue corner, we have plenty of heavyweight companies who are big on Linux and big on e-mail who have teams of lawyers that have undoubtedly been over this license already, and found the problems.
We have IBM, the people who make Lotus Notes, which is still pretty widely used, IIRC. We have Novell, who now own SuSE/Ximian and are betting the shop on Linux, who produce NetWare. We also have Sun, who are getting vocal on OSS, which produces Solaris, which seems to power a large proportion of MTAs around the globe.
The best defense, surely, is to make sure these companies understand the issues with SPF, and don't implement it in their own products. After all, Microsoft won't get that far without support from other companies, since much as they'd like to, they don't currently control the world's Internet server market....
Finally, now I know what to think about all this.
:P
I was beginning to wonder if I was supposed to think MS had done something right for once...
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Why shouldn't free software be the first to implement secure email? Imagine how much easier Linux advocacy would be if we could say: "SPAM? - I thought that was a Windows problem?..."
Imagine this conversation:
Tech: What's the problem?
User: I get all this SPAM, and I can't read my real email.
Tech: Let me guess, you're still using Windows, right?
User: How'd you know?
Tech: Because you're still getting SPAM. If you upgrade to Linux, which uses the SPAM-blocking mail protocol, your SPAM problem will go away... I'll send you a CD in the mail.
What really irks me is that rather than invent new solutions to existing problems, the free software community waits for a commercial vendor to implement a solution, and then copies it. What we should really be doing at this point is implementing a SPAM-free mail protocol in free software, which, once it became the standard, would force commercial companies into compliance, rather than trying to play a game of dodge-the-patent-lawsuit by copying someone else's improperly done anti-SPAM protocol.
Let's face the facts here, folks: if we wait for Microsoft to implement an anti-SPAM protocol, they'll do it wrong, and the free software world will be stuck trying to ensure compatibility with an interface that is fundamentally broken in the first place.
The society for a thought-free internet welcomes you.
I think we need to take a look at where forged sender spam comes from before we are willing to consider trying to detect forgery as a means to detect a message as being spam. In the past, small time spammers did forgery to avoid flooding their one mailbox. Nowadays, bigger spammers have domain names (often thousands of them) and don't have to worry about that issue. But there are still spammers doing forgery. Most of these are using the infected zombie machines on insecure home computers often connected 24x7 via "always on" DSL or Cable.
If the providers hosting these users would:
- block outbound port 25 from these users (with certain exceptions)
- require SMTP AUTH to log in to their provided mail server
- rate limit mail sent through that mail server (for example no more than 30 messages per hour)
then this would go a long way to defeat the utilization of these infected machines as a spamming tool.
I mentioned an exception to the port 25 blocking. They should simply allow port 25 for anyone who mentions certain keywords indicating they need it. While there is some spamming that originates at the DSL or Cable user, that doesn't account for much right now. So sure, someone intent on spamming can call in to customer support and ask "please enable SMTP for my access account". But they would be fewer in number than those who ask the same because they just want to run their own home mail server without having to forward through the ISP's mail server. And one simple way to do this is to ship DSL/Cable modems with SMTP access disabled except for the provider mail servers. And manufacturers could do that if providers would set up private IP addresses to access their mail servers (so by default SMTP would be allowed to 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16 and 192.168.0.0/16). Someone who wanted to run their own mail server could simply change the settings. The average user who lets machines become infected would know nothing about it.
Like anything else, this isn't a solution to spam. But it is a viable alternative to forgery detection in terms of catching most of the spam from most of the sources being used by the spammers that do use sender address forgery.
now we need to go OSS in diesel cars
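The three provider-side controls proposed in the comment above (default port 25 egress restriction, mandatory SMTP AUTH, and a 30-per-hour limit), sketched as an added example that is not part of the original thread. The function and class names are hypothetical, the address ranges and the limit are the ones the comment gives, and the traffic is constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Ranges the comment proposes leaving open by default for provider mail servers.
PROVIDER_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16", "192.168.0.0/16")]
HOURLY_LIMIT = 30        # "no more than 30 messages per hour"
WINDOW_SECONDS = 3600


def egress_allowed(dst_ip, dst_port, subscriber_opted_in=False):
    """Modem/edge rule: port 25 only to provider ranges unless the subscriber opted in."""
    if dst_port != 25 or subscriber_opted_in:
        return True
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in PROVIDER_NETS)


class SubmissionPolicy:
    """Provider mail server: require SMTP AUTH, then apply a sliding-window limit."""

    def __init__(self, limit=HOURLY_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)  # account -> timestamps of accepted messages

    def check(self, account, now):
        if account is None:             # session never authenticated
            return "reject: auth required"
        q = self.sent[account]
        while q and now - q[0] >= self.window:
            q.popleft()                 # forget messages older than the window
        if len(q) >= self.limit:
            return "defer: rate limit"
        q.append(now)
        return "accept"


def simulate_zombie(policy, account, messages, interval):
    """Constructed scenario: an infected host sends `messages` mails `interval` s apart."""
    results = [policy.check(account, i * interval) for i in range(messages)]
    return results.count("accept"), results.count("defer: rate limit")


if __name__ == "__main__":
    print(egress_allowed("203.0.113.5", 25))   # direct-to-MX from a home line
    print(simulate_zombie(SubmissionPolicy(), "subscriber-1", 500, 1))
```

A burst of deferrals against a single account is also a useful signal that the subscriber's machine is infected.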
Well yes, the GPL does deprive us of that most vital and precious of our freedoms - the freedom to use other people's hard work in order to make unfree software that deprives those foolish enough to use it of their freedom.
It was a dark day for freedom indeed when RMS invented the GPL.