Apache Rejects Sender ID
hexene writes "In an open letter to the IETF MARID Working Group, the Apache Software Foundation has rejected the patent-encumbered Sender ID specification. This means no Sender ID support for SpamAssassin, Apache JAMES, etc. They state that the current license is generally incompatible with open source, and contrary to the practice of open Internet standards."
Well done Apache! Surely this must be a big stake in the heart of MS email domination plans?
Bad analogies are like waxing a monkey with a rainbow.
Will this stop the "standard" from going forward, or just increase the struggle to come to a useful consensus?
My Photography - http://ian-x.com
The Deathlings (comic) - http://thedeathlings.com
Hopefully this is just the start of a string of rejections. If lots of big names in the OSS community and some of the e-mail superpowers (yahoo, gmail, etc...) jump on the bandwagon, maybe it'll get pushed aside.
Wishful thinking? Probably, but a boy can dream...
I don't see any reason to use SPF either. It only benefits big ISPs, by keeping spammers from mentioning them in their return addresses. Even then it only works until the spammers hijack the machine of some dumb sap who's a legitimate customer of such an ISP, and send under his name. It does you and me no good at all, either way.
The whole exercise has been a waste of time and attention for all involved, and the sooner it's forgotten, the better.
Microsoft Sender ID Framework
... and it goes on and on
The Sender ID Framework is an industry standard created to counter e-mail domain spoofing and to provide greater protection against phishing schemes. This combined specification is the result of Microsoft's Caller ID for E-Mail proposal, Meng Wong's Sender Policy Framework (SPF), and a third specification called the Submitter Optimization. These three draft technical specifications were recently submitted to the Internet Engineering Task Force (IETF) and other industry organizations for review and comment.
Is this why the sender ID article on Wikipedia is only a stub?
Please, click "edit this page" and help if you know anything!
We will not be implementing support for Sender ID until such time as the issues with the license are fixed and acceptable to the Apache James and Apache SpamAssassin Project Management Committees.
It's obvious that Apache's concerns are of the utmost importance to both MSFT and those conducting the discussions. If they were SO concerned this would have been taken care of long ago. MSFT figures that either Apache will kowtow after users get pissed that they cannot send to those behind an MS mail solution or that they will end up having to break down themselves later. It's a lot bigger of a gamble for Apache to ignore MSFT than it is for MSFT to ignore Apache.
As an alternative resolution, we would find it acceptable if the pending patents were granted to a non-profit organization such as ISOC and licensed under sufficiently open terms.
This, OTOH, is a valid option and should be exercised but I highly doubt it will be for obvious reasons.
This means no Sender ID support for SpamAssassin, Apache JAMES, etc.
Funny, I thought Apache supported these things called modules that allowed you to extend Apache.
Just because it doesn't come from the Apache Foundation doesn't mean it won't happen.
I use JAMES for my mail transport, and have found it to be fantastic. A single XML file can configure all the services you need (SMTP, POP3, IMAP), with or without TLS. If you want TLS, you just add an entry for it.
Also, it's really easy to write custom programs for mail processing, called "Matchers" or "Mailets" (many already exist), for things like SPAM detection, custom mail delivery, etc. I highly recommend it over sendmail/qmail.
"standards" that aren't acceptable to the general hacker population of the Internet aren't standards.
Yahoo!'s DomainKeys is free and technically superior, and it's not mutually exclusive with SenderID. That means it will end up in all the mail-related software except Microsoft stuff. Now who's the standard?
I rarely criticize things I don't care about.
With the rejection by Apache, hopefully the rest of the FOSS will follow and then the industry at large.
Great ideas often receive violent opposition from mediocre minds. - Albert Einstein
How can anyone mod up a message with 6 fscking line of advertisement??? HALF the message!!!
Finally, as developers of open source e-mail technologies, we are concerned that no company should be permitted IP rights over core Internet infrastructure.
Is anyone really surprised that MS is trying to build its patent arsenal around such things? And of course they want to do it quickly because it's much easier to get something underhanded accepted quickly. (PATRIOT Act anyone?)
We are also concerned by the rush to adopt this standard in spite of technical concerns, lack of experience in the field, and a lack of consensus in the IETF MARID WG.
I think again Open Source groups show their strength by not allowing such tactics to take place without notice. It also shows that many major groups are very aware of how the game is being played.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
I'm glad that a major OSS project has seen through the FUD and is speaking out on behalf of the community. I seem to have lost my faith in humanity, but events like this start to restore it.
Ads? What ads?
If you do not like spam, please stop spamming slashdot.
I find it pretty amazing that the IETF accepts encumbered "standards". Protocols should either be industry standards or proprietary. It could become interesting if an RFC calls for the use of an encumbered standard and half of the Internet chooses to ignore the standard.
"Sendmail releases open source milter for Sender ID
August 30, 2004
Today, Sendmail, Inc. is releasing an open source implementation of the IETF's Sender ID specification for testing on the Internet. This implementation utilizes the milter interface to plug directly into the sendmail MTA.
Sender ID is a standards-track proposal that merges Meng Wong's SPF and Microsoft's Caller ID for email. Authorizations records are published in DNS in an SPF-compatible format, and then used to validate user-visible message headers using the Caller ID "Purported Responsible Address". This sid-milter release implements the marid-protocol and marid-core draft standards, leaving the marid-submitter SMTP Extension to be implemented directly by the sendmail MTA.
Downloadable source code for sid-milter can be found at: sendmail.net/sid-milter"
RMS E-Mail to IETF MARID WG ML
All listen to the man!
Well.. I don't consider doing that anywhere close to the same thing as spam. I'm 1 person away from getting a free iPod, and you choose to read slashdot. Reading slashdot just kinda implies all the trolls, flamebait, and spam that goes along with it. Besides, someone will be along to mod me down shortly I'm sure.
If you have control of your own domain's DNS server, there's nothing preventing you from publishing an SPF record, and it's a good idea for you to do so.
By publishing an SPF record, you can stop, or at least mitigate, "joe jobs" that use a forged From header trying to implicate you in someone else's spamming, not to mention email worms.
If you have a clue, your SPF record should only allow mail from your outbound mail server(s).
industry standard?
isn't a bit early to be calling it a standard?
especially if apache is rejecting it.
for a minute there, i lost myself...
You're so right, using the $ makes you uber cool.
lOlZ
What's the opinion of the sendmail developers?
C-x C-s C-x k
Good thing this came up. I'm just building a new (replacement for a dying) server now to be used to handle mail for my domain and a couple of non-profit orgs I help with (it'll run their web sites and other things too). I've been running sendmail until now, but am open to suggestions for something better.
Can James integrate with SpamAssassin or something similar? Multiple domains? Forwarding?
It'd be great to find out. I'd much prefer a Java-based solution because I'd be able to put my own skills to good use if I need to extend it somehow.
Generally speaking I just need it to handle SMTP and POP3 and be able to deal with local mailboxes (I'd like have the option to be able to tack on a webmail package).
Maybe someone can also comment on what the best webmail packages are that are freely available?
You can accomplish anything you set your mind to. The impossible just takes a little longer.
This point needs some extra emphasis.
Parent is not all that insightful.
Apache the webserver does.
They are talking about spamassassin and james.
RTFA
Serves you right for registering 'asdf.com'
AC comments get piped to
A few good articles on sender-ID controversy:
http://www.eweek.com/print_article/0,1761,a=13402
http://www.circleid.com/article/730_0_1_0_C/
http://www.eweek.com/article2/0,1759,1639880,00.a
http://www.newsforge.com/article.pl?sid=04/09/01/
http://trends.newsforge.com/14/04/08/26/1326244.s
Also, here are the opinions of Eben Moglen of FSF and Larry Rosen of OSI:
http://www.imc.org/ietf-mxcomp/mail-archive/msg03
M$
Correct. It's not a standard at all but a proposal. Hopefully SenderID never becomes a standard. Wong should be slapped shitless for ever agreeing to couple SPF with CallerID. What a stupid move to make.
They probably have signatures turned off in their prefs and didn't see it.
Relax.. Modding you down as troll is just showing my appreciation of your humor.
According to this article SenderID in the agreed upon form is nothing new. Indeed it seems that MS has embraced and extended someone else's IP and put their own claim to it.
Therefore, Apache may be abandoning something that it needs not to abandon.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Isn't Microsoft providing a royalty-free license for everyone to use this patent?
It's funny how some people deride Microsoft for not supporting web standards in their IE browser.. and then turn around and applaud Apache when they say they're not going to support IETF standards. I bet they don't even realize they're contradicting themselves..
I am the maverick of Slashdot
What about us users who are behind the MS mail solutions? I have addresses on both sides of the coin and to think that Microsoft won't let me get mail because someone didn't use their patented technology is crazy....
I know they are trying to ram it through committee, but have they really thought about this? It's crazy. They already put most of my mail in the "Bulk" folder with hotmail, even if it is sent from a friend. And technology is slow to adapt, yet they've already made the announcement that they will not take mail without Sender ID after October 1st (I believe). Who here still uses HTML tags like We were supposed to drop that years ago. It still renders though.
We all hate spam but a "magic bullet" will only kill e-mail altogether IMHO. I've missed out on money actually because something gets marked as spam but I needed it for "business". Let me setup my own spam filters or let me weed through it.
Either way, I resent corporations like Microsoft and even Yahoo getting into the mix and removing me from the situation.
It's easy, don't give out your address. Don't click on links in e-mail that are so long they look like encryption keys. Don't allow images to load (easy with Thunderbird + Sygate Personal Firewall in XP and most webmail). Don't sign up for a freeipod (I want to post my referral link, so bad too.)
Get your Unix fortune now!
Yes, but everyone knows that Micro$oft is all about standards, and since they created all standards, they must be followed.
This sig no verb.
Clearly that's already happened at least once.
Firm positions like this must be applauded and upheld, but once again we also need other professionals to help get the voice out about the truth. We shall not be fanatical, but I humbly believe it is clear Microsoft is not being transparent in this and that does not bode well for the Internet as we've come to know it.
The revolution will not be televised.
Yeah, and you choose to read your email and that implies all the trolls, flamebait and spam that goes along with it. So stop fucking spamming Slashdot with your fucking ponzi schemes, you fuck.
I think this is the first time I've seen a situation where Microsoft is unable to dictate to others on "how things are going to be". The question I have now is "what will Microsoft do next?". Are they willing to be directed by an Open Source project, or will they go their own route to stave off the perception that Microsoft isn't as omnipotent as they want everyone to believe?
Fascinating. Absolutely fascinating.
Ruby on Rails Screencast
I hope Apache wins the day here. However, the entire reason for the RAND proposal in the first place was to allow commercial interest to capture open Internet standards. I don't think they will be easily deflected.
sPh
I have a small email server at home that I use for website signups & imdb movie queries. I have a domain name pointing at it, but the reverse DNS of my IP gives me not my domain name but my ISP's name of my machine, as I don't control the DNS for that, so how can I use these email certification systems? I have complete and correct mail headers and am willing to verify who I am, but I am a bit pissed at being denied the use of SMTP. What's next? SSH or [insert port here]
So how will these email schemes protect me? Or is this a case of screw the honest geek on a cable modem and render being in control of my own email useless, forcing me to use "approved server$" from [insert large corp name and another fee here]
Dear ASF,
Those of us involved in developing application and services on the internet would like to thank you for your vigilance and efforts in keeping the internet as open and accessible as possible.
Not only is this important for all of 'us' here in places that depend on the internet for a variety of our needs, but also keeps this infinite store of information and instant communication open and available to developing nations who arguably will need this more than we do. With access to the internet being more ubiquitous, rural schools can have vast libraries and resources which at one time would have cost a fortune to build and/or acquire.
Your efforts have an impact and are appreciated by people who may not even know/understand ... and maybe sometimes even yourselves don't know ;-)
Thank you very much.
Why "big ISPs"? It has the same benefit for small ISPs and anyone operating a mail server.
Even then it only works until the spammers hijack the machine of some dumb sap who's a legitimate customer of such an ISP, and send under his name. It does you and me no good at all, either way.
Dumb saps are not particularly good at securing their machines, which is why so much spam is sent from zombies on cable modems. People who operate mail servers for ISPs can be smarter about throttling, outbound-virus-scanning, and generally looking for and cutting off compromised hosts. ISPs and businesses which do a good job of this will be afforded more trust. Right now, being a trustworthy mail server operator wins you nothing, because spammers can forge your address.
I find your FUD suspicious. Are you a spammer?
It seems like ISPs are incredibly hesitant to behave this way. Maybe spam is different than other abusive network traffic, but I still haven't seen any ISPs do anything about their users' worm-infected machines attempting to propagate the infection to every other machine on the network. When I say, 'maybe spam is different,' I mean that maybe it is more of a pinch point for them and they'll take action on their users' compromised boxes.
As for detection, they can see the traffic at the router, so they can already easily identify which customers have sick computers.
$5 / month hosted VPS on linux = awesome!
When are government bodies going to wake up and realize that we have a serious issue on our hands?
right about the same time as they clamp down on pyramid schemes , multi level marketing , advertiser deception and fraud
the only thing free about your ipod pyramid schemes are the creators who are getting free houses,BMW's and a shitload of cash promoted by dumb fools like you
but then you are American so its understandable
Just imagine if future versions of Apache came with a configuration directive "AnnoyIE Yes" that, upon detecting IE, would popup a window with the text:
A true scorched earth battle between MS and the free/open source community, fought with no rules, would leave MS bloodied and torn. There would be no winners of such a battle.
Apache the server supports modules.
Apache the foundation doesn't support modules.
Mod parent down "-1 Uninformed".
Not really, at least not for Microsoft. Their past behavior seems to fall in line with the viewpoint that a Microsoft Standard is automatically "Industry Standard".
I think this largely comes from the view that if you're what most people are using, you somehow become an industry standard, even though it's really a de facto standard not an industry one.
-Matt
Sender-ID, and in fact any other technology that tries to "fight spam" by restricting some particular technique that spammers are using, is going to be a purely short-term solution... and not much of a solution at all.
Spam is a social problem, and the behaviour that needs to be attacked is the broadcast unsolicited messaging process itself. Any bulk or broadcast communication that the recipient is not in control of (they didn't directly solicit it, or it's not relevant mail from someone they have an ongoing and clear relationship with) has to be explicitly illegal.
Mandate Sender-ID or SPF, and spammers will sign up and continue to spam. Mandate tagging, and spammers will tag and spam *and* people who aren't spammers will be unsure and tag as well... and their mail will be filtered out.
This is already happening, in both cases.
So, it doesn't matter whether anyone implements this technology or not, it's irrelevant to the problem people are hoping it will solve.
Following the United States Patent and Trademarks Office granting of a patent for IBM last year, IBM has relinquished its rights to the patent it received on a method for determining who gets next use of a toilet. The relinquishment came in February after a petition was filed asking the patent office to re-examine it. The patent was described as a system run by a computer that would assign customers numbers on a first-come-first-served basis. The system would allow customers an estimate of their waiting time and notify them when the toilet was available - ending waits in the aisles. An IBM representative said the company was unable to explain why the company had thought it was worth while to patent the computer system in the first place.
That method of toilet scheduling is now in public domain. Great, I don't think it would have changed my life either way. However, this issue of creating a unified standard of authenticating the sender and server is too important to have IP claims all over it.
Enjoy life. And relax. Assholes.
Right back at ya, douchebag!
RMS's comments to the MARID list are very pertinent and to accuse him of "politics" is to make the mistake (deliberate or otherwise) of relativism. Open source/free software is not a subjective political opinion. The effects of adopting a patent-encumbered standard go far beyond mere politics. They affect the quality and cost of what issues.
RMS is entirely accurate when he says that Microsoft is probably aiming to control anti-spam tools by controlling who can develop to the standards.
You may or may not support Microsoft's right to attempt to control a market. What you should not do is ignore the impact such control would have.
Open source and free software has proven to be a significant balancing force in the push for better and cheaper IT. Microsoft have done an excellent job in lowering the cost of certain kinds of software, mainly the user front-ends. Open source and free software have handled the back-ends - the servers - better than anything produced by any company, anywhere.
Spam is not a front-end issue. Locking anti-spam standards into a Microsoft-dominated front-end will make much money for some people but will ultimately end in a monopoly control of email, almost certainly built to the usual Microsoft standards: pretty, charming, and totally insecure.
The IETF is composed of individuals, each with their agendas. Many IETF members work from principle, but many others are paid for their work, and paid by companies with serious commercial interests in the outcome.
It's easy to mock RMS: he is sincere and outspoken. But it is misplaced. RMS is a prophet in the true sense of the word: he has had a vision of the way software should be made, and he has defined a way for this to happen.
Naturally some commercial interests detest him. But it's wrong: cheaper software means opportunity for everyone, especially commercial software firms. The world has an endless appetite for pretty, seductive front-ends.
They just should not be doing anything really, vitally important.
And that includes filtering spam.
Sig for sale or rent. One previous user. Inquire within.
After reading the statement on the ASF web site, I reluctantly had to agree with the Apache Software Foundation on the issue of Sender ID. The "free license" offered to those that support SenderID in open-source software packages has too many pitfalls, too many places where it could encumber open source projects. The SpamBouncer will therefore not support SenderID either until there are fundamental changes in the license.
This is a shame. Meng Weng Wong's original idea for SPF was quite good, and I was planning to support it.
Catherine
[source: http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx]
No SPF Record has been found for the domain microsoft.com. However, MX and/or A records currently exist for this domain.
The domain's MX and A records contain the following information:
Addresses Listed in A Records
207.46.130.108
207.46.250.119
Mail Servers Listed in MX Records
maila.microsoft.com 131.107.3.124
131.107.3.125
mailb.microsoft.com 131.107.3.122
131.107.3.123
mailc.microsoft.com 131.107.3.121
131.107.3.126
I think the industry term is "eat your own dog food". thanks for the recommendation MS, let me know when you start using your own bloody system.
I don't see any reason to use SPF either. It only benefits big ISPs, by keeping spammers from mentioning them in their return addresses.
Huh? Do you know anything about SPF? Apparently not. Any domain can have an SPF record. It is not limited to the "big ISPs." I have small domains. I have SPF records. That means that spammers forging addresses in my domains will be rejected by any mail server that does an SPF check.
One of my domains has been joe-jobbed. A spammer sent out hundreds of thousands of messages with a forged address in my domain. I had to deal with the ensuing mess. If I had SPF at the time any recipient server would have been able to tell that the spammer was not who he claimed to be in the From: address and would have rejected the e-mail. If every server did SPF checks, not a single one of the spammers messages would have been delivered.
Even then it only works until the spammers hijack the machine of some dumb sap who's a legitimate customer of such an ISP, and send under his name.
ISPs can rate-limit e-mail sent through their servers and port blocking of 25 will prevent their customers from directly connecting to mail servers other than the ones at the ISP. Now the software that hijacks the machine will have to determine the configured e-mail server, the login, the password (if there is one), whether it has to do POP-before-SMTP authentication, whether it needs to use SSL, and whether the server uses secure authentication. Or, the server might be IMAP, and then the hijack software has to include an engine to send through IMAP.
The whole exercise has been a waste of time and attention for all involved, and the sooner it's forgotten, the better.
Spoken like someone who has no understanding of SPF, at all. Look, I understand the technology. I understand the spam problem and have been combatting spammers for years. And I know that SPF is one of the most promising technologies out there. So please don't mislead people by making claims about something with which you clearly have no real experience.
There is nothing against patented standards in the IETF policy guidelines. They've already issued a standard on firewalls which is patented (VRRP).
OpenBSD created their own protocol (CARP) so they wouldn't have to use patented code in their code base.
Explains some stuff behind the scenes:
http://www.circleid.com/article/730_0_1_0_C/
http://www.circleid.com/article/732_0_1_0_C/
I think we are missing the real danger here. There was never all that much difference between SPF and Microsoft's Caller ID. The differences were in the details of how they were put into the DNS, the use of XML vs text formats, and maybe some issues about exactly which mail headers were checked. But the basic idea was almost identical.
This means that Microsoft's forthcoming Caller ID patents probably cover SPF. That's the real problem here.
We can't just tell Microsoft to get stuffed and then go ahead and use SPF. There's too much risk that Microsoft will surface with a patent in three or four years that covers a technology which is by then widely used on the net.
I think this decision kills SPF and everything along those lines. Some may cheer and some may be upset, but that is the reality we face. Going forward with SPF under these circumstances is far too risky. Microsoft has warned us about the patent applications and we can't ignore them.
No single method will stop all the spam. Well, not unless you set up a white list for only a few, extremely trusted sites ...
The first step is to characterize the problem.
#1. Open relays
#2. Zombies
#3. Spam-friendly ISP's
This doesn't even count the problem you mentioned of forgeries and bounces (mostly from phishing).
I've reduced my spam problem by 50% just by blocking a bunch of open relays at the firewall. Here's a list of them (badly formatted because of /.'s character per line limitation):
Now for the next part of the problem, the ISP's need to block port 25 on their networks. That would stop the zombies from sending spam (and email viruses).
Finally, the ISP's need to limit the amount of eMail that can be sent through their servers.
SPF would help by preventing forgeries.
Slashdot does.
The majority of spam is now sent by zombied Windows PCs. Windows insecurity is now a large part of the spam problem.
It sure looks like Microsoft sold PC users the problem, and now they want to sell us the solution. Should we really encourage OS insecurity by paying for the fix to a problem that never should have been?
>> My ultraviolent Linux switch video.
Yeah, then they went and made their I-tunes clone only run properly if you use ActiveX.
Linux Wireless Hardware in the UK
Everyone's just gonna dump Sender-ID and implement classic SPF records. This whole marid/sender-id thing is ridiculous, and smart reasonable people know that classic SPF is unencumbered, extremely simple, and does the job just fine. This popular opinion is evidenced by how quick and widespread the adoption of classic SPF has been to date. I suspect eventually we'll see dns servers implementing a custom record type for SPF to replace the current TXT records, but other than that, you don't really need anything else.
Classic SPF = no forgeries. As its use becomes more widespread, eventually there will come a breaking point in time where "everyone" knows that when they set up an email server and make their MX record, they better make an SPF record while they're at it too - and most people will reject email that hasn't passed SPF checks.
It doesn't directly stop spam, but it makes spam accountable, which is a large step in the right direction.
11*43+456^2
What if the CTO is allergic to peanuts? Is there a fallback option?
As an alternative resolution, we would find it acceptable if the pending patents were granted to a non-profit organization such as ISOC and licensed under sufficiently open terms.
This, OTOH, is a valid option and should be exercised but I highly doubt it will be for obvious reasons.
It still wouldn't enable the license to be compatible with the GPL.
No one has a right to their *own* opinion. They have a right to the TRUTH.
The wheel is turning, but the hamster is dead.
This is all about stopping forgery of the From: for domains that have registered their Sender-ID or SPF records. Spammers can still register a domain with authorization for any or all mail servers that they want, and continue sending out spam from zombied systems to their blackened and smoking hearts' content. They can continue to send spam for any other domains that allow forgery, like for alumni accounts or other drop box domains.
Sender-ID is only designed to stop phishing emails. So if you get an email from citibank.com, you can be reasonably sure it came from somebody at citibank.com, and not some guy's home pc, as long as citibank.com set up their records appropriately. That's all.
BTW, the reason the IETF is considering Sender-ID over SPF, is because it is highly probable that Microsoft can sue SPF out of existence.
This isn't meant to stop spam. This has nothing to do with stopping spam.
Everyone is entitled to his own opinions, but not his own facts.
In less than a week, IETF Last Call for this standard will be over. As of the moment, there is no consensus on the Microsoft patent issue. This will almost certainly prevent the standard from moving forward. The IETF is too divided on this issue for the standard to progress as it is.
Also, a clarification of how the IETF handles patent claims seems to be in order.
Patents are allowed in IETF standards under any terms that the working group feels are acceptable. In most cases, since the goal is to produce a standard which is useful to the largest group possible, patented methods are only used if the patent holder is willing to grant a very permissive license.
For example: The latest working group I was part of was SEND (SEcure Neighbor Discovery), a part of IPv6. SEND makes use of Cryptographically Generated Addresses, which are patented by Ericsson. Ericsson agreed to license the patent on the terms below:
In addition, for the CGA submission, if said submission is included in the IETF SEND standard and Ericsson has patents that are essential to the implementation of such included submission in said standard, Ericsson shall not assert any such patent against any company or legal entity using said patents in the IETF SEND standard. The Ericsson non-assertion is conditional upon such company or legal entity not asserting any patents within the IETF SEND standard against Ericsson. For all other purposes Ericsson's general patent license statement as referred to above, shall apply.
This is a fairly normal license for the IETF and was found to be acceptable. In almost every case where a patent is relevant to one of our standards, a licence statement such as this one is provided.
The Microsoft license is different, and has sparked quite a bit of discussion. Since this standard has a very large intended audience and there is significant concern over the terms of the license, unless Microsoft changes the terms of their license, this will stop the standard from progressing as is. Either the standard will be restructured to avoid using the methods claimed in the Microsoft patent, or the working group will terminate without a standard.
A lot of people are irritated about this.
I'm a signature virus. Please copy me to your signature so I can replicate.
Finally, as developers of open source e-mail technologies, we are concerned that no company should be permitted IP rights over core Internet infrastructure. We believe the IETF needs to revamp its IPR policies to ensure that the core Internet infrastructure remain unencumbered.
Amen to that. But why did the IETF open the door to patent-encumbered, proprietary material in Internet standards in the first place? Sounds to me as though the current IETF needs to be largely replaced.
some apache.org subdomains have txt records:
$ host -t txt xml.apache.org
xml.apache.org TXT "v=spf1 mx -all"
w3.org started rejecting forgeries based on SPF records about a week ago, and has been rejecting about 10000 forgeries/day since then, including:
52 jakarta.apache.org
18 xml.apache.org
a few other domains that have been forged and rejected according to their SPF records:
1628 amazon.com
222 gmail.com
175 redhat.com
129 lists.sourceforge.net
17 sourceforge.net
(numbers above are # of rejections in the first week)
An amusing anecdote from one of the creators of the programming language "Standard-ML" was that they only started calling ML "Standard-ML" to prevent someone else "standardising" it
"This means that Microsoft's forthcoming Caller ID patents probably cover SPF. That's the real problem here"
The ideas sure, they might cover SPF, but the patents cover implementation not ideas so it would be extremely difficult for MS to go after the ideas in SPF.
Also the exact nature of Microsoft's claimed 'IP' patent rights is not known yet. Most likely it's the same as their other XML patents, covering the layout of the XML, so not relevant to SPF at all.
At this point, MSFT is basically beyond the control of the United States.
I'm not talking about life and death. The Constitution was made to cover life-and-death, and keep those kinds of decisions in balance. We're talking about optimizing life. And within the confines of that issue, MSFT is un-touchable.
Like I've said before, if the revolution ever does break out, MSFT will be the first ones up against the wall. There will be a bunch of hippies up against the wall with MSFT, as well, simply because we know they don't have any guns.
Christ, we'd have a clean nation again. I don't know what we would do with ourselves. Probably, like, making space stations or something. Conquer space. I dunno...
1) That proper HTML can make or break your posts, and
2) You can't teach an overly-assertive and monopolistic monolithic multinational conglomerate new tricks. No matter how hard you try, they just make the DOJ roll over and take their Milkbone for "making an honest effort to cooperate with them."
where did you find the 10,000 number?
The wheel is turning, but the hamster is dead.
My fave MTA, courier also won't do Sender-ID, but sticks with good-ol SPF.
Does everything include nothing?
Nobody can fork the standard. The patent "grant" is for compliant implementations only. So it's Microsoft's document, Microsoft controlled and that's the end of it.
SPF also has another deeply fundamental flaw - it requires the ISP to be vaguely competent. That alone is fatal for many ISPs.
What in the world?
0 40220085910
:-)
Apache... criticizing a bad open source license... Whaaaaaa?
For those with no idea what I'm talking about:
http://www.undeadly.org/cgi?action=article&sid=20
http://yro.slashdot.org/yro/04/02/18/215242.shtml
http://www.apache.org/licenses/GPL-compatibility
On a different note, it's rather funny... In another few years, the OpenBSD guys will be maintaining their own forks of every open source project out there.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
"You're just repeating what I said."
Pretty much, but there are differences. Do you handle the eMail for a company? I'd like to compare methodologies.
"You need a good blacklist (you're maintaining your own, but Spamhaus does too, and you'd probably be better off using theirs at the MTA because at the MTA you can deliver a permanent fatal, but at the router..."
That's one of the differences. I want to drop the entire connection from the open relays. My method saves a bit of bandwidth over the Spamhaus method and saves a bit of Spamhaus' bandwidth. But I do recommend using Spamhaus as the next step in the process.
"Next, you need a way to defend against forgery. SPF does that just fine."
Yep. That would be step #3. Once you've denied connections from the open relays and filtered out the stuff Spamhaus knows, then you have to make sure that the stuff you are getting is legitimate.
And so on. But that is all from the RECEIVING end. Which still means that I'm losing bandwidth and disk space (SpamAssassin going through the spam).
Which is why I also want the ISP's to handle the zombies by cutting off the SENDING portion AND to throttle the amount of eMail that their users can send.
Which is why I listed the categories where the spam message is SENT.
#1. Open relays
#2. Zombies
#3. Spam-friendly ISP's
You've set up 4 levels of defense which handle almost all of your spam. I'm also focusing on defense in depth, but I'm cutting off some of the connections before they're even established.
In the last 24 hours:
13440 messages received
7489 classified as spam
62 identified as viruses
Only 5 false negatives have managed to get through to the users (and one false positive from eTrade talking about instant home mortgages).
Right now, I have a handle on the spam problem. But every day I see the percentage of spam increase. Eventually, this will become a DDoS attack. My pipe will fill up with spam connections. I want to focus on preventing that problem BEFORE it happens.
First, those articles were very interesting.
I am surprised to see MS contributing to a discussion on email security, when they still haven't solved their own problems with Outlook, IE, et al. yet. IMO they are not qualified (at least in principle) to participate in such a discussion, much less dictate such things as I R in TA. And what were they thinking when they decided to slip the patented stuff onto the open standards discussion table?
1) they haven't secured their own products yet (hypocrisy, presumption)
2) they are trying to introduce patented material into open standards (disregard for open standards, desire to bend them to their own advantage)
If your registrar and your e-mail hoster aren't willing to support this, you should consider switching registrars. You don't need to run your own DNS servers, you just have to use a registrar and/or DNS service provider who does (e.g. EasyDNS, who I've been using for years).
It just comes down to this: if you aren't willing to learn how this stuff works, you need to pay someone who does. That's what you do with your car, your plumbing, your electrical wiring, etc. DNS and other Internet services are no different. It has nothing to do with how small-time you are. Eventually service providers will be brought into line when their customers ask "why does my e-mail keep getting rejected by X?" This sort of thing will, eventually, be no different than requiring licensed electricians to do electrical work (except that market forces, rather than government regulations, will provide enforcement).
Expanding a vast wasteland since 1996.
On the 27th of last month, the author of the Courier mail system, Sam Varshavchik, announced that Sender ID would not be supported by his MTA software due to the Microsoft patent problems, but that SPF would be. The following is a copy of that eMail.
:-)
--
The purpose of this message is to clarify my plans for any deployment of the Sender-ID specification in Courier (http://www.courier-mta.org).
Microsoft has made certain patent claims on the Sender-ID specification. Microsoft has issued the IPR disclosures and royalty free license required by the IETF. It appears that IETF's contemporary policies do not prevent the sponsor/advocates from including patented IP material into standards-track specifications, without even requiring the sponsor to actually enumerate and identify their intellectual property; a mere claim of the existence of some nebulous IP rights is sufficient, which can be revealed at any point in the future, at the sponsor's discretion.
The current development version of Courier implements the original SPF-classic specification, that predates Sender-ID. This will be rolled into a forthcoming release. I'm quite pleased with the results so far -- there are a lot of classic SPF records in existence, as witnessed by my mail logs
It will not be possible for me to implement Sender ID in Courier. Courier is licensed under the GPL. The FSF already flatly stated that Microsoft's IP license is not GPL compatible. I reviewed the most recent version of Microsoft's proposed IP license, and I've reached the same conclusion. For this reason Sender ID cannot be implemented in Courier; Courier's implementation will be limited to the unencumbered SPF-classic.
--
Sam Varshavchik
http://www.courier-mta.org
Isn't patentable code going to find its way into open source no matter what happens?
How are we going to be able to keep track of all the proprietary code to prevent it from leaking into the Linux codebase?
Seems to me the patent system on software needs to be stopped. Is there any way to make that happen?
Sorry for the offtopic, but I was just thinking about that while reading about senderid. Microsoft must have an idea that they can break linux eventually by producing enough proprietary code?
No, instead, they tie it up in legalese and patents because, in Microsoft's eyes, they must make money from it. Consequently, it will not be an Internet standard so Microsoft will either use it and increase their incompatibility with everyone else or just drop the whole thing altogether.
Well done to ASF for rejecting it because the moment the Internet standards start becoming controlled is the moment the Internet starts to die.
Gentoo Linux - another day, another USE flag.
> a few other domains that have been forged and
> rejected according to their SPF records:
>
> 1628 amazon.com
> 222 gmail.com
> 175 redhat.com
> 129 lists.sourceforge.net
> 17 sourceforge.net
222 messages with Gmail return addresses blocked by apache.org based on SPF records published by Gmail? How many of these were legitimate gmail users that were blocked?
I don't see how Gmail can publish SPF records that do not allow the whole internet (which would result in no rejected messages). How do they know what SMTP servers their users are sending from? Gmail doesn't provide SMTP service to its users (except thru the web interface that is quite limited). Gmail's publishing any kind of SPF record that does not allow sending from anywhere would break the way some people use it (sending using other services, receiving replies with Gmail). Gmail's TOS doesn't forbid using a Gmail return address on email sent from elsewhere.
It is reasonable for amazon.com or redhat.com to limit the list of servers that can send email with return addresses in their domains, as these domains are used to send email only by these organizations' employees. But an email service provider that serves customers and doesn't publicise any restrictions on the use of return addresses shouldn't employ SPF without making it clear that only their SMTP servers can be used to send when a gmail return address is used.
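How a receiving server evaluates a record like the `v=spf1 mx -all` quoted earlier in the thread, and why mail sent through a third-party SMTP server with a webmail return address gets the same result as a forgery, as the comment above points out. This is an added example, not code from the thread or from any project it mentions; the domains, addresses and the `lookup` helper are constructed, and only the `all`, `ip4`, `ip6`, `a` and `mx` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data using documentation address ranges; not real records.
DNS = {
    ("example.org", "TXT"): ["v=spf1 mx -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("webmail.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query (hypothetical helper backed by the table above)."""
    return DNS.get((name.lower(), rtype), [])


def matches(mech, arg, ip, domain):
    """True if the connecting IP satisfies one SPF mechanism."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    # "a" checks the domain's own addresses, "mx" those of its mail exchangers.
    hosts = [arg or domain] if mech == "a" else lookup(arg or domain, "MX")
    return any(ip == ipaddress.ip_address(addr)
               for host in hosts for addr in lookup(host, "A"))


def check_spf(client_ip, mail_from):
    """Evaluate the envelope sender's SPF record against the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.rpartition("@")[2].lower()
    records = [r for r in lookup(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"          # domain publishes no policy
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech not in ("all", "ip4", "ip6", "a", "mx"):
            return "unsupported"   # outside this sketch (include, redirect, ...)
        if matches(mech, arg, ip, domain):
            return QUALIFIERS[qualifier]   # first matching term decides
    return "neutral"           # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "dev@example.org"),
                       ("203.0.113.77", "dev@example.org"),
                       ("198.51.100.25", "user@webmail.example"),
                       ("203.0.113.5", "user@webmail.example")]:
        print(ip, sender, check_spf(ip, sender))
```

The last sample pair is the forwarding case: the check sees only the connecting IP and the envelope domain, so a real account holder relaying through another provider is indistinguishable from a forger.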
For the average person, the ISP can charge $X.
But a lot of their server ports are blocked. Including outgoing SMTP.
For anyone else, they can pay $X+y(z).
The base price, plus the cost of opening a port times the number of ports opened.
"I run a webserver, I use cable on my home account. I consider it my right to run my webserver because I'm paying for internet access."
You're free to believe whatever you want to believe. But it is the ISP's call on that.
"If they did, or even hinted they were going to, I would be off like a shot to DSL and never look back."
With DSL, you still have an ISP.
woot
http://www.npcgaming.com Dedicated Gaming Servers
Looks like it will take an Apache to bring the Cowboy down.
And sort -u helps avoid unnecessary use of uniq, but is sort -u | grep -c X as fast, as readable and as classy as grep X | sort | uniq | wc -l -- not to even mention perl '-le/X/&&++$_{$_}while;print+0+%_' -- is it? Furthermore, one might argue that avoiding Slashdot helps avoid unnecessary waste of time, but that didn't stop me, now did it?
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
And sort -u helps avoid unnecessary use of uniq, but is sort -u | grep -c X as fast, as readable and as classy as grep X | sort | uniq | wc -l -- not to even mention perl '-le/X/&&++$_{$_}while<>;print+0+%_' -- is it? Furthermore, one might argue that avoiding Slashdot helps avoid unnecessary waste of time spent on writing garbage and subsequent correcting said garbage, but that didn't stop me, now did it?
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Troll is a badge to be worn with pride. I resent you suggesting otherwise.