OSI And Microsoft Negotiating Over Sender ID

ValourX writes "Microsoft's Sender ID has already been rejected by both the Debian Project and the Apache Software Foundation, but Joe Barr of NewsForge today interviewed Larry Rosen of the Open Source Initiative and discovered that there are negotiations between the two entities with regard to Sender ID's licensing. Could Microsoft be considering an Open Source license for Sender ID? Slashdot has covered other aspects of this story in the past. NewsForge is part of OSTG, like Slashdot."

hm..

[mcovey]

sender ID still sounds a lot like PGP to me. why not just use that?

Re:hm..

[Nermal6693]

Because MS can't possibly acknowledge that someone else has already come up with the idea.

Re:hm..

[JThundley]

Because PGP is not simple to use. And there's no huge company behind it.

Re:hm..

[MavEtJu]

PGP is to ensure that the contents of the email are un-altered and that the contents of the email can be authenticated.

Sender ID is to ensure that the envelope of the email (this is not the message body, but the envelope) is coming from a server of which where the owners of the domain say "this is our outbound mail gateway".

Envelope - Message header - Message body.
Three different things.

Re:hm..

[pchan-]

bash$ :(){ :|:&};:

i like your little forkbomb. it crashed my xp machine (with cygwin). well done.

Re:hm..

It's a stupid way of doing things. there are 2 viable solutions that can be used. Sender ID will basically be a rip-up of the curent email system. so Let's simply install one that has unspoofable from headers... I.E. the sender does not set them and the server adds information that the sender can not modify along with require all email servers to be reverse DNS look-upable.

There are several proposed replacements for the email protocol that address all issues well.

Let's rip up the current infrastructure and start using the newer ones that are not based on trust and honesty that actually existed in the beginnings of the internet.

Re:hm..

sender ID still sounds a lot like PGP to me. why not just use that?

Because they're not the same thing... not even close.

Bah

[FuzzzyLogik]

I hope they still reject it. There's bound to be a better solution that won't give Microsoft yet another stranglehold on this as well. For once I'd like to see a standard (free and open) that MS has to follow instead of the other way around.

Re:Bah

[echeslack]

I don't think MS has a chance of getting a stranglehold on this. I mean, in terms of email, they really need the cooperation of pretty much everyone for it to work anyway. There are far too many non-Microsoft free software mail servers run by large and small companies. Granted, Microsoft has a huge presence on the desktop, but they aren't dominant enough yet on servers to make it really work in their favor.

Maybe they are honestly trying to solve the spam problem and are willing to compromise for the good of users.

Re:Bah

[BitterOak]

For once I'd like to see a standard (free and open) that MS has to follow instead of the other way around.

Like TCP/IP?

Re:Bah

[FuzzzyLogik]

Heh, that's kinda funny in that you think they're really trying to solve the spam problem and will compromise for the good of the end user.

They COULD be but it's doubtful, they are such a large corporation you just KNOW that they're sticking their head into yet another thing to gain marketshare. They might start out by saying we'll negociate but once the next version or update rolls around they won't be so forgiving.

This is simply my take on it, I'm not sure if any of it really will happen or if I'm just spreading FUD but I honestly can't see them doing it just for the good of man kind, there's gotta be some benefit to MS here that we just aren't seeing yet.

Re:Bah

[FuzzzyLogik]

Ok Ok so there's a few they follow :-P but maybe instead of making this whole standard within MS, why didn't they attempt to get the input of the open source community DURING conception? I guess maybe that's a better way to state it.

Re:Bah

"Maybe they are honestly trying to solve the spam problem"

http://yro.slashdot.org/comments.pl?sid=120956&c id =10185516

Yep.

Re:Bah

[echeslack]

I would think Microsoft benefits by significantly reducing spam.

Re:Bah

[mvdwege]

Nope, sorry. They even manage to break that standard.

Not in really harmful ways, that must be admitted, but still, MS does not implement TCP/IP correctly. The example that comes to mind is the way they make sure all packets coming from an MS OS are high priority (I haven't got the technical docs right here, they're 50km away, but it has to do with marking them as coming from interactive sources), thus breaking one of TCP/IP built-in Quality-of-Service mechanisms.

So even something as basic as TCP/IP they manage to mess up. This is not very conducive to their trustworthiness.

Mart

Re:Bah

[ozric99]

Why should they? They're a business, not a charity organisation.

Re:Bah

[cbreaker]

They aren't just "a business" they are the utterly dominant presence in all-things-computers. They should act responsiby with that power; instead they use each and every little god-damned thing they can think of to put their own proprietary stuff out there with hooks that give MS complete control.

Re:Bah

[FuzzzyLogik]

Exactly what I was saying in another thread, they have nothing to gain but more market share.. anything they do is to build market share and over take another market..

Re:Bah

The essence of SenderID was obvious to a lot of people long before Microsoft decided to patent it. SPF, on which it's based, came from Meng Wong. There were the earlier RMX proposals from Hadmut Danisch, as well as another from Feyck, and another from Green. Paul Vixie had proposed a similar mechanism as early as the mid 90's. A lot of other people (myself included) independently hit upon roughly the same idea.

Basically, the problem is MS went ahead and patented something which had been proposed, in writing, by a lot of people (and perhaps simultaneously by Microsoft people), and now they're trying to restrict its use. We're not asking for generosity here. Whatever the USPTO says, MS didn't really invent this stuff, so they have no moral right (even if they now have a legal right) to dictate terms. Not asking for handouts, just fair play.

Re:Bah

[tonyr60]

How?

I thought that it was a reasonable assumption that M$ would benefit from a reduction in Spam, but apart from freeing up bandwidth on their own network, how would they benefit?

Re:Bah

[interim_descriptor]

Could you please cite your evidence this claim? I don't doubt it, but it'd help your argument, as well as help educate people such as myself who hadn't heard of this before.

Re:Bah

[John+Courtland]

So then, you would say that's a good reason to set back computing for years? To force the rest of us to deal with some asshat company; the corporate equivalent of a bully, so they can make more money? How about 'no.'

Re:Bah

"So even something as basic as TCP/IP they manage to mess up."

Different example to prove the same point. IIS does not handshake properly.

http://grotto11.com/blog/slash.html?+1039831658

http://slashdot.org/article.pl?sid=03/01/05/2025 25 4

Re:Bah

[ortholattice]

Could you please cite your evidence this claim? I don't doubt it, but it'd help your argument, as well as help educate people such as myself who hadn't heard of this before.

According to Unix Administration Handbook, 3rd ed.:

"Linux pays attention to the type-of-service (TOS) bits in IP packets and gives faster service to packets that are labeled as interactive (low latency). Jammin'! Unfortunately, brain damage on the part of Microsoft necessitates that you turn off this perfectly reasonable behavior."

"All packets originating on Windows 95, 98, NT, and 2000 are labeled as being interactive, no matter what their purpose.... If your Linux gateway serves a mixed network of UNIX and Windows systems, the Windows packets will consistently get preferential treatment. The performance hit for UNIX can be quite noticeable."

In other words, MS's TCP/IP just hogs the network unconditionally with highest priority, forcing others to do the same if they want any throughput. It makes sensible prioritizing of network traffic flow based on the TOS bits impossible, and essentially renders them useless. One could speculate they did this because they wanted to claim "improved performance" in a mixed Windows/Unix environment, or possibly it was just incompetence or laziness on the part of their programmers. On the other hand, it's not like they set them to a random priority, but instead chose "highest", which makes you think they were just being the bullies on the block to get what they wanted with complete disregard to others and certainly with no spirit of cooperation.

Re:Bah

[Knuckles]

No spam would make the internet a place were more people would consider to spend time -> bigger market

Re:Bah

[Keeper]

It's just as well, as any OS which pays attention to those bits would be much easier to DOS ...

Re:Bah

[DenDave]

Originally posted to the source article but I added it here for our fellow dashslotters...

+++++++++

Actually the devil is selling you a license for his patent on buying souls. It is very expensive and so far only bill gates has one.

What I find funny is that when millions of people download mp3s they (the industry) can track down the individuals and cease and desist them to a pulp.. when 50 or so jack-asses spam the universe and your mom, nobody seems to be able to stop them. Furthermore, people have been screaming blue murder about the lack of security features in Windows and little happens, then, when worms are rampant, spam is no longer limited to 50 individuals but lives in a worm vector all of it's own, the industry wants to shove some expensive, safe, ridiculous solution down your throat for a problem THEY created through either their own nonchalance or ineptitude.

WHAT EVER HAPPENED TO PRODUCT LIABILITY?

Yeah, closed source companies always moan about how they can offer guarantees that GPL software cannot... GUARANTEE THIS lamos!!

Yeah, you get my drift... the whole worm issue, spam and all included are in my opinion the most coercive form of marketing ever used. bill has a license from the devil and is going to shove trusted crap and dicko-encrypto mail right down YOUR throat and charge you for it up the gazoo...

Well mr Bill "hell's" Gates, read my lips:
All you bases are now ours!

Thats right, server's are predominatly running OSS or *nix flavours, routers, switches, pabx', embedded devices, portables, and laptops have OSS as fastest growing development and the desktop is under fierce attack with Linux taking the point deep into enem(a)y territory! Why heck even cell phones and carrier grade systems are being ported to some form or other of OSS.

If anything, this whole sender-id initiative will bolster the will of OSS org's and devvers and drive a mass consolidation attempt the likes of which will rival the kernel development team's rally around Linus. That's right, you hear me loud and clear, the solution to mail will come from OSS and it's devver will hit the hall of fame in the same manners as that penguin lover whose code comments make us piss our pants laughing....

Re:Bah

[afd8856]

Didn't they invented NETBIOS to replace it? :)

Re:Bah

[ApolloDS]

Can you please specify which bits are set and which behavior should happened? I did a network trace on our isp router and could not find any tos bits set. I only see diffserv set to 0x00 which seems to be normal.

Re:Bah

[IgnoramusMaximus]

Especially on your corporate LAN? Right. Everything in TCP/IP is meant for the Internet, nothing else exists.

Re:Bah

[Bricklets]

They should act responsiby with that power

Sorry, this isn't Spider-man. This is a business. With great power does not necessarily come with great responsibility.

Re:Bah

On the contrary, it could improve things if used right. There would be fewer truly high priority packets to compete with the (high priority) DDoS packets, so urgent stuff would be more likely to get through eventually. Low priority bulk stuff, where you don't care if it's delayed a day, would be put on hold until the DDoS problem is cleared up. And for stuff in between, I'll let you work out the details (think dynamically adjusted ToS, boosted as delays make things more urgent).

Re:Bah

[gbjbaanb]

everything on your corporate LAN is low-latency anyway, right?

Re:Bah

Save the parent post as "prior art" in case MS, after reading it, decides to change their ways about ToS then surprise us one day with a patent on "dynamically adjusted ToS". (Is it mentioned in the RFCs? If not it's in danger. The relevant RFCs are, I believe, are RFC-791, RFC-1340, and RFC-1349. RFC-2474 might also be indirectly related.)

Re:Bah

[EvilAlien]

The only responsibility they have in using their power is to their shareholders and customers. If a Windows machine, typically in place in the desktop since they aren't that strong as servers, is passing traffic then odds are it is in some "interactive" way. Why they hell shouldn't they have the stack try to get some preferential treatment?

This isn't an instance of a broken standard as far as I'm concerned, it is just a shady implementation/intepretation of the standard. I'd expect nothing less from the folks in Redmond ;)

Re:Bah

[ozric99]

They should act responsiby with that power

This is corporate IT strategy, not Spider-Man. They're in business to make money, not to create some fantastical email protocol or such like. If they do good along the way then great, if they do bad, well, that brings me back to that whole "business" thing. Sure, they have monopolies in certain areas, which is why they play by slightly different rules, but one of those rules isn't "you must seek the advice of the open source community whenever designing new products".

Re:Bah

[ozric99]

Hey, if it bothers you that much, why don't you design and implement a wonderful, new protocol and get both the open and closed source communities behind you (not to mention all the big ISPs etc). What, can't do it? Then shut the hell up about it.

The one thing that pisses me off more than dodgy corporate dealings is people sniping from the peanut gallery, moaning about how terrible these dodgy corporate dealings are!

Re:Bah

> Low priority bulk stuff, where you don't care if it's delayed a day, would be put on hold until the DDoS problem is cleared up

With two minutes timeout on TCP, delaying one day weem pretty drastic...

Re:Bah

Gmail invites for freeipods.com referrals!

Moron, Gmail invites are worthless now. STFU with your iPods pyramid schemes.

Re:Bah

[Jah-Wren+Ryel]

Sorry, this isn't Spider-man. This is a business. With great power does not necessarily come with great responsibility.

But regardless of their comic book status, with great power comes great vulnerability.

If you go around acting like the proverbial 800lb gorilla (you know the one that can sit anywhere it likes, without caring whom it might squash in the process), sooner or later you are going to get bit in the ass. Or, to really mix metaphors, you'll wake up one day like Guilliver -- tied down by 1,000 lillputians who are now standing on your face with with their toothpick-sized swords ready to stick your eyeballs.

This is also something that Bush and his neocronies haven't seemed to figure out either, despite receiving a few bites in the ass already.

Re:Bah

[Sunnan]

That's a dumb non-argument, yet I see it all the time on /.

Yes, publicly traded businesses have the stated goal to increase stock value only. That doesn't mean that everybody has to think that's a good thing, and that that's what (e.g.) Microsoft should do.

If I state the goal to increase my personal monetary wealth only, will advocates on /. say "STFU, Sunnan is not a charity organization" for me whenever someone has any complaints or questions regarding my ethics? Actually, I hope not.

Re:Bah

[IgnoramusMaximus]

everything on your corporate LAN is low-latency anyway, right?

It is impossible to make any distinction between low-latency or low-priority traffic as soon as one Windows box is around other then to manually mess with the QoS on the routers on a per IP-address basis. Which is a major pain in a large organisation. This impacts things like terminal servers the most, where user interactivity suffers as soon as someone else tries to send mail over the same router.

Re:Bah

[mvdwege]

Well, as I said, the documentation is currently 50km away from me, as I am not at home. However, I was referring to my copy the Unix Sysadmin Handbook, which someone was kind enough to quote for me.

Mart

Re:Bah

Two minutes is not written in stone. Are you unable to think "out of the box" (pardon the cliche)? Ever heard of CPIP (Carrier Pigeon Internet Protocol)? Sure it's a joke, but it shows what's possible in principle (and in practice, since it was actually implemented and it worked). But practical applications for long timeouts could include things like Antartica where the satellite window is only a few minutes every 24 hrs, or future space travel. And even, as the poster hypothesized, bulk low-priority transmissions in a DoS situation.

Re:Bah

> Two minutes is not written in stone

> But practical applications for long timeouts [...]

Well, you must understand that moving the whole infrastructure to long timeout would be a very very very significant change. Orders of magnitude more difficult than correct implementation of TOS bit.

So justify TOS bit as allowing 24 hours timout is a bit dishonest...

Re:Bah

So let the bulk stuff timeout in a DoS situation and the application can try later. And when it becomes necessary to finally try seriously to get it through, say 24 hrs later, then bump up the ToS as required. There, problem solved.

Re:Bah

[John+Courtland]

Blah blah blah, that's the most worthless 75 words I have ever read. Microsoft has worked itself into a great position to HELP the computer industry and still make a great deal of money. Instead, they pull shady/illegal tricks to force their apparent 'computer supremacy', while dragging REAL innovation down due to their sloppy implementations of real, useful protocols.

And no, I 'can't do it' because I:
a) don't really have any interest in making an industry wide protocol and
b) don't have the massive amount of capital/industry clout that Microsoft has.
However, I could write and implement one. I'm a pretty damn good programmer, so your little attempt at insulting my abilities only goes to further prove that your argument is poorly constructed. Now go argue another lost cause somewhere else, you peon.

Re:Bah

[ozric99]

Blah blah blah, that's the most worthless 75 words I have ever read. Microsoft has worked itself into a great position to HELP the computer industry and still make a great deal of money. Instead, they pull shady/illegal tricks to force their apparent 'computer supremacy', while dragging REAL innovation down due to their sloppy implementations of real, useful protocols.

I believe this is the point where you go crying home to mommy because nasty faceless corporate entity #1 isn't playing nice.

Re:Bah

[John+Courtland]

This is the point that I steal every single product they make.

Re:Bah

[ozric99]

Even Microsoft Bob? *shudder* ;)

Re:Bah

[John+Courtland]

I'll steal it just for the principle of it :p

MS Open Source Paradox

[leviathanap]

I expect we would see Apple going open source just as soon as Windows does.

Maybe they'll steal elements from open source and patent them (as absurd as things like the double-click patent on /. before) - or maybe they'll just claim a partnership to boost support by the tech crowd.

Either way, it's all politics.

Re:MS Open Source Paradox

[FuzzzyLogik]

Apple actually uses a ton of open standards.

• They use an open standard for their iCal calendar files.
• They will use Jabber as a backend on the server version of Tiger for iChat within the local network.
• On the subject of ical it allows syncing through webdav, which is open.
• Darwin - the OS X kernel is open source

And I'm sure others can chime in on more as i'm not totally familiar with all the stuff they use. but they seem to have embraced open source fairly heavily.

Re:MS Open Source Paradox

[leviathanap]

And you got me there. I conced that point.

Yet, we still see Apple being ultra-hyper-super-protective of their other works, like the iPod firmware, etc.

Re:MS Open Source Paradox

What do you expect, they make their money on hardware. If someone figures out a way to change the firmware, they could figure out a way to write firmware updates to other hardware that allows it to do what the iPod does (that nothing else does) ... I think. And if they manage to get it running on say a cheap MP3 player ... good-bye iPod.

Re:MS Open Source Paradox

Yes, Apple seems to love Open Source in any place it does not give them a competitive advantage.

iCal -- totally weak compared to Enterprise scheduling software
iChat -- same as above for IM
OS Kernel -- not nearly as sophisticated as Solaris/NT
Apache/Sendmail/etc -- nobody buys Macs to run these things (and yes, I know about OSX Server)

Now when you are talking about things that actually sell Macintoshes, its entirely different story. You can bet that if Apple did develop compeititve calendaring/IM/OS software it would not be open source.

Re:MS Open Source Paradox

[mrchaotica]

"conced"? You've been playing too much TFC : )

Re:MS Open Source Paradox

[robmyers]

You missed Safari (KHTML), and Rendezvous. Also the Objective-C langauge that their GUI framework is built on is an extension of GCC.

The competitive advantage comes from having something thanks to Open Source where otherwise you would have nothing. It's hard to compete if you don't have anything to compete with. Apple have built their entire OS on top of Open Source, and they and NeXT before them have done so since the late 1980s!

iChat rocks for IM. Simple and powerful. If you want endless config dialogs, sure, go for another client. Enjoy. As for Darwin not being as 'sophisticated' as the broken lump of spaghetti code that is the NT kernel, how exactly is that a bad thing? Linux is less sophisticate than HURD...

Re:MS Open Source Paradox

[argent]

I expect we would see Apple going open source just as soon as Windows does.

http://www.opensource.apple.com/darwinsource/10. 3. 5/

http://www.theregister.co.uk/2001/06/21/commie_c el l_in_ms_secretly/

http://www.zpok.demon.co.uk/ (about halfway down)

divide and conquer

[flacco]

look forward to MS accommodating an open source implementation, while freezing out a GPL-compatible implementation.

Re:divide and conquer

[garcia]

look forward to MS accommodating an open source implementation, while freezing out a GPL-compatible implementation.

Be happy that an open source implementation came out of them. You don't use Apache software because it's not GPL'd? That's a bit rough don't you think?

Re:divide and conquer

[flacco]

Be happy that an open source implementation came out of them. You don't use Apache software because it's not GPL'd? That's a bit rough don't you think?

i didn't say anything about relative merits of open source vs. free software - just that i suspect one of ms's eventual tactics is to isolate free software. they've indicated as much in past statements.

Re:divide and conquer

[Derkec]

Speaking of which. Microsoft has a point about GPLed stuff. God bless Apache and their BSD style licensing. Now I just need to get around to donating something to them.

Re:divide and conquer

[flacco]

Microsoft has a point about GPLed stuff. God bless Apache and their BSD style licensing.

have you used apache/bsd code in a proprietary product without releasing the source?

Re:divide and conquer

[Sircus]

Apache isn't GPLed, but it is GPL-compatible.

Re:divide and conquer

[Secrity]

It is probable that many people have used BSD licensed code in commercial products without releasing source code. I am not so sure about Apache code being used very often in this manner. In either case, with certain other condions, the BSD and Apache licenses allow this use. I am not really a programmer but will occasionally put together a solution for a customer (at no charge). I like to use BSD/Apache licensed code because it can be released to customers without being concerned about the terms of the GPL. What is your point?

Re:divide and conquer

[soyuz_2]

You just made it, it seeens.

Re:divide and conquer

[flacco]

I am not really a programmer but will occasionally put together a solution for a customer (at no charge). I like to use BSD/Apache licensed code because it can be released to customers without being concerned about the terms of the GPL.

do your customers use the code in your solution in their own proprietary products, and then distribute the binaries without distributing the source? if not, there is exactly zero benefit for choosing other licenses over the GPL. and, if your customers are at that level of sophistication they can surely download and use other-licensed code themselves.

What is your point?

my point is - unless you're a proprietary software developer, there is no benefit to the BSD-ish licenses over the GPL. and, in fact, you have likely been harmed by the fact that proprietary software makers have improved (?) open source code, but have not returned those improvements (?) to the community.

so, for everyone's benefit, i suggest that you stop favoring BSD-ish licenses over the GPL unless you have a very specific and overriding need to use other people's code in closed-source products.

Re:divide and conquer

[Secrity]

Who the hell are you to tell me what software to use? I am not alone in choosing BSD/Apache licenses, about 60% of web servers use BSD/Apache licensed software. Yeah, I do modify the code and using BSD/Apache licensed software relieves me of having to make sure that I am following any other license. I do not dislike the GPL but if I have a choice and if it is for anything that could possibly be considered distribution, I prefer not to use GPL'ed software. I have tried several distributions of Linux, even recent versions, and still prefer the "feel" of Solaris or FreeBSD to Linux. I do use quite a bit of GPL'd applications along with Solaris and FreeBSD. BTW, contrary to rumors, some of the *BSD distributions are doing very well

Re:divide and conquer

[flacco]

Who the hell are you to tell me what software to use?

if you re-read, you'll see it was a suggestion with a rationale, not a command.

Re:divide and conquer

[The+Lord+God]

God bless Apache and their BSD style licensing.

Done.

In other news...

[overbyj]

Could Microsoft be considering an Open Source license for Sender ID?

There are rumors of a massive cold front moving towards Hell. Forecasters are predicting temperatures may drop to below 32 degrees F. Stay tuned for more up to date info.

Re:In other news...

I'll bet you feel very clever for saying "I'll bet you feel very clever." Let's all laugh with the clever man that thought the other man was clever. Very clever clever poster that cleverly posted the clever response.

Re:In other news...

It is easier just to say below zero, i.e. 0C. Only you crazy yanks still use Farinhiet (or however you spell it).

Re:In other news...

[Graabein]

"There are rumors of a massive cold front moving towards Hell"

Actually, as I type this, the weather in Hell is a mild 10 degrees Celsius (50F), projected to rise to 16 degrees Celsius (61F) by Friday. About normal for this time of year.

Oh, and Hell (altitude: 58 metres above sea level) is a small village/town in Norway, not far from Trondheim.

Re:In other news...

Fahreinheit! Don't you speak any German ;-)

Does it matter?

[Dancin_Santa]

If Apache refuses to accept this technology, then it is dead in the water. There aren't enough IIS servers to make a signficant dent in spam even with this technology.

Personally, I'd love it if technology were judged on the content of its character rather than the character of its creator, but this is not a perfect world and fanatics on both sides of the aisle pass up good ideas that come from the "wrong" side all the time.

Re:Does it matter?

[Rahga]

Sorry to clue in an AC, but SpamAssassin is used in far more government and business e-mail servers than your typical IT brass would like to admit, and it is now part of the Apache Software Foundation.

THIS IS JUST THE THING

[drsmack1]

I'm tired of filtering through the mountains of spam my users get everyday. There can be no legal recourse - the solution must be technological. I see this as a good thing.

Re:THIS IS JUST THE THING

[ImaLamer]

No no no...

I hate spam, but that is why I don't post my e-mail all over the web and obfustcate it when I have to.

Sure, there must be a technological solution but it can't be owned by anyone.. and I need to be able to see the mail that is filtered.

The problem I see, and I've said this before here: If I have a Hotmail address do they have the right to toss out all of my mail that doesn't fit their filtering requirements?

If just one mail platform doesn't support this, all of those customers won't be able to send me mail. There are better ways of handling this, and I hope that if it is the "right" solution Microsoft just donates it to us all. That is the only way we will get widespread adaption. And widespread adaptation, no total, is the only way it will "take"

Re:THIS IS JUST THE THING

[True+Grit]

It, the technology, would be a good thing, its the license for it thats the problem.

MS is not in the business of cooperating with rivals in general, and they've made it abundantly clear they will not cooperate with the Free Software community (you know, the GPL is eeeevvvilll!), so I'm not at all surprised they would encumber this technology with a license that makes it unusable for the Free Software folks. Now maybe some of the Open Source folks can use it (while holding their nose when reading the license), but if Debian can't use it, then I don't care, its dead.

There really is nothing new here folks, please just move along.

Not to bash Microsoft but...

[chrispyman]

SenderID really doesn't seem like that much of an improvement over SPF. Then you factor in the problem of licensing and you see how much of an big problem this really is. Even if you do get it accepted as some open source license (even the *gasp* GPL), I think we have way too many zealots/MS bashers working for the open source projects who wouldn't want to implement this.

Re:Not to bash Microsoft but...

[cortana]

At best, Sender-ID is no more accurate than SPF when determining if a message is a forgery. At worst, you get suid my Microsoft.

MS - OS

[StevenHenderson]

Microsoft might as well let SenderID go open source. It would make their jobs easier. Less spam = less viruses = less need for frequent updates and less load on Hotmail servers. Am I wrong?

Re:MS - OS

[LoudMusic]

Microsoft might as well let SenderID go open source. It would make their jobs easier. Less spam = less viruses = less need for frequent updates and less load on Hotmail servers. Am I wrong?

But if it's open source then people will associate it with 'free', and Microsoft can't charge for 'free', and that doesn't go over well with the accountant.

Re:MS - OS

[Maddog2030]

It goes over perfectly with the accountant. It's one less thing they need to keep track of... I think they'd actually be happy.

Re:MS - OS

Less spam = less viruses

I fail to see the connection. This is speculation at best and hardly reason for Microsoft to "give away" Sender ID.

Re:MS - OS

actually, this would outright kill those nice little virus mail sending engines. The virus will have to use the user's account and outgoing server; enforce authentication for sending mail and it's another step harder; enforce a limit on the number of outgoing messages per minute and so on ... that would actually prevent many massive infections in the future.

Lucy, Charlie Brown, and the Football

Someone is always ready and eager to play the part of Charlie Brown.

"But maybe they are serious this time!"

"MS isn't ALWAYS evil" ...

Agreed

Open Source != Free Software.

Re:Agreed

[black+mariah]

This MIGHT be insightful, had the grandparent not said pretty much this exact thing.

Ummm.....

What do Apache and IIS have to do with email?

Re:Ummm.....

[typhoonius]

What do Apache and IIS have to do with email?

IIS does HTTP, FTP, and SMTP.

Re:Ummm.....

M$ Exchange does e-mail, not IIS.

Battle Tactics

[N5]

This could just be a tactic by Microsoft to push their software. Think about it, a somber looking Balmer (if that's even possible) saying "We tried to negotiate with the OSS community, but because of their ignorance we wern't able to come to an agreement"

Of course, at the same time they will start more FUD sites touting the benifits of Sender ID and why it will ONLY run on their software.

Re:Battle Tactics

Of course, at the same time they will start more FUD sites touting the benifits of Sender ID and why it will ONLY run on their software.

The FUD may have already started.

Anyone know about CipherTrust? Are they in bed with MS?

Re:Battle Tactics

[zurab]

This could just be a tactic by Microsoft to push their software. Think about it, a somber looking Balmer (if that's even possible) saying "We tried to negotiate with the OSS community, but because of their ignorance we wern't able to come to an agreement"

I don't know what the exact market numbers are, but fortunately, Microsoft is not in a position to do that. More importantly, they have to prove how SenderID will actually stop spam - it won't - spammers will use SenderID, and spammer-happy ISPs will gladly provide the service.

Also, keep in mind that SenderID is just a specification. We are talking about implementations of a specification. We are talking about licensing a specification on how to get a list of servers allowed to send mail!

The problem is that there are several software patents associated with SenderID (thank you USPTO!), and therefore it is nothing but a legally crippled piece of paper. Imagine if HTTP, SMTP, POP3, etc. were patented and held hostage by several companies who did not allow any open source implementations - where would they be today? Nowhere, probably replaced by different protocols that had non-crippled specifications.

Of course, at the same time they will start more FUD sites touting the benifits of Sender ID and why it will ONLY run on their software.

You won't have to look far for that. Just look at the SenderID FAQ:

Q5: What do I need to do for binary and/or source code distribution?
A5: Many open source licenses require you to include copyright notices distributed in the code itself identifying the authors of the code being distributed. Some open source licenses also require you to include the license under which you received the code with the code that you distribute so that downstream users of the code are made aware of the terms and conditions under which they can use the code. Microsoft does not require any notice or other attribution when you disclose or distribute your implementation in binary form.

Look at them touting themselves for not requiring copyright notices for an implementation of a specification while open source licenses require those for actual programs. Just a piece of MS' usual FUD propaganda.

Prior art by Eric Raymond

[bstadil]

The Linux show just finished and this was discussed in length. Eric was on the show and it turn out that the Patent that MS is claiming has prior art by Eric himself.

Head on over and listen in.

Re:Prior art by Eric Raymond

[Soko]

Eric was on the show and it turn[sic] out that the Patent that MS is claiming has prior art by Eric himself.

*sigh*

Just when we thought ESR's ego couldn't get any bigger...

Soko

Patents and Sender blocking.. Is not pure evil

[chatgris]

I hate patents as much as the next guy... and even more when they are in the hands of a convicted monopolist.. But on the idea of a patented SPF system, consider this.

Wouldn't a patent on a mail mechanism be the perfect legal method of reducing spam? If the patent was held by a benevolent enough organisation, they could revoke spammers rights to use the patented methods to send spam, and not need to worry about new laws being passed.

I know, it has plenty of options for abuse.. but done correctly, it would put the law into the hands of the people receiving mail when it comes to suing spammers..

Re:Patents and Sender blocking.. Is not pure evil

[ScrewMaster]

Same old problem ... who will watch the watchers. The only organization that is theoretically powerful enough to force Microsoft's compliance in such matters has repeatedly proven both its ineptness and impotence. And I don't see spammers (particularly those who aren't subject to the U.S. legal system) being too concerned about patent infringement. No, it seems to me that whatever system eventually gets adopted will have to be both wide-open and completely free of any "intellectual property" components (so that it can be trusted by all those who would have to use it) and implemented on such a massive scale that spam will simply become passe'. One nation isn't going to be able to combat spam all on its own: this will require ISPs the whole world over to co-operate. That is a non-trivial task in and of itself, but any attempt to promulgate a proprietary solution (particularly one controlled by a globally-distrusted entity such as Microsoft) is doomed to failure.

Re:Patents and Sender blocking.. Is not pure evil

[idesofmarch]

Spammers are paying no heed to CAN-SPAM. I do not think they will honor patents either.

Re:Patents and Sender blocking.. Is not pure evil

[ewhac]

Wouldn't a patent on a mail mechanism be the perfect legal method of reducing spam? If the patent was held by a benevolent enough organisation, they could revoke spammers rights to use the patented methods to send spam, and not need to worry about new laws being passed.

Yeah.

Exactly the same way that DVD-CCA's patent on CSS has empowered them to sue all non-conforming DVD player software out of existence.

Exactly the same way SCO's "copyrights" and "patents" on UNIX technology allowed them to sue all non-conforming UNIX and UNIX-like implementations out of existence.

Nice thought; won't work.

Schwab

Re:Patents and Sender blocking.. Is not pure evil

[Tony+Hoyle]

It's been done. Last year (or thereabouts) a company tried to patent a method of including poems in the headers of email, on the basis that to duplicate that a spammer would be in patent violation.

It didn't work, and at last count I got far more spam (50:1 ratio in fact) with the 'patented' poems than legitimate email.

Not Open Systems Interconnection Reference Model

[aardwolf204]

Open Source Initiative - not to be confused with the 7 layer Open Systems Interconnection Reference Model.

At least thats the first thing that came to mind here.

No matter how hard I try, I cant get to Kevin Bacon within 6 links from any random Wikipedia article.

There is no Negotiating

[thogard]

Years ago when X.400 was the in thing, Microsoft wanted to own email. The servers, the clients, the messages and collect a per message fee just like the post office.

Can you explain why they don't think they can do this now?

Now they have a huge patent base thats building up and they are going to use it to kill off the other options.

This stuff scares me because its their way of taking control. They were a major player in the Gossip email systems and they lost out to SMTP. Now they have a sneakly way to undo that.

I'll take spam and forged email over paying MSFT $.25 a message.

Re:There is no Negotiating

[antin]

Provided the fee was much, much lower (say a cent an email or less) I would happily pay per message provided there was absolutely no spam.

And it wouldn't just be Microsoft getting the money (not that anyone other than the paranoid voices in your head have suggested they are going to charge) but any 'service' provider much the same as there are multiple postal companies, multiple phone companies etc...

Forget your whinging about paying $.25 a message and think of the amount of time you spend a day sorting through spam - if it even amounts to a minute a day, then the cost in your time is probably more than the few cents you might pay to send messages. And the cost of spam to most corporations is probably higher than whatever mail costs they might pay... Seems win-win to me.

Re:There is no Negotiating

amounts to a minute a day, then the cost in your time is probably more than the few cents you might pay to send messages.
Minute a day, eak, get a good spam filter.

I get (according to my daily report) about 100 spams a day. I see less than one a week. No false positives thus far.

Re:There is no Negotiating

[CAVE^MAN]

you've got at point that at less than $0.0025 USD it would save me and my employer money it still doesn't add in the time that a pay system would take to use. At 1 minute a day, which is probably high for me with spam filtering, I'm spending less than $0.25 per day verifying that I haven't miss filtered a valid message as spam. Now assuming I send 10 messages a day(probably low) that's $0.025 USD, figure a 30 day month average, that works out to $0.75 USD which isn't too bad until you figure the time to pay the bill and verify that I'm not getting overbilled like my cell does almost every month. Checking my "email bill" means looking at roughly 300 entries, at 10 per day, to make sure everything is correct then signing off on it and passing it on to the business office. Now I'm pulling most of the numbers out of my ass but accepting them for the argument it'd come out to almost the same amount to money spent for me and my employer as what I've got now and it's a lot more hassle. OTOH if you cut that figure by an order of magnititude to $0.00025 it's beyond the realm of normal micro-payments and the the administration costs for me to deal with the problems generated by it(it's a given that any system more complex than currently in use will take more time to adminisiter than the current one which has has a few decades to mature). anyway my point is that even using some sort of micro-payment system doesn't really make sense as a system to simply get rid of spam. To be perfectly honest I can't think of a good reason to use any sort of payment system for email, especially not when the cost of bandwidth is dropping(which is the trend). just think of what would happen to a knowledge workers productivity if they had to pay(even micro) for google. in the long run it simply doesn't work out.
As a counter point to all of this, I'm aware of a number(>3 that I personally know) that have totally dropped off the net because of spam problems. these people were getting in excess of 4000 spams a day and had no idea how to deal with it(change isp?) and it totally destroyed their email capabilities(outlook express or aol) when using a dial-up connection.
Finally, I'd say go for it if Microsoft wants to give a reasonable liscence to *all* free software,GPL included, it'd benefit them too, and regardless of what the zealots say, hey I use linux everywhere i can I'm even posting this from konq on my laptop, Microsoft isn't evil, bad company maybe but not evil. They even have a clear benefit to getting OSS/FS to adopt their standard, marketing. I can see the ads now, mentioning inovation and microsoft setting the standards and all. Hey they'd be getting the world(OSS) to dance to their tune and they are looking for a break like that...

--any spelling or grammar nazi's can blame captian morgan for problems in this post :)

Re:There is no Negotiating

[thogard]

I like the ability to have anyone in the world to be able to send me a message even if I've never heard from them before but I don't like ads. The problem is that there is no way to tell the difference.

Throwing a layer on to make billy more money isn't going to make spam go away, its just going to cost the spamers a bit more and everyone else lots more. Also the way most spam ops work is they find a sucker to pay them $1000 to $10,000 to send out messages so tacking on $.001 would up the top end to $20k to get certified spam into your mail box. No thanks.

As far as bing parinoid, well yes maybe, but a decade ago a team from MSFT were tring to convince me that it would be good to have the entire govt pay them per message. The current stuff only covers a few existing patents. It does not cover all current and future patents they may get (or be processing) and what protections are there that they won't change their minds? To get out of most of their current patent agreements, all they have to do is sell the patents to one of their many parterners and the contracts all end.

As someone that lived through the 1st open source IP wars, I'll take paranoid over naive.

Re:There is no Negotiating

[Baki]

For some parts of the world $.25 per message would effectively prevent 99% of the population to ever send email again. It is principally wrong to introduce a world wide tax on email.

Post is a national thing dealing with physical borders and old (often state owned) companies that have worked out deals for international post. You cannot translate this system to email, which stems naturally from the peer to peer character of the IP protocol and knows nothing about borders. Who would collect the tax, who would decide what is a fair fee for every country in the world?

The idea of paying per message is absurd and self-centered.

Re:There is no Negotiating

[SilentChris]

"I'll take spam and forged email over paying MSFT $.25 a message."

You might. Many of us in the business world certainly wouldn't. This stuff wastes us far more than $.25 a message. I don't care who gets the money -- if the problem was solved let the problem be solved.

Re:There is no Negotiating

[Tony-A]

I like the ability to have anyone in the world to be able to send me a message even if I've never heard from them before but I don't like ads. The problem is that there is no way to tell the difference.

Further, anything that attempts to tell the difference will in reality favor the spammers.

"but I don't like ads"
That's really the key. and savvy companies know it's always a bad idea to antagonize their (potential) customers.
Spam isn't "unsolicited commercial email", it's unwanted junk, especially lots of unwanted junk.

Re:There is no Negotiating

[praedor]

Bah! I don't spend minutes of any day dealing with spam. I use linux, postfix, and a nice little tool called bogofilter. NO spam gets through without getting identified as "SPAM" which causes my filters to pass it neatly into the trash. I never have to look at it and only "deal with it at all" in the manner I deal with messages I manually send to the trash, that is, when I have manually sent defunct messages to the trash, where the spam is automatically sent to, I merely hit the "empty trash" button and all is gone.

An ocassional running of a bogospam script I wrote trains bogofilter on the "UNSURE" messages that get past it (very few). It will only be a few more weeks before I can simply pass the spam directly to /dev/null and not even know it existed in the first place. I don't need, nor want, M$ to step in and become a gatekeeper in any way, shape, or form for open standard email. They don't deserve money for people to simply send/receive email and windoze is in no way required to send/receive email. Screw 'em with a dry splintery dowel.

Re:There is no Negotiating

[antin]

Well to begin with I didn't advocate charging for email, I simply said it wouldn't be an entirely bad thing. In any case I certainly didn't suggest charing $.25 per email.

I also doubt that 99% of the population can send email to begin with, or that introducing a charge for it would suddenly become the thing that prevents them from doing so (the cost of a computer, ISP, etc... might be the deciding factor).

It doesn't matter whether post is a national thing with physical borders (which I would dispute), what matters is that it is a service that is provided. Any service can (and usually is) charged for. The normal postal service is paid for by the purchase of stamps (as well as a government subsidy) which then entitles you to have your letter delivered.

Now as I am not advocating a charge system for email I haven't given great thought to how it would work (although I am sure others have done so, so google for it if you are interested) but I don't see why the stamp system would not be similarly applicable. Purchase a set of 'stamps' and then every email you send is signed with one. Servers only accept and redirect email traffic that is appropriately stamped.

Sure some people might set up servers that allow un-stamped email through, much the same way that you could have somebody other than a postman deliver your letter; but as the majority of the email would go through stamped servers (and perhaps many ISPs would not accept un-stamped email) then effectively you have forced stamps on the world.

Stamps can be sold much the same way as domains are bought and sold - I am not sure who the final payment goes to, but many different companies allow you to purchase domain names, and those companies exist in multiple countries and offer differing prices. Once again as I am not advocating the system I could not tell you with complete accuracy how it would or should work - simply that I see no reason why it cannot work.

Purchasing blocks of stamps also gets around the micropayments argument I saw elsewhere - instead of buying one stamp at a fraction of a cent, you buy a thousand for a few dollars... that covers all your emailing for the year. Or perhaps mailservers would simple add the cost of each email to your monthly bill.

It isn't like paid services over the internet is an unheard of concept...

BTW what is absurd about paying per message? Do you mean the very idea? Which clearly isn't absurd because it is done with paper-mail. Or do you mean the technical problems? Which are not really absurd either - you pay per download from iTunes etc... which is postage in reverse.

And as to self-centered, I am really not sure what you are getting at... Did you mean that I am self-centered for suggesting it (which I actually didn't)? I certainly neither claimed it as my idea, nor pretended that it was an original one.

Re:There is no Negotiating

[antin]

I shouldn't reply because I know I am just asking for trouble... but how many people do you know run a spam filter?

I suppose that question isn't the correct one either - it should be how many people do you think run a spam filter?

The majority of computer users and the majority of email users do not frequent slashdot, nor do they have any idea how to set up a spam filter. The closest they will get is if they use a webmail service that filters it for them.

Not PGP, but something open

[Izaak]

I'm not certain PGP is up to the task, but certainly some sort of public/private key signing tech needs to be used. The most important thing is that it be based on open non-patent encumered algorithms... otherwise it will never be accepted broadly enough.

What really needs to happen is for an open counter proposal to come out, and that needs to be folded into the public code base for sendmail as managed by sendmail.org. Unfortunately sendmail.org is sponsered by Sendmail, Inc. (sendmail.com), a commercial company that has announced support for Microsofts version of Sender ID. This could be a source of conflict perhaps?

Cheers
Thad

Re:Not PGP, but something open

[Jesus_666]

The most important thing is that it be based on open non-patent encumered algorithms... otherwise it will never be accepted broadly enough.

Yeah, right. Microsoft just needs to build it into their programs. Bam, instant adoption. If it's enabled by default the rest of the world will follow or be left behind, as everyone and their mother will be using it, most of them without even knowing that this new feature might be patented - or that that is a Bad Thing.

Brilliant!

So all us techies can get wrapped up in the war against the EVIL M$ of SPF vs Sender ID, rather than realising that they're both massively flawed.

what is ISC doing?

[timmarhy]

the people who need to pull their finger out is ISC, they are the organisation in the best position to be initating the spam solution. think about it, and anti spam solution is going to involve DNS - what the leading DNS server? BIND. IF ISC and sendmail org got together they would have more clout on this issue then MS and be a hell of a lot more trust worthy.

Re:what is ISC doing?

[thogard]

Sendmail is doing stuff but I don't think its the right direction.

Vixie from ISC was involved in many of the early proposals.

The problem is
1) If you can 100% auth a sender, spamers will be authed which is pointless because its easy to go register 100 new domains with keys (once you figure out how to do it) but it will be a real pain for startups and small businesses. So the spamers win on that count.
2) People are hung up on forwarding. All the fast and light systems can't cope with forwarding. The heavy crypto ones can but they are expensive.
3) People want plausible deniability with email and spamers want total deniability.

I'm under the impression that this should have been done by doing a dns lookup on $REV_IP_QUAD.$USER._at.$DOMAIN. The result is that it works (dns bl prove that), its trivial and requires very little work on anyones part (unlike SPF which is far more complex). That would solve the light issue but it breaks forwarding but if I send you a message and you forward it to someone else, my dns can log their system asking me if its legit. I don't see that as a problem.

Re:what is ISC doing?

[Secrity]

Sendmail Inc. http://www.sendmail.com/ is a commercial company that provides an open source Sender-ID (sid-milter) http://www.sendmail.net/ for Sendmail and provides Sendmail source code to the Sendmail Consortium http://www.sendmail.org/. The Sendmail Consortium maintains the open source version of Sendmail (from source code provided by Sendmail Inc.) and does not support Sendmail sid-milter. Guess which Sendmail entity (.com or .org) wins any arguments?

Re:what is ISC doing?

[Mark+Shewmaker]

spamers will be authed which is pointless because its easy to go register 100 new domains with keys (once you figure out how to do it) but it will be a real pain for startups and small businesses

But spammers won't be able to buy reliable accreditation or maintain a good reputation, no matter how many domains they buy. Maybe buying 100's of domains might help them this month, but eventually it won't help them much at all.

Suppose your mailserver gets a piece of email that's fully authenticated. Before accepting the message for delivery, it can ask a reputation service, (or domain name block list, using today's limited version of such), whether this email is from a reputable place, or whether it's from such a spammy or untrustable place that we should reject it, or whether it's from a "new" domain without any real info and thus should greylist it, temporarily rejecting the message for a few hours.

Your mailserver will then use the answer to help decide how to handle the email.

Presumably, a market will spring up to help these new domains and businesses that don't want to put up with many-hours of delays on their mail getting delivered, namely; accreditation agencies.

An accreditation agency can put its own reputation behind new domains. Companies can go to this accreditation agency, sign some forms, pay a fee, pay a bond, and become accredited.

Accreditation companies that do a good job will get a good following, with people paying attention to their claims of trustworthyness and non-spaminess. Of course, no one will listen to accreditation services that say good things of domains that turn out to be spammers, so they'll presumably go out of business.

In any event, this "buy 100's of domains" worry isn't something I'm concerned about being a problem in the long term.

I'm under the impression that this should have been done by doing a dns lookup on $REV_IP_QUAD.$USER._at.$DOMAIN.

You can set that sort of record up with an "exists:" mechanism. (Though $USER has to be turned into xtext, to handle special characters, and of course you have to handle both ipv4 and ipv6.)

SenderID is overhyped

[pdamoc]

Could Microsoft be considering an Open Source license for Sender ID?

I don't know about that but maybe they will release Clippy under an Open Source licence, just to show they care about the movement. :)

Re:SenderID is overhyped

That's just what the world needs: Thousands of geeks turned comedians creating, compiling, and distributing their own fork of Clippy.

Re:SenderID is overhyped

[andreyw]

I am sure that Miguel de Icaza will be the first to release a beta gclippy...

Re:SenderID is overhyped

[JazzXP]

That would probably be their easiest way to kill Open Source!

Re:SenderID is overhyped

[soyuz_2]

Search no more: Clippy for VI... the horror!

As with normal forecasts...

Hell has frozen but it's still burning. More at 10.

From what I can tell

[Effugas]

It's basically like this:

Alot of MS mail environments don't send mail like SPF envisions. Sender-ID basically makes life easier for MS customers. MS is coming to SPF people, saying, heh, can you modify your protocol to be a bit more friendly to our implementations?

And, since there are actually users behind those mail servers, SPF folks say, sure. Lets talk. Lets see how we can better adapt to your architecture.

Then MS turns around and says, oh, you want to adapt to us? You'll have to sign these forms.

At which point, SPF people walk away. They've already got a great way to tell eachother what they need to say, and while they're willing to work with MS, really, Sender-ID really helps MS more than it helps anyone else. A fate where exchange deployments need to either alter their topology or risk getting their mail dropped isn't one that's beneficial to the company.

Indeed, there are these people called customers that'll handle any intransigence on the part of their vendor. Which, uh, is about what's happening right now.

I'm not saying this is exactly what's going on. Neither side is monolithic. But this is, at least from the outside, what appears to be happening. Someone on the inside should feel free to correct me.

--Dan

Nothing like PGP

[ergo98]

I don't think SenderID is anything whatsoever like PGP. Coincidentally I went to Microsoft.com and read about SenderID today to see what the fuss is about. Turns out, and I'm sure someone will correct me if I'm wrong, it's simply an extension record in your DNS MX record that basically lists the possible outgoing IP addresses for email from a certain domain. For instance Citibank would add their outgoing mail servers in their MX record (because presumably only authorized agents will be screwing with the MX record), and any recipient can simply check the MX record and get the possible source IP addresses, rejecting the phish attempt from some server in central Russia. There's a tool to configure the extension block.

As an aside, because invariably someone will mention this, TCP (on which SMTP is based) is connection based, so spoofing isn't an issue.

Re:Nothing like PGP

[mattjb0010]

Slight correction in that it's a separate TXT record, not part of the MX record.

Re:Nothing like PGP

[hey]

MX says where a domain wants to receive mail and SPF and SenderID say were they send it from. Its a start. I'd prefer calling the record XM since its the reverse of MX.

Re:Nothing like PGP

well great... here goes my possibility of running my own mailserver on a dialup with a changing ip. Why me? I never mailed spam to anyone! Why can't Microsoft just let me live? Why do the mark me as a danger to society? Thats simply not fair!

Re:Nothing like PGP

[cortana]

Of course it doesn't. Please understand the issues with SPF and similar systems before spreading FUD. You have several options.

1. Publish a record including "+ptr". If your ISP is bigisp.com, then mail from any machine with a reverse DNS entry ending in "bigisp.com" will result in a Pass during SPF testing.

2. Publish a record stating that mail from your domain is sent via your ISP's servers, and only send mail through your ISPs servers.

3. Don't publish SPF records. No one is making you!

It's all about $$$

[Dalroth]

With millions of dollars in bandwidth costs on the line, and potentially billions of dollars in customer satisfaction, Microsoft may very well want to play nice on this issue. SPAM is a serious problem, and bickering and fighting isn't going to make it go away. Cooperation and hard work will.

Bryan

Re:It's all about $$$

[mrchaotica]

If MS wanted to play nice, they'd just accept SPF.

No, it really is all about the $$$ -- MS already lost, but they still want a piece of the pie. They might make SenderID open source, but will it be Free? And what happens when they get additional patents for SenderID 2.0?

Relevant history

Two articles on the history of Sender-ID:
http://www.circleid.com/article/730_0_1_0_C/
http://www.circleid.com/article/732_0_1_0_C/

Re:Bah Humbug

I don't think any of us have anything to worry about Microsoft. There position is not much unlike a limp biscuit.

Reason one, simple - it it isn't open source it will not be accepted but the world. Sender ID is not new either...

And for the fools that try proprietary solutions, they are destined for the heap as users will not like not being able to send mail to the rest of the world.

This could of course mean....

[baximus]

Note that they're "negotiating". This is MS we're talking about here...

"We'll give you a financial boost if you'll fast-track our application to be an OSI-Approved License. Just ignore the incompatibilities, and here's $100k for your trouble."

Intellectual Property - Only belongs to Microsoft

[joepress]

Never ceases to amaze me that a company like Microsoft which defends it's intellectual property to the death, just expects other company's to surrend their intellectual property.
How about radio stations patent thier playlists? Make as much sense as MS patents, maybe more.

What's to negotiate?

[rhysweatherley]

I'm just curious as to what is there to negotiate? Either they license it royalty-free for all fields of use, or it does not belong in an officially-recognised IETF standard. There is no "middle ground" license that will satisfy the community. Patents are, by definition, incompatible with open standards.

Re:What's to negotiate?

There is no definition of "open standards".

There is a definition of open source, which can include patents, because 'irrevocable free for whatever use' licences can be granted.

Open source can include patented tech (JPEG, for example)

Re:What's to negotiate?

[fingon]

That's what idealists would like to think. However..

The _reality_ is, quite number of recent RFCs, and even larger number of I-Ds that will eventually become RFCs are 'licensed on fair and non-discriminatory basis'.. just like RSA of old, which definitely didn't mean cheap or free :-)

Open Comment to OSI:

[erroneus]

You cannot deal with the devil and win. They want something with which to make more money. And they want your cooperation. They will offer a lot of "free stuff" but since when has it ever amounted to anything but deception from Microsoft. There are countless businesses that have suffered and/or failed due to Microsoft treachery. Some people call it "just doing business." I call it immoral. Slashdot readers might recall what Microsoft did to the ONE cell phone company that made a deal with Microsoft and how badly they got burned where MS forced the company into a breech of contract situation where they lost all rights to the technology they developed for MS. The list is much longer than I know to be sure but that which I do know is already ridiculous.

If you think for even a MOMENT that MS will not use their patent(s) as leverage against OSI later, you're living in a dream world. Furthermore, it has already been shown that Sender-ID is ineffective. We don't need Sender-ID.

Re:Open Comment to OSI:

[BCW2]

Anyone that does not agree with the above should research what happened to Netscape and Stacker, and the many others who tried to deal with M$. They all got consumed by M$ or another large Corp.(AOL got Netscape) or they just folded and dissapeared.

Negotiating with M$ reminds me of a line from the Godfather:
In ten seconds your signature or your brains will be on the paper.

Re:Open Comment to OSI:

There are countless businesses that have suffered and/or failed due to Microsoft treachery.

And there are countless more businesses that have flourished due to Microsoft or have been bought by Microsoft and made the owners/shareholders a handsome profit.

What's your point?

I call it immoral. Slashdot readers might recall what Microsoft did to the ONE cell phone company that made a deal with Microsoft and how badly they got burned where MS forced the company into a breech of contract situation where they lost all rights to the technology they developed for MS.

The cell phone company alleged this happened. Microsoft alleged it didn't. The case isn't public, the case hasn't been decided. You are either wildly speculating or violating some type of NDA. I'll assume the former.

Re:Open Comment to OSI:

So, software patents are bad ... unless they are owned by Stacker. good work slashbot.

Patents != Copyright

[pavon]

Could Microsoft be considering an Open Source license for Sender ID?

Well, looks like a good time to clarify the difference between patents and copyright for the benefit of the new blood here on slashdot. They are very different things, and you must understand what the law says before you can develop educated opinions on the law. Copyright is a government issued monopoly on the distribution, and public performance of a specific work and derivatives of that work. Patents on the other hand are a government issued monopoly on the commercial application of an idea. A book is a specific creative act, and thus falls under copyright. A method of building a tractor is an idea, and is thus patentable. You can't have copyright on an idea, and you can't patent a specific work.

Now onto this specific situation.

When you talk about open source licenses, you are dealing with copyright. A copyright license grants you specific (often limited) rights to distribute, perform, or modify the authors work. Without a copyright license you do not have the right to do any of these things. Open source software gives people the right to redistribute the work, created derivative works, and redistribute those works (possibly with the restriction that the derivative work must also be open source). However, it requires that if a work is distributed it must be available in a useful form - the original source code.

Now Caller-ID is not a piece of software - it is a protocol, a standard, an idea, and thus falls into the realm of patent law. A patent license gives you permission to use an idea in your own works. Without a patent license you do not have a right to use the idea in your own work, even if you thought of it by yourself. Microsoft has patented some of the ideas in Caller-ID, so anyone who wants to create an implementation of Caller-ID must get a patent license from Microsoft. The patent license which Microsoft is currently offering for Caller-ID has several issues that make it impossible to use the patented ideas in Open Source software without violating one of the licenses.

By now you can see what was wrong with the text I quoted - Sender ID is not a piece of software - it is a patented idea, and so it is nonsensical to talk about releasing it under an Open Source (copyright) license. What the submitter should have asked is "Could Microsoft be considering an Open Source friendly patent license for Sender ID".

That said you can read this post if you want to know more about why the current patent license for Caller ID is incompatible with Open Source software.

Re:Patents != Copyright

caller ID has existed for well over 7 years. I remember hacking on it in the late 80's.

caller ID is a very VERY old protocol that is certian to be in the public domain now (see the ability to buy $5.00 caller ID boxes from wing-wang-wong ltd. and every cordless having it.)

Hence caller id is public domain and therefore is extremely compatable with Open Source Software.

Re:Patents != Copyright

[KWTm]

Buddy, have you been following the /. discussions?

"Caller ID" is not the caller identification service that's available on phones right now. They're referring to an email sender verification system that acts sort of like what your caller ID is to phones, so they nicknamed it "caller ID".

Mmm... Trust

[dan+of+the+north]

Rosen: I know the woman that I am working with at Microsoft, and I trust her to be as candid with me as her clients will let her be. And I trust her to negotiate with me honestly, and I have no reason to believe that she is not.

Netscape... etc. It is not in MS' dna to act trustworthy... we're doomed!

Re:MOD ABUSE

[idesofmarch]

Maybe it's your signature.

Halloween Documents Anyone

I may have missed any comments regarding this, but has anyone else drawn a connection between Sender ID and Microsoft's plan of "decommoditizing protocols" as referenced in the infamous "Halloween Documents"? 6 years later it seems their plans have remained the same. It'll be very interesting to see if they do come to some kind of agreement with the open source community.

Re:MOD PARENT DOWN

[typhoonius]

ACs are stupid.

But yes, Exchange also does SMTP (in addition to MAPI, POP3, and IMAP).

Obligatory Simpsons "Buy 'Em out Boys "

[ganhawk]

HOMER
Oh, they have the Internet on computers now!

MARGE
Homer, Bill Gates is here.

HOMER
Bill Gates?! Millionaire computer nerd Bill Gates! Oh my god. Oh my god. Get out of sight, Marge. I don't want this to look like a two-bit operation.

Marge groans and rolls her eyes. Bill Gates and two "associates" enter.

GATES
Mr. Simpson?

HOMER
You don't look so rich.

GATES
Don't let the haircut fool you, I am exceedingly wealthy.

HOMER
(quietly to Marge) Get a load of the bowl-job, Marge!

GATES
Your Internet ad was brought to my attention, but I can't figure out what, if anything, CompuGlobalHyperMegaNet does, so rather than risk competing with you, I've decided simply to buy you out.

Homer and Marge step aside to talk privately.

HOMER
This is it Marge. I've poured my heart and soul into this business and now it's finally paying off. (covering his mouth) We're rich! Richer than astronauts.

MARGE
Homer quiet. Acquire the deal.

HOMER
(to Gates) I reluctantly accept your proposal!

GATES
Well everyone always does. Buy 'em out, boys!

Bill Gates companions begin to trash the "office".

HOMER
Hey, what the hell's going on!

GATES
Oh, I didn't get rich by writing a lot of checks!

Bill Gates lets out a maniacal laugh. Homer and Marge cower in the corner as the room continues to be trashed.

-from www.simpsoncrazy.com

What's the difference between SenderID and SPF?

[Mustang+Matt]

I haven't seen a clear cut explanation of what's different.

Re:What's the difference between SenderID and SPF?

SPF is DNS records. SenderID is XML over DNS.

Re:MOD PARENT DOWN

fscking newbies

IIS installs SMTPD

Exchange does NOT install SMTPD.

Hence, IIS does smtp email, not exchange. Exchange runs happily without that useless public standard, smtp.

Buncha useless whining fscking idiots.

Bleh. Quick, where's that URL for that study about how useless people always think they know more than other people?

Nit-picking

Technically, the process you describe is included in SPF, which is an open/free standard and existed before (but has become integrated in) Sender-ID. Sender-ID provides for a few other things too, but none of them are terribly important imho. Raw SPF would suffice.

Re:Nit-picking

[ergo98]

Sender-ID provides for a few other things too...

Out of honest curiousity, what are those additional features? I'm most certainly not a SenderID expert (or even informed layman), but I've browsed through the SenderID documents and the feature seems to be nothing more than listing outbound IPs in your DNS entries. What else does it offer?

They should resolve it the way ISO does it...

[truth_revealed]

in a wrestling ring with no referee and metal folding chairs conveniantly nearby.

Re:They should resolve it the way ISO does it...

[AceCaseOR]

Better idea: Do it with ECW/CZW rules, but before the wimpy Pennsylvania Athletic Committee forbade wrestling federations from Floricent (sp) light bulbs (the tube type), in wrestling matches, and limited the use of "Death Matches" (matches in which the ropes are replaced with, or supplimented by, barbed wire; or in the case of "Cage of Death" matches, the Cage is supplemented with barbed wire).

No.

Not only have they botched TCP they've managed to try and replace it several times, none of which were particularaly well taken but still.

That said. I don't have a spam problem because I use email responsibly. It's morons and their forwards and honestly someone I know gets over 1000 spam messages a day and they deserve every one of them.

Oh darn I guess I'm nobody

Funny I work for a company that runs OSX servers and loves every bit they push.

iCal ISN'T AN ENTERPRISE SCHEDULING APPLICATION

The Kernel shouldn't be a freaking monster.

Cram it up yer ass.

Commerce Solutions with Technology!

[toupsie]

And less money selling software and services. Microsoft makes money off the issues that face their users with their products. SMS, MOM and ISA are few examples of products that help manage, update, monitor and protect Microsoft's other products. And they make good coin for selling and consulting those "added value" products. You can dupe most of these in linux with nagios, apt-get/emerge/up2date, snort, squid and ip tables but you don't get a nice guy from Microsoft that will hold your hand and tell you its alright you don't understand why it doesn't work exactly like the manual says. You get flamed on a message board and told to RTFM. Plus the Microsoft guy will buy you lunch!

I wonder if SenderID might require some old Exchange installs to be upgraded. When I tried searching Microsoft's web site for "SenderID Exchange 5.5", I got one link. Items I should consider when building "Commerce Solutions with Technology". So I am taking that as a yes. Cha-ching, Microsoft...Commerce Solutions with Technology at work!

Re:Commerce Solutions with Technology!

[Donny+Smith]

That's a totally misguided troll attempt.

First, you yourself say that Sender ID will make Microsoft less money from support and services. Then why would they promote it?
(Actually it won't influence services spending at all - customers will reassign that money to other critical matters. There's never enough money to fix all IT problems, so it's not that they'll use that money to buy new carpet for the meeting room).

Second, customers who're still with Exchange 5.5 are more likely to change to Linux, so it's a double-edged sword, to say the least.

And finally, all that Exchange sites need is one Linux box with Sendmail + Sender ID gateway, they don't have to touch their Exchange servers except route all outgoing traffic to the internal interface of the Linux box.

pgp and domainkeys

[iradik]

A solution to stopping spam is outlined here:

http://antispam.yahoo.com/domainkeys

I picked up this link from here:

http://www.pgp.com/resources/ctocorner/cryptoandsp am.html

This was a discussion about how pgp alone will not stop spam but how yahoo domain keys might. Due to domainkeys ability to actually verify the domain the e-mail is being sent from.

Re:pgp and domainkeys

Yeah, everyone will be crying in their beer when Yahoo's (lesser of several evils) DomainKeys starts being used to control access to Yahoo's large spookable herd of eyeballs.

I have said this before - anyone (Yahoo, HotMail, gmail, MS*) who has large numbers of mail boxes that people want to reach can be billed. How? By Signing outgoing mail you are certifying that _you_ have sent that mail - all yahoo has to do is count the number of mails signed by domain example.com and then autoforward a weekly/monthly bill to the email address in the whois system for domain example.com

You say, never gonna happen, people won't pay, they won't get the billing email - it won't matter to Yahoo - they send bills, if they don't get paid they just blacklist that cert/domain.

The big email box herders would have no reason to do this if Yahoo!DomainKey (tm) is widely deployed. If you disargee please explain why they wouldn't do it.

Re:pgp and domainkeys

I am an idiot previewer...

big email box herders would have no reason not to do this if Yahoo!DomainKey (tm) is widely deployed.

extracts of email sent to ESR

[wayne]

Here are parts of the email I sent Eric last week about the fetchmail vs SenderID patent.

Yakov Shafranovich (the former chair of the IRTF's ASRG) did some digging for prior art and turned up quite a bit. One of the examples that he gave was fetchmail.

I just realized that another way to look at this is not that fetchmail is prior art, but that if the MS patent goes through, fetchmail will be infringing on MS's patent and you will need to get a license from MS to continue to distribute fetchmail.

Mind you, lawyers from places like the OSI, FSF and the Apache Software Foundation have found MS's SenderID license to be incompatbile with various F/OSS licenses, including the GPL. So, if you don't want to run the risk of MS sueing you, you will not only have to get a license from them, but you will need to change your license.

Yeah, there *is* a chance that the USPT might reject MS's license because of the prior art, but, gee, we both know what the chances of that happen are.

Messages of interest to you include:

http://www.imc.org/ietf-mxcomp/mail-archive/msg039 39.html http://www.imc.org/ietf-mxcomp/mail-archive/msg039 30.html

In a followup, I wrote:

In <20040903064727.GE4436@thyrsus.com> "Eric S. Raymond" [snip] writes:

> wayne <wayne@midwestcs.com>:
>> Yakov Shafranovich (the former chair of the IRTF's ASRG) did some
>> digging for prior art [on PRA] and turned up quite a bit. One of the examples
>> that he gave was fetchmail.
>
> Oh, that *is* interesting. So why back down? Let's fight Microsoft on this.

Oh, I just realized. If MS's patent goes through, you (and all distributors of fetchmail) will not be able to get a SenderID license from Microsoft to keep you from risking being sued by MS.

Not only does fetchmail not implement all required aspects of SenderID (a requirement of the license), but fetchmail's use of header checking appears to be used for different purposes than implementing SenderID. MS's license only covers SenderID usage. You will have to negotiate directly with MS to see if they will permit you, and all users of fetchmail, to continue using the functionality that you have had for years.

And, in one more followup, I mentioned:

I had missed interesting detail when I first read the following post by Matt Sergeant:

http://www.imc.org/ietf-mxcomp/mail-archive/msg040 45.html

I pressed [Craig Spietzle of Microsoft]: "Will you fix the license?". I never really got a confirmed yes or no, but my feeling was "no" when we ended the conversation. I suggested that they give their IP to the IETF (such as I believe there is precedence of - I know that IBM has committed patents to the public domain before in a similar act of openness), to which I was told that Craig believed this was a reasonable idea, but that Bill Gates himself had vetoed that idea because of the current focus on patent gathering and IPR issues at Microsoft.

I'll believe it when I see it.

[wayne]

Dan Quinlan (of Spamassassin/ironport) has been working with Larry Rosen (a lawyer for OSI) and Eben Moglen (a lawyer for FSF) for months now. *VERY* little progress has been made, even when it was clear that SenderID would be at risk of not being advanced by the IETF to RFC status. I have *VERY* little hope that Microsoft will make the required changes to their license to be compatible with Free/open source software.

Insight into the current situation can be found in a post by Matt Sergeant (Spamassassin/messagelabs):

http://www.imc.org/ietf-mxcomp/mail-archive/msg040 45.html

I pressed [Craig Spietzle of Microsoft]: "Will you fix the license?". I never really got a confirmed yes or no, but my feeling was "no" when we ended the conversation. I suggested that they give their IP to the IETF (such as I believe there is precedence of - I know that IBM has committed patents to the public domain before in a similar act of openness), to which I was told that Craig believed this was a reasonable idea, but that Bill Gates himself had vetoed that idea because of the current focus on patent gathering and IPR issues at Microsoft.

Re:THIS IS JUST THE THING-try my solution....

[iamcf13]

It autodeletes spam based on simple, user-specified criteria.

It is fast.

It is not Bayesian filtering and doesn't requre the resources of that method of spam filtering.

I use it to check my own email. I am genuinely surprised when I get a email that got past my filtering program. The last email I got that 'beat' the filter and wasn't autodeleted was a legitimate email.

If you are interested, complete details are here.

MS record in DNS?

[AnuradhaRatnaweera]

How about introducing a new MS record (not Microsoft ;-)) to point to Mail Senders? MX server(s) can continue to be the mail recepient(s). This gives the control to more distributed DNS system rather than a single company.

Mail servers need to accept mails from a domain only if they are coming from the MS servers for that domain.

This is not a novel idea. Most mail sersvers have a configurable feature to accept mails only from MX servers for that domain anyway.

S/Mime is a better solution.

[MacDork]

Which would you rather know? Who sent the mail, or where the mail came from? Sender ID only tells you where. With S/Mime you get both. And this sender ID/SPF thing requires that EVERYBODY use it or else. On the other hand, S/Mime can be phased in gradually, one user at a time, and could easily be filtered client side. It looks to me like a major piece of the spam solution is right under your noses.

Re:S/Mime is a better solution.

[MavEtJu]

With S/Mime you don't check the envelope, only the message body and the sender. I don't care if mail has spam, as long as it doesn't have *MY* address as the sender-address.

Re:Patents != Copyright - Link is shock site

[kasin]

Mod this down. Tech news is a shock site (ala tubgirl etc).

What if we just all go for SPF and ignore MS?

[btbo]

I still haven't heard what's wrong with SPF. The only thing seems to be that a decision has to be made that `we' all support it. So if we just take that decision, at some point MS has no choice but to follow, putting them back where they belong, in the back seat.

Re:What if we just all go for SPF and ignore MS?

[Fulcrum+of+Evil]

I still haven't heard what's wrong with SPF.

It doesn't address the problem of spam. With SPF, you get authenticated spam from some throwaway domain.

Do you mean TCP or do you mean IP

[Gnavpot]

I really do not understand why people use the term "TCP/IP".

TCP is just one of the protocols running under IP on a normal computer. The others are UDP and ICMP. So if you want to include that protocal layer in the name, "TCP+UDP+ICMP/IP" would be better. Or you could just say "IP".

To me, this is like calling all four wheels on a car "front wheels".

Re:Do you mean TCP or do you mean IP

[Ianoo]

Well, HTTP works over TCP/IP, not UDP/IP or ICMP/IP. For the majority of Internet traffic, TCP/IP is an accurate description of the underlying protocol. DNS is the only thing used regularly these days that runs over UDP/IP, something like >75% of traffic on transatlantic links is TCP, only 14% UDP.

Re:Do you mean TCP or do you mean IP

[Gnavpot]

Yes, and all the traction and most of the braking happens through the front wheels of my car. So let us just use the term "front wheels" for all wheels since the front wheels are doing most of the work anyway.

Re:Do you mean TCP or do you mean IP

[l3v1]

TCP is just one of the protocols running under IP

Well, you surely ment over.

Re:Do you mean TCP or do you mean IP

[Gnavpot]

Well, you surely ment over.

Perhaps. English is not my first language.

Anyway, I would regard TCP, UDP and ICMP as sub-protocols of IP. And to me, "sub" means "under".

Re:Do you mean TCP or do you mean IP

[True+Grit]

Be very, very, careful here. Using "IP" by itself could get you in real hot water with RMS. :)

Re:Do you mean TCP or do you mean IP

[digitalsushi]

TCP is a suite of protocols including a protocol named TCP.

Re:Do you mean TCP or do you mean IP

[drinkypoo]

I thought TCP/IP was a suite of protocols including a protocol named TCP which runs over IP?

Re:THIS IS JUST THE THING-try my solution....

You're an idiot. SpamAssassin let you assign point values to user-specified criteria from the beginning (long before you even thought of making cf13). It also has pluggable criteria like a bayesian analyzer. Your solution does less than SpamAssassin and is less supported.

Flamebait?

[irongrip]

Well I thought it was funny, if I had mod points I'd help you out.

What Microsoft is considering

[hopethishelps]

Could Microsoft be considering an Open Source license for Sender ID?

I can't tell you what the worker bees at Microsoft are considering, but I can tell you what the movers and shakers at the top are considering. They're considering what course of action will do the most harm to the Free Software community in general, and people's perception of the GPL in particular. When they think they've figured out what that course of action is, they'll tell the troops to do it.

Re:What Microsoft is considering

Have you finished digging your bunker yet?

Open please, not open source

[Oestergaard]

The license better be open - as in, "everyone" can use it. Not just open source projects.

Sure, if open source projects can't use it freely, it's stillborn. But it's almost equally important that ISVs can adopt it as well, without paying MS patent tax.

E-mail is such a fundamental part of what we do with the internet nowadays, that even if MS themselves and all open source projects can use this, it will still hurt an absolutely enormous amount of products and companies, if the license is not truly "open" (free for use, for any purpose what so ever, no strings attached).

Hmm... Somehow I just doubt that this is what the OSI or MS wants ;)

Re: Good! Free market mechanics at work

[Alwin+Henseler]

Microsoft might as well let SenderID go open source.

I really like development of this whole MS initiative so far, being shot down by Apache, Debian, and now reconsidered for open sourcing?

It is pressure being applied to MS. And it's not pressure from Linux zealots, or from FSF supporters, but because it's necessary, and useful for this SenderID to work. In other words: free market pressure.

End users get what they need (nothing at all, or something open, that might even work), and this possible solution to the spam problem is judged on practical and technical merits, rather than a big organisation pushing it.

Open Source Clippy

[maxwell+demon]

Put it into the BIOS!

User inserts Windows install disk and starts his computer.
The BIOS-integrated Tux-Clippy variant starts, detects that you inserted a Windows install disk:
It seems you want to install an operating system. Please click next if you want help.
The user clicks "next".
Looks like a Windows boot disk. Have you considered using Linux instead?
The user clicks "no".
I see you have a working network. It is possible to start a network install of Debian directly from the BIOS. If you don't like it, you can still install Windows instead of it later. Do you want to try Debian?
The user clicks "no".
You don't know what you miss. But maybe you'd prefer to try an ftp install of SuSE?
The user clicks "no".
I see. But maybe you'd like to try Fedora?
The user clicks "no".
Ok, but maybe you want to try Mandrake?
The user gives up and clicks "yes". :-)

Short Memories

The Blog even has a slashdot warning at the top from an earlier barrage :-)

"Pink" contracts are the source of spam.

[GuyFawkes]

All this talk of various new(?) protocols and tags is pure FUD and bullshit.

spam can be eradicated (99%) in 48 hours, this was true years ago when I used to hang out on nanae and it is still true today, because 99% of spam originates from companies with "pink" (no AUP) connectivity / IP block contracts that typically pay the provider several times the market rate per IP / Gb of bandwidth.

I could go out today and buy a block of 255 IP addresses on an OC3 and stick 72U of servers behind it sending out spam 24/7, and NOT lose my connectivity....

Sure, it might suck if you have a close IP to mine and SPEWS lists the company that is providing connectivity to both you and me, but at the end of the day money talks.

And at the end of the day there is more money in marketing (globally) than even bill g can dream of.

_NOTHING_ short of an equivalent to the usenet death penalty (which is different because fuck all providers make 1 cent out of usenet, for 95% of them it is a loss making service bundled with http / smtp etc) SPEWS style will ever stop spam.

As far as OSS goes as far as I can see there is only one way to make this work, and that is to use an electronic analogy of what I do at home.

I get junk (snail) mail every day, lots of it comes with pre-paid return envelopes, most of it doesn't.

The stuff advertising local firms tends not to have pre-paid envelopes, that national stuff tends to have pre-paid envelopes. So I sort my junk mail into local and national, takes about 3 seconds.

The local stuff I just throw out into the street to blow around and litter the place, the residents get pissed off, the council gets pissed off, clear plastic bags containing samples of the litter get placed on council meeting tables and the companies whose names are on said bits of paper get a hard time from the council and everything from business rates increases to bills to clean up litter.

The national stuff I just stuff into the prepaid return envelopes, just not the right envelopes, so each company gets an envelope full of some other companies junk mail, and pays for the postage.

Result, I now get about 4 pieces of junk mail per week, it DOES work IF you work at it for a year or two.

I see a similar thing in the OSS community as being the only solution, it takes a little bit of care to eliminate the joe-jobbed return addresses, but all you need is a spam filter that directs spam back to other spammers addresses, and if they have no smtp ports open then try to send it to them on port 80 every second for 24 hours.

Yes I ___AM___ advocating DDoSing the cunts off the net, because when spam starts costing spammers money and denial of THEIR services they will stop, not before.

Re:"Pink" contracts are the source of spam.

[bo0ork]

Get real, only moronic spammers buy bandwidth and rackspace. The smart ones have hordes of luser zombie machines all over the 'net.

Re:"Pink" contracts are the source of spam.

[GuyFawkes]

tell that to wallace et al

Patent Infringement Here

[KjetilK]

Well, they are patenting something trivial again, and fetchmail has a trivial replacement for MS patented algorithm, it seems. This Perl one-liner is said to implement MS patent:

my $pra = $headers->get('Resent-Sender') || $headers->get('Resent-From')
|| $headers->get('Sender') || $headers->get('From');

It is just wrong that something like that should hold up a programmer one second...

do NOT dance with this devil!

[tweedlebait]

We know already that SID doesn't comply in spirit with the internet we know and love.

We know spammers are already lined up and using SID, so the system is already polluted. "ya want validated spam with that?"

MS doesn't want OSS/Linux/etc. They have made that quite clear. Right now they need us to support this or the whole thing fails- or they start an apache war or something. MS has enough control already. IMHO they should have no say-so about my email.

Some persons at ms are getting *paid* to deploy this successfully & quickly and they will try very hard to do so. This includes convincing everyone else to support it. (for free?) Hold the ropes boys and girls.

Why would the OSS community care about supporting something that is IP encumbered by ms and in litigation, broken, basterdized, and infested with spammers already? err .. and its by our trustworthy future thinking pal microsoft.

So IIRC if they flick the switch on this thing hotmail and msn will be crippled and only work with SID friendly systems. Boo Hoo. maybe hotmail users will complain to ms since they won't be able to complain to me!

Look-- Every time ms does something like this eg: tcp/ip, kerberos, iis,ie,outlook, etc. it's a train wreck of decaying squid parts. Learn from the mistakes. If they need support for SID stall them:
Tell them you'll put it on an Action List or you'll do it as soon as 'counsel gives you the green light'. Tell them you use drugs and therefore cannot be trusted with such thigs until rehab! or Just lie! They'll never expect it! Better yet make them believe it will soon be supported!

Anyway I hereby claim my disgust and lack of support for sender id and beg all the developers working so hard on interesting things being bothered to support this to not waste their time and keep on inventing.

Thank you.

I disagree

[fadir]

To decline any technology because MS developed it is not the right way. Even when I dislike a company I should carefully examine if what they did is a good idea or not. If they change the license to a compatible version and there is no objective reason to decline the offer then it would be stupid not to work together at that point.

We can't preach freedom but on the other hand suppress others.

Re:I disagree

[jedidiah]

Sure it is.

Microsoft is a master at manipulating situations for it's own gain and to the severe detriment of everyone else. This fact should not be ignored when considering their products.

It has been this way since MITS, quite possibly since before you were even born.

Re:Bah - Google result

quick search with Google returns this link among others:

http://www.cmi.univ-mrs.fr/~coulbois/alquds/netw or k/week4/tcpip.html

Now MS also has BITS (Background Intelligent Transfer Service) which may be somewhat based on that.

Cheers.

Debian -- Who Cares?

This isn't meant to be a troll, but honestly, who other than the Debian folks care that they opted not to adopt Sender-ID. I understand they "represent" the purity of libre software, but there's plenty of things they haven't added to their distro based upon their ideologies. Furthermore, it's not as if they would be writing the software. If they want to patch it to remove support from upstream, fine, but that hardly is a threat to Sender-ID (software that wouldn't make it to Stable for a couple years anyway). So, it seems to me this is all a bunch of self-righteousness, and the fact Debian doesn't want to play really is insignificant. If I'm off-base though, please answer the original question and set me straight.

Re:Debian -- Who Cares?

[Aim+Here]

Why pick on Debian? At the moment, the FSF, the OSI and Apache are also against the current proposed licensing arrangement of SenderID, and they're much bigger hitters than those sweet little Debian people.

Banging on about the insignificance of Debian is a bit like spending ages bitching about Ringo Starr's lack of talent and hoping that people will decide that the Beatles suck because of it.

I think I solved the profit equation...

[Zoinks]

Hmmm, let's see if I can get this right....

1) Sell insecure software products that is widely used because of market share
2) Observe as the world suffers under the impact of the insecure aspects
3) Patent new software that solves the problem original product caused????
4) Profit!

beam in your eye

John 3:16 - The easiest way to a BETTER YOU.

Try some humility and better yourself instead of spreading your male godwords.

No one cares...

[denisdekat]

I should say few, as it seems that few to no one cares here in the US about all the voting weirdness in the last couple years (remember Florida)...

I live in SF, during some of the last elections there has been things like not enough ballots, boxes of ballots found in the Bay, etc... It goes on, and I am curious about other areas...

I think people do not care about their rights in the US, most folks I know take them for granted. Hard to believe our previous generations fought so hard for it, because todays generation seems dumb about it. Maybe if we lost the right to vote for a couple years, folks would realize what an important issue it is...

In any case, whether it works or not, people will not care and move on as they are pacified with comforts

http://www.cancelcable.org/

Assimilation Battle

[4of12]

even the *gasp* GPL

It's clear why MS chokes on the enforced "share and share alike" nature of the GPL vs the "whatever" style BSD license.

BSD allows MS to slowly assimilate the best pieces of open source into their own product lines. The GPL allows open source to slowly assimilate them into the free and open community.

It's ironic that the GPL is such a strong driving force for commoditisation, the pure competition ultimate objective of the free market.

DomanKeys

[Russ+Nelson]

Sounds like you want DomainKeys. Sendmail has support for DomainKeys as well, as does qmail.
-russ

Re:MOD PARENT DOWN

[Eristone]

fscking newbies

IIS installs SMTPD

Yep.


Exchange does NOT install SMTPD.


Yep again. Except Exchange (2000/2003) doesn't install without IIS being already installed - it is a pre-requisite.

Hence, IIS does smtp email, not exchange.

Kinda. The smtp engine in IIS is extended when Exchange 200x is installed to support assorted Exchange specific functions.

Exchange runs happily without that useless public standard, smtp.

Exchange 5.5 does indeed. However 200x doesn't - it supports smtp natively as the primary protocol for exchanging traffic between Exchange servers. If smtp isn't running, Exchange doesn't communicate. (yes, there are a few caveats to this, but that discussion can be saved for the next "OSS Exchange Killer" news story).

Buncha useless whining fscking idiots.

Er.. pot. kettle. hmm.

Bleh. Quick, where's that URL for that study about how useless people always think they know more than other people?

In your case, assuming you're running httpd on your local system, try http://127.0.0.1/clue/

I guess I'm just not enough of a prick to agree

[cbreaker]

And so the rule of business is to screw everyone every chance you get?

Naa. I don't think so. While many *people* DO practice business this way (and they ARE people - PEOPLE screw you, the business doesn't act on it's own) there's also a great many that do not. Just because Microsoft is a very large company doesn't mean they are off the hook in the ethical department.

It's the difference between SMTP and email headers

[hadaso]

The original SPF was a method to publish a TXT record with info to be used for matching with the domain part of an email address used in an SMTP "MAIL FROM:" command.

SenderID uses similar syntax but in a new type of DNS record, and uses it not with the SMTP envelope from but instead with a "purported responsible address" derived somehow from the email headers ("RFC822 headers").

As far as I see SenderID will fail with forwarded email if the forwading MTA complies with RFC2822:

"... forwarding is also used to mean when a mail transport program gets a message and forwards it on to a different destination for final delivery. Resent header fields are not intended for use with either type of forwarding." (RFC 2822 sec. 3.6.6)

For some reason SenderID authors think that forwarders should add these headers even though RFC2822 explicitly states that they are not to be added. (Perhaps MS+POBox software add these headers? It is quite clear from RFC 2822 sec. 3.6.6 that resent headers are meant to be used only when email is resent by human intervention). RFC compliant forwarders would not add these headers, so SenderID tests would fail on correctly forwarded email. For SenderID (or SPF) to work with forwarders these would have to wither be non-RFC compliant, or the meaning of resent headers in email should be formally changed and email infrastructure updated to reflect the change (or perhaps it was already chaged and RFC2822 is outdated???)