Slashdot Mirror


Sender-ID Back From The Dead

NW writes "Microsoft's Sender-ID standard has been left for the dead since the rejection earlier this fall by the IETF. According to a Reuters story, it has been revised and will be resubmitted to the IETF. Along the way, Microsoft managed to pick up AOL's endorsement of Sender-ID. My humble analysis appears here."

221 comments

  1. First Post by SultanCemil · · Score: 1, Insightful

    Sender ID rocks, if it's implemented properly. Too bad spammers will just start registering domains and using them semi-legitimately.

    --
    Cemil.
    1. Re:First Post by bcrowell · · Score: 4, Interesting
      > Sender ID rocks, if it's implemented properly.
      SenderID is Microsoft's name for its patent-encumbered variation on SPF.

      > Too bad spammers will just start registering domains and using them semi-legitimately.
      The real point of SPF and Sender ID is to make it hard for spammers to forge their "from" addresses, so that blacklists and whitelists can be more effective. Adoption or lack of adoption by spammers doesn't really have much impact on the success of SPF.

    2. Re:First Post by mattjb0010 · · Score: 1

      How, exactly? It can only ever be used to tag spam, since there are quite legitimate uses for sending emails with domain X with a non-domain X sending MTA -- since relaying is a bad thing and SMTP AUTH isn't an option for me as I can't connect directly to the proper MTA due to firewall restrictions. Since it can only be used for tagging, it doesn't mitigate the costs of receiving spam. It's far simpler and cheaper just to 550 reject spammy ISPs. SPEWS anyone?

    3. Re:First Post by Anonymous Coward · · Score: 0

      Whatever happened to paying to send mail (through CPU time) to a certain server? Regular users wouldn't notice, while mass mailings wouldn't be hampered because they would tell their users to tell the server not to charge that email address.

    4. Re:First Post by blowdart · · Score: 5, Informative
      > It can only ever be used to tag spam

      What utter tosh.

      1. No-one is forcing you to publish SPF/SenderID records, so you can leave your domain unencumbered and SPF filters will never touch you
      2. If you have non-domain X sending MTAs you can always add them to your SPF record anyway
      3. You can always open that firewall to allow SMTP AUTH
      4. Relaying is not, in theory, a bad thing. Open news servers are not, in theory, a bad thing, gun ownership in theory is not a bad thing. But there are always those who will happily abuse facilities.

      Just because you can't use SMTP AUTH because of a firewall, don't try to dictate how everyone else should use SPF.

    5. Re:First Post by kwerle · · Score: 3, Informative

      You forgot [at least] one:

      5. You can just add an SPF record for your IP address and you're set.

      And a falsehood:
      SPF doesn't tag spam, and has nothing to do with it. It just makes it impossible to fake a sender address from a domain with proper SPF records.

    6. Re:First Post by hools1234 · · Score: 4, Insightful

      Perhaps we could call it Microsoft ID instead? Why fluff it up with a name, call it as it is. The government gives us social security numbers so they can know who we are and track us.. why not let Microsoft have the same power?... um.. because!!

      --
      iSnack 2.0 - Download it now to your iToast 9.0
    7. Re:First Post by mattjb0010 · · Score: 2, Interesting

      I don't get any say over the policies, so none of your "solutions" work. If you want to use SPF to block, that's fine, I'm just pointing out there are cases where legitimate email can only originate at non-SPF Ok'd MTAs. I wouldn't block using SPF, I'd tag, except tagging doesn't stop the costs of spam.

    8. Re:First Post by mattjb0010 · · Score: 2, Interesting

      > SPF doesn't tag spam, and has nothing to do with it. It just makes it impossible to fake a sender address from a domain with proper SPF records

      Come back when you know how SMTP works. I can set any domain in the from address when I connect to your SMTP server. You have three options: use the SPF records of that domain to block or tag the email, or do nothing.

    9. Re:First Post by CJF · · Score: 1

      You seem to be assuming that everyone who has a legitimate reason to spoof "from" addresses also has control of the firewall and DNS entry, or the ability to influence SenderID policy. This is very rarely the case.

      Using the envelope-from seems a better approach to me (as in SPF?), but Microsoft seems to want to cause hassle for many people just because it can find no better way of making its software immune to phishing.

      Yes, sites can always adopt more teleworking-friendly policies. They can also adopt software that is relatively free from virus infection and phishing, and a more enlightened attitude to software patents, support fair trade etc. Unfortunately, influencing corporate and technical policy in all these cases seems equally difficult. Most people will give up trying before they are labelled a "trouble-maker".

      By the way, I happen to use something like Microsoft's proposed algorithm for verifying senders (using fetchmail's prior-art algorithm). It is a very poor way of detecting spam these days. When it has detected a sender address mismatch in recent months, it is typically due to someone teleworking, very rarely is it spam.

    10. Re:First Post by blowdart · · Score: 4, Informative
      Maybe I didn't explain it very well then. If I can use the example of my local setup.

      If you connect to me I do a bunch of dnsBL checks. If you pass those then I'll do an SPF lookup. If, in your case, you don't have an SPF record then the mail goes through (to spam assassin). If you fail an SPF check because you're "spoofing" a from address for a domain which has valid SPF lookups then you get rejected.

      Your cases where your MTA has no SPF has no effect, the mail gets passed through because you did not fail. I'm not blocking on a "must pass", that would be insane. So why is blocking like this bad in your eyes? You seem to think that people only tag, wrong. People reject on *fails*. A domain which does not have an SPF record is not a fail.

    11. Re:First Post by blowdart · · Score: 2, Informative
      > You seem to be assuming that everyone who has a legitimate reason to spoof "from" addresses also has control of the firewall and DNS entry, or the ability to influence SenderID policy. This is very rarely the case.

      No I'm not. If you don't have control over the firewall or DNS then you don't have the ability to produce an SPF entry anyway.

      I am assuming that if you have the technical ability to have an SPF entry then you also have the ability to setup SMTP AUTH, a VPN to your server or any other way to support remote working.

      People seem to be assuming that if you don't have an SPF/Sender ID record your mail gets rejected. That's not the case in most setups, and hell, at the end of the day it's my mail server I'll configure it how I like :)

    12. Re:First Post by Anonymous Coward · · Score: 0

      Anybody suspected of doing PRA checks against our spfv1 records is going to be blacklisted. These records were published for MAIL FROM checking and not checking message data.

      That is all.

    13. Re:First Post by hedge_death_shootout · · Score: 2, Insightful

      > Perhaps we could call it Microsoft ID instead? Why fluff it up with a name, call it as it is. The government gives us social security numbers so they can know who we are and track us.. why not let Microsoft have the same power?... um.. because!!

      +4 Insightful?
      I'd have thought this might make 'Funny' by the admittedly lenient comedic standards of this forum, but... insightful!?
      Oh lordy!

    14. Re:First Post by takeya · · Score: 2, Interesting

      I have a question about this:

      what about people like me who use my domain address for sending mail? I send my mail via horde at the domain, via Yahoo! Mail interface, via Opera M2 with my email (not return) address set to my domain address and even sometimes at mail2web.

      Yahoo would use Yahoo SMTP servers, Opera would use my ISP's and only Horde would use the real mail.domain.com IMAP server. If they unblocked ISP SMTP servers for this sort of thing... wouldn't that just defeat the purpose? Because they're used for more than just @isp email addresses.

    15. Re:First Post by Anonymous Coward · · Score: 0

      especially since roughly half of americans support the government, while virtually 100% americans support and trust Microsoft.

    16. Re:First Post by rastachops · · Score: 4, Informative

      DomainKeys is a much better proposal, using DNS to publish public keys and then signing a hash of the message with the server's private key before sending. The client then looks up the public key via DNS and can verify the sender's domain.

      It was covered on Slashdot a little while ago, under the heading that GMail has started to use DomainKeys. Link.

    17. Re:First Post by SillyNickName4me · · Score: 2

      > Come back when you know how SMTP works. I can set any domain in the from address when I connect to your SMTP server. You have three options: use the SPF records of that domain to block or tag the email, or do nothing.

      So, you can block mail that comes from a 'not authorized to send' smtp server, you can tag it (for example for usage by a spam filter later on) or do nothing..

      In none of those cases you tag spam, in 2 of those cases you deal with the forged sender issue, and in the 3rd you do nothing.

      What again was your argument?

    18. Re:First Post by SillyNickName4me · · Score: 1

      You add those smtp servers to your spf records and you are all set. Although, I wouldn't want to have yahoo in there, but that is just personal I guess.

    19. Re:First Post by pjt33 · · Score: 2, Informative

      Sender-ID may do that: SPF addresses the authenticity of the MAIL FROM SMTP command rather than the headers.

    20. Re:First Post by dossen · · Score: 2, Informative

      And if my server checks the SPF record of the domain in your 'MAIL FROM' against your IP before allowing your SMTP transaction to proceed, how exactly will you be able to fake a message from a SPF-enabled domain? Either the envelope-from is valid or your mail is dropped before you even sent it (provided the SPF-record of the domain is in order). If you set your From: header to be different from your envelope-from, that could be checked at a later time (e.g. procmail or some spam-filter). But the purpose of SPF is to make it impossible to forge the 'MAIL FROM', and if 'MAIL FROM' is correct I can always bother your admin (or the admin of your upstream) if you do something nasty.

    21. Re:First Post by infra-red · · Score: 1

      <Sarcasm>You're so right. Let's put off deploying something that might be able to make a dent until we have the ultimate uber solution that solves all the world's problems and will get me a date.</Sarcasm>

      One thing this could do would be to stop the flow of spam/worms from broadband customers. That right there would have a huge impact on everyone.

      The problem that kills simple things like blacklists from working is that most mail comes forged, if you can kill the forged mail, blacklists become effective again.

    22. Re:First Post by squiggleslash · · Score: 2, Interesting
      > The real point of SPF and Sender ID is to make it hard for spammers to forge their "from" addresses, so that blacklists and whitelists can be more effective.
      That's probably overstating what these technologies actually do, and bringing a different issue into the system.

      SPF/etc doesn't really do anything specific as far as spammers go (that is, it doesn't treat spammers as some special case, and spammers by themselves aren't going to be disproportionally encumbered by this technology), and it doesn't prevent anyone from simply forging addresses (that is, using an address in the From line that doesn't map back to the spammer.) What it does do is prevent someone from using a From address whose domain belongs to someone else without that owner's permission.

      The intent is to deal with "Joe Jobs", by ensuring that a domain name owner has the final say over any emails sent out whose From envelope address contains that domain name.

      Now, some people are associating this with spam, on the grounds that some spammers send out emails with unauthorized email addresses as the From line. This, I suspect, is being done purely because it's easier than registering a domain. However, registering domain names isn't difficult or particularly expensive, so that spam is simply going to start coming from new domains rather than disappear.

      To give you some idea of how ineffectual this is in terms of stopping spam, I registered a new domain for myself last week. Within fifteen minutes of me going to register.com, entering the credit card number, and accepting everything, the domain was live. That is, there was a DNS server under my control pointing at it, and my work DNS (completely unrelated to the DNS server I attached the domain to) was resolving the name correctly. If I were a spammer, I would have been able to start sending out spam under a non-blacklisted domain within fifteen minutes of me registering the domain.

      The real major (positive) impact this will have is on certain types of virus. There are many viruses that work on the basis of sending out emails that look like they come from trusted friends (by searching, for example, an address book and sending emails from the owner of the address book, or sending them from addresses in the address book.) SPF has the potential to make that close to impossible.

      The downside, of course, is that the technology isn't completely transparent. Roaming (where you use multiple ISPs but want to use one email address) becomes difficult if your choice of email address is from an ISP that uses SPF, and which doesn't have a suitable relay server available for you to send outgoing email via - and suitable can just mean that your email software doesn't support whichever of the myriad of authenticated SMTP systems your ISP uses.

      --
      You are not alone. This is not normal. None of this is normal.
    23. Re:First Post by eric76 · · Score: 1

      Sender ID handles nothing that DomainKeys cannot handle better.

      > One thing this could do would be to stop the flow of spam/worms from broadband customers.

      To slow down the spread of viruses/worms, the service providers need to: 1) Block all outward SMTP connections that do not originate from their own mail servers. 2) Scan outbound e-mail through their mail servers for viruses/worms.

      The ISP where I work already does the first. We were also one of the early ISPs to close our open relays. We also make sure our customers understand that spamming is forbidden.

      As a result, we have never been able to identify even one spam originating from our network.

      > The problem that kills simple things like blacklists from working is that most mail comes forged, if you can kill the forged mail, blacklists become effective again.

      The problem is that there is no global list of legitimate e-mail servers from which to accept e-mail. Creating and maintaining such a list would be a real nightmare. So instead, we have blacklists that try to identify e-mail servers that we can block.

      One advantage to these schemes is that they create a kind of distributed list of apparently legitimate e-mail servers. In addition, we can blacklist by domain instead of IP address that can change quite easily.

      For example, suppose example.com identifies their servers as mail1.example.com and mail2.example.com. If example.com has a spam problem, we can blacklist all example.com servers and not worry about which specific IP addresses are being used by those servers.

      If one accepts e-mail only from servers on that list that are not also blacklisted, then the spam level should drop accordingly.

    24. Re:First Post by Anonymous Coward · · Score: 0

      #1 is only partially true.

      Sure, nobody is forcing you to publish SPF/SenderID records. However if SPF gets good traction in senders that I care about, I'd like my Spamassassin to blacklist everyone not using SPF by a bit, and then more aggressively white and black-list specific domains that I do/don't trust.

      If others follow suit, then filters based on SPF records can indeed become a problem for domains that refuse to use SPF.

    25. Re:First Post by AuMatar · · Score: 1

      And if you don't have control of your DNS server? The vast majority of people don't. If my ISP blocks everything but their server and I want to put my work address on an email, do you think I can really get my employer in an 80K employee company to add my ISP's mail server?

      --
      I still have more fans than freaks. WTF is wrong with you people?
    26. Re:First Post by Arrogant-Bastard · · Score: 1
      > The real point of SPF and Sender ID is to make it hard for spammers to forge their "from" addresses, so that blacklists and whitelists can be more effective.

      1. They don't have to. Spammers have control of something between 10e7 and 10e8 zombies, and could easily instruct them to send out properly-SPF (or SenderID or DomainKeys or whatever) -tagged messages whenever they feel like it.

      Nothing (well, okay, not much) stops them from acquiring more zombies: the potential pool is comprised of every Windows system on the 'net, including those connected only intermittently or behind firewalls. So unless you're proposing that SOMEONE is going to secure all those boxes, and I don't see anybody volunteering for that task, all these technologies are moot.

      2. But let's make a couple of big assumptions -- both of which are invalid, but let's try them anyway. Suppose that SPF (or SenderID or Domainkeys, it doesn't matter which one) was globally deployed and worked perfectly. Does this get us anywhere?

      No it does not.

      Because, you see, spammy has already anticipated this move. And spammy is registering domains by the thousands -- a task made easier and cheaper by the fact that at least a couple of registrars are owned and operated by spammers.

      Which means that spammy has, for all practical purposes, an infinite supply of cheap domains. And spammy has already demonstrated that he/she is perfectly happy to burn one per spam run.

      So. You get spammed from domain000001.com. You use SPF and prove to your satisfaction that yes, it really came from there. You block it.

      Tomorrow, you get spammed from domain000002.com. Same spammer; same payload; different domain. And you can use SPF on this one too.

      Lather. Rinse. Repeat.

      I'm up to 135,000 blocked domains and nowhere near the end. Just building that list has taken nearly a year -- and there are some definite scalability and performance issues in using it.

    27. Re:First Post by tiedemann · · Score: 0
      "The real major (positive) impact this will have is on certain types of virus. There are many viruses that work on the basis of sending out emails that look like they come from trusted friends (by searching, for example, an address book and sending emails from the owner of the address book, or sending them from addresses in the address book.) SPF has the potential to make that close to impossible."
      Most e-mail based viruses/worms use wscript. It really isn't that hard to script automated sending of messages from Outlook (even easier with Forms in Outlook 2003) using the preferred e-mail account. As long as one valid sender remains in Outlook it will be vulnerable.
      Hell, I use it myself (for sending automated messages to myself).
    28. Re:First Post by Anonymous Coward · · Score: 0

      This is completely ridiculous. Why would blacklists be more effective? Today we use (see Spamcop et al) -- and have successfully used for several years -- IP-based blacklists. What's easier, get another IP network or register a new domain?

    29. Re:First Post by bcrowell · · Score: 1
      > To give you some idea of how ineffectual this is in terms of stopping spam, I registered a new domain for myself last week. Within fifteen minutes of me going to register.com, entering the credit card number, and accepting everything, the domain was live... If I were a spammer, I would have been able to start sending out spam under a non-blacklisted domain within fifteen minutes of me registering the domain.
      The reason spam is a huge problem and paper junk mail isn't is that spam is free to send. The postage cost for sending paper junk mail means that there's a limit on how much will get sent to me. It cost you money to register your domain name. If it gets blacklisted within the first 24 hours, then you've spent quite a bit of money just to be able to spam for 24 hours.

      We should also expect that ISPs will start to refuse mail when 1,000,000 mails come from a domain that was activated yesterday.

      > The real major (positive) impact this will have is on certain types of virus. There are many viruses that work on the basis of sending out emails that look like they come from trusted friends (by searching, for example, an address book and sending emails from the owner of the address book, or sending them from addresses in the address book.) SPF has the potential to make that close to impossible.
      The problem with SPF as a tool against phishing is that it only works for users who would have been naive enough to click on an executable, but sophisticated enough that they've installed an SPF-aware mail client, and sophisticated enough that they understand what it means when their mail client tells them the mail failed SPF validation.

    30. Re:First Post by mdfst13 · · Score: 1

      "sophisticated enough that they've installed an SPF-aware mail client"

      SPF is intended to be implemented at the MTA level. I.e. it is an ISP thing, not a user thing. Even if the user is "naive enough to click on an executable," an SPF MTA will prevent them from having the chance.

      Btw, SPF proponents believe that domains can be blacklisted within the first hour through the use of honey pot addresses. Further, purchase of a domain requires control of a credit card. The credit card can be traced. If nothing else, this can cost the purchaser use of that credit card (which may be stolen).

    31. Re:First Post by SillyNickName4me · · Score: 1

      > And if you don't have control of your DNS server?

      I am aware of that, part of the point of spf and similar solutions is to give the domain owner (which supposedly does control the dns, or can instruct the person/organisation that controls it) control over which servers can send mail on behalf of that domain.

      If you don't own the domain, you obviously don't have that control either.

      > The vast majority of people don't.

      Not over domains they do not own indeed.

      > If my ISP blocks everything but their server and I want to put my work address on an email, do you think I can really get my employer in an 80K employee company to add my ISP's mail server?

      Nope, your employer is unlikely to do that, not just because it would be kinda silly and a lot of work, but because there is a better solution.

      If your employer wants you to be able to do that, then he/she/they can set up an smtp server that allows authenticated mail submission. You point your mail client at it, and it will serve as mail relay for you for mail that has a from address in the domain of your employer. Your employer will then relay the mail to its destination through the proper smtp relay (which is mentioned in spf)

      This does give your employer control over who can send mail on their behalf. That may not be what you like, but honestly, it is their domain, and they should have that control.

    32. Re:First Post by AuMatar · · Score: 1

      You're missing the point. Not if my ISP is blocking it. My employer is quite happy to let me use their SMTP server from home. That's the preferred method. My ISP is not. A lot of ISPs block all outgoing port 25 these days. Yes, I might be able to SMTP over another port, but my employer is not going to play games to get around weird ISPs- with all the little ISPs running around with their own rules, that would be a full time job. Nor should they have to. But blocking outgoing port 25 was another "wonderful" anti-spam idea that utterly failed.

      That's the problem with a lot of these spam prevention techniques- they forget the web isn't designed, it's a cobbled together connection of hacks. A lot of these fixes break email for people who use features these hacks enable. Such as just changing a field in their mailer to be able to send from their own account at home, or in a library, or a friend's house. Claiming that these users can do workarounds with XYZ isn't sufficient, very few users have the knowledge or access to do XYZ.

      It's also an effort doomed to fail- in order to stop spam technically, you'd end up removing all the features that make email useful. Spam is not a technical problem- it's a social one. Some people will do anything for profits, including inconvenience large numbers of others. The answer is to make spam unprofitable. You may not be able to track who sent a spam- but if you buy something from one, you can track where the money goes. Track it down, and levy stiff fines and jailtime on the spammers. Make the cost not worth the reward. That's the only way to curtail it without hamstringing email.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    33. Re:First Post by SillyNickName4me · · Score: 1

      > You're missing the point. Not if my ISP is blocking it. My employer is quite happy to let me use their SMTP server from home. That's the preferred method. My ISP is not. A lot of ISPs block all outgoing port 25 these days. Yes, I might be able to SMTP over another port, but my employer is not going to play games to get around weird ISPs- with all the little ISPs running around with their own rules, that would be a full time job. Nor should they have to. But blocking outgoing port 25 was another "wonderful" anti-spam idea that utterly failed.

      First of all, I agree completely with regards to your opinion on blocking port 25 by ISPs (mine doesn't, but then, they have rather nice 'rules' anyway).

      However, I suggest taking a peek in /etc/services (if you are on a unix/linux machine), you will find the following line there:

      submission 587/tcp

      This port is specifically intended for submitting (authenticated) mail that the smtp server should relay for roaming users. Any relatively modern mta supports this and many enable it by default.

      So, I think I was quite getting the point, but you didn't know enough about smtp.

    34. Re:First Post by squiggleslash · · Score: 1
      > The reason spam is a huge problem and paper junk mail isn't is that spam is free to send. The postage cost for sending paper junk mail means that there's a limit on how much will get sent to me. It cost you money to register your domain name. If it gets blacklisted within the first 24 hours, then you've spent quite a bit of money just to be able to spam for 24 hours.
      This is a fallacy. The reason spam is a huge problem is that it's unmetered, not that it's free, it certainly isn't free. Spammers already spend a lot of money on subscribing to ISPs, I suspect the $20-30 to register a domain is a drop in the bucket.
      > We should also expect that ISPs will start to refuse mail when 1,000,000 mails come from a domain that was activated yesterday.
      The domain doesn't have to have been activated yesterday. I gave the example to show how quick you can be, ie how quickly SPF can be defeated, but obviously a determined spammer can register "sleeper" domains months in advance, and probably would.
      --
      You are not alone. This is not normal. None of this is normal.
    35. Re:First Post by squiggleslash · · Score: 1
      > Btw, SPF proponents believe that domains can be blacklisted within the first hour through the use of honey pot addresses.
      ...as opposed to IP addresses the spam is coming from. It's a bit more accurate and less susceptible to false positives for ordinary cases, I guess, than something like SPEWS, but more open to abuse.
      > Further, purchase of a domain requires control of a credit card. The credit card can be traced. If nothing else, this can cost the purchaser use of that credit card (which may be stolen).
      This is true of Internet access in general, so if SPF proponents are seriously arguing this, it means they're even less bright than I thought they were.

      Remember: Spam isn't free to the spammer, it's just unmetered and cheap. Right now, spammers have to afford to buy a new Internet account for any spam they send. Adding $15-30 to that amount for a new domain name really doesn't significantly increase the amount in costs.

      --
      You are not alone. This is not normal. None of this is normal.
    36. Re:First Post by mdfst13 · · Score: 1

      "Right now, spammers have to afford to buy a new Internet account for any spam they send."

      How do you figure? This is only true if the spammer is sending from some legitimate source. Very little spam is sent from legitimate sources.

      You seem to be claiming that spam can be tracked back to the sender. This is manifestly untrue. Most spam can only be traced back to a proxy (which may be a compromised machine). Sure, you can shut down the proxy, but the spammer is not associated with the proxy (at least not in any trackable fashion). The actual spammer can continue to use the same internet account, no need to change.

    37. Re:First Post by squiggleslash · · Score: 1

      Ok, assuming this is true (and I doubt that for the majority of spam it is - most regular open relays, for instance, are mal-configured Microsoft and Sendmail SMTP servers, which by default include origin information in the email headers), do you think that adding $50 ($20 for an ISP, $30 for a domain name) seriously adds that much to the cost of sending spam?

      --
      You are not alone. This is not normal. None of this is normal.
    38. Re:First Post by mdfst13 · · Score: 1

      "most regular open relays, for instance, are mal-configured Microsoft and Sendmail SMTP servers"

      Open relays are very 90s. Open relay blacklists have made it much more difficult for open relays to be used. They have moved on to open proxies and virus zombies for exactly that reason: to avoid giving up their unique info. Yes, some still use open relays, but the majority of spammers do not (especially the *successful* spammers; open relay spammers are low impact to the end user because they are usually blocked at the MTA level).

      "do you think that adding $50 ($20 for an ISP, $30 for a domain name) seriously adds that much to the cost of sending spam?"

      Yes. Costs to spam:

      Software: $300, amortized over many spams to become less than $1 per spam. Assumes that more than 300 spams can be sent with the same software (at 1 spam per day, that's less than two years).

      Hardware: $1000, amortized over many spams to become less than $3 per spam. Assumes that over 300 spams can be sent with the same hardware.

      Bandwidth: $40 per month, amortized over a month of spams to less than $2 per spam. Assumes that at least 20 spams can be sent each month (one each workday).

      So for less than $6, one can send out 2,000,000 emails a day (100,000 per hour easily achievable with minimal hardware). Adding $50 to this would substantially increase their costs. Further, if the honeypot blacklists within the hour, that's only 100,000 emails for the $50, not 2,000,000.

      Even if the spammer uses a T1 line, that's still only $1000 per month or $50 per spam. Adding $50 to this would still double their costs.

  2. AOL Endorses it, huh? by mg2 · · Score: 2, Insightful

    Being that AOL's marketing strategy is based somewhat on spam (the CDs you get in the mail, the "Sign up for AOL" icons that appear on your desktop), doesn't that kind of hurt the legitimacy of that endorsement? I dunno, if the guys offering me home loans and viagra said this was good technology, I might think twice.

    1. Re:AOL Endorses it, huh? by Anonymous Coward · · Score: 0

      Don't forget both AOL and Hotmail talking head executives testifying before Congressional committee that they have in the past sold their subscriber lists to spammers.

      My only thought is, how much did AOL make in the deal?

    2. Re:AOL Endorses it, huh? by Erik+Hollensbe · · Score: 4, Informative

      I want to first say that I am one of the last people to jump to the defense of AOL.

      That's hardly an insightful comment.

      18 million users means you care a heck a lot more about the impact of spam than pretty much any other network in the world.

      And if you write your own little hacked up mail tool (like I have, to send legitimate, solicited email, not spam, heck, not even advertising) and start hitting AOL with bad SMTP envelopes, you're going to find them sending back 550's with a url.

      I wish I could remember the url, but it dictates their "friendly mailer" policy. You don't follow this policy, you don't get to send AOL's users email.

      To get them to let you send email again, you must call them and have a little chat with an email administrator. It's not a nice chat. It's a "don't fuck up again" chat. Thankfully, my boss made that call for me. :)

      I've managed to trip up several large e-mail hosts like Yahoo and Hotmail, but AOL's is by far, the most draconian. Personally, I applaud it. I'd be overjoyed to get an email account with those kinds of practices, that I don't have to administer myself. I just can't stand the rest of the service. Perhaps my intentions were good, but I'm the exception to the rule as far as people who write these kinds of mailers go. I imagine that phone call rarely gets exercised.

      This is how it was about a year and a half ago. I don't know how it is today.

    3. Re:AOL Endorses it, huh? by theCoder · · Score: 5, Informative

      "Friendly mailer"? That's a laugh.

      AOL (and their properties) is the single worst email provider on the planet. They routinely drop email and often bounce legitimate email. They may claim they prevent 10 million quadrillion spams or something, but I'd guess that a good percentage (though not a majority or anything) are legitimate emails falling victim to their "policies".

      They use their large size to bully people around, like they did to you. If some small ISP was bouncing your mails for the same reason, would you have begged to get off their bounce list? AOL blocks mail from large swaths of IP space because they "might" be sending spam. Heck, I have RoadRunner (which is an AOL property), and I can't even send mail to other RoadRunner users because as a RoadRunner user I'm probably sending spam!

      I've had AOL bounce emails because I PGP signed them, which IMO is the best form of "sender-ID" there is (and anyone serious about getting rid of spam would support this, but very few actually do, probably because it would mean taking responsibility for the problem). But according to AOL, it's probably spam, so it got bounced! (in this case, it was a user setting to bounce mail with attachments, but shame on AOL for not realizing what a PGP signature was and allowing/endorsing it)

      AOL's policies are not conducive to a good Internet neighbor. AOL and their arrogant policies have always been bad for the Internet. Anything that AOL endorses automatically raises my suspicion. Never mind the fact that as the OP stated, AOL popularized the idea of spam with their mass mailings and selling of email addresses (way back in the day before they realized what a bad idea that was).

      If you really want your personal email account to be like AOL, just set up a procmail filter that deletes/bounces half your mail.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    4. Re:AOL Endorses it, huh? by Malc · · Score: 1

      From a mailer's perspective, I think the biggest complaint about AOL would be that it's almost easier for recipients to indicate a message is spam than it is to delete it. On the plus side, AOL have implemented a feedback loop mechanism. This way people who think something is spam can be quickly purged from a list and everybody remains happier.

    5. Re:AOL Endorses it, huh? by nvrrobx · · Score: 1

      Heck, I have RoadRunner (which is an AOL property), and I can't even send mail to other RoadRunner users because as a RoadRunner user I'm probably sending spam!

      I was a RoadRunner customer for two years (until two months ago) and I regularly email other RoadRunner customers (my mother, for example). Next?

      (in this case, it was a user setting to bounce mail with attachments, but shame on AOL for not realizing what a PGP signature was and allowing/endorsing it)

      An attachment is an attachment is an attachment. It doesn't matter what it contains. If the user had their account set to block attachments, your email WITH PGP ATTACHMENT should have been blocked.

      As for AOL "bullying people around" - guess what - they own their bandwidth. You want to use it after generating bad traffic that interrupts their mail server's ability to process legitimate mail, you have to call them. Sounds somewhat draconian, but reasonable. After all, it's THEIR bandwidth and THEIR servers.

      Hell, if I ran an ISP and you did that, you're damned right you'd be begging me to let you back in. Fool me once, shame on you. Fool me twice, shame on me.

      Knock it off with the "stick it to the man" ideals. If you were really against AOL, you wouldn't be a RoadRunner customer, would you?

    6. Re:AOL Endorses it, huh? by Erik+Hollensbe · · Score: 1

      I've had people's little client-hugging applications do it with mine, then I get a "hey, why do you keep sending me viruses?" E-Mail. It's not automated.

      Clearsign. You do have a MUA that can do that, right?

      As far as my email accounts go, if you send me an email that doesn't at least have a text/plain portion, it never even gets queued. Doesn't matter if you're my best damned friend.

      So I'm more willing to accept that you and I have different ideas of what acceptable mail policies are.

      OTOH, I've seen one spammer (not several, one machine on their end) bring a machine that routes all the mail for a small group of users above 130 load average. It's a single proc AMD 2200 with the full availability of a T3. Mine is not the only machine on this network that repeatedly gets this treatment (it's a colocation facility - my wife works at the ISP so I get it for free, heh).

      I was forced to move to lighter front end solutions such as messagewall because even the relatively simplistic QMail could not hold up.

      And I have around .... 50 e-mail accounts that belong to myself and various people that I know (a gamer clan). Nowhere near 18 million at the minimum.

      So as a mailer recipient that still likes to make things like postmaster@ accessible, I don't know if your position really concerns me. I imagine that AOL feels the same way.

    7. Re:AOL Endorses it, huh? by feloneous+cat · · Score: 1

      18 million users means you care a heck a lot more about the impact of spam than pretty much any other network in the world.

      Not exactly how you intuit that!

      In fact, I suspect EVERY ISP will argue that they care a lot about spam. I know my local ISP cares (it sez so on their web-site!). I know that Cox Cable does (sez so on their website), yet when I tracked down spam FROM THEIR NETWORK and sent it to them what was the sound I heard?

      Silence.

      Yeah, they care. Very little.

      --
      IANAL, but I've seen actors play them on TV
    8. Re:AOL Endorses it, huh? by Erik+Hollensbe · · Score: 1

      I'm not talking about marketing, you know.

      When you have 18 million users, many of them who actually think they'll get something for free and "all they need to do is give out their email address", spam is not a face-saving issue.

      It's a real-world network cost issue.

      The reason they probably didn't bother with your email (other than your obvious ignorance to the real issue at hand) is because they can't do much about it.

      Most of the spam my server is hit with comes from places like Korea and China. What am I going to do, call in the A-Team to bust a spammer?

    9. Re:AOL Endorses it, huh? by Kent+Recal · · Score: 1

      OTOH, I've seen one spammer (not several, one machine on their end) bring a machine that routes all the mail for a small group of users above 130 load average. It's a single proc AMD 2200 with the full availability of a T3. Mine is not the only machine on this network that repeatedly gets this treatment (it's a colocation facility - my wife works at the ISP so I get it for free, heh).
      I was forced to move to lighter front end solutions such as messagewall because even the relatively simplistic QMail could not hold up.


      I'm curious, what the heck did the spammer do to drive your qmail up to 130 (not missing a dot there?)?!

      I regularly send out newsletters to a _very_ bad recipient list (about 80% malformed or bouncing addresses, we're in the process of weeding it out) of ~100000 addresses.

      Even while pumping the mail down qmail-inject's throat (~20k mails in the queue, sometimes ~10k mails in the "not-yet-processed chain") the machine never goes to any significant load (1.0 maybe but that's it).

      And that's also a weak athlon box on a 100mbit link.

    10. Re:AOL Endorses it, huh? by Lost+Race · · Score: 1

      Heck, I have RoadRunner (which is an AOL property), and I can't even send mail to other RoadRunner users because as a RoadRunner user I'm probably sending spam!

      I was a RoadRunner customer for two years (until two months ago) and I regularly email other RoadRunner customers (my mother, for example). Next?

      He's probably complaining about not being able to run his own MTA on his cable modem. Guess what, 90% of intelligently-run MX hosts won't receive mail direct from cable modems. Looks like RoadRunner is doing something right. Or maybe they're blocking outbound port 25 from their cable customers? That's even better.

    11. Re:AOL Endorses it, huh? by Erik+Hollensbe · · Score: 1

      I was actually talking about receiving mail in that scenario, but it's simple.

      Let's establish context:

      - Spammers rarely use pipelining.
      - My mail host isn't geared to big concurrency (although I am patched to take advantage of it)
      - There was nothing stopping tcpserver from going apeshit.

      When it takes several minutes to get a list of qmail-smtpd processes, I'm sure you can figure the rest out.

      Although, the 130 had SA and qmail-scanner in the mix. The time before that (time #2 meant that I had to re-evaluate my mail system because I wasn't going to deal with this on a daily basis) got it up to around 80.

  3. Licensing changes? by Fnkmaster · · Score: 3, Insightful
    Humble analysis aside, does anybody have any real information on whether there are licensing changes? If not, this end-run-around attempt should be reacted to with extreme prejudice. Kill these fuckers. Seriously. Or at least killfile them. Blackhole email from AOL if they subscribe to and back Microsoft's standard. A large scale campaign for a few days, and they will change their mind again real fast.


    If we have learned nothing from watching AOL feast on Netscape's corpse it's that there are LOTS of execs at AOL with radically different ideas about ways to do things, and they change their mind on a weekly basis. Exert a modest bit of pressure and they can be made to bend over like the fitty cent whores they are.

    1. Re:Licensing changes? by Anonymous Coward · · Score: 2, Interesting

      ...there are LOTS of execs at AOL with radically different ideas...

      Yeah, just watch those stupid commercials they have about how their customers can "help them make the Internet better", like the one with the stupid lady who stands up on the executives' table while they are having a meeting. As if they are "the Internet". I know there was a time when they were one of the only big ISPs on the block, and they brainwashed their customers into thinking that they were in fact, the Internet. But those days are long gone.

    2. Re:Licensing changes? by dtfinch · · Score: 3, Insightful

      Blackhole email from AOL

      I doubt it'll affect anything. They already blackhole so much of their incoming email, it's near impossible to talk to most AOL users except through AIM. AOL is their own little world.

    3. Re:Licensing changes? by Anonymous Coward · · Score: 0

      I saw that one. The woman had a 1 year old child and suggested her child's internet experience be monitored... can that kid even type? Seriously, what the hell were they thinking when they made that one?

    4. Re:Licensing changes? by andywebz · · Score: 3, Interesting

      I wish those days were long gone. And those "we are the internet" ads do piss me off. However, my fiance's father IS one of those people. He comes to our house and asks how to "log on". He can't fathom that just opening the web browser gives him access to the internet. Where is AOL? Prodigy? (Yes, he was a die hard prodigian) How are you already logged on? Is he an exception to the rule, or indicative of the masses?

      --
      Saying "I'll probably get modded down for this", is a magnet for my -1 mod token. I hate to disappoint.
    5. Re:Licensing changes? by metlin · · Score: 4, Funny


      AOL is their own little world.

      And... that is bad how?!?!

      Do you really want them little tiny-tot AOLers coming at you?

      It seems you've been leading two lives, Mr. Finch. In one life, you're a nice Slashdotter, with excellent Karma who even M2Ms regularly. In another life, you're an AOL user. You use AIM, chat with 14 y.o. with teenage girls and help your landlord find his pr0n.

      One of these lives has a future, one of them does not. ;-)

    6. Re:Licensing changes? by Anonymous Coward · · Score: 0

      Some of us want our intarweb better, thank you very much!

  4. What do I think??? by adam31 · · Score: 4, Funny
    Oh yeah, when I want to know my opinion the first thing I do is see what AOL thinks.

    ...right after holding my wetted finger to the slashdot wind, of course.

    1. Re:What do I think??? by Zork+the+Almighty · · Score: 1

      .. so you can do the opposite ? Seems like good advice for me. Notice how the popularity of Firefox exploded right around the time that AOL adopted IE for their browser.

      --

      In Soviet America the banks rob you!
    2. Re:What do I think??? by codemachine · · Score: 1

      Although I think you're somewhat joking, there is more truth to this than you realize.

      When AOL signed their deal with MS, they didn't really need the Netscape suite anymore, so they eventually spun off the Mozilla project into the non-profit Mozilla Foundation (and gave them some nice start up money to run with).

      With the Mozilla project being further outside the realm of AOL than before, it was possible for Mozilla to shift their attention away from the Mozilla/Netscape suite of internet applications, and towards Firefox and Thunderbird.

      Although the Phoenix/Firebird/Firefox browser project had been gaining steam on its own, I'm not so sure it would've become the Mozilla project's centrepiece if it were not for the creation of the Mozilla Foundation.

      So we should be thankful that AOL let the project go in its own direction, and gave them the means to do it. It freed Netscape/Mozilla from being just a pawn in negotiations between MS and AOL. In the end, both AOL and Mozilla win out, since AOL finally gets some return on its Netscape purchase, and Mozilla Firefox goes on to start a new browser war. The losers are MS and all of AOL's customers stuck on IE.

  5. AOL is the 90 Chimp by jm92956n · · Score: 4, Insightful

    AOL is certainly not a highly respected corporation, especially in the tech-world. They've agreed to ally themselves with Microsoft for this particular issue, but until some other notable corporations or organizations (particularly Yahoo!, Google, and Apache) accept sender-ID as a "standard," there's no way it will make any difference in the fight against spam.

    --
    An effective signature identifies a particular user amongst a base of thousands.
    1. Re:AOL is the 90 Chimp by Anonymous Coward · · Score: 1, Informative

      From what I've seen, AOL has a large amount of respect in the Anti-Spam community.

    2. Re:AOL is the 90 Chimp by ipfwadm · · Score: 1
      AOL is certainly not a highly respected corporation, especially in the tech-world. They've agreed to ally themselves with Microsoft for this particular issue, but until some other notable corporations or organizations (particularly Yahoo!, Google, and Apache) accept sender-ID as a "standard," there's no way it will make any difference in the fight against spam.

      Perhaps their endorsement doesn't mean a whole lot in terms of driving sender-id forward, but given the sheer number of @aol.com mailboxes, their non-endorsement would certainly impede adoption.

    3. Re:AOL is the 90 Chimp by gujo-odori · · Score: 5, Interesting

      I've been in the anti-spam community for years, currently professionally so, and my respect for AOL is both recent and shallow. As a force against spammers, they're a Johnny-come-lately, and I remember well the days not so long ago when the only spam AOL cared about was inbound spam, but outbound spam was a complete non-issue to them. Inside of AOL was one of the safest places for a spammer to be, once upon a time.

      There was a spam ring operating *inside* of AOL in the late 1990s that routinely joe-jobbed the ISP I was working for at the time. Entreaties to AOL fell on deaf ears. This joe-job went on for about a year, almost non-stop. They seem to have chosen us because we were very effective at blocking their spew and our 550s weren't always polite :-)

      I believed then, and believe now, that the only way a spam ring could operate so brazenly for so long and in the face of all complaints, was if it was an inside job: a spam ring being run by AOL employees, possibly without the knowledge of AOL management, but almost certainly with the complicity of the AOL abuse department; it could even have been them doing it.

      I freely admit that I cannot prove any of this and it is all conjecture based upon circumstantial evidence, but lest you start sniggering about tinfoil hats, let me tell you the final chapter in this saga.

      After about a year of this almost constant joe-jobbing, my then-employer was bought by a much larger ISP and hosting company, one with enough guns/money/lawyers to make even AOL pay attention. We, the beleaguered engineering department of this smallish ISP, where I was at the time the especially beleaguered postmaster, took our plight to our new parent company's abuse department, who said they would try to help. After not getting much farther than we did, they put us in touch with our new parent company's legal department, who didn't say they would try to help. They said they *would* help.

      And lo and behold, not long after the legal department got involved, the spam just stopped. Not just the joe-jobbing, but also the large amount of spam directed at our customers from the same spam ring. It went from thousands of direct messages (for an ISP with less than 50,000 customers that was a lot) and thousands more joe-job bounces every day to nothing. Zero. Not a single mail from that ring ever reared its ugly head on our network again during the further three years I worked there.

      How could such a thing happen, after constant whining from AOL that they were powerless to prevent it (that was before they started ignoring us entirely)? I can think of only one plausible way, with two scenarios. In both, it's an inside job.

      Variation one: after our new legal department took up our cause, that got AOL's attention to a sufficient degree that an actual investigation was opened, the perps were caught, and they were all fired. The trouble with this scenario is, if they were fired, why did they not joe-job us even harder in retaliation for losing their jobs?

      Scenario 2: after our new legal department took up the cause, words were spoken to the proper people and it was made clear that they had to leave us alone and find some other victim because we were no longer some piss-ant regional ISP in a niche market, but now part of a big, strong company that could and would sue them if they didn't back off.

      Needless to say, I find one of these scenarios far more likely than the other, and I find my respect for AOL still a bit thin, even though they have gone after some spammers and successfully sued them. Their new embrace of the still patent-encumbered Sender-ID doesn't exactly raise them in my estimation.

    4. Re:AOL is the 90 Chimp by jonwil · · Score: 1

      What reason would Apache have to do anything with Sender-ID?
      Sendmail perhaps but not apache...

    5. Re:AOL is the 90 Chimp by Anonymous Coward · · Score: 0

      Number 3: AOL finally had the impetus to do something about a problem they knew about but didn't care to solve due to lack of resources or motivation or typical big corporation "not my problem" attitude. The imminent threat of legal action forced them to realize that your problem was really their problem and they stopped blowing you off and fixed it.

      Occam's razor is a bitch.

    6. Re:AOL is the 90 Chimp by ahodgson · · Score: 1

      Of the large ISPs, AOL has done probably the best job of solving their outbound spam problem. Compared to sewers like MCI, SBC or Savvis, they look and act like utter angels.

    7. Re:AOL is the 90 Chimp by XPisthenewNT · · Score: 1

      My thought exactly!

  6. AOL support for this is huge. by Maul · · Score: 4, Insightful

    With AOL using this standard, Microsoft gets a huge chunk of marketshare for it.

    Microsoft has one goal in all of this: To lock Open Source out of a standard, and then launch FUD campaigns about how Open Source refuses to support Sender-ID (because MS will charge an insane fee for licenses, but MS won't mention this) and thus helps spammers.

    --

    "You spoony bard!" -Tellah

    1. Re:AOL support for this is huge. by swillden · · Score: 5, Insightful

      because MS will charge an insane fee for licenses, but MS won't mention this

      MS won't charge an insane fee. They won't charge any fee, and they'll use that as part of their argument that the open source community is a bunch of whiners with not-invented-here syndrome.

      What they will do is license their patent under no-fee terms that nevertheless exclude any Free Software from using it. Packages under BSD-like license, and commercial packages, will be fine but anything similar to the GPL will be incompatible with the MS patent license.

      Basically, they're testing a new variation on the tried and true "Embrace-Extend-Extinguish" formula, only the incompatibilities are legal, not technical.

      Or not... maybe with their renewed attempt to get Sender ID adopted they'll provide kindlier license terms? I'm not holding my breath.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:AOL support for this is huge. by Anonymous Coward · · Score: 0, Offtopic

      mods mods mods... mod my comment up +5 as well. (since it has just as much support as the parent).

      microsoft will hire an assassin to kill linus torvalds as well as his pet tux. then M$'s goal will be to rid the world of any human being who uses open source software. then they will launch FUD about how they should become the president of the united states. after linux is dead, and the GPL is out of existence, MS will make a new GPL that says all money made from software will go to microsoft because they own the world.

    3. Re:AOL support for this is huge. by lawpoop · · Score: 2, Interesting

      Guys, don't worry, remember that MS can't fight open source. There are too many ways around them. No matter what license they use, or what fee they charge, you may make some kind of module or plugin under that license. If they do have a license that comes out and says you can't have it interoperate with open source, then it will be obvious that they aren't playing fair. They will be openly stating it themselves. They will have no room to blame open source.

      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
    4. Re:AOL support for this is huge. by Anonymous Coward · · Score: 0


      Yes...everything that happens in the world is all part of the secret plot to destroy open source.

      If a butterfly shits in the woods with one wing clapping, the result is more M$-induced anti open source FUD.

      It's a massive coverup! An all encompassing conspiracy! Secret societies dedicated to blood rites and ritual suicides!

      Come to think of it...last time I was in Redmond, I saw Steve Guttenberg and Mr. Burns leaving M$ HQs. But we're onto them now!

      p.s. Trust no one. This troll will self-destruct in 5 seconds.

    5. Re:AOL support for this is huge. by Anonymous Coward · · Score: 0

      So what you claim Microsoft is saying, in a nutshell is...All your source-code are belong to us.
      In Soviet Russia, E-mail Spams YOU!..oh wait.

    6. Re:AOL support for this is huge. by thogard · · Score: 0

      I was told by a M$ exec in 1993 that they want a bit of every email message in the world just like the post office.

      I don't think they have changed at all.

    7. Re:AOL support for this is huge. by _Sprocket_ · · Score: 1

      Of course, Microsoft doesn't have a history of hiring assassins and experts in mass murder. They just now have awoken to the possibilities of participating in politics - though have no history of interest in actually running for office.

      They do, however, have a history of "embrace and extend", FUD, user lock-in, and other such business tactics. Heck - there are even publicly-available memos on some of these subjects.

      It would seem that there IS more support for the parent than your comment. Unless, of course, you're getting ready to break the most stunning "Halloween Memo" to date?

    8. Re:AOL support for this is huge. by _Sprocket_ · · Score: 1
      Proof that astroturfers have been taking Jedi lessons.


      AT: This is not the business practice history you are looking for.

      /.: Apparently the past 15 years of corporate history was just some crazy nutjob's black-helicopter theory.


      AT: Microsoft is misunderstood.

      /.: Ya know what - screw this OSS crap. We should be working on how to send Microsoft more money! They're so cuddly!

    9. Re:AOL support for this is huge. by Maul · · Score: 2, Insightful

      Sorry, I'll bite.

      What do you call their current FUD campaign against Linux (the "Get the Facts" campaign) then, except as an attempt to dissuade people from using Linux and Open Source?

      Are you trying to tell me that Microsoft would NOT like Linux and Open Source Software to disappear?

      One of Microsoft's major business practices has classically been to lock people into their software through proprietary standards. A clever anti-spam standard would be a huge selling point towards using Microsoft's software, especially with a large ISP like AOL on board.

      Do you think Microsoft is going to just allow Open Source to create its own compatible implementation for free?

      I can easily envision the campaign. If MS gets their standard widely adopted, they'll spread FUD saying that Spammers prefer Linux and Open Source, and that Spammers want people to use Open Source because it facilitates the spread of spam.

      --

      "You spoony bard!" -Tellah

    10. Re:AOL support for this is huge. by Anonymous Coward · · Score: 0

      They also wanted MSN to be the ONLY network for Windows and the Internet would never take off.

      Shows you how good having an MBA is.

    11. Re:AOL support for this is huge. by scruffy · · Score: 1

      A no-fee patent in exchange for BSD licensing sounds like a fair compromise to me. Is this actually the case or are you speculating?

    12. Re:AOL support for this is huge. by swillden · · Score: 1

      A no-fee patent in exchange for BSD licensing sounds like a fair compromise to me.

      It does? Sounds like a terrible deal to me, given that there are other options -- including the already-implemented SPF -- that don't require any patents at all.

      Is this actually the case or are you speculating?

      Assuming MS is offering the same licensing terms they were before, it's really the case. See Larry Rosen's analysis, included in the Apache Foundation's position.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    13. Re:AOL support for this is huge. by Fulcrum+of+Evil · · Score: 1

      What they will do is license their patent under no-fee terms that nevertheless exclude any Free Software from using it. Packages under BSD-like license, and commercial packages, will be fine but anything similar to the GPL will be incompatible with the MS patent license.

      Big whoop. Build a module that implements their patented juju and runs as a daemon, write another module that talks to the first module via some sort of IPC, and release the first module under BSD. We still have the problem of patent-encumbered standards, which really shouldn't be allowed.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    14. Re:AOL support for this is huge. by Anonymous Coward · · Score: 0

      Yes they're going to allow compatible open source implementations. That's exactly the point of a royalty-free license. The reason that Apache and Debian have rejected Sender ID is not because MS is going to charge for it but because they refuse to distribute implementations of patent encumbered standards due to reasons of licensing (hello GPL!) and idealism.

      Do you regularly just make up the "facts" that go into your arguments or do you only practise that when you're karma whoring on slashdot? How the fuck your OP got modded up when it contains such incredible inaccuracies is beyond me.

    15. Re:AOL support for this is huge. by ahodgson · · Score: 2, Informative

      Their current license prohibits redistribution of any source code implementing SenderID, regardless of license. BSD vs. GPL this is not.

    16. Re:AOL support for this is huge. by swillden · · Score: 1

      Big whoop. Build a module that implements their patented juju and runs as a daemon, write another module that talks to the first module via some sort of IPC, and release the first module under BSD.

      Good point, but it'd still suck. People couldn't redistribute the BSD module, even though the license on the code would permit it, the patent license would not. This would encumber the flow of Free Software mail servers, because although you could get the server code from anywhere, you could only get the Sender ID module from an entity that had executed a patent license agreement with MS.

      We still have the problem of patent-encumbered standards, which really shouldn't be allowed.

      Absolutely agreed, with the caveat that a standard "encumbered" with a patent whose holder has issued the whole world an irrevocable, royalty-free, sublicensable license is fine. IOW, a patent-holder who has given up on ever getting anything out of their patent.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  7. AOL's support is solid by Dancin_Santa · · Score: 4, Informative

    The reason they, and the rest of the IETF rejected the original Sender ID proposal was because it seemed to go out on its own track with no regard for other schemes that do similar work. To have incorporated and accepted Sender ID at that time would have meant that other ideas like SPF would have been left by the wayside and Microsoft's vision of email would be dominant.

    That whole thing was rejected, thankfully.

    Now, Microsoft seems to have actually taken a look at the concerns surrounding their original proposal and formulated a new Sender ID scheme that is inclusive of other existing schemes such as SPF. AOL put a lot of effort in developing this kind of technology and now Microsoft's proposal finally includes them too.

    What it sounds like from the Yahoo article is that Microsoft's Sender ID is at best a superset of all authentication schemes and at worst a compatible, though competing, technology. Neither of those are bad things. I think AOL realizes this for what it is, Microsoft actually trying to do something useful to help the ailing email system.

    The Sender ID scheme seems to allow for further developments that may or may not be based on Microsoft technology but still be fully compatible nonetheless.

    1. Re:AOL's support is solid by emjoi_gently · · Score: 1

      Dancing Santa got a -1 Score for suggesting Microsoft is doing a good thing?

    2. Re:AOL's support is solid by Anonymous Coward · · Score: 0

      No, Dancin Santa got a -1 score for having really bad karma.

    3. Re:AOL's support is solid by bcrowell · · Score: 2, Funny

      Dancing Santa got a -1 Score for suggesting Microsoft is doing a good thing?
      You must be new here ;-)

    4. Re:AOL's support is solid by FifthRaven · · Score: 1

      Microsoft's history doesn't suggest any attempt at having their software co-exist with anybody else's. I'd be seriously concerned that they would do some odd thing such as use the ID - standard to open doors for THEIR spam campaigns or sell the loopholes to others. It may be, however, that Microsoft ACTUALLY decided to turn out a quality product in order to corner this market.

      --
      We apologize for the inconvenience.
    5. Re:AOL's support is solid by dtfinch · · Score: 2, Funny

      In Soviet Russia, a good thing is doing Microsoft for suggesting a score of -1 that gets new Dancing Santa here who must be You! (-;

    6. Re:AOL's support is solid by Anonymous Coward · · Score: 0

      Nope. This Guy is New Here. So why don't you STFU.

    7. Re:AOL's support is solid by emjoi_gently · · Score: 1

      I am indeed a new guy. I guess I should have a look at Dancin Santa's history. From what I read, MS's plan might be worthy, or it might be part of some Evil Plan to Take Over Email. Buggered if I know.

    8. Re:AOL's support is solid by Sein · · Score: 1

      MS has always worked on "Some Evil Plan To Take Over Email" - remember epostage?

      If not, here's a reminder: http://www.nytimes.com/2004/02/02/technology/02spam.html

      And some comments from a guy I trust:

      http://www.talkbiz.net/ramblings/comments.php?id=18_0_1_0_C

      MS wants consumer lock-in and profits from that lock-in, it's their business model, right? So any time I see anything from MS on this topic, I look for the profit motive first. A possible submarine patent combined with their continued support for epostage paints a nasty picture, don't you think?

    9. Re:AOL's support is solid by Anonymous Coward · · Score: 0

      Yeah, they'll incorporate SPF until version 2, when some "bugs" in SPF start appearing, and then in version 3, more "bugs" start appearing with other offerings "not working" as planned. Pretty soon you have Sender-ID humming along and the other ideas pretty much nerfed or just not working.

      Kinda the way MS breaks all the standards to force everyone down their chosen path.

    10. Re:AOL's support is solid by philovivero · · Score: 0
      I think AOL realizes this for what it is, Microsoft actually trying to do something useful to help the ailing email system.
      And why, pray tell, is Microsoft trying to do something useful to help the ailing email system? Where's the profit in that?

      Oh, or is this the New Microsoft that is helpful, kind, loving, and forgiving, that doesn't use evil patents and contract trickery to screw over honest businesses?

      Hmmm. Riii-ight.

      Maybe, and I know this is going out on a limb... but maybe Microsoft is trying to embrace and extend email, such that if you want to send or receive email, you have to go through their systems? Wouldn't that be a treat?

    11. Re:AOL's support is solid by killjoe · · Score: 1

      Yes because it's so hard to believe that MS would do any good thing. They have always made money by embracing and extending standards. They have said many times that that's their strategy. They don't have ONE product on the market that has not either broken a standard or extended one.

      So when Dancing Santa says something that is so obviously not true he should be modded down.

      --
      evil is as evil does
    12. Re:AOL's support is solid by RdsArts · · Score: 1
      And why, pray tell, is Microsoft trying to do something useful to help the ailing email system? Where's the profit in that?


      In selling OSes. It's rather hard to sell an item that brings little more than annoyance, and when 99% of people do little more than browse or read email, spam can be a major deal breaker.

      </advocate class="devil">
    13. Re:AOL's support is solid by bcrowell · · Score: 1

      "You must be new here" is sort of an in-joke on Slashdot. For example, if someone writes a post that makes the correct distinction between "its" and "it's," a reply saying "you must be new here" implies that he who has the true Slash nature would always get it wrong.

    14. Re:AOL's support is solid by Anonymous Coward · · Score: 0

      you're a dumbass.

  8. problem with Sender ID by Anonymous Coward · · Score: 1, Insightful

    Sender ID is flawed in that it fails to address the issue of the inherent insecurities in an unsecured content delivery system. Truly the only way to kill unsolicited drops is a system requiring authentication based on individual originators as opposed to a location-based system that ignores the fundamental problem of having such an open-ended system.

    Even if this is somehow accepted, it will make little difference as its effectiveness will prove worthless in actual implementation. I project that this will become a moot point after the election, and even less so by the middle of the 2010's.

  9. wow by Anonymous Coward · · Score: 1, Funny

    that guy's site is going to make some massive revenue via google adsense

  10. Yet the problem has not changed. by dtfinch · · Score: 4, Insightful

    You can't make a standard anymore if you hold a patent and are unwilling to grant a free license. Submarine tactics are just too popular these days. Fool me once, shame on you. Fool me 20 times, shame on me. Nobody buys into this "don't worry, we're just defending ourselves" crap anymore. They all start out that way, but without a real license we can use, it's just an empty promise.

    1. Re:Yet the problem has not changed. by thogard · · Score: 1

      This one is going to get forced through to the PHB that run the Fortune 500. Then everyone will pay in a few years when MS changes their fees. Just because it's free now doesn't mean they can't change their mind or nail you with a different patent. As far as I know they may have applied for two patents on the same thing and are sitting on the 1st one and are willing to give away the 2nd. Then all they have to do is sell off the 1st to someone who will go after anyone they don't like.

      It's not like this stuff hasn't been tried before.

    2. Re:Yet the problem has not changed. by Anonymous Coward · · Score: 0

      And that's why the GPL will win out in the end. Because with the GPL, patent shittery like that can't be done.
      The sooner more PHB's realise this, the better.

  11. Re:uncomfortable silence.... by Anonymous Coward · · Score: 0

    Microsoft, AOL, Yahoo: Here's how Email is going to work.
    Everyone else: Yes sir! How high sir?

  12. Re:Uh oh...What's that sound? by commodoresloat · · Score: 5, Funny
    Over half of you don't even know what Sender ID is or how it works.

    What are you talking about? Why is that relevant? Didn't you see "Microsoft" in the article summary? And, as if that wasn't a clear enough message what to think, it also said "AOL." Sender ID is bad bad bad. Not only won't it work, it represents the most insidious kind of fascism. An open source solution would obviously be better, and more liberating.

    Slashdot.... Fuck yeah!

    Matt Daemon.

  13. Re:Uh oh...What's that sound? by R.Caley · · Score: 4, Insightful
    Over half of you don't even know what Sender ID is or how it works.

    This is actually irrelevant. The problem is not with the technical details but the legalities. So long as there is a patented technology included without a universal right to use for any purpose, the proposal stinks and needs to be kicked in the head.

    --
    _O_
    .|<
    The named which can be named is not the true named
  14. Re:AOL is the 90 pound Chimp by jm92956n · · Score: 5, Interesting

    From what I've seen, AOL has a large amount of respect in the Anti-Spam community.

    Let me first expand on my original statement. Wall Street does not look highly upon AOL: they dramatically overpaid for Netscape, a division that is, for all intensive purposes, dead; they were involved in one of the most under-reported merger scams of the past decade (Time Warner, a long-profitable company was, many believe, duped); and their growth prospects are extremely limited. They've proved their inability to display original content, and the slow atrophy of their user-base has begun.

    The user community, too, has a seemingly endless list of complaints--those who remember their growth problems (myself included), the constant busy-signals, buggy and bloated software, high prices, and extremely poor technical support--they place the blame solely with AOL, regardless of who is at fault.

    But you argue that the anti-spam community respects AOL? I would disagree. True, they've pursued legal action against several high-profile spammers, but I would normally expect far more from a company with legal abilities such as theirs. They've acted in their own interest, and not in the interest of their users (not surprising, of course, as their obligation is to the shareholder, and not the consumer).

    AOL could have, and indeed should have done more; they, however, have remained largely apathetic.

    --
    An effective signature identifies a particular user amongst a base of thousands.
  15. Re:uncomfortable silence.... by Anonymous Coward · · Score: 0

    Microsoft: All your SenderID are belong to us...revised!
    IETF: Ummm..yea...make your time, buddy! For great justice!
    Dubya: DUH....what you say?
    BUSH SUX! Vote Kerry and save the planet from terrorists.

  16. Sender-ID? just like an e-mail account by Wellmont · · Score: 0

    The way sender-id works is very similar to a mail server's login protocols. Even if the system is legitimate in general, spammers will get ahold of legitimate and illegitimate means to acquire valid sender-ids. And unless you block all sender-ids but the ones from people you want to get mail from (which can be currently done with the normal mail filter that comes with most modern mail programs or protocols), you're gonna get spam from the sender-ids that haven't been revoked by the oversight companies yet. The problem lies in the fact that the techniques outlined in the sender-id format are already circumvented in part by the way spammers jump around and use foreign servers to send mail. People need to get ahold of good control programs and set domains, set permissions, and set codephrases. This also brings up some issues with the fact that it's going to be something that's controlled by an oversight group that will have the power to sell off exempt sender-ids; either that or people are going to have HUGE lists of blocked sender-ids on their computer to combat spam in the first place.

  17. Re:AOL is the 90 pound Chimp by Anonymous Coward · · Score: 0

    Er... I think the grandparent post should have posted tags for the intelligence-impaired...on the other hand it could be case of feeding the troll...

  18. Unfortunately for Microsoft... by shaneh0 · · Score: 4, Insightful

    Unfortunately for Microsoft many IT decision makers refuse to even weigh the merits of this idea before discounting it.

    SenderID is not perfect, but if a more 'neutral' company like Sun, Apple, Google, etc introduced it, it would have at least been given a fair shot.

    Instead of saying "SenderID is bad because of XXX and, by the way, M$FT Blows" they would be saying "SenderID is bad because of XXX but here's how it could be made better"

    1. Re:Unfortunately for Microsoft... by westlake · · Score: 3, Insightful
      Unfortunately for Microsoft many IT decision makers refuse to even weigh the merits of this idea before discounting it.

      Decision makers do not ignore a move by a company as rich and powerful as Microsoft, nor do they take at face value the neutrality of potential rivals like Google.

    2. Re:Unfortunately for Microsoft... by shaneh0 · · Score: 2, Insightful

      Are you trying to say with a straight face that there isn't a large technical population that immediately discounts everything Microsoft does just because it's Microsoft that's doing it?

      Of course they don't "ignore" it, but they don't evaluate it fairly because they see everything thru their "anti-microsoft" filter.

      Of course, most IT professionals don't think this way but you wouldn't know that by reading Slashdot.

      I don't know what world you live in where all "Decision makers" balance everything fairly with clear and sound judgement.

    3. Re:Unfortunately for Microsoft... by Anonymous Coward · · Score: 0

      Ok, how about this: Sender-ID is bad because it's XML over DNS over UDP (except when it gets so bloated that it's forced to TCP).

      And to make things worse, instead of registering a record type (like RMX) for the purpose, they hijack the TXT records, making it impossible to use sender-ID if you already use TXT records, unless you rewrite every program that uses the TXT records to filter out the sender-ID garbage.

    4. Re:Unfortunately for Microsoft... by SillyNickName4me · · Score: 1

      > Are you trying to say with a straight face that there isn't a large technical population that immediately discounts everything Microsoft does just because it's Microsoft that's doing it?

      I'd think that those are not the people taking decisions however.

    5. Re:Unfortunately for Microsoft... by ahodgson · · Score: 1

      Instead of saying "SenderID is bad because of XXX and, by the way, M$FT Blows" they would be saying "SenderID is bad because of XXX but here's how it could be made better"

      They did say that, Microsoft just ignored them. For months. That's why the IETF didn't endorse SenderID.

  19. Sender ID (PRA) is the wrong solution anyway by linefeed0 · · Score: 3, Insightful

    PRA appears to me to have been written because MUAs (as opposed to MTAs) do not consistently deal with envelope addresses, MAIL FROM, and the resulting Return-Path header. It adds complexity to the outgoing MUA to make sure that the PRA is the same as the envelope from. The incoming MUA will have to follow the PRA algorithm to figure out who's responsible for the mail, rather than just make the Return-Path accessible for spam filtering. The overall feeling is that the designers assumed people couldn't understand how to deal with the return path, so they replaced it with something more complicated and broken.

  20. Standards require implementors to implement by dwheeler · · Score: 4, Insightful

    It's nonsense to think that something should be a standard if the implementors can't implement it. If the patent issues have been removed (say by dropping the absurd requirements, or by the patent office rejecting the patent), then great. But it's not reasonable to try to use a standards body to prevent alternative implementations. The whole purpose of a standards body is to define standard interfaces that everyone can implement. Since there are many important open source software implementations of these interfaces (in this case for MTAs), then the standards need to be implementable by open source software. If not, then the IETF should just send it right back; nothing important has changed. The problem is legal, not technical, and it requires a change in legal situation.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  21. If only AOL would use SPF or S-ID! by WoodstockJeff · · Score: 4, Informative

    For many months now, I've published SPF records for all domains under my management. And every day, we get AOL trying to bounce messages allegedly from non-existent addresses within those domains... If AOL were really using SPF to reject spoofed mail as it arrives at their gateways as they've said they were going to, they'd have never accepted the spoofed messages, and I'd knock about 3% off my server load...

    1. Re:If only AOL would use SPF or S-ID! by mattdm · · Score: 1

      They really can't do this until something like SRS is widely adopted. Otherwise, hard-enforced SPF breaks forwarding. (Soft-enforcing -- a warning message, which could be disabled by someone who knows they're forwarding their messages through a non-SRS-aware server -- is an interim step.)

  22. Ob.... by Anonymous Coward · · Score: 0

    Me Too!!!11

  23. Tax dollars at work by Anonymous Coward · · Score: 0, Flamebait

    Why doesn't the federal government work on something that is meaningful besides writing spam law?

    How about writing a law that the US gov't can't invade / take over / combat any foreign gov't we just decide we don't like? I think that's more worthwhile than spending time combatting fucking spam.

    1. Re:Tax dollars at work by Oligonicella · · Score: 1

      God. Can't you people with political axes to grind keep to forums discussing such. Are your brains so tiny that they cannot conceive that there are other discussions going on dealing with other issues?

      Naw. That'd be too much to ask.

    2. Re:Tax dollars at work by Anonymous Coward · · Score: 0

      How about writing a law where idiots aren't allowed to use the internet?

      This article has nothing to do with spam law. It does have a lot to do with Sender ID. Perhaps you'd like to talk about the focus of the article?

    3. Re:Tax dollars at work by Anonymous Coward · · Score: 0

      Never ask for constructive criticism, it just turns into destructive assholes who can't seem to read beyond politics.

  24. Re:AOL is the 90 pound Chimp by Gondola · · Score: 2, Informative

    I'm not sure how someone who uses the phrase "for all intensive purposes" could be moderated insightful. It's "for all intents and purposes."

  25. Not that some skepticism isn't justified... by Anonymous Coward · · Score: 0

    But has anyone looked at this from a cost control perspective? How much does Microsoft spend on spam that doesn't pay them? I bet it's a ton, and then some. To be able to lock out most of the really obnoxious stuff, worms, and what not, while providing an avenue to something of a captive audience for a more discreet bulk e-mailer could, all by itself, save them many millions and make a few too.

    1. Re:Not that some skepticism isn't justified... by _Sprocket_ · · Score: 4, Insightful

      And so Microsoft has a golden opportunity. They can help reduce costly spam incoming to their networks (corporate, hotmail, msn, etc.). They can help reduce one of the most popular vectors for malware that has a negative effect on adoption of their software. AND they can pull off a major warm-and-fuzzy PR move to counter the expanding cadre of IT types who have come to distrust, if not loathe them.

      What do they do? Play licensing shenanigans.

      Skepticism is very much justified.

    2. Re:Not that some skepticism isn't justified... by Anonymous Coward · · Score: 0

      In the case of Microsoft, they likely see a strong incentive to let the open source crowd participate in but not guide the discussions.

      I imagine at least one of the things that would worry them is a balkanization of sender id. Where, over a long period of time, say a decade, they find themselves spending more resources trying to hit a moving target of an evolving sender id than they would have on a brute force method of dumping spam. Or that if someone does come up with a novel idea that should be widely adopted, they can insure that they'll be able to participate on a level playing field with everyone else, safe from extortion by lawsuit and without having to share more of their toys than they might otherwise want to.

      Let's imagine, if you will, a scenario where WiMax just explodes. And Microsoft rolls out an ISP in a box product for a new wave of mom and pops made possible by a fortuitous combination of technological advances, and rare good FCC decisions. Part of their ISP in a box contains the most recent evolution of sender id, including a freely contributed invention of some mysterious coder X that makes micropayments viable secure and completely immune to gaming and abuse. If he licenses it under the GPL they'll at least have to write it as a module separate from the rest of their toys, and, at least by my understanding, they'd still have to give that improvement away. An improvement a competitor might use against them.

      Whatever one's ideology might be, certainly it's something for them to look out for. I think it's pretty hard to blame them for preaching at least a little segregation. Ultimately, this is a business decision which could have a world wide impact for decades. Can you really fault their caution?

    3. Re:Not that some skepticism isn't justified... by _Sprocket_ · · Score: 1


      I imagine at least one of the things that would worry them is a balkanization of sender id. Where, over a long period of time, say a decade, they find themselves spending more resources trying to hit a moving target of an evolving sender id than they would have on a brute force method of dumping spam.


      If the protocol is open and widely adopted, it will be hard for it to move around too quickly. Oddly enough, changing standards is a well-known and documented Microsoft business practice. Strange that you would imply Open Source involvement would bring this about. If anything, Open Source projects tend to favor open protocols which tend to be easy to implement if not fairly slow-moving and stable.


      Or that if someone does come up with a novel idea that should be widely adopted, they can insure that they'll be able to participate on a level playing field with everyone else, safe from extortion by lawsuit and without having to share more of their toys than they might otherwise want to.


      A "level playing field" is where nobody has the advantage. Everyone plays by the same rules (whether some are more successful than others is an entirely different issue). What you've described is a playing field where someone gets to alter the rules to their advantage.


      If he licenses it under the GPL they'll at least have to write it as a module separate from the rest of their toys, and, at least by my understanding, they'd still have to give that improvement away. An improvement a competitor might use against them.


      Who said anything about the GPL? And who even mentioned code? This isn't about licensing software. This is an issue with the fundamental protocol involved. The common protocols today are truly open where anybody can adopt them. A none-too-subtle reason for their success and widespread adoption. If Microsoft wants their ideas to be as successful, their proposed protocol must also be just as open and available. Even if that means a competitor implements said protocol in a better product than theirs.


      Whatever one's ideology might be, certainly it's something for them to look out for. I think it's pretty hard to blame them for preaching at least a little segregation. Ultimately, this is a business decision which could have a world wide impact for decades. Can you really fault their caution?


      The scope of this issue is bigger than Microsoft. Sure, there are good business cases for trying to keep a handle on a piece of technology. But there are times that this can't happen. This is one such time.

      SMTP is an open protocol, available to anyone who wishes to implement it - no cost, no restrictions. If Microsoft wishes to introduce a technology that will work in that environment and enjoy the same level of success, it will have to have the same level of openness and availability. Otherwise, their attempts will most likely fail.

      The question is exactly what Microsoft's business case is. Are they trying to own a protocol or cut the costs of one of the most fundamental protocols used in IT today - by themselves as well as the rest of the world? If it is the former, then sure... there's no fault in what they're trying to do. But at the same time, I wouldn't be willing to listen to them. But if the case is the latter, then there is certainly fault in their methodology.
  26. Re:AOL is the 90 pound Chimp by Anonymous Coward · · Score: 0

    I've got a purpose for some rebar that might be pretty intensive for your ass.

  27. What does Sender ID add to SPF? by Nit+Picker · · Score: 3, Interesting

    Could someone please point me to a brief explanation of what Sender ID gives you that SPF doesn't. I thought they both just allowed you to verify that the "From" header line is consistent with the IP that the mail originates from.

    1. Re:What does Sender ID add to SPF? by Deorus · · Score: 5, Informative

      Sender ID is just SPF on steroids. E.g.: SPF points out the systems which can be used to send E-mail from a given domain while sender ID adds an additional algorithm (the PRA) which verifies if a given E-mail forwarded by mailing lists, .forward files, or relays (to name a few examples) is legitimate. Mailing list hosts may not have permission to send E-mails from your host, but they can specifically tell who they are and that they are just forwarding agents, thus making themselves responsible for the message and leaving you (the receiver) with an option to block E-mail coming from a particular forwarding domain (e.g.: the mailing list's domain) or from a particular sender domain.

      In other words: the sender ID allows you to do almost everything you always did with your MTA but adds some authentication to the process. SPF alone would limit you to a single host or network, or force you to clearly specify which addresses could forward messages from your domain, which is not practical if you are using your ISP's domain to communicate with the Linux Kernel Mailing List, for example. Sender ID addresses this limitation.

    2. Re:What does Sender ID add to SPF? by Deorus · · Score: 5, Informative

      Ok, my previous post is rather confusing, so I'll try to rewrite it.

      When you send a message from the authenticated host A to host B there may be forwarding agents (such as mailing lists, relays, etc.) routing your message, the message is not always directly sent from host A to host B. With SPF you would be limited to that. You would have to mention (for example) all mailing lists to which you are subscribed, which is not practical if you are not controlling the domain from where you send your messages. Sender ID addresses this limitation with PRA, an algorithm that computes the last responsible token, which may or may not be the sender MTA, thus allowing messages to be routed the same way they always have been.

      For more information about the PRA algorithm, check this PDF. I am sorry for my last post. Should use the preview button more often. Please do NOT mod my last post up.

    3. Re:What does Sender ID add to SPF? by Phatmanotoo · · Score: 1
      Forwarders can use SRS. This thread might clear up some things:
      Re: [spf-discuss] Article on Microsoft patents and Caller ID
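
An added example, not part of the original thread: the forwarding case discussed above, evaluated once against the envelope MAIL FROM (what classic SPF checks) and once against the Purported Responsible Address. The header precedence follows the PRA steps as later published in RFC 4407; the `PERMITTED` table is a constructed stand-in for evaluating each domain's DNS record, and every domain, address and IP is made up for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for published sender policies: domain -> permitted client IPs.
# A real receiver would fetch and evaluate the domain's DNS record instead.
PERMITTED = {
    "isp.example": {"192.0.2.10"},
    "lists.example": {"198.51.100.7"},
}

# Constructed message: written at isp.example, redistributed by a list at lists.example.
FORWARDED = """\
Received: from mx.lists.example (198.51.100.7) by mx.receiver.example
Resent-From: kernel-list@lists.example
Received: from mail.isp.example (192.0.2.10) by mx.lists.example
From: Alice <alice@isp.example>
Subject: patch review

body
"""

# Constructed message: the same mail delivered straight from the ISP's server.
DIRECT = """\
Received: from mail.isp.example (192.0.2.10) by mx.receiver.example
From: Alice <alice@isp.example>
Subject: patch review

body
"""


def _single_mailbox(value):
    """Return the header's one mailbox, or None if it is malformed (step 5)."""
    addrs = [addr for _, addr in getaddresses([value]) if addr]
    if len(addrs) != 1:
        return None
    local, at, domain = addrs[0].rpartition("@")
    return addrs[0] if at and local and domain else None


def purported_responsible_address(raw):
    """Select the PRA: Resent-Sender, then Resent-From, then Sender, then From."""
    headers = [(n.lower(), v.strip()) for n, v in message_from_string(raw).items()]

    def first(name):
        return next((i for i, (n, v) in enumerate(headers) if n == name and v), None)

    rs, rf = first("resent-sender"), first("resent-from")
    chosen = None
    if rs is not None:
        # Step 1: Resent-Sender wins unless a Resent-From sits above it with
        # Received/Return-Path lines in between (i.e. a later resend happened).
        later_resend = rf is not None and rf < rs and any(
            n in ("received", "return-path") for n, _ in headers[rf + 1:rs])
        if not later_resend:
            chosen = headers[rs][1]
    if chosen is None and rf is not None:      # step 2
        chosen = headers[rf][1]
    if chosen is None:                         # steps 3 and 4
        for name in ("sender", "from"):
            values = [v for n, v in headers if n == name and v]
            if len(values) > 1:
                return None                    # step 6: ill-formed message
            if values:
                chosen = values[0]
                break
    return _single_mailbox(chosen) if chosen else None


def check(identity, client_ip):
    """Simplified verdict: 'none' if the domain publishes nothing, else pass/fail."""
    allowed = PERMITTED.get(identity.rpartition("@")[2].lower())
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def evaluate(raw, mail_from, client_ip):
    """Compare the MAIL FROM verdict with the PRA verdict for one delivery."""
    pra = purported_responsible_address(raw)
    return {
        "mfrom": check(mail_from, client_ip),
        "pra": pra,
        "pra_result": check(pra, client_ip) if pra else "no-pra",
    }


if __name__ == "__main__":
    # The list forwards without rewriting the envelope sender (no SRS).
    print(evaluate(FORWARDED, "alice@isp.example", "198.51.100.7"))
    print(evaluate(DIRECT, "alice@isp.example", "192.0.2.10"))
```

For the forwarded copy the MAIL FROM check fails while the PRA check passes against the list's own domain; a forwarder that rewrites the envelope sender with SRS would make the MAIL FROM check pass as well.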
  28. offtopic? by Anonymous Coward · · Score: 0

    Moderator: Did you even bother to check if this was true? If you had, you'd see that the claim is absolutely correct.

    Actually, I'm having my doubts that it was actually a moderator that moderated this down.

  29. Re:uncomfortable silence.... by yanestra · · Score: 0, Offtopic

    Give them alcoholics a chance!

  30. Re:AOL is the 90 pound Chimp by Anonymous Coward · · Score: 1, Informative

    Yay, one of my favourite grammar mistakes. for all intensive purposes. Not flaming (posting AC to avoid karma backlash though), trying to be informative.

  31. Re:Uh oh...What's that sound? by Anonymous Coward · · Score: 1

    Uh oh. What's that sound? The sound of hundreds of trolls, astroturfers, and MS fanboys clacking at their keyboards! If MS is being criticized, they must be the martyr.

    Over half of you won't even acknowledge Microsoft's history. Those of you do simply idolize Microsoft and will simply regurgitate what other trolls and fanboys have found annoys /. readers.

    Don't go ahead and admit that Microsoft might be forced to now lay in the bed that they made. Because /. just wouldn't be the same... ...but it WOULD be a bit less noisy.

    By the by... I'm all for opposing views. It's not like /. posters are free of stupidity. We all need a sanity check. But if all you're going to do is drone on about poor Microsoft and how they're the victim and anybody distrusting them are just unthinking "slashbots" then you're wasting your breath. Not to mention coming off like a complete tool.

  32. Here's what bothered me... by Mike+deVice · · Score: 4, Interesting

    From Netwizard's Blog:

    The FTC and NIST are holding a joint summit on email authentication in two weeks in Washington, DC (during the same week as IETF's 61st conference). They hinted earlier this year that if the industry does not come up with a standard for authentication, the feds might impose one.

    Could the FTC actually do this? I wasn't aware that they had any authority over internet standards. The internet isn't some corporation, or the sole property of any business, even if some companies wish it were.

    1. Re:Here's what bothered me... by Anonymous Coward · · Score: 1, Interesting

      In a limited sense, yes. They have the authority to regulate commercial communication. Thus, they can simply mandate that all interstate commercial e-mail within the US use Federal Protocol X. You can bet the state legislatures would then pass similar laws mandating the same standard for intrastate commercial e-mail.

      At that point, they simply fine/arrest those who send commercial e-mail without using the standard. All reputable ISPs would adopt the standard, and they would probably use it exclusively rather than try to determine what e-mail is commercial and what is not.

      If you had your own server, you would not have to use the federal standard if your e-mail was not commercial in nature. Thus, some spam would still get through the system. Also, the FTC couldn't do much to enforce US regulations in foreign countries, and there would still be some time lag between detecting a noncompliant mail server in the US and prosecuting its owner.

    2. Re:Here's what bothered me... by Secrity · · Score: 1

      If a company or organization gives the right people enough money, the US government will create any law or "standard" made to order. First there were bespoke shirts and suits, now we have bespoke US laws and "standards". I wonder how much it would cost Microsoft to get the US Government to make a law declaring MS Windows as the "standard" OS?

      Of course, there would be some question as to whether other countries would adopt these imposed "standards" and whether these "standards" could even be enforced in the US.

  33. Re:AOL is the 90 pound Chimp by fatphil · · Score: 2, Funny

    Yeah, the "moderators" should of noticed that. If they had, probably they all of the sudden would have changed their minds about moderating. I have a deep-seeded hatred for such errors, they make me loose my mind. However, moderators do have free reign.

    However, attacking the intended payload due to presentation issues (inability use a pat phrase correctly) is a classic Logical Fallacy. Some people spend so little time with authoratitive written material that the correct forms may never have been seen, and only the spoken version encountered.

    FP.

    --
    Also FatPhil on SoylentNews, id 863
  34. Need Sender ID by PyraX · · Score: 1

    Like a lot of people, when using a mobile phone I simply don't answer people who don't use sender ID.
    But wait, it could be important...

  35. killing open source through hassles by geg81 · · Score: 5, Interesting
    This is what Microsoft says:
    It's important to note that the license is only relevant to those organizations (ISP, large enterprises)who will be checking e-mails using the PRA check alternative of the Sender ID Framework need to secure a license.

    Think about the consequences of that. Even if Microsoft follows through on its promise to make the license available "for free" to anybody, it means that if you buy a Microsoft mailer or a mailer from a sublicensee, you can just install it and run it. If you install an "open source" mailer, however, your legal department needs to execute a licensing agreement with Microsoft's legal department. The costs and delays resulting from that alone make the "open source" mailer uncompetitive, no matter how much better it may be than Microsoft's products.

    That is why the official open source definition does not allow such patents: if software implements such a patented invention and requires a licensing agreement with Microsoft, that software simply is not "open source", even if it is distributed under the text of an open source license--the existence of the patent and licensing requirement makes it not open source.
    1. Re:killing open source through hassles by Bunyip+Redgum · · Score: 1

      If Microsoft don't change the licence from their last 'offer' Microsoft may use the same anti-gpl tactic on a host of other things they have patented!

      They could easily licence every patent they have that allegedly covers the linux kernel for 'free' with the everyone has to get a licence to re-distribute catch.

  36. it maybe a good solution by Exter-C · · Score: 2, Insightful

    It may be a good solution, but isn't the whole point of email that it's globally compatible with open standards? Yes, that may have been the failing of smtp/standard email delivery with the massive increase in spam. But realistically, having a patent based email system inhibits the majority of email on the internet.

    I personally don't know of any ISPs that use exchange as their ISP's platform. The only large scale internet exchange setup that I know of is hotmail...

    So in microsoft and aol trying to adopt this system, what's going to happen to email in the future?

  37. slashdotted by webgit · · Score: 1

    Here is a mirror of the author's slashdotted web page:

    My humble analysis appears here

    The rest appear to be fine since they are not easily slashdotable personal sites.

    1. Re:slashdotted by Anonymous Coward · · Score: 0

      He is using nyud as the link to his site, so it is already protected from the SlashDot effect.

  38. Sender-ID back from the dead ... by ggvaidya · · Score: 2, Funny

    ... just in time for halloween! :D

  39. Patents are the problem by gilesjuk · · Score: 4, Insightful

    Nobody should have patents on core protocols and mechanisms of the Internet. It's just likely to end up becoming a cash cow.

    Someone at Microsoft already stated they liked the idea of email stamps, paying a nominal charge per email.

  40. noddy explanation by smallguy78 · · Score: 2

    Can anyone explain to a non-sys admin how sender-id will work, or link to a noddy explanation?

    --
    Nothing costs nothing
  41. Sender-ID is not Microsoft's by james_couzens · · Score: 1, Insightful

    Sender-ID is not Microsoft's. Sender-ID is SPF with a patent encumbered (and useless) technology known as PRA. Here is my speculation. Microsoft has been trying to (and successfully has it appears) the SPF vehicle to use for their own purposes, which is to compete with Yahoo's Domain Keys. Props to Yahoo for at least a decent and aptly named technology. Microsoft's competitive *cough* copy cat *cough* technology is called "Email Postmarks". The continued association of electronic mail with real mail is disturbing -- as is Microsoft's use of "CallerID for E-mail". Man they really know how to label those projects so absolute fucking morons can understand... oh wait, that's right, that's most MS lusers... MS wants to shove this postmarks crap down your throat and Verislime wants to sell you certificates for this. The idea being that in order for mail from your server to be respected you'll need to buy a certificate. If you have one, then people won't reject your e-mail. What a novel idea! They are trying to do to SMTP what Verislime did to HTTPS.

    --
    How on earth I can reference anything insightful when slashdot signatures are limited to 120 characters?!
  42. nah by aLEczapKA · · Score: 0

    Let's assume, the Sender-ID got accepted and every1 is using it. Just wonder how long would it take to discover a 'security hole' in MS implementation so you can fake your sender-id...

    It's always the same, MS sounds awesome in theory and in press releases, but when it comes to real life they suck, and not because they are MS, but because they do things like MS. Which in the end is the same, I guess.

    --
    -- All Gods were immortal.
    -- S. Lem
  43. SenderID was never dead by wayne · · Score: 3, Interesting
    About a month ago, I posted the following message to the MARID list:

    http://www.imc.org/ietf-mxcomp/mail-archive/msg05135.html

    The war, of course, is not over. The IETF (Ted, and maybe the former co-chairs?), Meng, and MS (Harry, Jim, Bob, et al) appear to have learned nothing from what has happened. They have done an end-run around the working group last call by closing down the working group, but they are still pushing ahead with the PRA under the current license. Apparently, they think that when the "individual" I-Ds are submitted to the IESG and there is an IETF-wide last-call, things will go better. I don't see it.

    One definition of insanity is doing the same thing again and again and expecting different results. Under this definition, Ted, Meng, Harry, Jim, et al, are acting quite insane.


    I see four choices:

    1) Forget about getting a de-jure standard.

    2) Drop the PRA.

    3) Change the PRA license to be compatible with F/OSS MTAs.

    4) Find one or more widely accepted alternative to the PRA that covers the 2822.From: identity so that people can reasonably choose between the PRA and the alternatives.


    Ted, Meng, Harry, Jim et al: PLEASE! Wake up and smell the coffee! We need an anti-forgery system that protects the 2822.From: identity, we don't need another two-week blowup when the IESG last-call happens.

    It appears that my predictions are coming true. Meng, MS and the IETF shut down the MARID WG so that they could more easily push the patent encumbered SenderID through. They no longer have to deal with a WG last call.

    Expect more steps to happen after IETF-61 when the individual drafts will be "reviewed".

    --
    SPF support for most open source mail servers can be found at libspf2.
  44. What is a standard? by Anonymous Coward · · Score: 0
    Forget about getting a de-jure standard.

    Am I misunderstanding what a standard is? To the best of my knowledge, a standard is a published set of specifications that can be implemented by others. I don't see where a license ever enters the picture. For example, Intel's page on the USB standard never mentions anything about a license http://www.intel.com/technology/usb/ . What am I missing?
    1. Re:What is a standard? by TiggsPanther · · Score: 2, Informative

      From what I can tell, it looks like MS want their idea to be the standard, yet they also want their idea to be one that you have to pay for a license to use.
      Basically having what everyone uses and getting paid for it. Plus if, as it seems, the license is incompatible with F/OSS MTAs then suddenly any non-commercial offering has a damn hard time competing with "what everyone else uses".

      It's like MP3 or ISO-MPEG4. Both are, I believe, published standards. Both also require a license to use. Which is why some Linux distros have issues with supporting MP3 out of the box (trivial to fix, but still requires post-installation steps), or that XViD (at last check) would only distribute source and not binaries from their official site.

      --
      Tiggs
      "120 chars should be enough for everyone..."
  45. from senderid faq by smallguy78 · · Score: 3, Informative

    Q2: Doesn't having a patent on Sender ID complicate the process of getting it adopted as an IETF standard?

    A: No. It should not. There are dozens and dozens of patent rights that have been disclosed to the IETF that may cover IETF standards. See http://www.ietf.org/ipr.html for a complete list. We are not aware of any of these patents complicating the standards process especially where the patent owner has provided an assurance that it would make licenses available on a royalty-free basis with other reasonable and non-discriminatory terms and conditions as Microsoft has done here.

    --
    Nothing costs nothing
  46. SpamAssassin by Deorus · · Score: 2, Insightful

    > What reason would Apache have to do anything with Sender-ID?

    Perhaps because of SpamAssassin?

    Quoting ASF:

    Flexible: SpamAssassin encapsulates its logic in a well-designed, abstract API so it can be integrated anywhere in the email stream. The Mail::SpamAssassin classes can be used on a wide variety of email systems including procmail, sendmail, Postfix, qmail, and many others.

    Since SpamAssassin is not limited to only one MTA and its purpose is to filter spam, the Apache Software Foundation needs to ensure proper domain validation is performed.

  47. Re:AOL is the 90 pound Chimp by Darren+Winsper · · Score: 2

    And yet you used the phrase "should of."

  48. Re:AOL is the 90 pound Chimp by putaro · · Score: 1

    Pedantic authoritative written material:

    should of noticed

    should have noticed (notice that this is grammatical and makes sense. "Should of noticed" makes no sense and is a result of listening to people who do not enunciate)

    authoratitive written material
    authoritative written material

  49. Re:AOL is the 90 pound Chimp by pjt33 · · Score: 1
    I have a deep-seeded hatred for such errors, they make me loose my mind.
    Where's the +0 Ironic mod when you want it?
  50. You've misquoted that saying by lakcaj · · Score: 1


    Fool me once, shame on you. Fool me 20 times, shame on me.

    Actually -- it's, "Fool me once, shame on -- shame on you. Fool me -- you can't get fooled again."

    1. Re:You've misquoted that saying by haruchai · · Score: 1

      It's only a misquote if your source of wisdom is George W. Bush.

      If so, God help you.

      --
      Pain is merely failure leaving the body
  51. Re:Uh oh...What's that sound? by Anonymous Coward · · Score: 0

    Slashdot.... Fuck yeah!

    Lick my butt and suck on my balls!

  52. Re:AOL is the 90 pound Chimp by Anonymous Coward · · Score: 0

    should have noticed (notice that this is grammatical and makes sense. "Should of noticed" makes no sense . . .)

    Nonsense. You knew exactly what "should of" meant. So does every native speaker of English in the world, and probably a large proportion of non-native speakers too. Fact is, neither form is inherently meaningful. And the one you're championing is not the one the majority of people either use or sound like they use in everyday speech...

    By the way, if you want to be a pedant, I suggest you try writing full sentences instead of fragments, and work on your punctuation a little.

  53. Re:AOL is the 90 pound Chimp by Anonymous Coward · · Score: 0

    That kind of phonetic reinterpretation is what the Language Log guys are trying to get people to call an eggcorn.

    If you don't read Language Log, you should, BTW.

  54. This is getting dumb by SamMichaels · · Score: 1
    Why are we still going back and forth over this? MS tried to take another idea, tweak it, and make it their own.

    SPF, while not perfect, is already used in production servers (AOL anybody?) and with the advent of SRS, works pretty well.

    My meaningless, insignificant, 2 domain email system:
    mojo:/usr/exim# cat exim_mainlog.0 | grep SPF | wc -l
    97
    Most are AOL, earthlink or netzero. Funny how I don't see SPF records for microsoft, hotmail, etc.
  55. but there _is_ no point. by nblender · · Score: 4, Insightful
    What's the point of knowing that a piece of incoming mail is coming from a mail server that is registered to come from the domain it is reportedly coming from? Since 90% of spam is being sent by zombie PC's these days; the virus writers will just go to the extra effort of sending spam out the zombie PC through the owners' ISP mail server, and to your inbox. Voila; instant spam from a legitimate mail server. Oh but I'm wrong, you're going to tell me; because the user needs to authenticate with the mail server for every piece of mail he sends. Well, show me someone who types in their SASL password _every_single_time_they_send_a_mail. So now the virus writers just have to exploit bugs in the MUA (probably by passing a draft message to the "send_mail" function in some DLL; that will dutifully pull the stored password out of the MUA configuration, and send the mail). Even if you force someone to type in their password for every piece of mail, there are keyloggers that will happily sit there and wait for the password to appear, and then communicate that to the waiting spam-engine.

    This isn't that hard to do. sender-id, spf, etc, does nothing. We already know most semi-legitimate spammers are publishing SPF records on their throwaway domains which takes care of the other 10% of spam...

    Fix this properly. Declare it within the law to assassinate anyone who sends a piece of spam. Then merely wait.

    1. Re:but there _is_ no point. by ergo98 · · Score: 2, Insightful

      This isn't that hard to do. sender-id, spf, etc, does nothing.

      These most certainly aren't total solutions, but they are gradual steps in the right direction (and really SMTP has always been the most absurdly abusable protocol. It's time to harden it a bit).

      ...virus writers will just go to the extra effort of sending spam out the zombie PC through the owners' ISP mail server, and to your inbox...

      When a company like AOL or GMail commits to schemes like SenderID, SPF, or DomainKeys, they are effectively declaring their total responsibility over that mail source -- no longer is there confusion or deniability over whether a piece of mail was just sent direct or actually went through the Gmail system, for instance. As such, you can be sure that they will ensure that minimal amounts of spam are sent from their system -- so when Joe Blow downloads MonkeyPunchTM and it starts spamming out of his gmail account, they'll just shut the account down (detecting spam being sent from a source is pretty easy). I doubt virus writers will find much value in sending a couple of emails from each owned PC before the accounts are locked out. On the flip side the big providers no longer would have to deal with billions of spam returns for messages that were never sent from their system in the first place. Win win win.

      We already know most semi-legitimate spammers are publishing SPF records on their throwaway domains which takes care of the other 10% of spam...

      Obviously we're just getting started. Undoubtedly these systems, particularly DomainKeys, will develop into whitelist trust chains eventually, so it'll be rather easy to cut abusers out. It's also incredibly easy to build a "blacklist" of spamming domains, and again it's obvious that spammers will find little return in setting up domains for the sole purpose of spamming when it just gets cut out of the global loop in no time (not to mention that they're not stepping on legitimate email accounts in their from).

    2. Re:but there _is_ no point. by Fulcrum+of+Evil · · Score: 2, Interesting

      Since 90% of spam is being sent by zombie PC's these days;

      The really big spamhauses have dedicated facilities, TYVM. Makes you wonder exactly why they are so hot for SPF.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    3. Re:but there _is_ no point. by jerdenn · · Score: 1

      Most ISPs throttle the SMTP connection severely when >100 messages are sent at any given time. So, sending through the ISP's mail server isn't usually a viable option for spammers.

    4. Re:but there _is_ no point. by mdfst13 · · Score: 1

      "the virus writers will just go to the extra effort of sending spam out the zombie PC through the owners' ISP mail server, and to your inbox"

      And then you will know whose PCs are infected. Further, you can complain to the sending ISP's abuse department and get their email sending capability pulled. Not to mention that many ISPs do virus checks that would catch outgoing viruses, limiting the utility of the emails.

      Why do you think they weren't *already* doing this? Remember that you can send a message to 100 recipients with a single message, and the ISP would do all the work of splitting it out to them.

  56. "resubmitting" means nothing to IETF by keithmoore · · Score: 4, Informative

    Vendors are always issuing press releases that they're "submitting" or "resubmitting" something to IETF. As far as IETF is concerned, this means exactly nothing. Anybody can submit an internet-draft on any topic related to Internet protocols, and it has exactly the same effect as if Microsoft does so. Just because you submit a draft doesn't mean that anybody is going to look at it. In this case, there isn't even an open working group to consider the topic. So the significance of Microsoft resubmitting a SenderID draft to IETF is minimal at best.

  57. Re:AOL is the 90 pound Chimp by Des+Herriott · · Score: 3, Funny

    Not to mention "they all of the sudden" and "loose my mind" (why, was it too tight?)

  58. Re:AOL is the 90 pound Chimp by xigxag · · Score: 1

    1) Inappropriate scare quotes around "moderators."
    2) Should of -> should have
    3) All of the sudden -> all of a sudden
    4) Deep-seeded -> deep-seated
    5) Loose -> lose
    6) Free reign -> Free rein
    7) Authoratitive -> authoritative (probably a typo)

    Do you think, maybe, this was supposed to be funny?

    --
    There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
  59. PRA side issue by NigelJohnstone · · Score: 2

    PRA is a side issue, it derives from the message header and so cannot be trusted since it could be faked.

    Can I suggest this approach to handle relayed mail:

    It doesn't matter if a message from A to B goes via C.

    When you accept messages from 'C' and the header says it's relayed mail, it is either:

    1. A known blacklisted spammer relay.
    2. An unknown relay in which case content filtering is used.
    3. A relay that implements SPF itself and so messages from it can be treated as already having passed the SPF check.

    Determining 3 isn't as difficult as you might guess. You can promote a relay server from 2 to 3 if you never receive spam with a faked origin, from it.

    Since the whole point of SPF is to reduce the number of content checks, reducing the filtering load and improving the reliability, this is a reasonable strategy.
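The three-way relay triage described in the comment above, sketched as an added example (not code from the poster or from any SPF implementation). The promotion threshold, the periodic spot-check of trusted relays and all names are assumptions; the "forged-origin spam" verdict is taken as an input from whatever content filter is in use, and the relay addresses are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    BLACKLISTED = 1  # case 1 in the comment: known spammer relay
    UNKNOWN = 2      # case 2: unknown relay, content filtering applies
    SPF_TRUSTED = 3  # case 3: relay treated as doing its own SPF check


class Action(Enum):
    REJECT = "reject"
    CONTENT_FILTER = "content-filter"
    TREAT_AS_SPF_PASS = "treat-as-spf-pass"


@dataclass
class RelayState:
    tier: Tier = Tier.UNKNOWN
    clean_streak: int = 0  # inspected messages in a row with no forged-origin spam
    seen: int = 0          # messages accepted from this relay so far


class RelayTriage:
    """Per-relay state keyed by the connecting IP of the SMTP session.

    The peer address is observed by the receiver; a relay named only in
    the message headers is asserted by the sender and can be faked.
    """

    def __init__(self, blacklist=(), promote_after=100, audit_every=20):
        # promote_after and audit_every are assumed tuning knobs.
        self.promote_after = promote_after
        self.audit_every = audit_every
        self.relays = {ip: RelayState(tier=Tier.BLACKLISTED) for ip in blacklist}

    def decide(self, relay_ip):
        """Return the action for the next message arriving from relay_ip."""
        state = self.relays.setdefault(relay_ip, RelayState())
        if state.tier is Tier.BLACKLISTED:
            return Action.REJECT
        state.seen += 1
        if state.tier is Tier.SPF_TRUSTED:
            # Spot-check trusted relays; without this a relay that goes
            # bad after promotion would never be noticed.
            if state.seen % self.audit_every == 0:
                return Action.CONTENT_FILTER
            return Action.TREAT_AS_SPF_PASS
        return Action.CONTENT_FILTER

    def report(self, relay_ip, forged_origin_spam):
        """Feed back the verdict on a message that was content-filtered."""
        state = self.relays.setdefault(relay_ip, RelayState())
        if state.tier is Tier.BLACKLISTED:
            return state.tier
        if forged_origin_spam:
            # One forged-origin spam disproves "this relay enforces SPF".
            state.tier = Tier.UNKNOWN
            state.clean_streak = 0
        else:
            state.clean_streak += 1
            if state.clean_streak >= self.promote_after:
                state.tier = Tier.SPF_TRUSTED
        return state.tier


def simulate():
    """Run constructed traffic: (relay_ip, message_is_forged_origin_spam)."""
    triage = RelayTriage(blacklist={"203.0.113.9"}, promote_after=3, audit_every=3)
    traffic = [
        ("203.0.113.9", True),   # blacklisted relay
        ("192.0.2.10", False),   # unknown relay, three clean messages
        ("192.0.2.10", False),
        ("192.0.2.10", False),   # promoted after this one
        ("192.0.2.10", False),   # accepted on trust
        ("192.0.2.10", True),    # forged, but accepted on trust (not inspected)
        ("192.0.2.10", True),    # spot-check catches it: demoted
        ("192.0.2.10", False),   # back to content filtering
    ]
    log = []
    for ip, forged in traffic:
        action = triage.decide(ip)
        if action is Action.CONTENT_FILTER:
            triage.report(ip, forged)  # only inspected mail yields a verdict
        log.append((ip, action.value, triage.relays[ip].tier.name))
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```

The sixth message in the constructed run shows the cost of the scheme: mail from a promoted relay that is not spot-checked is accepted without any content verdict, so the audit interval bounds how long a relay that stops enforcing SPF keeps its trusted status.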

  60. Re:AOL is the 90 pound Chimp by Gallowglass · · Score: 0, Offtopic

    Splendid rebuttal. What is a whoop is how you've suckered other pedants into the trap. As I write this, 4 out of 5 respondents who felt the need to comment on your amusing reply have missed the point. Currently, only xigxag (167441) got it, and came up with an appropriate reply.

    Well done, fatphil and xigxag.

    Special mention to Des Herriott (6508) who, although he missed the point as well, made an excellent comment on the inappropriate use of the word "loose" in place of "lose". Pity it wasn't better aimed.

  61. Re:AOL is the 90 pound Chimp by cbiltcliffe · · Score: 1

    Well, he could have meant the Netscape division doesn't have an intense purpose within AOL anymore.
    It's just a lame advertising division, with no intensive purpose. :)

    Ok, ok...I'm stretching, there. His grammar sucks. Really.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  62. Re:AOL is the 90 pound Chimp by Anonymous Coward · · Score: 0

    YHBT. HTH. HAND.

  63. Sender-ID is dead by Anonymous Coward · · Score: 0

    Microsoft should accept that their sender-ID scheme is dead and not try to further push it on everyone. With continuously improving spam filters nobody needs or wants that scheme anymore. In fact, what we need is less centralized power and control that will be abused by evil companies like Microsoft.

  64. I don't need to talk to 'em by Anonymous Coward · · Score: 0

    So where are the milter mods that allow you to not talk to Windows based mail servers?

  65. Not just AOL by stimey · · Score: 2

    There's a dozen other companies that support microsoft.
    You can see a list here
    Funny thing to see AOL is not in that list.

  66. Re:Uh oh...What's that sound? by Anonymous Coward · · Score: 0

    Not only won't it work, it represents the most insidious kind of fascism. An open source solution would obviously be better, and more liberating.

    So what you are saying is that the good ol' "American Way" is now fascism and the Open Source ideology represents the new "American Way".

    Netcraft confirms.....
    The USA is now a third world country

  67. Email stamps by The+Famous+Brett+Wat · · Score: 1
    Someone at Microsoft already stated they liked the idea of email stamps, paying a nominal charge per email.

    That would be Bill Gates.

    --
    proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
  68. Maybe It Isn't... by EXTomar · · Score: 1

    "Sender-ID" is like a digital signature which is fine and dandy except when you read too much into it. Knowing an email comes from a particular server doesn't indicate whether or not it is spam just like signing "malware.exe" with a signature doesn't mean it is okay to run.

    Signatures only verify it comes "blessed" from a source. If the source is bogus then it doesn't matter if it is signed or not. Putting too much faith in "Sender-ID" opens a whole lot of problems. For instance "Sender-ID" from "spamster@hotmail.com" just means it comes from a legit hotmail.com server. It does not clear it from being spam. I can see how malware will take over zombie machines co-opting their email servers. Instead of sending spam from the infected machine, it will just use its email settings back to "isp.com" which uses "Sender-ID" and we are back to chasing down infected machines.

    Besides, isn't "Sender-ID" patented? How much will it cost to implement "Sender-ID" for my little email server so I can actually email people? The last thing the Internet needs is more patented technology running around solving social problems.

  69. Well, it does show their true colors by rspress · · Score: 1

    The idea of Sender ID is a good one and it should have been a chance for Microsoft to give back to the community at large by making this a free, open standard. Of course most of the malformed email spam is sent from Microsoft based operating systems so I guess MS should make money on both sides of the issue.

    The fact that Microsoft is pushing this is one of the reasons it will never work. No one will trust Microsoft not to abuse their own system. If some company were taking on Microsoft all they would have to do is invalidate their competitor's senderID and none of their email gets through. I don't think many people will like the fact that for their email to be passed through the system it has to be okayed by Microsoft. Also add to the fact that MS does seem to understand the words "security" and "Internet" and this further dooms senderID.

  70. Re:AOL is the 90 pound Chimp by Fulcrum+of+Evil · · Score: 1

    have a deep-seeded hatred for such errors, they make me loose my mind.

    Um, 'Deep seated' and 'lose'. Grammer flames must include an error - it's the law.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  71. Re:AOL is the 90 pound Chimp by Darren+Winsper · · Score: 1

    OK, good point, I just got stuck on the first thing I noticed :)

  72. Re:AOL is the 90 pound Chimp by Anonymous Coward · · Score: 0

    From a moderator's point of view . . .

    If I mod that down, I'll get m2'ed into oblivion. Also note that there is no appropriate downmod for things that are just "wrong" or "stupid". There's "troll", "flamebait", "redundant", and "offtopic".

    There is "overrated", but that gets groused about.

  73. Microsoft Deserves Scepticism by twitter · · Score: 1
    Instead of saying "SenderID is bad because of XXX and, by the way, M$FT Blows" they would be saying "SenderID is bad because of XXX but here's how it could be made better"

    No, people say things more like, "companies, like Microsoft, Hashcash, and Goodwill Systems, are more interested in making money off of the volume than in solving the problem." Microsoft has earned distrust again and again. It's not what they say, it's what they do that counts. People can see and remember how Microsoft performs. That they rarely do what they say is more of the same as well.

    Microsoft's junk is patent encumbered and is not suitable as a standard. That would apply regardless of the company.

    In Microsoft's case, it's more outrageous because their software has already failed to compete in the marketplace. Sendmail, Exim and others are what moves email and M$ has nothing to do with it. Indeed, their greatest success generates 80% of the world's spam. This bout of standards manipulation is an attempt to foist inferior software onto people with better judgement and charge them for the mistake.

    I'd be happier if they concentrated on fixing what's broken rather than breaking what other people do that works. They are the problem, not the solution. Can you imagine what a field day the spammers would have if every mailserver was running some kind of M$ OS?

    --

    Friends don't help friends install M$ junk.

  74. Alternate URL by Anonymous Coward · · Score: 0
  75. Re:AOL is the 90 pound Chimp by Em+Adespoton · · Score: 1
    they make me loose my mind

    well, actually, maybe not, as this is exactly what he just did on here :D

  76. How to ride a Dead Horse by RealBorg · · Score: 2, Funny

    Old tribal wisdom says that when you discover you are riding a dead horse, the best strategy is to dismount. Businesses, however, often try other strategies. These include...

    1. Buying a stronger whip.

    2. Changing riders.

    3. Saying things like "This is the way we always have ridden this horse"

    4. Appointing a committee to study the horse.

    5. Arranging to visit other sites to see how they ride dead horses.

    6. Increasing the standards to ride dead horses.

    7. Appointing a tiger team to revive the dead horse.

    8. Creating a training session to increase our riding ability.

    9. Comparing the state of dead horses in today's environment.

    10. Change the requirements declaring that "This horse is not dead".

    11. Hire contractors to ride the dead horse.

    12. Harnessing several dead horses together for increased speed.

    13. Declaring that "No horse is too dead to beat."

    14. Providing additional funding to increase the horse's performance.

    15. Do a CA Study to see if contractors can ride it cheaper.

    16. Purchase a product to make dead horses run faster.

    17. Declare the horse is now "better, faster and cheaper."

    18. Form a quality circle to find uses for dead horses.

    19. Revisit the performance requirements for horses.

    20. Say this horse was procured with cost as an independent variable.

    21. Promote the dead horse to a supervisory position.

    1. Re:How to ride a Dead Horse by perdu · · Score: 1
      22. Spin off dog food division

      --
      You only use 2% of your DNA
  77. Re:AOL is the 90 pound Chimp by fatphil · · Score: 1

    We have a winner!

    (Actually, I use so-called scare quotes as a short-cut for "so-called".)

    FP.

    --
    Also FatPhil on SoylentNews, id 863
  78. the MS licence is NOT bsd-licence compatible by dmoen · · Score: 1
    Packages under BSD-like license ... will be fine

    That's not true. The MS licence is NOT compatible with a BSD licence, or with any open source licence. The licence is incompatible with both the Open Source Definition and the Free Software Definition. And that's why Sender-ID was rejected as a standard the first time through.

    Specifically, the problem is that if you want to run an open source MTA that contains microsoft's patent-pending algorithm, then you have to first execute a signed licence agreement with Microsoft. And that means the MTA is not open source. The most fundamental freedom provided by any free or open source program is the freedom to run the program, for any purpose, without first getting permission. The fact that you don't have to pay MS money to get permission does not make it "free" or "open".

    Doug Moen

    --
    I have written a truly remarkable program which this sig is too small to contain.
    1. Re:the MS licence is NOT bsd-licence compatible by swillden · · Score: 1

      That's not true. The MS licence is NOT compatible with a BSD licence, or with any open source licence.

      It is compatible with a BSD license, actually. In legal terms although perhaps not in practical terms. It's incompatible with Free Software licenses, like the GPL, because those specifically require that anyone you distribute the software to be able to redistribute without any additional restrictions. Because the BSD license places no requirements at all on what you may or may not do, you can write and distribute BSD-licensed software containing Sender ID code as long as you execute a license agreement with Microsoft. Whoever you give that code will be unable to redistribute it without also executing a license agreement, but the BSD license doesn't care about that. The same applies to most any Open Source license that is not also a Free Software license.

      The most fundamental freedom provided by any free or open source program is the freedom to run the program, for any purpose, without getting first getting permission.

      You're confusing Open Source and Free Software. Y'know there really is a reason that RMS harps on the difference :-)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:the MS licence is NOT bsd-licence compatible by dmoen · · Score: 1

      I am not confusing Open Source and Free Software.
      You need to read the open source definition at OpenSource.org:

      7. Distribution of License

      The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.

      Doug Moen

      --
      I have written a truly remarkable program which this sig is too small to contain.
    3. Re:the MS licence is NOT bsd-licence compatible by swillden · · Score: 1

      Interesting.

      The BSD license is not an Open Source license per the OSI's definition of the Open Source, because it does not require redistributors to pass along the rights, and it does not prohibit redistribution in the presence of other license requirements.

      Yet it is an OSI "Approved" License.

      I can't explain the contradiction. Can you?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:the MS licence is NOT bsd-licence compatible by dmoen · · Score: 1
      The BSD license is not an Open Source license per the OSI's definition of the Open Source, because it does not require redistributors to pass along the rights, and it does not prohibit redistribution in the presence of other license requirements.

      My understanding of this is different.

      The BSD licence is Open Source because it contains no terms or restrictions that violate the Open Source Definition. And note that RMS accepts the 3 clause BSD licence as a Free Software Licence. So RMS and Bruce Perens are in agreement about the acceptability of the BSD licence.

      The BSD licence has no clause that requires distributors to pass along certain rights. If it did, then in RMS's terminology, it would be a form of CopyLeft Licence. The GPL is a CopyLeft Licence. But RMS makes it clear that a licence can be Free without imposing CopyLeft.

      It may be that my original post was confusing. Perhaps I should have said that when the BSD licence is combined with the MS licence, then the resulting combination is not Free or Open Source.

      Doug Moen

      --
      I have written a truly remarkable program which this sig is too small to contain.
  79. SPF/SenderID cannot stop Joe jobs, phishing etc. by hadaso · · Score: 1

    > The real point of SPF and Sender ID is to make it hard
    > for spammers to forge their "from" addresses

    Neither SPF nor SenderID can do that without new email client software to use them, and then these specifications do not specify how the info is communicated to the email client.

    Both specifications DO NOT check the RFC822 "From" header, so there's no problem "forging" that, and that is what all current email clients display. SPF checks the SMTP envelope from. SenderID checks the "PRA" which is something derived in a somewhat complicated way from the email headers, and MS thinks it should be required to match the sending server because probably that is how MS does email, so everyone else should do the same.

    Anyway, it is trivial to use a "sender" header with matching envelope from that passes SPF (through registering a throwaway domain, possibly with stolen credit card number) and use whatever from header one wishes.

    BTW, in the older MS "CallerID for email" proposal they wanted to include a requirement that a domain owner has to keep old server info in the CallerID DNS record several months after stopping using the server. So I think this tells us how MS thinks the info should be communicated to the email client (the client performs its own tests, even if several months passed since the email was received...)

    And forget about these schemes stopping spam. They will not, and they are not designed to do this. They were supposed to make it harder to forge the "from" field, but they fail even in this unless the way email clients display email is changed, and a standard is created for the email server to communicate sender validation info to the email client.
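
Added example (not part of the comment above, and not code from either specification): a Python check that reports which domain SPF, Sender ID and the mail client each look at, and flags mail whose displayed From domain was verified by neither. The PRA selection is a simplified reading of the Resent-Sender, Resent-From, Sender, From order published in RFC 4407; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def domain_of(mailbox):
    """Lower-cased domain part of an addr-spec, or None."""
    return mailbox.rsplit("@", 1)[1].lower() if mailbox and "@" in mailbox else None

def purported_responsible_address(msg):
    """Simplified PRA selection: Resent-Sender, Resent-From, Sender, From.

    Assumption: the Received/Return-Path ordering rule for Resent-* headers
    is skipped; a header with zero or several mailboxes yields no PRA.
    """
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if not values:
            continue
        if name in ("Sender", "From") and len(values) > 1:
            return None                      # duplicated header: malformed
        boxes = [addr for _, addr in getaddresses(values[:1]) if addr]
        return boxes[0] if len(boxes) == 1 else None
    return None

def identities(envelope_from, raw_message):
    """Return the domain each check sees, and whether the shown From agrees."""
    msg = message_from_string(raw_message)
    shown = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    result = {
        "spf": domain_of(envelope_from),                      # SMTP MAIL FROM
        "sender_id": domain_of(purported_responsible_address(msg)),
        "displayed": domain_of(shown[0]) if shown else None,  # what the user sees
    }
    result["display_from_unverified"] = result["displayed"] not in (
        result["spf"], result["sender_id"])
    return result

# Constructed sample: envelope and Sender share one domain, From shows another.
SAMPLE = (
    "Sender: bulk@throwaway.example\r\n"
    "From: Accounts <accounts@bank.example>\r\n"
    "To: user@recipient.example\r\n"
    "Subject: constructed test message\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    print(identities("bounce@throwaway.example", SAMPLE))
```

A receiving server can pass both checks for this message while the domain the client displays was never validated, which is the gap the flag reports.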

  80. It takes 2 to tango! by Aloaha · · Score: 1

    It takes 2 to tango! ALOAHA promotes SPF and Sender ID as complementary technologies! ALOAHA SPAM Rejecter is the first recognized Windows based AntiSPAM Solution which makes SPF and Sender ID available as freeware for all Windows based Servers such as Microsoft Exchange, Lotus Notes, iMail and others. ALOAHA, a Madrid, SPAIN-based email protection organization, has begun shipping free versions of SPF (Sender Policy Framework) and Sender ID as well as a POP3 Connector as part of its larger AntiSPAM Framework which is able to protect basically all Windows based Mailserver. "I applaud Aloaha for releasing a solution which supports both SPF and Sender ID. Sender authentication promises to be a major advance in the war on spam, and Aloaha's timely support for these emerging standards leverages the existing base of hundreds of thousands of existing records to offer better spam protection for their customers," said Meng Weng Wong, CTO and Founder of Pobox.com and author of SPF. To get the freeware modules, companies must download the free, 30-day trial version of Aloaha. However, modules like SPF and RBL Lists will continue to be fully operational for free even if no licenses are being purchased after 30 days. ALOAHA and its Modules work on every Windows based Mailserver such as Microsoft Exchange, Lotus Notes and iMail. Due to its innovative transparent proxy design Aloaha rejects SPAM before it reaches the SMTP Server. Optionally the customer can also opt to use it as a SINK Plug-in in Microsoft Exchange or Internet Information Server. According to Aloaha CEO Frank Hellmann, Aloaha includes a number of anti-spam features in addition to the SPF and other DNS based modules. For example, incoming emails are checked against Active Directory or other Databases to verify if the recipient exists in the organization. Aloaha brings along also other innovative technologies like relaxed greylisting to the Mailserver.
    "With thousands of downloads we will contribute our share to help to stop the global SPAM Problem" Hellmann said. "Of course we hope that some of these downloads actually will become paid installations" he added later. Contact Information: Frank Hellmann Aloaha email: info@aloaha.com

    --
    +++ Don't bother to SPAM me ;-). I am ALOAHA protected... +++