Sender-ID Back From The Dead
NW writes "Microsoft's Sender-ID standard has been left for dead since the rejection earlier this fall by the IETF. According to a Reuters story, it has been revised and will be resubmitted to the IETF. Along the way, Microsoft managed to pick up AOL's endorsement of Sender-ID. My humble analysis appears here."
...there are LOTS of execs at AOL with radically different ideas...
Yeah, just watch those stupid commercials they have about how their customers can "help them make the Internet better", like the one with the stupid lady who stands up on the executives' table while they are having a meeting. As if they are "the Internet". I know there was a time when they were one of the only big ISPs on the block, and they brainwashed their customers into thinking that they were in fact, the Internet. But those days are long gone.
SenderID is Microsoft's name for its patent-encumbered variation on SPF.
Too bad spammers will just start registering domains and using them semi-legitimately.
The real point of SPF and Sender ID is to make it hard for spammers to forge their "from" addresses, so that blacklists and whitelists can be more effective. Adoption or lack of adoption by spammers doesn't really have much impact on the success of SPF.
Find free books.
Guys, don't worry, remember that MS can't fight open source. There are too many ways around them. No matter what license they use, or what fee they charge, you may make some kind of module or plugin under that license. If they do have a license that comes out and says you can't have it interoperate with open source, then it will be obvious that they aren't playing fair. They will be openly stating it themselves. They will have no room to blame open source.
Computers are useless. They can only give you answers.
-- Pablo Picasso
From what I've seen, AOL has a large amount of respect in the Anti-Spam community.
Let me first expand on my original statement. Wall Street does not look highly upon AOL: they dramatically overpaid for Netscape, a division that is, for all intents and purposes, dead; they were involved in one of the most under-reported merger scams of the past decade (Time Warner, a long-profitable company was, many believe, duped); and their growth prospects are extremely limited. They've proved their inability to display original content, and the slow atrophy of their user-base has begun.
The user community, too, has a seemingly endless list of complaints--those who remember their growth problems (myself included), the constant busy-signals, buggy and bloated software, high prices, and extremely poor technical support--they place the blame solely with AOL, regardless of who is at fault.
But you argue that the anti-spam community respects AOL? I would disagree. True, they've pursued legal action against several high-profile spammers, but I would normally expect far more from a company with legal abilities such as theirs. They've acted in their own interest, and not in the interest of their users (not surprising, of course, as their obligation is to the shareholder, and not the consumer).
AOL could have, and indeed should have done more; they, however, have remained largely apathetic.
An effective signature identifies a particular user amongst a base of thousands.
I wish those days were long gone. And those "we are the internet" ads do piss me off. However, my fiance's father IS one of those people. He comes to our house and asks how to "log on". He can't fathom that just opening the web browser gives him access to the internet. Where is AOL? Prodigy? (Yes, he was a die hard prodigian) How are you already logged on? Is he an exception to the rule, or indicative of the masses?
Saying "I'll probably get modded down for this", is a magnet for my -1 mod token. I hate to disappoint.
Could someone please point me to a brief explanation of what Sender ID gives you that SPF doesn't. I thought they both just allowed you to verify that the "From" header line is consistent with the IP that the mail originates from.
I don't get any say over the policies, so none of your "solutions" work. If you want to use SPF to block, that's fine, I'm just pointing out there are cases where legitimate email can only originate at non-SPF Ok'd MTAs. I wouldn't block using SPF, I'd tag, except tagging doesn't stop the costs of spam.
SPF doesn't tag spam, and has nothing to do with it. It just makes it impossible to fake a sender address from a domain with proper SPF records.
Come back when you know how SMTP works. I can set any domain in the from address when I connect to your SMTP server. You have three options: use the SPF records of that domain to block or tag the email, or do nothing.
From Netwizard's Blog:
The FTC and NIST are holding a joint summit on email authentication in two weeks in Washington, DC (during the same week as IETF's 61st conference). They hinted earlier this year that if the industry does not come up with a standard for authentication, the feds might impose one.
Could the FTC actually do this? I wasn't aware that they had any authority over internet standards. The internet isn't some corporation, or the sole property of any business, even if some companies wish it were.
Think about the consequences of that. Even if Microsoft follows through on its promise to make the license available "for free" to anybody, it means that if you buy a Microsoft mailer or a mailer from a sublicensee, you can just install it and run it. If you install an "open source" mailer, however, your legal department needs to execute a licensing agreement with Microsoft's legal department. The costs and delays resulting from that alone make the "open source" mailer uncompetitive, no matter how much better it may be than Microsoft's products.
That is why the official open source definition does not allow such patents: if software implements such a patented invention and requires a licensing agreement with Microsoft, that software simply is not "open source", even if it is distributed under the text of an open source license--the existence of the patent and licensing requirement makes it not open source.
I've been in the anti-spam community for years, currently professionally so, and my respect for AOL is both recent and shallow. As a force against spammers, they're a Johnny-come-lately, and I remember well the days not so long ago when the only spam AOL cared about was inbound spam, but outbound spam was a complete non-issue to them. Inside of AOL was one of the safest places for a spammer to be, once upon a time.
:-)
There was a spam ring operating *inside* of AOL in the late 1990s that routinely joe-jobbed the ISP I was working for at the time. Entreaties to AOL fell on deaf ears. This joe-job went on for about a year, almost non-stop. They seem to have chosen us because we were very effective at blocking their spew and our 550s weren't always polite.
I believed then, and believe now, that the only way a spam ring could operate so brazenly for so long and in the face of all complaints, was if it was an inside job: a spam ring being run by AOL employees, possibly without the knowledge of AOL management, but almost certainly with the complicity of the AOL abuse department; it could even have been them doing it.
I freely admit that I cannot prove any of this and it is all conjecture based upon circumstantial evidence, but lest you start sniggering about tinfoil hats, let me tell you the final chapter in this saga.
After about a year of this almost constant joe-jobbing, my then-employer was bought by a much larger ISP and hosting company, one with enough guns/money/lawyers to make even AOL pay attention. We, the beleaguered engineering department of this smallish ISP, where I was at the time the especially beleaguered postmaster, took our plight to our new parent company's abuse department, who said they would try to help. After not getting much farther than we did, they put us in touch with our new parent company's legal department, who didn't say they would try to help. They said they *would* help.
And lo and behold, not long after the legal department got involved, the spam just stopped. Not just the joe-jobbing, but also the large amount of spam directed at our customers from the same spam ring. It went from thousands of direct messages (for an ISP with less than 50,000 customers that was a lot) and thousands more joe-job bounces every day to nothing. Zero. Not a single mail from that ring ever reared its ugly head on our network again during the further three years I worked there.
How could such a thing happen, after constant whining from AOL that they were powerless to prevent it (that was before they started ignoring us entirely)? I can think of only one plausible way, with two scenarios. In both, it's an inside job.
Variation one: after our new legal department took up our cause, that got AOL's attention to a sufficient degree that an actual investigation was opened, the perps were caught, and they were all fired. The trouble with this scenario is, if they were fired, why did they not joe-job us even harder in retaliation for losing their jobs?
Scenario 2: after our new legal department took up the cause, words were spoken to the proper people and it was made clear that they had to leave us alone and find some other victim because we were no longer some piss-ant regional ISP in a niche market, but now part of a big, strong company that could and would sue them if they didn't back off.
Needless to say, I find one of these scenarios far more likely than the other, and I find my respect for AOL still a bit thin, even though they have gone after some spammers and successfully sued them. Their new embrace of the still patent-encumbered Sender-ID doesn't exactly raise them in my estimation.
http://www.imc.org/ietf-mxcomp/mail-archive/msg05135.html
It appears that my predictions are coming true. Meng, MS and the IETF shut down the MARID WG so that they could more easily push the patent encumbered SenderID through. They no longer have to deal with a WG last call.
Expect more steps to happen after IETF-61 when the individual drafts will be "reviewed".
SPF support for most open source mail servers can be found at libspf2.
I have a question about this:
what about people like me who use my domain address for sending mail? I send my mail via horde at the domain, via Yahoo! Mail interface, via Opera M2 with my email (not return) address set to my domain address and even sometimes at mail2web.
Yahoo would use Yahoo SMTP servers, Opera would use my ISPs and only Horde would use the real mail.domain.com IMAP server. If they unblocked ISP SMTP servers for this sort of thing... wouldn't that just defeat the purpose? Because they're used for more than just @isp email addresses.
SPF/etc doesn't really do anything specific as far as spammers go (that is, it doesn't treat spammers as some special case, and spammers by themselves aren't going to be disproportionally encumbered by this technology), and it doesn't prevent anyone from simply forging addresses (that is, using an address in the From line that doesn't map back to the spammer.) What it does do is prevent someone from using a From address whose domain belongs to someone else without that owner's permission.
The intent is to deal with "Joe Jobs", by ensuring that a domain name owner has the final say over any emails sent out whose From envelope address contains that domain name.
Now, some people are associating this with spam, on the grounds that some spammers send out emails with unauthorized email addresses as the From line. This, I suspect, is being done purely because it's easier than registering a domain. However, registering domain names isn't difficult or particularly expensive, so that spam is simply going to start coming from new domains rather than disappear.
To give you some idea of how ineffectual this is in terms of stopping spam, I registered a new domain for myself last week. Within fifteen minutes of me going to register.com, entering the credit card number, and accepting everything, the domain was live. That is, there was a DNS server under my control pointing at it, and my work DNS (completely unrelated to the DNS server I attached the domain to) was resolving the name correctly. If I were a spammer, I would have been able to start sending out spam under a non-blacklisted domain within fifteen minutes of me registering the domain.
The real major (positive) impact this will have is on certain types of virus. There are many viruses that work on the basis of sending out emails that look like they come from trusted friends (by searching, for example, an address book and sending emails from the owner of the address book, or sending them from addresses in the address book.) SPF has the potential to make that close to impossible.
The downside, of course, is that the technology isn't completely transparent. Roaming (where you use multiple ISPs but want to use one email address) becomes difficult if your choice of email address is from an ISP that uses SPF, and which doesn't have a suitable relay server available for you to send outgoing email via - and suitable can just mean that your email software doesn't support whichever of the myriad of authenticated SMTP systems your ISP uses.
You are not alone. This is not normal. None of this is normal.
Since 90% of spam is being sent by zombie PC's these days;
The really big spamhauses have dedicated facilities, TYVM. Makes you wonder exactly why they are so hot for SPF.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"