Slashdot Mirror


Krebs on Microsoft Suspending "Patch Tuesday" Emails and Blaming Canada

tsu doh nimh writes In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company's recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software. Some anti-spam experts who worked very closely on Canada's Anti-Spam Law (CASL) say they are baffled by Microsoft's response to a law which has been almost a decade in the making. Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide "warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased." Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.

19 of 130 comments

  1. Blame Canada! by BenSchuarmer · · Score: 5, Funny

    Seems like a no brainer

    1. Re: Blame Canada! by irbeginner · · Score: 2

      Yeah. With their flappy heads and stuff.

  2. Email is expensive? by fahrbot-bot · · Score: 2

    Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.

    Wait, what? I thought Email was cheap, 'cause, you know ... spam.

    --
    It must have been something you assimilated. . . .
    1. Re:Email is expensive? by Penguinisto · · Score: 5, Funny

      I thought Email was cheap...

      It is unless you use Exchange server farms to send it. Then it's gawdawful expensive.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:Email is expensive? by weszz · · Score: 2

      sure it would... the salary of the people doing the work to move money around and account for it.

      A few months ago I put a request into the company I work for asking for a $20 piece of software (against policy to buy it and install it myself, gotta go through the process...)

      Looking at the process, it would have cost thousands in employee time to document, review and approve the purchase of the $20 piece of software at all the different levels of management involved in it. It's insanely wasteful.

    3. Re:Email is expensive? by stoborrobots · · Score: 2

      Are your email addresses hosted with services like hotmail, gmail, or managed by competent admins who use services like spamtitan or mailcleaner? It's very likely you're seeing the results of a large number of people working very hard to keep the spam you receive away from your inbox...

  3. they might be right. by nimbius · · Score: 5, Interesting

    For the Windows crowd: Unix, Linux and BSD sending and receiving an email is pretty mundane business (even to millions of people). Sendmail begat Postfix, which tidied up the nuts and bolts of SMTP in the land of penguins, neckbeards and that cartoon blowfish you occasionally see.

    Sending email from Exchange is orders of magnitude more complex by the nature of Exchange as a monolithic communications product. Because Exchange does scheduling, calendaring, contacts, unified messaging, failover management, automatic load balancing, remote configuration management, archival, database storage, advanced RBAC permission delegation and cool stuff like shadow redundancy, Outlook servers themselves have become increasingly divorced from the RFC for the SMTP. It isn't a bad thing for businesses that rely on being constantly connected, but it does mean the simple act of sending an email means relying on what for us would be an OS in itself. Exchange 2013 requires 2 gigabytes of free disk and recommends 16 gigabytes of free RAM. To compare and contrast, many in the BSD community can handle millions of messages per day with 2 gigabytes of RAM and 1 gigabyte of free disk. That includes storage for the message being sent.
    I think Microsoft is doing this because Exchange wasn't designed to just "send an email" anymore. It expects interactivity, redundancy, and universal access to the information being sent by default. The *nix solution runs hard and fast, but as an SMTP implementation requires significantly more engineering to provide the same level of service and feature set as Outlook.

    --
    Good people go to bed earlier.
  4. Re:Conspiracies, please. by Anonymous Coward · · Score: 2, Interesting

    Specifically,

    Basic Alerts: http://technet.microsoft.com/en-us/security/rss/bulletin
    Comprehensive Alerts: http://technet.microsoft.com/en-us/security/rss/comprehensive
    Security Advisories Alerts: http://technet.microsoft.com/en-us/security/rss/advisory
    Microsoft Security Response Center Blog Alerts: http://blogs.technet.com/b/msrc/rss.aspx

  5. It is Canada's fault! by Anonymous Coward · · Score: 4, Informative

    Canadian IT head here. Just spent the morning reading over the law that this is in knee-jerk reaction to. I think Microsoft's reaction is warranted. According to the new law, a company can be charged up to 10 Million dollars for an infraction (read single email) of unsolicited email. The law is poorly formed, and not well thought out, as well as lengthy and vague enough to create a broad swath of culpable people.

    What it boils down to is this. If you send an unsolicited email to someone you have not done business with in the last 2 years, and they have not opted in before, and they believe your email to be spam, boom, you are culpable. Also if you install software on someone's computer without explicit, but easy to understand examples of what the software is/does you can also be held culpable.

    All email a company produces in Canada from this point on has to include a link in the bottom or ability to opt out of all future email.

    Canadian businesses, no matter how small, are beholden to this law. Small companies are going to fold left and right because they cannot afford to comply with the new regulations, and those that don't try to comply run the risk of paying a huge penalty.

    In my personal opinion this is a grab at trying to make Canada Post relevant again (and financially viable). At the moment bulk mail is the only thing keeping Canada Post afloat, and if you couldn't send an email to try to drum up business, you can always send a mailer...

    While anti-spam law is well intentioned, in its current form it is so broken it should not have seen the light of day.

    1. Re:It is Canada's fault! by XanC · · Score: 2

      Thank you!

      The summary makes me want to laugh and cry at the same time. So the people who wrote the law don't think there are any costs of compliance? I'm sure that's not news. That right there is a HUGE problem with government solutions.

    2. Re:It is Canada's fault! by Anonymous Coward · · Score: 2, Insightful

      What it boils down to is this. If you send an unsolicited email to someone you have not done business with in the last 2 years, and they have not opted in before, and they believe your email to be spam, boom, you are culpable.

      Good! That is the definition of spam. Spammers should die.

      And this Canadian law is completely irrelevant to most mailing lists.

      To get on a mailing list, you have to submit your email address, then they send a confirmation message, then you have to click the link in the email to confirm that you actually want the messages.

      That is clear consent. And many mailing lists require you to reconfirm every 6 months or so.

      Also if you install software on someone's computer without explicit, but easy to understand examples of what the software is/does you can also be held culpable.

      What, you think just because you paid for the computer you think it belongs to you? The computer belongs to Apple/Google/Microsoft and they can install software on it whenever they feel like it.

      All email a company produces in Canada from this point on has to include a link in the bottom or ability to opt out of all future email.

      Pretty much all email from responsible companies have been doing that for years.

      So in summary, there is nothing in this Canadian law that applies here.

      As a "Canadian IT head", you're an idiot, or a troll.

    3. Re:It is Canada's fault! by ZombieBraintrust · · Score: 2

      That's the thing. Microsoft did not have implied consent. That's what this announcement means. They likely have no record of who consented to be on this mailing list. I bet they simply have a list of email addresses in a db somewhere. When you ask to be on the list they add you and then delete the email. When you ask off they remove you and delete the email. If they want to do a mailing list they have to start from scratch and keep better records.

    4. Re:It is Canada's fault! by ZombieBraintrust · · Score: 2

      I think that is what they have done. They sent out an email with instructions on how to get the security updates. The method they are using, RSS, gives you control over how you receive those updates. With the new approach Microsoft isn't keeping track of your email address or personal information. They are not using some proprietary bs either. RSS is a standard supported by lots of companies.

  6. Fail whale by tepples · · Score: 4, Insightful

    Is there no reason they couldn't just use Twitter?

    Using RSS instead of Twitter allows Microsoft not to rely on the single point of failure that is Twitter Inc.

    And besides, isn't this solved by Windows Update?

    For one thing, having thousands of PCs in a company individually download multi-megabyte updates from Windows Update wastes the bandwidth compared to use of WSUS. For another, some administrators prefer to test Windows patches before deploying them because some Windows patches are known to break programs that inadvertently rely on underspecified behavior.

  7. Any periodic e-mails should be RSS feeds by iamacat · · Score: 2, Insightful

    This law or not, any recurring e-mails are spammy. E-mail should be reserved for one time interactions like order confirmations and of course personal communication. With RSS feeds, user can unsubscribe, suspend and resume viewing updates at their convenience.

    1. Re:Any periodic e-mails should be RSS feeds by Anonymous Coward · · Score: 3, Funny

      What the fuck is RSS?

  8. Timeline by ZombieBraintrust · · Score: 4, Insightful

    The Canada Anti Spam Law requires very specific opt in from the people receiving emails. It requires that certain content not be in the email. It has fines. Microsoft is going to have to train its people and change its templates. It is going to have to get its emails approved by Canadian lawyers. It will take time for it to get in compliance with the law. But the deadline is tomorrow. So they will use RSS feeds instead. It is very easy for an expert to say the emails are exempt to the press. But I bet if you showed them a few emails they would find a few problems. Things Microsoft needs to fix or get fined.

  9. Great for RSS adoption. by mbourgon · · Score: 2

    I automated this a while ago, using PowerShell to query the RSS feed, pull out the details, and send the proper parties an email if there's a new message relevant to us.

    It probably seems like reinventing the wheel, but it allowed us to split out the emails relevant to each group, rather than one monolithic email. Which meant each affected party was liable to actually read it.

    Overall though, anything that shows how useful RSS is, is a good thing.

    --
    "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
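The per-group feed triage described in the comment above, as an added Python sketch; it is not mbourgon's PowerShell script and not part of the thread. The feed text, guids, routing table and mailbox names are constructed, and the function returns what would be mailed instead of sending anything.

```python
import xml.etree.ElementTree as ET

# Constructed sample in RSS 2.0 shape; titles, guids and links are made up.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed bulletin feed</title>
<item><guid>EXAMPLE-001</guid><title>Update for Exchange Server</title>
<link>https://example.invalid/EXAMPLE-001</link></item>
<item><guid>EXAMPLE-002</guid><title>Cumulative update for Internet Explorer</title>
<link>https://example.invalid/EXAMPLE-002</link></item>
<item><guid>EXAMPLE-003</guid><title>Update for SQL Server and Exchange Server</title>
<link>https://example.invalid/EXAMPLE-003</link></item>
</channel></rss>"""

# Hypothetical routing table: team mailbox -> product keywords it cares about.
ROUTES = {
    "mail-team@example.invalid": ["exchange"],
    "dba-team@example.invalid": ["sql server"],
    "desktop-team@example.invalid": ["internet explorer", "windows"],
}

def parse_items(feed_text):
    """Return (guid, title, link) per item; refuse feeds that carry a DTD."""
    if "<!DOCTYPE" in feed_text or "<!ENTITY" in feed_text:
        raise ValueError("feed declares a DTD; refusing to parse")
    items = []
    for item in ET.fromstring(feed_text).iter("item"):
        guid = item.findtext("guid") or item.findtext("link") or ""
        items.append((guid.strip(), (item.findtext("title") or "").strip(),
                      (item.findtext("link") or "").strip()))
    return items

def route_new_items(feed_text, seen, routes=ROUTES):
    """Group unseen items by recipient; updates `seen` so reruns stay quiet."""
    outbox = {}
    for guid, title, link in parse_items(feed_text):
        if not guid or guid in seen:
            continue
        seen.add(guid)
        for rcpt, keywords in routes.items():
            if any(k in title.lower() for k in keywords):
                outbox.setdefault(rcpt, []).append(f"{title} <{link}>")
    return outbox

if __name__ == "__main__":
    for rcpt, lines in route_new_items(SAMPLE_FEED, {"EXAMPLE-002"}).items():
        print(rcpt, lines)
```

Persisting `seen` between runs is what keeps each team from being mailed the same bulletin twice.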
  10. Re:Conspiracies, please. by nabsltd · · Score: 2

    Limiting number of RCPT TO lines is a fucking awful way to handle spam, and explicitly discouraged by RFC 2821:

    All that says is that you should not reject the message based on the number of recipients. You can, however, temporarily reject (using a 4xx status code) recipients after some set number. Any good MTA will retry the tempfails.

    I currently have a variation of this in place where any e-mail to a "special" address (like postmaster or webmaster) can't have any other recipients at my mail server. Right now, it's a log-only rule, and hasn't been triggered very often, but I wanted to make sure I don't reject or filter messages to those addresses, but I also don't want them to be used to allow unfiltered spam to be sent to everyone else in the domain.

    OTOH, if the e-mail is a bounce (defined as from ""), I do reject it if it has multiple recipients, directly in violation of the RFC portion you quote. This is because a bounce is to notify the sender that something went wrong, and it's impossible to have more than one sender.
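The three recipient rules in the comment above, modelled as an added Python sketch of one SMTP transaction; it is not nabsltd's configuration and not part of the thread. The limit of 100, the 550/554 codes and the choice to tempfail the later recipient when the special-address rule is enforced are assumptions; 452 is the standard "too many recipients" reply.

```python
SPECIAL = {"postmaster", "webmaster"}  # role addresses named in the comment

def is_special(addr):
    return addr.split("@", 1)[0].lower() in SPECIAL

class Transaction:
    """One SMTP mail transaction, fed RCPT TO commands in arrival order."""

    def __init__(self, mail_from, max_rcpts=100, log_only=True):
        self.bounce = mail_from == ""   # MAIL FROM:<> (null reverse-path)
        self.max_rcpts = max_rcpts      # assumed limit; the comment gives none
        self.log_only = log_only        # True: only record special-address hits
        self.accepted, self.log = [], []
        self.reject_at_data = False

    def rcpt(self, addr):
        """Return (reply_code, text) for one RCPT TO:<addr>."""
        if self.bounce and self.accepted:
            # A bounce answers one sender, so a second recipient is refused
            # and the whole message is refused at DATA.
            self.reject_at_data = True
            return 550, "bounce with more than one recipient"
        if len(self.accepted) >= self.max_rcpts:
            # Tempfail, not reject: a well-behaved MTA retries the remainder.
            return 452, "too many recipients, retry the rest later"
        mixed = bool(self.accepted) and (
            is_special(addr) or any(is_special(a) for a in self.accepted))
        if mixed:
            self.log.append(f"special address shares transaction: {addr}")
            if not self.log_only:
                # Assumed enforcement: tempfail the later recipient so the
                # sender retries it in a transaction of its own.
                return 452, "deliver role-address mail separately"
        self.accepted.append(addr)
        return 250, "OK"

    def data(self):
        if self.reject_at_data or not self.accepted:
            return 554, "transaction rejected by policy"
        return 354, "start mail input"

if __name__ == "__main__":
    t = Transaction("")  # constructed bounce with two recipients
    print(t.rcpt("alice@example.invalid"), t.rcpt("bob@example.invalid"), t.data())
```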