While I'm sure the amateurs at MessageLabs actually believe that they can measure
a distributed, fluctuating, multivariate event such as "spam" to three significant digits,
perhaps their efforts would be more effective if they directed them toward stopping
the spam that's coming FROM MessageLabs -- the most recent example of which seen here
is barely a week old. Of course, "MessageLabs works to stop gaping security hole
in their own infrastructure" isn't nearly as catchy a headline.
...off the install media into a scratch area, just so I
can run your obfuscated, opaque Java application, just so
it can copy everything into the real installation directory.
Instead, why not try using, oh, I dunno, "tar" and "make"
and friends -- you know, the standard 'nix tools that every
system administrator has been working with quite happily
for decades and which suffice nicely to install tens of
thousands of software packages ranging from the dirt-simple
to the incredibly complex.
...it should read "Silverpop spammers". They have a LONG history which is
well known to everyone working in the field, and be readily accessed by anyone
who can use a search engine (or check the Internet Archive).
Note carefully:
This doesn't mean that every message they've sent is spam -- most competent spammers these days mix spam and non-spam because it's a highly effective tactic. This also doesn't mean that every customer of theirs hired them to spam -- again, most competent spammers have a mix of customers because that also is a highly effective tactic.
Absolutely true -- any estimate of total botnet populations that isn't in excess of 100 million can safely be disregarded as the product of either (a) poor methodology or (b) creative public relations.
Moreover, since these statistics are allegedly based on the number supposedly cleaned up, they've severely biased toward "systems which happen to have the appropriate cleanup tool installed AND which happen to have malware that the cleanup tool knows about". Given that the bad guys have copies of the cleanup tool as well, it's certain that they've undertaken significant engineering effort to craft their malware to avoid it.
The only things we really know about bots at this point are (a) they're already epidemic (b) there are more every day (c) no effective countermeasure exists (d) botnet disruption does not remediate bots (e) botnet C&C mechanisms are improving continuously and (f) we are approaching the point in time where any Windows system, chosen randomly, will have a 50-50 chance of being a bot.
There have been so many amazingly stupid approaches that it's difficult to know where to begin.
But let's start with "Spam as a technical problem is solved by SPF", one of the most
spectacularly blatant bits of hype ever published. The idiot responsible for this had,
and has, no anti-spam credentials -- yet he managed to convince a large number of
very stupid people that he had The Answer. Never mind that many people with superior
credentials and superior minds said it wouldn't work: it was the panacea!
Of course, spammers were the earliest and most prolific adopters of SPF, which has
since -- finally -- been recognized as pure snake oil with no value whatsoever.
Then we could turn our attention to Bayesian filtering, another technology hyped
as The Answer. Never mind that it was obvious on inspection that spammers could
defeat it at will -- and that they have, for years. There are STILL people out
burning CPU cycles at ever-increasing rates, in a self-defeating exercise in
futility, because they haven't realized yet that spammers can run the same
algorithms against the same rulesets and pre-vet their spam. And many do.
And then there's sender address verification (SAV), used only by selfish jerks
who think it's okay to use others' resources and -- worse -- who think it's
just fine to do their part to help spammers conduct DoS attacks. This method
has of course been completely discredited for years, but the cargo cult out
there will still cluelessly claim that it's a good idea.
And then there are the vendors, selling hastily-thrown-together crap that
puts perfectly good open source software on lousy hardware and pastes a
web interface over it for the inferior people who can't use a command line,
and therefore have absolutely no business attempting system administration.
Is there any wonder that these systems are incredibly expensive, wildly
inaccurate, poorly maintained, and quite often SOURCES of spam?
Our problems are bad enough, thanks to spammers. But the people responsible
for these have made them worse, and in the case of the vendors, they've done
it for profit. I'm sure they'll try to cash in on the next problem too,
even if they have to help make it worse.
Spammers have many methods of acquiring addresses, including but not
limited to:
subscribing to mailing lists
acquiring Usenet news feeds
querying mail servers
acquiring corporate directories (sometimes from their web sites)
insecure LDAP servers
insecure AD servers
use of backscatter/outscatter
use of auto-responders
use of mailing list mechanisms
use of abusive "callback" mechanisms
dictionary attacks
purchase of addresses in bulk on the open market.
purchase of addresses from vendors, web sites, etc.
purchase of addresses from registrars, ISPs, web hosts, etc.
domain registration (some registrars are spammers
AND harvesting of the mail, address books and any other files
present on any of the hundreds of millions of compromised
Windows systems.
There's thus no point whatsoever in any form of address obfuscation
or munging: it's a complete waste of time indulged in only by the
clueless, delusional few who haven't been paying attention to what's
gone in during the past decade. What's truly ironic is how many of
these people are actually running Windows and thus stand a reasonably
good chance of having their own system be the point at which their
address(es) are harvested.
A far better point to critique Google on would be their pointless
munging of addresses in Usenet news articles -- spammers have had
their own Usenet feeds for MANY years and all Google's done is make
the archives less useful for everyone else.
No one meted out extra-legal justice -- all that happened was the extremely-belated enforcement of contractual provisions.
The term "vigilantism" has been bandied about for years by spam-supporting organizations like the DMA as a way of shifting the argument. That attempt should of course be wholly rejected, as it is obvious from first principles that nobody on the 'net is under any obligation to provide services to anyone else absent a contractual agreement; thus, for example, refusal by X to accept Y's mail is merely assertion of X's control over X's own resources. The same reasoning applies in this case; there is no positive obligation on anyone's part to continue to passively accept abuse from another network.
And having read "The Shockwave Rider", had some idea of what we were up against. My role that day is described elsewhere and is of little importance, however. What IS important is that it provided a wake-up call that was badly needed, and that it taught us one of our early lessons in reactive self-defense, full disclosure, and cooperation. We're still learning.
Pidgin is portable, under active development, works for multiple IM protocols, sports a healthy collection of plug-ins that augment its functionality -- include OTR to provide relatively secure messaging services.
It's not perfect by any means, but I've deployed it across a 150-person organization and found that it more than met their needs. So if you're going to spend money -- not that you need to -- one possible course of action is to try pidgin, identify any issues that are causing you problems, and negotiate a deal with the developers: make a contribution to fund the development, which in turn not only benefits you but the entire rest of the user community.
The naive (but sometimes well-meaning) fools who continue to persist in their delusional belief that legislative or executive action will have any meaningful impact on spam always seem surprised that their latest "triumph" is nothing of the kind. These well-publicized busts are all about positive PR for the entity making them, and career advancement for the politicians who trumpet them. They have nothing to do with actually stopping spammers, so it's no surprise that spammers merely laugh at these feeble charades and carry right on doing what they've always done.
In addition to all those lying idle because of excessive address space allocation, there are huge swaths of space which have been hijacked.
Recent discussion on the NANOG list has highlighted some of these; the
Spamhaus DROP list features others. And other researchers have found still more that are obviously no longer under the control of their putative owners, and are being use for spam, spyware, phishing, and worse.
Attempts to get network operators, registrars, ICANN, ARIN, and others to effectively disable these resources -- and eventually to reclaim them -- have been largely unsuccessful. Yes, in some isolated cases, limited action eventualy takes place, but it's far too little far too late to be considered anything close to "effective". We need a concerted, worldwide effort to not only reclaim this space, but to blacklist for life those found currently possessing that -- because (as we've seen repeatedly) they won't be deterred by anything else.
"Spam and other forms of abuse are not speech, just as a brick with an
attached note thrown through a window is not publication."
If that's correct, then the 1st Amend. doesn't apply and the whole argument can be tossed.
Thomson has obviously come to the conclusion that they cannot
compete against a superior piece of software -- so rather than
admitting this, they are going to try to use their legal thugs
to crush it.
We have seen this strategy many times before, so it is nothing new.
But it is still a pathetic, transparently desperate action deserving
only of our contempt.
I'm aware of several people who refer to the company as "The GoDaddy Spam Support Service" due to the earnest embrace and willingness to work with the worst people on the Internet. It's pretty obvious that they have no ethics of any kind and will do ANYTHING to make money -- including ripping off their own customers. The sooner people abandon them entirely (not that some of their competitors are much better), the better it'll be. (And don't even get me started on their offensively sexist commercials.)
Registrars are in favor of ANYTHING that will make money for them, no matter how much damage it does to the Internet. That's why they back domain tasting -- a completely abusive practice. That's why they back domain selling -- another completely abusive practice. That's why they backed the creation of.info (now so completely overrun with spammers that an increasing number of people have blacklisted the entire TLD),.mobi (pointless, since anyone offering mobile-only services could use a subdomain),.biz (so heavily blacklisted that not even spammers are registering domains there any more), and so on. It's why they continue to sell domains to spammers by the thousands. It's why they provide anonymized domain registration -- yet another abusive practice.
So expect the registrars to get behind this quickly and completely. It'll make their cash registers ring, as typosquatters try to register variants of well-known domains and sell them to phishers, and legitimate domain owners race to beat them to it. In the end, a large amount of money will flow to registrars, every TLD except a few gTLDs and the ccTLDs will be blacklisted by default, and lots of people will own worthless domains that nobody really wants.
And ICANN will congratulate itself on a job well done.
Word has gotten out that DARPA is run by political appointees selected for their blind loyalty to the present administration, not for their intelligence and expertise. The best and brightest are of course aware of this, and few of them relish the prospect of working for a pack of first-class morons who report up a chain of command which terminates in someone far too stupid to deserve the compliment "moron". It's possible that this will change once President Obama takes office and does some serious house-cleaning, although frankly, any institution so badly mismanaged for so many years can't be put right quickly no matter how competent and sustained the effort. It's a pity that this has been allowed to happen -- or rather, that this has been deliberately made to happen -- but that philosophical note aside, the practical impact is that anyone choosing to work for DARPA at the moment really needs a full psychiatric evaluation with particular emphasis on latent self-destructive tendencies.
The spam run that your boss is considering WILL be detected by a variety of automated, semi-automated, and manual observers. This will cause some combination of your domain, your mail server, your IP address, your IP address block to be added to various lists. Those lists in turn will be used to either reject mail outright or to score it differently, with the former becoming much more prevalent as more people come around to the realization that there is absolutely no such thing as an "ex-spammer". I trust it's obvious that the consequences of this are negative, and that it's only a matter of how negative.
I recommend looking for other employment, as your boss has clearly aligned himself with spammer, phishers, scammers, typosquatters, child pornographers, and the other scum of the Internet. Such an unethical person -- who clearly values profit far above rudimentary ethics -- will obviously not hesitate to engage in other illicit activities, given that he's already enthusiastically in favor of large-scale Internet abuse. There's no reason for you to go along for the ride -- just publish the domain name so that we can all permanently blacklist it and file your resignation.
It is clear that readnotify and their ilk are engaged in abusive activities: we would not tolerate the equivalent with snail-mail, and so we should of course not tolerate it with email, either. These abusers are only one step removed from spam and spyware, and should therefore of course be blacklisted permanently.
I therefore recommend blacklisting (in your MTA and web proxy) readnotify.com, pointofmail.com, e-mail-servers.com, didtheyreadit.com, mailinfo.com, and msgtag.com. I welcome any additions to this list.
I should also mention that those who use superior mail clients -- e.g., mutt -- can avoid being spied on by these abusers. I strongly recommend using such clients, or configuring other lesser clients so that they do not cooperate.
...who are calling for a Constitutional amendment to bypass this decision. It's clear that their grasp of the fundamental human rights which pre-date and transcend even the Constitution's sweeping reach is limited, and that in their mindless fear, they've lost sight of why those rights are critically important.
They have failed to live up to their sworn oaths to uphold and defend the Constitution of the United States -- and yet they have the audacity to wrap themselves in the flag and call themselves "patriots".
They're the farthest thing from it. Real patriots understand why we must defend these rights, even at the cost of our lives -- because without them, we aren't the United States of America; we're just another transient tinpot dictatorship of no value and no lasting importance.
It is clear to all sufficiently-experienced observers that the CAN-SPAM act was designed and intended to provide a legal pretext for spam. The earnest support and widespread participation of some of the largest and most notorious spammers provided ample evidence of that, even before the precise language was agreed to. Everyone who is actually anti-spam opposed CAN-SPAM and continues to do so -- they recognize that the bill is utterly worthless, e.g., it fails to even use the correct definition of spam. (To wit, "unsolicited bulk email"; all other definitions are put forth by ignorant newbies or spammers; there are no exceptions.) Best practice is to instantly and permanently blacklist anyone or anything citing CAN-SPAM compliance for their actions: they are the enemy.
Sufficiently intelligent worms can use passive OS fingerprinting to identify hosts likely to be susceptible to infection (as they make their presence known) and then make a single attempt per host (which will, obviously, succeed or fail), keeping track of such attempts so as to avoid duplicates. Alternatively, worms could use a passive approach and not attempt to propagate at all except in response to traffic from other hosts -- that is, piggybacking themselves on the responses to ordinary traffic, say, HTTP requests, or Torrent requests, or IM requests. While use of such approaches might slow the propagation of a worm in a local sense, they won't slow down network-wide propagation appreciably if initial seeding is done in sufficient numbers and with sufficient network diversity.
I think the question then becomes which government? By now there are any number which have taken note of their existence (and some which have acted upon that knowledge), so my guess would be that more will do the same.
I think "an hour a day" on average is entirely reasonable. I don't think an hour a day, every day, is.
The reason I take this stance is that shifts in spammer tactics and strategies require measurement and evaluation so that appropriate countermeasures can be deployed. As one trivial example: if a domain you handle mail for is the target of a concentrated backscatter attack, you may have to adjust SMTP connection acceptance rates or throttle back SMTP clients attempting delivery to many nonexistent addresses. Figuring out that this is happening, deciding what to do about, implementing that decision, etc. all takes time.
Granted, this is a limited example, but similar things happen relatively often, and effort needs to be expended to deal with them. This has become, unfortunately, part of the normal role of postmasters, which represents a marked shift from 10 or 20 years ago, when mail systems were somewhat set-and-forget. There's no good way around it though: the threat keeps changing and evolving, so defenses need to as well. That need -- the requirement to keep up with spammers -- is one reason why I strongly recommend open-source solutions, as they offer the best chance.
There are multiple, very serious problems with Barracuda appliances. I've already commented on their propensity to generate backscatter elsewhere in this thread. They're also poorly supported, have systemic security issues, may have privacy implications (since Barracuda personnel have unauditable access to your mail stream), are expensive, use community resources such as DNSBLs in ways contrary to those resources' policies, and do not use current best practices in spam control. (This last is unsurprising given that Barracuda personnel do not participate in the discussions and consensus-building which generates those BCPs.)
Consider as well that the Barracuda appliances consist of (a) an open-source operating system (b) an open-source MTA (c) an open-source web server (d) an open-source spam scanner (e) an open-source virus scanner (f) other pieces of open-source software and (g) use community-mintained DNSBLs and RHSBLs. This is all held together with proprietary (closed-source) code, mostly for the purpose of providing a poorly-designed GUI interface. Any competent email system administrator should be able to create their own near-equivalent in an afternoon; it's not difficult. Such homebrewed creations have repeatedly been shown to vastly outperform Barracudas on multiple metrics, including cost, scalability, customization, security, and perhaps most importantly -- adaptability to new spammer techniques. (Barracuda is years behind the times and falling further back.)
It's very tempting to "just buy an appliance" and consider the problem solved, but it doesn't work. There's no substitute for expertise -- and given that much of that expertise is available for free, for the asking, on lists such as spam-l and spamtools and so on, it's difficult to understand why anyone would choose not to avail themselves of it.
We know. We've known for years, and in fact it is the advocacy of the professional members of the anti-spam community which directly led to Barracuda's reluctant decision to change the default state of that checkbox. The problem is that this should not even be an option because -- as we are painfully well aware -- many people who do not fully understand the consequences of that checkbox will set it to the incorrect state, promptly begin spewing spam, and soon after get themselves blacklisted.
This is by no means the only problem with Barracuda systems (their miserably poor security is another, for example) but it's the one that directly impacts everyone else on the Internet, since it results in an anti-spam strategy consisting largely of "throw your garbage at someone else".
As an aside, it's quite telling that across all the mailing lists used by experienced professionals to discuss spam -- spam-l, ietf-asrg, spamtools, etc. -- that there are no active participants from Barracuda. This speaks volumes not only about their systemic failure to learn from the far-more-experienced members of the community but about their willingness to explore solutions beyond merely stopping spam. (After all: if the spam problem were actually significantly reduced in scope, what would Barracuda sell?)
Slashdot Mirror
While I'm sure the amateurs at MessageLabs actually believe that they can measure a distributed, fluctuating, multivariate event such as "spam" to three significant digits, perhaps their efforts would be more effective if they directed them toward stopping the spam that's coming FROM MessageLabs -- the most recent example of which seen here is barely a week old. Of course, "MessageLabs works to stop gaping security hole in their own infrastructure" isn't nearly as catchy a headline.
Instead, why not try using, oh, I dunno, "tar" and "make" and friends -- you know, the standard 'nix tools that every system administrator has been working with quite happily for decades and which suffice nicely to install tens of thousands of software packages ranging from the dirt-simple to the incredibly complex.
I'm looking at you, SAS.
...it should read "Silverpop spammers". They have a LONG history which is well known to everyone working in the field, and be readily accessed by anyone who can use a search engine (or check the Internet Archive).
Note carefully: This doesn't mean that every message they've sent is spam -- most competent spammers these days mix spam and non-spam because it's a highly effective tactic. This also doesn't mean that every customer of theirs hired them to spam -- again, most competent spammers have a mix of customers because that also is a highly effective tactic.
But they ARE spammers.
Absolutely true -- any estimate of total botnet populations that isn't in excess of 100 million can safely be disregarded as the product of either (a) poor methodology or (b) creative public relations.
Moreover, since these statistics are allegedly based on the number supposedly cleaned up, they've severely biased toward "systems which happen to have the appropriate cleanup tool installed AND which happen to have malware that the cleanup tool knows about". Given that the bad guys have copies of the cleanup tool as well, it's certain that they've undertaken significant engineering effort to craft their malware to avoid it.
The only things we really know about bots at this point are (a) they're already epidemic (b) there are more every day (c) no effective countermeasure exists (d) botnet disruption does not remediate bots (e) botnet C&C mechanisms are improving continuously and (f) we are approaching the point in time where any Windows system, chosen randomly, will have a 50-50 chance of being a bot.
But let's start with "Spam as a technical problem is solved by SPF", one of the most spectacularly blatant bits of hype ever published. The idiot responsible for this had, and has, no anti-spam credentials -- yet he managed to convince a large number of very stupid people that he had The Answer. Never mind that many people with superior credentials and superior minds said it wouldn't work: it was the panacea!
Of course, spammers were the earliest and most prolific adopters of SPF, which has since -- finally -- been recognized as pure snake oil with no value whatsoever.
Then we could turn our attention to Bayesian filtering, another technology hyped as The Answer. Never mind that it was obvious on inspection that spammers could defeat it at will -- and that they have, for years. There are STILL people out burning CPU cycles at ever-increasing rates, in a self-defeating exercise in futility, because they haven't realized yet that spammers can run the same algorithms against the same rulesets and pre-vet their spam. And many do.
And then there's sender address verification (SAV), used only by selfish jerks who think it's okay to use others' resources and -- worse -- who think it's just fine to do their part to help spammers conduct DoS attacks. This method has of course been completely discredited for years, but the cargo cult out there will still cluelessly claim that it's a good idea.
And then there are the vendors, selling hastily-thrown-together crap that puts perfectly good open source software on lousy hardware and pastes a web interface over it for the inferior people who can't use a command line, and therefore have absolutely no business attempting system administration. Is there any wonder that these systems are incredibly expensive, wildly inaccurate, poorly maintained, and quite often SOURCES of spam?
Our problems are bad enough, thanks to spammers. But the people responsible for these have made them worse, and in the case of the vendors, they've done it for profit. I'm sure they'll try to cash in on the next problem too, even if they have to help make it worse.
There's thus no point whatsoever in any form of address obfuscation or munging: it's a complete waste of time indulged in only by the clueless, delusional few who haven't been paying attention to what's gone in during the past decade. What's truly ironic is how many of these people are actually running Windows and thus stand a reasonably good chance of having their own system be the point at which their address(es) are harvested.
A far better point to critique Google on would be their pointless munging of addresses in Usenet news articles -- spammers have had their own Usenet feeds for MANY years and all Google's done is make the archives less useful for everyone else.
No one meted out extra-legal justice -- all that happened was the extremely-belated enforcement of contractual provisions. The term "vigilantism" has been bandied about for years by spam-supporting organizations like the DMA as a way of shifting the argument. That attempt should of course be wholly rejected, as it is obvious from first principles that nobody on the 'net is under any obligation to provide services to anyone else absent a contractual agreement; thus, for example, refusal by X to accept Y's mail is merely assertion of X's control over X's own resources. The same reasoning applies in this case; there is no positive obligation on anyone's part to continue to passively accept abuse from another network.
And having read "The Shockwave Rider", had some idea of what we were up against. My role that day is described elsewhere and is of little importance, however. What IS important is that it provided a wake-up call that was badly needed, and that it taught us one of our early lessons in reactive self-defense, full disclosure, and cooperation. We're still learning.
Pidgin is portable, under active development, works for multiple IM protocols, sports a healthy collection of plug-ins that augment its functionality -- include OTR to provide relatively secure messaging services. It's not perfect by any means, but I've deployed it across a 150-person organization and found that it more than met their needs. So if you're going to spend money -- not that you need to -- one possible course of action is to try pidgin, identify any issues that are causing you problems, and negotiate a deal with the developers: make a contribution to fund the development, which in turn not only benefits you but the entire rest of the user community.
The naive (but sometimes well-meaning) fools who continue to persist in their delusional belief that legislative or executive action will have any meaningful impact on spam always seem surprised that their latest "triumph" is nothing of the kind. These well-publicized busts are all about positive PR for the entity making them, and career advancement for the politicians who trumpet them. They have nothing to do with actually stopping spammers, so it's no surprise that spammers merely laugh at these feeble charades and carry right on doing what they've always done.
In addition to all those lying idle because of excessive address space allocation, there are huge swaths of space which have been hijacked. Recent discussion on the NANOG list has highlighted some of these; the Spamhaus DROP list features others. And other researchers have found still more that are obviously no longer under the control of their putative owners, and are being use for spam, spyware, phishing, and worse. Attempts to get network operators, registrars, ICANN, ARIN, and others to effectively disable these resources -- and eventually to reclaim them -- have been largely unsuccessful. Yes, in some isolated cases, limited action eventualy takes place, but it's far too little far too late to be considered anything close to "effective". We need a concerted, worldwide effort to not only reclaim this space, but to blacklist for life those found currently possessing that -- because (as we've seen repeatedly) they won't be deterred by anything else.
"Spam and other forms of abuse are not speech, just as a brick with an attached note thrown through a window is not publication." If that's correct, then the 1st Amend. doesn't apply and the whole argument can be tossed.
Thomson has obviously come to the conclusion that they cannot compete against a superior piece of software -- so rather than admitting this, they are going to try to use their legal thugs to crush it. We have seen this strategy many times before, so it is nothing new. But it is still a pathetic, transparently desperate action deserving only of our contempt.
I'm aware of several people who refer to the company as "The GoDaddy Spam Support Service" due to the earnest embrace and willingness to work with the worst people on the Internet. It's pretty obvious that they have no ethics of any kind and will do ANYTHING to make money -- including ripping off their own customers. The sooner people abandon them entirely (not that some of their competitors are much better), the better it'll be. (And don't even get me started on their offensively sexist commercials.)
So expect the registrars to get behind this quickly and completely. It'll make their cash registers ring, as typosquatters try to register variants of well-known domains and sell them to phishers, and legitimate domain owners race to beat them to it. In the end, a large amount of money will flow to registrars, every TLD except a few gTLDs and the ccTLDs will be blacklisted by default, and lots of people will own worthless domains that nobody really wants.
And ICANN will congratulate itself on a job well done.
Word has gotten out that DARPA is run by political appointees selected for their blind loyalty to the present administration, not for their intelligence and expertise. The best and brightest are of course aware of this, and few of them relish the prospect of working for a pack of first-class morons who report up a chain of command which terminates in someone far too stupid to deserve the compliment "moron". It's possible that this will change once President Obama takes office and does some serious house-cleaning, although frankly, any institution so badly mismanaged for so many years can't be put right quickly no matter how competent and sustained the effort. It's a pity that this has been allowed to happen -- or rather, that this has been deliberately made to happen -- but that philosophical note aside, the practical impact is that anyone choosing to work for DARPA at the moment really needs a full psychiatric evaluation with particular emphasis on latent self-destructive tendencies.
I recommend looking for other employment, as your boss has clearly aligned himself with spammer, phishers, scammers, typosquatters, child pornographers, and the other scum of the Internet. Such an unethical person -- who clearly values profit far above rudimentary ethics -- will obviously not hesitate to engage in other illicit activities, given that he's already enthusiastically in favor of large-scale Internet abuse. There's no reason for you to go along for the ride -- just publish the domain name so that we can all permanently blacklist it and file your resignation.
I therefore recommend blacklisting (in your MTA and web proxy) readnotify.com, pointofmail.com, e-mail-servers.com, didtheyreadit.com, mailinfo.com, and msgtag.com. I welcome any additions to this list.
I should also mention that those who use superior mail clients -- e.g., mutt -- can avoid being spied on by these abusers. I strongly recommend using such clients, or configuring other lesser clients so that they do not cooperate.
They're the farthest thing from it. Real patriots understand why we must defend these rights, even at the cost of our lives -- because without them, we aren't the United States of America; we're just another transient tinpot dictatorship of no value and no lasting importance.
It is clear to all sufficiently-experienced observers that the CAN-SPAM act was designed and intended to provide a legal pretext for spam. The earnest support and widespread participation of some of the largest and most notorious spammers provided ample evidence of that, even before the precise language was agreed to. Everyone who is actually anti-spam opposed CAN-SPAM and continues to do so -- they recognize that the bill is utterly worthless, e.g., it fails to even use the correct definition of spam. (To wit, "unsolicited bulk email"; all other definitions are put forth by ignorant newbies or spammers; there are no exceptions.) Best practice is to instantly and permanently blacklist anyone or anything citing CAN-SPAM compliance for their actions: they are the enemy.
Sufficiently intelligent worms can use passive OS fingerprinting to identify hosts likely to be susceptible to infection (as they make their presence known) and then make a single attempt per host (which will, obviously, succeed or fail), keeping track of such attempts so as to avoid duplicates. Alternatively, worms could use a passive approach and not attempt to propagate at all except in response to traffic from other hosts -- that is, piggybacking themselves on the responses to ordinary traffic, say, HTTP requests, or Torrent requests, or IM requests. While use of such approaches might slow the propagation of a worm in a local sense, they won't slow down network-wide propagation appreciably if initial seeding is done in sufficient numbers and with sufficient network diversity.
I think the question then becomes which government? By now there are any number which have taken note of their existence (and some which have acted upon that knowledge), so my guess would be that more will do the same.
The reason I take this stance is that shifts in spammer tactics and strategies require measurement and evaluation so that appropriate countermeasures can be deployed. As one trivial example: if a domain you handle mail for is the target of a concentrated backscatter attack, you may have to adjust SMTP connection acceptance rates or throttle back SMTP clients attempting delivery to many nonexistent addresses. Figuring out that this is happening, deciding what to do about, implementing that decision, etc. all takes time.
Granted, this is a limited example, but similar things happen relatively often, and effort needs to be expended to deal with them. This has become, unfortunately, part of the normal role of postmasters, which represents a marked shift from 10 or 20 years ago, when mail systems were somewhat set-and-forget. There's no good way around it though: the threat keeps changing and evolving, so defenses need to as well. That need -- the requirement to keep up with spammers -- is one reason why I strongly recommend open-source solutions, as they offer the best chance.
Consider as well that the Barracuda appliances consist of (a) an open-source operating system (b) an open-source MTA (c) an open-source web server (d) an open-source spam scanner (e) an open-source virus scanner (f) other pieces of open-source software and (g) use community-mintained DNSBLs and RHSBLs. This is all held together with proprietary (closed-source) code, mostly for the purpose of providing a poorly-designed GUI interface. Any competent email system administrator should be able to create their own near-equivalent in an afternoon; it's not difficult. Such homebrewed creations have repeatedly been shown to vastly outperform Barracudas on multiple metrics, including cost, scalability, customization, security, and perhaps most importantly -- adaptability to new spammer techniques. (Barracuda is years behind the times and falling further back.)
It's very tempting to "just buy an appliance" and consider the problem solved, but it doesn't work. There's no substitute for expertise -- and given that much of that expertise is available for free, for the asking, on lists such as spam-l and spamtools and so on, it's difficult to understand why anyone would choose not to avail themselves of it.
This is by no means the only problem with Barracuda systems (their miserably poor security is another, for example) but it's the one that directly impacts everyone else on the Internet, since it results in an anti-spam strategy consisting largely of "throw your garbage at someone else".
As an aside, it's quite telling that across all the mailing lists used by experienced professionals to discuss spam -- spam-l, ietf-asrg, spamtools, etc. -- that there are no active participants from Barracuda. This speaks volumes not only about their systemic failure to learn from the far-more-experienced members of the community but about their willingness to explore solutions beyond merely stopping spam. (After all: if the spam problem were actually significantly reduced in scope, what would Barracuda sell?)