Instead, the IESG is actively working to push through this patented technology by shutting down the MARID WG so that they can advance the SenderID proposal without any public review. More over, the IESG has declared that it is ok for the SenderID spec to re-use SPF records in incompatible ways, that the SPF RFC must be held back until MS is ready ("to be fair to MS"), and the IESG is going to ignore the last 1.5 years of SPF deployment experience and start fresh with collecting data since MS has only recently started doing SenderID checking (again "to be fair to MS").
The IETF needs to take the "E" out of their name and become the Internet Political Task Force.
MX logic does seem to quite grasp the concept that spammers identifying themselves as the true senders of the spam is a good thing, not a bad thing
Would be a fair point if the "identity" of the spammers was static. But it is not; domain registration is automated and turnover is massive, sites lasting maybe a few hours. It's no coincidence that the biggest take-up of SPF has been amongst spammers.
Even with throw-away domains, an SPF pass will not help spammers. A domain that has no record of sending significant quantities of email and which has other spam indicators such as who their authoritative name servers are or their whois/registration information can have a negative reputation from the very start.
Again, I can understand spammers being stupid enough to think they need to get an SPF pass, but I can't understand MX logic claiming that this is in any way a problem.
Quite apart from which, even the proponents of SPF, when tackled head-on with hard questions (eg about how SPF deals with null envelope-sender (bounces)), will tell you that SPF is *not* a spam prevention mechanism.
Meng Wong once used the analogy of "SPF is an anti-spam system like flour is a food." SPF alone doesn't do much for you, but SPF plus reputations systems do stop spam. The "problem" with null envelope-froms is not a problem. SPF falls back to the HELO domain, since it is the MTA at the HELO domain that is generating the bounce.
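To make the HELO fallback concrete, here is an added toy check_host() (example code written for this page, not the SPF project's implementation) that evaluates a constructed SPF record table. It supports only the ip4, include and all terms; the domain names and records are made up.

```python
"""Minimal SPF check illustrating the null-sender (bounce) fallback to HELO."""
import ipaddress

# Constructed DNS TXT table for the example; these are not real zones.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "bounce.example.net": "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def select_identity(mail_from: str, helo: str) -> str:
    """For a null reverse-path (a bounce), the identity checked is
    postmaster@<HELO domain>, because the HELO host generated the bounce."""
    if not mail_from or mail_from == "<>":
        return f"postmaster@{helo}"
    return mail_from


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` against the connecting IP.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:  # cap on nested include: evaluation (loop protection)
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the included record yields "pass"
            if check_host(ip, term[8:], depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # other mechanisms (a, mx, exists, ...) are not modelled in this toy
    return "neutral"  # no mechanism matched and no "all" term present


def spf_result(ip: str, mail_from: str, helo: str) -> str:
    """Pick the identity (MAIL FROM, or postmaster@HELO for bounces) and check it."""
    identity = select_identity(mail_from, helo)
    domain = identity.rsplit("@", 1)[-1]
    return check_host(ip, domain)
```

A bounce from 203.0.113.5 with an empty MAIL FROM is checked against bounce.example.net's record and passes; the same bounce from an unlisted address fails.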
DKIM and PGP do different things and are complementary technologies. In fact, Jon Callas, the founder of PGP Inc, is one of the co-authors of the DKIM draft.
DKIM lets domain owners "easily" sign all email coming from them as valid. DKIM does not do encryption or per-user authentication. PGP and S/MIME can do both encryption and per-user authentication, but it requires certs and public-key infrastructure (PKI) stuff that makes it much more complicated.
So, if you want to know if the email you received from ebay is legit, use DKIM (or SPF). If you want to know if the secret contract you are negotiating with is really from the CEO of ebay, use PGP (or S/MIME).
MX logic does seem to quite grasp the concept that spammers identifying themselves as the true senders of the spam is a good thing, not a bad thing.
I know of no significant anti-spam product that uses SPF pass, by itself, in a way that makes the email less likely to be marked as spam. Every major anti-spam product that I know of uses the results of SPF pass checks to feed into reputation systems. If your domain has a good reputation and the email passes, then great, you are less likely to be marked as spam. If your domain has a bad reputation and the SPF check passes, then great, you are *MORE* likely to be marked as spam.
Spammers are stupid. They gain nothing from getting an SPF pass. Why folks like "MX logic" can't figure this out reflects poorly on them, not on SPF.
I like the concept of using cryptographic methods to protect the mail headers and body. I think that is the most promising approach. That said, crypto solutions like DomainKeys are not without problems.
Crypto solutions break on way too many mailing lists and more than a few email forwarders because content is often added (ads on the bottom) or changed (spam/virus filtering), and this breaks the crypto signatures.
Also, there is a real problem with replaying a message. You just can't distinguish a Yahoo customer sending a message to a large mailing list, and a spammer who signs up with Yahoo, sends a message to themselves, and then redistributes that correctly signed email to their list of 50 million victims.
There are various ways to try and solve both of these problems, but none of the solutions are very clean and probably not very effective.
I think that if there was a nice, clean solution to the forged email problem, it would have been discovered many years ago.
I think the crypto solutions, and things like SPF (or DMP, or RMX, or any of the other LMAP-type solutions) can help each other out. SPF primarily fails on forwarded email, while the crypto solutions primarily fail on mailing lists. If all email uses both, it can help automate the detection of forwarders and mailing lists, and then you can know which system to use for each email.
DomainKeys is not the only crypto solution, there is also IIM, and META-signatures. I actually like the latter two better because I think they handle the problems with mailing lists better. Yahoo and Cisco have announced that they are merging DK and IIM into a single spec, but they haven't released the spec yet, and the details will be very important.
Domainkeys, like SenderID, has two other problems that could cause problems for the F/OSS world of email. First off, Yahoo has patents on DomainKeys and their license isn't (currently) compatible with many F/OSS software. I suspect that Y! will be much more willing to make changes to their license than MS was, but who knows. Secondly, like SenderID, it turns out that DomainKeys is already trademarked by someone else and this could cause lots of legal fun for the parties involved.
I am the current editor of the SPF specification. Both Meng Wong and I agree that SenderID is a horrible idea, that it doesn't work as well as SPF, and that SenderID is abusing current SPF records in incompatible way.
While both SPF and SenderID break on many forwarded emails, SenderID breaks on many mailing lists also. Moreover, one of the most promising solutions to the SPF forwarding problem (a specialized DNS server, as outlined in section 9.3.1.2 in the SPF spec) breaks when SenderID uses it.
So, SenderID is a patented system that is incompatible with many of the F/OSS mail servers that currently dominate the internet, it doesn't work as well as other technologies, it damages the use of SPF, and outside of MS, it is being used by almost no one.
If this was just a matter of hotmail and MSN hurting themselves, then I wouldn't have any problems with it. However, this appears to be a case of Microsoft working hard to hurt the entire internet email environment.
Some domains get a LOT more spam than others. One example is striker. Back in 2001, Alan DeKok was getting 300,000 spams per day. I suspect that if he tried to measure it now, he would easily get several million, or maybe even tens of millions of spams per day.
And, no, having the domain disabled for a long period of time doesn't help. There are several domains that are being used as spam traps now a days after having been disabled for years.
Can you point me to anywhere in RFC1034/RFC1035/RFC2308/etc that says that the SOA record has anything to do with the TTL?
I can't because it's not there. [...] The fact that DNS caches rely on the SOA serial changing to determine whether to expire old records or honor the TTL does not go against the RFC, but it's not explicitly stated.
Might be a good idea to look at the DNS servers from an administrative point of view. There's a lot you don't get from just reading RFC's and looking at packets.
One advantage of looking at the packets and the source to things like bind, is that you will discover that (*except in a few cases like NXDOMAIN) the SOA record is not sent with the answer. Therefore, no matter what you might believe, it is impossible for most DNS caching software to depend on the SOA values.
Feel free to show me where in bind/djbdns/etc. that this SOA cache dependency happens, or to show an actual test case. I would love to see it. Maybe there are DNS servers that do an extra query for the SOA record, but I kind of doubt it.
What I meant was that if you don't bump the TTL then your own nameserver if you do a SIGHUP won't show the changes and you can set the TTL to whatever you want and it won't do a bit of good. Classic newbie mistake.
I'm pretty sure you meant to say that if you don't bump the serial number, not the TTL.
Also while we're on the subject of TTL's I that our nameserver is actually setup to increase TTL's less than 24 hours to 24 hours. I believe that's in an RFC or best practices guide I read somewhere.
Yes, RFC1033 and RFC1912 recommend a minimum TTL of one day, but that is just a recommendation. There are times when shorter TTLs are very important, for example many anti-spam DNSBLs have very short TTLs so that machines can be delisted quickly.
I can understand having minimum and maximum TTL values for caching purposes, but I think 1 hour is probably far more appropriate than 1 day. The bandwidth savings for a 1 day minimum isn't going to be very much but the problems caused could be fairly large.
To the best of my knowledge, all of the information you provided is BS.
I will ask you the same thing I asked the grandparent:
Can you point me to anywhere in RFC1034/RFC1035/RFC2308/etc that says that the SOA record has anything to do with the TTL?
I have read most of the DNS RFCs, and the important ones very closely. I have looked carefully at DNS packets and I am working on a proposed RFC that will create a new DNS record type (for SPF).
I don't know everything about DNS, so I'm always willing to learn more, but if you can't back up what you say with references to RFCs, I'm not going to believe you. Especially when you claim such bizarre things like a caching name server will know the serial number for all domain names that it has cached.
Listen -- We are SOA for around 11,000 domains. Both myself and the other uber-admins get tickets like this "escalated" when some clueless newbie wet behind the ears freaking junior admin DOESN'T RTFM and doesn't realize that if the serial #'s don't change then TTL is ignored.
Ok, can you point me to anywhere in RFC1034/RFC1035/RFC2308/etc that says that the SOA record has anything to do with the TTL? The nTTL, yes, but not the TTL. Yeah, if they don't change the serial number, their secondary name servers will take a long time to expire (could be weeks), but again, this doesn't have anything to do with your claim that if the serial number doesn't change, then the TTL is ignored.
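The two timers being argued about here are easiest to separate in code. The following is an added toy model (written for this page, not code from any of the posters or from BIND): a caching resolver that expires each answer by the TTL it received, and a secondary server that re-transfers the zone only when the primary's SOA serial increases. Zone data, names and timestamps are constructed.

```python
"""Toy model: resolver cache honours the RR TTL; only a secondary server looks
at the SOA serial. Constructed data, not a real resolver."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    ttl: int
    data: str


@dataclass
class Zone:
    serial: int     # SOA serial number
    refresh: int    # SOA refresh interval in seconds
    records: dict   # (name, rtype) -> RR

    def answer(self, name: str, rtype: str) -> Optional[RR]:
        return self.records.get((name, rtype))


@dataclass
class ResolverCache:
    """Caching resolver. An ordinary answer carries only the RR and its TTL;
    the SOA serial is not in it, so the cache cannot depend on the serial."""
    entries: dict = field(default_factory=dict)

    def resolve(self, server: Zone, name: str, rtype: str, now: int) -> Optional[str]:
        key = (name, rtype)
        hit = self.entries.get(key)
        if hit is not None and now < hit[1]:
            return hit[0].data                      # still within TTL: serve cache
        rr = server.answer(name, rtype)             # miss or expired: ask the server
        if rr is None:
            return None
        self.entries[key] = (rr, now + rr.ttl)      # expiry = arrival time + TTL
        return rr.data


@dataclass
class Secondary:
    """Secondary server: polls the primary's SOA every `refresh` seconds and
    copies the zone only when the serial has increased."""
    copy: Zone
    last_poll: int = 0
    transfers: int = 0

    def poll(self, primary: Zone, now: int) -> bool:
        if now - self.last_poll < self.copy.refresh:
            return False                            # not time to poll yet
        self.last_poll = now
        if primary.serial > self.copy.serial:
            self.copy = Zone(primary.serial, primary.refresh, dict(primary.records))
            self.transfers += 1
            return True
        return False                                # serial unchanged: no transfer


def simulate() -> dict:
    """Admin changes www's A record (TTL 3600) at t=100 without bumping the
    serial, then bumps it at t=8000. Returns what each party observes."""
    name, rtype = "www.example.org", "A"
    primary = Zone(2005041101, 7200, {(name, rtype): RR(name, rtype, 3600, "192.0.2.1")})
    secondary = Secondary(Zone(primary.serial, primary.refresh, dict(primary.records)))
    cache = ResolverCache()
    seen = {}
    # t=0: resolver asks the secondary and caches the answer for its TTL.
    seen["t0_resolver"] = cache.resolve(secondary.copy, name, rtype, now=0)
    # t=100: zone file edited on the primary, serial left alone.
    primary.records[(name, rtype)] = RR(name, rtype, 3600, "192.0.2.2")
    # t=3000: within the 3600 s TTL, the resolver serves its cached copy.
    seen["t3000_resolver"] = cache.resolve(secondary.copy, name, rtype, now=3000)
    # t=7300: secondary polls; the serial did not change, so nothing transfers.
    secondary.poll(primary, now=7300)
    seen["t7300_secondary_transfers"] = secondary.transfers
    # t=7400: TTL expired; the resolver re-queries the secondary and still gets the
    # old address because the secondary never transferred, not because TTL was ignored.
    seen["t7400_resolver_via_secondary"] = cache.resolve(secondary.copy, name, rtype, now=7400)
    # Asking the primary directly at the same moment returns the new address.
    seen["t7400_direct_from_primary"] = ResolverCache().resolve(primary, name, rtype, now=7400)
    # t=8000: serial bumped; on its next refresh the secondary transfers the zone.
    primary.serial += 1
    secondary.poll(primary, now=14600)
    seen["t14600_secondary_transfers"] = secondary.transfers
    seen["t14600_secondary"] = secondary.copy.answer(name, rtype).data
    return seen
```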
I just recently switched ISPs and hence IP addresses. I found that most name servers obeyed the 3 day DNS TTL that I have been using for a very long time.
I used the Linux Advanced Routing & Traffic Control utilities to set up the split access stuff. This allowed me to send all packets from the old ISP back through their link, while packets from the new ISP went on the new link. I changed the DNS entries and then I monitored the traffic going through the old link. After one TTL period, almost all of my traffic was using the new link. The main exception was NTP clients, which run for a very long time and only do their DNS lookups on startup.
I run a (non-tech) website that is used by many people, and also the authoritative name server for a domain that gets a couple million lookups per day from tens of thousands of caching name servers. If there were widespread problems, I think I would have noticed it.
I'm not saying that there aren't a lot of really broken name servers out there, just that they don't appear to be rampant.
I've been using mozilla's image blocking feature for a very long time. If a website has a really annoying ad, I block that host. If the ads aren't annoying, I don't bother. So, in effect, advertisers have a one strike and you are out rule with me.
On the other hand, a website I developed for fun started using enough bandwidth to start costing me money. I added google ads a while back and I now get around 1.5-2% click through rate and it returns hundreds of dollars per month over its costs. I personally don't find text ads (like google) annoying and obviously many of my visitors think the ads are worth looking at. My friends who use adblocker don't even see the ads and I suspect that if everyone automatically used adblocker, not only would they not see ads that they are interested in, but I may well have taken down my website.
Actually, I really think that making money through ads is the WRONG way to pay for things. I would much rather have very small micro-payments from each visitor. The reason is very simple: I should be motivated to provide content that visitors feel is worth paying for, rather than content that other companies/people feel it is worth paying to advertise on.
For example, on one web page, I recommend using certain companies because I think they are good, and that web page ranks pretty high on google. How many advertisers would want to pay to get on that page? The current payment model encourages me to get rid of those recommendations.
1) The admin email address is setup to be an auto@domains.jumpdomain.com (or something similar) which doesn't end up being delivered to the actual admin of the domain. This causes all of the automated transfer emails to not get delivered. You can update this information through OpenSRS at www.adminchange.com. I haven't needed to do this with eNom, but I'm guessing they have a similar process.
Yes, I had the very same problem with jumpdomain and tucows. Jumpdomain changed my admin contact without notifying me and without my permission. I tried using their adminchange website, which says that you can get the admin contact for my domain changed back, but they require you to print out a form, and then scan it back in, and then email it. Unfortunately, the email address is just a bot that consistently says that you didn't give any attachments, even when you did!
I was eventually able to email "Paul Karkas" <pkarkas@tucows.com> with the attachments, and then just last week, my .com domain's admin contact was fixed. Any day now, GoDaddy will have control of all of my domains.
1) get a front page article on Slashdot slandering said registrar with negative publicity.
Truth is a 100% defense against charges of slander and libel. I can't speak for the submitter, but I am very willing to testify in court that almost the exact thing has happened with me and jumpdomain.
I am *JUST* *NOW* managing to get my last five domains away from jumpdomain after a 6 month process. I'll post the messages I've sent at the end, but I'll give you a quick run down now.
I tried contacting jumpdomain many times via many different methods, including email, filing problem reports and phoning. Every such attempt failed to reach a human. The problem reports were never responded to and eventually they were deleted.
I have filed a complaint with internic earlier this year. It didn't do any good.
The contact point for eNom on the internic website is an email address that now bounces and used to go into a black hole.
I have *JUST* *TODAY* gotten good response to transfers@enom.com. Jason Cluphf was most helpful.
I had problems contacting tucows also, but fortunately the domains that I registered via jumpdomain that ended up at tucows were all .com and .net, and there is a new rule that by default, the transfers have to go through. The domains that I had with jumpdomain/enom were .org domains.
Ok, the following is an email that I've sent in various forms to about a dozen different emails over the last 4 months.
To: matt@enom.com, transfers@enom.com, abuse@enom.com
Subject: I am having problems with your reseller, jumpdomain.com
From: wayne
Date: Mon, 11 Apr 2005 16:05:17 -0500
Message-ID:
Help!
I got your email address from
http://www.internic.net/registrars/registrar-48.html
Your eNom reseller, jumpdomain.com, appears to have dropped off the
face of the earth. I have been using jumpdomain.com since the mid
90's, but now I'm having big problems with them.
I need auth codes to transfer the following domains:
elgin-watches.org
elginwatch.org
libspf2.org
trusted-forwarder.org
This is the second time this year I've tried to transfer these domains
away from you and your reseller. The last time, I not only didn't get
any response from your reseller, but I didn't get any response from
you and the transfer timed out.
I *WAS* able to transfer my .com domains away from you last January
because when you didn't respond, the transfer went through by
default. Unfortunately, there is no such policy for .org domains
(yet).
*** PLEASE DO SOMETHING ***
On Oct 2, 2004, I renewed several domains, including elginwatches.org.
All the other domains went through fine, but elginwatches.org remained
in a "Pending" status. I didn't notice this until late Oct, but that
wasn't a problem elginwatches.org didn't come up for renewal until Jan
11, 2005.
On Nov 10, the domain still hadn't finished the renewal process, so I
filed a trouble ticket with jumpdomain's support system. Nothing
happened, but hey, there was still a couple of months. On Dec 02, I
updated the trouble ticket pointing out that this needed to be fixed,
but still nothing. No response from jumpdomain, and elginwatches.org
was still "pending".
On Dec 8, I still had no response from jumpdomain, so I filed another
trouble ticket with a higher priority. On Dec 11, I got a 30-day
warning about my From jumpdomain that and I replied to that message,
filing another trouble ticket. Still no response.
Unfortunately, I was busy during the holidays and didn't file another
bug report until early Jan. A couple of days later, I notice that the
bug report hadn't shown up, so I filed another one on Jan 8, this time
marked as "urgent." I tried calling the Jumpdomain support line, even
though they said that for domain registration, I was only supposed to
use the web forms. Even during their limited support hours, I never
was able to reach anyone.
On Jan 10, I tried transferring my domains away from jumpdomain, but I am
unable to complete the transaction because I can't get the "auth codes".
Jumpdomain has no place on the their website to request them, and they
haven't responded to my request for them via their web support system.
I have continued to try and contact jumpdomain.com, but have still had
zero luck getting *any* response from them.
If he paid his taxes on $750K a month, he is doing more societal good than harm. I figure that'd be about 2.4M/year in federal taxes - more than 1000 average Joe's pay.
There is no way he is doing "society more good than harm". Just because he received $750k per month, doesn't mean he delivered $750k worth of products to people. That is a big part of the problem with spammers.
The cost to send email is *FAR* cheaper than the cost to receive it, even when you don't take into account the spam filters, the lost time spent deleting the spam, the lost email due to mistakes made by the spam filters, etc.
Actual, detailed analysis of the costs of spam is around $0.10-$1.00/spam. Yes, that is much higher than you might initially guess, but that is because so much of the cost is hidden and spread over so many different people involved with each spam. This person was costing society tens of millions of dollars per month, and "earning" only $750k.
Consider the fact that here in New Jersey, a Rapist gets out in 3 years with good behavior. (They don't even call it rape here, it's 'sexual assault')
His crime was not a violent one, he shouldn't go to jail for 9 years. He should have to pay an insane fine, and be barred from going online for 10-20 years and give him 10 years probation. If he violates any of this, throw him in jail.
Which is worse, hurting a huge number of people a little bit, or hurting one or a few people a huge amount?
Anyone who is on the internet has had to deal with the costs that these spammers shift onto you. It costs you in terms of your time, the cost of bandwidth, the cost of more email servers and email admins, lost email due to spam filtering, etc. There are also the people who lost money because the products they bought from the spammers either never arrived or weren't as advertised. Yeah, I've seen a lot of comments about "serves people right for buying from spammers", but blaming the victim of spammers is no different than blaming a rape victim for wearing the wrong clothes or being in the wrong part of town.
The world would be a whole heck of a lot better if billions of dollars per year didn't need to be spent on blocking spam. And no, there is no way that spammers can pay a huge fine. The amount of damage spammers cost society per dollar "earned" is far worse than the amount of damage people who break car windows to get coin change do.
9 years! That's an awful long time if you think about it. Especially for doing something that's pretty much being a mass annoyance.
Sure, spam, like most forms of theft, is really just annoying. Someone steals your car? Well, there is a whole bunch of paper work to go through, but eventually you will get a new car from your insurance company. Sure, a huge amount of money has to be poured into the system in order to make the car theft just an annoyance, but it isn't like anyone was really hurt.
The same thing goes for almost all white collar crime. Embezzlement, fraud, stock manipulation, they only cost money, which is just an annoyance.
Yeah, mail admins and anti-spammers have sunk a HUGE amount of time, effort and money into trying to reach the unattainable goal of 100% spam recognized and 0% ham rejected. And, when they do a really good job at it, people say things like "spam really isn't that much of a problem", and "my lost email is way more of a problem than spam".
If you add up all the money that 10 million spams/day costs, I think 9 years is pretty reasonable, if not on the short side. But then, I think a lot of white collar criminals get away with far too little jail time also.
Re:live performances vs. commercial product, on EZTree Shuts Down
Or are live performances automatically free of copyright?
Copyrights start when a creative work is fixed in a tangible medium. The person who fixes the work in the medium owns the copyright. So, the bootlegger owns the copyright to the recordings they make at a live performance.
Now, there are often also copyrights on the lyrics and music and the owner of those copyrights can control the public performance of those works. So, while the bootlegger of a live performance may own the copyrights on the recording they made, it would be a derivative work of the song's author. If the song is already in the public domain, there isn't a problem, but if not, the bootlegger will have to get permission to copy their recording. Similarly, the song's author would have to get the bootlegger's permission to copy the recording.
There are also generally restrictions about no recording at live events as part of the conditions of sale of the tickets. So, even if the bootlegger recorded a song that is in the public domain, they may well have broken their contract by making the recording and hence can't sell it.
demands money for a settlement, even though the amount is far less than the law allows.
notes that info about this case will not just disappear (google cache, etc).
outlines ways of catching spammers by creating effective traps that document the details rather than "just hitting delete".
Of course, as the article points out, none of this is actually illegal, even if it does make the victim look a bit less like a white knight.
Why does any of this make Mumma "look a bit less like a white knight"?
This is exactly what these anti-spam laws were intended to do. Get individual people and companies to enforce the law instead of making the police/government enforce the law. The penalties allowed in the law are high enough to make it worth people's time to fight the spammers.
Forcing people to opt-out is a horrible idea because it does not scale. You can not require everyone to opt-out of every company in the US, let alone the world. Worse, spammers would just create a new "company" every time you opt-out of another one.
We want more people suing spammers, of all sorts. We want more people acting like Mumma.
The strangest part of this whole affair is that spamming ultimately originates as a form of advertising. [...] Instead of complying, the company is now going to try to sue his pants off to show him who's boss. Supposing in some bizarro world they win, and are granted permission to keep sending him ads? [...]
The point the spammer is trying to make is not that they have the right to send Mumma spam, but that they have the right to send everyone spam. If they concede this case to Mumma, they open themselves up to everyone they have spammed to drop by and ask to pay either the fine or to settle. They can't afford to pay the penalties for what they are doing, and if they stop spamming, they would have to compete against legitimate travel agents.
Ok, I've seen lots of posts from people saying that certs are a rip off. Getting a cert from someone means that they trust you enough to accept money from you, and that is about it.
I've also seen a lots of posts from people saying that you can generate a self-signed cert for free. The problem with these self-signed certs is that you get a pop-up from your browser warning you that the cert isn't trusted.
It appears to me that cert.startcom.org is trying to do something different: They are handing out certs with them as the root authority and giving information about how to install their cert as acceptable by your browser. If enough people do this, then major browsers will "have" to start including startcom.org's certs in their distributions. Until that happens, you still get a reduced number of cert pop-ups because many different websites will be using the same "non standard" cert authority.
You will get all the cheapness of self-signed certs with all the security of a cert from verislime or thawte. After all, the only real security with regular certs is that the traffic between your browser and the website is encrypted.
"Slows the planet's rotation?" Please cite your source for THAT one, I'd love to see who came up with it.
Yes, tidal forces DO cause the earth's rotation to slow down.
The tidal forces created by the earth on the moon have slowed the rotation of the moon down to the point that we only see one side of the moon. That is, the moon rotates about once a month. Similarly, the tidal forces of the moon are slowing the earth's rotation down, and it will eventually reach about one rotation per month also. Assuming that the sun doesn't become a red giant first. And, speaking of the sun, there is also a tidal force from the sun that will eventually cause the earth to rotate once per year. I'm not sure how this conflict between the moon's and the sun's tidal forces works out.
Conservation of angular momentum means that the tidal forces are causing the moon to orbit the earth faster, and thus further away.
While all these tidal forces are very small and only add up over very long periods of time, they can be measured. In particular, things like variations of the amount of snow on mountains, the amount of water in man-made lakes, the force of hurricanes, and variations in the shape of the earth caused by earthquakes all add up to enough to cause the need for leap seconds.
Leap years keep the seasons from rotating through the calendar. Leap seconds keep the zenith of the sun ("noon") from rotating through the day. I forget the exact value, but there is something like an accumulated 20-30 seconds difference caused by these forces over the last 50 years, and therefore there have been 20-30 leap seconds added since then.
AMEN!
As someone who has recent scars (SPF, MARID) from dealing with the IETF, it is clear to me that they are no longer an engineering organization, but rather a highly political one. No longer is there much concern about adopting patent encumbered technology into key Internet protocols (MS SenderID) like they used to object to things like the RSA patents.
Instead, the IESG is actively working to push through this patented technology by shutting down the MARID WG so that they can advance the SenderID proposal without any public review. More over, the IESG has declared that it is ok for the SenderID spec to re-use SPF records in incompatible ways, that the SPF RFC must be held back until MS is ready ("to be fair to MS"), and the IESG is going to ignore the last 1.5 years of SPF deployment experience and start fresh with collecting data since MS has only recently started doing SenderID checking (again "to be fair to MS").
The IETF needs to take the "E" out of their name and become the Internet Political Task Force.
Would be a fair point if the "identity" of the spammers was static. But it is not; domain registration is automated and turnover is massive, sites lasting maybe a few hours. It's no coincidence that the biggest take-up of SPF has been amongst spammers.
Even with throw-away domains, an SPF pass will not help spammers. A domain that has no record of sending significant quantities of email and which has other spam indicators such as who their authoratative name servers are or their whois/registration information can have a negative reputation from the very start.
Again, I can understand spammers being stupid enough to think they need to get an SPF pass, but I can't understand MX logic claiming that this is in any way a problem.
Quite apart from which, even the proponents of SPF, when tackled head-on with hard questions (eg about how SPF deals with null envelope-sender (bounces)), will tell you that SPF is *not* a spam prevention mechanism.
Meng Wong once used the analogy of "SPF is an anti-spam system like flour is a food." SPF alone doesn't do much for you, but SPF plus reputations systems do stop spam. The "problem" with null envelope-froms is not a problem. SPF falls back to the HELO domain, since it is the MTA at the HELO domain that is generating the bounce.
DKIM lets domain owners "easily" sign all email coming from them as valid. DKIM does not do encryption or per-user authentication. PGP and S/MIME can do both encryption and per-user authentication, but it requires certs and public-key infrastructure (PKI) stuff that makes it much more complicated.
So, if you want to know if the email you received from ebay is legit, use DKIM (or SPF). If you want to know if the secret contract you are negotiating with is really from the CEO of ebay, use PGP (or S/MIME).
[links to stupid studies deleted]
MX logic does seem to quite grasp the concept that spammers identifying themselves as the true senders of the spam is a good thing, not a bad thing.
I know of no significant anti-spam product that uses SPF pass, by itself, in a way that makes the email less likely to be marked as spam. Every major anti-spam product that I know of uses the results of SPF pass checks to feed into reputation systems. If your domain has a good reputation and the email passes, then great, you are less likely to be marked as spam. If your domain has a bad reputation and the SPF check passes, then great, you are *MORE* likely to be marked as spam.
Spammers are stupid. They gain nothing from getting an SPF pass. Why folks like "MX logic" can't figure this out reflects poorly on them, not on SPF.
I like the concept of using cryptographic methods to protect the mail headers and body. I think that is the most promising approach. That said, crypto solutions like DomainKeys is not without problems.
Crypto solutions breaks on way too many mailing lists and more than a few email forwarders because content is often added (ads on the bottom) or changed (spam/virus filtering), and this breaks the crypto signatures.
Also, there is a real problem with replaying a message. You just can't distinguish a Yahoo customer sending a message to a large mailing list from a spammer who signs up with Yahoo, sends a message to themselves, and then redistributes that correctly signed email to their list of 50 million victims.
There are various ways to try to solve both of these problems, but none of the solutions are very clean and probably not very effective.
I think that if there was a nice, clean solution to the forged email problem, it would have been discovered many years ago.
I think the crypto solutions, and things like SPF (or DMP, or RMX, or any of the other LMAP-type solutions) can help each other out. SPF primarily fails on forwarded email, while the crypto solutions primarily fail on mailing lists. If all email uses both, it can help automate the detection of forwarders and mailing lists, and then you can know which system to use for each email.
DomainKeys is not the only crypto solution, there is also IIM, and META-signatures. I actually like the latter two better because I think they handle the problems with mailing lists better. Yahoo and Cisco have announced that they are merging DK and IIM into a single spec, but they haven't released the spec yet, and the details will be very important.
DomainKeys, like SenderID, has two other problems that could cause problems for the F/OSS world of email. First off, Yahoo has patents on DomainKeys and their license isn't (currently) compatible with much F/OSS software. I suspect that Y! will be much more willing to make changes to their license than MS was, but who knows. Secondly, like SenderID, it turns out that DomainKeys is already trademarked by someone else and this could cause lots of legal fun for the parties involved.
While both SPF and SenderID break on many forwarded emails, SenderID breaks on many mailing lists also. Moreover, one of the most promising solutions to the SPF forwarding problem (a specialized DNS server, as outlined in section 9.3.1.2 in the SPF spec) breaks when SenderID uses it.
So, SenderID is a patented system that is incompatible with many of the F/OSS mail servers that currently dominate the internet, it doesn't work as well as other technologies, it damages the use of SPF, and outside of MS, it is being used by almost no one.
If this was just a matter of hotmail and MSN hurting themselves, then I wouldn't have any problems with it. However, this appears to be a case of Microsoft working hard to hurt the entire internet email environment.
And, no, having the domain disabled for a long period of time doesn't help. There are several domains that are being used as spam traps nowadays after having been disabled for years.
One advantage of looking at the packets and the source of things like bind is that you will discover that (except in a few cases, like NXDOMAIN) the SOA record is not sent with the answer. Therefore, no matter what you might believe, it is impossible for most DNS caching software to depend on the SOA values.
Feel free to show me where in bind/djbdns/etc. this SOA cache dependency happens, or to show an actual test case. I would love to see it. Maybe there are DNS servers that do an extra query for the SOA record, but I kind of doubt it.
no problem...
What I meant was that if you don't bump the TTL, then your own nameserver, if you do a SIGHUP, won't show the changes, and you can set the TTL to whatever you want and it won't do a bit of good. Classic newbie mistake.
I'm pretty sure you meant to say that if you don't bump the serial number, not the TTL.
Also, while we're on the subject of TTLs, I think that our nameserver is actually set up to increase TTLs of less than 24 hours to 24 hours. I believe that's in an RFC or best practices guide I read somewhere.
Yes, RFC1033 and RFC1912 recommend a minimum TTL of one day, but that is just a recommendation. There are times when shorter TTLs are very important, for example many anti-spam DNSBLs have very short TTLs so that machines can be delisted quickly.
I can understand having minimum and maximum TTL values for caching purposes, but I think 1 hour is probably far more appropriate than 1 day. The bandwidth savings for a 1 day minimum isn't going to be very much but the problems caused could be fairly large.
I will ask you the same thing I asked the grandparent:
Can you point me to anywhere in RFC1034/RFC1035/RFC2308/etc that says that the SOA record has anything to do with the TTL?
I have read most of the DNS RFCs, and the important ones very closely. I have looked carefully at DNS packets and I am working on a proposed RFC that will create a new DNS record type (for SPF).
I don't know everything about DNS, so I'm always willing to learn more, but if you can't back up what you say with references to RFCs, I'm not going to believe you. Especially when you claim such bizarre things like a caching name server will know the serial number for all domain names that it has cached.
Ok, can you point me to anywhere in RFC1034/RFC1035/RFC2308/etc that says that the SOA record has anything to do with the TTL? The nTTL, yes, but not the TTL. Yeah, if they don't change the serial number, their secondary name servers will take a long time to expire (could be weeks), but again, this doesn't have anything to do with your claim that if the serial number doesn't change, then the TTL is ignored.
Have I just been trolled?
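The two separate things argued about in this exchange, whether the SOA serial was bumped (which governs whether secondaries pick up a change) and how long caches keep serving the old answer (which is governed only by the old record's TTL), as an added example that is not code from the thread; the zone data is a constructed, simplified record list rather than a real zone file.

```python
"""Constructed pre-reload check: did the zone change, was the SOA serial
bumped, and how long may resolvers still hold the old data?  Not from the
thread; zone contents are made up (example.test is a reserved name)."""
from typing import Dict, List, NamedTuple


class RR(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


def soa_serial(zone: List[RR]) -> int:
    """Serial is the third SOA rdata field: mname rname serial refresh retry expire minimum."""
    soa = [r for r in zone if r.rtype == "SOA"]
    if len(soa) != 1:
        raise ValueError("zone must have exactly one SOA record")
    return int(soa[0].rdata.split()[2])


def serial_increased(old: int, new: int) -> bool:
    """RFC 1982 serial number arithmetic: 32-bit values with wraparound.
    'new' is greater if it lies in the half-space ahead of 'old'."""
    return new != old and ((new - old) % 2**32) < 2**31


def check_zone_change(old: List[RR], new: List[RR]) -> Dict[str, object]:
    """Compare two versions of a zone.  Reports whether non-SOA records changed,
    whether the serial was bumped (so secondaries will transfer the new zone),
    and the worst-case time caches may still serve the *old* data.  Resolvers
    keep a record for the TTL they were handed with it; the serial never
    reaches them, so it has no bearing on that staleness window."""
    old_rrs = {r for r in old if r.rtype != "SOA"}
    new_rrs = {r for r in new if r.rtype != "SOA"}
    removed, added = old_rrs - new_rrs, new_rrs - old_rrs
    changed = bool(removed or added)
    bumped = serial_increased(soa_serial(old), soa_serial(new))
    # A cache that fetched a now-removed record just before the change keeps
    # it for that record's old TTL, regardless of the TTL in the new zone.
    stale_for = max((r.ttl for r in removed), default=0)
    return {
        "records_changed": changed,
        "serial_bumped": bumped,
        "needs_serial_bump": changed and not bumped,
        "caches_stale_up_to_seconds": stale_for,
    }


# Constructed sample: www moves to a new address, but the serial is forgotten.
SOA_RDATA = "ns1.example.test. hostmaster.example.test. 2005041101 7200 900 1209600 3600"
OLD_ZONE = [
    RR("example.test.", 3600, "SOA", SOA_RDATA),
    RR("www.example.test.", 86400, "A", "192.0.2.10"),
]
NEW_ZONE_FORGOT = [OLD_ZONE[0], RR("www.example.test.", 300, "A", "198.51.100.20")]
NEW_ZONE_OK = [
    RR("example.test.", 3600, "SOA", SOA_RDATA.replace("2005041101", "2005041102")),
    NEW_ZONE_FORGOT[1],
]
```

Even the corrected zone leaves the old address cached for up to the old 86400-second TTL, which is why lowering a TTL only helps if it is done one TTL period before the actual change.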
I used the Linux Advanced Routing & Traffic Control utilities to set up the split access stuff. This allowed me to send all packets from the old ISP back through their link, while packets from the new ISP went on the new link. I changed the DNS entries and then I monitored the traffic going through the old link. After one TTL period, almost all of my traffic was using the new link. The main exception was NTP clients, which run for a very long time and only do their DNS lookups on startup.
I run a (non-tech) website that is used by many people, and also the authoritative name server for a domain that gets a couple million lookups per day from tens of thousands of caching name servers. If there were widespread problems, I think I would have noticed it.
I'm not saying that there aren't a lot of really broken name servers out there, just that they don't appear to be rampant.
On the other hand, a website I developed for fun started using enough bandwidth to start costing me money. I added google ads a while back and I now get around 1.5-2% click through rate and it returns hundreds of dollars per month over its costs. I personally don't find text ads (like google) annoying and obviously many of my visitors think the ads are worth looking at. My friends who use adblocker don't even see the ads and I suspect that if everyone automatically used adblocker, not only would they not see ads that they are interested in, but I may well have taken down my website.
Actually, I really think that making money through ads is the WRONG way to pay for things. I would much rather have very small micro-payments from each visitor. The reason is very simple: I should be motivated to provide content that visitors feel is worth paying for, rather than content that other companies/people feel it is worth paying to advertise on.
For example, on one web page, I recommend using certain companies because I think they are good, and that web page ranks pretty high on google. How many advertisers would want to pay to get on that page? The current payment model encourages me to get rid of those recommendations.
Yes, I had the very same problem with jumpdomain and tucows. Jumpdomain changed my admin contact without notifying me and without my permission. I tried using their adminchange website, which says that you can get the admin contact for my domain changed back, but they require you to print out a form, and then scan it back in, and then email it. Unfortunately, the email address is just a bot that consistently says that you didn't give any attachments, even when you did!
I was eventually able to email "Paul Karkas" <pkarkas@tucows.com> with the attachments, and then just last week, my .com domain's admin contact was fixed. Any day now, GoDaddy will have control of all of my domains.
Truth is a 100% defense against charges of slander and libel. I can't speak for the submitter, but I am very willing to testify in court that almost the exact thing has happened with me and jumpdomain.
See this slashdot post for more details of my case.
I am *JUST* *NOW* managing to get my last five domains away from jumpdomain after a 6 month process. I'll post the messages I've sent at the end, but I'll give you a quick run down now.
- I tried contacting jumpdomain many times via many different methods, including email, filing problem reports and phoning. Every such attempt failed to reach a human. The problem reports were never responded to and eventually they were deleted.
- I have filed a complaint with internic earlier this year. It didn't do any good.
- The contact point for eNom on the internic website is an email address that now bounces and used to go into a black hole.
- I have *JUST* *TODAY* gotten good response to transfers@enom.com. Jason Cluphf was most helpful.
- I had problems contacting tucows also, but fortunately the domains that I registered via jumpdomain that ended up at tucows were all .com and .net, and there is a new rule that by default, the transfers have to go through. The domains that I had with jumpdomain/enom were .org domains.
Ok, the following is an email that I've sent in various forms to about a dozen different emails over the last 4 months.

To: matt@enom.com, transfers@enom.com, abuse@enom.com
Subject: I am having problems with your reseller, jumpdomain.com
From: wayne
Date: Mon, 11 Apr 2005 16:05:17 -0500
Message-ID:
Help!
I got your email address from http://www.internic.net/registrars/registrar-48.html
Your eNom reseller, jumpdomain.com, appears to have dropped off the face of the earth. I have been using jumpdomain.com since the mid 90's, but now I'm having big problems with them.
I need auth codes to transfer the following domains: elgin-watches.org elginwatch.org libspf2.org trusted-forwarder.org
This is the second time this year I've tried to transfer these domains away from you and your reseller. The last time, I not only didn't get any response from your reseller, but I didn't get any response from you and the transfer timed out.
I *WAS* able to transfer my .com domains away from you last January because when you didn't respond, the transfer went through by default. Unfortunately, there is no such policy for .org domains (yet).
*** PLEASE DO SOMETHING ***
On Oct 2, 2004, I renewed several domains, including elginwatches.org. All the other domains went through fine, but elginwatches.org remained in a "Pending" status. I didn't notice this until late Oct, but that wasn't a problem; elginwatches.org didn't come up for renewal until Jan 11, 2005.
On Nov 10, the domain still hadn't finished the renewal process, so I filed a trouble ticket with jumpdomain's support system. Nothing happened, but hey, there was still a couple of months. On Dec 02, I updated the trouble ticket pointing out that this needed to be fixed, but still nothing. No response from jumpdomain, and elginwatches.org was still "pending".
On Dec 8, I still had no response from jumpdomain, so I filed another trouble ticket with a higher priority. On Dec 11, I got a 30-day warning about my domain from jumpdomain, and I replied to that message, filing another trouble ticket. Still no response.
Unfortunately, I was busy during the holidays and didn't file another bug report until early Jan. A couple of days later, I noticed that the bug report hadn't shown up, so I filed another one on Jan 8, this time marked as "urgent." I tried calling the Jumpdomain support line, even though they said that for domain registration, I was only supposed to use the web forms. Even during their limited support hours, I never was able to reach anyone.
On Jan 10, I tried transferring my domains away from jumpdomain, but I am unable to complete the transaction because I can't get the "auth codes". Jumpdomain has no place on their website to request them, and they haven't responded to my request for them via their web support system.
I have continued to try and contact jumpdomain.com, but have still had zero luck getting *any* response from them.
There is no way he is doing "society more good than harm". Just because he received $750k per month, doesn't mean he delivered $750k worth of products to people. That is a big part of the problem with spammers.
The cost to send email is *FAR* cheaper than the cost to receive it, even when you don't take into account the spam filters, the lost time spent deleting the spam, the lost email due to mistakes made by the spam filters, etc.
Actual, detailed analyses of the costs of spam come out around $0.10-$1.00/spam. Yes, that is much higher than you might initially guess, but that is because so much of the cost is hidden and spread over so many different people involved with each spam. This person was costing society tens of millions of dollars per month, and "earning" only $750k.
Consider the fact that here in New Jersey, a Rapist gets out in 3 years with good behavior. (They don't even call it rape here, it's 'sexual assault')
His crime was not a violent one, he shouldn't go to jail for 9 years. He should have to pay an insane fine, and be barred from going online for 10-20 years and give him 10 years probation. If he violates any of this, throw him in jail.
Which is worse, hurting a huge number of people a little bit, or hurting one or a few people a huge amount?
Anyone who is on the internet has had to deal with the costs that these spammers shift onto you. It costs you in terms of your time, the cost of bandwidth, the cost of more email servers and email admins, lost email due to spam filtering, etc. There are also the people who lost money because the products they bought from the spammers either never arrived or weren't as advertised. Yeah, I've seen a lot of comments about "serves people right for buying from spammers", but blaming the victim of spammers is no different than blaming a rape victim for wearing the wrong clothes or being in the wrong part of town.
The world would be a whole heck of a lot better if billions of dollars per year didn't need to be spent on blocking spam. And no, there is no way that spammers can pay a huge fine. The amount of damage spammers cost society per dollar "earned" is far worse than the amount of damage people who break car windows to get coin change do.
Sure, spam, like most forms of theft, is really just annoying. Someone steals your car? Well, there is a whole bunch of paper work to go through, but eventually you will get a new car from your insurance company. Sure, a huge amount of money has to be poured into the system in order to make the car theft just an annoyance, but it isn't like anyone was really hurt.
The same thing goes for almost all white collar crime. Embezzlement, fraud, stock manipulation, they only cost money, which is just an annoyance.
Yeah, mail admins and anti-spammers have sunk a HUGE amount of time, effort and money into trying to reach the unattainable goal of 100% spam recognized and 0% ham rejected. And, when they do a really good job at it, people say things like "spam really isn't that much of a problem", and "my lost email is way more of a problem than spam".
If you add up all the money that 10 million spams/day costs, I think 9 years is pretty reasonable, if not on the short side. But then, I think a lot of white collar criminals get away with far too little jail time also.
Copyrights start when a creative work is fixed in a tangible medium. The person who fixes the work in the medium owns the copyright. So, the bootlegger owns the copyright to the recordings they make at a live performance.
Now, there are often also copyrights on the lyrics and music and the owner of those copyrights can control the public performance of those works. So, while the bootlegger of a live performance may own the copyrights on the recording they made, it would be a derivative work of the song's author. If the song is already in the public domain, there isn't a problem, but if not, the bootlegger will have to get permission to copy their recording. Similarly, the song's author would have to get the bootlegger's permission to copy the recording.
There are also generally restrictions about no recording at live events as part of the conditions of sale of the tickets. So, even if the bootlegger recorded a song that is in the public domain, they may well have broken their contract by making the recording and hence can't sell it.
copyrights are so much fun.
[paraphrasing]
Of course, as the article points out, none of this is actually illegal, even if it does make the victim look a bit less like a white knight.
Why does any of this make Mumma "look a bit less like a white knight"?
This is exactly what these anti-spam laws were intended to do. Get individual people and companies to enforce the law instead of making the police/government enforce the law. The penalties allowed in the law are high enough to make it worth people's time to fight the spammers.
Forcing people to opt-out is a horrible idea because it does not scale. You can not require everyone to opt-out of every company in the US, let alone the world. Worse, spammers would just create a new "company" every time you opt-out of another one.
We want more people suing spammers, of all sorts. We want more people acting like Mumma.
The strangest part of this whole affair is that spamming ultimately originates as a form of advertising. [...] Instead of complying, the company is now going to try to sue his pants off to show him who's boss. Supposing in some bizarro world they win, and are granted permission to keep sending him ads? [...]
The point the spammer is trying to make is not that they have the right to send Mumma spam, but that they have the right to send everyone spam. If they concede this case to Mumma, they open themselves up to everyone they have spammed to drop by and ask to pay either the fine or to settle. They can't afford to pay the penalties for what they are doing, and if they stop spamming, they would have to compete against legitimate travel agents.

Given their respective track records, I trust startcom.org far more than verislime. I would probably trust identitythieves.ru more than verislime.
Really, who do you think verislime would refuse money from and deny giving them a cert?
I've also seen a lot of posts from people saying that you can generate a self-signed cert for free. The problem with these self-signed certs is that you get a pop-up from your browser warning you that the cert isn't trusted.
It appears to me that cert.startcom.org is trying to do something different: They are handing out certs with them as the root authority and giving information about how to install their cert as acceptable by your browser. If enough people do this, then major browsers will "have" to start including startcom.org's certs in their distributions. Until that happens, you still get a reduced number of cert pop-ups because many different websites will be using the same "non standard" cert authority.
You will get all the cheapness of self-signed certs with all the security of a cert from verislime or thawte. After all, the only real security with regular certs is that the traffic between your browser and the website is encrypted.
Yes, tidal forces DO cause the earth's rotation to slow down.
The tidal forces created by the earth on the moon have slowed the rotation of the moon down to the point that we only see one side of the moon. That is, the moon rotates about once a month. Similarly, the tidal forces of the moon are slowing the earth's rotation down, and it will eventually reach about one rotation per month also. Assuming that the sun doesn't become a red giant first. And, speaking of the sun, there is also a tidal force from the sun that will eventually cause the earth to rotate once per year. I'm not sure how this conflict between the moon's and the sun's tidal forces works out.
Conservation of angular momentum means that the tidal forces are causing the moon to orbit the earth faster, and thus further away.
While all these tidal forces are very small and only add up over very long periods of time, they can be measured. In particular, things like variations in the amount of snow on mountains, the amount of water in man-made lakes, the force of hurricanes, and variations in the shape of the earth caused by earthquakes all add up to enough to cause the need for leap seconds.
Leap years keep the seasons from rotating through the calendar. Leap seconds keep the zenith of the sun ("noon") from rotating through the day. I forget the exact value, but there is something like an accumulated 20-30 seconds difference caused by these forces over the last 50 years, and therefore there have been 20-30 leap seconds added since then.