Port 25 is not the port you should be using to submit mail through a 3rd party outgoing mail service. Use the message submission service, which is SMTPS compatible running over port 587. M$ Outlook even supports it (just put in port 587). If your 3rd party mail provider does not support this, then they are behind the times.
It seems didtheyreadit.com is looking at the same thing with a different view in mind. Their new domain name is: isyourrecipienttotallyignorantaboutsecurity.com.
Be conservative in what you produce; be liberal in what you accept.
Well, sticking strictly to a standard... and the minimal standard that accomplishes your goals... would be considered conservative in what you produce. And a browser accepting deviations, even extreme ones, from the standard, would be considered liberal in what you accept. The real issue is that IE won't be accepting the newest standards for quite some time, and Microsoft will be forcing an OS upgrade to get a browser upgrade.
Go back to old standards if you want. You'll be going there without the bulk of the world, the clueless people, the corporate CEOs, the spammers, the...
In most cases, web sites developed with Microsoft tools render better on NS4 than sites developed strictly to "web standards". Part of the problem, though, is that the "web standards" movement isn't just about improving things; it's also about abandoning things. That is, they espouse that new designs should intentionally stop using older ways of doing things so that pages look like crap on older browsers to force people to upgrade so they can see all the glitz of the new page designs under the new standards. But along the way they forgot that such upgrades also require upgrading the operating system and hardware (CPU and memory). The culprit is not the goal of the web designers (the goal to improve is good), but rather, it is that they are keeping their eyes closed to the problem of sloppy programming that results in browsers with twice the functionality, but which require 10 times the CPU and 20 or more times the memory just to work.
Until people make better browsers that aren't 20 times as obese and 10 times slower for 2 times the functionality, maybe I'll start using something beyond NS4, and start designing sites without trying to be compatible with NS3, NS4, IE4, etc.
The really sad part of this is that some scammer now has a really excellent work of art. It will probably sell for several million pounds in a couple hundred years. That would be about the price of a cup of coffee.
I think it is coincidence. The level of spam is still on the rise. And I have gotten much via Spain and Telefonica.es, and have found there is rampant incompetency there (in Telefonica, not Spain). The fact that one ISP is so large in Spain probably is the reason there is so much impact. That might also be why it has been delayed so long (I've blocked Telefonica.es for over a year, now).
If you are in Spain, and speak the language, then you are in a better position than I am to get the problem corrected. Maybe Telefonica will respond now that they are blocked on a larger scale? Maybe it takes actually getting blocked for top level management to realize there is a problem? Will they respond now? Why don't you call up the top management at Telefonica and explain it to them?
I have gotten much spam from both countries. But it's not the spam by itself that usually gets ISPs and countries blocked; it's the way they handle it. If they never respond, or respond showing incompetency, they will soon get blocked. And I always add a note: If there are too many complaints to respond to, that shows you are running your network incompetently and you will get blocked.
So organize the protest in front of the Telefonica offices, with people marching up and down the street, carrying signs demanding the replacement of all managers with people who are competent.
They are definitely incompetent. Over a year ago, when I started blocking them on my network, I actually got a response from them once the blocking started. The person who did respond at first asked why they were being blocked. It seems he had never even heard of spam. He had heard of SMTP, but had no idea how it worked. He could not read RFC822 headers correctly, though. Also, he had no idea how DNS even played a role in email. When I finally got fed up with him (that didn't take long) I asked him to forward email to the person who actually administered the mail servers. He said he was that person.
I didn't respond at that point, but I wonder what would have happened had I responded, and had I told him "You are an incompetent bastard, and should ask your manager to fire you immediately, and to find someone who knows what they are doing and hire them to replace your sorry ass". But by then it was obvious that he wasn't really the problem there; it was the management.
The problem with your theory is that management, and the recruiters they hire, just don't know how to differentiate between the mediocre and the excellent. All the terminology and buzzwords on the resume mean nothing to them (they pretend it does because they've seen those words before). And everyone is selling themselves... though the mediocre are doing that more (because their skills are shifted more to the social interaction than the technical). And even when they do manage to get someone who is an excellent designer or coder, management too often doesn't like them personally and socially. A few are social outcasts and prima donnas. But most aren't, yet managers don't like them anyway because they don't fit into the same social circles managers are accustomed to. It's fundamentally a bias on lifestyles.
The solution is to stop all the production of mediocre people. Direct them to some other profession, like retail sales, where they might do better. That will correct the problems of business managers who are unable to differentiate. Shutting down the low end schools will be a big start. Educators whining about a shortage of high tech people need to be silenced (e.g. tell them to STFU).
Just have a fake password ready. Some day, maybe even today, someone may offer you that bar of chocolate, or a night of hot wet sex, in exchange for your password. By making up one now, and memorizing it every day, you can answer instantly when asked, and that will make it sound so real. Hint: include upper and lower case letters, digits, and maybe even some punctuation. That way it will sound secure and more valuable.
Just be sure you don't get fake chocolate, fake sex, or whatever.
Lots of spam comes from lots of places. America is probably the biggest source of spam, and Florida is probably the biggest source within America. Part of the problem of this is because there is a mentality among lots of business people, and politicians that run the country, that the prime purpose government is here to support is business, with people just being a source of labor to support business. While spam programs from other countries are a genuine problem, too, American politicians tend to think it is only from there. They think that if an American business sends a spam run of 500 million messages, then that's just doing business and should be allowed.
Even the link to the site isn't perfectly real. If it comes to pass that people start DoS-ing the sites mentioned in spam, then spammers will start to put sites in there which are not their own, to get people to DoS other sites, like maybe some anti-spam site. The only piece of information you can really trust is the IP address your (ISP's) mail server had the SMTP session with to get the mail from, and the reverse DNS name only if the forward lookup returns a matching IP address. Everything else is under the sender's control.
Given that many spammers are using exploited home computers to send spam, and they use a wide variety of them to send each spam run, simply DoS-ing the source of the spam won't be very effective because very few people will actually be getting the spam from any one location. I call this technique "exploit balancing". Sending only one email every few minutes from an exploited machine (possible to do if you have control of enough machines) reduces the chance that machine would be discovered as exploited, or that an ISP doing email rate throttling would notice.
What I think really sucks is that the spammers have made it difficult for me to do my mail, even when I go about things the right way.
You have to distinguish yourself from the spammers in some way. And you have to do this while spammers are trying to make their mail look as legit as they can.
Spammers have made a lot of things difficult. They make running mail servers difficult, too. That's why I and lots of other people believe no ISP should choose to allow spammers on their network. That's why I and lots of other people choose to refuse email from any address in those ISPs that do choose to host spammers so that maybe they will lose legitimate customers and go out of business, or maybe see the light (on the financial sheets) and kick out the spammers and go clean. That's why I and lots of other people use the broad brush when blocking spammers.
Does anyone else find having entire Cybercafes blacklisted by anti-spam filters a bit worrying?
I find that having to accept mass quantities of spam from cybercafes more than a bit worrying.
So you figured out that the blocking is based on the IP address. Of course it is. If you make direct SMTP connections, it's going to be blocked from zillions (well, realistically, a few myriads... that's tens of thousands) of networks around the world. If you submit your mail via web pages on some free mail sites, such as Hotmail, you can still end up getting blocked by some of those networks because they scan the headers and look for the HTTP client IP address that the sites add on. Most don't go this far, but many definitely do that (I don't for free mail sites that are working to fight spam being submitted through their service).
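The two points made above (the only address you observed yourself is the one your own MX spoke SMTP with, its reverse name usable only when the forward lookup confirms it; and, for webmail submissions, scanning the client address the service adds) worked through as an added example. This is not code from any of the posts. The MX host names, the webmail relay address, the `X-Originating-IP` header name, the DNS stub and the three sample messages are all constructed for the example, so it runs offline.

```python
"""Added example: pick the one address in a received message we can believe.

Only the IP our own MX spoke SMTP with was observed by us.  Its rDNS name is
kept only if the forward lookup maps back to that IP (forward-confirmed).
Everything below our own Received: line, and the From:, is sender-written.
All names, addresses and headers here are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import Callable, Iterable, Optional, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]               # name -> forward addresses

OUR_MX_HOSTS = {"mx1.example.net", "mx2.example.net"}    # assumption: hosts we run
WEBMAIL_CLIENT_HEADER = "X-Originating-IP"               # assumed header name
WEBMAIL_RELAYS = {ipaddress.ip_address("203.0.113.10")}  # assumed webmail MX

# "from HELO (rdns [ip]) by host" as common MTAs write it; rdns may be empty.
_RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def _parse_ip(text: str) -> Optional[IPAddr]:
    text = text.strip().strip("[]")
    if text.upper().startswith("IPV6:"):
        text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def connecting_peer(msg: Message) -> Optional[Tuple[IPAddr, Optional[str]]]:
    """(ip, claimed rdns) from the first Received: line our own MX wrote.

    Received: lines are read top-down, newest first.  Our MX prepends its
    own line, so the first one "by" us is genuine; a forged line lower in
    the chain that also says "by mx1.example.net" is never reached.
    """
    for value in msg.get_all("Received", []):
        m = _RECEIVED.search(" ".join(str(value).split()))
        if not m or m.group("by").lower().rstrip(".") not in OUR_MX_HOSTS:
            continue
        ip = _parse_ip(m.group("ip"))
        if ip is None:
            return None
        rdns = m.group("rdns").lower().rstrip(".") or None
        return ip, (None if rdns == "unknown" else rdns)
    return None


def confirmed_rdns(ip: IPAddr, rdns: Optional[str], resolve: Resolver) -> Optional[str]:
    """Keep the reverse name only if its forward lookup maps back to ip."""
    if rdns is None:
        return None
    return rdns if ip in {_parse_ip(a) for a in resolve(rdns)} else None


def webmail_client_ip(msg: Message, peer: IPAddr) -> Optional[IPAddr]:
    """Client address added by a known webmail MX; ignored for any other
    peer, since anyone can add a header with that name."""
    if peer not in WEBMAIL_RELAYS:
        return None
    value = msg.get(WEBMAIL_CLIENT_HEADER)
    return _parse_ip(value) if value else None


def classify(raw: str, resolve: Resolver, blocklist: Set[IPAddr]) -> dict:
    msg = message_from_string(raw)
    peer = connecting_peer(msg)
    if peer is None:                 # nothing we wrote ourselves: untrusted
        return {"ip": None, "rdns": None, "client": None, "blocked": True}
    ip, claimed = peer
    client = webmail_client_ip(msg, ip)
    return {"ip": ip, "rdns": confirmed_rdns(ip, claimed, resolve),
            "client": client, "blocked": ip in blocklist or client in blocklist}


# --- constructed sample data ------------------------------------------------
STUB_DNS = {"mx.partner.example": ["192.0.2.25"],
            "mail.example.org": ["192.0.2.99"]}    # does not map back to 198.51.100.7


def stub_resolve(name: str) -> Iterable[str]:
    return STUB_DNS.get(name.lower(), [])


BLOCKLIST = {ipaddress.ip_address("198.51.100.7")}

# Spam source: forged From:, forged second Received: line claiming to be ours.
SPAM = """\
Received: from friend.example.org (mail.example.org [198.51.100.7])
\tby mx1.example.net with ESMTP id a1; Tue, 4 May 2004 10:00:00 +0000
Received: from mx.partner.example (mx.partner.example [192.0.2.25])
\tby mx1.example.net with ESMTP id forged; Tue, 4 May 2004 09:59:00 +0000
From: friend@example.org

hi
"""
HAM = """\
Received: from mx.partner.example (mx.partner.example [192.0.2.25])
\tby mx2.example.net with ESMTP id b2; Tue, 4 May 2004 10:01:00 +0000
From: someone@partner.example

hi
"""
# Submitted through the webmail provider from a blocklisted client address.
WEBMAIL = """\
Received: from webmail.example.com (webmail.example.com [203.0.113.10])
\tby mx1.example.net with ESMTP id c3; Tue, 4 May 2004 10:02:00 +0000
X-Originating-IP: [198.51.100.7]
From: user@example.com

hi
"""
```

`classify(SPAM, ...)` reports the real source 198.51.100.7 with no usable rDNS (the claimed name resolves elsewhere) and blocks it, ignoring both the forged lower Received: line and the friendly From:; `classify(HAM, ...)` keeps the forward-confirmed name `mx.partner.example`; `classify(WEBMAIL, ...)` passes the relay itself but blocks on the client address it reported. Whether to act on that last header at all is exactly the judgement call described in the post: it is only as trustworthy as the provider that added it.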
E-mails sent from Hotmail accounts are immune to spam-filters, but not from Freeserve accounts.
That's not entirely true, but since Hotmail does make a big effort to stop submitted spam abuse, very few networks are checking its headers for blacklisted IPs. Hotmail is therefore more usable. Perhaps Freeserve isn't doing as well as Hotmail. I don't scan either of them for blacklisted client IPs at this point.
Do all spam-rejecting filters give out an automated rejection-reply? If not, then I won't know that my e-mail has been rejected by an anti-spam filter, and I won't try to mail it again from my Hotmail account or another place with Internet access.
Some do, some don't, and some have limitations. Because of the fact that spammers are using forged sender/from address in their mail so much, it has become necessary to avoid bounce back messages. Many networks (including mine) do block networks that bounce spam to forged addresses (they are just as much a part of the problem as open relays, open proxies, and infected always-on home machines). Some networks solve the problem by ensuring that all spam checking is done during the SMTP session so it can be rejected by a 5XX response code, instead of sending back (to the forged address) a bounce message (this is the strategy I use). Some others who can't make that happen in all cases (because of their unfortunate choice of mail server software) might change things so the bounces are simply not sent (these are the cases where you won't know to retry another way). This is one of the advantages of block-by-IP (which I do) as opposed to block-by-content (which I do not do)... it happens at SMTP session time, and you get a rejection (which if you connected directly should result in your mail program leaving you a failure notice of some kind).
Be aware of this crucial point. My objective (and that for many network operators) is more about reducing the spam attempt workload for my network and servers, rather than reducing the exposure of the messages to human eyes and the excessive wear and tear on the "D" or "Delete" keys. Blocking the sources of spam does not eliminate the costs... it only reduces it to about 1/4 of what it otherwise would be. But I still see an average of 2 to 3 SMTP connection attempts that turn out to be blocked as probable spam... per second. Sometimes the peaks go over 100 (and the mail server bogs down briefly when that happens). What that means is I can't really cut the costs any further without also breaking the ability to override that blocking for specifically whitelisted email addresses (e.g. if I block at the packet level, I won't establish the SMTP connection at all, and won't know what the sender/from email address is to use that to check the whitelist database). So that means spam fighting has to go to the next level to further get it reduced, and that means doing stuff like blocking whole cafes, and large chunks or entire ISPs, to "encourage" them to do something to stop
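The strategy in the two posts above (reject in-session with a 5XX rather than accept-and-bounce, and keep the SMTP session open long enough to see MAIL FROM so a whitelisted sender can override an IP block, which a packet-level drop can never do) as an added example. This is not code from any of the posts; the host name, the blocklisted range, the whitelisted sender and the scripted dialogue are constructed.

```python
"""Added example: an SMTP policy that refuses a blocklisted client inside the
session, at MAIL FROM, with a 5xx reply.  The client is not dropped at the
packet level, because then the envelope sender is never seen and the
whitelist cannot be consulted.  Nothing refused this way is ever bounced.
Names, addresses and the dialogue below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _envelope_address(arg: str) -> str:
    """'FROM:<a@b>' or 'TO:<a@b>' -> 'a@b', lower-cased."""
    _, _, rest = arg.partition(":")
    return rest.strip().strip("<>").lower()


class SmtpPolicy:
    """One SMTP session with the minimal command set needed to show where
    the decision is taken and what it looks like to the client."""

    def __init__(self, client_ip: str, blocklist: Iterable[IPNet], whitelist: Iterable[str]):
        self.ip = ipaddress.ip_address(client_ip)
        self.listed = any(self.ip in net for net in blocklist)
        self.whitelist = {a.lower() for a in whitelist}
        self.helo = False
        self.sender: Optional[str] = None
        self.rcpts: List[str] = []
        self.in_data = False
        self.body: List[str] = []
        self.queued: List[Tuple[str, List[str], str]] = []   # what we really accept

    def greet(self) -> str:
        # Even a blocklisted client gets the banner: we need its MAIL FROM.
        return "220 mx1.example.net ESMTP"

    def handle(self, line: str) -> Optional[str]:
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.queued.append((self.sender, self.rcpts, "\n".join(self.body)))
                self.sender, self.rcpts, self.body = None, [], []
                return "250 2.0.0 Ok: queued"
            self.body.append(line)
            return None                       # no reply while receiving DATA
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = True
            return "250 mx1.example.net"
        if verb == "MAIL":
            if not self.helo:
                return "503 5.5.1 Error: send HELO/EHLO first"
            sender = _envelope_address(arg)
            if self.listed and sender not in self.whitelist:
                # The decision point: refused here, in-session, so no bounce
                # will ever be generated to this (possibly forged) sender.
                return f"554 5.7.1 Service unavailable; client [{self.ip}] blocked"
            self.sender = sender
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            self.rcpts.append(_envelope_address(arg))
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def run_session(client_ip: str, script: List[str], blocklist: Iterable[IPNet],
                whitelist: Iterable[str]) -> Tuple[List[str], SmtpPolicy]:
    """Drive a scripted client through the policy.  Like a well-behaved
    client, stop sending after the first permanent (5xx) reply."""
    policy = SmtpPolicy(client_ip, blocklist, whitelist)
    replies = [policy.greet()]
    for line in script:
        reply = policy.handle(line)
        if reply is not None:
            replies.append(reply)
            if reply.startswith("5"):
                break
    return replies, policy


# --- constructed sample data ------------------------------------------------
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]   # a whole cafe or ISP chunk
WHITELIST = ["partner@example.org"]                      # allowed through regardless


def script(sender: str) -> List[str]:
    return ["EHLO client.example", f"MAIL FROM:<{sender}>",
            "RCPT TO:<me@example.net>", "DATA",
            "Subject: hello", "", "body text", ".", "QUIT"]
```

A blocklisted client sending as `forged@victim.example` gets `554 5.7.1 ...` straight after MAIL FROM and nothing is queued, so `victim.example` never receives a bounce; the same client sending as the whitelisted `partner@example.org` is accepted; an unlisted client is accepted as usual. The cost the post describes is visible too: every listed client still costs a TCP connection, a banner and two commands before it is turned away.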
Being unable to send e-mail from the application of my choice would not make for any of my repeat business at said cafe.
So, they leave it wide open, spammers infiltrate, the address space gets blacklisted, and now you come in and use the "application of your choice" and voila, you are unable to send mail. Duh!
What cheesy ass application are you using, anyway, that can't be configured to use a specified mail server?
If you're using SMTP-Auth, presumably that means you are injecting mail into the outbound server for your email address. So why aren't they using MSA (which is essentially SMTP-Auth over a port designated for mail submission only)?
Another option is for email volume throttling. By feeding the SMTP (to various MX port 25 hosts around the world) through a specific server that watches the volume, you can at least limit the damage by limiting the number of messages going out. Intercept each connection and tarpit them at a rate such that no more than 1 connection is passed on per N seconds (such as 1 per 120 seconds as an example). And if you can track IP address to account (e.g. the account used to access services at the cafe), you can set this limit per account. That should be a reasonable compromise if the cafe wants to allow direct SMTP out for customers that don't abuse the net, while discouraging the spammers from coming back.
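The throttling proposal above as an added example, not code from the post: a per-account tarpit that passes on at most one outbound port-25 connection per N seconds, with the account found from the cafe's IP-to-login table. The lease table, the 120-second interval and the backlog cap are constructed for the example; the cap is an addition the post does not mention, included because a tarpit that holds connections without limit is itself a resource a spammer can exhaust.

```python
"""Added example: per-account throttling of outbound SMTP connections.

Each connection is held (tarpitted) until the account's next slot comes
round, so at most one connection per `interval` seconds is passed on per
account.  `max_backlog` bounds how many held connections an account may
have at once; beyond that the connection is refused outright instead of
being held.  The lease table and parameters are constructed for the example.
"""
from __future__ import annotations

import math
from typing import Dict, Optional, Tuple


class OutboundThrottle:
    def __init__(self, interval: float = 120.0, max_backlog: int = 5):
        self.interval = float(interval)      # seconds between passed-on connections
        self.max_backlog = max_backlog       # held connections allowed per account
        self._next_slot: Dict[str, float] = {}

    def admit(self, account: str, now: float) -> Optional[float]:
        """Seconds to hold this connection before passing it on, or None if
        the account already has max_backlog connections waiting and this one
        should be refused immediately (e.g. with a 421 to the client)."""
        slot = max(now, self._next_slot.get(account, now))
        delay = slot - now
        if math.ceil(delay / self.interval) >= self.max_backlog:
            return None                      # refused; next slot is unchanged
        self._next_slot[account] = slot + self.interval
        return delay

    def pending(self, account: str, now: float) -> int:
        """How many connections are currently held for the account."""
        return math.ceil(max(0.0, self._next_slot.get(account, now) - now) / self.interval)


def account_for(client_ip: str, leases: Dict[str, str]) -> str:
    """Map the client's LAN address to the account logged in at the cafe.
    An address with no known login gets its own per-IP bucket instead."""
    return leases.get(client_ip, f"ip:{client_ip}")


def decide(throttle: OutboundThrottle, leases: Dict[str, str],
           client_ip: str, now: float) -> Tuple[str, Optional[float]]:
    """One outbound connection attempt: (account, delay) or (account, None)."""
    account = account_for(client_ip, leases)
    return account, throttle.admit(account, now)


# --- constructed sample data ------------------------------------------------
LEASES = {"10.0.0.21": "alice", "10.0.0.22": "bob"}


def simulate(events, interval: float = 120.0, max_backlog: int = 3):
    """Run a list of (time, client_ip) attempts; return (account, delay) each."""
    throttle = OutboundThrottle(interval, max_backlog)
    return [decide(throttle, LEASES, ip, t) for t, ip in events]
```

With a 120-second interval and a backlog of three, `simulate([(0, "10.0.0.21"), (1, "10.0.0.21"), (2, "10.0.0.21"), (3, "10.0.0.21"), (3, "10.0.0.22")])` passes Alice's first connection at once, holds her second for 119 s and her third for 238 s, refuses her fourth, and passes Bob's immediately: a customer sending a few messages an hour never notices, while a spam run from the same seat is squeezed to thirty messages an hour at best. The limit is on connections rather than messages, so a client that opens one connection and sends many RCPT TO lines needs a per-recipient count as well.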
However, that process of getting the program directly from the development web site, while very cool from a geek perspective, is totally uncool in a business environment, where management is already reluctant about shifting from the model of buying everything from a vendor in the northwest, to buying/downloading things from scattered vendors and non-vendor developers. The way things have to work is that every application the end users are authorized to run on the office computers is already installed on the central servers, and things are set up so the usual way to run programs (e.g. find icon and click or type in simple program name) gets them only from those central servers. Of course, someone could run some program they personally download from the net. But the objective is that whatever means they are trained to use to start a program will always result in the correct program being run, which is the program the system administrator has installed for them to run (and presumably vetted for security and suitability for the business purposes).
For Linux to make its way into business offices, geek coolness is not going to help. The goals are different, there. It has to be cool in the way management sees it, and that requires that they have control over what is done by a set of users that are relatively unsophisticated. A diskless desktop/workstation which mounts /usr via NFS from a file server can do this, but has some drawbacks, too. Linux caches the NFS data a little bit, but not enough. A system that replicates applications which are actually being used over to a ramfs/tmpfs filesystem on the user's desktop would be nice to have. That's why Zero-Install looked interesting. But doing this transparently would be way better. Asking the user to drag the application into a folder (which happens to be tmpfs running in RAM on that diskless machine) is not the answer. What's needed is something that effectively makes it happen without the user having to know (even if this means using a front end starter script for each application).
Anyway, Zero-Install looks like it could do things like a business needs, but what is needed is for it to really say that it does those specific detailed things that are needed. People doing evaluations do not have the time to dig deep into each possible tool; they need to see up front enough information to let them move that tool to their short list, and from there dig further to make sure it really will do as it says. That means one simple web page describing the features that are relevant to business needs (even if it is a different page than the one that geeks would be attracted to it for).
Yes, users can do that. But why would they? The issue isn't about what location they choose to get code from to run, but rather, what location the code does come from when they run it thinking it's just something local. In other words I want to be certain that no security exposures exist that the user didn't cause themselves (if they do cause one, that's dealt with in other ways). So basically that means all apps must come from the local LAN servers, only, just as if they had run them on a machine that had /usr mounted from a master file server, or maybe even / itself (diskless workstations).
My plan is to actually have each desktop be diskless, and boot from either CDROM or network, and access all file space over the network. Caching recently used applications would be the speedup. Whether that is via NFS caching in RAM, or loading applications into a tmpfs filesystem or something else, is the question.
I access WHOIS data about 50 to 100 times a day most days while dealing with spam issues. I sure as hell won't be paying a dollar a hit to access it. It's problematic with a small few domains with bogus info, but your idea will make it totally unusable for me.
Correcting the spam problem does not involve hiding email addresses from spammers. If they don't get it from WHOIS, they'll get most of them, eventually, from somewhere else, anyway. The real solution to the spam problem is to split the internet into two parts, one where all the spam is, and one where none is, and only let the non-spammers come over to the good side.
Oh wait, I already hear the echoes of whines that splitting the internet into the spam and clean parts will result in net fragmenting. Well, duh!
The link you gave is bad. There is a DNS lookup failure. Maybe you meant to link here instead.
You've surely heard the axiom:
... oh wait
... wait for me!
It is Microsoft that is trying to make the future exit.
That bluetooth mouse just cracks me up!
Here is a sampling of a few of the thousands of patents issued on 4 May 2004:
Your theory is absolutely correct.
It's not free speech if I have to pay to receive it. In such cases it is theft.
Lots of spam comes from lots of places. America is probably the biggest source of spam, and Florida is probably biggest source within America. Part of the problem of this is because there is a mentality among lots of business people, and politicians that run the country, that the prime purpose government is here to support is business, with people just being a source of labor to support business. While spam programs from other countries is a genuine problem, too, American politicians tend to think it is only from there. They think that if an American business sends a spam run of 500 million messages, then that's just doing business and should be allowed.
Even the link to the site isn't perfectly real. If it comes to pass that people start DoS-ing the sites mentioned in spam, then spammers will start to put sites in there which are not their own, to get people to DoS other sites, like maybe some anti-spam site. The only piece of information you can really trust is the IP address your (ISP's) mail server had the SMTP session with to get the mail from, and the reverse DNS name only if the forward lookup returns a matching IP address. Everything else is under the sender's control.
Given that many spammers are using exploited home computers to send spam, and they use a wide variety of them to send each spam run, simply DoS-ing the source of the spam won't be very effective because very few people will actually be getting the spam from any one location. I call this technique "exploit balancing". Sending only one email every few minutes from an exploited machine (possible to do if you have control of enough machines) reduces the chance that machine would be discovered as exploited, or that an ISP doing email rate throttling would notice.
You have to distinguish yourself from the spammers in some way. And you have to do this while spammers are trying to make their mail look as legit as they can.
Spammers have made a lot of things difficult. They make running mail servers difficult, too. That's why I and lots of other people believe no ISP should choose to allow spammers on their network. That's why I and lots of other people choose to refuse email from any address in those ISPs that do choose to host spammers so that maybe they will lose legitimate customers and go out of business, or maybe see the light (on the financial sheets) and kick out the spammers and go clean. That's why I and lots of other people use the broad brush when blocking spammers.
I find that having to accept mass quantities of spam from cybercafes more than a bit worrying.
So you figured out that the blocking is based on the IP address. Of course it is. If you make direct SMTP connections, it's going to be blocked from zillions (well, realistically, a few myriads ... that's tens of thousands) of networks around the world. If you submit your mail via web pages on some free mail sites, such as Hotmail, you can still end up getting blocked by some of those networks because they scan the headers and look for the HTTP client IP address that the sites add on. Most don't go this far, but many definitely do that (I don't for free mail sites that are working to fight spam being submitted through their service).
That's not entirely true, but since Hotmail does make a big effort to stop submitted spam abuse, very few networks are checking its headers for blacklisted IPs. Hotmail is therefore more usable. Perhaps Freeserve isn't doing as well as Hotmail. I don't scan either of them for blacklisted client IPs at this point.
Some do, some don't, and some have limitations. Because of the fact that spammers are using forged sender/from address in their mail so much, it has become necessary to avoid bounce back messages. Many networks (including mine) do block networks that bounce spam to forged addresses (they are just as much a part of the problem as open relays, open proxies, and infected always-on home machines). Some networks solve the problem by ensuring that all spam checking is doing during the SMTP session so it can be rejected by a 5XX response code, instead of sending back (to the forged address) a bounce message (this is the strategy I use). Some others who can't make that happen in all cases (because of their unfortunate choice of mail server software) might change things so the bounces are simply not sent (these are the cases where you won't know to retry an other way). This is one of the advantages of block-by-IP (which I do) as opposed to block-by-content (which I do not do) ... it happens at SMTP session time, and you get a rejection (which if you connected directly should result in your mail program leaving you a failure notice of some kind).
Be aware of this crucial point. My objective (and that for many network operators) is more about reducing the spam attempt workload for my network and servers, rather than reducing the exposure of the messages to human eyes and the excessive wear and tear on the "D" or "Delete" keys. Blocking the sources of spam does not eliminate the costs ... it only reduces it to about 1/4 of what it otherwise would be. But I still see an average of 2 to 3 SMTP connection attempts that turn out to be blocked as probable spam ... per second. Sometimes the peaks go over 100 (and the mail server bogs down briefly when that happens). What that means is I can't really cut the costs any further without also breaking the ability to override that blocking for specifically whitelisted email addresses (e.g. if I block at the packet level, I won't establish the SMTP connection at all, and won't know what the sender/from email address is to use that to check the whitelist database). So that means spam fighting has to go to the next level to further get it reduced, and that means doing stuff like blocking whole cafes, and large chunks or entire ISPs, to "encourage" them to do something to stop
So, they leave it wide open, spammers infiltrate, the address space gets blacklisted, and now you come in and use the "application of your choice" and voila, you are unable to send mail. Duh!
What cheesy ass application are you using, anyway, that can't be configured to use a specified mail server?
If you're using SMTP-Auth, presuably that means you are injecting mail into the outbound server for your email address. So why aren't they using MSA (which is essentially SMTP-Auth over a port designated for mail submission only)?
Another option is for email volume throttling. By feeding the SMTP (to various MX port 25 hosts around the world) through a specific server that watches the volume, you can at least limit the damage by limiting the number of messages going out. Intercept each connection and tarpit them at a rate such that no more than 1 connection is passed on per N seconds (such as 1 per 120 seconds as an example). And if you can track IP address to account (e.g. the account used to access services at the cafe), you can set this limit per account. That should be a reasonable compromise if the cafe wants to allow direct SMTP out for customers that don't abuse the net, while discouraging the spammers from coming back.
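The per-account throttle described in this post, as an added Python example that is not the poster's code. The 120-second interval, the IP-to-account table and the burst of connection attempts are constructed sample values; a real deployment would hold each intercepted socket open for the returned delay (the tarpit) and then proxy it on to the remote MX.

```python
"""Per-account connection throttle (tarpit) in front of outbound port 25.

Added illustration, not the poster's own code.  The interval, the mapping of
client IPs to accounts, and the burst of attempts are constructed sample values.
"""
from collections import defaultdict

INTERVAL_SECONDS = 120.0   # at most one outbound SMTP connection per account per 2 minutes (assumed)

# Assumed mapping from a client IP (e.g. the cafe's DHCP lease) to the customer account
IP_TO_ACCOUNT = {"10.0.0.5": "acct-17", "10.0.0.9": "acct-42"}


class OutboundThrottle:
    def __init__(self, interval=INTERVAL_SECONDS):
        self.interval = interval
        # account -> earliest time at which its next connection may be passed on
        self.next_slot = defaultdict(float)

    def account_for(self, client_ip):
        # Hosts that are not mapped to any account share one bucket, so an
        # unregistered machine cannot bypass the limit by being unknown
        return IP_TO_ACCOUNT.get(client_ip, "unmapped")

    def admit(self, client_ip, now):
        """Return the seconds this connection must be held before it is relayed
        to the real MX (0.0 means pass it on immediately).  Each call reserves
        the account's next slot, so a burst of N connections is spread over
        N * interval seconds instead of going out at once."""
        acct = self.account_for(client_ip)
        earliest = max(self.next_slot[acct], now)
        delay = earliest - now
        self.next_slot[acct] = earliest + self.interval
        return delay


def simulate_burst(throttle, client_ip, start, attempts):
    """Run `attempts` back-to-back connections from one IP at time `start`
    and return the delay assigned to each."""
    return [throttle.admit(client_ip, start) for _ in range(attempts)]
```

With the sample values, four simultaneous connections from one account are released at 0, 120, 240 and 360 seconds, while another account's first connection passes immediately; a spammer that opens hundreds of sessions simply queues behind its own earlier ones.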
However, that process of getting the program directly from the development web site, while very cool from a geek perspective, is totally uncool in a business environment, where management is already reluctant about shifting from the model of buying everything from a vendor in the northwest, to buying/downloading things from scattered vendors and non-vendor developers. The way things have to work is that every application the end users are authorized to run on the office computers is already installed on the central servers, and things are set up so the usual way to run programs (e.g. find icon and click or type in simple program name) gets them only from those central servers. Of course, someone could run some program they personally download from the net. But the objective is that whatever means they are trained to use to start a program will always result in the correct program being run, which is the program the system administrator has installed for them to run (and presumably vetted for security and suitability for the business purposes).
For Linux to make its way into business offices, geek coolness is not going to help. The goals are different, there. It has to be cool in the way management sees it, and that requires that they have control over what is done by a set of users that are relatively unsophisticated. A diskless desktop/workstation which mounts /usr via NFS from a file server can do this, but has some drawbacks, too. Linux caches the NFS data a little bit, but not enough. A system that replicates applications which are actually being used over to a ramfs/tmpfs filesystem on the user's desktop would be nice to have. That's why Zero-Install looked interesting. But doing this transparently would be way better. Asking the user to drag the application into a folder (which happens to be tmpfs running in RAM on that diskless machine) is not the answer. What's needed is something that effectively makes it happen without the user having to know (even if this means using a front end starter script for each application).
Anyway, Zero-Install looks like it could do things like a business needs, but what is needed is for it to really say that it does those specific detailed things that are needed. People doing evaluations do not have the time to dig deep into each possible tool; they need to see up front enough information to let them move that tool to their short list, and from there dig further to make sure it really will do as it says. That means one simple web page describing the features that are relevant to business needs (even if it is a different page than the one that geeks would be attracted to it for).
Yes, users can do that. But why would they? The issue isn't about what location they choose to get code from to run, but rather, what location the code does come from when they run it thinking it's just something local. In other words I want to be certain that no security exposures exist that the user didn't cause themselves (if they do cause one, that's dealt with in other ways). So basically that means all apps must come from the local LAN servers, only, just as if they had run them on a machine that had /usr mounted from a master file server, or maybe even / itself (diskless workstations).
My plan is to actually have each desktop be diskless, and boot from either CDROM or network, and access all file space over the network. Caching recently used applications would be the speedup. Whether that is via NFS caching in RAM, or loading applications into a tmpfs filesystem or something else, is the question.
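The front-end starter script idea from the posts above (stage the program from the LAN master into the diskless desktop's tmpfs cache, and make sure that whatever the user clicks on, the code that runs is the copy the administrator installed on the server), as an added Python example. It is not Zero-Install's code and not the poster's; the paths /net/apps (the NFS export) and /run/appcache (the tmpfs cache), the MANIFEST file and its format are assumptions, and demo() runs the whole flow in a temporary directory with a constructed sample program.

```python
"""Front-end starter script for a diskless desktop: stage a program from the LAN
master share into a tmpfs cache, verify it against the administrator's manifest,
then exec it.  Added illustration of the launcher idea discussed above; it is not
Zero-Install's code and not the poster's.  /net/apps (the NFS export),
/run/appcache (the tmpfs cache) and the MANIFEST format are assumptions."""
import hashlib
import os
import shutil
import sys

MASTER = os.environ.get("APP_MASTER", "/net/apps")     # read-only export from the file server (assumed path)
CACHE = os.environ.get("APP_CACHE", "/run/appcache")   # tmpfs on the workstation (assumed path)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(master):
    """Assumed manifest format: one '<sha256>  <path relative to master>' line per file,
    written by the administrator when a program is installed on the master."""
    manifest = {}
    with open(os.path.join(master, "MANIFEST")) as f:
        for line in f:
            digest, _, rel = line.strip().partition("  ")
            if digest and rel:
                manifest[rel] = digest
    return manifest


def stage(app, master=MASTER, cache=CACHE):
    """Return the cached path for `app`, copying it from the master when the cache is
    cold or no longer matches the manifest.  Names containing path separators and
    programs absent from the manifest are refused, so only administrator-installed
    programs can be started through this launcher."""
    if not app or app in (".", "..") or "/" in app or os.sep in app:
        raise ValueError(f"bad program name: {app!r}")
    manifest = load_manifest(master)
    rel = "bin/" + app
    if rel not in manifest:
        raise PermissionError(f"{app} is not in the master manifest")
    src = os.path.join(master, rel)
    dst = os.path.join(cache, rel)
    if os.path.exists(dst) and sha256_of(dst) == manifest[rel]:
        return dst                              # warm cache, already verified
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    if os.path.exists(dst):
        os.remove(dst)                          # stale copy: drop it rather than write into a 0555 file
    shutil.copy2(src, dst)
    if sha256_of(dst) != manifest[rel]:
        os.remove(dst)                          # master and manifest disagree: refuse to run it
        raise RuntimeError(f"{app} on the master does not match its manifest entry")
    os.chmod(dst, 0o555)
    return dst


def demo():
    """Constructed end-to-end run in a temporary directory standing in for both the
    master export and the tmpfs cache (sample data, not real deployment paths)."""
    import tempfile
    root = tempfile.mkdtemp()
    master, cache = os.path.join(root, "master"), os.path.join(root, "cache")
    os.makedirs(os.path.join(master, "bin"))
    app = os.path.join(master, "bin", "hello")
    with open(app, "w") as f:
        f.write("#!/bin/sh\necho hello from the master share\n")
    with open(os.path.join(master, "MANIFEST"), "w") as f:
        f.write(f"{sha256_of(app)}  bin/hello\n")
    staged = stage("hello", master, cache)                   # cold cache: copied and verified
    verified = sha256_of(staged) == sha256_of(app)
    os.chmod(staged, 0o755)
    with open(staged, "w") as f:
        f.write("#!/bin/sh\necho tampered\n")               # simulate a stale or modified cache entry
    refreshed = sha256_of(stage("hello", master, cache)) == sha256_of(app)
    outcomes = {"path": staged, "verified": verified, "refreshed": refreshed}
    for bad in ("notlisted", "../etc/passwd"):
        try:
            stage(bad, master, cache)
            outcomes[bad] = "ran"
        except (PermissionError, ValueError) as e:
            outcomes[bad] = type(e).__name__
    return outcomes


if __name__ == "__main__":
    # Usage: launcher <program> [args...]; the verified cached copy replaces this process.
    if len(sys.argv) < 2:
        sys.exit("usage: launcher <program> [args...]")
    target = stage(sys.argv[1])
    os.execv(target, [target] + sys.argv[2:])
```

Installing this launcher under each program's name (or behind each desktop icon) gives the transparency the posts ask for: the user never chooses where the code comes from, the manifest on the server decides, and a cache entry that no longer matches it is replaced rather than run.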
I access WHOIS data about 50 to 100 times a day most days while dealing with spam issues. I sure as hell won't be paying a dollar a hit to access it. It's problematic with a small few domains with bogus info, but your idea will make it totally unusable for me.
Correcting the spam problem does not involve hiding email addresses from spammers. If they don't get it from WHOIS, they'll get most of them, eventually, from somewhere else, anyway. The real solution to the spam problem is to split the internet into two parts, one where all the spam is, and one where none is, and only let the non-spammers come over to the good side.
Oh wait, I already hear the echoes of whines that splitting the internet into the spam and clean parts will result in net fragmenting. Well, duh!