There are a couple of ccTLDs that have supported wildcards, as well as.museum doing that. I can't check which ones any more because my ISPs seem to have all installed the BIND patch that makes them disappear:-) I'm not aware of any of them besides Verisign's.com and.net that have catchall mail servers as opposed to just catchall web servers, but there may be some, and it's a problem either way.
But yes, spammers can do this with those ccTLDs, and the fact that it's an obvious problem when.com and.net do it doesn't mean we shouldn't have realized it was a problem when.museum and those ccTLDs did it. (oops...)
There have been some studies recently that have found that unsubscribing does, on the average, tend to reduce the amount of spam you get. That's partly because some spammers find it's a more effective business technique (either because they're paid based on the number of positive responses, not emails sent, or because it reduces the speed at which they get thrown off their ISPs), and partly because some spammers are merely clueless as opposed to sociopathic, and partly because most of the remove-me addresses are bogus.
One obvious technique for using remove-me addresses is, if you're using spambait addresses to feed your spam filtering system, to send unsubscribes for those addresses rather than your real ones. (Obviously you only do this for removal addresses that don't appear to have your real address encoded in them.) Worst case is that some spammer gets his time wasted by removing addresses that weren't on his list.
Worse - Nigerians abusing Internet Deaf Relay
on
Interview With a Spammer
·
· Score: 2, Interesting
A couple of months ago I got a call on my cellphone from the AT&T-run deaf relay service, which has expanded from relaying TDDs to relaying from some Internet interface (I think web?). It was, as near as I could tell, a Nigerian scammer. It was obviously not an American, because they were calling me on a Sunday evening on Memorial Day weekend to talk about a business opportunity, and I asked what time zone they were in and it was compatible with being daytime in Nigeria... I asked the operator if she could trace the call but apparently she couldn't.
Originally SCO's claims seemed to be that IBM has used some mentally-contaminated-by-SCO-owned-UNIX-code capability to develop code that they included in Linux kernels after 2.2 (maybe after 2.4.13?), and that they therefore owned copyrights to those (unspecified) parts. Since IBM definitely did develop some code in those sections, it's reasonable for them to sue SCO for GPL violation if SCO distributed Linux products including IBM's code, but as far as I can tell, that wouldn't block SCO from distributing other GPL'd products, e.g. earlier versions of Linux. So if SCO is only claiming ownership of parts newer than 2.4.13, they could still distributed products based on 2.4.13 or 2.2.
However, SCO's display of Greek-fonted malloc() as an example of possibly stolen code might be able to trash their GPL-redistribution rights for anything newer than whenever Linux got GPL'd or included that malloc(). Their claims have been way too fuzzy to tell exactly what they meant, and of course they've been asserting that they can't reveal their trade secrets except under NDA and therefore can't show anybody anything.
IBM's lawsuit might make it possible for IBM to do discovery to force SCO to clarify their claims on exactly what they think they own. SCO's lawsuit against IBM can also do that. It's probably lots of fun to be an IBM lawyer right now, and I bet it's not too often that it's been possible to say that:-)
The BSD and X Windows parts are important. After all, you're not just trying to annoy RMS, you're trying to trip up SCO's lawyers, who don't really understand the issues that were quasi-resolved by the AT&T vs. BSD lawsuits or the technology involved in them, and don't appear to have a very deep understanding of any of the research IBM or companies it had bought did that they implemented in a Unix operating system environment.
I downloaded 2.4.13 from SCO a month or so ago. Their main assertion has been that IBM's additions to newer Linux versions, I think by 2.4.19(?), are what violates IBM's licenses, and they could continue to distribute 2.4.13 without jeopardizing that. It interferes with their FUD campaign a bit, but doesn't break either their lawsuit positions or (presumably) their contracts.
On the other hand, the code they showed other people in Greek fonts which they claimed was an exact copy of Unix code that they own included a BSD version of malloc(), which says they've pretty much toasted their ability to distribute or copy just about anything since Linus adopted the GPL (or since Linus included the BSD-like malloc(), whichever came second.)
So they're in a maze of twisty little self-contradictory statements, all different. (Oh, wait, adventure was in V7 or at least 4.1BSD, which makes this parody a derivative work? Arrrrgh!)
Yes, I know it's tacky to follow up your own articles, but at least it lets me contradict myself a bit;-)
There are a couple of approaches that might make sense for distributed collection of Spammer and RBL data. The Vipul's Razor / Cloudmark approach is good of having real humans read spam messages and distribute pointers so that other humans don't need to read them, but that doesn't cut down on their transmission (at least from spammer to mailbox; it can prevent the mailbox-to-user transmission which is more annoying to the user.) But it doesn't identify open relays, open proxies, and other attractive nuisances.
However, you could build a distributed system that splits up the IPv4 address space and gives out chunks of it to the users for relay/proxy checking, and uses P2P mechanisms to share the results. You'd definitely have to have multiple users check each address space, and do some sort of karma system, and have some kind of randomization method for who gets which address space, because otherwise spammers and their pet zombies will put out false negatives for the relays they're using and false positives for machines they do use and DDOS the users who are checking up on them. Perhaps something out of the control of the individual user, like a Diffie-Hellman key exchange with peer systems, would reduce the ability of evil users to do false negatives on the systems they report on? On the other hand, it would encourage them to scan the systems they're responsible for reporting on to see if there are any that are exploitable, but a reputation system still helps minimize the damage from that/
There are still problems with any active-probing system. How do you tell the difference between a good spam-prevention-bot user probing systems for abusable weaknesses and an evil spammer's bot probing systems for weaknesses? Can some chain of digital signatures help any? Is there any obvious way to implement automated trustable distributed karma?
SCO's Plan? World Domination! Bwahhahaha!!
on
SCO's Plan Examined
·
· Score: 1
Oh, wait, that's Linux's plans. Fear the Penguins!
I normally abbreviate X/BSD/GCC/Linux as "Linux", but once in a while the "GNU/GPL" part is at least as relevant as the "BSD" part. After all, SCO was distributing 2.4.13 under the GPL, and the BSD parts have already had their relationships with AT&T Unix intellectual property somewhat defined.
Accountability, Competence, and Collectability
on
SCO's Plan Examined
·
· Score: 1
SCO ought to be held accountable here - either for malice or incompetence. However, other than whacking the individuals involved, and disappointing any stockholders who still think their stock is worth anything, there's not too much that Ren can do to SCO if they beat them in court, because at that point it's about recovering money, and SCO isn't going to have a lot of that left since the expected revenues from shaking down Linux users won't show up and their other customers are likely to dry up pretty fast.
Signed, "Happy Customer of SCO Linux 2.4.13 distribution, downloaded for free but not actually installed."
Distributing an RBL list is the easy part. There are a variety of methods in place that can provide sufficient reliability and are sufficiently anonymous or difficult to attack, such as Usenet and Freenet and Gnutella and probably Kazaa, and it's not too hard to develop efficient data formats for baseline and incremental update and detail records (easier for IPv4 blocking than IPv6:-), and you can use PGP or other digital signatures to protect the integrity of the transmission. A Simple Matter of Programming (SMOP)...
There are some problems with broadcasting the list as opposed to doing transactional interaction - a list of "mis-configured open relays or proxies with updates" is not much different from the spamware spammers' products of list of new still-usable open relays. (It's a bit less useful, because they know that some people are blocking them, but they also know that lots of people aren't.)
The other half of the communications process is harder - getting the information on spammers to the list maintainer without exposing the list maintainer to attack. A simple usenet group or IRC channel can be flooded, and email can be mailbombed, and the obvious way to do it is with bogus spam reports to reduce the integrity of the information. And some of it's an arms race, e.g. spammer submits a purported open relay to list-manager the list-manager's tester tests the "relay", and the "relay" captures the tester's IP address for DDOSing.
There are spam-reporting reputation systems - Cloudmark and Vipul's Razor do some of that, if imperfectly, or simple subscriber-only systems can stay below the radar (even though they'll have some spammers subscribing...) and you could probably build one that was P2P for a bit more safety. Vipul's distriuted approach lets users mark messages as spam, and distributes hashes, rather than killing whole sites, but you could adapt it.
OK, actual standalone calculators beyond the simple 4-function are pretty much obsolete for most uses, but a good calculator program for a PDA or a PC is still quite useful - there are times that a spreadsheet is just overkill.
I think the one I was using just before my PC died was XCalc, and I have some sort of less satisfactory RPN calculator on my Palm Pilot (it'd be nice to have one that was both good and free, but Palm's programming environment is too annoying to write one myself:-)
Technically it's Pseudonymous rather than Anonymous, but all you need is a consistent set of signatures by a trusted key - you don't need to know a True Name for the human body that owns the key. Somebody who wants to run a list can publish the key in a bunch of well-known sites, and if somebody wants to sign it certifying that it's the original one they've seen, that's fine too. That doesn't mean that, for instance "The Original Joe Spews" won't be immediately joined by 500 other "John Doe Spews" "John Bigbootee Spews" "Joe Job Spews" "Spam-Haters Anonymous", etc., but that's a job for reputation to solve. Each one has a unique public key, and the name is just a convenient handle.
> The only way to ban SPAM is to make the act of buying SPAM services illegal. ?? That fails badly.
From: billg@microsoft.com Subject: Buy Windows 2005 Now! Received: from
Dump that grungy old Linux Stuff and buy Windows!
Your proposal would make it easy for anybody who wanted to stifle their competition to joejob them, which would make it illegal to buy their product in spite of the fact that the spam is obviously bogus.
Most of the Nigerian 419 spam is illegal in Nigeria, under Section 419 of the law. The economy's enough different that a $1000 fine is a lot of money. The government over the last few years hasn't done much to stop them, and it's been corrupt and violent enough that stopping people from scamming a few greedy foreigners isn't a high priority. On the other hand, if they get a cut of the anti-spammer reward money, corrupt violent officials might find it more profitable to burn some scammers and even extradite a few. The problem, of course, is that most of these scammers aren't *successful* scammers, they're just wanabees hoping to get lucky, and there's no profit to anybody in prosecuting or shaking down an unsuccessful wanabee scammer.
If you look at the article, it doesn't support your assertion that spam is a theft of billions of dollars. It does say that spam is a waste of billions of dollars worth of recipients' time, but the average non-Tivo-owning American wastes much more time watching TV commercials than deleting spam; this just wastes their time at work also. Spam is also not a big bandwidth cost of connectivity-oriented ISPs - you get more bytes of Slashdot a day than spam.
It *is* a serious problem for email service providers, who do see a significant impact on their resource usage, but for the rest of us, most of the impact really is the annoyance and the time wasted on it.
Normally I'd expect this to fail almost as badly as the current California law, which requires ADV: tags and valid remove-me addresses. Yes, it's trying much harder to be hard to duck (the "this is a one-time mailing" trick will no longer work, and they're worrying a lot less about collateral damage, joe jobs, precise accurate definitions, and interference with legitimate mailing lists), but it's still unlikely. And spammers will need to start creating a lot of disposable corporations (either ~$100 Delaware ones or ~$500-1000 offshore ones) to be the official senders of their spam and advertisers of their merchandise in case they get caught, and a lot of Nigerian Corrupt Officials' Widows will have to avoid moving to California. But fundamentally it's pretty weak.
On the other hand, California does have a lot of unemployed or underemployed computer experts (sorry, consultants in private practice who are available on short notice), many of whom have the spare time and skills to start hunting spammers. Most of them don't have the legal skills to negotiate these things through the courts efficiently - but there are also a lot of unemployed technology-oriented lawyers (sorry, lawyers in private practice or small firms who are available on short notice) who might be interested in some joint activities on spec. The lower end of this business is hunting down $1000 spams; the higher end is bounty-hunting for ISPs.
On the other hand, it does increase the opportunity for email about "You can make Thousands of Dollars in your Spare Time Hunting Down Spammers! Buy our Instruction Kit!"...
The last few years have had a number of events of major Antarctic ice shelves also breaking up. And things have been happening like open water at the North Pole rather than the usual icecap up there.
If you RTFA, you'll see them discussing that they don't know whether this is global warming or just regional warming. Not mentioned in the article, but relevant, is that in some parts of the Canadian Arctic, I think including this area, the local Inuit had stopped making kayaks for some centuries, and had to relearn in the mid-1800s when the weather got enough warmer that kayaks were useful again. Don't know if that's global warming or just regional either.
Seriously, I do have a PII-233 as my home desktop machine, with 384MB RAM, and I've been looking forward to a new Knoppix release that might do a better job with my lame Trident video card. Instead they drop CPU support! Yaarrrrgh!
Also, my lab has a bunch of doorstop Pentium-60 machines, which are a nice network monitoring server and simple web/ftp server if you don't need any horsepower, though they don't have a lot of RAM on them.
Seemed a bit like overkill for playing Frogger, though I suppose if you want a networked MMORPG version of it where you're trying to frag everybody else's frogs before they cross the road, I guess it'll help...
The response you get depends on the interface you use, which affects whether it's readable by the blind. If you're typing DNS queries by hand, for instance, it will tell you that nonexistent-domain-24324324.com has IP address 64.94.110.11, which isn't correct, but it's the same lie they tell sighted people. If you use email, your email system will give you a message like
: host verisignsucks12232.com[64.94.110.11] said: 550 : Client host rejected: The domain you are trying to send mail to does not exist.
which is only slightly inaccurate. Your email-to-speech reader should be able to read it to you about as well as it could have read the message you should have gotten.
If you're using a web browser, it's a different story (unless Verisign's web pages are tuned for different browsers, in which case Lynx could be made to work ok.) There's lots of Javascript, mostly at the end, and the phrase about the domain verisignsucks-1342314321.com does not exist is unfortunately buried in the code for a complex table, even though visibly it's rendered near the top of the page. So that depends on your user interface's ability to read you tables and ignore Javascript.
If you're using most other protocols, somewhat incorrect things will happen, because most of them use "A" records, which Verisign will respond to with their IP address, and the service you're looking for probably isn't there. But again, they're the same incorrect things that happen to sighted people, and presentation is an applications programming problem.
If you read them a bit more carefully, they're not as outrageous as they look. They don't refer to the process that _got_ you the SiteFinder Web form - they refer to how you use the form once you've got it. Some of them are much less than ideal, but others of them are reasonable. The basic terms are
It's free - if you don't like it, don't use it.
If you don't like the results, it's not our fault, so don't use it.
If you thought it _was_ our fault, you wave any rights to do anything to us except not use it.
A bunch of copyright notices.
If you don't like the web pages we point you to, it's not our fault, it's those web pages' fault, so don't use it if you don't like it.
The search engine is separate from the DNS service, so if the search engine's not working right, that doesn't get you a refund on your DNS contract.
(The bogus part) - the search results are only for your personal non-commercial use and you can't do anything with it (with more detail than that) and you can't metasearch, and any commercial use requires a separate agreement.
But yes, spammers can do this with those ccTLDs, and the fact that it's an obvious problem when .com and .net do it doesn't mean we shouldn't have realized it was a problem when .museum and those ccTLDs did it. (oops...)
One obvious technique for using remove-me addresses is, if you're using spambait addresses to feed your spam filtering system, to send unsubscribes for those addresses rather than your real ones. (Obviously you only do this for removal addresses that don't appear to have your real address encoded in them.) Worst case is that some spammer gets his time wasted by removing addresses that weren't on his list.
Some time you _do_ need to hear Dierdre McCarthy playing Wipeout on bodhran....
is a Token Ringo....
A couple of months ago I got a call on my cellphone from the AT&T-run deaf relay service, which has expanded from relaying TDDs to relaying from some Internet interface (I think web?). It was, as near as I could tell, a Nigerian scammer. It was obviously not an American, because they were calling me on a Sunday evening on Memorial Day weekend to talk about a business opportunity, and I asked what time zone they were in and it was compatible with being daytime in Nigeria... I asked the operator if she could trace the call but apparently she couldn't.
However, SCO's display of Greek-fonted malloc() as an example of possibly stolen code might be able to trash their GPL-redistribution rights for anything newer than whenever Linux got GPL'd or included that malloc(). Their claims have been way too fuzzy to tell exactly what they meant, and of course they've been asserting that they can't reveal their trade secrets except under NDA and therefore can't show anybody anything.
IBM's lawsuit might make it possible for IBM to do discovery to force SCO to clarify their claims on exactly what they think they own. SCO's lawsuit against IBM can also do that. It's probably lots of fun to be an IBM lawyer right now, and I bet it's not too often that it's been possible to say that :-)
The BSD and X Windows parts are important. After all, you're not just trying to annoy RMS, you're trying to trip up SCO's lawyers, who don't really understand the issues that were quasi-resolved by the AT&T vs. BSD lawsuits or the technology involved in them, and don't appear to have a very deep understanding of any of the research IBM or companies it had bought did that they implemented in a Unix operating system environment.
"Free, like in beer".
On the other hand, the code they showed other people in Greek fonts which they claimed was an exact copy of Unix code that they own included a BSD version of malloc(), which says they've pretty much toasted their ability to distribute or copy just about anything since Linus adopted the GPL (or since Linus included the BSD-like malloc(), whichever came second.)
So they're in a maze of twisty little self-contradictory statements, all different. (Oh, wait, adventure was in V7 or at least 4.1BSD, which makes this parody a derivative work? Arrrrgh!)
There are a couple of approaches that might make sense for distributed collection of Spammer and RBL data. The Vipul's Razor / Cloudmark approach is good of having real humans read spam messages and distribute pointers so that other humans don't need to read them, but that doesn't cut down on their transmission (at least from spammer to mailbox; it can prevent the mailbox-to-user transmission which is more annoying to the user.) But it doesn't identify open relays, open proxies, and other attractive nuisances.
However, you could build a distributed system that splits up the IPv4 address space and gives out chunks of it to the users for relay/proxy checking, and uses P2P mechanisms to share the results. You'd definitely have to have multiple users check each address space, and do some sort of karma system, and have some kind of randomization method for who gets which address space, because otherwise spammers and their pet zombies will put out false negatives for the relays they're using and false positives for machines they do use and DDOS the users who are checking up on them.
Perhaps something out of the control of the individual user, like a Diffie-Hellman key exchange with peer systems, would reduce the ability of evil users to do false negatives on the systems they report on? On the other hand, it would encourage them to scan the systems they're responsible for reporting on to see if there are any that are exploitable, but a reputation system still helps minimize the damage from that/
There are still problems with any active-probing system. How do you tell the difference between a good spam-prevention-bot user probing systems for abusable weaknesses and an evil spammer's bot probing systems for weaknesses? Can some chain of digital signatures help any? Is there any obvious way to implement automated trustable distributed karma?
I normally abbreviate X/BSD/GCC/Linux as "Linux", but once in a while the "GNU/GPL" part is at least as relevant as the "BSD" part. After all, SCO was distributing 2.4.13 under the GPL, and the BSD parts have already had their relationships with AT&T Unix intellectual property somewhat defined.
Signed, "Happy Customer of SCO Linux 2.4.13 distribution, downloaded for free but not actually installed."
such as Usenet and Freenet and Gnutella and probably Kazaa, and it's not too hard to develop efficient data formats for baseline and incremental update and detail records (easier for IPv4 blocking than IPv6
There are some problems with broadcasting the list as opposed to doing transactional interaction - a list of "mis-configured open relays or proxies with updates" is not much different from the spamware spammers' products of list of new still-usable open relays. (It's a bit less useful, because they know that some people are blocking them, but they also know that lots of people aren't.)
The other half of the communications process is harder - getting the information on spammers to the list maintainer without exposing the list maintainer to attack. A simple usenet group or IRC channel can be flooded, and email can be mailbombed, and the obvious way to do it is with bogus spam reports to reduce the integrity of the information. And some of it's an arms race, e.g. spammer submits a purported open relay to list-manager the list-manager's tester tests the "relay", and the "relay" captures the tester's IP address for DDOSing.
There are spam-reporting reputation systems - Cloudmark and Vipul's Razor do some of that, if imperfectly, or simple subscriber-only systems can stay below the radar (even though they'll have some spammers subscribing...) and you could probably build one that was P2P for a bit more safety. Vipul's distriuted approach lets users mark messages as spam, and distributes hashes, rather than killing whole sites, but you could adapt it.
I think the one I was using just before my PC died was XCalc, and I have some sort of less satisfactory RPN calculator on my Palm Pilot (it'd be nice to have one that was both good and free, but Palm's programming environment is too annoying to write one myself :-)
Technically it's Pseudonymous rather than Anonymous, but all you need is a consistent set of signatures by a trusted key - you don't need to know a True Name for the human body that owns the key. Somebody who wants to run a list can publish the key in a bunch of well-known sites, and if somebody wants to sign it certifying that it's the original one they've seen, that's fine too. That doesn't mean that, for instance "The Original Joe Spews" won't be immediately joined by 500 other "John Doe Spews" "John Bigbootee Spews" "Joe Job Spews" "Spam-Haters Anonymous", etc., but that's a job for reputation to solve. Each one has a unique public key, and the name is just a convenient handle.
Your proposal would make it easy for anybody who wanted to stifle their competition to joejob them, which would make it illegal to buy their product in spite of the fact that the spam is obviously bogus.
Most of the Nigerian 419 spam is illegal in Nigeria, under Section 419 of the law. The economy's enough different that a $1000 fine is a lot of money. The government over the last few years hasn't done much to stop them, and it's been corrupt and violent enough that stopping people from scamming a few greedy foreigners isn't a high priority. On the other hand, if they get a cut of the anti-spammer reward money, corrupt violent officials might find it more profitable to burn some scammers and even extradite a few. The problem, of course, is that most of these scammers aren't *successful* scammers, they're just wanabees hoping to get lucky, and there's no profit to anybody in prosecuting or shaking down an unsuccessful wanabee scammer.
It *is* a serious problem for email service providers, who do see a significant impact on their resource usage, but for the rest of us, most of the impact really is the annoyance and the time wasted on it.
On the other hand, California does have a lot of unemployed or underemployed computer experts (sorry, consultants in private practice who are available on short notice), many of whom have the spare time and skills to start hunting spammers. Most of them don't have the legal skills to negotiate these things through the courts efficiently - but there are also a lot of unemployed technology-oriented lawyers (sorry, lawyers in private practice or small firms who are available on short notice) who might be interested in some joint activities on spec. The lower end of this business is hunting down $1000 spams; the higher end is bounty-hunting for ISPs.
On the other hand, it does increase the opportunity for email about "You can make Thousands of Dollars in your Spare Time Hunting Down Spammers! Buy our Instruction Kit!"...
The last few years have had a number of events of major Antarctic ice shelves also breaking up. And things have been happening like open water at the North Pole rather than the usual icecap up there.
If you RTFA, you'll see them discussing that they don't know whether this is global warming or just regional warming.
Not mentioned in the article, but relevant, is that in some parts of the Canadian Arctic, I think including this area, the local Inuit had stopped making kayaks for some centuries, and had to relearn in the mid-1800s when the weather got enough warmer that kayaks were useful again. Don't know if that's global warming or just regional either.
Seriously, I do have a PII-233 as my home desktop machine, with 384MB RAM, and I've been looking forward to a new Knoppix release that might do a better job with my lame Trident video card. Instead they drop CPU support! Yaarrrrgh!
Also, my lab has a bunch of doorstop Pentium-60 machines, which are a nice network monitoring server and simple web/ftp server if you don't need any horsepower, though they don't have a lot of RAM on them.
Seemed a bit like overkill for playing Frogger, though I suppose if you want a networked MMORPG version of it where you're trying to frag everybody else's frogs before they cross the road, I guess it'll help...
If you use email, your email system will give you a message like which is only slightly inaccurate. Your email-to-speech reader should be able to read it to you about as well as it could have read the message you should have gotten.
If you're using a web browser, it's a different story (unless Verisign's web pages are tuned for different browsers, in which case Lynx could be made to work ok.) There's lots of Javascript, mostly at the end, and the phrase about the domain verisignsucks-1342314321.com does not exist is unfortunately buried in the code for a complex table, even though visibly it's rendered near the top of the page. So that depends on your user interface's ability to read you tables and ignore Javascript.
If you're using most other protocols, somewhat incorrect things will happen, because most of them use "A" records, which Verisign will respond to with their IP address, and the service you're looking for probably isn't there. But again, they're the same incorrect things that happen to sighted people, and presentation is an applications programming problem.
Except for that one bogus part,