All a spammer needs to do to avoid this kind of attack on a "website" is to have the trojan horse that is operating the "website" on a compromised PC ("zombie") on some broadband connection do some form verification before submitting the order for handling by spammers' own computers somewhere else. Only real orders would pass through. And if they don't already they would quickly attack. That's what spammers do. They don't care about being attacked. They are constantly being attacked and they are constantly adapting, just like bacteria adapting to antibiotics...
Perhaps a better approach if we want to take this clearly illegal path is to drown the spammers with orders made with stolen or fake credit card numbers. That might be a big problem for them...
If someone really wants to make software that automatically does something about spam received, the program should just report the spam to the network abuse address of the source of the spam message. Spamcop.net does a really good job in parsing headers, identifying the source, locating the address of the correct abuse team, and sending them a complaint. Everything is done automatically except that the user has to manually copy and paste the email in raw form (or forward as attachment) and then to manually review and approve the complaint before it is sent. This is reasonable as it is a real complaint to a real abuse team. But it is limited to people that have the technical ability to extract the raw form of the email and submit it, and have the patience to do it with every single piece of spam...
This system should be further automated into a system that receives automatic forwards of spam identified by humans (e.g. clicking a "this is spam" button in an email reader) and then parses headers and classifies them according to their real sources, and then ISPs should have access to this data so they can identify the sources in their networks and block them. What I suggest here is a system that does quite what spamcop does but on a larger scale, with millions of email readers providing input that might have lower quality than manual spamcop reports by spamcop users that know what email headers are, and a reasonable way to organize the millions of complaints so abuse teams can use them (obviously receiving thousands of complaints in individual email messages about copies of the same message from the same zombie PC is not the right way. There's a need for automatically organizing these so abuse teams can spend their time dealing with new complaints).
So instead of a system that overloads the spammers' websites I suggest a system that's cutting them off by helping the network providers find them and disconnect them.
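A sketch of the aggregation step proposed in the comment above, added here as an illustration and not part of the original post: it finds the address that handed each reported message to the recipient's own servers and collapses the reports into one row per source. The trusted host names, the internal network, the abuse-contact table and all sample messages are constructed assumptions.

```python
import email
import ipaddress
import re
from collections import defaultdict

# Assumptions (constructed for this sketch): the hosts whose Received headers
# we trust, our internal address space, and a stand-in for a whois lookup.
TRUSTED_HOSTS = {"mx1.example.net", "store.example.net"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ABUSE_CONTACTS = {
    ipaddress.ip_network("203.0.113.0/24"): "abuse@isp-a.example",
    ipaddress.ip_network("198.51.100.0/24"): "abuse@isp-b.example",
}

RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\([^)]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>[\w.-]+)")


def source_ip(raw_message):
    """Return the address that handed the message to our own servers.

    Received headers are read newest first. Only headers written by our own
    hosts are believed; the walk stops at the first hop we cannot vouch for,
    so forged headers further down are never consulted.
    """
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.match(received.strip())
        if not m or m.group("by").lower() not in TRUSTED_HOSTS:
            return None
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            return None
        if any(ip in net for net in INTERNAL_NETS):
            continue  # hop between our own machines, keep walking
        return ip
    return None


def abuse_contact(ip):
    """Map a source address to the network's abuse mailbox (constructed table)."""
    for net, contact in ABUSE_CONTACTS.items():
        if ip in net:
            return contact
    return "unknown"


def build_digest(reports):
    """Collapse (reporter, raw_message) pairs into one row per source address.

    Returns (rows, unattributed). Each row is
    (abuse contact, source ip, reports, distinct reporters, distinct subjects).
    """
    sources = defaultdict(lambda: {"n": 0, "reporters": set(), "subjects": set()})
    unattributed = 0
    for reporter, raw in reports:
        ip = source_ip(raw)
        if ip is None:
            unattributed += 1
            continue
        entry = sources[ip]
        entry["n"] += 1
        entry["reporters"].add(reporter)
        entry["subjects"].add(email.message_from_string(raw)["Subject"])
    rows = [(abuse_contact(ip), str(ip), e["n"], len(e["reporters"]), len(e["subjects"]))
            for ip, e in sources.items()]
    return sorted(rows, key=lambda r: (-r[2], r[1])), unattributed


def make_sample(hops, subject):
    """Constructed raw message; hops are (from_host, ip, by_host), newest first."""
    lines = [f"Received: from {h} ({h} [{ip}])\n\tby {by} with ESMTP; "
             "Mon, 01 Jan 2024 00:00:00 +0000" for h, ip, by in hops]
    return "\n".join(lines + ["From: offers@shop.example", f"Subject: {subject}", "", "text"])


INTERNAL = ("mx1.example.net", "10.0.0.5", "store.example.net")
ZOMBIE_A = ("dsl-45.isp-a.example", "203.0.113.45", "mx1.example.net")
ZOMBIE_B = ("host7.isp-b.example", "198.51.100.7", "mx1.example.net")
FORGED = ("mail.bank.example", "192.0.2.10", "mx1.example.net")  # inserted by the sender

# Constructed "this is spam" reports from five users.
SAMPLE_REPORTS = [
    ("user1", make_sample([INTERNAL, ZOMBIE_A, FORGED], "Cheap pills")),
    ("user2", make_sample([INTERNAL, ZOMBIE_A], "Cheap pills")),
    ("user3", make_sample([INTERNAL, ZOMBIE_A], "Cheap watches")),
    ("user4", make_sample([INTERNAL, ZOMBIE_B], "You won")),
    ("user5", make_sample([("relay.other.example", "192.0.2.99", "mail.other.example")], "You won")),
]

if __name__ == "__main__":
    rows, unattributed = build_digest(SAMPLE_REPORTS)
    for row in rows:
        print(row)
    print("unattributed reports:", unattributed)
```

Reports whose newest Received header was not written by a trusted host are counted as unattributed rather than guessed at, so a report with stripped or rewritten headers cannot point the digest at the wrong network.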
> Thinking in layers is the most effective approach to fighting spam...
ABSOLUTELY!!!
> SPF CAN check the From address, it's merely a matter of choice
But then it's not really SPF. The SPF standard defines both a way of publicizing a list of hosts that may send on behalf of a domain, and a method of assigning a pass/notpass value to an email message based on the published SPF record (or lack of such record). SPF defines its tests with the envelope-from address. SenderID uses the same record in the DNS comparing it to a different address, so it's the same list of servers with a different test. Testing the header "From" using the SPF record is yet another test that is not equivalent to any published standard. So if everyone, or even just several big ISPs decide to do this, it adds another UNPUBLISHED standard that senders have to comply with. I don't say that it is a bad idea to compare the header "From" address to the SPF record. It might be good as an extra layer in ranking messages as more or less "spammy" after reception and filtering mail accordingly. But it was not chosen as a good method to verify source because it breaks too much legitimate email.
>... Just need a trojan/worm that checks your inbox for addresses...
Or your trash folder. Or your swap file... A trojan could just insert the spam directly into your inbox bypassing all email protocols... but they are not doing it yet. I suspect that they are already starting to crop addresses by scanning the HD of compromised machines.
> Regarding VARA... you do know that half of it is SPF right?
Yes, sort of. VARA is just a concept. It can use SPF or other methods to try to verify that email came from a "legitimate" host.
> The only difference is you want the end user to make the SPF record
Actually not. The user only says that email address A is to receive email only from domain B, and that's it. The owner of domain B set up their own SPF record. When email arrives for address A, the MTA queries the DNS for the SPF record of domain B, and accepts email only if it passes the test. An ISP can provide this service to a user by letting her access a web page where she enters a domain or list of domains, and then an email address is generated that can be handed to whoever is supposed to send the email "from" these domains.
> By using SPF, you've provided a route to track you by.
> The SPF verifies the emails very likely came from your system.
> This improves the ability to track you down
Only this would almost always lead to a dead end. Spammers are already using throwaway domains and compromised machines. Almost all the spam I report using SpamCop comes from IP addresses of PCs on broadband. So this path leads to a compromised machine. SPF would be able to verify the compromised machine. DNS would lead to the spammer's website on another compromised machine, and financial info would lead to someone whose credit card number was stolen... What's really needed here is for service providers to identify the compromised machines on their networks and help users clean them, or at least block their outgoing traffic as long as they are compromised, and do it fast. If this goal can be achieved and spammers are forced to use their own machine, then SPF or other authentication methods would become useful for finding the spammer. Anyway, the real spammer is the advertiser and the contact info is in the spam.
> It's the #3 I wonder about.
> Why are they trustworthy?
You have a point! I have no idea. Just gut feeling! What do others think? Can it be that Slashdot "sells" our email addresses? I believe that it does not, but then it's just my belief, unsupported by facts.
A more general issue: If I agreed that my email address be displayed on a website (such as by checking a box that says I agree), is that website allowed to give my address to anyone in any other way other than posting it where I expected them to post it (e.g., in my public profile and alongside my posts)? I believe not.
Remark (for those who came directly to this post): #3 refers to the grandparent post where I said I trust that Slashdot did not give my address to spammers.
> Are you sure that's just due to screen scraping?
I'm quite sure. What else? Who knows this address?
1) Myself.
2) Sneakemail.
3) Slashdot.
4-zillion) Anyone that has access to the slashdot.org
The address is not available anywhere else. So how did the spammers get the address: I trust that 1,2,3 didn't give the address to spammers. (#1 - I know this guy personally. #2 - has lots of other addresses I have and no particular interest in specifically giving spammers only the address I give to slashdot. #3 - others here can explain why this party can be trusted). #4-zillion I consider screen scraping, because they only have access to the address by finding it on a web page. And while it is possible that someone here hates me enough to manually copy my address and give it to spammers, I doubt that there's anyone here that would not realize by just looking at it that it's a waste of time with an address that is obviously a throwaway address.
Actually there is one additional possibility: zillion+1) key logger or HD scanner on my PC.
While it is a possibility, it is highly unlikely that it would pick up only the throwaway addresses I use on slashdot.
> With several gmail accounts, I never have trouble managing spam...
Of course you have! You have to check each account separately. And in time you might find out that it's difficult to dump an account when you're not sure that you remember who got the address. What you really need is a single account with multiple addresses (in a way you already have it in gmail: if you are user@gmail.com you can use user+anystring@gmail.com).
One popular way to do it is to use a disposable address service that forwards the mail you receive at any of your multiple addresses there to your mailbox (the one you already use, such as your ISP or your gmail account).
Another approach is to register a domain - usually you would get free email forwarding with that. Then you can use all the addresses in your domain. This costs less than $10 a year and has the added benefit that having your own domain is cool (and you can send your love letters from "the_one_who_loves_you@mydomain.net").
There are some email services that allow a user to use a whole subdomain (e.g. jcitizen@fastmail.fm can use anything@jcitizen.fastmail.fm). This is much like registering a domain but without having to either forward email or host it somewhere.
The benefit of all these methods is that you get all your email in one place, but they still come to different addresses so it is easy to cut off a spam stream if one of those addresses starts getting spam.
Each one of these methods has its own advantages and disadvantages. I use a combination of several of them, but one or two of them are good enough for almost anyone.
I use sneakemail.com and spamgourmet.com for "disposable addresses". They are very different services. At least spamgourmet is a service everyone should know about because it's the most hassle free service on earth: about 20 seconds to register and then use transparently. SneakEmail requires more work but in return gives a lot of control. I use it with financial institutes (bank, credit card...) as it totally eliminates the risk of phishing.
Then I use fastmail subdomains and aliases, and I use my own domain that I host with fastmail. Fastmail allows for very detailed filtering of incoming email using the Sieve filtering language, so this allows for management of all the email coming from different addresses (sorting into folders, applying different spam filter sensitivity to different sources...) Gmail is a bit less powerful than Fastmail in filtering ability (e.g., envelope info is not available for filtering in Gmail) but it is very easy to set up filters in Gmail to separate and label incoming email forwarded from sneakemail, and the search functionality in Gmail can also do this job. Of course I could do with one email address and one disposable email address, but I like to play!
I use a different email address with each subscription (I use sneakemail.com for that). Some email addresses of mine have been harvested from several online forums, but with the addresses I publish on slashdot this happens more often than anywhere else. I change address on slashdot every few days, and usually it takes no more than a week for the address to be picked up by spammers (one time it happened on the same day).
>... anything that adds a layer of complexity for spammers
> while minimally impacting legitimate email senders
> is not a bad thing
Only I think that in the case of SPF the impact on legitimate email is much greater than the added layer of complexity for spammers. In fact they already have all the tools they need to bypass SPF and are using it. The only added complexity is adding a one line record to the DNS for the domain. A spammer needs to spend a few minutes once to learn how to do it. On the other hand these authentication techniques break a lot of existing email practices, like email forwarding, or like sending email from a web form ("send this article to a friend"). A lot of people would have to spend a lot of time and money adjusting to a technology that doesn't seem to do what it claims it can do.
But the worst impact is by big players like Microsoft that would not accept mail even from authenticated senders like Microsoft claims they would do (SPF clearly states that lack of SPF record is equivalent to the domain owner authorizing every computer as a server, and it passes the SPF test. MS Hotmail decided they would not follow this standard and would consider these domains as unauthenticated). This means that big players here get to decide how you are to use your own domain even if you are not their client, and just following the standard is not enough. You are only free to use what is yours the way they decide you can use it.
There are good and harmless ways to use SPF authentication, but they are not the way MS plans to use it.
> If a spammer acquires a SPF authenticated domain
> which he then uses to send spam, don't you think
> it would be relatively easy to find and block
> that domain?
I think it would be extremely easy and would have very little impact on the spammer. Spammers already change domains daily for the websites they operate and providers constantly take their websites off (either that or they are blacklisted). By the time a domain is blocked the spammer would already be using a new one.
>... effective litigation and prosecution
> is made more difficult by a lack of
> effective authentication for email traffic.
> These are things that SenderID and SPF are
> designed to address
These are NOT things that SenderID and SPF are designed to address! Neither of them can authenticate the real identity of a person responsible for sending email. The only thing they "authenticate" is that someone that paid for the use of a domain has set permission for email to be sent with some hidden header field containing the domain name from a list of specific computers (IP addresses listed either directly or indirectly in an SPF record). There is nothing here that can identify a person. Spammers have already used SPF authenticated domains that they purchased with stolen identities (credit card info). The ONLY THING SPF/SenderID provide, is very limited protection for brand names.
On the other hand following the money (credit card payments to spammers) has already proved effective for litigation, and it doesn't necessitate any change in technology.
No need to alter ebay/paypal DNS. No need to spoof IP.
Method 1: You need a bunch of stolen credit card info with enough personal info to use for small payments online. You buy domains werothjwer.com werwervser634.com etc. (not paypa1.com) You send your spam with Paypal.com/ebay.com in the "From" header and with werothjwer.com in the "Sender" header and the SMTP envelope-from. Your email passes SPF/SenderID tests perfectly, and the recipient email client (Outlook Express?) proudly presents email "From: paypal.com" (not paypa1.com!). By the time someone complains about you using their credit card your phishing emails are history, and you have a pile of new CC+personal info to use for your next venture. Paypal/ebay can seize all your registered domains because you don't need them anymore. You get new ones every day using fresh stolen identities.
Method 2: No need for the classical identity theft (Credit card+personal info). You alter the trojan horses that power your spam sending botnet to use info from the compromised machine's credentials in the "Sender" header and the SMTP envelope-from and route it through the servers listed in the email account info on the infected PC. You can still use paypal.com or ebay.com in the "From" field.
SPF/SenderID are very well suited to fight late 20th century spammers' methods, but the 20th century is over and spammers don't use these methods anymore.
The real mistake with all those "authentication" methods is that the data they try to "authenticate" is quite meaningless and useless in the email protocols. The only piece of data that has any significance in an SMTP transaction is the recipient's envelope address. If it is not correct the message never gets to its destination. The rest is quite useless, especially for bulk mailers (the envelope-from is there for error messages in case of indirect delivery, and the different headers indicating "message origin" are there for replies. Bulk mailers have no interest in either of them so they are free to abuse them). If you don't want to be fooled with an email "from paypal" that is not from paypal, all you have to do is to give paypal a unique address to send mail to you. Mail sent from paypal to that address is from paypal. Mail sent "from paypal" to any other address you use is not from paypal. So the only thing needed to protect people from themselves is to educate them about using unique email addresses with those entities such as financial institutes where they want to be sure the email sent is really from the intended sender. It's not foolproof, but it would be extremely difficult to break this in bulk. It's not like harvesting/purchasing huge lists of addresses. It's a real effort to recover each single address.
One obstacle to public education is that ISPs have no interest in having their customers know that email addresses are so cheap. The only thing that locks Joe Sixpack or Jane Shoponline to their ISP is the precious email address they got from their ISP. Changing an email address is a hassle and most users don't realize that there's no real reason to use the email address supplied by their connectivity provider (except to make it difficult to switch providers).
One suggested method to base authentication on recipient's address is VarA (http://wiki.outboundindex.net/VarA). VarA is a way to do it without any database. There are many other ways to do it, but actually all one needs right now is a disposable email address service like spamgourmet.com or sneakemail.com, or an email provider that allows users to use all addresses in a subdomain (like FastMail.FM allowing user jcitizen to use all addresses like anything@jcitizen.fastmail.fm). There are many other services that provide similar functionality. There is no "best" option here. I use a combination of the three above and addresses in my own domain (another cheap option). One concern that I have with those "authentication" schemes like SPF is that they would make it harder to use bulletproof anti-phishing protection like unique addresses for an "authentication" scheme that any half educated spammer would be able to bypass...:-(
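The unique-address rule described in the comment above, written out as an added example that is not part of the original post: a delivery is judged by the envelope recipient it was addressed to, with no sender authentication at all. The alias table, the `.example` domains, the verdict names and the sample deliveries are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed alias table: each unique address was given to exactly one sender.
ALIASES = {
    "pp-7f3k@jcitizen.example": "paypal.example",
    "bank-q9x2@jcitizen.example": "bank.example",
}


def from_domain(raw_message):
    """Domain of the From header, the one the mail client displays."""
    addr = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def belongs_to(domain, org_domain):
    """True for the organisation's domain itself and for its subdomains."""
    return domain == org_domain or domain.endswith("." + org_domain)


def classify(rcpt_to, raw_message):
    """Judge one delivery; rcpt_to is the SMTP RCPT TO address."""
    claimed = from_domain(raw_message)
    issued_to = ALIASES.get(rcpt_to.lower())
    claimed_org = next(
        (org for org in set(ALIASES.values()) if belongs_to(claimed, org)), None)
    if claimed_org and issued_to == claimed_org:
        return "expected-sender"        # holds only while the alias stays secret
    if claimed_org:
        return "impersonation-suspect"  # claims an organisation that never had this address
    if issued_to:
        return "alias-leaked"           # somebody else learned the unique address
    return "unknown-sender"


def aliases_to_retire(deliveries):
    """Unique addresses that received mail from anyone but their one sender."""
    return sorted({rcpt.lower() for rcpt, raw in deliveries
                   if rcpt.lower() in ALIASES and classify(rcpt, raw) != "expected-sender"})


def make_msg(from_header):
    """Constructed message with only the header this check reads."""
    return f"From: {from_header}\nSubject: Account notice\n\ntext"


# Constructed deliveries: (envelope recipient, raw message).
SAMPLE_DELIVERIES = [
    ("pp-7f3k@jcitizen.example", make_msg("PayPal <service@mail.paypal.example>")),
    ("jcitizen@isp.example", make_msg("PayPal <service@paypal.example>")),
    ("bank-q9x2@jcitizen.example", make_msg("Offers <deals@shop.example>")),
    ("jcitizen@isp.example", make_msg("A friend <friend@mail.example>")),
]

if __name__ == "__main__":
    for rcpt, raw in SAMPLE_DELIVERIES:
        print(rcpt, "->", classify(rcpt, raw))
    print("retire:", aliases_to_retire(SAMPLE_DELIVERIES))
```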
First, you need to publish a one line SPF in your DNS record. That's a few minutes work.
And then, if your forum software allows a forum member to email another forum member using your server and their email address in "From", then you should either have an additional "Sender" header with an address in your domain (which is really the correct way to do it and comply with email standards - rfc2822), or you can use your own address in the "From" and their address in "Reply-to" (which is less standards compliant, because rfc2822 defines "From" as the author and "Sender" as the one actually sending - such as when a boss dictates to a secretary and the secretary sends).
The worst assumption in implementing SPF/SenderID is classifying domains that did not publish an SPF record as incompliant, when the SPF specification specifically means that not publishing an SPF record has a meaning equivalent to publishing a record that authorizes sending from any server. In other words: The SPF specification has a default record that is assumed if no record is explicitly given and that is the record that is most suitable to the vast majority of email users - those that do not need to protect the use of their "brand name" in hidden email headers (another misinformation in the article is that SPF/SenderID protects somehow against "changing" the "From" header. It does not in any way. "From" is not checked by SPF, and is checked by SenderID only if there is absolutely no other kind of sender/resender headers. I would say that the only thing that these "authentication" schemes do is promote the worse kind of identity theft: stealing credit card info+personal info needed to use the CC numbers, and using these to buy whatever's needed to bypass SPF/DKIM - all that's needed is a domain name to use in a hidden email header.)
I believe there are implementations that use SpamAssassin and weigh an SPF test in. The way to do it is of course to use all the available data, including results of SPF/DKIM if available, and use statistics to assign them weights that produce the best prediction of a message being unwanted.
What it seems M$ is planning is to weigh SenderID compliance more than what statistics would give it, making more uncomplying messages go into the Junk mail folder, and by doing so with many millions of mailboxes of users who have no real choice about their spam filters, they can thus force compliance.
One important thing one needs to remember is that in some jurisdictions complying with SenderID would mean either infringing on M$ IP or getting a license from them.
There is a greater danger in students using free software than them getting the crazy idea that information should be accessible to everyone... some of them might even get involved in development. Imagine all these fresh minds that M$ cannot even hire because of age limitations on employment...
Younger minds can have novel ideas. FOSS needs them. School kids getting involved can bring new ideas. Perhaps even non-geek participation in designing GUIs.
I like to call it "the coolness factor" in OSS. If kids learn that they can actually make a difference: having your idea or design incorporated in software used by millions all around the world is cool, and kids should learn about it and go for it!
Obviously this guy is in the business of extortion. Each separate story might sound like the guy trying to protect a trademark, but all taken together show that it is obviously not the case. A court can excuse the guy for one case of harassing someone that followed the word "steal" by a word starting with "th". A court can excuse the guy for harassing a private (non-commercial) website using the dictionary word.
But collectively, the evidence described in this story clearly shows that all of these are planned of systematic extortion, and not protecting a brand name in certain areas of commerce. The guy is just shooting around and sometimes collects settlement money. The evidence should be collected. And the guy should face criminal charges and serve time.
> There ought to be a law (maybe there is) that
> says this kind of abuse of trademark is illegal
I think any kind of legal harassment ("legal extortion") should be illegal, not just the kind related to trademarks. Lawyers should know that they should be careful that a legal threat made should be reasonable, or they might risk more than just losing a case in court. In severe cases they should face criminal charges.
Legal threats are a sort of weapon, and abusing it should have consequences.
A step further would be to enable people to prefer content that is legally permitted to use.
What might make it possible is an open protocol to communicate permissions (such as GPL/Creative Commons license). Something like extra headers that specify such data. Then search engines/file sharing software could allow a user to filter/prioritize search results by permissions.
One good side effect would be that content providers would be motivated to provide at least some versions of what they have with free use permissions, if they want to be found on search engines, because this model would discriminate against content that has no explicit permissions policy.
Another benefit is that by making default options tend towards locating files that are legal to use, creators of sharing software can defend themselves in court by showing that they are actively discouraging "piracy" (regardless of what they have said in public in the past).
I think it is important to have a working model that allows people TO CHOOSE, before the dominant model becomes one (or many) that take these rights away (closed protocol DRM).
What P2P and other technologies that enable access to content (search engines, websites...) would need now is a way to show that they are not advocating illegal use of information.
What I think is needed is an open protocol for stating use permissions of files served. Such a protocol would allow the poster of a file to include information about the allowed use of the files, such as GPL or other open source licence or Creative Commons license allowing redistribution/derivative works etc. Such a protocol should also allow for posting of contact info of copyright holders for those copyright holders that do not wish to set permissions in advance, so whoever finds the file can easily check if the file is reusable by asking the author.
What such a protocol would allow is for P2P clients and for search engines to allow users to limit their searches to files with permissions to use (or to sort search results according to freedom to use). Distributors of P2P clients could use these abilities for legal defense, and they can also set the defaults to prefer free content.
The main benefit is teaching people to look for free content (i.e. with legal permissions given in advance in a GPL/CC style license). If people just change their habits a bit due to default installations preferring content that comes with predetermined permissions, it would put pressure on everyone who wants their contents to be found to supply at least some permissions.
Of course it may be abused: anyone can rip a CD and post the contents with a CC redistribution allowed license. But the legal consequences then would mean jailtime rather than settling with the RIAA out of court on a few thousand bucks.
This sounds like DRM. It sounds like this because it really is DRM. But if the free culture community wants to promote free use licences and avoid restrictive DRM, it has to win the race and produce DRM of the kind that would protect the rights of the public, instead of the interest of commercial interests (should DRM be renamed CIRM for "Digital Commercial Interests Management"?). An open standard to communicate permissions would allow anyone to write software that gives the user the choice to choose what's right and what's wrong. Closed DRM deprives the user of any right, and transfers the power completely to the supplier/distributor.
> question for the supreme court:
> do you really believe the copyright of the bay
> city rollers first album is more deserving of legal
> protection than a human life?
Copyright outlasts life by 70 years! So naturally it needs more protection!
But think of this: a weapon can be used to shorten the term of copyright, by shortening the life of the author (who is usually not the copyright owner in the case of recorded popular music, since the rights are signed away by young artists seeking a recording contract). But the current ruling cannot help here. Killing the author is not infringement of copyright. Contrary to infringement, it promotes the legal use of the work (after the shortened copyright term expires).
I remember several years ago an announcement in a university departmental mailing list that "finally the bureaucrats have allowed us to get rid of some of the old computers and monitors in the computer lab. Anyone who wants to take any of them can do so. One suggested use I can think of is an anchor for a medium size boat...".
If you are in a university, you can probably find someone who would love to get rid of an old PC but is not allowed to. Transferring to another department is perhaps something the bureaucrats would approve. You don't need much power to run a stripped down UNIX/LINUX based firewall. I have at home an old Pentium 1 running Smoothwall with 4 PCs behind it. For a computer lab with more computers you might need a bit more power, but not much more. You can probably find an abandoned Pentium 3 that some professor replaced with a shiny new machine bought with grant money (after all, something has to be done with the money to show it was needed ;-) )
Of course your boss cannot fire you for not doing illegal activity. Your boss can certainly fire you for another reason if you are not doing the illegal activity...
The guy driving the broken truck and getting the ticket probably has done the right thing. The ticket was probably much cheaper than the risk of losing a job...
It is really the fault of the law that doesn't make the employer accountable. In this case both the driver and the one giving the instruction should have been fined, and the boss should have been fined more!
This week in Israel we had a crash between a truck driven by an overworked driver and a train. (The driver was said to have worked 40 hours...) Both drivers were killed. Several passengers were killed. Hundreds of passengers were wounded, some severely. The owners of the company employing the truck driver had sabotaged the "blackboxes" recording working hours of drivers and other data on their trucks so they could overwork the drivers without supervision. The operators of the train did not have good enough arrangements at the railroad crossing that was known to be dangerous. I really hope some management ends behind bars. Otherwise nothing would change...
> mail.gmail._com checks the From:/return of
> slashdot._org and checks their SPF record
> for slashdot._org
Actually they do not. Neither SPF nor SenderID check the "from" header. SenderID checks the "sender" header and they require forwarders to add/rewrite this header (or use one of the "resent" headers). SPF checks the SMTP envelope from and they expect forwarders to produce one in their own domain and arrange for relaying relayed mail/error messages. The "From" header can be anything. Forwarders complying would get through. So will phishers, using exactly the same methods.
> What it WILL do is keep spammers from imitating
> existing domains in their "from" headers...
It will not and it cannot. It can only stop forging "Sender" headers (Sender-ID) or envelope-from (SPF). The "From" header that is shown to the user of any email client can still be anything.
> Anyone with an SPF record of "every sender is OK"
> probably should be blocked as a probable spammer.
And that is where the current email system starts breaking. You're telling people how to use their email. Where do you stop? What you describe is a system to force people to change their systems. Many would have to change their software or hardware to achieve that, and there's a lot of money to be made. That's what MS wants...
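The three sender identities discussed in the comment above, as an added example that is not part of the original post: it extracts the domain SPF evaluates (envelope-from), the domain Sender ID evaluates (the first present of the Resent-Sender, Resent-From, Sender and From headers, the RFC 4407 order in simplified form) and the domain the mail client displays, then reports where the displayed domain is not covered by either check. Such findings are ranking signals for a filter, not a verdict. Finding names, `.example` domains and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Sender ID's "purported responsible address" is taken from the first of these
# headers that is present (RFC 4407 order, simplified: no malformed-header rules).
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def domain(address_header):
    """Lower-cased domain part of an address header, or '' if there is none."""
    return parseaddr(address_header or "")[1].rpartition("@")[2].lower()


def identities(mail_from, helo, raw_message):
    """Return the domain each mechanism looks at for one SMTP delivery."""
    msg = message_from_string(raw_message)
    pra_header = next((h for h in PRA_ORDER if msg.get(h)), None)
    return {
        # SPF tests the envelope sender; with a null sender it falls back to HELO.
        "spf": domain(mail_from) or helo.lower(),
        "pra_header": pra_header,
        "sender_id": domain(msg.get(pra_header)) if pra_header else "",
        "displayed": domain(msg.get("From")),
    }


def same_org(a, b):
    """Relaxed comparison: equal, or one is a subdomain of the other."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def review(mail_from, helo, raw_message):
    """Return (identities, findings); findings are scoring signals only."""
    ids = identities(mail_from, helo, raw_message)
    findings = []
    if not same_org(ids["displayed"], ids["spf"]):
        findings.append("from-not-covered-by-spf")
    if not same_org(ids["displayed"], ids["sender_id"]):
        findings.append("from-not-covered-by-sender-id")
    return ids, findings


# Constructed deliveries: (MAIL FROM, HELO name, raw message).
DIRECT = ("bounce@news.shop.example", "out1.shop.example",
          "From: Shop <news@shop.example>\nSubject: Sale\n\ntext")
FORUM = ("www@forum.example", "web.forum.example",
         "Sender: mailer@forum.example\nFrom: alice@mail.example\n"
         "Subject: An article for you\n\ntext")
LOOKALIKE = ("a@throwaway.example", "host.throwaway.example",
             "Sender: a@throwaway.example\nFrom: Service <service@bank.example>\n"
             "Subject: Account notice\n\ntext")
BOUNCE = ("", "mx.isp.example",
          "From: MAILER-DAEMON@mx.isp.example\nSubject: Undeliverable\n\ntext")

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("forum", FORUM),
                         ("lookalike", LOOKALIKE), ("bounce", BOUNCE)):
        ids, findings = review(*sample)
        print(name, ids, findings)
```

The forum relay and the throwaway-domain message produce identical findings, which is why a From-header comparison can feed a score but cannot by itself separate a compliant forwarder from a forged sender.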
All a spammer needs to do to avoid this kind of attack on a "website" is to have the trojan horse that is operating the "website" on a compromised PC ("zombie") on some broadband connection do some form verification before submitting the order for handling by spammers own computers somewhere else. Only real orders would pass through. And if they don't already they would quickly attack. That's what spammers do. They don't care about being attacked. They are constantly being attacked and they are constantly adapting, just like bacteria adapting to antibiotics...
Perhaps a better approach if we want to take this clearly illegal path is to drown the spammers with orders made with stolen or fake credit card numbers. That might be a big problem for them...
If someone really wants to make software that automatically does something about spam received, the program should just report the spam to the network abuse address of the source of the spam message. Spamcop.net does a really good job in parsing headers, identifying the source, locating the address of the correct abuse team, and sending them a complaint. Everything is done automatically except that the user has to manually copy and paste the email in raw form (or forward as attachment) and then to manually review and approve the complaint before it is sent. This is reasonable as it is a real complaint to a real abuse team. But it is limited to people that have the technical ability to extract the raw form of the email and submit it, and have the patience to do it with every single piece of spam...
This system should be further automated into a system that receives automatic forwards of spam identified by humans (e.g. clicking a "this is spam" button in an email reader) and then parses headers and classifies them according to their real sources, and then ISPs should have access to this data so they can identify the sources in their networks and block them. What I suggest here is a system that does quite what spamcop does but on a larger scale, with millions of email readers providing input that might have lower quality than manual spamcop reports by spamcop users that know what email headers are, and a reasonable way to organize the millions of complaints so abuse teams can use them (obviously receiving thousands of complaints in individual email messages about copies of the same message from the same zombie PC is not the right way. There's a need for automatically organizing these so abuse teams can spend their time dealing with new complaints).
So instead of a system that overloads the spammers' websites I suggest a system that's cutting them off by helping the network providers find them and disconnect them.
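The aggregation step suggested in the comment above, as an added example that is not part of the original post: user-submitted spam is reduced to one case per source IP and message, so an abuse team sees each zombie once. The hostname `mx.isp.example`, the Received layout, the single-part text bodies and all sample messages are constructed assumptions.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict
from email import message_from_string

# Assumption: the name our own receiving server writes into its Received header.
TRUSTED_MX = "mx.isp.example"

# Matches "from <helo> (<rdns> [<ip>]) by <host>", a common Received layout.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\([^\[\)]*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def source_ip(raw):
    """Return the IP that handed the message to our MX, or None."""
    msg = message_from_string(raw)
    # Received headers are prepended, so the first one stamped by our own MX
    # is the real hand-off; anything below it was supplied by the sender.
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or m.group("by").lower() != TRUSTED_MX:
            continue  # a hop we do not control, or a layout we cannot parse
        try:
            return str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            return None
    return None


def fingerprint(raw):
    """Hash the body with case and whitespace normalised so copies group together."""
    body = message_from_string(raw).get_payload()  # single-part text assumed
    text = re.sub(r"\s+", " ", str(body)).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def aggregate(reports):
    """Group (reporter, raw message) pairs into cases keyed by (source IP, fingerprint)."""
    cases = defaultdict(lambda: {"count": 0, "reporters": set()})
    unparsed = 0
    for reporter, raw in reports:
        ip = source_ip(raw)
        if ip is None:
            unparsed += 1  # e.g. forwarded inline without the original headers
            continue
        case = cases[(ip, fingerprint(raw))]
        case["count"] += 1
        case["reporters"].add(reporter)
    return dict(cases), unparsed


def per_source(cases):
    """One row per source: (ip, reports, distinct messages, distinct reporters)."""
    rows = defaultdict(lambda: [0, 0, set()])
    for (ip, _fp), case in cases.items():
        rows[ip][0] += case["count"]
        rows[ip][1] += 1
        rows[ip][2] |= case["reporters"]
    out = [(ip, r[0], r[1], len(r[2])) for ip, r in rows.items()]
    return sorted(out, key=lambda row: (-row[3], row[0]))


def sample_report(ip, body, forged=""):
    """Build a constructed raw message as our MX would have stored it."""
    return (
        f"Received: from pc.example (pc.example [{ip}])\n"
        f"\tby {TRUSTED_MX} with ESMTP; Mon, 1 Jan 2007 10:00:00 +0000\n"
        f"{forged}"
        "From: \"Shop\" <sales@shop.example>\n"
        "Subject: offer\n"
        "\n"
        f"{body}\n"
    )


# Constructed: a Received line the sender inserted to point at someone else.
FORGED = ("Received: from mail.bank.example (mail.bank.example [203.0.113.9])"
          " by mx.isp.example with SMTP; Mon, 1 Jan 2007 09:00:00 +0000\n")

SAMPLE_REPORTS = [
    ("user1", sample_report("192.0.2.44", "Cheap pills\nbuy now")),
    ("user2", sample_report("192.0.2.44", "CHEAP  pills buy now", forged=FORGED)),
    ("user3", sample_report("192.0.2.44", "cheap pills buy now")),
    ("user1", sample_report("198.51.100.7", "Refinance today")),
    ("user4", "Subject: fwd\n\ncheap pills buy now\n"),  # headers lost
]

if __name__ == "__main__":
    found, skipped = aggregate(SAMPLE_REPORTS)
    for row in per_source(found):
        print(row)
    print("reports without a usable source:", skipped)
```
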
> Thinking in layers is the most effective approach to fighting spam ...
... Just need a trojan/worm that checks your inbox for addresses ...
... you do know that half of it is SPF right?
ABSOLUTELY!!!
> SPF CAN check the From address, it's merely a matter of choice
But then it's not really SPF. The SPF standard defines both a way of publicizing a list of hosts that may send on behalf of a domain, and a method of assigning a pass/notpass value to an email message based on the published SPF record (or lack of such record). SPF defines its tests with the envelope-from address. SenderID uses the same record in the DNS comparing it to a different address, so it's the same list of servers with a different test. Testing the header "From" using the SPF record is yet another test that is not equivalent to any published standard. So if everyone, or even just several big ISPs decide to do this, it adds another UNPUBLISHED standard that senders have to comply with. I don't say that it is a bad idea to compare the header "From" address to the SPF record. It might be good as an extra layer in ranking messages as more or less "spammy" after reception and filtering mail accordingly. But it was not chosen as a good method to verify source because it breaks too much legitimate email.
>
Or your trash folder. Or your swap file... A trojan could just insert the spam directly into your inbox bypassing all email protocols... but they are not doing it yet. I suspect that they are already starting to crop addresses by scanning the HD of compromised machines.
> Regarding VARA
Yes, sort of. VARA is just a concept. It can use SPF or other methods to try to verify that email came from a "legitimate" host.
> The only difference is you want the end user to make the SPF record
Actually not. The user only says that email address A is to receive email only from domain B, and that's it. The owner of domain B set up their own SPF record. When email arrives for address A, the MTA queries the DNS for the SPF record of domain B, and accepts email only if it passes the test. An ISP can provide this service to a user by letting her access a web page where she enters a domain or list of domains, and then an email address is generated that can be handed to whoever is supposed to send the email "from" these domains.
> By using SPF, you've provided a route to track you by.
> The SPF verifies the emails very likely came from your system.
> This improves the ability to track you down
Only this would almost always lead to a dead end. Spammers are already using throwaway domains and compromised machines. Almost all the spam I report using SpamCop comes from IP addresses of PCs on broadband. So this path leads to a compromised machine. SPF would be able to verify the compromised machine. DNS would lead to the spammer's website on another compromised machine, and financial info would lead to someone whose credit card number was stolen...
What's really needed here is for service providers to identify the compromised machines on their networks and help users clean them, or at least block their outgoing traffic as long as they are compromised, and do it fast. If this goal can be achieved and spammers are forced to use their own machine, then SPF or other authentication methods would become useful for finding the spammer. Anyway, the real spammer is the advertiser and the contact info is in the spam.
> It's the #3 I wonder about.
> Why are they trustworthy?
You have a point! I have no idea. Just gut feeling! What do others think? Can it be that Slashdot "sells" our email addresses? I believe that it does not, but then it's just my belief, unsupported by facts.
A more general issue: If I agreed that my email address be displayed on a website (such as by checking a box that says I agree), is that website allowed to give my address to anyone in any other way other than posting it where I expected them to post it (e.g., in my public profile and alongside my posts)? I believe not.
Remark (for those who came directly to this post): #3 refers to the grandparent post where I said I trust that Slashdot did not give my address to spammers.
> Are you sure that's just due to screen scraping?
I'm quite sure. What else? Who knows this address?
1) Myself.
2) Sneakemail.
3) Slashdot.
4-zillion) Anyone that has access to the slashdot.org
The address is not available anywhere else. So how did the spammers get the address:
I trust that 1,2,3 didn't give the address to spammers. (#1 - I know this guy personally. #2 - has lots of other addresses I have and no particular interest in specifically giving spammers only the address I give to slashdot. #3 - others here can explain why this party can be trusted). #4-zillion I consider screen scraping, because they only have access to the address by finding it on a web page. And while it is possible that someone here hates me enough to manually copy my address and give it to spammers, I doubt that there's anyone here that would not realize by just looking at it that it's a waste of time with an address that is obviously a throwaway address.
Actually there is one additional possibility:
zillion+1) key logger or HD scanner on my PC.
While it is a possibility, it is highly unlikely that it would pick up only the throwaway addresses I use on slashdot.
> With several gmail accounts, I never have trouble managing spam ...
Of course you have! You have to check each account separately. And in time you might find out that it's difficult to dump an account when you're not sure that you remember who got the address. What you really need is a single account with multiple addresses (in a way you already have it in gmail: if you are user@gmail.com you can use user+anystring@gmail.com).
One popular way to do it is to use a disposable addresses service that forwards the mail you receive at any of your multiple addresses there to your mailbox (the one you already use, such as your ISP or your gmail account).
Another approach is to register a domain - usually you would get free email forwarding with that. Then you can use all the addresses in your domain. This costs less than $10 a year and has the added benefit that having your own domain is cool (and you can send your love letters from "the_one_who_loves_you@mydomain.net").
There are some email services that allow a user to use a whole subdomain (e.g. jcitizen@fastmail.fm can use anything@jcitizen.fastmail.fm). This is much like registering a domain but without having to either forward email or host it somewhere.
The benefit of all these methods is that you get all your email in one place, but they still come to different addresses so it is easy to cut off a spam stream if one of those addresses starts getting spam.
Each one of these methods has its own advantages and disadvantages. I use a combination of several of them, but one or two of them are good enough for almost anyone.
I use sneakemail.com and spamgourmet.com for "disposable addresses". They are very different services. At least spamgourmet is a service everyone should know about because it's the most hassle free service on earth: about 20 seconds to register and then use transparently. SneakEmail requires more work but in return gives a lot of control. I use it with financial institutes (bank, credit card...) as it totally eliminates the risk of phishing.
Then I use fastmail subdomains and aliases, and I use my own domain that I host with fastmail. Fastmail allows for very detailed filtering of incoming email using the Sieve filtering language, so this allows for management of all the email coming from different addresses (sorting into folders, applying different spam filter sensitivity to different sources...). Gmail is a bit less powerful than Fastmail in filtering ability (e.g., envelope info is not available for filtering in Gmail) but it is very easy to set up filters in Gmail to separate and label incoming email forwarded from sneakemail, and the search functionality in Gmail can also do this job. Of course I could do with one email address and one disposable email address, but I like to play!
I use a different email address with each subscription (I use sneakemail.com for that). Some email addresses of mine have been harvested from several online forums, but with the addresses I publish on slashdot this happens more often than anywhere else. I change address on slashdot every few days, and usually it takes no more than a week for the address to be picked up by spammers (one time it happened on the same day).
>... anything that adds a layer of complexity for spammers
> while minimally impacting legitimate email senders
> is not a bad thing
Only I think that in the case of SPF the impact on legitimate email is much greater than the added layer of complexity for spammers. In fact they already have all the tools they need to bypass SPF and are using it. The only added complexity is adding a one line record to the DNS for the domain. A spammer needs to spend a few minutes once to learn how to do it. On the other hand these authentication techniques break a lot of existing email practices, like email forwarding, or like sending email from web form ("send this article to a friend"). A lot of people would have to spend a lot of time and money adjusting to a technology that doesn't seem to do what it claims it can do.
But the worst impact is by big players like Microsoft that would not accept mail even from authenticated senders like Microsoft claim they would do (SPF clearly states that lack of SPF record is equivalent to the domain owner authorizing every computer as a server, and it passes the SPF test. MS Hotmail decided they would not follow this standard and would consider these domains as unauthenticated.) This means that big players here get to decide how you are to use your own domain even if you are not their client, and just following the standard is not enough. You are only free to use what is yours the way they decide you can use it.
There are good and harmless ways to use SPF authentication, but they are not the way MS plans to use it.
> If a spammer acquires a SPF authenticated domain
> which he then uses to send spam, don't you think
> it would be relatively easy to find and block
> that domain?
I think it would be extremely easy and would have very little impact on the spammer. Spammers already change domains daily for the websites they operate and providers constantly take their websites off (either that or they are blacklisted). By the time a domain is blocked the spammer would already be using a new one.
> ... effective litigation and prosecution
> is made more difficult by a lack of
> effective authentication for email traffic.
> These are things that SenderID and SPF are
> designed to address
These are NOT things that SenderID and SPF are designed to address! Neither of them can authenticate the real identity of a person responsible for sending email. The only thing they "authenticate" is that someone that paid for the use of a domain has set permission for email to be sent with some hidden header field containing the domain name from a list of specific computers (IP addresses listed either directly or indirectly in an SPF record). There is nothing here that can identify a person. Spammers have already used SPF authenticated domains that they purchased with stolen identities (credit card info). The ONLY THING SPF/SenderID provide, is very limited protection for brand names.
On the other hand following the money (credit card payments to spammers) has already proved effective for litigation, and it doesn't necessitate any change in technology.
> Ok. That should do, nobody read this far anyway.
:-)
I did!
No need to alter ebay/paypal DNS.
:-(
No need to spoof IP.
Method 1:
You need a bunch of stolen credit card info with enough personal info to use for small payments online.
You buy domains werothjwer.com werwervser634.com etc. (not paypa1.com)
You send your spam with Paypal.com/ebay.com in the "From" header and with werothjwer.com in the "Sender" header and the SMTP envelope-from.
Your email passes SPF/SenderID tests perfectly, and the recipient email client (Outlook Express?) proudly presents email "From: paypal.com" (not paypa1.com!).
By the time someone complains about you using their credit card your phishing emails are history, and you have a pile of new CC+personal info to use for your next venture. Paypal/ebay can seize all your registered domains because you don't need them anymore. You get new ones every day using fresh stolen identities.
Method 2:
No need for the classical identity theft (Credit card+personal info). You alter the trojan horses that power your spam sending botnet to use info from the compromised machine's credentials in the "Sender" header and the SMTP envelope-from and route it through the servers listed in the email account info on the infected PC. You can still use paypal.com or ebay.com in the "From" field.
SPF/SenderID are very well suited to fight late 20th century spammers' methods, but the 20th century is over and spammers don't use these methods anymore.
The real mistake with all those "authentication" methods is that the data they try to "authenticate" is quite meaningless and useless in the email protocols. The only piece of data that has any significance in an SMTP transaction is the recipient's envelope address. If it is not correct the message never gets to its destination. The rest is quite useless, especially for bulk mailers (the envelope-from is there for error messages in case of indirect delivery, and the different headers indicating "message origin" are there for replies. Bulk mailers have no interest in either of them so they are free to abuse them). If you don't want to be fooled with an email "from paypal" that is not from paypal, all you have to do is to give paypal a unique address to send mail to you. Mail sent from paypal to that address is from paypal. Mail sent "from paypal" to any other address you use is not from paypal. So the only thing needed to protect people from themselves is to educate them about using unique email addresses with those entities such as financial institutes where they want to be sure the email sent is really from the intended sender. It's not foolproof, but it would be extremely difficult to break this in bulk. It's not like harvesting/purchasing huge lists of addresses. It's a real effort to recover each single address.
One obstacle to public education is that ISPs have no interest in having their customers know that email addresses are so cheap. The only thing that locks Joe Sixpack or Jane Shoponline to their ISP is the precious email address they got from their ISP. Changing an email address is a hassle and most users don't realize that there's no real reason to use the email address supplied by their connectivity provider (except to make it difficult to switch providers).
One suggested method to base authentication on recipient's address is VarA (http://wiki.outboundindex.net/VarA). VarA is a way to do it without any database. There are many other ways to do it, but actually all one needs right now is a disposable email address service like spamgourmet.com or sneakemail.com, or an email provider that allows users to use all addresses in a subdomain (like FastMail.FM allowing user jcitizen to use all addresses like anything@jcitizen.fastmail.fm). There are many other services that provide similar functionality. There is no "best" option here. I use a combination of the three above and addresses in my own domain (another cheap option). One concern that I have with those "authentication" schemes like SPF is that they would make it harder to use bulletproof anti-phishing protection like unique addresses for an "authentication" scheme that any half educated spammer would be able to bypass...
You shouldn't have any problem with SPF.
First, you need to publish a one line SPF in your DNS record. That's a few minutes work.
And then, if your forum software allows a forum member to email another forum member using your server and their email address in "From", then you should either have an additional "Sender" header with an address in your domain (which is really the correct way to do it and comply with email standards - rfc2822), or you can use your own address in the "From" and their address in "Reply-to" (which is less standards compliant, because rfc2822 defines "From" as the author and "Sender" as the one actually sending - such as when a boss dictates to a secretary and the secretary sends).
The worst assumption in implementing SPF/SenderID is classifying domains that did not publish an SPF record as incompliant, when the SPF specification specifically means that not publishing an SPF record has a meaning equivalent to publishing a record that authorizes sending from any server. In other words: The SPF specification has a default record that is assumed if no record is explicitly given and that is the record that is most suitable to the vast majority of email users - those that do not need to protect the use of their "brand name" in hidden email headers (another misinformation in the article is that SPF/SenderID protects somehow against "changing" the "From" header. It does not in any way. "From" is not checked by SPF, and is checked by SenderID only if there is absolutely no other kind of sender/resender headers. I would say that the only thing that these "authentication" schemes do is promote the worse kind of identity theft: stealing credit card info+personal info needed to use the CC numbers, and using these to buy whatever's needed to bypass SPF/DKIM - all that's needed is a domain name to use in a hidden email header.)
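Which address each check looks at for the two forum-mail layouts described above, as an added example that is not part of the original comment. The header order is a simplified form of the Sender ID "purported responsible address" selection (RFC 4407); every address and message is constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Simplified Sender ID selection order: the first of these headers that
# carries an address is the one tested. "From" is only the last resort.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def domain_of(address):
    """Lower-cased domain of an address or header value, or '' if there is none."""
    addr = parseaddr(address or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def checked_identities(raw, envelope_from):
    """Report which domain each check tests and which domain the reader is shown."""
    msg = message_from_string(raw)
    # Several Sender or several From headers leave no valid address to test.
    malformed = any(len(msg.get_all(h, [])) > 1 for h in ("Sender", "From"))
    pra_header = None
    if not malformed:
        pra_header = next((h for h in PRA_ORDER if domain_of(msg.get(h))), None)
    return {
        # SPF tests the SMTP envelope-from; it is empty for bounces ("<>"),
        # in which case SPF falls back to the HELO name instead.
        "spf_domain": domain_of(envelope_from),
        "pra_header": pra_header,
        "pra_domain": domain_of(msg.get(pra_header)) if pra_header else "",
        "shown_from": domain_of(msg.get("From")),
    }


def from_is_untested(raw, envelope_from):
    """True when neither check says anything about the From the reader sees."""
    ids = checked_identities(raw, envelope_from)
    shown = ids["shown_from"]
    return not shown or shown not in (ids["spf_domain"], ids["pra_domain"])


# Constructed: forum mail with the member in From and the forum in Sender.
FORUM_WITH_SENDER = (
    "From: Alice <alice@member-isp.example>\n"
    "Sender: mailer@forum.example\n"
    "To: bob@example.net\n"
    "Subject: private message\n\nhello\n"
)

# Constructed: forum mail with the forum in From and the member in Reply-To.
FORUM_REPLY_TO = (
    "From: Forum on behalf of Alice <mailer@forum.example>\n"
    "Reply-To: alice@member-isp.example\n"
    "To: bob@example.net\n"
    "Subject: private message\n\nhello\n"
)

# Constructed: a brand name in From, an unrelated domain everywhere else.
BRAND_IN_FROM = (
    "From: Bank Service <service@bank.example>\n"
    "Sender: news@throwaway.example\n"
    "To: bob@example.net\n"
    "Subject: account notice\n\nhello\n"
)

if __name__ == "__main__":
    samples = [
        ("forum, Sender header", FORUM_WITH_SENDER, "bounces@forum.example"),
        ("forum, Reply-To", FORUM_REPLY_TO, "bounces@forum.example"),
        ("brand in From", BRAND_IN_FROM, "news@throwaway.example"),
    ]
    for label, raw, env in samples:
        print(label, checked_identities(raw, env), from_is_untested(raw, env))
```

The standards-compliant forum message and the brand-in-From message produce the same shape of result, so a filter that scores `from_is_untested` can only use it as one weighted signal, not as a verdict.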
I believe there are implementations that use SpamAssassin and weigh an SPF test in. The way to do it is of course to use all the available data, including results of SPF/DKIM if available, and use statistics to assign them weights that produce the best prediction of a message being unwanted.
What it seems M$ is planning is to weigh SenderID compliance more than what statistics would give it, making more uncomplying messages go into the Junk mail folder, and by doing so with many millions of mailboxes of users who have no real choice about their spam filters, they can thus force compliance.
One important thing one needs to remember is that in some jurisdictions complying with SenderID would mean either infringing on M$ IP or getting a license from them.
There is a greater danger in students using free software than them getting the crazy idea that information should be accessible to everyone ... some of them might even get involved in development. Imagine all these fresh minds that M$ cannot even hire because of age limitations on employment...
Younger minds can have novel ideas. FOSS needs them. School kids getting involved can bring new ideas. Perhaps even non-geek participation in designing GUIs.
I like to call it "the coolness factor" in OSS. If kids learn that they can actually make a difference: having your idea or design incorporated in software used by millions all around the world is cool, and kids should learn about it and go for it!
Obviously this guy is in the business of extortion. Each separate story might sound like the guy trying to protect a trademark, but all taken together show that it is obviously not the case. A court can excuse the guy for one case of harassing someone that followed the word "steal" by a word starting with "th". A court can excuse the guy for harassing a private (non-commercial) website using the dictionary word.
But collectively, the evidence described in this story clearly shows that all of these are planned of systematic extortion, and not protecting a brand name in certain areas of commerce. The guy is just shooting around and sometimes collects settlement money. The evidence should be collected. And the guy should face criminal charges and serve time.
> There ought to be a law (maybe there is) that
> says this kind of abuse of trademark is illegal
I think any kind of legal harassment ("legal extortion") should be illegal, not just the kind related to trademarks. Lawyers should know that they should be careful that a legal threat made should be reasonable, or they might risk more than just losing a case in court. In severe cases they should face criminal charges.
Legal threats are a sort of weapon, and abusing it should have consequences.
> Maybe it is a good idea ... to break a patent ...
Not in the case of Amazon's patents, because Amazon REALLY invented statistics...
> ... it indexes everything alike. ...
A step further would be to enable people to prefer content that is legally permitted to use.
What might make it possible is an open protocol to communicate permissions (such as GPL/Creative Commons license). Something like extra headers that specify such data. Then search engines/file sharing software could allow a user to filter/prioritize search results by permissions.
One good side effect would be that content providers would be motivated to provide at least some versions of what they have with free use permissions, if they want to be found on search engines, because this model would discriminate against content that has no explicit permissions policy.
Another benefit is that by making default options tend towards locating files that are legal to use, creators of sharing software can defend themselves in court by showing that they are actively discouraging "piracy" (regardless of what they have said in public in the past).
I think it is important to have a working model that allows people TO CHOOSE, before the dominant model becomes one (or many) that take these rights away (closed protocol DRM).
What P2P and other technologies that enable access to content (search engines, websites...) would need now is a way to show that they are not advocating illegal use of information.
What I think is needed is an open protocol for stating use permissions of files served. Such a protocol would allow the poster of a file to include information about the allowed use of the files, such as GPL or other open source licence or Creative Commons license allowing redistribution/derivative works etc. Such a protocol should also allow for posting of contact info of copyright holders for those copyright holders that do not wish to set permissions in advance, so whoever finds the file can easily check if the file is reusable by asking the author.
What such a protocol would allow is for P2P clients and for search engines to allow users to limit their searches to files with permissions to use (or to sort search results according to freedom to use). Distributors of P2P clients could use these abilities for legal defense, and they can also set the defaults to prefer free content.
The main benefit is teaching people to look for free content (i.e. with legal permissions given in advance in a GPL/CC style license). If people just change their habits a bit due to default installations preferring content that comes with predetermined permissions, it would put pressure on everyone who wants their contents to be found to supply at least some permissions.
Of course it may be abused: anyone can rip a CD and post the contents with a CC redistribution allowed license. But the legal consequences then would mean jailtime rather than settling with the RIAA out of court on a few thousand bucks.
This sounds like DRM. It sounds like this because it really is DRM. But if the free culture community wants to promote free use licences and avoid restrictive DRM, it has to win the race and produce DRM of the kind that would protect the rights of the public, instead of the interest of commercial interests (should DRM be renamed CIRM for "Digital Commercial Interests Management"?). An open standard to communicate permissions would allow anyone to write software that gives the user the choice to choose what's right and what's wrong. Closed DRM deprives the user of any right, and transfers the power completely to the supplier/distributor.
> question for the supreme court:
> do you really believe that the copyright of the bay
> city rollers first album is more deserving of legal
> protection than a human life?
Copyright outlasts life by 70 years! So naturally it needs more protection!
But think of this: a weapon can be used to shorten the term of copyright, by shortening the life of the author (who is usually not the copyright owner in the case of recorded popular music, since the rights are signed away by young artists seeking a recording contract). But the current ruling cannot help here. Killing the author is not infringement of copyright. Contrary to infringement, it promotes the legal use of the work (after the shortened copyright term expires).
I remember several years ago an announcement in a university departmental mailing list that "finally the bureaucrats have allowed us to get rid of some of the old computers and monitors in the computer lab. Anyone who wants to take any of them can do so. One suggested use I can think of is an anchor for a medium size boat...".
;-) )
If you are in a university, you can probably find someone who would love to get rid of an old PC but is not allowed to. Transferring to another department is perhaps something the bureaucrats would approve. You don't need much power to run a stripped down UNIX/LINUX based firewall. I have at home an old Pentium 1 running Smoothwall with 4 PCs behind it. For a computer lab with more computers you might need a bit more power, but not much more. You can probably find an abandoned Pentium 3 that some professor replaced with a shiny new machine bought with grant money (after all, something has to be done with the money to show it was needed
Of course your boss cannot fire you for not doing illegal activity. Your boss can certainly fire you for another reason if you are not doing the illegal activity...
The guy driving the broken truck and getting the ticket probably has done the right thing. The ticket was probably much cheaper than the risk of losing a job...
It is really the fault of the law that doesn't make the employer accountable. In this case both the driver and the one giving the instruction should have been fined, and the boss should have been fined more!
This week in Israel we had a crash between a truck driven by an overworked driver and a train. (The driver was said to have worked 40 hours...) Both drivers were killed. Several passengers were killed. Hundreds of passengers were wounded, some severely. The owners of the company employing the truck driver had sabotaged the "blackboxes" recording working hours of drivers and other data on their trucks so they could overwork the drivers without supervision. The operators of the train did not have good enough arrangements at the railroad crossing that was known to be dangerous. I really hope some management ends behind bars. Otherwise nothing would change...
> mail.gmail._com checks the From:/return of
> slashdot._org and checks their SPF record
> for slashdot._org
Actually they do not. Neither SPF nor SenderID check the "from" header. SenderID checks the "sender" header and they require forwarders to add/rewrite this header (or use one of the "resent" headers). SPF checks the SMTP envelope from and they expect forwarders to produce one in their own domain and arrange for relaying relayed mail/error messages. The "From" header can be anything. Forwarders complying would get through. So will phishers, using exactly the same methods.
> What it WILL do is keep spammers from imitating ...
> existing domains in their "from" headers
It will not and it cannot. It can only stop forging "Sender" headers (Sender-ID) or envelope-from (SPF). The "From" header that is shown to the user of any email client can still be anything,
Unlike the great wall of china, the great firewall of china is one-way: it stops only incoming traffic...
China doesn't want spam. So it lets the spam go out...