John R. Levine writes, speaks, and consults on the Internet, electronic mail, and related topics. He speaks to many trade, policy, and general groups. He’s testified at the Federal Trade Commission Spam Forum on the mechanics of spam, and to the Senate Commerce Committee on spyware. He’s spoken at the Internet Law and Policy Forum and at many conferences. He’s written many books on the Internet and other computer topics. His books range from the best-selling Internet for Dummies, with over seven million copies of nine editions in print in dozens of languages, the new Fighting Spam for Dummies, and Windows XP: the Complete Reference to books on computer language tools and graphics programming.
Except where otherwise noted, all postings by John Levine on CircleID are licensed under a Creative Commons License.
Senator Elizabeth Warren and Rep. Jerry Nadler recently wrote a letter complaining that VeriSign overcharges for .com domains due to its market power. They sent it to the Department of Justice and the National Telecommunications and Information Administration (NTIA). While you can make a reasonable case that the claim is true, two more interesting questions are "Why now?" and "Why bother?" more
The Internet Archive's Controlled Digital Lending (CDL) lends out scans of physical books, ensuring that each scan is lent to one person at a time. Publishers sued, and the Archive lost thoroughly in April 2023. The Archive appealed the decision to the Second Circuit court in New York. As I said at the time, the appeal seemed like a long shot since that is the same court that said that Google Books was OK, mostly because it didn't provide full copies of the books. more
Jay Fink had an interesting little business. If you lived in California, you could give him access to your email account; he'd look through the spam folder for spam that appeared to violate the state anti-spam law and give you a spreadsheet and a file of PDFs. You could then sue the spammers, and if you won, you'd give Fink part of the money as his fee. more
In 2020 a group of book publishers sued the Internet Archive over their Controlled Digital Lending program, which made PDF scans of books and lent them out from the Archive's website. For books still in copyright, the Archive usually limited the number of copies of a book lent to the number of physical copies of the book they had in storage. Several publishers sued with an argument that can be summarized as "that's not how it works." more
Large Language Models (LLM) like GPT -- 4 and its front-end ChatGPT work by ingesting gigantic amounts of text from the Internet to train the model and then responding to prompts with text generated from those models. Depending on who you ask, this is either one step (or maybe no steps) from Artificial General Intelligence, or as Ted Chiang wrote in the New Yorker, ChatGPT Is a Blurry JPEG of the Web. more
CDA Section 230 has been called "The 26 Words that Created the Internet". While it is obvious how Sec 230 protects the World Wide Web, it is equally important for e-mail. A recent Pennsylvania court case emphasizes this point. Dr. Thomas, a professor at the University of Pennsylvania, forwarded an article about another professor Dr. Monge to an online e-mail discussion list. Dr. Monge claimed the article was defamatory and sued Dr. Thomas, the university, and many others. more
The ever-entertaining Fifth Circuit has recently upheld a strange Texas law that forbids most kinds of social media moderation. (Techdirt explains many of the reasons the court is wrong, so I won't try.) This brings us to the trendy question of whether Facebook, Twitter, et al. should be treated as common carriers. You can make a good argument to separate the point-to-point data transport from the ISP and make the former common carriage. more
Last week the Ukrainian government sent a letter to ICANN asking them to revoke the ".ru", ".рф" and ".su" top-level domains. It also said they were asking RIPE, which manages IP addresses in Europe, to revoke Russian IP addresses. Both ICANN and RIPE said no. Other people have explained why it would have been a policy disaster, but beyond that, neither would actually have worked. more
Technologists and law enforcement have been arguing about cryptography policy for about 30 years now. People talk past each other, with each side concluding the other side are unreasonable jerks because of some fundamental incompatible assumptions between two conceptual worlds in collision. In the physical world, bank branches have marble columns and granite counters and mahogany woodwork to show the world that they are rich and stable. more
Back in the 1980s, everyone used the Lotus 1-2-3 spreadsheet on their PCs. In 1989, Borland released a competitor, Quattro Pro. It used the same menu commands as 1-2-3 so that users could import their 1-2-3 spreadsheets with keyboard macros. Lotus sued Borland, and after a loss in the district court, Borland won on appeal, arguing that the keyboard commands are a "method of operation" and not subject to copyright. Lotus appealed to the Supreme Court... more
When one person transmits the speech of another, we have had three legal models, which I would characterize as Magazine, Bookstore, and Railroad. The Magazine model makes the transmitting party a publisher who is entirely responsible for whatever the material says. The publisher selects and reviews all the material it published. If users contribute content such as letters to the editor, the publisher reviews them and decides which to publish. more
The 20th century was the golden age of surveillance. High-speed communication went either by telegraph and telephone, which needed a license from the government, or by radio, which anyone can listen to. Codes were manual or electromechanical and were breakable, e.g., the Zimmermann telegram and Bletchley Park. (The UK government spent far more effort inventing a cover story for the source of the telegram than on the break itself, to avoid telling the world how thoroughly they were spying on everyone.) more
A fundamental rule of trademarks is that they have to be distinctive, and that nobody can register a trademark on a generic term like "wine" or "plastic." In a case decided today by the U.S. Supreme Court, the court decided 8-1 that online travel agent Booking.com could register its domain name as a trademark. In this case, I think the majority got it wrong, and Justice Breyer's lone dissent is correct. more
An acquaintance said, "We trust our electronic systems to transfer millions of dollars of value; I suspect we will eventually develop schemes we will trust to record and count votes." Unfortunately, this is one of the chronic fallacies that make voting security experts tear their remaining hair out. The security models are entirely different, so what banks do is completely irrelevant to voting. more
A recent piece in The Markup called Swinging the Vote? attempts to figure out how Google decides where to deliver political e-mail. They were startled to discover that only a small fraction of it was delivered into the main inbox, and a fair amount was classed as spam. They shouldn't have been. This is an example of the fallacy We're so nice that the rules don't apply to us, which is far too common among non-profit and political mailers. more
In the always interesting Lawfare blog, former FBI counsel Jim Baker in a piece called Rethinking Encryption reiterates his take on the encryption debates. There's a certain amount that makes me want to bang my head against the wall... But it's worth reading to remind us of what the other side is thinking, even with a lot of motivated reasoning that makes him conclude that Congress can pass some laws and the going dark problem will be solved. more
Apropos of recent news stories about a blockchain-based voting system that was hacked before its first election, someone asked: "Perhaps final recognition that a lot of blockchain is hype? Or simply an interesting side-story?" A blockchain can ensure that the lies you see are the same lies that were published, but that doesn't have much to do with voting. more
The IETF's DMARC working group is thinking about a maintenance update to the DMARC spec, fixing bits that are unclear and perhaps changing it where what mail servers do doesn't exactly agree with what it says. Someone noted that a lot of mailers claim to have "deployed DMARC," and it's not at all clear what that really means. ... I've suggested that we could write a DMARC deployment guide that describes the parts of DMARC, the ways they interact and in what sequence it's useful to deploy them. If you'd find that useful, leave a comment. more
ICANN has spent years trying to figure out what to do with domain name variants, strings that look different but mean the same thing, for some definition of "the same." They've been trying to deal with them in second level domains for a decade, and are now working on rules to allow variant top-level domains. Unfortunately, variants don't work. The problem isn't putting them in the DNS; it's that once they're in the DNS, they don't work anywhere else. more
The IETF is in the midst of a vigorous debate about DNS over HTTP or DNS over HTTPS, abbreviated as DoH. How did we get there, and where do we go from here? (This is somewhat simplified, but I think the essential chronology is right.) Javascript code running in a web browser can't do DNS lookups, other than with browser.dns.resolv() to fetch an A record, or implicitly by fetching a URL which looks up a DNS A or AAAA record for the domain in the URL. more
Forty five what? Forty five abandoned top-level domains. On November 7, ICANN received a notice from the Communication Regulatory Authority of the State of Qatar that they are terminating the registration agreement for .DOHA. Two weeks before that, the Zadco company terminated .ZIPPO. In addition to the $180,000 application fee, applicants had to hire consultants, make arrangements with back-end operators, go through the certification process to get their TLD online. more
M3AAWG, the Messaging, Malware, and Mobile, Anti-Abuse Working Group and APWG, the Anti-Phishing Working Group, surveyed their members about recent WHOIS changes. With over 300 results from security researchers, it's the broadest report yet on WHOIS use. The survey results confirm our concerns that WHOIS was a vital resource for security research, and its loss is a serious and ongoing problem. more
I have recently become aware of a blog post from Recorded Future that attempts to analyze the effects of the GDPR on online security. Unfortunately, it starts by asking an irrelevant question and then goes on to use irrelevant metrics to come to a meaningless answer. The premise of Recorded Future's article - that spammers would send more spam and register more domains because GDPR came into effect - tells us nothing useful about how GDPR affects anything. It's the wrong question... more
When you're standing close to ICANN, the domain business may seem pretty big, but when you stand farther away, not so much. Verisign's revenues are about $1 billion/year. The .COM and .NET top-level domains together have about 150M names. The next biggest gTLDS are .ORG with 25M and .INFO with 12M. The biggest new TLDs are TOP with 2.9M and .XYZ with 1.8M, with both bloated by firesale prices. The rest are smaller, mostly much smaller. more
On Friday I was on a surprisingly interesting session at Rightscon 2018 in Toronto about GDPR and WHOIS. The panel consisted of Eleeza Agoopian from ICANN staff; Avri Doria who was recently appointed to the ICANN board; Elliot Noss who runs large registrar Tucows; Stephanie Perrin who has done a lot of privacy work for the Canadian government and as an ICANN volunteer, and me; Milt Mueller, who is now at Georgia Tech, moderated. more
Bruce Schneier is a famous cryptography expert and Orin Kerr a famous cyberlaw professor. Together they've published a law journal article on Encryption Workarounds. It's intended for lawyers so it's quite accessible to non-technical readers. The article starts with a summary of how encryption works, and then goes through six workarounds to get the text of an encrypted message. more
A recent story in Medium describes yet again quite well why blockchains don't solve any real problems: Blockchain is not only crappy technology but a bad vision for the future. So what is their irresistible appeal? Bitcoins remind me of a story from the late chair of the Princeton University astronomy department. In 1950 Immanuel Velikovsky published Worlds in Collision, a controversial best-selling book that claimed that 3500 years ago Venus and Mars swooped near the earth... more
Recently I've been working on Email Address Internationalization (EAI), looking at what software is available (Gmail and Outlook/Hotmail both handle it now) and what work remains to be done. A surprisingly tricky part is assigning EAI addresses to users. In traditional ASCII mail, the local part of the address, what goes before the @ sign, can be any printable ASCII characters. more
One of the chronic features of the Bitcoin landscape is that Bitcoin exchanges screw up and fail, starting with Mt. Gox. There's nothing conceptually very hard about running an exchange, so what's the problem? The first problem is that Bitcoin and other blockchains are by design completely unforgiving. If there is a bug in your software which lets people steal coins, too bad, nothing to be done. more
Unicode's goal, which it meets quite well, is that whatever text you want to represent in whatever language, dead or alive, Unicode can represent the characters or symbols it uses. Any computer with a set of Unicode typefaces and suitable layout software can display that text. In effect, Unicode is primarily a typesetting language. Over in the domain name system, we also use Unicode to represent non-ASCII identifiers. That turns out to be a problem because an identifier needs a unique form, something that doesn't matter for typesetting. more
Let's say I'm with the Chinese government and decide that I am tired of people evading currency controls and money laundering using Bitcoin. So we adjust the Great Firewall of China to block port 8333. We also add some proxies that allow some uncleared transactions from outside to flow into Chinese networks but not the other way and keep track of which ones we let through. Since a large fraction of the miners are inside China, and all of the hard currency exchanges are outside, this will cause a pretty serious fork. more
Rep's Graves and Sinema recently introduced H.R. 4036, the catchily named Active Cyber Defense Certainty Act or ACDC act which creates some exceptions to criminal parts of computer crime laws. Lots of reports have decried "hack back" but if you read the bill, it's surprisingly well targeted. The first change is to what they call Attributional Technology, and says it's OK to put bait on your computer for an intruder intended to identify the intruder. more
A recent article in the New York Times Dealbook column reported on phone number hijacking, in which a bad guy fraudulently takes over someone's mobile phone number and used it to reset credentials and drain the victim's account. It happens a lot, even to the chief technologist of the FTC. This reminds us that security is hard, and understanding two-factor authentication is harder than it seems. more
Previous article introduced my DNS extension language, intended to make it easier to add new DNS record types to DNS software. It described a new perl module Net::DNS::Extlang that uses the extension language to automatically create perl code to handle new RRTYPEs. Today we look at my second project, intended to let people create DNS records and zone files with new RRTYPEs. more
The Domain Name System has always been intended to be extensible. The original spec in the 1980s had about a dozen resource record types (RRTYPEs), and since then people have invented many more so now there are about 65 different RRTYPEs. But if you look at most DNS zones, you'll only see a handful of types, NS, A, AAAA, MX, TXT, and maybe SRV. Why? A lot of the other types are arcane or obsolete, but there are plenty that are useful. more
It is not much of an exaggeration to say that the Digital Millenium Copyright Act of 1998 makes the Internet as we know it possible. The DMCA created a safe harbor that protects online service providers from copyright suits so long as they follow the DMCA rules. One of the rules is that the provider has to register with the Copyright Office to designate an agent to whom copyright complaints can be sent. The original process was rather klunky; send in a paper form that they scan into their database, along with a check. more
Among the many issues affecting ICANN's thousand new TLDs is collisions, that is, the same name already used elsewhere. The other uses are non-standard and unofficial, but some names turn out to have been used a lot. One approach to see how bad the collisions are is controlled interruption, in which the TLD publishes wildcard records with obvious impossible values, in the hope that systems that use colliding names see them and do something about it. more
Classified ad site craigslist is famously protective of its contents. While they are happy for search engines like Google to index the listings, they really, really do not like third parties to scrape and republish their content in other forms. In 2013 craigslist sued a company called 3taps which had created an API for craigslist data. They also sued real estate site Padmapper, which showed craigslist and other apartment listings on a map, something craigslist didn't do at the time. more
M3AAWG is a trade association that brings together ISPs, hosting providers, bulk mailers, and a lot of infrastructure vendors to discuss messaging abuse, malware, and mobile abuse. (Those comprise the M3.) One of the things they do is publish best practice documents for network and mail operators, including two recently published, one on Password Recommendations for Account Providers, and another on Password Managers Usage Recommendations. more
Human rights are a topic that came up several times at the IETF meeting that just ended. There's a Human Rights Research Group that had a session with a bunch of short presentations, and the featured two talks at the plenary asking, 'Can Internet Protocols Affect Human Rights?' The second one, by David Clark of MIT, was particularly good, talking about "tussle" and how one has to design for it or else people will work around you. more
Unsubscribing from mailing lists is hard. How many times have you seen a message "please remove me from this list," followed by two or three more pointing out that the instructions are in the footer of every message, followed by three or four more asking people to not send their replies to the whole list (all sent to the whole list, of course,) perhaps with a final message by the list manager saying she's dealt with it? For marketing broadcast lists, it's even worse because there's no list to write to. more
I have groused at length about the damage that anti-phishing technique DMARC does to e-mail discussion lists. For at least two years list managers and list software developers have been trying to figure out what to do about it. The group that brought us DMARC is working on an un-DMARC-ing scheme called ARC, which will likely help somewhat, but ARC isn't ready yet, and due to ARC's complexity, it's likely that there will be many medium or small mail systems that enforce DMARC and can't or won't use ARC. more
Unsubscribing from mailing lists is hard. How many times have you seen a message "please remove me from this list," followed by two or three more pointing out that the instructions are in the footer of every message, followed by three or four more asking people to not send their replies to the whole list (all sent to the whole list, of course,) perhaps with a final message by the list manager saying she's dealt with it? more
A few days ago I was startled to get an anti-spam challenge from an Earthlink user, to whom I had not written. Challenges are a WKBA (well known bad idea) which I thought had been stamped out, but apparently not. The plan of challenges seems simple enough; they demand that the sender does something to prove he's human that a spammer is unlikely to do. more
The latest ICANN domain auction brought the auction proceeds piggy bank to about $240 million. The application fees for the new gTLD round were $361 million of which, at the end of March, they'd spent $227 million, and their very conservative estimate is that at the end of the process they'll have spent $289 million. If you add the numbers from the private auctions to the ones for the ICANN auctions, it's as much or more than the application costs. more
This week ICANN will auction off .WEB or .WEBS. There are seven live applications for .WEB and one for .WEBS. The string contention process decided that the two names are so similar that they'll only assign one of them, so all eight applications are in one auction... There are some deep pocketed bidders in this round including Google, Donuts, web.com which owns Network Solutions and a lot of other web properties, and Schlund which owns the largest web hoster 1&1. more
A guy I know passed along this e-mail sent to one of his customers. They assumed it was a phish, since they didn't recognize the domain name in the link, but couldn't figure out what the goal of the phish was. They even checked the list of ICANN registrars, and nope, registrar.eu wasn't on the list. Nonetheless, this mail was real, and if the recipient had ignored it, his domain would have been suspended. What's going on? more
One of the oft-made claims about Bitcoin and its blockchain transaction ledger is that they make transactions really cheap, so you can pay someone anywhere in the world for free, or close to it. But when you look closer, is that really true? Not by a long shot. Bitcoin transactions are stored in a large shared database called the blockchain. more
The US government is demanding Apple unlock iPhones in about a dozen cases beside the San Bernardino one. In a strikingly similar case, Judge James Orenstein in Brooklyn rejected the government's request for three separate reasons. In the decision the judge refers several times to the San Bernardino case, and it is clear he expects this decision to be an important precedent for that one. more
ICANN has now published the results of the auction for .SHOP, an eye-popping $41,501,000. This pushes the ICANN's auction pot over $100 million. That's a lot of money. There are eighteen more name contention sets that are on hold for various reasons, of which a few such as .WEB look likely to generate even more money once the hold issues are resolved. more
The Domain Name System is now over 25 years old. Since the publication of RFCs 1034 and 1035 in 1987, there have been over 100 RFC documents published that extend and clarify the original DNS specs. Although the basic design of the DNS hasn't changed, its definition is now extremely complex, enough so that it's a challenging task to tell whether a DNS package correctly implements the specs. more
ICANN just published the results of the auction for .HOTELS and .HOTEIS. The high bidder (I'm not sure "winner" really applies here) was Booking.com, who will use .HOTELS. The $2.2M they paid, along with the prior results, notably the $25 million Google paid for .APP, brings the total in ICANN's auction pot to about $60.5 million. There's a few more auctions scheduled for CAM, PHONE, and SHOP/SHOPPING, along with yet to be scheduled auctions for DOCTOR, INC, LLP, and LLC. more
DMARC is an anti-phishing technique that AOL and Yahoo repurposed last year to help them deal with the consequences of spam to (and apparently from) addresses in stolen address books. Since DMARC cannot tell mail sent through complex paths like mailing lists from phishes, this had the unfortunate side effect of screwing up nearly every discussion list on the planet. Last week the DMARC group published a proposal called ARC, for Authenticated Received Chain, that is intended to mitigate the damage. What is it, and how likely is it to work? more
ICANN is in the midst (I wouldn't yet say the middle) of its transition from oversight by the US Department of Commerce to oversight by something else. A Cross Community Working Group (CCWG) on Accountability delivered a long report in August that proposes a new oversight structure for ICANN. But it has the practical problem that the ICANN board really, really hates it. Having looked at it, I can't entirely blame them. more
ICANN, as we all know, is a California non-profit that is tax exempt in the US as a charity, under section 501(c)(3) of the US tax code. But it's a rather unusual charity. Typical charities support the arts, or education, or sports, or relief for the poor. ICANN doesn't do anything like that. So what's the basis for its tax exemption? We don't have to guess, it's all in the application they filed in 1999. more
Back in the 1990s as the Internet was starting to become visible to the world, several people had the bright idea of setting up their own top level domains and selling names in competition with what was then the monopoly registrar Network Solutions (NSI). For these new TLDs to be usable, either the TLD operators had to persuade people to use their root servers rather than the IANA servers, or else get their TLDs into the IANA root. Attempts to get people to use other roots never were very successful... more
When last we wrote, trademark lawyers had written an outraged letter to ICANN about the $2500 price to preregister trademark.sucks names, and ICANN, reliably panicking in the face of legal threats, wrote to the US Federal Trade Commission and Canadian Office of Consumer Affairs saying please tell us that's illegal so we can shut down this registry with whom we just signed a long-term contract. (The mysterious $1 surcharge turned out to be a weak attempt by ICANN to collect debts that affiliates of registry owner Momentous defaulted on long ago.) more
At NetHui last week one of the most interesting sessions was "Is there an app for that?". The issue was that while apps can be easy to use, they are little walled gardens within an app store which is another level of walled garden. The Apple app store or Google play makes it easy to find apps, but it also means that you're limited to apps that your environment's corporate overlords approve and in Apple's case, charge to include. more
Stepping back from the DMARC arguments, it occurs to me that there is a predictable cycle with every new e-mail security technology... Someone invents a new way to make e-mail more secure, call it SPF or DKIM or DMARC or (this month's mini-fiasco) PGP in DANE. Each scheme has a model of the way that mail works. For some subset of e-mail, the model works great, for other mail it works less great. more
Every year M3AAWG gives an award for lifetime work in fighting abuse and making the Internet a better place. Yesterday at its Dublin meeting they awarded it to Rodney Joffe, who has been quietly working for over 20 years. I can't imagine anyone who deserves it more. more
Although I don't have a lot of sympathy for the trademark lawyers' argument that trademark holders need to register .sucks domains cheaply before anyone else can, there is one point at the end of their letter that's worth a look. The registry contract for .sucks, between Vox Populi and ICANN, has this sentence that appears (as far as I know) in no other registry contract, in the section on Registry-Level fees. more
Good taste has never been a criterion in ICANN's new domains program, and domains including .fail and the remarkably vulgar .wtf have become part of the DNS with little comment. Now we have .sucks, which is intended to empower consumers, but does so in a way so clumsy that ICANN is asking regulators in the U.S. and Canada for an excuse to shut it down. more
Back in the mid 1990s, before ICANN was invented, a lot of people assumed that the way you would find stuff on the Internet would be through the Domain Name System. It wasn't a ridiculous idea at the time. The most popular way to look for stuff was through manually managed directories like Yahoo's, but they couldn't keep up with the rapidly growing World Wide Web. Search engines had been around since 1994, but they were either underpowered and missed a lot of stuff, or else produced a blizzard of marginally relevant results. more
ICANN reports that Google paid over $25 million for .APP in the February 25 domain auction. They were willing to bid $30M, but it's a second bid auction so that was just enough to beat out whoever the second highest bidder was. The auction proceeds piggy bank just nearly doubled from $34M to about $59M dollars, and ICANN still has no idea what to do with it. more
Kieren McCarthy reports in The Register that an obscure Panamanian company paid $30 million for .BLOG in the January 21 domain auction. ICANN's web site confirms that the domain did go to the Panamanian company. It doesn't report the amount, but Kieren's sources are usually correct. If so, the auction proceeds piggy bank just doubled from $30M to $60M dollars, and ICANN still has no idea what to do with it. more
I have often remarked that any fool can run a DNS-Based Blacklist (DNSBL) and many fools do so. Since approximately nobody uses the incompetently run black lists, they don't matter. Unfortunately, using a DNSBL requires equally little expertise, which becomes a problem when an operator wants to shut down a list. When someone sets up a mail server (which we'll call an MTA for Mail Transfer Agent), one of the tasks is to configure the anti-spam features, which invariably involves using DNSBLs. more
The Spamhaus Project just published a long article about the botnets they've been watching during 2014. As this chart shows, we're not making any progress. They also note that the goals of botnets have changed. While in the past they were mostly used to send spam, now they're stealing banking and financial information, engaging in click fraud, and used for DDoS and other malicious mischief. more
Two weeks ago I blogged about ICANN's astonishingly lucrative domain auctions. At that time, they'd raised $26.7 million. Now, two auctions later, they're up to about $33 million. Yesterday's two auctions were for .MLS and .BABY. The former, for those who aren't deep into the real estate biz, stands for Multiple Listing Service, the system that lets you list a house with one broker, and all the other brokers can sell it. more
The recent huge security breach at Sony caps a bad year for big companies, with breaches at Target, Apple, Home Depot, P.F.Changs, Neiman Marcus, and no doubt other companies who haven't admitted it yet. Is this the new normal? Is there any hope for our private data? I'm not sure, but here are three observations... This week Brian Krebs reported on several thousand Hypercom credit card terminals that all stopped working last Sunday. Had they all been hacked? more
DMARC is an anti-phishing scheme that was repurposed in April to try to deal with the fallout from security breaches at AOL and Yahoo. A side effect of AOL and Yahoo's actions is that a variety of bad things happen to mail that has 'From:' addresses at aol.com or yahoo.com, but wasn't sent from AOL or Yahoo's own mail systems. If the mail is phish or spam, that's good, but when it's mailing lists or a newspaper's mail-an-article, it's no so good. more
Last week we heard of yet another egregious security breach at an online provider, as crooks made off with the names, address, and birth dates of eBay users, along with encrypted passwords. They suggest you change your password, which is likely a good idea, and you better also change every other place you used the same password. But that's not much help since you can't change your name, address, and birth date, which are ever so handy for phishing and identity theft. more
Two weeks ago I wrote about Yahoo's unfortunate mail security actions. Now it's AOL's turn, and the story, as best as I can piece it together, is not pretty. Yahoo used an emerging system called DMARC, which was intended to fight phishing of often forged domains like paypal.com. A domain owner can publish a DMARC "reject" policy which, oversimplifying a little, tells the world that if mail with their name on the 'From:' line didn't come from their servers, it's not from them so you should reject it. more
Heartbleed, for anyone who doesn't read the papers, is a serious bug in the popular OpenSSL security library. Its effects are particularly bad, because OpenSSL is so popular, used to implement the secure bit of https: secure web sites on many of the most popular web servers such as apache, nginx, and lighttpd. A few people have suggested that the problem is that OpenSSL is open source, and code this important should be left to trained professionals. They're wrong. more
DMARC is what one might call an emerging e-mail security scheme. It's emerging pretty fast, since many of the largest mail systems in the world have already implemented it, including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo. DMARC lets a domain owner make assertions about mail that has their domain in the address on the 'From:' line. It lets the owner assert that mail will have a DKIM signature with the same domain, or an envelope return (bounce) address in the same domain that will pass SPF validation. more
Here's a chart showing the ten largest new Top-Level Domains (TLDs) and the number of domains in each one, going back five days. It's updated every day around 3 AM New York time, so visit early and often. Data is from downloaded TLD zone files. Some new TLDs don't have zone files available yet but I don't think any of them are very big. more
ICANN has now accepted several hundred new top level domains (TLDs) and some of them are now open for general registration. I have sized up for zone file access, so I can download daily snapshots of most of the active zones, and I'm making daily counts of the number of names in each zone. more
Earlier this week Verisign sponsored a two day conference on name collisions in the DNS. Despite the very short time frame in which it was organized, only a month from announcement to meeting, there were some very good presentations. I'll just hit some highlights here; all of the papers and slides are on their web site at namecollisions.net. Sunday morning started with a keynote by Bruce Schneier, who is not a DNS expert (and doesn't claim to be) but had some interesting observations on names in general. more
One of the hottest topics in the email biz these days (insofar as any topic is hot) is how we will deal with mail on IPv6 networks. On existing IPv4 networks, one of the most effective anti-spam techniques is DNSBLs, blackists (or blocklists) that list IP addresses that send only or mostly spam, or whose owners have stated that they shouldn't be sending mail at all. DNSBLs are among the cheapest of anti-spam techniques since they can be applied to incoming mail connections without having to receive or filter spam. more
Everyone who's been in the e-mail biz long enough knows the term FUSSP, Final Ultimate Solution to the Spam Problem, as described in a checklist from Vern Schryver and a form response that's been floating around the net for a decade. FUSSPs fall into two general categories, bad ideas that won't go away, and reasonable ideas that are oversold. more
A lot of people (including me) are pretty upset at revelations of the breadth and scale of NSA spying on the Internet, which has created a great deal of ill will toward the US government? Will this be a turning point in Internet Governance? No, smoke will continue to be blown and nothing will happen. Governments are not monolithic. What people call Internet governance is mostly at the DNS application level, and perhaps the IP address allocation. more
ICANN recently updated the list of reserved second level domain names. Those are names that you won't be able to register in any of the 1500 or so new domains they're planning to add. There's rather a lot of them, currently 629. The names are in three groups, the ICRC (the Red Cross), the IOC (the Olympic games) and everyone else. Several years ago the Red Cross and later the Olympics came to ICANN and insisted that they make a special list of forbidden names, separate from the various trademark registries. more
Spam Arrest is a company that sells an anti-spam service. They attempted to sue some spammers and, as has been widely reported, lost badly. This case emphasizes three points that litigious antispammers seem not to grasp: Under CAN SPAM, a lot of spam is legal; Judges hate plaintiffs who try to be too clever, and hate sloppy preparation even more; Never, ever, file a spam suit in Seattle. more
I've been having arguments about Network Neutrality with a lawyer. My position is that you can't adequately regulate ISPs to be neutral, because there's no agreement what "neutral" means in practice. He points out that the courts aren't interested in technical details like what packets are dropped, it's that all traffic has to be treated the same, and ISPs should just figure out how to do that. So I contemplated a city with Plumbing Neutrality with the simple rule that all people must be treated the same... more
The IETF WEIRDS working group is defining a follow-on to WHOIS. Since this is the IETF, it's working on the technical issues about which it can deal with, not policy which is up to ICANN and the country registries. Somewhat to my surprise, the group is making steady progress. We've agreed that the basic model is RESTful, with queries via http, and responses as JSON data structures. The protocol is named RDAP for Registration Data Access Protocol, or maybe RESTful Data Access protocol. more
At its meeting in Durban, ICANN signed contracts with the applicants for four new top level domains. The new domains are ????, which means "web" in Arabic, ?????? and ????, which mean "online" and "site" in Russian, and ??, which means "game" in Chinese. They should give us an interesting hint about the future of the new TLDs, because all four are utterly, totally, generic. more
The endless lawsuit by the Authors Guild (which purports to represent authors, no longer including me), against Google moved another small step toward completion today. The Guild is just sure that Google's book scanning project means that end of civilization as we, or at least they, know it. Their arguments run from the somewhat plausible, that the scans are in violation of copyright, to the just plain goofy, that the scan data is so amazingly valuable yet vulnerable that Google must destroy it before someone steals it. more
Last week a Utah court issued a default judgement under CAN SPAM in Zoobuh vs. Better Broadcasting et al. I think the court's opinion is pretty good, even though some observers such as very perceptive Venkat Balasubramani have reservations. The main issues were whether Zoobuh had standing to sue, whether the defendants domain names were obtained fraudulently, and whether the opt-out notice in the spam was adequate. more
The papers have been abuzz with the shutdown of Liberty Reserve, an online payments system, due to accusations of large scale money laundering via anonymous transactions. Many people have noted similarities between LR and Bitcoin and wonder whether Bitcoin is next. I doubt it, because with Bitcoin, nothing is anonymous. more
Culminating a year-long policy development process, ICANN today launched its new Blocking Usage Review Panel (BURP). The BURP provides long-needed oversight over services that block Internet traffic. "While everyone understands that national laws such as the U.S. CAN SPAM define what traffic is or is not elegible to block, legal processes can be slow and cumbersome," said a spokeswoman. "Since the Internet is global and traffic often traverses multiple countries, the array of different laws cause uncertainty." more
Yesterday Verisign sent ICANN a most interesting white paper called New gTLD Security and Stability Considerations. They also filed a copy with the SEC as an 8-K, a document that their stockholders should know about, It's worth reading the whole thing, but in short, their well-supported opinion is that the net isn't ready for all the new TLDs, and even if they were, ICANN's processes or lack thereof will cause other huge problems. more
Last week I blogged about the way that lots of otherwise legitimate companies leak e-mail addresses to spammers. Here's a few more thoughts. One person asked how I knew that these were leaks, and not dictionary attacks, since the addresses I use are fairly obvious, the name of an often well known company @ my domain. It's a reasonable question, but the answer is simple... more
Acronis is a company that sells backup software. They have been around for over a decade, and have lots of big respectable customers. The Wall Street Journal is the nation's leading business newspaper. Equifax is one of the big three national credit bureaus. Shelfari is a book interest web site owned by Amazon. The Economist is a globally influential newsweekly. Airliners.net is a popular photosharing site for airplane enthusiasts. What do they have in common? more
In the previous installments we looked at software changes in mail servers, and in the software that lets user mail programs pick up mail. What has to change in the user mail programs? ... The first and most obvious is that users have to be able to enter the addresses. more
According to a filing with the SEC, the Department of Commerce renewed the .COM agreement for six more years. The renewal was held up until the last minute (the old agreement expired yesterday) due to antitrust concerns, specifically about pricing. The main change in the new agreement is that Verisign is no longer allowed to increase the price above the existing $7.85... more
In the previous instalment we looked at the software changes needed for mail servers to handle internationalized mail, generally abbreviated as EAI. When a message arrives, whether ASCII or EAI, mail servers generally drop it into a mailbox and let the user pick it up. The usual ways for mail programs to pick up mail are POP3 and IMAP4. more
Mail software consists of a large number of cooperating pieces, described in RFC 5598. A user composes a message with a Mail User Agent (MUA), which passes it to a Mail Submission Agent (MSA), which in turn usually passes it to a sequence of Mail Transfer Agents (MTAs), which eventually hand it to a Mail Delivery Agent (MDA) to place it in the user's mail store. If the recipient user doesn't read mail on the same computer with the mail store (as is usually the case these days) POP or IMAP transfers the mail to the recipient's MUA. more
In July, several people filed attempted class action suits against Google, on the peculiar theory that Gmail was spying on its own users' mail. One of the suits was in Federal court, the other two in California state court, but the complaints were nearly identical so we assume that they're coordinated.Now we have a similar suit filed in provincial court in British Columbia, Canada. more
United Against Nuclear Iran (UANI) is an advocacy group that, among other things, tries to isolate Iran by pressuring businesses and organizations to stop doing business with Iran. This week they turned their attention to ICANN and RIPE to try to cut off Internet access to Iranian organizations. Regardless of one's opinion about the wisdom of isolating Iran (and opinions are far from uniform), this effort was a bad idea in an impressive number of both technical and political ways. more
Bing is Microsoft's newish search engine, whose name I am reliably informed stands for Bing Is Not Google. A couple of months ago, as an experiment, I put up a one page link farm at wild.web.sp.am. As should be apparent after about three seconds of clicking on the links there, each page has links to 12 other pages, with the page's host name made of three names, like http://aaron.louise.celia.web.sp.am. The pages are generated by a small perl script and a database of a thousand first names. more
A few days ago I opined that if several people want the same Top-Level Domain (TLD) and can't come to terms otherwise, they should arrange a private auction. It would be an odd sort of auction, since the buyers and sellers are the same people, so unlike normal auctions, the goal is not to maximize the selling price. How might it work? more
The process for ICANN's new TLDs says that if there are several equally qualified applicants for a TLD, and they can't agree which one gets it, ICANN will hold an auction to decide. Recently some people have suggested that the applicants could use a private auction instead. Well, of course. In a situation like this, the question isn't whether there will be an auction, but only who will keep the money. more
In recent months there's been a robust and apparently well-funded debate about the legal status of search engine results, in particular Google's search results. On Tuesday, Tim Wu, a well-known law professor at Columbia weighed in with an op-ed in the New York Times, arguing that it's silly to claim that computer software has free speech rights. Back in April, equally famous UCLA professor Eugene Volokh published a paper, funded by Google, that came to the opposite conclusion... more
ICANN unveiled all the applications for new top level domains today, all 1,930 of them. Most of them were fairly predictable, big companies applying for their own names like .IBM, .DUPONT, .AUDI, and .HSBC. The most applications for the same name were 13 for .APP, 11 for .INC and .HOME, 10 for .ART, 9 for .SHOP, .LLC, .BOOK, and .BLOG. None of those claim community support so they'll have to slug it out in the contention process. more
DNS blacklists for IPv4 addresses are now nearly 15 years old, and DNSBL operators have gathered a great deal of expertise running them. Over the next decade or two mail will probably move to IPv6. How will running IPv6 DNSBLs differ from IPv4? There aren't any significant IPv6 DNSBLs yet since there isn't significant unwanted IPv6 mail traffic yet (or significant wanted traffic, for that matter), but we can make some extrapolations from the IPv4 experience. more
I opined about a year ago that DNS blacklists wouldn't work for mail that runs over IPv6 rather than IPv4. The reason is that IPv6 has such a huge range of addresses that spammers can easily send every message from a unique IP address, which means that recipient systems will fire off a unique set of DNSBL queries for every message... Now I'm much less sure this will be a problem... more
Courtesy forwards have been a standard feature of e-mail systems about as long as there have been e-mail systems. A user moves or changes jobs or something, and rather than just closing the account, the mail system forwards all the mail to the user's new address. Or a user with multiple addresses forwards them all to one place to be able to read all the mail together. Since forwarding is very cheap, it's quite common for forwards to persist for many years. Unfortunately, forwarding is yet another thing that spam has screwed up. more
It shouldn't be a big surprise to hear that phishing is a big problem for banks. Criminals send email pretending to be a bank, and set up web sites that look a lot like a bank. One reason that phishing is possible is that e-mail has no built in security, so that if a mail message comes in purporting to be from, say, [email protected], there's no easy way to tell whether the message is really from bankofamerica.com, or from a crook. more
The trade press is abuzz today with reports about a security breach at Verisign. While a security breach at the company that runs .COM, .NET, and does the mechanical parts of managing the DNS root is interesting, this shouldn't be news, at least, not now. Since Verisign is a public company, they file a financial report called a 10-Q with the SEC every quarter. According to the SEC's web site, Verisign filed their 10-Q for June through September 2011 on October 28th. more
My mail server has a lot of spamtraps. They come from various sources, but one of the most prolific is bad addresses in personal domains. Several of my users have their own domains, such as my own johnlevine.com, in which they use a handful of addresses. Those addresses tend either to be people's first names, for individual mailboxes, or else the names of companies. If I did business with Verizon (which I do not) I might give them an address like [email protected]. All those domains get mail to lots of other addresses, which is 100% spam. more
An interesting new paper from the Naval Postgraduate School describes what appears to be an interesting new twist on spam filtering, looking at the characteristics of the TCP session through which the mail is delivered. They observe that bots typically live on cable or DSL connections with slow congested upstreams. ... This paper tries to see whether it would be practical to use that info to manage spam in real time. more
In my last post I blogged about greylisting, a well-known anti-spam technique for rejecting spam sent by botnets. When a mail server receives a an attempt to deliver mail from an IP address that's never sent mail before, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail senders always retry, badly written spamware often doesn't. I found that even though everyone knows about greylisting, about 2/3 of IPs don't successfully retry. more
Greylisting is a hoary technique for rejecting spam sent by botnets and other poorly written spamware. When a mail server receives an attempt to deliver mail from a hitherto unseen sending host IP address, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail software does try again, at which point you note that the host knows how to retry and you don't greylist mail from that IP again. more
Mainsleaze is nerdy slang for spam sent by large, well-known, otherwise reputable organizations. Although the volume of mainsleaze is dwarfed by the volume of spam for fake drugs, account phishes, and Nigerian 419 fraud, it causes work for mail managers far out of proportion to its volume... The problem with mainsleaze is that it is generally mixed in with mail that the recipients asked for, and there's no way to tell the difference mechanically. more
In previous installments we've been looking at aspects of the design of the DNS. In today's grand finale we look at the the subtle but very knotty issue of names inside and outside the DNS. In the early years of the DNS, domain names were typically resolved to A records which were used to identify a host running a service. With the notable exception of e-mail, once the host was identified, the name no longer mattered. more
In previous installments we've been looking at aspects of the design of the DNS. Today we look at the relationship of similar names in the DNS. A poorly appreciated aspect of the DNS is that there is no inherent relationship between similar looking names. more
In the five previous exciting installments, we've been looking at aspects of the design of the DNS. Today we look at records types, and how you can tell what a DNS record means. All the records in the DNS are strongly typed. Each record includes an RRTYPE, a small number, which defines both the format of the record and what the record means. It is possible and common to have different record types with the same format, but different meanings. more
In the previous four installments, we've been looking at aspects of the design of the DNS. Today we look at the amount of data one can ask the DNS to store and to serve to clients. Most DNS queries are made via UDP, a single packet for query and a single packet for the response, with the packet size traditionally limited to 512 bytes. This limits the payload of the returned records in a response packet to about 400 bytes... more
In the previous installments, we've been looking at aspects of the design of the DNS. Many databases go to great effort to present a globally consistent view of the data they control, since the alternative is to lose credit card charges and double-book airline seats. The DNS has never tried to do that. The data is roughly consistent, but not perfectly so. more
In the previous installments, we looked at the overall design of the DNS and the way DNS name matching works. The DNS gains considerable administrative flexibility from its delegation structure. Each zone cut, the place in the DNS name tree where one set of DNS servers hands off to another, offers the option to delegate the administration of a part of the DNS at the delegation point. more
In the previous installment, we looked at the overall design of the DNS. Today we'll look at the ways it does and does not allow clients to look up data by name. The most important limitation of the DNS, compared to other databases, is that it only does exact match lookups. That is, with a few minor exceptions, the name in the query has to match the name of the desired records exactly. more
Over the past 30 years the Domain Name System has become an integral part of the operation of the Internet. Due to its ubiquity and good performance, many new applications over the years have used the DNS to publish information. But as the DNS and its applications have grown farther from its original use in publishing information about Internet hosts, questions have arisen about what applications are appropriate for publication in the DNS, and how one should design an application to work well with the DNS. more
In our last instalments we discussed the various ways to encode non-ASCII character sets, of which UTF-8 is the winner, and some complex approaches that tried to make UTF-8 mail backward compatible with ASCII mail. After years of experiments, the perhaps surprising consensus is that if you're going to do international mail, you just do it. more
In our last installment we discussed MIME, Unicode and UTF-8, and IDNA, three things that have brought the Internet and e-mail out of the ASCII and English only era and closer to fully handling all languages. Today we'll look at the surprisingly difficult problems involved in fixing the last bit, internationalized e-mail addresses. more
Back when the Internet was young end servers came with shovels (for the coal), everyone on the net spoke English, and all the e-mail was in English. To represent text in a computer, each character needs to have a numeric code. The most common code set was (and is) ASCII, which is basically the codes used by the cheap, reliable Teletype printing terminals everyone used as their computer consoles. ASCII is a seven bit character code, code values 0 through 127, and it includes upper and lower case letters and a reasonable selection of punctuation adequate for written English. more
On June 20th, the ICANN board voted to move ahead with the new generic Top-Level Domains (gTLDs) program, intended to add hundreds, if not thousands of new names to the DNS root. Now what? Not even the most enthusiastic ICANN supporters think that any new TLDs will be added before the end of 2012, but there are other things going on that greatly complicate the outlook. more
I've been watching at the excitement build in the domain community, where a lot of people seem to believe that at next month's Singapore meeting, by golly, this time ICANN will really truly open the floodgates and start adding lots of new Top-Level Domains (TLDs). I have my doubts, because there's still significant issues with the Governmental Advisory Committee (GAC) and the US Government and ICANN hasn't yet grasped the fact that governments do not defer to NGOs, but let's back up a little and ask is this a good idea. more
It's no secret that the supply of IPv4 addresses, on which the Internet has been based since the dawn of digital time, is rapidly running out. The official replacement is much larger IPv6 addresses, but I can report from experience that the task of switching is not trivial, and for a long time there will be a lot of the net that's only on IPv4. So once the initial supply of IPv4 addresses run out, and the only way to get some is to buy them from someone else, what will the market be like? more
It's been a very bad month for ESPs, companies that handle bulk mailings for their clients. Several of them have had internal security breaches, leaking client information, client mailing lists, or both. Many have also seen clients compromised, with the compromised credentials used to send spam. The sequence of events suggests all the ESPs whose clients were compromised were themselves compromised first. (That's how the crooks knew who to attack.) more
At Friday's board meeting, ICANN once again narrowly approved the contentious .XXX domain intended for pornography. What this vote primarily shows is that ICANN's processes have been broken for a long time, and aren't getting fixed. Two board members made thoughtful and eloquent statements before the vote outlining the reasons they were about to vote for or against the domain. more
Unless you've been living under a rock, you've doubtless seen reports that the supply of IPv4 addresses is running out. Earlier this month IANA, the master allocation authority, handed out the last so-called /8, a large chunk of 16 million addresses, to one of the regional address registries... Then what? The conventional wisdom is that everyone needs to support IPv6, a mostly compatible upgrade to IPv4 with much larger addresses, by the time the v4 space runs out. But I'm not so sure, particularly for e-mail. more
For a very long time, predating the birth of ICANN, there's been a running battle about what should be required when one registers domain names. To oversimplify quite a lot, one side sees domain names as an essential component of free speech, so anyone should be able to register any domain without limit, the other notes that they're primarily used for commercial purposes and they enable quite a lot of mischief, so the more control, the better. more
Back in August, FTC chair Jon Leibowitz suggested an Internet do-not-track registry, analogous to the telephone do-not-call registry. At the time, I thought it wasn't a good idea for both technical and non-technical reasons. This week, the FTC published an online privacy report recommending the same thing, and Rep. Ed Markey promises to offer a bill next year to mandate do-not-track for children. With all this interest, might it be a good idea now? Maybe. more
All effective spam filters use DNS blacklists or blocklists, known as DNSBLs. They provide an efficient way to publish sets of IP addresses from which the publisher recommends that mail systems not accept mail. A well run DNSBL can be very effective; the Spamhaus lists typically catch upwards of 80% of incoming spam with a very low error rate. DNSBLs take advantage of the existing DNS infrastructure to do fast, efficient lookups. A DNS lookup typically goes through three computers... more
The case Melaleuca v. Hansen has been moving slowly through Idaho federal court since 2007. On Sept 30 the court decided in favor of the defendants. Although the outcome is probably correct, the court's decision perpetuates the misreading of CAN SPAM from the infamous Gordon case that makes it in practice impossible to win a CAN SPAM case in the 9th Circuit. more
A small company in suburban Philadelphia called Holomaxx recently filed two lawsuits against large webmail providers, complaining that they weren't delivering mail from Holomaxx. The first suit is against Microsoft and Return Path, and the second suit is against Yahoo and Cisco/Ironport. Neither is going anywhere. more
The .LY domain is Libya, and their government recently cancelled the registration of the short and snappy VB.LY, provoking great gnashing of teeth. If you direct your attention to the address bar above this page, you'll note that it's at JL.LY, equally short and snappy. The .LY registry started allowing two letter second-level domains last year, and there was a quiet land rush. Now they restrict those domains to people actually in Libya, but say they'll let us keep the ones we have. How concerned am I that they'll take my domain away, too? more
For several months I have been working with the Spamhaus project on a whitelist, which we announced to the public this week. While this is hardly the first mail whitelist, our goals are somewhat different from other whitelists. Think of e-mail as ranging from inky black to pearly white... more
When a user of a large mail system such as AOL, Yahoo, or Hotmail reports a message as junk or spam, one of the things the system does is to look at the source of the message and see if the source is one that has a feedback loop (FBL) agreement with the mail system. If so, it sends a copy of the message back to the source, so they can take appropriate action, for some version of appropriate. For several years, ARF, Abuse Reporting Format, has been the de-facto standard form that large mail systems use to exchange FBL reports about user mail complaints. more
Earlier today, Google and Verizon offered a widely publicized "Proposal for an Open Internet." There's been extensive comment with lots of reasons not to like it, but one I haven't seen is that the proposal would make it much harder to filter so-called "mainsleaze" spam. ... The problem is that under the pitifully weak CAN-SPAM law, a lot of spam is entirely legal. more
In a recent article, I read about increasingly intrusive tracking of online users, which has lead to a proposal at the FTC, "FTC Chairman Jon Leibowitz said the system would be similar to the Do-Not-Call registry that enables consumers to shield their phone numbers from telemarketers." Maybe I'm dense, but even if this weren't a fundamentally bad idea for policy reasons, I don't see how it could work. more
A friend of mine wrote to ask: "The Supreme Court overturned the Jaynes conviction on First Amendment grounds, yes? I'm wondering what that could mean from the spam filtering perspective." Spam filters, and in particular DNS blacklists are intended to prevent e-mail from being delivered. Doesn't the First Amendment make it illegal to block speech? The short answer is no, but of course it's slightly more complicated than that in practice. more
At Friday's meeting of the ICANN board in Brussels, they voted, probably for the last time, to approve the 2004 application for the .XXX domain. Purely on the merits, there is of course no need for a top level domain for porn. This isn't about the merits, this is about whether ICANN follows its own rules. Despite overheated press reports, .XXX will not make porn any more available online than it already is (how could it?), there is no chance of all porn being forced into .XXX (that's a non-starter under US law), and .XXX will have no effect on the net other than perhaps being a place to put legal but socially marginal porn far away from any accidental visitors. more
Earlier this week in a press release, VeriSign said that they are selling their SSL certificate business to Symantec. VeriSign is the dominant player in this market, having absorbed competitor Thawte in 1999, and Geotrust in 2006. Three years ago, when VeriSign decided to divest its non-core businesses, they kept the certificate business. So what's changed? more
Way back in 2004, ICANN invited applications for a round of new TLDs. They got quite a few. Some were uncontroversial, such as .JOBS for the HR industry. Some were uncontroversial but took a long time, such as .POST which took five years of negotiation, entirely due to the legal peculiarities of the registry being part of the UN. But one was really controversial, .XXX. By 2005, the applicant, ICM registry, had satisfied all the criteria that ICANN set out in the 2004 round to get .XXX approved, and ICANN has been stalling them ever since... more
The CAN SPAM act has been in place for five and a half years. Compatible state laws have been in place nearly as long. Anti-spam laws in the EU, Australia, and New Zealand were enacted years ago. But the number of significant anti-spam lawsuits is so small that individual bloggers can easily keep track of them. Considering that several billion spams a day are sent to people's inboxes, where are all the anti-spam lawsuits? more
Last month a bill in the Israeli Knesset would have required ISPs to provide portable e-mail addresses, analogous to portable phone numbers that one can take from one phone company to the other. As I noted at the time, e-mail works differently from telephone calls, and portability would be difficult, expensive, and unreliable. So I was wondering, idly, if we really wanted to provide portable e-mail addresses, how hard would it be? more
Bennett Haselton, who runs the Peacefire anti-censorship site, is one of the more successful anti-spam litigants. He says he's filed about 140 suits, mostly in small claims court, and has won the majority of the suits that got far enough to be decided on the merits. But last month, in Federal court in Seattle, he lost a suit against Quicken Loans that he should have won, partly because of his own mistakes, but largely because of the pernicious effect of Gordon vs. Virtumundo. more
News reports say that the Israeli government is close to passing a law that requires portable e-mail addresses, similar to portable phone numbers. Number portability has been a success, making it much easier to switch from one provider to another, and address portability might ease switching among ISPs. But e-mail is not phone calls. Is it even possible? more
For the benefit of trademark owners, ICANN has something called the UDRP (Uniform Dispute Resolution Process) that allows the owner to file a complaint against an allegedly infringing domain name, to be resolved by one of a small set of arbitrators. About 90% of UDRP cases that proceed to a decision are decided in favor of the complainant; opinions differ as to whether that's because of the merit of the complaints or the institutional bias of the arbitrators. more
In a recent discussion among mail system managers, we learned that one of the large spam filter providers now has an option to reject all mail from ESPs (e-mail service providers, outsourced bulk mailers) regardless of opt-in, opt-out, spam complaints, or anything else, just block it all. Some of the ESPs wondered what would drive people to do that... more
Earlier this year, the New Zealand Department of Internal Affairs, the US Federal Trade Commission, and the Australian CMA broke up a large fake drug spam ring known as Herbal Kings, run by New Zealander Lance Atkinson. The NZ government fined him NZ$108,000 (about US$80,000) which, while a substantial fine, seemed pretty small compared to the amount of money he must have made. But today, at the FTC's request a US judge fined Atkinson US$15.5 million, and got his US accomplice Jody Smith to turn over $800,000, including over $500,000 in an Israeli bank. more
ICANN has opened their new fast track process for "countries and territories that use languages based on scripts other than Latin" to get domain names that identify the country or territory in its own language. It's not clear to me what the policy is supposed to be for countries whose languages use extended Latin with accents and other marks that aren't in the ASCII set. more
Banks love it when their customers do their transactions on line, since it is so much cheaper than when they use a bank-provided ATM, a phone call center, or, perish forbid, a live human teller. Customers like it too, since bank web sites are usually open 24/7, there's no line and no need to find a parking place. Unfortunately, crooks like on line banking too, since it offers the possibility of stealing lots of money. How can banks make their on line transactions more secure? more
At its recent meeting in Seoul ICANN announced with great fanfare that it's getting ever closer to adding lots of new Top Level Domains (TLDs). Despite all the hype, new TLDs will make little difference... I agree with my old friend Lauren Weinstein that this is a tempest in a very expensive teapot, because all of the purported reasons that people want new TLDs have been proven false, and the one actual reason that a new TLD would be valuable has no public benefit. more
On Wednesday, Project Honey Pot filed an unusual lawsuit against "John Does stealing money from US businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam." Their attorney is Jon Praed of the Internet Law Group, who is one of the most experienced anti-spam lawyers around, with whom I have worked in the past. more
Phishing is when bad guys try to impersonate a trusted organization, so they can steal your credentials. Typically they'll send you a fake e-mail that appears to be from a bank, with a link to a fake website that also looks like the bank. Malware offers another more insidious way to steal your credentials, by running unwanted code on your computer... I like VeriSign's characterization of this kind of malware as an insecure endpoint, the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it. more
In a discussion about a recent denial of service attack against Twitter, someone asked, "Some class of suppliers must be making money off of the weaknesses. Anybody out there have a prescription for the cure?" Sure, but you're not going to like it. The Internet was originally a walled garden, where its operators knew who all the users were and could eject anyone who misbehaved... more
VeriSign makes a great deal of money from the .COM and .NET registries. Can we tell how much they make, and how much that might change if the CFIT lawsuit succeeds? It's not hard to make some estimates from public information. The largest gTLD registry that VeriSign doesn't run is .ORG, which was transferred a few years ago to the Public Internet Registry (PIR) which pays Afilias to run the registry, and uses whatever is left over to support the Internet Society (ISOC)... more
The DKIM standard has been out for two years now, and we're starting to see some adoption by large mail systems, but there's still a lot of misunderstanding about what DKIM does and doesn't do... Any a mail system can add a signatures to the messages it handles, and spammers can sign their mail, too. A DKIM signature contains, stripped down to its basics, the domain of the signer and a checksum of the message. more
Yesterday I said that the original motivations for adding new TLDs were to break VeriSign's monopoly on .COM, and to use domain names as directories. Competitive registrars broke the monopoly more effectively than any new domains, and the new domains that tried to be directories have failed. So what could a new TLD do? more
ICANN's Sydney meeting has come and gone, with the promised flood of new Top-Level Domains (TLDs) claimed to be ever closer to reality. Does the world need more TLDs? Well, no. Way back in the mid 1990s, it seemed obvious that Internet users would use the DNS as a directory, particularly once early web browsers started to add .COM to words typed in the address bar. This led to the first Internet land rush, with heavy hitters like Procter and Gamble registering diarrhea.com in 1995... more
Back in 2005 an organization called the Coalition for Internet Transparency (CFIT) burst upon the scene at the Vancouver ICANN meeting, and filed an anti-trust suit against VeriSign for their monopoly control of the .COM registry and of the market in expiring .COM domains. They didn't do very well in the trial court, which granted Verisign's motion to dismiss the case. But yesterday the Ninth Circuit reversed the trial court and put the suit back on track. more
Phishing, stealing personal information by impersonating a trusted organization, is a big problem that's not going away. Most antiphishing techniques to date have attempted to recognize fake e-mail and fake web sites, but this hasn't been particularly effective. A more promising approach is to brand the real mail and real web sites. more
Viviane Redding, the Information Society and Media Commissioner for the EC posted a video blog this week noting that the JPA between ICANN and the US Department of Commerce ends this September. In it she proposes that ICANN be overseen by a "G-12 for Internet Governance" with 12 geographically balanced government representatives from around the world. That's such a non-starter that I'm baffled that she would even propose it... more
Last September the Virginia Supreme Court issued a surprise ruling that reversed its previous decision and threw out the state’s anti-spam law on First Amendment grounds. The Commonwealth made a last ditch appeal to the US Supreme Court, which I predicted they’d be unlikely to accept. I guessed right... more
It's coming up on two years since the DomainKeys Identified Mail (DKIM) standard was published. While we're seeing a certain amount of signed mail from Google, Paypal, and ESPs, there's still a long way to go. How hard is it to sign your mail with DKIM? The major hurdle might seem to be getting mail software that can sign outgoing mail. more
If you visit the new dashboard on ICANN's web site, you see some nice bar charts, including one rather large negative number of $4,462,000. If you click the little arrow at the top of the Financial Performance chart, a footnote window pops open where the last sentence is: "The large variance to budget is due to investment losses of $4.6 mil." Investment losses? Yup, ICANN's been speculating in the stock market... more
An acquaintance wondered why the people who run the systems that receive mail get to make all the rules about what gets delivered. After all, he noted: "The sender pays for bandwidth and agrees to abide by the bandwidth provider's rules." It is useful to think of the Internet as a collection of tubes, all leading from the periphery to the middle, where the middle is approximately "the peering point." The sender has paid for the tubes leading from himself to the middle... more
ICANN's authority to manage top level of the DNS comes from a two-year Joint Project Agreement (JPA) signed with the US Department of Commerce in 1997, since extended seven times, most recently until September 2009. Since the DoC can unilaterally cancel the JPA which would put ICANN out of the DNS business, when DoC speaks, ICANN listens. On Thursday, the US DoC sent a scathing letter to ICANN about the proposed plan to sell large numbers of new top-level domains (TLDs). There's a long list of issues... more
Domain tasting, as everyone probably knows by now, is the disreputable practice of registering lots of domains, seeing how much traffic they get, and then using the five day Add Grace Period (AGP) to refund the 99.9% of them that aren't worth paying for. A related abuse is front running, registrars speculatively grabbing domains that people inquire about to prevent them from using a different registrar. more
In a widely reported court case, Facebook won an $800M default judgment and injunction against a Montreal man named Adam Guerbuez, who has a long and sordid history. But it probably won't make any difference. The problem is that he's in Canada. more
In the past year ICANN has been putting a lot more effort into its compliance activities, which is a good thing, since the previous level was, ah, exiguous. That's the good news. The bad news is that while they're paying more attention to misbehaving registrants, the registrars, gatekeepers to the world of domains, have serious issues that ICANN has yet to address. more
A message on Dave Farber's Interesting People list complained that Comcast was blocking mail forwarded by DynDNS, a popular provider of DNS and related services for small-scale users... Actually, they're blocking it because a lot of it is spam. This is a problem that every mail forwarder and every mail system encounters; the only unusual thing here is that DynDNS is whining about it. It's yet another way that spammers have broken the mail for the rest of us. more
I've always been a fan of co-ops. In New York, we shop at greenstar.coop and my wife banks at alternatives.coop, in the UK we shop at co-operative.coop. So when the .COOP domain opened, I wondered if I could get my own clever domain name, but found that chicken.coop was taken by a small producer co-op in the southern U.S. Drat. more
According to news reports, the governor of Kentucky has filed a suit in state court to seize 141 gambling domain names. His claimed authority is a 1974 law against "gambling devices", on the theory that a domain is a "device", and online gambling is taking money away from in-state horse racing and the lottery. The judge sensibly has said that he doesn't understand all the issues, and has given all sides a week to submit briefs. more
The 2004 criminal spam case against large-scale spammer Jeremy Jaynes, which I've covered in several previous blog entries, appears to have come to an ignominious end with the state supreme court throwing out the law under which he was convicted. The Virginia anti-spam law was one of the first in the country with criminal provisions, but it failed due to the way that First Amendment cases are treated differently from all other cases. more
ICANN recently commissioned a report from a domain auction company to see whether it would be a good idea to auction Top-Level Domains (TLDs) that have multiple applicants. Remarkably, the domain auctioneers came to the conclusion that auctions are a great idea, which they surely are for some people. But are they a good idea for ICANN? And if ICANN admits they can't evaluate competing applications on their merits, how can they keep the process from turning into another speculative land grab? more
An acquaintance asked whether there's been any progress in the oft-rumored project to come up with a more secure replacement for SMTP. Answer: No. Truly, spam isn't a technical problem, it's a social one. If we could figure out some way to make mail recipient networks and hosts willing to shun known bad actors, even at the cost of losing some real mail for a while until the bad actors cave, it would make vastly more difference than any possible technical changes. more
Lost amid the furor about ICANN's rule change that may (or may not) lead to a flood of TLDs is the uncomfortable fact that almost without exception, the new TLDs created since 2000 have been utter failures. Other than perhaps .cat and .mobi, they've missed their estimates of the number of registrations by orders of magnitude, and they haven't gotten mindshare in the target community. So what went wrong? more
The biggest buzz from the Paris ICANN meeting was that the board accepted last fall's proposal for a streamlined process to add new TLDs. A variety of articles in the mainstream press, many featuring inflammatory but poorly informed quotes (from people who probably got a phone call saying "We go to press in five minutes, what do you think about ICANN's plan to add a million new domains?") didn't help. When can we expect the flood of TLDs? Don't hold your breath... more
I've writen several blog entries about the continued downward swirling motion of Tralliance, the company that runs the registry for .TRAVEL. In this month's installment, as told in their quarterly 10-Q SEC filing, they flirt with bankruptcy but may well end up more stable than before. One of the more eye-catching paragraphs says... more
Many online businesses use affiliates to drum up business. The affiliate finds a lead somewhere, passes it to the business, and gets a commission if the lead turns into a sale. Web based affiliates are relatively uncontroversial, but affiliates who advertise by e-mail are a chronic problem due to their propensity to send spam, both spam as normally defined and as defined by CAN SPAM. Is it possible to do legitimate e-mail affiliate marketing? Maybe... more
Last September MySpace sued ur-spammers Sanford "Spamford" Wallace and Walt "Pickle Jar" Rines were for egregious violations of CAN SPAM. Neither responded, so as was widely reported, earlier this week the court granted a default judgement. Since they sent a lot of spam, the statutory damages came to an enormous $235 million. Even for Spamford, that's a lot of money. more
n 2004 Jaynes became the country's first convicted spam felon under the Virginia anti-spam law. He's been appealing his conviction ever since, most recently losing an appeal to the Virginia Supreme Court by a 4-3 decision in February. As I discussed in more detail at the time the key questions were a) whether the Virginia law had First Amendment problems and b) whether Jaynes had standing to challenge it. The court answered No to b), thereby avoiding the need to answer a), the dissent answered Yes to both. more
The governor of Colorado recently signed a new anti-spam law [PDF] into effect. Since CAN SPAM draws a tight line around what states can do, this law is mostly interesting for the way that it pushes as firmly against that line as it can. Other observers have already done a legal analysis of the way it's worded to avoid being tossed out as the Oklahoma law was in Mummagraphics, and to make it as easy as possible for suits to meet the falsity or deception limits in CAN SPAM. To me the most interesting part of this law is its one-way fee recovery language... more
The ICANN Generic Names Supporting Organization has had tasting on its agenda since last fall, with a staff report issued in January, and a proposed anti-tasting policy written in March. On Thursday the 17th, the GNSO put the proposed policy to a vote, and it passed overwhelmingly. Under ICANN rules, the ICANN board has to take up the resolution at its next meeting, and since it was approved by a supermajority, it becomes ICANN policy unless 2/3 of the board votes against it, which in this case is unlikely. more
The judge in E360 vs. Comcast filed his order yesterday (read previous postings here and here), and to put it mildly, he agreed with Comcast. It starts: "Plaintiff e360Insight, LLC is a marketer. It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer." ...and from E360's viewpoint, goes downhill from there. more
A lot of spam uses fake return addresses. So back around 2000 it occurred to someone that if there were a way to validate the return addresses in mail, they could reject the stuff with bad return addresses. A straightforward way to do that is a callout, doing a partial mail transaction to see if the putative sender's mail server accepts mail to that address. This approach was popular for a few years, but due to its combination of ineffectiveness and abusiveness, it's now used only by small mail systems whose managers don't know any better. What's wrong with it? more
In the past week, Comcast filed an answer, denying all of E360's charges, and attached to it a motion to file a most impressive counterclaim. The court granted the motion on Monday so the counterclaim has been filed. At about the same time, E360 filed its response to Comcast's previous motion to dismiss the suit due to its utter lack of legal merit. more
I've now read Soloway's plea agreement. Despite some claims from his lawyers that it's some kind of victory that he only pleaded to three of the 40 charges, with the rest being dismissed, it's clear from the agreement that he indeed did just about everything that the government charged. The government as is usual had several similar charges in each category. more
Large scale spammer Robert Soloway, whose criminal trial was scheduled to start in a week and a half pled guilty to most of the charges against him. The indictment made three categories of charges. Counts 1-10 were mail fraud, due to Soloway delivering his spamware through the mail, and the product egregiously failing to be what he said it was, notably including 30 million addresses purported to be opt-in. Counts 11-17 seven were wire fraud, sending spam making false claims about the product, support, guarantee... more
Back in January, bulk mailer E360 filed a suit against giant cable ISP Comcast. This week Comcast responded with a withering response... Their memorandum of law wastes no time getting down to business: "Plaintiff is a spammer who refers to itself as a "internet marketing company," and is in the business of sending email solicitations and advertisements to millions of Internet users, including many of Comcast's subscribers." Comcast's analysis is similar to but even stronger than the one I made in January... more
Last week Sen. Snowe filed bill S.2661, the Anti-Phishing Consumer Protection Act of 2008, or APCPA. While its goals are laudable, I have my doubts about some of the details. The first substantive section of the bill, Section 3, makes various phishy activities more illegal than they are now in its first two subsections. It makes it specifically illegal to solicit identifying information from a computer under false pretenses, and to use a domain name that is deceptively similar to someone else's brand or name on the web in e-mail or IM to mislead people... more
Several people pointed out that although the suit still hasn't appeared in PACER, copies of the complaint are available online, including this one [PDF] at Lextext. Having read it, I'm rather underwhelmed... I do not purport to be a lawyer (nor do I usually play one on the net), but it's hard to see how the facts, which are not in serious dispute, would support any of these charges. more
In a recent press release, Los Angeles law firm Kabateck Brown Kellner says it's filed a class action suit against Network Solutions and ICANN for front running. (If you tuned in late, NetSol admits that if you query a domain name on their web site, they will speculatively register it so that it's only available through NetSol for five days, at their above market price.) This is a very peculiar suit... For one thing, it's hard to see how the total class damages would be large enough to be worth a suit... more
In a message posted to the ICANN GNSO list, Avri Doria forwarded along a most interesting document from Neustar, who runs the .biz domain... Neustar proposes to change their registrar agreement so that each registrar will only get credit for deletions of 10% of their new domains, with a few minor exceptions for tiny registrars and bulk registrations due to one-time mistakes. They say they expect Afilias to propose the same change for .info. more
At last week's meeting, the ICANN board uncharacteristially did something and voted to make their fee of 20 cents per domain-year nonrefundable. They expect this to stop both domain tasting and NSI's frontrunning, which it certainly will. It's not clear when this change will go into effect, but it might be within a month. more
Well, I read the indictment (available here from Spamhaus.) It's a long litany of criminal behavior, primarily pump and dump stock fraud of a long list of penny stocks from the US and China. Ralsky is described as the "chief executive officer and overall leader" of the scheme... The thing that strikes me about this indictment is that although it includes a lot of CAN SPAM charges, everything Ralsky and Co. did was already illegal under conventional fraud and computer tampering laws. more
The defendants in Dell's domain tasting suit responded last Friday. It looks like a pretty feeble response to me. Their main argument is that they're just the registrar, and deny Dell's claim that the registrants are fakes made up by the registrar. They also argue that they're not infringing, they didn't use the names in question in commerce, they were just acting as helpful search engines, you know, like Google or Yahoo. (The comparison to Google and Yahoo is theirs.) more
Dell filed a suit in Florida in early October against a nest of domain tasters in Miami, widely reported in the press last week... The primary defendant is a Miami resident named Juan Vasquez, doing business as several registrars called BelgiumDomains, CapitolDomains, and DomainDoorman, as well as a whole bunch of tiny companies of unknown authenticity... Those registrars have an egregious history of domain churning. I gave a talk on domain tasting at MAAWG in October in which I picked out the registrars who churned the most domains from the May registrar reports, and those three were the worst, each having registered about 500,000 domains, refunded over 10 million... more
A reasonably well informed article in Thursday's USA Today reminds us that in 2004 Bill Gates said the spam problem would be solved in early 2006, but here at the end of 2007 there's more spam than ever. They go through a laundry list of problems of spambots, new kinds of PDF and MP3 spam, and phishing, and a list of of partial or non-solutions including filters, walled gardens, and an odd system called Boxbe, a hybrid of whitelists, challenge/response, and pay for delivery. Oh, and Bill says he never said spam would be solved... more
The Storm worm has gotten a lot of press this year, with a lot of the coverage tending toward the apocalyptic. There's no question that it's one of the most successful pieces of malware to date, but just how successful is it? Last weekend, Brandon Enright of UC San Diego gave a informal talk at the Toorcon conference in which he reported on his analysis of the Storm botnet. According to his quite informative slides, Storm has evolved quite a lot over the past year... more
If you had an e-mail address any time in the past six years, you've probably gotten spam for something called VigRX for Men, with fairly specific promises that it will make you, ah, manlier. I always wondered how many nitwits could fall for this kind of nonsense. Thanks to a recent class action settlement, we now know that there have been quite a lot of them. A class action suit filed in 2001 in Colorado settled recently, with some quite amazing info in the documents available at http://lemsettlement.com. LEM stands for Leading Edge Marketing, the name used by the defendants for several companies in the US, Canada, and the Bahamas. more
Zango, a company that used to be called 180 solutions, has a long history of making and distributing spyware. (See the Wikipedia article for their sordid history.) Not surprisingly, anti-spyware vendors routinely list Zango's software as what's tactfully called "potentially unwanted". Zango has tried to sue their way out of the doghouse by filing suit against anti-spyware vendors. In a widely reported decision last week, Seattle judge John Coghenour crisply rejected Zango's case, finding that federal law gives Kaspersky complete immunity against Zango's complaint... more
Last week I wrote a note the ICANN WHOIS privacy battle, and why nothing's likely to change any time soon. Like many of my articles, it is mirrored at CircleID, where some of the commenters missed the point. One person noted that info about car registrations, to which I roughly likened WHOIS, are usually available only to law enforcement, and that corporations can often be registered in the name of a proxy, so why can't WHOIS do the same thing? more
The Seventh Circuit has issued its opinion in the continuing saga of E360 Insight vs. the Spamhaus Project. While it is not a complete victory for Spamhaus, they did about as well as anyone could have hoped for under the circumstances. E360 won on the procedural issue, while Spamhaus won on the substance. The procedural issue was whether the default judgement against Spamhaus was properly granted last September. The court session was so odd that the appeals decision quotes several pages of the transcript. more
ICANN has been wrangling about WHOIS privacy for years. Last week, yet another WHOIS working group ended without making any progress. What's the problem? Actually, there are two: one is that WHOIS privacy is not necessarily all it's cracked up to be, and the other is that so far, nothing in the debate has given any of the parties any incentive to come to agreement. The current ICANN rules for WHOIS say, approximately, that each time you register a domain in a gTLD (the domains that ICANN manages), you are supposed to provide contact information... WHOIS data is public, and despite unenforceable rules to the contrary, it is routinely scraped... more
If there were a lifetime achievement award for losing lawsuits for being annoying, Sanford Wallace would be a shoo-in. Fifteen years ago, his junk faxing was a major impetus for the TCPA, the law outlawing junk faxes. Later in the 1990s, his Cyber Promotions set important legal precedents about spam in cases where he lost to Compuserve and AOL. Two years ago, he lost a suit to FTC who sued his Smartbot.net for stuffing spyware onto people's computers. And now, lest anyone think that he's run out of bad ideas, he's back, on the receiving end of a lawsuit from MySpace... more
When I was growing up, one of the annoyances of life in New York City was squeegee men. When your car was stopped at a light, these guys would run up, make a few swipes at your windshield with a squeegee, then look menacing until you gave them a tip. It occurs to me that domain "monetizers'' are the Internet's squeegee men. If I make a minor typing error entering a domain name, they run up and offer to sell a link to the place I wanted to go (well, they sell the place I wanted to go a click from me, but close enough.) more
I recently came across a copy of a ruling in the bizarre case of MySpace vs. theglobe.com. Theglobe.com was the ultimate dot.com bubble company. It started up here in Ithaca, and went public at the peak of dot.com hysteria with one of the the greatest one-day price runups ever. Since then they bought and sold a variety of busineses, none of which ever made any money, including the Voiceglo VoIP service which appears to be what the spam was promoting. more
In an entry in the ICANN blog, Paul Levins says they've arranged to move Registerfly's domains to another registrar. They won't say who the other registrar is beyond "an existing accredited Registrar with a demonstrated record of customer service" which could be just about anyone other than Registerfly. They have "most" of the registrant data. All is to be unveiled next week. In the meantime, read the comments on the blog... more
Forwarding e-mail is so easy that it must be legal, right? Not everyone thinks so. Ned Snow at the University of Arkansas recently wrote A Copyright Conundrum: Protecting Email Privacy that argues that forwarding violates the sender's copyright rights, so it's not. The article is quite clever and is (as best I can tell, not being a legal historian) well researched, even if you agree with me that its conclusions are a bunch of codswallop... more
Last December I wrote about Mark Mumma, who runs a small web hosting company in Oklahoma City and his battle with Omega World Travel a/k/a cruise.com. Mumma lost his CAN SPAM suit agains them in December, but Omega's countersuit for defamation went to trial last week, and I hear that the jury awarded Omega $2.5 million in damages, which Mumma is not likely to be able to pay. This may be painted in some circles as a huge defeat for anti-spam activists, but it's not... more
ICANN's web site has a press release saying that the were granted a temporary restraining order on Monday requiring that Registerfly cough up all the info on their registrants, or else.
My assumption all along has been that the reason that Registerfly hasn't provided full info is because they don't have it. ICANN agrees that they got partial data last month, and it's hard to imagine a reason that Registerfly would have given them some of the data but deliberately held back the rest. I guess we'll know soon enough.
By the way, I hear that ICANN plans to implement their registrar escrow policy, the one that's been in the contracts since 2000, pretty soon. more
One of the consistent chants we've always heard from ICANN is that there has to be a single DNS root, so everyone sees the same set of names on the net, a sentiment with which I agree. Unfortunately, I discovered at this week's ICANN meeting that due to ICANN's inaction, it's already too late. Among the topics that ICANN has been grinding away at is Internationalized Domain Names (IDNs) that contain characters outside the traditional English ASCII character set... ICANN has tied itself with the issue of homographs, different characters that look the same or mean the same thing. Once people noticed that IDNs let you register different names that look the same, the intellectual property crowd that has always had a mysteriously great influence on ICANN went into a tizzy and they went into lengthy discussions on what to do about them... more
Last week I noted here that cutting off collapsed domain Registerfly will leave a huge problem for registrants. ICANN is supposed to have escrowed copies of each registrar's registrant data, but has never got around to setting that up. This means that unless Registerfly can supply the data, there may be no record of the actual owner of their domains. more
For about the last two years, I was a member of ICANN's At Large Advisory Commitee (ALAC), the group charged with representing the interests of ordinary Internet users within ICANN. In case anyone is wondering, here's why I'm not on the ALAC any more. ICANN has a very narrow mission. They maintain the root zone, the list of top-level domain names in the Internet's domain name system. They coordinate numeric IP addresses, with the real work delegated to five Regional Internet Registries. And they keep track of some simple and uncontroversial technical parameters for Internet routing applications... more
An earthquake on Tuesday near Taiwan caused widespread disruption to telephone and Internet networks. The quake affected an area of the sea bottom with a lot of undersea cables that broke, and since there is only a limited number of cable repair ships, it will take at least weeks to fish them up and splice them. more
In November, Mark Mumma, who runs a little design firm at webguy.com, lost an appeal in the Fourth Federal Circuit. He'd filed suit against cruise.com and their parent Omega World Travel under CAN SPAM and an Oklahoma anti-spam law. Omega countersued for defamation. The court threw out Mumma's case, and allowed part of the defamation case to proceed. At first blush, this looks like a big win for spammers. more
Last week the Federal Trade Commission settled a lawsuit against Yesmail, a large ESP (Email Service Provider). The facts of the case are not in dispute, but their meaning is. Yesmail, like most large ESPs, has absorbed a number of its smaller competitors over the years including a company called @Once. Back in 2004, they screwed up their incoming mail so that a whole lot of bounces and opt-out requests were erroneously filtered out as spam. As a result, thousands of people who'd told @Once to stop sending them mail kept getting mail anyway... more
You may have read reports that the total amount of spam is on the decline. Don't believe them. In the month of October, I saw the amount of spam in my traps here roughly double, from about 50,000 per day to 100,000/day now. In conversations with managers at both ISPs and corporate networks, I'm hearing the same thing. more
Whatever you think the answer is (typically about ten bucks), the answer is likely to change radically for the worse, based on new contracts that ICANN is planning to approve. On July 28th ICANN posted proposed new contracts for .ORG, .BIZ, and .INFO, for a public comment period that ends four days from now, on the 28th. There's a lot not to like about these proposed contracts, but I will concentrate here on two related particularly troublesome areas, pricing and data mining. more
The IETF DKIM working group has been making considerable progress, and now has a close-to-final draft. DKIM will let domains sign their mail so if you get a message from [email protected], the furble.net mail system can sign it so you can be sure it really truly is from furble.net. But unless you already happen to be familiar with furble.net, this doesn't give you any help deciding whether you want the message. This is where the new Domain Assurance Council (DAC) comes in... more
With all of the recent excitement about *.cm, the Cameroonian wildcard that someone is using to collect vast numbers of mistyped .com addresses, I wondered how many other wildcards there were at the DNS top level. There's a total of 13. Half of the wildcards are harmless. The *.museum wildcard leads to a registry page that helps guess what you might have been looking for. ...The .mp page also claims that .mp is for Mobile Phone rather than for the Marianas Islands, but they're hardly the only small poor island to try to cash in on their ccTLD, and they at least run it themselves. more
Another paper from the Fifth Workshop on the Economics of Information Security, (WEIS 2006) is Proof of Work can Work by Debin Liu and L, Jean Camp of Indiana University. Proof of work (p-o-w) systems are a variation on e-postage that uses computation rather than money. A mail sender solves a lengthy computational problem and presents the result with the message. The problem takes long enough that the sender can only do a modest number per time period, and so cannot send a lot of messages, thereby preventing spamming. But on a net full of zombies, proof of work doesn't work. more
News reports say that high profile Ryan Pitylak was fined $10 million by the Texas Attorney General. A few days ago, he paid a $1M settlement to Microsoft. Since it had been widely reported that he'd made between $3M and $4M during his spamming career, that seemed like a pretty good deal for him. As I commented to the San Antonio Express, this new fine is more in line with what he did, and at least relieves him of all his ill-gotten gains... more
So-called domain tasting is one of the more unpleasant developments in the domain business in the past year. Domain speculators are registering millions of domains without paying for them, in a business model not unlike running a condiment business by visiting every fast food restaurant in town and scooping up all of the ketchup packets. Since 2003, the contract between ICANN and each unsponsored TLD registry (.biz, .com, .info, .net, .org, and .pro) has added an Add Grace Period (AGP) of five days during which a registrant can delete a newly registered domain and get a full refund. Although this provision was clearly intended to allow registrars to correct the occasional typo and spelling error in registrations, speculators realized that this allows them to try out any domain for five days for free... more
On Monday the 3rd, California state Senator Dean Flores held a hearing of the E-Commerce, Wireless Technology, and Consumer Driven Programming committee grandly titled AOL: You Have Certified Mail, Will Paid E-mail Lead to Separate, Unequal Systems or is it the Foolproof Answer to Spam?. The senator's office said they were very eager to have me there, to the extent they offered to fly me out from New York, so since I happened to be on the way home from ICANN in New Zealand that weekend, I took a detour through Sacramento. Sen. Florez conducted the hearing, with Sens. Escutia and Torlakson sitting in briefly. Unfortunately, Sen. Bowen, who is very well informed on these topics, wasn't there. There were five panels of speakers, and I got to lead off... more
Goodmail Systems made a big splash last week when AOL and Yahoo announced that they will be giving preferential treatment to mail that uses Goodmail's CertifiedEmail service, claiming (implausibly) that this has something to do with stopping spam... Since Goodmail charges senders for each message, some people see this as the end of e-mail as we know it. I have my concerns about Goodmail, but a lot of the concerns are either overblown or based on bad reporting... more
A student at a well-known US university wrote me and asked whether, given the huge national interest in getting the industry to unite behind (at least) one format, did I think that the FTC should've played a stronger role in pushing the industry to adopt an authentication format? I said: Nope. Part of the reason it's taking so long to agree on a standard is that the process is infested with academic theoreticians who are more interested in arguing about hypotheticals and pushing their pet spam solutions than in doing something useful... more
Way back in 2000-2001, ICANN approved a handful of new top level domains, and entered into agreements with their promoters. Three of the sponsored domains, are coming up for renewal next year, so they've sent in their renewal proposals. A sponsored domain is one that restricts who can register to members of a particular community, in this case respectively co-ops, museums, and the airline industry. Let's take a look and see how they're doing. more
One of the consistent chants we've always heard from ICANN is that there has to be a single DNS root, so everyone sees the same set of names on the net, a sentiment with which I agree. Unfortunately, I discovered at this week's ICANN meeting that due to ICANN's inaction, it's already too late. Among the topics that ICANN has been grinding away at is Internationalized Domain Names (IDNs) that contain characters outside the traditional English ASCII character set. more
Last week the DMA announced with considerable fanfare that their members should all use e-mail authentication. DMA members send a lot of bulk e-mail, but not much that would be considered spam by any normal metric. (Altria's Gevalia Kaffee is one of the few exceptions.) Their main problem is their legitimate bulk mail, sent in large quantities from fixed sources, getting caught by ISPs spam filters. That happens to be one problem for which path authentication schemes like SPF and Sender ID are useful, since they make it easier to add known fixed source mailers to a recipient ISP's whitelist, and that's just what AOL and probably other big ISPs use it for. While the DMA may be implying that this is a virtuous move, in reality it's something that their members are doing anyway for straightforward business purposes. more
A small but intriguing paragraph in the VeriSign settlement says that ICANN gets to maintain the root zone. I thought they did now, but I guess VRSN does, following advice from ICANN. This has two and a half effects. The most obvious is political -- if ICANN rather than VRSN is distributing the root zone, it removes the symbolic significance of VeriSign's A root server. The second is DNSSEC key management. Until now, the contents of the root zone have been pretty boring, a list of names and IP addresses of name servers. If DNSSEC is deployed in the root, which is not unlikely in the next few months, ICANN rather than VeriSign will hold the crypto keys used to sign the root zone. If a tug of war develops, whoever holds the keys wins, since without the keys, you can't publish a new version of the root with changed or added records unless you publish your own competing set of keys and can persuade people to use them. more
A press release on the ICANN web site says that ICANN and Verisign have agreed to settle all pending lawsuits, and there’s a new .COM agreement, all tentative but if history is any guide, nothing short of DOC action is going to stop it. The good news is that VeriSign has agreed not to make unilateral changes like Sitefinder. They have to give prior notice to ICANN for any material change in the operation of the registry, and if ICANN has any concerns there’s a lengthy process full of expert panels and Consensus and the like to decide whether they can do it. more
On Thursday the 22nd, Robert Braver, an Oklahoma ISP owner who is a long time activist against both spam and junk faxes, received a default judgment of over $10 million against high profile spammer Robert Soloway and his company Newport Internet Marketing. Soloway has frequently been cited as one of the ten largest spammers in the world. more
Yesterday, the IESG, the group that approves RFCs for publication received an appeal from Julian Mehnle to not to publish the Sender-ID spec as an experimental RFC due to technical defects. IESG members' responses were sympathetic to his concerns, so I'd say that a Sender-ID RFC has hit a roadblock. The problem is simple: Although Sender-ID defines a new record type, called SPF 2.0, it also says that in the absence of a 2.0 record, it uses the older SPF1 record. Since SPF and Sender-ID can use the same records, if you publish an SPF record, you can't tell whether people are using it for SPF or Sender-ID. Ned Freed commented... more
MAAWG is the Messaging Anti-Abuse Working group. It was started by Openwave, a vendor that sells e-mail hardware and software to large ISPs and originally consisted only of Openwave customers, but has evolved into an active forum in which large ISPs and software vendors exchange notes on anti-spam and other anti-abuse activities. Members now include nearly every large ISP including AOL, Earthlink, Yahoo, Comcast and Verizon is a member, along with ESPs like Doubleclick, Bigfoot, and Checkfree, and vendors like Ciscom, Ironport, Messagelabs, Kelkea/Trend, and Habeas. They've also been quietly active in codifying best practices and working on some small but useful standards like a common abuse reporting format. more
A new company called Blue Security purports to have an innovative approach to getting rid of spam. I don't think much of it. As I said to an Associated Press reporter: "It's the worst kind of vigilante approach," said John Levine, a board member with the Coalition Against Unsolicited Commercial E-mail. "Deliberate attacks against people's Web sites are illegal." more
A recent press release from the Internet Society reports that the IETF will shortly publish specifications of SPF and Sender-ID in the RFC series. What does this mean for the future? ...More than 4000 documents have been published in the RFC series since the first RFC in 1969, relatively few of which have evolved into Internet standards. Each RFC is characterized when published as standards-track, best current practice, informational, experimental, or historical. These four RFCs, three describing Sender ID and one describing SPF, are all experimental. more
Paul Graham is a smart guy who popularized naive Bayesian spam filtering in 2002 with A Plan for Spam and has organized a series of informal spam conferences at MIT. Earlier this month he was shocked and horrified to discover that his web site, hosted at Yahoo where he used to work, had appeared on the widely used Spamhaus blacklist... more
Industry Canada, the part of the Canadian government roughly equivalent to the U.S. Commerce Department, has had a task force on spam working for the past year or so. I was invited to participate as an unofficial member, since I'm not a Canadian. Yesterday, it wrapped up its work and published its report (aussi disponsible en francais) to the government. It's quite good, and has a set of 22 recommendations. more
For those who've been living in an e-mail free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I'd better confirm my account info pronto. ...Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of links in it are to its own domain, e.g., if the sender is bigbank.com, all of the links have to be to bigbank.com or maybe www.bigbank.com. Current path authentication schemes don't handle this, but it wouldn't be too hard to retrofit into SPF. ...So the question is, is it worth the effort to make all of the senders and URLs match up? more
I got a letter the other day from AOL postmaster Carl Hutzler, about how the Internet community could get rid of spam, if it really wanted to. With his permission, here are some excerpts. "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution)." more
The CAN SPAM Act of 2003 went into effect a year ago on Jan 1, 2004. As of that date, spam suddenly stopped, e-mail was once again easy and pleasant to use, and Internet users had one less problem to worry about. Oh, that didn't happen? What went wrong? more
In my spare time when I'm not dealing with the world of e-mail, I'm a politician so now and then I put on my cynical political hat. At the FTC Authentication Summit one of the more striking disagreements was about the merits and flaws of SPF and Microsoft's Sender-ID. Some people thought they are wonderful and the sooner we all use them the better. Others thought they are deeply flawed and pose a serious risk of long-term damage to the reliability of e-mail. Why this disagreement over what one might naively think would be a technical question? more
The Federal Trade Commission and NIST had a two-day Authentication Summit on Nov 9-10 in Washington DC. When they published their report explaining their decision not to create a National Do Not Email Registry, the FTC identified lack of e-mail authentication as one of the reasons that it wouldn't work, and the authentication summit was part of their process to get some sort of authentication going. At the time the summit was scheduled, the IETF MARID group was still active and most people expected it to endorse Microsoft's Sender-ID in some form, so the summit would have been mostly about Sender-ID. Since MARID didn't do that, the summit had a broader and more interesting agenda. more
The country's first criminal trial about spam ended in Leesburg, Virginia earlier this month with a conviction of Jeremy Jaynes, better known under his nom de spam of Gavin Stubberfield. I was an expert witness for the prosecution, the Commonwealth of Virginia. The case was brought under Virginia's state anti-spam law, not the weaker Federal CAN-SPAM act... more
The IETF MARID working group has been slogging away all summer trying to produce a draft standard about e-mail sender verification. They started with Meng Wong's SPF and Microsoft's Caller ID for E-mail, which got stirred together into a hybrid called Sender ID. One of the issues hanging over the MARID process has been Microsoft's Intellectual Property Rights (IPR) in Caller ID and Sender ID. The IETF has a process described in RFC 3668 that requires contributors to disclose IPR claims related to their contributions. more
IBM researcher Nathaniel Borenstein has commented that everyone agrees that spam is bad, and that's a huge impediment to doing anything about it. Having decided that spam is bad, it's tempting to divide the spam problem into smaller problems and try to solve the smaller problems, then put the solutions to the subproblems together and, voila, no more spam. That would be fine if the combined subproblems were truly equivalent to the spam problem, but that's rarely the case. more
The first week in July I went to an acronym-heavy World Symposium on the Internet Society Thematic Meeting on spam in Geneva. A few people have reported this as a meeting by "the UN", which it wasn't. Although the International Telecommunications Union is now part of the UN, it dates back to an 1865 treaty to manage international telegraph communication... more
In my roles as postmaster at CAUCE (the Coalition Against Unsolicited Commercial E-mail) and abuse.net, I get a lot of baffled and outraged mail from people who have discovered that someone is sending out spam, often pornographic spam, with their return address on the From: line. "How can they do that? How do I make them stop?'' The short answers are "easily'' and "it's nearly impossible.'' more