J.D. Falk

J.D. Falk

Internet Standards and Governance
Joined on April 2, 2008
Total Post Views: 494,298

About

From all of us at CircleID: It is with great sadness that we report the passing of Jesse David (J.D.) Falk, 1974 - 2011

J.D. Falk worked on anti-spam systems and policies for such influential companies as the original Mail Abuse Prevention System, Microsoft, and Yahoo!.  As a part of Return Path’s Email Intelligence Group he worked on products and services which help major ISPs deal with spam and related e-mail issues, and was involved in developing technical standards for the internet.

J.D. sat on the board of the Coalition Against Unsolicited Commercial Email, and was the Document Editor of the Program Committee of the Messaging Anti-Abuse Working Group (MAAWG).  He lived near San Francisco with his wife and a cat named Bacon.

Except where otherwise noted, all postings by J.D. Falk on CircleID are licensed under a Creative Commons License.

Featured Blogs

Impenetrable Processes and Fool’s Gold at ICANN

A couple of weeks ago, I attended part of the ICANN meeting in San Francisco. I've been watching ICANN and been peripherally aware of their issues since the organization began, but this was my first chance to attend a meeting. What I learned is that ICANN is a crazy behemoth of a bureaucracy, steeped in impenetrable acronyms and processes that make it nearly impossible for someone new to get up to speed. The best example of this is the recent approval of the .XXX top-level domain. more

Comcast’s Impressive System for Notifying Infected Users

Pretty much as long as there've been computers, one of the biggest challenges has been user education. How do you create software smart enough to inform a user when they're about to do something potentially disastrous - or, worse, when something disastrous has been done to them? As one of the world's largest access providers, Comcast has put a ton of thought into developing a notification system for their users. The solution Comcast developed involves, in effect, hijacking HTTP requests... more

Is Amazon Playing Chicken With Mailbox Providers?

It's easy to look at Amazon SES and sigh. Thousands of low-end customers sending mail from a shared IP pool? Amazon already knows that trick never works! Just one spammer will ruin the reputation of those IP addresses, resulting in ongoing delivery problems for everyone who uses the service. It is possible that Amazon can build the systems and human processes to keep spammers out; certainly sounds like they want to. more

How the End of IPv4 Affects Email and Hosting

Anyone who has been watching the technology industry for more than a couple of years quickly learns to recognize FUD: Fear, Uncertainty and Doubt. FUD is (apparently) widely believed to be an effective marketing technique, especially when it comes to security, privacy, or scarcity. But the FUD often falls flat. Scarcity, in particular, is rare on the internet -- even rarer than privacy or security. There's constant FUD about scarcity of bandwidth, but the pipes get upgraded. Attempts to impose artificial scarcity through paywalls or other devices inevitably fail in the face of free alternatives. Even the scarcity of IPv4 addresses, which have indeed run out at the top, hasn't affected end users at the bottom yet -- and probably won't, for a long time. more

Where Every Phisher Knows Your Name

Spear phishing is the unholy love child of email spam and social engineering. It refers to when a message is specifically crafted, using either public or previously stolen information, to fool the recipient into believing that it's legitimate. This personalization is usually fairly general, like mentioning the recipient's employer (easily gleaned from their domain name.) Sometimes they address you by name. Much scarier is when they use more deeply personal information stolen from one of your contacts... more

Remembering the Good Times

The most effective early email-borne viruses didn't need botnets. They didn't change your computer settings, or steal your login credentials. And they somehow convinced regular users to help them spread. The first warnings about the Good Times virus began to appear in November of 1994, and by December the warnings were seen all over as people did what the warning said, and forwarded it to all their friends. There was another outbreak the following March... more

Facebook + email = Facebook

Remember when Gmail launched in 2004, and everyone said it was going to kill Hotmail, Yahoo!, and AOL? Six years later, and this chart shows pretty clearly that while gmail has grown, only AOL's pageviews have fallen. The rest have held fairly steady. So what's everyone freaking out about? more

Transmissions from the Past: Radio and Email on Mobile Devices

Apparently, along with trying to change who gets paid when the music gets played, the National Association of Broadcasters is lobbying Congress to require FM radio receivers to be built into phones and other mobile devices. I'm sure this is in part a reaction to the rise of streaming music apps like Pandora and the Public Radio Player, but they want FM receivers in not-so-smart phones too. more

Omnibus Cybersecurity Bill May Not Go Where Original Authors Intended

In an interview with GovInfoSecurity, Sen. Thomas Carper said that the U.S. Senate is considering attaching cybersecurity legislation to a defense authorizations bill. Though clearly a ploy to be able to say "we did something about those evil hackers" before the elections, CAUCE applauds the attempt. There can be no doubt that the United States (and many other countries) sorely needs better laws to deal with these threats. more

Clouded by a Convenient Illusion

In a relatively short time, the phrase "in the cloud" has become a term of art when talking about the internet. A quick Google search shows nearly a million uses of the phrase in the past month, a 3x increase from the same period in 2009. But, what does it actually mean to have your web site, your software, your data, or anything else "in the cloud?" "In the cloud" is derived from "cloud computing," which in turn is just a new term for distributed computing, where data-crunching tasks are spread across a variety of different physical processing units. This was common in mainframes in the 1960s, and later the idea of distributing processing across cheap PCs running Linux became popular in the 1990s. more

The Other Side of Security

The Denver edition of Security BSides took place a few weeks ago in a garage turned art gallery on the far end of Denver's emerging Santa Fe Arts District, right on the border between historic working-class neighborhoods and a rambling wasteland of building supply warehouses. ... The presentation I enjoyed most was "Top 10 Ways IT is Enabling Cybercrime," presented by Daniel J. Molina from Kaspersky Labs. He described how quickly threats are evolving, how many new threats are appearing every day, and explained that the targets aren't always who you'd expect. more

Facebook, Privacy, and the Loss of Trust

Facebook sure is getting beaten up recently. There's even a crowd-funded initiative to replace it with something open, called Diaspora -- everyone on Facebook is talking about it. Yet it wasn't even two full years ago that Facebook was the darling of the ditherati. For a while it seemed as if nearly everything Facebook did was hailed as the future of messaging, perhaps the future of the Internet - or maybe the Internet didn't matter anymore, except for Facebook. more

Resources for Cleaning Your Network

The first step (but certainly not the last) towards saving the internet from spam, malware, and other abuse is to keep your own network clean. A friend of CAUCE, who wishes to remain anonymous, offers these tips and resources to help you identify problem traffic emanating from your network, and clean it up. Though primarily written for ISPs, many of the items below should apply equally well to any network owner. more

A Dangerous Buzz, and Opt-In Isn’t Just for Email

Google is great at generating buzz, and they've done it again with their new social vitality tool, appropriately named Google Buzz. Buzz takes all of your Gmail contacts (and presumably other connections from elsewhere within the Googleplex), and makes them all your "friends" by default; it then shares your activity from Google Reader, YouTube, and other tools with all of them, and vice versa... more

A Look Inside the European Response to Spam

Last week the European Network and Information Security Agency (ENISA), which assists the European Commission and its member states with network and information security issues, published its third Anti-Spam Measures Survey. The survey provides insight into how network operators in Europe are responding to the continued onslaught of email spam. more

Bridging the Gaps: MAAWG, IETF, and BITS Establish Formal Relationships

As announced this morning, the Messaging Anti-Abuse Working Group (MAAWG) has established formal relationships with the Internet Engineering Task Force (IETF) and the BITS/Financial Services Roundtable... It's often said that there are too many different organizations working on the overlapping areas of abuse, trust, and related issues. I believe the collaborative approach MAAWG has chosen will bridge these gaps. more

Maybe Email IS Dead - Part of It, Anyway

I tend to chuckle at every new proclamation that email is dead. Google Wave won't kill it. Twitter and Facebook aren't killing it; they're using it. RSS didn't kill it. Instant messaging didn't kill it. "Push media" (remember that?) didn't kill it. AOL and Compuserve and Prodigy didn't kill it; they joined it. And before that, usenet and email lived happily side-by-side. more

A Deluge is Underway; is Email Waterproof?

What's that we see, waving through the raindrops? Isn't email supposed to be dead? You already know I'm going to say no; as usual, once you see past the refraction and the rainbows, reality is somewhat more complicated. The recent, ongoing launch of Google Wave has almost everything we've come to expect. It begins with a slow roll-out, with people begging for invitations. Then comes the headlines proclaiming the death of email, often based on nothing more than a short preview video and someone else's interview with Wave's creators. more

An Unwelcome Afterlife for a Long-Dead Blacklist

There's still a few weeks before Halloween, but have we ever got a scary story for you -- and every word of it is true. (Imagine we're sitting around a campfire, chowing down on s'mores, flashlights under our faces.) Seven years ago, on this very internet, there was a man named Matthew who was angry about spam. Now sure, there are lots of people angry about spam, and some of them are named Matthew, but this particular Matthew decided that he was going to do something about it... more

Happy Birthday, Internet!

Oh, Internet. You had such potential when you were born — darling of the research community, supported by the wealthiest military the world has ever known. And you married well, into a powerful merchant family. Why are you so lost? Is it a midlife crisis? You were born, some say, 40 years ago this week in a lab at UCLA — one of ARPA's many children. It wasn't until nearly two months later that you first spoke, transmitting the letters "L" and "O" before crashing... more

DKIM for Discussion Lists

There's a pernicious meme floating around that DomainKeys Identified Mail (DKIM) doesn't work with discussion lists, particularly those hosted on common open source software packages like MailMan. It's particularly odd to see this claim after I set it up successfully on a stock Debian server in less than half an hour, just a few weeks ago. Here's how it can, should, and does work. more

How to Steal Reputation

The term "reputation hijacking" continues to spread through the anti-spam community and the press. It's intended to describe when a spammer or other bad actor uses someone else's system -- usually one of the large webmail providers -- to send their spam. The idea is that in doing so, they're hijacking the reputation of the webmail provider's IPs instead of risking the reputation of IPs under their own control. But I really have to laugh (though mostly out of sadness) whenever this technique is described as something new... more

Searching for Truth in DKIM: Part 5 of 5

Throughout this series of articles we've been talking about DKIM, and what a valid DKIM signature actually means. .. What this means for senders (of any type) is that with DKIM, you’re protected. On the internet, your domain name is a statement of your brand identity – so by signing messages with DKIM, you can finally, irrevocably tie those messages to your brand. more

Searching for Truth in DKIM: Part 4 of 5

Once you've determined that you can trust the signer of a message, as we discussed in part 3, it's easy to extrapolate that various portions of the message are equally trustworthy. For example, when there's a valid DKIM signature, we might assume that the From: header isn't spoofed. But in reality, DKIM only tells us two basic things... more

Searching for Truth in DKIM: Part 3 of 5

Last year, MAAWG published a white paper titled Trust in Email Begins with Authentication [PDF], which explains that authentication (DKIM) is “[a] safe means of identifying a participant-such as an author or an operator of an email service” while reputation is a “means of assessing their trustworthiness.”

 more

Searching for Truth in DKIM: Part 2 of 5

In part 1, we explained that the DKIM "d=" value identifies the domain name which signed the message, which may be a different domain name from the author of the message. Tying the signing and author domains together will require an additional standard: Author Domain Signing Practices (ADSP). In IETF parlance, the "author domain" is the domain name in the From: header, so ADSP is a way for the author domain to publish a statement specifying whether any other domain name should ever sign a message purporting to be From: that author domain... more

Searching for Truth in DKIM: Part 1 of 5

DomainKeys Identified Mail (DKIM) is the leading email authentication technology, supported by major ISPs including Google, AOL, and Yahoo! (who invented its predecessor), popular mail server software like Sendmail, and many of the best minds in email technology. But if you peruse the archives of the IETF DKIM mailing list, or start up a conversation at MAAWG, it might appear that there's still a lot of disagreement about what a DKIM signature actually means. more

The Root of All Email

This week, the Internet Engineering Task Force (IETF) published a number of what they call "RFCs," which originally meant "Requests for Comment" - the standards documents which specify the technical underpinnings of the Internet. Two of these, numbered 5321> and 5322, replace earlier documents defining the very core of internet email. On the surface, each of these seem surprisingly simple... Yet without general industry-wide acceptance of (and compliance with) these standards, internet email simply would not exist. more

Why It Doesn’t Matter That the Virginia Anti-Spam Law was Struck Down

If the headlines are to be believed, spam is now entirely legal in Virginia and anyone can send whatever they want without any fear of reprisal, ever. Looking beyond the headlines, it appears that the Virginia Supreme Court's ruling in AOL's case against formerly convicted spammer Jeremy Jaynes declares that the Virginia anti-spam law violates the Constitutional protection of anonymous speech, and thus is null and void. more

Spam Fighters: Revenge is a Dish Best Left in the Freezer and Forgotten

There's no denying that the fight against spam attracts a lot of crazies, both pro- and anti-spam. One of the common attributes of the anti-spam kooks is that they often think in terms of somehow taking revenge against the spammers -- regardless of who else gets hurt along the way. In 2005, that revenge came in the form of BlueFrog, a service which purported to launch what can only be called denial of service attacks against spammers' web sites... This week, a company called SpamZa was hurriedly making a similar mistake... more

Lies, Damn Lies, and Anti-Spam Vendor Press Releases

There's a lot of chatter about a recent study purporting to show that 29.1% of internet users has bought something from spam. As ITWire reported, "Marshal were not only interested in how many people were purchasing from a spam source, but also what goods and services they were buying. Perhaps less surprisingly this revealed that sex and drugs sell well online." But at downloadsquad, Lee Mathews discovered the shocking truth: "the survey only involved 600 people." more

ACLU, Anti-Spam Laws, and the First Amendment

In an article published by the Technology Liberation Front, Cato Institute adjunct scholar Tim Lee dissects a recent argument by the American Civil Liberties Union (ACLU) regarding free speech & anti-spam laws. It's been interesting to watch the ACLU wrestle with anti-spam legislation. Their entire purpose is to work through the legal system to protect our civil rights, as defined in the First Amendment -- which is why I've been a card-carrying member since before I was old enough to vote... more

Technologists vs. Marketers: Talking Incompatible Talk Leads to Walking in the Wrong Direction

As if conversations between technologists and marketers weren't already difficult enough, it appears that the Direct Marketing Association's (DMA) Email Experience Council wants to redefine long-standardized terms such as "header" and "message." more

If Thou Be’st as Poor for a Subject as He’s for a King…

Way back in 1995, Wired reporter Simson Garfinkel gave Jeff Slaton the name "Spam King." Less than a year later, Sanford Wallace earned the title -- and soon had to share it (and his upstream provider) with Walt Rines. Others have come and gone; Sanford and Walt reappear every few years, together or separately, only to be sued away again... it seems as if any spammer noticed by law enforcement is immediately crowned "the Spam King," even when there are multiple such crownings happening at the same time. more

Good News from Three Spam Cases in the U.S.

They say (whoever "they" are) that good things come in threes, and that certainly seems true for law enforcement against spammers this week. In New York, Adam Vitale was sentenced to 30 months in prison and ordered to pay $183,000 in restitution for a week of spamming AOL back in 2005... In Illinois, an FTC settlement requires Spear Systems and company executives Bruce Parker and Lisa Kimsey to give up $29,000, stop making "false or unsubstantiated claims about health benefits" of their products, and bars them from violating CAN-SPAM ever again... And finally, in Seattle, the Robert Soloway case continues... more

Identifying Spam: MAAWG’s Latest Documents Improve Accuracy of Reputation Systems

The Messaging Anti-Abuse Working Group (MAAWG), of which Return Path (my employer) is a very active participant, met recently in Heidelberg, Germany. Among other exciting projects, they finished two new best practices documents which have been lauded in the press as a big step towards stopping botnet spam... more

If It Spams Like a Duck…

We've been wondering what e360 hoped to gain with their recent lawsuits against Spamhaus and others. If they were trying to clarify the right of ISPs to protect their users from spam, then they've certainly done a good job -- especially in this particular case. If it wasn't clear before, Judge Zagel's explanation should satisfy even the most pedantic of filtering opponents: "ISPs acting in good faith to protect their customers are not liable for blocking messages that some spammer claims are not spam..." more

Trust in Email Begins with Authentication

As most CAUCE supporters already know, forging 'From:' or other commonly seen email headers is trivially easy. It's one of the most frustrating oversights in the creation of Internet email technology -- though of course that's only obvious in hindsight; it was just fine for the pre-Internet networks of the late 1970s and early-mid 1980s. Since then, things have changed -- and the most interesting recent technological advancements in email have been in the realm of sender authentication, which encompasses ways to verify that the apparent sender of a message actually is the entity which sent it. more