Another paper from the Fifth Workshop on the Economics of Information Security, (WEIS 2006) is Proof of Work can Work by Debin Liu and L, Jean Camp of Indiana University. Proof of work (p-o-w) systems are a variation on e-postage that uses computation rather than money. A mail sender solves a lengthy computational problem and presents the result with the message. The problem takes long enough that the sender can only do a modest number per time period, and so cannot send a lot of messages, thereby preventing spamming. But on a net full of zombies, proof of work doesn't work. more
The recent testing by Gmail of DomainKeys affords an opportunity to look again at what the impact of it may be in any attempt to introduce a Domino addin to verify DomainKeys signatures. I have here a sample of an email sent from Gmail and that same email after being delivered to the in-box of a Notes/Domino user who prefers MIME. There are differences which make DomainKeys a real problem at Domino shops (and, I suspect, others). more
Sender Policy Framework (SPF) stops novice spammers but not the professionals, says Spammer-X, a retired spammer who has gone into a lot of the details in his book, "Inside the Spam Cartel". The best way to beat SPF is to join it... First, Joe Spammer rents a dedicated spam host in a spammer-friendly location, like China. Next, he registers 100 domain names, and each domain is registered under a fake name and address. Next, DNS entries for each of the hosts are set up, including a valid pointer record (PTR), an MX record and reverse DNS entries for each domain... more
For some time now I have contended that Confirmed Opt-in, 'COI' is dead, or at the very least on life support. It certainly is not a major factor in the continued relation between sender and receiver; that relies far more heavily on the ongoing and historical reputation of the mailer and the mail stream. Proof of permission doesn't scale; end-users complain all the time, but it is rare if not impossible for a receiving site to request proof when an end-user complains, then the receiver complains to the sender, and the sender says that permission was actually in place. Much more commonly, the sender unsubscribes the address and moves on, permission or not, since the subscriber doesn't want the mail any more. But then, I recently had two eye-opening experiences... more
Well, it has been quite a while since first the Hong Kong OFTA (in 2004) and then CITB (in 2006) issued requests for public comment about a proposed UEM (Unsolicited Electronic Messaging) bill to be introduced in Hong Kong, for the purpose of regulating unsolicited email, telephone and fax solicitations. We're a large (worldwide) provider of email and spam filtering - but we're based in Hong Kong, and any regulation there naturally gets tracked by us rather more actively than laws elsewhere. We sent in our responses to both these agencies... The bill is becoming law now - and most of it looks good... There's one major fly in the ointment though... more
There's a lot of argument as to which "anti-spam" techniques are legitimately so called. In this article, I'd like to consider what constitutes an anti-spam technique in an ideal sense, then consider the various practiced approaches to spam mitigation in that light, drawing conclusions as to how we should frame the "anti-spam" discussion. ...For the purposes of this discussion, let "spam" refer to "unsolicited bulk email". Not everyone agrees on this definition, but it's by far the most widely accepted, and without a working definition we won't be able to define "anti-spam"... more
There's been a lot of noise this week since the news broke about AOL and Goodmail, so I thought I'd take the opportunity to change the direction of the dialog a little bit. First, there are two main issues here, and I think it's healthy to separate them and address them separately. One issue is the merits of an email stamp system like the one Goodmail is proposing, relative to other methods of improving and ensuring email deliverability. The second issue -- and the one that got me started earlier this week - is the question of AOL making usage of Goodmail stamps a mandatory event, replacing its enhanced whitelist. more
With the closure of IETF's MARID group a month ago, many of us have left Microsoft's Sender-ID standard for the dead. After being rejected by the Apache Foundation and the Debian Project over licensing issues, and causing the closure of MARID for some of the same issues (in addition to already long running technical ones), some thought that Microsoft may have just buried it and gone on to better things like IETF's new MAILSIG group (in formation). But just like the ghost of Hamlet's father it just refuses to die and now it looks like it is coming back to life in a new reincarnation... more
It seems like spam is in the news every day lately, and frankly, some of the proposed solutions seem either completely hare-brained or worse than the problem itself. I'd like to reiterate a relatively modest proposal I first made over a year ago: Require legitimate DNS MX records for all outbound email servers.
MX records are one component of a domain's Domain Name System (DNS) information. They identify IP addresses that accept inbound email for a particular domain name. To get mail to, say, linux.com, a mail server picks an MX record from linux.com's DNS information and attempts to deliver the mail to that IP address. If the delivery fails because a server is out of action, the delivering server may work through the domain's MX records until it finds a server that can accept the mail. Without at least one MX record, mail cannot be delivered to a domain.
more
I have often remarked that any fool can run a DNS-Based Blacklist (DNSBL) and many fools do so. Since approximately nobody uses the incompetently run black lists, they don't matter. Unfortunately, using a DNSBL requires equally little expertise, which becomes a problem when an operator wants to shut down a list. When someone sets up a mail server (which we'll call an MTA for Mail Transfer Agent), one of the tasks is to configure the anti-spam features, which invariably involves using DNSBLs. more
As we, here in the United States celebrate our independence this Fourth of July, we are reminded that the liberties and freedoms that come with that independence have yet to be won online. As citizens of this country we are blessed with safety and security from threats both foreign and domestic, but those guarantees have not yet extended to our citizenship in the global Internet community. This is true not just for American citizens, but for all Internet users throughout the world. more
One idea to make the problem of mail more manageable is to restrict the address space that is allowed to send mail. In an ideal world, we'd restrict where mail mail servers could send mail from. So, if we say that the number of individual mail servers in the world will probably never exceed 32 million (not unreasonable), or 2^25, then what if the 25 least significant bits were reserved for mail servers? more
There has been a lot of talk about IDNs here and elsewhere but what does the reality look like for a plain user? As a test, I randomly choose 28 domains from Alexa's top 100 Sites and tried to create a user account with the email address user@??.com. The bleak result... more
With the Online Trust Alliance Town Hall Meeting and Email Authentication Roundtable next week as well as the RSA Conference, I decided to pause and think about where we are and where we might be headed with regard to email authentication. Over the years, many of us have collectively worked to provide a framework for authenticating email... more
A few years ago, cell phone portability was introduced in the United States which caused a major shift in the market. The same thing happened this past year in Israel, following a major battle involving the cell carriers, consumer groups and the Israeli parliament (The Knesset). What if the same happened with email addresses? Ridiculous, you say? May be so, but there is chatter here in Israel to create a law which forces the local service providers hands to do just that. more
A World-Renowned Source for Internet Developments. Serving Since 2002.