Spam

Spam / Featured Blogs

Privacy Alert: Watch Out For FOISA

This morning, at 10 am in 2141 Rayburn, the Subcommittee on Courts, the Internet, and Intellectual Property is holding a hearing on "Internet Domain Name Fraud -- New Criminal and Civil Enforcement Tools." At that hearing, the Subcommittee will be considering a new Whois bill creating new penalties for people who provide false data when registering a domain name. We need to raise our collective eyebrows at this bill (which was suddenly dropped the evening before this hearing). The title of the bill is the "Fraudulent Online Identity Sanctions Act." (FOISA)

WSIS: What Is It ‘Really’ All About?

Until a few weeks ago, almost everyone in the Internet governance circus seemed to ignore the very existence of WSIS. After it popped up on international newspapers, however, things have been changing; and suddenly, I have started noticing plenty of negative reactions, on the lines of "we don't need WSIS, we don't need the UN, we don't need governments, we don't need internationalization - just go away from our network". However, I often find that these reactions are based on fundamental misunderstandings of the issues at stake; so please let me offer a different perspective.

ICANN on Closing Off Port 43

ICANN has launched three task forces on WHOIS restructuring...It sounds innocuous enough -- nobody likes spam -- but the restrictions being discussed reach further than marketers. Pushed by registrars who feel that WHOIS amounts to forced disclosure of their customer lists, the task force is seriously discussing closing off port 43's straightforward access to WHOIS information, replacing it with GIF-based barriers or similar access restrictions.

Nations at WSIS Better Off with an ICANN-Like Structure

There is much talk currently about the WSIS meeting taking place in Geneva this week which means some needed attention is being paid to Internet governance. While some may view the term "Internet governance" as an oxymoron and my natural reaction is something along the lines of "I hope that they continue to view regulation as too complicated so that we Internet-folks can just keep doing what we are doing" I confess to knowing deep down that we would all be better off with a simple, effective policy framework than with the current anarchic state.

Yahoo’s New Domain Keys: Will it Be Effective?

To paraphrase an old Klingon proverb, there can be no spam solution, so long as e-mail is free. Yahoo has unveiled plans to launch its Domain Keys software as an open-source toolkit in 2004. The intent is to allow developers of major e-mail systems to integrate Yahoo's public/private key authentication system into their own software and thus create momentum for a standard whose raison d'etre is identify verification. This is a commendable effort, but a closer look reveals that it will not only not stop the spam problem, it may have almost no effect at all.

Blacklisting Under Wrong Assumptions

If you analyze the relay of spam- and malware-containing email circulating on the Internet purely through your mail server logs (running the Unix command "tail"), a large proportion seem to come from Asia Pacific hosts, especially those from mainland China. Therefore, many less-experienced systems administrators have simply blocked the access from subnets of Chinese or Asian origin, effectively destroying the fabric of the Internet -- messaging. If administrators took pains to analyze these supposedly Asian spam messages by analyzing the full Internet headers, they would have realized that the Asian servers were merely used by the real spammers as open relays, or perhaps as zombie hosts previously infected with the mass mailing worms through the exploitation of operating system vulnerabilities.

The Future of Email

While people may debate the death of email, there is no question that many email servers are already overloaded with spam. Current spam solutions are beginning to address the problem, but so far they all suffer from the arms race issue - as fast as we come up with new ways to fight spam, spammers are finding new ways to deliver it to us. While the functionality of email will certainly continue, the current system must change. When the change comes, it will deliver the future of email to Microsoft.

Lobbying for Whois Privacy

Today a letter was submitted to the President of ICANN, Paul Twomey, at the ICANN Carthage meeting, "asking him to ensure that strong privacy safeguards, based on internationally accepted standards, are established for the WHOIS database." Latest reports indicated that the draft letter had been signed by about 50 nonprofit groups and represented 21 countries on six continents. "Signers of the letter included the American Library Association, the U.S. Association for Computing Machinery, the Australian Council for Civil Liberties, Electronic Frontier Finland, Privacy Ukraine, and the United Kingdom's Foundation for Information Policy Research."

The Internet Infrastructure: Stability vs. Innovation

Stratton Sclavos of VeriSign distills the essence of the SiteFinder controversy in his CNet interview...There is a subtle but essential misunderstanding here. Innovation can and should happen in Internet infrastructure, but there are a handful of core elements that must remain open and radically simple if the Internet is to remain, well, the Internet. These include TCP/IP, SMTP, HTTP, BIND, BGP, and the DNS (especially the .com registry). Any change in these protocols should be very carefully vetted through a consensus-based process.

Is Industry Underestimating the Ending Dot?

According to RFC1034, "cnn.com" and "cnn.com." should be the same domain names. However, it doesn't appear that programmers always understand that trailing dots can be added to domain names. Web servers also can't seem to agree what to do with a period at the end of a host name. IIS, thttp, and Akamai's Web server all get confused while Apache doesn't seem to care. How much other software behaves incorrectly because of a trailing period on a domain name? Can spam-filtering software be bypassed with dotted email addresses? Here is a situation when bad things can happen -- "WebShield SMTP infinite loop DoS Attack"...