John Levine

John Levine

Author, Consultant & Speaker
Joined on June 14, 2004
Total Post Views: 2,126,364

About

John R. Levine writes, speaks, and consults on the Internet, electronic mail, and related topics. He speaks to many trade, policy, and general groups. He's testified at the Federal Trade Commission Spam Forum on the mechanics of spam, and to the Senate Commerce Committee on spyware. He's spoken at the Internet Law and Policy Forum and at many conferences. He's written many books on the Internet and other computer topics. His books range from the best-selling Internet for Dummies, with over seven million copies of nine editions in print in dozens of languages, the new Fighting Spam for Dummies, and Windows XP: the Complete Reference to books on computer language tools and graphics programming.

Except where otherwise noted, all postings by John Levine on CircleID are licensed under a Creative Commons License.

Featured Blogs

One-Click Unsubscription

Unsubscribing from mailing lists is hard. How many times have you seen a message "please remove me from this list," followed by two or three more pointing out that the instructions are in the footer of every message, followed by three or four more asking people to not send their replies to the whole list (all sent to the whole list, of course,) perhaps with a final message by the list manager saying she's dealt with it? more»

The Kindness of Strangers, or Not

A few days ago I was startled to get an anti-spam challenge from an Earthlink user, to whom I had not written. Challenges are a WKBA (well known bad idea) which I thought had been stamped out, but apparently not. The plan of challenges seems simple enough; they demand that the sender does something to prove he's human that a spammer is unlikely to do. more»

Almost Free Domains for Almost Everyone

The latest ICANN domain auction brought the auction proceeds piggy bank to about $240 million. The application fees for the new gTLD round were $361 million of which, at the end of March, they'd spent $227 million, and their very conservative estimate is that at the end of the process they'll have spent $289 million. If you add the numbers from the private auctions to the ones for the ICANN auctions, it's as much or more than the application costs. more»

It's Auction Time Again

This week ICANN will auction off .WEB or .WEBS. There are seven live applications for .WEB and one for .WEBS. The string contention process decided that the two names are so similar that they'll only assign one of them, so all eight applications are in one auction... There are some deep pocketed bidders in this round including Google, Donuts, web.com which owns Network Solutions and a lot of other web properties, and Schlund which owns the largest web hoster 1&1. more»

Do You Know Who Your Domain Name Registrar Is?

A guy I know passed along this e-mail sent to one of his customers. They assumed it was a phish, since they didn't recognize the domain name in the link, but couldn't figure out what the goal of the phish was. They even checked the list of ICANN registrars, and nope, registrar.eu wasn't on the list. Nonetheless, this mail was real, and if the recipient had ignored it, his domain would have been suspended. What's going on? more»

Are Blockchains the Most Expensive Database Ever Invented?

One of the oft-made claims about Bitcoin and its blockchain transaction ledger is that they make transactions really cheap, so you can pay someone anywhere in the world for free, or close to it. But when you look closer, is that really true? Not by a long shot. Bitcoin transactions are stored in a large shared database called the blockchain. more»

Three Reasons Why Apple Didn't Have to Unlock a Phone

The US government is demanding Apple unlock iPhones in about a dozen cases beside the San Bernardino one. In a strikingly similar case, Judge James Orenstein in Brooklyn rejected the government's request for three separate reasons. In the decision the judge refers several times to the San Bernardino case, and it is clear he expects this decision to be an important precedent for that one. more»

Now We're Talking About Some Serious Money

ICANN has now published the results of the auction for .SHOP, an eye-popping $41,501,000. This pushes the ICANN's auction pot over $100 million. That's a lot of money. There are eighteen more name contention sets that are on hold for various reasons, of which a few such as .WEB look likely to generate even more money once the hold issues are resolved. more»

A Free DNS Conformance Test Suite

The Domain Name System is now over 25 years old. Since the publication of RFCs 1034 and 1035 in 1987, there have been over 100 RFC documents published that extend and clarify the original DNS specs. Although the basic design of the DNS hasn't changed, its definition is now extremely complex, enough so that it's a challenging task to tell whether a DNS package correctly implements the specs. more»

Another Day, Another Two Million Dollars

ICANN just published the results of the auction for .HOTELS and .HOTEIS. The high bidder (I'm not sure "winner" really applies here) was Booking.com, who will use .HOTELS. The $2.2M they paid, along with the prior results, notably the $25 million Google paid for .APP, brings the total in ICANN's auction pot to about $60.5 million. There's a few more auctions scheduled for CAM, PHONE, and SHOP/SHOPPING, along with yet to be scheduled auctions for DOCTOR, INC, LLP, and LLC. more»

What's ARC?

DMARC is an anti-phishing technique that AOL and Yahoo repurposed last year to help them deal with the consequences of spam to (and apparently from) addresses in stolen address books. Since DMARC cannot tell mail sent through complex paths like mailing lists from phishes, this had the unfortunate side effect of screwing up nearly every discussion list on the planet. Last week the DMARC group published a proposal called ARC, for Authenticated Received Chain, that is intended to mitigate the damage. What is it, and how likely is it to work? more»

An Alternative to CCWG Overreach

ICANN is in the midst (I wouldn't yet say the middle) of its transition from oversight by the US Department of Commerce to oversight by something else. A Cross Community Working Group (CCWG) on Accountability delivered a long report in August that proposes a new oversight structure for ICANN. But it has the practical problem that the ICANN board really, really hates it. Having looked at it, I can't entirely blame them. more»

Why is ICANN Tax Exempt?

ICANN, as we all know, is a California non-profit that is tax exempt in the US as a charity, under section 501(c)(3) of the US tax code. But it's a rather unusual charity. Typical charities support the arts, or education, or sports, or relief for the poor. ICANN doesn't do anything like that. So what's the basis for its tax exemption? We don't have to guess, it's all in the application they filed in 1999. more»

ICANN Wins a Very Weak TLD Lawsuit

Back in the 1990s as the Internet was starting to become visible to the world, several people had the bright idea of setting up their own top level domains and selling names in competition with what was then the monopoly registrar Network Solutions (NSI). For these new TLDs to be usable, either the TLD operators had to persuade people to use their root servers rather than the IANA servers, or else get their TLDs into the IANA root. Attempts to get people to use other roots never were very successful... more»

Dot SUCKS: The Ultimate Vanity Domain

When last we wrote, trademark lawyers had written an outraged letter to ICANN about the $2500 price to preregister trademark.sucks names, and ICANN, reliably panicking in the face of legal threats, wrote to the US Federal Trade Commission and Canadian Office of Consumer Affairs saying please tell us that's illegal so we can shut down this registry with whom we just signed a long-term contract. (The mysterious $1 surcharge turned out to be a weak attempt by ICANN to collect debts that affiliates of registry owner Momentous defaulted on long ago.) more»

Are Apps a Passing Phase?

At NetHui last week one of the most interesting sessions was "Is there an app for that?". The issue was that while apps can be easy to use, they are little walled gardens within an app store which is another level of walled garden. The Apple app store or Google play makes it easy to find apps, but it also means that you're limited to apps that your environment's corporate overlords approve and in Apple's case, charge to include. more»

The Cycle of E-Mail Security

Stepping back from the DMARC arguments, it occurs to me that there is a predictable cycle with every new e-mail security technology... Someone invents a new way to make e-mail more secure, call it SPF or DKIM or DMARC or (this month's mini-fiasco) PGP in DANE. Each scheme has a model of the way that mail works. For some subset of e-mail, the model works great, for other mail it works less great. more»

Rodney Joffe Wins a Well-Deserved Mary Litynski Award

Every year M3AAWG gives an award for lifetime work in fighting abuse and making the Internet a better place. Yesterday at its Dublin meeting they awarded it to Rodney Joffe, who has been quietly working for over 20 years. I can't imagine anyone who deserves it more. more»

How Much Money Is There in Complaining?

Although I don't have a lot of sympathy for the trademark lawyers' argument that trademark holders need to register .sucks domains cheaply before anyone else can, there is one point at the end of their letter that's worth a look. The registry contract for .sucks, between Vox Populi and ICANN, has this sentence that appears (as far as I know) in no other registry contract, in the section on Registry-Level fees. more»

ICANN and a Lot of Other People Outsmart Themselves With .SUCKS

Good taste has never been a criterion in ICANN's new domains program, and domains including .fail and the remarkably vulgar .wtf have become part of the DNS with little comment. Now we have .sucks, which is intended to empower consumers, but does so in a way so clumsy that ICANN is asking regulators in the U.S. and Canada for an excuse to shut it down. more»

The DNS Still Isn't a Directory

Back in the mid 1990s, before ICANN was invented, a lot of people assumed that the way you would find stuff on the Internet would be through the Domain Name System. It wasn't a ridiculous idea at the time. The most popular way to look for stuff was through manually managed directories like Yahoo's, but they couldn't keep up with the rapidly growing World Wide Web. Search engines had been around since 1994, but they were either underpowered and missed a lot of stuff, or else produced a blizzard of marginally relevant results. more»

With .APP, ICANN's Auction Piggy Bank Just Got Even Bigger

ICANN reports that Google paid over $25 million for .APP in the February 25 domain auction. They were willing to bid $30M, but it's a second bid auction so that was just enough to beat out whoever the second highest bidder was. The auction proceeds piggy bank just nearly doubled from $34M to about $59M dollars, and ICANN still has no idea what to do with it. more»

ICANN's Auction Piggy Bank Just Got Twice As Big

Kieren McCarthy reports in The Register that an obscure Panamanian company paid $30 million for .BLOG in the January 21 domain auction. ICANN's web site confirms that the domain did go to the Panamanian company. It doesn't report the amount, but Kieren's sources are usually correct. If so, the auction proceeds piggy bank just doubled from $30M to $60M dollars, and ICANN still has no idea what to do with it. more»

When DNSBLs Go Bad

I have often remarked that any fool can run a DNS-Based Blacklist (DNSBL) and many fools do so. Since approximately nobody uses the incompetently run black lists, they don't matter. Unfortunately, using a DNSBL requires equally little expertise, which becomes a problem when an operator wants to shut down a list. When someone sets up a mail server (which we'll call an MTA for Mail Transfer Agent), one of the tasks is to configure the anti-spam features, which invariably involves using DNSBLs. more»

Spamhaus Tells Us That Botnets Are Getting Worse

The Spamhaus Project just published a long article about the botnets they've been watching during 2014. As this chart shows, we're not making any progress. They also note that the goals of botnets have changed. While in the past they were mostly used to send spam, now they're stealing banking and financial information, engaging in click fraud, and used for DDoS and other malicious mischief. more»

Thirty-Three Million and Counting

Two weeks ago I blogged about ICANN's astonishingly lucrative domain auctions. At that time, they'd raised $26.7 million. Now, two auctions later, they're up to about $33 million. Yesterday's two auctions were for .MLS and .BABY. The former, for those who aren't deep into the real estate biz, stands for Multiple Listing Service, the system that lets you list a house with one broker, and all the other brokers can sell it. more»

Can Big Companies Stop Being Hacked?

The recent huge security breach at Sony caps a bad year for big companies, with breaches at Target, Apple, Home Depot, P.F.Changs, Neiman Marcus, and no doubt other companies who haven't admitted it yet. Is this the new normal? Is there any hope for our private data? I'm not sure, but here are three observations... This week Brian Krebs reported on several thousand Hypercom credit card terminals that all stopped working last Sunday. Had they all been hacked? more»

Dealing With DMARC

DMARC is an anti-phishing scheme that was repurposed in April to try to deal with the fallout from security breaches at AOL and Yahoo. A side effect of AOL and Yahoo's actions is that a variety of bad things happen to mail that has 'From:' addresses at aol.com or yahoo.com, but wasn't sent from AOL or Yahoo's own mail systems. If the mail is phish or spam, that's good, but when it's mailing lists or a newspaper's mail-an-article, it's no so good. more»

Why Do We Accept $10 Security on $1,000,000 Data?

Last week we heard of yet another egregious security breach at an online provider, as crooks made off with the names, address, and birth dates of eBay users, along with encrypted passwords. They suggest you change your password, which is likely a good idea, and you better also change every other place you used the same password. But that's not much help since you can't change your name, address, and birth date, which are ever so handy for phishing and identity theft. more»

AOL Has a Security Hole, and It's Our Problem

Two weeks ago I wrote about Yahoo's unfortunate mail security actions. Now it's AOL's turn, and the story, as best as I can piece it together, is not pretty. Yahoo used an emerging system called DMARC, which was intended to fight phishing of often forged domains like paypal.com. A domain owner can publish a DMARC "reject" policy which, oversimplifying a little, tells the world that if mail with their name on the 'From:' line didn't come from their servers, it's not from them so you should reject it. more»

Open Source Software Is the Worst Kind Except for All of the Others

Heartbleed, for anyone who doesn't read the papers, is a serious bug in the popular OpenSSL security library. Its effects are particularly bad, because OpenSSL is so popular, used to implement the secure bit of https: secure web sites on many of the most popular web servers such as apache, nginx, and lighttpd. A few people have suggested that the problem is that OpenSSL is open source, and code this important should be left to trained professionals. They're wrong. more»

Yahoo Addresses a Security Problem by Breaking Every Mailing List in the World

DMARC is what one might call an emerging e-mail security scheme. It's emerging pretty fast, since many of the largest mail systems in the world have already implemented it, including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo. DMARC lets a domain owner make assertions about mail that has their domain in the address on the 'From:' line. It lets the owner assert that mail will have a DKIM signature with the same domain, or an envelope return (bounce) address in the same domain that will pass SPF validation. more»

New TLD Update

Here's a chart showing the ten largest new Top-Level Domains (TLDs) and the number of domains in each one, going back five days. It's updated every day around 3 AM New York time, so visit early and often. Data is from downloaded TLD zone files. Some new TLDs don't have zone files available yet but I don't think any of them are very big. more»

How Are ICANN's New TLDs Doing?

ICANN has now accepted several hundred new top level domains (TLDs) and some of them are now open for general registration. I have sized up for zone file access, so I can download daily snapshots of most of the active zones, and I'm making daily counts of the number of names in each zone. more»

The Name Collision Conference

Earlier this week Verisign sponsored a two day conference on name collisions in the DNS. Despite the very short time frame in which it was organized, only a month from announcement to meeting, there were some very good presentations. I'll just hit some highlights here; all of the papers and slides are on their web site at namecollisions.net. Sunday morning started with a keynote by Bruce Schneier, who is not a DNS expert (and doesn't claim to be) but had some interesting observations on names in general. more»

Fine Grained Mail Filtering With IPv6

One of the hottest topics in the email biz these days (insofar as any topic is hot) is how we will deal with mail on IPv6 networks. On existing IPv4 networks, one of the most effective anti-spam techniques is DNSBLs, blackists (or blocklists) that list IP addresses that send only or mostly spam, or whose owners have stated that they shouldn't be sending mail at all. DNSBLs are among the cheapest of anti-spam techniques since they can be applied to incoming mail connections without having to receive or filter spam. more»

The Naive Arrogance of FUSSPs

Everyone who's been in the e-mail biz long enough knows the term FUSSP, Final Ultimate Solution to the Spam Problem, as described in a checklist from Vern Schryver and a form response that's been floating around the net for a decade. FUSSPs fall into two general categories, bad ideas that won't go away, and reasonable ideas that are oversold. more»

An Internet Governance Update

A lot of people (including me) are pretty upset at revelations of the breadth and scale of NSA spying on the Internet, which has created a great deal of ill will toward the US government? Will this be a turning point in Internet Governance? No, smoke will continue to be blown and nothing will happen. Governments are not monolithic. What people call Internet governance is mostly at the DNS application level, and perhaps the IP address allocation. more»

Wow. That's a Lot of Reserved Names

ICANN recently updated the list of reserved second level domain names. Those are names that you won't be able to register in any of the 1500 or so new domains they're planning to add. There's rather a lot of them, currently 629. The names are in three groups, the ICRC (the Red Cross), the IOC (the Olympic games) and everyone else. Several years ago the Red Cross and later the Olympics came to ICANN and insisted that they make a special list of forbidden names, separate from the various trademark registries. more»

How Not to Stop Spammers

Spam Arrest is a company that sells an anti-spam service. They attempted to sue some spammers and, as has been widely reported, lost badly. This case emphasizes three points that litigious antispammers seem not to grasp: Under CAN SPAM, a lot of spam is legal; Judges hate plaintiffs who try to be too clever, and hate sloppy preparation even more; Never, ever, file a spam suit in Seattle. more»

Plumbing Neutrality

I've been having arguments about Network Neutrality with a lawyer. My position is that you can't adequately regulate ISPs to be neutral, because there's no agreement what "neutral" means in practice. He points out that the courts aren't interested in technical details like what packets are dropped, it's that all traffic has to be treated the same, and ISPs should just figure out how to do that. So I contemplated a city with Plumbing Neutrality with the simple rule that all people must be treated the same... more»

What's Up With WEIRDS?

The IETF WEIRDS working group is defining a follow-on to WHOIS. Since this is the IETF, it's working on the technical issues about which it can deal with, not policy which is up to ICANN and the country registries. Somewhat to my surprise, the group is making steady progress. We've agreed that the basic model is RESTful, with queries via http, and responses as JSON data structures. The protocol is named RDAP for Registration Data Access Protocol, or maybe RESTful Data Access protocol. more»

Four New Generic Top Level Domains

At its meeting in Durban, ICANN signed contracts with the applicants for four new top level domains. The new domains are شبكة, which means "web" in Arabic, онлайн and сайт, which mean "online" and "site" in Russian, and 游戏, which means "game" in Chinese. They should give us an interesting hint about the future of the new TLDs, because all four are utterly, totally, generic. more»

Google Books Case Part 4,523: Decide Fair Use First

The endless lawsuit by the Authors Guild (which purports to represent authors, no longer including me), against Google moved another small step toward completion today. The Guild is just sure that Google's book scanning project means that end of civilization as we, or at least they, know it. Their arguments run from the somewhat plausible, that the scans are in violation of copyright, to the just plain goofy, that the scan data is so amazingly valuable yet vulnerable that Google must destroy it before someone steals it. more»

CAN SPAM Issues in Zoobuh V. Better Broadcasting

Last week a Utah court issued a default judgement under CAN SPAM in Zoobuh vs. Better Broadcasting et al. I think the court's opinion is pretty good, even though some observers such as very perceptive Venkat Balasubramani have reservations. The main issues were whether Zoobuh had standing to sue, whether the defendants domain names were obtained fraudulently, and whether the opt-out notice in the spam was adequate. more»

Liberty Reserve Now, Bitcoin Next?

The papers have been abuzz with the shutdown of Liberty Reserve, an online payments system, due to accusations of large scale money laundering via anonymous transactions. Many people have noted similarities between LR and Bitcoin and wonder whether Bitcoin is next. I doubt it, because with Bitcoin, nothing is anonymous. more»

ICANN Announces Blocking Usage Review Panel

Culminating a year-long policy development process, ICANN today launched its new Blocking Usage Review Panel (BURP). The BURP provides long-needed oversight over services that block Internet traffic. "While everyone understands that national laws such as the U.S. CAN SPAM define what traffic is or is not elegible to block, legal processes can be slow and cumbersome," said a spokeswoman. "Since the Internet is global and traffic often traverses multiple countries, the array of different laws cause uncertainty." more»

Verisign Doesn't Think the Net Is Ready for a Thousand New TLDs

Yesterday Verisign sent ICANN a most interesting white paper called New gTLD Security and Stability Considerations. They also filed a copy with the SEC as an 8-K, a document that their stockholders should know about, It's worth reading the whole thing, but in short, their well-supported opinion is that the net isn't ready for all the new TLDs, and even if they were, ICANN's processes or lack thereof will cause other huge problems. more»

The Incredible Leakyness of Commercial Mailers (Cont'd)

Last week I blogged about the way that lots of otherwise legitimate companies leak e-mail addresses to spammers. Here's a few more thoughts. One person asked how I knew that these were leaks, and not dictionary attacks, since the addresses I use are fairly obvious, the name of an often well known company @ my domain. It's a reasonable question, but the answer is simple... more»

The Incredible Leakyness of Commercial Mailers

Acronis is a company that sells backup software. They have been around for over a decade, and have lots of big respectable customers. The Wall Street Journal is the nation's leading business newspaper. Equifax is one of the big three national credit bureaus. Shelfari is a book interest web site owned by Amazon. The Economist is a globally influential newsweekly. Airliners.net is a popular photosharing site for airplane enthusiasts. What do they have in common? more»

Making Multi-Language Mail Work (Part 3)

In the previous installments we looked at software changes in mail servers, and in the software that lets user mail programs pick up mail. What has to change in the user mail programs? ... The first and most obvious is that users have to be able to enter the addresses. more»

Verisign Dodges a Bullet, Gets to Keep .COM Pricing

According to a filing with the SEC, the Department of Commerce renewed the .COM agreement for six more years. The renewal was held up until the last minute (the old agreement expired yesterday) due to antitrust concerns, specifically about pricing. The main change in the new agreement is that Verisign is no longer allowed to increase the price above the existing $7.85... more»

Making Multi-Language Mail Work (Part 2)

In the previous instalment we looked at the software changes needed for mail servers to handle internationalized mail, generally abbreviated as EAI. When a message arrives, whether ASCII or EAI, mail servers generally drop it into a mailbox and let the user pick it up. The usual ways for mail programs to pick up mail are POP3 and IMAP4. more»

Making Multi-Language Mail Work (Part 1)

Mail software consists of a large number of cooperating pieces, described in RFC 5598. A user composes a message with a Mail User Agent (MUA), which passes it to a Mail Submission Agent (MSA), which in turn usually passes it to a sequence of Mail Transfer Agents (MTAs), which eventually hand it to a Mail Delivery Agent (MDA) to place it in the user's mail store. If the recipient user doesn't read mail on the same computer with the mail store (as is usually the case these days) POP or IMAP transfers the mail to the recipient's MUA. more»

A Copycat Canadian Privacy Suit Against Gmail

In July, several people filed attempted class action suits against Google, on the peculiar theory that Gmail was spying on its own users' mail. One of the suits was in Federal court, the other two in California state court, but the complaints were nearly identical so we assume that they're coordinated.Now we have a similar suit filed in provincial court in British Columbia, Canada. more»

Unclear on the Concept, Sanctions Edition

United Against Nuclear Iran (UANI) is an advocacy group that, among other things, tries to isolate Iran by pressuring businesses and organizations to stop doing business with Iran. This week they turned their attention to ICANN and RIPE to try to cut off Internet access to Iranian organizations. Regardless of one's opinion about the wisdom of isolating Iran (and opinions are far from uniform), this effort was a bad idea in an impressive number of both technical and political ways. more»

Silly Bing

Bing is Microsoft's newish search engine, whose name I am reliably informed stands for Bing Is Not Google. A couple of months ago, as an experiment, I put up a one page link farm at wild.web.sp.am. As should be apparent after about three seconds of clicking on the links there, each page has links to 12 other pages, with the page's host name made of three names, like http://aaron.louise.celia.web.sp.am. The pages are generated by a small perl script and a database of a thousand first names. more»

ICANN's New TLDs: Of Course There Will Be an Auction - Part 2

A few days ago I opined that if several people want the same Top-Level Domain (TLD) and can't come to terms otherwise, they should arrange a private auction. It would be an odd sort of auction, since the buyers and sellers are the same people, so unlike normal auctions, the goal is not to maximize the selling price. How might it work? more»

ICANN's New TLDs: Of Course There Will Be an Auction - Part 1

The process for ICANN's new TLDs says that if there are several equally qualified applicants for a TLD, and they can't agree which one gets it, ICANN will hold an auction to decide. Recently some people have suggested that the applicants could use a private auction instead. Well, of course. In a situation like this, the question isn't whether there will be an auction, but only who will keep the money. more»

On Search Neutrality

In recent months there's been a robust and apparently well-funded debate about the legal status of search engine results, in particular Google's search results. On Tuesday, Tim Wu, a well-known law professor at Columbia weighed in with an op-ed in the New York Times, arguing that it's silly to claim that computer software has free speech rights. Back in April, equally famous UCLA professor Eugene Volokh published a paper, funded by Google, that came to the opposite conclusion... more»

Wow, That's a Lot of Applications

ICANN unveiled all the applications for new top level domains today, all 1,930 of them. Most of them were fairly predictable, big companies applying for their own names like .IBM, .DUPONT, .AUDI, and .HSBC. The most applications for the same name were 13 for .APP, 11 for .INC and .HOME, 10 for .ART, 9 for .SHOP, .LLC, .BOOK, and .BLOG. None of those claim community support so they'll have to slug it out in the contention process. more»

Running DNSBLs in an IPv6 World

DNS blacklists for IPv4 addresses are now nearly 15 years old, and DNSBL operators have gathered a great deal of expertise running them. Over the next decade or two mail will probably move to IPv6. How will running IPv6 DNSBLs differ from IPv4? There aren't any significant IPv6 DNSBLs yet since there isn't significant unwanted IPv6 mail traffic yet (or significant wanted traffic, for that matter), but we can make some extrapolations from the IPv4 experience. more»

IPv6 DNS Blacklists Reconsidered

I opined about a year ago that DNS blacklists wouldn't work for mail that runs over IPv6 rather than IPv4. The reason is that IPv6 has such a huge range of addresses that spammers can easily send every message from a unique IP address, which means that recipient systems will fire off a unique set of DNSBL queries for every message... Now I'm much less sure this will be a problem... more»

How Spam Has Damaged Mail Forwarding - And Ways to Get Around It

Courtesy forwards have been a standard feature of e-mail systems about as long as there have been e-mail systems. A user moves or changes jobs or something, and rather than just closing the account, the mail system forwards all the mail to the user's new address. Or a user with multiple addresses forwards them all to one place to be able to read all the mail together. Since forwarding is very cheap, it's quite common for forwards to persist for many years. Unfortunately, forwarding is yet another thing that spam has screwed up. more»

Phish or Fair?

It shouldn't be a big surprise to hear that phishing is a big problem for banks. Criminals send email pretending to be a bank, and set up web sites that look a lot like a bank. One reason that phishing is possible is that e-mail has no built in security, so that if a mail message comes in purporting to be from, say, accounts@bankofamerica.com, there's no easy way to tell whether the message is really from bankofamerica.com, or from a crook. more»

World Notices That Verisign Said Three Months Ago That They Had a Security Breach Two Years Ago

The trade press is abuzz today with reports about a security breach at Verisign. While a security breach at the company that runs .COM, .NET, and does the mechanical parts of managing the DNS root is interesting, this shouldn't be news, at least, not now. Since Verisign is a public company, they file a financial report called a 10-Q with the SEC every quarter. According to the SEC's web site, Verisign filed their 10-Q for June through September 2011 on October 28th. more»

The State of Mail Database Marketing

My mail server has a lot of spamtraps. They come from various sources, but one of the most prolific is bad addresses in personal domains. Several of my users have their own domains, such as my own johnlevine.com, in which they use a handful of addresses. Those addresses tend either to be people's first names, for individual mailboxes, or else the names of companies. If I did business with Verizon (which I do not) I might give them an address like verizon@johnlevine.com. All those domains get mail to lots of other addresses, which is 100% spam. more»

Filtering Spam at the Transport Level

An interesting new paper from the Naval Postgraduate School describes what appears to be an interesting new twist on spam filtering, looking at the characteristics of the TCP session through which the mail is delivered. They observe that bots typically live on cable or DSL connections with slow congested upstreams. ... This paper tries to see whether it would be practical to use that info to manage spam in real time. more»

Greylisting Still Works - Part II

In my last post I blogged about greylisting, a well-known anti-spam technique for rejecting spam sent by botnets. When a mail server receives a an attempt to deliver mail from an IP address that's never sent mail before, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail senders always retry, badly written spamware often doesn't. I found that even though everyone knows about greylisting, about 2/3 of IPs don't successfully retry. more»

Greylisting Still Works - Part I

Greylisting is a hoary technique for rejecting spam sent by botnets and other poorly written spamware. When a mail server receives an attempt to deliver mail from a hitherto unseen sending host IP address, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail software does try again, at which point you note that the host knows how to retry and you don't greylist mail from that IP again. more»

The Mainsleaze Blog

Mainsleaze is nerdy slang for spam sent by large, well-known, otherwise reputable organizations. Although the volume of mainsleaze is dwarfed by the volume of spam for fake drugs, account phishes, and Nigerian 419 fraud, it causes work for mail managers far out of proportion to its volume... The problem with mainsleaze is that it is generally mixed in with mail that the recipients asked for, and there's no way to tell the difference mechanically. more»

The Design of the Domain Name System, Part VIII - Names Outside the DNS

In previous installments we've been looking at aspects of the design of the DNS. In today's grand finale we look at the the subtle but very knotty issue of names inside and outside the DNS. In the early years of the DNS, domain names were typically resolved to A records which were used to identify a host running a service. With the notable exception of e-mail, once the host was identified, the name no longer mattered. more»

The Design of the Domain Name System, Part VII - Related Names Are Not Related

In previous installments we've been looking at aspects of the design of the DNS. Today we look at the relationship of similar names in the DNS. A poorly appreciated aspect of the DNS is that there is no inherent relationship between similar looking names. more»

The Design of the Domain Name System, Part VI - Overloaded Record Types

In the five previous exciting installments, we've been looking at aspects of the design of the DNS. Today we look at records types, and how you can tell what a DNS record means. All the records in the DNS are strongly typed. Each record includes an RRTYPE, a small number, which defines both the format of the record and what the record means. It is possible and common to have different record types with the same format, but different meanings. more»

The Design of the Domain Name System, Part V - Large Data

In the previous four installments, we've been looking at aspects of the design of the DNS. Today we look at the amount of data one can ask the DNS to store and to serve to clients. Most DNS queries are made via UDP, a single packet for query and a single packet for the response, with the packet size traditionally limited to 512 bytes. This limits the payload of the returned records in a response packet to about 400 bytes... more»

The Design of the Domain Name System, Part IV - Global Consistency

In the previous installments, we've been looking at aspects of the design of the DNS. Many databases go to great effort to present a globally consistent view of the data they control, since the alternative is to lose credit card charges and double-book airline seats. The DNS has never tried to do that. The data is roughly consistent, but not perfectly so. more»

The Design of the Domain Name System, Part III - Name Structure and Delegation

In the previous installments, we looked at the overall design of the DNS and the way DNS name matching works. The DNS gains considerable administrative flexibility from its delegation structure. Each zone cut, the place in the DNS name tree where one set of DNS servers hands off to another, offers the option to delegate the administration of a part of the DNS at the delegation point. more»

The Design of the Domain Name System, Part II - Exact and Approximate Name Matching

In the previous installment, we looked at the overall design of the DNS. Today we'll look at the ways it does and does not allow clients to look up data by name. The most important limitation of the DNS, compared to other databases, is that it only does exact match lookups. That is, with a few minor exceptions, the name in the query has to match the name of the desired records exactly. more»

The Design of the Domain Name System, Part I

Over the past 30 years the Domain Name System has become an integral part of the operation of the Internet. Due to its ubiquity and good performance, many new applications over the years have used the DNS to publish information. But as the DNS and its applications have grown farther from its original use in publishing information about Internet hosts, questions have arisen about what applications are appropriate for publication in the DNS, and how one should design an application to work well with the DNS. more»

Email in the World's Languages - Part III

In our last instalments we discussed the various ways to encode non-ASCII character sets, of which UTF-8 is the winner, and some complex approaches that tried to make UTF-8 mail backward compatible with ASCII mail. After years of experiments, the perhaps surprising consensus is that if you're going to do international mail, you just do it. more»

Email in the World's Languages - Part II

In our last installment we discussed MIME, Unicode and UTF-8, and IDNA, three things that have brought the Internet and e-mail out of the ASCII and English only era and closer to fully handling all languages. Today we'll look at the surprisingly difficult problems involved in fixing the last bit, internationalized e-mail addresses. more»

Email in the World's Languages - Part I

Back when the Internet was young end servers came with shovels (for the coal), everyone on the net spoke English, and all the e-mail was in English. To represent text in a computer, each character needs to have a numeric code. The most common code set was (and is) ASCII, which is basically the codes used by the cheap, reliable Teletype printing terminals everyone used as their computer consoles. ASCII is a seven bit character code, code values 0 through 127, and it includes upper and lower case letters and a reasonable selection of punctuation adequate for written English. more»

The New gTLD Chess Game

On June 20th, the ICANN board voted to move ahead with the new generic Top-Level Domains (gTLDs) program, intended to add hundreds, if not thousands of new names to the DNS root. Now what? Not even the most enthusiastic ICANN supporters think that any new TLDs will be added before the end of 2012, but there are other things going on that greatly complicate the outlook. more»

The gTLD Boondoggle

I've been watching at the excitement build in the domain community, where a lot of people seem to believe that at next month's Singapore meeting, by golly, this time ICANN will really truly open the floodgates and start adding lots of new Top-Level Domains (TLDs). I have my doubts, because there's still significant issues with the Governmental Advisory Committee (GAC) and the US Government and ICANN hasn't yet grasped the fact that governments do not defer to NGOs, but let's back up a little and ask is this a good idea. more»

IP Addresses as Money

It's no secret that the supply of IPv4 addresses, on which the Internet has been based since the dawn of digital time, is rapidly running out. The official replacement is much larger IPv6 addresses, but I can report from experience that the task of switching is not trivial, and for a long time there will be a lot of the net that's only on IPv4. So once the initial supply of IPv4 addresses run out, and the only way to get some is to buy them from someone else, what will the market be like? more»

What Next for Email Service Providers?

It's been a very bad month for ESPs, companies that handle bulk mailings for their clients. Several of them have had internal security breaches, leaking client information, client mailing lists, or both. Many have also seen clients compromised, with the compromised credentials used to send spam. The sequence of events suggests all the ESPs whose clients were compromised were themselves compromised first. (That's how the crooks knew who to attack.) more»

ICANN Approves .XXX Again

At Friday's board meeting, ICANN once again narrowly approved the contentious .XXX domain intended for pornography. What this vote primarily shows is that ICANN's processes have been broken for a long time, and aren't getting fixed. Two board members made thoughtful and eloquent statements before the vote outlining the reasons they were about to vote for or against the domain. more»

A Politically Incorrect Guide to IPv6

Unless you've been living under a rock, you've doubtless seen reports that the supply of IPv4 addresses is running out. Earlier this month IANA, the master allocation authority, handed out the last so-called /8, a large chunk of 16 million addresses, to one of the regional address registries... Then what? The conventional wisdom is that everyone needs to support IPv6, a mostly compatible upgrade to IPv4 with much larger addresses, by the time the v4 space runs out. But I'm not so sure, particularly for e-mail. more»

Domains and the Freedom to Speak

For a very long time, predating the birth of ICANN, there's been a running battle about what should be required when one registers domain names. To oversimplify quite a lot, one side sees domain names as an essential component of free speech, so anyone should be able to register any domain without limit, the other notes that they're primarily used for commercial purposes and they enable quite a lot of mischief, so the more control, the better. more»

Do-Not-Track: Still Not a Great Idea

Back in August, FTC chair Jon Leibowitz suggested an Internet do-not-track registry, analogous to the telephone do-not-call registry. At the time, I thought it wasn't a good idea for both technical and non-technical reasons. This week, the FTC published an online privacy report recommending the same thing, and Rep. Ed Markey promises to offer a bill next year to mandate do-not-track for children. With all this interest, might it be a good idea now? Maybe. more»

Why DNS Blacklists Don't Work for IPv6 Networks

All effective spam filters use DNS blacklists or blocklists, known as DNSBLs. They provide an efficient way to publish sets of IP addresses from which the publisher recommends that mail systems not accept mail. A well run DNSBL can be very effective; the Spamhaus lists typically catch upwards of 80% of incoming spam with a very low error rate. DNSBLs take advantage of the existing DNS infrastructure to do fast, efficient lookups. A DNS lookup typically goes through three computers... more»

Yet Another Unfortunate CAN SPAM Case

The case Melaleuca v. Hansen has been moving slowly through Idaho federal court since 2007. On Sept 30 the court decided in favor of the defendants. Although the outcome is probably correct, the court's decision perpetuates the misreading of CAN SPAM from the infamous Gordon case that makes it in practice impossible to win a CAN SPAM case in the 9th Circuit. more»

How Not to Get Your Mail Delivered

A small company in suburban Philadelphia called Holomaxx recently filed two lawsuits against large webmail providers, complaining that they weren't delivering mail from Holomaxx. The first suit is against Microsoft and Return Path, and the second suit is against Yahoo and Cisco/Ironport. Neither is going anywhere. more»

A Tempest in a Libyan Teapot

The .LY domain is Libya, and their government recently cancelled the registration of the short and snappy VB.LY, provoking great gnashing of teeth. If you direct your attention to the address bar above this page, you'll note that it's at JL.LY, equally short and snappy. The .LY registry started allowing two letter second-level domains last year, and there was a quiet land rush. Now they restrict those domains to people actually in Libya, but say they'll let us keep the ones we have. How concerned am I that they'll take my domain away, too? more»

The Spamhaus Whitelist

For several months I have been working with the Spamhaus project on a whitelist, which we announced to the public this week. While this is hardly the first mail whitelist, our goals are somewhat different from other whitelists. Think of e-mail as ranging from inky black to pearly white... more»

ARF is Now an IETF Standard

When a user of a large mail system such as AOL, Yahoo, or Hotmail reports a message as junk or spam, one of the things the system does is to look at the source of the message and see if the source is one that has a feedback loop (FBL) agreement with the mail system. If so, it sends a copy of the message back to the source, so they can take appropriate action, for some version of appropriate. For several years, ARF, Abuse Reporting Format, has been the de-facto standard form that large mail systems use to exchange FBL reports about user mail complaints. more»

Google and Verizon Offer a Gift to Spammers

Earlier today, Google and Verizon offered a widely publicized "Proposal for an Open Internet." There's been extensive comment with lots of reasons not to like it, but one I haven't seen is that the proposal would make it much harder to filter so-called "mainsleaze" spam. ... The problem is that under the pitifully weak CAN-SPAM law, a lot of spam is entirely legal. more»

Even if Do-Not-Track Were a Good Idea, Could It Ever Work?

In a recent article, I read about increasingly intrusive tracking of online users, which has lead to a proposal at the FTC, "FTC Chairman Jon Leibowitz said the system would be similar to the Do-Not-Call registry that enables consumers to shield their phone numbers from telemarketers." Maybe I'm dense, but even if this weren't a fundamentally bad idea for policy reasons, I don't see how it could work. more»

Does the First Amendment Forbid Spam Filtering?

A friend of mine wrote to ask: "The Supreme Court overturned the Jaynes conviction on First Amendment grounds, yes? I'm wondering what that could mean from the spam filtering perspective." Spam filters, and in particular DNS blacklists are intended to prevent e-mail from being delivered. Doesn't the First Amendment make it illegal to block speech? The short answer is no, but of course it's slightly more complicated than that in practice. more»

The .XXX Fiasco is Almost Over

At Friday's meeting of the ICANN board in Brussels, they voted, probably for the last time, to approve the 2004 application for the .XXX domain. Purely on the merits, there is of course no need for a top level domain for porn. This isn't about the merits, this is about whether ICANN follows its own rules. Despite overheated press reports, .XXX will not make porn any more available online than it already is (how could it?), there is no chance of all porn being forced into .XXX (that's a non-starter under US law), and .XXX will have no effect on the net other than perhaps being a place to put legal but socially marginal porn far away from any accidental visitors. more»

VeriSign Leaves the Security Certificate Business

Earlier this week in a press release, VeriSign said that they are selling their SSL certificate business to Symantec. VeriSign is the dominant player in this market, having absorbed competitor Thawte in 1999, and Geotrust in 2006. Three years ago, when VeriSign decided to divest its non-core businesses, they kept the certificate business. So what's changed? more»

The Real Issue About ICANN and .XXX

Way back in 2004, ICANN invited applications for a round of new TLDs. They got quite a few. Some were uncontroversial, such as .JOBS for the HR industry. Some were uncontroversial but took a long time, such as .POST which took five years of negotiation, entirely due to the legal peculiarities of the registry being part of the UN. But one was really controversial, .XXX. By 2005, the applicant, ICM registry, had satisfied all the criteria that ICANN set out in the 2004 round to get .XXX approved, and ICANN has been stalling them ever since... more»

Why Aren't There More Spam Lawsuits?

The CAN SPAM act has been in place for five and a half years. Compatible state laws have been in place nearly as long. Anti-spam laws in the EU, Australia, and New Zealand were enacted years ago. But the number of significant anti-spam lawsuits is so small that individual bloggers can easily keep track of them. Considering that several billion spams a day are sent to people's inboxes, where are all the anti-spam lawsuits? more»

More on Portable Email Addresses

Last month a bill in the Israeli Knesset would have required ISPs to provide portable e-mail addresses, analogous to portable phone numbers that one can take from one phone company to the other. As I noted at the time, e-mail works differently from telephone calls, and portability would be difficult, expensive, and unreliable. So I was wondering, idly, if we really wanted to provide portable e-mail addresses, how hard would it be? more»

Another Spam Case Lost in Washington, or Gordon Strikes Again

Bennett Haselton, who runs the Peacefire anti-censorship site, is one of the more successful anti-spam litigants. He says he's filed about 140 suits, mostly in small claims court, and has won the majority of the suits that got far enough to be decided on the merits. But last month, in Federal court in Seattle, he lost a suit against Quicken Loans that he should have won, partly because of his own mistakes, but largely because of the pernicious effect of Gordon vs. Virtumundomore»

Are Portable Email Addresses Possible?

News reports say that the Israeli government is close to passing a law that requires portable e-mail addresses, similar to portable phone numbers. Number portability has been a success, making it much easier to switch from one provider to another, and address portability might ease switching among ISPs. But e-mail is not phone calls. Is it even possible? more»

Google Loses Another Domain Name Dispute

For the benefit of trademark owners, ICANN has something called the UDRP (Uniform Dispute Resolution Process) that allows the owner to file a complaint against an allegedly infringing domain name, to be resolved by one of a small set of arbitrators. About 90% of UDRP cases that proceed to a decision are decided in favor of the complainant; opinions differ as to whether that's because of the merit of the complaints or the institutional bias of the arbitrators. more»

Just Make It Stop

In a recent discussion among mail system managers, we learned that one of the large spam filter providers now has an option to reject all mail from ESPs (e-mail service providers, outsourced bulk mailers) regardless of opt-in, opt-out, spam complaints, or anything else, just block it all. Some of the ESPs wondered what would drive people to do that... more»

US Court Levies $15 Million Fine Against Spammer

Earlier this year, the New Zealand Department of Internal Affairs, the US Federal Trade Commission, and the Australian CMA broke up a large fake drug spam ring known as Herbal Kings, run by New Zealander Lance Atkinson. The NZ government fined him NZ$108,000 (about US$80,000) which, while a substantial fine, seemed pretty small compared to the amount of money he must have made. But today, at the FTC's request a US judge fined Atkinson US$15.5 million, and got his US accomplice Jody Smith to turn over $800,000, including over $500,000 in an Israeli bank. more»

A Thought About Not-Quite-ASCII Top Level Domains

ICANN has opened their new fast track process for "countries and territories that use languages based on scripts other than Latin" to get domain names that identify the country or territory in its own language. It's not clear to me what the policy is supposed to be for countries whose languages use extended Latin with accents and other marks that aren't in the ASCII set. more»

How Do You Do Secure Bank Transactions on the Internet?

Banks love it when their customers do their transactions on line, since it is so much cheaper than when they use a bank-provided ATM, a phone call center, or, perish forbid, a live human teller. Customers like it too, since bank web sites are usually open 24/7, there's no line and no need to find a parking place. Unfortunately, crooks like on line banking too, since it offers the possibility of stealing lots of money. How can banks make their on line transactions more secure? more»

The Tempest in the TLD Teapot

At its recent meeting in Seoul ICANN announced with great fanfare that it's getting ever closer to adding lots of new Top Level Domains (TLDs). Despite all the hype, new TLDs will make little difference... I agree with my old friend Lauren Weinstein that this is a tempest in a very expensive teapot, because all of the purported reasons that people want new TLDs have been proven false, and the one actual reason that a new TLD would be valuable has no public benefit. more»

Helping Banks Fight Phishing and Account Fraud, Whether They Like It or Not

On Wednesday, Project Honey Pot filed an unusual lawsuit against "John Does stealing money from US businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam." Their attorney is Jon Praed of the Internet Law Group, who is one of the most experienced anti-spam lawyers around, with whom I have worked in the past. more»

Are Phishing and Malware Separate Threats?

Phishing is when bad guys try to impersonate a trusted organization, so they can steal your credentials. Typically they'll send you a fake e-mail that appears to be from a bank, with a link to a fake website that also looks like the bank. Malware offers another more insidious way to steal your credentials, by running unwanted code on your computer... I like VeriSign's characterization of this kind of malware as an insecure endpoint, the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it. more»

Why Can't We Make the Internet Secure?

In a discussion about a recent denial of service attack against Twitter, someone asked, "Some class of suppliers must be making money off of the weaknesses. Anybody out there have a prescription for the cure?" Sure, but you're not going to like it. The Internet was originally a walled garden, where its operators knew who all the users were and could eject anyone who misbehaved... more»

How Unconscionable is the Profit That Verisign Makes from Its Registry?

VeriSign makes a great deal of money from the .COM and .NET registries. Can we tell how much they make, and how much that might change if the CFIT lawsuit succeeds? It's not hard to make some estimates from public information. The largest gTLD registry that VeriSign doesn't run is .ORG, which was transferred a few years ago to the Public Internet Registry (PIR) which pays Afilias to run the registry, and uses whatever is left over to support the Internet Society (ISOC)... more»

Three Myths About DKIM

The DKIM standard has been out for two years now, and we're starting to see some adoption by large mail systems, but there's still a lot of misunderstanding about what DKIM does and doesn't do... Any a mail system can add a signatures to the messages it handles, and spammers can sign their mail, too. A DKIM signature contains, stripped down to its basics, the domain of the signer and a checksum of the message. more»

What are TLDs Good For?

Yesterday I said that the original motivations for adding new TLDs were to break VeriSign's monopoly on .COM, and to use domain names as directories. Competitive registrars broke the monopoly more effectively than any new domains, and the new domains that tried to be directories have failed. So what could a new TLD do? more»

Who Needs More TLDs?

ICANN's Sydney meeting has come and gone, with the promised flood of new Top-Level Domains (TLDs) claimed to be ever closer to reality. Does the world need more TLDs? Well, no. Way back in the mid 1990s, it seemed obvious that Internet users would use the DNS as a directory, particularly once early web browsers started to add .COM to words typed in the address bar. This led to the first Internet land rush, with heavy hitters like Procter and Gamble registering diarrhea.com in 1995... more»

Appeals Court Revives the CFIT Anti-Trust Suit Against VeriSign

Back in 2005 an organization called the Coalition for Internet Transparency (CFIT) burst upon the scene at the Vancouver ICANN meeting, and filed an anti-trust suit against VeriSign for their monopoly control of the .COM registry and of the market in expiring .COM domains. They didn't do very well in the trial court, which granted Verisign's motion to dismiss the case. But yesterday the Ninth Circuit reversed the trial court and put the suit back on track. more»

Fight Phishing With Branding

Phishing, stealing personal information by impersonating a trusted organization, is a big problem that's not going away. Most antiphishing techniques to date have attempted to recognize fake e-mail and fake web sites, but this hasn't been particularly effective. A more promising approach is to brand the real mail and real web sites. more»

A "G12" to Oversee ICANN? Not Likely

Viviane Redding, the Information Society and Media Commissioner for the EC posted a video blog this week noting that the JPA between ICANN and the US Department of Commerce ends this September. In it she proposes that ICANN be overseen by a "G-12 for Internet Governance" with 12 geographically balanced government representatives from around the world. That's such a non-starter that I'm baffled that she would even propose it... more»

The Jaynes Case is Finally Over

Last September the Virginia Supreme Court issued a surprise ruling that reversed its previous decision and threw out the state’s anti-spam law on First Amendment grounds. The Commonwealth made a last ditch appeal to the US Supreme Court, which I predicted they’d be unlikely to accept. I guessed right... more»

How Hard Is It to Deploy DKIM?

It's coming up on two years since the DomainKeys Identified Mail (DKIM) standard was published. While we're seeing a certain amount of signed mail from Google, Paypal, and ESPs, there's still a long way to go. How hard is it to sign your mail with DKIM? The major hurdle might seem to be getting mail software that can sign outgoing mail. more»

ICANN Blows $4.6 Million In Stock Market

If you visit the new dashboard on ICANN's web site, you see some nice bar charts, including one rather large negative number of $4,462,000. If you click the little arrow at the top of the Financial Performance chart, a footnote window pops open where the last sentence is: "The large variance to budget is due to investment losses of $4.6 mil." Investment losses? Yup, ICANN's been speculating in the stock market... more»

Who Pays for Email?

An acquaintance wondered why the people who run the systems that receive mail get to make all the rules about what gets delivered. After all, he noted: "The sender pays for bandwidth and agrees to abide by the bandwidth provider's rules." It is useful to think of the Internet as a collection of tubes, all leading from the periphery to the middle, where the middle is approximately "the peering point." The sender has paid for the tubes leading from himself to the middle... more»

US Department of Commerce Doesn't Like ICANN's New Domain Plan

ICANN's authority to manage top level of the DNS comes from a two-year Joint Project Agreement (JPA) signed with the US Department of Commerce in 1997, since extended seven times, most recently until September 2009. Since the DoC can unilaterally cancel the JPA which would put ICANN out of the DNS business, when DoC speaks, ICANN listens. On Thursday, the US DoC sent a scathing letter to ICANN about the proposed plan to sell large numbers of new top-level domains (TLDs). There's a long list of issues... more»

ICANN Sets the Schedule to Kill Domain Tasting

Domain tasting, as everyone probably knows by now, is the disreputable practice of registering lots of domains, seeing how much traffic they get, and then using the five day Add Grace Period (AGP) to refund the 99.9% of them that aren't worth paying for. A related abuse is front running, registrars speculatively grabbing domains that people inquire about to prevent them from using a different registrar. more»

Facebook Wins $800M Against Spammer. So What?

In a widely reported court case, Facebook won an $800M default judgment and injunction against a Montreal man named Adam Guerbuez, who has a long and sordid history. But it probably won't make any difference. The problem is that he's in Canada. more»

Domain Registrar Hide and Seek

In the past year ICANN has been putting a lot more effort into its compliance activities, which is a good thing, since the previous level was, ah, exiguous. That's the good news. The bad news is that while they're paying more attention to misbehaving registrants, the registrars, gatekeepers to the world of domains, have serious issues that ICANN has yet to address. more»

Users Don't Like Forwarded Spam

A message on Dave Farber's Interesting People list complained that Comcast was blocking mail forwarded by DynDNS, a popular provider of DNS and related services for small-scale users... Actually, they're blocking it because a lot of it is spam. This is a problem that every mail forwarder and every mail system encounters; the only unusual thing here is that DynDNS is whining about it. It's yet another way that spammers have broken the mail for the rest of us. more»

Cluck, Cluck… ICANN and Contract Compliance Enforcement

I've always been a fan of co-ops. In New York, we shop at greenstar.coop and my wife banks at alternatives.coop, in the UK we shop at co-operative.coop. So when the .COOP domain opened, I wondered if I could get my own clever domain name, but found that chicken.coop was taken by a small producer co-op in the southern U.S. Drat. more»

Kentucky Governor: All Your Gambling Sites Belong to Us

According to news reports, the governor of Kentucky has filed a suit in state court to seize 141 gambling domain names. His claimed authority is a 1974 law against "gambling devices", on the theory that a domain is a "device", and online gambling is taking money away from in-state horse racing and the lottery. The judge sensibly has said that he doesn't understand all the issues, and has given all sides a week to submit briefs. more»

Virginia Court Throws Out Spam Law; One Spammer Gets Away With It

The 2004 criminal spam case against large-scale spammer Jeremy Jaynes, which I've covered in several previous blog entries, appears to have come to an ignominious end with the state supreme court throwing out the law under which he was convicted. The Virginia anti-spam law was one of the first in the country with criminal provisions, but it failed due to the way that First Amendment cases are treated differently from all other cases. more»

ICANN Paints Itself Into a Corner

ICANN recently commissioned a report from a domain auction company to see whether it would be a good idea to auction Top-Level Domains (TLDs) that have multiple applicants. Remarkably, the domain auctioneers came to the conclusion that auctions are a great idea, which they surely are for some people. But are they a good idea for ICANN? And if ICANN admits they can't evaluate competing applications on their merits, how can they keep the process from turning into another speculative land grab? more»

Why We'll Never Replace SMTP

An acquaintance asked whether there's been any progress in the oft-rumored project to come up with a more secure replacement for SMTP. Answer: No. Truly, spam isn't a technical problem, it's a social one. If we could figure out some way to make mail recipient networks and hosts willing to shun known bad actors, even at the cost of losing some real mail for a while until the bad actors cave, it would make vastly more difference than any possible technical changes. more»

Why New TLDs Don't Matter

Lost amid the furor about ICANN's rule change that may (or may not) lead to a flood of TLDs is the uncomfortable fact that almost without exception, the new TLDs created since 2000 have been utter failures. Other than perhaps .cat and .mobi, they've missed their estimates of the number of registrations by orders of magnitude, and they haven't gotten mindshare in the target community. So what went wrong? more»

ICANN to Add New Top-Level Domains, World to Come to an End

The biggest buzz from the Paris ICANN meeting was that the board accepted last fall's proposal for a streamlined process to add new TLDs. A variety of articles in the mainstream press, many featuring inflammatory but poorly informed quotes (from people who probably got a phone call saying "We go to press in five minutes, what do you think about ICANN's plan to add a million new domains?") didn't help. When can we expect the flood of TLDs? Don't hold your breath... more»

Dot Travel Still Isn't Dead Yet

I've writen several blog entries about the continued downward swirling motion of Tralliance, the company that runs the registry for .TRAVEL. In this month's installment, as told in their quarterly 10-Q SEC filing, they flirt with bankruptcy but may well end up more stable than before. One of the more eye-catching paragraphs says... more»

CAN SPAM and Affiliate Mailer Opt-Out

Many online businesses use affiliates to drum up business. The affiliate finds a lead somewhere, passes it to the business, and gets a commission if the lead turns into a sale. Web based affiliates are relatively uncontroversial, but affiliates who advertise by e-mail are a chronic problem due to their propensity to send spam, both spam as normally defined and as defined by CAN SPAM. Is it possible to do legitimate e-mail affiliate marketing? Maybe... more»

Wow, Sanford Wallace Owes a Lot of Money

Last September MySpace sued ur-spammers Sanford "Spamford" Wallace and Walt "Pickle Jar" Rines were for egregious violations of CAN SPAM. Neither responded, so as was widely reported, earlier this week the court granted a default judgement. Since they sent a lot of spam, the statutory damages came to an enormous $235 million. Even for Spamford, that's a lot of money. more»

Jeremy Jaynes Gets One More Chance

n 2004 Jaynes became the country's first convicted spam felon under the Virginia anti-spam law. He's been appealing his conviction ever since, most recently losing an appeal to the Virginia Supreme Court by a 4-3 decision in February. As I discussed in more detail at the time the key questions were a) whether the Virginia law had First Amendment problems and b) whether Jaynes had standing to challenge it. The court answered No to b), thereby avoiding the need to answer a), the dissent answered Yes to both. more»

Colorado Has a New Spam Law

The governor of Colorado recently signed a new anti-spam law [PDF] into effect. Since CAN SPAM draws a tight line around what states can do, this law is mostly interesting for the way that it pushes as firmly against that line as it can. Other observers have already done a legal analysis of the way it's worded to avoid being tossed out as the Oklahoma law was in Mummagraphics, and to make it as easy as possible for suits to meet the falsity or deception limits in CAN SPAM. To me the most interesting part of this law is its one-way fee recovery language... more»

ICANN GNSO Votes to Kill Domain Tasting

The ICANN Generic Names Supporting Organization has had tasting on its agenda since last fall, with a staff report issued in January, and a proposed anti-tasting policy written in March. On Thursday the 17th, the GNSO put the proposed policy to a vote, and it passed overwhelmingly. Under ICANN rules, the ICANN board has to take up the resolution at its next meeting, and since it was approved by a supermajority, it becomes ICANN policy unless 2/3 of the board votes against it, which in this case is unlikely. more»

Comcast 1, E360 0

The judge in E360 vs. Comcast filed his order yesterday (read previous postings here and here), and to put it mildly, he agreed with Comcast. It starts: "Plaintiff e360Insight, LLC is a marketer. It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer." ...and from E360's viewpoint, goes downhill from there. more»

Sender Address Verification: Still a Bad Idea

A lot of spam uses fake return addresses. So back around 2000 it occurred to someone that if there were a way to validate the return addresses in mail, they could reject the stuff with bad return addresses. A straightforward way to do that is a callout, doing a partial mail transaction to see if the putative sender's mail server accepts mail to that address. This approach was popular for a few years, but due to its combination of ineffectiveness and abusiveness, it's now used only by small mail systems whose managers don't know any better. What's wrong with it? more»

A Third, More Interesting Round in E360 vs. Comcast

In the past week, Comcast filed an answer, denying all of E360's charges, and attached to it a motion to file a most impressive counterclaim. The court granted the motion on Monday so the counterclaim has been filed. At about the same time, E360 filed its response to Comcast's previous motion to dismiss the suit due to its utter lack of legal merit. more»

More on the Soloway Case

I've now read Soloway's plea agreement. Despite some claims from his lawyers that it's some kind of victory that he only pleaded to three of the 40 charges, with the rest being dismissed, it's clear from the agreement that he indeed did just about everything that the government charged. The government as is usual had several similar charges in each category. more»

Robert Soloway Pleads Guilty

Large scale spammer Robert Soloway, whose criminal trial was scheduled to start in a week and a half pled guilty to most of the charges against him. The indictment made three categories of charges. Counts 1-10 were mail fraud, due to Soloway delivering his spamware through the mail, and the product egregiously failing to be what he said it was, notably including 30 million addresses purported to be opt-in. Counts 11-17 seven were wire fraud, sending spam making false claims about the product, support, guarantee... more»

Comcast Fires Back at E360

Back in January, bulk mailer E360 filed a suit against giant cable ISP Comcast. This week Comcast responded with a withering response... Their memorandum of law wastes no time getting down to business: "Plaintiff is a spammer who refers to itself as a "internet marketing company," and is in the business of sending email solicitations and advertisements to millions of Internet users, including many of Comcast's subscribers." Comcast's analysis is similar to but even stronger than the one I made in January... more»

The Anti-Phishing Consumer Protection Act of 2008

Last week Sen. Snowe filed bill S.2661, the Anti-Phishing Consumer Protection Act of 2008, or APCPA. While its goals are laudable, I have my doubts about some of the details. The first substantive section of the bill, Section 3, makes various phishy activities more illegal than they are now in its first two subsections. It makes it specifically illegal to solicit identifying information from a computer under false pretenses, and to use a domain name that is deceptively similar to someone else's brand or name on the web in e-mail or IM to mislead people... more»

More on the Front Running Class Action Suit

Several people pointed out that although the suit still hasn't appeared in PACER, copies of the complaint are available online, including this one [PDF] at Lextext. Having read it, I'm rather underwhelmed... I do not purport to be a lawyer (nor do I usually play one on the net), but it's hard to see how the facts, which are not in serious dispute, would support any of these charges. more»

The Front Running Class Action Suit

In a recent press release, Los Angeles law firm Kabateck Brown Kellner says it's filed a class action suit against Network Solutions and ICANN for front running. (If you tuned in late, NetSol admits that if you query a domain name on their web site, they will speculatively register it so that it's only available through NetSol for five days, at their above market price.) This is a very peculiar suit... For one thing, it's hard to see how the total class damages would be large enough to be worth a suit... more»

Neustar and Afilias Jump on the No-Tasting Bandwagon

In a message posted to the ICANN GNSO list, Avri Doria forwarded along a most interesting document from Neustar, who runs the .biz domain... Neustar proposes to change their registrar agreement so that each registrar will only get credit for deletions of 10% of their new domains, with a few minor exceptions for tiny registrars and bulk registrations due to one-time mistakes. They say they expect Afilias to propose the same change for .info.  more»

Domain Tasting to Go Away for Real This Time

At last week's meeting, the ICANN board uncharacteristially did something and voted to make their fee of 20 cents per domain-year nonrefundable. They expect this to stop both domain tasting and NSI's frontrunning, which it certainly will. It's not clear when this change will go into effect, but it might be within a month. more»

Ralsky Indicted, CAN-SPAM is Still Useless

Well, I read the indictment (available here from Spamhaus.) It's a long litany of criminal behavior, primarily pump and dump stock fraud of a long list of penny stocks from the US and China. Ralsky is described as the "chief executive officer and overall leader" of the scheme... The thing that strikes me about this indictment is that although it includes a lot of CAN SPAM charges, everything Ralsky and Co. did was already illegal under conventional fraud and computer tampering laws. more»

Defendants Respond to Dell's Anti-Tasting Suit

The defendants in Dell's domain tasting suit responded last Friday. It looks like a pretty feeble response to me. Their main argument is that they're just the registrar, and deny Dell's claim that the registrants are fakes made up by the registrar. They also argue that they're not infringing, they didn't use the names in question in commerce, they were just acting as helpful search engines, you know, like Google or Yahoo. (The comparison to Google and Yahoo is theirs.) more»

More on Dell's Anti-Tasting Suit

Dell filed a suit in Florida in early October against a nest of domain tasters in Miami, widely reported in the press last week... The primary defendant is a Miami resident named Juan Vasquez, doing business as several registrars called BelgiumDomains, CapitolDomains, and DomainDoorman, as well as a whole bunch of tiny companies of unknown authenticity... Those registrars have an egregious history of domain churning. I gave a talk on domain tasting at MAAWG in October in which I picked out the registrars who churned the most domains from the May registrar reports, and those three were the worst, each having registered about 500,000 domains, refunded over 10 million... more»

USA Today: Spam Is Bad

A reasonably well informed article in Thursday's USA Today reminds us that in 2004 Bill Gates said the spam problem would be solved in early 2006, but here at the end of 2007 there's more spam than ever. They go through a laundry list of problems of spambots, new kinds of PDF and MP3 spam, and phishing, and a list of of partial or non-solutions including filters, walled gardens, and an odd system called Boxbe, a hybrid of whitelists, challenge/response, and pay for delivery. Oh, and Bill says he never said spam would be solved... more»

How Big is the Storm Botnet?

The Storm worm has gotten a lot of press this year, with a lot of the coverage tending toward the apocalyptic. There's no question that it's one of the most successful pieces of malware to date, but just how successful is it? Last weekend, Brandon Enright of UC San Diego gave a informal talk at the Toorcon conference in which he reported on his analysis of the Storm botnet. According to his quite informative slides, Storm has evolved quite a lot over the past year... more»

Thank Heavens for Class Action Lawyers

If you had an e-mail address any time in the past six years, you've probably gotten spam for something called VigRX for Men, with fairly specific promises that it will make you, ah, manlier. I always wondered how many nitwits could fall for this kind of nonsense. Thanks to a recent class action settlement, we now know that there have been quite a lot of them. A class action suit filed in 2001 in Colorado settled recently, with some quite amazing info in the documents available at http://lemsettlement.com. LEM stands for Leading Edge Marketing, the name used by the defendants for several companies in the US, Canada, and the Bahamas. more»

Zango Verdict is Good News for Spam Filters and Blacklists

Zango, a company that used to be called 180 solutions, has a long history of making and distributing spyware. (See the Wikipedia article for their sordid history.) Not surprisingly, anti-spyware vendors routinely list Zango's software as what's tactfully called "potentially unwanted". Zango has tried to sue their way out of the doghouse by filing suit against anti-spyware vendors. In a widely reported decision last week, Seattle judge John Coghenour crisply rejected Zango's case, finding that federal law gives Kaspersky complete immunity against Zango's complaint... more»

More on WHOIS Privacy

Last week I wrote a note the ICANN WHOIS privacy battle, and why nothing's likely to change any time soon. Like many of my articles, it is mirrored at CircleID, where some of the commenters missed the point. One person noted that info about car registrations, to which I roughly likened WHOIS, are usually available only to law enforcement, and that corporations can often be registered in the name of a proxy, so why can't WHOIS do the same thing? more»

Spamhaus Appeal: They Win on Substance

The Seventh Circuit has issued its opinion in the continuing saga of E360 Insight vs. the Spamhaus Project. While it is not a complete victory for Spamhaus, they did about as well as anyone could have hoped for under the circumstances. E360 won on the procedural issue, while Spamhaus won on the substance. The procedural issue was whether the default judgement against Spamhaus was properly granted last September. The court session was so odd that the appeals decision quotes several pages of the transcript. more»

If WHOIS Privacy is a Good Idea, Why is it Going Nowhere?

ICANN has been wrangling about WHOIS privacy for years. Last week, yet another WHOIS working group ended without making any progress. What's the problem? Actually, there are two: one is that WHOIS privacy is not necessarily all it's cracked up to be, and the other is that so far, nothing in the debate has given any of the parties any incentive to come to agreement. The current ICANN rules for WHOIS say, approximately, that each time you register a domain in a gTLD (the domains that ICANN manages), you are supposed to provide contact information... WHOIS data is public, and despite unenforceable rules to the contrary, it is routinely scraped... more»

Spamford Wallace Gets Sued Yet Again

If there were a lifetime achievement award for losing lawsuits for being annoying, Sanford Wallace would be a shoo-in. Fifteen years ago, his junk faxing was a major impetus for the TCPA, the law outlawing junk faxes. Later in the 1990s, his Cyber Promotions set important legal precedents about spam in cases where he lost to Compuserve and AOL. Two years ago, he lost a suit to FTC who sued his Smartbot.net for stuffing spyware onto people's computers. And now, lest anyone think that he's run out of bad ideas, he's back, on the receiving end of a lawsuit from MySpace... more»

Squeegee Domains

When I was growing up, one of the annoyances of life in New York City was squeegee men. When your car was stopped at a light, these guys would run up, make a few swipes at your windshield with a squeegee, then look menacing until you gave them a tip. It occurs to me that domain "monetizers'' are the Internet's squeegee men. If I make a minor typing error entering a domain name, they run up and offer to sell a link to the place I wanted to go (well, they sell the place I wanted to go a click from me, but close enough.) more»

CAN SPAM Applies Even Within a Single Provider

I recently came across a copy of a ruling in the bizarre case of MySpace vs. theglobe.com. Theglobe.com was the ultimate dot.com bubble company. It started up here in Ithaca, and went public at the peak of dot.com hysteria with one of the the greatest one-day price runups ever. Since then they bought and sold a variety of busineses, none of which ever made any money, including the Voiceglo VoIP service which appears to be what the spam was promoting. more»

ICANN Says Registerfly Domains Moving to Another Registrar

In an entry in the ICANN blog, Paul Levins says they've arranged to move Registerfly's domains to another registrar. They won't say who the other registrar is beyond "an existing accredited Registrar with a demonstrated record of customer service" which could be just about anyone other than Registerfly. They have "most" of the registrant data. All is to be unveiled next week. In the meantime, read the comments on the blog... more»

Stop! Don't Forward That E-mail!

Forwarding e-mail is so easy that it must be legal, right? Not everyone thinks so. Ned Snow at the University of Arkansas recently wrote A Copyright Conundrum: Protecting Email Privacy that argues that forwarding violates the sender's copyright rights, so it's not. The article is quite clever and is (as best I can tell, not being a legal historian) well researched, even if you agree with me that its conclusions are a bunch of codswallop... more»

Oklahoma Spammer Fighter Loses Even Worse

Last December I wrote about Mark Mumma, who runs a small web hosting company in Oklahoma City and his battle with Omega World Travel a/k/a cruise.com. Mumma lost his CAN SPAM suit agains them in December, but Omega's countersuit for defamation went to trial last week, and I hear that the jury awarded Omega $2.5 million in damages, which Mumma is not likely to be able to pay. This may be painted in some circles as a huge defeat for anti-spam activists, but it's not... more»

ICANN to RegisterFly: We Really REALLY Mean It This Time

ICANN's web site has a press release saying that the were granted a temporary restraining order on Monday requiring that Registerfly cough up all the info on their registrants, or else.

My assumption all along has been that the reason that Registerfly hasn't provided full info is because they don't have it. ICANN agrees that they got partial data last month, and it's hard to imagine a reason that Registerfly would have given them some of the data but deliberately held back the rest. I guess we'll know soon enough.

By the way, I hear that ICANN plans to implement their registrar escrow policy, the one that's been in the contracts since 2000, pretty soon. more»

Splitting the Root: It's Too Late

One of the consistent chants we've always heard from ICANN is that there has to be a single DNS root, so everyone sees the same set of names on the net, a sentiment with which I agree. Unfortunately, I discovered at this week's ICANN meeting that due to ICANN's inaction, it's already too late. Among the topics that ICANN has been grinding away at is Internationalized Domain Names (IDNs) that contain characters outside the traditional English ASCII character set... ICANN has tied itself with the issue of homographs, different characters that look the same or mean the same thing. Once people noticed that IDNs let you register different names that look the same, the intellectual property crowd that has always had a mysteriously great influence on ICANN went into a tizzy and they went into lengthy discussions on what to do about them... more»

Registerfly Victims Are Really Stuck Now

Last week I noted here that cutting off collapsed domain Registerfly will leave a huge problem for registrants. ICANN is supposed to have escrowed copies of each registrar's registrant data, but has never got around to setting that up. This means that unless Registerfly can supply the data, there may be no record of the actual owner of their domains. more»

Why I left the ICANN At Large Advisory Committee

For about the last two years, I was a member of ICANN's At Large Advisory Commitee (ALAC), the group charged with representing the interests of ordinary Internet users within ICANN. In case anyone is wondering, here's why I'm not on the ALAC any more. ICANN has a very narrow mission. They maintain the root zone, the list of top-level domain names in the Internet's domain name system. They coordinate numeric IP addresses, with the real work delegated to five Regional Internet Registries. And they keep track of some simple and uncontroversial technical parameters for Internet routing applications... more»

Earthquake in Asia, Spam Plummets

An earthquake on Tuesday near Taiwan caused widespread disruption to telephone and Internet networks. The quake affected an area of the sea bottom with a lot of undersea cables that broke, and since there is only a limited number of cable repair ships, it will take at least weeks to fish them up and splice them. more»

Oklahoma Anti-Spammer Loses Big in Court

In November, Mark Mumma, who runs a little design firm at webguy.com, lost an appeal in the Fourth Federal Circuit. He'd filed suit against cruise.com and their parent Omega World Travel under CAN SPAM and an Oklahoma anti-spam law. Omega countersued for defamation. The court threw out Mumma's case, and allowed part of the defamation case to proceed. At first blush, this looks like a big win for spammers. more»

Dog Eats Opt-Out Requests, FTC Is Not Impressed

Last week the Federal Trade Commission settled a lawsuit against Yesmail, a large ESP (Email Service Provider). The facts of the case are not in dispute, but their meaning is. Yesmail, like most large ESPs, has absorbed a number of its smaller competitors over the years including a company called @Once. Back in 2004, they screwed up their incoming mail so that a whole lot of bounces and opt-out requests were erroneously filtered out as spam. As a result, thousands of people who'd told @Once to stop sending them mail kept getting mail anyway... more»

Huge Increase in Spam in October Email

You may have read reports that the total amount of spam is on the decline. Don't believe them. In the month of October, I saw the amount of spam in my traps here roughly double, from about 50,000 per day to 100,000/day now. In conversations with managers at both ISPs and corporate networks, I'm hearing the same thing. more»

How Much Do You Think a .ORG, .BIZ, or .INFO Domain Costs?

Whatever you think the answer is (typically about ten bucks), the answer is likely to change radically for the worse, based on new contracts that ICANN is planning to approve. On July 28th ICANN posted proposed new contracts for .ORG, .BIZ, and .INFO, for a public comment period that ends four days from now, on the 28th. There's a lot not to like about these proposed contracts, but I will concentrate here on two related particularly troublesome areas, pricing and data mining. more»

Making DKIM More Useful with Domain Assurance Email

The IETF DKIM working group has been making considerable progress, and now has a close-to-final draft. DKIM will let domains sign their mail so if you get a message from fred@furble.net, the furble.net mail system can sign it so you can be sure it really truly is from furble.net. But unless you already happen to be familiar with furble.net, this doesn't give you any help deciding whether you want the message. This is where the new Domain Assurance Council (DAC) comes in... more»

More Top-Level Domain Wildcards

With all of the recent excitement about *.cm, the Cameroonian wildcard that someone is using to collect vast numbers of mistyped .com addresses, I wondered how many other wildcards there were at the DNS top level. There's a total of 13. Half of the wildcards are harmless. The *.museum wildcard leads to a registry page that helps guess what you might have been looking for. ...The .mp page also claims that .mp is for Mobile Phone rather than for the Marianas Islands, but they're hardly the only small poor island to try to cash in on their ccTLD, and they at least run it themselves. more»

Another Try at Proof-of-Work e-Postage Email

Another paper from the Fifth Workshop on the Economics of Information Security, (WEIS 2006) is Proof of Work can Work by Debin Liu and L, Jean Camp of Indiana University. Proof of work (p-o-w) systems are a variation on e-postage that uses computation rather than money. A mail sender solves a lengthy computational problem and presents the result with the message. The problem takes long enough that the sender can only do a modest number per time period, and so cannot send a lot of messages, thereby preventing spamming. But on a net full of zombies, proof of work doesn't work. more»

How Much Money Do Spammers Make?

News reports say that high profile Ryan Pitylak was fined $10 million by the Texas Attorney General. A few days ago, he paid a $1M settlement to Microsoft. Since it had been widely reported that he'd made between $3M and $4M during his spamming career, that seemed like a pretty good deal for him. As I commented to the San Antonio Express, this new fine is more in line with what he did, and at least relieves him of all his ill-gotten gains... more»

In Bad Taste

So-called domain tasting is one of the more unpleasant developments in the domain business in the past year. Domain speculators are registering millions of domains without paying for them, in a business model not unlike running a condiment business by visiting every fast food restaurant in town and scooping up all of the ketchup packets. Since 2003, the contract between ICANN and each unsponsored TLD registry (.biz, .com, .info, .net, .org, and .pro) has added an Add Grace Period (AGP) of five days during which a registrant can delete a newly registered domain and get a full refund. Although this provision was clearly intended to allow registrars to correct the occasional typo and spelling error in registrations, speculators realized that this allows them to try out any domain for five days for free... more»

California Frets about Goodmail Email

On Monday the 3rd, California state Senator Dean Flores held a hearing of the E-Commerce, Wireless Technology, and Consumer Driven Programming committee grandly titled AOL: You Have Certified Mail, Will Paid E-mail Lead to Separate, Unequal Systems or is it the Foolproof Answer to Spam?. The senator's office said they were very eager to have me there, to the extent they offered to fly me out from New York, so since I happened to be on the way home from ICANN in New Zealand that weekend, I took a detour through Sacramento. Sen. Florez conducted the hearing, with Sens. Escutia and Torlakson sitting in briefly. Unfortunately, Sen. Bowen, who is very well informed on these topics, wasn't there. There were five panels of speakers, and I got to lead off... more»

How Bad is Goodmail?

Goodmail Systems made a big splash last week when AOL and Yahoo announced that they will be giving preferential treatment to mail that uses Goodmail's CertifiedEmail service, claiming (implausibly) that this has something to do with stopping spam... Since Goodmail charges senders for each message, some people see this as the end of e-mail as we know it. I have my concerns about Goodmail, but a lot of the concerns are either overblown or based on bad reporting... more»

The Politics of Email Authentication, 2006 Edition

A student at a well-known US university wrote me and asked whether, given the huge national interest in getting the industry to unite behind (at least) one format, did I think that the FTC should've played a stronger role in pushing the industry to adopt an authentication format? I said: Nope. Part of the reason it's taking so long to agree on a standard is that the process is infested with academic theoreticians who are more interested in arguing about hypotheticals and pushing their pet spam solutions than in doing something useful... more»

Time to Renew .coop, .museum, and .aero ICANN

Way back in 2000-2001, ICANN approved a handful of new top level domains, and entered into agreements with their promoters. Three of the sponsored domains, are coming up for renewal next year, so they've sent in their renewal proposals. A sponsored domain is one that restricts who can register to members of a particular community, in this case respectively co-ops, museums, and the airline industry. Let's take a look and see how they're doing. more»

Splitting the Root: It's Too Late

One of the consistent chants we've always heard from ICANN is that there has to be a single DNS root, so everyone sees the same set of names on the net, a sentiment with which I agree. Unfortunately, I discovered at this week's ICANN meeting that due to ICANN's inaction, it's already too late. Among the topics that ICANN has been grinding away at is Internationalized Domain Names (IDNs) that contain characters outside the traditional English ASCII character set. more»

DMA Requires Email Authentication, Do We Care?

Last week the DMA announced with considerable fanfare that their members should all use e-mail authentication. DMA members send a lot of bulk e-mail, but not much that would be considered spam by any normal metric. (Altria's Gevalia Kaffee is one of the few exceptions.) Their main problem is their legitimate bulk mail, sent in large quantities from fixed sources, getting caught by ISPs spam filters. That happens to be one problem for which path authentication schemes like SPF and Sender ID are useful, since they make it easier to add known fixed source mailers to a recipient ISP's whitelist, and that's just what AOL and probably other big ISPs use it for. While the DMA may be implying that this is a virtuous move, in reality it's something that their members are doing anyway for straightforward business purposes. more»

ICANN Gets the Root Zone, Too

A small but intriguing paragraph in the VeriSign settlement says that ICANN gets to maintain the root zone. I thought they did now, but I guess VRSN does, following advice from ICANN. This has two and a half effects. The most obvious is political -- if ICANN rather than VRSN is distributing the root zone, it removes the symbolic significance of VeriSign's A root server. The second is DNSSEC key management. Until now, the contents of the root zone have been pretty boring, a list of names and IP addresses of name servers. If DNSSEC is deployed in the root, which is not unlikely in the next few months, ICANN rather than VeriSign will hold the crypto keys used to sign the root zone. If a tug of war develops, whoever holds the keys wins, since without the keys, you can't publish a new version of the root with changed or added records unless you publish your own competing set of keys and can persuade people to use them. more»

Verisign Gets .COM Forever, But ICANN Gets a Lobbyist

A press release on the ICANN web site says that ICANN and Verisign have agreed to settle all pending lawsuits, and there’s a new .COM agreement, all tentative but if history is any guide, nothing short of DOC action is going to stop it. The good news is that VeriSign has agreed not to make unilateral changes like Sitefinder. They have to give prior notice to ICANN for any material change in the operation of the registry, and if ICANN has any concerns there’s a lengthy process full of expert panels and Consensus and the like to decide whether they can do it. more»

Oklahoma Man Wins $10 Million Judgment Against a Spammer

On Thursday the 22nd, Robert Braver, an Oklahoma ISP owner who is a long time activist against both spam and junk faxes, received a default judgment of over $10 million against high profile spammer Robert Soloway and his company Newport Internet Marketing. Soloway has frequently been cited as one of the ten largest spammers in the world. more»

Maybe the IETF Won't Publish SPF and Sender-ID as Experimental RFCs After All

Yesterday, the IESG, the group that approves RFCs for publication received an appeal from Julian Mehnle to not to publish the Sender-ID spec as an experimental RFC due to technical defects. IESG members' responses were sympathetic to his concerns, so I'd say that a Sender-ID RFC has hit a roadblock. The problem is simple: Although Sender-ID defines a new record type, called SPF 2.0, it also says that in the absence of a 2.0 record, it uses the older SPF1 record. Since SPF and Sender-ID can use the same records, if you publish an SPF record, you can't tell whether people are using it for SPF or Sender-ID. Ned Freed commented... more»

SPF Loses Mindshare

MAAWG is the Messaging Anti-Abuse Working group. It was started by Openwave, a vendor that sells e-mail hardware and software to large ISPs and originally consisted only of Openwave customers, but has evolved into an active forum in which large ISPs and software vendors exchange notes on anti-spam and other anti-abuse activities. Members now include nearly every large ISP including AOL, Earthlink, Yahoo, Comcast and Verizon is a member, along with ESPs like Doubleclick, Bigfoot, and Checkfree, and vendors like Ciscom, Ironport, Messagelabs, Kelkea/Trend, and Habeas. They've also been quietly active in codifying best practices and working on some small but useful standards like a common abuse reporting format. more»

Abusive Anti-Anti-Spam Scheme a Dreadful Strategy

A new company called Blue Security purports to have an innovative approach to getting rid of spam. I don't think much of it. As I said to an Associated Press reporter: "It's the worst kind of vigilante approach," said John Levine, a board member with the Coalition Against Unsolicited Commercial E-mail. "Deliberate attacks against people's Web sites are illegal." more»

IETF Publishes RFCs on SPF and Sender ID

A recent press release from the Internet Society reports that the IETF will shortly publish specifications of SPF and Sender-ID in the RFC series. What does this mean for the future? ...More than 4000 documents have been published in the RFC series since the first RFC in 1969, relatively few of which have evolved into Internet standards. Each RFC is characterized when published as standards-track, best current practice, informational, experimental, or historical. These four RFCs, three describing Sender ID and one describing SPF, are all experimental. more»

We Hate Spam Except, Of Course, When It's Inconvenient to Do So

Paul Graham is a smart guy who popularized naive Bayesian spam filtering in 2002 with A Plan for Spam and has organized a series of informal spam conferences at MIT. Earlier this month he was shocked and horrified to discover that his web site, hosted at Yahoo where he used to work, had appeared on the widely used Spamhaus blacklist... more»

Canada Finishes its Spam Task Force, Result is Pretty Good

Industry Canada, the part of the Canadian government roughly equivalent to the U.S. Commerce Department, has had a task force on spam working for the past year or so. I was invited to participate as an unofficial member, since I'm not a Canadian. Yesterday, it wrapped up its work and published its report (aussi disponsible en francais) to the government. It's quite good, and has a set of 22 recommendations. more»

Phish-Proofing URLs in Email?

For those who've been living in an e-mail free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I'd better confirm my account info pronto. ...Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of links in it are to its own domain, e.g., if the sender is bigbank.com, all of the links have to be to bigbank.com or maybe www.bigbank.com. Current path authentication schemes don't handle this, but it wouldn't be too hard to retrofit into SPF. ...So the question is, is it worth the effort to make all of the senders and URLs match up? more»

How to Stop Spam

I got a letter the other day from AOL postmaster Carl Hutzler, about how the Internet community could get rid of spam, if it really wanted to. With his permission, here are some excerpts. "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution)." more»

A Year of CAN SPAM

The CAN SPAM Act of 2003 went into effect a year ago on Jan 1, 2004. As of that date, spam suddenly stopped, e-mail was once again easy and pleasant to use, and Internet users had one less problem to worry about. Oh, that didn't happen? What went wrong? more»

A Political Analysis of SPF and Sender-ID

In my spare time when I'm not dealing with the world of e-mail, I'm a politician so now and then I put on my cynical political hat. At the FTC Authentication Summit one of the more striking disagreements was about the merits and flaws of SPF and Microsoft's Sender-ID. Some people thought they are wonderful and the sooner we all use them the better. Others thought they are deeply flawed and pose a serious risk of long-term damage to the reliability of e-mail. Why this disagreement over what one might naively think would be a technical question? more»

The FTC Authentication Summit

The Federal Trade Commission and NIST had a two-day Authentication Summit on Nov 9-10 in Washington DC. When they published their report explaining their decision not to create a National Do Not Email Registry, the FTC identified lack of e-mail authentication as one of the reasons that it wouldn't work, and the authentication summit was part of their process to get some sort of authentication going. At the time the summit was scheduled, the IETF MARID group was still active and most people expected it to endorse Microsoft's Sender-ID in some form, so the summit would have been mostly about Sender-ID. Since MARID didn't do that, the summit had a broader and more interesting agenda. more»

Putting a Spammer in Jail

The country's first criminal trial about spam ended in Leesburg, Virginia earlier this month with a conviction of Jeremy Jaynes, better known under his nom de spam of Gavin Stubberfield. I was an expert witness for the prosecution, the Commonwealth of Virginia. The case was brought under Virginia's state anti-spam law, not the weaker Federal CAN-SPAM act... more»

An Analysis of Microsoft's MARID Patent Applications

The IETF MARID working group has been slogging away all summer trying to produce a draft standard about e-mail sender verification. They started with Meng Wong's SPF and Microsoft's Caller ID for E-mail, which got stirred together into a hybrid called Sender ID. One of the issues hanging over the MARID process has been Microsoft's Intellectual Property Rights (IPR) in Caller ID and Sender ID. The IETF has a process described in RFC 3668 that requires contributors to disclose IPR claims related to their contributions. more»

Spam and the Introduction Problem

IBM researcher Nathaniel Borenstein has commented that everyone agrees that spam is bad, and that's a huge impediment to doing anything about it. Having decided that spam is bad, it's tempting to divide the spam problem into smaller problems and try to solve the smaller problems, then put the solutions to the subproblems together and, voila, no more spam. That would be fine if the combined subproblems were truly equivalent to the spam problem, but that's rarely the case. more»

What the ITU WSIS Spam Meeting Accomplished

The first week in July I went to an acronym-heavy World Symposium on the Internet Society Thematic Meeting on spam in Geneva. A few people have reported this as a meeting by "the UN", which it wasn't. Although the International Telecommunications Union is now part of the UN, it dates back to an 1865 treaty to manage international telegraph communication... more»

Email Address Forgery

In my roles as postmaster at CAUCE (the Coalition Against Unsolicited Commercial E-mail) and abuse.net, I get a lot of baffled and outraged mail from people who have discovered that someone is sending out spam, often pornographic spam, with their return address on the From: line. "How can they do that? How do I make them stop?'' The short answers are "easily'' and "it's nearly impossible.'' more»