John Levine

John Levine

Author, Consultant & Speaker
Joined on June 14, 2004
Total Post Views: 1,624,094

About

John R. Levine writes, speaks, and consults on the Internet, electronic mail, and related topics. He speaks to many trade, policy, and general groups. He's testified at the Federal Trade Commission Spam Forum on the mechanics of spam, and to the Senate Commerce Committee on spyware. He's spoken at the Internet Law and Policy Forum and at many conferences. He's written many books on the Internet and other computer topics. His books range from the best-selling Internet for Dummies, with over seven million copies of nine editions in print in dozens of languages, the new Fighting Spam for Dummies, and Windows XP: the Complete Reference to books on computer language tools and graphics programming.

Except where otherwise noted, all postings by John Levine on CircleID are licensed under a Creative Commons License.

Featured Blogs

Dealing With DMARC

DMARC is an anti-phishing scheme that was repurposed in April to try to deal with the fallout from security breaches at AOL and Yahoo. A side effect of AOL and Yahoo's actions is that a variety of bad things happen to mail that has 'From:' addresses at aol.com or yahoo.com, but wasn't sent from AOL or Yahoo's own mail systems. If the mail is phish or spam, that's good, but when it's mailing lists or a newspaper's mail-an-article, it's no so good. more»

Why Do We Accept $10 Security on $1,000,000 Data?

Last week we heard of yet another egregious security breach at an online provider, as crooks made off with the names, address, and birth dates of eBay users, along with encrypted passwords. They suggest you change your password, which is likely a good idea, and you better also change every other place you used the same password. But that's not much help since you can't change your name, address, and birth date, which are ever so handy for phishing and identity theft. more»

AOL Has a Security Hole, and It's Our Problem

Two weeks ago I wrote about Yahoo's unfortunate mail security actions. Now it's AOL's turn, and the story, as best as I can piece it together, is not pretty. Yahoo used an emerging system called DMARC, which was intended to fight phishing of often forged domains like paypal.com. A domain owner can publish a DMARC "reject" policy which, oversimplifying a little, tells the world that if mail with their name on the 'From:' line didn't come from their servers, it's not from them so you should reject it. more»

Open Source Software Is the Worst Kind Except for All of the Others

Heartbleed, for anyone who doesn't read the papers, is a serious bug in the popular OpenSSL security library. Its effects are particularly bad, because OpenSSL is so popular, used to implement the secure bit of https: secure web sites on many of the most popular web servers such as apache, nginx, and lighttpd. A few people have suggested that the problem is that OpenSSL is open source, and code this important should be left to trained professionals. They're wrong. more»

Yahoo Addresses a Security Problem by Breaking Every Mailing List in the World

DMARC is what one might call an emerging e-mail security scheme. It's emerging pretty fast, since many of the largest mail systems in the world have already implemented it, including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo. DMARC lets a domain owner make assertions about mail that has their domain in the address on the 'From:' line. It lets the owner assert that mail will have a DKIM signature with the same domain, or an envelope return (bounce) address in the same domain that will pass SPF validation. more»

New TLD Update

Here's a chart showing the ten largest new Top-Level Domains (TLDs) and the number of domains in each one, going back five days. It's updated every day around 3 AM New York time, so visit early and often. Data is from downloaded TLD zone files. Some new TLDs don't have zone files available yet but I don't think any of them are very big. more»

How Are ICANN's New TLDs Doing?

ICANN has now accepted several hundred new top level domains (TLDs) and some of them are now open for general registration. I have sized up for zone file access, so I can download daily snapshots of most of the active zones, and I'm making daily counts of the number of names in each zone. more»

The Name Collision Conference

Earlier this week Verisign sponsored a two day conference on name collisions in the DNS. Despite the very short time frame in which it was organized, only a month from announcement to meeting, there were some very good presentations. I'll just hit some highlights here; all of the papers and slides are on their web site at namecollisions.net. Sunday morning started with a keynote by Bruce Schneier, who is not a DNS expert (and doesn't claim to be) but had some interesting observations on names in general. more»

Fine Grained Mail Filtering With IPv6

One of the hottest topics in the email biz these days (insofar as any topic is hot) is how we will deal with mail on IPv6 networks. On existing IPv4 networks, one of the most effective anti-spam techniques is DNSBLs, blackists (or blocklists) that list IP addresses that send only or mostly spam, or whose owners have stated that they shouldn't be sending mail at all. DNSBLs are among the cheapest of anti-spam techniques since they can be applied to incoming mail connections without having to receive or filter spam. more»

The Naive Arrogance of FUSSPs

Everyone who's been in the e-mail biz long enough knows the term FUSSP, Final Ultimate Solution to the Spam Problem, as described in a checklist from Vern Schryver and a form response that's been floating around the net for a decade. FUSSPs fall into two general categories, bad ideas that won't go away, and reasonable ideas that are oversold. more»

An Internet Governance Update

A lot of people (including me) are pretty upset at revelations of the breadth and scale of NSA spying on the Internet, which has created a great deal of ill will toward the US government? Will this be a turning point in Internet Governance? No, smoke will continue to be blown and nothing will happen. Governments are not monolithic. What people call Internet governance is mostly at the DNS application level, and perhaps the IP address allocation. more»

Wow. That's a Lot of Reserved Names

ICANN recently updated the list of reserved second level domain names. Those are names that you won't be able to register in any of the 1500 or so new domains they're planning to add. There's rather a lot of them, currently 629. The names are in three groups, the ICRC (the Red Cross), the IOC (the Olympic games) and everyone else. Several years ago the Red Cross and later the Olympics came to ICANN and insisted that they make a special list of forbidden names, separate from the various trademark registries. more»

How Not to Stop Spammers

Spam Arrest is a company that sells an anti-spam service. They attempted to sue some spammers and, as has been widely reported, lost badly. This case emphasizes three points that litigious antispammers seem not to grasp: Under CAN SPAM, a lot of spam is legal; Judges hate plaintiffs who try to be too clever, and hate sloppy preparation even more; Never, ever, file a spam suit in Seattle. more»

Plumbing Neutrality

I've been having arguments about Network Neutrality with a lawyer. My position is that you can't adequately regulate ISPs to be neutral, because there's no agreement what "neutral" means in practice. He points out that the courts aren't interested in technical details like what packets are dropped, it's that all traffic has to be treated the same, and ISPs should just figure out how to do that. So I contemplated a city with Plumbing Neutrality with the simple rule that all people must be treated the same... more»

What's Up With WEIRDS?

The IETF WEIRDS working group is defining a follow-on to WHOIS. Since this is the IETF, it's working on the technical issues about which it can deal with, not policy which is up to ICANN and the country registries. Somewhat to my surprise, the group is making steady progress. We've agreed that the basic model is RESTful, with queries via http, and responses as JSON data structures. The protocol is named RDAP for Registration Data Access Protocol, or maybe RESTful Data Access protocol. more»

Four New Generic Top Level Domains

At its meeting in Durban, ICANN signed contracts with the applicants for four new top level domains. The new domains are شبكة, which means "web" in Arabic, онлайн and сайт, which mean "online" and "site" in Russian, and 游戏, which means "game" in Chinese. They should give us an interesting hint about the future of the new TLDs, because all four are utterly, totally, generic. more»

Google Books Case Part 4,523: Decide Fair Use First

The endless lawsuit by the Authors Guild (which purports to represent authors, no longer including me), against Google moved another small step toward completion today. The Guild is just sure that Google's book scanning project means that end of civilization as we, or at least they, know it. Their arguments run from the somewhat plausible, that the scans are in violation of copyright, to the just plain goofy, that the scan data is so amazingly valuable yet vulnerable that Google must destroy it before someone steals it. more»

CAN SPAM Issues in Zoobuh V. Better Broadcasting

Last week a Utah court issued a default judgement under CAN SPAM in Zoobuh vs. Better Broadcasting et al. I think the court's opinion is pretty good, even though some observers such as very perceptive Venkat Balasubramani have reservations. The main issues were whether Zoobuh had standing to sue, whether the defendants domain names were obtained fraudulently, and whether the opt-out notice in the spam was adequate. more»

Liberty Reserve Now, Bitcoin Next?

The papers have been abuzz with the shutdown of Liberty Reserve, an online payments system, due to accusations of large scale money laundering via anonymous transactions. Many people have noted similarities between LR and Bitcoin and wonder whether Bitcoin is next. I doubt it, because with Bitcoin, nothing is anonymous. more»

ICANN Announces Blocking Usage Review Panel

Culminating a year-long policy development process, ICANN today launched its new Blocking Usage Review Panel (BURP). The BURP provides long-needed oversight over services that block Internet traffic. "While everyone understands that national laws such as the U.S. CAN SPAM define what traffic is or is not elegible to block, legal processes can be slow and cumbersome," said a spokeswoman. "Since the Internet is global and traffic often traverses multiple countries, the array of different laws cause uncertainty." more»

Verisign Doesn't Think the Net Is Ready for a Thousand New TLDs

Yesterday Verisign sent ICANN a most interesting white paper called New gTLD Security and Stability Considerations. They also filed a copy with the SEC as an 8-K, a document that their stockholders should know about, It's worth reading the whole thing, but in short, their well-supported opinion is that the net isn't ready for all the new TLDs, and even if they were, ICANN's processes or lack thereof will cause other huge problems. more»

The Incredible Leakyness of Commercial Mailers (Cont'd)

Last week I blogged about the way that lots of otherwise legitimate companies leak e-mail addresses to spammers. Here's a few more thoughts. One person asked how I knew that these were leaks, and not dictionary attacks, since the addresses I use are fairly obvious, the name of an often well known company @ my domain. It's a reasonable question, but the answer is simple... more»

The Incredible Leakyness of Commercial Mailers

Acronis is a company that sells backup software. They have been around for over a decade, and have lots of big respectable customers. The Wall Street Journal is the nation's leading business newspaper. Equifax is one of the big three national credit bureaus. Shelfari is a book interest web site owned by Amazon. The Economist is a globally influential newsweekly. Airliners.net is a popular photosharing site for airplane enthusiasts. What do they have in common? more»

Making Multi-Language Mail Work (Part 3)

In the previous installments we looked at software changes in mail servers, and in the software that lets user mail programs pick up mail. What has to change in the user mail programs? ... The first and most obvious is that users have to be able to enter the addresses. more»

Verisign Dodges a Bullet, Gets to Keep .COM Pricing

According to a filing with the SEC, the Department of Commerce renewed the .COM agreement for six more years. The renewal was held up until the last minute (the old agreement expired yesterday) due to antitrust concerns, specifically about pricing. The main change in the new agreement is that Verisign is no longer allowed to increase the price above the existing $7.85... more»

Making Multi-Language Mail Work (Part 2)

In the previous instalment we looked at the software changes needed for mail servers to handle internationalized mail, generally abbreviated as EAI. When a message arrives, whether ASCII or EAI, mail servers generally drop it into a mailbox and let the user pick it up. The usual ways for mail programs to pick up mail are POP3 and IMAP4. more»

Making Multi-Language Mail Work (Part 1)

Mail software consists of a large number of cooperating pieces, described in RFC 5598. A user composes a message with a Mail User Agent (MUA), which passes it to a Mail Submission Agent (MSA), which in turn usually passes it to a sequence of Mail Transfer Agents (MTAs), which eventually hand it to a Mail Delivery Agent (MDA) to place it in the user's mail store. If the recipient user doesn't read mail on the same computer with the mail store (as is usually the case these days) POP or IMAP transfers the mail to the recipient's MUA. more»

A Copycat Canadian Privacy Suit Against Gmail

In July, several people filed attempted class action suits against Google, on the peculiar theory that Gmail was spying on its own users' mail. One of the suits was in Federal court, the other two in California state court, but the complaints were nearly identical so we assume that they're coordinated.Now we have a similar suit filed in provincial court in British Columbia, Canada. more»

Unclear on the Concept, Sanctions Edition

United Against Nuclear Iran (UANI) is an advocacy group that, among other things, tries to isolate Iran by pressuring businesses and organizations to stop doing business with Iran. This week they turned their attention to ICANN and RIPE to try to cut off Internet access to Iranian organizations. Regardless of one's opinion about the wisdom of isolating Iran (and opinions are far from uniform), this effort was a bad idea in an impressive number of both technical and political ways. more»

Silly Bing

Bing is Microsoft's newish search engine, whose name I am reliably informed stands for Bing Is Not Google. A couple of months ago, as an experiment, I put up a one page link farm at wild.web.sp.am. As should be apparent after about three seconds of clicking on the links there, each page has links to 12 other pages, with the page's host name made of three names, like http://aaron.louise.celia.web.sp.am. The pages are generated by a small perl script and a database of a thousand first names. more»

ICANN's New TLDs: Of Course There Will Be an Auction - Part 2

A few days ago I opined that if several people want the same Top-Level Domain (TLD) and can't come to terms otherwise, they should arrange a private auction. It would be an odd sort of auction, since the buyers and sellers are the same people, so unlike normal auctions, the goal is not to maximize the selling price. How might it work? more»

ICANN's New TLDs: Of Course There Will Be an Auction - Part 1

The process for ICANN's new TLDs says that if there are several equally qualified applicants for a TLD, and they can't agree which one gets it, ICANN will hold an auction to decide. Recently some people have suggested that the applicants could use a private auction instead. Well, of course. In a situation like this, the question isn't whether there will be an auction, but only who will keep the money. more»

On Search Neutrality

In recent months there's been a robust and apparently well-funded debate about the legal status of search engine results, in particular Google's search results. On Tuesday, Tim Wu, a well-known law professor at Columbia weighed in with an op-ed in the New York Times, arguing that it's silly to claim that computer software has free speech rights. Back in April, equally famous UCLA professor Eugene Volokh published a paper, funded by Google, that came to the opposite conclusion... more»

Wow, That's a Lot of Applications

ICANN unveiled all the applications for new top level domains today, all 1,930 of them. Most of them were fairly predictable, big companies applying for their own names like .IBM, .DUPONT, .AUDI, and .HSBC. The most applications for the same name were 13 for .APP, 11 for .INC and .HOME, 10 for .ART, 9 for .SHOP, .LLC, .BOOK, and .BLOG. None of those claim community support so they'll have to slug it out in the contention process. more»

Running DNSBLs in an IPv6 World

DNS blacklists for IPv4 addresses are now nearly 15 years old, and DNSBL operators have gathered a great deal of expertise running them. Over the next decade or two mail will probably move to IPv6. How will running IPv6 DNSBLs differ from IPv4? There aren't any significant IPv6 DNSBLs yet since there isn't significant unwanted IPv6 mail traffic yet (or significant wanted traffic, for that matter), but we can make some extrapolations from the IPv4 experience. more»

IPv6 DNS Blacklists Reconsidered

I opined about a year ago that DNS blacklists wouldn't work for mail that runs over IPv6 rather than IPv4. The reason is that IPv6 has such a huge range of addresses that spammers can easily send every message from a unique IP address, which means that recipient systems will fire off a unique set of DNSBL queries for every message... Now I'm much less sure this will be a problem... more»

How Spam Has Damaged Mail Forwarding - And Ways to Get Around It

Courtesy forwards have been a standard feature of e-mail systems about as long as there have been e-mail systems. A user moves or changes jobs or something, and rather than just closing the account, the mail system forwards all the mail to the user's new address. Or a user with multiple addresses forwards them all to one place to be able to read all the mail together. Since forwarding is very cheap, it's quite common for forwards to persist for many years. Unfortunately, forwarding is yet another thing that spam has screwed up. more»

Phish or Fair?

It shouldn't be a big surprise to hear that phishing is a big problem for banks. Criminals send email pretending to be a bank, and set up web sites that look a lot like a bank. One reason that phishing is possible is that e-mail has no built in security, so that if a mail message comes in purporting to be from, say, accounts@bankofamerica.com, there's no easy way to tell whether the message is really from bankofamerica.com, or from a crook. more»

World Notices That Verisign Said Three Months Ago That They Had a Security Breach Two Years Ago

The trade press is abuzz today with reports about a security breach at Verisign. While a security breach at the company that runs .COM, .NET, and does the mechanical parts of managing the DNS root is interesting, this shouldn't be news, at least, not now. Since Verisign is a public company, they file a financial report called a 10-Q with the SEC every quarter. According to the SEC's web site, Verisign filed their 10-Q for June through September 2011 on October 28th. more»

The State of Mail Database Marketing

My mail server has a lot of spamtraps. They come from various sources, but one of the most prolific is bad addresses in personal domains. Several of my users have their own domains, such as my own johnlevine.com, in which they use a handful of addresses. Those addresses tend either to be people's first names, for individual mailboxes, or else the names of companies. If I did business with Verizon (which I do not) I might give them an address like verizon@johnlevine.com. All those domains get mail to lots of other addresses, which is 100% spam. more»

Filtering Spam at the Transport Level

An interesting new paper from the Naval Postgraduate School describes what appears to be an interesting new twist on spam filtering, looking at the characteristics of the TCP session through which the mail is delivered. They observe that bots typically live on cable or DSL connections with slow congested upstreams. ... This paper tries to see whether it would be practical to use that info to manage spam in real time. more»

Greylisting Still Works - Part II

In my last post I blogged about greylisting, a well-known anti-spam technique for rejecting spam sent by botnets. When a mail server receives a an attempt to deliver mail from an IP address that's never sent mail before, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail senders always retry, badly written spamware often doesn't. I found that even though everyone knows about greylisting, about 2/3 of IPs don't successfully retry. more»

Greylisting Still Works - Part I

Greylisting is a hoary technique for rejecting spam sent by botnets and other poorly written spamware. When a mail server receives an attempt to deliver mail from a hitherto unseen sending host IP address, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail software does try again, at which point you note that the host knows how to retry and you don't greylist mail from that IP again. more»

The Mainsleaze Blog

Mainsleaze is nerdy slang for spam sent by large, well-known, otherwise reputable organizations. Although the volume of mainsleaze is dwarfed by the volume of spam for fake drugs, account phishes, and Nigerian 419 fraud, it causes work for mail managers far out of proportion to its volume... The problem with mainsleaze is that it is generally mixed in with mail that the recipients asked for, and there's no way to tell the difference mechanically. more»

The Design of the Domain Name System, Part VIII - Names Outside the DNS

In previous installments we've been looking at aspects of the design of the DNS. In today's grand finale we look at the the subtle but very knotty issue of names inside and outside the DNS. In the early years of the DNS, domain names were typically resolved to A records which were used to identify a host running a service. With the notable exception of e-mail, once the host was identified, the name no longer mattered. more»

The Design of the Domain Name System, Part VII - Related Names Are Not Related

In previous installments we've been looking at aspects of the design of the DNS. Today we look at the relationship of similar names in the DNS. A poorly appreciated aspect of the DNS is that there is no inherent relationship between similar looking names. more»

The Design of the Domain Name System, Part VI - Overloaded Record Types

In the five previous exciting installments, we've been looking at aspects of the design of the DNS. Today we look at records types, and how you can tell what a DNS record means. All the records in the DNS are strongly typed. Each record includes an RRTYPE, a small number, which defines both the format of the record and what the record means. It is possible and common to have different record types with the same format, but different meanings. more»

The Design of the Domain Name System, Part V - Large Data

In the previous four installments, we've been looking at aspects of the design of the DNS. Today we look at the amount of data one can ask the DNS to store and to serve to clients. Most DNS queries are made via UDP, a single packet for query and a single packet for the response, with the packet size traditionally limited to 512 bytes. This limits the payload of the returned records in a response packet to about 400 bytes... more»

The Design of the Domain Name System, Part IV - Global Consistency

In the previous installments, we've been looking at aspects of the design of the DNS. Many databases go to great effort to present a globally consistent view of the data they control, since the alternative is to lose credit card charges and double-book airline seats. The DNS has never tried to do that. The data is roughly consistent, but not perfectly so. more»

The Design of the Domain Name System, Part III - Name Structure and Delegation

In the previous installments, we looked at the overall design of the DNS and the way DNS name matching works. The DNS gains considerable administrative flexibility from its delegation structure. Each zone cut, the place in the DNS name tree where one set of DNS servers hands off to another, offers the option to delegate the administration of a part of the DNS at the delegation point. more»

The Design of the Domain Name System, Part II - Exact and Approximate Name Matching

In the previous installment, we looked at the overall design of the DNS. Today we'll look at the ways it does and does not allow clients to look up data by name. The most important limitation of the DNS, compared to other databases, is that it only does exact match lookups. That is, with a few minor exceptions, the name in the query has to match the name of the desired records exactly. more»

The Design of the Domain Name System, Part I

Over the past 30 years the Domain Name System has become an integral part of the operation of the Internet. Due to its ubiquity and good performance, many new applications over the years have used the DNS to publish information. But as the DNS and its applications have grown farther from its original use in publishing information about Internet hosts, questions have arisen about what applications are appropriate for publication in the DNS, and how one should design an application to work well with the DNS. more»

Email in the World's Languages - Part III

In our last instalments we discussed the various ways to encode non-ASCII character sets, of which UTF-8 is the winner, and some complex approaches that tried to make UTF-8 mail backward compatible with ASCII mail. After years of experiments, the perhaps surprising consensus is that if you're going to do international mail, you just do it. more»

Email in the World's Languages - Part II

In our last installment we discussed MIME, Unicode and UTF-8, and IDNA, three things that have brought the Internet and e-mail out of the ASCII and English only era and closer to fully handling all languages. Today we'll look at the surprisingly difficult problems involved in fixing the last bit, internationalized e-mail addresses. more»

Email in the World's Languages - Part I

Back when the Internet was young end servers came with shovels (for the coal), everyone on the net spoke English, and all the e-mail was in English. To represent text in a computer, each character needs to have a numeric code. The most common code set was (and is) ASCII, which is basically the codes used by the cheap, reliable Teletype printing terminals everyone used as their computer consoles. ASCII is a seven bit character code, code values 0 through 127, and it includes upper and lower case letters and a reasonable selection of punctuation adequate for written English. more»

The New gTLD Chess Game

On June 20th, the ICANN board voted to move ahead with the new generic Top-Level Domains (gTLDs) program, intended to add hundreds, if not thousands of new names to the DNS root. Now what? Not even the most enthusiastic ICANN supporters think that any new TLDs will be added before the end of 2012, but there are other things going on that greatly complicate the outlook. more»

The gTLD Boondoggle

I've been watching at the excitement build in the domain community, where a lot of people seem to believe that at next month's Singapore meeting, by golly, this time ICANN will really truly open the floodgates and start adding lots of new Top-Level Domains (TLDs). I have my doubts, because there's still significant issues with the Governmental Advisory Committee (GAC) and the US Government and ICANN hasn't yet grasped the fact that governments do not defer to NGOs, but let's back up a little and ask is this a good idea. more»

IP Addresses as Money

It's no secret that the supply of IPv4 addresses, on which the Internet has been based since the dawn of digital time, is rapidly running out. The official replacement is much larger IPv6 addresses, but I can report from experience that the task of switching is not trivial, and for a long time there will be a lot of the net that's only on IPv4. So once the initial supply of IPv4 addresses run out, and the only way to get some is to buy them from someone else, what will the market be like? more»

What Next for Email Service Providers?

It's been a very bad month for ESPs, companies that handle bulk mailings for their clients. Several of them have had internal security breaches, leaking client information, client mailing lists, or both. Many have also seen clients compromised, with the compromised credentials used to send spam. The sequence of events suggests all the ESPs whose clients were compromised were themselves compromised first. (That's how the crooks knew who to attack.) more»

ICANN Approves .XXX Again

At Friday's board meeting, ICANN once again narrowly approved the contentious .XXX domain intended for pornography. What this vote primarily shows is that ICANN's processes have been broken for a long time, and aren't getting fixed. Two board members made thoughtful and eloquent statements before the vote outlining the reasons they were about to vote for or against the domain. more»

A Politically Incorrect Guide to IPv6

Unless you've been living under a rock, you've doubtless seen reports that the supply of IPv4 addresses is running out. Earlier this month IANA, the master allocation authority, handed out the last so-called /8, a large chunk of 16 million addresses, to one of the regional address registries... Then what? The conventional wisdom is that everyone needs to support IPv6, a mostly compatible upgrade to IPv4 with much larger addresses, by the time the v4 space runs out. But I'm not so sure, particularly for e-mail. more»

Domains and the Freedom to Speak

For a very long time, predating the birth of ICANN, there's been a running battle about what should be required when one registers domain names. To oversimplify quite a lot, one side sees domain names as an essential component of free speech, so anyone should be able to register any domain without limit, the other notes that they're primarily used for commercial purposes and they enable quite a lot of mischief, so the more control, the better. more»

Do-Not-Track: Still Not a Great Idea

Back in August, FTC chair Jon Leibowitz suggested an Internet do-not-track registry, analogous to the telephone do-not-call registry. At the time, I thought it wasn't a good idea for both technical and non-technical reasons. This week, the FTC published an online privacy report recommending the same thing, and Rep. Ed Markey promises to offer a bill next year to mandate do-not-track for children. With all this interest, might it be a good idea now? Maybe. more»

Why DNS Blacklists Don't Work for IPv6 Networks

All effective spam filters use DNS blacklists or blocklists, known as DNSBLs. They provide an efficient way to publish sets of IP addresses from which the publisher recommends that mail systems not accept mail. A well run DNSBL can be very effective; the Spamhaus lists typically catch upwards of 80% of incoming spam with a very low error rate. DNSBLs take advantage of the existing DNS infrastructure to do fast, efficient lookups. A DNS lookup typically goes through three computers... more»

Yet Another Unfortunate CAN SPAM Case

The case Melaleuca v. Hansen has been moving slowly through Idaho federal court since 2007. On Sept 30 the court decided in favor of the defendants. Although the outcome is probably correct, the court's decision perpetuates the misreading of CAN SPAM from the infamous Gordon case that makes it in practice impossible to win a CAN SPAM case in the 9th Circuit. more»

How Not to Get Your Mail Delivered

A small company in suburban Philadelphia called Holomaxx recently filed two lawsuits against large webmail providers, complaining that they weren't delivering mail from Holomaxx. The first suit is against Microsoft and Return Path, and the second suit is against Yahoo and Cisco/Ironport. Neither is going anywhere. more»

A Tempest in a Libyan Teapot

The .LY domain is Libya, and their government recently cancelled the registration of the short and snappy VB.LY, provoking great gnashing of teeth. If you direct your attention to the address bar above this page, you'll note that it's at JL.LY, equally short and snappy. The .LY registry started allowing two letter second-level domains last year, and there was a quiet land rush. Now they restrict those domains to people actually in Libya, but say they'll let us keep the ones we have. How concerned am I that they'll take my domain away, too? more»

The Spamhaus Whitelist

For several months I have been working with the Spamhaus project on a whitelist, which we announced to the public this week. While this is hardly the first mail whitelist, our goals are somewhat different from other whitelists. Think of e-mail as ranging from inky black to pearly white... more»

ARF is Now an IETF Standard

When a user of a large mail system such as AOL, Yahoo, or Hotmail reports a message as junk or spam, one of the things the system does is to look at the source of the message and see if the source is one that has a feedback loop (FBL) agreement with the mail system. If so, it sends a copy of the message back to the source, so they can take appropriate action, for some version of appropriate. For several years, ARF, Abuse Reporting Format, has been the de-facto standard form that large mail systems use to exchange FBL reports about user mail complaints. more»

Google and Verizon Offer a Gift to Spammers

Earlier today, Google and Verizon offered a widely publicized "Proposal for an Open Internet." There's been extensive comment with lots of reasons not to like it, but one I haven't seen is that the proposal would make it much harder to filter so-called "mainsleaze" spam. ... The problem is that under the pitifully weak CAN-SPAM law, a lot of spam is entirely legal. more»

Even if Do-Not-Track Were a Good Idea, Could It Ever Work?

In a recent article, I read about increasingly intrusive tracking of online users, which has lead to a proposal at the FTC, "FTC Chairman Jon Leibowitz said the system would be similar to the Do-Not-Call registry that enables consumers to shield their phone numbers from telemarketers." Maybe I'm dense, but even if this weren't a fundamentally bad idea for policy reasons, I don't see how it could work. more»

Does the First Amendment Forbid Spam Filtering?

A friend of mine wrote to ask: "The Supreme Court overturned the Jaynes conviction on First Amendment grounds, yes? I'm wondering what that could mean from the spam filtering perspective." Spam filters, and in particular DNS blacklists are intended to prevent e-mail from being delivered. Doesn't the First Amendment make it illegal to block speech? The short answer is no, but of course it's slightly more complicated than that in practice. more»

The .XXX Fiasco is Almost Over

At Friday's meeting of the ICANN board in Brussels, they voted, probably for the last time, to approve the 2004 application for the .XXX domain. Purely on the merits, there is of course no need for a top level domain for porn. This isn't about the merits, this is about whether ICANN follows its own rules. Despite overheated press reports, .XXX will not make porn any more available online than it already is (how could it?), there is no chance of all porn being forced into .XXX (that's a non-starter under US law), and .XXX will have no effect on the net other than perhaps being a place to put legal but socially marginal porn far away from any accidental visitors. more»

VeriSign Leaves the Security Certificate Business

Earlier this week in a press release, VeriSign said that they are selling their SSL certificate business to Symantec. VeriSign is the dominant player in this market, having absorbed competitor Thawte in 1999, and Geotrust in 2006. Three years ago, when VeriSign decided to divest its non-core businesses, they kept the certificate business. So what's changed? more»

The Real Issue About ICANN and .XXX

Way back in 2004, ICANN invited applications for a round of new TLDs. They got quite a few. Some were uncontroversial, such as .JOBS for the HR industry. Some were uncontroversial but took a long time, such as .POST which took five years of negotiation, entirely due to the legal peculiarities of the registry being part of the UN. But one was really controversial, .XXX. By 2005, the applicant, ICM registry, had satisfied all the criteria that ICANN set out in the 2004 round to get .XXX approved, and ICANN has been stalling them ever since... more»

Why Aren't There More Spam Lawsuits?

The CAN SPAM act has been in place for five and a half years. Compatible state laws have been in place nearly as long. Anti-spam laws in the EU, Australia, and New Zealand were enacted years ago. But the number of significant anti-spam lawsuits is so small that individual bloggers can easily keep track of them. Considering that several billion spams a day are sent to people's inboxes, where are all the anti-spam lawsuits? more»

More on Portable Email Addresses

Last month a bill in the Israeli Knesset would have required ISPs to provide portable e-mail addresses, analogous to portable phone numbers that one can take from one phone company to the other. As I noted at the time, e-mail works differently from telephone calls, and portability would be difficult, expensive, and unreliable. So I was wondering, idly, if we really wanted to provide portable e-mail addresses, how hard would it be? more»

Another Spam Case Lost in Washington, or Gordon Strikes Again

Bennett Haselton, who runs the Peacefire anti-censorship site, is one of the more successful anti-spam litigants. He says he's filed about 140 suits, mostly in small claims court, and has won the majority of the suits that got far enough to be decided on the merits. But last month, in Federal court in Seattle, he lost a suit against Quicken Loans that he should have won, partly because of his own mistakes, but largely because of the pernicious effect of Gordon vs. Virtumundomore»

Are Portable Email Addresses Possible?

News reports say that the Israeli government is close to passing a law that requires portable e-mail addresses, similar to portable phone numbers. Number portability has been a success, making it much easier to switch from one provider to another, and address portability might ease switching among ISPs. But e-mail is not phone calls. Is it even possible? more»

Google Loses Another Domain Name Dispute

For the benefit of trademark owners, ICANN has something called the UDRP (Uniform Dispute Resolution Process) that allows the owner to file a complaint against an allegedly infringing domain name, to be resolved by one of a small set of arbitrators. About 90% of UDRP cases that proceed to a decision are decided in favor of the complainant; opinions differ as to whether that's because of the merit of the complaints or the institutional bias of the arbitrators. more»

Just Make It Stop

In a recent discussion among mail system managers, we learned that one of the large spam filter providers now has an option to reject all mail from ESPs (e-mail service providers, outsourced bulk mailers) regardless of opt-in, opt-out, spam complaints, or anything else, just block it all. Some of the ESPs wondered what would drive people to do that... more»

US Court Levies $15 Million Fine Against Spammer

Earlier this year, the New Zealand Department of Internal Affairs, the US Federal Trade Commission, and the Australian CMA broke up a large fake drug spam ring known as Herbal Kings, run by New Zealander Lance Atkinson. The NZ government fined him NZ$108,000 (about US$80,000) which, while a substantial fine, seemed pretty small compared to the amount of money he must have made. But today, at the FTC's request a US judge fined Atkinson US$15.5 million, and got his US accomplice Jody Smith to turn over $800,000, including over $500,000 in an Israeli bank. more»

A Thought About Not-Quite-ASCII Top Level Domains

ICANN has opened their new fast track process for "countries and territories that use languages based on scripts other than Latin" to get domain names that identify the country or territory in its own language. It's not clear to me what the policy is supposed to be for countries whose languages use extended Latin with accents and other marks that aren't in the ASCII set. more»

How Do You Do Secure Bank Transactions on the Internet?

Banks love it when their customers do their transactions on line, since it is so much cheaper than when they use a bank-provided ATM, a phone call center, or, perish forbid, a live human teller. Customers like it too, since bank web sites are usually open 24/7, there's no line and no need to find a parking place. Unfortunately, crooks like on line banking too, since it offers the possibility of stealing lots of money. How can banks make their on line transactions more secure? more»

The Tempest in the TLD Teapot

At its recent meeting in Seoul ICANN announced with great fanfare that it's getting ever closer to adding lots of new Top Level Domains (TLDs). Despite all the hype, new TLDs will make little difference... I agree with my old friend Lauren Weinstein that this is a tempest in a very expensive teapot, because all of the purported reasons that people want new TLDs have been proven false, and the one actual reason that a new TLD would be valuable has no public benefit. more»

Helping Banks Fight Phishing and Account Fraud, Whether They Like It or Not

On Wednesday, Project Honey Pot filed an unusual lawsuit against "John Does stealing money from US businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam." Their attorney is Jon Praed of the Internet Law Group, who is one of the most experienced anti-spam lawyers around, with whom I have worked in the past. more»

Are Phishing and Malware Separate Threats?

Phishing is when bad guys try to impersonate a trusted organization, so they can steal your credentials. Typically they'll send you a fake e-mail that appears to be from a bank, with a link to a fake website that also looks like the bank. Malware offers another more insidious way to steal your credentials, by running unwanted code on your computer... I like VeriSign's characterization of this kind of malware as an insecure endpoint, the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it. more»

Why Can't We Make the Internet Secure?

In a discussion about a recent denial of service attack against Twitter, someone asked, "Some class of suppliers must be making money off of the weaknesses. Anybody out there have a prescription for the cure?" Sure, but you're not going to like it. The Internet was originally a walled garden, where its operators knew who all the users were and could eject anyone who misbehaved... more»

How Unconscionable is the Profit That Verisign Makes from Its Registry?

VeriSign makes a great deal of money from the .COM and .NET registries. Can we tell how much they make, and how much that might change if the CFIT lawsuit succeeds? It's not hard to make some estimates from public information. The largest gTLD registry that VeriSign doesn't run is .ORG, which was transferred a few years ago to the Public Internet Registry (PIR) which pays Afilias to run the registry, and uses whatever is left over to support the Internet Society (ISOC)... more»

Three Myths About DKIM

The DKIM standard has been out for two years now, and we're starting to see some adoption by large mail systems, but there's still a lot of misunderstanding about what DKIM does and doesn't do... Any a mail system can add a signatures to the messages it handles, and spammers can sign their mail, too. A DKIM signature contains, stripped down to its basics, the domain of the signer and a checksum of the message. more»

What are TLDs Good For?

Yesterday I said that the original motivations for adding new TLDs were to break VeriSign's monopoly on .COM, and to use domain names as directories. Competitive registrars broke the monopoly more effectively than any new domains, and the new domains that tried to be directories have failed. So what could a new TLD do? more»

Who Needs More TLDs?

ICANN's Sydney meeting has come and gone, with the promised flood of new Top-Level Domains (TLDs) claimed to be ever closer to reality. Does the world need more TLDs? Well, no. Way back in the mid 1990s, it seemed obvious that Internet users would use the DNS as a directory, particularly once early web browsers started to add .COM to words typed in the address bar. This led to the first Internet land rush, with heavy hitters like Procter and Gamble registering diarrhea.com in 1995... more»

Appeals Court Revives the CFIT Anti-Trust Suit Against VeriSign

Back in 2005 an organization called the Coalition for Internet Transparency (CFIT) burst upon the scene at the Vancouver ICANN meeting, and filed an anti-trust suit against VeriSign for their monopoly control of the .COM registry and of the market in expiring .COM domains. They didn't do very well in the trial court, which granted Verisign's motion to dismiss the case. But yesterday the Ninth Circuit reversed the trial court and put the suit back on track. more»

Fight Phishing With Branding

Phishing, stealing personal information by impersonating a trusted organization, is a big problem that's not going away. Most antiphishing techniques to date have attempted to recognize fake e-mail and fake web sites, but this hasn't been particularly effective. A more promising approach is to brand the real mail and real web sites. more»

A "G12" to Oversee ICANN? Not Likely

Viviane Redding, the Information Society and Media Commissioner for the EC posted a video blog this week noting that the JPA between ICANN and the US Department of Commerce ends this September. In it she proposes that ICANN be overseen by a "G-12 for Internet Governance" with 12 geographically balanced government representatives from around the world. That's such a non-starter that I'm baffled that she would even propose it... more»

The Jaynes Case is Finally Over

Last September the Virginia Supreme Court issued a surprise ruling that reversed its previous decision and threw out the state’s anti-spam law on First Amendment grounds. The Commonwealth made a last ditch appeal to the US Supreme Court, which I predicted they’d be unlikely to accept. I guessed right... more»

How Hard Is It to Deploy DKIM?

It's coming up on two years since the DomainKeys Identified Mail (DKIM) standard was published. While we're seeing a certain amount of signed mail from Google, Paypal, and ESPs, there's still a long way to go. How hard is it to sign your mail with DKIM? The major hurdle might seem to be getting mail software that can sign outgoing mail. more»

ICANN Blows $4.6 Million In Stock Market

If you visit the new dashboard on ICANN's web site, you see some nice bar charts, including one rather large negative number of $4,462,000. If you click the little arrow at the top of the Financial Performance chart, a footnote window pops open where the last sentence is: "The large variance to budget is due to investment losses of $4.6 mil." Investment losses? Yup, ICANN's been speculating in the stock market... more»

Who Pays for Email?

An acquaintance wondered why the people who run the systems that receive mail get to make all the rules about what gets delivered. After all, he noted: "The sender pays for bandwidth and agrees to abide by the bandwidth provider's rules." It is useful to think of the Internet as a collection of tubes, all leading from the periphery to the middle, where the middle is approximately "the peering point." The sender has paid for the tubes leading from himself to the middle... more»

US Department of Commerce Doesn't Like ICANN's New Domain Plan

ICANN's authority to manage top level of the DNS comes from a two-year Joint Project Agreement (JPA) signed with the US Department of Commerce in 1997, since extended seven times, most recently until September 2009. Since the DoC can unilaterally cancel the JPA which would put ICANN out of the DNS business, when DoC speaks, ICANN listens. On Thursday, the US DoC sent a scathing letter to ICANN about the proposed plan to sell large numbers of new top-level domains (TLDs). There's a long list of issues... more»

Topic Interests

SecuritySpamEmailPrivacyInternet ProtocolLawIP AddressingCybercrimeDNSDomain NamesRegistry ServicesTop-Level DomainsICANNDNS SecurityRegional RegistriesMultilinguismCensorshipNet NeutralityAccess ProvidersInternet GovernanceWebPolicy & RegulationVoIPTelecomWhoisP2PMalwareCybersquattingCyberattackIPv6BroadbandMobileWirelessEnumDDoS

Recent Comments

Popular Posts

How to Stop Spam

Oklahoma Man Wins $10 Million Judgment Against a Spammer

SPF Loses Mindshare

The Anti-Phishing Consumer Protection Act of 2008

In Bad Taste