• Featured Posts – by John Levine
  • Member Since: Jun 14, 2004
  • Featured Posts: 70

Law, Spam / blogs / May 16, 2008 9:51 AM PST

Wow, Sanford Wallace Owes a Lot of Money

Last September MySpace sued ur-spammers Sanford "Spamford" Wallace and Walt "Pickle Jar" Rines for egregious violations of CAN SPAM. Neither responded, so as was widely reported, earlier this week the court granted a default judgement. Since they sent a lot of spam, the statutory damages came to an enormous $235 million. Even for Spamford, that's a lot of money. ›››

By John Levine | Comments: 0 | Views: 218

Spam / blogs / May 04, 2008 10:44 AM PST

Jeremy Jaynes Gets One More Chance

In 2004 Jaynes became the country's first convicted spam felon under the Virginia anti-spam law. He's been appealing his conviction ever since, most recently losing an appeal to the Virginia Supreme Court by a 4-3 decision in February. As I discussed in more detail at the time, the key questions were a) whether the Virginia law had First Amendment problems and b) whether Jaynes had standing to challenge it. The court answered No to b), thereby avoiding the need to answer a); the dissent answered Yes to both. ›››

By John Levine | Comments: 0 | Views: 769

Spam / blogs / Apr 30, 2008 8:29 AM PST

Colorado Has a New Spam Law

The governor of Colorado recently signed a new anti-spam law [PDF] into effect. Since CAN SPAM draws a tight line around what states can do, this law is mostly interesting for the way that it pushes as firmly against that line as it can. Other observers have already done a legal analysis of the way it's worded to avoid being tossed out as the Oklahoma law was in Mummagraphics, and to make it as easy as possible for suits to meet the falsity or deception limits in CAN SPAM. To me the most interesting part of this law is its one-way fee recovery language... ›››

By John Levine | Comments: 0 | Views: 1032

DNS / blogs / Apr 21, 2008 6:59 AM PST

ICANN GNSO Votes to Kill Domain Tasting

The ICANN Generic Names Supporting Organization has had tasting on its agenda since last fall, with a staff report issued in January, and a proposed anti-tasting policy written in March. On Thursday the 17th, the GNSO put the proposed policy to a vote, and it passed overwhelmingly. Under ICANN rules, the ICANN board has to take up the resolution at its next meeting, and since it was approved by a supermajority, it becomes ICANN policy unless 2/3 of the board votes against it, which in this case is unlikely. ›››

By John Levine | Comments: 1 | Views: 1488

Spam / blogs / Apr 11, 2008 10:40 AM PST

Comcast 1, E360 0

The judge in E360 vs. Comcast filed his order yesterday (read previous postings here and here), and to put it mildly, he agreed with Comcast. It starts: "Plaintiff e360Insight, LLC is a marketer. It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer." ...and from E360's viewpoint, goes downhill from there. ›››

By John Levine | Comments: 0 | Views: 1456

Spam / blogs / Apr 07, 2008 8:00 AM PST

Sender Address Verification: Still a Bad Idea

A lot of spam uses fake return addresses. So back around 2000 it occurred to someone that if there were a way to validate the return addresses in mail, they could reject the stuff with bad return addresses. A straightforward way to do that is a callout, doing a partial mail transaction to see if the putative sender's mail server accepts mail to that address. This approach was popular for a few years, but due to its combination of ineffectiveness and abusiveness, it's now used only by small mail systems whose managers don't know any better. What's wrong with it? ›››

By John Levine | Comments: 2 | Views: 1682

Spam / blogs / Mar 26, 2008 6:17 PM PST

A Third, More Interesting Round in E360 vs. Comcast

In the past week, Comcast filed an answer, denying all of E360's charges, and attached to it a motion to file a most impressive counterclaim. The court granted the motion on Monday so the counterclaim has been filed. At about the same time, E360 filed its response to Comcast's previous motion to dismiss the suit due to its utter lack of legal merit. ›››

By John Levine | Comments: 0 | Views: 1145

Spam / blogs / Mar 20, 2008 7:03 AM PST

More on the Soloway Case

I've now read Soloway's plea agreement. Despite some claims from his lawyers that it's some kind of victory that he only pleaded to three of the 40 charges, with the rest being dismissed, it's clear from the agreement that he indeed did just about everything that the government charged. The government as is usual had several similar charges in each category. ›››

By John Levine | Comments: 1 | Views: 915

Spam / blogs / Mar 15, 2008 8:12 PM PST

Robert Soloway Pleads Guilty

Large scale spammer Robert Soloway, whose criminal trial was scheduled to start in a week and a half, pled guilty to most of the charges against him. The indictment made three categories of charges. Counts 1-10 were mail fraud, due to Soloway delivering his spamware through the mail, and the product egregiously failing to be what he said it was, notably including 30 million addresses purported to be opt-in. Counts 11-17 were wire fraud, sending spam making false claims about the product, support, guarantee... ›››

By John Levine | Comments: 0 | Views: 1504

Spam / blogs / Mar 06, 2008 9:19 AM PST

Comcast Fires Back at E360

Back in January, bulk mailer E360 filed a suit against giant cable ISP Comcast. This week Comcast responded with a withering response... Their memorandum of law wastes no time getting down to business: "Plaintiff is a spammer who refers to itself as a "internet marketing company," and is in the business of sending email solicitations and advertisements to millions of Internet users, including many of Comcast's subscribers." Comcast's analysis is similar to but even stronger than the one I made in January... ›››

By John Levine | Comments: 0 | Views: 2750

DNS, Domain Names, Privacy, Security, Spam, Whois / blogs / Mar 04, 2008 10:06 AM PST

The Anti-Phishing Consumer Protection Act of 2008

Last week Sen. Snowe filed bill S.2661, the Anti-Phishing Consumer Protection Act of 2008, or APCPA. While its goals are laudable, I have my doubts about some of the details. The first substantive section of the bill, Section 3, makes various phishy activities more illegal than they are now in its first two subsections. It makes it specifically illegal to solicit identifying information from a computer under false pretenses, and to use a domain name that is deceptively similar to someone else's brand or name on the web in e-mail or IM to mislead people... ›››

By John Levine | Comments: 17 | Views: 9425

DNS / blogs / Feb 28, 2008 8:33 AM PST

More on the Front Running Class Action Suit

Several people pointed out that although the suit still hasn't appeared in PACER, copies of the complaint are available online, including this one [PDF] at Lextext. Having read it, I'm rather underwhelmed... I do not purport to be a lawyer (nor do I usually play one on the net), but it's hard to see how the facts, which are not in serious dispute, would support any of these charges. ›››

By John Levine | Comments: 1 | Views: 1387

DNS, Domain Names / blogs / Feb 27, 2008 9:49 AM PST

The Front Running Class Action Suit

In a recent press release, Los Angeles law firm Kabateck Brown Kellner says it's filed a class action suit against Network Solutions and ICANN for front running. (If you tuned in late, NetSol admits that if you query a domain name on their web site, they will speculatively register it so that it's only available through NetSol for five days, at their above market price.) This is a very peculiar suit... For one thing, it's hard to see how the total class damages would be large enough to be worth a suit... ›››

By John Levine | Comments: 7 | Views: 2351

DNS, Domain Registries, Top-Level Domains / blogs / Feb 06, 2008 8:50 AM PST

Neustar and Afilias Jump on the No-Tasting Bandwagon

In a message posted to the ICANN GNSO list, Avri Doria forwarded along a most interesting document from Neustar, who runs the .biz domain... Neustar proposes to change their registrar agreement so that each registrar will only get credit for deletions of 10% of their new domains, with a few minor exceptions for tiny registrars and bulk registrations due to one-time mistakes. They say they expect Afilias to propose the same change for .info.  ›››

By John Levine | Comments: 0 | Views: 1354

DNS / blogs / Jan 29, 2008 9:30 AM PST

Domain Tasting to Go Away for Real This Time

At last week's meeting, the ICANN board uncharacteristically did something and voted to make their fee of 20 cents per domain-year nonrefundable. They expect this to stop both domain tasting and NSI's frontrunning, which it certainly will. It's not clear when this change will go into effect, but it might be within a month. ›››

By John Levine | Comments: 25 | Views: 8579

DNS, Spam / blogs / Jan 14, 2008 9:59 AM PST

Ralsky Indicted, CAN-SPAM is Still Useless

Well, I read the indictment (available here from Spamhaus.) It's a long litany of criminal behavior, primarily pump and dump stock fraud of a long list of penny stocks from the US and China. Ralsky is described as the "chief executive officer and overall leader" of the scheme... The thing that strikes me about this indictment is that although it includes a lot of CAN SPAM charges, everything Ralsky and Co. did was already illegal under conventional fraud and computer tampering laws. ›››

By John Levine | Comments: 0 | Views: 1738

Cybersquatting, DNS / blogs / Dec 14, 2007 12:10 PM PST

Defendants Respond to Dell’s Anti-Tasting Suit

The defendants in Dell's domain tasting suit responded last Friday. It looks like a pretty feeble response to me. Their main argument is that they're just the registrar, and deny Dell's claim that the registrants are fakes made up by the registrar. They also argue that they're not infringing, they didn't use the names in question in commerce, they were just acting as helpful search engines, you know, like Google or Yahoo. (The comparison to Google and Yahoo is theirs.) ›››

By John Levine | Comments: 2 | Views: 3462

Cybersquatting, DNS / blogs / Dec 03, 2007 8:10 AM PST

More on Dell’s Anti-Tasting Suit

Dell filed a suit in Florida in early October against a nest of domain tasters in Miami, widely reported in the press last week... The primary defendant is a Miami resident named Juan Vasquez, doing business as several registrars called BelgiumDomains, CapitolDomains, and DomainDoorman, as well as a whole bunch of tiny companies of unknown authenticity... Those registrars have an egregious history of domain churning. I gave a talk on domain tasting at MAAWG in October in which I picked out the registrars who churned the most domains from the May registrar reports, and those three were the worst, each having registered about 500,000 domains, refunded over 10 million... ›››

By John Levine | Comments: 4 | Views: 4166

Security, Spam / blogs / Nov 25, 2007 10:50 AM PST

USA Today: Spam Is Bad

A reasonably well informed article in Thursday's USA Today reminds us that in 2004 Bill Gates said the spam problem would be solved in early 2006, but here at the end of 2007 there's more spam than ever. They go through a laundry list of problems of spambots, new kinds of PDF and MP3 spam, and phishing, and a list of partial or non-solutions including filters, walled gardens, and an odd system called Boxbe, a hybrid of whitelists, challenge/response, and pay for delivery. Oh, and Bill says he never said spam would be solved... ›››

By John Levine | Comments: 0 | Views: 1323

P2P, Security, Spam / blogs / Oct 24, 2007 10:43 AM PST

How Big is the Storm Botnet?

The Storm worm has gotten a lot of press this year, with a lot of the coverage tending toward the apocalyptic. There's no question that it's one of the most successful pieces of malware to date, but just how successful is it? Last weekend, Brandon Enright of UC San Diego gave an informal talk at the Toorcon conference in which he reported on his analysis of the Storm botnet. According to his quite informative slides, Storm has evolved quite a lot over the past year... ›››

By John Levine | Comments: 0 | Views: 2476

Spam / blogs / Oct 21, 2007 1:35 PM PST

Thank Heavens for Class Action Lawyers

If you had an e-mail address any time in the past six years, you've probably gotten spam for something called VigRX for Men, with fairly specific promises that it will make you, ah, manlier. I always wondered how many nitwits could fall for this kind of nonsense. Thanks to a recent class action settlement, we now know that there have been quite a lot of them. A class action suit filed in 2001 in Colorado settled recently, with some quite amazing info in the documents available at http://lemsettlement.com. LEM stands for Leading Edge Marketing, the name used by the defendants for several companies in the US, Canada, and the Bahamas. ›››

By John Levine | Comments: 0 | Views: 2169

Spam / blogs / Sep 11, 2007 11:07 AM PST

Zango Verdict is Good News for Spam Filters and Blacklists

Zango, a company that used to be called 180 solutions, has a long history of making and distributing spyware. (See the Wikipedia article for their sordid history.) Not surprisingly, anti-spyware vendors routinely list Zango's software as what's tactfully called "potentially unwanted". Zango has tried to sue their way out of the doghouse by filing suit against anti-spyware vendors. In a widely reported decision last week, Seattle judge John Coughenour crisply rejected Zango's case, finding that federal law gives Kaspersky complete immunity against Zango's complaint... ›››

By John Levine | Comments: 0 | Views: 2225

DNS, Policy & Regulation, Privacy, Whois / blogs / Sep 03, 2007 7:37 PM PST

More on WHOIS Privacy

Last week I wrote a note on the ICANN WHOIS privacy battle, and why nothing's likely to change any time soon. Like many of my articles, it is mirrored at CircleID, where some of the commenters missed the point. One person noted that info about car registrations, to which I roughly likened WHOIS, is usually available only to law enforcement, and that corporations can often be registered in the name of a proxy, so why can't WHOIS do the same thing? ›››

By John Levine | Comments: 15 | Views: 8442

Spam / blogs / Sep 03, 2007 6:20 PM PST

Spamhaus Appeal: They Win on Substance

The Seventh Circuit has issued its opinion in the continuing saga of E360 Insight vs. the Spamhaus Project. While it is not a complete victory for Spamhaus, they did about as well as anyone could have hoped for under the circumstances. E360 won on the procedural issue, while Spamhaus won on the substance. The procedural issue was whether the default judgement against Spamhaus was properly granted last September. The court session was so odd that the appeals decision quotes several pages of the transcript. ›››

By John Levine | Comments: 4 | Views: 3469

DNS, Policy & Regulation, Privacy, Security, Top-Level Domains, Whois / blogs / Aug 28, 2007 10:20 PM PST

If WHOIS Privacy is a Good Idea, Why is it Going Nowhere?

ICANN has been wrangling about WHOIS privacy for years. Last week, yet another WHOIS working group ended without making any progress. What's the problem? Actually, there are two: one is that WHOIS privacy is not necessarily all it's cracked up to be, and the other is that so far, nothing in the debate has given any of the parties any incentive to come to agreement. The current ICANN rules for WHOIS say, approximately, that each time you register a domain in a gTLD (the domains that ICANN manages), you are supposed to provide contact information... WHOIS data is public, and despite unenforceable rules to the contrary, it is routinely scraped... ›››

By John Levine | Comments: 4 | Views: 5835

Security, Spam / blogs / Aug 20, 2007 8:27 AM PST

Spamford Wallace Gets Sued Yet Again

If there were a lifetime achievement award for losing lawsuits for being annoying, Sanford Wallace would be a shoo-in. Fifteen years ago, his junk faxing was a major impetus for the TCPA, the law outlawing junk faxes. Later in the 1990s, his Cyber Promotions set important legal precedents about spam in cases where he lost to Compuserve and AOL. Two years ago, he lost a suit to the FTC, which sued his Smartbot.net for stuffing spyware onto people's computers. And now, lest anyone think that he's run out of bad ideas, he's back, on the receiving end of a lawsuit from MySpace... ›››

By John Levine | Comments: 0 | Views: 1715

DNS, Domain Names / blogs / Jun 23, 2007 6:11 PM PST

Squeegee Domains

When I was growing up, one of the annoyances of life in New York City was squeegee men. When your car was stopped at a light, these guys would run up, make a few swipes at your windshield with a squeegee, then look menacing until you gave them a tip. It occurs to me that domain "monetizers" are the Internet's squeegee men. If I make a minor typing error entering a domain name, they run up and offer to sell a link to the place I wanted to go (well, they sell the place I wanted to go a click from me, but close enough.) ›››

By John Levine | Comments: 46 | Views: 13588

DNS, Spam, VoIP / blogs / Jun 20, 2007 9:13 PM PST

CAN SPAM Applies Even Within a Single Provider

I recently came across a copy of a ruling in the bizarre case of MySpace vs. theglobe.com. Theglobe.com was the ultimate dot.com bubble company. It started up here in Ithaca, and went public at the peak of dot.com hysteria with one of the greatest one-day price runups ever. Since then they bought and sold a variety of businesses, none of which ever made any money, including the Voiceglo VoIP service which appears to be what the spam was promoting. ›››

By John Levine | Comments: 1 | Views: 1887

DNS / blogs / May 25, 2007 11:15 AM PST

ICANN Says Registerfly Domains Moving to Another Registrar

In an entry in the ICANN blog, Paul Levins says they've arranged to move Registerfly's domains to another registrar. They won't say who the other registrar is beyond "an existing accredited Registrar with a demonstrated record of customer service" which could be just about anyone other than Registerfly. They have "most" of the registrant data. All is to be unveiled next week. In the meantime, read the comments on the blog... ›››

By John Levine | Comments: 3 | Views: 2529

Privacy, Spam / blogs / May 09, 2007 7:02 PM PST

Stop! Don’t Forward That E-mail!

Forwarding e-mail is so easy that it must be legal, right? Not everyone thinks so. Ned Snow at the University of Arkansas recently wrote A Copyright Conundrum: Protecting Email Privacy that argues that forwarding violates the sender's copyright rights, so it's not. The article is quite clever and is (as best I can tell, not being a legal historian) well researched, even if you agree with me that its conclusions are a bunch of codswallop... ›››

By John Levine | Comments: 0 | Views: 1754

Spam, Web Hosting / blogs / Apr 30, 2007 10:26 AM PST

Oklahoma Spammer Fighter Loses Even Worse

Last December I wrote about Mark Mumma, who runs a small web hosting company in Oklahoma City and his battle with Omega World Travel a/k/a cruise.com. Mumma lost his CAN SPAM suit against them in December, but Omega's countersuit for defamation went to trial last week, and I hear that the jury awarded Omega $2.5 million in damages, which Mumma is not likely to be able to pay. This may be painted in some circles as a huge defeat for anti-spam activists, but it's not... ›››

By John Levine | Comments: 8 | Views: 4335

DNS / blogs / Apr 19, 2007 8:27 AM PST

ICANN to RegisterFly: We Really REALLY Mean It This Time

ICANN's web site has a press release saying that they were granted a temporary restraining order on Monday requiring that Registerfly cough up all the info on their registrants, or else.

My assumption all along has been that the reason that Registerfly hasn't provided full info is because they don't have it. ICANN agrees that they got partial data last month, and it's hard to imagine a reason that Registerfly would have given them some of the data but deliberately held back the rest. I guess we'll know soon enough.

By the way, I hear that ICANN plans to implement their registrar escrow policy, the one that's been in the contracts since 2000, pretty soon. ›››

By John Levine | Comments: 2 | Views: 2924

DNS, Domain Names, Multilinguism / blogs / Apr 06, 2007 7:41 PM PST

Splitting the Root: It’s Too Late

One of the consistent chants we've always heard from ICANN is that there has to be a single DNS root, so everyone sees the same set of names on the net, a sentiment with which I agree. Unfortunately, I discovered at this week's ICANN meeting that due to ICANN's inaction, it's already too late. Among the topics that ICANN has been grinding away at is Internationalized Domain Names (IDNs) that contain characters outside the traditional English ASCII character set... ICANN has tied itself with the issue of homographs, different characters that look the same or mean the same thing. Once people noticed that IDNs let you register different names that look the same, the intellectual property crowd that has always had a mysteriously great influence on ICANN went into a tizzy and they went into lengthy discussions on what to do about them... ›››

By John Levine | Comments: 23 | Views: 16725

DNS / blogs / Mar 29, 2007 8:09 AM PST

Registerfly Victims Are Really Stuck Now

Last week I noted here that cutting off collapsed domain Registerfly will leave a huge problem for registrants. ICANN is supposed to have escrowed copies of each registrar's registrant data, but has never got around to setting that up. This means that unless Registerfly can supply the data, there may be no record of the actual owner of their domains. ›››

By John Levine | Comments: 4 | Views: 3346

DNS, Domain Names, Internet Governance, Top-Level Domains / blogs / Mar 06, 2007 10:22 AM PST

Why I left the ICANN At Large Advisory Committee

For about the last two years, I was a member of ICANN's At Large Advisory Committee (ALAC), the group charged with representing the interests of ordinary Internet users within ICANN. In case anyone is wondering, here's why I'm not on the ALAC any more. ICANN has a very narrow mission. They maintain the root zone, the list of top-level domain names in the Internet's domain name system. They coordinate numeric IP addresses, with the real work delegated to five Regional Internet Registries. And they keep track of some simple and uncontroversial technical parameters for Internet routing applications... ›››

By John Levine | Comments: 6 | Views: 7747

Spam / blogs / Dec 28, 2006 12:33 PM PST

Earthquake in Asia, Spam Plummets

An earthquake on Tuesday near Taiwan caused widespread disruption to telephone and Internet networks. The quake affected an area of the sea bottom with a lot of undersea cables that broke, and since there is only a limited number of cable repair ships, it will take at least weeks to fish them up and splice them. ›››

By John Levine | Comments: 5 | Views: 10290

Spam / blogs / Dec 13, 2006 9:22 AM PST

Oklahoma Anti-Spammer Loses Big in Court

In November, Mark Mumma, who runs a little design firm at webguy.com, lost an appeal in the Fourth Federal Circuit. He'd filed suit against cruise.com and their parent Omega World Travel under CAN SPAM and an Oklahoma anti-spam law. Omega countersued for defamation. The court threw out Mumma's case, and allowed part of the defamation case to proceed. At first blush, this looks like a big win for spammers. ›››

By John Levine | Comments: 0 | Views: 2505

Spam / blogs / Nov 17, 2006 10:00 AM PST

Dog Eats Opt-Out Requests, FTC Is Not Impressed

Last week the Federal Trade Commission settled a lawsuit against Yesmail, a large ESP (Email Service Provider). The facts of the case are not in dispute, but their meaning is. Yesmail, like most large ESPs, has absorbed a number of its smaller competitors over the years including a company called @Once. Back in 2004, they screwed up their incoming mail so that a whole lot of bounces and opt-out requests were erroneously filtered out as spam. As a result, thousands of people who'd told @Once to stop sending them mail kept getting mail anyway... ›››

By John Levine | Comments: 0 | Views: 2772

Spam / blogs / Nov 06, 2006 10:53 AM PST

Huge Increase in Spam in October Email

You may have read reports that the total amount of spam is on the decline. Don't believe them. In the month of October, I saw the amount of spam in my traps here roughly double, from about 50,000 per day to 100,000/day now. In conversations with managers at both ISPs and corporate networks, I'm hearing the same thing. ›››

By John Levine | Comments: 10 | Views: 9628

DNS, Domain Names, Law, Top-Level Domains / blogs / Aug 28, 2006 2:53 PM PST

How Much Do You Think a .ORG, .BIZ, or .INFO Domain Costs?

Whatever you think the answer is (typically about ten bucks), the answer is likely to change radically for the worse, based on new contracts that ICANN is planning to approve. On July 28th ICANN posted proposed new contracts for .ORG, .BIZ, and .INFO, for a public comment period that ends four days from now, on the 28th. There's a lot not to like about these proposed contracts, but I will concentrate here on two related particularly troublesome areas, pricing and data mining. ›››

By John Levine | Comments: 2 | Views: 4903

Spam / blogs / Aug 11, 2006 8:51 AM PST

Making DKIM More Useful with Domain Assurance Email

The IETF DKIM working group has been making considerable progress, and now has a close-to-final draft. DKIM will let domains sign their mail so if you get a message from fred@furble.net, the furble.net mail system can sign it so you can be sure it really truly is from furble.net. But unless you already happen to be familiar with furble.net, this doesn't give you any help deciding whether you want the message. This is where the new Domain Assurance Council (DAC) comes in... ›››

By John Levine | Comments: 1 | Views: 3930

DNS, Domain Registries, Top-Level Domains / blogs / Aug 09, 2006 9:09 AM PST

More Top-Level Domain Wildcards

With all of the recent excitement about *.cm, the Cameroonian wildcard that someone is using to collect vast numbers of mistyped .com addresses, I wondered how many other wildcards there were at the DNS top level. There's a total of 13. Half of the wildcards are harmless. The *.museum wildcard leads to a registry page that helps guess what you might have been looking for. ...The .mp page also claims that .mp is for Mobile Phone rather than for the Marianas Islands, but they're hardly the only small poor island to try to cash in on their ccTLD, and they at least run it themselves. ›››

By John Levine | Comments: 7 | Views: 5691

Security, Spam / blogs / Jul 21, 2006 9:34 AM PST

Another Try at Proof-of-Work e-Postage Email

Another paper from the Fifth Workshop on the Economics of Information Security (WEIS 2006) is Proof of Work can Work by Debin Liu and L. Jean Camp of Indiana University. Proof of work (p-o-w) systems are a variation on e-postage that uses computation rather than money. A mail sender solves a lengthy computational problem and presents the result with the message. The problem takes long enough that the sender can only do a modest number per time period, and so cannot send a lot of messages, thereby preventing spamming. But on a net full of zombies, proof of work doesn't work. ›››

By John Levine | Comments: 7 | Views: 4424

Spam / blogs / Jun 08, 2006 3:04 PM PST

How Much Money Do Spammers Make?

News reports say that high profile Ryan Pitylak was fined $10 million by the Texas Attorney General. A few days ago, he paid a $1M settlement to Microsoft. Since it had been widely reported that he'd made between $3M and $4M during his spamming career, that seemed like a pretty good deal for him. As I commented to the San Antonio Express, this new fine is more in line with what he did, and at least relieves him of all his ill-gotten gains... ›››

By John Levine | Comments: 1 | Views: 4737

DNS, Security, Top-Level Domains / blogs / May 02, 2006 9:14 AM PST

In Bad Taste

So-called domain tasting is one of the more unpleasant developments in the domain business in the past year. Domain speculators are registering millions of domains without paying for them, in a business model not unlike running a condiment business by visiting every fast food restaurant in town and scooping up all of the ketchup packets. Since 2003, the contract between ICANN and each unsponsored TLD registry (.biz, .com, .info, .net, .org, and .pro) has added an Add Grace Period (AGP) of five days during which a registrant can delete a newly registered domain and get a full refund. Although this provision was clearly intended to allow registrars to correct the occasional typo and spelling error in registrations, speculators realized that this allows them to try out any domain for five days for free... ›››

By John Levine | Comments: 11 | Views: 15255

DNS, Security, Spam / blogs / Apr 07, 2006 10:23 AM PST

California Frets about Goodmail Email

On Monday the 3rd, California state Senator Dean Florez held a hearing of the E-Commerce, Wireless Technology, and Consumer Driven Programming committee grandly titled AOL: You Have Certified Mail, Will Paid E-mail Lead to Separate, Unequal Systems or is it the Foolproof Answer to Spam?. The senator's office said they were very eager to have me there, to the extent they offered to fly me out from New York, so since I happened to be on the way home from ICANN in New Zealand that weekend, I took a detour through Sacramento. Sen. Florez conducted the hearing, with Sens. Escutia and Torlakson sitting in briefly. Unfortunately, Sen. Bowen, who is very well informed on these topics, wasn't there. There were five panels of speakers, and I got to lead off... ›››

By John Levine | Comments: 1 | Views: 5866

Spam / blogs / Feb 14, 2006 12:13 PM PST

How Bad is Goodmail?

Goodmail Systems made a big splash last week when AOL and Yahoo announced that they will be giving preferential treatment to mail that uses Goodmail's CertifiedEmail service, claiming (implausibly) that this has something to do with stopping spam... Since Goodmail charges senders for each message, some people see this as the end of e-mail as we know it. I have my concerns about Goodmail, but a lot of the concerns are either overblown or based on bad reporting... ›››

By John Levine | Comments: 3 | Views: 5208

Security, Spam / blogs / Jan 05, 2006 1:12 PM PST

The Politics of Email Authentication, 2006 Edition

A student at a well-known US university wrote me and asked whether, given the huge national interest in getting the industry to unite behind (at least) one format, did I think that the FTC should've played a stronger role in pushing the industry to adopt an authentication format? I said: Nope. Part of the reason it's taking so long to agree on a standard is that the process is infested with academic theoreticians who are more interested in arguing about hypotheticals and pushing their pet spam solutions than in doing something useful... ›››

By John Levine | Comments: 5 | Views: 12021

DNS, Domain Names, Top-Level Domains / blogs / Dec 31, 2005 9:12 AM PST

Time to Renew .coop, .museum, and .aero ICANN

Way back in 2000-2001, ICANN approved a handful of new top level domains, and entered into agreements with their promoters. Three of the sponsored domains are coming up for renewal next year, so they've sent in their renewal proposals. A sponsored domain is one that restricts who can register to members of a particular community, in this case respectively co-ops, museums, and the airline industry. Let's take a look and see how they're doing. ›››

By John Levine | Comments: 7 | Views: 7039

DNS, Domain Names, Multilinguism / blogs / Dec 02, 2005 1:13 PM PST

Splitting the Root: It’s Too Late

One of the consistent chants we've always heard from ICANN is that there has to be a single DNS root, so everyone sees the same set of names on the net, a sentiment with which I agree. Unfortunately, I discovered at this week's ICANN meeting that due to ICANN's inaction, it's already too late. Among the topics that ICANN has been grinding away at is Internationalized Domain Names (IDNs) that contain characters outside the traditional English ASCII character set. ›››

By John Levine | Comments: 12 | Views: 8495

Spam / blogs / Nov 03, 2005 2:25 PM PST

DMA Requires Email Authentication, Do We Care?

Last week the DMA announced with considerable fanfare that their members should all use e-mail authentication. DMA members send a lot of bulk e-mail, but not much that would be considered spam by any normal metric. (Altria's Gevalia Kaffee is one of the few exceptions.) Their main problem is their legitimate bulk mail, sent in large quantities from fixed sources, getting caught by ISPs' spam filters. That happens to be one problem for which path authentication schemes like SPF and Sender ID are useful, since they make it easier to add known fixed source mailers to a recipient ISP's whitelist, and that's just what AOL and probably other big ISPs use it for. While the DMA may be implying that this is a virtuous move, in reality it's something that their members are doing anyway for straightforward business purposes. ›››

By John Levine | Comments: 2 | Views: 4254

DNS, DNSSEC, Regional Registries, Top-Level Domains / blogs / Oct 25, 2005 7:12 AM PST

ICANN Gets the Root Zone, Too

A small but intriguing paragraph in the VeriSign settlement says that ICANN gets to maintain the root zone. I thought they did now, but I guess VRSN does, following advice from ICANN. This has two and a half effects. The most obvious is political -- if ICANN rather than VRSN is distributing the root zone, it removes the symbolic significance of VeriSign's A root server. The second is DNSSEC key management. Until now, the contents of the root zone have been pretty boring, a list of names and IP addresses of name servers. If DNSSEC is deployed in the root, which is not unlikely in the next few months, ICANN rather than VeriSign will hold the crypto keys used to sign the root zone. If a tug of war develops, whoever holds the keys wins, since without the keys, you can't publish a new version of the root with changed or added records unless you publish your own competing set of keys and can persuade people to use them. ›››

By John Levine | Comments: 3 | Views: 7024

DNS, Domain Names, Domain Registries, Top-Level Domains / blogs / Oct 25, 2005 6:42 AM PST

Verisign Gets .COM Forever, But ICANN Gets a Lobbyist

A press release on the ICANN web site says that ICANN and Verisign have agreed to settle all pending lawsuits, and there’s a new .COM agreement, all tentative but if history is any guide, nothing short of DOC action is going to stop it. The good news is that VeriSign has agreed not to make unilateral changes like Sitefinder. They have to give prior notice to ICANN for any material change in the operation of the registry, and if ICANN has any concerns there’s a lengthy process full of expert panels and Consensus and the like to decide whether they can do it. ›››

By John Levine | Comments: 5 | Views: 8197

Spam / blogs / Sep 26, 2005 2:27 PM PST

Oklahoma Man Wins $10 Million Judgment Against a Spammer

On Thursday the 22nd, Robert Braver, an Oklahoma ISP owner who is a long time activist against both spam and junk faxes, received a default judgment of over $10 million against high profile spammer Robert Soloway and his company Newport Internet Marketing. Soloway has frequently been cited as one of the ten largest spammers in the world. ›››

By John Levine | Comments: 2 | Views: 47901

Spam / blogs / Aug 25, 2005 4:23 PM PST

Maybe the IETF Won’t Publish SPF and Sender-ID as Experimental RFCs After All

Yesterday, the IESG, the group that approves RFCs for publication, received an appeal from Julian Mehnle not to publish the Sender-ID spec as an experimental RFC due to technical defects. IESG members' responses were sympathetic to his concerns, so I'd say that a Sender-ID RFC has hit a roadblock. The problem is simple: Although Sender-ID defines a new record type, called SPF 2.0, it also says that in the absence of a 2.0 record, it uses the older SPF1 record. Since SPF and Sender-ID can use the same records, if you publish an SPF record, you can't tell whether people are using it for SPF or Sender-ID. Ned Freed commented... ›››

By John Levine | Comments: 6 | Views: 9293

Spam / blogs / Aug 02, 2005 12:02 PM PST

SPF Loses Mindshare

MAAWG is the Messaging Anti-Abuse Working Group. It was started by Openwave, a vendor that sells e-mail hardware and software to large ISPs, and originally consisted only of Openwave customers, but has evolved into an active forum in which large ISPs and software vendors exchange notes on anti-spam and other anti-abuse activities. Nearly every large ISP, including AOL, Earthlink, Yahoo, Comcast and Verizon, is now a member, along with ESPs like Doubleclick, Bigfoot, and Checkfree, and vendors like Ciscom, Ironport, Messagelabs, Kelkea/Trend, and Habeas. They've also been quietly active in codifying best practices and working on some small but useful standards like a common abuse reporting format. ›››

By John Levine | Comments: 17 | Views: 18717

Security, Spam, Web Hosting / blogs / Jul 26, 2005 2:14 PM PST

Abusive Anti-Anti-Spam Scheme a Dreadful Strategy

A new company called Blue Security purports to have an innovative approach to getting rid of spam. I don't think much of it. As I said to an Associated Press reporter: "It's the worst kind of vigilante approach," said John Levine, a board member with the Coalition Against Unsolicited Commercial E-mail. "Deliberate attacks against people's Web sites are illegal." ›››

By John Levine | Comments: 14 | Views: 9759

Spam / blogs / Jun 30, 2005 9:58 AM PST

IETF Publishes RFCs on SPF and Sender ID

A recent press release from the Internet Society reports that the IETF will shortly publish specifications of SPF and Sender-ID in the RFC series. What does this mean for the future? ...More than 4000 documents have been published in the RFC series since the first RFC in 1969, relatively few of which have evolved into Internet standards. Each RFC is characterized when published as standards-track, best current practice, informational, experimental, or historical. These four RFCs, three describing Sender ID and one describing SPF, are all experimental. ›››

By John Levine | Comments: 2 | Views: 8012

Spam / blogs / Jun 21, 2005 6:59 AM PST

We Hate Spam Except, Of Course, When It’s Inconvenient to Do So

Paul Graham is a smart guy who popularized naive Bayesian spam filtering in 2002 with A Plan for Spam and has organized a series of informal spam conferences at MIT. Earlier this month he was shocked and horrified to discover that his web site, hosted at Yahoo where he used to work, had appeared on the widely used Spamhaus blacklist... ›››

By John Levine | Comments: 14 | Views: 11077

Spam / blogs / May 19, 2005 7:48 AM PST

Canada Finishes its Spam Task Force, Result is Pretty Good

Industry Canada, the part of the Canadian government roughly equivalent to the U.S. Commerce Department, has had a task force on spam working for the past year or so. I was invited to participate as an unofficial member, since I'm not a Canadian. Yesterday, it wrapped up its work and published its report (aussi disponible en français) to the government. It's quite good, and has a set of 22 recommendations. ›››

By John Levine | Comments: 2 | Views: 8004

Security, Spam / blogs / Apr 18, 2005 12:06 PM PST

Phish-Proofing URLs in Email?

For those who've been living in an e-mail free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I'd better confirm my account info pronto. ...Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of the links in it are to its own domain, e.g., if the sender is bigbank.com, all of the links have to be to bigbank.com or maybe www.bigbank.com. Current path authentication schemes don't handle this, but it wouldn't be too hard to retrofit into SPF. ...So the question is, is it worth the effort to make all of the senders and URLs match up? ›››

By John Levine | Comments: 11 | Views: 9524

Security, Spam, Web Hosting / blogs / Jan 24, 2005 12:35 PM PST

How to Stop Spam

I got a letter the other day from AOL postmaster Carl Hutzler, about how the Internet community could get rid of spam, if it really wanted to. With his permission, here are some excerpts. "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution)." ›››

By John Levine | Comments: 33 | Views: 37802

Spam / blogs / Jan 07, 2005 12:37 PM PST

A Year of CAN SPAM

The CAN SPAM Act of 2003 went into effect a year ago on Jan 1, 2004. As of that date, spam suddenly stopped, e-mail was once again easy and pleasant to use, and Internet users had one less problem to worry about. Oh, that didn't happen? What went wrong? ›››

By John Levine | Comments: 1 | Views: 6571

IP Addressing, Spam / blogs / Dec 19, 2004 5:45 PM PST

A Political Analysis of SPF and Sender-ID

In my spare time when I'm not dealing with the world of e-mail, I'm a politician so now and then I put on my cynical political hat. At the FTC Authentication Summit one of the more striking disagreements was about the merits and flaws of SPF and Microsoft's Sender-ID. Some people thought they are wonderful and the sooner we all use them the better. Others thought they are deeply flawed and pose a serious risk of long-term damage to the reliability of e-mail. Why this disagreement over what one might naively think would be a technical question? ›››

By John Levine | Comments: 2 | Views: 7842

Privacy, Spam / blogs / Nov 24, 2004 11:38 AM PST

The FTC Authentication Summit

The Federal Trade Commission and NIST had a two-day Authentication Summit on Nov 9-10 in Washington DC. When they published their report explaining their decision not to create a National Do Not Email Registry, the FTC identified lack of e-mail authentication as one of the reasons that it wouldn't work, and the authentication summit was part of their process to get some sort of authentication going. At the time the summit was scheduled, the IETF MARID group was still active and most people expected it to endorse Microsoft's Sender-ID in some form, so the summit would have been mostly about Sender-ID. Since MARID didn't do that, the summit had a broader and more interesting agenda. ›››

By John Levine | Comments: 0 | Views: 6454

IP Addressing, Law, Spam / blogs / Nov 16, 2004 11:28 AM PST

Putting a Spammer in Jail

The country's first criminal trial about spam ended in Leesburg, Virginia earlier this month with a conviction of Jeremy Jaynes, better known under his nom de spam of Gavin Stubberfield. I was an expert witness for the prosecution, the Commonwealth of Virginia. The case was brought under Virginia's state anti-spam law, not the weaker Federal CAN-SPAM act... ›››

By John Levine | Comments: 1 | Views: 8389

Internet Protocol, Privacy, Spam / blogs / Sep 21, 2004 7:40 AM PST

An Analysis of Microsoft’s MARID Patent Applications

The IETF MARID working group has been slogging away all summer trying to produce a draft standard about e-mail sender verification. They started with Meng Wong's SPF and Microsoft's Caller ID for E-mail, which got stirred together into a hybrid called Sender ID. One of the issues hanging over the MARID process has been Microsoft's Intellectual Property Rights (IPR) in Caller ID and Sender ID. The IETF has a process described in RFC 3668 that requires contributors to disclose IPR claims related to their contributions. ›››

By John Levine | Comments: 0 | Views: 10461

Spam / blogs / Aug 06, 2004 7:30 AM PST

Spam and the Introduction Problem

IBM researcher Nathaniel Borenstein has commented that everyone agrees that spam is bad, and that's a huge impediment to doing anything about it. Having decided that spam is bad, it's tempting to divide the spam problem into smaller problems and try to solve the smaller problems, then put the solutions to the subproblems together and, voila, no more spam. That would be fine if the combined subproblems were truly equivalent to the spam problem, but that's rarely the case. ›››

By John Levine | Comments: 1 | Views: 7625

Security, Spam / blogs / Jul 28, 2004 6:55 AM PST

What the ITU WSIS Spam Meeting Accomplished

The first week in July I went to an acronym-heavy World Symposium on the Internet Society Thematic Meeting on spam in Geneva. A few people have reported this as a meeting by "the UN", which it wasn't. Although the International Telecommunications Union is now part of the UN, it dates back to an 1865 treaty to manage international telegraph communication... ›››

By John Levine | Comments: 1 | Views: 7088

Security, Spam / blogs / Jun 14, 2004 6:30 AM PST

Email Address Forgery

In my roles as postmaster at CAUCE (the Coalition Against Unsolicited Commercial E-mail) and abuse.net, I get a lot of baffled and outraged mail from people who have discovered that someone is sending out spam, often pornographic spam, with their return address on the From: line. "How can they do that? How do I make them stop?" The short answers are "easily" and "it's nearly impossible." ›››

By John Levine | Comments: 2 | Views: 15345
