Re: Microsoft's Sender ID Authentication......?
Wasn't there a lot of turmoil within the IETF last year on sender authentication because Microsoft was trying to push its own sender ID authentication mechanisms as a draft standard?

In part the problem was 'legal' (versus technical)...the folks involved in the working list from MS...technical people, offered ongoing reassurance that the as-yet-unpublished patent apps were benign, that it would always be available free, etc. etc... but once the patent apps were published, they were far over-reaching, included SPF aspects, etc.. (I have _zero_ doubt that the legal/corporate folks upstairs at MS were responsible for that, and that the good folks from MS on the working list were as surprised as were the rest of us).

Anne

Anne P. Mitchell, Esq.
President/CEO
Institute for Spam and Internet Public Policy
IADB Email Sender Accreditation Database: http://www.isipp.com/iadb.php
Professor of Law, Lincoln Law School of SJ
Advisor, Kinar Secure Email
Advisor, Relemail Email Privacy Certification
Advisor, Virus Bulletin
Asilomar Microcomputer Workshop Planning Committee
Re: IBM to offer service to bounce unwanted e-mail back to the
On Mar 23, 2005, at 12:37 PM, RSK wrote:

> On Tue, Mar 22, 2005 at 10:24:37AM -0800, Andreas Ott wrote:
> > http://money.cnn.com/2005/03/22/technology/ibm_spam/
>
> If this write-up is accurate,

It's not. From the http://www.aunty-spam.com website:

IBM Not Spamming Spammers! FairUCE is About Fair Use, Not Abuse!

Did you hear? IBM is spamming spammers! It’s all over the Internet, and tongues are a’wagging!

Except, it ain’t so. IBM is not spamming spammers. Whether you think that spamming spammers is right or wrong, IBM ain’t doing it, and shame on CNN for getting it so wrong, and making IBM look so irresponsible, and in league with the likes of Lycos’ “Make Love Not Spam” DOSsing Screensaver program, and the notorious Mugu Marauder bandwidth sucking program.

You can’t really blame the folks who read CNN’s horribly wrong piece for spreading the rumour, after all it was quite sensationalist:

“Spamming spammers? IBM to offer service to bounce unwanted e-mail back to the computers that sent them. March 22, 2005: 12:22 PM EST NEW YORK (CNN/Money) - IBM unveiled a service Tuesday that sends unwanted e-mails back to the spammers who sent them. The new IBM (Research) service, known as FairUCE, essentially uses a giant database to identify computers that are sending spam. E-mails coming from a computer on the spam database are sent directly back to the computer, not just the e-mail account, that sent them.”

Wrong, wrong, wrong. About the only thing which the article got right is that the program is called “FairUCE”.

FairUCE, according to IBM’s own FairUCE website, readily available for anyone to read (cough…CNN reporters..cough), is a “spam filter that stops spam by verifying sender identity instead of filtering content”.

Let’s say that again: FairUCE is a spam filter that stops spam by verifying sender identity instead of filtering content.

If FairUCE can’t verify sender identity, then it goes into challenge-response mode, sending a challenge email to the sender, to which the sender must reply, to demonstrate that it is not a spambot sending the mail in question, but a real live person.

Here is IBM’s explanation of how the FairUCE system works:

“Technically, FairUCE tries to find a relationship between the envelope sender’s domain and the IP address of the client delivering the mail, using a series of cached DNS look-ups. For the vast majority of legitimate mail, from AOL to mailing lists to vanity domains, this is a snap. If such a relationship cannot be found, FairUCE attempts to find one by sending a user-customizable challenge/response. This alone catches 80% of UCE and very rarely challenges legitimate mail.”

Now, being kind, it’s possible that the good folks at CNN mistook the sending of the challenge for “spamming the spammer”

(Rest at http://www.aunty-spam.com/ibm-not-spamming-spammers-fairuce-is-about-fair-use-not-abuse/)

Anne
Re: AOL scomp
Otherwise, I think that it can be helpful in identifying issues. We use it to help advise us with respect to the IADB accreditation database, and what we have found is that yes, there are a lot of complaints for legitimate opt-in mail, but a demonstrable change in *volume* (rather than the valid:invalid complaint ratio) can often notify us very early on about a problem mailing by someone listed in IADB. Due to the nature of the senders listed in IADB, typically a "what's going on with this??" inquiry will result very quickly in a problem customer of the sender's either getting a clue or getting the boot.

Anne

Anne P. Mitchell, Esq.
President/CEO
Institute for Spam and Internet Public Policy
http://www.isipp.com
http://www.isipp.com/iadb.php
Professor of Law, Lincoln Law School of SJ
Re: OT - 3 Free Gmail invites
If you have spare Gmail accounts, please consider donating them here: http://www.gmail4troops.com Anne
Scholarships available to International Spam Law & Policies conference
All,

We have had two more 'scholarships' donated to allow two people who could not otherwise do so to attend our "International Spam Law & Policies: The Global Case" conference (http://www.isipp.com/events.php).

Topics include:

"Issues and Solutions in Dealing with Borderless Activities in a Bordered World"
"Doing the Right Thing: Email Compliance and Spam Enforcement Across Borders"
"International Perspectives on the Growth of Spam and the Effectiveness of Laws vs. Technology"
"Current and Future Trends in European Anti-Spam Policy and Efforts"
"International Concerns Regarding Spam: A View from the U.N. WSIS Meeting, and What Identity Means in an International Online World"

..and a few more which I can't mention until the speakers providing them have cleared us to do so.

If you'd like to apply for one of these two spots, please send email to [EMAIL PROTECTED], explaining how this conference is professionally relevant to you, why you personally want to attend, and anything else which you think is relevant.

These scholarships cover the cost of attendance ($475.00 before any discount), but not travel, lodging or other expenses. Hotel rooms are available for about $90/night and up under our discount.

Anne

Anne P. Mitchell, Esq.
President/CEO
Institute for Spam and Internet Public Policy
Professor of Law, Lincoln Law School of SJ
Committee Member, Asilomar Microcomputer Workshop
IDDB: Companion Domains Database to IADB (and IADB Update)
All,

We have not yet announced, but have made available, the IDDB - ISIPP Domains Database. This is a companion database to IDDB, and allows queriers to do a query by domain name; if the domain name is listed, it will return a list of IP addresses from which the domain is properly allowed to mail, along with the listee's IADB registration number for cross reference. Obviously, the resulting IP addresses can then be plugged into an IADB query to get the IADB data about the sender's status, opt-in policies, etc..

This is _not_ intended as a replacement for SPF, MS Caller ID for Email, Domain Keys, etc.. Rather it is simply a companion database to IADB, which we are offering at the request of both senders and receivers who wanted this ability.

IADB is also growing, now offering additional information (the newest is the data code which means "the only email which comes from this IP address is mailing list email, and that mailing list email is entirely confirmed (double) opt-in"), and providing such information to ISPs, spam filters, and other queriers for more than 325 million pieces of email per month. The full list of current information provided by an IADB lookup is at http://www.isipp.com/iadbquery.php

Querying IDDB, as with IADB, is free (and always will be), and can be done by filling out a short form at http://www.isipp.com/iadb_query_sign_up.php

We hope that you will get good use out of IDDB as well as IADB, and I want to thank those of you already supporting it.

Anne
Re: Update on Querying IADB
> > 127.3.100.3 Accepts unverified sign-ups, gives chance to opt out
> >
> > 127.3.100.5 Has opt-in confirmation mechanism
> > 127.3.100.6 Has and uses opt-in confirmation mechanism
> >
> > 127.3.100.10 All mailing list mail is confirmed opt-in
>
> Hmm.. this is loads of fun if you're running a Listserv that has
> several thousand lists defined, and not all of them have the same
> policies (for instance, although the vast majority of our lists are
> 'confirmed opt-in', we have several lists that are bulk-loaded with
> database extracts for "captive audience" lists such as "all freshmen",
> "all grad students", and so on).

In a case like this we would list any IPs from which *only* come confirmed lists separately, so that they would get the 127.3.100.10 listing. Otherwise we would look at the lowest common denominator and use that data code response.

> Also, the pricing seems a bit whacked - are you *really* expecting
> sites that have less than 30 customers to pay $200/month? I know a
> *lot* of people who have formed collectives of 10-15 people who chip
> in and get a 1U at a colo

I've already answered this on the fly, separately, but it bears repeating. If you are talking about non-commercial mailing lists, that would probably qualify for the newsletter publisher rate, which is only $10/month. It's also critical that people understand that you are now talking about *being listed* in IADB, not about querying IADB, which is always free (We've heard from at least one list member who thought these rates being talked about were to *query* the list).

> It's totally unclear how you can encode an "individual" listing - that
> whole "stuff to the left of the @ sign" thing is rather unhandy...

Are you asking about "is there a data response code for "individual"? There *could* be, but we determined that in the scheme of things which most receiving systems care about, it doesn't matter. What matters is the type of mail they send.

Anne
Re: Update on Querying IADB
> Also, the pricing seems a bit whacked - are you *really* expecting
> sites that have less than 30 customers to pay $200/month? I know a
> *lot* of people who have formed collectives of 10-15 people who chip
> in and get a 1U at a colo

They are not email service providers; if you are talking about a site which only publishes non-commercial mailing lists, they would probably fall under the "newsletter publisher" rate, which is $10.00/month.

Anne
Update on Querying IADB
For those interested in seeing how this has evolved, and what exactly this particular accreditation database provides, our query pages have been expanded, and include a link to the full suggested DNSL data response codes.

The codes we use at present include:

127.0.0.1      Listed in IADB
127.0.1.255    Vouched listing
127.2.255.1    Publishes SPF record
127.2.255.2    Publishes Microsoft "Caller I.D. for Email" record
127.2.255.101  Participates in Habeas program
127.2.255.102  Participates in Ironport's Bonded Sender program
127.3.100.0    Has absolutely no mailing controls in place
127.3.100.1    Scrapes addresses, pure opt-out only
127.3.100.2    Accepts unverified sign-ups such as through web page
127.3.100.3    Accepts unverified sign-ups, gives chance to opt out
127.3.100.4    Reserved
127.3.100.5    Has opt-in confirmation mechanism
127.3.100.6    Has and uses opt-in confirmation mechanism
127.3.100.7    Reserved
127.3.100.8    Reserved
127.3.100.9    Reserved
127.3.100.10   All mailing list mail is confirmed opt-in

The general information is at http://www.isipp.com/iadb.php

Query information specifically is at http://www.isipp.com/iadbquery.php

It is, of course, free to query IADB, as well as to be listed as an individual.

Anne
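How a receiving system might turn the data response codes listed above into a decision, as an added example that is not ISIPP's code and not part of the original post. It assumes the usual reversed-octet DNS list query form and a placeholder zone `iadb.example`; the function names, the verdict strings and the rule that a `127.0.0.1` record must be present are assumptions of the example. When several opt-in codes come back it takes the lowest, mirroring the "lowest common denominator" rule described in the reply further up.

```python
import ipaddress

# Placeholder zone: the real IADB query zone is not given on this page.
ZONE = "iadb.example"

# Data response codes exactly as listed in the post above.
FLAGS = {
    "127.0.0.1": "listed",
    "127.0.1.255": "vouched",
    "127.2.255.1": "spf",
    "127.2.255.2": "caller_id",
    "127.2.255.101": "habeas",
    "127.2.255.102": "bonded_sender",
}
OPT_IN_PREFIX = "127.3.100."
OPT_IN_LEVELS = {0, 1, 2, 3, 5, 6, 10}  # 4, 7, 8 and 9 are reserved


def query_name(ip, zone=ZONE):
    """Build the lookup name for a connecting IPv4 address (reversed octets)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode(answers):
    """Sort the A records returned for one lookup into flags and an opt-in level.

    Anything that is not a known code is kept in 'unknown' and earns nothing.
    That covers reserved codes and also non-127/8 answers, which typically
    mean a wildcarded or rewritten DNS response rather than a listing.
    """
    flags, levels, unknown = set(), [], []
    for raw in answers:
        try:
            addr = str(ipaddress.IPv4Address(raw.strip()))
        except ValueError:
            unknown.append(raw)
            continue
        if addr in FLAGS:
            flags.add(FLAGS[addr])
        elif addr.startswith(OPT_IN_PREFIX):
            level = int(addr.rsplit(".", 1)[1])
            if level in OPT_IN_LEVELS:
                levels.append(level)
            else:
                unknown.append(addr)
        else:
            unknown.append(addr)
    # Several opt-in codes for one IP: trust only the weakest practice claimed.
    opt_in = min(levels) if levels else None
    return {"flags": flags, "opt_in": opt_in, "unknown": unknown}


def classify(answers, min_opt_in=5):
    """Return 'not_listed', 'listed_no_credit' or 'accredited' (example verdicts)."""
    info = decode(answers)
    if "listed" not in info["flags"]:
        # Assumption of this example: data codes without 127.0.0.1 are ignored.
        return "not_listed"
    if info["opt_in"] is None or info["opt_in"] < min_opt_in:
        return "listed_no_credit"
    return "accredited"


if __name__ == "__main__":
    # Constructed sample answers, not real lookups.
    samples = {
        "192.0.2.25": ["127.0.0.1", "127.2.255.1", "127.3.100.10"],
        "192.0.2.26": ["127.0.0.1", "127.3.100.3", "127.3.100.6"],
        "192.0.2.27": ["203.0.113.7"],  # rewritten NXDOMAIN, not a listing
    }
    for ip, answers in samples.items():
        print(query_name(ip), classify(answers), decode(answers))
```
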
Re: SPAM Prevention/Blacklists
Are there any other good lists out there that you folks have had good experience with? Any that we might want to consider taking a look at? Thanks, As a follow-up to my previous post, for those interested, the IADB (ISIPP Accreditation Database) is now officially up and running. We'll give a courtesy listing to anyone from NANOG who is *not* a commercial sender (and listings for individuals are always free). Querying is, of course, also always free. http://www.isipp.com/iadb.php Anne Anne P. Mitchell, Esq. President/CEO Institute for Spam and Internet Public Policy
Re: SPAM Prevention/Blacklists
Also, I like sender verification, but that's me. i used it for some time, and reluctantly shut it down. blocked a lot of email abuse, but too many false positives for my taste. Could you go into more detail? ... Maybe I have others I just don't know about? How many people send legit e-mail with return addresses which are bogus? On a related note, for those of you interested, the IADB (ISIPP Accreditation Database) is now up and running, although not publicly announced yet. You can read information about it at: http://www.isipp.com/iadb.php What is unique about the IADB is that it is designed to list not only IP addresses, but also associated domains *if* the listee is publishing an SPF record, and conversely IADB listees will be able to get a unique "accreditation code" to put into their SPF records. Anne Anne P. Mitchell, Esq. President/CEO Institute for Spam and Internet Public Policy Professor of Law, Lincoln Law School of SJ
Spam and the Law Conference Presentations Available (including Audio)
All, The proceedings of last month's Spam and the Law conference are now available through us. They are available as individual sessions, or you can get the entire conference (broken out into individual sessions). Each presentation includes the full audio of the speaker's presentation (and the quality is excellent - our sound guy did a superb job), along with any handouts, PowerPoints, etc.. There is a 25% discount for list members (only! Please don't share the discount link! If you want to tell someone about the availability of the proceedings, please just give them our website address at http://www.isipp.com) To get the discount, use this link: http://www.1shoppingcart.com/app/adtrack.asp?AdID=68216 It will redirect you to our site, and when you check out it will automatically apply the discount. Anne
Spam and the Law Conference Update, NANOG Discount
All, We just got confirmation that California Attorney General Bill Lockyer will be speaking at our Spam and the Law conference. It should be *very* interesting to hear what he has to say, in light of all that has gone on with regards to SB186, CAN-SPAM, etc.. Full information current with all speakers (now including Larry Lessig, Guy Kawasaki, Brian Huseman, and many others) available at http://www.isipp.com/events.php We are still offering a NANOG discount on admission, as well - be sure to put "NANOG" in the coupon section when you register, and you'll get $100.00 off. Anne Anne P. Mitchell, Esq. President & CEO Institute for Spam and Internet Public Policy
Re: Verizon Postmaster contact?
> I see VZ was not kind enough to put any contact info in Jared's NOC
> list. They are currently blocking all mail from an ISP customer of
> mine (based on the envelope From, not IP), and I need to get someone
> on the phone to clear this up.

Verizon is listed in EDDB; I think that I've made this offer here before, but anybody who'd like to participate in EDDB, and who otherwise qualifies, can have a healthy "Nanog Discount", or even be listed only (no access) for free.

EDDB is at http://www.isipp.com/eddb.php

In the meantime, Charles, may I forward your note to the Verizon contact?

Anne

Anne P. Mitchell, Esq.
President/CEO
Institute for Spam & Internet Public Policy
Professor of Law, Lincoln Law School of SJ
RE: more on filtering
> >> I don't see how that is the same thing here. I have an
> >> agreement with cust X to provide services in accordance with
> >> my AUP. cust X resells that service to cust Y, etc. cust Y
> >> is bound to the terms and conditions of my agreement with
> >> cust X, despite that I do not have a direct agreement with cust Y.
> >
> > Oh christ...network engineers trying to be lawyers.

Hey, it's only fair - I'm trying to be a network engineer. :-)

The concept about which the original poster is speaking is probably that of either "sub-licensees" or "third party beneficiaries" (different things, but he is probably thinking of one of those two concepts). In the former, it means that his *users* are bound by the same criteria as is he if he makes a contract with someone (it was the concept we used at Habeas to bind ISP users if an ISP signed a license with Habeas). The latter, third party beneficiaries, is *actually* what one would need to bind a user's own customers to the user's contract, and that must be spelled out explicitly in the contract between ISP and customer X.

Anne

Anne P. Mitchell, Esq.
President/CEO
Institute for Spam & Internet Public Policy
Professor of Law, Lincoln Law School of SJ
Re: Whitelisting, AOL E.mail etc.
Robert, and all,

> 2) Having the requisite AOL contact information in any event - might
> be important toward at least partially achieving a resolve to future
> problems.

Also let me remind folks that this is exactly what EDDB is for - to provide a place to find contact information in situations such as this. (Yes, that information is in EDDB.) We have contact information for senders, ISPs, and spam filtering companies. Information provided *by* them, not culled from elsewhere - this is them saying "if you are a participant in EDDB, you can contact us directly here:"

I'm not pushing this to get EDDB payments from folks here - in fact, if you contact me directly off-list I'll tell you about the *very* healthy NANOG discount. :-)

http://www.isipp.com/eddb.php

Anne

P.S. If you want a laugh, check out our new Slam a Spammer graphic, at http://www.isipp.com/slamspammer.php

Anne P. Mitchell, Esq.
President & CEO
Institute for Spam and Internet Public Policy
Re: Email Deliverability Summit II Update
> Dave - the problem with basic email is that it has no assured delivery
> capabilities or receipt processes.

To that end, and to Dave's question (and some I've received off-list) - these are not particularly *technical* standards - they are practical standards, having to do more with email industry process and practice - and while they are framed as ISIPP's standards, they were formed, refined and adopted unanimously by:

RoadRunner AOL Microsoft Outblaze SpamAssassin Cloudmark Ironport Everyone.net MSN/TV SamSpade Cyphertrust Word to the Wise ReturnPath Mailshell MessageFire MailFrontier Cable & Wireless ePrivacyGroup Cheetahmail Digital Impact Yesmail RappDigital Innovyx Digital River Silverpop Socketware Atriks and TheMail.com WhatCounts Digital Connexxions e-Dialog Uptilt ExactTarget Captaris Experian Acquireweb SubscriberMail NetCreations iVillage CNET

..and, indeed, many of these orgs have already put them into practice. They are based on a dialogue between senders and receivers, in which the senders basically said "tell us what we have to do to get our mail delivered", the receivers said "this is what you have to do, and what can we do to help you do that?"..and this is the result.

It's not the law.. but when several of the top ISPs and spam filters say "do this", senders listen.

Anne
Email Deliverability Summit II Update
I've had so many people over the past few weeks ask me for an update as to how Email Deliverability Summit II went that I thought I really ought to at least point to some links, which is exactly what I'm going to do, in the interest of not taking up list bandwidth.

In short, it was absolutely amazing. Twenty CEOs or other executive decision-makers from ISPs, spam-filtering companies, and other email receivers (some of them on this list), and twenty from large email sending companies, in a room at a roundtable for 8 solid hours - and we got a *lot* accomplished.

Those accomplishments include the promulgation and announcement of 5 new industry standards for both email senders and receivers (this is up at http://www.isipp.com/standards.php), the presentation of EDDB - which is a receivers/senders contact information database (it was actually Damian's request which reminded me to post about this - EDDB allows participants to log in and get the appropriate contact information for the sender or receiver in question - information about EDDB is at http://www.isipp.com/eddb.php), and the announcement of a new cross-industry working group - the Email Processing Industry Alliance (EPIA), which will carry on with the work started at Summits I and II (if you'd like information about being involved as a receiver, contact Mark Herrick of RoadRunner at [EMAIL PROTECTED], or Craig Hughes of SpamAssassin Open Source at [EMAIL PROTECTED]; senders should contact Ian Oxman at [EMAIL PROTECTED]). Finally, ISIPP announced its upcoming Spam and the Law conference (http://www.isipp.com/events.php).

I'd also like to take this opportunity to mention that independent of ISIPP I am working on a new email deliverability product which allows senders and receivers to preauthorize and prevalidate (and even preschedule) the senders' legitimate bulk mailings. We're currently in beta, and I'd welcome any of you to participate in the beta test (which of course is free, and once we get into commercial production we expect to offer *deep* discounts to beta testers). Anyone who would like more information should contact me directly.

Anne

Anne P. Mitchell, Esq.
President & CEO
Institute for Spam and Internet Public Policy
Re: abuse case management
Mikael,

> Is there an abuse case management system as freeware somewhere,
> something like all the ticket/case handling packages out there, but
> more specifically aimed at abuse/complaint handling.

Not Freeware, but I know that the folks at Word to the Wise have developed something to do exactly that. I have no idea of cost, but drop them a line at [EMAIL PROTECTED]

Anne

Anne P. Mitchell, Esq.
CEO
Habeas, Inc.
Re: ISP Whitelist (was Re: NOC contact for he.net)
> > That query configuration in SpamAssassin was incorrect, and has been
> > fixed in 2.60. While I apologize that it caused you an
> > inconvenience, it was in fact set up like that without our
> > knowledge. It was querying the HIL even if there were no Habeas
> > headers present in the inbound email in question, so it was querying
> > the HIL for every single piece of email going through SA.
>
> In other words, the HIL is designed to only counteract the Mark, and
> not operate as a bl(a|o)cklist. I've seen a lot of confusion
> concerning people's perceptions on that (read the iCop interview.
> haha).

Correct, although if people choose to use it as a blocklist, that is their business. But the only IP addresses on there are those for which we have in hand email infringing our mark, and we remove the listing as soon as the infringement stops.

Anne
Re: ISP Whitelist (was Re: NOC contact for he.net)
> I hope you've provisioned a bit more bandwidth onto your various DNS
> servers that are handling your white/blacklists. About 2 months ago
> there seemed to be some sort of confusion where you took your HIL list
> down, changed its name and then changed it to zone-xfer only. Not a
> lot of fun for SpamAssassin users which had it configured in by default
> (and others no doubt).

That query configuration in SpamAssassin was incorrect, and has been fixed in 2.60. While I apologize that it caused you an inconvenience, it was in fact set up like that without our knowledge. It was querying the HIL even if there were no Habeas headers present in the inbound email in question, so it was querying the HIL for every single piece of email going through SA.

In fact, it was the mass querying (8000 queries per second) even with no Habeas indicator present which caused us to have to make that change. Our servers are set up properly, and are stable.

Anne
Re: ISP Whitelist (was Re: NOC contact for he.net)
> On Thu, 3 Jul 2003, Anne P. Mitchell, Esq. wrote:
> > If you're interested in reviewing the criteria for acceptance onto
> > the HISP (contained in a HISP license which, again, is free),
> > contact me off-list.
>
> Gosh, didn't the AGIS lawyers once try to save the net? Licenses,
> licenses, licenses.

Heh, I'm here not as a lawyer, but as CEO of Habeas. The HISP is a companion to our HUL whitelist, which is a list of the IP addresses of our customer/licensees (bulk mail guaranteed to be confirmed opt-in), and our HIL (DNS blocklist of those who breach our license or otherwise infringe our trademark by using it to try to get spam through).

Anne
ISP Whitelist (was Re: NOC contact for he.net)
> I have lost my copy of the contact list for the NOCs. Can someone
> supply the contact info for he.net?

This is probably as good a time as any to mention that we have just inaugurated our ISPWL (dns-based ISP whitelist), the "HISP". It's relevant to this because members provide both standard business and urgent contact information, as well as "member to member only" contact information, for sharing with other members [note, we do *not* get involved in issues, we simply make the contact information available to other HISP members.] So in this case, if he.net is a HISP member, Roy could have gone to the HISP members contact page and looked up the information, including urgent contact information.

Obviously the primary thrust of the HISP is to allow sites to query a DNS whitelist of ISPs who they can know to be whitehat, and who live up to a certain level of abuse-handling and other criteria (defined in the free license). There is no charge whatsoever for being listed on the HISP, or for querying it.

If you're interested in reviewing the criteria for acceptance onto the HISP (contained in a HISP license which, again, is free), contact me off-list.

Anne

[EMAIL PROTECTED]
Re: companies like microsoft and telia...
MS is also, I am told, behind the gutting, stalling, and undermining of Senator Bowen's SB 12 (the California anti-spam legislation). Right now her office is basically scrambling to get other ISPs to give their input so that they can demonstrate that MS does not speak for the networking world in wanting things like this: "If a recipient has either provided direct consent or has a preexisting or current business relationship with the sender, commercial e-mail advertisements from that sender shall not be construed as unsolicited commercial e-mail advertisements." ... (k) "Preexisting or current business relationship," as used in connection with the sending of a commercial e-mail advertisement, means the recipient has made an inquiry, application, purchase, or transaction regarding products or services, including the use of free products or services, offered by the sender." So pretty much if someone breathed in their general direction, it's ok to put them on a mailing list and spam the heck out of them. Period. MS apparently threw their weight around in the Business & Professions committee, and asserted that they stand for everyone, and few others have come forth to refute it. [Note: We're leading a delegation to meet with Senator Bowen tomorrow; if anybody here cares about this stuff, and would like to offer their 2cents, I'd be happy to send you a copy of the bill, and hand carry a fax to her (or give you a fax # for her). But it needs to be fast, I'm heading up there in about 8 hours. This is CA legislation affecting any network which sends to or is in CA - it will impact everyone, on some level.] We now end this "how Bill becomes a law" civics class, and return you to your regularly scheduled NANOG. Anne
Re: Weird email messages with "re:movie" and "re:application" in the subject line..
> New spam technique or some new virus, similar to a Melissa? Any body
> else seeing this?

We're seeing it here too, coming to role accounts. Our folks are saying virus, but haven't identified which one yet.

Anne
Re: Major E-mail Delivery for FTC DNCR Launch
Oops..2nd time, sorry - had to resub to NANOG and hadn't actually sent the sub to -post.

> Except possibly don't use the word "spam", or anything else that is
> liable to trip SpamAssassin and friends into giving your messages a
> high score (so references to abdominal anatomy and cable tv decoders
> are also probably unwise :).
>
> I'm frequently surprised that more people don't run their (legitimate,
> opt-in, whatever) bulk mail through SpamAssassin before they send it
> in order to see how spam-like it looks. I'm forever having to pick
> itineraries and electronic tickets from airlines out of my spam
> folder.

Send them to us; we're happy to tell them to use Habeas. :-) (SpamAssassin is a partner, and whitelists mail using our headers, so those itineraries and e-tickets will sail through SpamAssassin, along with about 3 dozen other ISP and spam filter partners :-) Of course, if it's mailing list mail, it *has* to be confirmed opt-in.]

Anne