For the past 2 years or so, I’ve been using GMail to handle my main mail feed for jmason.org. I’m an absolute convert to its “river of threads”/search-based workflow.

Since starting at Amazon, I’ve had to start dealing with a heavy volume of work mail. Previously jobs have either had low mail volumes, or used Google Apps hosting for their mail, but Amazon’s volumes are high and — obviously — they’re not using Google. ;) For a while, I tried using Thunderbird, but it just didn’t really cut it; I could never keep track of mails I wanted archived, or remember which folder they were in, etc. — the same old problems that GMail solved.

Enter Sup. It’s a console-based *nix email client, with a Mutt-like curses interface, which offers something closely approximating the GMail experience:

Sup is a console-based email client for people with a lot of email. It supports tagging, very fast full-text search, automatic contact-list management, custom code insertion via a hook system, and more. If you’re the type of person who treats email as an extension of your long-term memory, Sup is for you.

Inbox Zero is a daily occurrence for my work email now; I can simply archive pretty much everything, and reliably know the excellent full-text search support will allow me to find it again in an instant when I need it. The new-user guide is well worth a read to get an idea of its featureset and UI.

Setting it up

The process of getting it set up is quite hairy; here are some instructions for Ubuntu, which thoroughly failed to work for me on 9.04. I had a similarly tricky time using some Ruby packages on the Red Hat work desktop, but eventually avoided it by just building vanilla Ruby from source, then using that to install “gem” and from that, “sudo gem install sup”. Much easier…

Next step is to get the mail. From some reading, it appears the most reliable way to deal with a MS Exchange 2007 server is to use offlineimap to sync it to a local set of maildirs, then add those as Sup “sources” using sup-add, one by one. This is very well supported in Sup, and works well. Offlineimap is very easy to install on Ubuntu, and can easily be built from source if that’s not an option. My config is pretty much a vanilla copy of the minimal config.

There’s a good Sup hook to run “offlineimap” every poll interval, and rescan synced sources that contain new mail. It works well.

Sup has an interesting approach to mail storage — it doesn’t. Instead, it stores pointers to the messages’ locations in their source storage. This is a great idea, since bugs in Sup therefore cannot lose your mail — just your metadata about your mail. However, it means that if the source changes in a way which moves or removes messages, you need to tell Sup to rescan (using “sup-sync”), but that’s no big deal in practice; in the more usual case, if new mail arrives, it’s automatically rescanned.

I have just under 7000 mail messages in my Sup index, and rescans are speedy and searches super-fast. It’s very nicely done.

Outbound mail is delivered using /usr/sbin/sendmail by default, which should be working on any decent *nix desktop anyway ;)

Recommended Hooks

The Hooks wiki page has a few good hooks that you should install:

• ~/.sup/hooks/before-poll.rb: the above-mentioned offlineimap poll hook
• ~/.sup/hooks/mime-decode.rb: ‘uses w3m to translate all HTML attachments that don’t have a text/html alternative.’ Well worth installing.
• ~/.sup/hooks/before-add-message.rb: essential to filter out cron noise and the like so it doesn’t hit the inbox; unfortunately Sup doesn’t (yet) support GMail’s “filter messages like this” UI.

Bad Points

• Long URIs: unfortunately, very long URIs are broken by Sup’s renderer, and it doesn’t offer a native way to “activate” URIs and have them displayed in the browser; instead one has to cut and paste them. This is pretty lame. I’ve hacked up a perl script that will reconstruct the full URLs from the broken rendering, when the text is piped to it, but that’s a horrible hack.

• Index Corruption: I’ve had the misfortune (once, in the month since I started) of corrupting my search index, causing Ruby exception stack traces when I attempted to run “sup-sync” to scan new mail. The only fix appeared to be to restore my index from a “sup-dump” backup. Thankfully all seems fine now, but it was a definite reminder of the product’s beta status.

• Calendaring: still as painful as it’s ever been with UNIX command line email.

• HTML: A good-quality, email-oriented, native HTML renderer would be awesome.

• MIME: Sup again takes the traditional approach from UNIX command line clients of delegating to the mailcap file and its rules; unfortunately my RHEL5 desktop is too crappy to have a good mailcap setup. So I’ve had to write this from scratch to deal with the usual .docs and .xls’s etc., flying about.

• Inconsistent Key Mapping: Given that it shares so much UI with GMail in other respects, it’s a little annoying that Sup doesn’t have the same key mapping. Not a big deal, as it took only a couple of hours to get the hang of Sup’s, though.

Overall

If you’re happy enough to spend a day or two getting the damn thing installed, and aren’t afraid of a little dalliance with the bleeding edge, I strongly recommend it. It’s definitely the best *NIX mail reader at the moment.

Tags: commandline, curses, email, gmail, mail, smtp, sup, unix

• MailChannels’ Ken Simpson on the new email RFCs : diffed. the explicit statement that there is no length limit to mail headers is potentially tricky
  (tags: rfcs rfc-5321 rfc-5322 email standards internet smtp)

Tags: email, internet, rfc-5321, rfc-5322, rfcs, smtp, standards

• Vint Cerf interviewed on spam, malware etc. : pretty much the EFF party line, I think: “every man for himself”. also talks about net neutrality
  (tags: vint-cerf internet filtering spam malware abuse network-neutrality anti-spam eff)

• video of a fake e-Passport being accepted by airport security reader : an e-Passport for “Elvis Aaron Presley”, no less, happily scanned by an Amsterdam passport security station. hahahaha!
  (tags: elvis funny security e-passports video via:slashdot rfid)

• Facebook adds Ireland as a Friend : ‘Dublin will be the centre for Facebook’s international operations and will provide a range of online technical, sales and operations support to Facebook’s users and customers across EMEA region.’ good news
  (tags: facebook dublin ireland web2.0 emea)

• RFC-5321 (Obsoletes: 2821) : The newest rev to the Simple Mail Transfer Protocol (via fanf)
  (tags: rfcs rfc-2821 standards internet smtp email rfc-5321)

• RFC-5322 (Obsoletes: 2822) : the newest rev to the Internet Message Format for email (via fanf)
  (tags: via:fanf rfc rfc-2822 rfc-5322 standards email internet)

Tags: abuse, anti-spam, dublin, e-passports, eff, elvis, email, emea, facebook, filtering, funny, internet, ireland, malware, network-neutrality, rfc, rfc-2821, rfc-2822, rfc-5321, rfc-5322, rfcs, rfid, security, smtp, spam, standards, via:fanf, via:slashdot, video, vint-cerf, web2.0

• The Evolution of Pre-Launch Gmail In Screenshots : fascinating! They really did a good job improving the UI, early revs were quite uninspiring
  (tags: gmail google history email web ui)

• SealSkinz : waterproof socks and gloves — come recommended by Dublin’s cycle-couriers to avoid wet feet in all this bloody rain. lots and lots of good testimonials
  (tags: dryness feet comfort clothing rain weather cycling outdoors socks gloves)

Tags: clothing, comfort, cycling, dryness, email, feet, gloves, gmail, google, history, outdoors, rain, socks, ui, weather, web

Del.icio.us 2.0 goes live yay! I’ve been waiting for this for yonks

10 years of Boards.ie massive ~50GB RDF/XML dump, for open crunching, to generate interesting “SIOC Semantic Web” apps

Postmaster.comcast.net how to get mail delivered successfully to Comcast, the usual stuff

Why we’ll never replace SMTP ‘The reason that e-mail is uniquely useful is that you can exchange mail with people you don’t already know. The reason that spam exists is that you can exchange mail with people you don’t already know.’ +1

“Bikes-for-Billboards” scheme exposes major planning flaws ‘what was initially hailed as “free bikes” has become one of the biggest planning controversies to hit Dublin in years.’ No shit. 70% of sites are on the Northside, rather than the richer Southside; and each bike will cost over EUR300k in ad revenue!

Rob Enderle’s page on Wikipedia detailing this analyst’s hilariously wrong pro-SCO, anti-Apple/Linux predictions over the years. John Gruber: ‘the only way it would be worthwhile for reporters to [quote him] would be if they were willing to describe him as “almost always utterly wrong”‘

Tags: ads, advertising, analysts, anti-spam, apple, bikes, billboards, blogging, boards.ie, comcast, cycling, del.icio.us, dublin, email, enderle-group, funny, fussp, guidelines, history, internet, ireland, isps, jc-decaux, john-gruber, Links, linux, mail, microsoft, oh-dear, planning, postmaster, releases, rob-enderle, scandals, sco, semantic-web, sioc, smtp, spam, tech, urban, via:archiseek, wikipedia

Recently, more and more people have been complaining about backscatter; its levels seem to have increased over the past few weeks.

If you’re unfamiliar with the terminology — backscatter is mail you didn’t ask to receive, generated by legitimate, non-spam-sending systems in response to spam. Here are some examples, courtesy of Al Iverson:

• Misdirected bounces from spam runs, from mail servers who “accept then bounce” instead of rejecting mail during the SMTP transaction.
• Misdirected virus/worm “OMG your mail was infected!” email notifications from virus scanners.
• Misdirected “please confirm your subscription” requests from mailing lists that allow email-based signup requests.
• Out of office or vacation autoreplies and autoresponders.
• Challenge requests from “Challenge/Response” anti-spam software. Maybe C/R software works great for you, but it generates significant backscatter to people you don’t know.

It used to be OK to send some of these types of mail — but no longer. Nowadays, due to the rise in backscatter caused by spammer/malware abuse, it is no longer considered good practice to “accept then bounce” mail from an SMTP session, or in any other way respond by mail to an unauthorized address of the mail’s senders.

Backscatter as spam delivery mechanism

I would hazard a guess that this rise is due to one of the major spam-sending botnets adopting the use of “real” sender addresses rather than randomly-generated fake ones, probably in order to evade broken-by-design Sender-Address Verification filters.

There’s an alternate theory that spammers use backscatter as a means of spam delivery — intending for the mails to bounce, in effect using the bounce as the spam delivery mechanism. Symantec’s most recent “State of Spam” report in particular highlights this.

I don’t buy it, however. Compare their own example message — here’s what the mail originally sent by the spammer to the bouncer, rendered:

And here’s what it looks like once it passes through the bouncer’s mail system:

That’s simply unreadable. There’s absolutely no way for a targeted end user to read the “payload” there…

Getting rid of it

I haven’t run into this recent spike in backscatter at all, myself, since I have a working setup that deals with it. This blog post describes it. If you’re using Postfix and SpamAssassin, it would be well worth taking a look; if you’re just using SpamAssassin and not Postfix, you should still try using the Virus Bounce Ruleset to rid yourself of various forms of unwanted bounce message.

Note that you need to set the ‘whitelist_bounce_relays’ setting to use the ruleset, otherwise its rules will not fire.

SPF

There’s a theory that setting SPF records (or other sender-auth mechanisms like DomainKeys or DKIM) on your domains, will reduce the amount of backscatter sent to your domains. Again, I doubt it.

Backscatter is being sent by old, legacy mail systems. These systems aren’t configured to take SPF into account either. When they’re eventually updated, it’s likely they’ll be fixed to simply not send “accept then bounce” responses after the SMTP transaction has completed. It’s unlikely that a system will be fixed to take SPF into account, but not fixed to stop sending backscatter noise.

It’s good advice to use these records anyway, but don’t do it because you want to stop backscatter.

What about my own bounces?

You might be worried that the SpamAssassin VBounce ruleset will block bounces sent in response to your own mail. As long as the error conditions are flagged during the SMTP transaction (as they should be nowadays), and you’ve specified your own mailserver(s) in ‘whitelist_bounce_relays’, you’re fine.

Tags: anti-spam, backscatter, email, smtp, spam, spamassassin

Back in January, I wrote about how I deal with email backscatter nowadays. Since then, I’ve made a notable tweak.

This is that I no longer reject “null-sender” traffic during the SMTP transaction. It turned out that it broke Exim’s implementation of Sender Address Verification, which performs the SAV check using a MAIL FROM of <>, rendering it indistinguishable from a bounce during the SMTP transaction.

Now, I’ve complained about SAV, but I have to be pragmatic anyway (Postel’s law and all that!) — so it was better to just allow other sites to perform SAV lookups against our server, and fix the anti-bounce stuff some other way.

The new method (below) does this, by allowing null-sender SMTP traffic just fine; it detects bounces in Postfix if they arrive via SMTP in RFC-3464 format, and bounces that slip past are then dealt with in a more CPU-intensive manner using the SpamAssassin “VBounce” ruleset (which is part of the now-released SpamAssassin 3.2.0, btw).

This increases the load, since some bounces cannot be rejected at MAIL FROM time now, and instead we have to wait ’til DATA — but CPU hasn’t been a problem recently, so this is ok.

Here are the updated instructions:

In Postfix

In my Postfix configuration, on the machine that acts as MX for my domains – edit ‘/etc/postfix/header_checks’, and add these lines:

/^Content-Type: multipart\/report; report-type=delivery-status\;/  REJECT no third-party DSNs
/^Content-Type: message\/delivery-status; /     REJECT no third-party DSNs

Edit ‘/etc/postfix/main.cf’, and ensure it contains:

header_checks = regexp:/etc/postfix/header_checks

Then run:

sudo /etc/init.d/postfix restart

This catches most of the bounces — RFC-3464-format Delivery-Status-Notification messages from other mail servers.

In SpamAssassin

As before, install the Virus-bounce ruleset and set it up. This will catch challenge-response mails, “out of office” noise, “virus scanner detected blah” crap, and bounce mails generated by really broken groupware MTAs — the stuff that gets past the Postfix front-line.

Tags: anti-spam, backscatter, bounces, email, howto, smtp, spamassassin, vbounce, virus-bounces, viruses

Both Jeremy Zawodny and Dale Dougherty at O’Reilly Radar are expressing some pretty serious frustration with the current state of SMTP. I have to say, I’ve been feeling it too.

A couple of months back, our little server came under massive load; this had happened before, and normally in those situations it was a joe-job attack. Switching off all filtering and just collecting the targeted domain’s mail in a buffer for later processing would work to ameliorate the problem, by allowing the load to “drain”. Not this time, though.

Instead, when I turned off the filtering, the load was still too high — the massive volume of spam (and spam blowback / backscatter) was simply too much for the Postfix MTA. The MTA could not handle all the connections and SMTP traffic in time to simply collect all the data and store it in a file!

Looking into the “attack” afterwards, once the load was back under control, it looked likely that it wasn’t really an attack — it was just a volume spike. Massive SMTP load, caused by spammers increasing the volume of their output for no apparent reason. (Since then, spam volumes have been increasing still further on a nearly weekly basis.)

This is the effect of botnets — the amount of compromised hosts is now big enough to amplify spam attacks to server-swamping levels. Our server is not a big one, but it serves less than 50 users’ email I’d say; the user-to-CPU-power ratio is pretty good compared to most ISPs’ servers.

So here’s the thing. New SMTP-based methods of delivering nonspam email — whether based on DKIM, SPF, webs of trusted servers, or whatever — will not be able to operate if they have to compete for TCP connection slots with spammers, since spammers can now swamp the SMTP listener for port 25 with connections. In effect, spam will DDoS legitimate email, no matter what authentication system that legit mail uses to authenticate itself.

This, in my opinion, is a big problem.

What’s the fix? A “new SMTP” on a whole different port, where only authed email is permitted? How do you make that DoS-resistant? Ideas?

(Obviously, counting on spammers to notice or care is not a good approach.)

Tags: anti-spam, botnets, dos, email, filtering, security, smtp, spam

An interesting post from Simon Willison, noting that he is now publishing a list of “non-spammy” OpenID identities (namely people who posted one or more non-spammy comments to his blog).

I attempted to comment, but my comments haven’t appeared — either they got moderated as irrelevant (I hope not!) or his new anti-comment-spam heuristics are wonky ;) Anyway, I’ll publish here instead.

It’s possible to publish a whitelist in a “secure” fashion — allowing third parties to verify against it, without explicitly listing the identities contained. One way is using Google’s enchash format. Another is using something like the algorithm in LOAF.

Also, a small group of people (myself included) tried social-network-driven whitelisting a few years back, with IP addresses and email, as the Web-o-Trust.

Social-network-driven whitelisting is not as simple as it first appears. Once someone in the web — a friend of a friend — trusts a marginally-spammy identity, and a spam is relayed via that identity, everyone will get the spam, and tracking down the culprit can be hard unless you’ve designed for that in the first place (this happened in our case, and pretty much killed the experiment). I think you need to use a more complex Advogato-style trust algorithm, and multiple “levels” of outbound trust, instead of the simplistic Web-o-Trust model, to avoid this danger.

Basically, my gut feeling is that a web of trust for anti-spam is an attractive concept, possible, but a lot harder than it looks. It’s been suggested repeatedly ever since I started writing SpamAssassin, but nobody’s yet come up with a working one… that’s got to indicate something ;) (Mind you, the main barrier has probably been waiting for workable authentication, which is now in place with DK/SPF/DKIM.)

In the meantime, the concept of a trusted third party who publishes their concept of an identity’s reputation — like Dun and Bradstreet, or Spamhaus — works very nicely indeed, and is pretty simple and easy to implement.

Tags: anti-spam, email, enchash, loaf, openid, reputation, trust, web-o-trust, whitelisting

There’s a common misconception about spam, email, and email authentication; Matt Cutts has been the most recent promulgator, asking ‘Where’s my authenticated email?’, in which various members of the comment thread consider this as an anti-spam question.

Here’s the thing — email these days is authenticated. If you send a mail from GMail, it’ll be authenticated using both SPF and DomainKeys. However, this alone will not help in the fight against spam.

Put simply — knowing that a mail was sent by ‘jm3485 at massiveisp.net’, is not much better than knowing that it was sent by IP address 192.122.3.45, unless you know that you can trust ‘jm3485 at massiveisp.net’, too. Spammers can (and do) authenticate themselves.

Authentication is just a step along the road to reputation and accreditation, as Eric Allman notes:

Reputation is a critical part of an overall anti-spam, anti-phishing system but is intentionally outside the purview of the DKIM base specification because how you do reputation is fundamentally orthogonal to how you do authentication.

Conceptually, once you have established an identity of an accountable entity associated with a message you can start to apply a new class of identity-based algorithms, notably reputation. … In the longer term reputation is likely to be based on community collaboration or third party accreditation.

As he says, in the long term, several vendors (such as Return Path and Habeas) are planning to act as accreditation bureaus and reputation databases, undoubtedly using these standards as a basis. Doubtless Spamhaus have similar plans, although they’ve not mentioned it.

But there’s no need to wait — in the short term, users of SpamAssassin and similar anti-spam systems can run their own personal accreditation list, by whitelisting frequent correspondents based on their DomainKeys/DKIM/SPF records, using whitelist_from_spf, whitelist_from_dkim, and whitelist_from_dk.

Hopefully more ISPs and companies will deploy outbound SPF, DK and DKIM as time goes on, making this easier. All three technologies are useful for this purpose (although I prefer DKIM, if pushed to it ;).

It’s worth noting that the upcoming SpamAssassin 3.2.0 can be set up to run these checks upfront, “short-circuiting” mail from known-good sources with valid SPF/DK/DKIM records, so that it isn’t put through the lengthy scanning process.

That’s not to say Matt doesn’t have a point, though. There are questions about deployment — why can’t I already run “apt-get install postfix-dkim-outbound-signer” to get all my outbound mail transparently signed using DKIM signatures? Why isn’t DKIM signing commonplace by now?

Tags: accreditation, anti-spam, authentication, dkim, domainkeys, email, habeas, reputation, return-path, smtp, spam, spamhaus, spf

As I’ve noted before, we still have a major problem with sites generating bounce/backscatter storms in response to forged mail — whether deliberately targeted, as a “Joe-Job”, or as a side-effect of attempts to evade over-simplistic sender address verification as seen in spam, viruses, and so on.

Sites sending these bounces have a broken mail configuration, but there are thousands remaining out there — it’s very hard to fix an old mail setup to avoid this issue. As a result, even if your mail server is set up correctly and can handle the incoming spam load just fine, a single spam run sent to other people can amplify the volume of response bounces in a Smurf-attack-style volume multiplication, acting as a denial of service. I’ve regularly had serious load problems and backlogs on my MX, due solely to these bounces.

However, I think I’ve now solved it, with only a little loss of functionality. Here’s how I did it, using Postfix and SpamAssassin.

(UPDATE: if you use the algorithm described below, you’ll block mail from people using Sender Address Verification! Use this updated version instead.)

Firstly, note that if you adopt this, you will lose functionality. Third party sites will not be able to generate bounces which are sent back to senders via your MX — except during the SMTP transaction.

However, if a message delivery attempt is run from your MX, and it is bounced by the host during that SMTP transaction, this bounce message will still be preserved. This is good, since this is basically the only bounce scenario that can be recommended, or expected to work, in modern SMTP.

Also, a small subset of third-party bounce messages will still get past, and be delivered — the ones that are not in the RFC-3464 bounce format generated by modern MTAs, but that include your outbound relays in the quoted header. The idea here is that “good bounces”, such as messages from mailing lists warning that your mails were moderated, will still be safe.

OK, the details:

In Postfix

Ideally, we could do this entirely outside Postfix — but in my experience, the volume (amplified by the Smurf attack effects) is such that these need to be rejected as soon as possible, during the SMTP transaction.

Update: I’ve now changed this technique: see this blog post for the current details, and skip this section entirely!

(If you’re curious, though, here’s what I used to recommend:)

In my Postfix configuration, on the machine that acts as MX for my domains – edit ‘/etc/postfix/header_checks’, and add these lines:

/^Return-Path: <>/                              REJECT no third-party DSNs
/^From:.*MAILER-DAEMON/                         REJECT no third-party DSNs

Edit ‘/etc/postfix/null_sender’, and add:

<>              550 no third-party DSNs

Edit ‘/etc/postfix/main.cf’, and ensure it contains these lines:

header_checks = regexp:/etc/postfix/header_checks
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/null_sender

(If you already have an ’smtpd_sender_restrictions’ line, just add ‘check_sender_access hash:/etc/postfix/null_sender’ to the end.) Finally, run:

sudo postmap /etc/postfix/null_sender
sudo /etc/init.d/postfix restart

This catches most of the bounces — RFC-3464-format Delivery-Status-Notification messages from other mail servers.

In SpamAssassin

Install the Virus-bounce ruleset. This will catch challenge-response mails, “out of office” noise, “virus scanner detected blah” crap, and bounce mails generated by really broken groupware MTAs — the stuff that gets past the Postfix front-line.

Once you’ve done these two things, that deals with almost all the forged-bounce load, at what I think is a reasonable cost. Comments welcome…

Tags: anti-spam, backscatter, bounces, email, howto, smtp, spamassassin, vbounce, virus-bounces, viruses

As all right-thinking people know by now, Challenge-response spam filtering is broken and abusive, since it simply shifts the work of filtering spam out of your email, onto innocent third-parties — either your legitimate correspondents, people on mailing lists you read, or even random people you have never heard of (due to spam blowback).

I’ve ranted about this in the past, but I’m not alone in this opinion — and frequently find myself explaining it. To avoid repeating myself, here’s a canonical collection of postings from around the web on this topic.

• Spamcop FAQ: Why are auto responders bad?:

Description: This “selfish” method of spam filtering replies to all email with a “challenge” – a message only a living person can (theoretically) respond to. There are several problems with this method which have been well known for many years.

1. Does not scale: If everyone used this method, nobody would ever get any mail.
2. Annoying: Many users refuse to reply to the challenge emails, don’t know what they are or don’t trust them.
3. Ineffective: Because of confusion about these emails, many of them are confirmed by people who did not trigger them. This results in the original malicious email being delivered.
4. Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient.

• Karsten M. Self: Challenge-Response Anti-Spam Systems Considered Harmful:

C-R systems in practice achieve an unacceptably high false-positive rate (non-spam treated as spam), and may in fact be highly susceptible to false-negatives (spam treated as non-spam) via spoofing.

Effective spam management tools should place the burden either on the spammer, or, at the very least, on the person receiving the benefits of the filtering (the mail recipient). Instead, challenge-response puts the burden on, at best, a person not directly benefitting, and quite likely (read on) a completely innocent party. The one party who should be inconvenienced by spam consequences ¿ the spammer ¿ isn’t affected at all.

Worse: C-R may place the burden on third parties either inadvertantly (via spoofed sender spam or virus mail), or deliberately (see Joe Job, below). Such intrusions may even result in subversion of the C-R system out of annoyance. Many recent e-mail viruses spoof the e-mail sender, including Klez, Sobig variants, and others.

• John Levine: Challenge-response systems are as harmful as spam:

The collateral damage from widely used C/R systems, even with implementations that avoid the stupid bugs, will destroy usable e-mail. [jm: in fairness, this was written in 2003.]

Challenge systems have effects a lot like spam. In both cases, if only a few people use them they’re annoying because they unfairly offload the perpetrator’s costs on other people, but in small quantities it’s not a big hassle to deal with. As the amount of each goes up, the hassle factor rapidly escalates and it becomes harder and harder for everyone else to use e-mail at all.

• Ed Felten: A Challenging Response to Challenge-Response:

I’m skeptical of CR as a response to email. If you’re the first on your block to adopt CR, and if nobody else uses anti-spam technology, then CR might provide you some modest benefit. But it¿s hard to see how CR can be widely successful in a world where most people use some kind of spam defense.

• Jeremy Zawodny: TMDA Users Can Blow Me (heh):

If these systems are so brain-dead as to not bother adding my address to the whitelist when the user sends me e-mail, I have serious trouble understanding why anyone is using them.

Is it just me? Is this too hard to figure out?

Anyway, there’s another 5 minutes I’ll never get back. It’s too bad there’s no mail header to warn me that “this message is from a TDMA user”, because then I’d be able to procmail ‘em right to /dev/null where they belong.

Ugh.

This bullshit is not going to “solve” the spam problem, people. If that’s your solution, please let me opt out. Forever.

• Michele Neylon: Why C/R is not a good idea:

C/R slows down and impedes communication by placing unwanted barriers between you and your clients/suppliers.

If you must insist on using some form of C/R please make sure that you whitelist my address before you contact me as I will not reply to challenges.

• TidBITS policy on Challenge-Response:

We will not answer any challenges generated in response to our mailing list postings. Thus, if you’re using a challenge-response system and not receiving TidBITS, you’ll need to figure that out on your own. Also, if you send us a personal note and we receive a challenge to our reply, we may or may not respond to it, depending on our workload at the time.

• Fedora Project policy on UOL — a Brazilian ISP that uses C-R extensively:

uol.com.br uses a very broken method of anti-spam. Everytime someone sends an email message to one of their members, they send back a verification message, asking the original sender to click a link before they will allow the message through. These messages are themselves a form of spam, and the resulting back-scatter of these messages is altogether bad for the Internet, the UOL member, and all of the UOL member’s contacts. UOL is aware of the complaints against them, and they refuse to correct the issue, claiming that their members love the service.

• Matt Sergeant: C-R spam solutions:

I hate C/R systems. With a passion. I absolutely will not respond to them. They go in the trash. I don’t get them very often but I get them more and more. I think they have the potential to seriously damage email communication as we know it. And I’m not alone in this opinion.

• Richi Jennings: ‘Challenge/Response makes you a spammer.’

• BusinessWeek: Stephen Wildstrom: A Spam-Fighter More Noxious Than Spam: ‘Challenge-response filtering systems are likely to wipe out e-mails you want, too.’

• and lots more at Spamlinks.net

Phew.

Tags: abuse, anti-spam, backscatter, blowback, bounces, c-r, challenge-response, email, filtering, rants, smtp

Another day, another absurd IBM software patent. Via the IP list, here’s United States Patent 7,003,497:

1. A method for confirming an electronic transaction, comprising the steps of: performing an electronic transaction between a first party and a second party; providing, by the first party to the second party, contact information of a third party service provider associated with the first party; contacting, by the second party, the third party service provider to obtain a location of a predetermined, private mailbox associated with the first party; sending, by the second party, a request for confirmation of the electronic transaction to the predetermined, private mailbox associated with the first party; accessing the private mailbox by the first party; and sending, by the first party, a reply message to the request for confirmation to thereby confirm authorization of the electronic transaction, wherein information regarding the private mailbox is not communicated to the second party during the electronic transaction.

There’s lots of waffle in the background section about this being for electronic e-commerce transactions, but that claim, and claims 2 and 3 at least, are easily sufficiently broad to cover simple “confirmed opt-in” email subscription systems — in other words, the system whereby a potential newsletter subscriber clicks on a link in order to “confirm” that they want to subscribe to a newsletter. That’s the current best practice email subscription method used by pretty much everyone.

Filed December 31, 2001. There was plenty of prior art before this date, but who would want to go up against IBM, no less, to attempt to get this invalidated, especially now that it’s been issued?

Thanks USPTO, you’re doing a heck of a job!

Tags: email, ibm, mailing-lists, patents, subscription, uspto

Boing Boing has an interesting case today:

“I filled out a web form for a contest from Miller using a throwaway junk email address and then, months after I dumped the throwaway account, I got this to my main account! Not sure I like the idea of companies tracking me down like this.”

I sent a mail to follow up on this, but it’s worth blogging here too.

This is, unfortunately, common practice among the “legitimate” bulk mailer companies; it’s called “e-pending” (short for “email address appending”). Basically, the advertiser contacts one of the big data-mining companies, provides them with the data they have about the customer — name, postal address, etc., and gets them to match that against their database; the data-miner then provides any other email addresses they may have on file for that user, even if those email addrs were provided for bills, promotional use for other companies, etc.

The advertisers contend that permission was given by the person who’s being mailed; the recipients contend that permission was given to send to a specific address, not all of that person’s addresses in perpetuity.

Here’s a few more examples of e-pending gone bad: two Jennifer Millers, Sony scraping ancient Internic contact addresses, Spamvertized.org comment on the practice, Joe St. Sauver comments.

It’s exclusively a US phenomenon, as far as I know; I think most cases of e-pending are rendered illegal under EU data protection law. Handy. ;)

Update: Brian at the Spam Kings weblog notes that ‘this spooky little spam was the work of Equifax, the big credit reporting agency that shut down its Boca Raton-based spam operation, Naviant, in 2003, due to the impending passage of CAN-SPAM.’

Tags: bulk-mail, data-mining, data-protection, email, epending, privacy, spam

Today’s top item on the b3ta front page, under Site News:

Yahoo please talk to us! Help! – our yahoogroups list (with over 100,000 subscribers) has been deleted. We don’t know why. If you work at Yahoo and can help us sort this out please contact me at robmanuel AT gmail dot com.

posted by rob on 10th Feb at 2pm

B3ta is a long-established UK humour site who send out a weekly newsletter, every Friday afternoon, using Yahoo! Groups as their mailing list service. They’ve been doing this for years. Yep, that’s 100,000 subscribers.

Anyway, if anyone from Y!Groups, or anyone who knows someone there, is reading, please do get in touch with the b3ta guys — this is a very serious catastrophe for them. I’d be curious to hear how/why this happened.

To tie this into spam-filtering and email operational topics, it brought this posting from Jeremy Zawodny to mind:

This all makes me wonder if it’s worth it for smaller organizations to bother running their own mail servers anymore. If Google offered small business mail the way Yahoo does, there’d be some serious competition in the market and it’d make a lot of people’s lives much easier.

While Jeremy was talking about a different service from list hosting, I think we’re seeing the other side of the email-outsourcing coin, here.

Update: fwiw, it’s back:

Yahoo update – on Friday Yahoo deleted our list of 100,000 newsletter readers email addresses, hence we didn’t send a newsletter. Today they’ve been in touch and have promised a response by Tuesday. Fingers crossed. UPDATE: It looks like it’s back! Hooray for Yahoo!

Tags: b3ta, email, mailing-lists, newsletters, outsourcing, yahoo

Apparently, spammers are now exploiting a hole, or holes, in multiple PHP scripts which use the mail() API.

The holes are described at the SecurePHP wiki; basically, the script author inserts CGI fields directly into a message template without stripping newlines, and this allows attackers to create new headers, take over the message body, and generally take over the mail message and destinations entirely.

Funnily enough, these are the same holes Ronald F. Guilmette and I found in FormMail 1.9, and described in our Jan 2002 advisory Anonymous Mail Forwarding Vulnerabilities in FormMail 1.9 (PDF) on page 10, Exploitation of email and realname CGI Parameters. Ah, plus ca change…

Worth noting that perl’s venerable taint checking would have spotted these, if it were used.

Tags: email, exploits, formmail, php, security, smtp, vulnerabilities

Spam: if you work in anti-spam, especially in filtering, or even just in working with email in general, it’s well worth going to CEAS 2005, the Conference on Email and Anti-Spam, on Thursday July 21st and Friday 22nd in Stanford:

The organizers of the Conference on Email and Anti-Spam invite you to participate in its second annual meeting. This forum brings together academic and industrial researchers to present new work in all aspects of email, messaging and spam — with papers this year covering fields as diverse as text classification, clustering and visualization of email, social network analysis applied to both email and spam, spam filtering methods including text classification and systems approaches, game theory, data analysis, Human Interactive Proofs, and legal studies, among others. The conference will feature 26 paper presentations, a banquet, and two invited speakers. See http://www.ceas.cc for details of the current program, as well as on-line registration.

Registration runs out on July 10th.

I went last year, and it was excellent — several very interesting papers were presented. I’m going this year, too, along with quite a few SpamAssassin committers, and I’m looking forward to it.

Tags: analysis, classification, conference, email, going, july, registration, spam, text, year

Spam: I’m quoted in
New Scientist! w00t!

SlashDot picked it up pretty quickly. One comment there misses the point, though:

This is interesting and promising technology. But like all antispam techniques, spammers will find a way around it. Once spammers get a copy of the software, they can create and test countermeasures in the comfort of their own sleazy lairs.

It’s worth talking about this. Newsflash: spammers have no difficulty testing their spam against closed-source spam filters, even when they can’t ‘get a copy’ and test them in ‘their sleazy lairs’.

How do they do it? Easy — just set up an account at a site that uses that filter (AOL, Yahoo!, Hotmail, and GMail, it’s pretty obvious how to do that; for other closed-source filters, find an ISP that uses it). Then send ‘test mails’ repeatedly to that account, and apply trial and error to see what gets past the filter and what doesn’t. Eventually, they figure out what works for that filter, and what doesn’t.

How did I figure this out? Well, I came across the manual for the Send-Safe ratware on-line. It noted that the ‘hashbuster’ randomisation technique, which we in the SpamAssassin team had long assumed was intended to block hash matches by DCC, Pyzor and Razor, was in fact intended to block AOL’s implementation of that system. The open source ones weren’t even mentioned.

Update: found it — from their FAQ:

Mime Encoded content

If you want to get into AOL… use it.

MIME encoders allow you to send documents written within a specific application through email without causing readability or formatting problems. For example, you can send a letter created in MSWord with and be certain that it arrives at its destination in the same format by encoding it with MIME first. The recipient then decodes it back into the original MSWord format.

That isn’t why we use it though.

We use it to cause ‘uniqueness’.

When you put a rotate tag at the beginning of a MIME encoded email, it causes everything after that point (including checksums) to be ‘different’ in every message.

Why is that that important?

Because it throws off filters that look for many copies of the same message to nuke.

Tags: account, aol, copy, email, filter, format, mime, msword, point, spam

Software: Mark Twomey, in response to all the Win32 API stuff recently:

We now have a generation of computer users … who have never received or sent email from a so called ‘rich client’, never had to send a postal order off to order something from some distant vendor, and are not amazed by something like a search engine. ….

Those (’rich client’) people remind me of minicomputer users who crapped on the ‘crummy little operating systems’ used on ‘crummy little desktop computers.’

He’s right, you know — for de yoot, Windows is generally just a way to access Hotmail.

Tags: api, client, computer, crummy, email, generation, response, software, something, stuff, win

Spam: Reg: German hate mail spam attack stuns experts: ‘Mailboxes in Germany and the Netherlands were flooded yesterday with spam containing German right-wing propaganda. Spammers used the Sober.G virus – a mass mailing worm that sends itself to email addresses harvested from infected computers – to spread their messages as widely as possible.’

The one good thing about this is that it might help some people realise that spam isn’t all about porn and commercial email; any kind of mail can be spam, including political speech.

However, this may be a bit late for the US, since CAN-SPAM explicitly does not regulate political spam. ah well, you live and learn, I suppose. ;)

Tags: attack, email, mail, mailboxes, propaganda, sober, spam, spammers, virus, yesterday

Spam: Anne Mitchell on GMail’s spam filtering — sounds like her results are actually worse than mine were. But the ads worked well:

… just today, in an email from Mrs. Nwakama Ani, the wife of the late James Ani, a farmer in ZImbabwe, asking me to please help her to export $50million dollars which her late husband amassed, Gmail’s Adsense very thoughtfully offered me ‘Cheap airline tickets from the USA to Zimbabwe’. You know, just in case I want to go over there and help her personally.

Anne’s spam weblog looks like good stuff — I’ve added it to the blogroll…

Tags: adsense, email, farmer, gmail, husband, mine, spam, today, wife, zimbabwe

Mail: I’ve dusted off my old e-mail usability wishlist, made a couple of changes to reflect the current situation now that GMail has implemented some of them, and Wikified the page.

There’s still a couple that I think would be valuable, so anyone looking at new usability ideas for email is welcome to take a look ;)

Tags: anyone, couple, email, gmail, look, mail, page, situation, usability, wikified, wishlist

Spam: Lisa Rein has captured the Daily Show’s segment on spam — ‘Email Trouble’ — Rob Courddry interviewing Scott Richter. (direct link to the 10MB Quicktime movie).

This vidcap leaves out the unfunny subtitles — and it’s on archive.org, so at least you’ll be chewing up non-profit bandwidth instead of someone’s personal-site bandwidth ;) If you haven’t seen it yet, go ahead and download it; it’s well funny.

(link found via Spamblogging.)

Tags: bandwidth, daily, email, link, movie, quicktime, segment, show, spam, trouble

Web: Check out GMail’s ‘thread history’ built into the message display, dubbed ‘collapsable history’ and ‘cards’. Very, very nice email usability!

More at Kevin Fox’ weblog, fury.com.

Tags: com, display, email, fury, gmail, history, message, thread, usability, web, weblog

Funny: The Daily Show last night did an absolutely fantastic Rob Corddry segment with Scott Richter; sheer genius. Apparently, Scott is a ‘high-volume email deployer’, and spam is all the fault of the USPS, or something.

Don’t miss it… here’s hoping Lisa Rein digitizes it!

Tags: daily, deployer, email, fault, funny, genius, night, segment, show, spam, usps

Social: LOAF is ‘a way to share your address book without abandoning your privacy.’

A nifty use of Bloom filters to share your address book in a one-way manner — when you receive a mail, you can query your LOAF db to see if any of your correspondents previously corresponded with the sender; but they cannot look up the LOAF file to determine your correspondents, unless they know that correspondent’s email address in advance.

This, BTW, would be a very good way to implement a ‘Do-Not-Email’ list — although the other two problems with those still apply.

Interesting stuff — although I wonder how acceptable the 4-8Kb MIME part overhead per message will be…

Tags: address, bloom, book, email, loaf, mail, manner, privacy, social, use, way

Spam: Kottke passes on news of the second coming — in spam:

It is now that blacklisting and filtering and blocking and Blocking of Port 25 and Blocking SMTP connections and filtering out email and anything related that does not allow any person in the United States of America to send email to anybody and then have opt-out or opt-in and that COMPLY with the CAN-SPAM Act of 2003 are doing something that is ILLEGAL and you are a CRIMINAL for doing this you have CRIMINAL LIABILITY and CIVIL LIABILITY and your company CANNOT protect you in the slightest. If your company asked you to murder somebody would you do this? Of course not for most. Then do NOT do illegal and criminal things now that are out side of the law and outside of Federal Law now with the passing of the CAN-SPAM Act of

1. The corporate veil can be pierced and board members of the corporation and officers of the corporation and executives of the corporation and managers of the corporation and employees of the corporation that are involved in the slightest in the writing of or approval of or enforcement of Terms of Service or Policies or Procedures or Business Decisions or Business Practices or Zero Tolerance Policies that would or does interrupt or cancel or block or filter or blacklist or harass or defame the character of or slander Ted Jesus Christ GOD in the slightest from sending legal email now and into the future are COMMITTING A CRIME and have CIVIL LIABILITY also and can be pursued by the US Attorney and State Attorneys and District Attorneys and the FTC and also if doing certain things also the ATF and the FBI and more. If calling TJCG a SPAMMER and then BLACKLISTING or BLOCKING or FILTERING or putting into list or putting into any Product or Service anything related to stopping the emails of TJCG you are also committing DEFAMATION OF CHARACTER and LIBEL and SLANDER and damaging the good reputation of TJCG.

What, no divine retribution?

Tags: act, blacklisting, blocking, can-spam, company, corporation, email, law, liability, spam, tjcg

Spam: filster: Linking reputations networks to email whitelists. Very interesting — a tool to use the social network data from Orkut, FOAFweb, Reputation Research Network, and CPAN to whitelist email senders in SpamAssassin. Only problems I can see:

• needs an anti-forging mechanism like SPF to avoid spammers forging their way through your whitelist — but the author does cover that.
• some of the site terms of service may prohibit scraping — Orkut’s, for example, is very strict.

Still, a very nifty idea, and one worth more investigation… the combination of FOAF and SPF in particular, given that tribe.net (if I recall correctly?) will be generating FOAF data, is quite cool.

Tags: email, filster, foaf, foafweb, network, orkut, reputation, spam, spf, tool, whitelist

Work: Life Hacks: Tech Secrets of Overprolific Alpha Geeks, Danny O’Brien’s ETech talk.

Amazingly, despite not being an alpha geek ;), I already use all these things:

• a todo.txt file (anything else is inconvenient).
• everything incoming comes through email, including RSS (thanks to rss2email). Again, anything else is inconvenient; I couldn’t be bothered with another desktop app.
• I hack scripts for every repetitive task I run into
• I sync instead of backup; everything has a CVS repository running on a remote server, even my home dir
• I have a nasty tendency to web-scrape data

These tips definitely are good advice. Although I have a feeling the result is optimised to a weblogging UNIX geek who spends hours hacking perl/python scripts. ;)

I’m looking forward to LifeHacks.com when it does eventually go live… should be interesting.

Tags: anything, email, etech, everything, geek, hacks, life, overprolific, secrets, tech, work

Spam: Gary Schrock on the SpamAssassin-talk notes:

… that study that’s being talked about in an email doesn’t exist. There’s something in the Trends in Cognitive Science journal about it, that discusses why that email is actually as readable as it is. I’d try to pass on the knowledge, but while I may work in a lab that does psycholinguistics, that doesn’t mean I understand it enough to pass it on. But the short story is there’s no such research at Cambridge.

(The irony here is that this was being talked about in the lab where I work earlier today, and when I mentioned this email someone in the lab was able to hand me to article from Trends. Unfortunately the journal is only available online with subscription.)

Tags: cognitive, email, journal, knowledge, lab, science, something, spam, spamassassin-talk, study, trends

Spam: Ever seen this in referrer logs, and wondered if the International Atomic Energy Agency really had linked to your site? Sourcefrog has.

Of course, it isn’t them. In reality, it’s a spambot called Atomic Harvester 2000. This is how spammers get ‘targeted lists of email addresses’; they throw a couple of search terms into this, it hits Google, and scrapes all email addresses from the pages found. More info:

• ‘A creepy faked referrer’
• ‘user agent is … NS4 on Mac’
• WebMasterWorld forum

Tags: agency, atomic, course, email, energy, international, reality, referrer, site, sourcefrog, spam

Spam: via NTK — a slightly over-literal interpretation of the SpamAssassin QUOTED_EMAIL_TEXT rule. Classic. (warning: NSFW spam content)

Tags: classic, email, interpretation, nsfw, ntk, quoted, rule, spam, spamassassin, text, warning

Ireland: A while back, I posted ‘Room for an Irish Netflix’, which plugged the idea of opening a version of the Netflix concept for Ireland. Well, over on the taint.org QT forum, JCorbett says: ‘ DVDRentals.ie is what you’re looking for!’

Sure enough, it looks pretty good — 20 eurons a month, and a reasonable selection (considering they just started).

But it limits how many DVDs you can get out in a month to 8. IMO, that’s unnecessary — nobody can watch DVDs and turn them around through the postal system that quickly!

Also, the browsing interface is lousy — I’d suggest licensing some kind of metadata from IMDb or similar, so people can get third-party reviews, comments, ‘my favourite action movie’ lists, that kind of thing.

Can’t tell much more, as the FAQ page doesn’t work on Mozilla/Firebird for some damn reason.

Sick: Anger as contestants hungry for money go begging on TV (Irish Indo) (via forteana):

A reality television show in which 12 young Russian contestants have to scrounge, beg and even steal to win a pension for life, is being filmed in Berlin.

In a city already struggling with bankruptcy and large numbers of asylum-seekers, police and residents have been quick to condemn Golod, Russian for ‘hunger’. The contestants live in a container without money or food to survive; none of them speaks German. ‘Golod’ is proving a huge hit with Moscow television viewers, thousands of whom tune in at nine each evening to find out how Karina, Anastasia and 10 other photogenic contestants are faring on the mean streets of a foreign city.

Spam: Latest Pew Internet report on spam. Pew Internet surveys are very good. This one notes that ‘25% of America’s email users say they are using email less because of spam. Within that group, most say that spam has reduced their overall use of email in a big way.’

Mafia: A mafia hacker tells his story to Wired (Simson Garfinkel via FoRK).

Tags: city, dvds, email, golod, ireland, irish, kind, money, month, netflix, spam

Software: Shirky on the Semantic Web. Great snippet:

it turns out that people can share data without having to share a worldview, so we got the meta-data without needing the ontology. Exhibit A in this regard is the weblog world. In a recent paper discussing the Semantic Web and weblogs, Matt Rothenberg details the invention and rapid spread of ‘RSS autodiscovery’, where an existing HTML tag was pressed into service as a way of automatically pointing to a weblog’s syndication feed.

About this process, which went from suggestion to implementation in mere days, Rothenberg says:

Granted, RSS autodiscovery was a relatively simplistic technical standard compared to the types of standards required for the environment of pervasive meta-data stipulated by the semantic web, but its adoption demonstrates an environment in which new technical standards for publishing can go from prototype to widespread utility extremely quickly. …

This, of course, is the standard Hail Mary play for anyone whose

technology is caught on the wrong side of complexity. People pushing such technologies often make the ‘gateway drug’ claim that rapid adoption of simple technologies is a precursor to later adoption of much more complex ones. Lotus claimed that simple internet email would eventually leave people clamoring for the more sophisticated features of CC:Mail (RIP), PointCast (also RIP) tried to label email a ‘push’ technology so they would look like a next-generation tool rather than a dead-end, and so on.

Here Rothenberg follows the script to a tee, labeling RSS autodiscovery

’simplistic’ without entertaining the idea that simplicity may be a requirement of rapid and broad diffusion. The real lesson of RSS autodiscovery is that developers can create valuable meta-data without needing any of the trappings of the Semantic Web. Were the whole effort to be shelved tomorrow, successes like RSS autodiscovery would not be affected in the slightest.

Another good line: ‘There is a list of technologies that are actually political philosophy masquerading as code, a list that includes Xanadu, Freenet, and now the Semantic Web.’

Tags: adoption, autodiscovery, email, environment, rip, rss, semantic, software, technology, web, weblog

Linux: so it seems one of the GNOME guys wants to rewrite the rc.d boot script system in Python. Eek!

• scary OSNews interview
• Slashdot story
• My comment
• Richard Gooch’s cool need(8)/provide(8) tools

Games: Someone has broken into Valve Software’s network and stolen the source code for Half-Life 2 — shacknews:

• 1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.
• 2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.
• 3) For the next week, there appears to have been suspicious activity on my webmail account.
• 4) Around 9/19 someone made a copy of the HL-2 source tree.
• 5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook’s preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn’t been seen anywhere else, and isn’t detected by normal virus scanning tools).

Insanely bad news for Valve. :(

Tags: account, boot, email, gnome, linux, machine, script, someone, source, valve, virus

Heads up for all the businesses out there sending mail to European customers — the EU E-Privacy Directive is now coming into force. Italy is the latest country to implement it; so businesses mailing Italian customers or prospects may wish to make sure that they abide by these rules:

• Companies may send direct marketing email only to customers and subscribers who have given their prior consent to receiving such, either by subscribing explicitly or by providing their details during a prior transaction, such as a purchase.

• Forged headers and other means of disguising or concealing the sender’s identity is illegal.

• All messages must bear opt-out details as well.

• Apparently, in the Italian rendition, senders may also ‘collect’ addresses but must immediately give the user a clear opportunity to opt-out at that point — but as far as I know this isn’t in the core EU directive.

Similar laws will be coming in all over Europe, so USian senders should really pay attention: opt-in — it’s not just a good idea, it’s the law (in Europe at least ;).

Malware: It sounds like SoBig.F is about to call home for new code (scroll down to ‘Downloading Functionality’). This is not good. :( Block port 8998/udp.

SoBig.F, the assorted bounce messages from forged SoBig.F mails, the assorted replies from autoresponders and list admin software from forged SoBig.F mails, and (of all things) user complaints about the forged mails (argh! surely they know they’re forgeries by now!) are really driving me up the wall. As I check my mail, there’s at least 400 of these messages this morning alone.

IP: Lessig lays into USPTO director: ‘If Lois Boland said this, then she should be asked to resign.’ … ‘That someone who doesn’t understand them is at a high level of this government just shows how extreme IP policy in America has become.’

Tags: country, directive, email, force, heads, mail, marketing, rivacy, sobig, user

The RID-Spam Act chugs through Congress. This one’s very much toothless; according to CAUCE, it’s not actually anti-spam really — CAUCE says:

(it is) ‘a gross misnomer to call them ‘anti-spam.’ ‘Anti-consumer,’ sure. ‘Pro-spam,’ even. But not ‘anti-spam.”

Amazingly, DMcC notes that it may even de-fang the stronger state laws if it gets passed. Wow.

And check out this quote from the CNet story:

Rep. Bob Goodlatte, R-Va., defended the bill’s opt-out approach. Goodlatte said that of the physical junk mail he gets, ‘maybe 10 percent of it is something that I have some interest in. For that reason alone I think an opt-out approach is the best solution here.’

Good for him. The way he’s talking there, he’s looking forward to receiving 700,000 mails per year that ‘he has some interest in’. Earth calling Goodlatte — direct email is not the same as physical junk mail. There’s a fundamental economic difference — with email, the recipient pays. That means you cannot compare the volumes so simplistically. Just say no to One Bite Of The Apple!

US Politics: Rod notes this story: The Guardian coming to the US. Excellent! I think that’s a fantastic idea, and they’ll clean up.

Consider this — the only large-circulation print media that (a) people over here read, and (b) had the nerve to really treat the war in Iraq critically, as far as I know, are those two flaming-red anarchosyndicalist rags, the Economist and the Financial Times. (Not only are they not even written in the US, they’re quite conservative by Euro standards.) The US media needs more liberal voices.

Actually, I’m exagerrating heavily here. As Craig has pointed out before, the Christian Science Monitor is a pretty good paper, with some critical journalism — and one with a great story behind it’s provenance to boot.

But the Guardian has a pretty much wide open field all the same — here’s hoping they can get the distribution side sorted out.

E-Voting: Some good comments on this Slashdot story regarding e-voting systems.

• The Brazilian legislature mandated a retrofit ‘of 3% (some 12,000 machines) to produce a paper ballot that the voter could peruse and deposit in a box for recount (the first large-scale use of the ‘Mercuri Method’).’

• Georgia noted that the e-voting systems ‘were all very flashy and glitzy, but all had severe problems with security and/or usability. We eventually decided to run a pilot program in last year’s off-year election and try out 5 of the most promising machines in a real-world election. The final winner will be used across the state in 2004. No more hanging chad, but I think we are going to have a whole new set of problems to deal with.’

Tags: act, approach, cauce, email, guardian, interest, junk, mail, rid-spam, story

SenderBase is a cool site which lists email traffic volumes for specific senders and organisations.

This will make for some very cool spam tests. As you can see, several of the top ten sending domains are ISPs that, shall we say, may have a few ‘issues’ with customers’ open proxies. They’re scattered in amongst the Yahoo!s and Hotmails ;) Then there’s a couple of well-known domains that, let’s say, have a habit of appearing on the SBL.

Well, not quite as practical, but useful nonetheless, is Alexa’s ‘traffic detail’ feature for the web.

Very nifty; a log-scale graph of traffic as measured by pageviews from Alexa’s toolbar, and you can pick 2 sites and compare their hitrates. For example, according to this, SpamAssassin is bigger than Jesus ;)

Thanks to ‘Mr. FoRK’ on the FoRK list for this URL…

Tags: cool, couple, email, hotmails, isps, senderbase, site, spam, traffic, yahoo

The concept of a ‘pay-to-mail’ scheme — charge people to send you mail — is patented, it seems. Good, I never liked it anyway ;)

A method and apparatus for determining whether a party sending an email communication is on a list of parties authorized by the intended receiving party. If the sending party is not on the list of authorized parties, an electronic billing agreement is emailed to the sending party indicating a fee that will be charged to the sending party in return for the message being provided to the intended receiving party. Preferably, the present invention is implemented with Internet communications and utilizes a security protocol to enable the electronic transaction to be transacted in a secure manner.

Date: Tue, 01 Jul 2003 15:00:09 -0400
From: “Bob Wyman” (spam-protected)
To: (spam-protected)
cc: “‘Yakov Shafranovich”‘ (spam-protected)
Subject: RE: US Spam patents: Partial list

A new, spam-related, US Patent was issued today. It is a continuation in part of US Patent 6,192,114 which is on the first list of patents I posted to this group.

See: http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=6587550

US Patent 6,587,550 METHOD AND APPARATUS FOR ENABLING A FEE TO BE CHARGED TO A PARTY INITIATING AN ELECTRONIC MAIL COMMUNICATION WHEN THE PARTY IS NOT ON AN AUTHORIZATION LIST ASSOCIATED WITH THE PARTY TO WHOM THE COMMUNICATION IS DIRECTED

Abstract A method and apparatus for determining whether a party sending an email communication is on a list of parties authorized by the intended receiving party. If the sending party is not on the list of authorized parties, an electronic billing agreement is emailed to the sending party indicating a fee that will be charged to the sending party in return for the message being provided to the intended receiving party. Preferably, the present invention is implemented with Internet communications and utilizes a security protocol to enable the electronic transaction to be transacted in a secure manner.

————————————————————————

Inventors: Council; Michael O. (186 Hurt Dr., Cordele, GA 31015);
Santos; Daniel J. (3525 Roswell Rd., #721, Atlanta, GA 30305) Appl. No.: 783340 Filed: February 14, 2001

Asrg mailing list (spam-protected) https://www1.ietf.org/mailman/listinfo/asrg

Tags: agreement, apparatus, billing, communication, email, fee, list, method, party, patent

rOD gets an email:

I found your web site, http://www.groovymother.com/archives/week_2002_10_20.html has a reference to a Clue-By-Four ™. Unfortunately, my company owns the trademark to that term, and I am in the process of bringing that product to market. My lawyers have told me that if you do not remove that reference, it dilutes my trademark.

I would much rather ask you politely to remove references to Clue-by-Four™ than have an ugly lawyerese letter sent via certified mail, etc.

WTF? Applied for in 1999, and it refers to a ‘novelty toy, namely a foam rubber two-by-four shaped board’.

Tags: by, clue, company, email, reference, rod, site, term, trademark, web