The combined DKIM standard, mixing Yahoo!’s DomainKeys and Cisco’s IIM, has been submitted to the IETF as a candidate spec by the MASS ‘pre-working group effort’. I like the idea behind both (a few years back, I, a few other SpamAssassin developers, and several others came up with the roots of a message-signature anti-forgery scheme we called ‘porkhash’, but never really went anywhere with it), so I’m glad to see this one progressing nicely.

Seeing as I never seem to write much about anti-spam here any more, I might as well remedy that now with some comments on the new DKIM draft. ;)

It’s a very good synthesis of the two previous drafts, DomainKeys and IIM, more DK-ish, but taking the nice features from IIM.

The ‘h=’ tag is now listed as REQUIRED. This specifies the list of headers that are to be signed. If I recall correctly, this was added in IIM, modifies the behaviour of DK, and is a good feature — it protects against in-transit corruption by, (a) specifying an order of the headers, to protect against MTAs that reorder them; and (b) allowing sites to protect the ‘important’ headers (From, To, Subject etc.) and ignore possible additions by MTAs down the line (scanner additions, mailing list munging and additions, and so on).

A list of recommended headers to sign is included, with From as a MUST and Subject, Date, Content-Type and Content-Transfer-Encoding as a SHOULD.

Forwarding is, of course, just fine. This one doesn’t suffer from the SPF failure mode, whereby a forwarder will break a signature if it doesn’t rewrite the SMTP MAIL FROM sender address. (Of course, it now has its own new failure modes — the message must be forwarded in a nearly-pristine state.)

The message length to sign can be specified with ‘l=’. This may be useful to protect against the issue where mailing list managers add a footer to a signed message. It recommends that verifiers remove text after the ‘l’ length, if it appears, since that offers a way for spammers to reuse existing signatures. I still have to think about this, but I suspect SpamAssassin could give points for additional text beyond the ‘l=’ point that doesn’t match mailing list footer profiles.

The IIM HTTP-based public-key infrastructure is gone; it’s all DNS, as it was in DK.

The ‘z=’ field, which contains copies of the original headers, is a great feature for filters — we can now pragmatically detect ‘acceptable’ header rewriting if necessary, and handle recovery at the receiver end.

Multiple signatures, unfortunately, couldn’t be supported. I can see why, though, it’s a very hard problem.

The ‘Security Considerations’ section is excellent — 9.1.2 uses a very clever HTML attack.

Looks like development of DKIM-Milter, and an associated library, libdkim, are underway.

Given all that, it looks good. It’s not clear how much we can do with DK, and now DKIM, in SpamAssassin, however — it’s very important in these schemes that the message be entirely unmunged, and in most SpamAssassin installs, the filter doesn’t get to see the message until after the delivering MTA, or the MDA (Message Delivery Agent), has performed some rewriting. This would cause FPs if we’re not very, very careful.

I hope though, that we can find a useful way to trust DKIM results. It appears likely that they’d make an excellent way to provide trustworthy whitelisting — ‘whitelist_from_dkim’ rules, similarly to our new whitelist_from_spf support. (In fact, we could probably just merge both into some new ‘whitelist_from_authenticated’ setting.)

Tags: course, dkim, domainkeys, failure, iim, list, message, mtas, subject, the

Patents: Ian Clarke copied the FSFE-IE mailing list with a good mail he sent to Mairead McGuinness MEP, detailing the current state of proposed fixes to the European software patenting directive. He discusses a comment from an Ericsson employee asking for software patentability:

It may be the case that this employee was concerned about Ericsson’s ability to compete against smaller competitors if Ericsson cannot use software patents against them. I would argue that it is not the responsibility of any EU institution to protect Ericsson against legitimate competition from other companies, indeed competition must be encouraged. Software patents will have a stifling effect on competition in Europe, and this is why some large companies like Ericsson are strong advocates for this directive.

And a brief overview of the amendments we want:

The Foundation for a Free Information Infrastructure, an organisation whose line we endorse, has prepared an analysis of the amendments, indicating which will help to ensure that software patents do not become patentable, and which will not. This document may be downloaded here.

In particular, we support the position and amendments of Piia Noora Kauppi MEP, who has taken a strong position against the introduction of software patents within the EPP group, and also the position of Michel Rocard MEP who is the rapporteur for this Directive.

The only other thing it misses, in my opinion, is a paragraph discussing the ‘as such’ loophole that has been heavily relied upon by most pro-swpat politicians recently — the trick of saying ‘this directive does not permit software patenting, as such‘.

Indeed, it does not permit patenting of all software techniques, but instead permits the patenting of software techniques as long as it is of ‘a technical nature’ — without defining what that means. Given that it’s clearly arguable that all software is technical, and since patent offices earn money based on the patents they accept, rather than those they reject, this is a loophole the size of a bus. Many of the desired amendments concern cleaning up this obvious omission.

Anyway, here’s the full text of Ian’s mail from the list archive.

Tags: competition, directive, employee, ericsson, fsfe-ie, list, mailing, mep, patents, position, software

Spam: Spam Chongqing: Spamming Experiment:

Kasia at unix-girl.com decided to run a spamming experiment on her blog. She posted a couple spams to her own blog and waited to see what would happen. In less than 24 hours she received 356 more spams.

The chongqing guys confirm this, and I’ve noticed this as well (although just in passing, I’ve never tried testing it).

Interestingly, I’m pretty sure the same thing can happen with mailing lists, if the mailing list archives are allowed to contain the mailing list’s posting address, and the list allows open posting. It works like this:

• spammer A posts a spam to the list
• spam is archived
• google finds archived spam
• list-builders B, C, D google for search terms, find archive page for that mail message
• B, C, D scrape the addresses from that page and pick up the list posting address
• they then either sell on to spammers E, F, and G, who spam that address, or they spam the address themselves
• and redo loop from the start.

One key factor is the search terms B, C, and D use. My theory is that they are intending to generate ‘targeted’ lists, and in spamming, most targeted lists are simply lists of addresses scraped from pages that show up in a google search for a specific keyword — ‘meds’, ‘viagra’, ‘degree’, etc.

Joe at chonqing surmises that it may be through the Broken Windows Theory — that spam appearing in a weblog’s comments, or in a wiki page, indicates that the administrator is asleep at the wheel and more spam can be posted with impunity. in my opinion, that’s probably more likely for google-spam and wiki-spam than for email spam, but undoubtedly is a factor.

PS: href=”http://chongq.blogspot.com/2005/04/another-spammer-owned-antispam-site.html”> wecanstopspam.org has been allowed to lapse and has been stolen by a spammer. Oh dear.

Tags: address, blog, experiment, google, list, mailing, page, search, spam, theory

Patents: an interesting FUD-busting point from the FSFE-IE mailing list today. Malcolm Tyrrell wrote:

Why does the following point keep coming up? Do I misunderstand the issue, or is this just plain nonsense: (quoting this ENN article)

‘Indeed, the big businesses that backed the directive — such as Philips, Nokia, Alcatel and Microsoft (…) also say, in somewhat ominous terms, that without patent protection, big companies will be less inclined to spend cash on European R&D projects, because the governments of Europe cannot offer any guarantees that commercially useful technology will be protected. In the US, those much-needed safeguards are in place, patent supporters note.’

I presume that these big companies will obtain patents in all territories where patents are available, regardless of where the R&D is performed. Unless they are threatening this merely as revenge (and I would think that there responsibility to their own shareholders precludes this), there would be no more or less reason to do R&D in Europe whether software is patentable there or not. Am I wrong?

He’s right; in my experience, software patents are applied for world-wide, in as many regions as possible (and as funds and time permit) — and there’s very little barrier for an inventor in one country to obtain patents in other countries (apart from money to pay for all those billable hours).

However, Fergal Daly had a more interesting additional point:

‘As far as I can see you’re right and in fact this is a plus for Europe, as labs in Europe would be free to use other people’s patents during their research, whereas in other regions they would have to license them before they could implement them, even for private use.’

He’s right, too, as far as I can see. This would be quite a big win for European R&D, since it would also mean they could develop an algorithm similar to a patented algorithm, as long as the patented technique was only implemented in software inside their European labs. This would be illegal to do anywhere else in the world where software patents were legal, hence is a competitive advantage over their international competitors.

In addition, it would mean that in the scenario where a product is produced using a patented algorithm, but the algorithm doesn’t appear in the final product, that would allow them to perform production in Europe without paying the license fees that would be payable elsewhere.

In summary — the ‘patents needed for R&D’ line is FUD, and the reality is in fact the opposite!

Tags: algorithm, fsfe-ie, fud-busting, list, mailing, patent, patents, point, right, software, today

Map: much interesting geowankery going on in London, where they suffer under the same Ordnance Survey monopoly as we do in Ireland.

This message to their mailing list notes a quote from IKONOS of $1,172.50 USD plus shipping for a 1m Color Geo referenced satellite image of central London, covering 67 square kilometers.

Given ‘enough processing’, data extracted from that map becomes a Derived Work, and have no copyright restrictions. ‘Processing’ includes ‘vector extraction, classification, etc.’

Now, I worked it out — central Dublin city centre covers about 3km x 4km. At the named rates for London, that works out at an inexpensive $210! Looks like it was imaged in September 2003.

There’s something interesting for a local geohacker to add to their list of projects ;)

(There’s also some old Landsat-7 data that may be usable.)

Tags: geowankery, ikonos, list, map, message, monopoly, ordnance, processing, quote, survey, usd

Perl: at last, a perl-related posting! I’ve released IPC::DirQueue 0.04; details of what’s changed (summary, a couple of bugs fixed) are at that link.

BTW, thanks to Ask and Robert at perl.org, who are providing free SVN repository and list hosting for CPAN modules! And don’t overlook the fact that the mailing list/newsgroups each have their own RSS feed, woot!)

Tags: btw, couple, dirqueue, ipc, link, list, org, perl, summary, svn

Patents: wow, this is amazing news! ‘IBM today pledged open access to key innovations covered by 500 IBM software patents to individuals and groups working on open source software. IBM believes this is the largest pledge ever of patents of any kind and represents a major shift in the way IBM manages and deploys its intellectual property (IP) portfolio.’

Even better, they are hoping to begin a ‘patent commons’ for other companies to join, and the OSI definitions of which licenses are judged ‘open’ apply.

More details:

• IBM’s press release
• PDF list of patents
• the list, as plain text (fixed!)

Of course, it would be better if it were also safe for commercial software development. But this is a valuable bulwark against Microsoft-style patent tactics.

Tags: access, ibm, kind, list, news, patent, patents, pledge, software, source, today

Web: Google Suggest, a drop-down list of suggestions — with hitrates! The one letter hits are interesting, too.

“spam” hitrates, the top 3 (aside from “spam” itself):

• “spam filter”: 6,400,000 results
• “spamcop”: 1,570,000
• “spamassassin”: 1,350,000

in the top 3. getting there!

unfortunately, you have to get as far as “justin ma” before my name shows up, so not doing too great in that competition. ;)

Tags: competition, filter, google, letter, list, name, spam, spamassassin, spamcop, suggest, web

Web: Almost every project and organisation has, at some stage, bemoaned having stale data on their website, and wished there was a better way to keep it up to date; or wished their FAQ was more complete; or wished they had the time to HTML-ize all their know-how and get it up there.

Well, here’s what we did in SpamAssassin to deal with this problem. (Seeing as I’ve talked about this three times in the past month, I’ll write it up here so I can just point at the URL next time!)

First off, we experimented with having the site checked into CVS, FAQ-o-matic, and the Python FAQ software (which was pretty good). All were OK, but very specific in format, using the traditional question-answer FAQ layout — that’s good for FAQs, but not so good for a lot of other stuff — and keeping it updated was still limited to a small group, therefore the info got stale again.

So we moved to a Wiki. Here’s my tips for Wiki-izing your website so that the end results are better than what went in.

Use good wiki software: unusable software will be a pain to use, and the info will still go stale. We used Moin Moin - http://moin.sourceforge.net/ - partly because I like Python (it’s nearly perl! ;), it can produce RSS, and it was pretty easy to install.

Don’t worry: people won’t vandalise it (much). It turns out that vandalism and people throwing up crappy info isn’t a serious problem at all. You should increase the barrier, in the following ways:

Require user accounts: set the security policy so that a user account must be set up before editing is possible. This means you won’t get wiki-spammed, and also has the side effect of imposing a pretty big barrier to casual vandals.

Send changes to a list: set all changes to be mailed to a mailing list as diffs. This is the most important tip. If you already have a mailing list with the knowledgeable part of the community on it, use that list — because they’re the ones who’ll be able to recognise if erroneous info is put up, and will be annoyed about this enough to bother fixing it. There’s a bonus side-effect of this; even if some people didn’t like the wiki to start with, they’ll eventually be needled into using it by wanting to fix stuff they perceive as wrong. And then they get sucked in ;)

Use diff for the mailed changes: Moin by default will only send out change messages saying ’something changed on this page!’. That’s not good enough, unfortunately — you want to mail out what the new text looks like, and highlight exactly where the change happened. Moin can do this nicely, with this patch, which adds a mail_commits_address, where all diffs on every page are sent, using the normal diff mechanism.

Ensure the wiki software can revert quickly: If someone does make a bad change, Moin supports one-click reversion of the page to what it was beforehand. That’s great for dealing with spam, or clueless vandalism.

Keep one or two static pages: If you’re worried about some script kiddie thinking that defacing a wiki makes them look cool, then keep one or two of the primary user-facing pages as static data. For example, take a look at the link-bar at the top of http://spamassassin.apache.org/ ; five of the ten links are to static pages, the other five are now wiki-ized. In particular, our front page and our downloads page are both static, but our docs are predominantly Wiki’d.

Publicize Mozex: most techie groups will have techie users, and we hate using browser text-boxes to edit text. Mozex — http://mozex.mozdev.org/ — saves the day here — it’s a godsend.

Shepherd new changes: in the early stages, you want one or two people who tidy up changes from Wiki newbies, as they go in. They need to keep it looking pretty, and perform Refactoring of stuff that could be laid out better or should become multiple pages. Eventually, others will get the hang of that (and do a much better job than you do ;).

That’s the lot. Most of these are to, essentially, migrate aspects of your already-existing and already-working community into this new outlet. In our experience, it’s worked really well — our Wiki is now the most reliable source of info about SpamAssassin, and is extensive and up-to-date.

Tags: faq, info, list, problem, python, software, time, use, web, website, wiki

Mail: Ask’s mods to ezmlm got me thinking about mailing list managers. Hence, here’s my wishlist for what MLMs should be capable of…

Tags: ezmlm, list, mail, mlms, wishlist

Patents: Oh, come on. USPTO: task list window for use in an integrated development environment. Here’s claim 1:

1. A computer-implemented method for managing development-related tasks, the method comprising:

   during an interactive code development session, evaluating source code to determine whether a comment token is present;

   in response to determining that the source code contains a comment token, inserting a task into a task list; and

   in response to completion of a task, modifying the task list during the interactive code development session to indicate that the task has been completed.

There’s 74 more claims that are about up to that standard, including the usual ‘an input module connected to the knee-bone’ mumbo-jumbo that means it ‘isn’t a software patent’.

This is just quite simply absurd. Are we really supposed to believe that nobody had thought of what is essentially a list of tickboxes, displaying the output of ‘grep TODO *.c’, before March 6, 2000? You have got to be kidding. This /. comment suggests that Delphi 5 (released 1999) did it.

(update: looks like there was a provisional patent application, so that may have to be Mar 5 1999.)

William Chiles, Anders Hejlsberg, Randy Kimmerly and Peter Loforte should be ashamed of themselves for filing this joke. And the USPTO examiner who granted it should be fired.

(PS: a factoid from the slashdot comments: IBM receives (note: not even ‘files for’) nearly 10 patents every day.)

Tags: code, comment, development, list, method, patents, response, session, source, task, uspto

Doh: Garret Collins on the IE-rant mailing list points out a notable ‘oops’ moment in Sky News Ireland’s new promo:

(Original here.)

Tags: doh, ie-rant, ireland, list, moment, news, original, promo, sky

Admin: If you have anything hosted on dogma.slashnull.org, our old shared server, get in touch with the boxhosting list, Vin, or even myself ASAP. It’s going to be gone in 2 weeks…

Tags: admin, anything, asap, dogma, list, org, server, slashnull, touch

Web: What’s the link between Debian Linux and Dueling Banjos? Any ideas? No? Well, according to Debian Weekly News of September 16th, 2003, it’s become what’s called a Google-flop:

No Dueling Banjos from Debian. Some of the most bizarre mails on debian-devel over the years have been repeated requests by various people for the sheet music for dueling banjos. Several list subscribers have been eager to assist the posters in their search. Jim Penny called this the Dueling Banjo Effect and explained that this has become a self-perpetuating Google-flop. People use Google which points them to Debian to get this sheet music, and the act of asking reinforces Google’s notion that Debian is a good place to get the music.

(thanks to Rick Moen for pointing this out on the ILUG list.)

Tags: banjos, debian, dueling, google, google-flop, link, linux, list, music, sheet, web

Humour: xscreensaver, the default (and greatest) screensaver on most free UNIX distros, may contain R-rated content, as this mail to the Fedora discussion list notes.

Much to my surprise, I stumbled across it drawing an ‘erect penis’ when I returned from lunch today. So I did some investigating:

    $ strings /usr/X11R6/lib/xscreensaver/glsnake | grep penis
    erect penis
    flaccid penis
  

Tags: content, default, discussion, humour, list, lunch, mail, screensaver, surprise, unix, xscreensaver

Politics: Nelson Mandela banned from visiting the US. oops! But they’ve fixed it:

The good news is that the United States government has removed Nelson Mandela, Tokyo Sexwale and Sidney Mufamadi from its list of global terrorists. The bad news is that the removal is only for the next 10 years. ….

‘To make an exception for those who struggled against apartheid would require congress to change the law, and that would be a very lengthy process,’ (Virginia Farris, the public affairs spokesperson for the US embassy in Pretoria) said.

Via Wendy M. Grossman, who reckons myself and the other SpamAssassin guys are Mrs. Beeton. ;)

Tags: apartheid, congress, exception, government, list, make, news, politics, removal, sexwale, tokyo

Politics: Eli Lilly wants it both ways. First off pro-free-market:

Not many U.S. companies would put ‘maintenance of free market’ at the top of their worry list, but the pharmaceutical industry has genuine reasons for concern.

But then, anti-free-market!:

Starting immediately, if a Canadian wholesaler tries to order more Lilly product than Lilly’s estimate of what is appropriate for Canadian use, ‘they will not be able to have it,’ Smith said.

Tags: concern, eli, industry, lilly, list, maintenance, market, politics, product, top, wholesaler

Spam: SMTP Sender Authentication, by David Jeske of Y! Groups (pointer from Jeremy.

Schemes similar to this — calling back to a sending server to verify that a mail was really sent via that host — have been proposed before in several venues, the most high-profile and public being the ASRG list. Here is a message I sent to that list in April 2003 discussing a few of those schemes:

• J C Lawrence’s ‘forward chained digital signatures’ on Received headers
• William at elan.net’s ‘complex callback verification requirying full message tracking server functionality with dns extensions’
• Russ Nelson’s Q249
• Our own ‘porkhash’

I still like this style of system, I think, but in terms of deployability and simplicity, I’m supporting Sender-Permitted From for now — which similarly forces senders to use registered relays for a given SPF-supporting domain, but using DNS as the protocol and IP addresses as the hard-to-forge identity component.

Another bonus of SPF is that it’s simple, easy to implement, has *running code* out there now, and is being pushed strongly by a pragmatic and sane driving person (in the form of Meng Weng Wong). It’s not always easy in the anti-spam field to find a solution like that ;)

BTW, SPF also, similarly, breaks envelope sender forging. However, I agree, this is one egg that has to be broken to help stop spam (or at least force spammers to use their own domains and IPs.)

Tags: authentication, list, mail, message, pointer, schemes, sender, server, smtp, spam, spf

SMTP Sender Authentication, by David Jeske of Y! Groups (pointer from Jeremy.

Schemes similar to this — calling back to a sending server to verify that a mail was really sent via that host — have been proposed before in several venues, the most high-profile and public being the ASRG list. Here is a message I sent to that list in April 2003 discussing a few of those schemes:

• J C Lawrence’s ‘forward chained digital signatures’ on Received headers
• William at elan.net’s ‘complex callback verification requirying full message tracking server functionality with dns extensions’
• Russ Nelson’s Q249
• Our own ‘porkhash’

I still like this style of system, I think, but in terms of deployability and simplicity, I’m supporting Sender-Permitted From for now — which similarly forces senders to use registered relays for a given SPF-supporting domain, but using DNS as the protocol and IP addresses as the hard-to-forge identity component.

Another bonus of SPF is that it’s simple, easy to implement, has *running code* out there now, and is being pushed strongly by a pragmatic and sane driving person (in the form of Meng Weng Wong). It’s not always easy in the anti-spam field to find a solution like that ;)

BTW, SPF also, similarly, breaks envelope sender forging. However, I agree, this is one egg that has to be broken to help stop spam (or at least force spammers to use their own domains and IPs.)

Tags: authentication, list, mail, message, pointer, schemes, sender, server, smtp, spf

e-Voting: Wired has an absolutely mind-numbing list of issues with the security of Diebold voting machine procedures, including passwords printed in manuals which the staff can take home, that same password being reused for multiple systems including the on-site machines at polling stations, tamper-resistance measures being omitted, poll supervisors hired without background checks, bicycle locks being used to secure voting machines, one shared key used to ’secure’ the memory cards, etc.

‘The election process is mainly based on trust,’ Ginnold said. ‘We trust that poll workers are not going to be tampering with them.’

It’s simply insane to replace a known-good voting system (even if it’s just First-Past-the-Post instead of Proportional Representation, but that’s another issue) with a quick hack like this, IMO.

Please vote anyway, if you’re a CA citizen. And not for the fondling meathead, naturally.

DMCA: EFF: Unintended Consequences: Five Years under the DMCA. An incredible list of cases where the DMCA was used unfairly to restrict competition, research, or fair use, some of which I didn’t even know about. For example, I didn’t realise that the International Information Hiding Workshop Conference will no longer hold conferences on US soil after Professor Ed Felten was threatened over their SDMI paper.

Politics: Michael Moore on how to talk to your conservative brother-in-law. MM may play to the gallery now and again, but sometimes, he’s a genius:

Paying workers more money makes you money!

Dear brother-in-law, when you don’t pay people enough for them to take care of life’s essentials, it ends up costing you and everybody else a lot of money. When you pay your employees more money, what do you think they do with it? Invest it in stocks? Hoard it in offshore accounts? No! They spend it! And what do they spend it on? The stuff you make and sell! If you pay people squat, or lay them off, they can’t buy your stuff. They become a drain on the economy; some turn to crime, and when they turn to crime, it’s your Mercedes they want, not some junker Oldsmobile in their poor neighbour’s driveway.

Science: IgNobel prize winners 2003, including a prize for the nation of Liechtenstein for renting out the entire country for ‘corporate conventions, weddings, bar mitzvahs, and other gatherings’.

Tags: brother-in-law, diebold, dmca, e-voting, list, money, poll, security, stuff, voting, wired

You Might Be An Anti-Spam Kook If… — very funny list from Vernon Schryver, concerning the many Final Ultimate Solutions to the Spam Problem (FUSSP) (link via Raph).

Raph says he, too, has a FUSSP, but says ‘I realize that using a trust metric to defeat spam, while probably effective, won’t be easy.’ Nevertheless, I’d be interested in hearing it, for one. Go on Raph, write it up! ;)

Funny: Whisky boss ‘amazed’ by spy interest: ‘The boss of a tiny Scottish distillery says he is amazed to learn that US spies have been monitoring his whisky plant for weapons of mass destruction.’

Tags: anti, boss, final, fussp, kook, list, might, raph, spam, whisky

Chuq van Rospach has a great idea — instead of a do not spam list, an I am your customer, not your asset, and quit treating me like one list:

Where do-not-spam lists are useful (and ought to be mandatory) are third party sales and rentals. Any time someone buys or rents a list, that list has to be filtered against the do-not-spam list. If you’re on it, you fall out of the transfer. that would include any time that information moves from one company to another, the do-not-spam restrictions apply. (ditto, IMHO, for phone and other personal information. I’ll go further, actually. I think there ought to be a generic ‘do not sell me as an asset’ list, preventing transfer of personal information of any kind without permission. Or more correctly, a I am your customer, not your asset, and quit treating me like one list.

Great idea. Really, the resale of contact information for marketing purposes sounds fantastic to marketers — but as The Story of Nadine demonstrates, it only takes two years for the contact information to be sold (via a chain of increasingly dodgy operators) from DeliverE, a subsidiary of Excite to horse bestiality porn spam.

Tags: asset, chuq, contact, customer, idea, information, list, spam, time, transfer

Every now and again, someone says ‘to fix spam, we must ditch SMTP and start all over again’. Eric Rescorla describes why this is not the case.

Great blog — I think I’ll add that to my list. (found via Ed Felten.)

Tags: blog, case, ditch, fix, list, smtp, someone, spam

Several MailMan mailing lists I run have been really painful to admin, due to spam overload combined with Mailman’s pretty crappy ‘pending messages’ admin interface, which goes like this: scroll down to each message, select ‘discard’ radio button, scroll to next, select ‘discard’ radio button, repeat until wrists hurt.

Thankfully, waider has saved my lists from oblivion. this script, given the list URL and the admin password, will log in to the admin interface, get the list of pending messages in the queue, scan each one using Mail::SpamAssassin (of course ;), and ditch the spam.

It just cleaned out 182 spams from one list, leaving all of 7 valid requests in the queue. Beautiful!

Dublin: Stefan Geens posts an IrishBroadband success story. See, it really works!

Tags: admin, button, interface, list, mailing, mailman, queue, radio, scroll, spam

The fearsome Drop Bear is detailed in this forwarded snippet from the forteana list.:

Drop bears are often mistaken for koalas, and to all but a trained naturalist, the differences are minor. They have even been reported to imitate the sleepy demeanor of their genetic cousins, probably as a sort of behavioural camouflage, and roughly one third of all drop bear related fatalities occur when a well-meaning tourist tries to pose with one for a souvenir photograph.

More here. Thankfully I managed to avoid these creatures while camping through Victoria last year — only just about though.

In other news: a great SFWeekly feature on Hal Robins, aka. Dr. Howland Owll of the CotSG.

Date: Wed, 06 Aug 2003 07:42:52 +1000
From: Peter Darben (spam-protected)
To: Forteana List (spam-protected)
Subject: The secret is finally out

While ploughing through the rapidly growing pile of Dungeon/Polyhedron magzines on my desk I found this little gem

—– (for the d20 Modern Gaming System from Dungeon/Polyhedron June, 2003)

Drop Bear

Although the Australian government officially denies the drop bear’s existence, these bloodthirsty relatives of the peaceful koala are the bane of Australia’s parks and forests. Named for their preferred of attack - hurtling down from the shelter of trees onto the heads of unsuspecting prey

• drop bears are responsible for dozens of deaths each year, and the number

climbs with each passing year.

Drop bears are often mistaken for koalas, and to all but a trained naturalist, the differences are minor. They have even been reported to imitate the sleepy demeanor of their genetic cousins, probably as a sort of behavioural camouflage, and roughly one third of all drop bear related fatalities occur when a well-meaning tourist tries to pose with one for a souvenir photograph.

The internal government conspiracy to disavow the existence of drop bears relates to Australia’s recent tourism marketing. They certainly can’t sell visitors on the idea of coming to Australia if the visitors knew they were going to be savaged by vicious wild animals masquerading at cuddly koalas. Though the Australians themselves are aware that certain chemical repellents such as Aeroguard are effective in discouraging drop bear attacks, forestry service rangers are forbidden by law from explaining exactly why they so heartily recommend it. But as the drop bears’ natural food source, rabbits, are gradually reduced in population, it is only a matter of time before the drop bears turn to more plentiful prey : man.

[nerdish gaming stats omitted]

—–

peter

Tags: bear, camouflage, drop, forteana, list, naturalist, photograph, third, tourist, year

The Table of Condiments That Periodicially Go Bad. Forwarded via the forteana list by Martin Adamson, who notes it ‘obviously doesn’t include the trans-uranic condiments like Marmite and Vegemite’.

Tags: condiments, forteana, forwarded, list, marmite, periodicially, table, vegemite

There were some reports on the SpamAssassin-talk mailing list today, that all queries to the now-defunct orbs.dorkslayers.com DNSBL zone are now returning a true result.

Thomas Mechtersheimer pointed out the culprit: it turns out that b.gtld-servers.net, one of the top-level DNS global TLD servers ( run by Verisign, as far as I can see), is returning 65.246.50.11 for every query for a name that does not exist under the .com and .net zones. That includes second-level names, and anything under a nonexistent second-level name.

Take a look. a.gtld-servers.net is returning the correct NXDOMAIN results, b.gtld-servers.net is blissfully sending all this traffic to some poor UUnet dialup ;)

dig 242.110.40.68.orbs.dorkslayers.com. @a.gtld-servers.net.
;; ->>HEADER< <- opcode: QUERY, status: NXDOMAIN, id: 27661
dig 242.110.40.68.orbs.dorkslayers.com. @b.gtld-servers.net.
;; ->>HEADER< <- opcode: QUERY, status: NOERROR, id: 52998
242.110.40.68.orbs.dorkslayers.com. 15 IN A     65.246.50.11
dig 4905893958xc98gdf9g8945.com @a.gtld-servers.net.
;; ->>HEADER< <- opcode: QUERY, status: NXDOMAIN, id: 9454
dig 4905893958xc98gdf9g8945.com @b.gtld-servers.net.
;; ->>HEADER< <- opcode: QUERY, status: NOERROR, id: 42344
4905893958xc98gdf9g8945.com. 15 IN      A       65.246.50.11

Update: It’s been fixed, as of about 1200 PDT.

Tags: com, dnsbl, header, list, mailing, name, net, spamassassin-talk, today, zone

In case you’re trying to reconcile Arlene McCarthy’s public words, about how the proposed EU legislation helps block software and bizmeth patents, and the FFII’s public words saying the opposite, here’s a helpful email thread cross-posted between the Patents list at AFUL.org and the free-sklyarov-uk list.

• The letter asking for clarification on some key points;

• The rather vague reply from AMcC;

• a follow-up from Rui Miguel Seabra;

• one from Bernhard Kaindl;

• and from Hartmut Pilch.

Also, Hartmut Pilch notes a prior letter which as yet remains unanswered; ‘All she has until now ever done is to send out standard answers to unspecific letters from concerned (and possibly naive-sounding) software developpers. Whenever someone tries to ask her more specific questions, there is no response at all. However documenting the fact that there is no response may also help. So please remember the public letter and point demand a response at every opportunity.’

The Financial Times has an article (paying subscribers only, but that link excerpts a part) which makes clear the difficulties. ‘oftware protection regulations across EU member states should be harmonized while also allowing software developers to carry on without the threat of patent searches and litigation hanging over their heads. He argues that the EU directive’s wording is opaque: The proposal lists computer implemented inventions as patentable, but this definition fails to establish whether it refers to software algorithms or inventions whose usability is dependent on software. Cane also notes that it is harder to see parallels in software invention and physical invention, and argues that there are few truly novel software inventions because most software is based upon prior work carried out by other people.’ (thanks to Gary Robinson for the link)

Tags: bizmeth, case, ffii, invention, legislation, letter, link, list, response, software

Brilliant. From this week’s b3ta newsletter via the forteana list comes this work of one-liner UL genius:

Snopes conspiracy: ‘ Snopes was set up in early 1995 by the CIA as a way to debunk popular conspiracy theories, Companies and individuals can now pay to have their urban legend denied on the site, a prime beneficiary being Richard Gere.’

Spam: Hackers Hijack PC’s for Sex Sites (NYT). Good article about a (suspected) Russian spam ring using hijacked PCs and reverse proxies to host spamvertized websites.

Ceramics: Anyone who’s been following the IRTF’s Anti-Spam Research Group mailing list recently, will have come across Mark McCarron’s ‘proposal’ regarding an anti-spam system that has something to do with everyone paying 5,000 UKP, ditching end-to-end SMTP, stopping any non-human-initiated e-mail, and energy from the Pyramids of Giza (I think).

Surprisingly enough, The Reg wrote some unkind words, and now Mark exercises his right to reply. Unmissable, mainly for the details of his reign of terror during school and his ‘jack of all trades’ abilities.

Great fun, in a kind of ‘watching a car-crash’ way.

Tags: brilliant, conspiracy, forteana, list, newsletter, snopes, spam, way, week, work

The concept of a ‘pay-to-mail’ scheme — charge people to send you mail — is patented, it seems. Good, I never liked it anyway ;)

A method and apparatus for determining whether a party sending an email communication is on a list of parties authorized by the intended receiving party. If the sending party is not on the list of authorized parties, an electronic billing agreement is emailed to the sending party indicating a fee that will be charged to the sending party in return for the message being provided to the intended receiving party. Preferably, the present invention is implemented with Internet communications and utilizes a security protocol to enable the electronic transaction to be transacted in a secure manner.

Date: Tue, 01 Jul 2003 15:00:09 -0400
From: “Bob Wyman” (spam-protected)
To: (spam-protected)
cc: “‘Yakov Shafranovich”‘ (spam-protected)
Subject: RE: US Spam patents: Partial list

A new, spam-related, US Patent was issued today. It is a continuation in part of US Patent 6,192,114 which is on the first list of patents I posted to this group.

See: http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=6587550

US Patent 6,587,550 METHOD AND APPARATUS FOR ENABLING A FEE TO BE CHARGED TO A PARTY INITIATING AN ELECTRONIC MAIL COMMUNICATION WHEN THE PARTY IS NOT ON AN AUTHORIZATION LIST ASSOCIATED WITH THE PARTY TO WHOM THE COMMUNICATION IS DIRECTED

Abstract A method and apparatus for determining whether a party sending an email communication is on a list of parties authorized by the intended receiving party. If the sending party is not on the list of authorized parties, an electronic billing agreement is emailed to the sending party indicating a fee that will be charged to the sending party in return for the message being provided to the intended receiving party. Preferably, the present invention is implemented with Internet communications and utilizes a security protocol to enable the electronic transaction to be transacted in a secure manner.

————————————————————————

Inventors: Council; Michael O. (186 Hurt Dr., Cordele, GA 31015);
Santos; Daniel J. (3525 Roswell Rd., #721, Atlanta, GA 30305) Appl. No.: 783340 Filed: February 14, 2001

Asrg mailing list (spam-protected) https://www1.ietf.org/mailman/listinfo/asrg

Tags: agreement, apparatus, billing, communication, email, fee, list, method, party, patent

Jeremy Kister on the SpamAssassin-talk mailing list notes:

In an article written by Randy Cassingham, Randy describes ‘why e-mail abuse should be a crime’ and suggests ways to stop spam. His fifth suggestion states Ensure that your ISP is taking steps to combat the problem, such as installing SpamAssassin…

This is in Playboy July 2003 pg 53 (bottom). (and no, i usually dont read it for the articles ;) )

Plus a pretty good article in Forbes, too. A good news week for SpamAssassin…

Tags: abuse, article, cassingham, crime, list, randy, spam, spamassassin, spamassassin-talk, suggestion

If you plan to get a tattoo in a language you don’t understand, this should serve as a cautionary tale. (via the forteana list)

Tags: forteana, language, list, tale, tattoo

Looks like SpamAssassin’s ‘tag, not delete’ technique has spread to the real world ;)

Thanks to David Raistrick for forwarding this to the SpamAssassin-Talk mailing list…

Tags: forwarding, list, looks, mailing, spamassassin, spamassassin-talk, tag, technique, world

a message on Dave Farber’s IP list tipped EMusic.com as a little-known alternative to Apples new music store. So I took a look, and whaddya know, it’s incredible! Here’s the key points:

• A fantastic selection of my favourite genres: roots reggae, dancehall, ambient and drum and bass. This is exactly the stuff you can’t find on P2P nets nowadays, and it’s not on Apple’s store either. EMusic is not so hot for the top-40 stuff, but let’s face it, I will never want to listen to Britney’s latest anyway.

• ‘Try before you buy’ 30-second track tasters, so you can listen to
  • the tune just enough to see if you like it before committing.
• A flat monthly rate of 10 bucks, for 50 tracks a month.

• Download as plain old un-DRM-encumbered MP3s. So it’ll work fine on my Linux desktop, and pretty much any music-listening device you can possibly imagine for the next few years.

Wow. I’m so signing up for this. I think in 10 minutes I’ve identified my next 6 months’ listening material…

Tags: alternative,