Microsoft Releases Patent on SenderID

ScuttleMonkey posted more than 7 years ago | from the sharing-your-toys-in-the-sandbox dept.

wayne writes "Microsoft has now put the SenderID patents under the OSP. The Open Specification Promise was discussed on slashdot before in conjunction with web services and it is good to see that they are opening up even more. There are still technical problems with SenderID compared with SPF and, of course, SPF isn't problem free. Still, over the last year, the number of SPF records has more than doubled from around 1.7 million to 4.1 million, with rate of growth increased in the last 6 months."

128 comments

yay (0, Redundant)

Anonymous Coward | more than 7 years ago | (#16555548)

they did it! yay!

google, death, untimely (-1, Flamebait)

(fagging beta) (983460) | more than 7 years ago | (#16555552)

Google [google.com] is Dead now and forever.

Do a story about that, Slashfag. Do I have to do all the thinking around here?

ATTN: Jim Allchin (0)

Anonymous Coward | more than 7 years ago | (#16556524)

Please come home, all is forgiven.

Love,

http://www.gnaa.us/ [www.gnaa.us]

Spammers are already using it (0)

Anonymous Coward | more than 7 years ago | (#16555556)

Re:Spammers are already using it (0)

Anonymous Coward | more than 7 years ago | (#16556148)

So? The important thing is that I can use SPF to protect myself from thousands of bounces when a spammer uses one of my email addresses in the From: header.

Re:Spammers are already using it (1)

crow (16139) | more than 7 years ago | (#16557874)

How do you do that?

I was having this problem, so I added SPF records for my domains. Then spammers started using another one of my domains and the spam started going up, not down.

Re:Spammers are already using it (0)

Anonymous Coward | more than 7 years ago | (#16558916)

You add (sufficiently strict) SPF records to all your domains, of course.

Re:Spammers are already using it (1)

crow (16139) | more than 7 years ago | (#16559578)

Done.

Spammers don't seem to care; they still forge from my domains.

Mail servers don't care. They still send back bounce messages to me.

Now if my mail server could do the SPF lookup on the received lines in the bounced message and drop it, that would work. Without that, SPF doesn't help me without cooperation from everyone else.

Re:Spammers are already using it (1)

wkcole (644783) | more than 7 years ago | (#16558976)

So? The important thing is that I can use SPF to protect myself from thousands of bounces when a spammer uses one of my email addresses in the From: header.

That's a false hope. I know from very direct experience that it does not work today, and logically it is unlikely to ever work.

The underlying reason that "blowback" from forged spam is a problem is that a lot of people are still running mail systems that are designed (to whatever degree they are designed rather than thrown together) with mid-90's assumptions that are no longer true:

  • Most mail is legitimate
  • An insignificant fraction of junk mail uses SMTP envelope or From header sender addresses that exist but don't belong to anyone associated with the sending of the crap
  • Enough legit mail is innocently mis-addressed that having a few percent of address-typo'd mail silently dropped is unacceptable damage.
  • Exposing the (in)validity of recipient addresses at your external border at RCPT time in SMTP is a significant information leak.
  • The system complexity and fragility added by making as much rejection as possible happen synchronously at the SMTP border is too high a cost for its benefits

The result is mail systems that accept mail rather promiscuously, storing and queueing it up for steps like filtering or forwarding to other internal systems for delivery. Those later steps can result in failure, and the mid-90's assumptions about mail lead to the decision to follow the traditional rules and generate a bounce for any failed message. SPF (or any other sender authentication scheme) can only help if those systems that are living in the past implement its use in deciding whether to accept mail and/or whether to generate a bounce for mail. Many blowback-generating mail systems can eliminate blowback completely (or for less cost: 5-nines complete) simply by rearchitecting for modern realities, without bringing SPF into the picture.

Being in the position of running largish mail systems, I can see quite starkly that SPF alone as a blowback control would do more harm than it is worth. Real mail systems get legitimate mail from domains run by fools who can't get their SPF records right and use "-all" as a trailing default. Real mail systems get mail transparently forwarded to them through sites that do not modify the SMTP sender, no matter how much the SPF cheerleaders would like them to. Real mail systems can't absolutely trust SPF when it is derogatory unless they are willing to accept occasional loss of otherwise perfectly legitimate mail.

Re:Spammers are already using it (0)

Anonymous Coward | more than 7 years ago | (#16559252)

SPF achieves the effect I described in two ways: 1) Fewer mail systems produce bounces. Not none, but fewer. 2) An increasing number of mail systems reject or at least flag mail from domains with mismatching SPF records as spam. Therefore spammers try to avoid sending from domains with strict SPF records.

it's about time microsoft. (-1, Troll)

Fruity McGayGay (1005769) | more than 7 years ago | (#16555558)

I submit David Hasselhoff is the AntiChrist
And I have the proof

How can one explain the phenomenal global success of one of this country's least talented individuals? There are only three ways.

* Mr. Hasselhoff actually is talented, but this goes unnoticed in his own country.
* Mr. Hasselhoff has sold his soul to Satan in return for global success.
* David Hasselhoff is the AntiChrist.

I vote for the latter -- and perhaps, after seeing the facts involved, the rest of the world will agree.

The Facts First, the obvious. Add a little beard and a couple of horns -- David Hasselhoff looks like the Devil, doesn't he? And the letters in his name can be rearranged to spell fad of devil's hash.

What does this mean? Well, Baywatch is David's fad. David is the devil. The Hash is what makes Knight Rider popular in Amsterdam.

(I was actually hoping to make the letters in his name spell out he is of the devil, which would be possible if his middle name was "Ethesis," which it might be. I'm sure his publicist would hide such a middle name if it were true.)

Second -- and most importantly -- David Hasselhoff and his television series were foretold in the Bible. Biblical scholars worldwide may quibble over interpretations, but they all agree on this. For a few telling examples let's skip to the end of the Bible. If any book of the Bible will tell us who the AntiChrist is, it's the Revelation of Saint John, which basically describes the AntiChrist and the Armageddon He causes. I'll just give you the verse, and the current theological interpretation of that verse.

Who is the Beast?
Rev 13:1 And I stood upon the sand of the sea, and saw a beast rise up out of the sea, having seven heads and ten horns The Beast, of course, is David Hasselhoff. The Heads are His separate television incarnations. Young and the Restless, Revenge of the Cheerleaders, Knight Rider, Terror at London Bridge, Ring of the Musketeers, Baywatch and Baywatch Nights. The ten horns represent His musical releases: Crazy For You, David, David Hasselhoff, Do You Love Me?, Du, Everybody Sunshine, I Believe, Looking For Freedom, Night Lover and Night Rockers. Not only does Mitch The Lifeguard literally "rise out of the sea" on Baywatch, but David's musical career has mostly occurred in Europe, a metaphoric rise to fame from across the sea. Rev 13:3 And I saw one of his heads as it were wounded to death; and his deadly wound was healed: and all the world wondered after the beast. Of course, this is a reference to his third head: Knight of the Phoenix, the first episode of Knight Rider. In this episode, "Michael Long, a policeman, is shot and left for dead. The shot is deflected by a plate in his head, but ruins his face. He is saved and his face reconstructed. He is reluctant, but agrees to use K.I.T.T. to help the Foundation for Law and Government fight criminals who are 'beyond the reach of the law'. " Knight Rider has been shown in 82 countries. Rev 13:5 And there was given unto him a mouth speaking great things and blasphemies; and power was given unto him to continue forty and two months. The following blasphemies are actual quotes from David Hasselhoff -- I read these while he was 42 years old.
"I'm good-looking, and I make a lot of money."

"There are many dying children out there whose last wish is to meet me."

"I'm six foot four, an all-American guy, and handsome and talented as well!"

"Before long, I'll have my own channel -- I'll be like Barney."

"(Baywatch) is responsible for a lot of world peace." which the Hoff said at the Bollywood Oscars. Don't believe me? Read the original article!

And here's a blasphemy that came from David's recent (Feb 2004) visit to the Berlin Wall museum. I couldn't have made something this great up by myself. He was upset that the museum didn't spend more time devoted to his personal role in the fall of Communism. You can read more about it here, if you don't believe me.

The Second Beast: Television
Rev 13:11-13 And I beheld another beast coming up out of the earth; and he had two horns like a lamb, and he spake as a dragon. And he exerciseth all the power of the first beast before him, and causeth the earth and them which dwell therein to worship the first beast, whose deadly wound was healed. And he doeth great wonders, so that he maketh fire come down from heaven on the earth in the sight of men,

The Second Beast, with its dual antennae, is obviously the Television -- merely a pawn in Hasselhoff's underworldly regime. His stereo speaker (the dragon's voice) spews forth the blasphemy of Baywatch until He has caused all people of the earth to worship and watch Baywatch and Baywatch Nights. How well has he done? Baywatch is now seen by about one billion viewers in 140 countries -- the most watched series ever.

You probably never knew this, but the entire historical purpose of television has been to attract a worldwide audience for the eventual syndication of Baywatch. And how does it accomplish this global distribution? Via satellite - from heaven to the Earth.

Rev 13:15 And he had power to give life unto the image of the beast, that the image of the beast should both speak, and cause that as many as would not worship the image of the beast should be killed. How does television work? By giving life unto Hasselhoff's image. I'm pretty sure the second part hasn't happened yet.

Lifeguards: Denizens of the Underworld

These biblical revelations will show that the lifeguards on Baywatch are foretold as servants of the Devil. (Need I say who that is again?)
Rev 20:11 And I saw a great white throne, and him that sat on it, from whose face the earth and the heaven fled away; and there was found no place for them

Rev 20:13 And the sea gave up the dead which were in it; and death and hell delivered up the dead which were in them...
Doesn't this sound like an exact description of what the lifeguards on Baywatch do? They sit on their big white wooden throne, and watch out over the sea -- waiting for a dying person to get cast up. Rev 9:6 And in those days shall men seek to find death, and shall not find it; and shall desire to die, and death shall flee from them.

One word: CPR
Rev 10:2 And he had in his hand a little book open: and he set his right foot upon the sea, and his left foot on the earth, Sounds like a lifeguard, eh? Standing on the beach reading a paperback?

Rev 17:3-5 ...and I saw a woman sit upon a scarlet coloured beast, full of names of blasphemy, having seven heads and ten horns. And the woman was arrayed in purple and scarlet colour, and decked with gold and precious stones and pearls, having a golden cup in her hand full of abominations and filthiness of her fornication: And upon her forehead was a name written, MYSTERY, BABYLON THE GREAT, THE MOTHER OF HARLOTS AND ABOMINATIONS OF THE EARTH.

and if that wasn't enough, try Ezekiel 23:17 And the Babylonians came to her into the bed of love, and they defiled her with their whoredom, and she was polluted with them, and her mind was alienated from them.

The fabled "Whore of Babylon." Well, people have been calling Hollywood "Babylon" since long before I was making web pages. And of all the women in Hollywood, whose wedding night video is the most popular? Hmmm.... Did someone say "Barb Wire?"
Rev 18:11 And the merchants of the earth shall weep and mourn over her; for no man buyeth their merchandise any more Do you know any merchants who invested heavily in the acting career of this "whore of Babylon?" I've seen that "VIP" show of hers, and I'd be weeping if I had spent money on the merchandising rights.
Rev. 18:21 ... a mighty angel took up a stone like a great millstone, and cast it into the sea,...

Speaking of lifeguards chucking rocks at innocent people, listen to this excerpt from a recent lawsuit against his Hasselness: "while Plaintiff was in the audience of the Rosie O'Donnell Show, Defendant DAVID HASSELHOFF came on stage and threw a stack of cards depicting himself into the audience, striking Plaintiff in the eye. . . [he] should have known that throwing cards into an audience could cause injury to the audience."
Rev 18:14 And the fruits that thy soul lusted after are departed from thee, and all things which were dainty and goodly are departed from thee, and thou shalt find them no more at all. He stands to lose money in this lawsuit -- or maybe even all those dainty and goodly things he bought.

The Number of the Beast
The Bible shows us another way to prove a person is the AntiChrist, namely through numerology. Rev 13:18 says: "Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six."

That's a bit cryptic, to be sure. One score is twenty, so threescore is 60, the number of the beast is 666.

Now, the way biblical scholars and numerologists usually convert the names of men into their numbers is through a simple numerical code. Let's assign the 26 letters of the alphabet the numbers 1 through 26. It looks like this:

a 1 i 9 q 17 y 25

b 2 j 10 r 18 z 26

c 3 k 11 s 19

d 4 l 12 t 20

e 5 m 13 u 21

f 6 n 14 v 22

g 7 o 15 w 23

h 8 p 16 x 24

Now, we take the letters from Mr. Hasselhoff's name, assign numbers to them, and calculate his number.

D A V I D H A S S E L H O F F

4 1 22 9 4 8 1 19 19 5 12 8 15 6 6

Now, since thirteen is such a fitting number for evil, let's multiply the first 13 numbers together. The total (65,874,124,800) is approximately 6.6 billion. Tack on the remaining 6's from the end of his name, and you've got yourself the mark of the beast.

Another tactic you could use would be to add the letters in "David" (I think you should get 40) and the letters in Hasselhoff (99) and then multiply them together. 40 x 99 = 3960. Now, 3960 is 660 x 6. And of course, 660 plus 6 is -- again -- the mark of the beast.

Not enough proof for you? Well, let's see what else the winning combination of the Bible and numerology have in store for David.....

As he explains it in his interview, David Hasselhoff first decided to act at the age of 7 when he saw a local production of Rumplestiltskin. His acting debut was in Peter Pan. Knight Rider ended its run in 1986, when Hasselhoff was 32. Baywatch debuted in 1989, when Hasselhoff was 35. His first televised role was as Snapper Foster on the Young and the Restless at the age of 19. If we look at the 37th chapter of the 19th book of the Bible (Psalms) -- at verses 32 and 35, we notice an interesting phenomenon. Take a look:

32. The wicked watcheth the righteous, and seeketh to slay him.
35. I have seen the wicked in great power, and spreading himself like a green bay tree.

Viewers of Baywatch may have thought they were watching the good leader Mitch Buchannon -- whose main job as head lifeguard is to watch over the righteous babes at the beach, and save them. According to the Bible, he is really trying to slay them. But can we be sure that the show in question is actually Baywatch? Well, count the number of letters in Rumplestiltskin and Peter Pan. 15 and 8, right? Now look at those bible verses again. Find the 15th word of verse 35 - and the 8th word from the end of verse 32. Put them together. 35. I have seen the wicked in great power, and spreading himself like a green bay tree. 32. The wicked watcheth the righteous, and seeketh to slay him.

Why the hell did Microsoft have to go and... (5, Funny)

Avillia (871800) | more than 7 years ago | (#16555592)

...Make a new grading scale for suntan lotion? I mean, honestly, we've already got Sun Protection Factor, we don't need some retarded system like SenderID... Hell, we don't even need SPF, idiotic parents just can't think of their children and get the thick blue paste that WORKS instead of this new THE PURPLE FADES IN crap.

Honestly.

Re:Why the hell did Microsoft have to go and... (1)

benplaut (993145) | more than 7 years ago | (#16556438)

THE PURPLE FADES IN crap.

Why would you want to cover yourself in purple crap?

Re:Why the hell did Microsoft have to go and... (3, Funny)

Fred_A (10934) | more than 7 years ago | (#16556700)

Maybe children like it better because it comes from Barney ?

Re:Why the hell did Microsoft have to go and... (0)

Anonymous Coward | more than 7 years ago | (#16557306)

Eww, Barney jizz.

Re:Why the hell did Microsoft have to go and... (1)

CarpetShark (865376) | more than 7 years ago | (#16557152)

Especially given that everyone knows where sunlight comes from ;)

Re:Why the hell did Microsoft have to go and... (1)

Villageidiot9390 (640068) | more than 7 years ago | (#16558688)

Google?

Re:Why the hell did Microsoft have to go and... (1)

jZnat (793348) | more than 7 years ago | (#16560258)

That's GNU/Sunlight you insensitive clod!

Have they released a SenderID SDK? (3, Interesting)

Bucaro (758451) | more than 7 years ago | (#16555600)

Although I may not be a fan of M$, I am a fan of anything anti-spam. How much coding does it take to make one's own email client, Mail, Thunderbird, or whatever, work with a senderID tag?

Re:Have they released a SenderID SDK? (4, Insightful)

grcumb (781340) | more than 7 years ago | (#16556076)

Although I may not be a fan of M$, I am a fan of anything anti-spam.

I'm not. Not a fan of anything at all, that is. I'm a fan of open systems (preferably officially endorsed standards) that are well understood and secured for use many years into the future. SMTP, for all its baggage, is one standard that has actually aged fairly well over the years.

There are fundamental flaws, of course, and now these flaws are costing us a lot of money, time and effort trying to stop people from preying on the system and on human naïveté.

Microsoft's approach to this can be summarised as, "Hey gang let's all get together and fight spam my way!" This is okay, but in the opinion of this hoary old curmudgeon, I'd rather people said, "Hey gang, let's all get together and figure out how to fight spam!" There's a small but integral difference between those two statements. It lies in the potential for Microsoft to stop in mid-fight, take its ball and go home.

What Microsoft is trying to do with this latest move is to convince the world that it will not do this. I'd like to believe that's true, but their track record gives us every reason to believe the opposite. Even if they're perfectly sincere about this right now, people will still be suspicious that at some time in the future they might try to lock things down again.

It's unfortunate that we have been led to feel this way, and I suppose it's never too late for a leopard to change his spots. I doubt this one will, though.

Re:Have they released a SenderID SDK? (1, Informative)

Antique Geekmeister (740220) | more than 7 years ago | (#16557112)

Email clients are not what SenderID is for: it's for mail servers, to reject the spam before it even gets into the user's queue. Unfortunately SenderID is not only patented, the Microsoft license prevents other people from modifying it for other uses. This means it should not and cannot be used in Sendmail, Postfix, or other open source MTAs due to license restrictions.

SenderID is also cryptographic. This prevents software with it integrated from being exported to "restricted" companies, due to the strange rules about encryption being a material of war.

SenderID is also fundamentally broken: SPF rejects spam messages in a way that is very lightweight and free to implement (publish a TXT record in your domain's DNS), and rejects the message before its contents are even sent, based on the "FROM" line used for email bounces. SenderID requires purchased keys from Microsoft, and requires the MTA to accept the email message to process the SenderID key, which seriously burdens the server.

SenderID basically has nothing to do with SPF or anti-spam: it has to do with selling keys for bulk emailers, legitimate or not, to send bulk email while avoiding anti-spam messages. Its presence in a message is actually a very powerful sign that the message is spam, just as those "Haiku" messages in email headers used to be.

Unfortunately, the creators of SPF accepted Microsoft sponsorship and involvement with SenderID to get Microsoft support, integrating SPF-like features into Hotmail and other Microsoft tools in order to get a larger user base, but unfortunately accepting a corrupt influence that has actively hindered the acceptance of SPF.

Make no mistake, SPF has problems. It breaks most email forwarding unless the forwarder uses SRS or some other tool to rewrite the email address to send bounce messages to. But it's very lightweight and effective, and the email forwarding was already badly broken and needs fixing.

Re:Have they released a SenderID SDK? (4, Informative)

Keeper (56691) | more than 7 years ago | (#16557198)

Email clients are not what SenderID is for: it's for mail servers, to reject the spam before it even gets into the user's queue.

SenderID can be implemented on both mail servers and clients.

Unfortunately SenderID is not only patented, the Microsoft license prevents other people from modifying it for other uses. This means it should not and cannot be used in Sendmail, Postfix, or other open source MTAs due to license restrictions.

Wrong: http://www.microsoft.com/interop/osp/default.mspx [microsoft.com]

SenderID is also cryptographic. This prevents software with it integrated from being exported to "restricted" companies, due to the strange rules about encryption being a material of war.

SenderID has no cryptography. You're thinking DomainKeys.

SenderID is also fundamentally broken: SPF rejects spam messages in a way that is very lightweight and free to implement (publish a TXT record in your domain's DNS), and rejects the message before its contents are even sent, based on the "FROM" line used for email bounces.

Incorrect. Both SenderID and SPF are based off of DNS TXT records. The primary difference between the two is that SenderID validates that the FROM field has not been forged, while SPF validates that the return path has not been forged.

SenderID requires purchased keys from Microsoft, and requires the MTA to accept the email message to process the SenderID key, which seriously burdens the server.

SenderID basically has nothing to do with SPF or anti-spam: it has to do with selling keys for bulk emailers, legitimate or not, to send bulk email while avoiding anti-spam messages. Its presence in a message is actually a very powerful sign that the message is spam, just as those "Haiku" messages in email headers used to be.


SenderID has no cryptography. You purchase nothing from Microsoft. You're thinking DomainKeys.

Unfortunately, the creators of SPF accepted Microsoft sponsorship and involvement with SenderID to get Microsoft support, integrating SPF-like features into Hotmail and other Microsoft tools in order to get a larger user base, but unfortunately accepting a corrupt influence that has actively hindered the acceptance of SPF.

Blah blah blah, insert Microsoft is teh big evil rant here. You should learn what you're talking about before complaining about something it doesn't do.

Re:Have they released a SenderID SDK? (1)

Keeper (56691) | more than 7 years ago | (#16557114)

Not much. It basically involves a DNS lookup, parsing of some string information, and some rule-based comparisons derived from the parsing. Probably a couple days worth of dev work to read up on the RFC (http://www.ietf.org/rfc/rfc4406.txt?number=4406), implement it, and test the core logic. Can't really say how long it would take to integrate into your mail client of choice.
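Added example (not part of the thread, and not code from the SPF or Sender ID projects): the lookup, parse and compare steps described in the comment above, run over constructed TXT records instead of live DNS, to show which sender identity each check covers. It handles only the `ip4`, `ip6` and `all` mechanisms and assumes a simplified header order for the purported responsible address; every domain, address and message here is constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records standing in for DNS answers (documentation ranges only).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "bulk.example.net": ["v=spf1 ip4:198.51.100.7 ~all"],
    "lists.example.org": [
        "v=spf1 ip4:203.0.113.0/24 -all",
        "spf2.0/pra ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    ],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_record(domain, scope):
    """Return the terms of the record covering `scope` ('mfrom' or 'pra')."""
    records = DNS_TXT.get(domain.lower(), [])
    if scope == "pra":
        # Sender ID prefers a record that names the pra scope explicitly.
        for txt in records:
            version, _, rest = txt.partition(" ")
            if version.startswith("spf2.0/") and "pra" in version[7:].split(","):
                return rest.split()
    # Classic SPF reads v=spf1; Sender ID falls back to it for pra.
    for txt in records:
        version, _, rest = txt.partition(" ")
        if version == "v=spf1":
            return rest.split()
    return None


def evaluate(domain, scope, client_ip):
    """Walk the record left to right; the first matching mechanism decides."""
    terms = find_record(domain, scope)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this example's subset
    return "neutral"


def purported_responsible_domain(raw_message):
    """Simplified PRA selection: first usable header in this fixed order."""
    msg = message_from_string(raw_message)
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        value = msg.get(header)
        if value:
            addr = parseaddr(value)[1]
            if "@" in addr:
                return addr.rsplit("@", 1)[1]
    return None


def check_message(mail_from, raw_message, client_ip):
    """SPF checks the envelope sender; Sender ID checks the header-derived PRA."""
    mfrom_domain = mail_from.rsplit("@", 1)[1]
    pra_domain = purported_responsible_domain(raw_message)
    return {
        "spf": evaluate(mfrom_domain, "mfrom", client_ip),
        "sender_id": evaluate(pra_domain, "pra", client_ip) if pra_domain else "none",
    }


# Constructed message: envelope sender and From: header name different domains.
SAMPLE = (
    "From: Billing <billing@example.com>\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(check_message("bounce@bulk.example.net", SAMPLE, "198.51.100.7"))
```

The two verdicts differ on the sample because the sending address is authorised for the envelope domain but not for the domain shown in the From: header, which is why a receiver that wants the visible sender covered needs the header-based check as well.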

Re:Have they released a SenderID SDK? (1, Informative)

caudron (466327) | more than 7 years ago | (#16557424)

Although I may not be a fan of M$, I am a fan of anything anti-spam

Here's my shocking intro: I'm not for just "anything" anti-spam.

I've said all this before on /., but let me explain again:

The Sender Policy Framework (SPF) so-called spam solution is being adopted all over the place without nary a complaint. But think about it. Tim Berners-Lee didn't just envision a web of equitable bandwidth, he envisioned a web of peers---a web of end points, all equally valid. What happens when my system is no longer considered a valid end point? Suddenly, we have a network of clients and servers rather than peers. When the SPF process looks to verify that the sender is the one valid smtp server for the mail address' domain (based on either MX or A records), it devalues all non-domain level systems on the web. Peers on the network become clients, fed valid packets from those servers that are approved to pass said packets. The SMTP semantic paradigm moves from Sender>Receiver to Server>Client.

But no one really cares because there is some belief that this will help reduce spam. It will, but so will turning off our mail clients. Neither is the right solution. The solution is a newer, better mail protocol, many of which have been proposed that DO NOT devalue the peers of the network. Probably one of the better known of the examples is the IM2000 protocol [homepages.tesco.net] .

But we'd rather have a network of tiered rights, I suppose, than deal with the mess of changing a protocol for real.

In programming circles, this is called cruft. "What, the existing app doesn't do all that's needed because we didn't think we'd need this functionality? Then just tack that functionality on it." Sometimes it makes sense to add small functional differences to an extant app. Sometimes it makes more sense to just move to an app that does what you want out of the box instead. This is an example of the second, but as a community, the Internet seems to have decided to do the first. The ISPs love it. It further adds control in their own hands (server-client models make them more powerful online) but why in God's name should we agree to use it?

Tom Caudron
http://tom.digitalelite.com/ [digitalelite.com]

Re:Have they released a SenderID SDK? (2, Insightful)

sgtrock (191182) | more than 7 years ago | (#16557928)

I recommend that you spend a little time studying the history of the Internet before making these kinds of statements. Spend even more time studying how electronic mail was originally designed, and how it has evolved. I think you'll find that far from being 'cruft', a client/server model was exactly the model that the original designers wanted for a variety of very good reasons.

The Internet didn't start with the Web, after all.

Re:Have they released a SenderID SDK? (0)

Anonymous Coward | more than 7 years ago | (#16559180)

The Sender Policy Framework (SPF) so-called spam solution is being adopted all over the place without nary a complaint. But think about it. Tim Berners-Lee didn't just envision a web of equitable bandwidth, he envisioned a web of peers---a web of end points, all equally valid.

What the hell does Tim Berners-Lee and the Web have to do with SMTP and email? He didn't "envision" jack about the latter.

Re:Have they released a SenderID SDK? (1)

bfields (66644) | more than 7 years ago | (#16559712)

I'm sympathetic to this sort of democratic argument that all peers should have equal capabilities, but....
it devalues all non-domain level systems on the web
.... what's a "domain level system", and what's so hard about getting one? A DNS name doesn't strike me as a big barrier to entry.

Brr... (2, Funny)

Mikachu (972457) | more than 7 years ago | (#16555612)

It's a little cold in hell for this time of year, don't you think?

Re:Brr... (2, Funny)

gbobeck (926553) | more than 7 years ago | (#16555946)

Well, let's see. Hell, MI has the zip code 48169 and is located at 422605N, 835906W. Using Yahoo weather, we can look up weather for that zipcode.

from http://weather.yahoo.com/forecast/USMI0672.html [yahoo.com] , the weather on 23 October 2006 at 12:15 am EDT is:

Fair, 34F. Barometer is 29.93 in and steady, and 87% humidity. There is a 7 mph west wind.

Of course, conditions will change, so keep on watching for Hell to freeze over.

Re:Brr... (1)

Mike89 (1006497) | more than 7 years ago | (#16556352)

Of course, conditions will change, so keep on watching for Hell to freeze over.
Too late [wikipedia.org]

Can we get the FUD tag now? (0, Troll)

zappepcs (820751) | more than 7 years ago | (#16555622)

More MS FUD about being open, yet MS has never yet shown themselves to be anything but self-interested proprietary money grabbers... Okay, yes, that sounds vaguely troll-like, but let's be realistic (no smoke without fire) and say, we really need to see genuine advances on the part of MS to believe anything they say, or that others might say nicely about them.

Not to be the boy who cried wolf, but why does anything that MS does that even sounds vaguely like Open Source make the news if it isn't Open Sourced? Just sounds like more FUD to me.... call me cynical, but I don't like when my OS calls home and does other things I don't want it to. When you count the brass tacks, this is just more propaganda

Re:Can we get the FUD tag now? (1)

AchiIIe (974900) | more than 7 years ago | (#16555664)

> Okay, yes, that sounds vaguely troll-like, but let's be realistic

I disagree sir, that sounds like a troll to me. There is nothing FUD about this story.

> Not to be the boy who cried wolf, but why does anything that MS does that even sounds vaguely like Open Source make the news if it isn't Open Sourced?

http://slashdot.org/articles/05/01/30/1433226.shtml [slashdot.org]

Re:Can we get the FUD tag now? (1)

Bucaro (758451) | more than 7 years ago | (#16555734)

I am serious. No Troll. I am just sick of the damn Cialis, Viagra, whatever the hell they come up with next emails and having to change my email address all the damn time. I figure if M$ does come out with SenderID, even if they are using FUD, I can actually open my inbox without deleting half of it. I have email addresses that I have never used for anything outside of school that get spammed with stock quotes or random crap all the time. With M$ putting some money behind SenderID and getting a few people to join up with them (even if they are only screwed later -- think Zune and Plays for sure) then there will still be a large following. Maybe making SenderID standard with Outlook Express with Vista they can get the standards ball rolling. I can even see the warning now .... the message you are about to read does not have a SenderID, and may possibly be spam. Have them download the latest version of Microsoft Outlook/Entourage/Linux-STFU so the origin of this message can be verified.

Re:Can we get the FUD tag now? (4, Informative)

nmb3000 (741169) | more than 7 years ago | (#16555686)

> More MS FUD about being open

What? Do you even know what FUD is? Fear Uncertainty and Doubt. It's usually meant to mean the kind of news Microsoft might release saying "OMG Linux is insecure!!!~" or SCO saying "WTF Linux newbs must pay money or we'll sue!!!". Microsoft trying to show some interest in open standards certainly does not qualify as FUD, especially since this isn't the first open stuff they've done [sourceforge.net] .
  • (no smoke without fire)
  • Not to be the boy who cried wolf
  • count the brass tacks

I think we have a finalist for the category 'Most Useless Cliches in a Slashdot Post'. Congratulations, however I've never heard of actually counting the brass tacks (though it appears I'm not alone [google.com] ) :)

Re:Can we get the FUD tag now? (0)

zappepcs (820751) | more than 7 years ago | (#16555720)

Despite your disregard for my opinion (doesn't matter) the matter of counting brass tacks is in the meaning of counting final facts, or summarizing the facts:

Brass tacks is an object used in the popular expression "get down to the brass tacks". The expression usually means clearing out confusing details and finding out the real facts about something. The etymology of the expression likely has roots in the way fabric manufacturers used to mark out a yard in tacks on the counter so customers could buy their fabric accordingly.

Meaning that when you count the brass tacks, you have finalized the facts, or sale, or truth.

YMMV

Re:Can we get the FUD tag now? (0)

Anonymous Coward | more than 7 years ago | (#16555826)

> Brass tacks is an object

Is they? C'mon, if you're going to paste unattributed Wikipedia content to shore up your weird-ass made-up phrases, at least clean up the grammar a bit first.

(You missed a chance there, though - you could just have added your made-up phrase to Wikipedia, then referenced the article as incontrovertible truth.)

> YMMV

Yes, at the end of the day, YMMV, but you've got to take the rough with the smooth, and really it's just swings and roundabouts and when all's said and done it's six of one and half a dozen of the other.

Did I miss any?

Re:Can we get the FUD tag now? (1)

IdolizingStewie (878683) | more than 7 years ago | (#16555872)

GP's grammar was correct. Admittedly it probably should have been "'Brass tacks' is an object," but he is referring to the words themselves, not the tacks. As there is only one subject to that sentence, the verb is correctly singular.

Re:Can we get the FUD tag now? (1)

suv4x4 (956391) | more than 7 years ago | (#16556008)


> > More MS FUD about being open

> What? Do you even know what FUD is? Fear Uncertainty and Doubt.

Of course he knows what FUD is. But why stop there.

This FUD about MS being open is nothing compared to the FUD that Vista is secure or the FUD that IE7 is a decent browser.

The worst FUD is that Microsoft isn't some evil empire of giggling mutants who want to take over the world: it's in fact lots of smart (and some not so) developers working on their designated products, some marketing guys, some clerks and some lawyers united under a common title.

This promotes doubt and uncertainty.

But it mostly promotes fear: be afraid, be really afraid!

/me throws away torch from under chin

Re:Can we get the FUD tag now? (1)

Extide (1002782) | more than 7 years ago | (#16555758)

Why do people compare MS to the Open Source community? Can't be done. Simple fact is, MS is a business, the Open Source community is exactly that, a community. The only reason businesses exist, is to make money.

Re:Can we get the FUD tag now? (0)

Anonymous Coward | more than 7 years ago | (#16556890)

> The only reason businesses exist, is to make money.

In an immoral country like the US, that's true. It's all about protection from risk, not about responsibility.

Sender ID, SPF, DomainKeys (5, Interesting)

bcrowell (177657) | more than 7 years ago | (#16555702)

So now we have Sender ID [wikipedia.org] , SPF [wikipedia.org] , and DomainKeys [wikipedia.org] .

AFAICT, they all aim to accomplish similar things. Unfortunately, there's no consensus on which to use, and that means that they're all basically useless. One of these mechanisms would only become useful if virtually everybody used it, because then people could refuse to accept e-mail that didn't use it. Gmail and yahoo both use DomainKeys, which suggests that it's something that can really be implemented successfully in the real world. Looking at the Wikipedia articles, Sender ID seems to have problems because it breaks preexisting standards (see "Standardization issues"). My impression is that a lot of people looked at DomainKeys and said, "oooh, scary, it uses crypto." But hey, this is 2006, not 1992. Strong crypto is everywhere. Is there any reason not to go ahead and standardize on DomainKeys?

Re:Sender ID, SPF, DomainKeys (2, Insightful)

ldspartan (14035) | more than 7 years ago | (#16555904)

DomainKeys doesn't break forwarding and... you know, SMTP. DomainKeys doesn't require mail servers to rewrite the headers on every message ever.

In short, DomainKeys wasn't designed by idiots, while the other two apparently were.

I'm unbiased! pffffft :P

--
phil

Re:Sender ID, SPF, DomainKeys (2, Interesting)

RyanAXP (60761) | more than 7 years ago | (#16555952)

SPF most certainly was not written by idiots, although MS's wacky SenderID carries the distinctive odor of cretinism. What you should perhaps understand is that SPF and DomainKeys/DKIM are complementary to each other, while SenderID bears all the hallmarks of yet another "just incompatible enough" Microsoft "extension" to SPF.

Re:Sender ID, SPF, DomainKeys (3, Insightful)

DA-MAN (17442) | more than 7 years ago | (#16556090)

> DomainKeys doesn't break forwarding and... you know, SMTP.

DomainKeys breaks a lot of things. As one of the maintainers of the QmailToaster [qmailtoaster.com] project, I've run across a lot of people where DomainKeys breaks their entire setup.

1) If you forward your mail to an upstream server (sendmail smarthost, Exchange SMTP Connector, etc), DomainKeys will always be void.
2) If you have a backup mail server or a scanning mail server that receives and then transfers to your primary mail server un-modified (IE doesn't remove the DomainKeys) then your main mail server will reject it.

DomainKeys sucks. SPF sucks, SRS is a hack.

Re:Sender ID, SPF, DomainKeys (0)

Anonymous Coward | more than 7 years ago | (#16556338)

> 1) If you forward your mail to an upstream server (sendmail smarthost, Exchange SMTP Connector, etc), DomainKeys will always be void.

huh? Your upstream rewrites all your headers or changes the body content? Since when is it ok for an upstream to do that?

> 2) If you have a backup mail server or a scanning mail server that receives and then transfers to your primary mail server un-modified (IE doesn't remove the DomainKeys) then your main mail server will reject it.

Huh? Why would you set up your mail server to reject a message because of a header?

Re:Sender ID, SPF, DomainKeys (1)

DA-MAN (17442) | more than 7 years ago | (#16556486)

> > 1) If you forward your mail to an upstream server (sendmail smarthost, Exchange SMTP Connector, etc), DomainKeys will always be void.

> huh? Your upstream rewrites all your headers or changes the body content? Since when is it ok for an upstream to do that?

From http://antispam.yahoo.com/domainkeys [yahoo.com]

> Why sign the entire message?
>
> DomainKeys signs the entire message to allow the receiving server to also verify that the message wasn't tampered with or altered in transit. By signing the headers and the body, DomainKeys makes it impossible to reuse parts of a message from a trusted source to fool users into believing the email is from that source.

Your upstream server doesn't rewrite the header. It adds a header stating that the mail was tunneled through it. DomainKeys only works when the message travels from point A to point B. Period. End of Story.

> > 2) If you have a backup mail server or a scanning mail server that receives and then transfers to your primary mail server un-modified (IE doesn't remove the DomainKeys) then your main mail server will reject it.

> Huh? Why would you set up your mail server to reject a message because of a header?

DomainKeys is supposed to help find invalid e-mail. The sign of an invalid e-mail is a bad DomainKey Signature.

A DomainKey signature will be bad if you have a backup server or a scanning server (as it adds its name into the transferred headers) into an e-mail that's not supposed to be modified at all during transit.

If you're not rejecting e-mail that is failing DomainKey validation, why even bother to implement DomainKey? It just doesn't make any sense.

Re:Sender ID, SPF, DomainKeys (1, Informative)

Anonymous Coward | more than 7 years ago | (#16556668)

With all due respect, you have no idea what you're talking about.
 
As long as 1) the sender uses the h= tag to list the headers it has signed*, and/or 2) the in-between server inserts its headers at the top of the message as specified in RFC822, the signature will still verify no matter what headers are added between sender and recipient.
 
The only way to break the signature is to modify the original headers or body, or inserting new headers below the DomainKey signature.
 
Please read the spec before describing weaknesses in the protocol.
 
* If the h= tag is used, these in-between servers can modify headers that aren't listed in the h= tag without mooting the signature.

Re:Sender ID, SPF, DomainKeys (0)

Anonymous Coward | more than 7 years ago | (#16558872)

Your post would be better without the "Huh?"s.

Re:Sender ID, SPF, DomainKeys (1)

iritant (156271) | more than 7 years ago | (#16557328)

There are certainly problems with DomainKey and DKIM [dkim.org] but I cannot glean from what you wrote that you and I agree on what those problems are. If you do NOT modify the body or one of the protected headers, DKIM will pass validation no problem (I say this as someone who has his mail validated this way every day).

I will speak to DKIM since that is what the IETF [ietf.org] is standardizing on, and that is the code you can get for free on SourceForge. DKIM's biggest advantage is that it does not care about how the mail gets to your mailbox, that there might be intervening MX forwarders or other mechanisms, that convolute the path, and that these may or may not participate in whatever path-based games SPF and Sender-ID presume. DKIM's biggest disadvantage is not for everyday mail, but primarily relating to mailing lists, where validation of the content becomes a problem, when it is altered. A DKIM header contains a header signature and a body hash. The body hash becomes invalid when you add stuff like mailing list info, or if you normalize the output in any way, which some systems do.

The answer to all of this is for those systems to take responsibility for the message and apply appropriate policies before forwarding. This means that a mailing list should, yes, check whatever reputation service and then make a decision as to whether or not the sender is to be trusted (assuming a valid and acceptable signature).

It also means that corporate mail servers should perform validation PRIOR to any monkeying of the headers or the body. Whatever fragility can thus be mitigated.
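
The behaviour argued over in the posts above (relays adding headers, the h= list, the body hash and mailing lists), as an added example that is not part of any post and not DomainKeys or DKIM code. It is a simplified model of a DKIM-style signature: an HMAC with a shared key stands in for the public-key signature, and the `Demo-Signature` header name, the canonicalisation and the message are all constructed for illustration.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"   # assumption: stands in for the signer's key pair
SIG = "Demo-Signature"          # hypothetical header name, not a real DKIM field

# Constructed message: a list of (name, value) headers plus a body.
HEADERS = [
    ("From", "Alice <alice@example.org>"),
    ("To", "dev-list@lists.example.net"),
    ("Subject", "Quarterly report"),
    ("Date", "Mon, 23 Oct 2006 10:00:00 +0000"),
]
BODY = "Numbers attached.\r\n"


def body_hash(body):
    """Hash the body after dropping trailing blank lines."""
    canon_body = body.rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canon_body.encode()).digest()).decode()


def canon(name, value):
    """Lower-case the field name and collapse runs of whitespace."""
    return f"{name.lower()}:{' '.join(value.split())}\r\n"


def pick(headers, names):
    """For each name listed in h=, take the bottom-most unused instance."""
    left, out = list(headers), []
    for name in names:
        for i in range(len(left) - 1, -1, -1):
            if left[i][0].lower() == name.lower():
                out.append(left.pop(i))
                break
    return out


def mac_over(headers, names, unsigned_tags):
    """MAC over the listed headers plus the signature header with b= empty."""
    data = "".join(canon(n, v) for n, v in pick(headers, names))
    data += canon(SIG, unsigned_tags)
    digest = hmac.new(KEY, data.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign(headers, body, names):
    """Prepend a signature header covering `names` and the body hash."""
    tags = f"v=1; h={':'.join(names)}; bh={body_hash(body)}; b="
    return [(SIG, tags + mac_over(headers, names, tags))] + list(headers)


def verify(headers, body):
    """Return 'pass', 'none', or a 'fail: ...' string naming what broke."""
    sig = next((v for n, v in headers if n == SIG), None)
    if sig is None:
        return "none"
    head, _, b = sig.partition("; b=")
    tags = dict(t.strip().split("=", 1) for t in head.split(";"))
    if tags["bh"] != body_hash(body):
        return "fail: body hash"
    others = [(n, v) for n, v in headers if n != SIG]
    expected = mac_over(others, tags["h"].split(":"), head + "; b=")
    return "pass" if hmac.compare_digest(b, expected) else "fail: header signature"


def scenarios():
    """Run the handling steps discussed in the thread against one signed message."""
    signed = sign(HEADERS, BODY, ["From", "To", "Subject", "Date"])
    relayed = [("Received", "from backup-mx.example.net by mx.example.org")] + signed
    # X-Spam-Status is not listed in h=, so its position does not matter.
    scanned = relayed + [("X-Spam-Status", "No, score=0.1")]
    retitled = [(n, "[dev-list] " + v if n == "Subject" else v) for n, v in signed]
    footer = "-- \r\ndev-list mailing list\r\n"
    return {
        "untouched": verify(signed, BODY),
        "relay prepends Received": verify(relayed, BODY),
        "scanner adds unsigned header": verify(scanned, BODY),
        "list appends footer": verify(signed, BODY + footer),
        "list rewrites Subject": verify(retitled, BODY),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30} {result}")
```

A relay or scanner that only adds headers outside the h= list leaves the result at pass; the two mailing-list changes are the ones that fail, which is why validation has to happen before such a system alters the message.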

Re:Sender ID, SPF, DomainKeys (1)

kitterma (757172) | more than 7 years ago | (#16557450)

Right. DomainKeys doesn't break forwarding, it breaks mailing lists instead.

Pick your poison.

Re:Sender ID, SPF, DomainKeys (1)

Mr Fodder (93517) | more than 7 years ago | (#16555918)

For the record Google also checks the SPF, though I'm not sure if they actually do anything with it (as I've seen messages that fail still get through)

The following is from one of my emails:

Received-SPF: pass (gmail.com: domain of ***@yahoo.com designates 68.142.206.106 as permitted sender)

Re:Sender ID, SPF, DomainKeys (3, Interesting)

DA-MAN (17442) | more than 7 years ago | (#16556166)

> For the record Google also checks the SPF, though I'm not sure if they actually do anything with it (as I've seen messages that fail still get through)
>
> The following is from one of my emails:
>
> Received-SPF: pass (gmail.com: domain of ***@yahoo.com designates 68.142.206.106 as permitted sender)


That's peculiar because Yahoo! doesn't publish SPF records.

Typical SPF Record:
$ host -t txt gmail.com
gmail.com text "v=spf1 redirect=_spf.google.com"
$


Yahoo!
$ host -t txt yahoo.com
$

Re:Sender ID, SPF, DomainKeys (1)

svindler (78075) | more than 7 years ago | (#16556552)

Could be that Google has created their own txt entry for yahoo.com in the dns servers that their mail servers use.

I see a lot of spam which appears to be from @yahoo.com users but coming from a gazillion different mail servers ( and no, I actually don't see the mails, I just see the reports on a number of mail servers).

Re:Sender ID, SPF, DomainKeys (2, Informative)

Just Some Guy (3352) | more than 7 years ago | (#16557770)

> That's peculiar because Yahoo! doesn't publish SPF records.

The default is to guess at permitted relays for a domain, so smtp.example.com would be allowed to forward @example.com email. Perhaps it should have read:

Received-SPF: pass (gmail.com: domain of ***@yahoo.com designates 68.142.206.106 as permitted sender, or doesn't designate anything at all but got lucky this time)

but that's a bit more verbose.

Re:Sender ID, SPF, DomainKeys (4, Informative)

Zeinfeld (263942) | more than 7 years ago | (#16555944)

Actually Sender-ID and SPF are the exact same thing. Both allow the sender to describe their email sending configuration in identical terms. The only difference is what receivers decide to do with the information. That part is outside the scope of any sane spec since the whole point of spam control is that the recipients not the senders get to decide.


There is a big difference between Sender-ID and Domain Keys, Sender-ID uses the IP address of the outgoing email server. DKIM uses public key cryptography. We knew at the start that it would take about four years to agree a cryptographic standard hence the decision to adopt a two track approach.


This is not a VHS vs Betamax competition. There are genuine differences in the specs. If you are going to deploy one you have to do much of the work required for the other.


One of the core problems in MARID was that most of the people involved had little experience of the standards process and no inclination to accept reasonable compromises. Another problem is that the IETF rushed the formation of the group in order to prevent a rival standards body moving in on their turf. This pre-empted the negotiations I was moderating in an attempt to agree on a common proposal before the working group was chartered. As soon as the WG was chartered with an open charter the way was open for third party groups to introduce additional proposals even though they had no support from any constituency.


The original patent license terms were not unusual or unreasonable. It was just that a number of persons decided to make an objection in this case to a practice that nobody had objected to for over a decade. As a result of the SCO case the patent lawyers at several large companies (not just Microsoft) had determined that the reciprocation clause in the traditional open patent license was probably not enforceable if there was an open sublicense clause.


Some people decided to make SPF the place to fight this particular battle and started making unjustified accusations of bad faith on Microsoft's part. Then a splinter group decided to exploit the situation and propose a completely unrelated specification that had no commercial support whatsoever.


The point that was lost on many participants was that the only reason to go to a standards body is to get buy in for a proposal. If you want the best technical proposal you should not involve more than five people in the design.


Sender-ID is not incompatible with SPF as alleged. The only difference is at the recipient side and the recipient cannot be forced to interpret SPF or Sender-ID in any particular way. We had agreement in the WG to proceed on a common spec and nobody found any problems until the patent issue was raised.

Re:Sender ID, SPF, DomainKeys (1)

killjoe (766577) | more than 7 years ago | (#16556024)

Standards don't mean shit unless MS implements them. SPF didn't go anywhere because MS REFUSED to implement it. That was despicable considering every other SMTP server implements it.

MS wants people to think they are pro standards but look at their implementation record. Not pretty.

Re:Sender ID, SPF, DomainKeys (3, Informative)

statemachine (840641) | more than 7 years ago | (#16556760)

> Actually Sender-ID and SPF are the exact same thing. Both allow the sender to describe their email sending configuration in identical terms. The only difference is what receivers decide to do with the information.


But it's a huge difference for the receiver, whether or not you feel it's sane.

1) SPF regulates the envelope sender. Sender-ID regulates the TO: field.

2) SPF can be used to reject incoming messages before any data is sent. Sender-ID has to (at least) wait for the TO: field to be sent along with the rest of the DATA part -- which doesn't limit bandwidth consumption very much.

3) If the MTA isn't going to reject messages and only add to the score, then Sender-ID will be fine for you. If you want to reject messages to avoid tying up your MTA (and lower your bandwidth consumption), SPF is the way to go.

And for the parting shot (not against the parent), DomainKeys is just too much of a load on a busy server, IMHO, because it requires computing a hash for every single message. It just doesn't scale. It has other severe problems too, but I saw them adequately discussed earlier.

Re:Sender ID, SPF, DomainKeys (1)

statemachine (840641) | more than 7 years ago | (#16556780)

Sorry for any confusion. I meant to say: Sender-ID regulates the FROM: field.

Re:Sender ID, SPF, DomainKeys (1)

Keeper (56691) | more than 7 years ago | (#16557158)

Regulating the envelope sender is rather useless. Yes, spammers typically forge the sender as well as the from fields. However, a "valid" sender can still forge the from address.

Re:Sender ID, SPF, DomainKeys (1)

terrahertz (911030) | more than 7 years ago | (#16557474)

> Actually Sender-ID and SPF are the exact same thing.

According to OpenSPF's comparison of the two systems [openspf.org] , that's not true:

"Executive summary

SPF and Sender ID are not the same. They differ in what they validate and what "layer" of the e-mail system they are concerned with. Sender ID is not the latest version of SPF - it is a new and independent experiment. The "spf2.0" tag name is a historical accident. Neither is better because they address different problems. There is controversy because Sender ID is incompatible with existing specifications. Microsoft is aware of the problem and representatives of theirs have stated that they have no plans to fix it. There are practical work-arounds for SPF and Sender ID users."


Additionally, the problem with Sender ID being "incompatible" is due to the "recommended" specification:

"The Sender ID specification contains a recommendation to use SPF's v=spf1 policies -- which are originally defined to apply to MAIL FROM and HELO identities only -- and apply them to the PRA identity as well. Specifically, it says to consider v=spf1 as equivalent to spf2.0/mfrom,pra. This is technically wrong, as is explained in detail below. Sender ID implementors should correct this and treat v=spf1 records as equivalent to spf2.0/mfrom. Unfortunately this mistake in the Sender ID specification was not corrected prior to its publication despite an appeal from the SPF project."


I have not implemented Sender ID in my systems on principle -- I agree with OpenSPF that Sender ID's recommended implementation is, in a word, stupid. So far, SPF by itself is working out great for me.
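
The difference discussed in the posts above (SPF judging the envelope sender, Sender ID judging the PRA taken from the headers, and whether a v=spf1 record should be applied to the PRA), as an added example that is not part of any post and not code from either specification. Everything in it is constructed or assumed: the DNS table, the list post, a simplified PRA header order (Resent-Sender, Resent-From, Sender, From), support for only the ip4, ip6 and all mechanisms, and the rule that an explicit spf2.0 record for a scope takes precedence over v=spf1.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records; domains and addresses are documentation ranges.
DNS_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "lists.example.net": ["v=spf1 ip4:198.51.100.25 -all"],
    "example.com": ["v=spf1 ip4:203.0.113.0/24 -all", "spf2.0/pra ?all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LIST_IP = "198.51.100.25"               # constructed list server address
ENVELOPE = "bounces@lists.example.net"  # constructed MAIL FROM used by the list


def list_post(author):
    """Constructed list post: author stays in From:, no Sender:/Resent-* added."""
    return f"From: {author}\nTo: dev-list@lists.example.net\nSubject: hi\n\nbody\n"


def scopes_and_terms(record, v1_covers_pra):
    """Split one TXT record into (scopes, terms); None if it is not a policy."""
    version, _, rest = record.partition(" ")
    version = version.lower()
    if version == "v=spf1":
        # The disputed point: does a v=spf1 record also speak for the PRA?
        return ({"mfrom", "pra"} if v1_covers_pra else {"mfrom"}), rest.split()
    if version.startswith("spf2.0/"):
        return set(version[len("spf2.0/"):].split(",")), rest.split()
    return None


def select_policy(domain, scope, v1_covers_pra):
    """Terms of the record governing `scope`, or None when none applies.
    Assumption: an explicit spf2.0 record for the scope beats v=spf1."""
    best = None
    for txt in DNS_TXT.get(domain, []):
        parsed = scopes_and_terms(txt, v1_covers_pra)
        if parsed and scope in parsed[0]:
            explicit = txt.lower().startswith("spf2.0/")
            if best is None or (explicit and not best[0]):
                best = (explicit, parsed[1])
    return None if best is None else best[1]


def evaluate(terms, ip):
    """Evaluate ip4/ip6/all mechanisms only; the first match decides."""
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        # a, mx, include, redirect and the rest are outside this sketch
    return "neutral"


def pra(msg):
    """Simplified PRA selection: first header present in this fixed order."""
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(header):
            return parseaddr(msg[header])[1]
    return ""


def check(ip, mail_from, raw_message, v1_covers_pra):
    """Result per identity. MAIL FROM is known before DATA; the PRA needs the
    headers, so it can only be judged once the message has been transferred."""
    msg = message_from_string(raw_message)
    results = {}
    for scope, identity in (("mfrom", mail_from), ("pra", pra(msg))):
        domain = identity.rpartition("@")[2].lower()
        terms = select_policy(domain, scope, v1_covers_pra)
        results[scope] = (identity, "none" if terms is None else evaluate(terms, ip))
    return results


if __name__ == "__main__":
    for author in ("alice@example.org", "bob@example.com"):
        for v1_covers_pra in (True, False):
            print(author, v1_covers_pra,
                  check(LIST_IP, ENVELOPE, list_post(author), v1_covers_pra))
```

With `v1_covers_pra=True` the list post from alice@example.org passes the envelope check but fails the PRA check against a record its publisher wrote only for MAIL FROM; reading v=spf1 as mfrom-only, or an explicit spf2.0/pra record as example.com publishes here, removes that failure.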

The original MS patent license & v=spf1 vs. PR (2, Interesting)

Julian Mehnle (517566) | more than 7 years ago | (#16559384)

Some of what you write is debatable, but some isn't.

> The original patent license terms were not unusual or unreasonable. It was just that a number of persons decided to make an objection in this case to a practice that nobody had objected to for over a decade.

Saying that is ignoring the facts. Both the ASF [apache.org] and the Debian [debian.org] project classified Microsoft's license for their patent as inherently incompatible with free software. And patents on e-mail standards, unlike patents on many other IT technologies, are a very particular problem because a very large (if not the larger) part of the e-mail server world runs on free software. Go read the ASF's and Debian's explanations, they certainly did do their homework.

> Sender-ID is not incompatible with SPF as alleged. The only difference is at the recipient side and the recipient cannot be forced to interpret SPF or Sender-ID in any particular way.

(To be explicit about my motives: I am the one who appealed to the IESG/IAB on behalf of the SPF project about the reuse of "v=spf1" records for the PRA algorithm [wikipedia.org] in the Sender ID specification.)

You correctly point out that a communication standard is little more than a silent agreement between senders and receivers that only works if the receiving party tries their best not to misinterpret what the sending party meant. But then you simply quit the subject, assuming that communication standards will work even with everyone interpreting stuff their way, because, after all, there is no protocol police, thank you. Sorry, but "compatible" means something else to me.

> We had agreement in the WG to proceed on a common spec and nobody found any problems until the patent issue was raised.

Again you are missing the facts. Quoting from my appeal to the IESG:

> It is also worth noting that at the time the MARID WG was closed [in September 2004 [imc.org] ], the then-current Sender ID specification draft-ietf-marid-protocol-03 [archive.org] did not include the re-use of "v=spf1" records for PRA checking. This was only introduced in [Microsoft's] individual submission draft-lyon-senderid-core-00 [archive.org] in October 2004. Also did Microsoft's record generation wizards generate only "v=spf2.0/pra" records [listbox.com] until the end of October [listbox.com] , when they began generating only "v=spf1" records.

Read the appeal [ietf.org] . It connects a lot of dots that many do not like to remember.

When to use SPF instead of DomainKeys (2, Informative)

billstewart (78916) | more than 7 years ago | (#16556644)

Look, crypto is a fine thing if it's doing what you want, and DKIM may be useful *after* a message has passed an SPF check, but they're doing different things, even though both of them are ostensibly about preventing joe jobs and other forgeries.


SPF lets a domain administrator specify that all mail from that domain will come from one of the specific servers, so you can trash crude forgeries quickly at the cost of a couple of DNS lookups, and incidentally trash a lot of phishing spam without burning up lots of CPU.


DKIM lets an administrator specify crypto keys that will be used to sign real email from that domain, so you can validate it at the cost of a lot of CPU. That's useful for checking mail that purports to be from *your* bank but might be a *good* forgery. But it's a waste of CPU for checking mail from banks you don't care about, or the 99.44% of purported PayPal/eBay messages that are fake, since you can use SPF to discard the ones sent by zombies, Chinese spammers, address-space hijackers, etc.

So maybe you want both, or maybe you'll use other methods to deal with the good forgeries. But SPF lets you trash a lot of the crude phishing spam before you do any heavy lifting. (Of course, it won't protect you from mail purporting to be from PayPalSecurityLtd.co.uk or Paypal.aq, and spammers will fight back by polluting the namespace, but it's at least some help.)

Re:Sender ID, SPF, DomainKeys (0)

Anonymous Coward | more than 7 years ago | (#16556900)

I use Yahoo mail and right after Domain keys implemented, there is zero amount of phishing in my inbox. I have also noticed highly respected Spamcop.net uses domainkeys for their (spamcop accepted mails) mails alerts.

If you are running Linux or advanced Windows setup, you won't notice how serious phishing problem is. Remember the times you wouldn't click IP hostnames? They are now using compromised hosts with real SSL certificate!

This URL will show a glimpse of the current, evil phishers:
http://www.phishtank.com/ [phishtank.com]

BTW, it is free service of OpenDNS people with free SDK.

If Yahoo and Gmail uses in real life with success, Microsoft should adopt it.

Why not just fix Windows? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#16555712)

These days, the problem of spam is mostly caused by compromised Windows systems which unknowingly send out millions of such messages a day each. Thus the best way to fix the problem of spam is to get it at the root: Windows.

It won't be an easy task for Microsoft, but they'll need to bring the security level of Windows up to at least that of Linux, Solaris, MacOS X and the BSDs. Not only will they have to manage that for any new Windows products, but they'll also have to retrofit those security enhancements all the way back to at least Windows 95. They'll have to make sure that those changes don't break any existing applications, so it'll be a very significant challenge.

Re:Why not just fix Windows? (0)

zappepcs (820751) | more than 7 years ago | (#16555738)

Tonight, I think someone will mod you troll for that comment... oooohhhh

Re:Why not just fix Windows? (1)

dubonbacon (866462) | more than 7 years ago | (#16555844)

Why not just kill Windows as we know it instead of "fixing" it.

Re:Why not just fix Windows? (1)

flyingfsck (986395) | more than 7 years ago | (#16555998)

Why not kill Windows?

Because 'ps -e | grep win.exe' and 'kill -9 $PID' don't work on Windows...

Re:Why not just fix Windows? (1)

Fred_A (10934) | more than 7 years ago | (#16556964)

> Why not just kill Windows as we know it instead of "fixing" it.
Hasn't this been tried already ? When it was rewritten as NT 4, then NT 5 and now as Vista ?
So far although the system has gotten a bit more useable (or rather less brittle), killing the thing and starting over hasn't yielded stellar results either (except to the bottom line, which is the only one that really counts of course). Plus it still needs fixes :)

Re:Why not just fix Windows? (2, Interesting)

ATinyMouse (703798) | more than 7 years ago | (#16556270)

I realize this is Slashdot and Microsoft is a convenient scapegoat, but I have to disagree with your statement. Compromised Windows systems may play a large roll in SPAM delivery today, but they aren't the root of the problem. If you want the root, look at any ISP that allows unauthorized hosts to send mail. They deserve far more blame than Microsoft does. You'd think with the cost of bandwidth, the tools available for detecting, and the problem with SPAM today, ISP's would be doing everything they could to tighten up their network. It doesn't really cost anything to put in blocks on port 25 and only allow traffic from authorized hosts, like their own email servers and customers paying for that capability.

Re:Why not just fix Windows? (1)

dangitman (862676) | more than 7 years ago | (#16556436)

> may play a large roll in SPAM delivery today,

Mmmm, SPAM rolls, home delivered? Delicious and convenient. Why would anyone object to that? ... Oh, you must have meant "spam."

Re:Why not just fix Windows? (1)

Fred_A (10934) | more than 7 years ago | (#16557018)

Well, I don't know how things work in the US, but here I'm not paying for a "Web connection", I'm paying for a connection to the network. As such I'm entitled to be a regular host on the Internet and to run whatever services I damn please. Because that's the purpose of the network. Of course the host in question does not run Windows.

If someone started filtering ports or doing whatever kind of crap upstream of me, I certainly wouldn't be amused. This could be somehow mitigated if the filters could be lifted on demand.

And before the usual "you should get a commercial line" objection is raised, I have to say I disagree with that line of reasoning. I don't need symmetric bandwidth (1 MB up is enough for me), I don't need the supposedly added reliability (in 5 or 6 years, my line has been down for maybe 2 or 3 hours). And everyone should be able to participate in the network in the way he sees fit as long as it's not disruptive.

So called "solutions" that are worse than the problem they pretend to solve shouldn't be considered.

Re:Why not just fix Windows? (1)

Antique Geekmeister (740220) | more than 7 years ago | (#16557260)

Nice FUD. You've confused SPF and SenderID with port filtering, and railed against all of them with claims about it being "worse than the problem they pretend to solve".

You obviously haven't experienced the problem of running a large mail server and having 50,000 fake email worm messages with your client's "FROM " addresses or other forged data cause the bounces to hammer your mail server into uselessness. The fakery of the "FROM " line is different than the classic "From:" forgery: it causes the faked server to get the bounce message. It makes complete sense for an ISP to say "only mail from these addresses is allowed to pretend it's directly from our domain", and publish DNS records that reflect this. This takes a huge load off of a lot of mail servers, and lets people who want to track the spam talk to the right address about it.

Re:Why not just fix Windows? (1)

Dragonslicer (991472) | more than 7 years ago | (#16557420)

Maybe you have your view threshold set too high or just didn't see the indentation of the posts correctly, but I believe he was responding to this:

> It doesn't really cost anything to put in blocks on port 25 and only allow traffic from authorized hosts, like their own email servers and customers paying for that capability.

Re:Why not just fix Windows? (1)

drsmithy (35869) | more than 7 years ago | (#16556920)

> These days, the problem of spam is mostly caused by compromised Windows systems which unknowingly send out millions of such messages a day each. Thus the best way to fix the problem of spam is to get it at the root: Windows.

You mis-spelled 'Users' there, chief.

> It won't be an easy task for Microsoft, but they'll need to bring the security level of Windows up to at least that of Linux, Solaris, MacOS X and the BSDs.

Given that all currently supported versions of Windows, from a technical perspective, have security capabilities that exceed those of most unixes, how do you propose they do more than they already have ?

Re:Why not just fix Windows? (1)

Antique Geekmeister (740220) | more than 7 years ago | (#16557284)

No, the spambots are almost entirely Windows. Take a look at the reports from the MIT spam conferences. The claim of "security capabilities" of Windows versus those of most other operating systems is nonsense for anyone with experience in the field.

Re:Why not just fix Windows? (2, Insightful)

RidiculousPie (774439) | more than 7 years ago | (#16557856)

> Given that all currently supported versions of Windows, from a technical perspective, have security capabilities that exceed those of most unixes, how do you propose they do more than they already have ?

It doesn't matter if these security measures are there if no one uses them. Windows still ships with new user accounts being administrator by default. The default group policy is very permissive, and acls do nothing versus the administrator user. If windows had decent sudo capabilities (yes I have used runas and credentials storing in shortcuts), which make it painful for the average user to run as anything other than Administrator.

Poor security by default is the real issue. Corporate entities can afford to create group policy and run users as non admins and have things like standard images if systems do get infected. A home user does not have the resources. Security needs to be on by default.

Huh? (0, Offtopic)

chmod a+x mojo (965286) | more than 7 years ago | (#16555754)

Is MS actually doing something right?

Personally, I don't see why they don't make their addon products available for open source platforms. It would seem to me to be common sense to support UNIX / Linux (seeing as how Office is/was available for Mac computers) that they would want to sell as many copies as possible. I mean think about it, if a company is not using Windows you are not making money. So sell them Office software instead, yes they could use an open source alternative but also offer or better yet bundle support with your apps.

Maybe they are "testing the waters" by "donating" to open standards and opening up APIs. Or it could all be a big PR stunt, but I am hoping for the former because competition is always good (as long as it is somewhat fair anyways).

Re:Huh? (3, Insightful)

Shados (741919) | more than 7 years ago | (#16555974)

Office probably has crazy R&D and coding costs(even if you find the quality of Office to be lacking, it doesn't change that, outsourcing aside, the programmers coding it for MS don't work for peanuts...they probably make 2-3 times what I make, and I don't work for peanuts myself!), so recoding the whole damn thing (even if you port the Mac version, I'm sure it uses a lot of Mac-only API), plus support, etc, it most likely would come down to a loss, or a very tiny profit margin: not worth the customers they'd -lose- from people who would move from Windows to *nix when they see Microsoft's alternate products available there.

embrace-and-extend ver 2.0 (0)

Anonymous Coward | more than 7 years ago | (#16555988)

So instead of the usual "embrace-and-extend", now it is donate-(wait for it to become standard)-and extend? :-)

You disgust me (4, Funny)

suv4x4 (956391) | more than 7 years ago | (#16556050)

This is Slashdot, and there's not even ONE anti-Microsoft post modded up!

MS could start the adoption wave (1)

cyberjessy (444290) | more than 7 years ago | (#16556226)

One good thing about MS driving this is that unlike some standards body which can only prescribe what to do, they could start implementing this on Exchange servers. While most of the mail servers are _not_ Exchange, this could start the adoption cycle.

Maybe something like how the "nofollow" tag became a standard to stop comment-spam on blogs. It isn't any official standard, but when blogger, and mov-type, wordpress and google followed it became an unofficial standard.

Re:MS could start the adoption wave (1)

Marcion (876801) | more than 7 years ago | (#16557008)

But nofollow is rubbish, I removed it from my Wordpress install. I want people to link to other articles. There is also no evidence that nofollow has reduced the quantity of spam but rather just hurt innocent small sites from getting anywhere on google.

Far more effective is Akismet or other blog comment controls. If you set up a site and then invite comments, then you should moderate your own comments, it is that simple.

SPF/Sender-ID is great in theory (2, Informative)

jonwil (467024) | more than 7 years ago | (#16556280)

However, until people start saying "these are the only mailservers permitted to send mail for my domain, anything else should be rejected outright", mailservers won't reject mail from support@paypal.com sent from paypalscam.ru.

Counterexample that proves the point! (1, Informative)

Anonymous Coward | more than 7 years ago | (#16556522)

You mention paypal. Paypal does, in fact, publish SPF records:

$ dig paypal.com txt
;; ANSWER SECTION:
paypal.com. 472 IN TXT "spf2.0/pra mx include:s._sid.ebay.com include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com include:spf-2._sid.paypal.com ~all"
paypal.com. 472 IN TXT "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com include:spf-1.paypal.com ~all"

If your mailserver checks for SPF, it will notice that paypalscam.ru is not on the list of paypal.com approved senders and make a decision. Whether you configure your mailserver to check SPF--and what you do with that information--is, of course, up to you. You can tell it to reject the message outright, or to put in a notification header and alert the user.

Don't blame SPF if you choose to disregard what it tells you. :)
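An added example, not part of the comment above and not code from any mail server: it parses the two TXT records quoted there, shows which identity each one covers (the envelope sender for `v=spf1`, the Purported Responsible Address for `spf2.0/pra`) and reads off what the trailing `~all` asks a receiver to do. The `receiver_action` policy and its `reject_softfail` switch are hypothetical local choices, and `include:`/`mx` targets are not resolved, since that needs DNS.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORDS = [  # the two TXT records quoted in the comment above
    "spf2.0/pra mx include:s._sid.ebay.com include:m._sid.ebay.com "
    "include:p._sid.ebay.com include:c._sid.ebay.com "
    "include:spf-2._sid.paypal.com ~all",
    "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com "
    "include:p._spf.ebay.com include:c._spf.ebay.com "
    "include:spf-1.paypal.com ~all",
]

def parse_record(txt):
    """Return the record kind, the identities it covers, and its terms."""
    version, *terms = txt.split()
    version = version.lower()
    if version == "v=spf1":
        kind, scopes = "SPF", ["mfrom"]  # envelope sender (MAIL FROM)
    elif version.startswith("spf2.0/"):
        kind, scopes = "Sender ID", version[7:].split(",")  # pra and/or mfrom
    else:
        raise ValueError("not an SPF or Sender ID record")
    mechanisms, modifiers = [], {}
    for term in terms:
        if re.match(r"[A-Za-z][\w.-]*=", term):  # modifier, e.g. redirect=
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:/]", body, maxsplit=1)[0]
        mechanisms.append((QUALIFIERS[qualifier], name.lower(), body[len(name):].lstrip(":")))
    return {"kind": kind, "scopes": scopes, "mechanisms": mechanisms, "modifiers": modifiers}

def default_result(record):
    """Result for a sender that matches nothing before the catch-all."""
    for result, name, _ in record["mechanisms"]:
        if name == "all":
            return result
    return "redirect" if "redirect" in record["modifiers"] else "neutral"

def receiver_action(result, reject_softfail=False):
    """Hypothetical local policy: reject, tag with a header, or accept."""
    if result == "fail" or (result == "softfail" and reject_softfail):
        return "reject"
    return "tag" if result == "softfail" else "accept"

if __name__ == "__main__":
    for rec in map(parse_record, RECORDS):
        print(rec["kind"], rec["scopes"], default_result(rec), receiver_action(default_result(rec)))
```

Both quoted records end in `~all`, so an unlisted sender gets softfail rather than fail; a record ending in `-all` is what yields an outright reject under this policy.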

Mod Parent Up, Please (2, Informative)

billstewart (78916) | more than 7 years ago | (#16556692)

Paypal and EBay are the two sites I most want to have using SPF or equivalent, because I get huge amounts of spam from them but also occasionally get real email from them if I've bought something. There are also a couple of banks that are big scammer targets, and it'd be nice to have their phish get trashed.


On the other hand, I've never had a problem with forged mail from the Bank of Nigeria, so maybe they don't need to use it :-)

Re:Counterexample that proves the point! (0)

Anonymous Coward | more than 7 years ago | (#16560184)

Can SpamAssassin do SPF lookups? I'd love to drop all that "Yoru account has be compromised!" emails from security@paypal.ru....

mod 0p (-1)

Anonymous Coward | more than 7 years ago | (#16556488)

nice, but lacking teeth (2, Interesting)

oohshiny (998054) | more than 7 years ago | (#16556620)

The terms of the OSP "promises" seem fine: irrevocability, general applicability, etc.

The trouble is that it's a "promise". A "promise" on a web page is not the same thing as a legally binding commitment.

The proper thing to handle this would be for Microsoft to submit the specification to a standards body with a legally binding contract and steep penalties should Microsoft break the contract and take legal action against anybody implementing the specification.

I can't tell why they aren't doing this. It could be

* arrogance ("we're too big to have to make a binding commitment to anybody"),

* it could be ignorance ("if we promise, it ought to be good enough"),

* or it could be nefarious ("the OSP will be good enough for commercial implementors, but it's not FOSS compliant", "they think it's open and binding, but we have hidden these pitfalls in the fine print").

Any guesses?

Note that Microsoft's spec is not needed, since there are already alternatives.

Re:nice, but lacking teeth (1)

Antique Geekmeister (740220) | more than 7 years ago | (#16557464)

Try another reason: by controlling the patent, but publishing it for "free" use, they avoid anyone else publishing a variant of it with a different signature authority. Microsoft is the owner, vendor, and signer of the SenderID keys: if another signature authority, that refuses to sell to spammers, shows up to use the same technology, Microsoft can slap them with a patent lawsuit.

We've seen very similar issues with SSL keys and the restrictions on the root signature authorities: Microsoft wants to remain the root keyholder for SenderID keys. The patent lets them do this.

SenderID and Outlook Express (1)

sacx13 (1011547) | more than 7 years ago | (#16556624)

SenderID doesn't have any importance when a lot of spam is coming directly through Outlook Express of the infected users. We will have spam with SenderID ...

Regards

Microsoft Office XML specs (1)

oohshiny (998054) | more than 7 years ago | (#16556630)

Not that I think OSP can be trusted, but it is interesting that the Microsoft Office XML specs apparently haven't even been released under OSP.

Breaking SMTP not a solution (2, Insightful)

fruey (563914) | more than 7 years ago | (#16556718)

All of these solutions have flaws. I'm with deBoynePollard on this:

An interesting take is to make the sender responsible for storing mail [cr.yp.to] : suggested by Dan Bernstein (DJB), the qmail guy.

There's always politics in it. Some people don't like DJB's attitude and they're anti-qmail and go for Postfix or sendmail.

Wietse Venema, the postfix guy, isn't too happy about SPF either [irbs.net] : but he does provide plugins for Postfix.

SPAM needs a solution, but breaking SMTP isn't the way to go IMHO. I think a well configured email server, RBLs, requiring reasonable RFC compliance and such will eliminate much SPAM. Spending energy on evangelising good mail server configuration is still the best way to go.

Re:Breaking SMTP not a solution (3, Insightful)

Just Some Guy (3352) | more than 7 years ago | (#16557892)

An interesting take is to make the sender responsible for storing mail: suggested by Dan Bernstein (DJB), the qmail guy.

As per typical DJB ideas, it's broken and only implements half the functionality of what it intends to replace. I've used this example before, so skip this if it sounds familiar:

A friend of mine hosts a customer that sends weekly newsletters to about 25,000 subscribers. With SMTP, my friend can spool the whole set and then watch as the mail queue flushes over time (measured in a small number of hours). It takes advantage of the fact that if 10,000 of those newsletters are going to @example.com addresses, it can deliver all 10,000 of them at once. In any case, his system delivers mail at the pace it can handle.

Enter DJB's scheme. Now, my friend delivers 25,000 "you've got mail!" notifications. Then, he watches in horror as 9AM EDT rolls around and 5,000 of his customer's customers simultaneously try to fetch unique copies of the newsletter to read with their morning coffee. Repeat at 9AM CDT, MDT, and PDT. His choice is to get out of the newsletter delivery business, or spend $$$$ on vastly increasing his bandwidth.

Basically, it's fundamentally broken. SMTP is more or less optimized for throughput. DJB's plan is more or less pessimized for latency.

Re:Breaking SMTP not a solution (2, Interesting)

fruey (563914) | more than 7 years ago | (#16558134)

That's a fair point. I suggested the DJB link as a talking point, and I'm glad it brought out an intelligent response. I just said it was an "interesting take" and has some ideas which are worthy of discussion.

For major businesses RSS & such would be a good way to deliver "subscriber" content. Bloggers can do the same. They can also take advantage of proxy hierarchies. Bandwidth is getting cheaper anyway. Newsletters sent massively are exploiting the same weak link that SPAMmers exploit, so it's a tough call!

The line between SPAM and opt-in newsletters is something that makes the process difficult. Most Internet protocols are based on trust, store & forward, and good network configuration. Where you can catch SPAM is to axe everything in your policy to fight it around bad config.

That is what I retain as my key point: better DNS config, better SMTP/MTA config... if marketing people have to send better formatted newsletters and run well configured DNS servers... Hotmail / GMail / Yahoo can already fix some rules for that and begin to oblige the newsletter sender's SMTP/MTA/DNS chain to be better configured.

Re:Breaking SMTP not a solution (1)

kitterma (757172) | more than 7 years ago | (#16558860)

Most of those are arguments against SRS, not SPF per se.

The architectural issue is that SPF checks have to be done at the trust boundary to be done correctly. In the forwarding case, that transition is at the forwarder (the forwarder is an agent of the receiver, not the sender). Alternatively, receivers can whitelist forwarders from SPF checks as it's already too late to do SPF correctly.

The bottom line is that receivers need to understand their mail architecture to check SPF. SRS is a hack that would simplify that effort, but it's certainly not necessary for SPF.

Personally, in two years of a -all SPF record I've had a grand total of TWO messages bounce due to forwarding. From my perspective it's all much ado about not very much. The nuisance of having to re-send two e-mails is noise level. I am miles ahead because I no longer have to deal with hundreds of joe job bounces every day.

Of course (1)

nurb432 (527695) | more than 7 years ago | (#16557216)

Embrace, extend, patent, restrict... we all know the routine.

And have you heard about the "extra secure" features of Exchange 2007? It would restrict you to getting mail only from other Exchange 2007 servers... For your security of course. It's for the kids too.

Enough of saying "It's a trap" with Microsoft (0)

Anonymous Coward | more than 7 years ago | (#16559246)

Microsoft has changed and is getting more friendly to the Open Source movement every day. Funny thing is /.ers continue to state 'they are evil greedy money grubbers.' Well they are a business and they are finally seeing that maybe there is some profit in working with and not against the open source community. Oh, that's right, this is communist slashdot where those who want to make a profit are somehow evil. The slashdot sheeple believe in the mantra "Information wants to be free" so all music, movies, software, etc. should be free and open. Basically they don't want to pay for anything. Fuck, they would steal all of their hardware if they knew they could get away with it.

Naturally, this post will be modded down into oblivion as the slashdot sheeple don't want to debate the points, but rather censor the posts as they know almost all slashdot sheeple have a threshold of at least 0. Funny thing is the posts that state "Open Source rulez, All closed source drulez" comments, even when posted exactly like that are modded to +5 insightful, informative, or interesting. That shows where the /. mindset is at.

TLS is another way to go. (1)

o517375 (314601) | more than 7 years ago | (#16559722)

Add TLS to the SMTP protocol. Force the sending server to encrypt with a certificate. This will not only eliminate 60% of all spam but most viruses. And it would solve the clear text issue. And it is a commonly accepted method. Sure it would add overhead, but would be well worth the cost.