Sea of Noise


Thu, 05 Jun 2008

Gmail: Smell the Fail

Gmail has been sucking even more than usual lately. If you don't run a mail server, you might not have noticed; but Gmail has become a cesspool spewing spam onto the rest of the 'net. For the few hundred domains I host, Gmail is now beating out Yahoo, MSN, Earthlink, and AT&T as a source of spam among the companies I don't block from my servers outright. (And that's quite an accomplishment, because the aforementioned companies suck more than a little! AOL, BTW, would have been on that list until recently, and they still originate a lot of spam, but they've come a long way.)

For what it's worth, here's a comment I posted tonight to a discussion list where Gmail's suckage and our desire to block their servers has been a topic of conversation among mail server administrators of late:

Quite a few of us seem to think that Google and other "free"mail services have a responsibility to the rest of the 'net to vet their prospective users. The response to any proposed requirements, though, seems to be that the methods aren't impervious to fraud and/or will be too high a barrier for certain kinds of people. But there's no reason that multiple approaches to tying someone to a real world identity can't be used, nor does a decision about trust have to be binary. (Why are new Gmail users able to send a seemingly infinite number of emails, to anyone, on day one?) More importantly, all of these approaches could be enhanced by using reputation information already present in the network.

When Gmail was first rolled out, I was excited about it—not because I wanted to use it, but because I mistakenly thought Google was doing something new to address the spam problem that plagued other freemail services. Remember "invites"? It boggles my mind that Google stopped requiring invites and apparently never used the social network and reputation possibilities they provided!

Am I the only person who is amazed that the company built on PageRank can't figure this out?

[/internet/spam] permanent link

Wed, 07 Dec 2005

Does the EFF Do More Harm Than Good?

"Bonhomie Snoutintroff", whose tongue one must assume is planted at least partly in his cheek, writes in The Register yesterday that the EFF Needs to Die:

The Electronic Frontier Foundation (EFF) is renowned for its impeccable taste in the battles it fights on behalf of consumers, and for its uncanny ability to stuff every case up in ways that lead to permanent injury for everyone except the entities they oppose.

Well, maybe. There's a valid point in there somewhere. But I'm not sure whether the point is that the EFF needs to die, because they're doing more harm than good, or that geeks ought to be supporting them even more than they are, so they can do a better job.

A little bit of both, I'd guess.

As Lawrence Lessig himself explained in "How I Lost the Big One", there are times when you need the help of "a lawyer, not a scholar":

Most lawyers and law professors have little patience for idealism about courts in general and this Supreme Court in particular. Most have a much more pragmatic view. As I read back over the transcript from that argument in October, I can see a hundred places where the answers could have taken the conversation in different directions, where the truth about the harm that this unchecked power will cause could have been made clear to this court. Kennedy in good faith wanted to be shown. I, idiotically, corrected his question. Souter in good faith wanted to be shown the First Amendment harms. I, like a math teacher, reframed the question to make the logical point. I had shown them how they could strike down this law of Congress if they wanted to. There were a hundred places where I could have helped them want to, yet my stubbornness, my refusal to give in, stopped me. I have stood before hundreds of audiences trying to persuade; I have used passion in that effort to persuade; but I refused to stand before this audience and try to persuade with the passion I had used elsewhere. It was not the basis on which a court should decide the issue.

Don't misunderstand: the idealism of those involved with the EFF is one of the reasons I've always admired them. I don't think they need to be less idealistic in terms of what fights they choose--even if that means taking on a lost cause. But being right is seldom enough: they might also need to be more pragmatic about the tactics they use to win.

And, at the same time, we should be supporting them now more than ever.

[/internet] permanent link

Thu, 10 Nov 2005

Hotmail Considered Harmful

The time has arrived for Internet email providers to consider blocking all traffic from Microsoft and its associated services.

The hotmail.com and msn.com networks have long been among the biggest originators of spam email in the world (even well beyond the generous amount one would expect them to generate given their size). Once upon a time it was just that they handed out accounts indiscriminately, leaving the rest of the Internet to clean up after them and deleting accounts for abuse after the fact. Eventually, it became obvious that they cared so little that they wouldn't even take the simplest steps to prevent future abuse, such as applying content filtering to block recurring spams that were being sent from and reported to their network on a daily basis.

Over the past year, though, it has become obvious that Microsoft, as a company, either has a policy of being completely irresponsible or is incompetent on a scale that would be hilarious if they weren't running one of the larger networks on the Internet (not to mention selling the operating system that runs on most desktops), or both!

Here's a demonstration of how Microsoft makes it impossible even to report most abuse from their network. The story is true. Only the IP and email addresses of the victims have been changed, to protect the innocent.

First, the victim (OK, the victim was me in this case) receives a spam with a subject line of "EMAIL LOTTERY WINNING NOTIFICATION !!!". According to the Received: header and mail server logs, this spam was sent to the victim's server from the IP address 65.54.249.31. A reverse lookup reveals that this IP is named "omc2-s21.bay6.hotmail.com". Of course, while actual reverse IP address forgeries are rare, they're certainly possible. But double-checking with the whois server at whois.arin.net confirms that 65.54.249.31 belongs to "Microsoft Corp", with a listed abuse address of "abuse@hotmail.com" and phone number of "+1-425-882-8080". So, the administrator of the email server (me again) sends an email to abuse@hotmail.com, which is both the address listed in whois and the address that the relevant RFC prescribes.

In response, Microsoft's server sends an automated message that claims, "Unfortunately, we cannot take action on the mail you sent us because it does not reference a Hotmail account. Please send us another message that contains the full Hotmail e-mail address and the full e-mail message to: abuse@hotmail.com". Well, that's true. The return address on the spam was in the msn.com domain. But, never mind that msn.com belongs to the same company, it's not relevant. The abuse came from Microsoft's network, for which abuse@hotmail.com is the correct abuse address, and anyway spammers can forge any return address they like.

What would have happened if the return address had been in the hotmail.com domain? Here it gets even funnier (or sadder, or perhaps criminal, depending on your perspective). Hotmail's email robot would then forward the email (e.g. to abuse@css.one.microsoft.com) and the email would be rejected as spam! ("Your e-mail was rejected by an anti-spam content filter on gateway." Gee, thanks.) Yes, that's right. Microsoft is even dumber than the US military. So, it's impossible to report spam properly to Microsoft, as most of the time it will be ignored one way or another before it even gets to a human. And I know what you're thinking, hey, even though you shouldn't have to, you could try abuse@microsoft.com, abuse@msn.com, postmaster@hotmail.com, or some other logical address. Sadly, they all suffer from the same lack of clue. In fact, hotmail.com, microsoft.com, and msn.com have all been listed at rfc-ignorant.org for a long time. In fact, the entry for microsoft.com shows that this situation is at least partly a deliberate act by Microsoft, as the bounce message shown includes the statement, "Please note that the e-mail address you have contacted, 'abuse@microsoft.com' will be retired on April 29, 2005." That's right. The same Internet standards that apply to everyone else on the Internet apparently don't apply to Microsoft. (But, then, anyone who has used MSIE ought to know that already.)

The mail servers I run receive hundreds, and reject thousands and thousands, of spam emails and other abuse attempts from hotmail.com every single day. I only bother even to report a fraction of the relevant spam that arrives in my personal mailbox. Even so, I'm getting tired of the vast majority of them not even getting delivered to a human (never mind how little good that might do). After scanning the spam-l discussion list and confirming that I was not alone in experiencing this problem, I decided it was time to pick up the phone.

Since Microsoft's ARIN whois listing explicitly gives a phone number for making abuse complaints, I called it. After working my way through an annoying automated prompt, I spoke to a polite operator who told me that they had no specific department to deal with this issue, and that I should contact MSN tech support at 800-386-5550. At that number, you can "enjoy" a conversation with a rather rude automated voice system that refuses to do anything until you speak the last name of your MSN account. (What do their mute customers do, I wonder? And why do I think MSN would care?) After "speaking" with this robot for a few minutes, with no success, I gave up.

What does all this mean?

Maybe next week I'll take a day off from reporting spam and spend the time calling the local Attorney General instead.

[/internet/spam] permanent link

Thu, 15 Sep 2005

Quirks vs. Standards Mode in Browsers

I love the W3.

Perhaps quoting from their short but sweet summary of quirks vs. standards mode will save someone else some research time (emphasis mine):

XHTML 1.0 can be served as HTML or XML. If you serve it as XML, use the MIME type application/xhtml+xml.

It is generally a good idea to use a DOCTYPE declaration at the top of an HTML or XHTML file so that the document is rendered in standards mode by more recent user agents.

The presence of an XML declaration in an XHTML 1.0 file served as HTML will cause your file to be rendered in quirks mode on Internet Explorer (and therefore for a potentially large proportion of your audience).

Insert your own rant about MSIE here.

Here are some other good pages on the subject for those of us for whom a short summary will not suffice:

[/internet/www] permanent link

Wed, 29 Jun 2005

army.mil Considered Harmful

It never ceases to amaze me that the people who want to tell me how to run my life (the US government, in all its many manifestations), and especially those who receive a large portion of my taxes to protect me and my countrymen (the US Army, US Navy, etc.), can't even secure their own mail servers or follow simple Internet standards.

My mail servers have received spam from mail servers run by the US government, including the military, so many times and for so long that I've lost track (and pretty much given up on them). Reports, by email and phone, have all gone unanswered. Amazingly, our political masters don't even think RFC 2142 applies to them. (In addition to being listed in abuse.rfc-ignorant.org, .mil is also listed in whois.rfc-ignorant.org. In for a penny, in for a pound, I guess.)

After having mail to the RFC standard abuse address bounce for the umpteenth time, I thought I'd give it one more try. I called the contact person listed at ARIN for the relevant mail server. Amazingly, she not only answered her phone, but turned out to be both helpful and intelligent. Miracles do happen! She did inform me that I could report the abuse to abuse@ the relevant subdomain.

Of course the Army should get its act together and comply with Internet standards. But, in the meantime, I sent a report to the relevant address.

It bounced.

The people running the Army's mail servers are apparently so stupid that they're using a content-based filter to filter mail sent to their own abuse address:

The following message to <ako.postmaster@us.army.mil> was undeliverable.
The reason for the problem:
5.x.0 - Message bounced by administrator 
Final-Recipient: rfc822;ako.postmaster@us.army.mil
Action: failed
Status: 5.0.0 (permanent failure)
Diagnostic-Code: smtp; 5.x.0 - Message bounced by administrator  (delivery attempts: 0)
Reporting-MTA: dns; spammta01.int.dr1.us.army.mil
Received: from XXXXX.XXXXXX.XXX (XXX.XX.XXX.XX)
  by mxoutdr1.us.army.mil with ESMTP; 29 Jun 2005 18:09:58 +0000
X-AKO: 46338039:204.89.131.35:29 Jun 2005 18:09:58 +0000:$ACCEPTED:4.2
X-BrightmailFiltered: true
X-Brightmail-Tracker: AAAAAQE35ew=
Subject: [AKO Content Violation - SPAM]Fwd: Returned mail: see transcript for details
X-IronPort-AV: i="3.93,242,1114992000"; 
   d="scan'208"; a="46338039:sNHT160135857"

Feel safe? I don't.

And I know what you Navy guys are thinking. But, no, last I checked, the Navy is just as bad. And both are only a little worse than many of our largest Internet service providers.

I'm sick of it. From now on, every time I get spam from a government-run mail server, some elected representative of mine is getting a call.

Join me, won't you?

[/internet/spam] permanent link

Sat, 24 Jul 2004

Lessig Declares Email Bankruptcy

Lawrence Lessig finally gave up on his pile of unanswered email and declared "email bankruptcy":

He went on to note that he had spent 80 hours the prior week sorting through unanswered e-mail built up since January 2002, and had determined that "without extraordinary effort" he would simply never be able to respond to these messages.

I feel his pain. I easily have over 1000 messages marked for reply in my current email client, and I'm not a public figure. (Let's not even go into the gigabytes of unread list email...) Many people get the same kind of relief Lessig did when their hard drive crashes without a backup and they start clean. Me, I've got email on various media going back to at least the mid-90s--probably earlier. Maybe it's time to follow his example...

[/internet/email] permanent link

Microsoft Wins Against Spammer

Scum-sucking spammer Daniel Khoshnood ordered to pay Microsoft $3.95 million in damages. I wonder how it feels to be such a lowlife that folks are even rooting for Microsoft to beat you? [via Laporte]

[/internet/spam] permanent link

Sat, 17 Jul 2004

X% of Email is Spam, Where X = ?

A humorous metafilter post presents several estimates of the percentage of Internet email traffic that spam accounts for, ranging from 50% to 90%. Of course, no one knows. First, we'd have to agree what "spam" was and what we meant by "traffic". Then we'd have to actually go look at the mail delivered to our mailboxes and figure it out.

From my personal experience as an ISP owner, though, I can say that for me and my customers (most of whom are businesses) it's a lot closer to 90% than 50%. Worse, over 99% of my mail server resources are consumed by spammers (and it's been that way for years now), since dictionary attacks, spam blocking, bounces, and the like mean that spam accounts for proportionately more resources than legitimate email.

[/internet/spam] permanent link

Wed, 14 Jul 2004

A Corollary to Godwin's Law

Somehow it seems fitting that a thoughtful essay about Godwin's Law on kuro5hin has elicited, well, about the same kind of "debate" one finds on Usenet these days...

[/internet] permanent link

Tue, 13 Jul 2004

Bypass Site Registration

Remember five or ten years ago when every big media company thought they were going to get rich offering their content on the web? Well, they've all pretty much figured out that it's not going to happen that way, but that doesn't stop them from asking you to register to use their site. Personally, my policy has been to just move on and read one of the many other good sites out there. But now there's a better way... [via Interesting People]

[/internet] permanent link

Mon, 12 Jul 2004

Can Spammers Abuse Bayesian Filtering to Block Legitimate Messages?

Edward Felten made an interesting observation: Bayesian anti-spam filters are, in essence, trained by the bad guys. Could spammers exploit this situation to poison the filters and cause certain legitimate email to be blocked ("like a Google Bomb for spam filters", as Brian Carnell put it)? Those who commented on Felten's post believe not. I agree that it would be a difficult proposition, as spammers only train the filters with bad email, not good email. Nevertheless, it's a question worth considering. Hardcore spammers appear to be a fairly small group, and collective action on their part might not be difficult to arrange. Even if this particular approach wouldn't succeed, we should ask whether there are other ways they could cooperate to wreak havoc. (As if the continuous deluge of spam weren't enough...)
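To put numbers on that argument, here is an added example (not code from Felten's post or from this blog) of a toy per-token Bayesian filter. The corpus, the add-one smoothing and every name in it are constructed assumptions; it measures how far spam-only training can move the score of a legitimate message whose words have a ham history, compared with one whose words have none.

```python
from collections import Counter
from math import prod

class TokenFilter:
    """Toy per-token Bayesian filter (constructed for illustration only)."""

    def __init__(self):
        self.docs = {"ham": 0, "spam": 0}
        self.seen = {"ham": Counter(), "spam": Counter()}

    def train(self, label, text, copies=1):
        # Count each word once per message, as message-level presence.
        self.docs[label] += copies
        for word in set(text.lower().split()):
            self.seen[label][word] += copies

    def p_spam(self, word):
        # Share of spam and of ham messages containing the word (add-one smoothed).
        b = (self.seen["spam"][word] + 1) / (self.docs["spam"] + 2)
        g = (self.seen["ham"][word] + 1) / (self.docs["ham"] + 2)
        return b / (b + g)

    def score(self, text):
        # Naive-Bayes combination of the per-token probabilities.
        ps = [self.p_spam(w) for w in set(text.lower().split())]
        s, h = prod(ps), prod(1 - p for p in ps)
        return s / (s + h)

# Constructed legitimate messages: one built from words the user's ham
# already contains, one from words the filter has never seen in ham.
KNOWN = "quarterly invoice attached"
NEW = "tender documents enclosed"

def score_after(legit, n_poison):
    """Score `legit` after n_poison spams that copy its wording were trained as spam."""
    f = TokenFilter()
    f.train("ham", "quarterly invoice attached for review", 20)
    f.train("ham", "meeting agenda for monday", 20)
    f.train("spam", "cheap pills lottery winner", 40)
    f.train("spam", "lottery winner " + legit, n_poison)
    return f.score(legit)

if __name__ == "__main__":
    for name, msg in (("known", KNOWN), ("new", NEW)):
        for n in (0, 40, 400):
            print(f"{name:5s} poison={n:3d} score={score_after(msg, n):.4f}")
```

In this model the ham side of each ratio is set only by mail the user accepted, so wording with a ham history drifts slowly, while wording with no ham history is classified on the spam evidence alone.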

[/internet/spam] permanent link

Sun, 11 Jul 2004

Conference on Email and Spam

The first Conference on Email and Spam (July 30-31, 2004) looks worth attending. A shame I'm already booked for something...

[/internet/spam] permanent link

Internet Hoaxes: Just Say No!

The next time you open your email to find a chain letter or a dire warning about a new virus, please stop and check it out at CIAC's Hoaxbusters page. There you'll find not only a comprehensive list of hoaxes, but tips on recognizing hoaxes and other useful information.

[/internet] permanent link

Thu, 03 Jun 2004

Peekabooty

The Peekabooty project aims to use peer-to-peer technology to route around censorship.

(I think I originally stumbled onto this site because of Paul Baranowski's essay explaining why he chose Python to implement Peekabooty.)

[/internet/p2p] permanent link

Tue, 01 Jun 2004

FreeCache

The folks at Internet Archive have rolled out FreeCache, a free content distribution network. The terms of service aren't yet clearly defined, but it looks to be ready for casual use.

[/internet/cdn] permanent link

Thu, 01 Apr 2004

Dumb Virus Scanners

meta-creation_date:03/05/2004

For the love of Bob! If you're running a virus scanner written by people so dumb they don't realize worms forge the From: header of the emails they send, turn off the email notification "feature"! I mean, here you are, writing a program you're going to charge $40+ for and you can't scan the Received: header and do a whois query to figure out the correct place to report the abuse?
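The check asked for here is the same trace described in "Hotmail Considered Harmful" above: ignore From:, take the connecting IP from the Received: line your own server stamped, and ask whois who owns it. The following is an added example, not code from this blog; the host name mx.example.net, the lower Received: line, the timestamps and the `from helo (ptr [ip])` header layout are assumptions, while the IP, host name and subject are the ones quoted in that post.

```python
import re
import socket
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Only the top Received: line was written by our own
# server; everything below it, and From:, is supplied by the sender.
SAMPLE = (
    "Received: from omc2-s21.bay6.hotmail.com"
    " (omc2-s21.bay6.hotmail.com [65.54.249.31])\n"
    "\tby mx.example.net with ESMTP; Thu, 10 Nov 2005 09:00:00 +0000\n"
    "Received: from bank.example (unknown [192.0.2.77])\n"
    "\tby omc2-s21.bay6.hotmail.com; Thu, 10 Nov 2005 08:59:58 +0000\n"
    'From: "Lottery" <winner@msn.com>\n'
    "Subject: EMAIL LOTTERY WINNING NOTIFICATION !!!\n"
    "\n"
    "body\n"
)

FROM_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)")
BY_RE = re.compile(r"\bby\s+([^\s;]+)")

def handoff(raw, our_hosts):
    """Return (helo, ptr_name, ip) from the topmost Received: line that one
    of our own servers stamped; None if no such line exists."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):   # newest first
        by, frm = BY_RE.search(hdr), FROM_RE.search(hdr)
        if by and frm and by.group(1).lower() in our_hosts:
            return frm.group(1), frm.group(2), frm.group(3)
    return None

def claimed_sender_domain(raw):
    """Domain in From:. Forgeable, so never the basis for an abuse report."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def whois_query(ip, server="whois.arin.net", timeout=10):
    """Plain whois (RFC 3912): send the query and CRLF to TCP port 43, then
    read until the server closes. Needs network access."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(ip.encode("ascii") + b"\r\n")
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def abuse_lines(whois_text):
    """Lines of a whois reply that mention an abuse contact."""
    return [l.strip() for l in whois_text.splitlines() if "abuse" in l.lower()]

if __name__ == "__main__":
    helo, ptr, ip = handoff(SAMPLE, {"mx.example.net"})
    print("report on", ip, "not on", claimed_sender_domain(SAMPLE))
    # abuse_lines(whois_query(ip)) would then list the owner's abuse contacts.
```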

[/internet/email] permanent link

Fri, 12 Dec 2003

Reply-To: Header Munging

Should munging the Reply-To: header in email list postings be considered harmful or useful? You be the judge!

[/internet/email] permanent link

Thu, 27 Nov 2003

US Makes A Dog's Breakfast Of Spam Law

According to New Zealand's Daily Aardvark, the US Congress recently made "a dog's breakfast" of spam law. That captures my sentiments about the so-called CAN-SPAM law exactly: Congress wants voters to think the "CAN" is something you do with meat products before putting them on the supermarket shelf; actually, it's "CAN" as in "you can spam now".

As I said recently, the problem isn't the lack of applicable laws; it's the near-total lack of enforcement. (The reasons I say "near" total are the FTC's recent actions against scammers and California's prosecution of spammers in their state courts, the notable exceptions to the general apathy of US governments on this issue.) This new law isn't just not what's needed; it makes things worse. Or, rather, it makes them better, if you're a spammer. Hmm... I wonder who has been lobbying your local Congresscritters and how much money they received in the process?

[/internet/spam] permanent link

Tue, 18 Nov 2003

Two Internets, One Wire

The reason Phil Howard is my shordurpersav of the morning:

There are two internets sharing the same set of wires. One of them operates with apparently no rules, whatsoever. The other has rules against abuses. Which internet do you want to be a part of? [posted to spam-l]

[/internet] permanent link

Tue, 21 Oct 2003

The Value of Non-Performance

John Vogel has posted some interesting comments (The Value of Non-Performance) on Site Finder and WLS. As he points out, both services would reward VeriSign for non-performance of its core registry functions, leaving it to seek the optimal level of incompetence that maximizes profits.

[/internet/dns] permanent link



Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.
