Internet and e-mail policy and practice including Notes on Internet E-mail

←2004→ Months Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Click the comments link on any story to see comments or add your own. RSS feed Join my blog network on Facebook Blog Networks

Home 26 Dec 2004 Why computer geeks particularly hate spam Email A friend wrote describing his wife's experience activating a new credit card. She had to call an 800 number, which connected to an automated system that made her sit through a long ad for a worthless registration or credit report service before it admitted that her card was good. I think all big banks do that now. I realize one way that we geeks differ from the range of normal computer users is that we expect to have control over our computers. For most people, their experience of a Windows PC is that strange things happen, they don't know why, they don't know what to do about it. Windows pop up all the time. They used to say "Install oompha flooba greep. OK?" but now since Windows XP SP2 they say "Install oompha flooba greep. This may be very, very, very, dangerous. OK?" and they click OK anyway because as often as not, it's not. (I got that message a few days ago about Microsoft's own applet that figures out which updates to Office you can apply.) They can't tell the popups that are part of the ESPN or Orbitz web sites from Gator spyware. But we can. So when I got my my most recent credit card, I noticed that I had the option of phone or web activation, so I chose web activation because I knew that I could make the crud go away via a combination of popup blockers and clickthroughs, wresting control back from the droid that would otherwise have made me sit through an ad for credit card insurance. Since we're used to control, we get particularly bent out of shape at attempts to take it away from us. But most people lost that long ago. posted at: 12:55 :: permanent link to this entry :: 0 comments Trackback link is http://weblog.johnlevine.com/Email/control.trackback 19 Dec 2004 A political analysis of SPF and Sender-ID Email In my spare time when I'm not dealing with the world of e-mail, I'm a politician so now and then I put on my cynical political hat. At the FTC Authentication Summit one of the more striking disagreements was about the merits and flaws of SPF and Microsoft's Sender-ID. Some people thought they are wonderful and the sooner we all use them the better. Others thought they are deeply flawed and pose a serious risk of long-term damage to the reliability of e-mail. Why this disagreement over what one might naively think would be a technical question? SPF does what's known in the mail biz as path authentication, that is, it attempts to check whether the route that a message took to get to the recipient is valid for that kind of message. In particular, SPF provides a very complex scheme through which a domain can publish the IP addresses from which it expects its mail to be sent. Microsoft's Sender-ID works almost identically to SPF, with the only difference being which of several possible return addresses on a piece of e-mail it checks. If all of a domain's mail is indeed sent from the same place, then SPF or Sender-ID works fairly well. (It still has problems with mail forwarders, but that's a separate issue discussed at great length elsewhere.) On the other hand, if the domain's mail can legitimately come from lots of different places, particularly lots of different places that are hard to predict in advance, SPF and Sender-ID are useless. So what kind of domain sends all its mail from one place? Corporations, mostly. A business will often have a single mail server, or a mail server per branch office, and a policy that all company mail is sent through the company's server. If employees are travelling, they have to connect back to their home network to get and send mail. A bulk mailing service, known in the biz as an Email Service Provider or ESP. sends all of its mail from its own servers. That's both because that's why the servers exist, and because it's easier to get recipient ISPs to whitelist their mail if the ESP can give the recipients a small set of IP addresses to add to the whitelist. On the other hand, mail from university domains can come from all sorts of unexpected places. Students and faculty travel, and being clever academics, lash up all sorts of ad-hoc schemes to send and receive their mail. Many universities provide courtesy mail addresses for alumni that the alums can forward to whatever ISP they happen to be using. The alums send their outgoing mail from their own ISP, so mail from the university's domain can originate at any ISP in the world. Internet Service Providers are in about the same situation as universities. Their customers may check mail from work, and send mail with a personal ISP address via their work servers. Or they might move and keep an old account to avoid changing their e-mail addresses, sending mail with their old ISP address from their new ISP. Corporations and ESPs run a lot of Microsoft servers. Businesses use Microsoft's Exchange to integrate e-mail and calendar facilities, ESPs run various integrated mail and database applications. Universities and ISPs are more likely to be running Unix or Linux servers. Universities do so since they're been running Unix since before Windows existed, ISPs because Unix and Linux mail software can support vastly more users per server than Windows mail software can. So places that run a lot of Microsoft software tend to be set up so that Microsoft's Sender-ID works, and places that don't aren't. Coincidence? You make the call. posted at: 01:13 :: permanent link to this entry :: 0 comments Trackback link is http://weblog.johnlevine.com/Email/spfpol.trackback 18 Dec 2004 A spam filtering parable Email A few weeks ago I was at an Industry Canada meeting in Ottawa where we talked about spam and e-mail authentication. They introduced a Stop Spam Here campaign (aussi disponsible en français) that tells people how to install virus filters and hide their e-mail addresses. One of the topics that came up over lunch was an ill-considered bill in Parliament that would have required ISPs to provide spam filtering to all of their customers. While munching on the fussy little hotel sandwiches provided, I had a vision ... "Ottawans have a problem. Ill-mannered teenagers have been dumping cans of garbage from overpasses onto cars on the 417, the main highway in the area. To deal with this problem, the local police have provided some helpful tips: When driving on the 417, be sure to keep your windows rolled up If possible, drive with a passenger who can watch overpasses and look for flying garbage. Home owners should chain their garbage cans to the porch or weight them down with boulders to keep people from tipping them. We realize this also makes it impossible to collect the garbage, but we're working on that. You can buy sturdy plastic anti-garbage shields and mount them on your car. The government is considering requiring car dealers to provide these shields as standard equipment. ..." You get the idea. While spam garbage shields are an unfortunate necessity these days, I really think I'd rather put my effort into sending the cops after the miscreants so they don't dump the garbage in the first place. posted at: 22:16 :: permanent link to this entry :: 0 comments Trackback link is http://weblog.johnlevine.com/Email/the417.trackback

Topics Copyright Law - 8 Email - 116 ICANN - 52 My other sites Who is this guy? Airline ticket info Taughannock Networks Other blogs Spam resource (Al Iverson) The Spam Diaries (Ed Falk) Word to the Wise (Laura Atkins) Lextext (Bret Fausett) Related sites IRTF Anti-Spam Research Group Network Abuse Clearinghouse Coalition Against Unsolicited Commercial E-mail

© 2005-2008 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.