

SpamHaus Behind .mail Top-Level Domain
securitas writes "The SpamHaus Project is the group pushing ICANN to create a new trusted-sender system and the .mail top-level domain. SpamHaus proposes that registrants under the .mail TLD would pay at least $2000 per year and 'agree to abide by certain anti-spam mailing practices.' The interesting twist is that companies that comply with the US CAN-SPAM act - which SpamHaus opposed due to the legalization of bulk unsolicited commercial e-mail - would not be eligible to register a .mail address.
The .mail TLD proposal was recently discussed on Slashdot."
Maybe a Good Thing? (Score:5, Insightful)
This could probably be worded a little more clearly. Complying with the CAN-SPAM act is as easy as not doing anything at all. I think what the submitter means, correct me if I'm wrong, is the "one-shot" bulk mail that a company is allowed to send you under CAN-SPAM. Obviously, SpamHaus considers this spam, still, even though it's technically legal (I would tend to agree).
This new TLD proposal, according to their FAQ [spamhaus.org], is not aimed at stopping spam, or replacing the email infrastructure from the ground up. It's more towards legitimizing non-spam email. It may not be technically possible (not my area of expertise, I remember some nay-sayers in the last article discussion who at least sounded like they knew what they were talking about), but I still think their hearts are in the right place. Am I wrong?
I'm looking forward to the whitepaper they've promised on it.
Re:Maybe a Good Thing? (Score:4, Insightful)
Re:Maybe a Good Thing? (Score:3, Insightful)
The only exception that comes to mind is if your ISP took the decision out of your hands. However, they would ONLY do this if it became massively widespread (otherwise they'd be throwing out 99% of valid email). I'd like to think that if
Re:Maybe a Good Thing? (Score:4, Insightful)
Yes it is, and it's yet another attempt to get a service out of the control of the end user.
Re:Maybe a Good Thing? (Score:3, Insightful)
Re:Maybe a Good Thing? (Score:5, Insightful)
Re:Maybe a Good Thing? (Score:3, Insightful)
It does not take away your ability to run your own mail server. You can still run it on your private network... or maybe to communicate with systems run by people who trust you to not misuse an obsolete protocol. But nothing currently says that my mail server (or that of my ISP) has to talk to y
Re:Maybe a Good Thing? (Score:3, Insightful)
differentiating how? by coughing up $2000? that's crazy.
Re:Maybe a Good Thing? (Score:3, Insightful)
When it comes down to it, isn't it still about me deciding whether I want to read an incoming email or filter it out?
How w
Re:Maybe a Good Thing? (Score:2, Interesting)
Re:Maybe a Good Thing? (Score:3, Interesting)
I wonder why they don't take this to the next level and use the information in PPP or DHCP logs to blacklist the ones with dynamic addresses?
Re:Maybe a Good Thing? (Score:3, Insightful)
I own my own mailserver. I built it myself. I run it myself. I'm the only one with an account. It is for my large site that has about 100,000 registered accounts. Not one single piece of spam has ever been sent from my servers nor would it. It is used merely to send notices and account registration confirmations and the like to users who have accounts and rely on these notices and emails as part of the functionality of our site.
It is a non-commercial site. I make ze
Re:Maybe a Good Thing? (Score:3, Interesting)
The ISP's .mail domain could be revoked if a single one of their subdomain customers broke the conditions of use for the .mail domain. I doubt an ISP would risk this (sell a subdomain to 1000 people, one violates the T&Cs, ISP's domain is revoked, ISP has 999 very irate customers who now can't send mail.)
I doubt AOL, for example, could get a .mail domain, since they would not be able
Correction (Score:5, Insightful)
That's not quite correct. The SpamHaus rules wouldn't ban anyone who obeyed the CAN-SPAM act. Presumably most ordinary companies obey CAN-SPAM by refusing to do anything that vaguely resembles spamming, and they'd be just fine under the SpamHaus rules. What SpamHaus wants to do is to use a stricter definition of what constitutes spam, so that some senders who meet the terms of CAN-SPAM still wouldn't qualify.
Re:Correction (Score:2)
I believe you are mistaken. As I understand CAN-SPAM, you can spam all you want, so long as you have a postal address in the mail, a working opt-out mechanism, and don't forge anything. Note: complying with CAN-SPAM just means your email is legal, not that it isn't spam.
Re:Correction (Score:2, Informative)
I think that you're misreading what I wrote. The point is that there are two ways of obeying the CAN-SPAM act:
My point is that the original article seems to say that neither group 1 (spammers who follow the rules) nor group 2 (non-spammers) would be allowed to register under .mail. This would obviously be stupid, and isn't what SpamHaus is saying.
Goodby home mail server (Score:5, Interesting)
I certainly can't pay $2000 a year.
Re:Goodby home mail server (Score:2)
Re:Goodby home mail server (Score:5, Interesting)
Yahoo/Hotmail both have far more users than that. $2000 is not going to be a big deal for them (for example, with 2 million users, it would be a tenth of a penny per person). I'm sure that they are already spending far more than that on hardware, software, and administration.
Re:Goodby home mail server (Score:5, Insightful)
Nor can a lot of people, which is why this proposal will never work.
Re:Goodby home mail server (Score:3, Insightful)
Re:Goodby home mail server (Score:3, Interesting)
Re:Goodby home mail server (Score:3, Insightful)
No matter what way you cut it this problem won't be solved by political bullshit, or business bullshit. It's a technical issue, it will be solved by technical means. Some hacker needs to sit down and spend a few months writing an open standard for
Re:Goodby home mail server (Score:4, Insightful)
Nor can a lot of people, which is why this proposal will never work.
The current email system already doesn't work. There's no way people who get 1000's of spam emails per day will ever find email from your domain in their mail filter logs. So this plan doesn't have to work. It just has to be less broken than the status quo.
Re:Goodby home mail server (Score:5, Insightful)
Re:Goodby home mail server (Score:4, Insightful)
Re:Goodby home mail server (Score:3, Interesting)
I'll see your 5 and raise you another 7. A few of those are actual paying customers; the rest are a personal domain, domains I and some friends use to do business with, and a few domains I host as freebies for organisations I like. This scheme would make the cut of my gross income that I give to Uncle Sam (and his state and local nephews) seem rather small in comparison... and at least for that I get free police service, road cons
Re:Goodby home mail server (Score:4, Insightful)
it would also rely on spammers actually playing by the rules.
Re:Goodby home mail server (Score:4, Informative)
So then you need to buy a certificate. And there will be competition for these certificates which should drive the price down to a reasonable level.
Re:Goodby home mail server (Score:4, Informative)
like the original poster, i run about 10 domains on a mail server at home for myself and some friends. at $250 for a 2 year cert (bargain basement prices), that's going to cost me $1250 a year, which i think is unreasonable for the "little guy" who isn't running a company.
keep in mind that there are plenty of people happily using the internet that have no commercial intent whatsoever. i know it's very un-american of me, but none of my websites and domains are intended to make money.
competition is only going to drive down prices if there is true competition, which currently isn't the case with certificates. basically, microsoft has de facto control over who can issue certificates as they control which trusted root certificates are going to ship with their browsers. until this situation has changed, i'll take my chances with either un-secured connections or educating my users on how to install a root certificate into their browser before i pay into the verisign cartel.
Re:Goodby home mail server (Score:4, Insightful)
InstantSSL [instantssl.com] sells 2 year certs for $89.
And they are trusted by the same 99.3% (who came up with that number) of browsers as Verisign.
Re:Goodby home mail server (Score:3, Interesting)
Re:Goodby home mail server (Score:3, Informative)
First, when does the end user ever have any idea of what company your cert is from? That information is never even presented to the user unless the CA is unknown. The end user knows when the little padlock is closed in his browser status bar and that's it.
Second, even were the end user to know which CA is being used, how would they have any idea of the relative difficulty of getting a Veri
Goodbye semi-professional mail server (Score:4, Insightful)
I cannot afford this. Meaning I will have to close all sites.
Personally, I think SPF is the best solution so far. It may not stop spam, but at least it stops forging headers, like the headers of 99,9% of spam in my inbox are.
Re:Goodby home mail server (Score:2)
Either anyone and everyone can run their own mail server (home users as well as spammers), or only select people are allowed to run a mail server (selected by buying a certificate, or a domain, or whatever).
As long as people are allowed to run their own mail servers, some of those will be open due to ignorance, and some of those will be used by spammers. Just a thought.
Just cut to the chase (Score:5, Funny)
Re:Just cut to the chase (Score:2)
This is dumb (Score:4, Insightful)
We already have a perfectly good, workable proposal for sender validation. It's called SPF. It's free. It will work, like this proposal, when people adopt it.
Seriously, $2k to prove that you're not a spammer, by one organisation's definition of the phrase? That sounds like profiteering to me, much along the lines of Ironport's dodgy Bonded Sender (tm) program.
No thanks.
Re:This is dumb (Score:2)
Really? Surely you would receive $2000 worth of services in exchange for your hard earned money!
1. Spam everyone like crazy.
2. Extort^H^H^H^H^H^HSell a $2000/year TLD.
3. Profit!
Doesn't the mob do something like this?
Re:This is dumb (Score:3, Interesting)
But this proposal is quite different from SPF. Under SPF, anyone with a domain is allowed to define which computers are valid mail senders for that domain, but there's no further restriction. That would prevent spammers (and email worms) from falsifying their sender address, but it doesn't directly confront the issue of spam. A spammer with his own domain, presumably hosted by a spam-friendly service provider, can still define his own computers as being permitted senders for that domain and send out spam
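The distinction this comment draws, as an added example that is not part of the original thread: a simplified SPF check in Python that handles only the ip4, ip6 and all mechanisms. The domains, addresses and records are constructed, and `check_spf` is a hypothetical name.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups. Domains and
# addresses are reserved documentation values, not real senders.
SPF_RECORDS = {
    # A domain whose owner lists its real outbound servers.
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    # A bulk sender that owns its domain and authorises its own host.
    "bulk-sender.example": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate a connecting IP against the MAIL FROM domain's SPF record.

    Simplified: only ip4, ip6 and all are implemented. Other mechanisms
    and modifiers (include, a, mx, redirect, ...) raise NotImplementedError
    rather than being silently skipped.
    """
    record = records.get(mail_from_domain.lower())
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF policy

    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism not handled here: {term}")
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "example.org"),            # legitimate server
        ("203.0.113.5", "example.org"),           # forged sender address
        ("198.51.100.25", "bulk-sender.example"),  # bulk sender, own domain
    ]
    for ip, domain in cases:
        print(f"{ip:15} MAIL FROM @{domain:20} -> {check_spf(ip, domain)}")
```

The forged message fails, but the bulk sender that publishes its own record passes: SPF says whether the host may use the domain, not whether the mail is wanted.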
Re:This is dumb (Score:2)
Does a different job than SPF (Score:3, Interesting)
So basically, this is a $2000 whitelist. (Score:5, Interesting)
Whatever. Just like many whitelist methods, it has the standard flaws.
But I guess it couldn't hurt! Companies with the big bucks or with donors (I'm thinking Samba mailing lists, etc), could afford it.
The rest of us slobs would continue to crawl around in the
As an aside, could you have the same problem with this domain as with AOL's spam filtering, i.e., false reports? What are the punishments for violating the rules of the
Re:So basically, this is a $2000 whitelist. (Score:2)
Presumably loss of domain...
Re:So basically, this is a $2000 whitelist. (Score:2, Funny)
From the article:
SpamHaus probably won't have many hurdles from a technical stability standpoint. The organisation is tapping VeriSign, which has more experience operating TLDs than any other company, to provide the back-end infrastructure.
Be thankful; $2000 is VeriSign cutting-their-own-throats :-)
Re:So basically, this is a $2000 whitelist. (Score:2)
Re:So basically, this is a $2000 whitelist. (Score:2)
Re:So basically, this is a $2000 whitelist. (Score:2)
For christs sake people, the solutions exist. It's time to stop talking as if this is a hard problem and start acting like we know what we're doing.
Not on its own. (Score:2)
One change I'd make, though, is rather than using IP address, use digital signatures.
Re:So basically, this is a $2000 whitelist. (Score:2)
It also makes it much easier for spammers. Spammers know how to forge IP's. So now they know that if they make it seem like it's from
You can't beat spammers at the network. They will ALWAYS find a way around i
$2000 - one time, or per year? (Score:4, Interesting)
I am guessing it is a one-time fee, and the renewal will be less. Spamhaus states the up front cost is high as the first roadblock for spammers -- why pay $2000 for the domain when you are going to get shut down almost immediately after using it to send spam? It also is going to cost them more than normal to run this sTLD. So a large one-time fee makes sense.
Re:$2000 - one time, or per year? (Score:3, Funny)
Newbies could learn well from this: if a poster states a valid, insightful argument that goes against the idea that all information should be free, your first line of defense should be anonymous cuss words.
If these fail, call them Micro$oft lovers. Or Mac zealots.
not great! (Score:5, Insightful)
I would like the ability to run my own servers and web sites as an individual, please. We don't need ANY system of top level domains that favor corporations over non-corporations. Find another way around the problem, please.
Re:not great! (Score:2, Insightful)
Because we all know that big corporations would never, ever, ever let spammers use their network, misconfigure a mail server, get hacked, etc.
*cough* AOL spam *cough*
Re:not great! (Score:2)
Re:not great! (Score:2, Insightful)
It's happening with ISPs that do draconian port filtering to prevent their paying users from being able to host their own content, to VeriSign attempting to own typos, to Microsoft wanting to decide how e-mail "postage" is used, a
Re:not great! (Score:2)
$2000 is the upper limit (Score:5, Informative)
Re:$2000 is the upper limit (Score:3, Informative)
Need to get stories straight (Score:3, Interesting)
Ok, then they need to update their FAQ [spamhaus.org], question 9 "What does a domain cost and why?":
The use of each domain will cost over US$2000. The price may vary depending on the registrar one uses.
This high cost will insure that most spammers will not bother and attempt to sign up for one, and if they do, it will be a high cost for what will be a very short time period of spamming.
The cost also pays for the much greater than normal vetting procedures places requesting this domain will go through before one is g
2 Large? No way (Score:2)
US $2000 for .mail domain! (Score:2)
Re:US $2000 for .mail domain! (Score:3, Interesting)
zombies anyone? (Score:2)
At best, this seems like a
Take your fee and shove it. (Score:3, Insightful)
Beyond that $2000 is chump change for spammers. It hurts no one but the honest guy, which is what government lately seems to be for, so perhaps it'll get pushed as a law. *sigh*
What we really need... (Score:4, Funny)
Oh, wait, that's the divorce tactic.
What the heck, it'd probably work for spammers, too.
why new TLD for paid reputation service? (Score:5, Insightful)
Re:why new TLD for paid reputation service? (Score:3, Insightful)
Re:why new TLD for paid reputation service? (Score:2, Insightful)
It's in IronPort's best interest to keep signing up spa
Re:why new TLD for paid reputation service? (Score:3, Interesting)
Now most folks don't have to send 500,000 msgs/hr from one box, which is what IronPort claims to do. They also
Yeah But... (Score:5, Insightful)
I think recent innovations -- SPF being my favorite so far -- offer a lot more promise than a new TLD. But that's just me :-)
Re:Yeah But... (Score:3, Offtopic)
Spammers have been using their own mail servers for years. And now they're using virus zombie networks anyway, which this won't stop.
Re:Yeah But... (Score:3, Insightful)
The thing that I like least about a new TLD is that it brings back relaying. Since it is going to be impractical to get a
There is a cur
Why a TLD? (Score:4, Interesting)
Re:Why a TLD? (Score:4, Insightful)
No, I don't think this is a good idea. But I see why a top level domain is necessary to pull it off.
They don't need to. (Score:2)
Step 2) mail client verifies that mail.schwab.com points to the same server as mail.schwab.com.mail.spamhaus.org.
Step 3) profit.
Re:Why a TLD? (Score:3, Informative)
That just confirms... (Score:3, Interesting)
As someone pointed out in a thread above there is no good reason to just use a reverse blacklist (like DNSRBL et al.) which identifies certain senders as non-spammers instead of identifying them as spammers.
"[...] set up to be more robust and attack resistant [...]". Oh please. If you get $2k from each and every person/corp. in your whitelist you sure as hell can afford some professional DNS hosting for your whitelist.
What mail I want to receive (Score:2)
Even having a legit
Wonderful, we finally have the motivation... (Score:3, Insightful)
Which will leave "companies able to pay $2k/year" on one side, and "individuals capable of installing their own mail server" on the other.
This will cause a bit of disruption at first, as a few competing standards emerge, but in the long run, it will make blocking corporate traffic far easier (yeah, I get soooo much legit email from non-individuals... I think I can count the past year's on one hand). And with a bit of care, the non-corporate protocol will finally include several of the oft-discussed but as-yet-unimplemented techniques for completely locking out spam (or at least making it trivial to identify the source).
And encryption. Don't forget encryption. The non-corporate protocol should include end-to-end crypto, now that Big Brother can watch us on a whim right from the privacy of our own ISP's back door.
2000 per year? (Score:3, Interesting)
Sounds like a recipe for email tax. I think the only way to really stop this is to stop the 200 or so people per spam message that actually respond to spam and make it a profitable business.
So eventually... (Score:5, Insightful)
Brilliant idea. While we're at it, why don't we just let ICANN authoritatively say who can and can't send mail, and be done with it? It's not like their board is captured or anything.
Worthless (Score:4, Interesting)
If a company or provider isn't sending or supporting spam then why the hell would they give a damn about someone else's spam filters? That is the only reason for this whitelist. I mean if they aren't sending spam then why should they be concerned about losing mail to someone else's spam filters? Why would they want to drop $2k per domain for another whitelist? If perhaps I was a company that did mass mail customers like Sears, JCPenny's, or Amazon then maybe I would want to get on a popular whitelist. That said, why in the hell would I as an average joe or I as a typical ISP give a hoot about what someone else's spam filters do with my non-spam? If their filters are mistakenly tagging my mail as spam their customers will bitch and the problem will get fixed. It doesn't concern me.
I really don't see the point in a .mail TLD. Steve is a smart guy. Even at that I absolutely can not see his reasoning here. This is really a dumb idea. I make a point to personally blacklist domains that use tools that break email such as TMDA. I guess I'll just have to add another check to my rules.
Re:Worthless (Score:4, Interesting)
I was just reading the .mail STLD RFP application [icann.org] and am finding myself surprised by the people associated with the hair-brained idea.
Initial Board of Directors
Steve Linford, founder of Spamhaus.org
Joseph E. St. Sauver, Ph. D, Director, User Services and Network Applications Unv of Oregon
Already consented to be special advisors to the SO
John Levine, Chairman of the Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF)
Wietse Zweitze Venema, Ph.D, Postfix author among other things
Other
Justin Mason or Daniel Quinlan of SpamAssassin.org
Eric Allman of Sendmail.org
Ted Galvin of SpamCon.org
Suresh Ramasubramanian of OutBlaze.com
That list amazes me. I can't believe those people would have anything to do with this project. I also can't believe they are intentionally involving Verislime. I wonder if this is an attempt to counter Microsoft's e-stamp proposal...
Re:Worthless (Score:3, Insightful)
1. Get into the anti-spam biz.
2. Talk ICANN into a
3. PROFIT!
If you wish to debate #2 just think about it for a bit.
The
What, the, fuck. (Score:4, Insightful)
Secondly, wtf. $2000 a year? That's insane. Right now, I can use my own mail server and only pay the $8/year domain registration fee. And that's the way it should be. People with enough tech savvy (and it doesn't take much these days) should be running their own mail servers. Open relays aren't an issue with modern mail servers (you have to work pretty hard to create one these days), and running your own mail server gives you a lot of fine-grained control over how you filter Spam for yourself (for example, using a catch-all email and using a different email for everything, letting you track how your address gets disseminated, and blocking addresses that get 'liberated')
It seems like some of these anti-Spam people hate Spam so much they completely lose track of what Email is for and the people it's supposed to be used by, everyone. Email black holes are one thing, but it's wrong to apply them as filters for people without their knowledge or consent. I read a salon article about a woman who, when roadrunner implemented RTBL she lost out on tons of email, including email from potential employers (she was a freelance author). She still got tons of Spam, of course.
I don't believe that technical solutions alone will stop Spam, but they, with real legal enforcement can probably reduce it a lot.
I'm also tired of these top-down authoritarian systems that put a few people in control of email (like e-stamps, or this insane plan, etc) before we even get good solutions like SPF working. Once people start checking SPF records a lot of this crap will get a lot better.
When will everybody just implement SPF (Score:3, Interesting)
I propose this: (Score:2, Funny)
ambiguous english (Score:3, Insightful)
That should have been "might not be eligible to register a .mail address."
In all probability, most people would be compliant with both CAN-SPAM and the .mail requirements (modulo being willing to pay $2K/year to send email).
2k ? (Score:4, Insightful)
And also exactly WHERE the money is going to ? The last thing we need is one governing body trying to control mail for the "betterment of all, so long as it helps our bottom line". We don't need a spam czar, or a spam conglomerate. We need the existing people to work together to prevent spam. ALL spam.
This is a half assed idea.
I don't see the point... (Score:5, Insightful)
I'm just not getting how this proposal would do much. I read through the text of the proposal [icann.org], which is written in fairly obtuse language I just couldn't quite plod through right now.
I said it before, and I'll say it again (Score:3, Insightful)
This will not work. (Score:3, Interesting)
On the other hand, the $2000 a year fee isn't going to do jack. Those who send spam do so because it's really darn profitable. To them, the $2000 a year is peanuts. To a service provider who can barely make ends meet and wants to expand its quality of service and options for customers, $2000 may be the difference between breaking even and going bankrupt. That's kind of like trying to protect individual inventors working in their basement by making the patent fees $200,000 or something. That'll only serve to accomplish the opposite of the intended result.
The bottom line is this: Make it difficult for spammers, not for legitimate users. A certain standard should be devised that includes technical as well as contractual devices to make it extremely difficult for any spammer to last any time at all on the .mail TLD. And mail received from non-.mail TLDs could automatically go into a "bulk mail" folder, or would not be downloaded from the server at all, except for the "From:" address and perhaps a digital signature, so the user (or his filters) can decide what to do with that information. And maybe that needs to happen with ALL mail, not just non-.mail TLD mail.
This is bad, just like .kids and .xxx (Score:3, Interesting)
Heck, let's say I run a porn service, and want to take advantage of this mail feature. I now have to use two different DNS domains? That's stupid.
Just as PICS can give you digitally-signed content ratings for the web, some other service can give you digitally-signed ratings/labels for e-mail. Extend SMTP to, perhaps, operate over TLS or SSL, or at least perform some sort of mutual check that both sides have a SpamHaus certificate that says they're not a spammer, and you can possibly "secure" the connection.
Or just digitally sign your e-mail messages and only accept digitally-signed e-mail. Tweak your trust relationships (for PGP-style signatures) or drop your trust from any roots that are seen to sponsor spammers, and you're all set.
Re:$2000/year (Score:3, Insightful)
$2000/year would ruin free email (Score:5, Insightful)
Even if those free email places did pay for a
This would either get rid of free email or let spam live, both while closing down the small free email services. I don't like either option, we should do something else.
Re:$2000/year (Score:4, Insightful)
Re:$2000/year (Score:3, Insightful)
Perhaps not. But at least it gets it out of the grubby hands of VeriSign and the corporate dog ICANN.
Re:$2000/year (Score:4, Insightful)
Re:my idea (Score:3, Interesting)
In fact, my original MTAs must be licensed was really more of a way to see if I could get a troll modded up to +5 than a serious post. However, over the last year, I've started thinking that it might actually be a good idea. The licensing I had in mind was rather like the way amateur radio operators are licensed, with a fairly heavy technical content (but not aimed at a particular MTA). Email abuse coming from the MTA could result in suspension or revocation of the MTA operator