Internet and e-mail policy and practice
including Notes on Internet E-mail




04 Dec 2009

Just Make It Stop Email

In a recent discussion among mail system managers, we learned that one of the large spam filter providers now has an option to reject all mail from ESPs (e-mail service providers, outsourced bulk mailers) regardless of opt-in, opt-out, spam complaints, or anything else, just block it all. Some of the ESPs wondered what would drive people to do that.

We are bombarded by ads from the moment we get up until the moment we go to sleep. There's ads on the radio, ads on TV, ads in the newspaper, ads on billboards, ads on the bus, ads on the fricking steps in the NYC subway. In my physical mailbox, where I used to throw away about one worthless little newspaper full of ads a week, now it's one or two a day.

The reality is that recipients do not care if they get the vast majority of what ESPs send. Even if we might have at one point checked the box to get Valuable Offers for More Fabulous Products Like This, now it's just more stuff in the gusher of ads. If there's a button to push to make their inboxes an ad-free zone, it really shouldn't come as a surprise that people push it.

For the minority of stuff that people do want, like the daily headlines from newspapers, or perhaps the weekly roundup of cheap plane fares, there's better ways to get them than e-mail. An RSS or Twitter feed is entirely under the recipient's control, meaning that no sleazy marketing manager can try to shove his messages to the top of My Yahoo, or to insert his feed if I didn't ask for it. If I lose interest and unsubscribe, it is gone instantly, permanently, and reliably. If I were a mail manager, I would be delighted to push the no-ESP button, then show a few of my users how to set up feeds for the trickle of stuff they really want, because now the management burden is on them, not on me.

For ESPs, if there is any argument whatsoever about whether recipients want your mail, you lose. Yes, it's hard to read their minds and only send them what they want, but that's how competent ESPs make the big bucks.

(Several mail managers at very large ISPs wrote privately to thank me for my note and wish they had that button, but they asked me not to name them since ESPs are so excitable.)

  posted at: 16:47 :: permanent link to this entry :: 4 comments

03 Dec 2009

More fun with credit card checks Money
Three days ago I
blogged about the credit card purchase checks that Capital One sent me, that appear to be interest free 30 day loans, which means modest amounts of free money. Today they sent me more checks.

See more ...

  posted at: 01:16 :: permanent link to this entry :: 0 comments

30 Nov 2009

US court levies $15 million fine against spammer Email

Earlier this year, the New Zealand Department of Internal Affairs, the US Federal Trade Commission, and the Australian CMA broke up a large fake drug spam ring known as Herbal Kings, run by New Zealander Lance Atkinson. The NZ government fined him NZ$108,000 (about US$80,000) which, while a substantial fine, seemed pretty small compared to the amount of money he must have made. But today, at the FTC's request a US judge fined Atkinson US$15.5 million, and got his US accomplice Jody Smith to turn over $800,000, including over $500,000 in an Israeli bank. This is the largest spam fine I'm aware of, and the $500,000 is one of the largest international recoveries. Atkinson hasn't paid the $15M, but since he is in jail, it seems reasonably likely that the various governments will be able to track down his assets by the time he gets out.

Spammers are in it for the money, and to the extent they can keep what they get, they'll keep spamming. Fines that wipe out the profits, and in particular fines that can actually be collected are essential if we're going to make any progress against spam.

Fortunately for the FTC, Herbal King's spam was sloppy, with faked headers and broken opt-out links, which are among the few things that the weak CAN SPAM law forbids. If the spammers had been more careful, the fake drugs would still be illegal, but it would have been harder to prosecute them in the US since CAN SPAM wouldn't have applied.

You can read the NZ release on the CAUCE web site and the FTC release on the FTC's web site. I assisted the NZ government as a technical expert, providing advice to the court explaining how Atkinson's actions matched what the law forbids.

  posted at: 12:43 :: permanent link to this entry :: 0 comments

Fun with credit card checks Money
I have a Capital One Visa card that I haven't used in a long time. Every few months they send me cash advance checks, and I can see their increasing desperation as the terms of the checks keep getting better. The usual deal is a 2% or 3% transaction fee when you write the check, then they charge interest starting the day you write the check at a rate which on my account would be 24.9%. These are such an awful deal that rather than dropping them in the recycling bin at the post office, I bring them home and shred them. A few months ago they started sending checks offering no transaction fees, which improved them to merely undesirable, but a few weeks ago they sent me a set with no fees and small print on the back of the letter saying they "Are treated as purchases according to the terms and amendments of your Customer Agreement." Hmmn.

See more ...

  posted at: 01:06 :: permanent link to this entry :: 1 comments

19 Nov 2009

A thought about not-quite-ASCII Top Level Domains ICANN

ICANN has opened their new fast track process for "countries and territories that use languages based on scripts other than Latin" to get domain names that identify the country or territory in its own language. It's not clear to me what the policy is supposed to be for countries whose languages use extended Latin with accents and other marks that aren't in the ASCII set.

Any country that uses an extended Latin character set can use extended characters in 2LDs right now, and I can't offhand think of any whose current unaccented two-letter ccTLD isn't an adequate mnemonic for their name. But let's say that Serbia feels that .RS is kind of lame, so they apply for and get .Србија which is perfectly reasonable, since that's the Cyrillic character set.

Then Romania decides that .RO is too generic, so they ask for .România with the circumflex over the â, as it is properly spelled in Romanian. That's an IDN, so how can they say no?

Hey, say the Hungarians, they got their country names, we want .Magyar. Oh, no, that's ASCII, that will be $185,000 and a highly uncertain multi-year process. Really?
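The technical line the post is poking at is whether a label survives IDNA conversion unchanged. As an added illustration (this is example code, not anything from the post or from ICANN), Python's built-in `idna` codec produces the ASCII form a registry would actually put in the DNS: a label that is already ASCII comes back as itself, while anything with a non-ASCII character, one accented letter or a whole Cyrillic word alike, comes back as an `xn--` A-label. The `classify_label` and `round_trips` helpers are my own names.

```python
"""Added example: classify a proposed TLD label as plain ASCII or an IDN by
running it through Python's built-in IDNA codec (IDNA 2003, which case-folds).
Not from the post; the helper names are made up for this illustration."""


def classify_label(label):
    """Return (kind, a_label): kind is 'ascii' if the label needs no IDNA
    encoding at all, 'idn' if the DNS form is an xn-- A-label."""
    label = label.lstrip(".").lower()          # accept ".România" or "România"
    a_label = label.encode("idna").decode("ascii")
    if a_label.startswith("xn--"):
        return "idn", a_label
    return "ascii", a_label


def round_trips(label):
    """Sanity check a registry would do: the A-label decodes back to the U-label."""
    u_label = label.lstrip(".").lower()
    return u_label.encode("idna").decode("idna") == u_label


if __name__ == "__main__":
    # The three names from the post: Cyrillic, extended Latin, plain ASCII.
    for proposed in [".Србија", ".România", ".Magyar"]:
        kind, a_label = classify_label(proposed)
        print(f"{proposed:12} -> {kind:5} {a_label}")
```

Running it shows that .România and .Србија both land in the `xn--` bucket while .Magyar does not, which is exactly the distinction the fast track draws: the process keys on the encoding, not on whether the name is "in the country's own language".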

  posted at: 01:17 :: permanent link to this entry :: 2 comments

09 Nov 2009

The Tempest in the TLD Teapot ICANN

At its recent meeting in Seoul ICANN announced with great fanfare that it's getting ever closer to adding lots of new Top Level Domains (TLDs). Despite all the hype, as I have argued before, new TLDs will make little difference.

There are two mostly separate kinds of new TLDs. One is TLDs for countries in non-ASCII character sets, known as IDNs. They're much less controversial, and ICANN will soon issue at least a few politically expedient ones like .中国 with the name in Chinese which would be equivalent to .CN. This is the only real TLD problem, it was waiting for technical specs and implementation (not from ICANN), but that is now largely done.

The controversial issue is domains with random new names, gTLDs. I agree with my old friend Lauren Weinstein that this is a tempest in a very expensive teapot, because all of the purported reasons that people want new TLDs have been proven false, and the one actual reason that a new TLD would be valuable has no public benefit.

See more ...

  posted at: 00:37 :: permanent link to this entry :: 4 comments

08 Nov 2009

How do you do secure bank transactions on the Internet? Money
Banks love it when their customers do their transactions on line, since it is so much cheaper than when they use a bank-provided ATM, a phone call center, or, perish forbid, a live human teller. Customers like it too, since bank web sites are usually open 24/7, there's no line and no need to find a parking place. Unfortunately, crooks like on line banking too, since it offers the possibility of stealing lots of money. How can banks make their on line transactions more secure?

See more ...

  posted at: 22:34 :: permanent link to this entry :: 8 comments

25 Oct 2009

How do you test spam filters? Email

(Thanks to Chris Lewis for permission to adapt this)

Everyone who uses e-mail needs spam filtering, and some filters definitely work better than others. Some people we know were trying to design tests of filter quality, which turns out to be extremely difficult.

What one might call 'filtering quality' assessment should be the very very last step after "does it have the features I want?", "does it install/is it supported/supportable?", "does it crash?", "does it make lots of stupid mistakes?", "is it likely going to compare favorably with what we already have?".

You have to do the latter before the former. The latter is relatively easy. The former is what people keep asking about, and is the really really hard part to do right.

See more ...

  posted at: 00:24 :: permanent link to this entry :: 0 comments

07 Oct 2009

The Internet Archive Really Is Reliable

A recent message in the Risks Digest called Risks of believing what you see on the WayBack Machine claims that:

I have now encountered 2 legal cases in 3 months in which a plaintiff saw images on the WayBack Machine and believed that they indicated events in the past that never happened.

This is a big deal in legal circles, since the archive is widely used in court cases to show the state of a web site at a given time, which can be critical in, for example, cases where the site shows prior art for a patent or infringing copies of copyrighted material. If the archive entries aren't reliable, all of these cases are thrown into doubt. Needless to say, it would be many defendants' dream come true if courts were to stop accepting archived copies.

I have analyzed the material cited in the article and find that the archive is fine, and his claims to the contrary are somewhere between disingenuous and deliberately misleading. Here's why.

See more ...

  posted at: 21:31 :: permanent link to this entry :: 0 comments

21 Aug 2009

Helping banks fight phishing and account fraud, whether they like it or not Email

On Wednesday, Project Honey Pot filed an unusual lawsuit against "John Does stealing money from US businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam." Their attorney is Jon Praed of the Internet Law Group, who is one of the most experienced anti-spam lawyers around, with whom I have worked in the past.

The goal of this suit is to identify the criminals behind a vast amount of theft through the ACH, the Automated Clearing House that handles direct deposits and electronic payments in the US. The pattern is that the bad guys install malware on the PC of company financial officers, and use it to make ACH transfers to money mules who then wire it out of the country.

Although the primary target of this suit is the crooks, an equally important subsidiary target is banks, who have consistently stonewalled attempts to learn about the extent of the losses, the details of the scam, and what the banks are doing to deter it.

Bank stonewalling is not a new problem. Adam Brower wrote about his experience with one of them:

I can supply some perspective from my own experience. I noticed the article today, too, and spent some time nodding my head and clucking over my morning coffee.
For nearly a year, two years ago, I made it my personal mission to convince just one bank to aggressively pursue just one phisher. I did this, by the way, not as a representative of any anti-spam project, but as a citizen. I encountered the expected silence from a majority of the executives with whom I attempted to establish contact. From a very few others, I received polite thanks for my interest, advice to contact LEO, and from two of them, invitations to open accounts!
After months of such wheel-spinning, a door seemed to open. I received a thoughtful reply from a mid-level executive at a major New York-based bank. We exchanged emails for three weeks. After he accepted my very weak bona fides (I am, after all, far from expert in these matters, my sole strengths being doggedness and an occasional way with language) I sent him links to the wealth of investigative data available on the web, samples of phishing spam targeting his institution, background info on the rockphish phishing package et al., and he lapped it up. I was astounded that so much of this was apparently news to a man in his position. We spoke on the phone three times, each time ending with agreement that the bank's enormous resources could and should be brought to bear against the crooks who were victimizing its customers and costing it unreported millions in losses each year. During the last call, he informed me that he intended to whiteboard, at a coming meeting, the entire body of stuff I had sent him, and to propose forming an internal task force to gather evidence against the malefactors and to contact and interface with LEO. Naif that I was, I was surprised when he hinted that there was institutional reticence when it came to providing reports of compromises to LEO. It's obvious to me now that the last thing in the world a big bank wants announced is the scale of their losses in this context, or the number of intrusions, but he seemed determined to stir the pot.
Subsequently, two weeks passed without a word. Email went unanswered. One day I called the office number on which we had spoken earlier. I was informed that Mr. Doe had left the firm. Later, when I tried again, I was told that no-one by that name had ever worked there. Whether our conversations and his (supposed) departure were connected, who knows? Maybe he just decided to take his golden parachute, but it certainly could read like something from a Ludlum novel.

  posted at: 16:26 :: permanent link to this entry :: 0 comments

16 Aug 2009

Are phishing and malware separate threats? Email

Phishing is when bad guys try to impersonate a trusted organization, so they can steal your credentials. Typically they'll send you a fake e-mail that appears to be from a bank, with a link to a fake website that also looks like the bank. Malware offers another more insidious way to steal your credentials, by running unwanted code on your computer that watches the keystrokes you type, the mouse clicks you make, and the windows that appear on your screen, sends them back to bad guy HQ, and even adds or substitutes its own keystrokes and mouse clicks in a way that you can't easily detect.

I like Verisign's characterization of this kind of malware as an insecure endpoint, the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it. There's no question that straight phishes and malware are different problems, but they attack the same customers toward the same ends, and a lot of popular security strategies like those keyfob tokens that generate a different random number every minute are equally ineffective against both. There's also some overlap in implementation, e.g. phishes that direct you to a website that downloads malware.

We can usefully distinguish between offline and online attacks. An offline attack steals credentials for use later, while an online attack sits between you and the bank and does bad stuff in a session after you set it up. Offline attacks are deterred by changing the credentials from one session to the next. The keyfob is one expensive way to do it, but there are others. Most of my non-US bank accounts have two passwords where the bank only asks me for three randomly chosen letters of the second password each time I log in. I gather some European banks send their customers a printed list of one-time passwords, and you use one and cross it out each time you log in.

None of these are effective against online attacks, since the bad guys have a proxy that asks you the real questions from the bank and passes back your real answers, setting up a real session. The problem is that there's an insecure endpoint, either a malware infected PC on your desk, or the proxy which you think is the bank and the bank thinks is you.

The solution either way is to switch to a secure endpoint. That's why I have suggested a hardware USB confirmation dongle with a screen and YES/NO buttons, where you set up the transaction on the insecure PC but the dongle has an encrypted connection to the bank, so the display on its screen and your push of the YES or NO button are secure. Another possibility is a confirmation phone call to a phone which is physically separate from your PC, where it reads you the transaction, and you press 1 for yes or 2 for no. (Attention Users! Do not use a softphone on your PC for confirmations!)
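The offline/online distinction and the secure-endpoint fix above can be made concrete in a small model. The following is an added example, not code from the post or from any bank: a toy `Bank` that logs you in with three randomly chosen letters of a second password (per-session credentials, so a captured answer is useless later), a relaying proxy that is logged in by the customer's own real answers and then submits a transfer of its own, and a `Dongle` with its own key and screen whose signed YES the bank requires before executing anything. The password, the `DONGLE_KEY`, the `mule-account` payee and all the function names are made up for the illustration; the dongle's "encrypted connection to the bank" is modelled as an HMAC over the transaction details rather than a full channel.

```python
"""Added example: a constructed model of offline vs online attacks on bank
login and of the secure-endpoint (dongle) confirmation the post proposes.
Not the post's code; every name and key here is made up for the demo."""
import hashlib
import hmac
import random

PASSWORD = "stampforge"                 # constructed second password, all letters distinct
DONGLE_KEY = b"constructed-dongle-key"  # assumed: provisioned into the dongle by the bank


class Bank:
    def __init__(self, password, seed=1):
        self.password = password
        self.rng = random.Random(seed)  # seeded only so the demo is repeatable
        self.sessions = {}              # session id -> {"positions", "ok"}
        self.recent = set()             # challenges already handed out
        self.ledger = []                # executed transfers

    def challenge(self):
        """Offline defence: ask for three letters at positions not used before."""
        while True:
            pos = tuple(sorted(self.rng.sample(range(len(self.password)), 3)))
            if pos not in self.recent:
                break
        self.recent.add(pos)
        sid = len(self.sessions) + 1
        self.sessions[sid] = {"positions": pos, "ok": False}
        return sid, pos

    def login(self, sid, answer):
        s = self.sessions[sid]
        expected = "".join(self.password[i] for i in s["positions"])
        s["ok"] = hmac.compare_digest(expected, answer)
        return s["ok"]

    def transfer(self, sid, payee, amount):
        """Plain transfer: anything a logged-in session asks for is executed."""
        if not self.sessions[sid]["ok"]:
            return "rejected: not logged in"
        self.ledger.append((payee, amount))
        return "done"

    def transfer_with_confirmation(self, sid, payee, amount, dongle):
        """Secure-endpoint transfer: executed only on a signed YES from the dongle."""
        if not self.sessions[sid]["ok"]:
            return "rejected: not logged in"
        msg = f"{sid}:{payee}:{amount}".encode()
        tag = hmac.new(DONGLE_KEY, msg, hashlib.sha256).hexdigest()
        reply = dongle.confirm(msg, tag)  # travels over the dongle's own link, not the PC's
        want = hmac.new(DONGLE_KEY, b"YES:" + msg, hashlib.sha256).hexdigest()
        if reply is not None and hmac.compare_digest(reply, want):
            self.ledger.append((payee, amount))
            return "done"
        return "rejected: not confirmed"


class Dongle:
    """Separate device with a screen and YES/NO buttons; the PC never holds its key."""

    def __init__(self, person_approves):
        self.person_approves = person_approves  # stands in for the human reading the screen

    def confirm(self, msg, tag):
        if not hmac.compare_digest(hmac.new(DONGLE_KEY, msg, hashlib.sha256).hexdigest(), tag):
            return None                          # not from the bank: show nothing
        _sid, payee, amount = msg.decode().split(":")
        if self.person_approves(payee, int(amount)):  # what the screen shows, not what the PC says
            return hmac.new(DONGLE_KEY, b"YES:" + msg, hashlib.sha256).hexdigest()
        return None


def answer_challenge(positions):
    """What the customer types on the (possibly infected) PC."""
    return "".join(PASSWORD[i] for i in positions)


def offline_replay(bank):
    """Captured answer from one session reused later: fresh positions, wrong letters."""
    sid1, pos1 = bank.challenge()
    captured = answer_challenge(pos1)
    bank.login(sid1, captured)                   # the real customer's session
    sid2, _ = bank.challenge()
    return bank.login(sid2, captured)            # False: per-session credentials hold


def online_proxy(bank, amount, dongle=None):
    """Insecure endpoint: the real challenge and answer are relayed, then the
    logged-in session is used for a transfer to a payee the customer never chose."""
    sid, pos = bank.challenge()
    bank.login(sid, answer_challenge(pos))       # the customer logs the proxy in
    payee = "mule-account"                       # constructed, stands for the altered payee
    if dongle is None:
        return bank.transfer(sid, payee, amount)
    return bank.transfer_with_confirmation(sid, payee, amount, dongle)
```

With `dongle=None` the proxy's transfer goes through: the bank can only tell that it is talking to a logged-in session, which is the post's point that per-session credentials do nothing against an online attack. With a `Dongle` whose callback approves only the payee and amount the customer actually meant, the rewritten payee is what appears on the dongle's screen, the person presses NO, and the bank rejects the transfer. Note the model's `challenge` refuses to reuse positions; a bank that does reuse them makes partial passwords a deterrent rather than a guarantee, which matches the post's wording.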

It seems to me that although the details are different, the fundamental problems and solutions are very similar, so it makes sense to consider them together.

  posted at: 22:49 :: permanent link to this entry :: 2 comments

09 Aug 2009

Why can't we make the Internet secure?

In a discussion about a recent denial of service attack against Twitter, someone asked

Some class of suppliers must be making money off of the weaknesses. Anybody out there have a prescription for the cure?

Sure, but you're not going to like it.

See more ...

  posted at: 13:54 :: permanent link to this entry :: 1 comments

04 Aug 2009

Verisign fires back at CFIT and sets a trap for ICANN ICANN
Last month the Ninth Circuit
revived CFIT's anti-trust case against Verisign. On Thursday, Verisign filed a most interesting petition for rehearing.

See more ...

  posted at: 22:31 :: permanent link to this entry :: 0 comments

13 Jul 2009

How unconscionable is the profit that Verisign makes from its registry? ICANN
Verisign makes a great deal of money from the .COM and .NET registries. Can we tell how much they make, and how much that might change if the
CFIT lawsuit succeeds? It's not hard to make some estimates from public information.

See more ...

  posted at: 05:57 :: permanent link to this entry :: 0 comments

04 Jul 2009

Three myths about DKIM Email
The DKIM standard has been out for two years now, and we're starting to see some adoption by large mail systems, but there's still a lot of misunderstanding about what DKIM does and doesn't do.

See more ...

  posted at: 21:17 :: permanent link to this entry :: 6 comments

02 Jul 2009

What are TLDs good for? ICANN
Yesterday I said that the original motivations for adding new TLDs were to break Verisign's monopoly on .COM, and to use domain names as directories. Competitive registrars broke the monopoly more effectively than any new domains, and the new domains that tried to be directories have failed. So what could a new TLD do?

See more ...

  posted at: 22:26 :: permanent link to this entry :: 2 comments

01 Jul 2009

Who needs more TLDs? ICANN
ICANN's Sydney meeting has come and gone, with the promised flood of new top-level domains claimed to be ever closer to reality. Does the world need more TLDs? Well, no.

See more ...

  posted at: 20:01 :: permanent link to this entry :: 0 comments

05 Jun 2009

Appeals Court revives the CFIT anti-trust suit against Verisign ICANN
Back in 2005 an organization called the Coalition for Internet Transparency (CFIT) burst upon the scene at the Vancouver ICANN meeting, and filed an anti-trust suit against Verisign for their monopoly control of the .COM registry and of the market in expiring .COM domains. They didn't do very well in the trial court, which granted Verisign's motion to dismiss the case. But yesterday the Ninth Circuit reversed the trial court and put the suit back on track.

See more ...

  posted at: 18:56 :: permanent link to this entry :: 0 comments

Fight phishing with branding Email
Phishing, the theft of personal information by impersonating a trusted organization, is a big problem that's not going away. Most antiphishing techniques to date have attempted to recognize fake e-mail and fake web sites, but this hasn't been particularly effective. A more promising approach is to brand the real mail and real web sites.

See more ...

  posted at: 08:10 :: permanent link to this entry :: 3 comments

15 May 2009

Don't mess with the Manx ICANN
[A triskelion] I got a note from a college friend via Facebook yesterday, telling me about the clever domain. Gee, it looked just like Facebook, like, you know,
a phish. Uh oh.

See more ...

  posted at: 07:23 :: permanent link to this entry :: 0 comments

06 May 2009

A "G12" to oversee ICANN? Not likely ICANN
Viviane Reding, the Information Society and Media Commissioner for the EC, posted a
video blog this week noting that the JPA between ICANN and the US Department of Commerce ends this September. In it she proposes that ICANN be overseen by a "G-12 for Internet Governance" with 12 geographically balanced government representatives from around the world. That's such a non-starter that I'm baffled that she would even propose it.

See more ...

  posted at: 17:37 :: permanent link to this entry :: 1 comments

24 Apr 2009

Canadian government finally files an anti-spam law Email

Press reports say that the Canadian government introduced an anti-spam bill in the House of Commons today. I haven't had a chance to read it yet, but since it's reportedly based on the recommendations in the report from the 2005 task force, of which I was a member, signs are encouraging. I'll write more once I've had a chance to digest it.

  posted at: 17:27 :: permanent link to this entry :: 1 comments

31 Mar 2009

The Jaynes case is finally over Email

Last September the Virginia Supreme Court issued a surprise ruling that reversed its previous decision and threw out the state's anti-spam law on First Amendment grounds. The Commonwealth made a last ditch appeal to the US Supreme Court, which I predicted they'd be unlikely to accept. I guessed right, they turned it down yesterday, meaning the case is finally over.

Due to the peculiar facts and history of this case, the decision would be unlikely ever to affect anyone other than Jaynes, and he's still in jail on other charges, so in the big picture it's just a blip. I thought the VA legislature had already passed a revised law that fixed the first amendment problem, but apparently not, since the state Attorney General says he's drafting a new law for next year's session. Even that's not all that important, since state laws are tightly constrained by CAN SPAM, and can only make things that are already illegal under CAN SPAM more illegal. The most useful difference a state law can make is to leave out the CAN SPAM language about awarding costs which makes a losing CAN SPAM suit potentially very expensive to the plaintiff.

  posted at: 16:30 :: permanent link to this entry :: 0 comments

17 Mar 2009

How hard is it to deploy DKIM? Email
It's coming up on two years since the DKIM standard was published. While we're seeing a certain amount of signed mail from Google, Paypal, and ESPs, there's still a long way to go. How hard is it to sign your mail with DKIM?

See more ...

  posted at: 08:35 :: permanent link to this entry :: 2 comments

22 Feb 2009

Does reading software turn a book into an audiobook? Copyright Law
Amazon recently released a new version of their popular Kindle e-book device. One of the improvements is that it includes text-to-speech software that can read an e-book aloud in a robotic voice. The Authors Guild, the main trade association of book authors, immediately
claimed it infringes the author's copyright, by making an audiobook version of the book it's reading aloud. That's ridiculous.

See more ...

  posted at: 12:39 :: permanent link to this entry :: 0 comments

04 Feb 2009

ICANN blows $4.6 million in the stock market ICANN

If you visit the new dashboard on ICANN's web site, you see some nice bar charts, including one rather large negative number of $4,462,000. If you click the little arrow at the top of the Financial Performance chart, a footnote window pops open where the last sentence is:

The large variance to budget is due to investment losses of $4.6 mil.
Investment losses? Yup, ICANN's been speculating in the stock market, and has lost $4.6 million, or to put it in concrete terms, the 20 cent fee from 23 million domain registrations.

See more ...

  posted at: 08:44 :: permanent link to this entry :: 0 comments

24 Jan 2009

What is a Workout? Money

A friend asked:

Apparently the mortgage holders today are not the loan originators and therefore have little incentive to deal, or should I say workout, one-one with consumers. Can [someone] provide some comments on workout to help clarify the concept?
Workouts are a normal part of bank lending, because foreclosing (or the equivalent) is very expensive, and the bank is often better off agreeing to a smaller or longer loan and actually getting paid.

See more ...

  posted at: 13:47 :: permanent link to this entry :: 0 comments

02 Jan 2009

Who pays for e-mail ? Email

An acquaintance wondered why the people who run the systems that receive mail get to make all the rules about what gets delivered. After all, he noted:

The sender pays for bandwidth and agrees to abide by the bandwidth provider's rules.

See more ...

  posted at: 22:31 :: permanent link to this entry :: 3 comments

© 2005-2024 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.