Apache Rejects Sender ID 351
hexene writes "In an open letter to the IETF MARID Working Group, the Apache Software Foundation has rejected the patent-encumbered Sender ID specification. This means no Sender ID support for SpamAssassin, Apache JAMES, etc. They state that the current license is generally incompatible with open source, and contrary to the practice of open Internet standards."
Hoody Hoo! (Score:5, Insightful)
Good start... (Score:5, Insightful)
Wishful thinking? Probably, but a boy can dream...
Oh really? (Score:4, Insightful)
Funny, I thought Apache supported these things called modules that allowed you to extend Apache.
Just because it doesn't come from the Apache Foundation doesn't mean it wont happen.
Re:MSFT doesn't care about Apache. (Score:4, Insightful)
I had so much hope (Score:5, Insightful)
With the rejection by Apache, hopefully the rest of the FOSS will follow and then the industry at large.
What a suprise! (Score:5, Insightful)
Is any really surprised that MS is trying to build it's patent arsenal around such things? And of course they want to do it quickly because it's much easier to get something underhanded accepted quickly. (PATRIOT Act anyone?)
We are also concerned by the rush to adopt this standard in spite of technical concerns, lack of experience in the field, and a lack of consensus in the IETF MARID WG.
I think again Open Source groups show their strength by not allowing such tactics to take place without notice. It also shows that many major groups are very aware of how the game is being played.
Go Apache foundation! (Score:2, Insightful)
Re:Good for them, but not far enough. (Score:5, Insightful)
Re:First Post! (Score:3, Insightful)
Encumbered Standards (Score:5, Insightful)
Re:MSFT doesn't care about Apache. (Score:5, Insightful)
Re:Good for them, but not far enough. (Score:3, Insightful)
Obviously you have a beef with SPF. I seem to have missed it. So where's the beef?
Re:Good for them, but not far enough. (Score:5, Insightful)
SPF will not only stop spammers, but will stop (or at least prevent) people and worms from spoofing the from address *sent from _everywhere_* to claim to be from a user@domain they do not own. I do not want spammers or anyone to claim to be from my domain (or my legit email address even), and have angry letters accusing me of letters I did not send.
If you have your machine hacked, or running a mail relay by accident, you should have secured those equipments, and if you had anything important on it (eg. financial records), you probably have much bigger concerns, like identity theft.
Yes, I know, we are supposed to check the email headers, but most home users are completely ignorant of those features.
Re:Hoody Hoo! (Score:5, Insightful)
Re:In case you don't follow M$'s every move like m (Score:3, Insightful)
isn't a bit early to be calling it a standard?
especially if apache is rejecting it.
Re:Oh really? (Score:3, Insightful)
Some do and some don't just like everybody else. Of course, some people would argue that a strong social conscience has more to do with things like poverty, war and the like than it does with the GPL.
Re:MSFT doesn't care about Apache. (Score:2, Insightful)
Be original (Score:2, Insightful)
Re:Hoody Hoo! (Score:4, Insightful)
Re:In case you don't follow M$'s every move like m (Score:3, Insightful)
Re:We've seen this before... (Score:3, Insightful)
Re:Hoody Hoo! (Score:5, Insightful)
Don't be a tool. The ASF doesn't gives a damn who created the freakin' standard. The fact is, it's patent encumbered. Period. And, as a result, they refuse to implement it. This shouldn't be at all surprising. Frankly, I think it's down right ridiculous that the IETF is willing to consider a standard that's patent encumbered. But, hey, who wants a free, open Internet?
Re:MSFT doesn't care about Apache. (Score:4, Insightful)
And getting a few of the big players onboard with MS isn't going to do jack. The top dozen big ISPs are a drop in the bucket in the email system world-wide. Sure they are the biggest ISPs but that doesn't mean their userbase makes up the majority on the 'Net.
Re:Good for them, but not far enough. (Score:3, Insightful)
SPF is only useful to end users who can be fooled by forged text headers. It was created to help stop phishing and provide some kind of reputation protection. It's ridiculous that people who should know better co-opted it as a "spam solution" and are willing to break legitimate uses of SMTP to see it adopted, without seeming to even reale the leverage it hands big ISPs.
Look at it another way? (Score:5, Insightful)
What about us users who are behind the MS mail solutions? I have addresses on both sides of the coin and to think the Microsoft won't let me get mail because someone didn't use their patented technology is crazy....
I know they are trying to ram it through committee, but have they really thought about this? It's crazy. They already put most of my mail in the "Bulk" folder with hotmail, even if it is sent from a friend. And technology is slow to adapt, yet they've already made the announcement that they will not take mail without Sender ID after October 1st (I believe). Who here still uses HTML tags like We were supposed to drop that years ago. It still renders though.
We all hate spam but a "magic bullet" will only kill e-mail altogether IMHO. I've missed out on money actually because something gets marked as spam but I needed it for "business". Let me setup my own spam filters or let me weed through it.
Either way, I resent corporations like Microsoft and even Yahoo getting into the mix and removing me from the situation.
It's easy, don't give out your address. Don't click on links in e-mail that are so long they look like encryption keys. Don't allow images to load (easy with Thunderbird + Sygate Personal Firewall in XP and most webmail). Don't sign up for a freeipod (I want to post my referral link, so bad too.)
Re:Hoody Hoo! (Score:3, Insightful)
So? Arent there plenty of boards where people
1) Love MS or 2) Hate open source?
The internet is a big place. You could always hang out at gotdotnet or any of the thousands of MS sponsored blogs if you want to be filled with pro MS propaganda.
Media issues (Score:5, Insightful)
Firm positions like this must be applauded and upheld, but once again we also need other professionals to help get the voice out about the truth. We shall not be fanatical, but I humbly believe it is clear Microsoft is not being transparent in this and that does not bode well for the Internet as we've come to know it.
Re:MSFT doesn't care about Apache. (Score:3, Insightful)
There are 56 Million domain names in existence [netcraft.com] (22 million of them active). 70% of these domain names are hosted with Opensource software and hence use Opensource mailservers (for the most part).
MS needs buy-in from the Opensource community or their market share will continue to slip.
Re:I don't see the problem.. (Score:5, Insightful)
Re:Hoody Hoo! (Score:2, Insightful)
Re:I don't see the problem.. (Score:3, Insightful)
Lawrence Rosen had this to say:
In other words, Microsoft's license is not compatible with Open Source. Open source projects are not allowed to re-distribute the license to end users, unless they obtain a special license from Microsoft. If Apache did this, then you downloaded the Apache product and gave a copy to a friend, you would be infringing on Microsoft's patent because you don't have permission from Microsoft to sublicense their patent. Clearly this creates a completely unworkable situation with respect to Open Source software. Only authorized sites (authorized by Microsoft) would be allowed to distribute software which includes this IP. But, you are correct -- the license is 'royalty-free'. Just understand what strings are attached, and under which circumstances you may end up in jail, or paying huge fines...This puts way too much power in the hands of a single company, given that email is a piece of core internet infrastructure. This isn't even proven technology yet, but for some reason there is this rush to get this through the IETF.
Re:Hoody Hoo! (Score:3, Insightful)
You don't suppose that's got anything to do with the behavior of some proprietary vendors, specifically Microsoft?
You'll note that there are numerous other major players in IT who don't get the same kind of attention. Nobody is without criticism, of course. But how much bashing does, for example, Cisco get around here despite their market position in networking gear?
Microsoft reaps what it has sown.
Why does this matter? (Score:5, Insightful)
Spam is a social problem, and the behaviour that needs to be attacked is the broadcast unsolicited messaging process itself. Any bulk or broadcast communication that the recipient is not in control of (they didn't directly solicit it, or it's not relevant mail from someone they have an ongoing and clear relationship with) has to be explicitly illegal.
Mandate Sender-ID or SPF, and spammers will sign up and continue to spam. Mandate tagging, and spammers will tag and spam *and* people who aren't spammers will be unsure and tag as well... and their mail will be filtered out.
This is already happening, in both cases.
So, it doesn't matter whether anyone implements this technology or not, it's irrelevant to the problem people are hoping it will solve.
Please mod parent back up (Score:5, Insightful)
RMS is entirely accurate when he says that Microsoft's is probably aiming to control anti-spam tools by controlling who can develop to the standards.
You may or may not support Microsoft's right to attempt to control a market. What you should not do is ignore the impact such control would have.
Open source and free software has proven to be a significant balancing force in the push for better and cheaper IT. Microsoft have done an excellent job in lowering the cost of certain kinds of software, mainly the user front-ends. Open source and free software have handled the back-ends - the servers - better than anything produced by any company, anywhere.
Spam is not a front-end issue. Locking anti-spam standards into a Microsoft-dominated front-end will make much money for some people but will ultimately end in a monopoly control of email, almost certainly built to the usual Microsoft standards: pretty, charming, and totally insecure.
The IETF is composed of individuals, each with their agendas. Many IETF members work from principle, but many others are paid for their work, and paid by companies with serious commercial interests in the outcome.
It's easy to mock RMS: he is sincere and outspoken. But it is misplaced. RMS is a prophet in the true sense of the word: he has had a vision of the way software should be made, and he has defined a way for this to happen.
Naturally some commercial interests detest him. But it's wrong: cheaper software means opportunity for everyone, especially commercial software firms. The world has an endless appetite for pretty, seductive front-ends.
They just should not be doing anything really, vitally important.
And that includes filtering spam.
Re:Sendmail what is your move now?? (Score:2, Insightful)
Re:Hoody Hoo! (Score:2, Insightful)
That is what I am talking about...when MS does something bad blast them, but when they do something good give them some credit...
We Need An Open Source Solution To A Closed Source (Score:4, Insightful)
The majority of spam is now sent by zombied Windows PCs. Windows insecurity is now a large part of the spam problem. [eweek.com]
It sure looks like Microsoft sold PC users the problem, and now they want to sell us the solution. Should we really encourage OS insecurity by paying for the fix to a problem that never should have been?
SPF is teh win (Score:3, Insightful)
Everyone's just gonna dump Sender-ID and implement classic SPF records. This whole marid/sender-id thing is ridiculuous, and smart reasonable people know that classic SPF is unencumbered, extremely simple, and does the job just fine. This popular opinion is evidenced by how quick and widespread the adoption of classic SPF has been to date. I suspect eventually we'll see dns servers implementing a custom record type for SPF to replace the current TXT records, but other than that, you don't really need anything else.
Classic SPF = no forgeries. As it's use becomes more widespread, eventually there will come a breaking point in time where "everyone" knows that when they set up an email server and make theri MX record, they better make an SPF record while they're at it too - and most people will reject email that hasn't passed SPF checks.
It doesn't directly stop spam, but it makes spam accountable, which is a large step in the right direction.
Re:Good for them, but not far enough. (Score:2, Insightful)
Sender-ID was never about stopping spam (Score:2, Insightful)
This is all about stopping forgery of the From: for domains that have registered their Sender-ID or SPF records. Spammers can still register a domain with authorization for any or all mail servers that they want, and continue sending out spam from zombied systems to their blackened and smoking hearts' content. They can continue to send spam for any other domains that allow forgery, like for alumni accounts or other drop box domains.
Sender-ID is only designed to stop phish-ing emails. So if you get an email from citibank.com, you can be reasonably sure it came from somebody at citibank.com, and not some guy's home pc, as long as citibank.com set up their records appropriately. That's all.
BTW, the reason the IETF is considering Sender-ID over SPF, is because it is highly probable that Microsoft can sue SPF out of existence.
This isn't meant to stop spam. This has nothing to do with stopping spam.
Why does the IETF need to be told this? (Score:3, Insightful)
Finally, as developers of open source e-mail technologies, we are concerned that no company should be permitted IP rights over core Internet infrastructure. We believe the IETF needs to revamp its IPR policies to ensure that the core Internet infrastructure remain unencumbered.
Amen to that. But why did the IETF open the door to patent-encumbered, proprietary material in Internet standards in the first place? Sounds to me as though the current IETF needs to be largely replaced.
Re:Hoody Hoo! (Score:4, Insightful)
This is a common claim directed at Microsoft critics. There is a belief that Microsoft gets attacked because of their position. And I'm sure there is a certain degree of truth to it. However, I often see this as a dismissal to ALL Microsoft criticism - or even criticisms that individuals simply don't agree with. And that, frankly, is bunk.
I'm at a disadvantage here. I didn't read either the linked article nor the
I also occasionally disagree with some of the criticisms towards Microsoft that are voiced on Slashdot. However, that doesn't mean that all the criticisms are wrong. Nor does it mean that Microsoft is even unjustly targeted. Microsoft should be criticized for actions that deserve criticism. And there is no short supply of such actions from Microsoft.
Re:Sender-ID was never about stopping spam (Score:3, Insightful)
is about forgery. Forged spam is a use case, but there never was an illusion that this would stop spam--a spammer can simply buy a $9 domain, enter a record, and send the mail. The spammer just can't send it as user@protected.example.net
any more.
But the "Microsoft can sue SPF out of existence" piece is not correct (sorry, dude!). SPF protects part of the envelope:
the bounce address coded in the RFC 2821 MAIL-FROM;
Caller-ID/Sender-ID protect the headers in the RFC 2822
message (From:, Resent-From:, and the like). They do different
things. The working group discussed which one to prioritize
and picked the latter after Meng Wong and Mark Lentczner
(SPF authors) met with the Microsoft authors (Harry Katz and
Jim Lyons); this was discussed at the MARID
Campbell interim meeting.
Both are still interesting, but killing Sender-ID in favor of
SPF, as many are now advocating means you're changing
strategy; you're fundamentally changing what you're protecting.
To go back to the main point, neither will stop spam.
Write that down.