Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Spam Your Rights Online

On Futureproofing Spamhaus 146

BMcWilliams writes "Spamhaus director Steve Linford announced a new funding plan Tuesday. According to Linford's announcement, large ISPs and big corporate users of the Spamhaus zone transfer service (renamed the Spamhaus Data Feed Service) will be required to pay an annual subscription fee ranging between $190 and $14,500.(The free public-query mirrors will continue to exist.) The point of the new plan is to ensure that 'the millions of users who rely on our anti-spam systems can be assured we'll be here for as long as spammers plague the Internet'."
This discussion has been archived. No new comments can be posted.

On Futureproofing Spamhaus

Comments Filter:
  • email (Score:2, Funny)

    by rd4tech ( 711615 ) *
    Maybe they should send an email to everyone requesting those $$$ :)
    • No Need (Score:3, Funny)

      by Robmonster ( 158873 )
      They already have access to all those emails desperately trying to give away $3.5M . They have all the funding they'll ever need....
  • Bleck. (Score:2, Interesting)

    by JNighthawk ( 769575 )
    Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.
    • Sure it'll be passed onto customers. But that's not very much money per customer.

      If you don't have to deal with spam, you will someday. And you're paying cents for the benefit of everyone. You pay for a lot of things you don't use, this won't be the first.

    • Re:Bleck. (Score:5, Insightful)

      by Eggplant62 ( 120514 ) on Wednesday June 02, 2004 @09:45PM (#9321936)
      Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.


      Heh... I love it, it shows that not too many folks understand about how Spamhaus operates, and may be relying on distant memories of the Mail Abuse Prevention System (MAPS). Both organizations, Spamhaus and MAPS, have operated on a free-to-all, volunteer-run system, accepting donations where they could be had to fund themselves. Back in July 2001, MAPS moved to a fee-based for all (except for educational and single operator systems, which could sign a waiver and have free access) model, while Steve Linford kept MAPS in its free-for-all state, where it continues to operate today.

      However, several large users, including world governments, have voiced their opinions that they love what Spamhaus has done, however, how can they rely on a free service that may not be in operation in a year or two due to legal shenanigans like what Richter is pulling against Spamcop??

      That, in a nutshell, is what's happening here. No one has ever paid to use Spamhaus other than through voluntary contributions. This changes nothing, the blocklist service and website will still remain free to all comers, and those that have large userbases that want to depend on Spamhaus as a going concern can help by paying a fee for use of a zone transfer service to their own database or dns servers.

      Simple, ain't it?? The little guys win, the big guys win, the spammers lose.
      • Very true. (Score:3, Interesting)

        by JNighthawk ( 769575 )
        I'll admit that I don't know how Spamhaus operates. However, it doesn't detract from what I said. Costs will still be forced upon me for something that I may have no use for. The government does it, but now it may be done from the private sector?
        • Cost Offsets (Score:5, Insightful)

          by quinkin ( 601839 ) on Wednesday June 02, 2004 @10:13PM (#9322086)
          In theory you are correct. In practice all ISP's will not simultaneously commence paid spamhaus subscription and increase their fees. I would imagine that some ISP's may use this, either globally or as a premium value added service. Unless you are in a monopolistic market you will be free to choose a spamhaus-free (either lacking or only free zone transfers) ISP and it's assosciated lower costs.

          Even then a lot of businesses may actually save money through reducing bandwidth costs due to spam. I hope they don't force those savings onto you... :)

          Q.

          • Re:Cost Offsets (Score:5, Informative)

            by CritterNYC ( 190163 ) on Wednesday June 02, 2004 @10:31PM (#9322168) Homepage
            In theory you are correct. In practice all ISP's will not simultaneously commence paid spamhaus subscription and increase their fees. I would imagine that some ISP's may use this, either globally or as a premium value added service. Unless you are in a monopolistic market you will be free to choose a spamhaus-free (either lacking or only free zone transfers) ISP and it's assosciated lower costs.

            Even then a lot of businesses may actually save money through reducing bandwidth costs due to spam. I hope they don't force those savings onto you... :)


            Good points. Using the Spamhaus XBL and SBL actually saves a decent-sized ISP more than its cost in a given year in bandwidth, storage and CPU cycles.

            Additionally Spamhaus is letting operators of free DNSBL mirrors continue the Zone Transfer for free. Perhaps additional ISPs will be given the option of getting the Zone Transfer for free in exchange for setting up another public mirror.
        • Re:Very true. (Score:5, Insightful)

          by grasshoppa ( 657393 ) on Wednesday June 02, 2004 @10:33PM (#9322176) Homepage
          1) Everybody has a use for this. If you are part of an organization that uses a paid for spamhaus, then you have a use for it.

          2) Spamhaus recommends organizations that get 200,000+ emails a day sign up for the service. Conservatively, I think, we can estimate that would mean 100,000 users ( some get considerably more, most not at all ). At the high end, it's 14,500 a year. So, 14500/100000 = 14.5 cents a YEAR per user. I'll give you a fiver, if you shut up about the cost for the next 30+ years about it.

          3) Say I'm way off, and the number is more like 20,000 users. That puts us at about 73 cents per year per user.

          If you really can't afford that, how the hell are you able to sit here on the internet and gripe about it?

          4) Spam, annually, costs you way more. Or, more accurately, they cost your provider more, which in turn, gets passed on to you. So what they are doing is a cost saving measure.

          So, in closing, let me say this: Stop bitching, you are wrong.
          • Comment removed (Score:5, Informative)

            by account_deleted ( 4530225 ) on Wednesday June 02, 2004 @10:45PM (#9322232)
            Comment removed based on user account deletion
            • It seems to work out around 1000 spams/user/day round here, so 200,000 spams is 200 users.

              It's still not a lot, but I know the way the beancounters think... if it's not free it must be justified, and if it doesn't have an immediate benefit then there's no chance.
              • We get about 300,000-400,000 emails a day representing about 10 spams/user/day which is much lower then you, but we've been told [by a spam software salesperson] that we have a high spam count....90% of our mail is spam.

                Spam is free for the sender, but we're required to have equipment that would have been enough for an ISP 4 times our size 5-6 years ago [numbers in the last paragraph were made up on the spot, but are meant to provide an example of cost]
            • Just for another reference, we get about 200,000 valid emails a day for around 17,000 users. We get another 700,000 or 800,000 spams a day too, but those are run through Postini [postini.com] so thankfully I never see them. I'm sure that the cost of subscribing to Spamhaus would be far less than that of acquiring 4 times our bandwidth and storage facilities plus all the time I would have to mess with that trash.
        • Do you buy insurance? You may never use it. It's private sector.
        • Re:Very true. (Score:2, Insightful)

          by whmac33 ( 524094 )
          There are a lot of things that ISPs do that you may not need. Do you have all 6-7 email addresses that a lot of them allot. Do you use your 25 mb of free web space?

          Of course if your ISP's rates go up you could always switch ISP's. I don't think these are large fees for these ISP's that need the service, especially AOL. And the reason you don't get spam at AOL is because they are already doing a lot of spam filtering.
          • My ISP is Comcast, not AOL, I just use AOL for e-mail. But that's besides the point. You're right, that they are doing spam filtering already. I don't know. This just doesn't seem right to me.
        • You say that you only get 1-2 spam...ever think that's cuz your ISP uses spamhaus (or something like it)?

        • It may be that you "have no use for" Spamhaus services because your ISP is already using them on your behalf. So you might wind up paying for something you're already enjoying.

          And of course you are still free to switch to an ISP that doesn't subscribe to the Spamhaus premium service. Spamhaus can't force you to pay for anything unless you agree to let them, perhaps implicitly by continuing to use an ISP which pays them.
        • I'll admit that I don't know how Spamhaus operates. However, it doesn't detract from what I said. Costs will still be forced upon me for something that I may have no use for. The government does it, but now it may be done from the private sector?

          You could always vote with your feet and your wallet. There have to be plenty of operators out there that will cater to what you're looking for, even if it is email that's not filtered for you in any way, shape or form. Run your own servers if that's what concer

      • by waynemcdougall ( 631415 ) <slashdot@codeworks.gen.nz> on Thursday June 03, 2004 @01:59AM (#9323102) Homepage
        However, several large users, including world governments, have voiced their opinions that they love what Spamhaus has done

        Gee, I leave my tinfoil hat off for just one lousy week and there's not just one but multiple world governments. I was just getting to grips with overthrowing a few national governments.

        Do I get to choose which world government I'm under? Given the choice I, for one, would like to welcome my new illuminati overlords.

    • I didn't read the RTFA, but it seems you didn't even read the summary! The public access lists remain, i.e. the cost is not passed down to the little guy.

      The money is only demanded from companies using SpamHaus. Much like lots of the other really good things on the internet. For example AVG antivirus is free for home users, but if you want to use it in your business, it'll cost you a fee.

      The pricing scheme looks pretty fair also, I'm guessing the lowest price is for smaller-ish businesses, while the h
      • Isn't my ISP a company that may use Spamhaus to filter e-mail?
        • Re:Right, but... (Score:3, Insightful)

          by SinaSa ( 709393 )
          You raise a good point, and yet I doubt that the cost of subscribing to SpamHaus will be passed down to you. The article mentions the maximum price as $14,500. Which would be for a company say (in relation to your example), the size of AOL.

          Even if a small ISP who can't afford to simply swallow the cost passed it down to customers, you'd only be seeing a tiny increment on your monthly bill . And by tiny I am thinking in the figure of 10 or 20 cents. Do the math.

          Small ISP "FooNet" has 1000 customers. Th
          • It gets even better. The blurb says that's annual fees. So, you'd be out an extra 19 cents a year.

            Sign. Me. Up.
          • Only if they follow actual pricing and don't inflate the charges (a la cell phone bills) to exact extra revenue from customers.

            I can easily see some ISP saying "hey, it only costs us 10 cents per user, but hey, let's add a couple of bucks to the bill to cover the inevitable paperwork, and other sundry items that we can make them think are remotely related and we'll call it a filtration surcharge."
        • .... having the people who are combatting spam effectively reduce the over al global bandwith load that spam represents, plus helping in another oblique way be getting more people aware of spam and maintaining their own computers in a safer manner. It's a win for everyone who's on the net-except the spammers.
          • I benefit, I guess. Not directly, as far as I can see. I'm not spammed badly enough for me to need a filter. However, as stated in a different reply by me, this could provide companies an excuse to raise fees by some unreasonable amount (i.e. more than $.25)
    • Re:Bleck. (Score:4, Insightful)

      by oconnorcjo ( 242077 ) on Wednesday June 02, 2004 @09:58PM (#9322007) Journal
      Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.

      Yeah I am really worried the 15 grand is going to be passed onto me from my multi-billion dollar ISP.

      I expect I will need to refinance my house to keep my internet connection.

      Spamhaus is providing a service that cuts costs for ISP's (due to savings in resources not needed for the handling of spam) so it only makes sense to throw some cash thier way in return.

      Penny pinching of the magnitude you are posting is ammusing. Next you will be saying the free coffee provided to the programmers at most ISP should be cut due to the large toll it provides on the cost to end user services (which is much more than 15 grand) or workers should provide for thier own toilet paper and soap. Cut the company softball team too! The 35 dollar's I pay for broadband is too high!

    • Re:Bleck. (Score:5, Insightful)

      by bigsteve@dstc ( 140392 ) on Wednesday June 02, 2004 @10:29PM (#9322160)
      Won't these costs just be forced down onto the customers?

      Are you suggesting that ISP customers are entitled to a service for nothing?? If customers are unhappy with a (probably tiny) increase in ISP charges to address the problem, they can always switch to a cheaper ISP ... and learn to enjoy their spam.

      I get maybe one spam e-mail a day.

      And how many extra spam e-mail do you think you would you receive if AOL stopped using the Spamhaus RBL?? (If AOL doesn't use the RBL the question is moot anyway.)

    • Re:Bleck. (Score:4, Insightful)

      by dubl-u ( 51156 ) * <<ot.atop> <ta> <2107893252>> on Thursday June 03, 2004 @12:43AM (#9322787)
      Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.

      I was just about to blast you for your apparent refusal to spend a whole five seconds thinking this through, but I see that you have an AOL address, so I'll assume your question was asked with all sincerity.

      There are several ways you benefit from this:
      • First is that you might already be benefiting. Since you currently get spam, that means that spammers have your address. Getting only one a day probably means that your ISP already is using spam filtering. How do you know that Spamhaus's databases aren't part of it?
      • Good spam filtering helps keep costs down, lowering your bills. A network engineer at a major ISP told me that if they removed their spam defenses, they'd promptly crash; they don't have the capacity to handle the doubling or tripling of mail traffic that would result. $15k per year is nothing compared to tripling your ISP's mail handling and storage capacity.
      • People will see your messages. If I turned off my filters, less then one in ten of the items in my inbox would be real mail. Without good filtering, I'd accidentally delete a lot of real messages, especially ones from unknown correspondents.
      • The people you want to communicate with will still use email. Some people, especially marginal internet users like grandparents and small children, are already starting to abandon email as a medium, despite our best efforts at keeping the spam out. Without good tools like Spamhaus's lists, more and more people will just give up on their spam-choked inboxes.
      So basically, if you use email at all, it's worth supporting the fight against spam, even if you don't personally get any at the moment.
    • Won't these costs just be forced down onto the customers? Sure, it funds Spamhaus, but why is this a good thing for a user who doesn't have to deal with spam? I get maybe one spam e-mail a day.

      Part of the reason why you get so little spam is organizations like spamhaus.

      Compare the top-end $14,500 cost of spamhaus to the $400,000 price tag for one of the highest-end routers. If Spamhaus saves MSN from buying 2 more intel servers, then they'll recover their costs.
      For the largest ISP's (we're talking t

    • Re: (Score:1, Flamebait)

      Comment removed based on user account deletion
    • NihirNighthawk@aol.com posts "I get maybe one spam e-mail a day."

      Perhaps one a day gets through the AOL spam blocking/filtering. If they turn all of that off, do you think you'll still get one per day?

    • Maybe you don't understand how this works. A relatively small number of network operators (ISP's and other businesses that get a lot of mail) drive enough queries against the Spamhaus lists that it is worthwhile for them to have a full copy locally. IF your mail provider is one such entity, they are almost cerainly already using Spamhaus' lists and so you are simply not getting all the spam aimed at you. If it is not worthwhile for your mail provider to get a data feed from Spamhaus because their users don

  • I dunno... (Score:5, Interesting)

    by c0dedude ( 587568 ) on Wednesday June 02, 2004 @09:35PM (#9321865)
    Is this a Self-Elimating Business Model?
    The point of the new plan is to ensure that 'the millions of users who rely on our anti-spam systems can be assured we'll be here for as long as spammers plague the Internet
    As they eliminate spam, spam becomes less profitable, thus decreasing the need for them. Not only that, but the less spam, the less people will request their services, as they can do it in-house. What do you guys think?

    Lets get it out of the way now....
    1. Block spam
    2. ????
    3. Profit.
    There. Are you trolls happy?
    • by Hanzie ( 16075 ) * on Wednesday June 02, 2004 @09:45PM (#9321938)
      If Spamhaus eliminated Spam, Steve Linford would be the first one dancing. He'd probably get a knighthood, but I think he'd prefer a good night's sleep.

      MS claims that Hotmail receives 2 Billion spams a day. (That's 2x10^9 to you friends across the puddle). I don't see that going away, more's the pity.

      • by Anonymous Coward
        That's more penises than you can shake a stick at.
      • by shaitand ( 626655 ) * on Wednesday June 02, 2004 @10:09PM (#9322068) Journal
        Okay, that covers my account. How much does everyone else get in their hotmail account?
        • Suprisingly, none. Well i still do, but it all gets routed to the Junk folder.

          I used to get about 6 a day, then suddenly, about 3 months ago, all the spam stop getting delivered into my inbox.

          ALL. Well i think about 1 month ago, 1 got through, but that was it.

          • Actually, Hotmail must have done something magical to reduce the spam [or maybe I accidentally set my options to reject all mail or something].

            Around the big blackout last August my friend commented that his spam in his hotmail account went down to almost nothing. I short while later, I also noticed the same thing. For an account that got 4 spams within a few hours of signing up, I can now check it once per week and maybe remove 5 spam emails. I admit I have some stuff directed to a junk folder, but I a
        • Never. Not 1 spam in Junk mail or anywhere else. Ever. Not since I first opened it 3 years ago with the sole purpose of testing how much spam I get.

          I've never publicised the email address.

          More importantly the address is obscure. I've seen /.ers offer their so-called "obscure" email addresses and I've thought them all laughably likely to be hit in a dictionary attack.

          Mine is 14 characters, mixing letters and numbers, as a sentence implying a certain head of state doing something naughty. Easy to rememe

          • I've got a 14-character alphanumeric obscure email address that I've never given anyone - but at least I don't get spam!

            Do you get any email at all?

            Spam is all about the signal to noise ratio, you know.
            • Yes I get email, but your comment:

              Spam is all about the signal to noise ratio, you know.

              is completely wrong.

              Ratios of spam, and false positives and false negatives are relevant to spam detection.

              But by and large only absolutes are relevant to amount of spam received. The fact business colleagues send me 1,000 messages a day does not change the amount of spam I receive. I would neither receive less or more spam if they increased or decreased their so-called signal.

              Spam is not proprotional to non-s

        • I think they are send to all@hotmail.com or something, I'm not sure, I don't have hotmail anymore.
    • Re:I dunno... (Score:1, Interesting)

      by gr8_phk ( 621180 )
      " Is this a Self-Elimating Business Model?"

      Yes it is. And therefore, they have a financial incentive to allow some amount of spam through. This keeps the spammers around while also letting customers know that the spam problem still exists. They'd need to play both sides to stay in business.

      Pipe-full-of-fun-kit-number-7.

      • I don't think this is a business model. I'd see SpamHaus as closer to a non-profit that will gracefully close up shop if the disease it's out to get rid of is ever cured. Until then, however, there's bills to pay and they need to post a table of suggested donations.
    • Thats backwards! Less spam means each spam that gets through is more profitable. If a user received only a few spam a week, the user is much more likely to read the spam instead of trashing it. This is why spam can never be eliminated, only reduced.
  • it'll help in 2 ways (Score:2, Interesting)

    by Xiph ( 723935 )
    Make it a paid for service, so you can't sue for being on the list
    or to provide money as a cushion against suits? and hurt in one, if you're a corporate bulk user (not bulk like that) you'll pay, for something that saves your company money.
    • Make it a paid for service, so you can't sue for being on the list
      Why would that help? You have to pay for newspapers, but that doesn't protect them from libel (or is it slander?) laws. Why would paying for this list make any difference?
  • This says it all... (Score:3, Informative)

    by erick99 ( 743982 ) * <homerun@gmail.com> on Wednesday June 02, 2004 @09:36PM (#9321879)
    From the article:

    In the meantime, thanks largely to ineffective spam laws passed by governments, we're having to step up the fight against spam with more resources....

    Not that the gov't can do much anyway, but, it could do more. I think the fees are reasonable and I hope they are accepted and paid graciously.

    Happy Trails!

    Erick

  • GRsecurity, anyone? (Score:4, Interesting)

    by DiscordOfFive ( 778099 ) on Wednesday June 02, 2004 @09:38PM (#9321891) Journal
    This story makes me think of GRsecurity. Remember? It's dying because the developer didn't have any funding? Maybe Spamhaus caught wind of this, and is trying to avoid a similar fate.
  • by bhmit1 ( 2270 ) on Wednesday June 02, 2004 @09:44PM (#9321933) Homepage
    Just as soon as this $54Mil bank transfer goes through for this poor Nigerian widow.
    • Oh, thank you! Ever since my husband was killed in the Nigerian War of Fertility, I've had a hard time getting by. $54 million U.S. Dollars will be a start, but in order to survive and provide for my 37 children, I am going to need others to donate. If you would please send this e-mail to 10 of your friends, I would much appreciate it. Thank you, kind sir!
    • Just move to a state that has anti-spam laws, like North Carolina. North Carolina statures allow for 10 dollars per spam. California allows for 500 dollars per spam. Either way, with millions of pieces of spam per day intercepted by their service, they should stand to gain quite ludicrously on the deal. If they can track down 20 of the top spammers, and one of them has insurance, SpamHous will suddenly have far more money than it will know what to do with. Sadly indentured servitude is not a viable opt
      • ust move to a state that has anti-spam laws, like North Carolina. North Carolina statures allow for 10 dollars per spam. California allows for 500 dollars per spam. Either way, with millions of pieces of spam per day intercepted by their service, they should stand to gain quite ludicrously on the deal. If they can track down 20 of the top spammers, and one of them has insurance, SpamHous will suddenly have far more money than it will know what to do with. Sadly indentured servitude is not a viable option fo
  • Still free for most (Score:5, Interesting)

    by rborek ( 563153 ) on Wednesday June 02, 2004 @09:59PM (#9322009)
    Note that the charges are for those that are doing zone transfers (ie those transferring the entire blacklist to their own DNS servers, for faster queries and cutting down on query traffic across their Internet connection), not for those who just want to query their servers to find if a specific IP is in the blacklist.

    Spamhaus advises organizations set up a zone transfer if they're receiving 200,000+ e-mails per day. I doubt the average user (or small organization, corporation, etc.) will be receiving that much e-mail in a day (at least for now...)

  • Heh (Score:5, Insightful)

    by Emperor Tiberius ( 673354 ) on Wednesday June 02, 2004 @10:01PM (#9322024) Homepage
    the millions of users who rely on our anti-spam systems can be assured we'll be here for as long as spammers plague the Internet

    Don't they mean, as long as e-mail exists; in it's current form, anyway?

  • by fireman sam ( 662213 ) on Wednesday June 02, 2004 @10:16PM (#9322107) Homepage Journal
    homer: Ooh, I see. Get us addicted then jack up the price!
  • by BCW2 ( 168187 ) on Wednesday June 02, 2004 @10:32PM (#9322170) Journal
    If a corporate IS department is running their own mail servers, it would be wll worth the money. Transfer the lists into the server and check all incoming mail instantly instead of the latency caused by going to Spamhaus. The bandwidth and time saved for someone like GM, GE, Siemens,..... Thats a lot of money saved. $14,500 is pocket change to them anyway, and if it saved $50,000 over a year, thats a good return. I'd bet it would save a lot more than 50K though.

    The fact that it keeps Spamhaus a viable concern is another plus.

    • If a corporate IS department is running their own mail servers, it would be wll worth the money.

      Just speculation...

      Wouldn't most corporations prefer a whitelist-type solution in the first place? I'm just thinking of a recent story where email inquiries largely went unanswered.

      The dog ate my homework, some idiot (who has since been fired) must have deleted your message, I never received your original email, we had a virus, etc..

      It's a pretty good and plausible deny situation, isn't it?
    • > $14,500 is pocket change to them anyway, and if it saved $50,000 over a year, thats a good return. I'd bet it would save a lot more than 50K though.

      It may be a pittance to all of corporate, but it is by no means a trivial sum to a single IT department who must justify the expense up a few levels. Your returns cannot be quantified -- it's not as if spamhaus is alone in producing a savings from effective spam filtering. Even if they are the most effective, the difference between spamhaus and the next
  • by j3ll0 ( 777603 ) on Wednesday June 02, 2004 @10:41PM (#9322212)

    I may be an idiot, but it seems to me that most organisations could justify any of the amounts listed by doing some simple cost benefit analysis.

    My understanding is that Spamhaus allows you to blackhole IP blocks that are known to tolerate\encourage spam.

    If you step back and work out the cost of bandwidth to accept all of that spam, versus the cost to pay Spamhaus to blackhole it, it probably works out in favour of paying for Spamhaus.

    Here in .au, I seem to remember that a 2Mb FR link to .sg (our next corporate uplink) was in the order of AU$10K a month. So 14.5K = approx US$18K = approx 2/12 FR service. Given that the current stats say the amount of spam crossing the internet as a percentage is HEAPS higher than that, it would have to work out as more cost effective to pay Spamhaus, and save the bandwidth.

  • by Angry Black Man ( 533969 ) <`vverysmartman' `at' `hotmail.com'> on Wednesday June 02, 2004 @10:46PM (#9322240) Homepage
    "$190 and $14,500"

    This takes the sound bite "prices may vary" to a new level.
    • "$190 and $14,500"

      This takes the sound bite "prices may vary" to a new level.

      Prostitution's still got 'em beat.

      No pun there.

    • With "Free" also in existance...

      This seems a lot like the donation box at a museum. No reqired payment for walking through, but there's a table of suggested donations based on how much you should be able to pay, and most people are going to pay it because how else does the museum stay in business...
      • I see it as more like a museum store where you can buy your own copy of works in the museum (e.g. a lithograph of a painting or a miniature version of a sculpture). You have the option of just taking pictures (free), but if you want an official copy, you have to pay the museum. Similarly, Spamhaus offers a free service (DNSBL request) and a pay service (Zone/Data Transfer).
  • How to Stop Spam (Score:2, Interesting)

    by Anonymous Coward
    The answer is with SPF, or Sender Policy Framework. This is how it works:

    SMTP has a security hole: any connecting client can assert any sender address. This flaw has been exploited by spammers to forge mail. The result: your mailbox fills up with bounces to messages that you didn't send. Close the hole, and we can easily block spammers by sender domain.

    SPF closes the hole by using a DNS record that says which hosts can send email with a from address in the domain. The record is a simple TXT record tha

    • by BdosError ( 261714 ) on Thursday June 03, 2004 @12:03AM (#9322588)
      This will be fine if/when everyone upgrades their DNS & MTA software to accept and use those standards. In addition, there are competing standards/proposals too, so which is the right one to choose?

      As an aside, I don't think that making it an RFC necessarily makes it patent free.
      • You're right, it doesn't make it patent free. Once an idea/invention is published there is a one year fileing period. After that it stayes in the public domain. Patent applications can stay in the approval process for several years though. I don't know how long this has been out, or whether it can be a "submarine patent".

        IANAPL
    • Re:How to Stop Spam (Score:4, Interesting)

      by humankind ( 704050 ) on Thursday June 03, 2004 @12:30AM (#9322727) Journal
      SMTP has a security hole: any connecting client can assert any sender address. This flaw has been exploited by spammers to forge mail. The result: your mailbox fills up with bounces to messages that you didn't send.

      Yea, right. My mailbox isn't filling up with messages I didn't send. It's just plain filling up. This method is no more difficult to defeat that the current content-based anti-spam methods and requires major upgrades to both DNS and MTAs.

      Of course this is a Microsoft idea. Rather than improve the system, in typical Microsoft fashion they want to employ a new standard indigenous to their systems. Another marketing ploy that promises an amazing improvement that would never materialize.

      While some improvements to DNS authentication could prove helpful, they're not worth the trouble because in the end, this idea is little more than another flavor of whitelisting, which has proven to be most effective by a small config change to most MTAs and services like Spamcop, Sorbs and Spamhaus's RBL.

      What you're proposing is that the burden be switched from MTA to MTA+DNS. The problem is that it's not that much more difficult for spammers to forge additional DNS records in most cases.

      Yes, this scheme might address zombie proxy armies, BUT that presupposes that the major ISPs would actually properly manage their DNSes, which they DON'T NOW, so why would they update the new DNS records properly? They WOULDN'T. It's better to have the DNS records managed by an independent third party such as Spamhaus or Spamcop, that sysops can choose to use that are more responsible and more accurate in determining which hosts are allowed to deliver SMTP traffic.
      • The only spam that has gotten past my SpamAssassin recently would have been stopped if my MTA was SPF compatible. It shows up as coming from the address to which it was sent.

        It is very difficult to forge DNS records (one needs access to the legitimate name server). What is not difficult is creating legitimate DNS records. However, if spammers have to buy legitimate domains, then we can easily fix this by blacklisting those domains (and possibly revoking them). This can actually be done quite agressivel
    • I'm alreadying getting spam with vaild SPF records from throw away domains. SPF has nothing to do with spam prevention.
    • SPF is flawed because computer users can't always specify their SMTP gateway when using a closed application (e.g., BlackBoard group learning systems).
      • Re:How to Stop Spam (Score:4, Informative)

        by AKnightCowboy ( 608632 ) on Thursday June 03, 2004 @06:22AM (#9323989)
        SPF is flawed because computer users can't always specify their SMTP gateway when using a closed application (e.g., BlackBoard group learning systems).

        SPF isn't flawed, the application is flawed. Put in a trouble ticket to the company that makes BlackBoard group learning systems and tell them they need to add outbound SMTP gateway support. That's a seriously misbehaved application if it just assumes it can send mail directly out. We haven't allowed users to send mail directly out for 12 years.. everyone has to relay through a central mail gateway for logging purposes.

    • Re:How to Stop Spam (Score:5, Informative)

      by mdfst13 ( 664665 ) on Thursday June 03, 2004 @02:58AM (#9323294)
      SPF is not a Microsoft technology. Caller ID is the Microsoft solution (similar but different). SPF was designed by pobox.com. Microsoft and pobox.com recently agreed to make SPF and Caller ID compatible, but they are still different methods:

      1. SPF is text based; Caller ID is XML based (even though no other email header or DNS record is).

      2. SPF verifies the envelope sender; Caller ID verifies the From header of the email. While both will be the same in many cases, they do not have to be.
    • No need to add a new wrinkle to SMTP, just analyze the SMTP traffic to detect relaying by remote users and refuse to relay and force the local users to POP-BEFORE-SMTP to use the mail server. This is a simple 1-2 punch to stamp out a lot of spam
    • Yesterday at the Inbox Conference, one of the panelist said that over 500 domains of known spammers were publishing SPF records. One of the mail points of this technology is that its braindead easy to publish the record. In the example you state above, you use the ~all flag -- meaning that any IP address across the internet can send mail for that domain, thus avoiding solving the security problem you mention. Can you remind us all again why you thing this will stop spam?
  • Good or bad? (Score:4, Interesting)

    by xenobyte ( 446878 ) on Thursday June 03, 2004 @01:01AM (#9322868)
    One can wonder whether additional funding will have the effect of actually having the records reflect the realities. The trouble is that I know of at least one record (SBL6024) that is filled with errors and despite several attempts at having Steve correct them, all that happened was a bunch of insults in response.

    All content in that record except *one* line is completely wrong and/or severely outdated. The bad content reflects an old customer long gone (booted late 2002) whose IP-ranges were mixed up with Dynamic Pipe. All that remains valid is a single nameserver (freya.wildrhino.com) belonging to a different customer/alledged spammer: Wild Rhino.

    If the info should be correct that entire record should be removed and the /29 belonging to Wild Rhinos nameserver moved to their record (SBL14379) - or similar. I know it would not delist anything (that's not the issue) but it would correct the information and that's what's important here.

    But Steve does not want to admit his mistakes here, and one can wonder just how many other records in his system are equally flawed, mislisted or plain false. If the incorrectness is rampant throughout, one can wonder just what these businesses would be buying. I think Steve needs to learn a bit about humility and responsibility before he starts making money big-time on this. Because making money off lies and false pretenses has always been the domain of those he claims to hate the most: SPAMMERS.
    • Re:Good or bad? (Score:4, Informative)

      by valmont ( 3573 ) on Thursday June 03, 2004 @02:15AM (#9323168) Homepage Journal

      ey, dude, steve won't exactly be "making money big time" on this, as you assert in your post. The whole point for this price structure is to ensure the continued longevity of an essentially free-for-most, not-for-profit service. get it? And yeah maybe that money will give them more resources to deal with fringe cases such as the one you're outlining. The fact is, at some point, an ISP gave that IP block to a spammer. And for some reason spamhaus doesn't seem to feel confident about de-listing that block, maybe there's a good reason for that, i'll give spamhaus the benefit of the doubt any day. Maybe that'll teach ISPs to more carefully scrutinize who they give blocks to, and be more mindful of what sort of traffic goes on there.

      • Let me begin by repeating myself - They never asked for a delisting from SpamHaus, only that the record be corrected so that blatantly incorrect info is removed.

        Maybe that'll teach ISPs to more carefully scrutinize who they give blocks to...

        First of all, most startup ISPs will not know how to research the hats of potential customers and will thus be innocent in assigning an IP block to a spammer. And in the western world any customer must be presumed innocent until proved otherwise (to the ISP that is).
        • The contracts were all long-term and while they had provisions against spamming they only covered abuse of the ISPs networks, not abuse elsewhere. This means that their contracts cannot be terminated just because they spam from elsewhere for sites elsewhere, and that's exactly why Wild Rhino still has a nameserver there.

          Summary : A small, startup ISP isn't bright enough to get rid of their spammer, so they get listed as supporting spam.

          And you have the gall to bitch about being listed! So my point is

  • Fireproofing - protecting against a fire happening.
    Waterproofing - making sure water can't get in.
    Spamhaus is a GoodThing (TM) - is futureproofing it a good idea?
  • by Anonymous Coward

    Spamhaus is selling access to two lists.

    One of them, the SBL, is a list used to apply pressure to ISPs. It doesn't stop that much spam. It's a political tool, just the same as the MAPS RBL was.

    The other, the XBL, is extremely effective at stopping spam. But Spamhaus doesn't run the XBL. They're just downloading the (freely available) CBL and BOPM lists, then selling access to them for thousands of dollars a year.

  • According to Linford's announcement

    Something tells me Lindows's new company name isn't going to last...

Do molecular biologists wear designer genes?

Working...