Weekly Edition
Return to the Press pageSponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
""'The broadest adoption possible and the most consistent standards are in the interests of not just senders, not just ISPs, but of consumers,' said Trevor Hughes, executive director of the ESPC. "Hughes also points out that even if it doesn't become a standard, Sender ID will still be a factor if the major ISPs adopt it. "'Where we stand is that Sender ID is going to be a reality for large senders,' he said. 'We don't question the sincerity of the folks who are raising concerns over open source compatibility. We just haven't come up with the same concerns.'""
"Hmm. Did he just say the ESPC doesn't care about compatibility in a standard? Yes. I believe he did."
(Log in to post comments)
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
Posted Sep 9, 2004 17:38 UTC (Thu) by pphaneuf (subscriber, #23480) [Link]
Uh, most MTAs used on the Internet are open source software? Making Sender ID unusable by open source MTAs pretty much garantees that it will never be widely available!
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
Posted Sep 9, 2004 20:12 UTC (Thu) by NAR (subscriber, #1313) [Link]
One of the advantages of Open Source is that you can add the features that are missing from the released product, so even if postfix, exim, qmail, etc. won't support Sender ID, there might be some "unofficial" patches to "fix" them.
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
Posted Sep 9, 2004 20:29 UTC (Thu) by copsewood (subscriber, #199) [Link]
Many administrators, especially those running live and busy systems, are very reluctant to diverge much from the standard packaging of free software that comes with thier chosen distribution. If you have particular specialist knowledge e.g. of Sendmail you might be willing to build the official distribution from source. However, few will experiment with an unofficial patch from a third party on a live and busy working system. While it is certainly true that free software has the advantage that you can experiment with it, few want to risk service reliability to end users by doing so, and not everyone has the luxury of parrallel working and test systems to experiment on.
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
Posted Sep 9, 2004 20:50 UTC (Thu) by nigelm (subscriber, #622) [Link]
> even if postfix, exim, qmail, etc. won't support Sender ID,> there might be some "unofficial" patches to "fix" them.
The legal position of these might be very iffy - the person producing the patches would need to sign licensing agreements with Microsoft, as would all the recipients in this case. You would not be able to make the patches GPL due to the additional restrictions provisions, so the patched version would not be distributable (at least in the case of exim and courier). Personally I would not sign this sort of faustian deal with MS since you would be skating on the very edge of the licensing to start with - and they have more lawyers and more money than me.
Open source has no workable majority on numbers of mailboxes
Posted Sep 9, 2004 20:45 UTC (Thu) by nigelm (subscriber, #622) [Link]
The situation with MTAs and open source is a little more complex than counting installed systems.
The majority of mail is going to end up at one of the big providers - AOL, Outblaze, MSN, Hotmail and many more. The majority of legitimate mail also goes from the big players (the zombie SPAM cloud is a big load of machines, but hardly legitimate). Many of those use open source software, but will build and tailor the installation to their specific specs - when moving a few million messages per day a few percent improvement is a load of messages so optomisation can be worth it. Even if the provider is using GPL software they are quite free to add in GPL incompatible stuff for their own use - they just can't distribute it other than their internal deployment - and they can license Sender ID if their legal advice says to. This means that a majority of the potential email endpoints, and a majority of the legitimate email senders could end up using Sender ID even if the open source community in general shuns it, and they could leverage at least the requirement to publish appropriate domain records on the rest of the world if the rest of the world wants to talk to the big provider majority.
So despite open source having the majority of MTA boxes, it does not have a high level of control on the overall flow of mail. Sendmail has implemented Sender ID - although the interesting bit will be if the various distributions that carry sendmail will carry the Sender ID extensions - I expect the free ones not to, and the commercial Unix implementations maybe to carry it.
Nigel.
But the big ISPs don't need Sender ID
Posted Sep 10, 2004 13:33 UTC (Fri) by ayeomans (subscriber, #1848) [Link]
There's no need for the big ISPs to use anything like Sender ID. Because there are not many of them (even including the 50+ menbers of ESCP), they can share round their SenderID-style records very easily. The whole lot will fit on a single sheet of paper. I'd suspect they do something like this already, filtering out purported hotmail addresses that don't come from the correct IP block. And it would reduce the DNS load.
I think nigelm has hit the bullseye with "they could leverage at least the requirement to publish appropriate domain records on the rest of the world if the rest of the world wants to talk to the big provider majority". Think "follow the money".
Andrew Yeomans
Have you seen the ESPC's membership list?
Posted Sep 11, 2004 4:52 UTC (Sat) by farnz (subscriber, #17727) [Link]
The ESPC's membership list reads like a list of organisations whose main interest in getting rid of spam is to ensure that their e-mail is more visible when it lands in your mailbox; the big names on the list are companies like DoubleClick.
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
Posted Sep 9, 2004 21:17 UTC (Thu) by erich (subscriber, #7127) [Link]
Most open source software has hooks for extensions. For example these "milter" things for Sendmail. Any you can always use an proxy providing SenderID support.So this IS doable with opensource. Especially you *may* insert the code. you can distribute it freely, no problem with the GPL. It's just people not wanting to distribute code they *may not run* due to a missing licence.
I doubt that SenderID will do any good if it is not widely deployed. Especially since Spammers have apparently been the first to adopt to SPF and such...
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
Posted Sep 10, 2004 10:29 UTC (Fri) by CJF (guest, #16403) [Link]
> Most open source software has hooks for extensions. For example> these "milter" things for Sendmail. Any you can always use an proxy
> providing SenderID support. So this IS doable with
> opensource.
This is a very premissive notion of "doable". Is'nt that a bit like
saying that MSWord DOC format is "doable" with "open source" because
you can access MSWord from Linux using a VNC connection to a MSWindows
machine? In which case I guess everything counts as being
"open-source doable"...
Anyway, there are many additional complications when using SenderID
with proxies... and why should we have to use proxies? In effect,
most of these authentication regimes encourage the corporatisation of
the internet; it makes it more awkward for individuals and small
organisations to run their own mail service, or to have fixed email
addresses that are independent of an upstream ISP.
> Especially you *may* insert the code. you can distribute
> it freely, no problem with the GPL. It's just people not wanting to
> distribute code they *may not run* due to a missing licence.
This is ambiguous. Lets make it clear, the SenderID terms and
conditions are not compatible with software distributed under the GPL,
even Microsoft says so in their revised FAQ (although they of course
make out that this is a problem with the GPL, not their terms), nor
with many other licences, such as AFL, OSI etc. Also, even if you
distribute your own plugin under a different licence with which it
might be compatible (e.g. BSD), you would need to obtain permission
from Microsoft to do so.
> I doubt that SenderID will do any good if it is not widely
> deployed. Especially since Spammers have apparently been the first
> to adopt to SPF and such...
Many doubt that SenderID will do any good even if it is widely
deployed. Note that it is really not that much different from SPF,
accept that it uses a different header (the "header from" rather than
"envelope from"), and comes with an algorithm for the mail client
rather than the MTA (so when deployed as in some ways it will do less
for spam that SPF, since using the RPA algorithm does not avoid the
network traffic etc associated with spam, and may actually increase
network instability due to its additional UDP traffic).
I am using the fetchmail "prior-art" version of this algorithm, and
it really does not help spot spam these days... although it can tell
me when someone is working from home...
Even if, against the odds, it does make it a tiny bit harder for
spammers, is it really worth the loss of freedom (e.g.) for
whistle-blowers, remote workers, and those that don't want an
ISP/corporate branded email address?
If you read the discussions on this, you may come to the opinion that
Microsoft really wants this just to hack around the flaws in its own
software, so it can be seen to be doing something about the
consequences of the MS zombie cloud and the insecurities in its own
mail clients. Do we really want to give up existing freedoms for
this?
I don't mean to get at you, but reading the MARID email list really
gets me irritated at how easily a bad idea can go so far when given
the appropriate kind of backing, and also how easy it is for a company
to claim ownership of something that has been developed by others in
open discussion.
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
Posted Sep 9, 2004 21:22 UTC (Thu) by einstein (subscriber, #2052) [Link]
The internet mail infrastructure is built upon open standards, as it should be, and largely upon open source. As has been pointed out, a core internet technology ought not to be encumbered with patents, nor under the control of a mischevious monopolist. As it stands, we have SPF, which is quite useful, with or without the microsoft piece."If Apache doesn't want to implement it, fine," Penn said. "People will just go somewhere else."
Yeah right - businesses and other institutions are going to throw a tantrum and dump their current email infrastructure, just to get the microsoft-patented flavor of SPF, instead of the currently available free and open implementation of SPF.
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
Posted Sep 10, 2004 3:47 UTC (Fri) by allesfresser (subscriber, #216) [Link]
I look forward fervently to the day when the reverse is commonly spoken about new technologies: "If Microsoft doesn't want to implement it, fine...People will just go somewhere else."
I think it's one of Sir Billy's worst nightmares. :-)
Is Sender ID Dead in the Water? - No MARID Working Group Consensus (Groklaw)
Posted Sep 11, 2004 22:32 UTC (Sat) by gvy (guest, #11981) [Link]
> "If Apache doesn't want to implement it, fine," Penn said.> "People will just go somewhere else."
Dream on Penn. There's no "something else" that does differ in this particular eagerness and isn't bulky stinky sh*t.