What the heck is Notchup?

I seem to be getting random invites from people I "kind-of" know via some site called Notchup. No clue what this is, and the invites are all very boilerplate in nature. And there's some promise of getting paid for job interviews. And from talking to other folks, it sounds like somehow they get your contact info from LinkedIn. (Perhaps from a user giving up their username and password legitimately -- so likely not LinkedIn's fault -- but potentially this means Notchup is providing a tool for users to harvest their LinkedIn address book. Yuck.)

Then there's the WHOIS information for Notchup. See how the registrant is listed as Domains by Proxy? That's a privacy/proxy registration service: it means the true owner of the domain doesn't want you to be able to tell who they are. No business name, no street address, no contact info.

That's who people are giving their contact info to? A site where the true owners of the site don't want you to know who they are?

Yeah, I don't think I'll be signing up, just yet.

(More good points to think about here.)

Domain Tasting to End?

John Levine reports that domain tasting is likely to come to an end, as ICANN plans to modify the domain registration process so that a $.20 fee paid by the registrar is non-refundable.

If you're not familiar with the practice, you can read how it works here. In short: a registrar registers a domain, and if it deletes that domain within the five-day add grace period the registration fee is refunded in full. I am under the impression that a number of registrars exploit this to dip their toes in the domain pool, see what's worth keeping, then dump the rest without paying anything. It seems to have opened the floodgates to domain speculation.

Domain tasting is a weird thing. I'm struggling to find what potential legitimate uses for this "feature" would be. John Levine's been schooling me on the topic since early 2006, and I have yet to hear of a good reason for it.

The only value I see in domain tasting is for questionable activities. For fast-flux spammers trying to hide long term evidence of their activities. (Send spam, then people trying to trace it more than five days later can't find any evidence of the domain. Rinse, lather, repeat, millions of times.) For strange things like grabbing up the domains you look up and trying to sell them back to you. For people putting up thousands of sites with nothing but pay-per-click ads on them. (Apparently Google doesn't like this practice, either.)

I'm hopeful that making the registrar fee non-refundable will effectively end this practice by making it cost-prohibitive.
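One practical consequence for anyone tracing spam is that a domain's age is itself a signal. The script below is an added example, not code from the original post or from John Levine: it takes WHOIS text you have already captured and labels each domain linked from a message as established, inside the five-day add grace period at the time the message was sent, or already gone from WHOIS. The WHOIS records, the message, the domain names and the lookup function are all constructed for illustration.

```python
"""Label the domains in a spam report by age at the time the message was sent.

Added example, not from the original post. WHOIS text is assumed to have
been captured already; everything below is constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# ICANN's add grace period: a registration dropped inside it was refunded in full.
ADD_GRACE_PERIOD = timedelta(days=5)

# Constructed WHOIS responses (assumption: not real lookups).
WHOIS_SAMPLES = {
    "tasted-throwaway.example": (
        "Domain Name: TASTED-THROWAWAY.EXAMPLE\n"
        "Creation Date: 2008-01-20T03:12:00Z\n"
        "Registrar: Example Registrar, Inc.\n"
    ),
    "oldshop.example": (
        "Domain Name: OLDSHOP.EXAMPLE\n"
        "Creation Date: 2004-06-01\n"
    ),
    "gone.example": 'No match for domain "GONE.EXAMPLE".\n',
}

# Constructed spam body and Date header (assumption).
SAMPLE_MESSAGE = (
    "Cheap stuff at http://tasted-throwaway.example/buy and "
    "http://oldshop.example/ (old link: http://gone.example/x)"
)
SAMPLE_SENT_AT = datetime(2008, 1, 22, 12, 0, tzinfo=timezone.utc)

_CREATED = re.compile(r"^\s*(?:Creation Date|Created On|Registered on):\s*(\S+)", re.I | re.M)
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def parse_creation_date(whois_text):
    """Pull the creation timestamp out of a WHOIS record; None if there is none."""
    m = _CREATED.search(whois_text or "")
    if not m:
        return None
    raw = m.group(1)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def classify_domain(domain, sent_at, whois_lookup):
    """Label one domain relative to when the message carrying it was sent."""
    created = parse_creation_date(whois_lookup(domain))
    if created is None:
        return "no-record"            # never registered, or already dropped: the trail is gone
    age = sent_at - created
    if age < timedelta(0):
        return "created-after-send"   # clock skew or a re-registration; worth a second look
    if age <= ADD_GRACE_PERIOD:
        return "inside-grace-period"  # still refundable when it was used: the tasting pattern
    return "established"


def domains_in(text):
    """Distinct host names from http(s) URLs in the message body."""
    return sorted({host.lower() for host in _URL_HOST.findall(text)})


def report(message_body, sent_at, whois_lookup=WHOIS_SAMPLES.get):
    """Map each linked domain to its label."""
    return {d: classify_domain(d, sent_at, whois_lookup) for d in domains_in(message_body)}


def demo():
    """Run the constructed message against the constructed WHOIS data."""
    return report(SAMPLE_MESSAGE, SAMPLE_SENT_AT)


if __name__ == "__main__":
    for domain, label in demo().items():
        print(f"{domain:28} {label}")
```

Against a live registrar you would replace WHOIS_SAMPLES.get with a function that runs the lookup and caches the text, since the whole point of tasting is that the record may vanish before anyone looks again; keeping the raw WHOIS output alongside the spam report is what preserves the evidence.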

Excellent comment(s) on the Ritz affair

First, swing over to Ed Falk's site to read a really good comment from a Slashdot reader.

Then, check out this most excellent response to trolling criticism on my CircleID post. Written by Brian McNett, it examines the blurred intersections and transitions between vigilantes and professionals. Excerpt:

During the period of David’s anti-spam activity, which ended around 2001 with a tragic accident which nearly took his life and has left him permanently disabled, I myself volunteered my time, resources and expertise to track down and identify spammers. It is only because I was more circumspect in my public postings to USENET, that I myself did not draw the attention of the plaintiff in this case. It is only because I was available for employment, and not in a medically induced coma, that I was able to become a professional, and now do my investigation in an official capacity.

Mr. Ritz performed the alleged criminal acts during a time when Mr. Iverson, Mr. Chandler, Mr. Schwartzman, and myself would also have been considered criminals had we fallen under the gaze of the plaintiff. Thus, Mr. Thorson, you are, knowingly or otherwise, continually impugning the defendant and acting as an apologist for the plaintiff among a group of professionals who, were it not for a twist of fate, would also include David Ritz. Many of the “crimes” (isn’t this a civil case?) Mr. Ritz is accused of, are things all of us have done at one time or another as a routine part of both our efforts as volunteers, and our jobs as professionals. Mr. Iverson’s reputation as a professional was largely established based on his ability to, as the ruling puts it “disguise himself as a mailserver”. Mr. Schwartzman has carried what the court calls “vigilantism” to the point of being Canada’s foremost expert on spam. Mr. Chandler has taken his legal, advocacy, and forensic skills (developed in the late 1990’s in what the court judges to be “criminal activity”) to a position at one of Mr. Iverson’s employer’s direct competitors. Mr. Iverson and Mr. Chandler work for companies whose business is sending commercial email. Their needs and the needs of their customers are frequently at odds with the likes of Mr. Schwartzman, Mr. Smith and myself. Nonetheless, we are all here, firmly in opposition to the decision of your beloved North Dakotan legal system.

Very well written. Brian McNett is my hero.

David Ritz Story Gets Press

My recent post on Sierra vs David Ritz got picked up by CircleID (with my permission), and then by Slashdot!

Don’t forget to surf on over to the CircleID copy to see the ongoing discussion in comments. Lots of good stuff, plus a couple of trolls. Pretty typical, as these things go. My favorite quote: “I think there is something that people are missing. In the eyes of the court, Mr. Ritz is a menace to Sierra.” Uh, no, we actually get that this is apparently the court's opinion. That’s the point here – the court got it wrong.

One guy took issue with me taking a swipe at North Dakota ("the one lone technology professional in ND") and (I assume, jokingly) invited me to visit the Microsoft campus there. Hey, if he's not kidding, and he makes a big donation to David's legal defense fund, I'm game.

Reminder: Donate! The handling of the money is being done by Ed Falk (who has had his own run-ins with this same plaintiff), and he assures me that every dime is going to the right place.

North Dakota Judge Gets it Wrong

....WAY wrong. This is just mind blowing.

Ever been hauled into court for tracking spam? Running a traceroute? Doing a zone transfer? Asking a public internet server for public information that it is configured to provide upon demand?

No? Well, David Ritz has. And amazingly, he lost the case.

Here are just a few of the gems that the court has the audacity to call "conclusions of law." Read them while you go donate to David's legal defense fund. He got screwed here, folks, and needs your help.

"Ritz's behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law." You might not know what a zone transfer is, but I do. It's asking a DNS server for a complete copy of the zone it serves for a given domain: every record, in one request (AXFR), which the server hands over only if it has been configured to answer such requests. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota.
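Whatever the court thinks, whether strangers can pull your zone is a setting you control on the nameserver. The fragments below are an added example, not anything from the original post or the court record: two hypothetical BIND named.conf zone definitions, one that answers AXFR for anyone who asks and one that answers only a named secondary that signs its request with a TSIG key. The zone name, the secondary's address, the key name and the secret are placeholders.

```conf
// Added example (not from the original post). Hypothetical named.conf
// fragments; zone name, addresses and key are placeholders.

// Weak: any client that asks gets the entire zone, every host name included.
zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { any; };
};

// Hardened: transfers only to requests signed with the shared TSIG key,
// which only the secondary holds. Everyone else gets REFUSED.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";   // placeholder, generate your own
};

zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; };                 // placeholder secondary address
};
```

The check is the same request Ritz was taken to court for: dig axfr example.net @ns1.example.net. Against the first configuration it prints the whole zone; against the second it prints "Transfer failed." with status REFUSED, which is the answer you want from every nameserver you don't run a secondary for. The secondary needs the matching `server 192.0.2.53 { keys { "xfer-key"; }; };` stanza so its own requests are signed.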

"The Court rejects the test for "authorization" articulated by defendant's expert, Lawrence Baldwin. To find all access "authorized" which is successful would essentially turn the computer crime laws of this country upside down."
That's untrue. The judge is trying to hang David out to dry, even when provided evidence of what actually constitutes hacking or cracking. Accessing a server on the public internet that is set up to provide that public info is not a crime, and saying that it is not a crime doesn't suddenly damage computer crime law. The judge just amended the definition of "unauthorized" to include public internet servers that were expressly configured to provide info to anybody who asks for that info.

"Ritz has engaged in a variety of activities without authorization on the Internet. Those activities include port scanning, hijacking computers, and the compilation and publication of Whois lookups without authorization from Network Solutions." I'm not touching the "hijacking computers" statement -- who knows what the judge means, and I don't think it's wise to assume that the judge's definition matches the common one. But what really jumps out here is this: Publication of WHOIS information. You know, business records. Who owns a domain. Public information. The judge has arbitrarily decided that it is illegal to take information from WHOIS data -- necessary information when compiling a report on a company or activity, to make sure you're talking about the right person -- and put it in a spam report or on a website.

Mickey Chandler calls the court documents in this case "12 pages of bad law," and I couldn't agree more.

Gmail's Taking Care of Me

So, a long time ago, I signed up to receive Ken Magill's "Magilla Marketing" email updates from Direct Magazine. I really enjoy reading Ken's articles, and though I have occasionally disagreed with his take on things in the email industry, I do think he's smart and sharp. He gets it, and even on those occasions I disagree, I find his take on things to be interesting and insightful. I consider every one of his articles a "must read" and have for years, going back all the way to my time at MAPS back in 1999/2000.

Good to leave your Wifi open?

There's a lot of buzz lately about Bruce Schneier's new essay on how great it is to run an open wireless network at home.

My take on this is going to be short and sweet: You're crazy if you leave your wifi open. Here's what can or will happen if you don't secure your wifi:
  • Your own download speeds suffer as neighbors' infected laptops find a new vector to spew spam and malware.
  • You'll find your home IP address blacklisted and receiving spam complaints over bad stuff people send via your connection.
  • The buck stops with you. Your ISP can trace it as far as you and no further. This means that if somebody uses your wifi network to send spam, or traffic in kiddie porn, you're the one whose door the feds or the FTC are going to knock on.
  • Running a mail server? You'll get blacklisted due to all of the above.
When I lived in Minnesota, I inadvertently left my wifi access point unsecured for a period of time -- and I did find my mail server blacklisted. A neighbor's infected laptop used my connection to send spam. I was pretty embarrassed about it at the time -- an anti-spam guy's IP address was being used to send spam! It just highlighted for me how it's not wise to tempt fate.
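The failure mode in that story, a guest machine relaying spam through your connection, is visible on your own gateway long before a blacklist tells you about it. The script below is an added example, not code from the original post: it scans netfilter-style log lines, as written by an iptables LOG rule on the gateway's FORWARD chain, for LAN hosts opening connections to many different remote SMTP servers on port 25. The log lines are constructed, and the LAN range, the allow-listed mail host and the threshold are assumptions.

```python
"""Find LAN hosts fanning out to many remote SMTP servers on 25/tcp.

Added example, not from the original post. Reads netfilter-style syslog
lines as written by an `iptables -j LOG --log-prefix "FWD "` rule on the
gateway's FORWARD chain; the lines, the LAN range, the allow-listed mail
host and the threshold are all assumptions.
"""
import re
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")            # assumption: the home network
MAIL_HOSTS = {ip_address("192.168.1.10")}     # assumption: the one box allowed to speak SMTP outbound
THRESHOLD = 20                                # distinct SMTP peers before a host is called out

# Real LOG lines carry LEN/TOS/TTL/ID fields between DST and PROTO; skip over them.
_LINE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)"
)


def _log_line(src, dst, dport):
    """One constructed netfilter LOG line (assumption: format as on a Linux gateway)."""
    return (f"Jan 14 02:11:03 gw kernel: FWD IN=wlan0 OUT=eth0 SRC={src} DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51001 "
            f"DPT={dport} WINDOW=5840 SYN")


# Constructed log (assumption): a wifi guest at .77 hitting 30 different MX hosts,
# the real mail server at .10 relaying through its smarthost, and a .20 making
# one SMTP connection plus ordinary HTTPS.
SAMPLE_LOG = "\n".join(
    [_log_line("192.168.1.77", f"203.0.113.{i}", 25) for i in range(1, 31)]
    + [_log_line("192.168.1.10", "198.51.100.25", 25)] * 5
    + [_log_line("192.168.1.20", "203.0.113.9", 25),
       _log_line("192.168.1.20", "198.51.100.2", 443)]
)


def smtp_peers(log_text):
    """Map each non-mail LAN host to the set of remote hosts it tried on 25/tcp."""
    peers = {}
    for line in log_text.splitlines():
        m = _LINE.search(line)
        if not m or m.group("dport") != "25":
            continue
        src = ip_address(m.group("src"))
        if src not in LAN or src in MAIL_HOSTS:
            continue                      # inbound traffic and the legitimate relay are not the problem
        peers.setdefault(str(src), set()).add(m.group("dst"))
    return peers


def suspects(log_text, threshold=THRESHOLD):
    """Hosts that reached at least `threshold` distinct SMTP servers, with the count."""
    return {src: len(dsts) for src, dsts in smtp_peers(log_text).items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, n in suspects(SAMPLE_LOG).items():
        print(f"{host} opened 25/tcp to {n} different servers; probably a bot")
```

A real mail client talks to one or two submission servers; a spambot talks to hundreds of MX hosts, which is why counting distinct destinations rather than raw connections separates the two. The companion fix is an egress rule that permits 25/tcp only from the mail host and logs everything else, and a WPA2 passphrase on the access point so the neighbor's laptop never reaches the LAN in the first place. Log formats vary by distribution and router firmware, so adjust the regular expression to what your gateway actually writes.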

It might be really neat to leave your car unlocked, with the keys inside, so your neighbors can borrow it as needed. But, is it wise? C'mon, people!

Alan Ralsky indicted

Spamhaus writes: "The US Department of Justice went public today with the indictment of Alan Ralsky and 10 others who helped him. Alan Ralsky topped our Top 10 Worst Spammers list for quite some time and was involved in almost any sort of spam activity that's being done. His gang frequently sent millions of spam messages per day. In recent years his focus has been on stock spam, and that's a key part of what the US DOJ indicted him for."

Others can cover this much more capably than I, so I'll skip the insight and just link to posts on the topic from various smart folks.

(I recall Ralsky being the guy who cried foul when, a few years ago, his home address was made public, and people signed him up for hundreds-to-thousands of junk mail postal lists.)

My Prediction For 2008

I've only got one prediction for 2008, and it's this: Spam is going to be even less tolerated by internet service providers than it is in 2007.

ISPs are continually tightening up their sending guidelines and acceptable use policies, and things you might have gotten away with in 2006 or 2007 will no longer be kosher.

Opt-out append? Purchased lists? Third-party lists? Mailing to the same, tired list forever? Forget about it. You're going to the bulk folder, if you get through at all.

ISPs are belt-tightening, automating sender-review and spam-prevention processes. Spam isn't a profit center for them; it sucks up resources they feel are better spent elsewhere. They're taking less and less time to individually review every whitelist request; they're relying more on automated, statistics-driven processes to keep more of the spam out, and they're catching more and more edge-case senders in their new mechanisms. ISPs aren't making any money from the mail you're sending, so they have no financial responsibility to accept it. And in a lot of cases, they firmly believe that their users are happier without the mail.

It's up to you if you want to stay ahead of this problem, and stay in the inbox. The way to do it is avoid becoming that edge case. Maintain clear permission. Don't buy or sell lists. Avoid email append. Re-confirm your lists. Send people only what they expect.
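"Re-confirm your lists" is easier to do well than it sounds. The code below is an added example, not anything from the original post or from any particular list-management product: a confirmed opt-in link built from an HMAC-signed token that ties the address to one list and one expiry, so a confirmation cannot be forged, altered to point at a different list, or replayed after it has been used. The secret key, the confirmation URL and the 48-hour expiry are assumptions.

```python
"""Confirmed opt-in with a signed, expiring confirmation link.

Added example, not from the original post or any particular list software.
The secret, the confirmation URL and the 48-hour expiry are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"replace-with-32-random-bytes-kept-server-side"   # assumption: loaded from config in real life
CONFIRM_URL = "https://lists.example.com/confirm"           # assumption: hypothetical endpoint
TTL_SECONDS = 48 * 3600


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email, list_id, now=None):
    """Bind address, list and expiry together under an HMAC so none can be altered."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"e": email.strip().lower(), "l": list_id, "x": int(now + TTL_SECONDS)},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def confirmation_link(email, list_id, now=None):
    """The URL that goes in the 'please confirm your subscription' message."""
    return f"{CONFIRM_URL}?t={make_token(email, list_id, now)}"


def verify_token(token, now=None):
    """(email, list_id) when the signature checks out and the link is unexpired; else None."""
    now = time.time() if now is None else now
    try:
        p64, m64 = token.split(".", 1)
        payload, mac = _unb64(p64), _unb64(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):       # constant-time compare: no timing oracle on the MAC
        return None
    data = json.loads(payload)
    if data["x"] < now:
        return None
    return data["e"], data["l"]


def confirm(subscriptions, token, now=None):
    """Promote (email, list) from 'pending' to 'confirmed' only on a valid, first click."""
    verified = verify_token(token, now)
    if verified is None:
        return False
    if subscriptions.get(verified) != "pending":
        return False                                   # never requested, or already confirmed: a replay
    subscriptions[verified] = "confirmed"
    return True


if __name__ == "__main__":
    subs = {("someone@example.org", "news"): "pending"}
    link = confirmation_link("Someone@Example.org", "news")
    print("mail this:", link)
    print("confirmed:", confirm(subs, link.split("t=", 1)[1]))
```

Only addresses whose owner actually clicked reach "confirmed", which is the permission record you want when an ISP asks why a complaining user is on your list. Re-confirming an old list is the same flow run over every existing address, with anything still "pending" after the expiry dropped rather than mailed again.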