This is the third and final report from the RSA Conference. Sorry if you were expecting this a day or two ago, but... well, let's just say circumstances conspired against me.

In this post:

• BoxSentry Ditches Challenge/Response; Fights False Positives
• AVG loves its freeloaders
• Astaro drops its R&D-led roadmap

This is the second of my reports from the RSA Conference. These meetings are getting brutal, but I'll spare you the pleas for sympathy.

In this post:

• Yubi-who? Easy single-signon, one-time-password auth.
• BitDefender defends its position in the AV market
• Varonis: the jelly-to-the-peanut-butter of net file shares
• Commtouch's new OEM Web security business
...Read more

This is the first of my reports from the RSA Conference. This will be just a short post, as the conference proper starts Tuesday. As ever, there's more depth on my blog.

In this post:

• Abaca's radical anti-spam tech wins at Yahoo!
• Websense (finally) gets appliance religion
...Read more

Are you a Novell GroupWise, ZENworks, or Teaming customer? Are you disappointed that Novell canceled the BrainShare event?

Do you know about GWAVACon? Read on for more info...

Well, not really, I just wanted to see if I could get six^W seven^W eight^W nine pages of comments on a post. Not to mention the odd death threat.

;-)

David Berlind sounds like he's sick of talking to hyperbole-fueled anti-spam vendors. Can't say I blame him...

It is probably true that if everyone in the world ran just one solution, we’d be able to tweak that solution in such a way that we’d finally get a handle on the inbound and outbound problems associated with spam. When everyone has access to the same technology, there’s a name for that. It’s called a standard. There is zero chance of some proprietary solution becoming the defacto antispam solution for the world. But, if only AOL, Google, Microsoft, and Yahoo (the world’s leading e-mail solution/service providers) would get together and decide on what the non-proprietary standards should be and implement them in their systems, it wouldn’t be long before every other e-mail solution provider would have to follow suit (in order for their e-mails to interoperate).

But the thing is, in a way, AOL, Google and Yahoo are doing what he asks (and Microsoft is making encouraging noises).

I just got an IM from a buddy. He told me to go to www(dot)geocities(dot)com(slash)picc_81(slash)index.htm

This appeared to be a Yahoo 360 login page. "Odd," I thought, "Why do I need to login to see a Geocities page? And anyway, aren't I already logged into Yahoo?"

Let's view the source. Oh. It sends the login credentials to a script on www2.fiberbit.net -- looks like it emails them to ggeocitiees@gmail.com

I learned today of a well-known software vendor whose business has suffered as a result of poor list management practices. It's not the first, and probably won't be the last. This sorry tale only goes to illustrate the importance of avoiding becoming an inadvertent spammer.

It appears that, although it had been legitimately sending mailings to its customers, the vendor had been ignoring unsubscribe requests. As I've said before, any unwanted bulk email sent by an organization after an appropriate unsubscribe request is spam -- an organization that fails to act on unsubscribe requests in this way is a spammer.

I wanted to pull together some of the conversations that have been flying around recently about challenge/response spam filtering and this "spam index" idea. As is often the case, quite a bit of the value is in the conversation, in addition to the original posts, hence this roundup...

Anonymous:

As the holder of a domain name frequently forged into the From: or Reply-To: fields of spam, I can testify for certain that it doesn't work. In fact, whenever I receive a challenge to one of those forged addresses, I make sure to reply to it to make sure the spam gets through. Petty, perhaps, but I'm not being paid to filter C/R users' spam, so I'll pass it through.

Dean Harding:

I'll admit I was a bit suspicious that if challenge/response was such a panacea why were there not more people using it? My point was not that people should start using challenge/response, though, it was more to just point out that many people are still not happy with their spam filtering.

Len Dressler:

[Richi,] you're really kind of a dork ...

...Read more

So, according to one Peter Brockmann, challenge/response (C/R) spam filtering is a wonderful thing, and beats all other anti-spam techniques into a cocked hat.

Huh? What? How did he come to that conclusion?

I've beaten the "C/R filters are a terrible idea" meme to death, as have many others, so I'm not going to repeat all that here. If you're new to the arguments, take a stroll through these posts (perhaps you should work from the bottom up).

But I was about to write about Peter's methodology. However, it would have been an identical post to the one Justin Mason wrote -- he beat me to the punch. So here are Justin's money quotes:

The “Spam Index” is a proprietary measurement of spam filtering, created by Brockmann and Company. A lower “Spam Index” score is better, apparently, so C/R wins!
...
However — there’s a fundamental flaw with that “Spam Index” measurement, though; it’s designed to make C/R look good ...

...Read more

Looking at my spamtraps yesterday evening, I noticed our "fake online greetings card" chums have switched from their previous boring subject lines to new ones, commemorating U.S. Independence Day.

Update: my chums at Symantec calculate that they blocked 5.5 million of these during just five hours on July 3.

The new subjects include such literary delights as:

4th Of July Celebration
America the Beautiful
America's 231st Birthday
Americas B-Day
Celebrate Your Independence
Dump tea in the harbor
Fourth of July Party

...Read more

I was recently asked by a journalist, "So who are these spammers, anyway?"

There are many different types of spammer. Here are some examples that I gave her:

Greetings from Vegas.

Our chums at Computerworld Oz recently published what seems to me to be a very oddly-written story. It seems that Kingfisher Bay -- an Australian resort -- was using an "aging" version of Symantec's spam filter. Surprise-surprise, old versions of spam filters don't work very well, letting through a lot of spam.

In fact, it turns out that the resort wasn't using the Symantec Brightmail technology at all. It was still using the old, pre-Brightmail engine. Oddly, Symantec still sells this -- can't see why that's a good idea.

Zulfikar Ramzan is right on in his demolition of Mikko Hypponen's idea for a ".bank" top-level domain.

Writing on Symantec's Security Response weblog, Zully basically... uhhh... urinates all over Mikko's plan (although he's a lot more diplomatic than that). Some choice cuts:

Phishers don’t have to use the .bank extension and most users will fail to notice ... if you look at almost every phishing site these days, the URL itself is a blatant giveaway that you’re not at an authentic site

...Read more

I guess it's OK to call Robert Soloway a spammer -- he's already been convicted in U.S. civil charges of spamming in 2003.

This time though, he's been arrested on criminal charges, brought by the FTC. The list of laws he's alleged to have broken is extensive:

• 10 counts of mail fraud
• 5 counts of wire fraud
• 5 counts of identity theft (aggravated)
• 13 counts of money laundering
• 2 counts of email fraud (the only counts related to the CAN-SPAM Act)