Archive for April, 2005

Nice Spam

Tuesday, April 19th, 2005

James wrote about weird spam, I’ve got another nice one. This was downloaded to my inbox just moments ago; it uses a spam-detection-circumvention technique that I’ve never seen before, i.e. making it into an ASCII art, how reminiscent of old times…

I’m surprised that spammers could be bothered.


Q     Q                                              QQQQQ                                             Q     Q
D     D  D    DD     DDDD   DDDDD     DD            D     D  D    DD    D       D   DDDD               D     D    DD    D       D  D    D  D    D
O     O  O   O  O   O    O  O    O   O  O           O        O   O  O   O       O  O                   O     O   O  O   O       O  O    O  OO  OO
O     O  O  O    O  O       O    O  O    O          O        O  O    O  O       O   OOOO               O     O  O    O  O       O  O    O  O OO O
 G   G   G  GGGGGG  G  GGG  GGGGG   GGGGGG          G        G  GGGGGG  G       G       G               G   G   GGGGGG  G       G  G    G  G    G
  G G    G  G    G  G    G  G   G   G    G          G     G  G  G    G  G       G  G    G                G G    G    G  G       G  G    G  G    G
   H     H  H    H   HHHH   H    H  H    H           HHHHH   H  H    H  HHHHHH  H   HHHH                  H     H    H  HHHHHH  H   HHHH   H    H

HHHHH   HHHHH   HHHH   HHHHHHH          HHHHHH   HHHHHH    H   HHHHH  HHHHHH   HHHHH
B    B  B      B          B             B     B  B     B   B  B       B       B  
B    B  B       B         B             B     B  B     B   B  B       B        B
BBBBB   BBBB     BBB      B             BBBBBB   BBBBBB    B  B       BBBBB     BBB
M    M  M           M     M             M        MMM       M  M       M            M
M    M  M           M     M             M        M  MM     M  M       M            M
MMMMM   MMMMM  MMMMM      M             M        M    MM   M   MMMMM  MMMMMM  MMMMM 

IDN in Dot Net RFP

Sunday, April 10th, 2005

The .NET RFP evaluation report by Telcordia is disappointing because:

IDN was not given the weight that it deserves; it was lumped together under the general heading of “Ability to support current feature functionality of .NET”.

Sure, IDN is a current feature of .NET, but it is a poorly implemented one. Currently, anyone on the Internet can register all sorts of mambo-jumbo IDN in .NET using randomly-picked Unicode characters. What’s more worrying is that you can spoof legitimate domain names using look-alike Unicode characters 1. The cause of this in .COM/NET is inadequate policy on Verisign’s part.

Of the five proposals, Sentan‘s is the only one that had a decent game plan for rectifying the situation. Their proposed plan of action is: grandfather existing names, remove controversial tables, add mature tables, then allow registrations only in languages for which language tables exist. NeuLevel has adopted tables from various currently deployed languages in their respective countries, and have consulted with those registries and language communities. The languages proposed were: Chinese, Japanese, Korean, French, German, Icelandic, Swedish, Norwegian, Danish, Polish, Thai. Each of these languages have been deployed in one or more registries, and the language tables are publicly available either on the IANA language table registry or on the registry sites. Specifically, advice was sought on the deployment of said language tables in a gTLD context, the security implications and how best to be conservative without crippling legitimate use.

I believe that this approach, though conservative, echoes many of the concerns raised by the community in the recent IDN list discussions. Sentan should be applauded for putting cultural respect, compliance and the stability of the Internet over profit.

Apparently, the evaluators missed the point.

At first glance, Verisign does comply with ICANN’s IDN guidelines but, really, it is taking advantage of the fact that the guidelines (deliberately or not) omitted many details. They did not violate the clauses of the guidelines, but have in every sense violated its spirit and purpose. Not only did Verisign show no plan to improve the situation in their proposal, they were proud to claim to be the only registry to support all languages and code points.

This message was also posted to ICANN’s net-rfp-general forum.

Disclaimer: Though I have worked as a consultant for NeuLevel providing expertise in the area of IDN’s, I am no longer affiliated any of the RFP bidders.

1 This is referred to as the IDN Homograph Attack. When the IDN standards were developed, it was decided that protocols should be kept simple, leave the policy making to the registries and other relevant organizations. As a result, the number of Unicode characters banned at protocol level were only restricted to spacing and control characters, private use blocks and other “non-characters”.