Earthlink Deploying Challenge-Response Anti-Spam System

michael posted more than 10 years ago | from the bringing-out-the-big-guns dept.

Spam 520

deliasee writes "The Washington Post reports that Earthlink is preparing to offer new spam filter technology that requires sender authentication. AOL is still concerned that such technologies will put too much burden on consumers." The day after it's deployed, every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers...

520 comments

Nice moves (4, Interesting)

hendridm (302246) | more than 10 years ago | (#5901344)

I was hoping more ISPs would adopt the challenge-response system, like MailBlocks [mailblocks.com], previously featured [slashdot.org] on Slashdot. Way to go Earthlink! If I was interested in dialup, this would be a big selling point for me. I'm still waiting for a service that offers the challenge-response feature of MailBlocks but allows me to forward to my existing provider. I mean, a 12MB inbox is pretty lame. There are free providers [fastmail.fm] that can give me that much space...

Re:Nice moves (-1, Troll)

spacefight (577141) | more than 10 years ago | (#5901394)

Sorry but I call Challenge-Response system crap. eMail was not designed for such a challenge (well, let's forget the TCP/IP SYN/ACK). I won't burden this to my fellows mailing me. It drives network traffic as well up to the sky. Education is the way to go for spammers. Sue them if you're rich (read: AOL), complain about them if you're poor (read: everyone else) and be happy if they lose your DSL connection because of you as one guy did who pissed me off days ago.

Re:Nice moves (4, Insightful)

apoc.famine (621563) | more than 10 years ago | (#5901463)

I dunno. This may be painful for a bit, and increase the amount of mail, but in the long run it might be worthwhile. While I agree that it makes some peoples' jobs harder, those people probably aren't using the major ISPs/mail-services. If the major players do this, it makes it that much less profitable for spammers to do business.

I mean, if you're a spammer, a brute force mailing to joeuser.org is MUCH less profitable than mailing the same million messages to hotmail.com. Go big guys, go! It won't bother me at all.

Re:Nice moves (3, Insightful)

d_lesage (199542) | more than 10 years ago | (#5901570)

> It drives network traffic as well up to the sky

But wouldn't the added traffic be more than compensated by the reduction in traffic that would ensue when the spammers go out of "business"?

Re:Nice moves (1)

bozojoe (102606) | more than 10 years ago | (#5901490)

Anybody know what the most popular method of dropping spam is? I was wondering if the rules based approach (spamassassin.org) or the Challenge/Response approach works better. Perhaps it depends on the target audience. ...looking at ask.slashdot.org next

Too drastic? (4, Insightful)

mao che minh (611166) | more than 10 years ago | (#5901345)

Drastic times call for drastic measures. The situation caused by the relentless onslaught of SPAM (which supposedly is rendering "damages" in the billions annually) can certainly be categorized as drastic. Is Earthlink's counter attack too drastic a measure, though?

On one hand it (Earthlink's new "technology") seems reasonable enough to the every-day-joe. I'm sure that the majority of Earthlink subscribers don't utilize news or mailing lists, and don't bother paying their bills online. For these people, it's fine. On the other hand, many others use online banking and other such automated tools (even account control mechanisms for online games will be affected). How quickly will all of these vendors conform to Earthlink's new technology and make the needed changes in their automated systems? Will Earthlink simply render many of these domains exempt?

The answer to solving SPAM resides in the current mechanisms used for the actual transmission and delivery, the mechanisms that all participants must use, not just Earthlink. This is of course the mail servers themselves.

Re:Too drastic? (1)

mark_lybarger (199098) | more than 10 years ago | (#5901422)

at least they're doing something and they're doing it with / around their mail servers and not through some legislative BS that them there lawYers are trying to get a little face time with.

will it work? who knows, it might really help. if not perhaps they'll learn from the mistakes. someone has to improve smtp into a sstp (simple secure ...)

Re:Too drastic? (5, Insightful)

iangoldby (552781) | more than 10 years ago | (#5901507)

People who want to continue to receive messages from mailing lists, online banking, etc, will have to add these sources to their whitelist.

It's a bit of a faff though, and I suspect many people will either not understand how to, not bother, or forget at least one address.

The solution is to have the incoming messages moved into a 'holding' folder that the recipient can see, and check in just the same way as checking through a 'spam' folder. This would remind the user to add false positives in the 'holding' folder to the whitelist. After a while, you can safely stop checking your 'holding' folder. Wouldn't it be good if this is what Earthlink are doing?

I think a scheme like this could be made to work, at least for webmail. For POP3, it could be a bit more tricky...

Re:Too drastic? (2, Insightful)

Binestar (28861) | more than 10 years ago | (#5901524)

Too drastic? I don't think so. This is something that is off by default, and needs to be turned on by the user. That user can also pre-approve e-mail addresses from his address book and mailing lists that he is on so that the challenge never reaches those people.

This is just an added feature that users can use if they choose to.

As for the automated systems: It is the user's responsibility to add those addresses to the accept list when (s)he signs up for the services.

Since this challenge response system has to be turned on by the user, it is only the user's fault if (s)he forgets to whitelist the address of places (s)he gives his e-mail account out to.

All in all it's definitely a good option to have, but it's also a good thing that it is off by default, with the option to turn it on left up to the user.

How do two people with C/R communicate? (5, Insightful)

corsec67 (627446) | more than 10 years ago | (#5901350)

How do two people with challenge and response communicate?
If the challenge always gets through, then the spammer will just issue challenges as spam.
If they don't get through, then you would have a nasty mail loop.

Re:How do two people with C/R communicate? (2, Insightful)

Nutcase (86887) | more than 10 years ago | (#5901387)

very good point. I would mod you up if I could.

You can't have an automated challenge/response system, because that defeats the point.

You can't have a non C/R address for the challenges to be sent to, because it would end up getting spammed.

Basically, there is a no communications barrier in place until they communicate.. which makes no sense.

Re:How do two people with C/R communicate? (1)

PerlGuru (115222) | more than 10 years ago | (#5901448)

With most systems you can automatically add addresses from your addressbook and addresses from outgoing mail, problem solved. Of course that's just one problem, I don't really know where I stand on this issue but I think it is a good thing to have out there so people can choose for themselves.

Re:How do two people with C/R communicate? (1)

grantsellis (537978) | more than 10 years ago | (#5901466)

> How do two people with challenge and response communicate?
> If the challenge always gets through, then the spammer will just issue challenges as spam.

Would it be hard to add a few lines to a C/R program so that you remember addresses you've sent mail to?

At least, if they don't use the lame C/R my brother uses, which sends its challenge from a different address than the one you send to.

:)

Re:How do two people with C/R communicate? (3, Interesting)

IIEFreeMan (450812) | more than 10 years ago | (#5901473)

> How do two people with challenge and response communicate?
> If the challenge always gets through, then the spammer will just issue challenges as spam.
> If they don't get through, then you would have a nasty mail loop.

In TMDA [tmda.net] (a challenge response system in python) at least, when you send an email to somebody, they don't get a challenge when they answer. It's logical because if you send him an email, you know he will not spam you :)
So I assume Earthlink's system will act the same.

Re:How do two people with C/R communicate? (4, Informative)

stratjakt (596332) | more than 10 years ago | (#5901483)

The way I read it, Earthlink, upon receiving an e-mail, sends a challenge to the email sender. If the e-mail sender responds, it delivers the mail.

From the article:


When someone sends an e-mail to a challenge-response user, he or she gets an e-mail back asking to verify that the sender is a live person.

Once the sender does that by replicating a word or picture displayed on the screen, the original e-mail is allowed through. The system automatically recognizes future e-mails from the same sender, so the verification needs only to be performed once. Without the verification, the e-mail is not delivered.


So if Earthlink people are on your mailing list, you'll get a challenge next time you send it out. It should only happen once, and from then on, your email addy is "legit".

It's not like you get 9000000 challenges from everyone on the list. But if every ISP did it, you'd get a challenge from every ISP on the list.

This is the first step towards email being such a pain in the ass, that people just no longer bother using it.

Kiss SMTP and POP3 goodbye.

Re:How do two people with C/R communicate? (3, Interesting)

Garion911 (10618) | more than 10 years ago | (#5901547)

One idea: Any emails you send out, the recipient is automatically added to the "ok, let through" list.

Re:How do two people with C/R communicate? (4, Informative)

Chester K (145560) | more than 10 years ago | (#5901576)

> How do two people with challenge and response communicate?

My C/R setup (TMDA) automatically put anyone I send email to on my whitelist; therefore I'd get their challenge message.

Re:How do two people with C/R communicate? (2, Insightful)

SomeoneGotMyNick (200685) | more than 10 years ago | (#5901591)

The challenge is probably a randomly generated code to be returned before the original e-mail gets sent to the intended recipient.

Most spammers use fake return addresses anyway. The challenge will never arrive and the mail gets tossed. Thus, it never gets to the recipient. Voila, one less potential viagra purchase.

Re:How do two people with C/R communicate? (4, Informative)

esme (17526) | more than 10 years ago | (#5901620)

Here's how it works:
  1. Alice sends an email to Bob.
  2. Bob is automatically added to her access list (b/c she's sending him mail, he's not a spammer).
  3. Bob's mail server sends a confirmation request.
  4. Alice receives the confirmation request and responds.
  5. Original message is delivered to Bob.

-Esme
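The five-step exchange above and the mail-loop worry that opened this sub-thread, modelled as an added Python example (not part of the thread, and not Earthlink's or TMDA's code). The `Network` and `CRMailbox` classes, the message fields and the addresses are all constructed for illustration; the rule "never challenge a challenge" is an assumed loop-prevention policy.

```python
import secrets


class Network:
    """Toy in-memory mail transport; mail to unknown addresses bounces."""
    def __init__(self):
        self.boxes = {}

    def deliver(self, msg):
        box = self.boxes.get(msg["to"])
        if box is None:
            return False              # bounce, e.g. a forged return address
        box.receive(msg)
        return True


class CRMailbox:
    def __init__(self, address, net, auto_whitelist=True):
        self.address, self.net = address, net
        self.auto_whitelist = auto_whitelist
        self.whitelist = set()        # senders accepted without a challenge
        self.inbox = []               # what the user actually sees
        self.held = {}                # token -> message awaiting confirmation
        self.dropped = []             # challenges from unknown senders
        net.boxes[address] = self

    def send(self, to, body):
        if self.auto_whitelist:
            self.whitelist.add(to)    # step 2: recipient goes on the access list
        return self.net.deliver({"from": self.address, "to": to,
                                 "kind": "mail", "body": body})

    def receive(self, msg):
        if msg["kind"] == "response":
            held = self.held.get(msg["token"])
            # Release only if the token matches mail held from this sender.
            if held is not None and held["from"] == msg["from"]:
                del self.held[msg["token"]]
                self.whitelist.add(msg["from"])
                self.inbox.append(held)          # step 5
            return
        if msg["from"] in self.whitelist:
            self.inbox.append(msg)
            return
        if msg["kind"] == "challenge":
            self.dropped.append(msg)  # never challenge a challenge (no loop)
            return
        token = secrets.token_hex(8)
        self.held[token] = msg        # step 3: hold the mail, ask for confirmation
        self.net.deliver({"from": self.address, "to": msg["from"],
                          "kind": "challenge", "token": token})

    def answer_challenges(self):
        """Step 4: the human answers every challenge visible in the inbox."""
        for msg in [m for m in self.inbox if m["kind"] == "challenge"]:
            self.inbox.remove(msg)
            self.net.deliver({"from": self.address, "to": msg["from"],
                              "kind": "response", "token": msg["token"]})


def bodies(box):
    return [m["body"] for m in box.inbox if m["kind"] == "mail"]


def run_scenarios():
    results = {}

    # 1. Both sides use C/R and whitelist the people they write to.
    net = Network()
    alice = CRMailbox("alice@example.org", net)
    bob = CRMailbox("bob@example.net", net)
    alice.send(bob.address, "lunch?")
    results["held_before_answer"] = len(bob.held)
    alice.answer_challenges()
    alice.send(bob.address, "second mail")       # no new challenge needed
    results["both_cr"] = bodies(bob)

    # 2. Same, but Alice does not auto-whitelist: Bob's challenge never
    #    reaches her inbox, so the original mail stays held forever.
    net = Network()
    alice = CRMailbox("alice@example.org", net, auto_whitelist=False)
    bob = CRMailbox("bob@example.net", net)
    alice.send(bob.address, "lunch?")
    alice.answer_challenges()
    results["no_auto_whitelist"] = (bodies(bob), len(bob.held), len(alice.dropped))

    # 3. Constructed spam with a nonexistent return address: the challenge
    #    bounces and the mail is never shown to Bob.
    net = Network()
    bob = CRMailbox("bob@example.net", net)
    net.deliver({"from": "nobody@invalid.example", "to": bob.address,
                 "kind": "mail", "body": "buy now"})
    results["forged_sender"] = (bodies(bob), len(bob.held))
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The second scenario is the deadlock the thread asks about: without the outgoing-mail whitelist, the only alternatives are a dropped challenge or two systems challenging each other.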

Forged Headers (5, Funny)

Anonymous Coward | more than 10 years ago | (#5901352)

I think forged headers are the calamity of the inprocess SMTP transfer mechanism. If we can liberate the dynamic IPs saturated on the IPlanet web matrix, then we could perform 3-way LDAP POP3 authentication with a digital certificate.

The other way this could be accomplished is to triangulate a 801.11b WAP source into an array of POSIX message headers that would reflect the consistency of the mail protocol.

What do you think?

Re:Forged Headers (-1)

Anonymous Coward | more than 10 years ago | (#5901380)

Sounds good to me!

Re:Forged Headers (0)

Anonymous Coward | more than 10 years ago | (#5901505)

I'll take two, please!

Intrusive and Easily Fooled (4, Interesting)

Templar (14386) | more than 10 years ago | (#5901355)

Ok, so I create a new hotmail account -- i_am_not_a_spammer@hotmail.com. I send one test message and respond to the challenge, authorizing all future email from my address, then I close the account, use the address as my return address, and spam away.

Then, I give the address to all my fellow spammers and we use it until it dies. Then we make a new one.

Gee, that was tough.

How about mandatory authentication instead? Or even better, program all routers to only allow properly signed outgoing packets. Spam and hackers disappear overnight.

Re:Intrusive and Easily Fooled (1)

missing000 (602285) | more than 10 years ago | (#5901412)

> How about mandatory authentication instead? Or even better, program all routers to only allow properly signed outgoing packets. Spam and hackers disappear overnight.

Do I hear evil bit [rfc-editor.org] implementation?

I can't wait!

Re:Intrusive and Easily Fooled (1)

Whigh (663324) | more than 10 years ago | (#5901416)

For what it's worth, you have a point. If a spammer simply verifies that each is a valid account with the challenge system, they simply can then autospam as much as they want because they'll already be marked as safe. Loophole anyone?

Re:Intrusive and Easily Fooled (0)

Anonymous Coward | more than 10 years ago | (#5901426)

Or does the challenge/response only validate the sender for the given recipient? In which case, you'd need a response per destination.

Re:Intrusive and Easily Fooled (4, Informative)

MrPerfekt (414248) | more than 10 years ago | (#5901457)

> Ok, so I create a new hotmail account -- i_am_not_a_spammer@hotmail.com. I send one test message and respond to the challenge, authorizing all future email from my address, then I close the account, use the address as my return address, and spam away.
>
> Then, I give the address to all my fellow spammers and we use it until it dies. Then we make a new one.

You missed the point. You would have to do this _per user_ you wanted to spam. Which would get a little tedious to say the least. The point of challenge/response is that most of the reply-to:'s are fake email addresses. Hence, the challenge bounces and the message doesn't get put in the user's inbox.

Re:Intrusive and Easily Fooled (1)

Templar (14386) | more than 10 years ago | (#5901521)

Yes, I read too quickly. I thought it was sender-based challenge, not recipient-based. Sorry about that.

Still, only routing packets originating (and identifying) from within solves this problem and many more.

Re:Intrusive and Easily Fooled (1)

Templar (14386) | more than 10 years ago | (#5901550)

Whoops -- I was right the first time -- it is sender-based, and it appears to be system wide. Original message stands. Cheers!

about time (1)

tomhudson (43916) | more than 10 years ago | (#5901356)

All I can say is, about time, and I hope that everyone else adopts a similar system. After all, we already use chap (challenge-response protocols) for our connections.

Besides, which is more of a burden, getting used to a new system w/o spam, or losing valid messages because of spam?

Nice thought (0, Insightful)

Anonymous Coward | more than 10 years ago | (#5901360)

But what is to stop the spammer from actually doing it - I know that it would be time consuming, but do it once, and you are set - So one time, and you can keep on spamming.

Re:Nice thought (1)

hendridm (302246) | more than 10 years ago | (#5901438)

You think most spam is sent by some poor bastard sitting by a monitor typing in the names of the victims he wants to spam and waiting for their response?

Most spam is sent through automated measures. A bounce might get removed from the list, a reply might get marked as "active account" and continue to be spammed, but that doesn't matter until a human actually confirms the challenge response. If someone DID take the time to confirm the response, with a system like this, it would be easy to implement a permanent ban on the specific e-mail addresses that you specify. Just remove their name from the "okay" database or mark them with a "never deliver" flag.

too much hassle (3, Insightful)

chabegger (232188) | more than 10 years ago | (#5901362)

I think this will create way too much hassle. There are some people who wouldn't mind, but others (such as grandma) who have to be told three times where the power switch is won't really know what is going on. At least now when I don't reply I'll have a decent excuse... "but grandma, you forget to send it twice, so i didn't get it"

Now the spammers get address validation for free (5, Insightful)

chefbimbo (637251) | more than 10 years ago | (#5901365)

Seriously, what are they thinking? TMDA might seem like a nice idea in theory, in practice, it's a pain to use and not exactly safe either. Once this gets widescale usage, the spammers will simply start responding to the challenges (after all, it's not like that couldn't be easily automated).

Re:Now the spammers get address validation for fre (2, Informative)

PerlGuru (115222) | more than 10 years ago | (#5901400)

the article implies that an image would be part of the response, such as ticketmaster's please type the word in the picture into the box.

Re:Now the spammers get address validation for fre (1)

stratjakt (596332) | more than 10 years ago | (#5901518)

Because no OCR routines have ever been written, this is absolutely foolproof.

Even so, you only have to respond once, and you then have the full run of earthlink. So you spend a day responding to challenges from all the ISPs, then go back to business as usual.

Re:Now the spammers get address validation for fre (1)

Sylver Dragon (445237) | more than 10 years ago | (#5901548)

> the article implies that an image would be part of the response, such as ticketmaster's please type the word in the picture into the box.

I give it about a month before someone figures out a way to use something similar to OCR technology to bypass this sort of thing. If this sort of challenge/response idea becomes very wide spread, the spammers will suddenly have a huge need to find a way around it, and they have the money to throw at it. It will eventually fail, just like every other filter out there. SPAM is here to stay, the best we can do is fight it constantly, and never respond to it, but even still we will never win.

Re:Now the spammers get address validation for fre (3, Interesting)

PerlGuru (115222) | more than 10 years ago | (#5901616)

I don't know about earthlink but ticketmaster's sys uses random different patterns obscuring the text. As for the text, the fonts they use vary, size varies, lines are not straight, and most of the fonts look like they are hand written (with even a single letter appearing differently in the same image)

I'd guess their system is pretty effective.

Mainstream Users (1)

PerlGuru (115222) | more than 10 years ago | (#5901366)

It will be interesting to see how well this method works now that it is going to be out there for mainstream non-geeks to use. I am a little curious about how the address will work for order confirmation, the article seems to hint at throw-away type address but doesn't give much detail.

Good idea, but... (3, Insightful)

onemorehour (162028) | more than 10 years ago | (#5901368)

This seems like it might be a good step, but it's missing the point. The only thing that will truly curb spam is to rework the SMTP protocol to not implicitly trust every host, as was mentioned in an earlier /. article.

Re:Good idea, but... (1)

stratjakt (596332) | more than 10 years ago | (#5901544)

This is step 1.

Make email more of a pain in the ass.

Once the spammers work around this (and they can, I mean you only have to respond once to get the full run of Earthlink), they'll find another way to make SMTP a pain in the ass. Like charging a nickel for email, or some shit like that.

Eventually, when it's such a hassle or expense to use, and no one uses it, then it can be replaced.

Look at satellite radio. Why would anyone pay 40 bucks a month for a new kind of radio? Simple, they made regular FM radio suck. So if you want to hear anything but the top 40, you need to pay.

Earthlink should look for mailing list headers... (1)

phallstrom (69697) | more than 10 years ago | (#5901371)

If earthlink looked for mailing list headers or signs that the message is a mailing list they could allow it through... at least for awhile to avoid the challenge responses to mailing lists...

ugh.

Re:Earthlink should look for mailing list headers. (1)

PerlGuru (115222) | more than 10 years ago | (#5901480)

I think that might even work out very nicely perhaps with a little notice at the top of the message with instructions to add the address to the allowed list (perhaps a link) or deny further messages from the address

Michael's comment (4, Interesting)

Rev.LoveJoy (136856) | more than 10 years ago | (#5901373)

This is true, but perhaps it illustrates an opportunity for developers of mailing list software more than it exposes a flaw in Earthlink's plan to thwart spam?

As a network admin, many of the remote users I support (sales reps, on-the-road types) use Earthlink dial-up while travelling. At times, some of the programs that Earthlink has used to stop people from using their services to spam have made my job harder. However, I do not begrudge Earthlink for these inconveniences, at least they, as a major ISP, are doing *something* about this problem.

My two cents,
-- RLJ

Correction (5, Informative)

robbyjo (315601) | more than 10 years ago | (#5901376)

> every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers

Not exactly right. It happens only for the first time to detect whether the sender is legitimate or not. Quote the article:

> The system automatically recognizes future e-mails from the same sender, so the verification needs only to be performed once.

The problem with this system is that the spammer can still spam using legitimate e-mail accounts as a camouflage (or expired e-mail accounts). Once the legitimate e-mail address is procured, the spam still goes on. It is futile, IMHO.

Re:Correction (1)

Freudounet (671620) | more than 10 years ago | (#5901486)

The problem with mailing lists is that you often have to confirm your registration by answering an automated email they send you. This email will be "challenged" but no one will respond to the challenge.

Re:Correction (4, Interesting)

Ed Avis (5917) | more than 10 years ago | (#5901491)

Spammers seem to be sending a whole bunch of crap from my address (ed@membled.com) even now. At least, I keep seeing what appear to be genuine delivery failure notifications of Russian spam sent from my address. Any system which trusts individual email addresses, without relying on some real authentication such as PGP signatures, is broken.

A simple rule is: Headers can be forged. Don't trust anything in the headers for antispam purposes. This includes the sender and recipient.

OSS Challenge-Response (1)

planet_hoth (3049) | more than 10 years ago | (#5901390)

Does anyone know of any open source challenge-response anti-spam projects similar to what Earthlink is developing? I've wanted something like this for a long time. While I don't have time to start a project myself, I'd like to contribute to someone else's.

Re:OSS Challenge-Response (0)

Anonymous Coward | more than 10 years ago | (#5901519)

ASK.

Active Spam Killer

http://www.paganini.net/ask/

Loops? (1)

91degrees (207121) | more than 10 years ago | (#5901391)

Does this automatically allow messages from people you've sent email to?

I'd hate to think that there are two messaging systems sending challenges out to each other before they let the other one's challenge through.

Warning: Infinite loop detected (2, Informative)

Marx_Mrvelous (532372) | more than 10 years ago | (#5901392)

Ha! I can just see it... Alice@me.com sends an e-mail to Bob@you.com. Bob@ sends a challenge to Alice. Alice, never having heard from Bob, sends a challenge back to Bob. Either Bob ignores the second e-mail, or sends another challenge. Of course, if the e-mail software allows any outgoing e-mail address to reply without challenge, this wouldn't be a problem.

Like Vacation (1)

nuggz (69912) | more than 10 years ago | (#5901446)

Like vacation messages?

Maybe spammers will just submit "verification" messages instead of actual messages.

I can't wait to see the piles of accumulated cruft on Earthlink's servers.

Re:Warning: Infinite loop detected (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#5901459)

Are you bright? witty? Do you have friends that laugh at your jokes? We at lrse hosting" [lrsehosting.com] are looking for a select few individuals to join our ranks at the internet's premier source of wit [sporks-r-us.com] and style [geekizoid.com].

Do YOU have what it takes? Register TODAY and FIND OUT!!!!

I like it (1)

Mundocani (99058) | more than 10 years ago | (#5901398)

I'm not convinced whether it'll actually work, but I'm willing to give it a chance. The SPAM problem is obviously getting way out of hand. It's sort of like evolution -- if the system works, then it'll become more widespread. If it doesn't work, well that's the nature of evolution isn't it?

> Some experts see problems with the technology and doubt that consumers will warm to a process that adds another step to e-mail delivery

I don't really agree with the article's assumption here. It's true that it's another step, but it's one-time-only, which makes it much more palatable in my opinion.

Yes, but... (0)

Anonymous Coward | more than 10 years ago | (#5901399)

...does the spam filter run on Linux?

This is much better (1)

s4ltyd0g (452701) | more than 10 years ago | (#5901407)

than just blindly blocking mail coming from small sites using dynamic DNS.

Re:This is much better (1)

esquimaux (639595) | more than 10 years ago | (#5901516)

Blocking mail from small sites using dynamic DNS is also a useful tool. No single tool in the effort to stop spam is sufficient, nor are most of them painless.

The industry is considering several anti-spam measures that would form a "web of trust" between SMTP senders. The burden of joining that web of trust will likely be too high for Joe Linux User, just as hosting a permanent SSL/TLS-protected site with a *valid* site certificate is generally too much trouble for a home access user.

If you want your mail to be accepted, smarthost it to your upstream provider or to any major mail provider that provides SMTP relay services. Their relays had better be authenticated, of course, because ISPs will continue to crack down on mail through open relays.

Just do what I do (1)

greechneb (574646) | more than 10 years ago | (#5901409)

I use my filters this way:
upon receiving move all messages to folder spam
unless message is from "email@address.com"
if message in folder spam is older than 10 days move to folder trash

Each time someone I know sends me an email I add their address. Very rarely do I get new addresses once all of mine are set up. When they do, I add another address.

It takes a while to set up, but I don't have to depend on my ISP, and I can switch with no problem.

Good idea, bad idea. (4, Informative)

numbski (515011) | more than 10 years ago | (#5901411)

How to set up SpamAssassin Milter on OSX [216.239.53.104] <- Easily adapted for other platforms. I wrote it.
Squirrel Mail [squirrelmail.org]
SpamAssassin Config for Squirrel Mail [squirrelmail.org] <- Register Globals must be turned on in php.ini to use this.

Now, that being said, I run an ISP in St. Louis, and spam is a problem, but for the precise reason mentioned on the submission, I can't use a challenge-response system. The reason is that our support staff equals myself plus 1. If I want to answer phone calls all day from people complaining about not being able to get mail from their daily spamming of mailing lists, I best allow all. The problem is that these same people complain about all the spam they get...ugh. The above solution is elegant and leaves the ability to control the filter to the end user via webmail. If they don't like it, set the threshold high and it's 'off'. Been using this for months without a complaint.

Now if you don't use lists, and it's for your own mail server...go for it. That has to be the most effective method available, but not appropriate for wide scale use.

Re:Good idea, bad idea. (1)

numbski (515011) | more than 10 years ago | (#5901441)

> Easily adapted for other platforms. I wrote it.

Errr...the article, not the software. :P

They should offer it with new email address (5, Insightful)

dnoyeb (547705) | more than 10 years ago | (#5901413)

me@challenge.earthlink.com

something like that. So that it allows users to gradually changeover to the system. That would allow them to be more extreme in their refusal to accept emails and much less compromising.

I like it.

Re:They should offer it with new email address (1)

Ed Avis (5917) | more than 10 years ago | (#5901532)

I hope it's not obvious, if each me@challenge.earthlink.com has a corresponding me@earthlink.com then spammers could figure this out pretty quickly.

WE challlenge YOU to a BATTLE of TIWS!!! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#5901414)

Are you bright? witty? Do you have friends that laugh at your jokes? We at lrse hosting" [lrsehosting.com] are looking for a select few individuals to join our ranks at the internet's premier source of wit [sporks-r-us.com] and style [geekizoid.com].

Do YOU have what it takes? Register TODAY and FIND OUT!!!!

Response... (1, Interesting)

Duncan3 (10537) | more than 10 years ago | (#5901420)

And in day 2, spammers automate the responses.

Results:
1. Spammers get free AUTOMATED account verification.
2. The load on the email system doubles.

Conclusion:
Nice "solution" dumbass.

Re:Response... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#5901500)

Are you bright? witty? Do you have friends that laugh at your jokes? We at lrse hosting" [lrsehosting.com] are looking for a select few individuals to join our ranks at the internet's premier source of wit [sporks-r-us.com] and style [geekizoid.com].

Do YOU have what it takes? Register TODAY and FIND OUT!!!!

Re:Response... (0)

Anonymous Coward | more than 10 years ago | (#5901556)

They automate converting a picture into a word? OCR in perl? Unlikely. If they do just send a picture of an orange and say 'what is this?'

Great, so long as they drop the RBL. (0)

Anonymous Coward | more than 10 years ago | (#5901424)

I'll be happy to do authentication in exchange for actually being able to send e-mail to Earthlink subscribers from my home computer/vanity domain.

Earthlink was doing OK as is... (1)

q2k (67077) | more than 10 years ago | (#5901434)

It's been about a year since I was an Earthlink customer, but they had Brightmail implemented and it was blocking 95+% with no false positives. I had gotten so confident in it that I never even bothered to log in to the web site to check the caught spam. Has that system gotten worse? It seems like a challenge response system will put even more of a burden on their network with incoming spam being the same, but now you add all the authentication requests, replies etc.

Needs to be 'hard' in some way (3, Interesting)

Ed Avis (5917) | more than 10 years ago | (#5901437)

Of course it is no good if the spammers can set up automated systems to respond to the challenge. There are only two ways around this:

- Make the challenge 'AI-complete', that is, to give a correct answer you must be a thinking human being and not a computer. But then how can the other end check that the answer is correct? Having humans generate a fixed number of questions and provide sample answers also isn't going to work, since spammers will learn the correct answers. You need a way to generate an unlimited number of questions and to mark the answers automatically, and clearly this can't be done if the questions are intended to be too hard for a computer.

- Make the response computationally burdensome, so a computer can do it but only at the cost of some CPU power (so large bulk mailings would be impractical). This is what Hash Cash [cypherspace.org] and similar systems suggest.

It looks like Earthlink's system will rely on sending pictures you have to look at. Apart from the practical problems of clogging the wires with image files, I worry about OCR potential. The examples of this stuff I've seen on Yahoo, where you have to type in a number shown in a partially 'obscured' image, wouldn't have been difficult to develop OCR software for if you were so minded.

There's also the question of the spammer taking the challenge and sending it out to some other user. That user, by now used to replying to challenges from Earthlink and other addresses, will respond to the question and send the correct answer back to the spammer. D'oh!

Re:Needs to be 'hard' in some way (1)

BillFarber (641417) | more than 10 years ago | (#5901585)

The challenges are typically characters in a squiggly font or in a font with holes, so that humans can plainly see what the characters are and type in the characters as the response. The response cannot be automated because software is currently unable to decipher these characters. The challenging program stores which characters were sent with each challenge so that the program effectively has the "answer sheet". No human intervention is necessary.

what about mailing lists? (1)

greechneb (574646) | more than 10 years ago | (#5901443)

What will it do with mailing lists?

They won't accept return emails, so they will never get the challenge?

I won't know what email address they are coming from until I get one, so how could I manually add an address to accept?

Oh great, now spam has its own protocol (5, Funny)

Anonymous Coward | more than 10 years ago | (#5901451)

"...the spam client MUST provide an Accept-Topics: header, where the value is one of 'penis-enlargment', 'make-money-fast', 'repair-credit', or 'any'. The server MUST reply with a Spam-Type: header, specifying the type of spam transferred. In addition, the server MUST respond with a Spam-Encoding: header, where the value is one of the options 'all-caps', 'many-exclamation-points', or 'broken-english'..."

I dunno... (1)

toasted_calamari (670180) | more than 10 years ago | (#5901456)

While it seems obvious that something needs to be done to slow down the spammers, I don't think this would be the best way.

One of the great things about email is that it is fast: I send a message and it arrives almost instantly. However, this system would remove a lot of this advantage.

Now I might be wrong here, but as far as I can see, this attempts to solve the problem by requiring users to send two messages instead of one. Not only will this greatly slow down the speed with which one can send a message, which is probably part of the point, but it will also increase bandwidth traffic. Also, you can bet that the spammers will find some way to get around these Turing tests.

This is a good start but I am concerned that it will only increase bandwidth unnecessarily.

why challenge-response won't work (2, Redundant)

X_Bones (93097) | more than 10 years ago | (#5901462)

What if I'm registering at eBay or PayPal or some other site which sends an automatically-generated email when I complete the first step? What if I subscribe to a mailing list where I can't get a response from a human to a challenge? What if I'm applying for a job online and the company sends me an email saying they've received my resume, which I will not be able to see?
I think this kind of scheme is only useful when the message sender is human and you know who they are, in which case the system is pointless anyway. What I think we need is to phase in a new, secure version of SMTP where emails aren't relayed unless the sender's ID can be verified.

That's great! (0)

Enahs (1606) | more than 10 years ago | (#5901470)

I hope they do something that will actually serve their customers well, now, like improving their ability to handle the number of customers they have now, make sure that people going to their web site can actually learn about their broadband offerings (instead of getting error messages from servlets) and other things that make it look like they give a damn about their customers.

Fill up the ISP servers (5, Insightful)

nuggz (69912) | more than 10 years ago | (#5901475)

So when a spammer fires a few hundred or thousand emails to an ISP, they will sit on the mailserver waiting for him to respond.
Since the from address is faked, that same ISP will launch an acknowledgement flood against a third user.
Excellent.

I just see so many tricky things that someone somewhere will screw up.

Re:Fill up the ISP servers (3, Insightful)

stratjakt (596332) | more than 10 years ago | (#5901618)

The ISP sends only one challenge. You respond once, and henceforth are allowed to send as much as you want.

Now if I wanted to Joe Job some guy, I just pick someone whose chances are good that he's already allowed through Earthlink. Say the maintainer of a mailing list with Earthlink subscribers.

I've said it before. This is just a step towards making SMTP a pain in the ass, and obsolete. We can look forward to a high tech pay-per-use replacement in the future. Yay! Paying to send e-mail, I can't wait. But at least the two or three spams I get a month will be gone.

Probably won't work... (1)

Sebby (238625) | more than 10 years ago | (#5901482)

doesn't matter to me either way; I don't support companies that cripple innovation by patenting their crummy software.

Not a cure (1)

mugnyte (203225) | more than 10 years ago | (#5901492)


Every spam-subject /. post here eventually brings about the idea of an email system that doesn't move bytes until requested.

What would be so painful if all email content was simply a web link to the sender's server, their "outbox"? When the receiver went to read it, they could store a copy then if they wanted mobility. Or, their email client could follow these links automatically when given the notice.

The differentiation between a content link and a malicious one would be a delicate but solvable problem.

However, since no transmission happens until demand, we're not shipping terabytes of crap around the wires for naught. That's the real issue here. Spammer's email content must be served to the receivers as they open the email. Since spoofing would be akin to removing the content, nobody could get a message across without it.

I know I've read about a formalized version of this idea here. Somebody post it again.

mug

Challenge - Response doesn't work (5, Insightful)

tshak (173364) | more than 10 years ago | (#5901493)

What happens when the customer orders something from Amazon - the purchase confirmation email comes from a non-human address.

Just the other day I got an email from a company that I ordered software from describing a free upgrade that I could download. It came from donotreply@[host].com, meaning, if I was using Earthlink's system I probably wouldn't have received it.

The problem with Challenge - Response is that it makes the assumption that if there's not a human behind the email that it's spam. In practice, there are many legit emails that are not individually sent by a human.

Re:Challenge - Response doesn't work (1)

Ed Avis (5917) | more than 10 years ago | (#5901555)

They could have a dual system: send challenges normally, but if a message has enough Hash Cash [cypherspace.org] postage paid then no challenge is needed. This would let automated mailings get through if the sender was prepared to spend some amount of CPU time. Presumably the company with whom you have a business relationship would be willing to spend ten seconds of their server's CPU time to send you a message, but a spammer would not.
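The dual policy described in the comment above (whitelist first, then Hash Cash postage, then a challenge), sketched as an added example that is not part of the thread or of Earthlink's system. The stamp follows the Hashcash version 1 field layout; the `Receiver` class, the addresses, the 12-bit cost and the two-day freshness window are assumptions made for the illustration.

```python
import hashlib
from datetime import date, datetime, timedelta
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def mint(resource: str, bits: int, day: date, rand: str) -> str:
    """Sender side: search for a counter that gives the stamp `bits` zero bits."""
    prefix = f"1:{bits}:{day:%y%m%d}:{resource}::{rand}:"
    for counter in count():
        stamp = f"{prefix}{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp

class Receiver:
    """Hypothetical per-mailbox policy: whitelist, then postage, then challenge."""

    def __init__(self, address, whitelist, min_bits=12, max_age_days=2):
        self.address = address.lower()
        self.whitelist = {a.lower() for a in whitelist}
        self.min_bits = min_bits          # toy cost so the demo mints quickly
        self.max_age = timedelta(days=max_age_days)
        self.spent = set()                # stamps already accepted (replay guard)

    def stamp_ok(self, stamp: str, today: date) -> bool:
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1":
            return False
        try:
            claimed = int(parts[1])
            minted = datetime.strptime(parts[2], "%y%m%d").date()
        except ValueError:
            return False
        if claimed < self.min_bits or parts[3].lower() != self.address:
            return False                  # too cheap, or paid for another mailbox
        if abs(today - minted) > self.max_age or stamp in self.spent:
            return False                  # stale, post-dated, or replayed
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
            return False                  # the work was never done
        self.spent.add(stamp)
        return True

    def decide(self, sender: str, stamp, today: date) -> str:
        # From addresses are forgeable, so the whitelist is convenience, not proof.
        if sender.lower() in self.whitelist:
            return "deliver"
        if stamp and self.stamp_ok(stamp, today):
            return "deliver"
        return "challenge"

if __name__ == "__main__":
    today = date(2003, 5, 7)              # constructed sample data below
    bob = Receiver("bob@example.net", ["alice@example.org"])
    stamp = mint("bob@example.net", 12, today, "constructedsalt")
    print(stamp)
    print(bob.decide("orders@shop.example", stamp, today))   # postage paid
    print(bob.decide("orders@shop.example", stamp, today))   # same stamp again
    print(bob.decide("stranger@example.com", None, today))   # no postage
```

Binding the stamp to the recipient address and remembering spent stamps is what keeps one unit of work from paying for a bulk run; the sender's cost doubles with each extra bit while the receiver's check stays a single hash.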

Yay! (0)

freality (324306) | more than 10 years ago | (#5901497)

The big guys have been dodging this obvious solution the whole time. Ever since instant messaging took off, it was obvious everyone was capable of using challenge-response, but of course, it hits email advertisers in the pocket. This led to moves by the likes of MS to counter anti-spam legislation in California. Hopefully this move by Earthlink will start the rush.

The neat thing here isn't that you choose who to accept - because that in itself is a pain - but that the sender has to allow for the possibility that you won't, which is currently not handled well in e-mail. Once legitimate senders generally have this capability, spam filters (either complex or just a rule to reject unknowns) will become more useful, as there's then a decent way to handle a bounce. Spam be gone!

Pure nonsense (and there is a better solution) (1)

marcink1234 (556931) | more than 10 years ago | (#5901501)

Sending often 50 mails a day (business conversations with cooperants, mailing lists, friend communications,...) I really hate the idea. I must say it will be easier for spammers to employ character recognizing software than for me to reply to all those confirmations.

The problem is somewhere else and there is a solution. The real problem with spam is to force senders to identify themselves correctly (if they identify, they can be easily filtered, maybe including databases of the spam senders being just the lists). And the solution is to require the email to be digitally signed so one can verify it against the sender's public key.

It'd work w/ a white list. (1)

x00101010x (631764) | more than 10 years ago | (#5901503)

The challenge-response thing is a great idea for yet-unknown senders. However, users should be able to have a white list that doesn't require a challenge. Using that, they could send out an email/insert into paper bill statement that would give users information on where to grab a quick self-installing tool for their platform/email client that would allow 1 click additions to white lists... (or just add it to their Web Mail interface) Then, Earthlink would give users 2 more months of spam (while they build their white list and such) before turning on the challenge-response system. Another idea, is take email that isn't obvious spam yet fails the challenge-response system and put it in a Junk folder of some sort where users can 1 click white list the sender... So Timmy goes, 'Hey, where's my starwars newsletter?' and Timmy checks his junk, finds the starwars newsletter and in 1 click sends it to his inbox and white lists newsletter@starwars.com or whatever. Of course, if a month or two goes by and you haven't pulled an item from the junk folder, it's assumed you don't care and it gets deleted. And yet another solution is to have Earthlink build its own white list of responsible, trusted senders (such as rhn-admin@rhn.redhat.com and such) so that users will only have to check that junk folder if it's either A) a sender that misbehaves or B) a sender that Earthlink hasn't heard of yet. And to that matter... could always add a sender rating so that if enough people put a certain email address (rhn-admin@rhn.redhat.com) on their whitelist, Earthlink would then either add it automatically or give some admin the task of checking out that the sender is really cool and then adding them to the Earthlink wide white list. Anywho, that's just my 0.02USD

Regarding mailinglists (1)

CausticWindow (632215) | more than 10 years ago | (#5901506)

Just do the preemptive thing and remove all earthlink subscribers from any mailing list you admin.

Protocols like this are bad, especially when people like earthlink are the masterminds.

bad protocol: SMTP (4, Insightful)

JDizzy (85499) | more than 10 years ago | (#5901517)

The answer is not attaching more bad ideas to an already bad protocol. The ultimate answer is in the protocol designers. A government/state can pass as many laws governing the interaction of people/things with the bad protocols, but the IETF/IEEE will still create them, and certify them. People should just wake up and realize that SMTP is to blame for this big mess. ISPs should stop offering SMTP outright, and think of ways to replace it. Chat programs are probably a better way to pass messages anyways. SMTP has become a massive bazaar that is full of everyone on earth, and since it is completely open, it's also completely ok to send bulk mail. Forging headers is another issue, but simply spewing email is intrinsically allowed by the protocol, and thus taken advantage of. If everyone on earth had a computer, and everyone on earth sent email to everyone else on earth every day, would that be spam? No, because it would cross the line into accepted practice, and that is what we are starting to see due to the sheer bulk of spam sent to everyone on a daily basis. The point is that as long as SMTP exists, so will spam. The answer is to replace SMTP with something that doesn't allow spam to exist by removing the ability to anonymously send people messages.

Is sender pay model even discussed? (0)

Anonymous Coward | more than 10 years ago | (#5901527)

I can't believe nobody talked about ISPs' business models. Relying on the receiver to pay for someone else's spam is not going to cut down the amount of spam being sent, no matter how powerful the filter is. Sure, spammers will just forward spams to remote server, but operators from those nodes are nuts for accepting spam requests, especially knowing when their nodes are going to be blacklisted. Ever wonder why SMS from cellphone companies suck?

Yeah, OK... (1)

Lord Jester (88423) | more than 10 years ago | (#5901528)

I had an Earthlink (Mindspring) dial-up account for quite a while.

I never gave out the address that was earthlink's (jester2@mindspring.com). However, I got tons of SPAM to that address. Seems earthlink is trying to play both sides of the fence. They want to lure customers with anti-spam feature, but they are still going to sell your address.

Hotmail System? (0)

EtherBoo (636012) | more than 10 years ago | (#5901537)

The idea sounds good. Reminds me of the Hotmail system that forwards everything on a safe list to the inbox and everything else to the junk mail folder. The user is then able to allow or deny future mails from that sender. Hopefully more providers will follow in the same direction.

Folks, It's Opt In (3, Informative)

davewill (21519) | more than 10 years ago | (#5901542)

The article clearly states that the user turns this on or off. So it seems unlikely that a large number of challenges will start going out. As far as Grandma is concerned, you can add her email address to the OK list yourself so that she never sees a challenge. The only minor problem I see is receiving email from text only people, (Pine, etc..), or portable devices that might not render the bitmap correctly. But it seems a minor complaint, really.

Phaeton Sez (0)

Anonymous Coward | more than 10 years ago | (#5901566)

I could be horribly ignorant on the whole subject, but...

I think that making the ISPs and users at the receiving end of UCE take the brunt and actions against spam is the wrong way to go about it.

It needs to be attacked from the offence, not bolstered up at the defence.

We're still increasing the costs and hassles for the victims, while the perpetrators are still able to send volley after volley with no financial consequence.

Admittedly, I don't have any better ideas either, though.

Except for requiring a short time delay between messages sent. Just like anything else, difficult to enforce.

There's a whitelist (4, Informative)

Spittoon (64395) | more than 10 years ago | (#5901573)

Jeez people, read the whole article, it's not that long:

The challenge-response system will be optional and free for EarthLink subscribers, Anderson said. It will allow users to automatically clear the e-mail addresses of friends, family members and other associates in their electronic address books, so those people would not receive the challenge e-mail.

That's called a "white list"-- a list of addresses you know are legitimate.

When someone responds to a challenge and you accept their response, they go on your whitelist.

When you turn on this gadget, add your mailing list addresses to your white list. If you suddenly stop getting a list, go find out if they changed their sending address and add it to your white list.

If that's too much of a burden, feel free not to use the service, and go back to complaining about spam.

Wow, nobody understands this! (5, Insightful)

MrPerfekt (414248) | more than 10 years ago | (#5901582)

I see a slew of people saying "blah blah blah, they'll automate the response blah blah blah". And apparently, to a lot of you, this is all new.

This is something that's been around for a few years and gee, spammers haven't gotten around it yet. C/R antispam systems work because spammers don't use valid Reply-to: or To: addresses.

If they did and the spam gets through the system, then great! There's one more point where we can nail them on when/if we go to hunt them down. Oh, you used your dialup with an SMTP server to auto-respond to the challenge (which is probably a lot of work for the average evil spammer), great, email abuse@isp and have his account shut down.

Since I have started using ASK to C/R my email, -zero- spams have gotten in my Inbox (which is what annoyed me the most about spam, the false positive I got when the little sound would ring telling me I had new mail.)

Intrusive? PLEASE! How lazy are you? Hit reply -once- and you'll never have to see it again when sending email to me. I'd say getting pelted with 200 spams a day is slightly more intrusive to me than what you're going to have to do to send an email to me.

How has this problem escaped me? (2, Informative)

Cobralisk (666114) | more than 10 years ago | (#5901584)

But spammers have found ways to defeat them and spam accounts for 40 percent of all e-mail

Is this true?

Of all my email accounts, the only one I ever get spam on is my yahoo account, which I set up pretty much to get spam on, since any websites I visit that require registration, I always give them the "spam" address I got for free. I don't even check that email for anything. Human beings are the only recipients of my paid email addresses. I am for measures like this though, because even though I'm not affected directly by spam, increased traffic on the net is bad for everyone.

We need to punish the senseless posting of one's own email address to anonymous sources. These are the same people that give out their address and phone numbers when they buy batteries from Radio Shack. Use your head, they don't want to know where you live so they can send you a case of scotch. They want to drink your beer, crash on your couch, sleep with your daughter, and have you pay them for the privilege.

Authenticate from address (1)

soundman32 (147936) | more than 10 years ago | (#5901600)

I've just implemented a POP3 email checker that makes sure the FROM address is valid. It removes about 25 spams per day (out of 100) and MailWasher takes care of the rest.

If anyone is interested in trying out my program, drop me a line.

Earthlink spam filtering (1)

ceswiedler (165311) | more than 10 years ago | (#5901603)

I use Earthlink, and they already have a decent spam-filtering system. I still use both SpamProbe and SpamAssassin, and the combination of all three works well enough that I'm not afraid to give my real address just about anywhere.

Well, except maybe Slashdot.

But perhaps with the new system, I can post it even here!