
Catching Spam by Looking at Traffic, Not Content

Zonk posted more than 6 years ago | from the content-sniffing-doesn't-work-anyway dept.

Spam 265

AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Black list, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?


sounds good to me (5, Insightful)

seanadams.com (463190) | more than 6 years ago | (#17752464)

I realize most of us here would ordinarily prefer for our ISPs to just move bits around, but it seems like they are in a pretty good position to curb spam if they were to start looking at traffic patterns like this. If some DSL customer suddenly starts opening hundreds of outgoing SMTP connections, that would be a pretty reliable sign that his machine is pwned. Just block or throttle port 25, and send the customer an email telling him to fix his computer, and keep it blocked until he does - or he contacts abuse@ with a legitimate explanation. Not filtering based on the contents of the data should let them maintain plausible deniability and common carrier status.

We can't do this on our personal or company internet connections because we only see individual messages coming from many different IPs, but on the other end of the connection, or even at the backbone level, this strikes me as a pretty solid solution. They could even just tag the packets with the evil bit [faqs.org] and let us decide if we want to filter them or not.

Re:sounds good to me (2, Informative)

Anonymous Coward | more than 6 years ago | (#17752664)

That may be just another tool to circumvent Spam. My primary email spam filtering is Spamd @ openbsd.org/spamd. The service-based spamd is known as Spam Assassin. This is a daemonized version that was ported for Openbsd by the gods. It can be troublesome to configure if you are a first timer. But remain vigilant with google groups and documentation provided by openbsd.org and the man pages within spamd.

Re:sounds good to me (4, Interesting)

GreggBz (777373) | more than 6 years ago | (#17752832)

The new breed of zombies have wised up to port 25 blocking / throttling and like to funnel everything through the MTA for the domain to which they are connected.

A combination of policyd, postfix, spamassassin and ids/bandwidth accounting software has turned it into something manageable, at least where I work. Customers are allowed say, 100 e-mails in a 30 minute time span. If they complain and have a real reason, we can adjust. This also makes finding users with pwned machines a lot easier.

Some of them now (the spam zombies) seem to be moderating their outgoing connections so that it's not so obvious but their volume is still substantial. It just never ends...

Re:sounds good to me (2, Insightful)

webdragon (788788) | more than 6 years ago | (#17752948)

I'm sure they could do that fairly easily but with how everyone is sue happy they're going to have to change the terms of use contracts first to reflect that they can and will do it so they can cover their rear from being sued.

your specific idea sounds damned good to me (1)

Penguinisto (415985) | more than 6 years ago | (#17752950)

"If some DSL customer suddenly starts opening hundreds of outgoing SMTP connections, that would be a pretty reliable sign that his machine is pwned. Just block or throttle port 25, and send the customer an email telling him to fix his computer, and keep it blocked until he does - or he contacts abuse@ with a legitimate explanation."

...locking down port 25 outbound from the client would cure most of the bots out there (though not all - some jackass could set up a couple of open relays to listen on port {something-else} to then send the spam along from places where port 25 is wide open outbound. Then again, it ups the bar a bit, which isn't a bad thing either)...

Keep the port open for business commercial clients using T-1 or bigger (or who can at least demonstrate that they have an IT department), and (please!) allow it to be opened upon request by the customer w/o extra charge if he/she can demonstrably articulate on the phone that "yes, I'm setting up my own MTA here for (testing stuff / personal use / etc)".

'course, an ISP requiring clients to use IMAP w/ SSL would really rock, but I'm just dreaming by now...

/P

Re:your specific idea sounds damned good to me (2, Informative)

fifedrum (611338) | more than 6 years ago | (#17753142)

I work for an email hosting company and our standard with ISP customers is they use IMAP or SMTP auth, worst case, POP before SMTP. It's amazing how much spam is blocked going from an open relay for an ISP to authenticated-only.

spambots are bad, but my biggest problem is with fraudsters, both 419ers and standard credit card fraud types.

These sleazebags cause more trouble than the bots, and it's illegal to kill them. I'm not sure why they cause more trouble, they send out less email than the bots, perhaps the scammer's email is better targeted to real people, as opposed to directory harvesting type attacks.

Anyway, definitely agree with you there, smtp auth, imap or whatever, all piped through SSL or nothing at all.

For those keeping track at home (1, Insightful)

Anonymous Coward | more than 6 years ago | (#17752994)

ISP traffic analysis blocking spam = good
ISP traffic analysis blocking torrents = bad

Re:For those keeping track at home (2, Insightful)

Miseph (979059) | more than 6 years ago | (#17753970)

Makes sense, since:

spam = bad
torrents != bad

Anyway, you're comparing apples to socket wrenches... Torrent is a file transfer protocol which can be used legitimately. Spam is a specific abuse of the various e-mail protocols, and by definition cannot have any legitimate use. For your comparison to make sense, it would either have to be between using torrent to distribute virii and spam, or between torrent and SMTP/etc. traffic.

Re:sounds good to me (1)

ronanbear (924575) | more than 6 years ago | (#17753028)

Or examining patterns might be a less resource hungry way to look for spam. Anything that does get flagged can be assessed in more detail. The more mail you send the more it gets checked to see if it's spam. Most people send valid bulk email (where they send it) to similar lists of people. That's easy to block using blacklists if a spammer tries the same method. But if you're sending 100s of messages to different people and it's a different 100 people and a large number of them are invalid addresses then it's something that's much more indicative of suspected spamming. btw I think there are several problems with the idea of blocking someone's email ports and then sending them an email telling them that they have a problem with their email. For one thing people shouldn't mightn't read unsolicited emails telling them to do something that they don't understand. Spammers do the same thing.
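The traffic-only signals raised in the comments above (the 100-messages-per-30-minutes limit, how many recipients are new to the sender, and how many addresses are invalid) can be combined into one per-source score. This is an added example, not code from the thread and not HexView's STP algorithm; the weights, cut-offs, class name and sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 30 * 60            # seconds; the 30-minute span quoted in the thread
VOLUME_LIMIT = 100          # messages per window quoted in the thread
MIN_SAMPLES = 20            # assumption: below this, ratios are mostly noise
INVALID_SATURATION = 0.25   # assumption: 25% rejected recipients is the maximum signal
W_VOLUME, W_NOVELTY, W_INVALID = 0.30, 0.35, 0.35   # assumed weights
THROTTLE, BLOCK = 0.5, 0.8                          # assumed cut-offs

# Constructed sources (documentation address ranges).
LIST_HOST, BURST_BOT = "192.0.2.10", "198.51.100.7"
SLOW_BOT, CUSTOMER = "203.0.113.5", "192.0.2.99"


class TrafficScorer:
    """Scores a sending host from envelope metadata only, never message bodies."""

    def __init__(self):
        self.events = defaultdict(deque)  # source -> (ts, is_new_rcpt, accepted)
        self.seen = defaultdict(set)      # source -> every recipient mailed so far

    def record(self, ts, source, recipient, accepted):
        """Log one RCPT TO; accepted is False when the address was rejected."""
        rcpt = recipient.lower()
        is_new = rcpt not in self.seen[source]
        self.seen[source].add(rcpt)
        self.events[source].append((ts, is_new, accepted))

    def _window(self, source, now):
        """Drop events older than the window and return what is left."""
        q = self.events[source]
        while q and q[0][0] <= now - WINDOW:
            q.popleft()
        return q

    def window_count(self, source, now):
        return len(self._window(source, now))

    def score(self, source, now):
        """0.0 (looks normal) to 1.0 (looks like a spam source)."""
        q = self._window(source, now)
        n = len(q)
        if n == 0:
            return 0.0
        volume = min(1.0, n / VOLUME_LIMIT)
        novelty = sum(1 for _, is_new, _ in q if is_new) / n
        rejected = sum(1 for _, _, ok in q if not ok) / n
        invalid = min(1.0, rejected / INVALID_SATURATION)
        # A handful of messages says little, so scale the ratio signals down.
        confidence = min(1.0, n / MIN_SAMPLES)
        total = W_VOLUME * volume + confidence * (
            W_NOVELTY * novelty + W_INVALID * invalid)
        return round(total, 3)

    def verdict(self, source, now):
        s = self.score(source, now)
        if s >= BLOCK:
            return "block"
        if s >= THROTTLE:
            return "throttle"
        return "accept"


def build_sample():
    """Constructed traffic: a list server, two bots and an ordinary customer."""
    s = TrafficScorer()
    day = 86400
    # History from one day earlier: the list host and customer have regulars.
    for i in range(150):
        s.record(i, LIST_HOST, f"sub{i}@example.org", True)
    for name in ("ann", "bob", "cat"):
        s.record(0, CUSTOMER, f"{name}@example.com", True)
    # Current window. List host mails the same 150 subscribers again.
    for i in range(150):
        s.record(day + i, LIST_HOST, f"sub{i}@example.org", True)
    # Burst bot: 300 never-seen recipients, one in three rejected as invalid.
    for i in range(300):
        s.record(day + i, BURST_BOT, f"u{i}@example.net", i % 3 != 0)
    # Slow bot: stays under the volume limit but has the same recipient pattern.
    for i in range(60):
        s.record(day + 10 * i, SLOW_BOT, f"v{i}@example.net", i % 3 != 0)
    # Customer: three regulars, one new contact, one mistyped address.
    mails = [("ann", True), ("bob", True), ("cat", True),
             ("dan", True), ("evee", False)]
    for i, (name, ok) in enumerate(mails):
        s.record(day + 60 * i, CUSTOMER, f"{name}@example.com", ok)
    return s, day + 600


if __name__ == "__main__":
    scorer, now = build_sample()
    for src in (LIST_HOST, BURST_BOT, SLOW_BOT, CUSTOMER):
        print(src, scorer.window_count(src, now),
              scorer.score(src, now), scorer.verdict(src, now))
```

On this sample a plain volume limit flags the list server (150 messages) and misses the slow bot (60 messages), while the combined score does the reverse. A list host with no history would still score as all-new recipients on its first run.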

Has been done for a long time. (5, Interesting)

MadTinfoilHatter (940931) | more than 6 years ago | (#17753212)

My (previous) ISP did this several years ago. I found out when I was making a computer for a friend. At the time (this was a few years ago) I didn't yet know just how quickly an unprotected windows-box is owned by viruses. I thought I'd be okay for the time it takes to download a firewall. 20 seconds later I got a popup that I recognized as an infection, so I shut down the machine, and tried to get the firewall / AV-software with my other machine instead - only to be greeted by a screen where my ISP informs me that "By the look of your outgoing traffic, it would seem that your machine has been turned into a spam-bot by a virus, and your account will be automatically unblocked 1 hour after the suspicious traffic stops." This was followed by some generic instructions for virus removal.

Re:Has been done for a long time. (1)

kenb215 (984963) | more than 6 years ago | (#17753648)

What ISP did you use?

Re:sounds good to me (4, Insightful)

kripkenstein (913150) | more than 6 years ago | (#17753688)

Sounds good? Don't major email providers already do something like this? What else are Google doing when lots of people click on "This is Spam" for a particular email - surely they notice such things? The same should be true of email traffic patterns. Yet, perhaps some minor detail in TFA is the new bit. Obviously any improvement in this area is welcome.

While this will not stop spam, it will be reduced dramatically. The STP value of a spam source will grow proportionally to the number of junk messages sent. The first several thousands emails will get to unlucky recipients when spamming starts, but the rest hundreds of thousands will not.

Actually, webmail can do one better: if a message is marked as spam at some point in time, the system can retroactively remove it from the Inboxes of the 'first few thousand unlucky recipients' (or mark it 'this may be spam', gray it out, etc., at the least). I don't know of anyone doing this, but I wish they would.

This is painfully obvious and hopelessly naive but (3, Interesting)

Recovering Hater (833107) | more than 6 years ago | (#17752510)

I am going to say it anyway. Why can't people stop responding to spam in the first place? Is it too much to ask? If spammers made absolutely zero dollars for their efforts would they stop? Will underdog be able to escape from the burning rubble in time? Tune in next week to find out in our next exciting adventure!

Re:This is painfully obvious and hopelessly naive (5, Funny)

jimicus (737525) | more than 6 years ago | (#17752554)

As soon as you've found a way to get that message through effectively to 100% of the population, do let us know.

Re:This is painfully obvious and hopelessly naive (5, Funny)

Grey Ninja (739021) | more than 6 years ago | (#17752736)

We could try mass mailing them. I've had some success with that in the past. =)

Re:This is painfully obvious and hopelessly naive (4, Interesting)

Pontus_Pih (1055656) | more than 6 years ago | (#17752818)

I was going to say... What would happen if we all started replying with the same auto generated mails? How would the spammers tell the difference from legit spam replies?

No! (3, Funny)

Penguinisto (415985) | more than 6 years ago | (#17753044)

We have enough problems with idiots who leave all their backscatter-inducing defaults on @ their mail servers - coupled with the common joe-jobs, it would quickly turn the Internet into a gelatinous mass choked with bounces.

Thx in advance,

/P

Re:This is painfully obvious and hopelessly naive (1)

Tim C (15259) | more than 6 years ago | (#17753214)

What would happen if we all started replying with the same auto generated mails?

The time it takes me to deal with the 2000+ spams I get each day would increase unmanageably?

Re:This is painfully obvious and hopelessly naive (1)

hackstraw (262471) | more than 6 years ago | (#17753292)

I was going to say... What would happen if we all started replying with the same auto generated mails? How would the spammers tell the difference from legit spam replies?

That too has been implemented. It's an invited DDOS attack on the spammer. I love it :)

Regarding the article, this is no big deal. Blacklists, whitelists, and greylists already exist. There is no additional market value with those techniques to eliminate spam.

Re:This is painfully obvious and hopelessly naive (1)

Ambidisastrous (964023) | more than 6 years ago | (#17753456)

I was going to say...What would happen if we all started replying with the same auto generated mails? How would the spammers tell the difference from legit spam replies?

Sure, it'd be pretty tedious to do that by hand, but if we automated [wikipedia.org] the process somehow...

Oh, wait [securityfocus.com] .

I imagine that if you ran a script by yourself, your e-mail address would be targeted as belonging to a valid sucker, and passed around on lists, so you'd be spammed even more. The efforts of a scrappy community of geeks are no match for the millions of pwned PCs around the world.

Re:This is painfully obvious and hopelessly naive (1)

AndroidCat (229562) | more than 6 years ago | (#17753124)

And don't worry, it's not spam because... [rhyolite.com] (Pick one or many)

Re:This is painfully obvious and hopelessly naive (1)

jonadab (583620) | more than 6 years ago | (#17753854)

Or we could make doing business with a spammer a felony, with a minimum sentence of 15000 hours of community service working for spam-fighting organizations.

Re:This is painfully obvious and hopelessly naive (0)

Anonymous Coward | more than 6 years ago | (#17752840)

As soon as you've found a way to get that message through effectively to 100% of the population, do let us know.

Send out a spam saying you can enlarge the recipient's penis. When the link is clicked, it should go to a website that plays audio screaming at the person for being an idiot. A big flashing red message would be good too. Not everyone will get the message, but everyone that needs it will.

I'll never stop (5, Funny)

diskofish (1037768) | more than 6 years ago | (#17752574)

Where else would I get my Viagra from?

Re:I'll never stop (4, Funny)

El_Muerte_TDS (592157) | more than 6 years ago | (#17754098)

You shouldn't. Impotence is nature's signal that you are not fit for reproduction. Your reproduction will only result in more people responding to spam, which is of course a bad thing.

So do the world a favor... please...

Re:This is painfully obvious and hopelessly naive (2, Insightful)

stavrosg (893274) | more than 6 years ago | (#17752698)

I am going to say it anyway. Why can't people stop responding to spam in the first place? Is it too much to ask?

People will stop buying from spam when they stop forwarding every hoax or urban legend they receive through their company e-mail to everybody else on their address book.

When someone finds a way to do it, please ping me.

Re:This is painfully obvious and hopelessly naive (1)

Daniel_Staal (609844) | more than 6 years ago | (#17753544)

Easy, first you start a nuclear war...

...Then once all the humans are dead, there will be no more spam problem. Except for the kind in cans. Those will last forever.

Re:This is painfully obvious and hopelessly naive (1)

Archangel Michael (180766) | more than 6 years ago | (#17753566)

I know of a way, but it is distasteful to too many people.

Death

Re:This is painfully obvious and hopelessly naive (4, Insightful)

the dark hero (971268) | more than 6 years ago | (#17752706)

That's the problem. This world is full of stupid people. They might not make money off of most people the spam gets to, but if you cast a big enough net you're bound to catch something (including some dolphins). Millions of pennies still add up to thousands of dollars.

Re:This is painfully obvious and hopelessly naive (4, Insightful)

KKlaus (1012919) | more than 6 years ago | (#17752932)

Complaining that people are frequently bad decision makers is usually not worthwhile. Much better to recognize the truth that they are, and then work to try and take the decisions out of their hands.

It's similar to a pretty interesting conceptual innovation in medicine, when people realized that even excellent doctors will at some point make grossly negligent mistakes simply due to the sheer amount of work they do (i.e. operating on people with paralytics but not analgesics). So the innovation is to make them make fewer decisions - machines that check settings before running, labels that a four year old could understand, arrows and other reminders liberally applied.

So similarly here, yes it's annoying that people continue to "fund" spammers, but education is not the answer. Because, unfortunately, the spammer's target market of "everyone in the world" will always contain enough people to make their trade profitable if all we rely on is good decision making on the parts of spam recipients. So the solution has to be technical or legal. And in that regard, another small step for man here.

Re:This is painfully obvious and hopelessly naive (0, Offtopic)

TheMeuge (645043) | more than 6 years ago | (#17753464)

Oh how I wish I hadn't spent my mod points yesterday. Please mod parent up for a very insightful comment.

Even if no one ever responds, it won't stop (4, Insightful)

MarkusQ (450076) | more than 6 years ago | (#17753178)

Even if no one ever responds, it won't stop as long as the people paying to have it sent think it works. It's like burning candles to St. Balderdash for scam marketing morons. As long as there is a steady supply of rubes who think that sending spam is their road to riches, and are willing to pay some brighter but no more honest spam lord to send their dreck to a bazillion hapless victims for them, spam will continue to flow.

This is true even if no one ever responds to, falls for, or even opens a spam message ever again.

--MarkusQ

Re:This is painfully obvious and hopelessly naive (3, Interesting)

cdrguru (88047) | more than 6 years ago | (#17753288)

The money in spam isn't from people buying stuff - it is from the silly advertiser thinking they can send their ads to millions of people for $1000. They do this and get a report back that says only 0.8% of the people opened the email.

The spam-sending organization then shows them that they need to revise their message with a better subject line so more people opened the email. Another $1000 and more spam is sent, this time 0.7% of the people open the email.

Continue this until the advertiser runs out of money. If you have enough contracts for sending spam it matters not a whit if anyone buys the stuff at all. It is only important that people pay for it to be sent.

Re:This is painfully obvious and hopelessly naive (1)

jcr (53032) | more than 6 years ago | (#17753394)

Why can't people stop responding to spam in the first place?

Get back to us when you convince enough newbs to do that. The reason spam persists is because there are enough idiots to make spamming pay off, even if nearly everyone ignores it.

-jcr

Spam is desensitizing people for other reasons (1)

scottsk (781208) | more than 6 years ago | (#17753446)

No one cares if anyone responds to spam or not. Spammers are the lowest of the low on the food chain. What people who peddle immorality want is a steady stream of junk mail coming into your inbox hour after hour, day after day, and year after year. Eventually, it's going to weaken you - being exposed to all the viagra, penny stock, erase your credit without paying, etc etc etc - pretty soon you'll think this stuff is normal, and when you have to make a moral decision someplace else (someplace more profitable, I might add) this has to play some role in weakening you to think this stuff is normal. You'll be more likely to make a bad moral decision, and they'll profit from it. So the vast web of affiliate programs, spammers, botnets, etc is a low-cost investment for the real sleaze merchants and criminals. You can entice someone else to spam as an affiliate. They hire a botnet. Etc. The real people who profit from spam don't touch it, as is usual for this sort of thing.

Re:This is painfully obvious and hopelessly naive (2, Insightful)

bcrowell (177657) | more than 6 years ago | (#17753732)

Why can't people stop responding to spam in the first place? [...] If spammers made absolutely zero dollars for their efforts would they stop?

First off, if people stopped responding to spam, it wouldn't have any effect on phishing spam, since phishing is based on tricking the user into thinking it's legitimate mail rather than spam. Also, once you have control over an army of zombies, the incremental cost of sending one spam is zero. Even if the spammer thinks he's unlikely to make any money at all by sending out spam, he's already set up to do it, so why not? If even one person in ten million clicks on a spam accidentally because his cat walked across his desk, that makes it worth it to the spammer to have sent out the other 9,999,999 spams. Look at all the bayes-poisoning spams we get, with no link to click on; the spammers know they aren't going to profit from those, but they send them anyway, because it's free. And finally, there are a lot of other things you can do with a network of zombies. For instance, you can carry out extortion schemes by threatening DDOS attacks. The basic problems are (1) poor security of Windows, and (2) the fact that the e-mail protocols were designed before the internet existed, in an era when you knew everybody who was on your network.

unlikely indicators (4, Insightful)

Speare (84249) | more than 6 years ago | (#17752578)

I think the question raises an interesting point: spams *behave* differently on the network than most legitimate emails. It may not be a perfect discriminator, but it sure might be a corroborative scoring aid. This reminded me of the controversy when Slashdot started using text compressibility as a metric for "lameness." I was a disbeliever, and still have my reservations about it, but as a part of the overall toolbox for filtering lameness, the technique seems to have value.

And yet likely... (1)

paladinwannabe2 (889776) | more than 6 years ago | (#17752772)

Bayesian filters sometimes find weird words to do filtering on. Obviously there is 'Viagra' and 'Manhood' but there are also words like 'Republic' that have very high correlations with phishing spam- because any email that is from the 'Democratic People's Republic of $Country' is likely to be as bogus as the country's name. If a country needs to add 'Democratic' or 'Republic' to its name, you know something's wrong.

In a similar way, any easily compressed text (like boing
boing
boing
boing
boing
boing
) is most likely someone hitting cut and paste over and over again. AND I THINK WE CAN AGREE THAT TALKING IN ALL CAPS /-\|\||) |_33+ |5 |_/-\|V|3.

Re:And yet likely... (3, Insightful)

Zocalo (252965) | more than 6 years ago | (#17753104)

because any email that is from the 'Democratic People's Republic of $Country' is likely to be as bogus as the country's name. If a country needs to add 'Democratic' or 'Republic' to its name, you know something's wrong

  • Central African Republic
  • Czech Republic
  • Democratic Republic of the Congo
  • Dominican Republic
  • Former Yugoslav Republic of Macedonia
And that's just the common names and not the official ones like "Republic of Ireland". Given that this is precisely the kind of verbose terminology that you would find in a genuine official email from a government body in such a country, I don't think that's going to be suitable for anything other than a minor nudge towards spamminess.

Places you don't want to be (2, Insightful)

paladinwannabe2 (889776) | more than 6 years ago | (#17753628)

Democratic Republic of the Congo- Welcome to the land of warlords, genocide, and more genocide.
Central African Republic- Less than half the genocide of its neighbor in the Congo.
Dominican and Czech Republics, and Macedonia- actual democracies.

So two of your five examples help prove my point- and when you start stacking adjectives together- like 'People's Democratic Republic of Korea' you know you've got one of the worst places to live on Earth.

Also, why on earth would you get an 'official government email' from someone in these countries? That's less likely than you being a Viagra dealer and have Viagra mentioned correctly in your email. That's also why different people will have different spam filters for their mail- if I worked with the Republic of Ireland or was a professor of Greek history I would probably see the word 'Republic' in legitimate email.

Re:And yet likely... (1)

bscanl (79871) | more than 6 years ago | (#17753658)

Totally OT: "Republic of Ireland" is not a country. Éire, or Ireland, is the name of the country you are thinking of. "Republic of Ireland" is a description of Éire, or Ireland, as per the Republic of Ireland Act 1949.

Dangerous (0)

Anonymous Coward | more than 6 years ago | (#17752580)

Spammers could reduce the trust in this system by reporting false traffic from legitimate servers, especially as long as the participation is still low. Instead of having to trust the source, you now have to trust intermediates. In order for this to work, intermediates would have to be selected carefully.

greylisting works (2, Insightful)

grub (11606) | more than 6 years ago | (#17752606)


OpenBSD's greylisting [openbsd.org] in spamd works wonders.

Re:greylisting works (1)

ivan256 (17499) | more than 6 years ago | (#17752662)

Greylisting is great and all, but I'm left wondering what OpenBSD has to do with it... Can you name a single operating system that can run an MTA that can't do greylisting?

I didn't think so.

Re:greylisting works (1)

grub (11606) | more than 6 years ago | (#17752734)


Greylisting is great and all, but I'm left wondering what OpenBSD has to do with it... Can you name a single operating system that can run an MTA that can't do greylisting?

Durr... This isn't on the MTA, this runs on the firewall or gateway before the spam touches your MTA. It saves your MTA from having to deal with this crap before it ever touches it.

Re:greylisting works (1)

ivan256 (17499) | more than 6 years ago | (#17752842)

I read the docs, and I still don't see how it's any different than the greylisting daemons (written in a variety of languages, and some probably sharing code with this one) that run on Linux or Windows.

The problem with this (5, Insightful)

wiredog (43288) | more than 6 years ago | (#17752630)

Mailing lists. How does it not tag a server that sends out mail to a list as a spammer?

Re:The problem with this (1)

crossmr (957846) | more than 6 years ago | (#17753656)

I'm betting the average bit of spam sent out doesn't have anything on 99.9999999999% of mailing lists out there. Anyone with a mailing list which would approach the levels of spam one would expect from a compromised computer can speak with their ISP and give them the details to get an exemption.

Re:The problem with this (1)

gmuslera (3436) | more than 6 years ago | (#17753946)

Mailing lists are a problem, but they are something that could have a sustained ratio of sent mails and, maybe more important, a sustained ratio of received mails; if you count mails coming from and going to that host, it can lower the score, as the mix of both traffics can hint at a mailing list server there.

But what about announcement lists? You know, you sign up at a site, company, etc., and want to receive a mail when something big changes, a new product, whatever. Those are usually unidirectional, target a lot of people, and happen once in a while, very much like spam, if you look only at the traffic there.

Greylisting (1, Informative)

Daemonstar (84116) | more than 6 years ago | (#17752648)

This is similar to greylisting [greylisting.org] that has been around for a bit.

Greylisting is a simple method of defending electronic mail users against e-mail spam. In short, a mail transfer agent which uses greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again to send it later, at which time the destination will accept it. If the mail is from a spammer, it will probably not be retried, however, even spam sources which re-transmit later will be more likely to be listed in DNSBLs and distributed signature systems such as Vipul's Razor. Greylisting requires little configuration and modest resources. It is designed as a complement to existing defenses against spam, and not as a replacement.

Re:Greylisting (1, Interesting)

Anonymous Coward | more than 6 years ago | (#17752754)

No it's not similar. Greylisting works by exploiting that most spam-MTAs aren't RFC-compliant and don't retry after temporary errors. Greylisting will certainly be worked around. Legitimate MTAs can get around it. The fact that many spam-MTAs currently can't is a fixable bug.

The proposed method looks at traffic patterns to find and block spammy MTAs. It does not rely on bugs in the MTAs.

Re:Greylisting (1)

Gary W. Longsine (124661) | more than 6 years ago | (#17753176)

No, greylisting can be applied to RFC-compliant MTAs as well.

Re:Greylisting (1)

Daemonstar (84116) | more than 6 years ago | (#17753202)

*sigh* I'll bend my rule of not responding to AC's this time, because you obviously do not understand the reasoning behind greylisting; it has nothing to do with "buggy MTA's", but with intentional misconfiguration (taken from the TAMU website):

According to the internet specification, when a mail server receives a "400-level" error, it must queue the e-mail message and try later to deliver it. For legitimate e-mail, this process is standard and mandatory. Properly configured mail servers will redeliver their messages appropriately and greylisting should not represent a delivery challenge to them. Because SPAMmers send hundreds of thousands of e-mails per day to addresses they do not know to be working, they generate a large number of bounced messages. Acknowledging server responses for these messages, storing the messages on a server for some period of time, and redelivering them again represents for SPAMmers a resource-intensive process that might very well not return sales of their products or services. As a result, they intentionally misconfigure their mail servers. By requiring that every incoming e-mail message to the University originate from a properly configured mail server, most SPAM is filtered.

Of course greylisting can be worked around, but doing so puts a resource hit on the sending mail server; the bigger the hit, the slower it can send out SPAM. As for the receiving mail server, the greylisting service doesn't run on the MTA, but on the MX farm for the domain. Legitimate mail is then forwarded to the domain's MTA.

In the realm of similarity, slowlists [slowlists.org] are also an option.
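The greylisting behaviour described in the two comments above (temporary rejection of unknown senders, acceptance when the sending server queues and retries) as an added example, not code from the thread, from spamd or from any greylisting product. Keying on the (client IP, envelope sender, envelope recipient) triplet, the 451 reply code, the timer values and all addresses are assumptions taken from common greylisting practice.

```python
from dataclasses import dataclass
from typing import Optional

MIN_DELAY = 5 * 60               # assumed: retries sooner than this are refused
RETRY_WINDOW = 4 * 3600          # assumed: a retry must arrive within this time
PASS_LIFETIME = 36 * 24 * 3600   # assumed: how long a passed triplet stays known


@dataclass
class Entry:
    first_seen: float
    passed_at: Optional[float] = None   # set once a valid retry was accepted


class Greylist:
    """Decides on envelope data only; the message body is never looked at."""

    def __init__(self):
        self.entries = {}

    def check(self, now, client_ip, mail_from, rcpt_to):
        """Return (smtp_code, reason) for one delivery attempt at time now."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        entry = self.entries.get(key)

        # Triplet already passed once: accept immediately and refresh it.
        if entry is not None and entry.passed_at is not None:
            if now - entry.passed_at <= PASS_LIFETIME:
                entry.passed_at = now
                return 250, "known triplet"
            entry = None   # pass expired, start over

        # Unknown triplet, or the retry came too late: (re)start the clock.
        if entry is None or now - entry.first_seen > RETRY_WINDOW:
            self.entries[key] = Entry(first_seen=now)
            return 451, "greylisted, try again later"

        # Hammering retries do not count; the sender has to actually queue.
        if now - entry.first_seen < MIN_DELAY:
            return 451, "retry too soon"

        entry.passed_at = now
        return 250, "retry accepted"


def deliver(greylist, start, triplet, retry_offsets):
    """Simulate one sender: first attempt at start, then retries at the given
    offsets in seconds. Returns [(offset, smtp_code), ...] and stops at the
    first 250."""
    log = []
    for offset in [0] + list(retry_offsets):
        code, _ = greylist.check(start + offset, *triplet)
        log.append((offset, code))
        if code == 250:
            break
    return log


# Constructed envelopes (documentation address ranges and example domains).
FIRE_AND_FORGET = ("198.51.100.7", "offer@example.net", "user@example.com")
QUEUING_MTA = ("192.0.2.25", "list@example.org", "user@example.com")
LATE_RETRY = ("192.0.2.26", "slow@example.org", "user@example.com")
RETRYING_SPAMMER = ("203.0.113.5", "offer@example.net", "user@example.com")

if __name__ == "__main__":
    gl = Greylist()
    print("no retry:      ", deliver(gl, 0, FIRE_AND_FORGET, []))
    print("queues+retries:", deliver(gl, 0, QUEUING_MTA, [60, 900, 3600]))
    print("next message:  ", gl.check(5000, *QUEUING_MTA))
    print("retry too late:", deliver(gl, 0, LATE_RETRY, [5 * 3600]))
    print("spammer retries", deliver(gl, 0, RETRYING_SPAMMER, [600]))
```

The last case is the objection raised in the replies: a spam source that queues and retries passes exactly like a legitimate MTA, so the check only costs it time and storage.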

Re:Greylisting (0)

Anonymous Coward | more than 6 years ago | (#17753504)

As a result, they intentionally misconfigure their mail servers.

...and thus make them non-compliant with the applicable RFCs. If greylisting becomes a problem for spammers, it will be worked around. The spammers handle gigabyte-sized lists of email addresses with ease. What makes you think they can't remember what messages to retry if they have to?

request (3, Funny)

illuminatedwax (537131) | more than 6 years ago | (#17752700)

please put obligatory Standard Spam Form joke below here please

we've got to keep this place organized

As you wish (1)

Kadin2048 (468275) | more than 6 years ago | (#17752988)

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(X) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
(X) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:request (0)

Anonymous Coward | more than 6 years ago | (#17753702)

It's not a joke. Ok, maybe the idea of responding to technical proposals with a form letter can be considered humorous, but the actual points in the form letter are valid and it is usually filled out pretty much correctly. Spam is a difficult problem, there is an ongoing flow of half-baked proposals, and most proposals fail in a number of common ways. If the proponents can't be bothered considering the common failure modes, why should the respondent take more trouble than filling out a standard form?

An interesting approach (1)

APOLAUF (925223) | more than 6 years ago | (#17752742)

I believe that this is a very viable approach. I am currently doing research on intelligent intrusion detection systems (not based on traffic analysis), and while SPAM and IDS don't seem awfully related, both traditional traffic-based IDSs and STP utilize data traffic analysis methods to identify potential problems. That being said, I think that the traffic analysis should be used only in combination with existing spam control and heuristics; it's a complex and multi-faceted problem and thus requires several fronts to combat it.

Yes and no - but a suggestion... (2, Insightful)

Penguinisto (415985) | more than 6 years ago | (#17752744)

I like the idea of gathering and using statistics on traffic patterns, but what they're looking for in many cases can be too easily defeated (e.g. "Junk messages are small"... now we get to watch MTA's spend more time trying to sort spam messages packed to the gills w/ random ASCII, necessitating a look through the message body all over again).

OTOH, As part of a larger array of spam-fighting tools, okay - there's bits in there I actually like and which can be used as part of other solutions, if not used in the way suggested. As someone who runs a couple of MTA's on top of everything else I do around here, I always like to find new and interesting ways of stopping spam.

N.B., all that I ask is this: Please make it useful w/o sucking down resources or requisitioning another server. I detest external RBL's - please don't suggest anything that may have an overly-subjective and/or an overly-dependent basis like that. If it isn't RFC-compliant (yes, Verizon, I'm talking to YOU when I say that!), I won't go near it.

Satisfy those, and yes, I'm interested, as would lots of other SMTP-monkeys out here.

/P

Obligatory (4, Funny)

teslar (706653) | more than 6 years ago | (#17752748)

Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re: spam-solution-ridicule template REJECTED (-1, Troll)

Anonymous Coward | more than 6 years ago | (#17752942)

(x) Mailing lists and other legitimate email uses would be affected


One small problem: Mailing lists ARE spam, even if you signed up for them.
Perhaps you didn't get that memo?

Here at Slashdot, we do not care about mailing lists or people that choose to be on them. Therefore, your spam-solution-ridicule template submission has been rejected. Please resubmit the form with something we care about.

Signed,
the peanut gallery

OPPOTUNITY. == DISCRETION REQUIRED == (5, Funny)

Anonymous Coward | more than 6 years ago | (#17752790)

SIR,

OUR TECHNOLOGY DEPARTMENT HAS COME UP WITH A GREAT OPPUTUNITY TO STOP ALL YOUR SPAM. THIS TECHNOLOGY IS CALLED source Trust Prediction (STP). IT WORKS BASED ON identifying patterns and trends in real time AND IN THIS WAY PREVENT SPAM. HOWEVER TO MAKE PROFIT FROM THIS NEW TECHNOLOGYY WE NEED TO DO A PATENT APPLICATION. YOUR NAME CAME FORWARD AS AN EXCELLENT INVESTOR FOR THIS. WITH THE CURRENT RISE OF SPAM THIS TECH WILL BE REQUIRED QUICKLY BY A LOT OF PEOPLE.

I am only contacting you as a foreigner, I will use my influence to
effect legal approvals and onward transfer into your account At the
conclusion of this business, you will be given 50% of the total
PROFITS, 50% will be for me and my family AFTER DEDUCTION OF THE PATENT COSTS
. I await to hear from you.

Yours truly,

Mr.Barry Leoard.

FNB OF SOUTH AFRICA
THIS
IS MY PRIVATE EMAIL ADDRESS, YOU CAN SEND YOUR REPLY HERE:-
barryleonard@walla.com

Re:OPPOTUNITY. == DISCRETION REQUIRED == (3, Funny)

Archangel Michael (180766) | more than 6 years ago | (#17753652)

Source Trust Detection (STD)

There, fixed your spelling ...

Dead on the money. (1)

WindBourne (631190) | more than 6 years ago | (#17752792)

3 years ago, I was working developing some software for sale to the feds and commercial world. For the commercial world, I proposed the same idea. The only way to stop spam is have cooperating servers. More importantly, they need to have a lot of servers where fake addresses can be sent to. Load these into outlook and let the spammers harvest them. Now, you have a decent service that can be offered for free or sold.

Obligatory spam solution post (-1, Redundant)

Southpaw018 (793465) | more than 6 years ago | (#17752802)

Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Obligatory spam solution post (1)

Southpaw018 (793465) | more than 6 years ago | (#17752824)

Damn, got beat to it. Sorry for the redundant spammy post!

The efficiency of throttling (1)

kalpaha (667921) | more than 6 years ago | (#17752854)

I guess it makes sense to throttle the connection: it will do no harm to legitimate email (I mean, it's not like it would really matter if the delivery takes 10 seconds or 50 seconds), but would seriously hamper the sending of millions of messages. That way, it wouldn't really matter if it gets some false positives, unlike with methods where the message is removed if it's deemed spam.

Problem (1)

Billosaur (927319) | more than 6 years ago | (#17752860)

What about legitimate mass marketers. The company I work for contracts with advertisers to send out bulk mailings to our opted-in users. Now, we don't spit out emails by the millions, but we certainly do send out large chunks of emails from a common source. Is this kind of thing going to interfere with legitimate mailings to opted-in customers?

Re:Problem (1)

radja (58949) | more than 6 years ago | (#17753082)

probably, but since the use of hexview's product is also opt-in, that's not a problem.

Acceptable loss. (1)

Kadin2048 (468275) | more than 6 years ago | (#17753126)

I'm not sure I care. Those "legitimate" "opt-in" lists tend to get reported by users as spam eventually anyway. Meaning even if they did originally 'opt in,' it's basically nothing but a nuisance eventually. (Usually people opt in, allegedly or actually, and then can't figure out how to opt out, or don't want to spend the effort to do so.) The effect is the same as spam, even if the intent isn't.

I would consider the elimination of commercial mass email a very small price to pay for the elimination of spam. In fact, I'd consider it a bonus.

Re:Problem (0, Troll)

cdrguru (88047) | more than 6 years ago | (#17753172)

You apparently don't get it. First rule of anti-spammers is "Spammers lie". The second rule is there is no such thing as a voluntary, opt-in managed mailing list that isn't just spam.

So, you say your business is legitimate. Obviously, you are lying. Spammers lie.

But your list is opt-in and only send legitimate email? Too bad, if someone gets it that forgot they signed up, it's spam. Therefore, you are a spammer.

While this technique might hold some value, it isn't going to counter the way spam is being sent today - not from a single source but from many, many sources.

Re:Problem (1)

Billosaur (927319) | more than 6 years ago | (#17753644)

We have a new world's record in the Jump to Conclusions!

Anybody got a "Troll" mod point to spare?

Re:Problem (1)

91degrees (207121) | more than 6 years ago | (#17753776)

You apparently don't get it. First rule of anti-spammers is "Spammers lie".

Yes. Spammers say they don't spam. Non-spammers say they don't spam. You're at a fork in the road with a spammer and a non-spammer...

The second rule is there is no such thing as a voluntary, opt-in managed mailing list that isn't just spam.

Sure there is. I'm subscribed to 5 of them. 3 from yahoo groups, and a couple of DVD shops that occasionally have decent special offers.

So, you say your business is legitimate. Obviously, you are lying. Spammers lie.

Why is this "obvious"?

But your list is opt-in and only send legitimate email? Too bad, if someone gets it that forgot they signed up, it's spam.

If the subscribers genuinely opted in, this "spam" would appear to benefit the subscribers as well as the sender. Why should everyone else suffer because one of the subscribers is incompetent?

Therefore, you are a spammer.

How so? He's sending solicited email.

Re:Problem (1)

ynohoo (234463) | more than 6 years ago | (#17753976)

What about legitimate mass marketers.

Don't be silly - they are all bastards.

Just because your business model is (currently) legal, does not make it defensible outside of a court of law. Around here, you are still vermin.

Ditto. Big mass marketers will benefit. (1)

giafly (926567) | more than 6 years ago | (#17754094)

This system relies on whitelisting to handle companies like yours. Hence you'll need to spend more on ISP relations. Big bulk-mailers can more easily afford this so they will gain at the expense of competitors.

BTW this system won't work because the author's assumptions are wrong. Botnet senders can easily afford all the following suggested countermeasures. I expect they'll carry on as normal. Then, if blocklisted, switch over to DDOSing the STP servers until the blocklisting is removed again.
How spammers can fight the STP server
1. By slowing down message rates for each source
2. By limiting the number of messages sent by each source
3. By feeding STP server with useless noise
4. By DoS-ing the STP server(s)

It's not snake oil, but... (4, Interesting)

popo (107611) | more than 6 years ago | (#17752882)

... and it's not dissimilar from greylisting from what I can tell, but I don't think it's going to be effective in the long term. Getting around this type of filter (or delay) seems relatively simple compared to the task of defeating the bayesian filters over the past couple years.

The lynchpin of greylisting is that legitimate mail will "try again" after being returned by the server, while spam will not. The conclusion (which we hope is true) is that any mail that is not re-sent was in fact spam. Never mind the danger that the assumption could be false and legitimate mail gets lost -- how long will it be before spammers simply "re try" their spam -- or worse -- just send everything twice?

As with any attempt to modify behavior electronically -- behavior usually wins.
 

Solution (1)

VincenzoRomano (881055) | more than 6 years ago | (#17752904)

The SMTP protocol is showing all its age and weakness. It has not been designed to cope with today's use.
First of all it lacks authentication and authorisation mechanisms. The various anti-spam, white/black/grey listing look more like workarounds than solutions.
Then you'd like to really know whether your message has been delivered or not and other nice details about the messages.
My personal feeling is that it's time now for a new messaging protocol.
SMTP is dead, long life to SMTP!

Re:Solution (1)

John Bayko (632961) | more than 6 years ago | (#17753598)

I see two possible replacements for email.

One is based on RSS (or similar, like Atom). Right now, RSS is used for what amounts to "mailing lists", by notifying the recipients there's something new, and they can pick up their copy - though it works by polling, no actual notification is sent.

One extremely important advantage of this is that you know exactly where the material is from.

I'm hoping that future versions will allow an RSS feed to be customised per user, which would basically amount to sender-hosted email, meaning a) the sender bears costs for the email, and b) the source cannot in any way be faked.

There are disadvantages, including the question of how someone can send you email for the first time. One solution is that you can "piggyback" on someone else's RSS feed for the first message (a common friend, or a well-known site like slashdot, or a blog site). This acts like an implicit filter, since you wouldn't have an RSS feed from someone you didn't trust enough to have some discretion to not spam you.

You'd no longer ask for someone's email address if you wanted to send them something, you'd give them your RSS feed.

The second scenario I see happening is based on "community sites" like MySpace or Livejournal. Most of these sites have features to let you know if someone else has a new blog post, to list friends or block enemies, various privacy levels, and so on. And among the younger users who are the target for these sites, many of them already think of email as old-fashioned (and useless because of spam), so their primary communication is through blogs and IM.

Right now, any email replacement would be limited to within a single "community", but I'd expect that at some point two or more (possibly smaller) sites would agree to exchange messages between them. If the protocol weren't open, some other site (or group) would come up with one that was. Once the exchange of messages (and friend information, etc.) became a feature attracting users, other sites would have to follow.

It would not be too much different from the growth of "OpenID", which is now used by several blog sites to identify users from outside their "community".

Once messaging is possible using a standard web protocol, it will gain the same functionality of email, but again with verified source and so no spam. It will be more centralised than an RSS type solution, but still work well enough to replace email.

I think one or the other is inevitable. Unfortunately I'm working on other things and can't try any of this myself, but maybe someone will.

Controlfreak Alarm!!! (0)

Anonymous Coward | more than 6 years ago | (#17752910)

FTA: "root cause of the problem: Internet messaging allows anyone to send as many messages as s/he wants."

Ahhh... another controlfreak who lost my interest after his first 1-2 sentences.

What about SenderBase? (3, Insightful)

NtroP (649992) | more than 6 years ago | (#17752912)

This isn't a new concept. Our mail gateways already participate in something like this with IronPort's [ironport.com] SenderBase [senderbase.org] reputation filtering. 90%+ of our incoming mail traffic is dropped based on poor reputation scores without looking at anything more than the sender's address. So far, we've never had a false-positive that we know of, and only once, after many customers were made a part of a bot-net and started spamming, did SenderBase throttle traffic to one of the local ISP's. A quick call to their mail admins pointing out the problem and they were able to block those customers from sending mail until they were cleaned up and the reputation score climbed back up again.

It has really taken the load off our mail servers by blocking millions of connections. The rest, we run through SpamAssassin and everything works great!

Re:What about SenderBase? (0)

Anonymous Coward | more than 6 years ago | (#17753134)

I was hoping someone would mention this. We are still in the process of migrating to a bunch of X1000s. So far we are impressed.

Re:What about SenderBase? (1)

ACMENEWSLLC (940904) | more than 6 years ago | (#17753600)

This was the general basis for the http://antispam.or.id/ [antispam.or.id] blocklist. It worked well for a while. I used it for a few years. But it's dead now. Long live spam.

I am curious... (2, Interesting)

localman (111171) | more than 6 years ago | (#17752918)

Are any of you people still living with spam? Do we really need another solution? I've found that a personally managed Bayesian filter is plenty good enough. I'm down from 700+ per day to 2-3 per day. I still dislike the fact that spam is out there, but I haven't actually had to deal with it in years. Has this not worked for other people? I mean, I do have to continue to feed the filter, but it's very little work. Nothing wrong with new ideas in the battle, but I thought that for anyone who cared it was already won.

Cheers.

Re:I am curious... (1)

Intron (870560) | more than 6 years ago | (#17753660)

Why do you think it "works" when your server has to scan and reject 700+ emails/day?

Personally, I think that email should have a button that you can press if you don't like the email that adds a 0.1V charge to the sending PC. If one person presses it, the charge won't be noticeable, but if 1,000,000 press it...

Re:I am curious... (1)

Torvaun (1040898) | more than 6 years ago | (#17753852)

Well, there's the consideration that even filtered spam takes up bandwidth. Then there's the question of how much time you actually spend dealing with spam, what with continuous filter tuning and all. Then there's the simple fact that this suggestion, as printed, involves alerting the owners of spambots, some of whom will clean their computers, and possibly learn halfway decent security measures.

I'm all for this.

this and other effective weapons (5, Interesting)

fifedrum (611338) | more than 6 years ago | (#17752992)

yes, traffic shaping is effective in determining the nature of connections

I work for a small email company; we process millions of emails an hour inbound, but only a few million a day outbound.

Our most effective filters are:

connect/HELO restrictions: you can only get email into the environment if your IP address resolves to a FQDN.

HELO restrictions: if you connect using X different HELO strings, you are blacklisted. Spambots often randomize the helos, this blocks those.

Spamassassin at the client side, filtering email into various folders based on the score.

antivirus server that filters the few viruses that make it in, and phishing is filtered too.

The problem? All this doesn't catch enough of the spam. We still have loads of CPU dedicated to filtering spam, but something like this technique at the border will help, and I'll predict (based on experience watching the traffic and spam filtering graphs) that we could cut spam another 30% just by watching the curves and tightening the restrictions during those peaks.
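The two connection-level rules in the comment above (reverse DNS must give an FQDN; too many different HELO strings from one IP gets it blacklisted), as an added example that is not part of the original post and not the poster's filter. The log format, the threshold standing in for "X", the window length and all names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

MAX_DISTINCT_HELO = 3   # the comment's "X" (value assumed for the example)
WINDOW = 3600           # assumed: only HELOs seen in the last hour count

# Made-up log format: "<epoch> connect ip=<addr> ptr=<name or -> helo=<string>"
LINE = re.compile(
    r"^(?P<ts>\d+) connect ip=(?P<ip>\S+) ptr=(?P<ptr>\S+) helo=(?P<helo>\S+)$")
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample: a normal MX, a host with no PTR, a bot that randomises
# its HELO, and a sender whose HELO changes slowly over several hours.
SAMPLE_LOG = """\
1000 connect ip=192.0.2.25 ptr=mx1.example.org helo=mx1.example.org
1010 connect ip=198.51.100.77 ptr=- helo=mail.example.com
1020 connect ip=203.0.113.9 ptr=dsl-9.isp.example helo=qwkzt.example
1030 connect ip=203.0.113.9 ptr=dsl-9.isp.example helo=mail.hbvre.example
1040 connect ip=192.0.2.25 ptr=mx1.example.org helo=MX1.EXAMPLE.ORG.
1050 connect ip=203.0.113.9 ptr=dsl-9.isp.example helo=smtp.ploin.example
1060 connect ip=203.0.113.9 ptr=dsl-9.isp.example helo=relay.aaxq.example
1070 connect ip=203.0.113.9 ptr=dsl-9.isp.example helo=qwkzt.example
1080 connect ip=192.0.2.40 ptr=out.example.net helo=out-a.example.net
2000 connect ip=192.0.2.40 ptr=out.example.net helo=out-b.example.net
3000 connect ip=192.0.2.40 ptr=out.example.net helo=out-c.example.net
9000 connect ip=192.0.2.40 ptr=out.example.net helo=out-d.example.net
"""


def is_fqdn(name):
    """True if the PTR result looks like host.domain, not '-' or a bare label."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def evaluate(log_text):
    """Return ([(ip, decision), ...], blacklist) for each parsed connection."""
    seen = defaultdict(dict)      # ip -> {normalised helo: last timestamp}
    blacklist = set()
    decisions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # skip lines that are not connect records
        ts, ip = int(m["ts"]), m["ip"]
        # HELO names are case-insensitive; a trailing dot is the same name.
        helo = m["helo"].lower().rstrip(".")
        if ip in blacklist:
            decisions.append((ip, "reject-blacklisted"))
            continue
        if not is_fqdn(m["ptr"]):
            decisions.append((ip, "reject-no-ptr"))
            continue
        helos = seen[ip]
        helos[helo] = ts
        # Forget HELO strings older than the window so slow, legitimate
        # changes (new outbound hosts behind one address) do not accumulate.
        for old in [h for h, t in helos.items() if ts - t > WINDOW]:
            del helos[old]
        if len(helos) > MAX_DISTINCT_HELO:
            blacklist.add(ip)
            decisions.append((ip, "reject-helo-churn"))
            continue
        decisions.append((ip, "accept"))
    return decisions, blacklist


if __name__ == "__main__":
    results, blocked = evaluate(SAMPLE_LOG)
    for ip, decision in results:
        print(f"{ip:15} {decision}")
    print("blacklist:", sorted(blocked))
```
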

Done that for 2 years now (0)

Anonymous Coward | more than 6 years ago | (#17753088)

I have been doing this or something very similar, for 2 years now. It works. I use a special Linux Bridge, kernel ip traffic linked to a Postgresql DB for statistical analysis and scalability. As I have said many times, you have to control Spam by parameters the Spammer can not control. And not by parameters which are in his/her control, like text, pictures...
 

Botnets? (1)

Jabrwock (985861) | more than 6 years ago | (#17753222)

This wouldn't really work against botnets, would it? Because of the fact that they are distributed, you wouldn't really have a source trust issue... Not one that would trip any warning flags, anyway.

I can see it though, be a handy tool to aid against regular spammers, perhaps in analysing traffic to assist in maintaining SBLs...

host a torrent site, need an island (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#17753410)

Hi,
  I host a torrent site, I'm a pirate and we are currently trying to Purchase our rightful motherland.
RRRRRR! if you send us money so we can get our motherland, we can guarantee you citizenship and we will transfer 9,000,000,000.00 sealand dollars to your account ASAP.

All they have to do is slow down. (1)

edunbar93 (141167) | more than 6 years ago | (#17753448)

And this applies to botnets... how, exactly? If you can infect just a million computers with your spam bot, then you can send a million messages an hour by sending *one* message an hour per host! With a billion plus hosts on the net, you need to infect less than 0.1% of them to make that happen. The number of vulnerable computers at any given moment in time is easily more than 20%.

But hey, for every complex problem...

Whitelists (1)

Doc Ruby (173196) | more than 6 years ago | (#17753580)

Everyone should prioritize their incoming email by who in their address book sent it, or it's unsolicited, probably commercial, email, "UCE", aka SPAM.

Won't really work (2, Insightful)

jerseyjim (312295) | more than 6 years ago | (#17753716)

I use a popular, public email service. My emails have been identified as spam at times. The reality is that everyone from the service uses the same IP email address. All it takes is one person from that service to send spam and all those using the service get flagged... so volume alone isn't a good indicator.

excuse to reduce investment in real solution (1)

scumbaguk (918201) | more than 6 years ago | (#17753810)

Unfortunately all this actually does is reduce costs for anti spam companies as they do not have to keep up with the growing levels of spam while consumers keep paying more for their service each year. I have seen this method in action and what it means is people who pay for an anti spam solution are sometimes getting legitimate emails days later than they should. This is due to the mails not actually being scanned for content just being put on the slow path because of the antispam providers' unwillingness to invest in a system which can cope with actually scanning the content. These tests have their place but I have seen them misused at many antispam providers and IMO it's not acceptable.

Would work if (1)

crossmr (957846) | more than 6 years ago | (#17753844)

We made everyone who had a mailing list which contacts more than 100 people "register" with their ISP. They don't have to disclose the recipients or the nature of the list, simply a "I will be sending out a mailing list to x amount of users everyday in addition to my personal usage." Any customer who spits out more than some reasonable number of e-mails (who knows, maybe 200 per day is sufficient for most home users even on the upper ends of e-mail usage) will find their ability to use the outbound server restricted until they contact the ISP. Spammers send massive amounts of e-mails. It would be easy to find a cut off number that would help distinguish between the home user and the user whose computer has been compromised. This probably wouldn't even be that hard of a solution for an ISP to implement and could be mostly automatic except for the entering of exceptions into the database. Spam is really in the hands of the ISPs and their unwillingness to hold their customers accountable. Were I an ISP, I'd keep an eye for any evidence that any of my customers' computers had been turned into a bot and require they fix the problem before they were allowed to use the services again. Sure they might go elsewhere, but if every ISP implemented the policy it would make the internet a vastly better place.

Openbsd spamd (1)

wondersparrow (685210) | more than 6 years ago | (#17753862)

Anyone ever looked at it? The concept is so simple it's amazing. I am not the most technical person, but here is my impression of how it works. A message comes in from a server that is not on any of the black/grey/white lists. The message gets bounced back saying try again later and the mail server gets grey listed. If the server retries again later (within the allotted time), it gets whitelisted. Spammers never try twice. I went from well over 200 spam per day to ~3 last year. Yup only 3. It is not cpu intensive, the mail is not analyzed or modified in any way, it just plain works. Try it, love it, tell others.

Re:Openbsd spamd (1)

wondersparrow (685210) | more than 6 years ago | (#17753962)

Oh, forgot to mention. It tarpits all grey and blacklisted connections. Woo for tying up spammers mta's states. :D
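The greylisting flow described in the two comments above, as an added example that is not part of the original posts and is not spamd's own code: an unknown sender is temp-failed, a retry inside the window promotes the server to the whitelist, and a sender that never retries properly is never accepted. The timings, the (IP, sender, recipient) key and the reply strings are assumptions, and the tarpit delay is not modelled.

```python
from dataclasses import dataclass, field

# Assumed timings in seconds, chosen for this sketch.
MIN_RETRY_DELAY = 25 * 60         # a retry sooner than this stays greylisted
GREY_EXPIRY = 4 * 60 * 60         # an unretried grey entry is forgotten
WHITE_EXPIRY = 36 * 24 * 60 * 60  # whitelisting lapses without further mail

@dataclass
class Greylister:
    blacklist: set = field(default_factory=set)
    grey: dict = field(default_factory=dict)   # (ip, sender, rcpt) -> first seen
    white: dict = field(default_factory=dict)  # ip -> last accepted

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        if ip in self.blacklist:
            return "550 rejected"
        last = self.white.get(ip)
        if last is not None and now - last <= WHITE_EXPIRY:
            self.white[ip] = now
            return "250 accepted"
        self.white.pop(ip, None)               # expired whitelist entry
        key = (ip, sender, rcpt)
        first = self.grey.get(key)
        if first is None or now - first > GREY_EXPIRY:
            self.grey[key] = now               # unknown or stale: start over
            return "451 try again later"
        if now - first < MIN_RETRY_DELAY:
            return "451 try again later"       # hammering is not a queue retry
        del self.grey[key]                     # genuine retry: promote server
        self.white[ip] = now
        return "250 accepted"

# Constructed sample traffic: (seconds, source IP, sender, recipient)
SAMPLE = [
    (0, "192.0.2.10", "alice@example.org", "bob@example.net"),     # real MTA
    (5, "198.51.100.7", "x@spam.invalid", "bob@example.net"),      # bot
    (15, "198.51.100.7", "x@spam.invalid", "bob@example.net"),     # bot again
    (20, "203.0.113.66", "y@spam.invalid", "bob@example.net"),     # blacklisted
    (1800, "192.0.2.10", "alice@example.org", "bob@example.net"),  # queue retry
    (1900, "192.0.2.10", "carol@example.org", "bob@example.net"),  # whitelisted
]

def replay(events, blacklist=("203.0.113.66",)):
    g = Greylister(blacklist=set(blacklist))
    return [g.check(ip, s, r, t) for t, ip, s, r in events]
```

The cost shows in the sample: the legitimate message from 192.0.2.10 is delivered 30 minutes late, while mail from the now-whitelisted server passes immediately.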

I've not RTFA, just the words "deal with spam" (-1, Troll)

b1rdy (451206) | more than 6 years ago | (#17753872)

Your idea will not work. Here is why it won't work... err, no, I'm going to get modded down aren't I.
OK, how about, In soviet russia spam.... damn, wrong again.
OK, how about FIRST POST!!! OK, it's my second post, but who's counting.

Friends don't let friends post pissed. I read slashdot. I have no friends. QED.
I do need viagra though.

WTF? The product promises to slow down your email? (1)

kingpetey (1054968) | more than 6 years ago | (#17753994)

The kind of analysis HexView suggests seems to promise a drastic bottleneck in email delivery as their servers check source IP addresses, etc. Awesome. I love the possibility of MY email grinding to a halt in an attempt to cause spammers delays in packet delivery. Sounds like greylisting under a euphemized name, like how time-shares are now called "fractional ownership."

The only real solution to spam. (2, Interesting)

arthurpaliden (939626) | more than 6 years ago | (#17754048)

Is to have the ISP charge for email usage in the same way as you get charged for your cell phone usage.

Follow the money and stop the source (2, Interesting)

spectro (80839) | more than 6 years ago | (#17754110)

1. Company offering product or service hires spammer
2. Spammer creates botnet by installing spyware in unsecured computers
3. Botnet sends spam

Pretty much any solution so far involves stopping step 3, the delivery, when the real problem lies in step 1; we need to find ways to stop step 1 from happening. Let's make hiring spammers a criminal offence, the same way "murder for hire" is. You can catch them by just having undercover officers order the product/service.

I say let's make hiring a spammer to advertise a product or service a Criminal Offense punishable by jail. It will stop U.S. companies from hiring spammers. Then we put pressure on foreign governments to pass similar laws.