Novel Method for Universal Email Authentication

CmdrTaco posted more than 6 years ago | from the well-kinda-novell-anyway dept.

Spam 212

MKaplan writes "Most spam is sent using spoofed domains. Email authentication schemes such as SPF attempt to foil spoofing by having domain administrators publish a list of their approved outgoing mail servers. SPF is sharply limited by incomplete domain participation and failure to authenticate forwarded email. A paper describes a novel method to rapidly generate a near-perfect global SPF database independent of the participation of domain administrators. A single email from an unauthenticated domain is bounced and then resent — this previously unauthenticated domain and the server listed in the return path of the resent bounce are entered into a globally accessible database. All future emails sent from this domain via this server will be authenticated after checking this new database. Mechanisms to authenticate forwarded email and to nullify subversion of this anti-spam system are also described."


Greylisting? (1, Insightful)

mmcuh (1088773) | more than 6 years ago | (#20801823)

Isn't this the same thing as greylisting [wikipedia.org]?

Re:Greylisting? (5, Funny)

Anonymous Coward | more than 6 years ago | (#20801865)

No, not at all. If you don't want to read the article, just keep guessing how it works, and we'll let you know if you are getting warm.

Re:Greylisting? (1)

flydpnkrtn (114575) | more than 6 years ago | (#20802177)

You've been here a while, hmm? Next you'll be talking about Soviet Russia

Re:Greylisting? (0, Offtopic)

richie2000 (159732) | more than 6 years ago | (#20802557)

You've been here a while, hmm? Next you'll be talking about Soviet Russia
On Slashdot, Soviet Russia talks about YOU!

Not exactly. I think. (4, Insightful)

khasim (1285) | more than 6 years ago | (#20801913)

He's talking about "bouncing" messages ... but I cannot tell if he means resending an accepted message or denying it at SMTP time.

Then he talks about having people install software:

Auto-Resend software will ensure that almost no one will see or be required to manually respond to the email seen in Figure 2. Auto-Resend software is a simple onetime update for webmail systems, email clients, and local mail servers.

Yeah, installing new software is a great solution.

Re:Not exactly. I think. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20801967)

I believe he means denying at SMTP time, so the sender will try again after X minutes. Spam-senders usually don't wait for that type of stuff, so I think that's where he's going with this, but if everyone does this I'm sure the spam-senders will just adapt to it.

Now if you could bounce the message, it would just go back to the original IP, so I don't see why that would help either though.

That's the problem. (4, Informative)

khasim (1285) | more than 6 years ago | (#20802009)

He does not CLEARLY explain what he is intending.

I believe he means denying at SMTP time, so the sender will try again after X minutes.

Which is kind of like greylisting. The FIRST problem is that the spammers have adapted to this and retry.

The SECOND problem with this is he's saying:
Unique sub-addresses are dispatched in the 'From' field with routine outgoing email. RIAuser@domain.com may send RIAuser^85nxsm@domain.com to one individual and RIAuser^n4sw5z@domain.com to another individual.

Huh? So this is also about SENDING email?

Now if you could bounce the message, it would just go back to the original IP, so I don't see why that would help either though.

And it doesn't address the issue of "fast flux" where the domains are "legit" in that they exist and point to the IP address of the sending machine ... for a few minutes.

So he's talking about "bouncing" messages ... installing new software ... and altering the "From:" addresses on stuff YOU send ...

No fucking way is this going to work.

Re:That's the problem. (2, Insightful)

SCHecklerX (229973) | more than 6 years ago | (#20802363)

Which is kind of like greylisting. The FIRST problem is that the spammers have adapted to this and retry.


This is exactly why greylisting is effective. It pushes the cost of spamming back on the spammers. Now they have to have a semi-legitimate mail relay, vs. fire and forget. If everyone greylisted, then the spammer's mail queues would be huge.

Of course, all bets are off with zombies that start using legitimate SMTP servers, but there are solutions to that already in place:
  1. Many ISPs volunteer their list of non-SMTP sending subnets (Comcast will let you run a server, and even allow it to send outbound, but many other ISPs then block your mail because Comcast submitted this info to the blacklists)
  2. Corporate firewalls should ALWAYS block outbound SMTP that is not originating from their own servers


The only place this fails is if the spammers as part of their owning of zombie hosts begin to check for the proper SMTP server to relay through and configure accordingly. Admittedly, this is not too difficult to do, but they aren't doing it yet.

So? (3, Interesting)

khasim (1285) | more than 6 years ago | (#20803009)

This is exactly why greylisting is effective. It pushes the cost of spamming back on the spammers. Now they have to have a semi-legitimate mail relay, vs. fire and forget. If everyone greylisted, then the spammer's mail queues would be huge.

So? They don't care. They have, effectively, limitless bandwidth and limitless processor power.

Greylisting WAS effective ... before so many people adopted it. Now it only catches the dumbest spammers.

The only place this fails is if the spammers as part of their owning of zombie hosts begin to check for the proper SMTP server to relay through and configure accordingly. Admittedly, this is not too difficult to do, but they aren't doing it yet.

No. It fails when they implement (as they have) a process to resend any temp rejections after X minutes.

Greylisting had THREE features:
#1. It could temp reject spam and if the spammer never tried again ... success.

#2. It could temp reject spam and if the spammer randomized the "From:" username/domain ... success.

#3. It could temp reject spam and if the IP address was listed in a blacklist within the temp reject time frame ... success.

Now all that is left is #3. It costs the spammers NOTHING to upgrade the zombies. And if they get the spam through, the spammer wins.

Now, the zombie can appear MORE legit than a lot of the real mail servers out there.
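The three greylisting outcomes listed in the comment above, as an added example that is not part of any poster's message: a minimal triplet greylist (client IP, envelope sender, recipient) run against constructed senders. The delay values, addresses, reply texts and the in-memory `blacklist` set (standing in for a DNSBL lookup) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300     # seconds a new triplet must wait before a retry counts (assumed)
MAX_AGE = 4 * 3600  # a pending triplet not retried within this window starts over (assumed)
TEMPFAIL = "451 4.7.1 greylisted, try again later"


@dataclass
class Greylist:
    blacklist: set = field(default_factory=set)  # stands in for a DNSBL query
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    passed: set = field(default_factory=set)     # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply to RCPT TO for this attempt at time `now` (seconds)."""
        if client_ip in self.blacklist:
            return "554 5.7.1 client address is blacklisted"
        # Keyed on the envelope sender (MAIL FROM), not the From: header.
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 2.1.5 ok"
        first = self.pending.get(triplet)
        if first is None or now - first > MAX_AGE:
            self.pending[triplet] = now          # new (or expired) triplet
            return TEMPFAIL
        if now - first < MIN_DELAY:
            return TEMPFAIL                      # retried too quickly
        del self.pending[triplet]
        self.passed.add(triplet)
        return "250 2.1.5 ok"


def simulate():
    """Run constructed senders through one greylist; return each one's last reply."""
    gl = Greylist()
    rcpt = "user@rcpt.example"
    out = {}

    # 1. One attempt, never retried: the message is simply never delivered.
    out["fire_and_forget"] = gl.check("192.0.2.10", "a@bulk.example", rcpt, now=0)

    # 2. Retries, but with a different envelope sender each time:
    #    every attempt is a brand-new triplet.
    for i, t in enumerate((0, 600, 1200)):
        out["random_from"] = gl.check("192.0.2.20", f"x{i}@bulk.example", rcpt, now=t)

    # 3. The client IP gets listed between the first attempt and the retry.
    gl.check("192.0.2.30", "b@bulk.example", rcpt, now=0)
    gl.blacklist.add("192.0.2.30")
    out["listed_in_window"] = gl.check("192.0.2.30", "b@bulk.example", rcpt, now=600)

    # 4. Stable triplet that queues and retries: too early at 60 s, accepted at 600 s.
    gl.check("192.0.2.40", "c@bulk.example", rcpt, now=0)
    out["retry_too_soon"] = gl.check("192.0.2.40", "c@bulk.example", rcpt, now=60)
    out["stable_retry"] = gl.check("192.0.2.40", "c@bulk.example", rcpt, now=600)
    return out


if __name__ == "__main__":
    for name, reply in simulate().items():
        print(f"{name:18} {reply}")
```

Case 4 is the one the comment is about: once a sender keeps its triplet stable and retries after the delay, only the blacklist check in case 3 still stands between it and delivery.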

Re:That's the problem. (1)

afabbro (33948) | more than 6 years ago | (#20802431)

He does not CLEARLY explain what he is intending.
The SECOND problem with this is he's saying:
Huh? So this is also about SENDING email?


Ah, I'd wondered where Robert McElwaine had gone...

Re:That's the problem. (1)

canuck57 (662392) | more than 6 years ago | (#20802641)

No fucking way is this going to work.

That is what I thought when I saw it on firehose yesterday and marked it binspam. We do need to get the moderators to research this a little before posting self indulgence stories. As I suspect the posters of such crap are using firehose to notch up their stories.

And you only tipped the edge. What if I sent 5000 messages to 5000 domains with the same senders address... oh the fun.

And more, but I will not bore the /. users with the lengthy list of flaws. He got his moment of fame past the /. moderators.

Re:That's the problem. (3, Insightful)

FlyveHest (105693) | more than 6 years ago | (#20802677)

I believe he means denying at SMTP time, so the sender will try again after X minutes.

Which is kind of like greylisting. The FIRST problem is that the spammers have adapted to this and retry.


Huh? When I take a look at how many mails are bounced on all my domains, thanks to greylisting, each day, and hold it against how much spam actually enters my mailbox, I'd say they haven't adapted at all.

When you are sending millions of mails, retrying is far, far more expensive than just ignoring it.

Re:Greylisting? (1)

Bogtha (906264) | more than 6 years ago | (#20802215)

It seems to be greylisting, except instead of rejecting the message during delivery and relying on standard SMTP features, he wants to accept the message, send a bounce, have the other party install software to automatically re-send the message upon receipt of the bounce, and then add the sender's mail server to a whitelist the second time the email comes through. Awful idea for all different kinds of reasons.

Re:Greylisting? (3, Insightful)

tacocat (527354) | more than 6 years ago | (#20803293)

I don't know, I didn't get that far. The article and the concept are bullshit.

The 'From' field is the keystone of their identification process. Well, I got news for you if you bothered to read the RFC. 'From' does not have to represent the real sender. I can forge it up all I want into anything I want and you can't tell. I didn't get past section 3 where this is before I determined the rest isn't worth reading.

Once again we have another company trying to come up with the next Big Thing and they don't know what the hell they are talking about. SPF is cute -- but relies too much on people setting it up and correctly. I suppose you could pay a service to act as a third party validator, but that's turning into a boondoggle too.

I don't think bouncing email at valid senders is going to win any friends.

Perhaps there is a way to do it successfully and with great accuracy. I would love to say I'm working on it. But quite frankly, if I do figure it out I probably won't mention to anyone since I really don't want the legal hassle of trying to defend my idea against someone else's billions. I can block spam. I can block spam to the tune of 99+%. The rest is trivial. I was even surprised to hear them say 94% was the average. Perhaps people would be better off if they stopped using SpamAssassin.

Sorry, my opinion is that statistical filtering is more than sufficient if it's managed well. I think few people are willing to do the work required of them to make them spam free. Kind of like locking the door to keep out the crooks.

SECOND (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20801845)

Second!!

That's already implemented with Spamcop (4, Informative)

no-body (127863) | more than 6 years ago | (#20801853)

Mail servers are authenticated by Spamcop and forward spam automatically to Spamcop which adds it to their database. When using reject_rbl_client bl.spamcop.net SPAM is blocked.
Works like a charm!

Re:That's already implemented with Spamcop (2, Informative)

no-body (127863) | more than 6 years ago | (#20801867)

&& that's IP based, not domain name based, so the SPAM originating IP is known and can be blocked

Re:That's already implemented with Spamcop (2, Interesting)

John Hasler (414242) | more than 6 years ago | (#20802413)

My ISP uses it. It frequently bounces my Debian mail. I'm moving my mail to Newsguy where I can turn the damn RBLs off and filter my mail myself.

Novell? But doesn't that mean MS-sponsorship? (-1)

Anonymous Coward | more than 6 years ago | (#20801857)

A Novell Method? Because they're linked with Microsoft, won't that violate GPL3 or something?
Also: Slashdot Eds: you missed a letter "L" at the end of NovelL
Unless you mean Novel as in "book"...well then are we going to be writing down our emails and putting them in books to be steam-shipped across the Atlantic for delivery? If so, I am definitely in favour of that because it will cut back on my spam problem.
Or maybe it's a Novell Novel method which might be a combination of the two, but still it'll violate GPL3 (whatever that might be since I only use Apple) so I won't be in favour of it because everybody here on the Slashdot Tube doesn't like it.

Re:Novell? But doesn't that mean MS-sponsorship? (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20801981)

"novel" also means "new" as in the French "nouveau".

Fails to account for SMTP farms... (5, Insightful)

pathological liar (659969) | more than 6 years ago | (#20801863)

So what happens when you receive an email from a big site like Sympatico, Hotmail, or any number of other places that have farms of SMTP servers, where your message isn't guaranteed to be resent from the same IP?

This also requires users to install software to use effectively, and features CAPTCHAs which are a usability nightmare and not nearly as impregnable as the author thinks.

All that effort instead of just adding a TXT record to their domains.

Re:Fails to account for SMTP farms... (3, Insightful)

bennomatic (691188) | more than 6 years ago | (#20801987)

So what happens when you receive an email from a big site like Sympatico, Hotmail, or any number of other places that have farms of SMTP servers, where your message isn't guaranteed to be resent from the same IP?

And OKing the receipt of any address at a domain from such an infrastructure seems less than ideal. I mean, if I send out all my email for "me@mydomain.com" from Hotmail's SMTP servers, I'm not sure I want that to automatically give the go-ahead so that anyone can send spam from "Need-Viagra@mydomain.com" and "refinance-your-house@mydomain.com", etc..., from those domains.

SPF, as I understand it, has some contexts in which it works well. But it doesn't cut with fine-enough a blade as far as I'm concerned. Automating the process so that I (if I haven't set up SPF records) could allow spammers to use my domain with more authority by responding to an automated message just doesn't sound like a good idea. I think this opens up the door for a lot more spam if people believe in it.

If it went a step further and tried to authenticate each time a unique USER@DOMAIN pair sent an email via a particular host, I could see that being useful. The protocol could be extended such that even the SMTP farms could conceivably use something to say, "if authorized at one of my servers, an email should be authorized at all of my servers". But it's a lot of work to get there, and the size of such a universal database would be ridiculous, and it seems that for there to be a single-source host for such a thing, there would have to be a lot of cooperation between some major corp^H^H^H^H sources of funding.

Re:Fails to account for SMTP farms... (2, Insightful)

MightyMartian (840721) | more than 6 years ago | (#20802067)

Let's just try to imagine the resources required for this sort of a setup in the case of a distributed dictionary attack. The ISP I used to work at, which was small and had about a thousand email addresses, was, on average, getting nailed with about 500,000 such attacks per day (and with some days being double that or more). In fact, it got so bad that the crappy IMail server I was forced to use because it ran under Windows would actually become non-responsive. Putting in two old Pentium-233s with Linux and Postfix (well, actually one was Linux and one was FreeBSD, just cause) as proxies saved the primary mail server from its meltdowns, as well as allowing me to do some proper greylisting.

The long and the short of this is that during a very large-scale distributed dictionary attack, having a server attempting to verify return paths, as this "novel" idea suggests, would be nuts. Just getting your mail servers to cut the connection is going to be enough work. Why in hell would you want to multiply the traffic that a goddamn attempted spam is already taking up? I guess for that lucky bastard who never has to pay per gigabyte or whatever could use this.

Re:Fails to account for SMTP farms... (1)

pathological liar (659969) | more than 6 years ago | (#20802289)

... right.

I understand that when all you have is a hammer everything looks like a nail, but that's not the problem SPF was meant to address. All SPF does, all it's meant to do, is say "these are the servers that are allowed to send mail from this domain." It makes no statement on whether the email is spam or not, just whether or not it was sent from where it's supposed to come from.

What you want sounds like greylisting. This is different.
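What the comment above describes, as an added example that is not part of any poster's message: evaluating an SPF record against the connecting IP. The domains and TXT records are constructed and held in a dict in place of DNS; only the `ip4`, `ip6`, `include` and `all` mechanisms are handled, and mechanisms needing further DNS lookups (`a`, `mx`, `ptr`, `exists`) and the `redirect` modifier raise `NotImplementedError`.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (example data only).
SPF_RECORDS = {
    # One CIDR block covers every node of an outbound SMTP farm.
    "bigmail.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:25::/48 -all",
    # A small domain with one server of its own that also sends via the farm.
    "smallshop.example": "v=spf1 ip4:198.51.100.7 include:bigmail.example ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain, records=SPF_RECORDS, depth=0):
    """Return the SPF result for `client_ip` sending as `domain`.

    Note the inputs: an IP and a domain. The local part of the address
    is never consulted, so SPF says nothing about which user sent it.
    """
    if depth > 10:                       # include loop / lookup limit
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"                    # domain publishes no SPF policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"

    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:                  # modifier (name=value)
            if term.split("=", 1)[0].lower() == "redirect":
                raise NotImplementedError("redirect= needs DNS; not modelled")
            continue                     # exp= and unknown modifiers are ignored
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed record
            if net.version != int(name[2]):
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            nested = check_host(client_ip, arg, records, depth + 1)
            if nested == "pass":
                return QUALIFIERS[qual]
            if nested in ("temperror", "permerror"):
                return nested
            if nested == "none":
                return "permerror"       # include target has no record
            # fail / softfail / neutral inside an include: no match, keep going
        else:
            raise NotImplementedError(f"mechanism {name!r} needs DNS; not modelled")
    return "neutral"                     # no mechanism matched and no 'all'


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "bigmail.example"),
                    ("192.0.2.200", "bigmail.example"),
                    ("203.0.113.99", "bigmail.example"),
                    ("192.0.2.10", "smallshop.example"),
                    ("203.0.113.99", "smallshop.example"),
                    ("203.0.113.99", "norecord.example")]:
        print(f"{ip:15} as {dom:18} -> {check_host(ip, dom)}")
```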

Re:Fails to account for SMTP farms... (1)

bennomatic (691188) | more than 6 years ago | (#20803451)

No, no, no.

Everything is not a nail. But SPF is a hammer that does not even get the nail all the way in. What I am suggesting is that SPF is a very limited solution, and that may be why it's not universally implemented. And I'm saying that auto-implementing it will still leave the option of sending out some kinds of SPAM wide open.

I'm saying that if we really want to defeat spam, someone needs to intelligently integrate greylisting, SPF, heuristic filters and a number of other systems into a useful and easy-to-implement "tool belt". Building the article's suggested system will just be a waste of time and solve very little in terms of significantly reducing volumes of spam, in my opinion.

Re:Fails to account for SMTP farms... (1)

eric76 (679787) | more than 6 years ago | (#20803667)

SPF is nearly useless. As far as I can see, the only thing SPF is useful for is to get a list of servers from which e-mail for that domain may originate. Then, if you regularly get e-mail from that domain, whitelist their servers and greylist everyone else.

I completely agree that the author's suggestion is a waste of time. Actually, it is worse than that since it will bounce the spam to the apparent senders. That means that someone other than the original recipient gets the spam instead.

Re:Fails to account for SMTP farms... (1)

Just some bastard (1113513) | more than 6 years ago | (#20802371)

I'm not sure I want that to automatically give the go-ahead so that anyone can send spam from "Need-Viagra@mydomain.com" and "refinance-your-house@mydomain.com", etc..., from those domains.

SPF authorizes outbound mail servers for a domain, it doesn't authenticate [wikipedia.org] anything. Preventing cross user forgery is a matter of policy for 3rd party relay providers, there's nothing schemes like SPF can do about it.

Re:Fails to account for SMTP farms... (1)

bennomatic (691188) | more than 6 years ago | (#20803409)

I totally agree, hence my quote of... "and the size of such a universal database would be ridiculous".

If bandwidth, CPU and data storage and access were infinitely available resources such that an attack as you describe wouldn't make my suggestion effectively impossible, I would push for my idea. However, my idea was simply to address some of the shortcomings of the original idea in the article.

Unfortunately, at this time, there is no magic bullet for spam. I use some heuristic filters, but mostly I just use my delete button.

FUSSP (4, Insightful)

Just some bastard (1113513) | more than 6 years ago | (#20801869)

Basically this guy is proposing an automated whitelist (for domains without SPF records) via a local database. At least I think that's what the paper is about, I gave up reading it earlier. It lacks a concise summary, doesn't read like a well-researched paper and the diagrams don't even display without JavaScript.

The author may be an anti-spam kook [rhyolite.com] but the paper is so badly written I can't be bothered identifying which.

Re:FUSSP (1)

adrianmonk (890071) | more than 6 years ago | (#20802637)

the paper is so badly written I can't be bothered identifying which.

Thanks. I'm glad to get confirmation it wasn't my reading comprehension skills that caused me to give up after every single word in the paper caused the mental fog to get a little bit thicker until in the end (actually somewhere in the middle), I had no earthly idea what the damned thing was about.

Cue form response (1)

bperkins (12056) | more than 6 years ago | (#20801887)

I'm surprised I don't see it.

Re:Cue form response (5, Funny)

Epsillon (608775) | more than 6 years ago | (#20801989)

Your post advocates a

(*) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(*) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(*) Open relays in foreign countries
(*) Features in MTA software that can be disabled, such as MDNs
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(*) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(*) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(*) Dishonesty on the part of spammers themselves
(*) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:
(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(*) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

I didn't spend too much time looking through the options, so go easy if I got it wrong. Will that do?

oldie but goodie. (1)

djdavetrouble (442175) | more than 6 years ago | (#20802005)

As soon as I saw a spam Item, I just skipped forward to this good old reliable post.
Funny because it's true!
I really love this one...

No, I didn't RTFA.. (5, Funny)

Anonymous Coward | more than 6 years ago | (#20801889)

...but this had to be posted.

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
(X) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:No, I didn't RTFA.. (0)

MightyMartian (840721) | more than 6 years ago | (#20801985)

Indeed. When will these bloody guys figure out that a header can be a complete fabrication?

Re:No, I didn't RTFA.. (1)

MarsDefenseMinister (738128) | more than 6 years ago | (#20802061)

That's the point of SPF. It detects when the header is fabricated, and the virus detector bounce messages can just be dumped.

Most of the million spams a month I see are from Norton or some other idiot company telling me that the message I sent to them contained a virus. No, if they'd just had the data (but they already do! I use SPF) they could see that my server has one valid mailing IP address, and it's not on a Korean DSL line.

Re:No, I didn't RTFA.. (4, Insightful)

ScrewMaster (602015) | more than 6 years ago | (#20802175)

Which just continues to show that all sophisticated security systems can and will be defeated by morons. There is no force on the planet more powerful than human stupidity.

Re:No, I didn't RTFA.. (0)

Anonymous Coward | more than 6 years ago | (#20802071)

I think it is great that someone has gone to the trouble of making a template for reasons why anti-spam filtering doesn't work. It just goes to show how many stupid anti-spam ideas have come before us.

The idea that interests me most is to have individual client-side white lists with an automated human-verification process. This verification is done via return emails or another method to allow anonymous people to automatically add themselves to your white list. Throw in a few cryptography principles and you won't have to worry about spam for a long time to come. Most people don't receive emails from total strangers and when they do, some sort of human verification process wouldn't be too annoying, if done correctly (inline real time verification within email clients taking less than 10 seconds of my time).

Re:No, I didn't RTFA.. (0)

Matt Perry (793115) | more than 6 years ago | (#20802165)

I wish moderators would start modding posts with this form as a troll. Spam is a big problem for both service providers and individuals. Many people have been working hard on ideas to help fight spam while keeping the backward compatibility of the SMTP protocol. The linked article is attempting to offer something and see where it leads. You, on the other hand, have contributed nothing except a worn out joke. You can't even be bothered to create your post's content, opting instead to use a form. What exactly are you contributing to this discussion? What value or insight does your post offer that warrants a +5 score? At least the author of the paper is making a genuine effort to help.

Re:No, I didn't RTFA.. (1, Insightful)

nuzak (959558) | more than 6 years ago | (#20802229)

Your reply indicates an attitude of:

[ ] "My approach is immune from all criticisms"
[X] "Doing SOMETHING is better than nothing!"
[ ] Willful ignorance of founded criticism.

Yes, it's a worn out joke (and yes, the form is a JOKE, it applies to ALL current antispam approaches). Yes, moderators are stupid. You must be new here.

Re:No, I didn't RTFA.. (1)

Matt Perry (793115) | more than 6 years ago | (#20802503)

Your reply indicates an attitude of ... "Doing SOMETHING is better than nothing!"
That's somewhat true. You have to form a hypothesis and see where it leads if you are going to solve a problem. I doubt that anyone is going to come out of the woodwork and say "I have the solution" and be correct. We have to try many different things to see what works and what doesn't. Dismissing things out of hand isn't going to help find a solution to the spam problem.

Re:No, I didn't RTFA.. (2, Interesting)

plover (150551) | more than 6 years ago | (#20803299)

What his joke is offering is the insight that every easy route (and most moderately complex routes) to blocking spam has already been tried and failed. Every "new" whiz-bang spam filtering idea these days is merely a rehash or mashup of previous filtering ideas that still retain the problems that plagued the original ideas. The method described in this paper is not novel -- it's a complex mashup of whitelists, CAPTCHAs, Bayesian filters, and new mail client software, each of which has been tried and has its own set of well-understood problems.

The spam problem is not that any new anti-spam idea is "unproven" or "untested" or "novel." The true underlying problem is that the mail protocols in place are not securable, never having been designed to be secured. Any true anti-spam change will require a protocol change and the total securing of every box on the net, and like the form letter also points out, that's not going to happen.

Spam filters are the modern equivalent of patent applications for perpetual motion. Eventually, the patent office realized that it had to reject them out of hand, because they were claiming to solve an unsolvable problem. Spam filters fall in that same category, and this form letter is a nerdy way of rejecting them out of hand. "We gotta try new things" is a fine attitude that solves a lot of problems that do have solutions. But it can't solve a problem whose only solution can not exist -- a new protocol relying on perfectly secured endpoint computers.

There is one place where spam filtering does work, and it's part of why I dislike these ideas: private filters can be very effective. That means if you invent a novel spam filter and want to enjoy its benefits for as long as possible, the best way to do it is to keep it quiet. My old simple perl scripts full of regexps worked great up until someone decided to mass-market spam blockers and apply the same principles at the ISP level. At that point my scripts were useless. Spammers really don't care if a handful of nerds block their stuff, but they are out of business if the blocking process can be automated and applied at the ISP or corporate levels. At that point they invent a workaround, rendering the previously working ideas useless.

Re:No, I didn't RTFA.. (1)

alienw (585907) | more than 6 years ago | (#20803655)

I think your post is quite silly. Think about this: a human operator can generally tell spam from non-spam with 100% accuracy and zero false positives. This means the problem is possible to solve. The real question is how to do it easily and efficiently, and this is where the real problem starts. Most of today's approaches are simplistic and, thus, unreliable. This doesn't mean a good approach is impossible to implement. With some tuning, a basic SpamAssassin setup can be quite good -- I get about 130 spams a day; on average, only 1 or 2 get through the filter, and I've never had a false positive. If tuning and heuristic generation could be done automatically, it would probably perform even better.

Another objection (1)

knorthern knight (513660) | more than 6 years ago | (#20803681)

(X) and I don't trust ideas from an idiot who can't put up a simple text web page with a few gifs that will display properly in browsers that have javascript disabled.

Major flaw in methodology (5, Insightful)

Todd Knarr (15451) | more than 6 years ago | (#20801965)

The proposed scheme ignores one thing: the majority of bounce messages today are false bounces caused by spammer joe-jobs, therefore they themselves get flagged as spam and deleted/ignored. In addition, it also increases the annoyance of greylist authentication schemes, since a spammer forging my address in the From field will cause every host participating in this scheme to send me a verification e-mail for a message I didn't send which I'll have to deal with. The proposed scheme makes a very fundamental mistake: assuming that you can trust the sender's address in a message to be the true sender's address. You can do that only after you've determined the message is authentic and not spam, at which point you don't need this scheme anymore.

Re:Major flaw in methodology (3, Informative)

Dan B. (20610) | more than 6 years ago | (#20802113)

Not so, most of the backscatter is sent to snckjwe@mydomain.com which is either quietly dropped if you have smart filters that look for mailer-daemon@ etc as the sender, or passed to your 'no one by that name' catch all mailbox. Some mail systems will in fact be terribly misconfigured for backscatter, but then how is that different from what we have today?

The worst email storm I got was when some spammer decided to use my domain as the sender of all his junk and send all his junk twice. I do have SPF entries in my DNS so ANYTHING that would encourage others to actually USE this system is a GOOD THING.

Now if there were just a few simple packages available that would give us the one-click (tm) ability to add SPF filtering to Sendmail/Postfix/Qmail/etc, and MS Exchange 5.5/2000, then I would guess that 50% or more of the domain spoofing spam would cease. That can only be good, as I only get UCE from real domains that I can't check for authenticity, from spammers who bother to follow RFCs and send twice after postgrey (greylist filtering) blocks them first time around.

Re:Major flaw in methodology (1)

jswinth (528529) | more than 6 years ago | (#20802261)

In addition, the scheme has the same flaw as SPF for those spammers who set up new domains. If the spammers set up SPF and the auto-reply software in the article then they can spam a great deal of people until caught by each receiving domain. Rinse... Repeat.

I'm not sure you understand what SPF solves (2, Informative)

Degrees (220395) | more than 6 years ago | (#20802465)

SPF only solves the problem of SpammerS sending mail to MailserverB with a forged header to make the message look like it came from MailserverA. The assumption is that UserB might open the message if it says it comes from UserA.

SPF causes MailserverB to look up DNS data for the email domain for MailserverA, and compare its SPF published IP addresses with the IP address of the incoming email connection from SpammerS. If the two don't match, then MailserverB hangs up on SpammerS with a 566 eat-shit-and-die error code.

That's all SPF does: eliminate impersonation.

For that, it's a great idea.

If you think that SPF is going to eliminate all spam, then you have misplaced hopes. Don't throw out SPF just because it is a piece of the solution instead of the whole solution.

The problem you describe is solved with SURBLs.

IMO, people should use both.

For a nerd, this is easy, but... (1, Funny)

Anonymous Coward | more than 6 years ago | (#20802013)

Put this into use and it'll never work. I didn't read the entire paper, but after looking over the pretty pictures it looks like the sending party has to resend the message? That will only happen 50% of the time. I do support at a university and the types of calls I get lead me to believe the average user (not average linux geek) would be totally and completely confused and would call the helpdesk every time they got one of these replies.

Re:For a nerd, this is easy, but... (1)

nuzak (959558) | more than 6 years ago | (#20802331)

I didn't read the entire paper, but after looking over the pretty pictures it looks like the sending party has to resend the message? That will only happen 50% of the time.

It could be greylisting, where the resend will be automatic. From the sender's point of view, there was just a delay. It's hard to say -- the article is not terribly well-written. The author's name is familiar, so googling on it turns up some other papers:

http://home.nyc.rr.com/spamsolution/UniversalAuthentication.htm [rr.com]

some discussion can be found here:

http://www1.ietf.org/mail-archive/web/asrg/current/msg12403.html [ietf.org]

It's hard to tell from his summaries, but assuming the approaches are the same thing, it looks like he reinvented tagged addresses among other things. All in all, it looks grotesquely complex.

The BIG issue (4, Interesting)

Skiron (735617) | more than 6 years ago | (#20802041)

Is MS windows boxes that are compromised and doing this - you can see this where the spam mails get 'Chinese whispered' from one box to another and end up incoherent (to say the least).

Any ISP should/could get suspicious of thousands of mails sent from one 'home user' source at anytime. But when you have thousands of 'users' doing the same thing, it gets lost in the noise.

One simple solution is:

if account == home user & running MS
      if mails sent > 10 per minute
          block it
      fi
fi

etc.

Very easy.

Re:The BIG issue (2, Informative)

crossmr (957846) | more than 6 years ago | (#20802105)

I have a friend who works for a large ISP here in town and they do something like that but the thresholds are much higher. He told me a story about a woman who had been blocked multiple times but refused to clean the viruses off her computer but would call and bitch that she couldn't send any e-mail. I guess each time you trip the system and get blocked it's a longer block. The last time she had called in he said it looked like she'd been blocked at least a dozen times based on the length of that block.

Re:The BIG issue (1)

Skiron (735617) | more than 6 years ago | (#20802163)

Well, what can you say? I would say - tough shit. Until this gets stopped, users have to be hurt (even though it is a MS issue really). If MS deem their customers to be idiots (which they do) then what more can you expect?

Participation in SPF (4, Informative)

Anonymous Coward | more than 6 years ago | (#20802069)

"SPF is sharply limited by incomplete domain participation"

That's not a big problem. 99% of non-participating domains fit in the default SPF record "a/24 mx/24 ptr -all"; we have used it in qmail for a few years. Together with Spamassassin it results in 99,8% antispam accuracy (warning: one big exception is yahoo.com, you should use domainkeys or add ptr:yahoo.com to the default spf rule)
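An added illustration, not code from any poster or from the paper: the SPF comparison described in the comments above (connecting IP versus the sender domain's published record), with the thread's "a/24 mx/24 ptr -all" record applied when a domain publishes nothing. The DNS tables, domain names and addresses are constructed sample data, and only the `ip4`, `ip6`, `a`, `mx`, `ptr` and `all` mechanisms are handled, with IPv4 prefix lengths only.

```python
import ipaddress

# Constructed DNS data (documentation address ranges) standing in for live lookups.
ZONE = {
    "example.org": {"TXT": "v=spf1 ip4:192.0.2.0/28 mx -all",
                    "A": ["198.51.100.10"], "MX": ["mail.example.org"]},
    "mail.example.org": {"A": ["198.51.100.25"]},
    "nospf.example": {"A": ["203.0.113.7"], "MX": ["mx.nospf.example"]},
    "mx.nospf.example": {"A": ["198.51.100.200"]},
    "host200.nospf.example": {"A": ["192.0.2.200"]},
}
# Constructed reverse DNS. The second entry is a forged PTR: the name it claims
# has no A record pointing back at the client, so it must not count.
PTR = {"192.0.2.200": "host200.nospf.example",
       "192.0.2.202": "mail.nospf.example"}

DEFAULT_RECORD = "v=spf1 a/24 mx/24 ptr -all"   # fallback record quoted in the thread
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addrs(name):
    """A records for a name, taken from the constructed zone table."""
    return [ipaddress.ip_address(a) for a in ZONE.get(name, {}).get("A", [])]


def _covers(ip, addrs, prefix):
    """True if ip lies in the /prefix network around any address (IPv4 prefix only)."""
    for addr in addrs:
        if addr.version != ip.version:
            continue
        bits = prefix if (prefix is not None and addr.version == 4) else addr.max_prefixlen
        if ip in ipaddress.ip_network(f"{addr}/{bits}", strict=False):
            return True
    return False


def _matches(mech, ip, domain):
    """Evaluate one mechanism such as 'ip4:192.0.2.0/28', 'a/24', 'mx' or 'ptr'."""
    head, _, arg = mech.partition(":")
    kind, _, cidr = head.partition("/")
    if kind == "all":
        return True
    if kind in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    target, _, arg_cidr = (arg or domain).partition("/")
    cidr = cidr or arg_cidr
    prefix = int(cidr) if cidr else None
    if kind == "a":
        return _covers(ip, _addrs(target), prefix)
    if kind == "mx":
        hosts = ZONE.get(target, {}).get("MX", [])
        return any(_covers(ip, _addrs(h), prefix) for h in hosts)
    if kind == "ptr":
        # The reverse name only counts if it resolves forward to the same IP
        # and sits inside the sender's domain.
        name = PTR.get(str(ip))
        if name is None or ip not in _addrs(name):
            return False
        return name == target or name.endswith("." + target)
    raise ValueError(f"mechanism not handled in this example: {mech}")


def check_spf(client_ip, sender_domain):
    """Return (result, source); source says whether the record was published or the default."""
    ip = ipaddress.ip_address(client_ip)
    record = ZONE.get(sender_domain, {}).get("TXT", "")
    source = "published"
    if not record.startswith("v=spf1"):
        record, source = DEFAULT_RECORD, "default"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if "=" in mech:          # modifiers (redirect=, exp=) are skipped here
            continue
        if _matches(mech.lower(), ip, sender_domain):
            return RESULTS[qualifier], source
    return "neutral", source


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "example.org"), ("198.51.100.10", "example.org"),
                    ("203.0.113.50", "nospf.example"), ("192.0.2.202", "nospf.example")]:
        print(ip, dom, check_spf(ip, dom))
```

Note that example.org's own web address (198.51.100.10) fails because the published record lists only the `ip4` range and the MX host, and that the forged PTR for 192.0.2.202 fails because the claimed name does not resolve back to the client.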

Re:Participation in SPF (1)

terminal.dk (102718) | more than 6 years ago | (#20803727)

Any description on how you did this? Sounds like something we might like to try.

"Office Live" link (1)

hey (83763) | more than 6 years ago | (#20802117)

What's with the "Office Live" link at the bottom of the article?!
Suggests a Microsoft-owned site.

Re:"Office Live" link (1)

smithtodda (225580) | more than 6 years ago | (#20802551)

Not to mention the MS Live Search field at the top.

Re:"Office Live" link (0)

Anonymous Coward | more than 6 years ago | (#20803487)

A whois shows that the IP for the site is indeed owned by Microsoft. So, to add to the spam form:

[x] It depends on Microsoft, which is not known for security, and is continually contributing to the problem.

average user (1)

kcpearly15 (1161509) | more than 6 years ago | (#20802129)

*lead me to believe the average user (not average linux geek) would be totally and completely confused and would call the help desk every time they got one of these replies.* I would have to agree with Anonymous Coward to say that as a self-declared "average user" I would be completely confused. And aren't the average users who we should be targeting anti-spam technology to? I mean, your average computer genius can figure out how to get rid of spam on their own I would think, making the "user friendly" aspect of any anti-spam technology a key factor if the object is to get rid of spam for the masses!

So how does this stop (1)

c0y (169660) | more than 6 years ago | (#20802185)

Spammers from forging the valid domain that the source IP would be originating if it were legitimate mail? Now we'd have to verify not just domains but individual addresses in the database, and that would simply cause the spammers to turn around and use the compromised user's own address (at which point, the blowback will hopefully indicate something is wrong at the least)

Still barking up the wrong f'ing tree... (1)

damn_registrars (1103043) | more than 6 years ago | (#20802221)

I'm frankly rather baffled at the lengths that people will go to in order to try to {filter / reject / stop transmission of} spam. We've already seen for years that such efforts are futile, because the same spammers will just adapt and find a way to pump out their crap anyways.

I have said before, and am saying again, we need an economic solution to an economic problem.

The spammers continue to send out spam because they make money at it. If we can make it less profitable for them, then they'll stop doing it. However, the spammers have so many partners in crime that we can't easily hinder them until at least one of their cohorts will agree to work on the right side of the law.

The way I see it, we still should be going after the registrars. A good chunk of the spam comes from a small portion of the spammers (and their gangs). We know who these people are, and so do the registrars. But currently, we just play the same game ad nauseam:
  • Spammer registers address
  • Spammer sends out bazillions of v!@gra / $0ftw@re spams
  • Some number of idiots buy said illegal products
  • Eventually domain gets shut down
  • Spammer buys new domains from same registrar

And the game repeats. And the only party who can easily be contacted about it is the registrar - who will of course deny all wrongdoing, or just hide behind the security of whatever communist country they reside in this week.

If registration was instead restricted to actual respectable registrars (at least for common TLDs) then a lot of this could be short-circuited.

Instead, we allow registrars who don't speak English (or at least claim to not speak English when you contact them) to sell .com domains, which are used to sell illegal products to foolish customers here in the US. If the registrars had some degree of decency, they wouldn't keep supporting the criminals - but since they get a cut of the action, there's no good incentive for them not to.

Re:Still barking up the wrong f'ing tree... (4, Informative)

SCHecklerX (229973) | more than 6 years ago | (#20802537)

I dunno. I've been pretty spam-free for the past several years using mimedefang, milter-greylist, and spamassassin.

The key is to reject the obvious nonsense before invoking your cpu-intensive analysis. I reject on the order of 90+% of everything that my mail server sees (even more at the last place I worked where they were using the same system). False positives on my home mail server are near 0. The ones that are mistakenly flagged, are simply flagged as spam, so I still see them, they weren't rejected or discarded. More at work got through, but that is because we have to be more conservative due to not having a good way to do bayesian filtering for individuals (I left before I had the time to run that project with the internal mail admins).

  1. Implement Greylisting. Spammers don't retry
  2. Reject if sending server is in zen.spamhaus.org or list.dsbl.org
  3. Reject if helo is not a FQDN or IP Address
  4. Reject if envelope sender claims to be an address from your domain (obviously our real users get through)
  5. Reject if helo claims to be your own mail server
  6. Reject if helo is an ip address from RFC1918 (again, short circuit on your own routing)


Then call spamassassin on anything that is left (SA will increase/decrease scores based again on RBLs that we don't outright reject, SPF records, etc):
  1. use sa-update daily both with standard spamassassin rule updates, and, more importantly, the stuff at saupdates.openprotect.com
  2. if you are able, create a way to easily train your bayes on false positives and stuff that wasn't rated high enough. I do this with specific courier IMAP folders that get checked once an hour
  3. Tune your sa rules to taste. I had to decrease some things (lots of friends use yahoo mail), and increase others (Stock image spam. Ugh).
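An added sketch, not SCHecklerX's configuration or code from any of the tools named: the cheap SMTP-time checks from the first list above (greylisting plus the HELO and envelope-sender rules, with local hosts short-circuited), written as one decision function. The domain, host names, networks, delay and the `PreFilter` class are assumptions made for the example; the DNSBL step is left out because it needs live DNS.

```python
import ipaddress
import re

MY_DOMAIN = "example.net"                               # assumed local mail domain
MY_HELO_NAMES = {"mail.example.net"}                    # assumed names of our own MTA
MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]    # assumed internal senders
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GREYLIST_DELAY = 300                                    # seconds before a retry is accepted

FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def helo_ip(helo):
    """Return the address if HELO is an IP or an [address literal], else None."""
    try:
        return ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return None


class PreFilter:
    def __init__(self):
        self.first_seen = {}     # (client ip, sender, recipient) -> first attempt time

    def check(self, client_ip, helo, mail_from, rcpt_to, now, authenticated=False):
        """Return (smtp_code, reason); 250 means hand the message to content scanning."""
        ip = ipaddress.ip_address(client_ip)
        # Our own users and hosts skip every check below.
        if authenticated or any(ip in net for net in MY_NETWORKS):
            return 250, "local sender"

        # Static checks run before greylisting so that permanent rejects
        # never take up space in the greylist table.
        hip = helo_ip(helo)
        if hip is None and not FQDN_RE.match(helo):
            return 550, "HELO is not an FQDN or IP address"
        if helo.lower() in MY_HELO_NAMES:
            return 550, "HELO claims to be this server"
        if hip is not None and any(hip in net for net in RFC1918):
            return 550, "HELO is an RFC1918 address"
        if mail_from.rpartition("@")[2].lower() == MY_DOMAIN:
            return 550, "envelope sender claims a local address"

        # Greylisting: temp-fail the first attempt of each triplet, accept a
        # retry that arrives after the delay.
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < GREYLIST_DELAY:
            return 451, "greylisted, try again later"
        return 250, "passed pre-filter"


if __name__ == "__main__":
    f = PreFilter()
    # Constructed SMTP sessions: (client ip, HELO, MAIL FROM, RCPT TO, time)
    sessions = [
        ("203.0.113.9", "localhost", "a@example.com", "u@example.net", 0),
        ("203.0.113.9", "[192.168.1.5]", "a@example.com", "u@example.net", 0),
        ("203.0.113.9", "mx.example.com", "boss@example.net", "u@example.net", 0),
        ("203.0.113.9", "mx.example.com", "a@example.com", "u@example.net", 0),
        ("203.0.113.9", "mx.example.com", "a@example.com", "u@example.net", 400),
    ]
    for s in sessions:
        print(s, "->", f.check(*s))
```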

Re:Still barking up the wrong f'ing tree... (1)

Just some bastard (1113513) | more than 6 years ago | (#20802763)

1. Implement Greylisting. Spammers don't retry

Nearly all MTA software is configured to reattempt delivery. Now, thanks to greylisting even Zombies are beginning to retry on temporary failure. This sucks if (like me) you always thought greylisting was pointless but are rejecting clients for lack of forward resolvable rDNS.

Re:Still barking up the wrong f'ing tree... (1)

damn_registrars (1103043) | more than 6 years ago | (#20803357)

I dunno. I've been pretty spam-free for the past several years using mimedefang, milter-greylist, and spamassassin.

Except that the mail has already been delivered to your network at that point. So I would say we've already lost. Even if you aren't using any significant CPU time at that point, you're still wasting bandwidth. The spam has already traversed the internet to get to you. Even if you didn't acknowledge that it got to you, it still came in.

So really, we need to ask why it was sent to begin with...

As much as we'd like to say it was because of some evil-doer who we would like to see strung out on 1st street ala the old days of the London Bridge, it is simpler than that.

It was sent to you because of the potential to make money. Spam is still big business for a certain number of people. Obviously we'll never get 100% of people who use the internet to stop buying from spam, and even 99.99999% isn't close enough to remove the incentive from the spammers.

The only way to win against spam is to take away the profitability. And all the filtering in the world can never accomplish that.

Re:Still barking up the wrong f'ing tree... (2, Insightful)

Bogtha (906264) | more than 6 years ago | (#20802543)

I'm frankly rather baffled at the lengths that people will go to in order to try to {filter / reject / stop transmission of} spam. We've already seen for years that such efforts are futile, because the same spammers will just adapt and find a way to pump out their crap anyways.

I receive approximately one spam email every 45 seconds. Constantly. Without spam filtering, I would go to bed with an empty inbox and wake up to 500 spam emails. Spam filtering, far from being futile, is the only thing that makes email usable for me. Without spam filtering, I would simply have to give up on email.

Can it stop all spam? No. Do filters have to adapt? Yes. But that hardly means that filtering is futile, it just means that it's not as easy as we'd all like it to be.

Re:Still barking up the wrong f'ing tree... (1)

damn_registrars (1103043) | more than 6 years ago | (#20803279)

Can it stop all spam? No. Do filters have to adapt? Yes. But that hardly means that filtering is futile, it just means that it's not as easy as we'd all like it to be.


I would say that indicates that filters are losing the war on spam, because the spammers just find new ways around them. It's not about what's easy. I'm not looking for an easy solution, I'm looking for a solution that will actually work.

And a working solution would have to remove the incentive behind spam. Your filters do nothing to remove the incentive. One could even argue that filters add incentive to spammers, because they know that there are plenty of joe users with machines that have simple geek-squad-installed spam filtering, who just might be willing suckers if the spam can get through.

Hence, filtering does nothing to stop the problem. It's a band-aid for a gushing head wound. Just because you can hide from spam, and turn your back to it for a few weeks until the spammers find a way past your newest algorithm doesn't mean that you're winning at all. Indeed, we're all losing because the spammers are still making enough money to pay for registration and hosting costs. As well as their addresses in Tahiti, Finland, China, and Siberia.

Re:Still barking up the wrong f'ing tree... (1)

Bogtha (906264) | more than 6 years ago | (#20803669)

I would say that indicates that filters are losing the war on spam, because the spammers just find new ways around them.

Spammers "just" find new ways around them about as easily as spam filters "just" adapt to new forms of spam. You can't consider one to be an insurmountable task that indicates failure while the other is an easy way of mitigating the progress of the other side. You are applying a double-standard here. Both pose problems for the other side and both can be adapted to.

Your filters do nothing to remove the incentive.

My filters? I don't come up with my own filters, I use common anti-spam filters that are used by many people, including ISPs. For instance, I'm a web developer and I provide mail service to my clients. All the spam that is filtered out on behalf of my clients is spam that my clients could have bought from. The incentive is diminished by every spam that could have made it to a willing recipient but did not.

One could even argue that filters add incentive to spammers, because they know that there are plenty of joe users with machines that have simple geek-squad-installed spam filtering, who just might be willing suckers if the spam can get through.

This makes no sense. Without the filters, they would still be willing suckers.

Hence, filtering does nothing to stop the problem.

Problem: My email is unusable because legitimate mail comprises 1% of my incoming mail. I use a filter. My email is now usable. The problem is stopped.

Sure, there's a larger problem of how to stop the spam from being sent in the first place, but that doesn't mean that spam filters don't solve problems in a very real way.

Just because you can hide from spam, and turn your back to it for a few weeks until the spammers find a way past your newest algorithm doesn't mean that you're winning at all.

Have you ever maintained a mail server? While spam filters do have to be upgraded every so often, it's not a case of turning your back for a few weeks and then disaster strikes as all the spammers in the world find a new technique and implement it together. Unmaintained filters slowly become less effective over time, but things like sa-update etc mitigate this and the problem is not at all how you characterise it.

Indeed, we're all losing because the spammers are still making enough money to pay for registration and hosting costs.

Our disagreement is that you define anything other than bankrupt spammers as a total failure, while I think that there are lots of problems that can be solved that make things better for users and worse for spammers. I don't think solving those problems is "losing".

Re:Still barking up the wrong f'ing tree... (3, Insightful)

Anne Thwacks (531696) | more than 6 years ago | (#20802583)

we need an economic solution

Nope. We need a solution involving cruise missiles though bedroom windows late at night.

We need Spam Assassin Ninjas clad in impregnable black carbon-fibre capes with the knives of cutting edge technology and the deadly intent of artificial intelligence enhanced mania.

We need mountains of spammer bodies piled high on the forefront of technological .

We need chain gangs of spammers publicly televised chanting "The Only Good Spammer is a dead Spammer" to the sound of hammers hitting rocks.

In summary: Cruel and inhuman torture is not enough for these guys

Re:Still barking up the wrong f'ing tree... (1)

UbuntuDupe (970646) | more than 6 years ago | (#20802785)

Your post advocates a:

( ) technical ( ) legislative ( ) market-based (X) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(X) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(X) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Still barking up the wrong f'ing tree... (1)

Xtravar (725372) | more than 6 years ago | (#20802947)

We need a solution involving cruise missiles though bedroom windows late at night.
So... would you say this is a "War on Spam"?

Maybe our government could declare spammers as "enemy combatants".

Re:Still barking up the wrong f'ing tree... (1)

maxwell demon (590494) | more than 6 years ago | (#20803383)

Instead, we allow registrars who don't speak English (or at least claim to not speak English when you contact them) to sell .com domains, which are used to sell illegal products to foolish customers here in the US.

And how is the registrar to know that the person registering the domain will pretend not to speak English later on? Do registrars have crystal balls, or what?

Re:Still barking up the wrong f'ing tree... (1)

damn_registrars (1103043) | more than 6 years ago | (#20803449)

And how is the registrar to know that the person registering the domain will pretend not to speak English later on? Do registrars have crystal balls, or what?

Perhaps I wasn't clear. I could care less whether or not the person to whom the domain is registered is willing to speak English or not. I was talking instead about whether or not the registrar of US-based TLD's will actually speak English. For example, I have seen that spammers are enjoying the registrar services of bizcn.com. If you go to their website, there is virtually no English on it. But yet the registration data they make available for the .com domains that they sell is in English. Though if you try to contact them about a spamming domain that they sold to a known criminal, their reply is (shockingly) a canned response in Chinese.

So no, I don't care what kind of balls the registrars have. Indeed, I would say they have too large of cojones already. I'd like to see some castration done to get them in line to help remove the economic incentive that they make for the spammers.

will not work (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#20802253)

Disclaimer: you may think posting these is lame. I work in the antispam industry. I get a lot of this at dinner-parties, to the extent I'm thinking of getting properly printed versions made up...

Your post advocates a

(X) technical ( ) legislative (X) market-based ( ) vigilante


approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(X) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(X) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Mis-read (1)

johnw (3725) | more than 6 years ago | (#20802305)

Am I alone in having read that as "Novell Method for Universal EMail Authentication"? Might have been more interesting.

Re:Mis-read (1)

damn_registrars (1103043) | more than 6 years ago | (#20803315)

That was aided by someone's clumsy use of the "dept" name:

from the well-kinda-novell-anyway dept


CmdrTaco needs to double check that. At least someone with the qualifications was smart enough to tag the story as "!novell" to try to clear it up.

email has already been replaced (4, Interesting)

Chapter80 (926879) | more than 6 years ago | (#20802321)

The spam problems of email are causing people to migrate to trusted systems.

As I stood at a kiosk at a trade show this week, and waded through my spam-filled email on a few services (work email, hotmail, and gmail), the young woman at the kiosk next to me accessed her myspace and facebook accounts and responded to friends only.

She turned and said that only old people use email. And she was a VENDOR at the conference.... Things that make you go hmmmmmmmm......

Re:email has already been replaced (1)

adrianmonk (890071) | more than 6 years ago | (#20802629)

The spam problems of email are causing people to migrate to trusted systems.

As I stood at a kiosk at a trade show this week, and waded through my spam-filled email on a few services (work email, hotmail, and gmail), the young woman at the kiosk next to me accessed her myspace and facebook accounts and responded to friends only.

If you think myspace users don't get spam through myspace, you apparently haven't ever used myspace. And if you think myspace handles the spam that does exist well, you really have not used myspace much. For one thing, when an account is marked as a spammer and then deleted, messages in the recipient's inbox from that account get marked as messages from spammers but don't disappear from the inbox. Because the people who implemented myspace are absolute geniuses.

Re:email has already been replaced (1)

Chapter80 (926879) | more than 6 years ago | (#20803045)

I am far from an expert on Myspace. I've only used it to research job candidates. My only MySpace accounts are courtesy of bugmenot.com. So don't interpret what I say as researched opinions.

I was more just stunned that she sat on that kiosk and "worked" away on facebook and myspace.

Maybe LinkedIn or some other "more trustworthy" business-oriented social network site will help address the spam problem, by only letting you communicate with people who are in your "circle of trust".

Not a perfect solution (and I HATE LinkedIn* and will resist using it every step of the way), but it's coming, and according to this young woman, the time has arrived, and these sites have replaced email for the up and coming business woman.

* the reason I hate LinkedIn is because it's often listed among a set of sites that can expose too much information. Once, I witnessed someone researching their competitor's "network" of contacts using a site like this. This person was able to gather far too much information, for free, about the people that his competitor was calling on.

Re:email has already been replaced (1)

hab136 (30884) | more than 6 years ago | (#20803305)

Maybe LinkedIn or some other "more trustworthy" business-oriented social network site will help address the spam problem, by only letting you communicate with people who are in your "circle of trust".

The spam I get on Myspace is from spammers inviting me to be their friend.

If you can communicate with someone (even just to ask to be added to someone's "circle of trust") then you will receive spam over that channel.

Re:email has already been replaced (1)

damn_registrars (1103043) | more than 6 years ago | (#20803483)

She turned and said that only old people use email. And she was a VENDOR at the conference.... Things that make you go hmmmmmmmm......

That's when I shake my cane at her and tell her I won't be buying anything from her company...

And to get off my lawn, daw-gonnit.

Re:email has already been replaced (1)

jez9999 (618189) | more than 6 years ago | (#20803767)

In Korea, only old people use e-mail.

Bounces Won't Work (2, Interesting)

maz2331 (1104901) | more than 6 years ago | (#20802333)

Many if not most mail servers now drop messages to invalid recipients at SMTP time and don't send bounces any more. I've had to implement this on every mail server I set up to keep the mail queues from backing up to several thousand messages to invalid "bounce" addresses.

It would work if bounce messages were still sent.

tootin' horn - I vote e-stamps (1)

Tablizer (95088) | more than 6 years ago | (#20802381)

A title like, "novel method to rapidly generate a near-perfect global SPF database" bothers me because there are too many "brag words": "novel", "rapidly", and "near-perfect". Horn tooters are usually crackpots and cons.

As far as spam solutions, I think some kind of purchased "e-stamp" is the way to go. Until zombie owners get hit in the pocketbook, nobody will clean up the crap.
   

Re:tootin' horn - I vote e-stamps (1)

Ant P. (974313) | more than 6 years ago | (#20802721)

There's already hashcash, but nobody will use it.

Re:tootin' horn - I vote e-stamps (1)

Epsillon (608775) | more than 6 years ago | (#20803569)

I'm not really surprised. Would you trust someone who plonks an open relay on the net [hashcash.org] (1c) and then wonders why he ends up in an ORBL? I can understand if it was a mistake but, to further incriminate himself, he goes on to say he then set up SMTP_AUTH (which should have been done in the first place and also proves he could have done it correctly) and moans about "blacklist operators and ISPs... intentionally sabotag[ing]" his poor mail server. I would laugh if it wasn't so tragically typical.

Rearrange: Himself. Blame. Got. Only. To. And shit happens.

Why didn't I think of it? (1)

louzer (1006689) | more than 6 years ago | (#20802497)

Maybe because my slashdot nick sounds like my real name.

Not SPF, and similar to what I use... (4, Interesting)

argent (18001) | more than 6 years ago | (#20802555)

This is just an additional layer over automatic whitelisting of addresses using tagged responses.

Some years ago I set up for my family a pretty simple set of procmail rules and scripts that bounced messages that hadn't otherwise been classified as spam or been whitelisted with requests that they be resent with a certain keyword in the subject line. For example:

"Hello, you just sent me the following message. Could you send me the message again with the word 'leisure' in the subject line? You can reply to this message if you like, just be sure to add 'leisure' to the subject line."

Over a period of several years the only spam that's gotten through this has been from a 419er.

The advantage of a subject line token like this is that you can tell people the token to use, or put the token in the subject line when you send the message so it's usually there when the recipient replies.

Whether you take the resulting message and whitelist the sender address, or some other information in the header that you consider reasonable, that's up to you. It's not really the same thing as the SPF database, though, even if you choose to make the same kind of information the key you use for whitelisting. The point of SPF is that it's supposed to be authoritative for the organizations involved, and doesn't include things like "I sent something with my work address from Earthlink and now you're accepting mail from my work domain through Earthlink's servers".

And using this to whitelist the sender rather than their whole domain gives you a lot finer control.

Re:Not SPF, and similar to what I use... (1)

alexmeaden (165589) | more than 6 years ago | (#20802599)

And thus you are spamming the people whose email addresses have been forged, well done.

Re:Not SPF, and similar to what I use... (1)

argent (18001) | more than 6 years ago | (#20802675)

And thus you are spamming the people whose email addresses have been forged, well done.

That's true for pretty much any sender verification mechanism, or any mechanism that operates during the initial conversation exchange (like, say, SPF or DNSRBLs) because of secondary bounces. I got one of my domains forged a bunch, and by far the most common secondary spam isn't people running sender verification systems... it's bounces from intermediate servers that were rejected by the destination, and next come messages from anti-spam or anti-virus software telling me "my" message is spam or a virus. THAT kind of bouncage is bizarre, since viruses and spam have had almost universally forged addresses since last century.

At only one message per address, ever (modulo lossage in the database of people who've been already seen), and only if they haven't been handled on the server (which takes care of the vast majority of spam during the initial conversation or via simplistic content filters).

Re:Not SPF, and similar to what I use... (0)

Anonymous Coward | more than 6 years ago | (#20803105)

I have yet to see a reasonable challenge-response system that handles the scenario where you fill out a web form and an automated process sends you a wanted email.

In your case, it sounds like you reply back to an unmanned mailbox "hi, add this word to your subject". And that ain't happening!

If it walks like a duck... (3, Informative)

jumperboy (1054800) | more than 6 years ago | (#20802701)

This is clearly Challenge/Response with automated whitelisting. The following Wikipedia entry addresses every facet of this system:

http://en.wikipedia.org/wiki/Challenge-response_spam_filtering [wikipedia.org]

Re:If it walks like a duck... (1)

eric76 (679787) | more than 6 years ago | (#20803707)

Bingo. You hit the nail on the head.

It's a Challenge/Response system that in and of itself adds to the problem instead of solving anything.

Greylisting and SMTP TLS (1)

o517375 (314601) | more than 6 years ago | (#20802803)

We implemented greylisting. It is the answer. Tens of thousands of emails per day are bounced by our servers away into oblivion. Server CPU is negligible. Let's not reinvent the wheel. Why don't we just build greylisting right into the SMTP protocol? Sure some spammers will resend, but at what cost? How many _can't_ resend?

Also I believe SMTP over TLS is the second part of the answer to the spam problem. It adds one more cost to the sender i.e. exchanging certificates and encrypting email. If you send out 2 million emails and have to exchange 1.5 million certificates then encrypt the email with the certificate you downloaded, well, I think you see the problem for the renegade spammer who's sending email over cheap DSL/dial-up links. We have HTTPS. Why not enforce SMTPS? I believe the protocol has already been established.

Re:Greylisting and SMTP TLS (1)

Just some bastard (1113513) | more than 6 years ago | (#20803189)

We implemented greylisting. It is the answer.

The answer is zombies retrying indefinitely? I have a "legitimate bulk mailer" who effectively tarpits himself by retrying every 4 mins for 5 days on 45x for each message. Multiply that by the amount of zombies out there - and welcome to DOS city! If botnet operators are going to give up because of greylists, is my "legitimate bulk emailer" going to monitor his mail queue or prune his address lists? These people are spammers, we already know they don't care.

TLS won't stop the botnet operators either, modern desktop PCs are powerful enough to do the certificate exchange. It's our servers that would struggle with TLS and some (most?) SME servers are in fact NAT'd behind the dedicated IP.

Cancel e-mail for any bounce (1)

RandomPrecision (911416) | more than 6 years ago | (#20802877)

Why not just cancel the sending of any e-mail that would cause a bounce? If someone is attempting to send an e-mail to addresses A, B, C, and D, check each address to see if a message would bounce, and if even one (say, C) sends a bounce reply, don't send the e-mail.

The only legitimate use I could see being interrupted is mailing lists, if someone's e-mail address is suddenly terminated, without them first leaving the mailing list. But surely, it shouldn't be that much of an issue if each message of the mailing list is opt-in from a link in the previous message, unless complete and unexpected e-mail address termination is far more common than I assume.

calculating math to detect spam (1)

tfiedler (732589) | more than 6 years ago | (#20802971)

I read something a few years ago regarding a potential solution for catching spammers. It was based on the presumption that because spammers send millions, if not 100s of millions of messages at a time, that it would be computationally impossible for them to calculate the results of a math problem and then checksum the result/sign the result against the message and then send it and the problem as part of the header. Or something to that effect. The assumption was that the home or casual user sends so little mail that it wouldn't introduce a delay into their mail sending flow to perform this operation. So when you receive the message, you then check the result sent against the result you calculated and if they match, give it a better score.

Of course, I don't doubt that I missed something in my recounting of it but it sounds on the surface like a better idea than the article describes.

Re:calculating math to detect spam (1)

bobintetley (643462) | more than 6 years ago | (#20803781)

I think you're referring to something like HashCash [hashcash.org] . Sounds interesting, but I'm not convinced it would work.
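
Added example, not part of any comment in this thread and not code from the hashcash project: a minimal Python sketch of the proof-of-work stamp idea the two comments above describe, using the hashcash version 1 stamp layout (`1:bits:date:resource:ext:rand:counter`, SHA-1 with leading zero bits). The addresses, date and random field used with it are constructed sample values, and date expiry checking is left out.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def mint(resource: str, bits: int, date: str, rand: str) -> str:
    """Sender side: try counters until SHA-1(stamp) starts with `bits` zero bits.
    Expected cost is about 2**bits hashes per recipient."""
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    for counter in count():
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp: str, recipient: str, min_bits: int, seen: set) -> bool:
    """Receiver side: cheap field checks plus a single hash."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    claimed_bits, resource = fields[1], fields[3]
    if not claimed_bits.isdigit() or int(claimed_bits) < min_bits:
        return False          # sender claims less work than we require
    if resource != recipient:
        return False          # stamp was minted for a different address
    if stamp in seen:
        return False          # replayed stamp: the work was already spent
    digest = hashlib.sha1(stamp.encode()).digest()
    if leading_zero_bits(digest) < int(claimed_bits):
        return False          # claimed work was not actually done
    seen.add(stamp)
    return True
```

The asymmetry is the point: minting costs the sender thousands of hashes per recipient at 12 bits (about a million at 20), while the receiver spends one hash, and the recipient binding plus the `seen` set keep one stamp from being reused across a mailing run.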

My current approach (2, Interesting)

eric76 (679787) | more than 6 years ago | (#20803785)

I've been using greylisting. For me, it really hasn't become less effective, but I have noticed that the mix of the spam has changed dramatically.

I'm getting ready to switch to two methods.

First, on one specific account that has become inundated with spam (probably because it is on just about every web page with registered IANA port assignments), I'm in the process of switching it over to the point where it will only accept unencrypted e-mail from a select list of whitelisted sources. If someone is not on that list of whitelisted sources, they are going to have to encrypt the e-mail using my public PGP key for the e-mail to be delivered.

Second, our mail server has something in the range of 100 to 200 users. I am generating thousands of additional e-mail addresses and aliasing them on the server to a single account. Those thousands of new e-mail addresses, initially 8,192 e-mail addresses, will be listed on various web pages for the spammers to harvest.

As e-mail starts to be delivered to those addresses, I will opt-out of all the e-mail so that they know the e-mail address is real and gets read. Once the spam reaches a certain level, I will then start blacklisting every incoming server delivering e-mail to one of those 8,192 addresses.

The length of time on the blacklist will vary. No IP address will be removed until a reverse DNS lookup for it exists.

If the reverse DNS lookup gives any idea that it may be a dialup, dhcp, or anything else that makes it look like it is probably a home computer (e.g. dialup-10-1-1-99.example.com), the IP address will be blocked for a month or more.

If the reverse DNS indicates that it is an smtp server (e.g. mta09.example.com), it will be blacklisted for maybe 24 or 48 hours.

Anything else will be blacklisted for one to two weeks. If additional e-mails arrive from a blacklisted IP address, the clock will start over.

I figure that with 8,192 spamtrap addresses and 100-200 user addresses, most spam zombies will be far more likely to hit the spamtrap addresses first where they may be automagically blacklisted.
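
Added example, not part of the comment above and not the commenter's code: a Python sketch of the spamtrap blacklist policy that comment describes, with the listing period chosen from the reverse DNS name and the clock restarting on every further delivery attempt. The hostname patterns and the exact periods (30 days, 48 hours, 14 days) are assumptions picked from within the ranges the comment gives; the caller supplies the PTR lookup result, `None` when there is none.

```python
import re
from datetime import timedelta

# Assumed patterns: the comment gives only "dialup-10-1-1-99" and "mta09" as examples.
HOME_RE = re.compile(r"dialup|dhcp|dsl|cable|ppp|pool|dynamic", re.I)
MTA_RE = re.compile(r"^(mta|mx|smtp|mail|relay)[\w-]*\.", re.I)

def block_duration(rdns):
    """Map a PTR name (None if the lookup failed) to a listing period."""
    if rdns is None:
        return None                    # never removed while no reverse DNS exists
    if HOME_RE.search(rdns):
        return timedelta(days=30)      # looks like a home machine: "a month or more"
    if MTA_RE.match(rdns):
        return timedelta(hours=48)     # looks like a mail server: "24 or 48 hours"
    return timedelta(days=14)          # anything else: "one to two weeks"

class TrapBlacklist:
    def __init__(self, trap_addresses):
        self.traps = {a.lower() for a in trap_addresses}
        self.listed_at = {}            # ip -> time the clock last (re)started

    def is_blocked(self, ip, rdns, now):
        start = self.listed_at.get(ip)
        if start is None:
            return False
        duration = block_duration(rdns)
        if duration is not None and now >= start + duration:
            del self.listed_at[ip]     # listing expired
            return False
        return True

    def on_delivery(self, ip, rdns, rcpt, now):
        """Decide one delivery attempt; rdns is the caller's PTR lookup result."""
        if self.is_blocked(ip, rdns, now) or rcpt.lower() in self.traps:
            self.listed_at[ip] = now   # new listing, or the clock starts over
            return "reject"
        return "accept"
```

Because a legitimate relay that forwards one message to a trap address is listed just like a zombie, the short period for names that look like mail servers is what limits collateral damage in this policy.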