Turing Tests to Stop Spam
cexy writes "The Register has a story about how Hotmail and Yahoo! are using Carnegie Mellon developed captcha technology (completely automated public Turing tests to tell computers and humans apart) to stop spammers from automating signups for accounts from which they can send spam. These guys are using captcha too, but to stop incoming spam."
My Spam filter in Yahoo catches way, way, more than the one at hotmail. It is always surprising to me when you open a new hotmail account that it takes only like a week to be flooded with Spam. A week of doing nothing with the account but initially opening it. *sigh*
Neuromancer flash back.
That is why. All the spammers are targeting hotmail. I hate the anti-ms bias. I use a filter on my hotmail. It is an allow only filter. Those are the best kind because I make the decision of who gets through to me.
For those who don't know, The CMU developed captcha project is great. Check out their work here:
http://www.captcha.net/
Where it shows you a smeared image of a number that you have to type in to register with a site? I think Slashdot has had this for a while now, and I know I have seen it on other sites as far back as a few years ago.
I don't have much personal experience with SpamAssassin, but from what I heard it does a fine job already.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
Does Hotmail really think that I have friends named things like ilikeitinthebutt?
I've only had my Yahoo account since last year and my Hotmail account since 1997, so this may not be a fair comparison:
Yahoo spam today:
0
Hotmail spam today:
18
Which is doing a better job at stopping spam you say?
Saskboy's blog is good. 9 out of 10 dentists agree.
What about mailing lists?
I would rather Yahoo stop spam from getting to my mail account before they concentrate on stopping people from signing up automatically. I'm one of the few people who actually pay for Yahoo "additional" services. I thought I would get better anti-spam support. Not so far. I literally have 10 to 20 an hour and I can't block anymore because Yahoo only allows 100 addresses to be blocked. And considering the spammers are using 12374614187641874@optinmail.com along with other numerous addresses, it's impossible to block the majority of them. Hell I would even be happy if they would start allowing people to block entire domains. That would be a good first step.
My sig of choice is Marlboro
I have SpamAssassin at my isp (Verio) and it kicks ass. Probably a false positive per week (and that's often a slashdot Daily Stories email), and a false negative every 3-4 days. Pretty damn good. Cut inbox crapola from 10-20 per day to, well, zero.
sulli
RTFJ.
The idea is far from foolproof. Computers could be programmed to try multiple different phrases or spammers could hire people to manually create accounts. Also the idea does nothing to stop spammers harvesting email account details from the Net in the first place.
Any serious spamming outfit will quickly defeat this type of protection. It seems to me that the number of accounts a spammer needs to set up to generate spam can be fairly limited.
And I recently noticed that spam, while smaller in quantity, are much larger than normal (non-html image bloated crap).
First, I would like to know if there is a server-side daemon I could run that goes through all user accounts and weeds out spam (without knowing their passwords.)
Second, I would like to know if I have any legal recourse against unsolicited email hogging my bandwidth. Could I stockpile a year's worth and send the spammers a bill for the used bandwidth?
You can't judge a book by the way it wears its hair.
18 Hotmail spam today!
Which is doing a better job at stopping spam you say?
You may have heard that you can buy or sell anything on eBay!
Dr. Seuss, I presume?
sulli
RTFJ.
When someone would send you mail, it would send back a link to a small image, in the image was a 'click here' dot, only a human (or some software that no spammer would take the time to write) can get their email into your mailbox.
Kind of offensive though, a lot of people took offence to clicking a link to send me email.
MsgTo.Com disappeared some time ago during the .com "troubles".
Hedley
According to the article, it says that the spammers could pay ppl to signup instead of using scripts. IANAL, but this would seem to be intentional misrepresentation and "transferrance"(sp?) of the email account. I would think there would be some legal ramifications of this.
"Completely automated public test to tell males and females apart".
.....
a/s/l?
"18f,Florida"
Do you mind if I ask you to take a quick Captmfa?
"Sure, go ahead"
Test completed. Result = 34m, Detroit.
Instead it's something they hacked up because new programs were getting around the old OCR blockers. Blah.
The truth is accounts like Yahoo and Hotmail only exist to turn a profit for their owners. I know not everyone can get an e-mail address that they can use for personal means in any other way, but you have to accept what you are getting into when you open one of these accounts.
Personally, I have several e-mail accounts and only use my hotmail and yahoo for things like web page registration.
Now if they could just come up with a turing test for slashdot repeats!
http://developers.slashdot.org/article.pl?sid=02/12/30/1740211&mode=thread&tid=111
Granted this is not a direct repeat but the articles are just different sources for the same story.
-- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
Don't you think it would be possible to write a program that could handle one of these captcha tests? Has anyone tried this, to validate their claims? Otherwise it's like roll-your-own crypto, worthless if you don't know if it can be defeated.
You can use SA as a filter when accepting mail for all your users. It will tag based on some rules. You can then delete the mails, or let users classify (better, otherwise false positives will mean lost mail) or whatever you want (manual check? quarantine?).
Seriously, this is nothing new, the technology isn't exactly ground breaking....why is this even worthy of a post?
"The saddest words of mice and men, are not those which were, but should have been."
have you tried to add '@spammailer.com' to the mail blocker? And things still get through?
I turned on my hotmail filters so now only people on my whitelist can send mail directly to my inbox.
0 spam for months now.
The only negative is if someone not on my whitelist sends mail, I have to rummage through the rest of the junk to find it.
"No Matter Where You Go.. There You Are." -- Buckaroo Banzai
I recently had to create an e-mail address that I could use for posting to a mailing list where the addresses are all public. I tried Hotmail first, and although I passed part 1 of their Turing test, the captcha test, I think I failed part 2: once I was all done filling in my personal information (retired female homemaker in Antarctica, born in 1891), I got some kind of mystifying error message saying something about my .NET account (which I don't have). I guess if I was human, I'd have been able to figure out what they meant.
Oh well, I passed Yahoo's captcha test, and they didn't have a part 2...
As a recipient of spam, I also don't see this having any beneficial effects. I get lots and lots of spam from hotmail.com and yahoo.com addresses. They're all forged headers, so it doesn't matter that Yahoo and Hotmail have botproofing -- the accounts I'm getting spam from aren't even real Yahoo and Hotmail accounts. It's great that they're trying to make sure they aren't spam havens (and of course it costs them money if spammers use their services), but I really think the whole e-mail infrastructure needs reworking in order to get rid of spam. Sending e-mail should cost some token amount of money, and there should also be some way of tossing out mail with forged headers (e.g., my mail client should be able to tell whether the cryptographic signature on an e-mail indicates that it really came from hotmail.com or yahoo.com).
Find free books.
It's time for my regular rant regarding PopFile and Bayesian excellence and how SPAM WOULD DISAPPEAR IF BAYESIAN TECHNIQUES WERE APPLIED AT THE ISP LEVEL!!!!
And now, back to our regular show.
It's Christmas everyday with BitTorrent.
click mail options:
go to
"Enter email address (or domain) to block:"
enter domain in text box, such as
whatever.com
click, add block
The Kruger Dunning explains most post on
A whole week? I copped about 20 within the first 24 hours in my most recent hotmail account, without disclosing it to anyone/anything.
blocking automatic signups, will go a long way to stopping spam sending. I'm sick of seeing spam complaints from clueless people who know just enough to be dangerous. We currently have one of our IP addresses being forged in mail coming from one or more yahoo POP mail accounts. Unfortunately our complaints have fallen on yahoo's deaf ears. And our company's reputation continues to be blackened.
It's getting to the point where the only way to get yahoo to act would be to sue Yahoo Australia for Defamation through inaction and seek damages.
A correction. Seems that they do now allow blocking of domains since the last time I tried. My bad.
My sig of choice is Marlboro
I was a big Hotmail fan until I found Yahoo to have twice the room for free, and literally NO SPAM.
The custom filter option in Hotmail now is restricted to just 10 filters. I have 32, and if I edit them once now, I'm sunk. 10 can't possibly keep out all I'm succeeding with now.
Boobs [I wish I had real email with this in the title, but I don't]
Virgins [Once again, wishful thinking]
DVD [Don't own a drive yet]
FREE [Do your friends tell you you are getting something for free?]
And I don't bother reading any "Re:Your Inquiry" emails. I mean, how stupid do you have to be to send an email to someone with the subject "Your Inquiry"?
Saskboy's blog is good. 9 out of 10 dentists agree.
These Turing tests do not stop spam. They discourage spammers from using bogus Hotmail etc accounts to originate spam from. They do this by making it incrementally more expensive to create the accounts; rather than using a bot to create an account a second you have to use a human to create accounts by the minute. So 60 times the effort.
But I don't think that translates into 60 times the cost. The Turing tests are interesting but I don't think that the creation of the accounts ever was a bottleneck in the process in sending spam. You could get a high school kid to create all the accounts you would need for a month in about an hour, and pay him in pr0n.
If the truth were known, Hotmail and Yahoo are just trying to decrease server loads. I bet that when bots create accounts they create hundreds or thousands more than are used, which take up server resources during creation and later as the accounts eat up storage. With Turing tests it is more likely that not too many will be laying around waiting to be used.
=^..^= all your rodent are belong to us
That Reg story was posted a WEEK ago. It's old news. /. needs to get some news that's actually NEWs.
Repeal the DMCA!
As many of you have written, it only takes a few days after you open your hotmail account until you start getting 100+ spams everyday. Why don't the administrators of hotmail create an account, add all the email addresses and topics of the emails that are sent to that address and delete / block all emails that correspond with those on the list from everybody's account. I know this would probably use a lot of CPU-time, but that will be saved by being able to block many of the spams that are sent to regular users. I also know that the sender's address sometimes is accountholdersname@spamsender.com, this can also easily be avoided by enabling the user to block all email sent to him having that address. This is in no way waterproof -- I know. But it will certainly make life easier for the hotmail / yahoo users. The problem is of course that when these sites start using it, the spammers will find ways to work around it. It is important however, that we do what we can to make life as miserable as possible for those SOB's
In Soviet Russia, Kharma is divided equally among all comrades.
During the animation at Spamarrest, I kept expecting to see a doodie! Yucky!
I guess this isn't used to prevent Hotmail users from receiving Spam. It is to prevent spammers from signing up for Hotmail accounts to use against the rest of us.
:)
Do you know why Hotmail is called Hotmail btw? HoTMaiL.
The Internet is full. Go Away!!!
Uh oh, looks like Spam Arrest is inflicted with Patent Priapism, a horrible disease in which you feel you must patent some stupid thing you "invented", when you actually just combined two or more existing things in a most un-original way.
They have patent pending on "calling back to verify a phone number" except it's email.
I would suggest avoiding this company's products and services.
Blocking by address is almost useless, unless you're getting mail from a legitimate spammer (i.e. you didn't read the fine print before signing up for something) and in those cases, you can normally opt-out anyways. The return addresses on regular spam are always forged--even though it says bighairyclit@hotmail.com it's really routed through a server in China and there's no such hotmail account.
Warning to Malda & Co.: Now that Slashdot uses a visual CAPTCHA as the only way to create a new account, blind users have no way to sign up for an account. Thus, Slashdot is not accessible to blind people and not compliant with Section 508, a US law that requires web sites of companies that do business with the US government to be accessible to the disabled.
Will I retire or break 10K?
Those images you get in spam are usually bugged, specifically if they have a unique name and are going to a special server, they can confirm that your email address is still good. Also, they may be able to get something out of your browser too as to who you are.
There are only 3 ways spammers can get your email address:
1.) you sign up for something with that email
2.) they randomly generate it
3.) yahoo/hotmail sells/gives it to them or they get hacked
Repeal the DMCA!
From the captcha site:
"[...] humans can read distorted text as the one shown below but current computer programs can't:"
I think they mean "non-blind humans". How exactly will they ever solve that problem? If a blind man's OCR program can read the text, so can the spammer's.
I see a lot of posts here comparing the relative merits of different spam filters, based on how little spam gets through. The thing I worry about a lot more with spam filters is how much of my non-spam mail gets blocked. And yes, I've had this happen with every spam filtering mechanism some sysadmin has inflicted on me. This is the main reason I like spam filtering at the user level, not the ISP or system level -- at least you have some control over the imperfections.
Tired of flames?
- Use the emacs psychologist to determine the mood of people sending you email!
Any sufficiently advanced libertarian utopia is indistinguishable from government.
This idea means licensing them so that they are properly registered, Meaning we know who they are and where they live.
Meaning that they can be billed for use of service, etc. and jail those not properly licensed.
Meaning that we can send bill collectors and tax collectors hunting after them.
The bottom line is that IF we can make it profitable to go after these guys, someone will make a business of it. We just got to figure a way how.
Then we get to use the scum of society, such as bill collectors and tax collectors, and turn them to some good, going after spammers.
And we can use the money collected to subsidise the cost of something useful.
Now Lessig has also proposed something similar to this:
http://www.cioinsight.com/article2/0,3959,533225,00.asp
Which essentially means that there are more eyeballs to track the scum down. And a financial reward to do so.
The twist in my proposal is to make spam have a cost even if sent "legally" - [lots of states have finance problems], and make the penalties truly painful if done illegally. I want to set my own fees for receiving spam
"It is a greater offense to steal men's labor, than their clothes"
Damn Slashvertisements. I don't care if it is to block spam, it doesn't belong.
On the other hand, the banners are just fine and for those of you who have their banners turned off, Blizzard has an opening for a Unix Admin and a great ad. I'd link to it here but you should really turn banners on. I know they are annoying, but banners bring in money for slashdot. That $49.99 or $9.99 or whatever you pay for your ISP is NOT giving that money to slashdot, and for them to remain free, they need you to download those damn ads.
Now, turning off pop-ups, that's acceptable. But think of all the porn you're missing!
Every time you want to send an e-mail to someone, their ISP (or even their own mail server) quickly replies to you with a challenge (image for you to decipher), when you decipher the image, and reply ("as in confirm you're a human") your original message appears in the in-box of the person to whom you've sent it. Anyone can define their own tests if they're not happy with default ones, and you never see an e-mail which hasn't passed YOUR tests.
And since these tests are interactive (ie: you're asking the PERSON who e-mailed you a question, they can be quite hard to fool with a computer).
Non-challenging e-mail addresses (or mailings) can still exist, and will be clearly marked as haven't been 'verified'... ie: treated as bulk e-mail.
"If anything can go wrong, it will." - Murphy
Well, it's not, but you know...
Mozilla now comes with its own Spam Filter starting with 1.3Alpha. Anyone know how well it works? I haven't had a chance to try it.
Think this is off topic? Read the last line of the slashdot story and click the link, where you can take a "Free 30-Day Trial!!"
=)
Mail.app's filtering is fantastic. I only look at around one spam message every two weeks, and I've only had one false positive (which was advertising something, as it was) in the year and a half that I've been using it. The filter is probably too CPU intensive to use on any large scale, though.
I get advertisements for spamarrest on the bottom of my spam quite often.
This has got to be a spammer that runs it.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
this isn't offtopic you moderating moron, it's FUNNY! read it again.
Will I retire or break 10K?
Stop putting your email address all over the internet. I've had a Yahoo account for years and truthfully _never_ get spam. That's because when I sign up for cheesy web sites, I use a hotmail address that I check only occasionally.
I like this idea with some modifications...
I want to be whitelisted for x number of days. Or maybe a setup similar to DHCP where I've got a lease for x number of days that doesn't expire until I haven't used it for y number of days.
This would allow email to remain FREE like it should be and solve the problem at the same time.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
I fried some of that canned meat up the other day, and was quite surprised, it tasted ok.
Mind you its no GOETTA a pork and oats fried dish found in the finer parts of the globe, however Spam was rather tasty.
Those punks still better have the promotion where ya buy a few cans and send for a hat or t-shirt still, or i'll be pissed.
OH email spam well yeah those guys should be shot.
I've watched Spamarrest movie. The exact same system (you have to read a word, obscured to defeat OCR programs) is being used by one of Polish mobile phone operators. If you want to send SMS from www->sms gate you also have to read a word. You can see it here.
:wq
AFAIK, /. doesn't do business with the government.
Are you sure? I'd figure that Congress has set out a pretty broad definition of "doing business with the government", just like the government tries and usually succeeds to classify virtually all commerce as "interstate commerce".
Besides, a blind person could always get a sighted person to help them with the one-time account signup.
Likewise, a person using a wheelchair could always get a walking person to help them with climbing the landlord's stairway to sign up to rent an apartment.
Will I retire or break 10K?
What do you get if you eliminate the human from the above? Why, a protocol link. Might as well require me to type in TCP/IP packets and consider me human if I make too many errors :-)
Welcome to the net of 1000 lies. Upgrades are scheduled soon that should bring us to the 10,000 lies mark.
people who post in tt should be castrated
was all done filling in my personal information (retired female homemaker in Antarctica, born in 1891
I'm a 70 year old Afghan woman who is the head of a major multimedia corporation, making less than $20,000 per year. At least, that's what the New York Times thinks...
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Spamassassin
I am quite a frequent user of Yahoo, as you can probably see from my e-mail address. I like its portability and the fact that I have 6 Meg to play with, which seems to suffice as far as what mail I get is concerned. I have had little or no problem with spam.
However, I'm also a frequent user of Yahoo Groups, and probably subscribe to something approaching 90. Many of these, I have chosen to visit the group proper, rather than receive e-mail, even in Digest form. Why? Because as far as I'm concerned, Yahoo actually condones the practice of spamming, because they bloody well don't even try to do anything about the sheer volume of spam, (pr0n, of course), in some of these groups. As the owner of a few groups myself, I can tell you that the tools to deal with the problem JUST PLAIN ARE NOT THERE! The only way you can delete the offending spammer is to catch him in the act...damn near impossible and futile anyway, because they simply change their name and do it again the next day.
Although they have put in place a couple of things, including a "This is Spam" link of any given message to report it as such. I have little or no faith in these, because nothing ever seems to get done about it...the same spammer just keeps it up! I have had a few instances where the spammer has managed to infiltrate a Group calendar and had messages posted automatically from that! So whatever Yahoo pretends to do, the spammers most certainly are very much further ahead!
Am I the only person who thinks that Yahoo condones the practise?
If you happen to be in the fortunate position of ISP, you can play at racketeering and generally get away with it: offer your subscribers' email addresses for a fee, then offer them spam blocking for a fee. Repeat until your customers are all gone.
Don't think that'll work? Your phone company is already doing it with telemarketers.
An "automated Turing test" is an oxymoron.
The Turing test is where a human talks to a computer and tries to decide if the backend that's answering him is a human or a computer program.
This is more of a reverse turing test, where the computer asks questions to try and find out if it's interacting with a person or a program.
It would be possible to write a program to beat this system, but it would not qualify as having passed the Turing test, because it would have only fooled another computer program, not a real person. Of course maybe said program could go on to pass the Turing test.
Wouldn't it be weird if spam was the driving force behind the creation of the first real AI?
Skynet began learning at a geometric rate.......by 1800 hours every mailbox in the world was jammed with unfilterable spam.
Life is too short to proofread.
Stop being so sarcastic and just call a rat a rat
You score...another...rimshot!
The way SPAMmers seem to outsmart anti-SPAM filters with every new advancement, they just might make a big leap in AI to get past these new filtering techniques.
I was thinking that a technique that might help is to set up two accounts - something like a hotmail account in addition to your normal email account. One account is the valid one you use for whatever, the other address you don't give out to anyone you expect mail from.
Then, when you get mail at your "real" account that mail is examined to see if it matches any of the mail received at the "fake" account.
This is sort of like the digital camera technique of taking a "picture" of the CCD image with the shutter closed after a long exposure, to get an idea of what just the noise from the CCD looks like so it can be subtracted from the image data collected.
Of course, I'm not sure how well it would work in practice or if you'd really get the same spam very often in both accounts...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
TURIN TEST STOPS YOU!!!
Offtopic? The article is about "Turing Tests to Stop Spam", specifically CAPTCHAs used to make sure that a person signing up for a free account has visual cognition on par with a human being's. Slashdot has installed such a CAPTCHA. Yerricde was complaining that such a CAPTCHA excludes blind people from participation in Slashdot with a nick.
[begin spock influence]
I declare unto you:
I must rate your conclusion as highly illogical. Microsoft's hotmail.com eMail service is registered as a for-profit organization. Being registered as such, it is logical to assume that hotmail.com will do whatever in their ability to reach a profit with the last effort. Statistically, organizations that have reached profit from "spamming" have been low, yet other than anti-spam software, there is no evidence supporting the statistic of this trend to fail. We must consolidate our knowledge that the many data networks, which compose the modernly-known "Internet", are highly regulated by service providers and any such users of defined-excessive inter-networked bandwidth will be regulated for so-called "service fee." The Internet, in respect to organizations advertising services for varying tangible and non-tangible data-performances, is not free and is contracted by administrative bodies throughout its range including and not limited to the FCC.
Such is the cost for the "stability" that is inherent from the "internet" and its vary administrations and governments which regulate it.
[/end spock influence]
But I'm sure you already Gnu that.
Read both FAs. There's one of each.
This is the typical case of spam on ./, just a profit free one.
Less is more !
Is to make it a crime to send email from a bogus account. I'm thinking this crime would be called.. oh I dunno maybe fraud. If I have a real email address then I can request to be removed and am not, then it should be just like telemarketing and I could sue for $500.
As long as you spam me from a legitimate email address I can request that the ISP delete your account. If the ISP chooses not to do so, then I can block the whole damn domain guilt-free. If the ISP has a decent EULA they could sue their subscriber for breaking the terms of their agreement and use that money to pay their various postmasters to take care of spam complaints.
You had me all excited when you said we should be able to "hunt" spammers. I thought you meant really hunt them. I was all ready to go get my hunting license and buy a gun. ;)? What better way is there to 'opt-out'?
They definitely seem to have overpopulated, given the volume of spam I've been getting. Don't you think it's time we thinned the herd
Makes you wonder.....do spammers taste like spam?
Life is too short to proofread.
Very recently (within the past month?) ticketmaster.com has begun using gimpy-styled captchas, presumably to prevent automated ticket-buying applications.
Anyone know of any other "mainstream" sites using these tests?
(Moreover, there also isn't yet any standard mechanism for users to report spamminess or nonspamminess back to normal IMAP or POP mail hosts -- and Bayesian algorithms require sampling both spam and non-spam mail, not just spam reported to an abuse address.)
Over IMAP this is exceedingly simple. Create two standard folders for the user, say 'Valid' and 'Spam.' Have them sort the mail manually into those folders.
Since IMAP organizes the mail on the server, reading the contents of those folders after the user sorts his messages and using it as a base for filtering would be no problem at all. Additionally, it has the benefit that the user could simply choose to ignore or delete those folders, side stepping privacy issues.
I'm well aware that an admin *can* read my mail... Fuck, I'm the admin after all... But I don't think running a filtering program over the contents of two folders is any more invasive than running SpamAssassin or SpamBouncer over their incoming mail. It does become an issue if the admin pokes his nose into a person's scoring system... But then again, an admin could just as easily collect the same statistics using a simple shell/perl script.
The biggest problem with this type of filtering is that it's an administration/support nightmare. I wouldn't be willing to hand hold a few hundred users through the conversion to IMAP, explain how they are supposed to sort their mail, or deal with the inevitable issues accompanying a complex system like this.
Plus, are filters of this type even available as a semi stable product?
P.S.: IMAP rocks. ^_^
Has anyone tried ASK? Active Spam Killer. It's freeware in linux that will do the same thing.
the project itself is pretty interesting, but something rubs me the wrong way about the term "automated turing test". The turing test is based on the idea that sentience can not be defined in any simple mechanizable way.
maybe it's just my cognitive science degree making me touchy, but i'd prefer the term "automated coherence filter" or something(even "automated intelligence test" would be an improvement).
lysergically yours
From my understanding, the use of image recognition in the captcha test would make it nearly impossible for blind people to pass the test.
Very similar to Atqui
How, praytell, would you get e-mail addresses or domains to put in the block list without first getting spammed by them? Consult Yahoo's new Magic 8 Ball service?
I noticed a change recently with the amount of spam that my Yahoo email is collecting. Previously, spam emails trickled in, but now, I am getting more spam which are obviously aimed at circumventing the spam filter. They all use the same technique -- adding unusual characters into the subject text. I am surprised that Yahoo has yet to figure this trick out. And Yahoo's spam reporting feature has had no visible effect on the spam volume in my inbox.
FTC Consumer Complaint form
It's that simple. Once the federal government starts to get half a million reports of spam a day, may be someone will realize that it's costing a lot of money to a lot of people and maybe Congress will act.
there's no place like ~
you could just include 4.) and 5.) in the category 1.) of "giving out your email address"
I guess I was too specific.
Repeal the DMCA!
I just apt-getted it and I'm trying it out now. mailfilter works well, but it has to be added to each users cron scripts (blech!)
You can't judge a book by the way it wears its hair.
Three weeks ago I went to Radio Shack to purchase some extra Cat 5 cable that I needed. The manager wanted 34.12 for 25 feet. I informed him that I'd just bought 50 feet of cable at another Radio Shack for 32.28. I also informed him that in the future our houses would come pre-wired with Cat 5 even though we wouldn't need it because they wireless would be ubiquitous by then. He turned to me with a wry smile, laughed and said, "LOL, Spam-stopping Turing tests".
I have gotten spam on my fastmail account, but I'm not using their spam filters. The thing that fastmail does that I haven't seen is that in addition to allowing the usual (for recent email systems) tagged login format like username+tag@fastmail.fm , which lets you give everybody email addresses with a different tag value, it also automagically translates between this and tag@username.fastmail.fm - this not only avoids confusing web forms and avoids confusing your mother, it also reduces the risk that spammers will guess that simply using the untagged "username@domain.com" will reach you.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"Make something idiot proof, and they will design a better idiot."
I Browse at +4 Flamebait
Open Source Sysadmin
http://spamarrest.com/products/howitworks.jsp
If this is the first email from the sender, the email is held in a temporarily holding location and the sender is sent an email with a challenge which only a human is capable of completing. The sender only needs to complete the challenge once, and their email, and all future emails that they send you, will immediately be placed in your inbox.
TDMA does that and it's free ;)
Turing test is a bit of an exaggeration. They have you look at some garbled text and type what you see. And it's been going on for a very long time.
The Register article had absolutely nothing of value to add. As you were.
Donate background CPU time to fight cancer.
There are a couple of less than obvious ways one gets Spam, in my opinion. If you have DSL or Cable, someone on your local hub can troll IP addresses which are logged on then use NetBIOS to get additional information. Some ISPs put the Spam directly into your INBOX; that is they have worked out an "arrangement" with the Spammers and save themselves the extra network traffic and make a little money by accepting a single incoming Spam and dropping it as incoming mail on all of their users.
The overwhelmingly most likely reasons /. created a totally different project are:
/.'s "captcha," for crying out loud. All I would have to do to defeat it would be to mask out all but the black pixels. What a joke. It's like one of those "this house protected by ..." signs when the closest you've come to installing an alarm system was hanging up on a telemarketer. (although some of cmu's systems also use gratuitous color changes that add nothing to security, at least they do have some genuinely challenging methods besides.) Did it really take them months to come up with this? You've got to be kidding.
:) -- so I'm not sure why you're getting all snotty about it. I can't imagine it taking more than a couple days, much less months, to integrate it.
/. programmers. heh. Look at the code before you diss it based on what someone else of dubious ability says. Understanding other peoples' code takes practice to be good at, and not just because of sturgeon's law. :/
1) they didn't know cmu's project existed
2) they really aren't very good programmers
I'd lean towards 1), but there's ample evidence for 2). Look at
I have looked at CMU's code and it's by no means an impenetrable mess -- especially when you consider they were handicapped by using perl
Professional
1. Decide which hotmail/yahoo/whatever account you want to sign up.
2. Send most of the (fake) registration info until it sends you a "turing test" image.
3. Display the image in the next webhit on your popular porn site saying "to get free porn, type these characters"
4. Send whatever they type to hotmail/yahoo/whatever & complete your registration.
5. Profit?
Some people have already produced excellent results in breaking visual CAPTCHAs.
... why don't they use the Voight-Kampf test to tell them apart?
I fuse with Mercer every single day...
Is Paul Graham's statistical filtering of spam applied anywhere?
:)
To me, it seems as an obvious step forward in spam filtering and achieves amazing results.
Somehow though, most good ideas get ignored
A lot of spammers like to guess names, like datacommarketing.
:)
On the mail servers I manage, they just keep sending mails to all kinds of addresses. like this:
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: damien@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: bart@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: agustin@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: hans@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: stan@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: adolfo@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: murray@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: curt@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: russel@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: erwin@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: from=joe@nowhere.com, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mx01.datacommarketing.com [65.242.117.50]
After a while it gets annoying and you block their entire subnet in the firewall.
I can't figure out why Worldcom wants to provide them with traffic. Maybe they need the money.
I visited their site once where they claimed that all their emails were opt-in. So is it opt-in as in "the email-adr exists so they must want spam"?
my sig
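Added example, not part of the post above: one way to spot this kind of address guessing in a sendmail log is to group "User unknown" rejections by queue ID and attribute them to the relay on the matching from= line. The function name, the threshold of 5 and the second log session are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Six rejections and the from= line are copied from the excerpt above; the
# second session (queue id gBM7Xk9Q050801, relay 192.0.2.10) is constructed.
SAMPLE_LOG = """\
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: damien@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: bart@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: agustin@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: hans@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: stan@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: adolfo@DOMAIN.com... User unknown
Dec 22 07:18:14 www sendmail[50726]: gBM6IAcC050726: from=joe@nowhere.com, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mx01.datacommarketing.com [65.242.117.50]
Dec 22 09:02:41 www sendmail[50801]: gBM7Xk9Q050801: jhon@DOMAIN.com... User unknown
Dec 22 09:02:41 www sendmail[50801]: gBM7Xk9Q050801: from=ann@example.org, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
"""

UNKNOWN_RE = re.compile(
    r"sendmail\[\d+\]: (\w+): <?([^\s<>]+@[^\s<>]+?)>?\.\.\. User unknown")
RELAY_RE = re.compile(
    r"sendmail\[\d+\]: (\w+): from=.*?relay=(?:(\S+) )?\[([0-9.]+)\]")


def find_harvesters(log_text, threshold=5):
    """Return relays that tried at least `threshold` distinct unknown users."""
    rejected = defaultdict(set)   # queue id -> rejected recipient addresses
    relay_of = {}                 # queue id -> (relay host, relay IP)
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            rejected[m.group(1)].add(m.group(2).lower())
            continue
        m = RELAY_RE.search(line)
        if m:
            relay_of[m.group(1)] = (m.group(2) or "", m.group(3))

    per_ip, host_of = defaultdict(set), {}
    for qid, rcpts in rejected.items():
        if qid in relay_of:       # sessions with no from= line are skipped
            host, ip = relay_of[qid]
            per_ip[ip] |= rcpts   # merge sessions coming from the same relay
            host_of[ip] = host

    findings = []
    for ip, rcpts in per_ip.items():
        if len(rcpts) >= threshold:
            subnet = ipaddress.ip_network(f"{ip}/24", strict=False)
            findings.append({"relay_ip": ip, "relay_host": host_of[ip],
                             "unknown_recipients": len(rcpts),
                             "subnet": str(subnet)})
    return sorted(findings, key=lambda f: -f["unknown_recipients"])


if __name__ == "__main__":
    for finding in find_harvesters(SAMPLE_LOG):
        print(finding)
```

The single mistyped recipient from the constructed relay stays below the threshold, so an ordinary typo does not get a sender blocked.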
I only use SpamAssassin to tag suspect emails. I have a filter rule in KMail that sends tagged mail directly to its Trash folder. A quick scan of the subjects and froms suffices to weed out the (rare) false positives. Note that I don't have to read the spam bodies to verify them and I've already been spared the trouble of weeding them from my legitimate mail.
Use a little imagination; it isn't necessary for a spam filter to immediately trash suspect mails. By default, all SpamAssassin does is TAG the emails in their subject lines and add a scoring report to the body. It suffices for me to have probable spams all collected together so that it is only one quick scan and a button click away from destruction.
Come to think of it, if my quick from/subject scan method doesn't suffice, that attached scoring report does. A mail with a score of 33 with a web bug is certainly bogus. I'll cheerfully trash that without reading the rest of the body and those reports can be quickly parsed as well. Not that I usually bother. Simply having your signal not interleaved with the probable noise is useful and SpamAssassin can certainly be trusted for that.
I would rather Yahoo stop spam from getting to my mail account before they concentrate on stopping people from signing up automatically.
How about both? The XMail.net system requires signups to pass the Turing test. It ALSO requires EVERY email that has unknown email addresses to pass the Gimpy Turing test before allowing access. Unknown email addresses are auto-responded to and given a five day grace period to pass the Turing test before they are passed on to a potential black list. If an unknown sender's IP address ends up on the potential black list too many times, zap. If the Turing test is passed within the grace period then the email is passed on to the receiver and the sender is placed on a white list. Of course the sender can place the address on their black list at any time. This eliminates all spam to your email account as it blocks ALL email that is unwanted and automated. It allows strangers to send you an email if they are really human and have a legitimate reason. If you don't like their reason then you can easily block them.
Does this work if I am SpamArrest User #1 and e-mail Spam Arrest User #2 for the first time? Won't my request for them to pass a turing test just be met by another request for me to pass a turing test, neither e-mail of which will get through to my inbox?
What about e-mails to validate registrations? The originator will get an e-mail, and I'll never get an e-mail with my password.
Do they account for these scenarios in this solution?
I think this method could very easily be used to create an almost spam-proof email client.
The idea is to have a buddy list in your email client, which is a list of all the people authorized to send you email. If one of those people sends you an email you simply get it.
If someone not on your list sends you an email, the mail client automagically sends them a reply explaining that they need to pass a test. That test could be one with a scrambled text image or whatever. Once they pass the test (replying to the email with the right answer) the email client tells you that a new buddy sent you an email, and if you want to permanently add them to your list.
The list could also contain wildcards to use when you expect to get an automated email (like a bill from a credit card company) but you don't know the exact email ahead of time.
It sounds like a good idea to me, I was wondering if anyone could think of reasons why this wouldn't work
Has anyone really used the new "This is Spam" reporting mechanism that Yahoo provides? Once I selected 20 spam emails and marked it as "This is Spam". Yahoo gave me a message back saying "2 messages reported". So at least it means that Yahoo is already aware that the other 18 are really spam mails and ignores them, or they explicitly allow spam from certain domains. They don't even get filtered into the Bulk folder automatically, even though most of them are from the same spamming domains.
The classic problem with so many "click the picture to prove you are human" email checks is that we don't always care if the user is human.
The default case, my friend sending mail to me, is easy to come up with. And for signups for services, its nice to know that we have a breather on the other end of the line.
But I don't really care that the "your order has been shipped" email or my "$100 gift certificate code" is sent by a person. If I have a turing test on my email system, no one will click... and I will never see my messages. And will I really, honestly add domains or ips of every company I interact with to some whitelist? Should companies have to hire "clickers" to just deal with all these turing responses?
And, of course, don't forget all those lists you are on: the "new version" announcement lists, the "changed page" lists, the "weather alert" mailers... there are lots of mails I do want, which are machine generated, and will never have a human to turing test with.
The average user has no way of knowing the mailer IPs or domains of all the mail they may want to get... and so requiring all those mails to have a human behind them means that we give up some of the power and magic of our technology.
Tech, from the lever to the rocket, is about empowering a person to do more than they could do alone. Instead of requiring a person to send out thousands of "your order has shipped" announcements manually, we empower him or her to send out thousands automatically in seconds. Let's not throw away some of this power just because we think every mail should be sent and confirmed just by a person.
Let's make sure to differentiate "person to person" messages from "entity to person" messages, where entity may be a company, a service, an alert, or any other type of object which can message me. Whatever solution we wind up with, we have to find a way to make it easy to know about and allow these, while still eliminating bad bulk.
Michael
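Added example, not code from any poster or from the services named in this thread: a minimal model of the buddy-list-plus-challenge scheme discussed in the comments above, including the wildcard entries, the five-day grace period, and the two failure cases raised (two challenge systems mailing each other, and machine-sent mail nobody will answer). The class, its method names, the `auto_generated` flag and the rule of whitelisting anyone you write to are assumptions made for illustration.

```python
import fnmatch
import secrets

GRACE_SECONDS = 5 * 24 * 3600  # the five-day grace period described above


class ChallengeGate:
    """Hypothetical per-mailbox gate: buddy list plus a challenge for strangers."""

    def __init__(self, allow_patterns=()):
        self.patterns = [p.lower() for p in allow_patterns]  # wildcard entries
        self.buddies = set()   # exact addresses
        self.pending = {}      # sender -> {"token", "held", "deadline"}

    def allowed(self, sender):
        s = sender.lower()
        return s in self.buddies or any(
            fnmatch.fnmatchcase(s, p) for p in self.patterns)

    def note_outgoing(self, recipient):
        # Assumption: anyone we write to may answer, even with a challenge of
        # their own. This is what keeps two gates from deadlocking.
        self.buddies.add(recipient.lower())

    def receive(self, sender, message, now, auto_generated=False):
        """Return (action, token); action is deliver, challenge or hold."""
        if self.allowed(sender):
            return ("deliver", None)
        key = sender.lower()
        if key in self.pending:            # already waiting on this sender
            self.pending[key]["held"].append(message)
            return ("hold", None)
        token = secrets.token_urlsafe(16)
        self.pending[key] = {"token": token, "held": [message],
                             "deadline": now + GRACE_SECONDS}
        if auto_generated:
            # Never challenge machine-sent mail (another gate's challenge, a
            # shipping notice): no human will answer, so just hold it.
            return ("hold", None)
        return ("challenge", token)

    def solve(self, sender, token, now):
        """Sender passed the test in time: release held mail, add as buddy."""
        key = sender.lower()
        entry = self.pending.get(key)
        if not entry or now > entry["deadline"]:
            return []
        if not secrets.compare_digest(entry["token"], token):
            return []
        del self.pending[key]
        self.buddies.add(key)
        return entry["held"]

    def expire(self, now):
        """Drop entries past the grace period; return the senders dropped."""
        late = [s for s, e in self.pending.items() if now > e["deadline"]]
        for s in late:
            del self.pending[s]
        return late
```

Machine-sent mail from a sender with no wildcard entry ends in `hold` and then `expire`, which is the lost order confirmation the comments above warn about.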
Last year I had the (somewhat) good fortune to capture relay spam from a spammer who used reply-to addresses at freemail providers to receive his responses. Good fortune? Yes. The spammer had large numbers of these - most (maybe all) appeared in spam I captured. A simple string search and a single email message to the freemail provider got all of the accounts nuked. That spam run was largely lost to the spammer.
But what I'd like to mention is that if the freemail provider paid much attention at all to patterns in the logs I think it could fairly easily identify many spammer dropboxes.
Additionally I'd like to mention that rather than nuke the account I'd prefer the freemail provider simply blackhole any mail to that account - nuking tells the spammer the account is dead, he moves on. If nuking isn't in accord with the TOS then I suggest changing the TOS.
One example, listing Reply-to addresses:
http://groups.google.com/groups?q=snowboarding.com+group:*.*.*.email+author:brad&hl=en&lr=&ie=UTF-8&selm=3C7B0714.749B048D%40mail.tds.net&rnum=1
and SPAM is just a part of it. CAPTCHA systems are very critical, they are used to distinguish a human from a computer. Paypal have such a system on their signup forms, it is to prevent bots from automagically creating accounts and then use the account to launder money (thus bypassing Paypal's individual account value limit). This has great implications for people looking into *content protection*. Though if anybody had bothered to read the accompanying research paper, you would see that the creators indicated that CAPTCHA systems are not foolproof.
The easiest method that an attacker could use to bypass a CAPTCHA would be to involve a human at that step of the process, and only for that part of it. Leaving the more mundane tasks for the machine (after all, that is what machines are for). It could simply extract the images and present them one after another to a human, or the attacker could even relay these images and entry boxes to users on their *own* sites to enter. Either way the CAPTCHA system adds a slight overhead on the human, with the bot still performing 99% of the task.
With the amount of spam that I receive in the ones I subscribe to, I'm not so sure.
I've never had a hotmail account, but it seems to me that everyone says you get spammed even if you don't give it out.
I just this minute remembered a yahoo account that I created about 6 months ago, and went back and checked it... I'd given the address to some of my friends but never posted it in the internet in any way...
So when I checked it, it turns out I had 0 spam messages in the last 6 months. So I guess this means that yahoo definitely doesn't sell your addresses?
I've been quite pleased with yahoo mail with their spam filter. It seems to catch about 80% of the spam.
One thing you could do to help if you're a yahoo user, is to make an account exclusively for catching spam, logging in once in a while and reporting all the messages... only takes a couple of clicks...
... Microsoft can integrate the feature into Outlook (as can other email software packages), so a fee-based service really isn't needed. Just make the Turing-test generator a plug-in, and if SPAM starts to get bad again, frustrated hackers will generate new harder tests and distribute them for free. It will not eliminate spam - just increase the costs, so that spammers change to using more focused mailing lists. Still, it should mean a great reduction in the volume of SPAM.
Just find bogofilter. It works and no, spammers won't find a way past this one.
There's yet another nasty form of SPAM hitting the streets, and this one has a cost beyond the time and bandwidth wasted...
Fax-SPAM.
I work for Fax machine tech support for HP, and a common complaint from users that live in highly populated areas is that they receive large volumes (10 sheets or more per day) of unsolicited fax advertisements. Over time, with the cost of paper and ink/toner being what it is, money wasted from fax-marketing adds up!
Some people claim that they have only had their fax machine, and the associated dedicated lines, for a few days only.
Possibly there is some way that Spammers can call phone numbers, and somehow poll for fax tones? Of course, if that were the case, they would have to call each number specifically and wait for a device/person to pick up to snoop the tones....
- - - - - - - - - - -
my name is BeyondTheBlue, I just forgot my password. =\
The idea of a "piece of software" sending a response to the supposed 'sender' and requiring a unique response before actually allowing the sender's message to go through. Hello. How long has majordomo been around? More patently absurd patents...
Half the spam says lose inches from your waist every day.. ..and the other half says add inches to your penis size every day.
I think I can see how it's done!
Luckily for you, I can ignore your highly disturbed dreams of people going blind and deaf and mute - but man, that's just sick. You need professional help if all you can respond to an argument with is that.
And YES, the BRAILLE ON ATM MACHINES WAS DEMANDED. It wasn't offered. It was forced. Special interest groups SUED to force banks to put braille on their machines. And it's USELESS. BLIND PEOPLE CANNOT DRIVE. (and notice in my original post I specified *drive-up* ATMs) Damn, get your head out of your Utopian ass. Who the hell taught you all that garbage?
The ADA is not anything like the BSA, it's not an organization, it's a frickin set of laws that mandate (not 'offer') assistance to the disabled. It didn't spring out of the kindness of anyone's heart - it was generated by lobby groups who bought off Congress, just like every damn other law we have. Laws don't join together in common bond of love or anything else. And sometimes people go overboard with it and abuse them, which is what I'm talking about.
At least have the intelligence to get your analogies correct.
http://www.usdoj.gov/crt/ada/adahom1.htm
I:
The best way to make a silk purse from a sow's ear is to begin
with a silk sow. The same is true of money.
II:
If today were half as good as tomorrow is supposed to be, it would
probably be twice as good as yesterday was.
III:
There are no lazy veteran lion hunters.
IV:
If you can afford to advertise, you don't need to.
V:
One-tenth of the participants produce over one-third of the output.
Increasing the number of participants merely reduces the average
output.
-- Norman Augustine
- this post brought to you by the Automated Last Post Generator...