Slashdot Mirror


Earthlink Deploying Challenge-Response Anti-Spam System

deliasee writes "The Washington Post reports that Earthlink is preparing to offer new spam filter technology that requires sender authentication. AOL is still concerned that such technologies will put too much burden on consumers." The day after it's deployed, every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers...

501 comments

  1. Nice moves by hendridm · · Score: 4, Interesting

    I was hoping more ISPs would adopt the challenge-response system, like MailBlocks, previously featured on Slashdot. Way to go Earthlink! If I was interested in dialup, this would be a big selling point for me. I'm still waiting for a service that offers the challenge-response feature of MailBlocks but allows me to forward to my existing provider. I mean, a 12MB inbox is pretty lame. There are free providers that can give me that much space...

    1. Re:Nice moves by apoc.famine · · Score: 4, Insightful

      I dunno. This may be painful for a bit, and increase the amount of mail, but in the long run it might be worthwhile. While I agree that it makes some people's jobs harder, those people probably aren't using the major ISPs/mail-services. If the major players do this, it makes it that much less profitable for spammers to do business.

      I mean, if you're a spammer, a brute force mailing to joeuser.org is MUCH less profitable than mailing the same million messages to hotmail.com. Go big guys, go! It won't bother me at all.

      --
      Velociraptor = Distiraptor / Timeraptor
    2. Re:Nice moves by bozojoe · · Score: 1

      Anybody know what the most popular method of dropping spam is? I was wondering if the rules based approach (spamassassin.org) or the Challenge/Response approach works better. Perhaps it depends on the target audience. ...looking at ask.slashdot.org next

      --
      lick the cancle button (at least thats what our Chinese QA says)
    3. Re:Nice moves by d_lesage · · Score: 3, Insightful

      It drives network traffic as well up to the sky

      But wouldn't the added traffic be more than compensated by the reduction in traffic that would ensue when the spammers go out of "business"?

      --

      Ich werde nie wieder denken
    4. Re:Nice moves by darien · · Score: 5, Insightful

      Er, what?

      eMail was not designed for such a challenge

      So what? This system works within the standard. Who cares whether or not the designers foresaw it?

      It drives network traffic as well up to the sky.

      Hardly. If you're on Earthlink and decide to opt-in for this, it simply means that everybody you know has to send you one extra email once. Earthlink's traffic may be a bit higher for the first few days, but once people get their whitelists in order it'll drop back to where it is now - and below, because there'll be less spam floating around.

      However, I do hope (the article didn't say) they've come up with a smart solution to the problem of spammers putting real (but stolen) addresses as their From: address. Otherwise people unlucky enough to have their addresses stolen may indeed find their network traffic increases, thanks to a million challenges from Earthlink.

    5. Re:Nice moves by Anonymous Coward · · Score: 1, Interesting
      Mailblocks is a piece of junk, I had nothing but trouble dealing with them. And I wonder how Earthlink got out of being included in the numerous lawsuits Mailblocks are filing based on their patent covering challenge/response.

      I think Mailblocks is the perfect example of a company the /. crowd would hate: rich guy comes into the market late, drops a bundle of money, scoops up some shaky patents, and tries to sue/shutdown their competitors (some of which have been in business for over a year longer than them).

      By the way, Spam Arrest, one of Mailblocks' competitors (and currently being sued by Mailblocks) has no disk quota. (10 MB max message size though). Their enterprise product will forward messages through to your smtp server. A little pricey, but good for businesses.

      Matador also does challenge-response (in addition to filtering) but runs on your desktop, if you are into that kind of thing.

      Yes, I've done a lot of research into the anti-spam products!

    6. Re:Nice moves by tacocat · · Score: 2, Insightful

      These systems don't work that well. I have been designing and building my own for about 8 months now and have come to the following conclusions.

      They are easily bypassed using a smart enough auto-responder. If all you do is fire back the original message then you're on their list.

      They sometimes fail to pick up the human response. I have several cases where people will simply respond to the email, removing enough of the critical content, to render the reply useless. This comes in two flavors. Email clients will strip out the Header information needed, or people will strip out the Body information needed.

      To implement this on a very large system like this is going to be a nightmare not only for their email administrators, but for everyone that they touch.

      One of the biggest problems that these systems have is that they are totally incapable of handling Solicited email from a Bot. Examples include:

      • Payment Confirmations (amazon.com)
      • mailing list confirmations
      • Profile Update Notifications (paypal, ebay..)
      • Password changes or resets
      It's going to be a pretty ugly system of implementation.
    7. Re:Nice moves by Anonymous Coward · · Score: 0

      Hey, you're closer to the real answer than you may realize. Earthlink's proposed system is like establishing a TCP connection based on getting one packet and then no ACKs from the real host.

      Any halfway reasonable confirmation system would only generate challenges in response to properly formatted initial handshake mails. Think of the initial mails as the SYNs, and the challenge as the SYN/ACK.

      No proper initial mail equals no challenge. That means no backscatter from forgeries unless someone forges an address *and* makes it look like an initial message.

      The thing is, if the initial message is tightly defined to not be able to carry any commercial content, what spammer would forge those? The only person who would forge such a thing is someone who's looking to create a DDOS by bounces, and that's already possible now.

    8. Re:Nice moves by Anonymous Coward · · Score: 0
      not necessarily.


      Assume they have 3 email lists:
      1) Challenged and passed. Email from this user gets dropped into the inbox
      2) Challenged and pending. Email is queued up for the challenge to pass, or timeout (fail).
      3) Challenged and failed. /dev/null for you!


      If the sender is still pending, they could challenge them for every email they sent, or, say, challenge once per day for a week before throwing them on the fail list.


      Still won't help against the next outlook email worm, if they were challenged earlier.

    9. Re:Nice moves by BlackHawk-666 · · Score: 1

      I've had good experiences with using this sort of software (TMDA). It creates a one-time reply address, so it doesn't matter what the user does to the subject and body, it is still a valid email reply. As to spammers just auto-replying, generally they don't provide a valid reply-to address (never in my experience) so they never even receive the original challenge.

      --
      All those moments will be lost in time, like tears in rain.
    10. Re:Nice moves by spectro · · Score: 1
      They are easily bypassed using a smart enough auto-responder. If all you do is fire back the original message then you're on their list.

      Not if you include a thing like the one ebay or ticketmaster use to trap bots.

      One of the biggest problems that these systems have is that they are totally incapable of handling Solicited email from a Bot. Examples include:

      • Payment Confirmations (amazon.com)
      • mailing list confirmations
      • Profile Update Notifications (paypal, ebay..)
      • Password changes or resets

      That's what whitelists are for...

      --
      HTML is obsolete. It's time for a new, simpler and richer markup language.
    11. Re:Nice moves by Anonymous Coward · · Score: 0

      All else being equal, I think it would be much smarter for Earthlink to phase this in over 6 weeks or so.

      Step 1.

      Assign every user a date in the startup period at random, either evenly or in a distribution that's weighted a little heavier early (since the traffic spike from each user could last a few days).

      Have the filtering activate on that day for the user. That way, everyone doesn't jump on and go validate crazy on the same day, generating a massive traffic surge.

      Step 2.
      Step 3. Profit.

    12. Re:Nice moves by Anonymous Coward · · Score: 0

      These systems don't work that well. I have been designing and building my own for about 8 months now and have come to the following conclusions...Email clients will strip out the Header information needed, or people will strip out the Body information needed.

      That's because you don't know what you're doing. The envelope sender and receiver are the ONLY places that information can expect not to be tampered with. See http://tmda.net/.

    13. Re:Nice moves by phat_joe23 · · Score: 3, Interesting

      It drives network traffic as well up to the sky.

      Hardly. If you're on Earthlink and decide to opt-in for this, it simply means that everybody you know has to send you one extra email once.


      And that every time you get spammed from a new address (read: constantly), the system fires off another confirmation email from you. It effectively doubles the number of network connections spam generates. /joe

      --
      "I love phat_joe."
    14. Re:Nice moves by spacefight · · Score: 1

      However, I do hope (the article didn't say) they've come up with a smart solution to the problem of spammers putting real (but stolen) addresses as their From: address. Otherwise people unlucky enough to have their addresses stolen may indeed find their network traffic increases, thanks to a million challenges from Earthlink.

      Sorry, there we are again. Same problem: someone is spamming me through this system. And then? Again a second challenge? Spammers will break it. And then? It goes on and on. Such a system will be broken by the scumbags, I am sure. They are assholes but not dumb (well, some are, some not).

    15. Re:Nice moves by datavortex · · Score: 1

      There are general load protections for a single email address as well as for a mail server. There are reasonable daily limits to how many challenges a person or server will receive in a 24 hour period.

      --

      He either comes off as a real interesting guy with encyclopedic knowledge,or a pathological liar with an ax to grind
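
The one-time reply address, the three-list state machine and the per-sender challenge limit discussed in the replies above (comments 8, 9, 12 and 15) fit together as follows. This is an added example, not Earthlink's, TMDA's or any poster's code: it keeps the confirmation token in the SMTP envelope recipient (an HMAC over the sender address and an expiry time, so a reply confirms even if the sender's client mangles Subject: and body), holds unconfirmed mail in a pending queue, issues at most one challenge per sender per day to bound backscatter to forged addresses, fails senders that never answer within a week, and never challenges the null sender used by bounces. The domain, the secret and the message representation are assumptions made for the demo.

```python
import hashlib
import hmac
import time

# Constructed example; the secret is fixed only so the demo is reproducible.
SECRET = b"per-installation-secret-replace-me"
LOCAL_DOMAIN = "example.net"          # assumed domain of the protected mailbox
PENDING_TTL = 7 * 24 * 3600           # unanswered challenges fail after a week
CHALLENGES_PER_DAY = 1                # per sender: bounds backscatter to forged From:


class Message:
    """SMTP envelope plus body. mail_from is "" for bounces (the null sender)."""
    def __init__(self, mail_from, rcpt_to, body):
        self.mail_from, self.rcpt_to, self.body = mail_from, rcpt_to, body


class ChallengeResponseFilter:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.passed = set()        # challenged and passed: straight to the inbox
        self.failed = set()        # challenged and timed out: dropped
        self.pending = {}          # sender -> {"since": ts, "queue": [Message]}
        self.challenged = {}       # sender -> (day_number, challenges_sent_that_day)
        self.inbox = []            # delivered messages
        self.held = []             # null-sender mail, held for manual review
        self.outbound = []         # (to, confirm_address) challenges we emitted

    def whitelist(self, sender):
        self.passed.add(sender.lower())

    # The token lives in the envelope recipient of the reply, so it survives
    # whatever the sender's mail client does to Subject: and body.
    def _tag(self, sender, expires):
        mac = hmac.new(SECRET, f"{sender}|{expires}".encode(), hashlib.sha256)
        return mac.hexdigest()[:24]

    def confirm_address(self, sender):
        expires = int(self.clock()) + PENDING_TTL
        return f"confirm-{expires}-{self._tag(sender, expires)}@{LOCAL_DOMAIN}"

    def _valid_confirm(self, rcpt, sender):
        local, _, domain = rcpt.lower().partition("@")
        parts = local.split("-", 2)
        if domain != LOCAL_DOMAIN or len(parts) != 3 or parts[0] != "confirm":
            return False
        if not parts[1].isdigit() or int(parts[1]) < self.clock():
            return False                      # malformed or expired
        return hmac.compare_digest(parts[2], self._tag(sender, int(parts[1])))

    def process(self, msg):
        """Route one inbound message; returns the action taken."""
        sender = msg.mail_from.lower()
        if msg.rcpt_to.lower().startswith("confirm-"):
            return self._confirm(sender, msg)
        if sender == "":
            # Null sender: nobody could answer a challenge, so hold the message
            # for review instead of generating backscatter.
            self.held.append(msg)
            return "held-unchallenged"
        if sender in self.passed:
            self.inbox.append(msg)
            return "delivered"
        if sender in self.failed:
            return "dropped"
        return self._hold_and_challenge(sender, msg)

    def _hold_and_challenge(self, sender, msg):
        now = self.clock()
        entry = self.pending.setdefault(sender, {"since": now, "queue": []})
        if now - entry["since"] > PENDING_TTL:
            del self.pending[sender]          # never answered: fail, drop the queue
            self.failed.add(sender)
            return "failed-timeout"
        entry["queue"].append(msg)
        day = int(now // 86400)
        last_day, count = self.challenged.get(sender, (day, 0))
        if last_day != day:
            count = 0
        if count >= CHALLENGES_PER_DAY:
            return "queued"                   # already challenged today
        self.challenged[sender] = (day, count + 1)
        self.outbound.append((sender, self.confirm_address(sender)))
        return "challenged"

    def _confirm(self, sender, reply):
        if not self._valid_confirm(reply.rcpt_to, sender):
            return "bad-confirmation"
        entry = self.pending.pop(sender, None)
        if entry is None:
            return "bad-confirmation"         # replayed, or nothing was pending
        self.passed.add(sender)
        self.challenged.pop(sender, None)
        self.inbox.extend(entry["queue"])     # release everything they queued
        return "confirmed"
```

The tag is bound to the sender address, so a reply sent from a different address does not confirm; that is the price of not having to store anything beyond the pending queue. Null-sender mail is held rather than delivered, so a spammer cannot skip the challenge simply by sending with an empty MAIL FROM, but it does mean someone has to look at the holding folder.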
    16. Re:Nice moves by spacefight · · Score: 1

      There are general load protections for a single email addresses as well as for a mail server. There are reasonable daily limits to how many challenges a person or server will receive in a 24 hour period.

      Ok, but again, this is a limitation of email as we know it currently. And I prefer not to have such limitations. Imagine a software failure on one side of the challenge (they occur, even if rarely) - boom, a user will be excluded from receiving emails for 24h until someone (or an automated job) cleans up the banlist. No thanks, honestly.

    17. Re:Nice moves by dorzak · · Score: 1

      They also just sued a ring of spammers in Buffalo, NY today. Sounds like they are on the offensive.

    18. Re:Nice moves by datavortex · · Score: 1
      I'm sorry, but I can't understand your hypothetical. If you could rephrase it, it would probably help.

      As for a user losing mail for any period of time, every precaution has been taken against that possibility. Even in the event of catastrophic server failure, multiple safeguards against mail loss exist. No system is perfect, but this one affords as much protection against fault as any out there.

      --

      He either comes off as a real interesting guy with encyclopedic knowledge,or a pathological liar with an ax to grind
    19. Re:Nice moves by nfg05 · · Score: 1
      Way to go Earthlink! If I was interested in dialup, this would be a big selling point for me.
      Earthlink also offers Cable and DSL. Of course, it uses the lines of either your local cable or telephone company, but if this spam tool is what you want then you can get Cable or DSL with Earthlink.
    20. Re:Nice moves by Anonymous Coward · · Score: 0

      I use a server-side challenge / response system I found on the Internet http://thespameater.com/ . It's a "POP-scrubber" and I picked it because I could just keep my existing address(es). That way I'm not locked into anybody's anti-spam software, and I can always move on to something better later with no harm done.

  2. Too drastic? by mao+che+minh · · Score: 4, Insightful
    Drastic times call for drastic measures. The situation caused by the relentless onslaught of SPAM (which supposedly is rendering "damages" in the billions annually) can certainly be categorized as drastic. Is Earthlink's counter attack too drastic a measure, though?

    On one hand it (Earthlink's new "technology") seems reasonable enough to the every-day-joe. I'm sure that the majority of Earthlink subscribers don't utilize news or mailing lists, and don't bother paying their bills online. For these people, it's fine. On the other hand, many others use online banking and other such automated tools (even account control mechanisms for online games will be affected). How quickly will all of these vendors conform to Earthlink's new technology and make the needed changes in their automated systems? Will Earthlink simply render many of these domains exempt?

    The answer to solving SPAM resides in the current mechanisms used for the actual transmission and delivery, the mechanisms that all participants must use, not just Earthlink. This is of course the mail servers themselves.

    1. Re:Too drastic? by mark_lybarger · · Score: 1

      at least they're doing something and they're doing it with / around their mail servers and not through some legislative BS that them there lawYers are trying to get a little face time with.

      will it work? who knows, it might really help. if not perhaps they'll learn from the mistakes. someone has to improve smtp into a sstp (simple secure ...)

    2. Re:Too drastic? by iangoldby · · Score: 5, Insightful

      People who want to continue to receive messages from mailing lists, online banking, etc, will have to add these sources to their whitelist.

      It's a bit of a faff though, and I suspect many people will either not understand how to, not bother, or forget at least one address.

      The solution is to have the incoming messages moved into a 'holding' folder that the recipient can see, and check in just the same way as checking through a 'spam' folder. This would remind the user to add false positives in the 'holding' folder to the whitelist. After a while, you can safely stop checking your 'holding' folder. Wouldn't it be good if this is what Earthlink are doing?

      I think a scheme like this could be made to work, at least for webmail. For POP3, it could be a bit more tricky...

    3. Re:Too drastic? by Binestar · · Score: 2, Insightful

      Too drastic? I don't think so. This is something that is off by default, and needs to be turned on by the user. That user can also pre-approve e-mail addresses from his address book and mailing lists that he is on so that the challenge never reaches those people.

      This is just an added feature that users can use if they choose to.

      As for the automated systems: It is the user's responsibility to add those addresses to the accept list when (s)he signs up for the services.

      Since this challenge-response system has to be turned on by the user, it is only the user's fault if (s)he forgets to whitelist the address of places (s)he gives his e-mail account out to.

      All in all it's definitely a good option to have, but it's also a good thing that it is off by default, with the option to turn it on left up to the user.

      --
      Do you Gentoo!?
    4. Re:Too drastic? by letxa2000 · · Score: 4, Insightful
      Challenge-Response is bogus. I don't know of any such systems that have been deployed without significant problems for their users, the people that send mail to their users, and especially mailing lists.

      If challenge-response is largely deployed, I suspect spammers will just unite such that one spammer sends a message, gets the challenge, answers it and is then "unlocked" to send message. He'll then distribute that email address in real-time to dozens or hundreds of other spammers who will send their spam immediately with the same newly-unlocked address.

      Or, perhaps, spammers will change their tactic from spamming millions of users with 1 spam at a time to spamming 1 user at a time with dozens or hundreds of spam. You unlock the system with a valid response to the challenge and then flood them with spam until the user blocks that address.

      I just don't see where challenge-response is anything more than a very stopgap measure. It's not particularly "clean" now and will become more and more useless in the future.

      Almost a year after Paul Graham's "A Plan For Spam" Bayesian is still the easiest system to develop as well as the easiest for the user to use. It is extremely effective (99.5%+) with very few false positives and doesn't require any additional effort for the sender and only requires that the user report false positives and false negatives--and that is mostly only needed at the beginning. Once it is initially tuned it's not necessary to do much of anything--it just keeps learning and working.

    5. Re:Too drastic? by MCZapf · · Score: 1
      For POP3, it could be a bit more tricky...
      IMAP! I don't know why more places don't use this. Especially if they already let your store mail on the server and access it via webmail. IMAP is just another access method to add.
    6. Re:Too drastic? by linuxwrangler · · Score: 1
      How quickly will all of these vendors conform to Earthlink's new technology and make the needed changes in their automated systems?


      Why should they bother? I don't see any "Here's how to send to Earthlink" RFC. Suppose I order something online and request an email confirmation, delivery status, etc. and then I reject all those messages. Whose fault is that? The business? NO! They sent the message as requested. Making matters worse I may in one step be requesting a receipt from the business and delivery updates from a separate shipping company. Of course people will most likely start bitching at the company - "where's my receipt?" - and rejecting those responses as well.


      I hate spam, too (I reject 55% of general inbound mail to my server) but I don't think this is the ultimate solution.


      The answer to solving SPAM resides in the current mechanisms used for the actual transmission and delivery


      Hear, hear! If the biggies (Earthlink, AOL, Hotmail, MSN, etc.) enforced best practices, for example reject all mail where the EHLO is not FQDN, resolvable and the primary name of the sending machine (per the RFCs) and verified by DNS check to match the connecting IP, there would be a massive cleanup of misconfigured mailservers and the rest of us could add the same rejections. This has to be done by the big guys. Unfortunately operators of smaller domains have no clout in requesting repair of BigCo's screwed up server but if lots of their mail got rejected they would fix the problems (marketing or the CEO would make sure of it).


      Strict adherence to best practices would go a long way toward denying the vermin the dark hiding places they crave and force them into the light where they can be squashed.

      --

      ~~~~~~~
      "You are not remembered for doing what is expected of you." - Atul Chitnis
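
The EHLO policy sketched in the post above can be checked per connection along these lines. This is an added example, not code from the post or from any MTA: the DNS data is constructed (RFC 5737 documentation ranges) and the resolver functions are injected so the check runs offline; `live_a` and `live_ptr` show the same hooks on the socket module for a real server. One caveat a practitioner should keep in mind: RFC 5321 (section 4.1.4) lets a server verify the EHLO argument against the client address but says it MUST NOT refuse a message solely because that verification fails, so the verdict below is more defensibly used as a scoring input, a reason to greylist, or a log line than as an outright reject.

```python
import re
import socket

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """Syntactic check: at least two valid labels and an alphabetic top-level label."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()      # rejects a bare dotted quad posing as a name


def check_ehlo(helo, peer_ip, resolve_a, resolve_ptr):
    """Return (accept, reason).

    resolve_a(name)  -> set of IP strings (empty when the name does not resolve)
    resolve_ptr(ip)  -> set of host names from the reverse lookup
    """
    name = helo.strip().lower().rstrip(".")
    if name.startswith("[") and name.endswith("]"):
        return False, "address literal, not a hostname"
    if not is_fqdn(name):
        return False, "not a fully-qualified domain name"
    addrs = resolve_a(name)
    if not addrs:
        return False, "EHLO name does not resolve"
    if peer_ip not in addrs:
        return False, f"EHLO name resolves to {sorted(addrs)}, not to {peer_ip}"
    if name not in {n.lower().rstrip(".") for n in resolve_ptr(peer_ip)}:
        return False, "reverse DNS of the peer does not name the EHLO host"
    return True, "forward and reverse DNS agree with the connecting IP"


# Live resolvers for a real server (not exercised by the offline demo).
def live_a(name):
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except OSError:
        return set()


def live_ptr(ip):
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return {host, *aliases}
    except OSError:
        return set()


# Constructed DNS data for the offline demo.
FAKE_A = {
    "mail.bigco.example": {"192.0.2.10"},
    "www.bigco.example": {"192.0.2.10"},        # shares the IP but is not the MTA's name
    "smtp.smallco.example": {"198.51.100.5"},
}
FAKE_PTR = {
    "192.0.2.10": {"mail.bigco.example"},
    "198.51.100.5": {"smtp.smallco.example"},
    "203.0.113.77": {"dhcp-77.isp.example"},   # a dial-up pool address
}


def fake_a(name):
    return FAKE_A.get(name.rstrip("."), set())


def fake_ptr(ip):
    return FAKE_PTR.get(ip, set())


if __name__ == "__main__":
    for helo, ip in (("mail.bigco.example", "192.0.2.10"),
                     ("mail.bigco.example", "203.0.113.77"),
                     ("www.bigco.example", "192.0.2.10"),
                     ("[192.0.2.10]", "192.0.2.10"),
                     ("localhost", "203.0.113.77")):
        ok, why = check_ehlo(helo, ip, fake_a, fake_ptr)
        print(f"{'ACCEPT' if ok else 'REJECT':6}  EHLO {helo:22} from {ip:14}  {why}")
```

The forward check alone (name resolves to the connecting IP) is what most people mean by "verified by DNS"; the reverse check is what makes the name the primary name of the sending machine rather than any name the sender happens to control that points at the same address.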
    7. Re:Too drastic? by capnjack41 · · Score: 1
      Almost a year after Paul Graham's "A Plan For Spam" Bayesian is still the easiest system to develop as well as the easiest for the user to use.

      I don't know why more people/ISPs aren't using this. This system seems to be the most effective because it doesn't have silly little measures (that block the word "cock", for example, but not the word "c0ck") -- it seems to rate the spam based on its content, which no spammer can get around.

      Please check it out.

      Also, does anyone else foresee spammers hiring people to sit around and answer verification questions all day? It's a hell of a lot faster to do than actually placing calls to people and talking to them, and people (well, if you want to call telemarketers "people", I think they're sub-human) do this all the time.

    8. Re:Too drastic? by Tackhead · · Score: 5, Insightful
      > People who want to continue to receive messages from mailing lists, online banking, etc, will have to add these sources to their whitelist.

      Problem is, you don't know what that email is necessarily going to be.

      I ordered something from foo.com and got order number 12345.

      A few seconds later, I got a confirmation mail from confirm-12345@foo.com telling me what I bought and when to expect delivery. (Or worse, from order-12345@foo.com telling me there was a problem, and that I needed to fix something!)

      If challenge-response becomes widespread, foo.com will say "Now you must whitelist the address confirm-12345@foo.com" when processing the order. (Or switch their order-processing back-end software to use something more sane, like "confirm@foo.com" and put the damn "Order 12345" in the Subject: header where it belongs!)

      Problem is, until then, some vendors and some users using challenge-response are gonna be up the proverbial estuary without a utensil for propulsion.

      If foo.com is disreputable, of course, challenge-response solves the donkey pr0n spam problem, but not the mainsleaze part of the spam problem. A mainsleazer at foo.com will simply start spamming his customer list with a From: of "confirm@foo.com" - Subject: "New Dealz from foo.com!" *sigh*)

    9. Re:Too drastic? by demo9orgon · · Score: 1

      Nice run at "sophistry".

      Earthlink is a service I value and gladly pay for. My email box has remained spam-free ever since I started with them. Of course I'm partly to blame for that because I simply don't give the address to any lists or do anything goofy with it. It's a valued resource. If more providers like Earthlink emphasised the importance of this and took active steps to secure it we wouldn't have the problems we have now.

      We have an Internet culture of denial and over-reaction when it comes to how we have been dealing with email issues. RBL's are not the way to go for domestic providers with massive userbases like Earthlink. RBL's are ok for a private company, but an ISP has to be many things to many people.

      Trying to force compliance between smaller companies and individuals with multi-homed private domains and international interests and RFC's is a pointless pissing contest. Some admins are unaware of the RFC's, or apathetic...in some cases it's not in their interest to fill in all the blanks and setup proper headers or within their ability.

      I gladly applaud any move by a big provider to secure their services and give customers more protection. And since I'm an Earthlink customer I look forward to seeing how it all shakes out. I may pay more for Earthlink but I think it's money well spent if it keeps them around and keeps my email box from being stuffed with offers to grow my manhood, refinance my home, or join in some pyramid scheme. Contrary to the beliefs of email marketeers that people absolutely have a need to be informed of these things, if we ever need to find such information there are search engines...they should pay for their shingle and keep their pablum out of my filespace.

      --
      Every new form of media has its own Requirimento
    10. Re:Too drastic? by Anonymous Coward · · Score: 0

      >On the other hand, many others use online banking and other such automated tools (even account control mechanisms for online games will be affected). How quickly will all of these vendors conform to Earthlink's new technology and make the needed changes in their automated systems?

      If the vendors can make changes to their automated system so that they can answer the challenge, then so can the spammers.

    11. Re:Too drastic? by Admiral1973 · · Score: 1
      Earthlink already does this "holding" of spam via their Brightmail "Spaminator" system. I've had it enabled for years and my Spaminator storage area is always filled to capacity with spam. I think it's the overflow from that system that gets into my mailbox.

      So I don't see them adding another "holding" area, unless they drop Brightmail completely and go with another system.

      --
      Lousy minor setbacks! This world sucks! -- Homer Simpson
    12. Re:Too drastic? by letxa2000 · · Score: 3, Interesting
      I don't know why more people/ISPs aren't using this. This system seems to be the most effective because it doesn't have silly little measures

      I agree. It's so simple yet so effective. It really makes me wonder why people invest time and money in silly, less-friendly and potentially less-effective solutions such as C/R.

      it seems to rate the spam based on its content, which no spammer can get around.

      They're starting to try. When they start breaking up words so that "cock" is "c.o.c.k" they're making an effort to avoid filters, but also are addressing the Bayesian filters since that will normally get broken up into 4 tokens, one for each letter. Of course, if they do it enough then a single token "c" might actually become a common characteristic of spam for that user.

      Anyway, Bayesian works great now. I think spammers will evolve to deal with it, but all that is necessary is to implement new token-identifying logic in the Bayesian filter... the Bayesian approach itself is very solid.

      It's a hell of a lot faster to do than actually placing calls to people and talking to them, and people

      I agree. I suspect you will see spammers actually analyzing the C/R responses. If it's something the software has seen before and is capable of responding automatically, it will. Those that it can't will be forwarded to someone to quickly deal with it. If some of the megaspammers make as much as they supposedly do, hiring a teenage kid at $6/hr to spend the day answering C/R responses is not a huge investment.
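
As an added illustration of the tokenization point in the two comments above (not code from the posts or from Paul Graham's essay), here is a small Graham-style Bayesian filter in Python whose tokenizer collapses dotted or spaced-out letters ("c.o.c.k") back into one token and applies a small digit-for-letter map ("c0ck") before counting. The per-token probability with doubled ham counts, the 0.4 assigned to unseen tokens and the combination of the 15 most interesting tokens follow "A Plan for Spam"; the two training corpora are constructed for the demo and far too small for real use, and the leet map is a heuristic of this example.

```python
import math
import re
from collections import Counter

# Collapse letters split by one separator each ("c.o.c.k", "v-i-a-g-r-a", "c o c k")
# back into a single token. Side effect: runs like "a b c" or "1.2.3" collapse too;
# acceptable for a demo, since such runs are rare in ordinary mail.
SPLIT_WORD = re.compile(r"(?<![\w.])(?:[A-Za-z0-9][.\-_*\s]){2,}[A-Za-z0-9](?![\w.])")
SEPARATORS = re.compile(r"[.\-_*\s]")
TOKEN = re.compile(r"[a-z0-9$'-]+")
# Heuristic digit/symbol-for-letter map ("c0ck" -> "cock"); applied only to tokens
# that mix letters with these characters, so plain numbers are left alone.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s"})


def tokenize(text):
    text = SPLIT_WORD.sub(lambda m: SEPARATORS.sub("", m.group(0)), text)
    out = []
    for tok in TOKEN.findall(text.lower()):
        if len(tok) < 3:
            continue
        if any(c.isalpha() for c in tok) and any(c in "01345$" for c in tok):
            tok = tok.translate(LEET)
        out.append(tok)
    return out


class GrahamFilter:
    """Token probabilities and the 15-most-interesting combination from
    "A Plan for Spam"; tokens seen too rarely get 0.4 as in the essay."""
    def __init__(self):
        self.good, self.bad = Counter(), Counter()
        self.ngood = self.nbad = 0

    def train(self, text, spam):
        tokens = set(tokenize(text))            # count each token once per message
        if spam:
            self.bad.update(tokens)
            self.nbad += 1
        else:
            self.good.update(tokens)
            self.ngood += 1

    def token_prob(self, tok):
        g, b = 2 * self.good[tok], self.bad[tok]    # ham counts doubled: bias to ham
        if g + b < 5:
            return 0.4
        pg = min(1.0, g / max(1, self.ngood))
        pb = min(1.0, b / max(1, self.nbad))
        return min(0.99, max(0.01, pb / (pg + pb)))

    def score(self, text):
        probs = [self.token_prob(t) for t in set(tokenize(text))]
        probs = sorted(probs, key=lambda p: abs(p - 0.5), reverse=True)[:15]
        if not probs:
            return 0.5
        lp = sum(math.log(p) for p in probs)          # log space: no underflow
        lq = sum(math.log(1 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(lq - lp))        # = prod(p) / (prod(p) + prod(1-p))


# Constructed training corpora (far too small for anything but a demo).
SPAM_CORPUS = [
    "Buy cheap viagra online now",
    "Discount viagra and cialis, order today",
    "Cheap meds: viagra shipped discreetly",
    "Refinance your mortgage at cheap rates, act now",
    "Get viagra cheap, no prescription needed",
    "Cheap viagra, cheap cialis, order online today",
]
HAM_CORPUS = [
    "Can we move the meeting to tomorrow afternoon?",
    "Attached is the patch for the mail server, please review",
    "Lunch tomorrow? The usual place at noon",
    "Meeting notes from today: review the patch before release",
    "Reminder: server maintenance window tomorrow morning",
    "Please review the attached patch and send comments",
]


def build_demo_filter():
    f = GrahamFilter()
    for text in SPAM_CORPUS:
        f.train(text, spam=True)
    for text in HAM_CORPUS:
        f.train(text, spam=False)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for text in ("Buy v.i.a.g.r.a cheap, n0w",
                 "Please review the patch before the meeting tomorrow"):
        print(f"{f.score(text):.3f}  {text}")
```

With the constructed corpus the obfuscated spam line scores near 1 and the ham line near 0, because "v.i.a.g.r.a" is counted as the same token as the "viagra" seen in training rather than as six single letters. Combining in log space matters once messages are long: the raw products of fifteen probabilities near 0.01 underflow double precision quickly.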

    13. Re:Too drastic? by Anonymous Coward · · Score: 0

      If there was a standard for challenge-response email, the automated order system could simply respond to the challenge. Right now, the burden is on the user, because most legitimate automatic mailers won't respond to the challenge in order to push the first email through. The idea behind challenge-response anti-spam measurements isn't to involve human interaction. It's that spammers have to fake the FROM addresses if they don't want to drown in bounces and hatemail. Spammers rely on links / contact addresses / phone numbers in the body of the mail. In consequence they can't respond to the challenge. They simply don't get it. Automating the response to the challenge does not affect the efficiency as an anti-spam measure.

    14. Re:Too drastic? by Gunfighter · · Score: 1

      I disagree. It's not too drastic. I work for an ISP, and we recently piloted a similar program using Tagged Message Delivery Agent. I must say that it works flawlessly with almost zero false negatives. We even have a web interface so that people can go and look into their pending queue to manually approve or reject messages. Unconfirmed messages are automatically deleted after a week. For the mailing list problems Mr. Minh mentions in the parent post, this has proved to work great. When one of our customers gets a bank statement, he or she can manually approve that email for delivery. The approval adds the bank's from address to the user's whitelist, and all subsequent emailed bank statements pass through without the need for confirmation.

      Read the TMDA FAQ and you'll get answers to many questions about the process. In addition, it will explain to you how you can set up your list so that less than 10% of your legitimate senders never even see a confirmation message. It explains how to handle mailing lists as well.

      This IS the current answer because it is a mechanism used for delivery once the mail server has received the message. It does not require all participants use it, yet it performs beautifully for those who choose to use it. Until the SMTP protocol and related software are re-written (and everybody upgrades en masse), this is definitely the answer. I promote the solution anywhere and everywhere I have the chance.

      -- Gun

      --
      -- Stu

      /. ID under 2,000. I feel old now.
    15. Re:Too drastic? by lommer · · Score: 2, Insightful

      Yes, I think the Earthlink measure is FAR too drastic, and whitelisting (with a holding folder), while it does solve many problems, is very inconvenient.

      I am currently in the process of applying to universities as I am graduating this year. Many universities contact me by email. If I miss ONE important email from these universities, I am in danger of losing my application. Further, some emails that the universities send me are time sensitive, so that mandates checking my holding folder daily. Finally, many universities use auto-mailers to send out announcements and such that have an invalid return address, so confirmation emails don't have a hope in hell of getting through.

      Combine all of this with the fact that many people at a university, with many different email address (sometimes in different domains even) may have to deal with my file and you can see my problem. Spam needs to be stopped at the source, not at my inbox because the consequences of even one false positive are just too high for me. Yes, this will mean that legislative measures will be required, not just technical measures. I realize that many slashdotters are not in favour of this, but this is the only way the spam problem will be solved IMHO.

    16. Re:Too drastic? by Anonymous Coward · · Score: 0

      What message is the foot-in-the-door spammer going to send? And to whom? The helper spammer has just the same reason as the real spammer not to use his real FROM-address: it would reveal his identity and a massive amount of bounces would clog his mailbox.

    17. Re:Too drastic? by RollingThunder · · Score: 1

      People (meaning Joe Average) don't use it because it's tricky to set up.

      ISP's don't use it because it massively increases the load on their mail servers, which are likely wheezing at the load of simply bouncing all that spam mail anyways.

      Provided Earthlink has an efficient method to break up the load of tracking all those "pending ack" emails, it should be quite a bit lower load on their servers than something like SpamAssassin's multiple full-body pattern matches.

      Don't get me wrong - I love SA and use it on our server here - but it adds a lot of processing to what is generally a lightweight accept/store process.

    18. Re:Too drastic? by BlackHawk-666 · · Score: 1

      I didn't check my pending folder for two weeks and found 450 emails in it 8-0 Half of them were spam and most of the rest were from the only casualty of my use of TMDA, BugTraq. Unlike many mailing lists BugTraq doesn't set itself as the originator of the email, so all the emails appear to come from individuals who I haven't whitelisted. It's too onerous to keep checking the pending list for this one mailing list, so I have moved it further up in my procmail handling and deliver all mail *addressed to* BugTraq straight into my security folder. Problem solved.

      --
      All those moments will be lost in time, like tears in rain.
    19. Re:Too drastic? by BlackHawk-666 · · Score: 2, Interesting

      TMDA utilises short-lived email addresses for this purpose. It will create an email alias that anyone can send to... but just for x (5 for example) days. Give this to the company as you sign up and you will receive their confirmations. You can either leave it like that and then 5 days later they can't spam you, or whitelist them and give them your permanent address.

      --
      All those moments will be lost in time, like tears in rain.
    20. Re:Too drastic? by Ronin+Developer · · Score: 1

      I found myself pondering this question yesterday even before I read this article. While the challenge/response will work to some degree, how long will it take before optical/pattern recognition will catch up?

      I wonder if the solution doesn't exist in the judicious use of public key encryption and a secure clearing house of certificates as well as a clearing house for known abusers.

      Digitally signed and encrypted e-mail will allow for quick identification of the sender as well as preventing the viewing of the message if it is not decrypted. If the sender is on the abuse list, the recipient can decide whether to download the appropriate certificate or not to view the message. By default, the certificate should not be downloaded if on the abuse list.

      With the proper PK infrastructure, ISPs can issue certificates to their customers pending certification of the customer's credentials. Now, hold the issuer of the certificate to the test as well as the issuee. If an ISP gives out certificates to known spammers, the ISP's certificate can be revoked by the ISP's issuing authority. If none of the ISP's mail goes through, they probably won't stay in business for long. This, I would like to think, would make them a little more responsible and inclined to keep on top of their customers.

      Businesses and such can be given issuing authority as well. If they abuse their e-mailing privilege, they lose their ability to send mail. How many businesses in today's world can afford this? Not many.

      Additionally, the relay receiving the initial mail can apply their digital signature to validate the message came from an authenticated user. If that signature matches on receipt, the message hasn't been forged regardless of what other headers are added (they aren't signed).

      I realize my suggestions would require redesigned mail client and server software as well as a revamping of how e-mail is handled in general. But, I think the concept is sound. Whether it can be made practical (or even acceptable to the user community) is another issue.

      A major downside to this is that by providing non-repudiation of the e-mail, anonymity goes away and messages can be tracked and analyzed through traffic analysis even if their content cannot be viewed. So, while we would gain privacy of content, the sender's identity would not remain private.

      I'd love to hear what others think of the idea (both good and bad). Maybe a grass-roots approach might make some inroads into this problem and eliminate these cretins altogether.

      RD

    21. Re:Too drastic? by BlackHawk-666 · · Score: 1

      The big spammers send millions of emails per day. You would need an army of teenagers to man the response desk, and you can bet they'd all be stoned, all surfing the web for porn instead. This is moot anyway since spammers don't actually provide return email addresses.

      --
      All those moments will be lost in time, like tears in rain.
    22. Re:Too drastic? by creideiki · · Score: 3, Insightful

      It's a bit of a faff though, and I suspect many people will either not understand how to, not bother, or forget at least one address.

      Agreed. I think the optimal solution is to allow for independently certified e-mail. Certification authorities would raise the bar (by requiring REAL forms of ID) for getting a user id which would need to map to a public key. Normal users could have this taken care of by their ISP; after all, they know who's paying for the service. This id would be guaranteed by the certification authority to map to a person or business, though, to protect privacy, no personal information would be stored - only for creating an ID hash.

      Recipients should be able to file a complaint once per message per sender. The rating of a person or business would be cumulative (though possibly normalizing toward zero over time as old ratings "drop off"); recipients could just set a maximum evil amount or whitelist specific ids/keys that'd otherwise be considered too evil. This makes it very easy for recipients as they don't have to do much work and they can still receive mailings that they just signed up for.

      If a spammer or some other malicious type sends out a million messages and everyone complains, he'd have to wait until his rating normalized before he could reasonably expect people to receive his messages again. Additionally, due to the requirements of proving who you are before getting an address, one couldn't just create another account (which also has the side-effect of ruining his other business ventures or his personal life as his only recourses would be a legal name change for himself or his business, or using non-certified e-mail).

      Just my two cents, but I firmly believe that it's the ease of getting an e-mail address and the vulnerability of implicit trust that allow spam to be rampant. Phone companies just don't give out numbers; a similar model for e-mail would be beneficial (though it would require the collaboration of ISPs and possibly independent certification authorities). Furthermore, spam is a technical problem and needs a technical solution, not a legal one.

    23. Re:Too drastic? by Anonymous Coward · · Score: 0

      One poster has continuously exaggerated, made up, or flat out lied about specific things on these sites. I have been harshest towards that poster, because there are enough bad sites out there that there is no need for misrepresentation.

      Lastly I just did not understand all those that called for Child Services to take Cindy away, Uncle Curt is a deviant, throw them in jail, etc.

      My position has been that you may disagree with the family's decision to make a site, you may find the site offensive, and you may want to have the site and family investigated or go through counseling, but to think we as non-perfect human beings should be calling out for hurtful and harmful things to happen to a family (including Cindy) based on a one hour show (less with commercials) is simply not right. We have to know more about a situation before making such charges. It feels like "lynch mentality" to me.

      That is my opinion and I thought I tried to present it reasonably. Most here have been quiet about it, some got upset. Moderation to sites or other solutions do not seem acceptable, it is: you are with us or you are a "bad person". Well I know I am not a bad person, but I can never join the crowd that is on the extreme about this issue.

      Thank you very much for your thoughtful post. I did think message boards were open for discussions and/or debate and that is what I was trying to promote

    24. Re:Too drastic? by letxa2000 · · Score: 2, Informative
      ISP's don't use it because it massively increases the load on their mail servers,

      I've recently implemented my own Bayesian system on my server. While my first cut was very CPU intensive, very straightforward techniques can make it extremely CPU-friendly. In fact, I'll bet my current Bayesian system is less CPU-intensive than a simple keyword-filter that has 5000 "keywords" in its database.

      I don't use SpamAssassin and can't comment on its toll on the CPU, but there is no inherent reason why a Bayesian system can't be deployed by ISPs. About the only drawback I see is that you have to store a corpus for each user and that ends up being between 1MB and 2MB per user. But disk space is cheap...

    25. Re:Too drastic? by letxa2000 · · Score: 2, Interesting
      This is moot anyway since spammers don't actually provide return email addresses.

      Oh, I'm sure they'd start using actual return addresses... at yahoo, hotmail, etc. As long as they (the free email accounts) last long enough to collect some challenges that's all they need. Even if the accounts are closed by hotmail you can still send email "from" that account.

      C/R doesn't even have a chance of working large-scale while there are free email providers such as Yahoo.

      And even if it does, as someone else said, you just start sending spam with email addresses that have a high chance of being whitelisted. orders@amazon.com, orders@cdnow.com. So now instead of sending 1 spam to each user they'll send the same message 100+ different times from different addresses that they have concluded are more likely to be whitelisted in the hopes that one of them actually is whitelisted.

      At best, C/R doubles spam traffic by generating a C/R request for each spam sent--now instead of just getting bounces sent to some poor innocent victim, the innocent victim will get bounces plus thousands of C/R requests. At worst, spammers will take the brute-force approach mentioned above of sending hundreds of copies of the same spam to every user using different "common" whitelisted email addresses. Either way the spam problem arguably gets worse, not better.

    26. Re:Too drastic? by iangoldby · · Score: 1

      Recipients should be able to file a complaint once per message per sender. The rating of a person or business would be cumulative (though possibly normalizing toward zero over time as old ratings "drop off"), recipients could just set a maximum evil amount

      I love it! Slashdot Karma for email 8-) Who will metamoderate the users?

    27. Re:Too drastic? by valmont · · Score: 1
      first off, this feature is OPTIONAL, on an OPT-IN basis. A user will have to make the conscious choice of activating this feature. So the poster's claim that the day it is turned on, all mailing lists will fail is FALSE. Second, NO MAIL IS EVER LOST, it just goes to a holding box. The user can quickly notice if they've forgotten to add an address to a whitelist. Third, mailing lists or any originating email address for that matter can be added to a user's whitelist. The interface makes this all very practical and highly painless.

      TAKE THIS UP YOUR ASS ALAN RALSKY

    28. Re:Too drastic? by valmont · · Score: 1

      ALL YOU HAVE TO DO IS NOT TURN THE FEATURE ON. Again, EarthLink's spam blocker feature is on an OPT-IN ONLY BASIS. This feature is NOT for everyone, it is only for people who make the conscious choice to activate it. Furthermore, checking your holding box won't be more painful than checking your real box. at all. And you can add any arbitrary address, even invalid return address to your whitelist. easily. EarthLink did score big time.

    29. Re:Too drastic? by valmont · · Score: 1

      please mod parent up. people don't seem to grok the very simple fact that this feature is OPTIONAL ONLY, users must make a conscious choice to activate it. While it is not the end-all be-all solution, it is *a good* partial solution to a complex problem which would still remain complimentary to other initiatives such as legal actions and improvements of the SMTP protocol.

    30. Re:Too drastic? by valmont · · Score: 1
      uhm okay. then all the user has to do in the first place is to not whitelist the spammer. Tell me how in the world a spammer could effectively manage to trick a single user, much less multiple users into believing they are their friends? They'd have to:

      1) get past the initial challenge-response step which offers the spammer an image whose content they must identify and replicate to prove they are a human being. There currently is no known automated way of doing this.

      2) trick the potential future recipient of their email into believing they are friendly to whitelist them.

      Even if they make it past 1) and 2), since the originator's email must remain somewhat valid, if the user gets spammed en-masse, he/she can easily cut their balls off for good.

      I challenge you to find a flaw in this system. The Bayesian system you believe in ALSO uses the concept of a holding box, just like the earthlink system does.

      The only difference is that a Bayesian system can still yield algorithm-induced false positives while enforcing passiveness on the email user's side.

      The C/R model puts the control into the hands of the user. This may or may not be a good thing, but if the interface is friendly enough and the explanations clear enough, this should definitely be a GOOD THING.

      Also, when you consider the fact that this system can only be activated on a user's mailbox if the user chooses to activate it, things are looking pretty good.

    31. Re:Too drastic? by corz · · Score: 1
      Unlike many mailing lists BugTraq doesn't set itself as the originator of the email, so all the emails appears to come from individuals who I haven't whitelisted. It's too onerous to keep checking the pending list for this one mailing list, so I have moved it further up in my procmail handling and deliver all mail *addressed to* BugTraq straight into my security folder. Problem solved.

      The TMDA filters can take advantage of simple wildcards in a rule. I use the following for mail from Bugtraq:

      from bugtraq-return-*@securityfocus.com ok

    32. Re:Too drastic? by valmont · · Score: 1

      Keep in mind that in this model, messages are not rejected, they are placed in a holding box. No message is ever lost unless the user takes the active step of deleting it. BIG, BIG difference. That holding box is conveniently surfaced in the user interface and identified as such, a holding box, NOT a trashcan or assumed spam box.

    33. Re:Too drastic? by corz · · Score: 2, Interesting
      Almost a year after Paul Graham's "A Plan For Spam" Bayesian is still the easiest system to develop as well as the easiest for the user to use. It is extremely effective (99.5%+) with very few false positives and doesn't require any additional effort for the sender and only requires that the user report false positives and false negatives--and that is mostly only needed at the beginning. Once it is initially tuned it's not necessary to do much of anything--it just keeps learning and working.

      Personally I use a combination of SpamAssassin's bayesian abilities along with TMDA, a challenge/response system. I only require confirmation for messages that SpamAssassin identifies as being over my threshold of 5. In my .tmda/filters/incoming file I have the following rule:

      pipe "/usr/bin/spamc -c" ok

      That means that if SpamAssassin says it's clean, then no confirmation is required and TMDA delivers the message to my inbox.

      Simple, effective, the best of both worlds.
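      Added example (not TMDA's own code) showing how the two rule forms quoted in this thread behave when evaluated TMDA-style, top to bottom with first match winning: the wildcard `from bugtraq-return-*@securityfocus.com ok` line from the Bugtraq post and the `pipe "/usr/bin/spamc -c" ok` line above. The `spamc` stand-in and the sample messages are constructed so the block runs offline; the real pipe runner is included but not used by the demo.

```python
"""
Simplified evaluator for TMDA-style incoming filter rules (added example, not
TMDA's code). It models the two rule forms quoted in this thread:

    from bugtraq-return-*@securityfocus.com ok
    pipe "/usr/bin/spamc -c" ok

Rules are tried top to bottom; the first match decides. A message matching no
rule falls through to the default action "confirm": hold it and challenge the
sender.
"""
import fnmatch
import shlex
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DEFAULT_ACTION = "confirm"


@dataclass
class Rule:
    kind: str      # "from" or "pipe"
    arg: str       # glob pattern for "from", command line for "pipe"
    action: str    # "ok" or "confirm" (the two actions used in the thread)


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; blank lines and '#' comments are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps a quoted command such as "/usr/bin/spamc -c" as one token
        parts = shlex.split(line)
        if len(parts) != 3 or parts[0] not in ("from", "pipe"):
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(Rule(kind=parts[0], arg=parts[1], action=parts[2]))
    return rules


def run_command(cmd: str, message: bytes) -> int:
    """Default pipe runner: feed the message on stdin, return the exit status."""
    proc = subprocess.run(shlex.split(cmd), input=message, capture_output=True)
    return proc.returncode


def evaluate(rules: List[Rule], sender: str, message: bytes,
             pipe_runner: Callable[[str, bytes], int] = run_command
             ) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching_rule); the first matching rule wins."""
    for rule in rules:
        if rule.kind == "from":
            # fnmatch supplies the '*' wildcard used in the Bugtraq rule. The
            # value matched is an address the sender chose, so a wildcard
            # whitelist admits anything that claims such an address.
            if fnmatch.fnmatchcase(sender.lower(), rule.arg.lower()):
                return rule.action, rule
        elif rule.kind == "pipe":
            # Same convention as spamc -c: exit 0 means clean, non-zero means spam.
            if pipe_runner(rule.arg, message) == 0:
                return rule.action, rule
    return DEFAULT_ACTION, None


# Constructed stand-in for "/usr/bin/spamc -c" so the example runs offline.
SPAMMY_PHRASES = (b"free money", b"click here now")


def fake_spamc(cmd: str, message: bytes) -> int:
    """Mimics spamc -c's exit code: 1 if the body looks like spam, else 0."""
    body = message.lower()
    return 1 if any(p in body for p in SPAMMY_PHRASES) else 0


FILTER_RULES = """
# whitelist the Bugtraq list traffic (rule quoted in the thread)
from bugtraq-return-*@securityfocus.com ok
# let SpamAssassin decide for everything else (rule quoted in the thread)
pipe "/usr/bin/spamc -c" ok
"""

# Constructed sample messages: name -> (sender address, raw message)
SAMPLES = {
    "bugtraq": ("bugtraq-return-12345@securityfocus.com",
                b"Subject: advisory\n\nDetails..."),
    "friend": ("alice@example.org", b"Subject: lunch?\n\nSee you at noon."),
    "spam": ("orders@amazon.com", b"Subject: hi\n\nFREE MONEY click here now"),
}


def classify_samples() -> dict:
    """Run every sample through the rules; returns name -> action."""
    rules = parse_rules(FILTER_RULES)
    return {name: evaluate(rules, sender, msg, pipe_runner=fake_spamc)[0]
            for name, (sender, msg) in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{name:8s} -> {action}")
```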

    34. Re:Too drastic? by jetlagQ · · Score: 1

      You're on the right track. The only way to solve this is to have every email accompanied by a second (non-email) transmission that includes payment information linking something encrypted and financial from the sender to something in the email. If the user doesn't like the email they can simply go somewhere and "charge" the sender using that information. Nice thing is:

      1. Spammers will pay out the wazoo.
      2. Legitimate companies doing online statements or order confirmations will not get charged back or can stipulate that any customers charging back will be either backcharged themselves or dropped.
      3. Joe user doesn't have to care.

      What do you think?

    35. Re:Too drastic? by evilviper · · Score: 1
      People who want to continue to receive messages from mailing lists, online banking, etc, will have to add these sources to their whitelist.

      Not necessarily... Mailing lists usually have a reply-to address that reaches a human. Since this is a big ISP doing this, I wouldn't be surprised if mailing list admins would weekly go through their inbox and reply to the challenges.

      The solution is to have the incoming messages moved into a 'holding' folder that the recipient can see, and check in just the same way as checking through a 'spam' folder.

      Which then makes this system more work than just deleting the spam. Now you check an inbox, then a spambox, set up whitelists, move messages, etc. Bah! Since Earthlink has decided to put this in place, I presume they've done a good enough job that tons of crap isn't needed on the part of the user. This is Earthlink, not Microsoft.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    36. Re:Too drastic? by Zaphod+B · · Score: 1

      This is exactly how Hotmail works with the Junk Mail filter set to Exclusive. It's a whitelist system. It reminds you to add people to your whitelist when you send them mail, and it filters everything not on your whitelist to the Junk Mail folder. You can allow entire domains, or entire blocks of IPs. I check mine every other day just to make sure nothing slips through, but other than the once-every-two-months or so "Member Services" e-mail touting their ridiculous pay-for-use service, I haven't had a spam in my Hotmail inbox since I started.

      --
      Zaphod B
      When duplication is outlawed, only outlaws will have /bin/cp
    37. Re:Too drastic? by letxa2000 · · Score: 1
      then all the user has to do in the first place is to not whitelist the spammer.

      A C/R system does not require the user to place the would-be spammer in the whitelist. C/R means that anyone can send the user a message but if the sender is not already whitelisted he is automatically sent a message with a "challenge." If the sender receives the challenge and goes through the automated system, the sender is automatically added to the user's whitelist and the message that was already sent is delivered--and subsequent messages will be delivered without a challenge (i.e. open door for spam).

      Best case scenario is that the sender sends a spam, gets the challenge, responds and the original spam is delivered--and the spammer immediately sends a ton more spam to the user. The user will obviously realize that the newly added address is a spammer and will remove it from the whitelist and add it to the blacklist, but unless he checks his email every minute or two he's going to have a ton of spam by the time he realizes what happens and removes the automatically-added whitelist entry for the spammer.

      Tell me how in the world a spammer could effectively manage to trick a single user, much less multiple users into believing they are their friends?

      He doesn't. The C/R system does NOT ask you, the receiver, if the sender should be added to your whitelist. C/R is precisely a system that asks the SENDER to PROVE that there is a human on that side. If the spammer spends the several seconds necessary to prove that, he is automatically added to the receiver's whitelist and can send all the garbage he wants UNTIL the receiver realizes the system has been duped and adds the address in question to the BLACKLIST.

      1) get past the initial challenge-response step which offers the spammer an image whose content they must identify and replicate to prove they are a human being. there currently is no known automated way of doing this.

      Maybe not automated, but if a spammer receives a C/R request and he KNOWS that if he takes 10 seconds to complete the C/R procedure that the spam he sent WILL be received then I suspect there ARE spammers that will do that. They don't want to spend 10 seconds per email now because they know most aren't even delivered--but if spending 10 seconds guarantees the spammer that the email will be placed in the inbox, it could very well be a worthwhile investment.

      2) trick the potential future recipient of their email into believing they are friendly to whitelist them.

      Please understand that a C/R system does NOT ask the future recipient to add them to the whitelist. By going through the C/R procedure that address is AUTOMATICALLY whitelisted. You don't have to convince the receiver of anything, you just need to convince the C/R system that there is a real human on the spammer side. That opens the door and then the spammer (or his spam buddies) can flood the email address with any number of spams until the receiver realizes that the system has whitelisted a spammer and the user specifically blacklists that user. But that won't stop spammers from doing it again with a different email address.

      i challenge you to find a flaw in this system.

      See above. I think you misunderstand what a C/R system involves. It does not require any action on behalf of the receiver. If the sender responds to the C/R, his email/spam is delivered until the receiver specifically blacklists that address--but the spammer can just do it again with another address.

      The Bayesian system you believe ALSO uses the concept of a holding box, just like the earthlink system does.

      Yes, but unlike the C/R/Earthlink system, it will not generate a C/R email for every spam received. Unlike the C/R system, the spammer cannot simply answer a challenge to get his spam into my inbox--he has to send me a message that doesn't have any of the traits of being spam. Simply put, a determined spammer will have an easier time getting throu

    38. Re:Too drastic? by vanyel · · Score: 1
      A mainsleazer at foo.com will simply start spamming his customer list with a From: of "confirm@foo.com" - Subject: "New Dealz from foo.com!"

      A good way to marginalize your business as you drive away all but the stupidest customers.

    39. Re:Too drastic? by RollingThunder · · Score: 1

      I'll bet my current Bayesian system is less CPU-intensive than a simple keyword-filter that has 5000 "keywords" in its database.

      I'm sure it is - but that's not the comparison the ISP is having to make.

      The ISP is generally running with virtually nothing, or perhaps is using some realtime blacklist.

      The RBLs aren't CPU dependent, they're latency dependent, so your hardware still trundles along just fine, although the messages may take a little longer to come in, and your DNS server gets more of a workout.

      Instead, the ISP is looking at going from no matching at all - just a simple user lookup, copy data to user folder, exit system, which is generally going to be I/O bound, to some kind of processing of the data. That's going to be a large difference from a "bare" mail server.

      If they've already got something else in place, then the difference won't be as drastic, but from what I've seen, most ISPs have a bare minimum on their mail servers and that's it.

    40. Re:Too drastic? by letxa2000 · · Score: 1
      The ISP is generally running with virtually nothing, or perhaps is using some realtime blacklist... If they've already got something else in place, then the difference won't be as drastic, but from what I've seen, most ISPs have a bare minimum on their mail servers and that's it.

      Well I can't argue with that. If they aren't running anything but sendmail it'll cost them a little more CPU time to do Bayesian, although I think you'd be surprised how little CPU time a well-developed Bayesian system requires.

      But, fact of the matter is, those ISPs that haven't deployed any anti-spam solutions yet will probably have to soon. The flood of spam demands it, and their users will demand it more and more as spam continues to increase.

      So if an ISP is considering an anti-spam solution there is no reason why Bayesian should be discarded as CPU intensive. In fact, it is one of the fastest, least CPU intensive spam filtering methods available.

    41. Re:Too drastic? by RollingThunder · · Score: 1

      Spam filtering, in general, doesn't actually save the ISP where it's getting hurt.

      A non-filtering ISP gets hit in two places:
      - storage
      - bandwidth

      When running filtering on the system, you generally DO NOT automatically bounce the message. Certainly not as an ISP, as the risk of a false positive is just too great. Instead, you tag it, and pass it on to the end user for them to decide what to do.

      So, you're still getting hit for:
      - storage
      - bandwidth
      and now you've added on more CPU cycles for the same amount of mail.

      I'm not saying they won't put this type of stuff in - but it won't alleviate the main problems they've been seeing, and it will put more load on the servers. If the servers were anywhere near CPU capacity, they'll need more iron to handle it. If they were just near I/O capacity, then they should be fine.

    42. Re:Too drastic? by letxa2000 · · Score: 1
      A non-filtering ISP gets hit in two places: - storage - bandwidth

      You're forgetting a third place that is potentially more critical in terms of profits: customer satisfaction. If their customers are receiving hundreds of spams per day they may very well be tempted to jump ship and go with another provider that either has better anti-spam technology or, at the very least, will give them a new email address to start from scratch.

      When running filtering on the system, you generally DO NOT automatically bounce the message.

      Agreed. But if you are running a Challenge/Response system and a message comes to a user who is "new" for that user, the C/R system automatically generates a challenge email that it sends back to the sender. That is automatic. And when it's spam a challenge will be sent to the "sender" of every spam, even though many spams don't even have a valid "from" address. So if it sends a challenge to an invalid email address that's when you could get a bounced message.

      Instead, you tag it, and pass it on to the end user for them to decide what to do.

      That's the way spam FILTERS work, but that's not the way a challenge/response system works--which I believe is what we were originally talking about.

      So, you're still getting hit for: - storage - bandwidth and now you've added on more CPU cycles for the same amount of mail.

      Storage is relatively cheap (although not free, I agree). Bandwidth is being consumed by spam anyway whether you filter it or not. If you implement a C/R system you'll end up consuming MORE bandwidth because you'll have to send a C/R email for every spam that comes in. As for CPU cycles, I agree it requires fewer CPU cycles to do nothing about spam (in the short term). But in the long-term doing nothing may cause you to lose customers to ISPs that ARE doing something about it, and will also result in more spam since more spam will get to users which will tend to drive up response rates encouraging more spam. You can't use CPU cycles as a justification for not doing anything. Doing nothing is the worst thing an ISP can do as it relates to customer satisfaction and encouraging even more spam in the future.

      but it won't alleviate the main problems they've been seeing, and it will put more load on the servers.

      Again, you have to do something about spam to avoid customer dissatisfaction in the short-term and to avoid encouraging more spam in the future. Either of these aspects is going to be much more expensive than the cost of the server load. And if you do nothing and spam volume continues to increase you're going to start reaching server capacity anyway. So you can spend CPU cycles filtering out the spam or you can spend CPU cycles accepting ever-increasing amounts of spam that give your customers an ever-increasing motivation to cease being your customers.

      If the servers were anywhere near CPU capacity, they'll need more iron to handle it.

      Cost of doing business, I'm afraid. First, if they were near CPU capacity they probably should upgrade their hardware anyway to handle peak load. And, again, I'm not saying that battling spam is free or even cheap. But it's a battle that has to be fought and I believe the best way to do it is with Bayesian, not C/R systems.

    43. Re:Too drastic? by valmont · · Score: 1

      please mod parent way up.

    44. Re:Too drastic? by Anonymous Coward · · Score: 0

      >> If challenge-response is largely deployed, I suspect spammers will just unite such that one spammer sends a message, gets the challenge, answers it and is then "unlocked" to send message. He'll then distribute that email address in real-time to dozens or hundreds of other spammers who will send their spam immediately with the same newly-unlocked address.

      So, what's the cost of an e-mail? Let's say somebody built a system that would queue up the challenges, and present them to a human, who could respond to those challenges at the rate of 1 per second. 3,600 an hour; roughly 30K a day, or 150K in 5 days, by which time the first e-mail addresses start to expire, and you have to do it all over again. (The system would send these addresses to various spammers quickly, so they'd be used quite a bit in that week.) So, that's 150K addresses per person. You employ this person in a third-world village for, let's say, $20 / month, or $5 a week, so that's $0.03 per 1,000 addresses.

      Admittedly, this is a lower bound (150K a week is probably high, and $20 a month is probably low), but yeah, it pencils out.

    45. Re:Too drastic? by Reziac · · Score: 1

      Having RTFA (I know, it's embarrassing :) it seems the entire challenge/response program is optional for Earthlink customers.

      As an ELN customer, I do NOT plan to use it, since whitelists are not practical for me (customers who email me out of the blue, mailing lists, order confirms, etc. probably account for half my incoming mail).

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    46. Re:Too drastic? by Reziac · · Score: 1

      More like, instead of doing a good business selling confirmed-live email addresses, spammers will do a good business selling confirmed-good challenge-response keys.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    47. Re:Too drastic? by SpaceDogDN · · Score: 1
      If challenge-response is largely deployed, I suspect spammers will just unite such that one spammer sends a message, gets the challenge, answers it and is then "unlocked" to send message. He'll then distribute that email address in real-time to dozens or hundreds of other spammers who will send their spam immediately with the same newly-unlocked address.

      This can easily be overcome by initially limiting the number of messages a newly whitelisted email address can send in one day. If the user sends a user-configured number of emails to this address, the emails-per-day restriction is automatically lifted, and the user has the option of removing the restriction manually. In this way, spammers can only use the whitelisted email address a few times before further emails are blocked.
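      To make the mechanics argued over in this thread concrete, here is an added toy model of a C/R mailbox; it is not EarthLink's or TMDA's code and all addresses are constructed. It shows the point letxa2000 makes above (answering a challenge auto-whitelists the sender with no action by the recipient, so a spammer who answers once can then flood) and the per-day cap on newly whitelisted senders proposed in the post above, lifted once the user has mailed that address a configured number of times; the rule that a challenge is never answered with another challenge is my assumption, not something the article describes.

```python
"""
Toy challenge/response (C/R) mailbox. Added example for this thread, not
EarthLink's or TMDA's code. It models:

  * mail from an unknown sender is held (not dropped) and a challenge goes out;
  * answering the challenge whitelists the sender automatically, with no action
    by the recipient, so an answered challenge opens the door;
  * a per-day cap on senders whitelisted by a challenge answer, lifted once the
    owner has sent that address a configured number of mails;
  * a challenge is never itself challenged (assumed loop guard between C/R users).
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    is_challenge: bool = False
    token: str = ""          # set on challenge messages only


@dataclass
class Entry:
    auto: bool               # True when added by a challenge answer
    sent_to: int = 0         # mails the owner has sent to this address
    today: int = 0           # deliveries today while the cap applies


class CRMailbox:
    def __init__(self, owner: str, daily_cap: int = 3, trust_after_sent: int = 2):
        self.owner = owner
        self.daily_cap = daily_cap
        self.trust_after_sent = trust_after_sent
        self.whitelist: Dict[str, Entry] = {}
        self.blacklist: Set[str] = set()
        self.inbox: List[Message] = []
        self.holding: Dict[str, List[Message]] = {}   # sender -> held mail
        self.challenges: List[Message] = []           # challenges we sent out
        self.pending: Dict[str, str] = {}             # token -> sender

    def receive(self, msg: Message) -> str:
        """Process one inbound message; returns what happened to it."""
        if msg.is_challenge or msg.sender in self.blacklist:
            # Loop guard: never answer a challenge with a challenge.
            # Blacklisted mail is held rather than lost.
            self.holding.setdefault(msg.sender, []).append(msg)
            return "held"
        entry = self.whitelist.get(msg.sender)
        if entry is None:
            self.holding.setdefault(msg.sender, []).append(msg)
            if msg.sender not in self.pending.values():   # one open challenge per sender
                token = secrets.token_hex(8)
                self.pending[token] = msg.sender
                self.challenges.append(Message(self.owner, msg.sender,
                                               "Please confirm your message",
                                               is_challenge=True, token=token))
            return "challenged"
        capped = entry.auto and entry.sent_to < self.trust_after_sent
        if capped:
            if entry.today >= self.daily_cap:
                self.holding.setdefault(msg.sender, []).append(msg)
                return "capped"
            entry.today += 1
        self.inbox.append(msg)
        return "delivered"

    def answer_challenge(self, token: str) -> bool:
        """Sender proved there is a human: auto-whitelist and release held mail."""
        sender = self.pending.pop(token, None)
        if sender is None:
            return False
        self.whitelist.setdefault(sender, Entry(auto=True))
        for held in self.holding.pop(sender, []):
            self.receive(held)          # re-run so the daily cap still applies
        return True

    def send(self, to: str) -> None:
        """Outgoing mail: the owner wants replies, so whitelist with no cap."""
        entry = self.whitelist.setdefault(to, Entry(auto=False))
        entry.sent_to += 1

    def blacklist_sender(self, addr: str) -> None:
        self.whitelist.pop(addr, None)
        self.blacklist.add(addr)


def flood_after_answer(daily_cap: int, extra_mails: int = 10) -> int:
    """A sender answers one challenge, then sends extra_mails more the same day.
    Returns how many of that sender's mails reached the inbox."""
    box = CRMailbox("user@example.net", daily_cap=daily_cap)   # constructed
    spammer = "promo@spam.example"                              # constructed
    box.receive(Message(spammer, box.owner, "offer #0"))
    box.answer_challenge(box.challenges[-1].token)   # the challenge is answered once
    for i in range(1, extra_mails + 1):
        box.receive(Message(spammer, box.owner, f"offer #{i}"))
    return sum(1 for m in box.inbox if m.sender == spammer)


def correspondent_not_challenged() -> str:
    """The owner mailed Bob first, so Bob's reply is delivered unchallenged."""
    box = CRMailbox("user@example.net")                         # constructed
    box.send("bob@example.org")
    return box.receive(Message("bob@example.org", box.owner, "Re: lunch"))


if __name__ == "__main__":
    print("no cap  :", flood_after_answer(daily_cap=10**9))   # 11
    print("cap of 3:", flood_after_answer(daily_cap=3))       # 3
    print("reply from someone I wrote to:", correspondent_not_challenged())
```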
  3. How do two people with C/R communicate? by corsec67 · · Score: 5, Insightful

    How do two people with challenge and response communicate?
    If the challenge always gets through, then the spammer will just issue challenges as spam.
    If they don't get through, then you would have a nasty mail loop.

    --
    If I have nothing to hide, don't search me
    1. Re:How do two people with C/R communicate? by Nutcase · · Score: 2, Insightful

      very good point. I would mod you up if I could.

      You can't have an automated challenge/response system, because that defeats the point.

      You can't have a non C/R address for the challenges to be sent to, because it would end up getting spammed.

      Basically, there is a no-communications barrier in place until they communicate.. which makes no sense.

    2. Re:How do two people with C/R communicate? by PerlGuru · · Score: 1

      With most systems you can automatically add addresses from your address book and addresses from outgoing mail; problem solved. Of course that's just one problem. I don't really know where I stand on this issue, but I think it is a good thing to have out there so people can choose for themselves.

    3. Re:How do two people with C/R communicate? by grantsellis · · Score: 1
      How do two people with challenge and response communicate?
      If the challenge always gets through, then the spammer will just issue challenges as spam.

      Would it be hard to add a few lines to a C/R program so that you remember addresses you've sent mail to?

      At least, if they don't use the lame C/R my brother uses, which sends its challenge from a different address than the one you send to.

      :)
    4. Re:How do two people with C/R communicate? by IIEFreeMan · · Score: 3, Interesting

      > How do two people with challenge and response communicate?
      > If the challenge always gets through, then the spammer will just issue challenges as spam.
      > If they don't get through, then you would have a nasty mail loop.

      In TMDA (a challenge/response system in Python), at least, when you send an email to somebody, they don't get a challenge when they answer. It's logical, because if you send him an email, you know he will not spam you :)
      So I assume Earthlink's system will act the same.

    5. Re:How do two people with C/R communicate? by stratjakt · · Score: 4, Informative
      The way I read it, Earthlink, upon receiving an e-mail, sends a challenge to the email sender. If the e-mail sender responds, it delivers the mail.

      From the article:


      When someone sends an e-mail to a challenge-response user, he or she gets an e-mail back asking to verify that the sender is a live person.

      Once the sender does that by replicating a word or picture displayed on the screen, the original e-mail is allowed through. The system automatically recognizes future e-mails from the same sender, so the verification needs only to be performed once. Without the verification, the e-mail is not delivered.


      So if Earthlink people are on your mailing list, you'll get a challenge next time you send it out. It should only happen once, and from then on, your email addy is "legit".

      It's not like you get 9000000 challenges from everyone on the list. But if every ISP did it, you'd get a challenge from every ISP on the list.

      This is the first step towards email being such a pain in the ass, that people just no longer bother using it.

      Kiss SMTP and POP3 goodbye.
      --
      I don't need no instructions to know how to rock!!!!
    6. Re:How do two people with C/R communicate? by Garion911 · · Score: 3, Interesting

      One idea: any emails you send out, the recipient is automatically added to the "ok, let through" list.

      --
      Slashdot is like Playboy: I read it for the articles
    7. Re:How do two people with C/R communicate? by Chester+K · · Score: 4, Informative

      How do two people with challenge and response communicate?

      My C/R setup (TMDA) automatically puts anyone I send email to on my whitelist; therefore I'd get their challenge message.

      --

      NO CARRIER
    8. Re:How do two people with C/R communicate? by SomeoneGotMyNick · · Score: 2, Insightful

      The challenge is probably a randomly generated code to be returned before the original e-mail gets sent to the intended recipient.

      Most spammers use fake return addresses anyway. The challenge will never arrive and the mail gets tossed. Thus, it never gets to the recipient. Voila, one less potential viagra purchase.

    9. Re:How do two people with C/R communicate? by esme · · Score: 4, Informative
      Here's how it works:
      1. Alice sends an email to Bob.
      2. Bob is automatically added to her access list (b/c she's sending him mail, he's not a spammer).
      3. Bob's mail server sends a confirmation request.
      4. Alice receives the confirmation request and responds.
      5. Original message is delivered to Bob.

      -Esme

    10. Re:How do two people with C/R communicate? by demonlapin · · Score: 1
      Thank you, thank you, thank you, for spelling "voila" correctly.

      You're probably right about the method, though; the post someone made about OCR ignores that it is brutally computationally- and bandwidth-intensive to do that for every single message they want to be received. (Imagine having to C/R every single spam.)

    11. Re:How do two people with C/R communicate? by blibbleblobble · · Score: 1

      "My C/R setup (TMDA) automatically put anyone I send email to on my whitelist; therefore I'd get their challenge message."

      Okay, what happens when someone sends spam "from" someone on your whitelist?

    12. Re:How do two people with C/R communicate? by hamsterboy · · Score: 1

      So you have to email all your friends and family before they can email you? How else can somebody get on your whitelist?

    13. Re:How do two people with C/R communicate? by Anonymous Coward · · Score: 0

      1. Spammer sets up account on public server like Yahoo.
      2. Spammer sends out 1 email to earthlink. Replies to the challenge-response system.
      3. Address is now in earthlink's database.
      4. Spammer spams earthlink from email address that was valid for precisely 1 use. Yahoo gets to clean up mess left by spammer.

      The only thing accomplished is to add an extra step into the process for the spammer --or-- the challenge/response has to be on a per-user basis, in which case, you've now added in a new problem.

    14. Re:How do two people with C/R communicate? by 1729 · · Score: 4, Interesting
      You can't have an automated challenge/response system, because that defeats the point.

      That's not true. There is an approach where you show a "proof of computational effort"; that is, your computer spends 10 or so seconds computing the response to a challenge. Here's a paper on the subject.
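The "proof of computational effort" idea in the post above, worked as an added example that is not part of the original thread: a hashcash-style stamp the sender mints once per recipient address, which the receiver checks with a single hash. This is constructed code, not the hashcash tool's own; it keeps hashcash's `ver:bits:date:resource:ext:rand:counter` layout but uses SHA-256 instead of SHA-1, and the difficulty (`bits`) is a tunable assumption, which is what lets the cost be stepped up from year to year.

```python
"""Added example: hashcash-style proof-of-work stamp for mail. Constructed for
illustration; not the hashcash project's code. The minter spends roughly
2**bits hashes, the verifier spends one."""
import hashlib
import os
import time


def leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(resource, bits, date=None, rand=None):
    """Sender side: search for a counter that gives `bits` leading zero bits.
    `resource` is the recipient address the stamp is good for."""
    date = date or time.strftime("%y%m%d")
    rand = rand or os.urandom(8).hex()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, min_bits, seen=None):
    """Receiver side: parse the stamp, check it is for us and at least as hard
    as we demand, recompute one hash. `seen` (a set) rejects replays, since the
    same stamp is otherwise reusable for the same recipient."""
    try:
        ver, bits, _date, res, _ext, _rand, _counter = stamp.split(":")
        bits = int(bits)
    except ValueError:
        return False
    if ver != "1" or res != resource or bits < min_bits:
        return False
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False
    if seen is not None:
        if stamp in seen:
            return False
        seen.add(stamp)
    return True
```

Raising `bits` by one doubles the sender's work and costs the receiver nothing, so the difficulty can track hardware; a real deployment also expires stamps by `date` so the replay set stays bounded.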

    15. Re:How do two people with C/R communicate? by Paul+Neubauer · · Score: 1


      That works fine, most of the time. There will be times, such as I experienced recently, where I had an old address and got a reply from a new address.

      Getting challenged to reply will annoy people.

      While C&R seems like a good idea, the resistance it will encounter will be one misplaced burden - the burden falls on non-spammers, who have done nothing wrong. This will cause offense, no matter how well-intended it may be.

      --
      I don't subscribe to RMS's GNUtopian vision.
    16. Re:How do two people with C/R communicate? by aster_ken · · Score: 1

      SMTP was designed in the days where network administrators could trust each other. There was no spyware. There were very few viruses. Open relays were not only common, but it was considered "rude" not to have one. Software was distributed as source code so that everyone could benefit... Ah, the good ol' days.

      Unfortunately, commercial interests, greed, and stupidity have perverted all of that. SMTP needs to be rewritten to take these "bad things" into account. There was a recent Slashdot article about this: The Case for Rebuilding The Internet From Scratch.

      It must be done eventually. Unfortunately, it will take a lot of people a long time to get it out to the "masses". Look how long it's taken us to get absolutely nowhere with IPv6!

    17. Re:How do two people with C/R communicate? by tacocat · · Score: 2, Insightful

      True. But now the mail administrator has to deal with thousands of spam mail that doesn't get a reply.

      And how long are they supposed to wait for a response. Remember, email is not supposed to be a Real Time system. Email servers frequently have a delivery retry schedule of about 4 days. That would mean that Earthlink has to carry the entire spam volume of four days in some kind of mail pending queue and to periodically attempt a redelivery.

      I've tried this myself. When you can easily run 100+ spams per day per account, imagine what you are going to be dealing with for an entire ISP. You can easily scale into the million email queue.

      Their servers will not be able to handle their entire population and the resulting network load on themselves and everyone else will be prohibitive.

      Consider this. AOL and HOTMAIL are the largest spam address sources, real or imaginary. So, when they get spam from AOL, they have to attempt a delivery. If AOL's system doesn't allow for immediate failures based on "address unknown" then EarthLink will hit AOL with thousands of bogus email delivery attempts. Now the two goliaths are beating each other to death over bandwidth.

      Someone will be suing for a DoS attack.

    18. Re:How do two people with C/R communicate? by Ed+Avis · · Score: 1

      Hmm, I was going to respond saying 'shouldn't there be a grave accent, as voilà?' but apparently this isn't used in English.

      About OCR: I don't think it is computationally expensive, or at least even if it is now it will not be in five years' time. If you want to inflict computing expense on spammers you need a system which can be easily stepped up from year to year.

      However, challenge/response does require that the sending address exist in order to reply to the challenge. You can't set up an account, send millions of messages and then scram. You have to wait around for the challenges to arrive and then try to answer them. The longer the delay between original message and getting a challenge, the harder life becomes for spammers, but also a long delay spoils the point of email.

      What I'd expect spammers to do is spoof the headers so that mail appears to be from random addresses. If there's one resource spammers can be guaranteed to have at their disposal it's a list of random addresses :-(. Then the challenges will be sent to random users. If those users are accustomed to responding to challenges they may fill them out so the spam is delivered. Of course if spammers adopt this tactic then people will have to wade through a mass of challenges in their inbox, sorting the few genuine ones from the mass of spam.

      There is a small possibility for improvement in that the mail client could discard challenges that don't correspond to any message in the sent-mail folder, but doing that automatically would require a machine-readable format for challenge messages. (The puzzle itself can require human intelligence, but the stuff about 'you tried to send a message to x@y.com and its content had MD5 sum 43243242' could be in a standard format.)

      Bandwidth is also a good point. The trouble is that any bandwidth costs you inflict on the spammer you also inflict on yourself and other ISPs.

      --
      -- Ed Avis ed@membled.com
    19. Re:How do two people with C/R communicate? by kiatoa · · Score: 1

      As has been mentioned elsewhere in this discussion: take a look at http://sourceforge.net/projects/a-s-k. Those guys have already figured out most of the questions being asked here. Setting up ASK is on my to-do list for sure...

      --
      90% of the wealth is in 2% of the pockets. Bummer to be in the majority.
    20. Re:How do two people with C/R communicate? by SomeoneGotMyNick · · Score: 1

      Thank you, thank you, thank you, for spelling "voila" correctly.

      No problem. After all, "Voila is not a musical instrument" :)

    21. Re:How do two people with C/R communicate? by platypus · · Score: 2, Interesting

      And what happens if ReplyTo != From ?

    22. Re:How do two people with C/R communicate? by Anonymous Coward · · Score: 0

      "Consider this. AOL and HOTMAIL are the largest spam address sources, real or imaginary."

      Huh? Try yahoo.com; so many forged addresses that it is not even funny.

    23. Re:How do two people with C/R communicate? by makapuf · · Score: 1

      6. Bob thanks Alice about her penis enlargement method.

    24. Re:How do two people with C/R communicate? by Gunfighter · · Score: 1

      The confirmation messages are sent to the Return-Path: header address. If you're using TMDA (or similar products) correctly, you will receive the user's confirmation request and be able to confirm delivery of your original message.

      Click here for an explanation of the TMDA way.

      -- Gun

      --
      -- Stu

      /. ID under 2,000. I feel old now.
    25. Re:How do two people with C/R communicate? by orthogonal · · Score: 1

      Thank you, thank you, thank you, for spelling "voila" correctly

      No, no, it's spelled viola. Like viol, or violin.

      As in, "Voilà! I finally played Eine Kleine Nachtmusik correctly on my viola!"

    26. Re:How do two people with C/R communicate? by demonlapin · · Score: 1
      I'm fairly certain that British English would use the accent grave, and I almost mentioned that in my post, but accents in originally-French words are almost always excluded from the American spelling for the simple reason that we don't have keys on our keyboards for them. As a result, we don't know where they belong, even if we're aware that they should be present.

      Your concerns are well-founded, but I'd go a step further: the next Outlook-address-book-reading virus won't do anything except send the spammer your address book, which will logically consist exclusively of whitelisted email addresses.

      It's a nice step forward, though. I didn't mean to imply that OCR was terribly expensive, just that it's hard enough to do it for tens of millions of messages that it will tend to cut down on spam.

    27. Re:How do two people with C/R communicate? by Anonymous Coward · · Score: 0

      That's not necessary. Being able to receive the challenge is enough proof that you aren't a spammer. Spammers don't fake FROMs for laughs, you know...

    28. Re:How do two people with C/R communicate? by BlackHawk-666 · · Score: 1

      It's a textfile...how about you type their email address in and save the file?

      --
      All those moments will be lost in time, like tears in rain.
    29. Re:How do two people with C/R communicate? by Ed+Avis · · Score: 1

      You don't need a special key to type an accented 'a', you just press the normal key slightly harder.

      --
      -- Ed Avis ed@membled.com
    30. Re:How do two people with C/R communicate? by Anonymous Coward · · Score: 0

      Here's how it gets attacked:
      1. Mallory sends an email to Bob spoofing Alice's email
      2. Bob's mail server sends a confirmation request
      3. Alice's mail server sends a confirmation request
      4. Bob's mail server sends a confirmation request
      5. Alice's mail server sends a confirmation request ...
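The loop in the post above, and the Alice/Bob confirmation flow given earlier in this thread, simulated as an added example that is not part of the original discussion and is not TMDA's or Earthlink's code. Two toy C/R servers are modelled; outbound mail auto-whitelists the recipient, and the loop is broken by the convention RFC 3834 lays down for auto-responders: send challenges with a null reverse-path (`MAIL FROM:<>`) and never auto-respond to mail that arrives with one. The hop cap and in-memory routing are assumptions of the simulation.

```python
"""Added example: two toy challenge/response servers. Constructed for this
thread; not any product's code. Compares a server that follows the RFC 3834
null-sender rule with a naive one that challenges everything."""
from dataclasses import dataclass, field


@dataclass
class Msg:
    env_from: str            # SMTP envelope sender; "" is the null reverse-path <>
    to: str
    body: str
    challenge: bool = False  # set on auto-generated challenge messages


@dataclass
class CRServer:
    domain: str
    rfc3834: bool = True     # False: naive server that challenges even <> mail
    whitelist: dict = field(default_factory=dict)   # user -> {accepted senders}
    inbox: dict = field(default_factory=dict)       # user -> delivered messages
    pending: dict = field(default_factory=dict)     # (user, sender) -> held message
    outbox: list = field(default_factory=list)      # waiting for transport

    def _deliver(self, m):
        self.inbox.setdefault(m.to, []).append(m)

    def send(self, user, to, body):
        # Mail the user sends whitelists the recipient, so a reply is not challenged.
        self.whitelist.setdefault(user, set()).add(to)
        self.outbox.append(Msg(env_from=user, to=to, body=body))

    def receive(self, m):
        user = m.to
        wl = self.whitelist.setdefault(user, set())
        if self.rfc3834 and m.env_from == "":
            self._deliver(m)             # never auto-respond to <>: no loop is possible
            return
        if m.env_from in wl:
            self._deliver(m)
            return
        # Unknown sender: hold the mail and challenge the envelope sender.
        self.pending[(user, m.env_from)] = m
        env = "" if self.rfc3834 else user
        self.outbox.append(Msg(env_from=env, to=m.env_from,
                               body=f"please confirm your mail to {user}", challenge=True))

    def confirm(self, user, sender):
        """The sender answered: release the held mail and whitelist them."""
        m = self.pending.pop((user, sender))
        self.whitelist.setdefault(user, set()).add(sender)
        self._deliver(m)


def run(servers, max_hops=50):
    """Route queued mail between servers until quiet or `max_hops` transfers."""
    by_domain = {s.domain: s for s in servers}
    hops = 0
    while hops < max_hops:
        moved = False
        for s in servers:
            while s.outbox and hops < max_hops:
                m = s.outbox.pop(0)
                by_domain[m.to.split("@", 1)[1]].receive(m)
                hops += 1
                moved = True
        if not moved:
            break
    return hops


def legit_exchange():
    """Alice mails Bob, gets exactly one challenge, answers it, Bob gets the mail."""
    a, b = CRServer("a.example"), CRServer("b.example")
    a.send("alice@a.example", "bob@b.example", "hi bob")
    run([a, b])
    challenges = [m for m in a.inbox.get("alice@a.example", []) if m.challenge]
    b.confirm("bob@b.example", "alice@a.example")
    return len(challenges), [m.body for m in b.inbox.get("bob@b.example", [])]


def spoof_loop(rfc3834):
    """Mallory injects mail to Bob with Alice's address as envelope sender.
    Returns how many messages crossed the wire before the network went quiet."""
    a, b = CRServer("a.example", rfc3834), CRServer("b.example", rfc3834)
    b.receive(Msg(env_from="alice@a.example", to="bob@b.example", body="spam"))
    return run([a, b], max_hops=50)
```

With the null-sender rule the spoofed message costs one stray challenge landing in Alice's inbox and nothing more; the naive pair ping-pongs until the hop cap stops the simulation. The stray challenge is the residue discussed elsewhere in the thread: Alice's client could discard it by noticing she never mailed Bob.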

    31. Re:How do two people with C/R communicate? by Anonymous Coward · · Score: 0

      Alice and Bob sure do spend a lot of time on electronic communication. They should just move in together, already, and just talk to each other. It'd save an awful lot of effort on the part of the research community trying to keep their relationship going.

    32. Re:How do two people with C/R communicate? by Anonymous Coward · · Score: 0

      Having 90% of my dial-up time wasted downloading html/javascript/flash/mpeg junk mail is the first step to making email such a PITA that I don't want to use it--or risk having the kids see it!

    33. Re:How do two people with C/R communicate? by corz · · Score: 1
      See this TMDA FAQ for its solution. Of course, the Earthlink folks may have some other method, but my point is that it is not necessarily a problem.

    34. Re:How do two people with C/R communicate? by corz · · Score: 1

      Obviously it gets through. But that's not the point; TMDA is a Spam _Reduction_ system. There are no claims that you will never receive spam again. Is your whitelist going to be filled with so many users that it's possible a spammer may figure out who is in your list and try targeting you specifically? Of course not. Spammers spam because it is economical for them to do so. If they begin spending a great deal of time trying to figure out ways around your whitelist then you are causing more work for the spammer, and it's not as economical for him anymore. Give the whole process some thought; you will see that challenge/response systems are actually very nice.

    35. Re:How do two people with C/R communicate? by Chester+K · · Score: 1

      So you have to email all your friends and family before they can email you? How else can somebody get on your whitelist?

      Challenge/Response. If someone not on my whitelist sends me an email, they get an automated challenge email they need to reply to before their original message will get delivered. They're also added to the whitelist when they reply. The challenge message comes with a cryptographically created Reply-to address which verifies that they're actually responding to the challenge and not just trying to circumvent it.

      --

      NO CARRIER
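The "cryptographically created Reply-to address" mentioned above, worked as an added example that is not part of the original post and not TMDA's code: the confirm address carries a timestamp and an HMAC over the timestamp and the challenged sender, so a reply is only honoured if it comes from the address that was challenged, within the validity window, and with a tag the server itself minted. The secret, the address layout and the one-week TTL are assumptions.

```python
"""Added example: HMAC-tagged confirmation addresses for a C/R mailer, in the
spirit of TMDA-style confirm addresses. Constructed here; not TMDA's or
Earthlink's code. Secret, TTL and layout are assumptions."""
import hashlib
import hmac
import re
import time

SECRET = b"per-mailbox secret kept on the server"   # assumption: never leaves the server
TTL = 7 * 24 * 3600                                   # assumption: challenges expire after a week
TAG_LEN = 16                                          # hex chars of the HMAC kept in the address

ADDR_RE = re.compile(
    r"^(?P<user>[^@]+?)-confirm-(?P<ts>\d+)-(?P<tag>[0-9a-f]{16})@(?P<domain>[^@]+)$")


def _tag(ts, sender, secret):
    # The tag binds the timestamp and the challenged sender, so a reply from a
    # different address (Reply-To != From, or a challenge forwarded to a third
    # party) fails verification.
    msg = f"{ts}:{sender.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def confirm_address(user, domain, sender, now=None, secret=SECRET):
    """Reply-To address placed in the challenge sent to `sender`."""
    ts = int(time.time() if now is None else now)
    return f"{user}-confirm-{ts}-{_tag(ts, sender, secret)}@{domain}"


def verify_reply(to_addr, reply_sender, now=None, secret=SECRET):
    """Validate a reply that arrived at a confirm address.
    Returns (user, sender) on success; None for a malformed address, a stale
    or future timestamp, a forged tag, or a reply from the wrong sender."""
    m = ADDR_RE.match(to_addr)
    if m is None:
        return None
    ts = int(m["ts"])
    now = int(time.time() if now is None else now)
    if not 0 <= now - ts <= TTL:
        return None
    expected = _tag(ts, reply_sender, secret)
    if not hmac.compare_digest(expected, m["tag"]):
        return None
    return m["user"], reply_sender.lower()


def handle_confirmation(state, to_addr, reply_sender, now=None):
    """state = {"whitelist": {user: set()}, "pending": {(user, sender): held msg}}.
    On a valid reply, whitelist the sender and return the released message."""
    r = verify_reply(to_addr, reply_sender, now)
    if r is None:
        return None
    user, sender = r
    state["whitelist"].setdefault(user, set()).add(sender)
    return state["pending"].pop((user, sender), None)
```

Nothing about the sender needs to be stored between challenge and reply: the address itself is the state, and the server only has to keep the secret and the held message.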
    36. Re:How do two people with C/R communicate? by Chester+K · · Score: 1

      Okay, what happens when someone sends spam "from" someone on your whitelist?

      It would get through, of course -- but that requires spammers to know who's on my whitelist, and I don't publish my whitelist. Security via obscurity works quite well in this case.

      Nothing's perfect, of course, since an Outlook email virus might be a vector for delivering spam via trusted relationships (operating on the theory that if I'm in someone's Outlook Address Book, odds are higher that they've conversed with me via email and are therefore in my whitelist), but if that becomes a problem from someone on my whitelist, I can take them back off the whitelist and require a C/R from that person for every email.

      --

      NO CARRIER
    37. Re:How do two people with C/R communicate? by demonlapin · · Score: 1
      But then how do you make the accent that points the other way? I'm guessing you just lean really hard on the right side of the key when pressing it, right?

      Let's see: à

      Yep, it works. Cool. I never knew it could do that.

      Oh, sorry; that's an accent grave, and á is an acute accent.

    38. Re:How do two people with C/R communicate? by inbox · · Score: 2, Interesting

      Hrm... I think that yes, in fact, you do get 9000000 challenges from everybody on the list. The sender's e-mail address is not whitelisted at the Earthlink mail server, it is whitelisted at each e-mail account.

      Otherwise, a spammer just sends one message from an address, responds to the challenge, and then spams away.

      Or am I misunderstanding it?

  4. Forged Headers by Anonymous Coward · · Score: 5, Funny

    I think forged headers are the calamity of the inprocess SMTP transfer mechanism. If we can liberate the dynamic IPs saturated on the IPlanet web matrix, then we could perform 3-way LDAP POP3 authentication with a digital certificate.

    The other way this could be accomplished is to triangulate a 801.11b WAP source into an array of POSIX message headers that would reflect the consistency of the mail protocol.

    What do you think?

    1. Re:Forged Headers by Anonymous Coward · · Score: 0

      I'll take two, please!

    2. Re:Forged Headers by Abm0raz · · Score: 1

      I can't tell if you actually know what you are talking about or whether you are a PHB that used some techno-babble-speak generation script to try and sound 'hip and cool' to today's /. youth. :)

      --
      Nothing fails quite like prayer.
    3. Re:Forged Headers by Anonymous Coward · · Score: 0

      He's a scriptwriter for Star Trek.

    4. Re:Forged Headers by jazman_777 · · Score: 1
      What do you think?

      I think you're really Lavar Burton.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  5. too much hassle by chabegger · · Score: 3, Insightful

    I think this will create way too much hassle. There are some people who wouldn't mind, but others (such as grandma) who have to be told three times where the power switch is won't really know what is going on. At least now when I don't reply I'll have a decent excuse... "but grandma, you forgot to send it twice, so I didn't get it"

    1. Re:too much hassle by koreth · · Score: 1

      Only if Grandma changes E-mail addresses for each letter she sends.

    2. Re:too much hassle by NanoGator · · Score: 1

      "I think this will create way too much hassle. There are some people who wouldn't mind..."

      You mean like the millions of people that use ICQ?

      --
      "Derp de derp."
    3. Re:too much hassle by Anonymous Coward · · Score: 0

      I think SPAM is the biggest hassle. When you need to wade through 80 messages to find the 3 legitimate ones... now that is a hassle.

      Add to that the aggravation caused by the legitimate mail you swept into the trashcan by accident, and I would have to say the SPAM is the bigger problem.

      Now, lets start talking about the backbone bandwidth that gets chewed by *billions* of emails that no one even asked for.

      Once everyone adopts this, I bet you any money that your browsing experience will improve as the bandwidth gets freed up. Few spammers are polite enough to wait until after hours before sending messages. I get an average of 5 emails between noon and 1PM.

      I hope every last one of them is forced out of business. Since the industry doesn't bother to police itself, the legitimate opt in companies will go down too. Too bad. Maybe they should have been a little more active in helping to support the effort to reduce SPAM.

      If I wasn't an earthlink subscriber already, I would be dropping my ISP *today* to get an Earthlink account.

      L8,
      AC

  6. Now the spammers get address validation for free by chefbimbo · · Score: 5, Insightful

    Seriously, what are they thinking? TMDA might seem like a nice idea in theory, in practice, it's a pain to use and not exactly safe either. Once this gets widescale usage, the spammers will simply start responding to the challenges (after all, it's not like that couldn't be easily automated).

  7. Mainstream Users by PerlGuru · · Score: 1

    It will be interesting to see how well this method works now that it is going to be out there for mainstream non-geeks to use. I am a little curious about how the address will work for order confirmation; the article seems to hint at throw-away type addresses but doesn't give much detail.

  8. Good idea, but... by onemorehour · · Score: 3, Insightful

    This seems like it might be a good step, but it's missing the point. The only thing that will truly curb spam is to rework the SMTP protocol to not implicitly trust every host, as was mentioned in an earlier /. article.

    1. Re:Good idea, but... by stratjakt · · Score: 1

      This is step 1.

      Make email more of a pain in the ass.

      Once the spammers work around this (and they can, I mean you only have to respond once to get the full run of Earthlink), they'll find another way to make SMTP a pain in the ass. Like charging a nickel for email, or some shit like that.

      Eventually, when it's such a hassle or expense to use, and no one uses it, then it can be replaced.

      Look at satellite radio. Why would anyone pay 40 bucks a month for a new kind of radio? Simple, they made regular FM radio suck. So if you want to hear anything but the top 40, you need to pay.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Good idea, but... by drgroove · · Score: 1

      you only have to respond once to get the full run of earthlink
      You can't simply 'respond once' to have full access to Earthlink email accounts using their challenge/response system. Each individual user has to 'whitelist' each email sender that asks them to. The system really will prevent spam, as long as users are smart enough to figure out how to work the system correctly (that is another matter entirely).

      Like charging a nickel for email, or some shit like that.
      You're correct... eventually, some company or companies will develop some kind of email system that they think is worth charging for, and they'll start charging people to send email. Some email systems will likely remain free and co-exist w/ these, however, much like other industries (TV vs. Cable vs. Digital Cable vs. Satellite; Radio (FM/AM) vs. XM; Geocities web hosting vs. paid web hosting; etc etc). The 'pay for privilege' vs. 'free, but you suffer' product design model is a hallmark of capitalism.

      they made regular FM radio suck
      Also, fwiw, the 'they' that made FM radio suck are the FCC, FTC, and Clear Channel Communications, which has a monopoly on radio stations that is essentially endorsed by the aforementioned federal commissions. But, you're absolutely correct that FM now sucks - the demise of the indy DJ after the '70s due to the mass conglomerate, national-brand, vanilla-format stations that replaced the indies have definitely killed radio.

    3. Re:Good idea, but... by Anonymous Coward · · Score: 0

      Reworking SMTP isn't absolutely required. For instance, here's a solution that would work fine with SMTP:

      Basically the idea is to allow e-mail senders to have a public/private key pair (which they can choose on their own) and use this to sign their messages (actually, just part of the header). Then, every time you receive a message, you have the option of filing a testimonial about the sender in a (distributed) database. The testimonial basically says, "alice@test.com sent me, bob@example.com, a message on such-and-such date, and I consider it to be a legitimate, non-spam message." (Unless it is spam, of course.)

      Over time, alice@test.com builds up a reputation as being a non-spammer, because she has a bunch of positive testimonials and virtually no negative ones. Everyone can then accept her messages without fear, because she is known not to be a spammer (unless there is a huge conspiracy).

      To make the system more secure, when Bob's e-mail program receives a message from alice@test.com for the first time, it doesn't just try to verify the reputation of alice@test.com. It also randomly selects individuals who have filed some of those testimonials and checks their reputation as well. (And it applies the same process to them, recursively, also, so that it may occasionally go several levels deep.) This makes it very tough to create an account and then give it lots of fake positive testimonials. A given testimonial's believability is based on the reputation of the one who filed it.

      Any address a spammer uses for long will very quickly develop a terrible reputation, so the spammer's only choice is to switch sender addresses constantly (for every few recipients). But addresses with no reputation at all will really be pretty darned rare, so the mail client's filter can safely treat such a message with suspicion. In fact, this system would complement a Bayesian filter quite well. Since most legitimate senders would have a good reputation, the problem of false positives would be almost completely eliminated. That would allow the Bayesian filter to be even more aggressive. And for the relatively rare case when you receive a message with no reputation at all, you have two important pieces of information: the Bayesian filter's ranking of the message, and its lack of a reputation. (If the Bayesian filter sees nothing really wrong with it but its sender has no reputation at all, the e-mail client can pop it up for review and maybe suggest that you review it and submit a testimonial as to its spam status either way.)

      There would be one kinda weird effect, though, which is that when you open a new e-mail account, you'd have to phone a few friends and ask them to file a positive testimonial for you, so that you can build up a good enough reputation to actually get people to accept your e-mail.

      Finally, once all these testimonials are on file somewhere, there is a lot of information out there that can be used not just by the mail clients but also by the infrastructure (i.e. mail servers). A mail server could, for example, automatically throttle traffic from IP addresses that keep sending lots of messages from a variety of addresses that all have no known reputation.
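The testimonial scheme sketched in the post above, reduced to a runnable model as an added example that is not part of the original post and not an existing system. It implements the part that makes fake vouching hard: a testimonial counts only with the reputation of whoever filed it, computed recursively to a fixed depth. The receiver's own testimonials (and those of friends he trusts outright) act as roots, which is the "phone a few friends" bootstrap the post describes; signature checking on the testimonials and the depth and thresholds are assumptions.

```python
"""Added example: recursive, filer-weighted sender reputation. Constructed for
illustration; the testimonial log below is made up. Signatures on the
testimonials are assumed to have been checked before they enter the log."""


def reputation(subject, testimonials, roots, depth=3, _seen=frozenset()):
    """Weighted vote in [-1, 1]. Each testimonial about `subject` counts with the
    reputation of the address that filed it, evaluated recursively up to
    `depth`. A clique of fresh addresses vouching for itself scores 0 until
    someone reputable vouches for one of its members from outside."""
    if subject in roots:
        return 1.0
    if depth == 0 or subject in _seen:
        return 0.0
    seen = _seen | {subject}
    score = weight = 0.0
    for filer, subj, positive in testimonials:
        if subj != subject or filer == subject:
            continue
        w = reputation(filer, testimonials, roots, depth - 1, seen)
        if w <= 0:
            continue                  # unknown or disreputable filers carry no weight
        score += w if positive else -w
        weight += w
    return score / weight if weight else 0.0


def route(sender, bayes_spam_prob, testimonials, roots):
    """Combine reputation with a content filter's spam probability (assumed
    thresholds): strong reputation decides on its own, an unknown sender is
    left to the content filter, and a clean-looking unknown is queued for review."""
    rep = reputation(sender, testimonials, roots)
    if rep > 0.5:
        return "inbox"
    if rep < -0.5:
        return "spam"
    if bayes_spam_prob >= 0.5:
        return "spam"
    return "review"


# Constructed testimonial log: (filer, subject, positive?)
ROOTS = {"bob@example.com", "carol@example.com"}      # Bob and a friend he trusts outright
TESTIMONIALS = [
    ("bob@example.com", "alice@test.com", True),
    ("carol@example.com", "alice@test.com", True),
    ("alice@test.com", "dave@test.com", True),          # Dave is vouched for only via Alice
    ("s1@sybil.example", "s2@sybil.example", True),     # a clique vouching for itself
    ("s2@sybil.example", "s3@sybil.example", True),
    ("s3@sybil.example", "s1@sybil.example", True),
    ("s1@sybil.example", "spam@bulk.example", True),    # the clique tries to launder a spammer
    ("bob@example.com", "spam@bulk.example", False),
    ("carol@example.com", "spam@bulk.example", False),
]
```

Dave reaches full reputation through Alice even though no root ever heard of him, while the three sybil addresses stay at zero and their vote for the spammer is ignored; the depth limit bounds the work per lookup and is the knob to trade coverage against cost.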

  9. Earthlink should look for mailing list headers... by phallstrom · · Score: 1

    If earthlink looked for mailing list headers or signs that the message is a mailing list they could allow it through... at least for awhile to avoid the challenge responses to mailing lists...

    ugh.

  10. Michael's comment by Rev.LoveJoy · · Score: 4, Interesting
    This is true, but perhaps it illustrates an opportunity for developers of mailing list software more than it exposes a flaw in Earthlink's plan to thwart spam?

    As a network admin, many of the remote users I support (sales reps, on-the-road types) use Earthlink dial-up while travelling. At times, some of the programs that Earthlink has used to stop people from using their services to spam have made my job harder. However, I do not begrudge Earthlink for these inconveniences; at least they, as a major ISP, are doing *something* about this problem.

    My two cents,
    -- RLJ

  11. Correction by robbyjo · · Score: 5, Informative

    every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers

    Not exactly right. It happens only for the first time to detect whether the sender is legitimate or not. Quote the article:

    The system automatically recognizes future e-mails from the same sender, so the verification needs only to be performed once.

    The problem with this system is that the spammer can still spam using legitimate e-mail accounts as a camouflage (or expired e-mail accounts). Once the legitimate e-mail address is procured, the spam still goes on. It is futile, IMHO.

    --

    --
    Error 500: Internal sig error
    1. Re:Correction by Freudounet · · Score: 1

      The problem with mailing lists is that you often have to confirm your registration by answering an automated email they send you. This email will be "challenged" but no one will respond to the challenge..

    2. Re:Correction by Ed+Avis · · Score: 4, Interesting

      Spammers seem to be sending a whole bunch of crap from my address (ed@membled.com) even now. At least, I keep seeing what appear to be genuine delivery failure notifications of Russian spam sent from my address. Any system which trusts individual email addresses, without relying on some real authentication such as PGP signatures, is broken.

      A simple rule is: Headers can be forged. Don't trust anything in the headers for antispam purposes. This includes the sender and recipient.

      --
      -- Ed Avis ed@membled.com
    3. Re:Correction by twstdr00t · · Score: 1

      Excellent... now I'll be able to sell my email accounts to spammers.

      --

      ---------
      AlmostFreeLinux.com
    4. Re:Correction by Anonymous Coward · · Score: 0

      It happens only for the first time to detect whether the sender is legitimate or not.

      A system like this really wouldn't have to challenge every sender. Earthlink already has available a spam filter. That filter could be made much more aggressive in detecting spam, and issue challenges for those. This way most non spam wouldn't be challenged, and false positives could still get through by challenge/response.

      The problem with this system is that the spammer can still spam using legitimate e-mail accounts as a camouflage (or expired e-mail accounts). Once the legitimate e-mail address is procured, the spam still goes on. It is futile, IMHO.

      Earthlink could also add some nice legal babble to the challenge that disallows spam. If a spammer responds to a challenge, then uses that legitimate address to send spam, some receivers would inevitably complain, and Earthlink could take legal action against the spammer.

      Earthlink could also make the challenge/response system an opt-in feature, so users can choose if they want this protection or not, as they do now with their spam filter.

    5. Re:Correction by Fishstick · · Score: 1

      hmm, and it isn't on by default, is it?

      The challenge-response system will be optional and free for EarthLink subscribers, Anderson said. It will allow users to automatically clear the e-mail addresses of friends, family members and other associates in their electronic address books, so those people would not receive the challenge e-mail.

      That would probably be dumb to turn it on by default. This way, users opt in and have a chance to set up their "white list" of addresses to let through (mailing lists, for example).

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    6. Re:Correction by errxn · · Score: 2, Funny

      That's why I prefer my anti-spam system, known as "Firing Squad". Use it once, and all spam will stop.

      --
      In Soviet Russia, Chuck Norris will still kick your ass.
    7. Re:Correction by Anonymous Coward · · Score: 0

      "Once the legitimate e-mail address is procured, the spam still goes on. It is futile, IMHO."

      If a user receives spam from a verified email address they can simply have that address invalidated, forcing the spammer to verify again.

      Cunt.

    8. Re:Correction by Anonymous Coward · · Score: 0

      How about a system where senders can prove that they really are a given u@h?

      foo@example.com tries to mail me, ac@example.net. My mail system creates a message that says "Is this guy really foo@example.com?" and includes a magic cookie that only I know. It then signs it with my system's private key and encrypts it with example.com's public key, so only their system can open it. A mere user like Mr. Foo can't.

      My mail server returns that message to this guy, perhaps as part of a bounce. It's now his job to hand it to whatever backend process on example.com will vouch for him. It decrypts the message using their private key, verifies that it's really from example.net by looking up my system's public key, and answers the question my system presented.

      He exists, so it creates a message that says "This guy really is foo@example.com, and your magic cookie was (whatever)", signs it with their private key, and it gives it back to him. He can now present this to my mail server as proof that he really is who he says he is.

      At this point, we have relatively strong proof that a given u@h is real and valid and more importantly - this guy is authorized to use it by whoever's running that backend.

      The big problem here is obvious: how do I get the public key for an arbitrary domain? I want to say DNS, but DNS itself can be compromised/spoofed/hijacked easily. Solve that, and you can start doing a bunch of interesting things based on it.
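The vouching exchange this comment sketches, as an added example (not the poster's code): each backend holds an Ed25519 signing key and an RSA key for receiving sealed messages, and the public halves are handed across directly, since the comment leaves key distribution open. `Domain`, `Challenge`, `Vouch`, `Accept` and the "verify ... cookie=" message layout are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Domain models one mail domain's backend: an Ed25519 key for signing and an
// RSA key for receiving encrypted messages. The post leaves key distribution
// open, so the public halves are simply handed across here (assumption).
type Domain struct {
	signPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	encPriv  *rsa.PrivateKey
	users    map[string]bool   // local users this backend will vouch for
	pending  map[string]string // claimed sender -> outstanding magic cookie
}

func NewDomain(name string, users ...string) *Domain {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	enc, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	d := &Domain{signPub: pub, signPriv: priv, encPriv: enc,
		users: map[string]bool{}, pending: map[string]string{}}
	for _, u := range users {
		d.users[u+"@"+name] = true
	}
	return d
}

func (d *Domain) SignPub() ed25519.PublicKey { return d.signPub }
func (d *Domain) EncPub() *rsa.PublicKey     { return &d.encPriv.PublicKey }

// seal signs msg with the sending backend's key, then encrypts msg||sig to
// the receiving backend's RSA key, so a mere user cannot read or alter it.
func seal(from *Domain, toPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	signed := append(append([]byte{}, msg...), ed25519.Sign(from.signPriv, msg)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, toPub, signed, nil)
}

// open reverses seal and rejects anything not signed by fromPub.
func open(to *Domain, fromPub ed25519.PublicKey, blob []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, to.encPriv, blob, nil)
	n := len(pt) - ed25519.SignatureSize
	if err != nil || n < 0 || !ed25519.Verify(fromPub, pt[:n], pt[n:]) {
		return nil, fmt.Errorf("cannot open sealed message (decrypt error: %v)", err)
	}
	return pt[:n], nil
}

// Challenge runs on the receiving domain (example.net in the post) when an
// unknown sender claims to be `claimed`; the cookie is kept for Accept.
func (d *Domain) Challenge(claimed string, senderPub *rsa.PublicKey) ([]byte, error) {
	var raw [16]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return nil, err
	}
	cookie := hex.EncodeToString(raw[:])
	d.pending[claimed] = cookie
	return seal(d, senderPub, []byte("verify "+claimed+" cookie="+cookie))
}

// Vouch runs on the sending domain's backend (example.com): open the challenge,
// confirm the address is a real local user, and sign a reply repeating the cookie.
func (d *Domain) Vouch(challenge []byte, challengerPub ed25519.PublicKey) ([]byte, error) {
	msg, err := open(d, challengerPub, challenge)
	f := strings.Fields(string(msg))
	if err != nil || len(f) != 3 || f[0] != "verify" || !d.users[f[1]] {
		return nil, fmt.Errorf("will not vouch (%v): %q", err, msg)
	}
	reply := []byte("vouch " + f[1] + " " + f[2])
	return append(reply, ed25519.Sign(d.signPriv, reply)...), nil // msg||sig
}

// Accept runs on the receiver again: check the vouch signature, match the cookie
// to the outstanding challenge for that address, and consume it (no replays).
func (d *Domain) Accept(reply []byte, voucherPub ed25519.PublicKey) bool {
	n := len(reply) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(voucherPub, reply[:n], reply[n:]) {
		return false
	}
	f := strings.Fields(string(reply[:n]))
	if len(f) != 3 || f[0] != "vouch" {
		return false
	}
	if want, ok := d.pending[f[1]]; !ok || f[2] != "cookie="+want {
		return false
	}
	delete(d.pending, f[1])
	return true
}
```

A backend that signs vouches with a well-known key could equally sign every outgoing message, which is the point the later reply in this thread makes.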

    9. Re:Correction by Anonymous Coward · · Score: 0

      "The problem with this system is that the spammer can still spam using legitimate e-mail accounts as a camouflage"

      There seems to be a general misconception about this on slashdot (I've seen this similar comment posted before).

      My impression from the article (this is really the only system that makes any sense, anyway, unless you assume that the third largest ISP is in fact full of idiots--as the first largest ISP clearly is) is that the challenge is not issued by earthlink only once for every person sending to earthlink's systems, but rather each individual earthlink user has his or her own whitelist, making it necessary for a spammer to reply to every single spam he sends (and an autoresponder won't work, since they are using images, etc, like they do to confirm free email subscriptions currently).

      If the system used a universal earthlink whitelist, clearly it wouldn't work, because a spammer would simply have to be an earthlink user to add himself to the universal whitelist. Hence the individual whitelists.

    10. Re:Correction by axxackall · · Score: 1
      Neither a header nor a body is forged if e-signed (like with PGP).

      I want to protect my mailbox from all spammers, including human beings capable of reading the picture, therefore Earthlink does not protect me. However I do: I use whitelists. At least I try and I know it's not enough. I want to require all senders to sign their email messages with a certificate I could trust. But the only way to make it work is to have a global (even international) infrastructure of trusted, available and affordable (!) CAs. Do we have such a thing yet?

      --

      Less is more !
    11. Re:Correction by Ed+Avis · · Score: 1

      If example.com has a public key which is widely known, they might as well just use that to sign all outgoing mail to start with.

      --
      -- Ed Avis ed@membled.com
  12. OSS Challenge-Response by planet_hoth · · Score: 1

    Does anyone know of any open source challenge-response anti-spam projects similar to what Earthlink is developing? I've wanted something like this for a long time. While I don't have time to start a project myself, I'd like to contribute to someone else's.

    --

    1. Re:OSS Challenge-Response by Anonymous Coward · · Score: 0

      ASK.

      Active Spam Killer

      http://www.paganini.net/ask/

    2. Re:OSS Challenge-Response by Anonymous Coward · · Score: 0

      TMDA ~j-dawg

    3. Re:OSS Challenge-Response by Foosinho · · Score: 1

      I used to use Whitelight (over at Sourceforge), but I've since switched to Popfile (which uses Bayesian filters rather than challenge-response, also at Sourceforge).

      I ran whitelight on my mail server, but Popfile resides as a POP proxy on my LAN.

    4. Re:OSS Challenge-Response by vseryakov · · Score: 1

      http://www.maverixsystems.com

    5. Re:OSS Challenge-Response by datavortex · · Score: 1

      Having looked at commercial and OSS systems, I recommend TMDA over any other existing system. It has a great web interface for your n00bs, and way more features and temporary addressing tricks than anyone else. It's light years ahead.

      --

      He either comes off as a real interesting guy with encyclopedic knowledge,or a pathological liar with an ax to grind
    6. Re:OSS Challenge-Response by ssentinel · · Score: 1

      I've got to concur. TMDA is the best Challenge/Response system I've ever used, and what beats all is that it's open source.

  13. Loops? by 91degrees · · Score: 1

    Does this automatically allow messages from people you've sent email to?

    I'd hate to think that there are two messaging systems sending challenges out to each other before they let the other one's challenge through.

  14. Warning: Infinite loop detected by Marx_Mrvelous · · Score: 2, Informative

    Ha! I can just see it... Alice@me.com sends an e-mail to Bob@you.com. Bob sends a challenge to Alice. Alice, never having heard from Bob, sends a challenge back to Bob. Either Bob ignores the second e-mail, or sends another challenge. Of course, if the e-mail software allows any outgoing e-mail address to reply without challenge, this wouldn't be a problem.

    --

    Moderation: Put your hand inside the puppet head!
  15. I like it by Mundocani · · Score: 1

    I'm not convinced whether it'll actually work, but I'm willing to give it a chance. The SPAM problem is obviously getting way out of hand. It's sort of like evolution -- if the system works, then it'll become more widespread. If it doesn't work, well that's the nature of evolution isn't it?

    Some experts see problems with the technology and doubt that consumers will warm to a process that adds another step to e-mail delivery.

    I don't really agree with the article's assumption here. It's true that it's another step, but it's one-time-only, which makes it much more palatable in my opinion.

  16. Yes, but... by Anonymous Coward · · Score: 0

    ...does the spam filter run on Linux?

  17. Re:Now the spammers get address validation for fre by PerlGuru · · Score: 2, Informative

    The article implies that an image would be part of the response, such as Ticketmaster's "please type the word in the picture into the box".

  18. This is much better by s4ltyd0g · · Score: 1

    than just blindly blocking mail coming from small sites using dynamic DNS.

    1. Re:This is much better by esquimaux · · Score: 1

      Blocking mail from small sites using dynamic DNS is also a useful tool. No single tool in the effort to stop spam is sufficient, nor are most of them painless.

      The industry is considering several anti-spam measures that would form a "web of trust" between SMTP senders. The burden of joining that web of trust will likely be too high for Joe Linux User, just as hosting a permanent SSL/TLS-protected site with a *valid* site certificate is generally too much trouble for a home access user.

      If you want your mail to be accepted, smarthost it to your upstream provider or to any major mail provider that provides SMTP relay services. Their relays had better be authenticated, of course, because ISPs will continue to crack down on mail through open relays.

  19. Just do what I do by greechneb · · Score: 1

    I use my filters this way:
    upon receiving move all messages to folder spam
    unless message is from "email@address.com"
    if message in folder spam is older than 10 days move to folder trash

    Each time someone I know sends me an email I add their address. Very rarely do I get new addresses once all of mine are set up. When they do, I add another address.

    It takes a while to set up, but I don't have to depend on my ISP, and I can switch with no problem.

    1. Re:Just do what I do by Binestar · · Score: 1

      While this will cut your spam down to virtually nothing, you are limited in that the method you describe is accepting only messages that you whitelist. You will lose e-mail from anyone who you haven't whitelisted, even if it is a legitimate message.

      Without further work this would make most mailing lists be filtered into spam, as well as anyone who was trying to contact you for the first time.

      I've found that using something like SpamBouncer or MailScanner is much better in regards to not losing AS MUCH legitimate e-mail than a pure whitelist is. Of course you add a whitelist beyond using the various spam filters, but a whitelist alone is way too restrictive to use in a corporate (or even personal IMO) environment.

      --
      Do you Gentoo!?
    2. Re:Just do what I do by greechneb · · Score: 1

      I just make it a point to go through my spam folder weekly. I don't get email from people I don't know - Just my family and friends. They all send out notices when they change email, most of the time, I am the one helping them with that. 9 times out of 10 when someone sends me a message without me expecting it, I don't want it anyway. I have no problems with it.

  20. Good idea, bad idea. by numbski · · Score: 4, Informative
    How to set up SpamAssassin Milter on OSX <- Easily adapted for other platforms. I wrote it.
    Squirrel Mail
    SpamAssassin Config for Squirrel Mail <- Register Globals must be turned on in php.ini to use this.

    Now, that being said, I run an ISP in St. Louis, and spam is a problem, but for the precise reason mentioned on the submission, I can't use a challenge-response system. The reason is that our support staff equals myself plus 1. If I want to answer phone calls all day from people complaining about not being able to get mail from their daily spamming of mailing lists, I best allow all. The problem is that these same people complain about all the spam they get...ugh. The above solution is elegant and leaves the ability to control the filter to the end user via webmail. If they don't like it, set the threshold high and it's 'off'. Been using this for months without a complaint.

    Now if you don't use lists, and it's for your own mail server...go for it. That has to be the most effective method available, but not appropriate for wide scale use.

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

    1. Re:Good idea, bad idea. by numbski · · Score: 1

      Easily adapted for other platforms. I wrote it.

      Errr...the article, not the software. :P

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    2. Re:Good idea, bad idea. by corz · · Score: 1
      I am also in the business of email hosting. I offer TMDA, and the customers who are using it have nothing but good things to say about it. Also, the tmda-cgi project is now taking shape, and it allows your users to manage their own filters, whitelists, etc. Give it a look.

  21. They should offer it with new email address by dnoyeb · · Score: 5, Insightful

    me@challenge.earthlink.com

    something like that. So that it allows users to gradually changeover to the system. That would allow them to be more extreme in their refusal to accept emails and much less compromising.

    I like it.

    1. Re:They should offer it with new email address by Ed+Avis · · Score: 1

      I hope it's not obvious, if each me@challenge.earthlink.com has a corresponding me@earthlink.com then spammers could figure this out pretty quickly.

      --
      -- Ed Avis ed@membled.com
    2. Re:They should offer it with new email address by akadruid · · Score: 1

      no, the challenge system will only run on the new system.
      Although the spammers can get the new address, they cannot spam without responding to the challenge.
      I think it is a good idea actually.
      That way people can choose to use it or not.

      --
      "Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
  22. Response... by Duncan3 · · Score: 1, Interesting

    And in day 2, spammers automate the responses.

    Results:
    1. Spammers get free AUTOMATED account verification.
    2. The load on the email system doubles.

    Conclusion:
    Nice "solution" dumbass.

    --
    - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
    1. Re:Response... by Anonymous Coward · · Score: 0

      They automate converting a picture into a word? OCR in perl? Unlikely. If they do just send a picture of an orange and say 'what is this?'

    2. Re:Response... by Have+Blue · · Score: 1

      For that to work, it requires that the spammer include a reachable (valid and static) email in the spam. And he'll have to use the same address for each spam he wants to get through. So filter based on that, and report him as a spammer so the ISP can filter him before the CR stage.

    3. Re:Response... by Anonymous Coward · · Score: 0

      You wrote: "And in day 2, spammers automate the responses."

      From the article: "Once the sender [confirms] by replicating a word or picture displayed on the screen, the original e-mail is allowed through."

      This would be similar to the effective methods currently in place on major free webmail providers, which require new account applicants to replicate a fudged graphic on the screen, something software can't currently do reliably (some are so tough I even have trouble with them).

      And if a spammer has confirmation of an address using this system, he'd be wiser to just remove it from his list and not bother sending any more to it, because he knows his spam isn't getting through.

      Conclusion:
      Nice "reading the article" dumbass.

  23. Great, so long as they drop the RBL. by Anonymous Coward · · Score: 0

    I'll be happy to do authentication in exchange for actually being able to send e-mail to Earthlink subscribers from my home computer/vanity domain.

  24. Earthlink was doing OK as is... by q2k · · Score: 1

    It's been about a year since I was an Earthlink customer, but they had Brightmail implemented and it was blocking 95+% with no false positives. I had gotten so confident in it that I never even bothered to log in to the web site to check the caught spam. Has that system gotten worse? It seems like a challenge response system will put even more of a burden on their network with incoming spam being the same, but now you add all the authentication requests, replies etc.

  25. Needs to be 'hard' in some way by Ed+Avis · · Score: 3, Interesting

    Of course it is no good if the spammers can set up automated systems to respond to the challenge. There are only two ways around this:

    - Make the challenge 'AI-complete', that is, to give a correct answer you must be a thinking human being and not a computer. But then how can the other end check that the answer is correct? Having humans generate a fixed number of questions and provide sample answers also isn't going to work, since spammers will learn the correct answers. You need a way to generate an unlimited number of questions and to mark the answers automatically, and clearly this can't be done if the questions are intended to be too hard for a computer.

    - Make the response computationally burdensome, so a computer can do it but only at the cost of some CPU power (so large bulk mailings would be impractical). This is what Hash Cash and similar systems suggest.

    It looks like Earthlink's system will rely on sending pictures you have to look at. Apart from the practical problems of clogging the wires with image files, I worry about OCR potential. The examples of this stuff I've seen on Yahoo, where you have to type in a number shown in a partially 'obscured' image, wouldn't have been difficult to develop OCR software for if you were so minded.

    There's also the question of the spammer taking the challenge and sending it out to some other user. That user, by now used to replying to challenges from Earthlink and other addresses, will respond to the question and send the correct answer back to the spammer. D'oh!

    --
    -- Ed Avis ed@membled.com
    1. Re:Needs to be 'hard' in some way by BillFarber · · Score: 1

      The challenges are typically characters in a squiggly font or in a font with holes, so that humans can plainly see what the characters are and type in the characters as the response. The response cannot be automated because software is currently unable to decipher these characters. The challenging program stores which characters were sent with each challenge so that the program effectively has the "answer sheet". No human intervention is necessary.

    2. Re:Needs to be 'hard' in some way by Cirvam · · Score: 2, Insightful

      So how do you respond to a challenge if you are just using a terminal or are blind? Obviously if the characters are obscured, the screen reading program can't read it, and they would have to be a graphic of some sort. Unless they just make an alt tag that tells you what it is. :)

    3. Re:Needs to be 'hard' in some way by Ed+Avis · · Score: 1

      Maybe no software exists to OCR this stuff now, but if such systems are adopted for challenges you can be pretty sure the software will be written. (It would be useful to have already, for Yahoo registrations and similar things.)

      --
      -- Ed Avis ed@membled.com
    4. Re:Needs to be 'hard' in some way by BillFarber · · Score: 1

      Thank you. Yahoo registrations are a perfect example of how they work and why they will continue to work. This is a VERY difficult problem to solve. If the spammers manage to solve it, they will be doing some excellent research for us all.

    5. Re:Needs to be 'hard' in some way by Ed+Avis · · Score: 1

      OK I will take your word for it since I am no OCR expert. Anyway, even if someone did manage to OCR the current Yahoo login pictures, the job could be made a lot harder by allowing nonalphabetic symbols such as dingbats (then give a hint to human readers 'please write A for the telephone symbol and B for the knife-and-fork symbol').

      --
      -- Ed Avis ed@membled.com
    6. Re:Needs to be 'hard' in some way by Anonymous Coward · · Score: 0

      Yahoo Auctions requires human intervention for signing up to their service by providing this test:

      http://tinyurl.com/b7ib

      To see this test, scroll down to the bottom. You'll see an image of a word after geometric deformation and transformation. AI systems are unlikely to correctly "read" this image. Yet. :)

      -M.

    7. Re:Needs to be 'hard' in some way by Broodje · · Score: 1

      Why not just keep the question simple and wrap it up into a PGP'd vessel. I know it forces people to use encryption (and generate public/private keys, oh the humanity), but while we are discussing "uncomfortable" things to do for grandma, let's throw in some good technology while we're at it, and not hide behind obscurity ;)

    8. Re:Needs to be 'hard' in some way by Progman3K · · Score: 1

      Spammers CAN'T make a response automatic; that would expose the ISP account they are using to send the spam, and said account would get closed pretty quickly.
      The spammers would have to create accounts incessantly, and wait for them to become active before using them.
      Even if they prepared them ahead of time, they'd still need to pay for the accounts.
      It makes a spammer's job MUCH more difficult.

      --
      I don't know the meaning of the word 'don't' - J
    9. Re:Needs to be 'hard' in some way by BillFarber · · Score: 1

      Good point. However, how often do blind people send email to people who are not expecting email from them? In other words, how big of a problem is this really? If you are blind, and I give you my email address, then you better give me yours so that I can add you to my white-list. If I didn't give you my email address, then why are you sending me email? I don't mean to minimize the difficulties that blind people would experience with this. I just think that compared we could work around them.

    10. Re:Needs to be 'hard' in some way by AndrewRUK · · Score: 1

      How often do blind people send email to people who are not expecting email from them?

      Probably just as often as anyone else. And if you only accept email from people who you're expecting to get email from, you don't need a challenge/response system, as you can just whitelist everyone who you're expecting email from.

    11. Re:Needs to be 'hard' in some way by dpletche · · Score: 1

      I solved this problem a couple years ago when I was working on a problem with fraudulent mass account signups at idrive.com. I displayed a warped image of random characters and requested that the user enter those characters in a text entry box on the signup page. (Yes, now you see that everywhere, but we did it first; Yahoo was next, a couple months later, then PayPal.) Now it has grown into a whole field called CAPTCHAs. I called it our "Turing test".

    12. Re:Needs to be 'hard' in some way by knobmaker · · Score: 1
      If I didn't give you my email address, then why are you sending me email?

      If, like me, you had an online business, you wouldn't be asking this question.

      Good thing this brilliant idea is optional. If it were mandatory, I'd have to let my earthlink account go. I'm not willing to risk confusing or offending any potential customers by making them respond to a challenge.

      In my opinion, this is yet another demonstration of the folly of imposing spam solutions from above. The most effective, and least destructive solutions are applied by endusers, not government, and not ISPs. If you really want to do something about spam, develop Bayesian filters that are trivial to install, and easy for even the most computer-illiterate users to set up and use. Make 'em free, and seed the net.

    13. Re:Needs to be 'hard' in some way by BillFarber · · Score: 1

      Clearly, most businesses would not use C/R to protect their inboxes. You generally welcome unsolicited email as a business prospect. However, if you, the business, send ME unsolicited email, then why wouldn't I want to use C/R to make sure your email isn't spam? Even if you are sending out unsolicited email to addresses that you got from, say, a promotion where people had to submit their email address, it would still just be your business that had to deal with the C/R responses, not the potential customers.

    14. Re:Needs to be 'hard' in some way by Anonymous Coward · · Score: 0

      It's hard to beat a system that displays a graphic of a number, then asks you to type in that number before authentication. It's almost impossible to get around it.

    15. Re:Needs to be 'hard' in some way by Anonymous Coward · · Score: 0

      >How often do blind people send email to people
      >who are not expecting email from them?

      Every day. As often as you. Probably more.

  26. what about mailing lists? by greechneb · · Score: 1

    What will it do with mailing lists?

    They won't accept return emails, so they will never get the challenge?

    I won't know what email address they are coming from until I get one, so how could I manually add an address to accept?

  27. Like Vacation by nuggz · · Score: 1

    Like vacation messages?

    Maybe spammers will just submit "verification" messages instead of actual messages.

    I can't wait to see the piles of accumulated cruft on Earthlink's servers.

  28. Oh great, now spam has its own protocol by Anonymous Coward · · Score: 5, Funny

    "...the spam client MUST provide an Accept-Topics: header, where the value is one of 'penis-enlargement', 'make-money-fast', 'repair-credit', or 'any'. The server MUST reply with a Spam-Type: header, specifying the type of spam transferred. In addition, the server MUST respond with a Spam-Encoding: header, where the value is one of the options 'all-caps', 'many-exclamation-points', or 'broken-english'..."

  29. I dunno... by toasted_calamari · · Score: 1

    While it seems obvious that something needs to be done to slow down the spammers, I don't think this would be the best way.

    One of the great things about email is that it is fast, I send a message and it arrives almost instantly. However, this system would remove a lot of this advantage.

    Now I might be wrong here, but as far as I can see, this attempts to solve the problem by requiring users to send two messages instead of one. Not only will this greatly slow down the speed with which one can send a message, which is probably part of the point, but it will also increase bandwidth traffic. Also, you can bet that the spammers will find some way to get around these Turing tests.

    This is a good start but I am concerned that it will only increase bandwidth unnecessarily.

  30. why challenge-response won't work by X_Bones · · Score: 2, Redundant

    What if I'm registering at eBay or PayPal or some other site which sends an automatically-generated email when I complete the first step? What if I subscribe to a mailing list where I can't get a response from a human to a challenge? What if I'm applying for a job online and the company sends me an email saying they've received my resume, which I will not be able to see?
    I think this kind of scheme is only useful when the message sender is human and you know who they are, in which case the system is pointless anyway. What I think we need is to phase in a new, secure version of SMTP where emails aren't relayed unless the sender's ID can be verified.

    1. Re:why challenge-response won't work by NanoGator · · Score: 2, Informative

      "What if I'm registering at eBay or PayPal or some other site which sends an automatically-generated email when I complete the first step?"

      That's a good point, but the solution is simple: throw-away addresses.

      If you are an earthlink subscriber, you get an email address like nanogator@earthlink.net. (Hey, that useta be my address!) Then, Earthlink could provide a service where you create a unique address that expires after x amount of time. So nanogator.dkaf3fj39@earthlink.net becomes active, and that's the one you use. From there, you can add them to your whitelist.

      It's a bit round-about, but that's the beauty of Earthlink. They're a major ISP. Surely places like Ebay will have to stand up to comply with the upcoming standard. It'll never happen if some people don't have issues like this.

      --
      "Derp de derp."
    2. Re:why challenge-response won't work by F1_Fan · · Score: 1

      That's a good point, but the solution is simple: throw-away addresses.

      That's what I do and it works great. Because of the way my virtual domain works at my ISP any address ending in @mydomain.com gets to my inbox (assuming it makes it through a very good set of spam filters I have + SpamAssassin).

      So... let's say I sign up for something at... I dunno...Playboy. I use playboy@mydomain.com to register then when the spamming begins I simply put a bounce rule in my spam filters for that address. Easy-peasy.

    3. Re:why challenge-response won't work by Anonymous Coward · · Score: 0

      The easiest way is to reimplement that, so that when they are going to send automated email, they let you know of the email address the automation is coming from, then you could add it temporarily to a whitelist, maybe with a timeout (1 day) or so, or without a timeout.

    4. Re:why challenge-response won't work by ssentinel · · Score: 1
      TMDA already has this ability.

      I can create custom addresses for all my needs with TMDA including:
      • dated addresses
      • sender specific addresses (which only let a unique from addresses through)
      • keyword addresses
      Additionally since TMDA acts as my SMTP server for outgoing email I can tell it to automatically change any of my headers to one of these addresses. So for example I could send an email to someone in my blacklist, rewrite my from/envelope/reply-to address to be a dated address, and the recipient will be allowed to respond to my mail for a set period of time after which the address expires, and the sender will no longer be able to contact me.

      These generated addresses also work great for when SPAMers are spoofing an address on your whitelist. In this case just give the real email account holder (e.g. bob@guys.com) a sender tagged address (e.g. alice-sender-cryptographic_hash@dolls.com), and remove the sender's email address from your whitelist. Now as long as Bob uses the alice-sender-xxx address Bob will be able to communicate with you.
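The sender-tagged and dated addresses described in this comment, as an added example that is not TMDA's code or address format: a per-mailbox HMAC secret mints the tags, and `Check` decides whether mail to such an address may skip the challenge. `Tagger`, the `alice-sender-<tag>` / `alice-dated-<expiry>.<tag>` layout and the 16-hex-digit tag length are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Tagger issues and checks tagged addresses for one mailbox, in the spirit of
// the dated and sender-specific addresses described for TMDA. The address
// layout, tag length and HMAC secret are this example's own assumptions, not
// TMDA's actual format.
type Tagger struct {
	local  string // mailbox, e.g. "alice"
	domain string // e.g. "dolls.com"
	secret []byte // per-mailbox secret; only the owner can mint valid tags
}

// mac derives a short, unforgeable tag from the address kind and its data.
func (t *Tagger) mac(parts ...string) string {
	m := hmac.New(sha256.New, t.secret)
	m.Write([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(m.Sum(nil))[:16]
}

// SenderAddress returns alice-sender-<tag>@dolls.com, valid only when the
// envelope sender is the address it was minted for (e.g. bob@guys.com).
func (t *Tagger) SenderAddress(sender string) string {
	tag := t.mac("sender", strings.ToLower(sender))
	return fmt.Sprintf("%s-sender-%s@%s", t.local, tag, t.domain)
}

// DatedAddress returns alice-dated-<expiry>.<tag>@dolls.com; anyone may use
// it until the Unix-time expiry embedded in the address.
func (t *Tagger) DatedAddress(expiry time.Time) string {
	e := strconv.FormatInt(expiry.Unix(), 10)
	return fmt.Sprintf("%s-dated-%s.%s@%s", t.local, e, t.mac("dated", e), t.domain)
}

// Check decides whether mail to rcpt from envelope sender `from`, arriving at
// time now, may skip the challenge. The reason is meant for the mail log.
func (t *Tagger) Check(rcpt, from string, now time.Time) (accept bool, reason string) {
	prefix, suffix := t.local+"-", "@"+t.domain
	if !strings.HasPrefix(rcpt, prefix) || !strings.HasSuffix(rcpt, suffix) {
		return false, "not a tagged address; normal challenge/whitelist rules apply"
	}
	body := strings.TrimSuffix(strings.TrimPrefix(rcpt, prefix), suffix)
	kind, rest, _ := strings.Cut(body, "-")
	switch kind {
	case "sender":
		// Constant-time compare: the tag is effectively a MAC over the sender.
		if hmac.Equal([]byte(rest), []byte(t.mac("sender", strings.ToLower(from)))) {
			return true, "sender-tagged address matches its envelope sender"
		}
		return false, "sender-tagged address used by a different sender"
	case "dated":
		e, tag, ok := strings.Cut(rest, ".")
		if !ok || !hmac.Equal([]byte(tag), []byte(t.mac("dated", e))) {
			return false, "dated address tag is forged or damaged"
		}
		secs, err := strconv.ParseInt(e, 10, 64)
		if err != nil || now.After(time.Unix(secs, 0)) {
			return false, "dated address has expired"
		}
		return true, "dated address still valid"
	}
	return false, "unknown tag kind"
}

func main() {
	tg := &Tagger{local: "alice", domain: "dolls.com", secret: []byte("constructed-secret")}
	bobOnly := tg.SenderAddress("bob@guys.com")
	fmt.Println(bobOnly)
	fmt.Println(tg.Check(bobOnly, "bob@guys.com", time.Now()))
	fmt.Println(tg.Check(bobOnly, "spammer@example.org", time.Now()))
}
```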
  31. That's great! by Enahs · · Score: 0

    I hope they do something that will actually serve their customers well, now, like improving their ability to handle the number of customers they have now, make sure that people going to their web site can actually learn about their broadband offerings (instead of getting error messages from servlets) and other things that make it look like they give a damn about their customers.

    --
    Stating on Slashdot that I like cheese since 1997.
  32. Fill up the ISP servers by nuggz · · Score: 5, Insightful

    So when a spammer fires a few hundred or thousand emails to an ISP, they will sit on the mailserver waiting for him to respond.
    Since the from address is faked, that same ISP will launch an acknowledgement flood against a third user.
    Excellent.

    I just see so many tricky things that someone somewhere will screw up.

    1. Re:Fill up the ISP servers by stratjakt · · Score: 3, Insightful

      The ISP sends only one challenge. You respond once, and henceforth are allowed to send as much as you want.

      Now if I wanted to Joe Job some guy, I just pick someone whose chances are good that he's already allowed through earthlink. Say the maintainer of a mailing list with earthlink subscribers.

      I've said it before. This is just a step towards making SMTP a pain in the ass, and obsolete. We can look forward to a high tech pay-per-use replacement in the future. Yay! Paying to send e-mail, I can't wait. But at least the two or three spams I get a month will be gone.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Fill up the ISP servers by nuggz · · Score: 1

      1 Challenge, then SPAM, excellent!!

    3. Re:Fill up the ISP servers by Progman3K · · Score: 1

      The ISP that now needs to issue the challenges will simply issue the first one, find out the return address DOESN'T exist and drop the remaining challenges.
      Simple.
      No authorization floods need to happen.

      --
      I don't know the meaning of the word 'don't' - J
    4. Re:Fill up the ISP servers by AndrewRUK · · Score: 1

      And what about when the return address does exist, but is someone completely unconnected with the spammer? Now the person being joe-jobbed will get not only a big pile of bounces for the spammed addresses that don't exist, but a big pile of challenges.

    5. Re:Fill up the ISP servers by Progman3K · · Score: 1

      The address exists, but did the user answer yes to the challenge?
      If he answered no, the pending e-mails get discarded.

      --
      I don't know the meaning of the word 'don't' - J
    6. Re:Fill up the ISP servers by AndrewRUK · · Score: 1

      I think you miss my point. Quite clearly, a system with a global whitelist of senders who have responded correctly is useless, as it is easy for the spammer to get onto the whitelist and then spam everyone. So, a challenge must be issued to the same sender for each address they try to send mail to.
      So, a spammer sends out spam that claims to be from $someoneElse. From the spammer's end, the spam gets through to anyone not using a challenge-response system, so the spam reaches some recipients, so the spammer is happy. The recipients who have a challenge-response system never see the spam, because the challenge goes unresponded. So far, so good. But what about $someoneElse? *boom* They get a shit-load of challenges to deal with (along with the shit-load of bounces they already get.) Poor $someoneElse gets it real bad.
      "But, $someoneElse's email will be protected by a challenge-response system, so they won't see those challenges," I hear you cry. Quite right, $someoneElse's mail server will send a challenge in response to the challenge it just received, and we all know what happens when auto-responders start sending each other email, don't we?

  33. Re:Earthlink should look for mailing list headers. by PerlGuru · · Score: 1

    I think that might even work out very nicely, perhaps with a little notice at the top of the message with instructions to add the address to the allowed list (perhaps a link) or deny further messages from the address.

  34. Probably won't work... by Sebby · · Score: 1

    doesn't matter to me either way; I don't support companies that cripple innovation by patenting their crummy software.

    --

    AC comments get piped to /dev/null
  35. Not a cure by mugnyte · · Score: 1

    Every spam-subject /. post here eventually brings about the idea of an email system that doesn't move bytes until requested.

    What would be so painful if all email content was simply a web link to the sender's server, their "outbox". When the receiver went to read it, they could store a copy then if they wanted mobility. Or, their email client could follow these links automatically when given the notice.

    The differentiation between a content link and a malicious one would be a delicate but solvable problem.

    However, since there is no transmission until demand, we're not shipping terabytes of crap around the wires for naught. That's the real issue here. Spammer's email content must be served to the receivers as they open the email. Since spoofing would be akin to removing the content, nobody could get a message across without it.

    I know I've read about a formalized version of this idea here. Somebody post it again.

    mug

  36. Challenge - Response doesn't work by tshak · · Score: 5, Insightful

    What happens when the customer orders something from Amazon - the purchase confirmation email comes from a non-human address.

    Just the other day I got an email from a company that I ordered software from describing a free upgrade that I could download. It came from donotreply@[host].com, meaning, if I was using Earthlink's system I probably wouldn't have received it.

    The problem with Challenge - Response is that it makes the assumption that if there's not a human behind the email that it's spam. In practice, there are many legit emails that are not individually sent by a human.

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    1. Re:Challenge - Response doesn't work by Ed+Avis · · Score: 1

      They could have a dual system: send challenges normally, but if a message has enough Hash Cash postage paid then no challenge is needed. This would let automated mailings get through if the sender was prepared to spend some amount of CPU time. Presumably the company with whom you have a business relationship would be willing to spend ten seconds of their server's CPU time to send you a message, but a spammer would not.

      --
      -- Ed Avis ed@membled.com
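The "postage" idea in the reply above, as an added example (my code, not Hash Cash's reference implementation and not anything Earthlink described): the sender burns CPU searching for a counter whose SHA-1 stamp has a required number of leading zero bits, and the receiver verifies it in one hash. The stamp layout mirrors the hashcash v1 string (`ver:bits:date:resource:ext:rand:counter`) but is assumed here for illustration; the 12-bit difficulty in the usage is chosen so the example runs quickly, where a real deployment would demand more.

```python
import base64
import datetime as dt
import hashlib
import os
from typing import Optional, Set

VERSION = "1"


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    zeros = 0
    for byte in digest:
        if byte == 0:
            zeros += 8
            continue
        zeros += 8 - byte.bit_length()
        break
    return zeros


def mint_stamp(resource: str, bits: int = 16, date: Optional[str] = None) -> str:
    """Sender side: search for a counter until SHA-1(stamp) has `bits` leading zeros.

    `resource` is the recipient address, so work done for one address is
    worthless for another; `date` is YYMMDD (defaults to today, UTC).
    """
    date = date or dt.datetime.now(dt.timezone.utc).strftime("%y%m%d")
    rand = base64.b64encode(os.urandom(6)).decode()  # base64 never contains ':'
    counter = 0
    while True:
        stamp = f"{VERSION}:{bits}:{date}:{resource}::{rand}:{counter}"
        if _leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, resource: str, min_bits: int = 16, today: Optional[str] = None,
                 max_age_days: int = 2, seen: Optional[Set[str]] = None) -> bool:
    """Receiver side: cheap check that the sender did the work for *this* address,
    recently, and has not reused the stamp (`seen` is the double-spend database)."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != VERSION:
        return False
    _, bits_s, date, res, _ext, _rand, _counter = parts
    if res != resource or not bits_s.isdigit() or int(bits_s) < min_bits:
        return False
    try:
        stamp_day = dt.datetime.strptime(date, "%y%m%d").date()
        today_day = (dt.datetime.strptime(today, "%y%m%d").date() if today
                     else dt.datetime.now(dt.timezone.utc).date())
    except ValueError:
        return False
    if not 0 <= (today_day - stamp_day).days <= max_age_days:
        return False
    # The expensive part for the sender is one hash for us.
    if _leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < int(bits_s):
        return False
    if seen is not None:
        if stamp in seen:
            return False
        seen.add(stamp)
    return True


if __name__ == "__main__":
    stamp = mint_stamp("alice@dolls.com", bits=12)
    print(stamp, verify_stamp(stamp, "alice@dolls.com", min_bits=12, seen=set()))
```

The three receiver-side checks are what make the scheme fit the thread's point: binding to the recipient address stops one stamp being reused across a million recipients, the date window bounds the replay database, and the seen-set stops the same stamp being replayed to the same recipient.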
    2. Re:Challenge - Response doesn't work by BillFarber · · Score: 1

      Simply add donotreply@[host].com to the white list. No problem.

    3. Re:Challenge - Response doesn't work by Anonymous Coward · · Score: 0

      Simply add donotreply@[host].com to the white list. No problem.

      Who's whitelist? My whitelist? How would I know what addresses to add if their emails don't even get through to me due to this challenge response system?

    4. Re:Challenge - Response doesn't work by Phroggy · · Score: 1

      Simply add donotreply@[host].com to the white list. No problem.

      This assumes I know in advance what that address is going to be, without having received mail from them yet.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    5. Re:Challenge - Response doesn't work by virx · · Score: 0

      But how would you know what address to white list, if you haven't received the mail yet?

    6. Re:Challenge - Response doesn't work by BillFarber · · Score: 1

      When you are using the system it would tell you where the email will be coming from.

    7. Re:Challenge - Response doesn't work by Phroggy · · Score: 1

      When you are using the system it would tell you where the email will be coming from.

      Well, I think I've seen one or two sites that do tell you in advance. I guess a lot more are going to have to start, if they want to do business with people who use whitelist systems (challenge-response or otherwise). I think Earthlink's current effort will almost certainly fail, and make a lot of people very angry. We'll see how it goes.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    8. Re:Challenge - Response doesn't work by Anonymous Coward · · Score: 0

      But it DOESN'T! I have yet to see a single site that tells you in advance where email correspondence will come from. NOT ONE. Now pretend you are an ignorant user that turns this on. Now how the hell will they have the slightest idea what to do? They won't. They won't get email they were expecting. They'll call the ISP's helpdesk and bitch and moan and want their money back. I've dealt with this shit before. Even though the user accepted the risk and turned on the feature that lost their mail, you as a business have to bend over backwards to keep their business because they don't realize THEY did something wrong. You can't tell them either. It's a lose lose situation. It's just not worth it.

    9. Re:Challenge - Response doesn't work by Anonymous Coward · · Score: 0

      If you use challenge-response, you have to get serious about using tagged addresses. Create a new one, and make it wide open. Give it to Amazon when you place your order, and allow the mail to come through. Now go in there and limit it to their domain.

      If they sell your address, the spammer will have to forge amazon.com to get through. This is far from ideal, but they'll pretty much have to start doing this if they're serious about this C-R stuff.

    10. Re:Challenge - Response doesn't work by Polo · · Score: 1

      And what if the spammers started using donotreply@amazon.com as the source address for their email messages? Would they always get through?

    11. Re:Challenge - Response doesn't work by Bob9113 · · Score: 1

      What happens when the customer orders something from Amazon - the purchase confirmation email comes from a non-human address.

      This has been my single opposition to challenge response from the first time I heard of it. As I was reading your post, I hit on an idea that borrows from an idea posted by another user.

      Put challenge response on my primary email address.
      Rotate my non-challenge response email address every 30 days.

      So Amazon uses wog23t5s@traxel.com, while all my friends use my real address.

      Toss in some accepted domains if you want to permanently accept from *.register.com (reversible, of course), and I think it might be a flexible, functional system.

    12. Re:Challenge - Response doesn't work by tshak · · Score: 1

      I'll tell you what I do. I have my own domain name with unlimited aliasing. I have one personal email address, and then I use the company's name or the product for my email. For example, I decided to sign up for MS Passport but I was worried about MS spamming me. So, I created passport@mydomain.com (fyi: I haven't gotten a single unsolicited email to that address). Also for Amazon, I created amazon@mydomain.com. It makes it real easy to manage spam, and track where your spam came from.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    13. Re:Challenge - Response doesn't work by IMarvinTPA · · Score: 1

      You could look in your "challenge-response queue" when you know you're expecting something from them.
      Or you could use one of the time-limited pre-approved e-mail addresses.

      Take your pick,
      IMarv

    14. Re:Challenge - Response doesn't work by Bob9113 · · Score: 1

      I use the company's name or the product for my email.

      This is what I do now too. But with dictionary spam becoming more popular (my news@ alias gets hit more than any other address), I'm guessing it won't be long before they start hitting hertz@, ebay@, amazon@, etc.

  37. Yay! by freality · · Score: 0

    The big guys have been dodging this obvious solution the whole time. Ever since instant messaging took off, it was obvious everyone was capable of using challenge-response, but of course, it hits email advertisers in the pocket. This led to moves by the likes of MS to counter anti-spam legislation in California. Hopefully this move by Earthlink will start the rush.

    The neat thing here isn't that you choose who to accept - because that in itself is a pain - but that the sender has to allow for the possibility that you won't, which is currently not handled well in e-mail. Once legitimate senders generally have this capability, spam filters (either complex or just a rule to reject unknowns) will become more useful, as there's then a decent way to handle a bounce. Spam be gone!

  38. Pure nonsense (and there is a better solution) by marcink1234 · · Score: 1

    Sending often 50 mails a day (business conversations with cooperants, mailing lists, friend communications,...) I really hate the idea. I must say it will be easier for spammers to employ character recognizing software than for me to reply to all those confirmations.

    The problem is somewhere else and there is a solution. The real problem with spam is to force senders to identify themselves correctly (if they identify, they can be easily filtered, maybe including databases of the spam senders being just the lists). And the solution is to require the email to be digitally signed so one can verify it against the sender public key.

    1. Re:Pure nonsense (and there is a better solution) by Anonymous Coward · · Score: 0

      And the solution is to require the email to be digitally signed so one can verify it against the sender public key.

      Yes, exactly.

      There are some challenges to be overcome:

      The chicken-and-egg problem. People won't be inclined to adopt it on the receiving end unless most legitimate senders are using it.

      Deployment and trust of public key infrastructure. Come to think of it, this may prove to be a relatively benign way to bootstrap a global PKI. We get to discover who the trustworthy certification authorities really are, and let market forces take care of the rest. That is, not only do we have the option of blacklisting individual spammers, if a CA is playing fast and loose, we can also blacklist further up the certificate chain.

      Legal enforcement. If digital identities are grounded in civil identity, those who suffer losses as a result of spam stand a much better chance of getting satisfaction through the courts, and of course legislation specifically intended to restrict spam will be much more effective as well.

  39. It'd work w/ a white list. by x00101010x · · Score: 1

    The challenge-response thing is a great idea for yet-unknown senders. However, users should be able to have a white list that doesn't require a challenge. Using that, they could send out an email/insert into paper bill statement that would give users information on where to grab a quick self-installing tool for their platform/email client that would allow 1 click additions to white lists... (or just add it to their Web Mail interface) Then, earthlink would give users 2 more months of spam (while they build their white list and such) before turning on the challenge-response system. Another idea is to take email that isn't obvious spam yet fails the challenge-response system and put it in a Junk folder of some sort where users can 1 click white list the sender... So Timmy goes, 'Hey, where's my starwars newsletter?' and Timmy checks his junk, finds the starwars newsletter and in 1 click sends it to his inbox and white lists newsletter@starwars.com or whatever. Of course, if a month or two goes by and you haven't pulled an item from the junk folder, it's assumed you don't care and it gets deleted. And yet another solution is to have earthlink build its own white list of responsible, trusted senders (such as rhn-admin@rhn.redhat.com and such) so that users will only have to check that junk folder if it's either A) a sender that misbehaves or B) a sender that earthlink hasn't heard of yet. And to that matter... could always add a sender rating so that if enough people put a certain email address (rhn-admin@rhn.redhat.com) on their whitelist, earthlink would then either add it automatically or give some admin the task of checking out that the sender is really cool and then adding them to the earthlink wide white list. Anywho, that's just my 0.02USD

    --
    DONT PANIC
    1. Re:It'd work w/ a white list. by gurudude · · Score: 1

      take email that isn't obvious spam yet fails the challenge-response system and put it in a Junk folder of some sort where users can 1 click white list the sender...

      This is pretty much how my account with mailblocks.com works... Though it allows obvious spam in, I scanned the PENDING folder every day for the first few weeks and white listed everyone that I didn't trust to figure out the C/R (grandma, etc)... I can also add email to the white list from the web interface... Mailblocks also offers "throw-away" email addresses (they call them TRACKERS) that you can subscribe to lists through... I have noticed in my PENDING folder that there are several C/R cycles going on, most specifically with "LuckyDeals" where they send me multiple "Unsubscribe successful" emails and mailblocks re-challenges them and they again send a "Unsubscribe successful" email and so on and so on - some days to the tune of 20 or so "Unsubscribe successful"'s... Not perfect, but it's cut my inbox from 150-200 emails every morning down to the 15-20 a day I actually want... I'd have to second the opinion of the gentleman who suggested that they allow approved emails to be forwarded as the email scanner I used doesn't like IMAP accounts... I'd also like to see mailblocks send challenges back to people with a "from" address that matches the originally-sent-to address instead of the mailblockers.com one (I use one of my vanity domains for almost everything forwarded to the mailblocks domain i.e. e-bay@eccentrics.us for e-bay, verizon@eccentrics.us for verizon -- makes it easy to see who's selling my email addresses)
    2. Re:It'd work w/ a white list. by Anonymous Coward · · Score: 0

      The whole point of the challenge/response system is centered around using a whitelist. With programs such as TMDA, you can set up your whitelist and even populate it with entire domains (although, this makes it easier for a spammer to guess a valid address). Also, TMDA includes an SMTP solution and tagged addresses for use with mailing lists. Looks great to me! I'm going to install this next week for my users...

      ~j-dawg

  40. Regarding mailinglists by CausticWindow · · Score: 1

    Just do the preemptive thing and remove all earthlink subscribers from any mailing list you admin.

    Protocols like this are bad, especially when people like earthlink are the masterminds.

    --
    How small a thought it takes to fill a whole life
    1. Re:Regarding mailinglists by letxa2000 · · Score: 1

      That's what my mailing list does automatically. Basically, my mailing list sends out about 4000 emails per night to people that previously signed up (which requires signing up, receiving a single email, and confirming that you want to sign up). My mailing list does NOT expect any reply back. If it gets a reply back it assumes it's a bounce and the email address is invalid and they are automatically removed from the mailing list.

      If Earthlink starts bouncing my mailing list messages, no problem. I don't have to do anything--my mailing list software will automatically turn off every Earthlink user that sends a C/R response back.

      I don't make a dime with my mailing list so I'm certainly not going to make an effort to make sure that everyone with a poorly-designed anti-spam solution can receive it.

  41. bad protocol: SMTP by JDizzy · · Score: 4, Insightful

    The answer is not attaching more bad ideas to an already bad protocol. The ultimate answer is in the protocol designers. A government/state can pass as many laws governing the interaction of people/things with the bad protocols, but the IETF/IEEE will still create them, and certify them. People should just wake up and realize that SMTP is to blame for this big mess. ISPs should stop offering SMTP outright, and think of ways to replace it. Chat programs are probably a better way to pass messages anyways. SMTP has become a massive bazaar that is full of everyone on earth, and since it is completely open, it's also completely OK to send bulk mail. Forging headers is another issue, but simply spewing email is intrinsically allowed by the protocol, and thus taken advantage of. If everyone on earth had a computer, and everyone on earth sent email to everyone else on earth every day, would that be spam? No, because it would cross the line into accepted practice, and that is what we are starting to see due to the sheer bulk of spam sent to everyone on a daily basis. The point is that as long as SMTP exists, so will spam. The answer is to replace SMTP with something that doesn't allow spam to exist by removing the ability to anonymously send people messages.

    --
    It isn't a lie if you believe it.
    1. Re:bad protocol: SMTP by Richy_T · · Score: 1

      Exactly.

      The thing to remember is that SMTP came into wide use in a time when nearly everyone on the internet was identifiable. Nearly everyone was either edu, mil or com and had a shell account on a Unix box and all the people running the boxes were pretty much seeing eye to eye. Transgress and you could lose your account.

      Now, *anyone* can hook a host into the internet and look where we are.

      I would propose a new transport layer consisting of a "club" of voluntary participating ISPs. (Or why even have it be ISPs? Have commercial e-mail account providers too). All ISPs agree to validate their users and if any ISP consistently allows spammers onto the network, they are out of the club.

      Ideally, this would also include e-mail portability so that if your ISP gets booted from the club, you can just transfer your address to a different ISP (or one of the pre-mentioned commercial providers)

      Rich

    2. Re:bad protocol: SMTP by Anonymous Coward · · Score: 0

      http://www.irtf.org/charters/asrg.html Go to the above URL. There is already a project underway that's working on the problem.

    3. Re:bad protocol: SMTP by greenrd · · Score: 1

      ISPs should stop offering SMTP outright, and think of ways to replace it.

      Hello???

      That's like saying "ISPs should stop offering Internet access outright".

      Can I have some of what you're smoking?

    4. Re:bad protocol: SMTP by JDizzy · · Score: 1

      Uh.... yeah... hello, reality here!

      ISPs do not need to offer SMTP services because it could be an add-on service, an extra thing to pay for. ISPs could simply let other companies on the net offer email services, and the ISP only act as the go-between for you. It's a good idea to slowly unload the email to somebody else, and replace it with something else. Your reaction is typical, and the reason SMTP still exists, and will not die.

      --
      It isn't a lie if you believe it.
  42. Re:Now the spammers get address validation for fre by stratjakt · · Score: 1

    Because no OCR routines have ever been written, this is absolutely foolproof.

    Even so, you only have to respond once, and you then have the full run of earthlink. So you spend a day responding to challenges from all the ISPs, then go back to business as usual.

    --
    I don't need no instructions to know how to rock!!!!
  43. AOL complaining about Earthlink antispam efforts? by opusbuddy · · Score: 1

    Ironically, AOL is delaying email from Earthlink members...seems a little funny that they might complain about positive efforts to control spam...

    Members may see delays in mail being received by AOL members

    --
    If this were easy, they wouldn't need us to do it!
  44. Is sender pay model even discussed? by Anonymous Coward · · Score: 0

    I can't believe nobody talked about ISPs' business models. Relying on the receiver to pay for someone else's spam is not going to cut down the amount of spam being sent, no matter how powerful the filter is. Sure, spammers will just forward spams to a remote server, but operators of those nodes are nuts for accepting spam requests, especially knowing when their nodes are going to be blacklisted. Ever wonder why SMS from cellphone companies suck?

  45. Yeah, OK... by Lord+Jester · · Score: 1

    I had an Earthlink (Mindspring) dial-up account for quite a while.

    I never gave out the address that was earthlink's (jester2@mindspring.com). However, I got tons of SPAM to that address. Seems earthlink is trying to play both sides of the fence. They want to lure customers with anti-spam feature, but they are still going to sell your address.

    1. Re:Yeah, OK... by esquimaux · · Score: 1

      Right, a dictionary attack would never, ever guess jester2. I mean, it's a dictionary word PLUS A SINGLE DIGIT NUMBER! If you could see the mail logs on any major ISP's servers during a spam dictionary attack, you'd know that spammers will blindly try a great number of combinations.

      Furthermore, I had a similar problem with an e-mail address that I know wasn't sold because I was the one hosting it. It turns out that somehow I had taken some spyware onboard, and it was sending all my form submissions to some unscrupulous collector.

      (Yes, I use Linux, too; no, it can't replace Windows for everything I need to do.)

    2. Re:Yeah, OK... by ran-o-matic · · Score: 1

      I had the same problem with an Earthlink account. The only time I used the mail account was to get updates from Earthlink itself, but I started getting spam anyway. Earthlink does NOT sell their lists. I suspect that the email address was taken from my Earthlink home page. They use your account name for the home page name, making it easy to automate harvesting accounts automatically.

    3. Re:Yeah, OK... by Lord+Jester · · Score: 1

      I had no page under jester2, I used jester@wolfenet.com which was my ISP before they sold the dial-ups to Earthlink.

      I never used it period. I have pobox.com accounts I have used instead and my personally hosted server. The dial-up was a backup only.

  46. Hotmail System? by EtherBoo · · Score: 0

    The idea sounds good. Reminds me of the hotmail system that forwards everything on a safe list to the inbox and everything else to the junk mail folder. The user is then able to allow or deny future mails from that sender. Hopefully more providers will follow in the same direction.

  47. Folks, It's Opt In by davewill · · Score: 3, Informative

    The article clearly states that the user turns this on or off. So it seems unlikely that a large number of challenges will start going out. As far as Grandma is concerned, you can add her email address to the OK list yourself so that she never sees a challenge. The only minor problem I see is receiving email from text only people, (Pine, etc..), or portable devices that might not render the bitmap correctly. But it seems a minor complaint, really.

    --
    Dave Williams
    1. Re:Folks, It's Opt In by Misch · · Score: 1

      Good point. I wonder about blind/visually impaired people. Is this technology going to leave them behind? (I was going to say "in the dark", but that would have been just mean.)

      --

      --You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
  48. Re:Now the spammers get address validation for fre by Sylver+Dragon · · Score: 1

    The article implies that an image would be part of the response, such as ticketmaster's "please type the word in the picture into the box".

    I give it about a month before someone figures out a way to use something similar to OCR technology to bypass this sort of thing. If this sort of challenge/response idea becomes very wide spread, the spammers will suddenly have a huge need to find a way around it, and they have the money to throw at it. It will eventually fail, just like every other filter out there. SPAM is here to stay, the best we can do is fight it constantly, and never respond to it, but even still we will never win.

    --
    Necessity is the mother of invention.
    Laziness is the father.
  49. Phaeton Sez by Anonymous Coward · · Score: 0

    I could be horribly ignorant on the whole subject, but...

    I think that making the ISPs and users at the receiving end of UCE take the brunt and actions against spam is the wrong way to go about it.

    It needs to be attacked from the offence, not bolstered up at the defence.

    We're still increasing the costs and hassles for the victims, while the perpetrators are still able to send volley after volley with no financial consequence.

    Admittedly, I don't have any better ideas either, though.

    Except for requiring a short time delay between messages sent. Just like anything else, difficult to enforce.

  50. There's a whitelist by Spittoon · · Score: 4, Informative

    Jeez people, read the whole article, it's not that long:

    The challenge-response system will be optional and free for EarthLink subscribers, Anderson said. It will allow users to automatically clear the e-mail addresses of friends, family members and other associates in their electronic address books, so those people would not receive the challenge e-mail.

    That's called a "white list"-- a list of addresses you know are legitimate.

    When someone responds to a challenge and you accept their response, they go on your whitelist.

    When you turn on this gadget, add your mailing list addresses to your white list. If you suddenly stop getting a list, go find out if they changed their sending address and add it to your white list.

    If that's too much of a burden, feel free not to use the service, and go back to complaining about spam.
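The whitelist flow spelled out in the post above, together with the challenge-to-challenge loop raised earlier in the "Fill up the ISP servers" thread, as an added example in Python (my code, not Earthlink's, TMDA's or ASK's): known senders and whole domains pass, unknown senders get exactly one open challenge while their mail is held, a reply quoting the challenge nonce releases the held mail and whitelists the sender, and anything that identifies itself as machine-generated (null return path, `Auto-Submitted` other than `no` per RFC 3834, `Precedence: bulk/list/junk`, `List-Id`, or another site's challenge) is never challenged. The outgoing challenge carries `Auto-Submitted: auto-replied` so a peer running the same rule will not challenge it back. Messages are constructed dicts; the `[C/R challenge]` subject marker and the seven-day hold are assumptions.

```python
import secrets
import time
from typing import Dict, List, Optional, Set, Tuple

# A message is a constructed dict of header name -> value (plus "body").
Message = Dict[str, str]

CHALLENGE_TAG = "[C/R challenge]"
PENDING_TTL = 7 * 86400  # seconds a held message waits for a response


class ChallengeResponseGate:
    def __init__(self, owner: str, whitelist: Optional[Set[str]] = None) -> None:
        self.owner = owner
        # entries are full addresses or "@domain" for a whole sending domain
        self.whitelist: Set[str] = {a.lower() for a in (whitelist or set())}
        # nonce -> (sender, held messages, time the challenge went out)
        self.pending: Dict[str, Tuple[str, List[Message], float]] = {}
        self.outstanding: Dict[str, str] = {}   # sender -> nonce of open challenge
        self.inbox: List[Message] = []
        self.outbound: List[Message] = []       # challenges we emitted

    def _whitelisted(self, sender: str) -> bool:
        domain = sender.rsplit("@", 1)[-1]
        return sender in self.whitelist or ("@" + domain) in self.whitelist

    @staticmethod
    def _automated(msg: Message) -> bool:
        """Mail that must never be challenged: bounces, list traffic, auto-replies
        and other sites' challenges. Challenging these is what starts the loop."""
        if msg.get("Return-Path", "x").strip() in ("", "<>"):
            return True
        if msg.get("Auto-Submitted", "no").lower() != "no":
            return True
        if msg.get("Precedence", "").lower() in ("bulk", "list", "junk"):
            return True
        return "List-Id" in msg or msg.get("Subject", "").startswith(CHALLENGE_TAG)

    def _expire(self, now: float) -> None:
        """Drop held mail whose challenge was never answered."""
        for nonce, (sender, _, ts) in list(self.pending.items()):
            if now - ts > PENDING_TTL:
                del self.pending[nonce]
                self.outstanding.pop(sender, None)

    def receive(self, msg: Message, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self._expire(now)
        sender = msg.get("From", "").lower()
        subject = msg.get("Subject", "")
        # 1. A reply quoting the nonce of a challenge we sent to this sender?
        for nonce, (psender, held, _) in list(self.pending.items()):
            if psender == sender and nonce in subject:
                self.whitelist.add(sender)
                self.inbox.extend(held)
                del self.pending[nonce]
                self.outstanding.pop(sender, None)
                return "released"
        # 2. Known sender or domain: straight through.
        if self._whitelisted(sender):
            self.inbox.append(msg)
            return "accepted"
        # 3. Machines are never challenged (and their mail is not held).
        if self._automated(msg):
            return "dropped-automated"
        # 4. One open challenge per sender: further mail is held, not re-challenged.
        if sender in self.outstanding:
            self.pending[self.outstanding[sender]][1].append(msg)
            return "held"
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (sender, [msg], now)
        self.outstanding[sender] = nonce
        self.outbound.append({
            "From": self.owner, "To": sender,
            "Subject": f"{CHALLENGE_TAG} {nonce}",
            "Auto-Submitted": "auto-replied",   # tells a peer gate we are a robot
            "Precedence": "junk",
            "body": f"Reply to this message, keeping the subject line, to reach {self.owner}.",
        })
        return "challenged"
```

What this does not fix is the thread's main objection: a forged `From` still directs the one challenge at the innocent party, so the per-sender limit and the automated-mail rule bound the damage rather than remove it.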

    1. Re:There's a whitelist by platypus · · Score: 1

      When you turn on this gadget, add your mailing list addresses to your white list. If you suddenly stop getting a list, go find out if they changed their sending address and add it to your white list.

      Only to find out that the mailing list admin was fed up with umpteen "challenges" when he changed the sending address and banned you for life.

    2. Re:There's a whitelist by brakk · · Score: 1

      I just started using Qurb and it works basically the same way. It integrates with Outlook and when you install it, it looks at your address book and all the emails still in your Inbox and adds those addresses to the white list. Then when you download new email, if it doesn't know the sender, it saves it in a directory and reminds you at preset time intervals to look through and approve any of the senders. If you approve the sender of an email, it automatically adds all the other recipients of the email, since most likely friends of friends are your friends too. It also has the option of sending a challenge and auto responding to challenges sent by other people.

    3. Re:There's a whitelist by akalashnikova47 · · Score: 1

      What I was wondering is if there was a way to get on the whitelist for all Earthlink users, perhaps through earthlink itself. I assume if they had something like this you would have to present credentials and policies that indicate that you do not send or relay spam, but as an employee of an internet company I want to know if our customers are going to be calling us because they can't get email from their earthlink friends. Faxing some credentials would be worth the headaches to many I think, and would still prevent much of the spam.

  51. Wow, nobody understands this! by MrPerfekt · · Score: 5, Insightful

    I see a slew of people saying "blah blah blah, they'll automate the response blah blah blah". And apparently, to a lot of you, this is all new.

    This is something that's been around for a few years and gee, spammers haven't gotten around it yet. C/R antispam systems work because spammers don't use valid Reply-to: or To: addresses.

    If they did and the spam gets through the system, then great! There's one more point where we can nail them on when/if we go to hunt them down. Oh, you used your dialup with an SMTP server to auto-respond to the challenge (which is probably a lot of work for the average evil spammer), great, email abuse@isp and have his account shut down.

    Since I started using ASK to C/R my email, -zero- spams have gotten in my Inbox (which is what annoyed me the most about spam, the false positive I got when the little sound would ring telling me I had new mail.)

    Intrusive? PLEASE! How lazy are you? Hit reply -once- and you'll never have to see it again when sending email to me. I'd say getting pelted with 200 spams a day is slightly more intrusive to me than what you're going to have to do to send an email to me.

    --
    I just wasted your mod points! HA!
    1. Re:Wow, nobody understands this! by realdpk · · Score: 1

      And then what do you do when you say.. sign up for online banking for the first time. They try to send you an e-mail to confirm, but you never receive it. You don't know if they're using thebank.com, thebankonline.com, thebankaccess.com, genericonlinetemplate.com, etc, so you can't whitelist them ahead of time.

      The bank could tell you "You will receive an e-mail from foo@bar.com", but they don't at this time, and getting them to change seems like an uphill battle..

    2. Re:Wow, nobody understands this! by Elwood+P+Dowd · · Score: 1

      The only problem I see is that now the spammers will just forge headers so they use a reply-to/forged headers from someone that's already authenticated.

      If they've figured out how to avoid that problem, then this seems like a solid system.

      --

      There are no trails. There are no trees out here.
    3. Re:Wow, nobody understands this! by Anonymous Coward · · Score: 0

      Better yet, how about I just not e-mail you at all? I can tell you're a prick without having to send mail to you anyway, you ruined the surprise.

    4. Re:Wow, nobody understands this! by MrPerfekt · · Score: 1

      You can keep all denied mails in a separate folder instead of going to /dev/null (which is what I do), works pretty well when you're bored and want to see if anything automated was of interest to you.

      In any case, any automated message worth something should have the domain you were at when you "signed-up" _somewhere_ in the headers. Either in the From: or the Reply-To: or elsewhere. You can whitelist based on any header.

      But you're telling me, you'd rather have all your spam than occasionally not get the receipt for the dvds you just ordered online? Spam is the most evil of evil things to me. If a system works and not getting one or two significant emails immediately is the trade-off, I'm sorry, but I'll take it with open arms.

      Let's not forget the fact that, this exists now.. RIGHT NOW! You don't have to wait for an act of god like a SARS virus that targets spammers or legislation or the looney-toon concept of signing each packet to be implemented.

      But the bottom line is whatever, dude, it's your email!

      --
      I just wasted your mod points! HA!
    5. Re:Wow, nobody understands this! by shepd · · Score: 1

      How is the spammer going to know who is on your whitelist without hacking your computer?

      Just wondering...

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    6. Re:Wow, nobody understands this! by Elwood+P+Dowd · · Score: 1

      Anyone who's gone through the challenge-response system once is whitelisted. For everyone on Earthlink. They could just try a bunch of harvested known-good email addys until one doesn't get bounced. Then they forge sender, and pour in the email.

      --

      There are no trails. There are no trees out here.
    7. Re:Wow, nobody understands this! by MrPerfekt · · Score: 1

      Read that article again. It is not domain-wide. It is per-user.

      --
      I just wasted your mod points! HA!
    8. Re:Wow, nobody understands this! by shepd · · Score: 1

      >Anyone who's gone through the challenge-response system once is whitelisted. For everyone on Earthlink.

      Oh, now that's really stupid of them!

      I like being able to have a separate whitelist and blacklist from others. There are some legitimate email addresses that have assholes operating them that I like to blacklist, but others wouldn't.

      In the case of ask, each user has their own whitelist, so they don't have to worry about lameness like you mentioned.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    9. Re:Wow, nobody understands this! by Tokerat · · Score: 1


      No, dude, everyone on Earthlink doesn't share a whitelist, you each get your own. I think that last sentence should have had a comma between "Earthlink" and the next sentence.

      --
      CAn'T CompreHend SARcaSm?
    10. Re:Wow, nobody understands this! by realdpk · · Score: 1

      I'm not so quick to sacrifice the usefulness of e-mail in order to stop receiving spam. "If your software miscategorizes incoming mail as spam, the terrorists have already won."

      But I guess that's the difference between us, the thresholds we'll allow, for a bit of short-term comfort.

      The "ask process queue" the other guy posted about sounds like it could be neat. Better if it was a URL you could go to and just click reload periodically.

    11. Re:Wow, nobody understands this! by Elwood+P+Dowd · · Score: 1

      No, you can still whitelist/blacklist whomever you like.

      I'm just suggesting that Earthlink maintains the "This is a human" information system-wide. However, on closer reading of the article, it is absolutely unclear whether I am correct or not. There's not enough information to tell.

      I don't feel too bad, because most of the /. comments assume one way or the other.

      --

      There are no trails. There are no trees out here.
    12. Re:Wow, nobody understands this! by Anonymous Coward · · Score: 0

      Catch SARS?

    13. Re:Wow, nobody understands this! by Tokerat · · Score: 1


      Why whatever do you mean? *chuckle*

      --
      CAn'T CompreHend SARcaSm?
  52. How has this problem escaped me? by Cobralisk · · Score: 2, Informative

    But spammers have found ways to defeat them and spam accounts for 40 percent of all e-mail

    Is this true?

    Of all my email accounts, the only one I ever get spam on is my yahoo account, which I set up pretty much to get spam on, since any websites I visit that require registration, I always give them the "spam" address I got for free. I don't even check that email for anything. Human beings are the only recipients of my paid email addresses. I am for measures like this though, because even though I'm not affected directly by spam, increased traffic on the net is bad for everyone.

    We need to punish the senseless posting of one's own email address to anonymous sources. These are the same people that give out their address and phone numbers when they buy batteries from radio shack. Use your head, they don't want to know where you live so they can send you a case of scotch. They want to drink your beer, crash on your couch, sleep with your daughter, and have you pay them for the privilege.

    --
    Waiting for ad.doubleclick.net...
    1. Re:How has this problem escaped me? by kindbud · · Score: 1

      Is this true?

      Oh yes, very. I have collected an immense pile of spam that grows at the rate of 40/day (2/3 my email volume) which you can have a copy of if you ever need to train a Bayesian system.

      Of all my email accounts, the only one I ever get spam on is my yahoo account...

      Good for you. I get spam on my Yahoo account and never gave it out to anyone. Only used it on Yahoo Groups.

      We need to punish the senseless posting of one's own email address to anonymous sources.

      Oh please. I was using my real email address on Usenet more than a decade ago, when it was actually totally acceptable and normal to do so, and mail bombs from some kook were the only thing to worry about (and then only if you engaged in flamewars on alt.guns or something stupid like that).

      Of course, Deja Vu and now Google Groups has preserved my true email address for all posterity to spider until the end of time (2038, when time_t rolls over and the Internet crashes :). But it isn't because I'm naive or careless.

      --
      Edith Keeler Must Die
    2. Re:How has this problem escaped me? by Anonymous Coward · · Score: 0

      I have never given my email address to anybody and I made sure the user name wasn't vulnerable to dictionary attacks and I got the account on an obscure server. Unfortunately, no one ever sends me email.

  53. You can do this yourself. by Malcontent · · Score: 4, Informative

    Take a look at this

    --

    War is necrophilia.

    1. Re:You can do this yourself. by WetCat · · Score: 3, Insightful

      Well, imagine you have no job and are selling yourself.
      You posted the resume, and are waiting for emails.
      Do you seriously expect that a prospective employer will have time to respond to a "confirmation" message?

    2. Re:You can do this yourself. by Anonymous Coward · · Score: 0

      Pretty simple. Just add the employers address to your address book. Right?

    3. Re:You can do this yourself. by StarOwl · · Score: 5, Informative
      I use TMDA to provide a challenge/response mechanism in my antispam filter.

      When I first started using TMDA, I had problems with people not understanding the mechanism. My grandmother, for example, complained about "bounces" (how she interpreted the challenges).

      So, to avoid those problems, I:
      • Actively manage my whitelist. For example, if I needed to send a resume, I would make darned sure that the prospective employer's domain was on the list.
      • Use challenge-response only in conjunction with other antispam tools. My system is roughly: if I know it's spam (tagged address known to be in spammers' databases), it gets trashed. If spamassassin or spamoracle think it's spam, I refer to tmda for possible challenge/response. Otherwise, the mail gets delivered.
      • Warn people about the system. If I know that someone new is about to send me email, I warn them: "You might get an autoresponse back. If you do, just hit 'reply'."
      • Use some care in writing the challenge email. Trying to craft a letter that is understandable to non-geeks wasn't that easy.
      I still have the odd piece of spam leak through that process, but it's nowhere near the quantity that's actually sent to me.

      The only problem with the scheme: there are some spammers who are dumb enough to not get the hint, and respond to the challenge. They don't seem to realize that their response probably constitutes harassment via 'net, which is a crime in the U.S. (Spammer go to jail. Do not pass go. Do not collect $200.)
    4. Re:You can do this yourself. by Fishstick · · Score: 1

      Then don't sign up for this free, optional service.

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    5. Re:You can do this yourself. by BlackHawk-666 · · Score: 5, Informative
      I also use TMDA and I can tell you it has vastly reduced the amount of spam I receive from approximately 20-30/day to 1 in the last two months. I've never been happier ;-)

      Whitelisting is important, and easy too. Just export your address book to a text file and copy the results to your whitelist (which is also text).

      It's worth noting that you can also auto-whitelist anyone you send mail to by using their nifty little mail proxy. It sits and proxies for SMTP and adds all outgoing mail automatically to your whitelist, so whoever you sent that resume to will never see a challenge...neat!

      P.S. Can't recommend the product enough.

      --
      All those moments will be lost in time, like tears in rain.
    6. Re:You can do this yourself. by WetCat · · Score: 1

      And do you really know that address? You can get mail from the employer you never heard of!

    7. Re:You can do this yourself. by Shrac · · Score: 1

      Only if you can add the entire domain to your address book. It would be rather unusual to do all correspondence with a prospective employer at a single e-mail address.

    8. Re:You can do this yourself. by evilviper · · Score: 0
      I also use TMDA and I can tell you it has vastly reduced the amount of spam I receive from approximately 20-30/day to 1 in the last two months. I've never been happier ;-)

      And it won't be long before spammers all spoof the source address of all e-mails as: dilbert@dilbert.com, or whatever their mailing list is...

      It doesn't take much effort to get around these systems.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    9. Re:You can do this yourself. by tuxlove · · Score: 1

      I have built an extremely small challenge-response system as a procmail script. It's tiny, and has completely eliminated my 200-spams-per-day problem (I have a very well-known email address, unfortunately). You can grab a copy of it for yourself to try out. See my journal for info.

    10. Re:You can do this yourself. by datavortex · · Score: 1
      And it won't be long before spammers all spoof the source address of all e-mails as: dilbert@dilbert.com, or whatever their mailing list is...
      Which is really why TMDA is such a spectacularly wonderful tool. When you subscribe to the mailing list, you use a tagged address. For instance, I could use: datavortex+sender+9e0531@datavortex.net to subscribe to the Dilbert mailing list. For the sake of discussion, let's pretend that it's a discussion instead of an announcement-only style list. I send emails to the mailing list and the from address is seen by all, and saved in web archives. Thanks to TMDA, I'm still spam-free. The tagged address above is a sender style address. This means it's a one-to-one channel for communication. dilbert@dilbert.com is the only from address that's accepted to the unique addresses TMDA made for me (via a web interface that even a Windows user can use and love!). Even if that address gets harvested from the mailing list, no problem, it's useless to them. They would have to try and spoof the mailing list to my specific address (at which point I could easily kill that addy I made for the Dilbert list) - and when harvesting is that difficult it's no longer the path of least resistance, and not economically viable for spammers.
      --

      He either comes off as a real interesting guy with encyclopedic knowledge,or a pathological liar with an ax to grind
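The post above describes TMDA's "sender" style tagged addresses in prose. The following is an added example, not TMDA's own code, of the idea: the tag is a truncated keyed hash over (my address, the keyword "sender", the one correspondent it was minted for), so a harvested copy of the address is useless to any other sender and can be rejected without even sending a challenge. The secret, the six-hex-character tag length, the HMAC construction and the lower-casing of local parts are all assumptions made for this illustration.

```python
import hashlib
import hmac
from email.utils import parseaddr

# Added example, not TMDA's code. SECRET, TAG_LEN and the HMAC construction are
# assumptions chosen to illustrate a "sender" style tagged address such as
# datavortex+sender+9e0531@datavortex.net.
SECRET = b"per-user-secret-that-only-the-recipient-knows"
TAG_LEN = 6


def canonical(address: str) -> str:
    """Normalise an address before keying on it: lower-case it (an assumption;
    local parts are technically case-sensitive) and drop any +tag of its own."""
    local, _, domain = parseaddr(address)[1].lower().strip().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def make_sender_tag(user: str, domain: str, correspondent: str) -> str:
    """Mint a tagged address bound to one correspondent. Without SECRET nobody
    can compute the tag, and it differs for every correspondent."""
    data = f"{user}@{domain}|sender|{canonical(correspondent)}".encode()
    tag = hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{user}+sender+{tag}@{domain}"


def accept(to_header: str, from_header: str) -> bool:
    """Deliver mail to a sender-tagged address only when From: is the address
    the tag was minted for. A harvested copy of the tagged address is useless
    to anyone else, so no challenge is needed: the message is simply dropped.
    Returns False for addresses that are not sender-tagged at all, leaving those
    to the rest of the filter chain (whitelist, challenge/response, ...)."""
    local, _, domain = parseaddr(to_header)[1].lower().partition("@")
    parts = local.split("+")
    if len(parts) != 3 or parts[1] != "sender":
        return False
    user, _, tag = parts
    expected = make_sender_tag(user, domain, from_header)
    presented = f"{user}+sender+{tag}@{domain}"
    # Constant-time comparison: the tag is short, so do not leak which bytes matched.
    return hmac.compare_digest(expected.encode(), presented.encode())
```

The check costs one HMAC per message and sends nothing back, which is why it sits in front of challenge/response rather than replacing it. If a list operator changes its From: address, mail to the tagged address simply stops arriving, which is the same effect as killing the address by hand.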
    11. Re:You can do this yourself. by lobotomy · · Score: 2, Interesting

      Or better yet, what happens when a confirmation message is sent to confirm your confirmation message? Is there any looping message detection built in? Maybe if both sides are using the same program, but this could be disastrous if two users have different challenge-response systems that don't know about each other.

    12. Re:You can do this yourself. by Anonymous Coward · · Score: 0

      I used to use TMDA. It has some issues that I could deal with, but what killed it for me was my ISP. They made a rule that I couldn't run a mail server from my DSL connection. (No doubt to cut down on spam...) Without control over the mail server, I can't use TMDA. A pity.

    13. Re:You can do this yourself. by Anonymous Coward · · Score: 0
      ...They made a rule that I couldn't run a mail server from my DSL connection...

      Fetchmail running as a POP-to-SMTP gateway would have solved your problem.

    14. Re:You can do this yourself. by mazor · · Score: 2, Informative
      Yes, TMDA has loop detection built-in, both for TMDA responses and for other mail agent autoresponses. Mail storms are caused by people who don't follow the RFC standards for mail processing.

      -mazor

    15. Re:You can do this yourself. by mazor · · Score: 1
      I use TMDA too. It's great! Mail from real people (including people I don't already know) gets through, mail from spambots does not.

      -mazor

    16. Re:You can do this yourself. by nametaken · · Score: 1

      I'm trying to imagine how a company that has a massive database of clients with constantly changing email addresses would pull this off without the clients getting irritating challenges.

  54. Authenticate from address by soundman32 · · Score: 1

    I've just implemented a POP3 email checker that makes sure the FROM address is valid. It removes about 25 spams per day (out of 100) and MailWasher takes care of the rest.

    If anyone is interested in trying out my program, drop me a line.

    --
    No sharp objects, I'm a programmer!
  55. Earthlink spam filtering by ceswiedler · · Score: 1

    I use Earthlink, and they already have a decent spam-filtering system. I still use both SpamProbe and SpamAssassin, and the combination of all three works well enough that I'm not afraid to give my real address just about anywhere.

    Well, except maybe Slashdot.

    But perhaps with the new system, I can post it even here!

  56. Re:Now the spammers get address validation for fre by PerlGuru · · Score: 3, Interesting

    I don't know about earthlink but ticketmaster's sys uses random different patterns obscuring the text. As for the text, the fonts they use vary, size varies, lines are not straight, and most of the fonts look like they are hand written (with even a single letter appearing differently in the same image)

    I'd guess their system is pretty effective.

  57. Proper scenario, better way by phorm · · Score: 3, Informative
    Nope, more like:

    Alice@me.com sends an email to Bob@you.com

    Mailing program adds "Bob@you.com" to Alice's list of valid emails (after all, you're not often going to send email to somebody that you don't want responding, right?).

    Bob@you.com sends a challenge to Alice@me.com

    Alice@me.com accepts the challenge, since she already sent the original email to "Bob" and had him added as an authorized user

    Alice authenticates to Bob's system, and all is good


    Another way would be to make all "challenge" type emails follow a specific pattern - with little to no allowance for anything other than the challenge. Then, challenges will be accepted as legit without bouncing back-and-forth, and spammers cannot simply send a message as a challenge with extra spamcrap attached - and still cannot send non-challenging email.
    Now, an ignorant spammer could send a flood of challenges just to be annoying, but this isn't very profitable as they wouldn't be able to contain penis/Viagra/etc ads.

    1. Re:Proper scenario, better way by Contact · · Score: 1
      Okay, so anyone sending a message automatically whitelists the recipient.

      But what happens the first time a spammer sends a message to an Earthlink subscriber... with a forged "from" address of another Earthlink subscriber? Neither account will have authorised the other, so theoretically it'll hit a loop.

      I'm sure they've worked this out, I'm just curious what the solution is...

    2. Re:Proper scenario, better way by Anonymous Coward · · Score: 0

      (after all, you're not often going to send email to somebody that you don't want responding, right?)

      Virus gets on Alice's computer.
      Virus sends out e-mail to spammer e-mail addresses (they will then all be added to Alice's whitelist).
      Spammer authenticates e-mail, and is now able to spam Alice to death until she gets the whitelist and the computer cleaned. Until next time.
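The thread above walks through phorm's Alice/Bob exchange, Contact's question about two Earthlink users looping on a forged From:, Elwood's objection that a whitelist keyed on From: is spoofable, and mazor's note that TMDA has loop detection. The following added example (not Earthlink's or TMDA's code) puts all of that into one small challenge/response filter so the cases can be run side by side. The secret, the token format in the Subject:, the user names and the "hold" outcome are assumptions; the rule that an autoresponder must never answer mail marked Auto-Submitted or Precedence: bulk/list is the RFC 3834 one.

```python
import hashlib
import hmac
import re
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Added example, not Earthlink's or TMDA's code. SECRET, the token format and
# the user names are assumptions; the "never answer automatic mail" rule is
# the RFC 3834 one.
SECRET = b"per-user-secret"
TOKEN_RE = re.compile(r"\[cr:([0-9a-f]{16})\]")


def address(header) -> str:
    return parseaddr(header or "")[1].lower()


def is_auto_submitted(msg) -> bool:
    """RFC 3834: an autoresponder must not answer mail that is itself automatic
    or has bulk/list precedence (a null envelope sender is the third sign, but
    the envelope is not visible in this simulation). Answering such mail is how
    two C/R users end up challenging each other forever."""
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return True
    return msg.get("Precedence", "").lower() in ("bulk", "junk", "list")


class CRFilter:
    def __init__(self, me: str):
        self.me = me.lower()
        self.whitelist = set()
        self.pending = {}      # token -> (sender we challenged, held message)
        self.outbox = []       # everything this side sends, challenges included

    def _token(self, sender: str, message_id: str) -> str:
        data = f"{self.me}|{sender}|{message_id}".encode()
        return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:16]

    def send(self, to: str, subject: str, body: str, confirm: str = "") -> EmailMessage:
        """Outgoing mail whitelists its recipients (phorm's first step).
        `confirm` carries a challenge token back to whoever challenged us."""
        msg = EmailMessage()
        msg["From"], msg["To"] = self.me, to
        msg["Subject"] = subject + (f" [cr:{confirm}]" if confirm else "")
        msg["Message-ID"] = f"<{len(self.outbox)}.{hashlib.sha1(body.encode()).hexdigest()[:8]}@{self.me.split('@')[1]}>"
        msg.set_content(body)
        for _, rcpt in getaddresses([to]):
            self.whitelist.add(rcpt.lower())
        self.outbox.append(msg)
        return msg

    def receive(self, msg) -> str:
        """'deliver', 'hold' (parked, never answered) or 'challenged' (parked
        and a challenge sent to the From: address)."""
        sender = address(msg.get("From"))
        # A reply carrying one of our tokens proves the replier could read mail
        # at the address we challenged: release the held message, whitelist it.
        m = TOKEN_RE.search(msg.get("Subject", ""))
        if m and m.group(1) in self.pending:
            confirmed, _held = self.pending.pop(m.group(1))
            self.whitelist.add(confirmed)
            return "deliver"
        if sender in self.whitelist:
            return "deliver"       # keyed on From:, which anyone can forge
        if is_auto_submitted(msg):
            return "hold"          # never challenge a challenge, bounce or list post
        token = self._token(sender, msg.get("Message-ID", ""))
        self.pending[token] = (sender, msg)
        challenge = EmailMessage()
        challenge["From"], challenge["To"] = self.me, sender
        challenge["Subject"] = f"Please confirm your message [cr:{token}]"
        challenge["Auto-Submitted"] = "auto-replied"   # RFC 3834 marker; a real
        challenge["Precedence"] = "bulk"               # one also uses MAIL FROM:<>
        challenge.set_content("Reply to this message once and you will be whitelisted.")
        self.outbox.append(challenge)
        return "challenged"


def simulate() -> dict:
    """Constructed exchange: phorm's happy path, then Contact's forged-From case."""
    alice, bob = CRFilter("alice@me.com"), CRFilter("bob@you.com")
    r = {}
    r["bob_first"] = bob.receive(alice.send("bob@you.com", "hello", "first contact"))
    challenge = bob.outbox[-1]
    r["alice_gets_challenge"] = alice.receive(challenge)   # bob whitelisted on send
    token = TOKEN_RE.search(challenge["Subject"]).group(1)
    r["bob_reply"] = bob.receive(alice.send("bob@you.com", "Re: confirm", "ok", confirm=token))
    r["bob_second"] = bob.receive(alice.send("bob@you.com", "again", "second message"))

    carol, dave = CRFilter("carol@me.com"), CRFilter("dave@you.com")
    spam = EmailMessage()
    spam["From"], spam["To"], spam["Subject"] = "carol@me.com", "dave@you.com", "cheap pills"
    spam["Message-ID"] = "<spam1@open-proxy.example>"
    spam.set_content("buy now")
    r["dave_spam"] = dave.receive(spam)                         # challenge goes to carol
    r["carol_gets_challenge"] = carol.receive(dave.outbox[-1])  # parked, not answered
    r["carol_challenges_sent"] = len(carol.outbox)              # 0: no loop

    forged = EmailMessage()
    forged["From"], forged["To"], forged["Subject"] = "alice@me.com", "bob@you.com", "cheap pills"
    forged["Message-ID"] = "<spam2@open-proxy.example>"
    forged.set_content("buy now")
    r["forged_alice_to_bob"] = bob.receive(forged)   # Elwood's objection: sails through
    return r
```

Two things the run shows that the prose only asserts: the loop Contact worries about is broken not by both sides running the same software but by every challenge carrying the RFC 3834 markers and every filter refusing to challenge anything that carries them; and the last result is Elwood's point exactly, because once Alice is on Bob's whitelist a forged From: alice@me.com is delivered with no challenge at all, which is why tagged addresses or a signed sender are needed on top of a plain address whitelist.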

  58. In other news... by PHAEDRU5 · · Score: 1

    The people not hired to service homeland security webcams will be hired to service challenge/response programs for all the major spammers.

    --
    668: Neighbour of the Beast
  59. What the challenge needs is a pledge not to spam by Thagg · · Score: 1

    One problem people are complaining about is that spammers will deploy OCR or other technology to answer the challenge. I believe that this is much harder than it sounds, OCR is hard even in the best cases. With 10,000 fonts in 100 sizes with lots of noise, it would be extremely difficult to do OCR correctly. People that bright aren't spamming.

    What would also help is a pledge in the email, that by sending this mail you agree that this is not unsolicited commercial email. This would be used to sue the spammer if he is indeed spamming.
    Of course this would only work for spammers from the civilized world, but that is still the majority of the spam.

    thad

    --
    I love Mondays. On a Monday, anything is possible.
  60. Re:Now the spammers get address validation for fre by Have+Blue · · Score: 1

    No, then the spammer would have to provide a valid and static reply-to in the email, and we'd filter based on that. Even if they had a large number of domains/addresses, distributed spam-cataloging tools would make that ineffective.

  61. I assume by ceswiedler · · Score: 3, Interesting

    I assume that the challenge-response is intended for messages already tagged as potential spam. In other words, low-scoring messages (spam-wise) wouldn't get the challenge. I certainly wouldn't expect a perfectly not-spam message to require the CR. Earthlink's (and other) spam-rating systems are pretty good, I think using it for the 'grey-area' emails would work well. And block the obvious spam without hesitation.

    One question: shouldn't it be REALLY OBVIOUS to ISPs what is spam and what isn't? It seems that if a nearly-identical message gets sent to a large enough percentage of their users, it's clearly spam. Is this hard to do? Are spammers clever enough to distribute emails to avoid this?

    1. Re:I assume by realdpk · · Score: 1

      It's really hard, especially when spammers start playing tricks like putting 3 character random comments between every other letter. If ISPs started checking that out for each message, their load would increase, and spammers would find a new way around it. Ever escalating, with the ISP bearing the brunt of it.
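ceswiedler asks whether an ISP could simply notice that a nearly identical message is hitting many mailboxes, and realdpk replies that spammers defeat naive comparison by inserting random HTML comments between letters. The following added example (not Earthlink's code) shows the usual counter: canonicalise the body before hashing so that comments, empty tags, tracking numbers and whitespace do not change the fingerprint, then count fingerprints across the stream. The sample bodies are constructed for this illustration.

```python
import hashlib
import re
from collections import Counter
from html import unescape

# Added example, not Earthlink's code; the sample messages are constructed.
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)   # the "random comments between letters" trick
TAG_RE = re.compile(r"<[^>]+>")                  # <b></b>, <span>, <font> used the same way
KEEP_RE = re.compile(r"[a-z]")                   # letters only: no digits, spaces, punctuation


def fingerprint(body: str) -> str:
    """Canonicalise an HTML or text body so the per-copy noise spammers add
    (comments, empty tags, order numbers, whitespace) does not change the
    hash, then hash what is left."""
    text = COMMENT_RE.sub("", body)
    text = TAG_RE.sub("", text)
    text = unescape(text).lower()
    letters = "".join(KEEP_RE.findall(text))
    return hashlib.sha1(letters.encode()).hexdigest()


def bulk_fingerprints(bodies, threshold: int) -> set:
    """Fingerprints seen at least `threshold` times across the mail stream.
    A real MX would keep the counter in a shared store with a time window, so
    that three recipients every five minutes still adds up; here it is one
    pass over a list."""
    counts = Counter(fingerprint(b) for b in bodies)
    return {fp for fp, n in counts.items() if n >= threshold}


# Constructed sample: the same pitch sent three times with different comment
# noise, different "order numbers" and different spacing, plus two unrelated
# legitimate messages.
SAMPLE_BODIES = [
    "<html>V<!--qz1-->i<!--8kp-->agra at 80% off! Order #4471 <a href=x>here</a></html>",
    "<html>Vi<!--m0d-->ag<!--t7u-->ra   at 80% off!\nOrder #9902 <a href=y>here</a></html>",
    "<html>V<b></b>iagra at 80% off! Order   #1385 <a href=z>here</a></html>",
    "Meet you at 5",
    "<html><p>Hi grandma, the photos from Sunday are attached.</p></html>",
]
```

The exact hash is enough against the comment trick, but a spammer who also rotates synonyms or sentence order beats it, which is realdpk's escalation point; production bulk detectors such as DCC use fuzzy checksums for that reason, and the canonicalisation step above is what makes any such checksum stable in the first place.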

    2. Re:I assume by Anonymous Coward · · Score: 0

      Yes, they are clever enough. I've seen it first hand. While searching through my users' mail spools for a hit on a domain once, I found a particular piece of spam. It was intriguing enough that I searched all the mail spools for specific pieces of that message. As I found a message I dumped it into another spool. When I was done I looked through that spool and sorted the messages by received date/time. This particular spammer hit our domain every 5 minutes on the dot with a message aimed for 3 users at a time. That's crafty. Had I not done what I'd done I wouldn't have seen it. They don't always flood you with 1000 messages at a time. They can easily spread the love.

  62. Which planet are you from? by mccrew · · Score: 4, Funny
    Education is the way to go for spammers.

    Other than using a cow prod or a red hot poker, how on earth do you "educate" a spammer? Send them to Spammer School? Enroll them in self esteem classes? D00d, this is just about the stupidest thing I have heard in a loooooonnnnnnngggg time.

    Perhaps education is the way to go for Slashdot posters...

    Sue them if you're rich (read: AOL), complain about them if you're poor (read: everyone else)

    Sue them if you're rich? Perhaps you can enlighten the techno-elite here how exactly you find a spammer who is sending e-mails with forged headers, connecting through open HTTP proxies? If you're going to sue them, you gotta find 'em first, right?

    and be happy if they lose your DSL connection because of you as one guy did who pissed me off days ago.

    Ohhhh great job, kiddie! Sounds like you did a denial of service on some average home user who didn't happen to know that he had an open web proxy server. Whoo hoo! You da man!

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
    1. Re:Which planet are you from? by Anonymous Coward · · Score: 0

      find them??? how hard is that?? I mean they are selling something (99%) and surely they want their money......

      so how hard is it really to find them??

    2. Re:Which planet are you from? by shawn.fox · · Score: 4, Funny

      how on earth do you "educate" a spammer?

      Haven't you ever seen Clockwork Orange?
    3. Re:Which planet are you from? by spacefight · · Score: 1

      You should be modded as troll, really. If each and every time someone is abusing a system (no matter what) you want to cure the symptoms instead of killing the source, we will all lose in the end.

      And for your information: the other guy with his terminated DSL account was spamming directly from his home computer to my MX - nothing about denial of service, open web proxy or such (yeah, dumb people are everywhere).

      As long as one could identify spammers (numbers are identified, few are getting sued), one should try to sue. Of course some bastards are deeply hidden somewhere in the net, but you have to start somewhere.

    4. Re:Which planet are you from? by mccrew · · Score: 1
      You should be modded as troll, really. If each and every time someone is abusing a system (no matter what) you want to cure the symptoms instead of killing the source, we will all lose in the end.

      Actually, I was surprised to see it modded as funny. I was trying to be informative in a sarcastic way. Anyhow...

      But to answer your question, how do you know the source? If the spammer is connecting through one or more open web proxies - and if you run your own server that's what the endless probing on ports 3128, 8080, and 8000 is for - and all the information in the e-mail headers is faked, then how exactly are you going to know who to lay the smackdown upon? The IP address in your SMTP logs is just the "innocent" web proxy machine, not the spammer. The fact is, many times the machine you think is the spammer is just one that happens to be misconfigured, unbeknownst to its owner (not a good thing, but ).

      Of course the sales pitch will have some kind of contact information, but again, it's not the spammer, it's the spammer's customer, and they rarely include an e-mail address or a toll-free telephone number. The spammer's customer might be considered a legitimate target, but you still haven't answered the question: who is the spammer? The answer is that you really don't know.

      As long as one could identify spammers (numbers are identified, few are getting sued), one should try to sue.

      I am curious. How much of your own money would you be willing to spend on lawyers, investigators, etc?

      There are already lots of judgements against spammers. However, I have yet to hear about any plaintiff collecting a dime on their judgements.

      How big a check are you willing to write to a lawyer to follow your own advice? $100? $1000? $10000? More?

      And you still owe us an answer to "How on earth do you 'educate' a spammer?"

      --
      Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
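mccrew's point above is that the headers are forged and the IP in your SMTP logs is the open proxy, not the spammer. The one thing you can still do reliably is separate the part of the Received: chain your own machines wrote from the part the sender wrote. The following is an added example, not from the post: it walks the chain newest-first, trusts a hop only if it was stamped "by" a host you operate, reports the peer address your own MX saw (the proxy), and keeps the rest as forgeable claims. The hostnames, the trusted-host set and the message are constructed (documentation IP ranges) for this illustration.

```python
import re
from email import message_from_string

# Added example, not from the post. Hostnames and IPs are constructed (RFC 5737
# documentation ranges); TRUSTED_HOSTS is an assumption standing in for the MX
# and relay hosts you actually operate.
TRUSTED_HOSTS = {"mx.example.org", "relay.example.org"}

FROM_RE = re.compile(r"\bfrom\s+([\w.-]+)", re.I)
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trusted_hops(raw: str):
    """Walk Received: lines newest-first and return (trusted, untrusted).
    A line is trustworthy only if it was stamped ("by ...") by a host we run;
    everything below the first line that was not is whatever the sender chose
    to write, because each hop prepends and never verifies what is below it."""
    received = message_from_string(raw).get_all("Received", [])
    trusted, untrusted = [], []
    for line in received:
        by = BY_RE.search(line)
        if untrusted or not by or by.group(1).lower() not in TRUSTED_HOSTS:
            untrusted.append(line)
        else:
            trusted.append(line)
    return trusted, untrusted


def connecting_ip(raw: str):
    """The peer address our own MX saw, i.e. the open proxy or relay that
    actually delivered the message. None if no trusted hop recorded one."""
    for line in trusted_hops(raw)[0]:
        frm, ip = FROM_RE.search(line), IP_RE.search(line)
        if frm and frm.group(1).lower() in TRUSTED_HOSTS:
            continue                     # internal hop, keep walking outward
        return ip.group(1) if ip else None
    return None


def claimed_origins(raw: str):
    """IPs named in the forgeable part of the chain: leads at best, not evidence."""
    return [ip for line in trusted_hops(raw)[1] for ip in IP_RE.findall(line)]


# Constructed message: our relay got it from our MX, our MX got it from an open
# proxy, and below that the spammer forged a hop from "mail.bigbank.example".
SAMPLE = """\
Received: from mx.example.org (mx.example.org [10.0.0.5])
    by relay.example.org with ESMTP id r1; Tue, 6 May 2003 10:00:02 -0400
Received: from openproxy.example.net ([203.0.113.7])
    by mx.example.org with SMTP id m1; Tue, 6 May 2003 10:00:01 -0400
Received: from mail.bigbank.example (mail.bigbank.example [198.51.100.9])
    by openproxy.example.net with ESMTP id f1; Tue, 6 May 2003 09:59:00 -0400
From: "Account Services" <support@bigbank.example>
To: victim@example.org
Subject: Verify your account

Click here.
"""
```

The abuse report that has a chance of going anywhere is the one built from `connecting_ip`, sent to the owner of that proxy's netblock; the forged hop below it is exactly the "innocent" machine problem the post describes, and quoting it as the source is how misdirected complaints happen.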
  63. Freedom of Speech: Where is the EFF by stilleon · · Score: 1

    After all my arguments about whether copying music on Kazaa is theft (which, until the light of the millions of mighty /.'ers rained down upon me), I realized no one should impede free speech. How dare these bastards try and stop spam. They have a right, like everyone, to step on somebody else's right to freedom and property just like the MP3 traders.

    We need to contact the EFF for support on this.

  64. Relative speed by SunPin · · Score: 3, Interesting
    Way to go Earthlink! If I was interested in dialup, this would be a big selling point for me.

    Earthlink offers DSL and cable. I'm using it right now.

    I am definitely in favor of a little pain up front in increased traffic from challenge-response to get the spam boys off the net.

    I suspect that when the spammers stop sucking up so much bandwidth, net speeds will increase for everyone--including dial up users.

    Remember when 14.4K was fast? So do I. And I think with a correction in the system, it can be a decent speed.

    --
    Laws are for people with no friends.
    1. Re:Relative speed by dasunt · · Score: 3, Insightful

      The parent poster writes:
      Remember when 14.4K was fast? So do I. And I think with a correction in the system, it can be a decent speed.

      Nope. Sorry. There are 2 reasons why 14.4K will never be fast again:

      1. Graphics. There are plenty of web pages that are not optimizing for graphics, and plenty of web pages that are using more complicated technologies (such as flash) where simple technologies (such as gif) will work.
      2. HTML Mail. Isn't it wonderful how a simple "Meet you at 5" can end up being bloated to half a meg with a "pretty" html background?
    2. Re:Relative speed by SunPin · · Score: 1

      I should have been clear about my point: Because of spam, faster speeds have not realized their potential. Allowing HTML into email is another story...probably the worst aspect of spam. I couldn't imagine someone coming into my house or my mailbox selling this crap without a major economic cost along with a significant social problem... I'd call the police if some jerk came to my door selling this stuff. Challenge response is better than taxation and quicker than education. Definitely better than demonizing spammers. Why give Congress a role here? They don't deserve to legislate anything in my view.

      --
      Laws are for people with no friends.
    3. Re:Relative speed by ncc74656 · · Score: 1
      Nope. Sorry. There are 2 reasons why 14.4K will never be fast again:

      1. Graphics. There are plenty of web pages that are not optimizing for graphics, and plenty of web pages that are using more complicated technologies (such as flash) where simple technologies (such as gif) will work.

      That sounds more like a problem of webpages that suck than a bandwidth problem. A webmaster who pays for hosting sees a higher bill at the end of the month if (for instance) he's sending out 3MP images straight from a digital camera instead of cutting them down to a more reasonable resolution and applying a reasonable level of compression (something like cjpeg -Q 40 -opt foo.bmp >foo.jpg at a minimum).

      2. HTML Mail. Isn't it wonderful how a simple "Meet you at 5" can end up being bloated to half a meg with a "pretty" html background?

      Bouncing HTML mail back to the lusers who send it takes care of that problem 95% of the time. HTML mail is nearly as annoying as top-posting to Usenet.

      (All that said, you can have my cable modem after you pry it from my cold, dead fingers. :-) )

      --
      20 January 2017: the End of an Error.
    4. Re:Relative speed by evilviper · · Score: 3, Insightful
      Heh... My first response when reading this was "Good for them..." That was until I remembered that Earthlink is my ISP... I just don't happen to use their E-Mail service. Guess I'll have to pop over to their website now and figure out what their e-mail settings are.

      Remember when 14.4K was fast? So do I. And I think with a correction in the system, it can be a decent speed.

      Well, the solution can be implemented on the user's end... I personally use Privoxy to filter out just about every ad and flash animation out there.

      What I would like to see, is browsers giving preference to content, rather than bloat. Just imagine, you have an incredibly slow modem, but web-pages open up instantly. You open 10 links at the same time, and they load right away...

      The only thing browsers have to do is load the HTML first, then, only after each HTML page has been fetched, should it begin to fetch the images (smaller ones first, preferably), and flash animations or other embedded content last. That would be a great way to counter web-site bloat, and I'd consider it rather fair too.

      If you look at the page for a second, and decide it isn't what you want, the bloat won't even be loaded... If you read it for a few minutes, the ads will be loaded eventually. Text ads will be loaded instantly.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:Relative speed by Zeinfeld · · Score: 1
      I am definitely in favor of a little pain up front in increased traffic from challenge-response to get the spam boys off the net.

      Yes, but the pain is not for you, it is for other people. I do not respond to C/R challenges because I find them objectionable. That is not an uncommon attitude.

      The first thing that happened on the IRTF anti-spam group list was that someone with a broken C/R filter spammed the list repeatedly with challenges until he was booted off.

      Earthlink really needs to think twice about this one, there are much less intrusive and much more effective means of doing authentication. The consensus in the anti-spam community is that C/R is only acceptable as a last resort if the alternative is bouncing the email. It is not acceptable as a first resort.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    6. Re:Relative speed by batobin · · Score: 2, Interesting

      As a web host AND web designer, I can say that larger web pages aren't the fault of poor design. Page sizes are simply larger these days. Take for example loading this thread at +2 or +3. It would take minutes to load on a 14.4. Is that the fault of large images? Of inefficient code? Nope.

      I have a feeling if you saw pages designed for 14.4 today, you'd be deeply disappointed.

    7. Re:Relative speed by jazman_777 · · Score: 5, Funny
      Bouncing HTML mail back to the lusers who send it takes care of that problem 95% of the time. HTML mail is nearly as annoying as top-posting [demon.co.uk] to Usenet.

      I'm digressing (well, _you_ brought it up), but I found this little blurb once about top-posting:

      A: Because it messes up the order in which people normally read text.
      Q: Why is top-posting such a bad thing?
      A: Top-posting.
      Q: What is the most annoying thing on usenet and in e-mail?

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    8. Re:Relative speed by shaitand · · Score: 1

      True and not true. There is no shortage of bad design out there.

      Take... any site in which you can go down more than 4 levels (and 4 levels is getting pretty outrageous) by a level I mean you load the page and navigation options... that's one level, you go into a subsection, that's another level, that subsection has yet more suboptions, there's another level, after going to one of those subsections there should NEVER be links except back to higher menu levels or to external sites. This is one example of bad design today. See sites like amazon, ebay, microsoft.com, msn.com, excite.com, yahoo.com, and sony.com these are all classic examples of bad cluttered design and wasted page loading.

      The next is things like ASP and VBScript. These two should never be used at all, they tie to a specific platform and are slow as dogsh*t. Javascript.... far far too heavily used... there generally should not be more than one script on one page that loads almost nothing else in the entire website... some sites you will find making very very heavy use of javascript. Java, avoid like the plague.

      Php and any other form of dynamic content generation... this will slow a site severely, avoid it unless there is no other way. As an example, I recently designed a site for a computer store. The owner wanted to be able to update various pieces of information throughout the site. This gave me a few options. Use frontpage (see frontpage rant below), Dynamically pull these bits of information from a database that he updates from a secured local only web interface, or (option I went with) have his local only web interface pull the information from the database only when he updates the site and regenerate static html pages with the updated information (much faster for client than dynamically generating per view, much less burden on the server).

      Cut the fsck down on tables!!!!!! Gobs and Gobs of nested tables should not compose a website!

      Do NOT use loads of CSS this is how you end up with html code that is more than 500bytes!

      Avoid font tags and specifying fonts... let the user and the browser decide his/her own font preferences.

      If you find yourself writing extra attributes so various browsers render your page correctly, or putting in javascript checks to see what browser is being used... you did something wrong.

      Flash is nice, again, avoid it like the plague, tools like this should only be used if more efficient.

      AND... The absolute biggest problem with the web today... FRONTPAGE & PUBLISHER actually this includes any html editor. I've seen a basic front page to a website, that had nothing but text, a small image link, and a row of buttons on the left hand side of the page (8 buttons I think) that was generated by using publisher... the size of the html file was 1.5MB!!!!!!! The buttons were a whopping 3k EACH and had swapovers!!!!

      With all that said... the reason web pages would load slow, spam or no on a 14.4 modem is that a 14.4 modem was NEVER FAST! A text only site that enclosed everything in a few giant pre tags that only close to link would STILL be slow to browse on a 14.4!

    9. Re:Relative speed by abhisarda · · Score: 1

      you know.. for a moment I think you were masquerading as Junis from Afghanistan. Avoid that 6 pack of beer or a pizza this weekend and get a 56k modem for heaven's sake. prospective Earthlink customer at 14.4k ?!? Blasphemous!

    10. Re:Relative speed by Anonymous Coward · · Score: 0

      I just don't get that whole 'top posting on usenet' hatred.

      If I write you an email, and you top post your reply, it makes reading your reply easier for me. I already know what I wrote. I don't need you to "help" me out and reply to a sentence/paragraph directly beneath that paragraph. I can keep track of who said what.

      I think the people on usenet don't like top posting because it interferes with their fun. They WANT to poke fun at people. They WANT to sharpshoot someone's reply to someone else's question. And they would prefer that you make it easy for them. They don't want to actually read an entire message. :-(
      They want snippets. They want little sentences where they can go "you are such an idiot". Forget about reading an entire email and taking everything in context. That takes too much time. ;)

      For people who do top post, I say, "More power to you". Screw the little trolls sitting on the side line waiting to pounce on a single reply to one sentence. Screw them!!!!

      Top post forever!!

  65. Turn that shiz-nit on by jason0000042 · · Score: 1

    As someone with an earthlink email account that gets something like 50 spams a day (and I don't even use the account for much), I will turn this feature on as soon as possible. I'll see how it works, and I'll let you all know.

    I do agree with other posters. Earthlink accounts do seem to get tons of spam by default.

    --
    i don't like my old sig.
    1. Re:Turn that shiz-nit on by Laplace · · Score: 1

      I disagree. I use earthlink, and receive about one junk mailing a week.

      --
      The middle mind speaks!
    2. Re:Turn that shiz-nit on by Anonymous Coward · · Score: 0

      Man you must be doing something very wrong. I have had an earthlink account for over a year, use it every day for various mailing lists, etc and I don't get ANY spam at ALL (except from earthlink itself). I have little pity for people who are inundated with spam because I can only guess that they do stupid shit like give their email to jokes.com or have family/friends with a low IQ. I keep a separate account for you-must-get-an-email-from-us-to-complete-signup. And even that account gets spam maybe 2 or 3 times a month.

      People who get spam are on par with people who get viruses.

  66. AI complete by kanelephant · · Score: 1

    Is it clearly impossible for a computer to generate an AI complete problem? A priori the computer could start with the solution and then work out the question, which may be computationally feasible, whilst working out the answer is not (without intelligence).

    1. Re:AI complete by Ed+Avis · · Score: 1

      What you say may be right but until I see an example of a question which can be worked out backwards but not forwards by a machine, yet can be easily worked out forwards by most humans, I'd prefer to assume it's not possible.

      If a computer can generate a question from a solution, then it could also go the other way albeit slowly, by thinking of solutions at random and generating possible questions for them until it finds one that matches.

      --
      -- Ed Avis ed@membled.com
    2. Re:AI complete by Elwood+P+Dowd · · Score: 1

      Interesting term. "AI complete". You just made that up, admit it.

      There's a pretty good automated Turing test package in use by Yahoo. Try getting a new account. Sure, given enough time, someone could write a program to defeat it, but it's going to be a while. By then, hopefully we'll have better automated Turing tests.

      --

      There are no trails. There are no trees out here.
    3. Re:AI complete by Ed+Avis · · Score: 1

      No, I picked up the phrase 'AI-complete' from some online forum, probably Slashdot. It's defined at Foldoc, although it might be better to use the definition 'a program that answers an AI-complete problem could pass a Turing Test without too much extra effort'.

      I think people would have used 'Turing-complete' but that was taken :-). It's more than most ordinary folk can dream of to be associated with enough important concepts that they start being unable to name them all after you.

      --
      -- Ed Avis ed@membled.com
    4. Re:AI complete by idontgno · · Score: 1
      It's defined at Foldoc

      <pedantic>
      Foldoc's reference is quoted from ESR's "Jargon File". (This fact foldoc does indirectly acknowledge).
      </pedantic>

      So far as I can tell, the Jargon File's definition is canonical in the geek community. I believe it's the oldest, anyways; I recall seeing the definition in an early-90s text version.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  67. Challenge Response Works great by Anonymous Coward · · Score: 1, Interesting

    I've been using ASK (http://www.paganini.net/ask) which is an Open Source PHP based Challenge-Response system. It has a "Whitelist" which allows you to add approved senders and listserves as you can have either a From or a To address. It works so well because virtually all spammers use phony email addresses. Until spammers use valid email addresses, this type of system will continue to work. If they start using valid email addresses, then they can be dealt with in other ways.

  68. Ah well... by The+Fanta+Menace · · Score: 1

    Earthlink customers won't be able to receive any email from me in the future then.

    If it takes more than one message to send them a email, it's too much effort on my behalf.

    --
    -- Even if a god did exist, why the fsck should I worship it?
  69. Another way to circumvent this... by Winter · · Score: 1

    What happens if the spammer just uses the same address in the To: field and in the Reply To/From: field?

    A challenge will then be sent to you, and will be accepted (since it comes from yourself....)

    --
    main(i){putchar(177663314>>6*(i-1)&63|!!(i<5)<<6)&&main(++i);}
    1. Re:Another way to circumvent this... by mdfst13 · · Score: 1

      Unless they default to not allowing email from your own email address, which is sensible behavior anyway.

      Btw, for anyone who thinks they have a way to beat the challenge/response system, check out tmda.net (http://tmda.net/faq.cgi). Every potential workaround that someone has suggested is discussed there.

      I still think that best way to address the spam problem globally (C/R is an individual response) would be to add a new type of record to DNS that holds authorized mail senders for a domain. Under the current system, any mail server (even one included with a virus that is running on a personal computer) can send email with *any* From: email address. Under this system, only a limited number of email servers could send email for a particular address. Those servers can also demand authentication to send email (already supported in SMTP).

      This would eliminate the current problems with open proxies and relays. People could still spam, but they would have to use their own identity to do so. All of a sudden, blacklists are effective again.
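The "authorized mail senders in DNS" idea mdfst13 describes, as an added example that is not part of the thread or of any real product: the record syntax (`ip4:CIDR` terms followed by `-all` or `~all`) and the in-memory table standing in for DNS are assumptions so that it runs offline.

```python
"""Check whether the connecting SMTP client may send mail for the From: domain.

Added example, not from the thread. The record format is assumed: a list of
ip4:CIDR terms, then -all (anything else fails) or ~all (anything else is a
softfail). A real deployment would fetch the record from DNS; here FAKE_DNS
is a constructed in-memory table."""
import ipaddress

# Constructed stand-in for DNS lookups: domain -> authorized-sender record.
FAKE_DNS = {
    "example.com": "ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "example.net": "ip4:203.0.113.0/25 ~all",
}


def lookup_record(domain):
    """Return the published record for a domain, or None if it has none."""
    return FAKE_DNS.get(domain.lower())


def parse_record(record):
    """Split a record into (authorized networks, verdict for everything else)."""
    nets = []
    default = "none"
    for term in record.split():
        if term.startswith("ip4:"):
            # strict=False lets a bare host like 198.51.100.7 become a /32
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term == "-all":
            default = "fail"
        elif term == "~all":
            default = "softfail"
        else:
            raise ValueError("unknown term in record: " + term)
    return nets, default


def check_sender(mail_from, client_ip):
    """Return "pass", "fail", "softfail", or "none" (domain publishes nothing).

    Only the domain part of the envelope sender is consulted, so a relay or
    an infected PC at an unlisted address cannot pass for that domain."""
    domain = mail_from.rsplit("@", 1)[-1]
    record = lookup_record(domain)
    if record is None:
        return "none"
    nets, default = parse_record(record)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in nets):
        return "pass"
    return default


def smtp_action(mail_from, client_ip):
    """Map the verdict to an SMTP-time decision: a hard fail is rejected at
    MAIL FROM, so the spam is never accepted and nothing has to bounce later."""
    verdict = check_sender(mail_from, client_ip)
    if verdict == "fail":
        return "550 sender not authorized for domain"
    if verdict == "softfail":
        return "250 accepted (tagged for filtering)"
    return "250 accepted"
```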

    2. Re:Another way to circumvent this... by valkraider · · Score: 1

      Unless they default to not allowing email from your own email address, which is sensible behavior anyway.

      Why is that sensible? I send email to myself all the time... Especially since I am not always using the same computer - but I do always use the same email account. So phone numbers - bookmarks - anything that I want to keep, I email to myself...

    3. Re:Another way to circumvent this... by mdfst13 · · Score: 1

      Not accepting mail that purports to be from your own address prevents mail forwarding loops.

      If you are using IMAP or web mail, you can set it up to save email that you send to yourself. The blacklist will keep you from receiving the email, but you will still have the copy in the sent folder. Alternately, you can send to a variant of your email address that does not require the challenge/response (the same kind of thing you do with automated mailers like Amazon's).

  70. Re:Now the spammers get address validation for fre by Palos · · Score: 1

    It seems like the current techniques they use to obscure words/etc work well enough. I remember reading on here a few months ago about a technique that used easily identifiable images as a means of verification. For example a picture of a clown which you'd respond with clown. Granted this would only work for english speaking users, but it seems like a good start. I'm sure it wouldn't eliminate spam entirely, but I don't doubt it'd reduce it at least.

  71. Filtering instead of Blocking by thehun101 · · Score: 2, Interesting

    It would be useful if the system could be used to filter instead of block, at least for the first few months. Perhaps, if there is no response to a challenge after 72 hours, an email could be redirected to a 'Spam' or 'Bulk' folder.
    This way, if I get monthly newsletters from donotreply@... and I want to keep getting it, I can approve that email. After about 3 months of this type of filtering I would probably have approved everything I want to receive. Then, I could turn it back to blocking instead of filtering.

    -the Hun

    --
    I'm a Tasty-vore. If it's Tasty, I'll eat it.
  72. Reducing the cost by JohnWiney · · Score: 1

    Here's an approach that would reduce the bad effects. For the first month after someone signs up for the feature, there are challenges sent. All messages are assumed to be legitimate, delivered, and the sender recorded as if authenticated. After the month, authentications actually start, and the user can go in and remove addresses that shouldn't have been added to his acceptance list during that month. The month gives enough time for most users to communicate with most of their regular mailers, so they won't be affected - just the few that never sent messages during that month will be affected. Adding a few more features, like automatically recording the addresses to whom the user sends messages, and allowing the user to add an address before any messages were received from that address, would eliminate most of the remaining unwanted challenges.

    1. Re:Reducing the cost by JohnWiney · · Score: 1

      That should be "there are NO challenges sent."

  73. Spamcop.net was like that by PeterHammer · · Score: 1

    Spamcop.net used to provide a service much like the one earthlink is proposing. I used the original system, but they have since replaced it with a blacklist filtering and SMTP chain verification solution only.

    Speaking from experience, the challenge-response solution worked like a charm. Sure the occasional contact made fun of the whole thing, but it was generally intuitive and easy to interact with. There was no image transcription or the like, just a link that the sender had to visit (The assumption there was that spammers never used a real address as the reply-to) so no need to thwart auto-responders.

    One other big feature was that the mail recipient always had the ability to release emails from the quarantine, as well as the ability to white list particular senders (very important for mailing lists and other bulk commercial email you actually do want to receive).

    In general I loved the challenge-response system, and I was a little peeved when they did away with it. But as it turns out the SMTP chain verification, combined with the filters does a very good job too (Only one piece of spam has passed their filters in the last 9 months or so)

  74. Re:Now the spammers get address validation for fre by Anonymous Coward · · Score: 0

    uhh.. that's the whole point, that the responses are NOT easy to automate.

  75. Adaptive teergrubing anyone? by Tackhead · · Score: 4, Interesting
    Instead of challenge-response (putting the burden onto the end user), why not put the burden on the inbound mailserver?

    A residential broadband customer mailing through his ISP's mail server is whitelisted (most stuff from that server is nonspam). An rr.com luzer with an open proxy is tarpitted into oblivion (everything else in 24.0.0.0/8 is spam). Yes, Joe Linux running (non-relaying) Sendmail on his Linux box is also tarpitted, but he's not trying to send a million mails a day. So he's not hurtin'.

    I can see a scaling problem in that you'd have to run some sort of adaptive filtering process on the receiving end, which might be prohibitive CPU-wise. OTOH, if you only scanned 1% of all inbound mails for "spamminess", you'd still rapidly figure out that for a US ISP, 24.0.0.0/8 is an ocean of spam with a few islands of real email, and 200.0.0.0/7 is a shitstorm of spam. You don't need to analyze every inbound mail - you only need a statistically-valid sampling of the inbound mail queue to figure out which netblocks are teh sux0r.

    Having it be adaptive would be cool - because a South American ISP (which probably has less of a problem with 200.0.0.0/7 than, say, Earthlink does, because they have legitimate users emailing each other from within those netblocks). So an ISP in .mx would end up with a different set of teergrubing weights. They might end up letting most of 200.0.0.0/7 in, only tarpitting the worst /24s, and teergrubing all 24.0.0.0/8 because so few of their users get anything but spam from rr.com netblocks.

    Think of it as combining the best part of SPEWS (naughty netblocks are noticed semi-automatically), without as much collateral damage (if you're an ISP, a 10 second delay to anyone emailing one of your customers from a naughty netblock will never be noticed, but it'll *kill* some dirtball trying to spam to 10000 of your users through an open proxy.)
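The sampled, adaptive netblock tarpit Tackhead sketches, as an added example (not the poster's code): a small labelled sample of the inbound queue is aggregated per /8 (or any prefix length), and blocks whose sampled spam ratio is high earn a per-response delay. The sample records, the spam labels and the delay curve are all constructed assumptions; the classifier that produced the labels is whatever the receiving site already runs.

```python
"""Per-netblock tarpit weights from a sampled slice of the inbound mail queue.

Added example, not from the thread. SAMPLE is a constructed 1% sample of
(client IP, classified-as-spam?) pairs; blocks are keyed by their CIDR string.
The delay curve (no delay below 50% spam, then linear up to max_delay) is an
assumption, not a measured setting."""
import ipaddress
import random
from collections import defaultdict

# Constructed sample of already-classified inbound connections.
SAMPLE = [
    ("24.17.3.10", True), ("24.17.3.11", True), ("24.200.1.5", True),
    ("24.200.1.9", False), ("24.9.9.9", True),            # 24/8: mostly spam
    ("200.12.4.2", True), ("200.12.4.3", True), ("201.8.8.8", True),  # 200/7
    ("66.1.1.1", False), ("66.1.1.2", False), ("66.1.1.3", False),
    ("66.1.1.4", True),                                    # 66/8: mostly ham
]


def block_of(ip, prefixlen):
    """CIDR string of the /prefixlen block containing ip, e.g. "24.0.0.0/8"."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def sample_queue(queue, fraction, seed=0):
    """Pick roughly `fraction` of queue entries to classify (the 1% idea).
    Seeded so the selection is reproducible for testing."""
    rng = random.Random(seed)
    return [entry for entry in queue if rng.random() < fraction]


def netblock_stats(sample, prefixlen):
    """Aggregate the sample into blocks -> (spam count, total count)."""
    counts = defaultdict(lambda: [0, 0])
    for ip, is_spam in sample:
        block = block_of(ip, prefixlen)
        counts[block][1] += 1
        if is_spam:
            counts[block][0] += 1
    return {block: (spam, total) for block, (spam, total) in counts.items()}


def tarpit_delay(stats, client_ip, prefixlen, min_samples=3, max_delay=10.0):
    """Seconds to delay each SMTP reply to client_ip.

    Blocks with fewer than min_samples observations get no delay, so an
    unknown netblock is not punished on one bad message. Above that, a
    block that is at least half spam is delayed in proportion to its ratio."""
    spam, total = stats.get(block_of(client_ip, prefixlen), (0, 0))
    if total < min_samples:
        return 0.0
    ratio = spam / total
    if ratio < 0.5:
        return 0.0
    return round(max_delay * ratio, 2)


def weights_for_site(sample, prefixlen):
    """Every block's delay, so each ISP derives its own set of weights from
    what *its* users receive rather than from a global blacklist."""
    stats = netblock_stats(sample, prefixlen)
    return {block: tarpit_delay(stats, block.split("/")[0], prefixlen)
            for block in stats}
```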

    1. Re:Adaptive teergrubing anyone? by Nonsanity · · Score: 5, Funny
      Tackhead said:
      They might end up letting most of 200.0.0.0/7 in, only tarpitting the worst /24s, and teergrubing all 24.0.0.0/8 because so few of their users get anything but spam from rr.com netblocks.

      I'm sorry, but Babelfish isn't doing anything for this post. Anyone have a translation? It SOUNDS interesting... :)

      ~ Nonsanity

    2. Re:Adaptive teergrubing anyone? by Anonymous Coward · · Score: 0

      Translation:

      "Instead of using nuclear weapons that cause a lot of collateral damage, use smart bombs that don't kill quite so many civilians."

    3. Re:Adaptive teergrubing anyone? by Anonymous Coward · · Score: 0
      it'll *kill* some dirtball trying to spam to 10000 of your users through an open proxy

      Uhm.. Threads?

    4. Re:Adaptive teergrubing anyone? by Tackhead · · Score: 3, Informative
      > I'm sorry, but Babelfish isn't doing anything for this post. Anyone have a translation? It SOUNDS interesting... :)

      ROFLMAO.

      "teergrube" - German word for "tarpit".

      Teergrubing FAQ

      Teergrubing is a good idea, but it dates back from the days when open relays, not open proxies, were sending the emails. One spammer (with dialup) would hit you from one relay (with broadband) from the spammer's own (dialup) connection, and the goal was to slow down the open relay so that the open relay wouldn't be able to spew as many emails. Eventually, the admin of the open relay would wonder why his outbound queue was so huge, or why Sendmail fell over and died because /var/spool got full, and secure his server. In the old environment (spammer has narrowband, must hunt down broadband by finding open relays to steal from), one teergrube could "fix" one open relay at best, and at worst, would at least prevent delivery of several hundred thousand spams.

      Doesn't really work as well in a world with millions of open broadband proxies. The spammer no longer cares if any individual open proxy hits a teergrube, because there's plenty more bandwidth where that came from. (And because open proxy luzers tend to be clueless twits, they're less likely to notice even if their machine crashes.) In today's environment (plenty of bandwidth on both the spammer's end, and plenty of proxies to steal bandwidth from), teergrubing in its original form is somewhat less effective.

    5. Re:Adaptive teergrubing anyone? by milo_Gwalthny · · Score: 2, Interesting

      Take a look at the front page article in the WSJ today... about one of Earthlink's most virulent spammers. He used 300+ dial-up accounts, set up with fraudulent/stolen billing info and was sending (they say) 1 million+ spams per day. Took them like a year and a John Doe lawsuit to finally figure out who he was and stop him. Interestingly, one of the ways they were tracking his accounts was by which passwords he used (he tended to use just a few for all of his accounts)--thought he would catch on to that.

      Great article, wish I could post a link. To your point... wouldn't this guy have been automatically whitelisted?

      --
      Milo
    6. Re:Adaptive teergrubing anyone? by BuckaBooBob · · Score: 1

      Well what happens when you have 2 Challenge response systems on each end... Any mechanism that is put in place can be abused by spammers. This will also Fail. White listing Challenge response servers won't work due to SMTP being broken and the list can easily be spoofed. Only by digital signing by white listed challenge response servers will work or some thing similar to verify server source. This will drastically reduce spam if it actually works.

      --
      Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
  76. Yeah great ... by jgerman · · Score: 1

    ... seems like they thought it through really well. It's going to go down in flames. Wait till they get flooded with customer calls like : "But I signed up to receive emails from {insert company}, now I'm not getting my coupons. What do you mean I need to go into an ACL and add them, how do I know what to add, what's an ACL" and so on. It won't work.

    --
    I'm the big fish in the big pond bitch.
  77. Won't solve a thing by gorbachev · · Score: 1

    The only solution is to make ISPs hosting spammers accountable for the spammers' abuse.

    If there are spammers, there will be spam.

    They *will* find a way around this Earthlink system.

    Proletariat of the world, unite to kill spammers. Remember to shoot knees first so that they can not run away while you slowly torture them to death

    --
    In Soviet Russia, I ruled you
  78. Challenge-response works as part of a whole by koreth · · Score: 2, Informative
    I have a homegrown challenge-response system on my mailbox and it's done wonders for my spam flow. The trick, though, is that it doesn't send a challenge to everyone -- it looks at incoming mail and determines how likely it is to be spam (using Bayesian analysis, collaborative filtering, some keyword filtering, and a couple other things). Mail that doesn't trip any of the checks goes through without a challenge. Mailing lists I subscribe to are also whitelisted, as are addresses I send outgoing mail to.

    In theory, someone could send me a spamlike message and would have to reply to the autoresponder. In theory, a spammer could validate himself. In practice, those two things almost never happen. The system catches about 150 spams a day and over 90% of its autoreplies immediately bounce. Last time I analyzed it, only about 2% of my legitimate correspondents had hit the autoresponder (note, that's a fraction of a percent of my total legitimate email, since a given correspondent only has to validate once.)

    I have yet to see a notification from Amazon, my bank, or other similar email trip the filter. Haven't had any of my correspondents complain yet, but I have had a couple of them ask how they can set up the same thing for themselves.

    So if it's implemented carefully, I think this could be a big win for Earthlink subscribers and more or less invisible to everyone who communicates with them.

  79. Re:Too drastic? (not drastic enough?) by egoff · · Score: 1
    In addition to requiring senders to verify themselves, users would have to use special e-mail addresses when registering to purchase goods online, because vendors often send sales confirmation notices by computer. The special addresses are designed to route such messages to a user's regular in-box.

    So, they'll be a way around the system? And people will be giving this email address to forms without reading the privacy policy, same as usual? Sounds like this won't work at all, at least when it comes to accidentally subscribing to new "opt-in" lists.

  80. It can work - if implemented correctly by dracol1ch · · Score: 5, Informative
    I've been using Mailblocks since they opened publicly. I can't speak for the implementation that Earthlink is planning on utilizing but the Mailblocks system works very well.

    First it is important to note that the challenge system at Mailblocks is not something that can be automatically replied to. Much like the signup verifications for many forum systems out there the Mailblocks challenge email is simply a link to a web site. On that web site is a dynamically generated .gif of a number. The image is formatted in such a way so as to make it difficult for screen scrapers to write an algorithm which can decipher the numbers in the image (multiple fonts, different colors, background noise). If ever a spammer figured out how to programmatically decipher the image then Mailblocks simply has to rework their image generation system and stay one step ahead of the spammers.

    Next you have throw away addresses. Mailblocks calls these trackers. When you create a tracker a number and short ID are appended to the end of your username. This email address is then immune to the challenge response and can either be delivered to a purpose built folder or directly to your inbox. So if you wanted to have an address to get receipts from you simply make a tracker named say [username]+receipts4325@mailblocks.com. Then any email to this address can be delivered to the +receipts folder in your inbox. If you start getting spam at that address you just delete the address and create [username]+receipts5563@mailblocks.com and start giving this out. It can be a little bit of work to maintain your trackers but compared to deleting 20-30+ spam mails from my accounts each day it's well worth it.

    When an email is successfully delivered to your main address the originating address is entered into your address book including the reason why this address was validated (completed puzzle, user added). Mailblocks also adds the address of any outgoing mail you write to your address book so that responses can be properly delivered without challenge. Finally, if you are expecting something to appear in your email that doesn't the 'pending' folder holds all email that hasn't been validated for a certain amount of time before deleting. If you really want to you can go back and dig through the email there to find the one you want, validate it, and it will be delivered to your inbox. If something gets validated you don't want simply go to your address book and either delete it or check 'do not deliver mail from this address'. Voila. Also of interest is the fact that Mailblocks can provide the same security to any other mail account you have. It can check POP3, IMAP, accept forwards, and even screen scrape web mail to bring all of your mail to a central location. When it does it provides the same challenge-response capability through these other accounts.

    --
    Who moderates the meta-moderators?
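The delivery decision that several posts above describe in pieces, as one added example (not Mailblocks' code, nor koreth's homegrown system, nor anything from the thread): tracker addresses of the form user+tag1234@domain bypass the challenge and a deleted tracker is refused (dracol1ch), mail claiming to come from the recipient's own address is refused to avoid forwarding loops (mdfst13, in the "Another way to circumvent this" thread), addresses the user writes to and lists they subscribe to are whitelisted, and only mail that scores as spam-like is challenged at all (koreth). The keyword scorer, the tracker regex and all addresses are constructed stand-ins.

```python
"""Minimal challenge-response delivery decision.

Added example, not from the thread or from any product it names. spam_score
is a constructed keyword count standing in for a real Bayesian/collaborative
filter; the tracker format user+tag1234@domain is assumed from the post."""
import re
from dataclasses import dataclass, field

TRACKER_RE = re.compile(r"^([^+@]+)\+([a-z]+)(\d+)@([^@]+)$", re.I)


@dataclass
class Mailbox:
    address: str                                   # the protected address
    whitelist: set = field(default_factory=set)    # senders and List-Id values
    trackers: set = field(default_factory=set)     # currently active trackers
    challenged: set = field(default_factory=set)   # senders awaiting a reply

    def note_outgoing(self, to_addr):
        """Anyone the user writes to may reply without a challenge."""
        self.whitelist.add(to_addr.lower())

    def validate(self, sender):
        """Sender completed the challenge: promote from pending to whitelist."""
        self.challenged.discard(sender.lower())
        self.whitelist.add(sender.lower())

    def delete_tracker(self, tracker):
        """A tracker that started attracting spam is simply retired."""
        self.trackers.discard(tracker.lower())


def spam_score(subject, body):
    """Constructed stand-in for Bayesian analysis: fraction of hit phrases, 0..1."""
    text = (subject + " " + body).lower()
    phrases = ("viagra", "free money", "click here", "unsubscribe")
    return min(1.0, sum(p in text for p in phrases) / 2)


def decide(box, sender, rcpt, subject, body, list_id=None, threshold=0.5):
    """Return 'deliver', 'deliver-tracker', 'reject-tracker', 'reject-self',
    'challenge' (first spam-like mail from sender) or 'pending' (already
    challenged, still waiting)."""
    sender, rcpt = sender.lower(), rcpt.lower()
    if sender == box.address:
        return "reject-self"       # own address never arrives from outside
    if TRACKER_RE.match(rcpt):
        # Trackers are immune to the challenge; a deleted one is refused.
        return "deliver-tracker" if rcpt in box.trackers else "reject-tracker"
    if sender in box.whitelist or (list_id and list_id.lower() in box.whitelist):
        return "deliver"
    if spam_score(subject, body) < threshold:
        return "deliver"           # not spam-like: nobody gets challenged
    if sender in box.challenged:
        return "pending"           # hold in the pending folder, no new challenge
    box.challenged.add(sender)
    return "challenge"
```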
  81. Re:Now the spammers get address validation for fre by letxa2000 · · Score: 1
    the article implies that an image would be part of the response

    An image? So now to stop spam you'll have Earthlink "spamming" senders with image-laden emails? Or perhaps they will display an image that is loaded from their server? The latter won't work because I (and many people) don't allow our email clients to load anything off of remote servers. And it really pisses me off when I get images embedded in emails.

    I know someone once sent me an email as I run a niche technical website and someone was asking me for some advice. I don't always have time, but in this case I did make the effort to reply and actually wrote up a pretty decent answer. Sent it off and a few minutes later I got a challenge-response mail saying that if I wanted to email the user that I'd have to verify that I was human. Screw that, I just deleted the challenge message. Who knows if the guy ever got my response.

    Challenge-response would be ok if email was used only by people sending and receiving emails from their friends and family. Everyone would just do it once for each of their contacts and bam, you're done. But that's not how email is. Many people contact many (unknown) people regularly. We receive shipping receipts when we order something from a website. We have mailing lists.

    A C/R system is the right solution for a certain type of email usage, but I don't think that particular type of email usage is representative of what most people use their email for.

    Not to mention one of the biggest problems: Every spam message sent will consume the bandwidth it always has consumed, but will now trigger the C/R system to send a message back. So you have twice the email traffic. And have you ever been the victim of a spammer that used your email address as the From/Return-Path and you received all the bounces? Now imagine a spammer doing this and not only receiving all the bounces but also all the C/R requests.

    No, C/R is just wrong in so many ways.

  82. This is *optional* by Tim+Macinta · · Score: 1
    The day after it's deployed, every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers...
    I was worried there for a second and thought I might have to ditch my Earthlink account, but from the article:
    The challenge-response system will be optional and free for EarthLink subscribers, Anderson said.
    I'm planning to opt-out myself since I could see this discouraging people from sending me email. I have to think of the fact that whenever I'm surfing the web and come across a page that requires registration, I usually don't bother and just move along to something else. I would be inclined to do the same with email if it becomes a hassle to communicate with new people. I don't want to miss out on email because of this and SpamAssassin has effectively eliminated the spam problem for me, so I'll probably pass. However, I do think challenge-response is a good idea and could work well for others.
  83. Can you say mailblock by digitalgimpus · · Score: 1

    I would think it's safe to say earthlink email addresses will be blocked from mailinglists in the future.

    It's going to be like using Mosaic to browse the web. Or telnet port 80.

  84. Re:Now the spammers get address validation for fre by S.Lemmon · · Score: 2

    I guess blind people will just have to give up on using email then? Sounds like an ADA lawsuit in the making.

  85. I used to use this... by All+Names+Have+Been · · Score: 2, Interesting

    I was using this until I realized I was spending more time enabling/disabling the C/R system or screwing with the whitelist than I was dealing with SPAM. Every time I wanted to sign up for some mailing list (is it coming from company.com or parentcompany.com or ???) or a user would sign up for some service that sent an email automatically, which, of course, would never appear, causing complaints and yet another trip to vi to modify the whitelist.

    Don't even get me started on all those damn email card companies - lots of missing Easter cards because dumbassonlinecards.com wasn't in the whitelist and again, no one is going to send confirmation mails from an automated system.

    The whole thing got dumped. Back to SpamAssassin, which causes far fewer headaches. Fortunately, this Earthlink deal is an opt-in system. I couldn't stand to use it myself and I bet few customers will live with this long-term.

    1. Re:I used to use this... by josepha48 · · Score: 1
      My boss uses something like this. He set it up somehow such that it crashed the email server at the company. Good thing he's a VP at a tiny company, I guess, otherwise he could have lost his job or gotten in trouble. Instead he just caused more work for our mail admin.

      Since I use earthlink, I have to say I'd rather deal with the mailing lists than the spam. I only belong to two right now, and both are pretty quiet. So unsubscribing may be best for now. I get hundreds of emails a day and it is ALL spam. It has made me give up my inbox and filter my email based on people I know. It sorta works. I basically move mail from people I know, using the "sender is in my address book" rule of Mozilla 1.3, to another folder. Review what is left in the inbox and then delete.

      I do get occasional mail from places like apc and a few mailing lists, so they better figure out how I can specify what mail should come through or not.

      To me spam is like junk snail mail. There is just more of it and it's free.

      --

      Only 'flamers' flame!

  86. Re:Now the spammers get address validation for fre by PerlGuru · · Score: 2, Insightful

    It would also be a problem for people with text based email clients

  87. Know someone who wrote his own by Anonymous Coward · · Score: 0

    Someone I know put together his own challenge response setup; seems quite happy with it. I have never been challenged by it, so it is probably set up to allow for him to specify known addresses / people.
    Email lists are accumulated gradually, so there will not be such a big flood of challenges. A person switching to the challenge response system just lists all known addresses and the process is transparent for family/coworkers/lists. (other than a possible change of email address).
    While it will not be hard to automate any challenge response system from the spammers' side, it will require that there be some way for the original challenge to get back to the spammer; This should provide for easy filtering of spam sources. (And a back trail for legal action that can't be entirely fictional.)

  88. Um, the blind? by cnoocy · · Score: 4, Interesting

    So does this mean that if you're blind, you don't get to send mail to C/R users? Another hurdle for blind users is just what the net needs.

    --
    This sig is not the Zahir. Lucky for you.
  89. micro payments by goombah99 · · Score: 2, Interesting
    Challenge response is going to be effective but intrusive since a human must read the challenge and reply. this will suck when I send the family newsletter to 40 friends I haven't written to in a couple years and get 40 fresh challenges because my presence on their whitelist had expired. likewise even for automated things I sign up for like slashdot updates or t rowe price stock reports



    I'd like to suggest a way this could all be done automatically, so transparently even your AOL grandma could do it, and almost non-intrusively. Like the lessig-style stamp, all users would be charged say 0.01 cents to send ME an e-mail. but I would automatically refund this payment if either 1) the sender was in my addressbook/whitelist or 2) I did not file the e-mail in my junk mailbox.

    what is needed is some sort of distributed postal service to handle the actual micropayments. And this is the main problem--how to collect these. I think the least intrusive method is that when you get an e-mail account you put down a pre-payment, let's say $10 on account at the postal service. when you send messages that are welcome your account is not depleted. when you send messages that aren't it slowly drains.

    the cost of the postal service's distributed servers could probably be paid for by
    1) the charges for unwanted e-mail
    2) interest on the deposits on account.
    thus people would be willing to set up these servers.

    the final missing ingredient is a centralized server that coordinates the actual postal servers. all this would be would be like a DNS that told all of the remote servers the names of the other ones so they could communicate account info.

    the transactions themselves would be in number about twice the number of e-mails handled (one to the post office from the first ISP to receive the mail to validate the payment code in the header, one from me to the postal service to authorize refund/no refund), and the accounting message size very small.

    Perhaps this is a rotten idea. its main benefits are 1) its not intrusive and is nearly transparent 2) it pays for itself 3) requires changes only at the browser level.

    It does not stop spam from showing up in my inbox, but makes it very expensive to mass mail.

    flame on! or suggest problems and their solution.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:micro payments by Anonymous Coward · · Score: 0

      "It does not stop spam from showing up in my inbox, but makes it very expensive to mass mail."

      Not really, no. There are plenty of states with laws against spammers. I even know a guy who sued a company that gave out his email address for something like $50 per junk mail.

      The big problem is with enforcing these laws, and your proposed fee. Spammers don't exactly put contact information on the bottom of the email. They hide where they come from.

      The only real solution I see to this is prosecute the people whose products are being advertised. Obviously their contact information is valid. This would of course require added legislation, but a charge along the lines of conspiracy to commit spam might do the trick.

    2. Re:micro payments by Anonymous Coward · · Score: 0

      your objections don't quite find the right analogy.

      first, collecting the money is not a problem since it's a pay-first scheme. no prepayment, no mail delivery.

      Second, the inertia and legal hassle of collecting that $50 fine makes it an infrequently exercised option. thus per million e-mails the cost is low in regards to fines. under the micro-payment scheme, a million e-mails might cost $10,000 or more in PRE-PAYMENT.

  90. Calling all perl wizards and poor college kids! by MattGWU · · Score: 3, Interesting

    Perl gurus, start your editors!
    How many lines will it take to write a script to automatically reply to challenges? As long as the messages have predictable structure, you should be able to write a parser to pick out the word or picture they want, then throw it back.

    College kids: Are you bored, broke, and of weak moral fiber? You too can make money while sitting on your ass by replying to email challenges for the princely sum of 3 cents per message! Combine the first suggestion with the second, and you've got yourself a money machine.

    It's great to see an ISP take some decisive steps, but this scheme has weaknesses. Interesting to see how it goes. Despite the concerns, I'm cautiously optimistic.
    As a twist, it would be interesting to see how that anti-spam vs. spam lawsuit with the copyrighted haiku goes (don't recall the parties' names, but it's gotten coverage here). Maybe something similar could be combined with the challenge-response system to make it illegal to respond to the challenge under false pretenses. Raises a few slippery-slope legal issues that if you're going to touch, you might as well criminalize spam outright (which would be fine, of course).

    --
    "These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
    1. Re:Calling all perl wizards and poor college kids! by BillFarber · · Score: 1

      > As long as the messages have predictable structure, you should be able to write a parser to pick out the word or picture they want, then throw it back.

      That's just it. They don't have something that a parser can pick out. Check out yahoo registration for an example.

    2. Re:Calling all perl wizards and poor college kids! by west · · Score: 1

      You too can make money while sitting on your ass by replying to email challenges for the princely sum of 3 cents per message!

      Are you kidding? If spam cost spammers 3 cents a message, they'd go broke in a week! The whole point of spam is that it must cost the senders less than 1/100 of a cent each or they lose their shirts.

    3. Re:Calling all perl wizards and poor college kids! by $criptah · · Score: 1

      The problem is that if a challenge is in the form of an image, like text that is sent in a JPG file, no simple Perl script will determine what the challenge is.

    4. Re:Calling all perl wizards and poor college kids! by MattGWU · · Score: 1

      Good point. I was looking for a figure that was pretty small, but still large enough to be a feasible rate.

      Figure at 1 cent/message and 15 seconds to reply to a challenge, that's 240 messages and $2.40/hour. 3 cents/message bumped it up to a little above minimum wage, and roughly what you'd make as a book re-shelver at the library (which really isn't all that terrible a job. You don't have to be in league with the Great Deceiver, for example).
      Don't know about the bottom line, but the hypothetical spammer would have to make the pay at least attractive to potential spam mules.

      The punchline is that this disparity works out nicely for the forces of good. If the spammers can't afford to pay well enough without a huge hit to the bottom line (assuming even a buck an hour ~= 240 messages; it's not like they report to the Department of Labor or anything), nobody will do it, and thus the challenge-response system will hold against this form of circumvention. Now...the problem becomes how many college kids would be willing to work for porn, bottom-dollar domain names, or weight loss pills...

      --
      "These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
    5. Re:Calling all perl wizards and poor college kids! by Anonymous Coward · · Score: 0

      Your auto spam reply still needs a valid reply address, and still must be done on a message-by-message basis. That's a lot of work to sell counterfeit Viagra(R). And you provide a nice documented trail in case Earthlink wants to sue you for violating various state UCE laws. It's not worth it for an individual to sue, but when Earthlink has thousands of claims against you and a valid return address to start with, they might decide to increase revenue by turning the lawyers loose. I can't wait to see it!

  91. great idea.....for ddos attacks! by Anonymous Coward · · Score: 0

    so me and my spamming buddies get together and start creating accounts on a mail system that uses Challenge-Response. When we have enough, we start sending mail to each other left and right. Now can anyone here think of the next step we take which will max out the cpu on this mail server? Now suppose we somehow just found a way to automate account creation on this server, so now we have accounts in the thousands! Think about it.

  92. Re: Above by MattGWU · · Score: 1

    Then again, when do spammers use real replyto: addresses? Maybe responder bots aren't such a big deal.

    --
    "These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
  93. This seems pretty good idea by Anonymous Coward · · Score: 0

    This seems a pretty good idea but this will not work in a solar-system-wide Internet in the future.
    But that is in the future.
    Together with MTA ID verification the spam will be eliminated, I think.

    -Baldur J
    (sorry for my bad spelling ;)

  94. How to fix it by JorenDahn · · Score: 1, Redundant

    What they need is a new mail protocol. One that would probably be much the same, but carry with it some basic, enforceable restrictions. Like all advertisements, solicited or not, are labeled as such. And all unrequested ads have to be labeled as such. Thus, the E-Mail programs can identify them and place them in different Inbox folders appropriately.

    Of course, people are going to want to mark messages as non-ads, which is why it needs to be enforceable. It would be a standard that a country would have to agree to uphold in order for access to that system to be available, so that when spammers break the rules, regardless of where they are, they get in trouble. Also a great help would be if all E-Mails in this system had more definite information about their origins, meaning headers can't be forged. How this would happen, I don't know. Maybe it's a myth like "unbreakable encryption".

    Can anyone else think of ideas along these lines? Or has E-Mail simply outlived its usefulness? Should we all just resort to Instant Messaging and forums?

    --
    Blatant self-promotion: Jerek.net
  95. This would generate a lot of extra mail.. by Scooter · · Score: 1

    I like the idea of C/R, but one problem I can see is that if a spammer sends some mail to a C/R user, his mail relay sends the challenge mail to the reply-to address. This almost never exists, so some relay or other sends the C/R system an "undeliverable". If C/R catches on, that's a shed load of "undeliverable" messages being fired back. Sometimes the undeliverable messages are not aimed at the reply-to address but "postmaster" or something similar. I stopped sending 550's to known spammers as well - you just get back more crap! In one case, it set up a mail loop that took down the relay.

    I just let it arrive at my ISP these days, and then zap it all off with Spam Assassin. I know it's a bit of a blunt instrument, and I have it set to be more aggressive than normal too, but then if someone I know really is trying to reach me, they can phone, and I'll add them to the whitelist. The only problem with this, is that the spam is still using Internet bandwidth. Perhaps it's time to build email filters into the core routers of the Internet?

  96. Doesn't work with text-only mail readers! by laing · · Score: 1

    So apparently Earthlink is saying they will no longer accept e-mail from people who use text-only mail systems. Now a graphical, html aware mail reader will be required to successfully authenticate in response to the challenge.

    1. Re:Doesn't work with text-only mail readers! by slide-rule · · Score: 1

      No, I haven't read the details of the earthlink "solution", but why would the e-mail necessarily have to be html-based? They could put a "view _this_ page with a web browser ..." flat link in the message of the challenge. (I got such a C/R message a year ago myself that pointed to an image-based challenge.) Or they can go for the gusto and have an html version (with image?) and text version in the same message, and your client uses what it can. Now, on the other hand, if you've limited your system to a *purely* text solution, then that is your right (certainly), but when in Rome, don't cry about the majority of other people being Roman.

  97. Re:Now the spammers get address validation for fre by Chester+K · · Score: 5, Insightful

    Once this gets widescale usage, the spammers will simply start responding to the challenges (after all, it's not like that couldn't be easily automated).

    In order to send responses to the challenges, it means the spammer has to provide at least a valid return address, and dedicate resources to responding to those requests (even if it is automated). It raises the cost of sending spam, and increases accountability due to the valid return address requirement, which is the best we can hope for with a SMTP-based solution for the time being. It's not perfect, but nothing is.

    --

    NO CARRIER
  98. How to defeat Earthlink in one easy lesson: by hoggoth · · Score: 1

    mail from:<>
    rcpt to:<clueless@earthlink.com>
    data
    From: MAILER-DAEMON
    To: <clueless@earthlink.com>
    Subject: Mail delivery failure

    Your mail could not be delivered because...

    YOU NEED TO BUY WIDGETS NOW! WIDGETS ARE GREAT!
    Now if you`re bald it`ll give you hair
    If you got straight trousers it`ll give you flares
    Feeling up you`ll get depressed
    Out of style here`s a brand new dress
    The stuff we sell is just the best
    Passing all consumer test
    Days of heaven nights of sin
    Voodoo stick and sharks fin
    When all around you seems like hell
    Just one sip will make you well
    Multipurpose in a jar
    If you ain`t ill it`ll fix your car
    In days of yore for all bad feelings
    Washing socks and stripping ceilings
    Nowadays its used medicinally
    For all known human malady

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
    1. Re:How to defeat Earthlink in one easy lesson: by ssentinel · · Score: 1

      mail from:<>

      doesn't match any entry in my whitelist, so I wouldn't get this email.

    2. Re:How to defeat Earthlink in one easy lesson: by hoggoth · · Score: 1

      > mail from:<>
      > doesn't match any entry in my whitelist, so I wouldn't get this email.

      Then you also won't get any bounce messages if you ever mistype an address, or someone changes their address, or any of your outbound mail doesn't get delivered for any reason whatsoever.
      But I think it's more likely that Earthlink will always let Mail from:<> through because the SMTP RFC requires it.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
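The bypass hoggoth describes, worked through as an added example (editor's code, not Earthlink's and not the poster's): a C/R gate that, as predicted, lets every `MAIL FROM:<>` message straight through, beside one that delivers a null-sender message only when it quotes a Message-ID the mailbox itself generated. The two sample bounces, the whitelist and the `OUTBOUND_MESSAGE_IDS` store are constructed for the example; a real gate would record outbound Message-IDs as mail is sent.

```python
import email
import re

# Constructed input: the forged "bounce" from the post above, delivered with an
# empty envelope sender (MAIL FROM:<>) so that it looks like a delivery failure.
FORGED_BOUNCE = """\
From: MAILER-DAEMON
To: <clueless@earthlink.com>
Subject: Mail delivery failure

Your mail could not be delivered because...

YOU NEED TO BUY WIDGETS NOW! WIDGETS ARE GREAT!
"""

# Constructed input: a genuine bounce for a message this mailbox sent. Real
# MTAs quote the undeliverable message's headers, including its Message-ID.
REAL_BOUNCE = """\
From: MAILER-DAEMON
To: <clueless@earthlink.com>
Subject: Mail delivery failure

<nosuchuser@example.net>: user unknown

----- Original message headers -----
Message-ID: <20030507.4711.k9q2@clueless.earthlink.com>
Subject: hi there
"""

WHITELIST = {"friend@example.org"}

# Hypothetical store of Message-IDs this mailbox put on its own outbound mail.
# A real gate records each one at send time. The IDs must be random, not
# sequential, or a spammer could quote one he never received.
OUTBOUND_MESSAGE_IDS = {"<20030507.4711.k9q2@clueless.earthlink.com>"}

MSGID_RE = re.compile(r"Message-ID:\s*(<[^>]+>)", re.IGNORECASE)


def naive_gate(envelope_sender, raw):
    """The gate the post describes: anything with MAIL FROM:<> is let through."""
    if envelope_sender == "":
        return "deliver"
    if envelope_sender.lower() in WHITELIST:
        return "deliver"
    return "challenge"


def hardened_gate(envelope_sender, raw):
    """Null-sender mail is delivered only when it provably refers to our own mail.

    A bounce cannot be challenged: there is nobody at <> to answer, and the
    challenge would itself bounce. So the choice is deliver or quarantine.
    """
    if envelope_sender != "":
        return "deliver" if envelope_sender.lower() in WHITELIST else "challenge"
    body = email.message_from_string(raw).get_payload()
    quoted_ids = set(MSGID_RE.findall(body))
    if quoted_ids & OUTBOUND_MESSAGE_IDS:
        return "deliver"
    return "quarantine"
```

The hardened version accepts RFC-mandated bounces without handing spammers a free pass: what it checks is something only the mailbox and the MTA that really received its mail could know. Quarantined null-sender mail still needs a review queue, since a bounce from an MTA that strips the original headers would land there too.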
  99. The problem with Challenge-Response by Anonymous Coward · · Score: 0

    is that it actually *doubles* the amount of network traffic caused by spam. It's a great Interim product that should be employed until a *real* solution can be found, but in the mean time? Challenge-Response merely creates MORE hassle for network admins and the like. This is why it *ISN'T* going to be the defacto standard anti-spam 'solution' any time soon.

  100. I will not use it by Anonymous Coward · · Score: 0

    If ANYONE I know wants to use this system, I WILL NOT confirm myself. They can go fuck some other protocol as far as I'm concerned. I will not participate in their fucking of the SMTP protocol. IMHO someone should create a blacklist of all sites that use these shitty challenge-response system. I'll use it to reject mail at my ISP. There's nothing like breaking a protocol in the name of a good fight.

  101. Active Response increases mail volume by actappan · · Score: 1

    Broad use of a challenge/response type system actually massively increases the mail volume - a legitimate email (one that's not yet been whitelisted) will usually generate traffic = 2x the original message.

    1. Initial message is sent.
    2. Challenge system responds with request for verification, often attaching original message.
    3. If the end user is real, they then respond to authenticate.

    Traffic volume is actually less than for the illegal spammers. Of course in theory, no one sees it.

    We experimented for a while here using Marco Paganini's Active Spam Killer project - it did do an admirable job of preventing users from having to see unsolicited emails, however there were a couple of issues.

    1. The challenge/response model added substantial additional traffic to our primary MTA

    2. The challenge itself REPLIED to a UCE, thus verifying the address and making it a saleable commodity.

    I finally settled on a combination that utilized Spamassassin as an initial test, then used ASK as a challenge response system for those users who wanted additional protection.

    --
    \Drew National Data Director, John Edwards for President
  102. Challenge-Response + Bayesian + Whitelists by SpyderFan · · Score: 1
    The Challenge-Response system works great provided that the system also uses Bayesian or other methods to accurately detect spam. That way the filters can be "aggressive" while still giving Grandma a way to tell the family that Grandpa is on Viagra.

    The Spam Sleuth program from Blue Squirrel has added Challenge-Response. They call it the Turing Test. The same program also has other methods built-in like Bayesian, EMail Stamps, Simulated NDR (Bounce), Whitelists (Friends), RBLs, executable attachment detection and removal, regular expressions, etc.

    It appears their Enterprise version works with any e-mail server, but the POP3 version is Windows only :(

  103. How much of a problem is spam for you? by Anonymous Coward · · Score: 0

    Spam... I really don't see the big deal; why do geeks spend so much venom and effort on bitching about such a trivial problem as spam? If you don't want an e-mail, just *press delete*! Is it that difficult, or is it just because the geek mentality is closely affiliated with the anal retentive mentality?
    Pathetic

  104. que? by Anonymous Coward · · Score: 1, Insightful

    > They are easily bypassed using a smart enough auto-responder. If all you do is fire back the original message then you're on their list.

    Did you read the article? A picture of a word is sent to the sender. The sender then has to TYPE the word in a response email.
    The autoresponder would have to be able to analyze a picture and interpret what 'word' was being shown. There are ways to make this more difficult for an AI to do.

    > They sometimes fail to pick up the human response. I have several cases where people will simply respond to the email, removing enough of the critical content, to render the reply useless. This comes in two flavors. Email clients will strip out the Header information needed, or people will strip out the Body information needed.

    Maybe the system YOU designed works that way, but there should be NO reason why a response email should be rejected if the respondee followed directions.

    > One of the biggest problems that these systems have is that they are totally incapable of handling Solicited email from a Bot

    You have a point here.
    The fix would be for the end user to be able to manually enter approved addresses. I.e.: I manually add in the rule that says mail from amazon.com is allowed.

    ac

  105. stealing return address by ux500 · · Score: 1

    What happens if a spammer starts putting cowboy neal (pater@slashdot.org) in as the return address? The amount of spam just doubled...

  106. Denial of Service and RBL's by Titusdot+Groan · · Score: 1
    I'm sure the Spammer's want to nip this particular mechanism in the bud so I foresee the following scenario:
    1. Spammer sends tons of email to earthlink with the Reply-To: set to be a random known good non-earthlink address.
    2. Earthlink starts mail bombing Yahoo, AOL and Hotmail addresses.
    3. AOL, Yahoo and Hotmail gang up and RBL Earthlink.
    4. Earthlink rethinks its approach
    5. Profit!
    There are many reasons why most commercial email vendors don't have this feature on their mail servers ...
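One control a practitioner would want in place before the scenario above can play out is a cap on outbound challenges. The added example below (editor's code, not Earthlink's; the class, the limits and the simulated flood are all assumptions) sends at most one challenge per sender address while one is pending, and at most a fixed number per destination domain per window, so a burst of spam with thousands of forged Reply-To addresses at one provider is held rather than turned into a mail bomb aimed at that provider.

```python
from collections import defaultdict, deque


class ChallengeThrottle:
    """Rate limit for challenges emitted by a C/R gate (hypothetical design).

    Two sliding-window limits:
      * one challenge per sender address: while a challenge is pending for an
        address, further mail from it is queued behind that challenge;
      * at most `per_domain` challenges per destination domain per window.
    Mail that would exceed a limit is held unchallenged ("hold"), not bounced.
    """

    def __init__(self, per_domain=50, window_s=3600):
        self.per_domain = per_domain
        self.window_s = window_s
        self.pending = {}                     # address -> time challenge was sent
        self.domain_log = defaultdict(deque)  # domain -> times of recent challenges

    def _expire(self, now):
        # Forget challenges older than the window.
        for addr, sent in list(self.pending.items()):
            if now - sent >= self.window_s:
                del self.pending[addr]
        for dq in self.domain_log.values():
            while dq and now - dq[0] >= self.window_s:
                dq.popleft()

    def decide(self, reply_to, now):
        """Return 'challenge' if a challenge may go out now, else 'hold'."""
        addr = reply_to.strip().lower()
        domain = addr.rpartition("@")[2]
        self._expire(now)
        if addr in self.pending:
            return "hold"
        dq = self.domain_log[domain]
        if len(dq) >= self.per_domain:
            return "hold"
        self.pending[addr] = now
        dq.append(now)
        return "challenge"


def simulate_flood(n_addresses, per_domain=50):
    """Constructed run of the attack above: one burst of spam, every message
    forging a different Reply-To at the same provider, each address used twice.
    Returns (challenges sent, messages held)."""
    throttle = ChallengeThrottle(per_domain=per_domain)
    sent = held = 0
    for i in range(n_addresses):
        for _ in range(2):
            if throttle.decide(f"victim{i}@bigwebmail.example", now=0) == "challenge":
                sent += 1
            else:
                held += 1
    return sent, held
```

With the defaults, a flood of 2000 messages forging 1000 addresses at one provider produces 50 challenges and 1950 held messages, so the worst the gate can do to a third party is bounded by `per_domain` per hour. Held mail should still be counted and logged: a domain hitting its cap is itself a useful signal that someone is forging that provider's addresses.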
  107. sender-stored e-mail (Re: Not a cure) by Anonymous Coward · · Score: 0
    I know I've read about a formalized version of this idea here. Somebody post it again.

    D.J. Bernstein's Internet Mail 2000

  108. I am for this 100%. by AyeRoxor! · · Score: 1

    It needs to be done.

    But... "The day after it's deployed, every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers... " is a good point. It should be done slowly. Say, the first week only affects people whose address begins with 0. Next week, 1. Then 2, all the way through Z. Sure it will take almost 40 weeks. But it will be better that way. And we've gone longer than 40 weeks without this. What will another 40 hurt? I am SO there... This *IS* a service for which I'll gladly pay.

    1. Re:I am for this 100%. by valmont · · Score: 1
      This service WILL NOT be automatically switched-on on anyone's mailbox. The user MUST make the conscious decision to CHOOSE to turn this feature on. It is off by default for all users.

      you too can enjoy it. heh.

  109. Viral like growth of email is as bad as spam... by gatkinso · · Score: 1

    ...as far as hogging bandwidth if one has their mail client include the text of the email being responded to.

    Every time you have a back and forth email exchange the conversational thread gets longer... and longer... and longer... every single time one sends.

    While I find this feature useful - 99% of the time it is wasteful. Especially if you include full header information in the text!

    --
    I am very small, utmostly microscopic.
  110. Bayesian Filter + Challenge Response by juggler314 · · Score: 2, Interesting

    A number of folks have pointed out how this really doesn't work so well in a real world situation. This is pretty much true, there are myriad problems. What can work fantastically is a two tiered approach though: 1) Use a Bayesian filter to sort your mail however you want (for simplicity let's just say spam/not spam). 2) Forward all filtered mail marked as spam to your CR prog of choice - this chunk of mail should already be confirmed in the high 90%'s to be spam - the few false positives should get caught. The reason this works so well is that the Bayesian filter approach is pretty solid, but there's always a worry of a few important false positives sifting through. This gets rid of those. If you really want to go balls-out you could make use of a service such as spamgourmet.com for ordering processes. Whenever you order something where you are expecting some automated return mail that might hit the Bayesian filter AND also not respond to the CR, use one of the self destruct e-mails. You should never get more than 5 or so e-mails from an order anyway. You can then just filter everything from your bogus self destruct e-mails into a generic "orders" folder.

  111. ASK PROCESS QUEUE by shepd · · Score: 1

    Enter that in the subject line, email yourself, and it will show you a list of undelivered mail.

    Click the link for your bank (with the "add this user to whitelist" option) and the email will be delivered to you, and the bank added to your whitelist, without them having to respond.

    It takes just seconds, and it even works in pine. W00T.

    Of course, you only do this when you are _expecting_ a non-whitelisted email, so the spam still isn't a problem.

    As a sidenote, one spammer did make it through, once (ever). It was a company I did business with once (but never have again, due to them spamming me). One *PLONK* later, and I was spam free again. No big deal, really.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  112. Re:Now the spammers get address validation for fre by platypus · · Score: 1

    Excellent idea, NOT!

    Now one spam message creates a reply which has 100 fold the size of the average spam message, and, since the mail is forged anyway, goes nowhere.

    Worse, if spammers forge valid addresses, one poor sob gets 5 Gigs of useless pictures of "validation emails" in his inbox instead of 1000 hatemails from lusers accusing him of spamming.

    At least they should send pictures of naked supermodels with the confirmation secrets tattooed on their butts.

  113. Re:Now the spammers get address validation for fre by Malc · · Score: 1

    Of course, Ticketmaster are spammers themselves. I booked tickets through them last year. I did it on a Thursday for a concert on Saturday. I create a unique email address (alias) for them (mf_ticketmaster_ca@my-domain.ca), on the following Monday I received mail from a third party on that address. I'm careful to ensure I'm opted-out from these things if the option is provided. Almost a year later, I still see occasional attempts in my logs to deliver to that address, even though I commented it out immediately after the first spam.

  114. Why put the burden on people sending you e-mail? by Admiral1973 · · Score: 1
    I've been an Earthlink customer for six years. I'm not about to implement a system that makes others do additional work to e-mail me, even if they are legitimate correspondents. I use my Earthlink address extensively for mailing lists, shopping, communications with family and friends, etc. People have been using my address for a long time and I don't want to force them to jump through hoops to send mail to me, even if it's just a one-time step.

    Instead, I'd rather keep this burden to myself. I've been using the Bayesian junk mail filter in Mozilla Mail for a few weeks now and it's made a significant reduction in the amount of spam I see in my mailbox. It's not perfect: some messages still get through, but no spam elimination system is. At my office, we've spent thousands of dollars on mail servers that are designed to reduce spam, yet many of our users complain that they still see the same amount of spam or more than they did before we installed the servers. We're back to giving people the same old response about spam in their mailbox: delete it and move on with your life.

    --
    Lousy minor setbacks! This world sucks! -- Homer Simpson
  115. Re:Now the spammers get address validation for fre by platypus · · Score: 1
    Not to mention one of the biggest problems: Every spam message sent will consume the bandwidth it always has consumed, but will now trigger the C/R system to send a message back. So you have twice the email traffic. And have you ever been the victim of a spammer that used your email address as the From/Return-Path and you received all the bounces? Now imagine a spammer doing this and not only receiving all the bounces but also all the C/R requests.

    Excellent idea, instant DOS attack:


    From: support@microsoft.com
    To: everyone@earthlink.com
    Subject: GET A BIGGER (whatever) NOW!!!!!!

    [...]


    The funny thing is, that a system like this might _drive_ spammers to use From: addresses which they deem more likely to be whitelisted (esp. since the possibility of whitelisting complete domains seems to be a nice feature at first).

  116. RTFA! Challenge-response will be *optional*! by Anonymous Coward · · Score: 0

    The challenge-response system will be optional and free for EarthLink subscribers

    If you don't specifically turn it on, you won't have to use it. The setting will probably live on the user's account page at Earthlink Support, alongside the existing option to enable the current "spamguard" system (which is also turned off by default).

    This type of system is probably best reserved for a public email account (ie: listed on a web page / business card) - not one used for shopping online or emailing family.

    It will not "destroy the intarnet" overnight.

  117. Re:Why put the burden on people sending you e-mail by gatkinso · · Score: 1


    To the user spam is [not..extremely] annoying.

    To the telcoms and ISPs, spam is [very] expensive... which drives up the price of internet services for us all.

    If it were simply a matter of otherwise harmless irritation as you seem to contend, this would be a nonissue.

    --
    I am very small, utmostly microscopic.
  118. Precedence: Bulk by Euphonious+Coward · · Score: 3, Interesting
    All they need to do to handle legitimate mailing lists, at least at first, is to challenge only mail that is not explicitly labeled with "Precedence: bulk". Legitimate mailing lists carry that label, but spam never does.

    Once the spammers are obliged to label their stuff "bulk", half the battle is won. Then they start collecting a "white list" of legitimate mailing list sources, and label every bulk message not on it as "suspected spam" and dump it in a separate folder.

    1. Re:Precedence: Bulk by giraffecock · · Score: 1

      I'm obliged to label your mother "bulk", asscunt.

    2. Re:Precedence: Bulk by bobsledbob · · Score: 1

      ... explicitly labeled with "Precedence: bulk". Legitimate mailing lists carry that label, but spam never does.

      The last thing I want to do with my legit mailing list is to include 'Precedence: bulk' in the header as this is a surefire way to end up in, for instance, Yahoo's Bulk mail folder. Maybe rightly so, however my Yahoo Bulk mail folder only ever gets emptied, never read, and I'm sure I speak for the majority of Yahoo email users. I'm sure much spam filtering software uses this header as a criterion for identifying spam. Too bad really.

      --
      Beware of geeks bearing formulas.
  119. Doesn't actually work... by haraldm · · Score: 1
    every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers...

    Not me. I put earthlink.net in my blacklist ages ago. Too much Spam from this domain.

    I had such a challenge/response system for a while, based on procmail and some handy Perl scripts around it. It basically worked - incoming mail was quarantined until the response came, then delivered. It was pretty smart - the challenge included an MD5 checksum of the original message, making bypassing the system next to impossible. Fake responses with no corresponding pending messages were dumped. But - it pissed off many people who wrote me legitimate e-mail for the first time, and I got all the bounces from the poor open mail relays. No big win. I dumped it and moved on to Spamassassin. I'm now down from 40-60 visible spams per day to one or two which Spamassassin doesn't yet know about. I report them and don't see them any more.

    --
    open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
  120. It's only "offered" by Slime-dogg · · Score: 1

    The day after it's deployed, every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers...

    Geesh, Michael. You'd think that it would become the default choice or something. When something is "Offered," it usually means that you have to turn it on. If someone is geeky enough to be a member of a real mailing list, he/she is probably not going to use this. Granted, there will be a few loonies that do, but when they realize that they got 0 messages in 5 minutes from Gentoo-users, they're going to suspect something.

    Otherwise, I think it's fantastic. I just sifted through 2,500 spam messages yesterday, from a period of time starting April 20th.

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  121. Thoughts and observations by cr@ckwhore · · Score: 2, Insightful

    First of all, the system is completely optional for earthlink users. For the users that are stupid enough to opt-in, they deserve the extra hassles they'll receive.

    But here's what it means to me, a publisher of a popular website...

    When a new user signs up for an account, they get a confirmation email. Since I'm not about to check the server's return-path for C-R messages, C-R users will be out of luck. This means that at the very least I'll have to update my site with a special notice during the sign-up process that will notify earthlink users to expect problems.

    The crux of the matter, there are automated emails that will fall victim to this C-R paradigm that AREN'T spam!

    So, what is earthlink's "fix" for this problem? Well, it appears as though they will assign special addresses that users can use for sign-ups, sales receipts, etc. that will bypass the regular C-R system. Ok, great. Two problems with that ...

    1. If the special bypass addresses are only temporary, then my users' accounts will become invalid because their email address is no longer valid and I don't allow ghost accounts.

    2. If the special bypass addresses are permanent, and they're used for sign-ups and sales receipts, well fsck! That's where SPAM comes from. duh. Great ... all their spam will arrive via bypass addresses. Awesome!

    --
    Skiers and Riders -- http://www.snowjournal.com
  122. Re:Now the spammers get address validation for fre by StarOwl · · Score: 2, Insightful
    Once [TMDA] gets widescale usage, the spammers will simply start responding to the challenges (after all, it's not like that couldn't be easily automated).

    There are currently three defenses to this:
    1. Most spammers dummy up their headers. The challenge never gets delivered to them, and therefore the spam goes undelivered.
    2. Spammers who use legit email addresses usually see their inboxes fill quickly to the point of bouncing mail. Again, they don't see the challenge, so the spam goes undelivered.
    3. Spammers who use legit addresses and have large inboxes are likely to be trackable. If they're in your country, and if your challenge message is worded correctly, there is some legal exposure on their part.

    Admittedly it's not foolproof. There is no 100% effective way to combat spam (short of abandoning SMTP). There's always going to be a risk that some spam will leak through or that some legit email will bounce.
  123. Mailing lists = no problem by supabeast! · · Score: 1

    "The day after it's deployed, every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers..."

    The challenge response system is opt-in. Earthlink customers who use mailing lists don't need to use it.

    1. Re:Mailing lists = no problem by IMarvinTPA · · Score: 1

      Or, they'll manually white-list the mailing list. I have a number of rules in Outlook Express for my various mailing lists. (Usually keyed off the list's name in the subject line.) The only real challenge would be the lists that don't change the from address, or a blocking system that doesn't let you also use the subject line.

      IMarv

  124. Ugh.... This system is broken before it started by jonniesmokes · · Score: 1

    As I understand it, you can have a whitelist from online services that send out mail from robots. But spammers will just forge mail from these whitelisted email addresses.

    What we need is similar to this solution: multiple send-to addresses generated either on the fly by a secure interface that the owner of the email account can use, or by a Challenge/Response system that generates a send-to address.

    Unfortunately, because there will be lots of send-to addresses and they will have to be kept track of, it will be necessary to incorporate this information into the mail reader/address manager. Not my idea of fun, but SPAM sucks more.

    This way if some online retailer sells your address, you will know who did it and you can cancel that email address.

    This could be a separate header in the mail too, and in that case this could be entirely done in the mail reader and code generator and wouldn't require any modification of the current internet mail system. But the senders of mail would have to add the headers to their mail.

    Just think. It could be awesome!

  125. duhhh, you could just do the unthinkable. by twitter · · Score: 1

    Imagine a law against unsolicited commercial email with stiff penalties for those who break it. Yes, you can track down spammers easier than you can file swappers. Nah, way too drastic. Let's just make it impossible to email each other instead with "white lists". S-T-U-P-I-D.

    --

    Friends don't help friends install M$ junk.

  126. No, they won't. by JonTurner · · Score: 1

    "Once this gets widescale usage, the spammers will simply start responding to the challenges..."

    No, they won't, unless there are some breakthroughs in machine vision. You see, the challenge "key" is more than just plain text that needs to be repeated, parrot-fashion, back to the server. In its best form, it would be encoded as an unusual font with a curving baseline on an image with lots of "noise" in the background.
    People are extremely good at picking out text like this but it's a very difficult problem for machines.

    1. Re:No, they won't. by Anonymous Coward · · Score: 0

      Not only would OCR have to validate the code, it would have to do it quickly. If the spammer wants to validate 1,000,000 challenges that might impose a substantial time-cost...

  127. little burden on addresses in your address book by kgregg · · Score: 1

    There should be very little burden on people in your email address book. Part of article reads.... "It will allow users to automatically clear the e-mail addresses of friends, family members and other associates in their electronic address books, so those people would not receive the challenge e-mail." So, grandma will never see any of the C/R email msgs. kgregg

  128. Why not just use a key system by BlueWolverine · · Score: 1

    Why not make it so that every email header has an auth key. When a user gives out his email address he generates a unique key for that person that can be placed in the address book along w/ the email account. Now when a person receives email, he can "trust" the keyed messages and knows where they came from. It would also make it easier to find who is being a bit "loose" w/ a person's email address. So if you start getting spam, and its key was assigned to Amazon, well now you know what they do w/ your account data. Effectively, it makes a unique email address for everyone you want to email you.
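Comment 128's per-correspondent key, as an added Python example that is not the poster's code: instead of storing a random key per contact, the key is an HMAC tag derived from a secret and a label and placed in the address itself (alice+amazon.<tag>@example.net), so a leaked address names the contact that leaked it, a forged tag is rejected, and a label can be cancelled. It assumes the mail server delivers user+anything@domain to user, as Postfix's recipient_delimiter does; all addresses and the secret are constructed.

```python
import hashlib
import hmac
import re
from typing import Dict, FrozenSet, Iterable, Optional

TAG_LEN = 10  # hex digits of the HMAC kept in the address


def _tag(secret: bytes, local: str, label: str) -> str:
    """The HMAC binds the label to this mailbox, so a tag cannot be moved or guessed."""
    mac = hmac.new(secret, f"{local}+{label}".encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def make_tagged_address(secret: bytes, base: str, label: str) -> str:
    """alice@example.net with label 'amazon' -> alice+amazon.<tag>@example.net."""
    if not re.fullmatch(r"[a-z0-9]+", label):
        raise ValueError("label must be lowercase letters and digits")
    local, domain = base.lower().split("@", 1)
    return f"{local}+{label}.{_tag(secret, local, label)}@{domain}"


_TAGGED = re.compile(r"([^+@]+)\+([a-z0-9]+)\.([0-9a-f]{%d})@(.+)" % TAG_LEN)


def verify_tagged_address(secret: bytes, addr: str,
                          revoked: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return the label a valid, unrevoked tagged address was issued under, else None."""
    m = _TAGGED.fullmatch(addr.strip().lower())
    if m is None:
        return None
    local, label, tag, _domain = m.groups()
    if label in revoked or not hmac.compare_digest(tag, _tag(secret, local, label)):
        return None
    return label


def attribute_leaks(secret: bytes, recipients: Iterable[str],
                    revoked: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """Count inbound messages per label; 'untagged' covers bare, forged and revoked addresses."""
    counts: Dict[str, int] = {}
    for rcpt in recipients:
        label = verify_tagged_address(secret, rcpt, revoked) or "untagged"
        counts[label] = counts.get(label, 0) + 1
    return counts


def run_demo() -> Dict[str, int]:
    """Constructed RCPT TO traffic: the amazon tag has been passed around, one
    message forges a tag, one goes to the bare address."""
    secret = b"constructed-secret-for-the-example"
    amazon = make_tagged_address(secret, "alice@example.net", "amazon")
    news = make_tagged_address(secret, "alice@example.net", "news")
    inbound = [amazon, amazon, amazon, news,
               "alice+amazon.0123456789@example.net", "alice@example.net"]
    return attribute_leaks(secret, inbound)
```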

  129. Re:Now the spammers get address validation for fre by Anonymous Coward · · Score: 0

    Either that, or the picture is included via a link to their web page...which is even worse, since you should always disable loading linked content in a mail - to avoid spammers getting verification of the validity of your address!

    And users of non-graphical e-mail programs aren't going to be having fun...

    If I use mutt in order to be able to access my email from anywhere I can get ssh-access from, I'm sure as hell not going to bother to manually fetch and view an image just so I can send somebody e-mail.

  130. Re:Now the spammers get address validation for fre by Anonymous Coward · · Score: 0

    Again, you utterly miss my point, and the REALITY of the situation, so i will leave you to your charmed rose-colored life.

    Your friend's images are on countless pedophiles' hard drives. If her site is holier than Mother Theresa, so be it. Maybe only the Angels log in to her site.

    I am talking about this cute-z garbage, and this Uncle Curt, and the rest.

    It's sick, it's evil, it's game playing, it is a CARGO OF LIES, and the children will pay the price. Many children will be victimized in the place of these rampant child sexual images. So go ahead, give more "theatrical pose coaching", and sleep with a sound conscience, knowing that everything in the Internet Child Erotica Wonderland is all nice and safe.

    My niece, and others i know, would never ever in a MILLION YEARS be allowed on the internet with their "pictures". If she wanted to be a "model-actor", then you get a portfolio, and go around. And you put your acting photos on the PRIVATE SECURE sites for certified agents only. And then 99% of the people don't get any work. Them's the breaks! Only one in thousands can "model", and very few get to do movies. TOUGH. I don't even put my own picture on the internet unless i HAVE to.

    Unfortunately, i have to live in the REAL world, not a wonderful, rose-colored paradise of idealism, and outright lies, and deception.

  131. Re:Earthlink should look for mailing list headers. by Anonymous Coward · · Score: 0

    Depending on the rules used and the mailing list conventions, the challenges wouldn't necessarily even go to the mailing list, they would go to the person who sent mail to the mailing list.

    If I ever send mail to a mailing list and in response get challenges, I'm going to send a list of the challenging addresses to the mailing list maintainer and ask those people to be removed from the list.

  132. Naive by siskbc · · Score: 1
    find them??? how hard is that?? I mean they are selling something (99%) and surely they want their money......

    so how hard is it really to find them??

    What do you do if they're foreign? What do you do if they host their site through temporary web pages that use IP numbers instead of URLs for links? What if they use PayPal to collect money?

    There are a lot of ways that spammers can be anonymous. So suing them isn't always an option, as gratifying as it might be.

    --

    -Looking for a job as a materials chemist or multivariat

  133. See "Guarded Email" paper by dwheeler · · Score: 2, Interesting
    For more details on a challenge-response system, see my paper on "Guarded Email" at: http://www.dwheeler/guarded-email.

    Guarded email completely deals with some of the problems noted in these comments:

    1. How do you receive challenges? Yes - if you SEND a message to someone, then you can set things up to automatically RECEIVE messages from that someone.
    2. Can blind people send email? Yes - the challenge should be human-readable, but not computer-processable. That's easy.
    3. Can you prevent loops? Yes - you have to think about it, but there are simple loop-prevention techniques so that EVERYONE can use these kinds of systems.
    --
    - David A. Wheeler (see my Secure Programming HOWTO)
    1. Re:See "Guarded Email" paper by Anonymous Coward · · Score: 0
      1) See my paper blah blah blah

      2) See my paper "I just wiped my ass on it"

      3) See my paper "How to be a pretentious academic twat"

  134. Hey this might actually work! by Anonymous Coward · · Score: 0

    Let's think about this. If sending out 100 million emails were to cost a spammer a million dollars this would obviously not happen. That's good since it kills spam dead. But it's bad in the sense that without spam, who pays for the servers? Since it's a pre-payment system the spammers can't escape paying either.

    So the payments to the postoffice servers would have to come principally from the interest on the pre-payments and from mail messages people mistakenly classify as spam. Let's say I were to erroneously mark as many as 1 in a hundred e-mails that I actually solicited as spam--it's probably less than that. Then a sender's $10 deposit would drain away in 1000 e-mail messages. A bit fast I'd say, by about a factor of ten. (e.g. a company sending out 10,000 emails per day legitimately would probably be willing to pre-pay $10 per day to account for mis-filings by receivers)

    Suggested improvements:
    This suggests the per-email charge perhaps ought to be lower, say 0.001 dollars. Also there should be a time window, say 1 month, that receivers have before the money is auto-refunded. That way unread messages don't clog the system. And the e-mail program could auto-whitelist anyone who had unjunked messages in your mail folders.

  135. Alternative solution. by $criptah · · Score: 1

    The system described in the article is doomed from the beginning. Some people, like my mom, do not dislike spam to a high degree; they simply delete it when/if they get it. For these users it is much easier to erase irrelevant messages rather than use a method that will slow them down. The spam vs. anti-spam issue is just another variant of the famous cop vs. criminal deal: both sides get more and more advanced with time without completely winning or losing. In order to make spam less efficient it will be wise to educate users. For example, I found that as I started to replace my email address blah@blah.com with 'blah at blah dot com' I almost eliminated all my spam that was a result of web crawlers which went through message boards and all the other places where people would normally put their email address. Finally, if ISPs are worried about bandwidth, won't this new method generate more load?

  136. Re:Now the spammers get address validation for fre by AndrewRUK · · Score: 1

    I have seen a challenge/response system that defeated the OCR problem. It's in an online game, Planetarion, that had a problem with cheats using programs to manage their accounts while they were away and to run large numbers of accounts (both against the game's rules.) To log in, you first have to give your username and password, and then answer a question that's in an image. The questions are always obvious to a human, but a computer would need to be able to understand English before it could answer them. Since they implemented the login question, the bots have (as far as I know) disappeared.

  137. Senseless Objections to SMTP by Voivod · · Score: 1

    SMTP is just a message passing protocol. What features are missing from SMTP which would solve the spam problem? The idea that AIM is a suitable replacement for SMTP is laughable.

    What are the protocols and environments which are already being spammed? E-mail. Faxes. Telephones. Chat rooms. Web guestbooks. Weblog comments. IM. Religious nuts knocking on the front door of your house. What all these interfaces have in common is that you can't offer them to your friends without it becoming available to strangers.

    The solution is to either add authentication, try to decrease instances of spam through legislation, or ignore the problem. Examining how we reduced problems such as fax, telephone, and front door spam may provide useful lessons in how to fight this.

    1. Re:Senseless Objections to SMTP by JDizzy · · Score: 1

      I like the notion of electric fences around the front door to kill door to door salesmen, but that's just me. =)

      --
      It isn't a lie if you believe it.
  138. Pre-emptive Anti-Spam Measures by akedia · · Score: 3, Insightful

    I've used Earthlink as an ISP for going on 6 years now, and I must say, I've never dealt with better. For one thing, in the years that I've had my earthlink address, I'd say I never get more than 3 or 4 spams per week. What is my secret? For starters, if I need to provide an e-mail address for something that may result in unsolicited messages, I use one of the free webmail providers (Hotmail, Yahoo!, etc.) I can check those to confirm what I wanted, then never check it again, and my Outlook (with my primary e-mail) doesn't fill up with useless crap.

    Another way to stop the spam before it starts is to keep your e-mail address from getting on those lists in the first place. When posting to Usenet, BBSes, forums, even Slashdot, use some sort of clever cloaking (Slashcode does this already), or even a fake email. Encryption for e-mail such as using a free personal certificate from Thawte or a GPL encryption such as GNU Privacy Guard is always a good idea.

    In addition, Earthlink's Spaminator is a Godsend. With that baby enabled, I'm lucky if I get one spam a month. Case in point: my mother has an Earthlink address that she uses for her business contact. She complained that she's getting hundreds of porn spam and "enlarge your penis"-type e-mails (no idea how these got here.) Setting up a few Outlook Express filters and enabling Spaminator cut the dirty messages by about 90%, and she is grateful she no longer has to wade through such filth to get to her real messages.

    The bottom line is, the fewer spammers that have your address, the fewer spams you're gonna get. I have a Hotmail that gets 1000+ spams a day. My real e-mails get next to none. It's just like telemarketers, they get your number from companies who need contact info for whatever reason. However, Hotmail addresses are free, whereas extra phone numbers to give the telemarketers, and then never answer, are not. Well, we do have Caller-ID for that, but that's another post...

  139. Re:Now the spammers get address validation for fre by Anonymous Coward · · Score: 0

    Ticketmaster's system is effective enough to defeat real humans with less than perfect vision a fair fraction of the time. I'd say that's a bit too much filtering for a site that's actually trying to sell to people.

  140. It doesn't work that way. by Gendou · · Score: 1

    An image? So now to stop spam you'll have Earthlink "spamming" senders with image-laden emails? Or perhaps they will display an image that is loaded from their server? The latter won't work because I (and many) people don't allow our email clients to load anything off of remote servers. And it really pisses me off when I get images embedded in emails.

    It does neither. I'm using the beta-test of the Earthlink C&R system right now. The response sent to someone who e-mails me doesn't contain any images at all, just a URL that must be visited. It's there, on Earthlink's site, that the challenge is presented.

    1. Re:It doesn't work that way. by Anonymous Coward · · Score: 0

      What? Someone who actually knows something is writing here?!? Quick, mod him down!

  141. Email order submission? by Gorimek · · Score: 1

    Amazon and others could move to a system where the order is submitted via an (encrypted) email. That would put the receiving address on the white list, and automatically allow the confirmation email to get through.

    Or you'd still send the order through the web, but generate an additional email just for this purpose. But then it's not one-click shopping anymore.

  142. Could help slow some worms, viruses. . . by GeorgieBoy · · Score: 2, Interesting

    . . .as long as people aren't getting them from their buddies. Even so, if emails are scanned for viruses/worms in attachments before they get to the user, there can be more wins than just stopping spam.

  143. How Earthlink's system actually works. by Gendou · · Score: 2, Informative
    I'm using the beta-test of this system now, so I know the news article doesn't describe it very well.

    Here's the internal description of the service, which, by the way, is always going to be optional -- users have to turn it on manually. So fears of mass confusion from users when Earthlink turns this system on are a bit unfounded.

    What is Suspect Email?

    With some messages, only you can decide whether they are junk. When you turn on Suspect Email Blocking in addition to Known spam Blocking, you'll only receive messages from senders who are in your TotalAccess or Web Mail Address Book. Other messages will be temporarily held in your Suspect Email folder, and the unknown senders will receive an automatic reply message telling them how to ask to be added to your Allowed Senders list.


    This is what the automated reply looks like:

    From: automated-response@earthlink.net
    To: user@somedomain.net
    Subject: Re: How are you doing?

    This is an automatic reply to your e-mail message to earthlinker@earthlink.net.

    This email address is protected by Earthlink spamBlocker. Before earthlinker@earthlink.net can receive your message, your email address must be added to a list of allowed senders.

    Click the link below to ask earthlinker@earthlink.net to add you to this list:
    http://webmail.earthlink.net/wam/addme?a=earthlinker@earthlink.net&id=xxxyyyzzz


    And finally a more detailed description they supply:

    Suspect Email Blocking is disabled by default, and includes Known spam Blocking. You must activate it yourself if you wish to use it.

    With Suspect Email Blocking, spamBlocker examines any message that Known spam Blocking has not intercepted. If the sender's email address or Company (Domain) (i.e., the portion of the email address after the @ symbol, such as earthlink.net) appears in your Address Book, spamBlocker allows the message to reach your Inbox normally.

    If the sender's address or Company (Domain) does not appear in your Address Book, spamBlocker does three things:

    1. Intercepts the message and stores it online in your Suspect Email folder (which you can open by clicking the Suspect Email tab in the spamBlocker interface).
    2. Automatically replies to the sender with instructions on how to ask to be added to your Address Book.
    3. Notifies you about the intercepted message in a summary you'll receive periodically via email (see spamBlocker Settings for more about email summaries).

    Note: Messages in your Suspect Email folder remain on EarthLink's incoming email server and count toward your 10MB mailbox storage limit. spamBlocker automatically deletes Suspect Email messages that are more than 14 days old.

    Suspect Email Blocking practically ensures that your Inbox will be spam-free. To be effective, however, Suspect Email Blocking requires that you maintain a list of email addresses and Companies (Domains) you want to receive email from in your Address Book.

    Suspect Email Blocking works in conjunction with Known spam Blocking. You cannot use Suspect Email Blocking by itself.
  144. No, SMTP is a great protocol by mossmann · · Score: 1

    SMTP does exactly what its designers wanted it to do: provide universal delivery. Any message from any source, verifiable or not, will be reliably delivered to any valid recipient address. It's a very simple concept (and "simple" is what it is called), but it is very important that we have a protocol which meets this need.

    Should we be using a limited delivery protocol for personal email rather than a universal delivery protocol? Maybe. But there will always be certain needs for universal delivery, and, if we don't completely destroy the system by implementing knee-jerk spam solutions, SMTP will always be there to meet those needs.

    The problem isn't with SMTP; it is a problem inherent in any universal delivery system.

  145. What about this? by cl · · Score: 1

    How are you supposed to be able to decode a challenge response on a text only terminal? What about the blind or (insert other person with special needs here) how are they supposed to respond to the challenge?

  146. this wont work by Anonymous Coward · · Score: 0

    What if the payment authenticator is down or DDoSed? all e-mail just stops!

  147. how long? by spectro · · Score: 1

    How long until spammers sue Earthlink to stop them from deploying this?

    --
    HTML is obsolete. It's time for a new, simpler and richer markup language.
  148. sliding scale by Anonymous Coward · · Score: 0

    To prevent the slow leakage from mistakenly classified e-mails, perhaps one could have some grace built in to the system for white-hat companies.

    If the cost of sending an e-mail was proportional to the number of e-mails that recipients marked as junk, then costs for "good" companies would be near zero and costs for spammers would rise exponentially.

    For example, suppose my bike parts company sent out 10,000 emails each month to existing customers and only ten of those did not refund my 1 cent pre-payment. Well then the actual charge to my account would be 10 * 10/10000 cents.

    On the other hand, if 90% of them collected the junk tax, then the charge would be 9000 * 9000/10000 or almost the full amount.

    One could even include a little grace in this. Say, if less than 1% of receivers of my mail said it was junk, I got no charge at all.

  149. On the other hand by Anonymous Coward · · Score: 0

    Others have already responded to point out that spammers responding to challenges must have valid return addresses. This alone is a huge improvement. It means fewer spammers will be masquerading under someone else's legitimate domain. While working at an ISP, some of our customers had this happen to them, and there's NOTHING they can do about it.

    Spammer sends through relay in third-world country, with From, Reply-To, and other headers pointing at innocent-unrelated-domain.com. Bounces AND complaints then go to innocent-unrelated-domain.com.

    With the new system in place, the recipients of the spam don't care if the return address is wrong because they'll never see the message anyway because it will go unconfirmed.

    If the spammers use a legitimate return address, then they can be tracked and sued, or even counter-harassed. Spammers thrive on anonymity, and challenge responses completely undermine that. This won't stop spam, but it will certainly be a big improvement.

    The only thing that could be better would be widespread use of PGP/GPG keys.

  150. Procmail... by Brew+Bird · · Score: 2, Informative
    Don't know where I found this at, but it's pretty old... Share and Enjoy!
    .procmailrc
    ----------Cut Here-------------

    # Define the password
    PASSWD_=PASSWORD

    # Whatever other recipes in between.

    # Email is not challenged from:
    :0
    * ^From: myfriend@aol\.com
    ${DEFAULT}

    # Return email if the password is not there
    :0:passwd.lock
    #
    # Check for (the lack of) the password
    * $ ! ^Subject:.*${PASSWD_}
    #
    # Avoid email loops: never challenge our own notifications or our own mail
    * ! ^X-Loop: your-addrs@mail\.isp\.net
    * ! ^From:.*your-addrs@([-a-z0-9_]+\.)?mail\.isp\.net
    #
    # Prepare and send the notification (the pipe consumes the original message).
    # Be sure to customize your sendmail path.
    # The backslash-continued lines must not be separated by blank lines.
    | (formail -r \
       -i"Subject: Returned email: Password or privileges required" \
       -A"X-Loop: your-addrs@mail.isp.net" ; \
       echo "* This is a computer-generated response message *" ; \
       echo ; \
       echo "Email password required!" ; \
       echo "Please include (${PASSWD_}) anywhere on your subject line." ; \
       echo "Then kindly resend your email to your-addrs@isp.net") \
      | /usr/sbin/sendmail -t
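The defensive rules the thread converges on for a challenge/response gate, pulled together in one constructed Python example (not Earthlink's code and not any poster's): challenge only mail that can answer, so bounces, Precedence: bulk/list traffic (comment 118) and auto-submitted mail are held without a reply; bind the challenge to the held message and drop responses that match nothing (comment 119, with an HMAC in place of the MD5 checksum mentioned there); mark challenges with X-Loop/Auto-Submitted and refuse to challenge them back (comment 133 and the X-Loop conditions in the procmail recipe above); and let in anyone the owner has written to. All addresses, messages and the secret are made up.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional, Set, Tuple

BULK_PRECEDENCE = {"bulk", "list", "junk"}   # nobody can answer a challenge to such mail


class ChallengeGate:
    """One mailbox's challenge/response gate (constructed example)."""

    def __init__(self, owner: str, secret: bytes, address_book: Set[str]):
        self.owner = owner.lower()
        self.secret = secret                      # keys the challenge tokens
        self.allowed = {a.lower() for a in address_book}
        self.pending: Dict[str, Tuple[str, Message]] = {}   # token -> (sender, held msg)
        self.inbox: List[Message] = []
        self.suspect: List[Message] = []          # bulk, list and bounce mail from strangers

    def note_outgoing(self, recipient: str) -> None:
        """Anyone the owner writes to may reply without being challenged."""
        self.allowed.add(recipient.lower())

    def _token(self, sender: str, raw: str) -> str:
        """HMAC over sender and exact message text: a response fits only one held message."""
        mac = hmac.new(self.secret, sender.encode() + b"\0" + raw.encode(), hashlib.sha256)
        return mac.hexdigest()[:20]

    def _unchallengeable(self, envelope_sender: str, msg: Message) -> Optional[str]:
        """Reason not to challenge, or None when a challenge is appropriate."""
        if envelope_sender == "":
            return "null envelope sender (bounce)"
        if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
            return "Precedence: " + msg["Precedence"]
        if msg.get("Auto-Submitted", "no").strip().lower() != "no":
            return "Auto-Submitted: " + msg["Auto-Submitted"]
        if self.owner in msg.get("X-Loop", "").lower():
            return "X-Loop already names this mailbox"
        if envelope_sender.lower() == self.owner:
            return "sender is this mailbox"
        return None

    def receive(self, envelope_sender: str, raw: str) -> Tuple[str, Optional[str]]:
        """Handle one inbound message; returns (disposition, challenge text or None)."""
        msg = message_from_string(raw)
        sender = envelope_sender.lower()
        if sender in self.allowed:
            self.inbox.append(msg)
            return "delivered", None
        if self._unchallengeable(envelope_sender, msg) is not None:
            self.suspect.append(msg)              # kept for review, never answered
            return "suspect", None
        token = self._token(sender, raw)
        self.pending[token] = (sender, msg)
        challenge = (
            f"From: {self.owner}\r\nTo: {sender}\r\n"
            f"Subject: Re: {msg.get('Subject', '')}\r\n"
            "Auto-Submitted: auto-replied\r\nPrecedence: bulk\r\n"   # other gates hold, not challenge, this
            f"X-Loop: {self.owner}\r\n\r\n"
            f"Your message to {self.owner} is held. Reply with this token: {token}\r\n"
        )
        return "challenged", challenge

    def respond(self, envelope_sender: str, token: str) -> bool:
        """Release a held message only if token and sender match a pending entry."""
        entry = self.pending.get(token)
        if entry is None or entry[0] != envelope_sender.lower():
            return False                          # fake or replayed response: dumped
        sender, msg = self.pending.pop(token)
        self.inbox.append(msg)
        self.allowed.add(sender)                  # later mail from this sender flows freely
        return True


def run_demo() -> Dict[str, object]:
    """Constructed traffic against the gate; returns each step's outcome."""
    gate = ChallengeGate("earthlinker@example.net", b"constructed-secret", {"mom@example.org"})
    bob_first = "From: bob@example.com\r\nSubject: Hello\r\n\r\nFirst mail from Bob.\r\n"
    list_post = ("From: list-bounces@lists.example.org\r\nPrecedence: list\r\n"
                 "Subject: [list] post\r\n\r\nA list posting.\r\n")
    bounce = "From: MAILER-DAEMON@relay.example\r\nSubject: Undeliverable\r\n\r\nbounce\r\n"
    r: Dict[str, object] = {}
    r["mom"] = gate.receive("mom@example.org", "From: mom@example.org\r\nSubject: hi\r\n\r\nhi\r\n")[0]
    r["bob_first"], challenge = gate.receive("bob@example.com", bob_first)
    token = challenge.rstrip().rsplit(" ", 1)[1]
    r["list_post"] = gate.receive("list-bounces@lists.example.org", list_post)[0]
    r["bounce"] = gate.receive("", bounce)[0]
    r["echoed_challenge"] = gate.receive("bob@example.com", challenge)[0]   # a gate at Bob's end answering ours
    r["forged_token"] = gate.respond("bob@example.com", "0" * 20)
    r["wrong_sender"] = gate.respond("mallory@example.com", token)
    r["real_response"] = gate.respond("bob@example.com", token)
    r["replayed_response"] = gate.respond("bob@example.com", token)
    r["bob_second"] = gate.receive("bob@example.com", "From: bob@example.com\r\nSubject: again\r\n\r\nHi again.\r\n")[0]
    r["inbox"], r["suspect"] = len(gate.inbox), len(gate.suspect)
    return r
```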
  151. Blindness by druske · · Score: 4, Interesting

    If the challenge is based on an image ("please respond with the fuzzy word in the subject line" or somesuch), where does that leave vision impaired email users? How do they respond to a challenge to get their email delivered?

  152. CR can be an interim method by SunPin · · Score: 1

    My first hour as an Earthlink customer saw 20 spam messages to my account. My last name is hardly common (though it is short) and I've never used a major ISP besides Time Warner Cable. CR would have kept it empty.

    The only other alternative is PGP but that requires widespread deployment of decent processors and computers that aren't bogged down with spyware and other crap.

    To get acceptance of PGP, email needs to become a little more inconvenient. First, people need to accept the idea of "ok, it's frustrating but it stops spam." Then they need to get the idea that, "ok, spam is over. Is there anything that can eliminate this irritating CR stuff?"

    Then, and only then, PGP can be deployed. /.ers tend to be so smart that we forget that most people loathe change.

    --
    Laws are for people with no friends.
    1. Re:CR can be an interim method by Zeinfeld · · Score: 1
      The only other alternative is PGP but that requires widespread deployment of decent processors and computers that aren't bogged down with spyware and other crap.

      PGP is NOT the only alternative, it isn't even the most widely deployed alternative. Pretty much every major email client out there supports S/MIME and has for 5 years. The main problem with both S/MIME and PGP is that you have to accept the whole post before you can check the signature. They are also end-to-end which is not the only way to deal with spam. But that is fixable, writing these protocols is not rocket science.

      Most mail servers support STARTTLS. Exchange, Notes and EXIM all do. You can even do it with sendmail if you must. You can even authenticate on IP address via RMX.

      There are a lot of options. But C/R for personal email is not one that most are ready to accept.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  153. won't matter by Anonymous Coward · · Score: 0

    The mail is always received since it goes by normal routes. If the post office is down it just means the refund is not credited till the post office goes back up.

  154. One problem with this system. by illumin8 · · Score: 2, Interesting

    Did anyone notice that in order to work around automated systems that need to send legitimate email, such as Amazon when you buy something, or mailing lists you subscribe to, they give you a second email address that will not be protected by Challenge/Response?

    I can see this being a big problem. In my experience, people only get spam if they have done one of several things:

    1. Published their email address on a web page to be picked up by harvesters.
    2. Given their email address to an online retailer that sells it.
    3. Signed up for some spyware scam where they again give their email address to someone that will add it to a spam list.
    4. Opened a Hotmail account, which, it seems is automatically sold to all the various spam providers.

    In almost all of these cases, the act that caused spam to be received was the user giving out their email address to a non-trustworthy source.

    How is having a second email address that people will just type into any webpage that promises free porn and bypasses Challenge/Response going to curb the spam problem? I give this system only 1-2 months before spam is back at its initial volume, just using the new email address instead of the old.

    You need to also educate users about the problems of giving their email address out to disreputable places on the net. A lot of users don't correlate their spam problem with the fact that they typed their email address into some website to get a free porno password the night before.

    --
    "When the president does it, that means it's not illegal." - Richard M. Nixon
    1. Re:One problem with this system. by mzs · · Score: 1

      What if you were able to get these sorts of email addresses for a temporary amount of time. Say you have a UI where you can specify a duration for the temporary email address that is generated on your behalf. Also the UI allows you to request an email address that was not time limited. When you were through with the transaction you could go back to the UI and disable that one. The email provider could limit the number of temporary addresses you have open at any one time to a small number to encourage you to remove the ones where your transaction was completed. (Also to limit abuse of the system.)

      As a concrete example imagine that your name was John Doe and you are ordering some widgets from foo.com and your email service provider is bar.com. You have a UI that asks for the following which you might fill-in something like this:

      Description: Buying widgets
      From: foo.com
      Duration: open ended

      You might get a temporary email address to use something like this:

      john.doe-buying.wid-foo.com-fhl9s4q1@bar.com

      The UI would list your temporary email addresses with the full descriptions and expiration dates to make it easier for you to manage them. The last eight characters are some sort of one time hash that is likely different for each temporary email address that you create and difficult to predict from the prior hashes. Most of the work in generating the temporary email addresses could be done on your client with the server verifying that you maintain no more than the maximum number of addresses that you are allowed.

    2. Re:One problem with this system. by datavortex · · Score: 2, Informative

      Then, if you added a dozen more equally clever features, and a nifty web interface available, you would have TMDA

      :)

      --

      He either comes off as a real interesting guy with encyclopedic knowledge, or a pathological liar with an ax to grind
    3. Re:One problem with this system. by illumin8 · · Score: 1

      Nice solution. I think that would work just great. I believe there is a service like Hushmail that does this already, but I can't think of the name. I don't know if they do the challenge response thing, but they do allow you to create many one-time email addresses, even enough to give every online merchant you buy from a different email address, so when you start to get spam from one you can immediately tell who's been selling your info.

      --
      "When the president does it, that means it's not illegal." - Richard M. Nixon
    4. Re:One problem with this system. by Anonymous Coward · · Score: 0

      Wow! Thanks for the link to this.

  155. What about "unsubscribe" messages? by Kyont · · Score: 1

    Maybe I'm missing something, but what about "unsubscribe" messages? By definition, it's to an address or domain from which I no longer want to receive anything... I guess you just have to remember to go and delete it from your "sent to" whitelist before the spammer picks up on your address being legit?

    (Most of us probably gave up back in the early days on trying to unsubscribe to anything, due to the prevalence of bogus headers, but people who try to unsubscribe may do themselves more harm than good - kind of like the current situation)!

    --
    You shall see a cow on the roof of a cotton house.
  156. Earthlink DOS themselves by Anonymous Coward · · Score: 0

    From: postmaster@earthlink.net
    TO: customers@earthlink.net
    BCC: user1@ear......user100000@earthlink.net
    Subject: Changes to our email system

    Our Email system will implode in an effort to combat spam. Blah blah blah...........

  157. Mailing lists not a problem for the clueful (rtfa!) by Anonymous Coward · · Score: 0
    The challenge-response system will be optional and free for EarthLink subscribers, Anderson said. It will allow users to automatically clear the e-mail addresses of friends, family members and other associates in their electronic address books, so those people would not receive the challenge e-mail.

    This means that all list traffic won't bounce for earthlink subscribers. Only those who enable challenge-response are affected. When they do so, they can upload their "whitelist" to avoid problems. So linuxgazette-announce and the other lists I subscribe to won't be bounced.

  158. Drastic measures, NOT stupid measures by Anonymous Coward · · Score: 0

    Drastic times call for drastic measures, we're agreed - but NOT for STUPID measures that won't work!

    If one can look ahead and see that this measure will be easily defeated by spammers, then envision a counteractive step to make the system work again, then see it being defeated again, then imagine another counteractive step, ad infinitum, then it makes no sense to take the first step, especially given the enormous cost and disruptive effects of that step.

    All of the "solutions" people are proposing so far are stupid because they're going to be ineffective even though they will only be implemented at great cost:

    - cooperative filtering by volunteers.
    +++ Easily defeated, subjective.

    - spammers must set the Evil Bit
    +++ Well then they wouldn't be spammers, would they?

    - ban spam with laws
    +++ Who's going to enforce them when the spammers are in china or using compromised systems in china from elsewhere?

    - challenge-response or automated bounce whitelists
    +++ Breaks all kinds of things, turns email servers into an even bigger than normal distributed denial of service attack tool (forge the from to be the target).

    - "simple" whitelists
    +++ Relies on easily forged and guessed From headers, does nothing to lower spam's bandwidth burden.

    - Relay blocking based on network address (MAPS)
    +++ Rejects too much legit email, doesn't get a high percentage of spam.

    - PGP signing of messages
    +++ Have to accept and check the entire message in order to decide whether it's valid, doing nothing to deal with the spam bandwidth burden.

    Each and every one of the ideas above WILL NOT WORK. Therefore they shouldn't be implemented.

    But it's not hard to imagine what WILL work. Combine whitelisting with a protocol that allows whitelist checking to be distributed and ensures that whitelist sender addresses are impractical to forge.

    Take any one of those three things and think about them and they're simple:

    - whitelisting: Only accept email from people we pre-approve.

    - protocol for distributed checking: A sender's ISP email server should be able to check the recipient's whitelist server to see whether the message will be accepted before it even attempts delivery, saving bandwidth all the way back to the originating ISP. The protocol should allow a recipient to easily update his whitelist settings on his ISP's server.

    - prevent whitelist sender forgery: PGP *is* good for validating identity, although it may need to be tweaked a bit.

    With those three things in place, whitelisting becomes an effective tool far into the foreseeable future. Without them, whitelisting is just one more expensive half-measure waiting to be compromised.

    Here's an idea for a typical email sending session with such a system in place:

    1. Spammer sends email towards target, via his ISP's mail relay.

    2. His ISP's mail relay checks for a whitelist server designated for the recipient domain. It finds one, so it asks the recipient's whitelist server whether the spammer is allowed to email the recipient.

    3. The recipient's whitelist server checks the spammer's credentials and decides they're invalid or missing, so it says, "No, not going to accept it."

    4. The spammer's ISP then rejects (either immediately or after accepting) the message. Never did it make an smtp connection to the destination mail server, and only a small amount of network traffic happened.

    At this point, you may be thinking, "But that was still quite a bit of traffic to the recipient whitelist server." That's true - but the whitelist server doesn't have to be the recipient's mail server, and it doesn't have to be connected via bandwidth that the recipient pays for.

    For example, even if a company runs its own mail server on the remote end of an expensive T1 link, its whitelist server and its primary MX may be set to an ISP-provided server on the other side of the T1. The ISP can provide this as a service to
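The four-step exchange the post sketches (sender's relay asks the recipient's whitelist server before ever opening an SMTP connection), as an added example that is not code from the post: both sides' messages are logged so the exchange can be read back. The sender proves identity with an HMAC under a key the recipient registered when approving that sender; that is a stand-in for the PGP signature the post proposes, since the Python standard library has no OpenPGP support. All names and keys are constructed.

```python
import hashlib
import hmac


def sign_envelope(sender_key, sender, recipient, message_id):
    """Sender's client: bind sender, recipient and message id under the
    sender's key (stand-in for a PGP signature over the same fields)."""
    data = "\x00".join((sender.lower(), recipient.lower(), message_id)).encode()
    return hmac.new(sender_key, data, hashlib.sha256).hexdigest()


class WhitelistServer:
    """Answers 'may this sender mail this recipient?' without ever seeing the
    message. It can live at the recipient's ISP rather than on the recipient's
    own mail server, which is the post's point about bandwidth."""

    def __init__(self):
        self.whitelists = {}   # recipient -> {sender: key registered on approval}
        self.log = []          # the exchange, for illustration

    def approve(self, recipient, sender, sender_key):
        self.whitelists.setdefault(recipient.lower(), {})[sender.lower()] = sender_key

    def revoke(self, recipient, sender):
        self.whitelists.get(recipient.lower(), {}).pop(sender.lower(), None)

    def check(self, recipient, sender, message_id, proof):
        """Steps 2 and 3: the relay's query and the server's verdict."""
        self.log.append(f"relay -> whitelist: may {sender} mail {recipient}? id={message_id}")
        key = self.whitelists.get(recipient.lower(), {}).get(sender.lower())
        if key is None:
            # Not pre-approved. Same answer as a bad proof, so a probing
            # sender learns nothing about who is on the list.
            verdict = "REJECT"
        else:
            expected = sign_envelope(key, sender, recipient, message_id)
            verdict = "ACCEPT" if hmac.compare_digest(expected, proof) else "REJECT"
        self.log.append(f"whitelist -> relay: {verdict}")
        return verdict


def relay_submit(server, sender, recipient, message_id, proof):
    """Step 1 and step 4: the sender's ISP relay. Only an ACCEPT leads to an
    SMTP connection to the recipient's MX; a REJECT goes back to the sender
    without any traffic reaching the recipient's mail server."""
    verdict = server.check(recipient, sender, message_id, proof)
    return {"verdict": verdict, "smtp_attempted": verdict == "ACCEPT"}


if __name__ == "__main__":
    srv = WhitelistServer()
    alice_key = b"constructed-key-for-alice"           # constructed, not a real key
    srv.approve("bob@isp.example", "alice@example.org", alice_key)

    good = sign_envelope(alice_key, "alice@example.org", "bob@isp.example", "<1@example.org>")
    print(relay_submit(srv, "alice@example.org", "bob@isp.example", "<1@example.org>", good))

    # A spammer forging alice's address does not hold her key, so the proof fails.
    forged = sign_envelope(b"spammer-guess", "alice@example.org", "bob@isp.example", "<2@spamco.example>")
    print(relay_submit(srv, "alice@example.org", "bob@isp.example", "<2@spamco.example>", forged))
    print("\n".join(srv.log))
```

The whitelist server answers only a yes/no question, so a spammer's relay gets the same short REJECT whether the forged sender is unlisted or listed with a bad proof; the message itself never leaves the originating ISP.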

  159. won't work by Cynikal · · Score: 1

    "The system automatically recognizes future e-mails from the same sender, so the verification needs only to be performed once."

    and how long do you think it will take for spammers to then obtain "pre verified" email addresses? they may even use yours... so not only will it make life difficult for the regular joe. my idea has always been completely server side.. you send an email, my pop server will challenge your smtp server to be sure that you have an account on it, that the account is valid, and that the ip you're using is on their network.. the idea goes a bit deeper than that, but I'm at work right now and don't have the time to go too deep into it right now.

  160. Studies show... by EdMcMan · · Score: 1

    The number of procmail recipes increasing greatly

  161. Sounds good to me... by StressGuy · · Score: 1

    As an Earthlink customer with a couple of small kids it would be nice to at least block the porn (and BTW - my penis size is just fine thank you very much). I see this challenge-response approach as a minor inconvenience that clears up a major one. The only problem I can see is with spammers that put someone else's e-mail address in the "from" column. Even so, this should mitigate a lot of it.

    --
    A goal is a dream with a deadline
  162. Re:Earthlink should look for mailing list headers. by Anonymous Coward · · Score: 0

    Or they could look for routing headers that don't agree with the return address, and challenge those specific messages. Challenging the forged return addresses targets the majority of the spam traffic, especially that from "kingpin" spammers and con-artists (who need the anonymity to survive). Perhaps that could be an optional level of protection? It solves most of the clueless average user problems while blocking most of the spam. Of course, the spammers will look for new ways...arms races seem to be eternal!
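The check this comment suggests (routing headers that disagree with the return address), as an added example rather than anything from the comment or from Earthlink: it reads the topmost Received header, which is the one the receiving MX wrote about the host that actually connected to it, and compares that host with the domain of the return address. The two sample messages are constructed. A "mismatch" is the class of message the comment proposes challenging; it is not proof of forgery, since mail sent through a third-party outbound relay looks the same.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first arrived from a host in
# the sender's own domain; the second claims alice@example.org but was handed
# to our MX by an unrelated relay.
CONSISTENT = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.isp.example (Postfix) with ESMTP id CONSTRUCTED1
    for <bob@isp.example>; Mon, 01 Jan 2001 12:00:00 +0000
From: Alice <alice@example.org>
To: bob@isp.example
Subject: hello

Hi Bob.
"""

FORGED = """\
Return-Path: <alice@example.org>
Received: from relay.spamco.example (HELO example.org) (198.51.100.77)
    by mx.isp.example with SMTP; Mon, 01 Jan 2001 12:00:00 +0000
From: Alice <alice@example.org>
To: bob@isp.example
Subject: special offer

Buy now.
"""


def sender_domain(msg):
    """Domain of the return address: Return-Path if present, else From."""
    addr = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    return addr.rpartition("@")[2].lower()


def first_hop_host(msg):
    """Host named in the 'from' clause of the topmost Received header. That
    header was added by our own MX, so it is the one hop we observed ourselves;
    lower Received lines were written by other parties and can say anything."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    text = re.sub(r"\s+", " ", str(received[0]))
    m = re.match(r"from\s+([^\s(]+)", text, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def classify(raw):
    """'consistent' if the connecting host is in the return address's domain,
    'mismatch' if it is not, 'unknown' if either side cannot be determined."""
    msg = message_from_string(raw)
    dom, host = sender_domain(msg), first_hop_host(msg)
    if not dom or not host:
        return "unknown"
    return "consistent" if host == dom or host.endswith("." + dom) else "mismatch"


if __name__ == "__main__":
    for name, raw in (("consistent", CONSISTENT), ("forged", FORGED)):
        print(name, "->", classify(raw))
```

Because only the topmost Received header is trusted, a spammer who inserts fake Received lines below it gains nothing; the comparison also needs the connecting host's name to be the one the MX resolved, not the HELO string, which is why the regex stops at the first parenthesis.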

  163. Re:Now the spammers get address validation for fre by Ark42 · · Score: 1

    Hire poor college kids to wade thru the validation requests and manually get your spam thru. I'm sure it will happen if spammers really want to get their message thru.

  164. Having written a similar system, I have questions. by kaoshin · · Score: 5, Insightful

    If someone from earthlink emails someone else from earthlink, how would challenge response be handled then? Do they make all mail that is sent returnable without challenge responses, and if so is this a temporary rule or are the addresses of all mail you send permanently whitelisted?

    If the challenge response triggers a mail daemon reply, is it filtered or do you get flooded with those replies caused by all the spammers with forged addresses? If they are filtered, how do you know when mail you send doesn't go through without the use of message receipts since mailer daemon replies are all different.

    If I mass email tons of earthlink addresses with a forged from address, would it mailbomb the fake address, or do they have flood protection to prevent this?

  165. Re:Now the spammers get address validation for fre by Anonymous Coward · · Score: 0

    I thought the verification is once per Earthlink user, but I've reread the story and it isn't clear. I still believe it's once per sender-receiver pair, but I'm not willing to search out the truth.

  166. Re:Now the spammers get address validation for fre by Anonymous Coward · · Score: 0

    All they need is an 800 number for alternative verification. Next you'll say, "I guess blind and deaf people will just have to give up on using email then?" I say, "Get a life!"

  167. What's wrong with you? by Anonymous Coward · · Score: 0

    Jesus, someone offers a way to do the same thing from your own account w/o involving dependency on a third party and you have to be a fishstick about it. chill.

  168. please send me SpamAssassin Config for Squirrel M. by urbieta · · Score: 1

    Please send me SpamAssassin Config for Squirrel Mail to cucnews at yahoo doot com ;), I can't get anything from the website you sent

    thanks

  169. Re:Now the spammers get address validation for fre by deblau · · Score: 1
    after all, it's not like that couldn't be easily automated

    Sorry, that's the whole point behind C/R. I show you an image of a bicycle (or a teepee or a mountain or a list of numbers, etc etc) and ask you 'what is this image'. If you can show me an image processing program that responds correctly in all cases, let me know, I've got $1 million for you. And don't tell anyone else I asked.

    --
    This post expresses my opinion, not that of my employer. And yes, IAAL.
  170. Re:Top-Posting?? by cayenne8 · · Score: 1
    Hmm..interesting, I'd never known about 'top posting'...in fact, I got annoyed when I had to read through a TON of stuff that hadn't been snipped just to get to the 3 lines of an answer.

    Because of this..I had thought that posting the answer first, where you could read it quickly would be best...

    You find this really annoying when reading groups through Google, where the long messages are continued through another link..so, you have to read 2+ pages to get to the bottom of LONG threads to read the 3 line answer at the bottom....

    Anyway, nice to learn something new every day...

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  171. Why legislative measures? by Anonymous Coward · · Score: 0

    Legislative measures against spam are useless without enforcement. Enforcement usually requires two things: (1) a reduction in the choices citizens can make (to curb activities that lead to spam), and (2) a decrease in privacy (to expose information to find spammers). The decrease in liberties affects *everyone*, not just the spammer.

    Why would I give up any liberty, no matter how small, so law enforcement can protect me from a spammer?

    1. Re:Why legislative measures? by lommer · · Score: 1

      What liberties would you have to give up? The right to send mass unsolicited emails is all. If you do a lot of mass emailing for legitimate purposes, then you can simply include a checkbox (on paper or online) that gives the recipient's express consent to be emailed. Enforcement is easy, anytime someone receives a spam, they can forward it to the FTC (as is already implemented). The FTC can then launch a case against the spammer. Even if the spammer disguises their identity, this can be revealed by bringing the advertised company into court and serving them a subpoena to reveal their financial records to see which spammer they hired. It would probably also be appropriate to serve the company some sort of punishment for hiring the spammer in the first place. If spammers spamvertise companies without their express consent, then the company could be free to pursue a civil suit against them for damages.

      How this entire process infringes on your civil liberties is completely beyond me. This is NOT the patriot act or something. The ONLY problem that presents itself is the international nature of spam. However, if enough countries cooperate on this issue then other countries (e.g. Korea) will be forced to comply or else many people will simply block ALL email from that country.

  172. Oh, it's possible by xant · · Score: 1

    Some of these tests can be beaten by computers (with much CPU time), some of them cannot yet. All of them are nearly "AI complete" and all of them are backwards- but not forwards-solvable. The important thing is that the cost of solving the problem by a computer is far greater than the benefit derived by solving it, to keep spammers away.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  173. How about another approach... by mpthompson · · Score: 1

    Sorry, I just don't see this system of authentication working. This system seems like it would filter out far too many useful emails that are automatically generated such as on-line sales receipts, shipping status information, newsletters and such. As bad as SPAM is, this alone would make it a no-go for me.

    I always wondered why legitimate email servers can't obtain a signed certificate similar to the ones for SSL. There is a fairly lengthy, well-established process for getting a properly signed certificate with a definite lifetime that firmly identifies who is at the other end of a TCP/IP pipe. These certificates would be exchanged at the start of a TCP/IP session between email servers similar to SSL certificates. If they so choose, an organization can then configure their email server to only accept email from other email servers that have properly signed certificates. Mail could also be accepted from servers with unsigned certificates, but these would have to be manually installed at the receiving end similar to how you would install an unsigned SSL certificate in your browser. Also, email from originating servers without certificates or with unsigned certificates could be so marked in the headers for disposal by the end user if they so desire.

    Such a system would seem to have many advantages. The vast majority of legitimate email servers could easily obtain and renew certificates for sending email using a well-established process they already use for obtaining SSL certificates. These servers would form a trusted network of identified servers where SPAM could be detected and offending servers cut out from the trusted network in a variety of ways. Ultimately, organizations that flaunt the system would be unable to renew their certificates and they would be permanently tossed out of the trusted network.

    As an end user sending email, to be sure that you are able to send email within the trusted network, your organization (school, business, charity, whatever...) needs to have an email server with a signed certificate or you need to belong to an ISP with a signed certificate that you use for sending email. If you didn't have this, you would still be able to use the existing email infrastructure, but you would probably find that an increasing number of servers would reject your email as coming from a non-trusted source.

    I'm certainly not an email protocol expert so I wouldn't be surprised if someone could poke 100 holes in the system I described above, but I am pretty sure that the ultimate solution will require a combination of technology (signed certificates) and bureaucracy (Verisign, et al.) to form a trusted network for email that SPAMmers can be quickly and efficiently ejected from.

    1. Re:How about another approach... by grishnav · · Score: 2, Interesting

      I run a legitimate e-mail server for my family, but cannot afford an SSL certificate for it. I instead use a self-signed one.

      If self-signed certificates would be allowed, then spammers would make their own. So that can't be allowed.

      If they are prompted, as you suggested earlier, it would inevitably lead to people who just ignore invalid ones, because they are sick of being prompted. My little mail server gets creamed.

      Nice idea, but unless you get Verisign to give away free certs, I can't see it working.

  174. Room 101 by Anonymous Coward · · Score: 0

    I believe that room 101 would be suitable for re-educating spammers

  175. 100% Correct by Anonymous Coward · · Score: 0

    The thing you can trust is the MX record from DNS. 'Is this server trustworthy?' is a far better question to ask than 'is this account trustworthy?'.

    This solves the mailing list problem, as once I send the request to listserv-request@somedomain.com the server is whitelisted.

    This solves the accountability problem, as you can track who added the server to the whitelist.

    Finally, this keeps the size of the whitelist feasibly small.

  176. One more to consider by vseryakov · · Score: 1

    Check out

    www.maverixsystems.com,

    it is an appliance which sits between the MX and the mail server and does all the work. In production on a couple of sites, works great.

  177. GET CHALLINGE DATABASE TODAY by istartedi · · Score: 1

    ALL NEW DATABACE. OVER 50,000 CHALLENGES AND RESPONSES. GAURANTEED TO WORK. JUST SEND $29.95 TO IVAN RIPITOV, PO BOX 456, MOSCOW, RUSSIA.

    Send e-mail to ivan@mafia.ru for more info on daplamas, diploomas, penice and virginia enlargement.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  178. Answers - TMDA FAQ by corz · · Score: 1

    Almost all of the questions I have seen here about challenge/response systems have already been answered in the TMDA FAQ. If you have a question about how these systems work, try looking there first, you may find your answer.

  179. Hmm, not the solution - what about ....? by leeet · · Score: 1

    Most spammers fake their domains. I've seen spam coming from big companies like apple.com (probably using a spoofed address).

    So what do you do? Other than "white listing" each and every email you get, this will still allow spam to come through...

    Besides, even if a challenge is sent, wouldn't you want to make sure those emails are all spam? Maybe (most likely) automated emails (like noreply@store.com or customer@company.com) won't reply to the challenge, thus you won't get those emails. So basically, you'll still have to take a look at the spam just to make sure you get all those emails.

    What I see is a similar solution but at the sendmail level. Make it an automatic challenge/response issue. If a sender sends an email, there should be a flag set on the server. When you get an email, the software should check to make sure the flag exists on the remote server. If not, this is a spam (the email was basically spoofed).

    --
    -- Leeeter than leet
    1. Re:Hmm, not the solution - what about ....? by grishnav · · Score: 1

      Interesting idea, but what exactly is the "sendmail" level? I use qmail myself...

  180. Re:Why put the burden on people sending you e-mail by Admiral1973 · · Score: 1
    I agree with you that spam is more than just an irritation. But *I* don't think that the burden of spam prevention needs to be placed on my friends and family. I'd rather see anti-spam filters like the one in Mozilla Mail applied on a larger scale. I don't know what criteria Earthlink's Spaminator uses, since it misses at least 15-20% of the spam that I receive. But it's a good start.

    I'll be interested to see how Earthlink promotes this new system to its subscribers, and how many of the non-technical ones decide to implement it. I'm concerned that it's going to be too awkward for everyday users to use.

    --
    Lousy minor setbacks! This world sucks! -- Homer Simpson
  181. 1st rule - Fix sendmail by leeet · · Score: 1

    1. Spam would greatly be reduced if people wouldn't allow sendmail to use unresolvable domain names (dfkljdsf.com). There is a flag and it's up to (lazy) admins to fix this problem.

    2. Spam would be reduced if the same admin would turn off open relaying on their own machines. It's "ok" to use it internally, but PLEASE not on a mail gateway!

    3. Upgrade sendmail and read http://www.sendmail.org/antispam.html - if you're using windows, well hmm I don't know :)

    Quit slashdotting and fix your sendmail.cf

    PS: Also fix your broken proxy and vulnerable mailto scripts - if you need help, hire me :)

    --
    -- Leeeter than leet
  182. Who stands to make money? by Anonymous Coward · · Score: 0

    I can see it now: Verisign and others charging $895/yr for a certificate that allows you to sign your messages. Without it, nobody can receive your mail.

  183. I wonder by dybdahl · · Score: 1

    I wonder if they're using Active Spam Killer:

    http://a-s-k.sf.net/

  184. Re:Having written a similar system, I have questio by datavortex · · Score: 2, Informative
    If the challenge response triggers a mail daemon reply, is it filtered or do you get flooded with those replies caused by all the spammers with forged addresses?
    As you will find to be the case with most C/R systems, the challenge is sent with a null envelope.
    If I mass email tons of earthlink addresses with a forge from address, would it mailbomb the fake address, or do they have flood protection to prevent this?
    Yes. There are daily (and other) limits to how many challenges are sent to an address or server.
    --

    He either comes off as a real interesting guy with encyclopedic knowledge, or a pathological liar with an ax to grind
  185. You guys still get spam? Ha ha. Losers. by LesPaul75 · · Score: 1

    I can't believe how behind-the-times you all are. The spam problem has been solved for over a month. And it was covered on slashdot FOUR times, for crying out loud:

    one
    two
    three
    four

    All you have to do is filter e-mail packets with that bit set. Get with the program, people.

  186. Nobody here gets it - C/R based on FROM is doomed by Anonymous Coward · · Score: 1, Informative

    Email addresses are forgeable. The from / reply-to fields are NOT TRUSTWORTHY - they are effectively USELESS for ANTISPAM purposes. Once an effective whitelist system is in place that relies on from, we'll see spam that works like Klez.

    The only way to effectively defend against SPAM is at the IP level - via MX from DNS.

    Hotmail, yahoo, free mail clients etc. are all doing a good job of policing themselves. If they can't police themselves, then punt the server. The spamboxen which increase the scale of spam that can be sent are the real problem.

    The other important thing to do is to TAG the messages that aren't on the whitelist rather than deleting them, so the user can still find them.

    Is this harder to use than current mail? I say NO because the amount of spam that people have to deal with is now so bad that the cost of managing the list is less than the cost of managing the spam.

    But half the poseurs/posters here don't even understand how whitelisting or SMTP work before they go blathering off about 'throw out SMTP' or 'I won't get my f*cking mailing list'
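Server-keyed trust as this comment and comment 175 above describe it (judge the connecting server against the sender domain's MX records, whitelist servers rather than addresses, and tag rather than delete), as an added example that is not code from either comment. The zone data is a constructed in-memory table standing in for DNS, so the block runs offline; a deployment would resolve the records live. One caveat the comments do not spell out: many domains send outbound mail from hosts that are not their inbound MX, so this verdict is a tagging signal, as comment 186 says, not a reason to reject on its own.

```python
import ipaddress

# Constructed zone data standing in for DNS lookups (not real records):
# domain -> MX host names, host name -> addresses.
MX = {
    "example.org": ["mx1.example.org", "mx2.example.org"],
    "isp.example": ["mail.isp.example"],
}
A = {
    "mx1.example.org": ["192.0.2.10"],
    "mx2.example.org": ["192.0.2.11"],
    "mail.isp.example": ["203.0.113.5"],
}


def mx_addresses(domain, mx=MX, a=A):
    """All addresses of a domain's MX hosts (empty set if it publishes none)."""
    return {ipaddress.ip_address(ip) for host in mx.get(domain, []) for ip in a.get(host, [])}


def sender_host_verdict(client_ip, mail_from, mx=MX, a=A):
    """Is the SMTP client one of the servers the envelope sender's domain
    publishes in DNS? Returns a tag for the message headers, never a drop."""
    domain = mail_from.rpartition("@")[2].lower()
    if not domain:
        return "no-domain"
    addrs = mx_addresses(domain, mx, a)
    if not addrs:
        return "no-mx"
    return "trusted" if ipaddress.ip_address(client_ip) in addrs else "untrusted"


def tag_header(verdict):
    """Header to add so the user can still find untrusted mail (comment 186)."""
    return f"X-Sender-Host: {verdict}"


class ServerWhitelist:
    """Whitelist keyed by server rather than by address (comment 175): mailing
    a domain, e.g. listserv-request@somedomain, whitelists that domain's MX
    hosts, and the list stays small because it holds domains, not senders."""

    def __init__(self, mx=MX, a=A):
        self.domains = set()
        self.mx, self.a = mx, a

    def note_outgoing(self, rcpt, added_by="user"):
        domain = rcpt.rpartition("@")[2].lower()
        self.domains.add(domain)
        return {"domain": domain, "added_by": added_by}   # accountability record

    def accepts(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in mx_addresses(d, self.mx, self.a) for d in self.domains)


if __name__ == "__main__":
    print(tag_header(sender_host_verdict("203.0.113.5", "user@isp.example")))
    print(tag_header(sender_host_verdict("198.51.100.7", "user@isp.example")))
    wl = ServerWhitelist()
    print(wl.note_outgoing("listserv-request@example.org"))
    print(wl.accepts("192.0.2.11"), wl.accepts("198.51.100.7"))
```

The trust decision here never looks at the From header, which is the point both comments make: the connecting IP is the one thing in the session the spammer cannot choose freely.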

  187. Does mean... by Esekla · · Score: 1

    that Earthlink/Mindspring will give up on blocking "residential" IP addresses? AOL seems to have already given up on that scheme.

    I will not send mail through my local ISP's SMTP server as I'm not so hot on the retry settings. Consequently, I've told Earthlink/Mindspring customers that they just won't get mail from me anymore unless they change ISPs. Some of them are hopping mad at Earthlink about the whole thing. I'm sure they'd be happy to hear that Earthlink is finally going to stop blocking their incoming legitimate mail.

  188. This DOES work. by Anonymous+Psychopath · · Score: 2, Informative

    I've been using TMDA (http://www.tmda.net) for well over a year now, had maybe five or six spam emails sneak through the system in that entire time. Twice a day it sends me a list of "pending" emails so I can manually release and/or whitelist a message.

    Challenge/response systems DO work, and they work extremely well. I think those who have not used one should give it a try before throwing rocks.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  189. Won't work by anthony_dipierro · · Score: 1

    The Washington Post reports that Earthlink is preparing to offer new spam filter technology that requires sender authentication.

    I guess earthlink customers can't sign up for a slashdot account.

    This solution won't work until webmasters realize that providing an email address is no more evidence that you are not a troll than providing a driver's licence is that you are not a terrorist.

  190. Automated whitelisting will NOT work by 3.1415926535 · · Score: 1

    Automated responses to whitelist queries will not guarantee that the Reply-To address is valid. Somebody can create an address dedicated to responding to e.g. TMDA queries, and then everyone and his brother can use that as the sender. Bounces, flames, and whitelist queries would go to that address and be promptly ignored.

  191. Whats the struggle? by crazysim · · Score: 0

    On and off switch and a faq if u bitch

  192. I did that years ago! by Anonymous Coward · · Score: 0

    Years ago I did that (in Perl) for my Waffle (DOS-based e-mail & Usenet) system. Basically it kept a list of authorized mailers. E-mail from unauthorized sources got an automatic reply with random selection of message (you could write as many of these as you want, to try to avoid automatic message parsing) and passcode. They had a predetermined time (default 3 days) in which to respond and have their e-mails after that passed on through. (You could also disable specific sources forever, though that's of less value.)

    Never ported it after I shut down Waffle, though the code's out there in some public archive somewhere. The announcement is probably in the Google Usenet archives (for Waffle) too.

  193. An alternative solution? by NanoProf · · Score: 2, Interesting

    A fundamental problem of Spam is that the sender of an email cannot be identified and verified with 100% accuracy, so it is difficult to filter 100% effectively. However, there is one and only one part of an incoming message that must of necessity be accurate- the To: address. So use the To: address to identify the sender! Publish your public address: "foo@bar.com". Any email to foo generates a reply "Thanks for the note. Mr. Foo loves you so much that he's generated a special personal email address just for you to use: 'foo_RANDOMSTRING@bar.com'. Please use this address in the future- sorry but you'll need to resend the message just sent to this new address. Don't ever give out this special address to anyone else, because if Mr. Foo begins to receive spam on this To: address, he will automatically filter all future messages to foo_RANDOMSTRING straight to the trash." Every sender gets a unique RANDOMSTRING, so you can filter on the To: address. It's similar to throw-away email addresses, but coupled to a public address that triggers auto-generation of new RANDOMSTRING addresses. The sender has the inconvenience of adding foo_RANDOMSTRING@bar.com to their address book. Also, spammers can read the auto-reply and then add foo_RANDOMSTRING to their spam list, but this could be made difficult by putting it in a distorted gif image. The email client would also need to be configured to set Reply-To: correctly on followups. One nice thing is that for user-requested bot-generated emails, one can simply give them a new RANDOMSTRING-based email address right off in the registration form or whatever. The ever-expanding number of foo_RANDOMSTRING@bar.com addresses adds to the overall load on the servers, but is that handle-able (nasty things could happen if your inbox got DoS'd)? In such a world, people would get used to pinging new people with just a short message to obtain their personalized RANDOMSTRING address. Kind of a weird system but maybe it's interesting to think about?

    --
    Curtains for windows?
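    The per-sender tagged-address scheme NanoProf sketches, as an added example that is not part of the comment or of any real mail system. It assumes the constructed mailbox foo@bar.com from the post, a 12-hex-digit random tag per sender, and that only the To: address is consulted when routing inbound mail. The owner "burns" a tag once spam arrives on it, after which everything addressed to that tag goes to the trash; unknown tags are trashed as well, so a guessed address gains nothing.

    ```python
    import re
    import secrets
    from dataclasses import dataclass, field
    from typing import Tuple

    # Constructed values for the hypothetical mailbox owner described in the post.
    PUBLIC_LOCAL = "foo"
    DOMAIN = "bar.com"
    PUBLIC_ADDRESS = f"{PUBLIC_LOCAL}@{DOMAIN}"
    # Tagged addresses look like foo_<12 hex digits>@bar.com
    TAGGED_RE = re.compile(
        rf"^{re.escape(PUBLIC_LOCAL)}_([0-9a-f]{{12}})@{re.escape(DOMAIN)}$"
    )


    @dataclass
    class TaggedInbox:
        """Hypothetical per-sender tagged-address filter following the post's scheme."""
        issued: dict = field(default_factory=dict)   # tag -> sender it was issued to
        burned: set = field(default_factory=set)     # tags that have received spam

        def issue_tag(self, sender: str) -> str:
            """Mint a fresh foo_RANDOMSTRING@bar.com address for one sender."""
            tag = secrets.token_hex(6)               # 48 random bits, lowercase hex
            self.issued[tag] = sender.lower()
            return f"{PUBLIC_LOCAL}_{tag}@{DOMAIN}"

        def burn(self, tagged_address: str) -> None:
            """Owner reports spam on a tagged address: retire it permanently."""
            m = TAGGED_RE.match(tagged_address.lower())
            if m:
                self.burned.add(m.group(1))

        def route(self, sender: str, to_addr: str) -> Tuple[str, str]:
            """Classify one inbound message purely on its To: address.

            Returns (action, address), where action is one of:
              'reply' - mail hit the public address; auto-reply with a fresh tagged address
              'inbox' - valid, unburned tag
              'trash' - burned or unknown tag
            """
            to_addr = to_addr.lower()
            if to_addr == PUBLIC_ADDRESS:
                # The auto-reply carries the new address; the sender must resend.
                return "reply", self.issue_tag(sender)
            m = TAGGED_RE.match(to_addr)
            if m is None:
                return "trash", to_addr              # not one of our addresses at all
            tag = m.group(1)
            if tag in self.burned or tag not in self.issued:
                return "trash", to_addr
            return "inbox", to_addr
    ```

    The sender's identity never enters the decision; it is recorded only so the owner can see whom a burned tag had been handed to. That is the property the post relies on: spoofing From: buys nothing, because the filter keys on the one field the spammer had to get right to reach the mailbox at all.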
  194. Challenge Response is a DDoS tool. by vipul_ved_prakash · · Score: 1

    Challenge/Response is a DDoS tool hidden in an anti-spam system. Consider this scenario: mallory@spamcompany.com sends out a million spams in which he puts alice@wonderland.com in the "From" field. Those running a challenge/response tool automatically send out a challenge to alice@wonderland.com on receipt of this spam. If there were 10,000 people running a challenge/response tool, Alice will receive 10,000 challenges! If all of these had 10k+ graphics in them (as they usually do), Alice would receive 100Mb of mail in a matter of a few minutes. This might disrupt Alice's mail servers, cause her to lose legitimate mail, waste several hours of her time, and quite likely force Alice (or her mail administrator) to drop all future challenges generated by the challenge/response software involved in the incident, even those sent on receipt of emails that were written by Alice. (See my complete response to PC Magazine reviewers on whitelisting and Challenge/Response here)

  195. What happens when 2 systems challenge each other? by Mustang+Matt · · Score: 1

    Maybe I'm missing something but what happens when I send an email to you and your system sends me a challenge using a different email address? Then my system sends yours a challenge and it could go on forever...

    Is there some simple way to prevent this?

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
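    An added example, not code from either commenter, showing the two guards a challenge/response gate needs against the problems raised in the previous two comments: a loop between two challenging systems, and forged-From backscatter. It assumes hypothetical mailboxes (alice@wonderland.example, bob@example.org), constructed messages handled in memory rather than over SMTP, and that challenges are marked with the RFC 3834 Auto-Submitted header, which the thread does not mention. A gate never challenges automated mail (so a challenge is never answered with a challenge), challenges a given claimed sender at most once per window (so a million forged messages from one site yield one challenge to the victim, not thousands), and auto-approves anyone the owner has written to.

    ```python
    import secrets
    from email import message_from_string
    from email.message import EmailMessage
    from email.utils import parseaddr
    from typing import Tuple


    class ChallengeGate:
        """Hypothetical challenge/response gate for one mailbox (added example)."""

        def __init__(self, owner: str, window_seconds: int = 86400):
            self.owner = owner.lower()
            self.approved = set()        # senders delivered without a challenge
            self.pending = {}            # challenge token -> sender awaiting a response
            self.last_challenge = {}     # claimed sender -> time of our last challenge
            self.window = window_seconds

        def record_outgoing(self, recipient: str) -> None:
            """Anyone the owner writes to joins the approved senders list."""
            self.approved.add(recipient.lower())

        def decide(self, raw_message: str, now: float) -> str:
            """Return 'deliver', 'hold' or 'challenge' for one inbound message."""
            msg = message_from_string(raw_message)
            sender = parseaddr(str(msg.get("From", "")))[1].lower()
            if sender in self.approved:
                return "deliver"
            if not sender:
                return "hold"                        # no return path: nothing to challenge
            # Loop guard: never challenge automated mail, including another gate's
            # challenge (Auto-Submitted) or mailing-list/bulk traffic (Precedence).
            if str(msg.get("Auto-Submitted", "no")).lower() != "no":
                return "hold"
            if str(msg.get("Precedence", "")).lower() in ("bulk", "list", "junk"):
                return "hold"
            # Amplification cap: one challenge per claimed sender per window, so a
            # forged-From flood produces a single challenge from this site.
            last = self.last_challenge.get(sender)
            if last is not None and now - last < self.window:
                return "hold"
            self.last_challenge[sender] = now
            return "challenge"

        def build_challenge(self, sender: str) -> Tuple[str, str]:
            """Return (token, raw challenge message) addressed to the claimed sender."""
            token = secrets.token_urlsafe(16)
            self.pending[token] = sender.lower()
            msg = EmailMessage()
            msg["From"] = self.owner
            msg["To"] = sender
            msg["Subject"] = f"Please confirm your message [{token}]"
            msg["Auto-Submitted"] = "auto-replied"   # lets the other side see automation
            msg.set_content("Reply to this message to have your mail delivered.")
            return token, msg.as_string()

        def accept_response(self, token: str) -> bool:
            """A valid response to a challenge approves that sender permanently."""
            sender = self.pending.pop(token, None)
            if sender is None:
                return False
            self.approved.add(sender)
            return True


    def demo() -> tuple:
        """Two gates mailing each other, using constructed messages only."""
        alice = ChallengeGate("alice@wonderland.example")
        bob = ChallengeGate("bob@example.org")
        t = 1_000_000.0
        first = ("From: alice@wonderland.example\r\nTo: bob@example.org\r\n"
                 "Subject: hi\r\n\r\nhello\r\n")
        d1 = bob.decide(first, t)                         # 'challenge'
        token, challenge = bob.build_challenge("alice@wonderland.example")
        d2 = alice.decide(challenge, t + 1)               # 'hold': never challenge a challenge
        d3 = bob.decide(first, t + 60)                    # 'hold': already challenged in window
        ok = bob.accept_response(token)                   # Alice answers the challenge
        d4 = bob.decide(first, t + 120)                   # 'deliver'
        return d1, d2, d3, ok, d4


    if __name__ == "__main__":
        print(demo())
    ```

    The per-sender cap limits what one site sends, not what ten thousand independent sites send, so it reduces rather than removes the backscatter problem; the loop guard, by contrast, fully breaks the two-gates ping-pong as long as both sides label their challenges.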
  196. Am I the only one that doesn't get spammed? by illumina+us · · Score: 0

    I rarely get e-mails. I might get 1 a day, maybe. I don't get spam, or anything of the ilk. So why should I worry about people who give out their e-mail address on every website known to man and put it on every form so they can get unsolicited e-mail, then I have to click two buttons to send a message rather than one!

    --
    -illumina+us "I put on my robe and wizard hat..."
  197. Thank you Earthlink!!!! but by Darth+Gambit · · Score: 1

    As a happy Earthlink customer I've noticed the shockingly large amounts of spam that get through their normal filter, so I'm happy that they're moving to a better system.

    However,

    What happens to normal mailing lists? I'm on a few lists at Yahoo.

  198. Feature not a bug! by bluGill · · Score: 1

    Before you say that, try living someplace where your actions are illegal? My church has several ministers in China. They store all their mail, both snail and real, outside the country. They don't write letters back home (and some write excellent letters) while they are in the country. They must travel outside the country to do those activities that most of us consider everyday.

    Sure there are many bad uses to forged headers. However if even once it can be used to get legitimate communication out of a repressive country then I'd prefer all the Spam I get (60+/day, most of it offensive) to losing that one communication.

  199. The key part is that it reverses the work ratio by Otisserie · · Score: 1

    Right now spam-catchers spend a lot of time designing a system to spot spam, and the spammers spend a tiny fraction of that time defeating the new system. A challenge system, ANY challenge, reverses that equation: the challenger spends a small amount of time creating a new challenge, and the spammer has to spend a lot of time figuring out how to make an automated response. Thus the arms race shifts from the bad guys to the good guys. Don't get hung up on what the challenge is to start with, it can be made harder with little effort.

    --
    Build a man a fire and he will be warm for a night; set him on fire and he will be warm for the rest of his life.
  200. You know what else will happen after it's deployed by autopr0n · · Score: 1

    Earthlink users will stop getting spam.

    Challenge response is the way to go to prevent spam.

    --
    autopr0n is like, down and stuff.
  201. RTFM by Anonymous Coward · · Score: 0

    Dumbass

  202. Re:What happens when 2 systems challenge each othe by surgeonsmate · · Score: 1

    I suggest that no two Earthlink customers will be able to communicate with each other unless they work something out beforehand to add each other to their approved senders list.

  203. Challenge-response by Scooby+Snacks · · Score: 1
    Well, probably no one will see this, but it had to be said.

    The Challenge-Response Authentication Protocol! ;-)

    Please mod me gently. :)

    --
    Runnin' around, robbin' banks all whacked on the Scooby Snacks...
  204. Re:Top-Posting?? by techno-vampire · · Score: 1

    Top posting isn't the answer; trimming the quoted text is.

    --
    Good, inexpensive web hosting
  205. Re:Now the spammers get address validation for fre by Anonymous Coward · · Score: 0

    But then the software analyzing the response needs to recognize bicycle, or bike, or Huffy, or whatever else a real person might describe it as (and account for capitalization, spelling mistakes, etc.).

  206. Re:Now the spammers get address validation for fre by chefbimbo · · Score: 1

    You're honestly believing that I'll go type text from an image just to send you a mail? I might click on a link like with TMDA or hit reply, but that's about as far as I go out of my way to help you get a spam-free inbox.