Slashdot Mirror
Earthlink Deploying Challenge-Response Anti-Spam System
deliasee writes "The Washington Post reports that Earthlink is preparing to offer new spam filter technology that requires sender authentication. AOL is still concerned that such technologies will put too much burden on consumers." The day after it's deployed, every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers...
On one hand it (Earthlink's new "technology") seems reasonable enough to the every-day-joe. I'm sure that the majority of Earthlink subscribers don't utilize news or mailing lists, and don't bother paying their bills online. For these people, it's fine. On the other hand, many others use online banking and other such automated tools (even account control mechanisms for online games will be affected). How quickly will all of these vendors conform to Earthlink's new technology and make the needed changes in their automated systems? Will Earthlink simply render many of these domains exempt?
The answer to solving SPAM resides in the current mechanisms used for the actual transmission and delivery, the mechanisms that all participants must use, not just Earthlink. This is of course the mail servers themselves.
How do two people with challenge and response communicate?
If the challenge always gets thrugh, then the spammer will just issue cahllenges as spam.
If they don't get through, then you would have a nasty mail loop.
If I have nothing to hide, don't search me
I think this will create way too much hassle. There are some people who wouldn't mind, but others (such as grandma) who have to be told three times where the power switch is won't really know what is going on. At least now when I don't reply I'll have a decent excuse... "but grandma, you forget to send it twice, so i didn't get it"
Seriously, what are they thinking? TMDA might seem like a nice idea in theory, in practice, it's a pain to use and not exactly safe either. Once this gets widescale usage, the spammers will simply start responding to the challenges (after all, it's not like that couldn't be easily automated).
This seems like it might be a good step, but it's missing the point. The only thing that will truly curb spam is to rework the SMTP protocol to not implicitly trust every host, as was mentioned in an earlier /. article.
me@challenge.earthlink.com
something like that. So that it allows users to gradually changeover to the system. That would allow them to be more extreme in their refusal to accept emails and much less compromising.
I like it.
I dunno. This may be painful for a bit, and increase the amount of mail, but in the long run it might be worthwhile. While I agree that it makes some peoples' jobs harder, those people probably aren't using the major ISPs/mail-services. If the major players do this, it makes it that much less profitable for spammers to do business.
I mean, if you're a spammer, a brute force mailing to joeuser.org is MUCH less profitable than mailing the same million messages to hotmail.com. Go big guys, go! It won't bother me at all.
Velociraptor = Distiraptor / Timeraptor
So when a spammer fires a few hundred or thousand emails to an ISP, they will sit on the mailserver waiting for him to respond.
Since the from address is faked, that same ISP will launch an acknowledgement flood against a third user.
Excellent.
I just see so many tricky things that someone somewhere will screw up.
What happens when the customer orders something from Amazon - the purchase confirmation email comes from a non-human address.
Just the other day I got an email from a company that I ordered software from describing a free upgrade that I could download. It came from donotreply@[host].com, meaning, if I was using Earthlink's system I probably wouldn't have received it.
The problem with Challenge - Response is that it makes the assumption that if there's not a human behind the email that it's spam. In practice, there are many legit emails that are not individually sent by a human.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
The answer is not attaching more bad ideas to an already bad protocol. The ultimate answer is in the protocol designers. A government/state can pass as many laws governing the interaction of people/things with the bad protocols, but the IETF/IEEE will still create them, and certify them. People should just wake up and realize that SMTP is to blame for this big mess. ISP's should stop offering SMTP outright, and think of ways to replace it. Chat programs are probably a better way to pass messages anyways. SMTP has become a massive bazaar that is full over everyone on earth, and since it is completely open, its also completely ok to send bulk mail. Forging headers is another issue, but simply spewing email is intrinsically allowed by the protocol, and thus taken advantage of. If everyone one on earth had a computer, and everyone on earth sent email to everyone else on earth every day, would that be spam? No, because it would cross the line into accepted practice, and that is what we are starting to see due to the sheer bulk of spam sent to everyone on a daily basis. The point is that as long as SMTP exists, so will spam. The answer is to replace SMTP with something that doesn't allow spam to exist by removing the ability to anonymously send people messages.
It isn't a lie if you belive it.
It drives network traffic as well up to the sky
But wouldn't the added traffic be more than compensated by the reduction in traffic that would ensue when the spammers go out of "business"?
Ich werde nie wieder denken
I see a slew of people saying "blah blah blah, they'll automate the response blah blah blah". And apparently, to alot of you, this is all new.
This is something that's been around for a few years and gee, spammers haven't gotten around it yet. C/R antispam systems work because spammers don't use valid Reply-to: or To: addresses.
If they did and the spam gets through the system, then great! There's one more point where we can nail them on when/if we go to hunt them down. Oh, you used your dialup with an SMTP server to auto-respond to the challenge (which is probably alot of work for the average evil spammer), great, email abuse@isp and have his account shutdown.
Since I have started using ASK to C/R my email. -zero- spams have gotten in my Inbox (which is what annoyed me the most about spam, the false positive I got when the little sound would ring telling me I had new mail.)
Intrusive? PLEASE! How lazy are you? Hit reply -once- and you'll never have to see it again when sending email to me. I'd say getting pelted with 200 spams a day is slightly more intrusive to me than what you're going to have to do to send an email to me.
I just wasted your mod points! HA!
Er, what?
eMail was not designed for such a challenge
So what? This system works within the standard. Who cares whether or not the designers foresaw it?
It drives network traffic as well up to the sky.
Hardly. If you're on Earthlink and decide to opt-in for this, it simply means that everybody you know has to send you one extra email once. Earthlink's traffic may be a bit higher for the first few days, but once people get their whitelists in order it'll drop back to where it is now - and below, because there'll be less spam floating around.
However, I do hope (the article didn't say) they've come up with a smart solution to the problem of spammers putting real (but stolen) addresses as their From: address. Otherwise people unlucky enough to have their addresses stolen may indeed find their network traffic increases, thanks to a million challenges from Earthlink.
So how do you respond to a challenge if you are just using a terminal or are blind? Obviously if the characters are obscured, the screen reading program can't read it, and they would have to be a graphic of some sort. Unless they just make an alt tag that tells you what it is. :)
These systems don't work that well. I have been designing and building my own for about 8 months now and have come to the following conclusions.
They are easily bypassed using a smart enough auto-responder. If all you do is fire back the original message then you're on their list.
They sometimes fail to pick up the human response. I have several cases where people will simply respond to the email, removing enough of the critical content, to render the reply useless. This comes in two flavors. Email clients will strip out the Header information needed, or people will strip out the Body information needed.
To impliment this upon a very large system like this is going to be a nightmare not only for their email administrators, but for everyone that they touch.
One of the biggest problems that these systems have is that they are totally incapable of handling Solicited email from a Bot. Examples include:
- Payment Confirmations (amazon.com)
- mailing list confirmations
- Profile Update Notifications (paypal, ebay..)
- Password changes or resets
It's going to be a pretty ugly system of implimentation.It would also be a problem for people with text based email clients
Well, imagine you have no job and selling yourself
You posted the resume, and waiting for emails.
Do you seriously expect that prospective employer will have time to respond to "confirmation" message?
The parent poster writes:
Remember when 14.4K was fast? So do I. And I think with a correction in the system, it can be a decent speed.
Nope. Sorry. There are 2 reasons why 14.4K will never be fast again:
Once this gets widescale usage, the spammers will simply start responding to the challenges (after all, it's not like that couldn't be easily automated).
In order to send responses to the challenges, it means the spammer has to provide at least a valid return address, and dedicate resources to responding to those requests (even if it is automated). It raises the cost of sending spam, and increases accountability due to the valid return address requirement, which is the best we can hope for with a SMTP-based solution for the time being. It's not perfect, but nothing is.
NO CARRIER
They are easily bypassed using a smart enough auto-responder. If all you do is fire back the original message then you're on their list.
Did you read the article? A picture of a word is sent to the sender. The sender then has to TYPE the word in a response email.
The autoresponder would have to be able to analyze a picture and interpret what 'word' was being shown. There are ways to make this more difficult for an AI to do.
They sometimes fail to pick up the human response. I have several cases where people will simply respond to the email, removing enough of the critical content, to render the reply useless. This comes in two flavors. Email clients will strip out the Header information needed, or people will strip out the Body information needed.
Maybe the system YOU designed words that way, but there should be NO reason why a response email should be rejected if the respondee followed directions.
One of the biggest problems that these systems have is that they are totally incapable of handling Solicited email from a Bot
You have a point here.
The fix would be for the enduser to be able to manually enter approved addresses. I.e.: I manually add in the rule that says mail from amazon.com is allowed.
ac
First of all, the system is completely optional for earthlink users. For the users that are stupid enough to opt-in, they deserve the extra hassles they'll receive.
...
... all their spam will arrive via bypass addresses. Awesome!
But here's what it means to me, a publisher of a popular website...
When a new user signs up for an account, they get a confirmation email. Since I'm not about to check the server's return-path for C-R messages, C-R users will be out of luck. This means that at the very least I'll have to update my site with a special notice during the sign-up process that will notify earthlink users to expect problems.
The crux of the matter, there are automated emails that will fall victim to this C-R paradigm that AREN'T spam!
So, what is earthlink's "fix" for this problem? Well, it appears as though they will assign special addresses that users can use for sign-ups, sales receipts, etc. that will bypass the regular C-R system. Ok, great. Two problems with that
1. If the special bypass addresses are only temporary, then my users' accounts will become invalid because their email address is no longer valid and I don't allow ghost accounts.
2. If the special bypass addresses are permanent, and they're used for sign-ups and sales receipts, well fsck! Thats where SPAM comes from. duh. Great
Skiers and Riders -- http://www.snowjournal.com
There are currently three defenses to this:
Admittedly it's not foolproof. There is no 100% effective way to combat spam (short of abandoning SMTP). There's always going to be a risk that some spam will leak through or that some legit email will bounce.
Well, the solution can be implimented on the user's end... I personally use Privoxy to filter out just about every ad and flash animation out there.
What I would like to see, is browsers giving preference to content, rather than bloat. Just imagine, you have an incredibly slow modem, but web-pages open-up instantly. You open 10 links at the same time, and they load right away...
The only thing browsers have to do is load the HTML first, then, only after each HTML page has been fetched, should it begin to fetch the images (smaller ones first, preferably), and flash animations or other embedded content last. That would be a great way to counter web-site bloat, and I'd consider it rather fair too.
If you look at the page for a seconds, and decide it isn't what you want, the bloat won't even be loaded... If you read it for a few minutes, the ads will be loaded eventually. Text ads, will be loaded instantly.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I've used Earthlink as an ISP for going on 6 years now, and I must say, I've never dealt with better. For one thing, in the years that I've had my earthlink address, I'd say I never get more than 3 or 4 spams per week. What is my secret? For starters, if I need to provide an e-mail address for something that may result in unsolicited messages, I use one of the free webmail providers (Hotmail, Yahoo!, etc.) I can check those to confirm what I wanted, then never check it again, and my Outlook (with my primary e-mail) doesn't fill up with useless crap.
Another way to stop the spam before it starts is to keep your e-mail address from getting on those lists in the first place. When posting to Usenet, BBSes, forums, even Slashdot, use some sort of clever cloaking (Slashcode does this already), or even a fake email. Encryption for e-mail such as using a free personal certificate from Thawte or a GPL encryption such as GNU Privacy Guard is always a good idea.
In addition, Earthlink's Spaminator is a Godsend. With that baby enabled, I'm lucky if I get one spam a month. Case in point: my mother has an Earthlink address that she uses for her business contact. She complained that she's getting hundreds of porn spam and "enlarge your penis"-type e-mails (no idea how these got here.) Setting up a few Outlook Express filters and enabling Spaminator cut the dirty messages by about 90%, and she is grateful she no longer has to wade through such filth to get to her real mesages.
The bottom line is, the fewer spammers that have your address, the fewer spams you're gonna get. I have a Hotmail that gets 1000+ spams a day. My real e-mails get next to none. It's just like telemarketers, they get your number from companies who need a contact info for whatever reason. However, Hotmail address are free, whereas extra phone numbers to give the telemarketers, and then never answer, are not. Well, we do have Caller-ID for that, but that's another post...
If someone from earthlink emails someone else from earthlink, how would challenge response handled then? Do they make all mail that is sent returnable without challenge responses, and if so is this a temporary rule or are the addresses of all mail you send permanently whitelisted?
If the challenge response triggers a mail daemon reply, is it filtered or do you get flooded with those replies caused by all the spammers with forged addresses? If they are filtered, how do you know when mail you send doesn't go through without the use of message reciepts since mailer daemon replies are all different.
If I mass email tons of earthlink addresses with a forge from address, would it mailbomb the fake address, or do they have flood protection to prevent this?