Slashdot Mirror

← Back to Stories (view on slashdot.org)

Earthlink Deploying Challenge-Response Anti-Spam System

Posted by michael on from the bringing-out-the-big-guns dept.

deliasee writes "The Washington Post reports that Earthlink is preparing to offer new spam filter technology that requires sender authentication. AOL is still concerned that such technologies will put too much burden on consumers." The day after it's deployed, every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers...

15 of 501 comments (clear)

  1. Too drastic? by mao+che+minh · · Score: 4, Insightful
    Drastic times call for drastic measures. The situation caused by the relentless onslaught of SPAM (which supposedly is rendering "damages" in the billions annually) can certainly be categorized as drastic. Is Earthlink's counter attack too drastic a measure, though?

    On one hand it (Earthlink's new "technology") seems reasonable enough to the every-day-joe. I'm sure that the majority of Earthlink subscribers don't utilize news or mailing lists, and don't bother paying their bills online. For these people, it's fine. On the other hand, many others use online banking and other such automated tools (even account control mechanisms for online games will be affected). How quickly will all of these vendors conform to Earthlink's new technology and make the needed changes in their automated systems? Will Earthlink simply render many of these domains exempt?

    The answer to solving SPAM resides in the current mechanisms used for the actual transmission and delivery, the mechanisms that all participants must use, not just Earthlink. This is of course the mail servers themselves.

    1. Re:Too drastic? by iangoldby · · Score: 5, Insightful

      People who want to continue to receive messages from mailing lists, online banking, etc, will have to add these sources to their whitelist.

      It's a bit of a faf though, and I suspect many people will either not understand how to, not bother, or forget at least one address.

      The solution is to have the incoming messages moved into a 'holding' folder that the recipient can see, and check in just the same way as checking through a 'spam' folder. This would remind the user to add false positives in the 'holding' folder to the whitelist. After a while, you can safely stop checking your 'holding' folder. Wouldn't it be good if this is what Earthlink are doing?

      I think a scheme like this could be made to work, at least for webmail. For POP3, it could be a bit more tricky...

    2. Re:Too drastic? by letxa2000 · · Score: 4, Insightful
      Challenge-Response is bogus. I don't know of any such systems that have been deployed without significant problems for their users, the people that send mail to their users, and especially mailing lists.

      If challenge-response is largely deployed, I suspect spammers will just unite such that one spammer sends a message, gets the challenge, answers it and is then "unlocked" to send message. He'll then distribute that email address in real-time to dozens or hundreds of other spammers who will send their spam immediately with the same newly-unlocked address.

      Or, perhaps, spammers will change their tactic from spamming millions of users with 1 spam at a time to spamming 1 user at a time with dozens or hundreds of spam. You unlock the system with a valid response to the challenge and then flood them with spam until the user blocks that address.

      I just don't see where challenge-response is anything more than a very stopgap measure. It's not particuarly "clean" now and will become more and more useless in the future.

      Almost a year after Paul Graham's "A Plan For Spam" Bayesian is still the easiest system to develop as well as the easiest for the user to use. It is extremely effective (99.5%+) with very few false positives and doesn't require any additional effort for the sender and only requires that the user report false positives and false negatives--and that is mostly only needed at the beginning. Once it is initially tuned it's not necessary to do much of anything--it just keeps learning and working.

    3. Re:Too drastic? by Tackhead · · Score: 5, Insightful
      > People who want to continue to receive messages from mailing lists, online banking, etc, will have to add these sources to their whitelist.

      Problem is, you don't know what that email is necessarily going to be.

      I ordered something from foo.com and got order number 12345.

      A few seconds later, I got a confirmation mail from confirm-12345@foo.com telling me what I bought and when to expect delivery. (Or worse, from order-12345@foo.com telling me there was a problem, and that I needed to fix something!)

      If challenge-response becomes widespread, foo.com will say "Now you must whitelist the address confirm-12345@foo.com" when processing the order. (Or switch their order-processing back-end software to use something more sane, like "confirm@foo.com" and put the damn "Order 12345" in the Subject: header where it belongs!)

      Problem is, until then, some vendors and some users using challenge-response are gonna be up the proverbial estuary without a utensil for propulsion.

      If foo.com is disreputable, of course, challenge-response solves the donkey pr0n spam problem, but not the mainsleaze part of the spam problem. A mainsleazer at foo.com will simply start spamming his customer list with a From: of "confirm@foo.com" - Subject: "New Dealz from foo.com!" *sigh*)

  2. How do two people with C/R communicate? by corsec67 · · Score: 5, Insightful

    How do two people with challenge and response communicate?
    If the challenge always gets thrugh, then the spammer will just issue cahllenges as spam.
    If they don't get through, then you would have a nasty mail loop.

    --
    If I have nothing to hide, don't search me
  3. Now the spammers get address validation for free by chefbimbo · · Score: 5, Insightful

    Seriously, what are they thinking? TMDA might seem like a nice idea in theory, in practice, it's a pain to use and not exactly safe either. Once this gets widescale usage, the spammers will simply start responding to the challenges (after all, it's not like that couldn't be easily automated).

  4. They should offer it with new email address by dnoyeb · · Score: 5, Insightful

    me@challenge.earthlink.com

    something like that. So that it allows users to gradually changeover to the system. That would allow them to be more extreme in their refusal to accept emails and much less compromising.

    I like it.

  5. Re:Nice moves by apoc.famine · · Score: 4, Insightful

    I dunno. This may be painful for a bit, and increase the amount of mail, but in the long run it might be worthwhile. While I agree that it makes some peoples' jobs harder, those people probably aren't using the major ISPs/mail-services. If the major players do this, it makes it that much less profitable for spammers to do business.

    I mean, if you're a spammer, a brute force mailing to joeuser.org is MUCH less profitable than mailing the same million messages to hotmail.com. Go big guys, go! It won't bother me at all.

    --
    Velociraptor = Distiraptor / Timeraptor
  6. Fill up the ISP servers by nuggz · · Score: 5, Insightful

    So when a spammer fires a few hundred or thousand emails to an ISP, they will sit on the mailserver waiting for him to respond.
    Since the from address is faked, that same ISP will launch an acknowledgement flood against a third user.
    Excellent.

    I just see so many tricky things that someone somewhere will screw up.

  7. Challenge - Response doesn't work by tshak · · Score: 5, Insightful

    What happens when the customer orders something from Amazon - the purchase confirmation email comes from a non-human address.

    Just the other day I got an email from a company that I ordered software from describing a free upgrade that I could download. It came from donotreply@[host].com, meaning, if I was using Earthlink's system I probably wouldn't have received it.

    The problem with Challenge - Response is that it makes the assumption that if there's not a human behind the email that it's spam. In practice, there are many legit emails that are not individually sent by a human.

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  8. bad protocal: SMTP by JDizzy · · Score: 4, Insightful

    The answer is not attaching more bad ideas to an already bad protocol. The ultimate answer is in the protocol designers. A government/state can pass as many laws governing the interaction of people/things with the bad protocols, but the IETF/IEEE will still create them, and certify them. People should just wake up and realize that SMTP is to blame for this big mess. ISP's should stop offering SMTP outright, and think of ways to replace it. Chat programs are probably a better way to pass messages anyways. SMTP has become a massive bazaar that is full over everyone on earth, and since it is completely open, its also completely ok to send bulk mail. Forging headers is another issue, but simply spewing email is intrinsically allowed by the protocol, and thus taken advantage of. If everyone one on earth had a computer, and everyone on earth sent email to everyone else on earth every day, would that be spam? No, because it would cross the line into accepted practice, and that is what we are starting to see due to the sheer bulk of spam sent to everyone on a daily basis. The point is that as long as SMTP exists, so will spam. The answer is to replace SMTP with something that doesn't allow spam to exist by removing the ability to anonymously send people messages.

    --
    It isn't a lie if you belive it.
  9. Wow, nobody understands this! by MrPerfekt · · Score: 5, Insightful

    I see a slew of people saying "blah blah blah, they'll automate the response blah blah blah". And apparently, to alot of you, this is all new.

    This is something that's been around for a few years and gee, spammers haven't gotten around it yet. C/R antispam systems work because spammers don't use valid Reply-to: or To: addresses.

    If they did and the spam gets through the system, then great! There's one more point where we can nail them on when/if we go to hunt them down. Oh, you used your dialup with an SMTP server to auto-respond to the challenge (which is probably alot of work for the average evil spammer), great, email abuse@isp and have his account shutdown.

    Since I have started using ASK to C/R my email. -zero- spams have gotten in my Inbox (which is what annoyed me the most about spam, the false positive I got when the little sound would ring telling me I had new mail.)

    Intrusive? PLEASE! How lazy are you? Hit reply -once- and you'll never have to see it again when sending email to me. I'd say getting pelted with 200 spams a day is slightly more intrusive to me than what you're going to have to do to send an email to me.

    --
    I just wasted your mod points! HA!
  10. Re:Nice moves by darien · · Score: 5, Insightful

    Er, what?

    eMail was not designed for such a challenge

    So what? This system works within the standard. Who cares whether or not the designers foresaw it?

    It drives network traffic as well up to the sky.

    Hardly. If you're on Earthlink and decide to opt-in for this, it simply means that everybody you know has to send you one extra email once. Earthlink's traffic may be a bit higher for the first few days, but once people get their whitelists in order it'll drop back to where it is now - and below, because there'll be less spam floating around.

    However, I do hope (the article didn't say) they've come up with a smart solution to the problem of spammers putting real (but stolen) addresses as their From: address. Otherwise people unlucky enough to have their addresses stolen may indeed find their network traffic increases, thanks to a million challenges from Earthlink.

  11. Re:Now the spammers get address validation for fre by Chester+K · · Score: 5, Insightful

    Once this gets widescale usage, the spammers will simply start responding to the challenges (after all, it's not like that couldn't be easily automated).

    In order to send responses to the challenges, it means the spammer has to provide at least a valid return address, and dedicate resources to responding to those requests (even if it is automated). It raises the cost of sending spam, and increases accountability due to the valid return address requirement, which is the best we can hope for with a SMTP-based solution for the time being. It's not perfect, but nothing is.

    --

    NO CARRIER
  12. Having written a similar system, I have questions. by kaoshin · · Score: 5, Insightful

    If someone from earthlink emails someone else from earthlink, how would challenge response handled then? Do they make all mail that is sent returnable without challenge responses, and if so is this a temporary rule or are the addresses of all mail you send permanently whitelisted?

    If the challenge response triggers a mail daemon reply, is it filtered or do you get flooded with those replies caused by all the spammers with forged addresses? If they are filtered, how do you know when mail you send doesn't go through without the use of message reciepts since mailer daemon replies are all different.

    If I mass email tons of earthlink addresses with a forge from address, would it mailbomb the fake address, or do they have flood protection to prevent this?