Are People Using TMDA to Kill Spam?
NewtonsLaw writes "With spam becoming an increasingly frustrating part of life in the Net, I have to ask why more ISPs aren't implementing systems such as the excellent Open Source Tagged Mail Delivery Agent (TMDA) strategy? Using this system would mean that only those spammers who used bona fide email addresses in their headers would get through -- and means virtually all the penis enlargement, weight-loss and other scams would be blocked. Even those habitual "brand name" spammers (like Real, PayPal, etc) could still be blocked by adding them to the blacklist. With TMDA, email to and from regular correspondents is passed transparently and there's no risk of genuine messages being accidentally discarded by over-active filters. If enough ISPs at least offered TMDA as an option to their users, the effectiveness of spamming could be shattered almost overnight -- oh, wouldn't that be lovely?"
" I have to ask why more ISPs aren't implementing systems such as the excellent Open Source Tagged Mail Delivery Agent (TMDA) strategy?"
Most ISPs are lazy and incompetent and only interested in collecting your money. The rest are in bed with the spammers.
Wouldn't a spoofed email address get through? I see that particular method used quite often.
Yes, there is a risk of legitimate messages being blocked, if the sender does not understand the "confirmation request" mail sent by TDMA, is not willing to answer it (think mailing lists), or blocks it as spam.
A second reason is false positives. Users have really quite different views on them. Some people hate spam so much that to avoid it, they are willing to block a real message every once in a while, and spend a lot of time configuring and tuning their filters. For others, hitting "Delete" 30 times a day is less trouble than the nuisance in losing real legitimate messages.
Every time /. does a story on spam we have the debate about address verification. There are plenty of existing "challenge-response" spam control services and the reason they're not widely used is because they still require a lot of manual work to control spam.
Mailing lists are a simple example. For every mailing list you legitimately want to be on, you will need to manually set up the address on the whitelist because the mailing list software won't respond to the challenge message.
Now let's say that the mailing list programs make some mods to automatically respond to the message, assuming it has a standard format. Now a spammer can use the mailing list's address as their return address and take advantage of its response to a challenge! Of course, the challenge could contain other validation data such as a receipt number and/or a digital signature but now we're talking about major mods to the Internet's mail infrastructure and mail clients.
spammers don't care too much about effectiveness, they already deal with less than half-a-percent response rates anyway, and they don't give a darn if they're blocked... the fact of the matter is that spam is so freaking cheap to send, it will never go away. the way to kill it altogether is to raise the cost so much that it no longer becomes an attractive option. i hate to say it (being somewhat libertarian), but the only way to do that is to have anti-spam laws with some teeth that include some time in a state "correctional" facility. that would send the message.
dum spiro, spero
Okay, so a lot of spam comes from forged email addresses, and having a whitelist+confirm would stop mail from those addresses, but what is to stop spammers using valid addresses (free ones maybe), and a script that automatically replies to any confirmation requests?
When confirming the test email address noted in the article, I just hit reply and send the email as is, and I'm sure a script could be written to automatically send a blank message to the Reply-To: address if this became widespread.
The spammer's task would become harder, but far from impossible.
I think the strategy may work well for a bit, but I can write code to mimic/steal a bona fide email address easily and put it in the header, so I don't think it will help in the long run.
;-)
I have my own ideas on how to stop spam, but I'm thinking I'll save them for my thesis
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
I tried TMDA, and I really like it. However, there are some drawbacks that make it impractical for me.
First of all, I've had trouble white-listing my friends. I could just give them the address ac@mydomain.com and white-list them, but sometimes they will change email addresses or send me mail through a third-party source (like sending a news item from a web page or sending a greeting card). The alternative is to give each friend a tagged address that will go through, but it is hard for them to remember ac-friend-a751af@mydomain.com
Second, some of my friends can't handle the concept of replying to a message to let their first message through. (Obviously this happens when they use an address that I haven't white-listed.) I've tried to customize the message to make it easy to understand, but I guess I have dumb or stubborn friends. In particular, if a relative sends a joke to me and a long list of other people, and one of those people replies to everyone ("ha, that was really funny!!"), the sender gets really confused about getting a confirmation request from someone they haven't heard of before.
I've had one on-line store refuse to use my tagged email address because it was too hard to type. (Apparently their brain-dead system had them manually retype the address into another system.) They processed the order, but I didn't get any status from them.
The killer was my ISP changed the rules on me and doesn't allow having a mail server on my local system. Furthermore, the provider I was using for out-going mail now blocks mail from my Linux box because they detect it going through exim and declare that it is relaying through their system. (It works for a simple mail client, just not for an MTA!)
Another provider I could use has their MTA configured such that it doesn't work with the tagged addresses. Of course, many ISPs now block in and outgoing port 25. The anti-spam efforts of ISPs keep breaking my attempts to avoid spam and TMDA is the latest victim.
Again, I like the concept of TMDA. Jason Mastaler and company did a lot of things right, but it just didn't work out for me. When the general public becomes educated on the concepts and it is easier to find an ISP that will work smoothly with TMDA, I'd be happy to use it again.
I think many clients are heading in the right direction with spam filters that learn based upon a user saying "This is spam" and "This is not spam".
Personally, I use SpamAssassin which was primed with 1200 spams and 6000 hams. Since that point, it has captured 200 spams with 0 false positives and 2 false negatives.
The hard part is priming the databases. Maybe it would be worth it to have a database that can be downloaded and used as an initial point for new users - combined with "Spam", "Not Spam", "Whitelist" buttons in their client to automatically tweak the db to their usage patterns.
- Tony
What about my order confirmations? I'm never quite certain what e-mail address they'll use as the from. Maybe they have an e-mail order tracking system and they use a unique from: for each order. Talk about a TMDA nightmare... especially if the implementation is out of your own geeky hands (read: controlled by the ISP).
Because they're a terrible solution. All you wind up doing is pissing off the poor people whose email address the spammer used in the forged From: line, and not to mention the quagmire that is making these things play nicely with mailing lists.
But, I think John Levine does a much more eloquent job of explaining why C-R systems are not the answer:
Date: 11 May 2003 21:41:35 -0400
Message-ID: <Pine.BSI.4.40.0305111408240.28246-100000@tom.iecc.com>
From: "John R Levine" <johnl@iecc.com>
To: "Declan McCullagh" <declan@well.com>
Subject: Re: FC: MailFrontier.net, poor anti-spamware, and future of mailing lists
In-Reply-To: <5.2.1.1.0.20030511122149.00b1a710@mail.well.com>
> My reluctant conclusion is that C-R systems with flawed implementations
> have the potential to end legitimate mailing lists as we know them today.
No, it's worse than that. The collateral damage from widely used C/R
systems, even with implementations that avoid the stupid bugs, will
destroy usable e-mail.
Challenge systems have effects a lot like spam. In both cases, if only a
few people use them they're annoying because they unfairly offload the
perpetrator's costs on other people, but in small quantities it's not a
big hassle to deal with. As the amount of each goes up, the hassle factor
rapidly escalates and it becomes harder and harder for everyone else to
use e-mail at all.
A relatively easy to solve problem with challenge systems is that most of
them are written by dimwits who don't understand the way that e-mail
really works. In 1983 the 4.3BSD Berkeley Unix "vacation" program
correctly dealt with mail from lists and other mechanical sources, yet 20
years later I still see out-of-office replies from Lotus Notes and MS
Exchange to list mail every day. (Is there really nobody at IBM or
Microsoft who used 4.3BSD or knows the rules of thumb to recognize
non-personal but legit mail?) Challenge systems have the same bugs, and
list managers are now routinely kicking people off lists whose broken
challenge systems spam out stupid challenges to everyone who posts to the
list, and ignoring challenges to signup confirmation messages. These
particular problems are soluble; the few challenge systems used by
experienced mail users like Brad and Dan Bernstein avoid them.
But the real damage from challenge systems will come when spammers start
attacking them. Challenge systems all have user whitelists so that each
correspondent only gets one challenge, then mail goes through directly. So
spammers will start trying to send spam with forged sender addresses that
are on the recipients' whitelists. That's not so hard, sign up for a
mailing list, scrape addresses from the list traffic, then send NxN copies
of spam, to each list address from each list address. Similarly with
addresses scraped in groups from web pages, usenet groups, and anywhere
else scrapage happens.
So what will the effect of this be? You won't be able to trust that mail
from your friends is actually from your friends, since an increasing
fraction will be spam leaking through your challenge system. What will
people do? Given the basic principle of challenge systems, which is that
it's someone else's job to solve your spam problem, people will dump their
whitelists and start challenging every message. At this point, it's
possible to automate much of the work, most challenge systems are
scriptable, so that for example I have a few lines in my mail sorting
filters that catch the per-message challenges from submissions to Dan
Bernstein's mailing lists and automatically send confirmations. But of
course, if I can send responses from scripts, spammers can and will too,
so challenge systems will increasingly include "prove you're human"
features like showing you a picture and asking you how many kittens are in
BlockStackers
2001 Woodlark Dr
PARK, MI 49424
616-399-3125
Let's give their mailbox a slashdotting!
I'd install it myself, as a proxy MTA, but it's not a Mail Transfer Agent; instead it requires one to use one of a particular set of MTA.
In short, there's no way to use it under Windows or even cygwin (as far as I can tell).
I wrote much of a TMDA, but never completed it, as a plug-in for Microsoft Outlook -- I abandoned that project when I decided it should be written as an extension of an SMTP/POP3 proxy. (And I wrote it first as a Visual Basic "macro" before I understood how to add plugins written in C++ to Outlook; that was the antithesis of fun.)
I was unable to find an open source SMTP/POP3 proxy that runs under both Windows and linux -- I've looked, but what I've found has been either for Windows but not linux or vice versa, or SMTP but not POP3 or vice versa. The one thing I've found is Hamster, which is quality software, but written in Delphi, and it doesn't run under linux.
Basically, I'll use a TMDA as soon as I can run it myself, under Windows -- or the OS of my choice.
The TMDA software currently available seems to be aimed at ISPs, and this seems to be a political decision of the TMDA software authors.
It probably makes some sense, in the long term battle against spam, to keep it off the desktop so as to put pressure on ISPs to install it, but it sure doesn't make it easy for me to use.
Opinions on the Twiddler2 hand-held keyboard?
Sure, the spam ads are pesky and take time to DL and delete, but they really aren't that intrusive or obnoxious. At least not for me using `pine` or `mutt`. Then I had to use a GUI browser to get my mail on vacation. Using a GUI was bad enough, but suddenly I _saw_ the obscene cr@p that was being foisted on unsophisticated lusers. Oh my.
The pornographers have somewhat dubious morals, else they wouldn't be practicing their craft. We can hardly expect them to voluntarily stop. And coercion is likely to require excessive force and loss of general liberties.
My beef isn't so much with the spammers as it is with the GUI browser/email coders. HTML email is a Bad Idea. I delete it on sight. But maybe somebody likes the formatting tags. Barely OK. But why would _anyone_ autoload images, load URLs or run poxy javascript? At least, not without explicit user permission for listed URLs? Greeting cards might be nice, but they can tolerate some trouble (certification?).
I think the biggest problem with SPAM is the MUAs. And this can easily be fixed with a few defaults, but MS mostly makes egregious decisions.
There are better methods. Message analysis (ala SpamAssassin), spam clearing houses (ala Razor), RBLs, bayesian filters, and sender address verification. I use all five at my site, and my users are happy.
Plus, can you imagine a potential client of your company e-mailing for information, only to be sent a TDMA message? I'd bet money that person would either not know what to do, or just ignore the message and think you never got back to them.
Joe e-mails Fred. Fred's TMDA sends a confirmation e-mail to Joe. And Joe's TMDA sends a confirmation e-mail to the confirmation e-mail, then the cycle continues.
I don't like the looks of this.
Being called a dork on Slashdot must be like being called the retard in special ed.
I used ASK (http://a-s-k.sf.net/) for a while. It blocked virtually 100% of my spam (it is VERY rare for a spammer to have a valid email address and have them respond to a challenge).
It also blocked a lot of valid automated email that I wanted to get. Airline confirmations, advertising/announcements that I had signed up for. That kind of thing.
Now I use tess.sf.net (baysian(sp)). I don't get false positives ever, and I nail about 90% of my spam (and getting better).
For the curious - I receive about 550/week and only see about 50. I'm very promiscuos(sp again - sigh) with my email address...
all they gotta do is find one of these confirmation boxen that mails a copy of the message you sent, and bounce a million messages off it with the being the target for each spam.
The problem with using the filter described is that a good portion of spammers DO send from legitimate e-mail addresses...just usually not their own. Sometimes it's even being sent from the person receiving it (by simply faking the from: tag)
I personally blacklist all domains that use TMDA. It's a fucking joke. I will not jump through hoops to send you email. If that's the kind of shit you want me to do then I sure as hell don't want to email you. Welcome to my blacklist.
who thought: How does Time Division Multiplexing Access combat spam? :)
Well, first off, why, oh WHY are people still using email lists?
:)
Fuggedaboutit. These types of things belong on web forums or usenet. Both work exceedingly better on so many levels its laughable that anyone is on anything but a receive-only mailing list right now.
If, for some idiotic reason you really need to deal with two-way listservs, you are probably "elite" enough to have a separate email account just for that without the spam protection, or at least with non-whitelisting protection.
Next, if you plan to send out a confirmation email from a web-form (like so many BROKEN sites do) it is only polite to let the user know in advance what the sending address will be, so whitelists can be updated. If you don't, I think it's only fair that you have to deal with confirmation messages.
Then they worry that spammers will confirm the messages, even if the confirmation requires a lot of computational power to solve. HUH? Do you have any clue how much effort and bandwidth the spammer will need to buy to deal with this? These people are working on perhaps 1 out of 100,000 people buying their idiotic product. Even if each email cost them just $0.01 to deal with, that's $1,000 wasted per sale. Ain't gonna happen, no way in hell.
The only legitimate worry is that a malicious from address might be placed in a spam to deluge an anti-spammer with email. That's what we need identity laws to protect against. Those are the only anti-spam laws I now think should exist. You should be able to trust the from line isn't forged to DoS attack someone.
> Now we'll have challenge systems duelling to the death, since
> everyone will be insisting that everyone else confirm first.
??? That's just stupid. This guy has enough knowledge to know how to deal with vacation replies properly, but can't think of a way around this?
Simply have a check string in your signature that, if it exists in a reply email, the email is allowed through. What a concept! *(and it's already done)*
So, let's see:
- People who need to reply to mailing lists are special and generally have the knowledge needed to deal with this already.
- Spammers won't forge real email addresses in the from field because they'll be seeing a judge (even now, DoS is illegal in most countries).
- Spammers won't want to read all your confirmation messages, even automatically, because they can't afford to. Already, as it is, spammers use hacked servers, and sometimes open relays to lower their expenses. Imagine if they had to deal with the emails themselves. HAH!
So, I remain spam free, and the internet works. It hasn't been a problem for me yet, and it hasn't been a problem for anyone else I know yet.
Just my 2 cents. Perhaps you can come up with a better argument?
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
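Added example, not part of any post in this thread and not TMDA's own code: a sketch of the decision a challenge-response filter has to make so that it neither challenges list mail, bounces and other auto-responders (the rules of thumb Levine's message refers to, and the Joe/Fred loop raised earlier) nor challenges a reply that quotes a signature check string as proposed just above. The names `classify`, `check_string`, the `cr-` token format, the secret and the sample messages are all assumptions made for illustration; the headers checked (`Auto-Submitted`, `Precedence`, `List-Id`, `List-Unsubscribe`) are standard ones.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-secret"   # assumption: per-user key, never mailed out
WHITELIST = {"alice@example.net"}     # constructed sample whitelist

def check_string(correspondent: str) -> str:
    """Token for our outgoing signature, bound to one correspondent address."""
    mac = hmac.new(SECRET, correspondent.lower().encode(), hashlib.sha256)
    return "cr-" + mac.hexdigest()[:20]

def classify(raw: str, envelope_sender: str) -> str:
    """Return 'deliver', 'challenge' or 'hold' (quarantine, send nothing back)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    # From: is forgeable, so a whitelist hit only proves the name, not the sender.
    if sender in WHITELIST:
        return "deliver"
    # A reply quoting the check string we issued to this sender is answering us.
    for token in re.findall(r"cr-[0-9a-f]{20}", body):
        if hmac.compare_digest(token, check_string(sender)):
            return "deliver"
    # Never auto-reply to mechanical mail: bounces, auto-responders, lists.
    if envelope_sender in ("", "<>"):
        return "hold"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return "hold"
    if msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
        return "hold"
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return "hold"
    return "challenge"

# Constructed sample messages (not taken from the thread).
PEER_CHALLENGE = ("From: fred@example.org\nAuto-Submitted: auto-replied\n"
                  "Subject: Please confirm\n\nReply to confirm your message.\n")
LIST_POST = ("From: poster@example.com\nPrecedence: list\n"
             "List-Id: <dev.lists.example.com>\n\nPatch attached.\n")
STRANGER = "From: bob@example.com\nSubject: hello\n\nFirst contact.\n"
QUOTED_REPLY = ("From: bob@example.com\nSubject: Re: hello\n\n> -- \n> "
                + check_string("bob@example.com") + "\n\nThanks!\n")

if __name__ == "__main__":
    for name, raw, env in [("peer challenge", PEER_CHALLENGE, "<>"),
                           ("list post", LIST_POST, "dev-bounces@lists.example.com"),
                           ("stranger", STRANGER, "bob@example.com"),
                           ("quoted reply", QUOTED_REPLY, "bob@example.com")]:
        print(f"{name:15} -> {classify(raw, env)}")
```

The 'hold' outcome matters: declining to send a challenge is not the same as accepting the message, so marking spam as automatic mail does not get it delivered.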
I know companies that sell spam generating software have been talked about but what about the people doing the coding?
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
What does TDMA (time division multiple access) have to do with spam? :D
Methinks the first bundle of posts to this topic were made by people in too much of a hurry to get first post to pay any attention to what they were typing.
Going back to basics, into the way-back machine of the 80's to 90's and such - the entire MTA system was built on implied trust and courtesy - open-relays, which wasn't even a buzz-word back then, were shined upon as the polite attempt to maximize the delivery success of e-mail. An e-mail to a typically friendly fellow geek administrator cleaned things up.
Today, it's been abused for years.
Users actually don't care about or know e-mail addresses these days - since all the "good names" are taken, you get these e-mail addresses like "thisisreallylong_06@somelongdomain.com". Users just click on reply or forward to get the e-mail address, and less often save them to an address book.
If we could find an easy seamless way that didn't require *any* or a minimum of user input to certify the validity of users sending and receiving, we'd have the spammers licked. The no user input required way would be much better.
That this will only create a sense of accomplishment. Eventually spammers will provide throw away addresses that simply reply to get on the white list anyways. The reason they don't do it now is because this challenge-authenticate is not widely accepted.
I still think, and am quite happy with, a Bayesian Filtering application that Mozilla Mail currently offers. Very little spam leaks through and I have only had one false positive in almost 3 months of using it.
D.O.U.O.S.V.A.V.V.M.
I know your mum might prefer Outlook, but Mozilla Mail/Thunderbird is a really really good mail client AND it uses Bayesian spam filters, the best around!! Just mark the Junk messages a couple of days and leave the rest to it.
Didn't you hear - I come in Six Packs