MailBlocks sues Earthlink over Anti-Spam Tech
goombah99 writes "Mailblocks is suing Earthlink, claiming patents on Challenge-Response as a means of blocking spam. Slashdot recently discussed Earthlink's plans to implement a challenge-response email system. The next day mailblocks filed suit to defend their turf in the $118 million dollar anti-spam solutions market. MSNBC has a complete discussion."
Years ago... 1997 to be exact.
Mailblocks has no right on that patent.
...and this ladies and gentlemen is why the spammers win.
That MSNBC has a complete discussion makes me so happy! MSN.. hello?
"...founded in July 2002 by Phil Goldman, a former Microsoft vice president..."
Have they patented the idea of challenge/response email authentication? Geez
"Mailblocks is suing Earthlink, claiming patents on Challenge-Response"
If Earthlink responds to this legal challenge, they'd be in violation of this Mailblocks patent? A nice merry-go-round.
I think I'll patent these as well, just in case:
1. Pleading guilty.
2. Pleading innocent.
and so on...
If you keep throwing chairs, one day you'll break windows....
I could be a mile long by now! You'll pay Mailblocks, YOU WILL PAY!
Because all the "good guys" are stabbing each other in the back trying to be the one that fixes this problem.
I say we need to send the One (a large man with a nail bat) to the Source (the companies that PAY the spammers) and let him Disseminate the Code (splatter their heads against the wall).
Yeah, I saw Reloaded three times since last Wednesday... so sue me. =P
This is my sig. Its pathetic.
From this number, would I be wrong in assuming that there are many people besides spammers themselves who have no problem at all with spam remaining legislation-free? I had no idea anti-spam was such a lucrative business, and I suspect many others hadn't either.
If I could make this sig kill you, I would.
Don't you just love software patents.
Europeans, contact your MEP now or else we will have this stupidity as well. The vote is next month and it looks most likely to give the go ahead on allowing software patents in Europe.
I have contacted my MEP and am trying to set up a personal meeting with him. Please do the same. There aren't many of us doing this kind of thing.
-- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz
Didn't Jeff Bezos {amazon.com} invent that? I'm pretty sure he holds the patent for it...
All hail the "new" dark ages...where instead of guilds and religion repressing knowledge and progress, we have "intellectual property rights"!!!
Good news is, in about 1000 years we'll have another "new" industrial age and be able to move on...
From the article: "Mailblocks developed and owns patents for Challenge/Response"
They will sue me as soon as they find out that I dial in to my ISP using the CHAP protocol.
RedShirt
Microsft spel chekar vor sail, worgs grate !!!
Wouldn't it be interesting if the "privately-funded" Mailblocks were to win and then refuse to license their patent to anyone? Or maybe offer to license it, but for exorbitant license fees. Then, 20 years from now, we'd find out that their private funding came from companies with an interest in Direct Marketing? Or that Mailblocks itself exists as a marketing tool, to collect email addresses and sell them?
One of the very real uses of patents is to prevent people from using the technology.
So am I paranoid enough yet?
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I know that challenge response has been around longer than that. PRIOR ART.
And challenging Earthlink is a bit foolish. All Earthlink needs to do is come up with the hundreds of thousands of examples of Challenge-Response systems in use as early as 1995 in order to verify an actual person was on the other side.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
Majordomo, Mailman, ezmlm... almost all mailing list software sends you a confirmation email, requiring your reply (nowadays via a URL with an embedded authentication string, or via email simply by replying). Kinda seems like prior art, since I'm guessing "Mailblocks" hasn't even been around as long as majordomo, which dates back into the Dark Ages.
However, in all honesty, this is probably one of the few cases where everyone wins- for many of the reasons folks cited in the comments on the last article that mentioned Earthlink's move... challenge-reply is a VERY half-baked idea, and anything that suppresses the market for that software (ie, patent) is a darn good thing in my book.
I'm a mailing list manager, and if Earthlink does manage to get out of this one and fire up the challenge-response business, I'm damn tempted to simply block every earthlink user, possibly at the mailer level, because the users simply aren't smart enough to handle whitelisting the mailing list(s). Hell, most of the hotmail/yahoo mail users can't even keep their mailboxes under quota. We're talking rocket science compared to keeping your mail folder clean...
Please help metamoderate.
Gee... I use a Sendmail AntiSpam list. It works.
I was going to write a filter that would do a lookup on the incoming email address. If I don't find them I refuse the email. That's not patentable. And it should not be.
Does the phenomenon need any more explanation?
The patent/ip mob is on the move again..
Quote: "Mailblocks, Inc. is a new class of Web-based email service for consumers founded in July 2002 by Phil Goldman, a former Microsoft vice president and a founder of WebTV."
Why can't it be that the penis enlarger companies are the ones that are suing each other into bankruptcy over patent infringement?
The Hon. Judge VanDelay ruled against me, so as it turns out, I cleaned myself out pretty good!
Besides, TMDA works, while Mailblocks doesn't. I grabbed a Mailblocks account while I could get a good username, and found that Mailblocks doesn't send out the challenge: it just discards my test messages as spam after 14 (?) days.
UM SPIKE ISN'T Dead.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
So if no one else but Mailblocks can implement a decent anti-spam response due to patents, then mailblocks has a perfect protection racket. Start spamming everyone to sell....anti-spam software.
Some drink at the fountain of knowledge. Others just gargle.
"hello?"
"Hi is this Joe Smith of 104 spammark rd.?"
"May I ask who is calling?"
"No, you may not, we've patented the process where you ask who you're talking to then decide whether you want to continue communication, we can license that technology to you though for the special low price of $1 per use."
Comment removed based on user account deletion
I block all challenge-response systems at the MTA level, because they're fscking annoying because their users always use them on mailing lists.
Thanks to this article, I know about Mailblocks. I will go dig up their MXes now. Thanks, goombah99.
Oh, come on. This solution is so obvious even my mother thought of it. She had never even heard that anyone was actually doing it, and not long ago she emailed me asking me if I could set it up for her. She had the whole idea down, and was certain it was something that she had just come up with.
Using state-of-the-art technology, an assemblage of talented, passionate and experienced individuals unlike slashdot's crew of moron editors
:)
Am I the only one to notice that...? Somehow I doubt that's in the original. Clever and amusing, however
Place sig here.
we'll let the creator sort it out for US.
no need to brIEf va lairIE, as he already has the nearly useless PostBlock(tm) devise, 'working' full bullast.
howsonever, the evile nature of these whoreabull greed/fear based payper liesense stock markup FraUD LIEforms, makes many of US think that hangin' is way too good for the Godless slymebawls, & that we would be better served buy having them receive the citation of the dead rat.
I have been using the excellent utility ASK (Active Spam Killer). This uses the challenge response technique. It's blocked 670 SPAM messages in the last 10 days. It's been around for a while. I thought that an idea had to be "non-obvious" to be patentable. Lots of people coming up with an idea that's not obvious.
challenge-reply is a VERY half-baked idea.
How so?
It seems like a great solution to me (coupled with a whitelist).
I'd put all my friends on the whitelist. When anyone not on that list emails me for the first time, they get an automated message back telling them how to respond. If they do this, the message gets through and they go on my whitelist. If not, they have already been informed that their message will not reach me.
How is this half-baked!?
Life is too short to proofread.
Challenge-Response is the fundamental security mechanism for TCP, the reliable communication protocol used for everything from the web to SMTP itself. During the three way handshake between client and server, each sends the other a randomly generated 32 bit number, and each refuses to communicate unless that number is successfully returned intact. If either the client or the server fakes its identity, it will fail to receive the required value -- one of four billion -- and will thus be unable to complete the handshake.
:-)
At least, that's the thinking. Perfect security this ain't, but please -- the spec for TCP came out in 1981. TCP's security technique entirely encapsulates challenge-response systems for SMTP -- the same mitigation of false addresses through an inability to respond, the same caching of credentials once a response is received (you can think of a "trusted address" as a permanently open socket, with all the management headaches that implies!), etc.
In short, this is nothing new. But of course, we already knew that
Yours Truly,
Dan "I Do Way Too Much Stuff With TCP" Kaminsky
DoxPara Research
http://www.doxpara.com
> Hell, most of the hotmail/yahoo mail users can't even keep their mailboxes under quota.
Well, when Hotmail hands out your email address, and your mailbox ends up being bombarded with spam, and Hotmail's spam "filters" catch about 13 of the 400 spam messages in your Inbox, emptying your mailbox every other day just to make room for more spam ends up being a pointless exercise.
At least Yahoo mail seems to be an improvement over Hotmail. Over 3 years on the same account and not one spam message.
I can't believe these patents are being granted so freely. There is NO WAY the patent office could have overlooked examples of the challenge/response method for restricting email delivery. Honestly I can't think of a specific example at the moment. But I doubt it would take long to find it in use prior to the patent application. These patents are ridiculous.
Of course, this is something of a stupid way to block spam anyways. How does it let legit mailing lists that you sign up for through? How does it let emails for orders you placed through online shopping through?
This proves, anyone against usage of anti-spam obviously has a perfected interest in pro-spam technology.
:D
Next story: United States LLC takes away everyone's rights, puts them in a small box, so the terrorists can't take our rights away.
Story after the next: The Constitution of the 13 united States of America DID NOT need to be amended; anyone that thinks all men are created equal WITH EXCEPTION TO NEGROES AND WOMEN, simply needs an attitude change and statutory rights are actually granted privileges that may be revoked. In short, Civil Rights need not be around whilst people think they are equal. In a time where near everyone owned a negro slave, the believed (religion) that negroes are only to be owned. I say blah, that is evil and I consider every man my equal and not my adversary.
Next story after next story after next story: CowboyNeal gets married...discloses bachelor party via the opensource philosophy!
-1 offtopic
-1 shit-brained
-1 possible homersexual
...since I'm guessing "Mailblocks" hasn't even been around as long as majordomo, which dates back into the Dark Ages.
Lord EndUser: Hail, good knight! As you are traveling, send word to the neighboring lands of our bounteous faire, which is nigh upon us!
Sir Michael The Patient: 550 Relaying denied
Lord EndUser: Curse thee, Major Domo!
Spam filtering companies are proliferating at a rate almost akin to the growth of spam itself, and not all of them are going to survive.
Remember when there was a similar growth in companies delivering anti-virus solutions? Remember when several of them were caught propagating viruses?
Given how little it costs to Spam - especially if you're willing to accept a response rate of ZERO - I wonder how long it will be before some of these companies start hiring people to send out spam; spam tailored so that the anti-spam company has patented the most feasible defense!
Help make virtual black mail legal.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
This is exactly what's wrong with corporate America (a.k.a. the "legal system"). Rather than willingly share technology and ideas, people hoard whatever they can in the hopes of becoming the next overnight Joe Millionaire. The problem is, the success of the one in no way benefits the many. In fact, the contrary is true- this sort of crap hurts the industry more than anything. Meanwhile consumers are complaining to their providers, threatening to take their business elsewhere, crippling an already painful market. If people weren't so damn selfish, and freely shared concepts and ideas (e.g. Open Source), without the need to excessively profit, imagine where technology would be.
The first thing I thought of when I read this was "How are mail list posts handled?" The first message from your underwater basket weaving list comes in, Mailblocks sends out its challenge, it's sent to the entire mail list but the actual user never sees the challenge because Mailblocks won't let posts from the mail list through.
And I thought the people who have vacation responders on their email accounts were bad. Talk about a vicious circle.
d a v e
"Hmmm...upgrades."
Kind of interested if there is a solution for this already.
What happens if I have one of these CR set up and a friend has another one we are not on each others lists. I send him mail, which gets me a piece of mail asking for a response, since my system does not know the address it then replies, and so on......
I presume with the same product they watch their know their own responses so they can put a stop to this.
Kill spam with tech patents -- patent on sending email in bulk, patent on the "click here to remove me", patent on email header forgery, and of course patent on screwing with the subject field to get by most spam filters. Obviously, you have to actually *find* the spammers to sue them. Oh well.
SPAM solution made easy: 1 spammer, 5 cords of rope, 5 horses, and fireworks. Be creative.
I understand the need for companies to protect their intellectual property, what I don't understand is how you can classify such a simple, dare I say obvious, spam prevention scheme as "intellectual." It's scary to see such a huge legal throw-down over code that any programmer worth his weight in thumb-tacks could write in 30 minutes using VBScript. And really, if your entire company is based on something so trivial that little Johnny 12 year-old could reproduce it during recess and still have time to play 4-squares and get in a round of hoops, then it's time to close shop and start flipping burgers because you aren't going to last in the business world. Take heart MailBlocks; Micky D's is always hiring, and the little Johnnys of the world will always want fries with that.
Brits can find out who your MEP is by entering your postcode here. Set aside any personal feeling you may have on the EU, ranting against it is more likely to do harm than good.
Some ideas point to raise.
Point out you are an IT professional and you are writing in that capacity as well as a voter.
US companies have been allowed to accumulate large number of software patents for 30 years by a poorly managed US patent system.
European Companies will be forced to pay royalties to US corporations, even ideas they invented, but patented in the US.
European Companies can be prevented from competing in some areas by patents, either by cost or denial of access to certain technology.
Patents prevent fair competition and promote monopolies.
An expansion of the patents system in the EU to cover computer software is extremely damaging to the European IT sector.
Point out that software is about maths and numbers, if you cannot patent algebra B or numbers so why software.
If possible point out a simple example of a patent in your particular field, even better if you can rightly claim it was invented in Europe but patented in the US.
If it was complete, there wouldn't be any comments here, now would there?
CONCEPTS aren't patentable, are they?
The CONCEPT here is that of requiring a human response from a sender of an email before the recipient receives that email.
There are thousands of ways it can be implemented, I would imagine, be it with something written proprietary for a company, or through something open source (procmail recipes like I use?). Am I the next target because I run Procmail with a recipe set that requires a response before I receive an email from someone? Could the person who wrote this recipe set and gives it away free be a target?
The only way I can see Mailblocks even stands a chance to win anything is if it's proven that Earthlink is using something written by Mailblocks without the authority to use it. But that's licensing violation, not patent infringement. I would hope that a patent revocation would arise from this case.
Here's a link to an interesting article that's related to this discussion:
Grip2Ed.com
It discusses SpamArrest and some of the snakiness it's pulling when unknowing users respond to their clients mail. Kinda scary.
d a v e
"Hmmm...upgrades."
When users wish to receive email that will be computer-generated, such as confirmations of email purchases or newsletter subscriptions, they can use a special email address to automatically allow those emails to be sent directly to their inbox.
How long before that "special email address" which you're giving out to online retailers shows up on the spammer's list? We all know that online retailers and mailing lists never sell their email databases to spammers, right?
Unix is user friendly, it's just selective about who its friends are.
Looks like they were right, with two exceptions :-)
How so?
Well, try reading the top rated comments in the last Earthlink-does-challenge-reply business slashdot story. A few of the ideas that occurred to me (with varying degrees of seriousness/risk/whatever):
Please help metamoderate.
Just my thought here: Many states, maybe all, have made spam a crime.
But they have not been effective in stopping it.
Now, normally, when I am victimized by a crime, I am justified in defending myself. Mailblocks, however, is saying "You can't defend yourself against this crime, because we own the intellectual property for the methods of defense"?!?!
Okay, so whenever a new technology comes out, the mafia just needs to figure out (1) a way to victimize people (2) the best ways to defend against it. Then patent the defenses, and subsequently hit people from both sides.
Our government is coming to a real decision. Either defend IP and let criminals roam free, victimizing all and destroying the economy, or give up IP, and maintain order.
Meanwhile, Ralsky and his friends are going to be down at the patent office in a flash.
Something is rotten in the state of our legal system.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Unfortunately, Mailblocks does not cite their patent number and it is not listed under either of the principals' names.
Possible prior art:
Patent Filed December 1998....
US6546416: Method and system for selectively blocking delivery of bulk electronic mail.
Owned by Infoseek.
TMDA on Sourceforge, April 2001
I've seen this system used for the last several years. There are several cgi/pl scripts out there that email processors or mail clients would use to do the same function.
And lastly I'll never let a 3rd party process my email other than my ISP holding it on the servers there.
Recent articles haven't mentioned Digiportal or Mail Frontier, so it is possible that they have come to an agreement with Mailblocks.
Full article (dated 4/05/03) from the San Jose Mercury News.
I was wondering if anyone else noticed that. Glad I'm not the only one who thinks this is an obvious gaping hole in the system.
The addresses that it talks about are disposable. Mailblocks.com calls them "trackers". For example - my email address at mailblocks.com is draino@mailblocks.com, but I can add and delete as many trackers as I want. For example a tracker would look like - draino+something1234@mailblocks.com. The only problem with this is that some places are unable to validate a "+" as a valid character for an email address. A great example is Ebay.. I have now lost access to my ebay account because it let me change my email address to that, but it won't let me login. It deciphers the "+" as a blank space..
Mailblocks Inc. ... is pursuing this legal action to ensure its survival, says Mailblocks CEO Phil Goldman.
If I worked for a company whose very survival was based on patenting obvious things and suing other companies for using obvious things, instead of a software company, I would be very sad. I would be sad to find that I'm not competing with TMDA, but PanIP.
When are we going to take those idiots at the Patent Office out and shoot them all?
.. any collection of rational citizens could do a better job than they at rejecting the obvious.
Gods
Actually, I submit a local Hells Angel chapter could do as well.
See? Challenge-response. Worked perfectly.
There is no sig, there is only Zuul.
The "Trackers" are dynamic and can be turned off. I don't think that challenge response is ready for mainstream use, however if earthlink can get theirs working with the "average" computer user, then perhaps there is hope on the spam front.
I don't think that the dynamic Username+pin@mailblocks.com is as clean as other dynamic solutions for example the method used at cotse.net where the dynamic range is *@username.cotse.net. But that is just MHO. However for only 9.95 per year for mailblocks vs 5.95 monthly for cotse... I like absolute control and "expiring" addresses.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
I have registered the patent for "Any technological solution to anything. Ever." I expect to be really rich, really soon.
This looks like it's becoming another "unholy alliance" like the virus / anti-virus market. It's as if the net had no native problems, so people have had to think up some so they could sell solutions for them. I wouldn't care if there wasn't so much collateral damage to the net's reputation and so much extra effort on my part for "trash removal" in my corner of the net.
I'm a proud capitalist, but this is sickening. It's like embedding nails in the road to increase sales of tires and towing services. Surely if there were ever a "solutions market" that deserved to be trashed by OSS, this is it.
Go SpamAssassin and Mozilla!!
So now somebody can patent a spam-blocking technique, then bombard you with spam which you can't legally stop because they have patented spam blocking. Then a virus creator will patent virus detection and removal, so you can't legally eliminate their viruses. And they can do the same thing with ad blocking, firewalls, and the list goes on.
The evils brought on society by software patents far outweigh the good brought by the 1% of useful software patents.
---------
There is inferior bacteria on the interior of your posterior.
DDOS against whoever's name happens to be in the From line of a spam
I am very happy with Mailblocks' challenge-response system. Their webmail based system is blazing fast and just plain works well. I can drag and drop emails to different folders, etc. The account is also a regular IMAP account so you can just pop their settings into your regular email client. However, a couple of companies (namely some online casino and 1-800 Flowers) managed to get through the challenge-response. I have a hard time believing that someone from 1-800 Flowers waded through all of the bouncebacks and performed the challenge response. It's very possible but not likely. So that sounds fishy to me. I hope they stick around, I really like the service. Having a really fast/cheap 50MB IMAP account that I can check from anywhere with a web browser is pretty slick.
Freemasons (similar to the Stonecutters in an episode of The Simpsons) have recently licensed the Challenge-Response technology developed by Mailblocks.
"We saw a need for technology allowing our brethren to recognize one another. The use of Challenge-Response in the form of Secret Handshakes (tm) seemed to be a good way to go about it", says an anonymous member of an unidentified lodge.
Some masons did express concerns, however, regarding the potential spread of cooties and other infectious diseases through the use of this recognition system.
In case anyone hasn't noticed, this is basically what a "bounce" message does. The challenge of figuring out what caused the bounce and how to get around it not only makes you prove that you are human, but that you can think. Bounces caused by DNSBLs make you prove that you know how to send email from some place that doesn't send spam or have an open relay/proxy.
SPF support for most open source mail servers can be found at libspf2.
Let me put it this way: be happy that I don't write email harvesting tools and spam sending tools.
One day I asked myself "can I defeat the email obfuscation many people use?" I downloaded one /. discussion page, it contained circa 100 email addresses. 90% of those were obfuscated in some way or another. After 20 minutes of perl, I could defeat 75% of the obfuscation methods. And yes, there was a case of a valid email address that got "deobfuscated" and therefore rendered useless. How would I go about this? Spam the emails in the database, check the bounces. Deobfuscate the bounces, reinsert in database. After a couple of rounds, mark the address dead.
Spam sending tools? Defeating the challenge-response systems in use is almost trivial. You get a cookie, you send the cookie back. The only trick is _finding_ the cookie. For some of the systems, it's trivial, since they have been designed with ease of use in mind: just quoting the whole thing and sending it back does the trick.
You really need authenticated email to defeat SPAM once and for all: it's getting to the point where I will accept only email which is cryptographically signed by signatures that I have signed myself or in the general case, by signatures which can be traced to me. People who don't have such signatures can receive temporary certificates, but they have to _sign_ the damned thing. Eventually it will evolve into accepting IPSec connections from machines that are trusted. Mailing lists? I don't care about email in mailing lists. I care about my inbox.
- Does it surprise anyone that the CEO of the company bringing legal action is a former Microsoft exec? It's clear that Mailblocks is more interested in making money than in fighting SPAM. I can't say I blame them for that, but it's a shame that they're attempting to suppress useful technology in order to eliminate competition. In fact, the MSNBC article alludes to several other similar lawsuits brought about by the same firm. Survival via settlement, just like the article said.
- Limiting SPAM using challenge/response would be far more effective on the whole as a draft RFC that any MTA (or add-on) could implement, rather than a closed system that even individual developers can't duplicate for fear of a lawsuit.
- Opinion alert: The problem of SPAM is far more important than the problem of keeping one startup in business. Those on the anti-SPAM side of the "war" argue about how to define SPAM, how to combat it when it occurs, and sue each other over who thought of it first. (I personally discovered long ago that if you let a group of technical folks argue the technical merits of a solution until the end of time, they will.) Thus, the spamming minority continues to win, because they don't have anything to fight about -- they just keep pounding out those weight loss and penis enlargement ads. Sue the damn spammers, not other spam-fighters.
- Challenge/response isn't exactly new or exciting, even as applied to e-mail. How about PGP? It already provides the ability to authoritatively assert the identity of a sender and recipient. The only missing link is what to do with a rejected or non-PGP signed message. Couldn't generating a keypair be made as simple as the ch/resp method Mailblocks uses? The implications of trust levels as implemented in PGP are profoundly interesting too. Generating an initial whitelist becomes far more useful once you can say, 'I trust all my senders, and all my mother's senders, and all of Uncle Joe's senders...' IANAP*, but it seems like an idea that would work!
* - I Am Not A Programmer
That being said, it is every ISP's job to do whatever they can to block whatever spam that might hit their users. I certainly don't pay my isp to let spam pass through. To put it another way, I don't pay my DSL provider for crappy service, outages, and ping fluctuations. Same thing here, only there's a company that sees a big name like Sprint but only sees $$$.
Uhm...
> From: your@friend.addy
> Subject: Hey there
>
> You've been spammed! Ha! Ha! Ha!
no, really. It works that way.
- increased load on mail servers
The load increase is manageable. Challenge response would only need to happen a small percentage of the time for valid email. For spam, yes up to 1 email would be sent per spam recieved. I think the internet can handle that. It's not like there are going to be large attachments or anything.- everyone's challenge-response system will be different and incompatible
That's the whole point of the challenge response system. The idea is that the message can only get though if an actual person is willing to sit there and read how to make it get through. If if isn't worth this unknown sender's time to figure out how to make the email get through, they're probably just wasting my time anyways.The other idea would be to make the response be the results of a computationally expensive task. With a new RFC, the format for this could be standardized, and it could all be made totally invisible to the user. Since CPU power costs money, it would still be effective at reducing spam.
- businesses won't be able to send legitimate automated email(shipping notifications, confirmations, etc.) because everyone will be using different challenge-response systems. You think the average earthlink user is going to be smart enough to even REALIZE they need to whitelist a business, much less what address?
First off, they can just whitelist the whole domain of the business. Hey, they could even tell it to auto-whitelist any email addresses in that domain from which they receive email in the next 2 hours. Second, yes I do think people will be able to maintain a whitelist. Using a whitelist would be voluntary, so if you can't use it, you don't have to. Once they get fed up with the amount of spam they're getting, it will provide them with enough incentive to learn. Most people can learn how to do simple things with their computer, they typically just don't see it as worth their time to do so. Besides, you could make the whole "it's hard to use" argument about the WWW itself. People just eventually decided it was worth learning to use.
- Loops when dealing with any of the dozens upon dozens of mailing list software, autoresponders, and legitimate automated email systems.
Other than implementing some basic sanity checking, these would be flaws on their end of the system. There should be no message I can send an automated mail system to make it go apeshit. All the challenge response software would need to do is ignore replies that weren't even attempting to respond correctly. This could be done for N hours after receiving the first message from a source.
The only really big problem I can see is what happens if someone sends out spam with your email address. It seems like a potential DOS-style attack. It seems that there's an obvious solution to this: Add a standard string to be included in all response requests.
This way your mail software can check to see if you've sent mail to that address, and ignore it if you haven't.
I looked at the comments in that story, but I still don't see why this idea is half baked. One of us must be missing something.
Life is too short to proofread.
Call me crazy but I'll ask anyway. Since everyone is so gung-ho about how evil software patents are,
imagine for a moment that software patents were abolished. Do you think companies and people would continue to innovate software? Or do you think software development would stop? What would be the consequences to industry? Would the economy collapse due to a severe outage of software companies (The entire world has a huge stake in it, anyone know the numbers and percentages? percentage of GDPs?) ? What about the Hardware Manufacturing companies? How would they be impacted? Inquiring minds want to know.
"Last one in is a rotten goblin!" - Kepp
- Load on mail servers should go down, as it is less overhead to look up if sender S is on recipient R's white list already than it is to run 75 content filter algorithms and compute the score, etc. And you can do it before you actually accept the body of the email.
- Your second point and your third point don't play together well -- if they're all different, it makes it much harder for spammers to reply to them.
- If spammers figure out how to reply to them, they at least have to start using reply addresses that work to the first order; a first step to other forms of remediation.
The later points are fixable:
- When you make your first order with the company they send you your email confirmation, and they have to have a person reply to the responder that first time. From then on they can email you. A person is generally involved with the order anyway, so it isn't that much overhead.
- You make a whitelist reply have headers like any other delivery error report. People have been sending bounce e-mails for decades, and RFCs describe how to avoid bounce-bounces.
Of course, to work at all the system has to work in a symmetric situation -- you must automatically whitelist folks to whom you send e-mail, otherwise you can't receive their auto-responder query...
The thing to do is bring up issues in designs like this that might be a problem, and try to solve them; not to say "It's a bad idea because I can think of 20 potential problems".
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
So, a patent can tell a company to stop doing something even if they develop it themselves?
:)
I'm curious.
If you patent A, then I come up with A on my own time, for use in my own company, you can still tell me to stop using it?
I mean, I guess Earthlink is advertising that they're going to be using a challenge/response system, but they're not selling it, are they? I don't understand how the patent system even applies here.
Someone help, my head hurts.
# increased load on mail servers
.001%. Most challenges will bounce.
No, decreased load on mail servers. Spam comes in. A challenge is sent and it bounces (due to the spammer having forged an address). The spam is discarded, saving space on the server. If the server is smart, it will automatically discard all bulk e-mail purporting to be from that address. The user retrieves their e-mail and that traffic does not include the discarded spam. Spammers, recognizing the futility of sending spam to challenge-response mail servers, will stop spamming that domain.
# everyone's challenge-response system will be different and incompatible
Since a human being has to follow the simple instructions in the message, that is not a problem. You don't want something that is easily scripted anyway.
# spammers will figure out how to reply to them
Only if the spammers give a legit return address. And how many of them do? Probably less than
# businesses won't be able to send legitimate automated email(shipping notifications, confirmations, etc.) because everyone will be using different challenge-response systems. You think the average earthlink user is going to be smart enough to even REALIZE they need to whitelist a business, much less what address?
That's a legitimate concern, but one which can be addressed by ISPs creating whitelists of trusted businesses. The businesses, in order to be able to continue getting legitimate e-mail through, will not spam and risk being removed from the list.
# Loops when dealing with any of the dozens upon dozens of mailing list software, autoresponders, and legitimate automated email systems.
That's a very legitimate concern. One way to deal with it is to send one challenge per sender/recipient. In other words, mailing list A sends e-mail to you. A challenge is sent. No response is received. Mailing list A continues to send e-mail to you. Because they are not whitelisted and because they did not reply to the original challenge, the e-mail is discarded/refused.
Challenge-response is a very good way to deal with spam, though I am sure that there will be some setbacks here and there. Overall, I think that it's a very reasonable idea.
I am writing a project called "honeymail" ( http://lucifer.intercosmos.net/index.php?display=honeymail )
I am now thinking maybe I should look into a few of the laws before I get to release 0.1
anime+manga together at last.. in real time.
Yes. Patents are agnostic about whether they were developed independently or not. The only thing that matters is who filed first.
I'm sorry. This is a definite prior-art by truly me.
We all gain, and MailBlock loses.
http://www.angel.net/~nic/spam-x/ (with revision history dating back to 2001).
The only thing that it doesn't address is the potential for a spammer to bulk-mail accept-list confirmations prior to or as part of their mass-mailings.
So maybe use a digest of the headers to ID the original message, recover the e-mail address from it, and add it to the whitelist?
Internet Explorer was unable to link to the Web page you requested. The page might use standard HTML or CSS.
Well, there have to be hundreds of ex-MS VPs. They had to end up somewhere. (Hell, there's probably hundreds of current MS VPs.)
One line blog. I hear that they're called Twitters now.
the internet might NOT be able to handle that. (but i do think the challenge/response system has potential...)
from http://www.gallup.com/poll/releases/pr030520.asp: The basic facts are staggering. Internet service provider Earthlink estimates that 40% of the e-mail that comes through its system is spam. Brightmail, a spam prevention company, says that 45% of e-mail sent is spam. AOL claims that 70% to 80% of its incoming e-mail is spam. Jupiter Research reports that the average e-mail inbox gets 42 spam messages a day. USA Today quotes an estimate that more than 2 trillion pieces of spam are expected to be sent over the Internet this year. That's trillion with a "t."
It just seems to me that this method will only be effective for a short period of time. Eventually, as this technology becomes more prevalent, the spammers will develop a way to have their mailers expect this challenge/response, and be designed to respond appropriately. Until something better can be devised, I will continue to use three email addresses (hotmail for signing up for various websites, my ISP account for any billing info that requires an email address, and my personal address for friends and family) - Funny how the only spam I get is from in my hotmail box.
Just pay thousands of third world children .002 cents for every email they "authenticate."
Or, with computer vision growing in leaps and bounds this too would eventually be replaced by a computer with a $20 web cam and some nifty software.
Anyone remember the guy who wrote a program to let his computer play Tetris by taking screen grabs?
Apple free since 1990!
In this country, and probably many others, software cannot legally be patented. I am not an expert, but I would guess that this means software patents granted in other countries are not enforceable in the UK - and therefore no offence would be committed using "patent-violating" software here.
Governments should, if they don't already, have the power to annul any patent, and that power should be exercised against abusers of the system.
Meanwhile, if your ISP offers virtual hosting, you can always use disposable addresses. (well - at least until the spam merchants twig onto that). This is my attempt at disposable addressing.
So whose patent does this violate?
Je fume. Tu fumes. Nous fûmes!
Halt, who goes there?
Public executions, first offence, for spammers.
Broadcast immediate, ALL channels, satellite, cable, OTA, AM/FM. ALL channels.
We interrupt this broadcast for another public execution of a spammer and as a bonus execution, three patent lawyers. Please stand by, after the executions you will be returned to your regularly scheduled programming.
Thank you."
That's a legitimate concern, but one which can be addressed by ISPs creating whitelists of trusted businesses.
Think so?
Quick - list all of the businesses that all earthlink subscribers will do business with this year. Don't miss any.
that's good info
I never finished implementing the system (I wrote my dissertation instead) but still have a midsized collection of emails about it.
Challenge/response has got to be "obvious to one versed in the art" -- I can think of at least three other people at Stanford who had the same idea at about the same time.
Challenge-Response authentification routines in place, but not activated, years ago, can you say in 1993? Besides, the CONCEPT of challenge-response is older than dirt! "Halt!!, Who goes there?!" "Able Baker Carley!" "What is the password!?" "Blow Me You Patenting Bastards!" "That was the improper response!" BANG BANG. So some yokel in the patent office let this shit slip through? Naturally, they are public servants.
I hacked together a challenge-response system in Perl without too much trouble about a year ago. Hardly rocket science.
I don't use it any more, though, since I neglected to whitelist a mailing list and got an angry response... it's not worth the hassle. I just use a whitelist, and every so often I manually check if anything has slipped through... works nicely.
$obligatory_hotmail_spamming_rant
I'll bet the patent office wouldn't allow you to patent just plain pleading innocent or guilty.
However I'll bet that they would allow "method for pleading innocent to an internet lawsuit"
subject says it all
There would be a spike of traffic, since every spam would generate a challenge, but that would roll off in reasonable time as spamming became a less attractive marketing tactic.
How hard is "Did you send this? Reply if you sent it." ? Seems like the only variance would be whether you reply, or whether you click a special link. You don't have to be a rocket ship, you know.
I'd like to see how they do that. Short of logging into my hotmail and yahoo accounts and manually replying, they couldn't do it.
For all but the order confirmation and mailing list cases, challenge-response is quite workable. For the latter two cases, I recommend special email accounts. I create an email account for each mailing list I join, and I have another account I use when ordering products online.
.sigs are for post^Hers.
And I suppose spammers won't start parsing the disposable addresses?
"Last one in is a rotten goblin!" - Kepp
Back when I was in the Army I clearly remember learning the "Challenge" and "Response" system. "Halt, what's the password"? If you get the correct response, you let them in, if not, kill them.
Kind of seems like the same thing huh?
The opinions expressed here are not mine, but those of these dang voices in my head.
Innovation was starting to suck anyway.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
Sadly the spammers already have prior art, and I wouldn't be surprised if they also have these patents hidden away somewhere.
Any UBE suppression scheme which generates more mail messages is a perverse idea. After all, we all want to receive less irrelevant mail, not more.
(This is basically a rehash of some other idea that's been around a while... I can't quite remember which one.)
John_Chalisque
Since a human being has to follow the simple instructions in the message, that is not a problem. You don't want something that is easily scripted anyway.
And how do you propose this will work with businesses that deal with hundreds or thousands of customers each day? You have to come up with some way to deal with that little problem.
That's a legitimate concern, but one which can be addressed by ISPs creating whitelists of trusted businesses. The businesses, in order to be able to continue getting legitimate e-mail through, will not spam and risk being removed from the list.
And if you have default whitelists, what's to prevent the spammers from forging a whitelisted sender? You could of course build into the new standard that all mail should be GPG/PGP signed, but that's a serious amount of overhead for an automated business server to handle.
I don't think call/response will fly as it's currently designed. I think a system where only servers with certificates are allowed to propagate mail would have a better chance of success.
If a server is found to be propagating spam, it can simply have its license centrally revoked.
You could make it into a system similar to DNS and only allow mail from registered and signed MXes through.
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=/netahtml/search-bool.html&r=4&f=G&l=50&co1=AND&d=ptxt&s1=5443036&OS=5443036&RS=5443036
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=/netahtml/search-bool.html&r=1&f=G&l=50&co1=AND&d=ptxt&s1=5443036&OS=5443036&RS=5443036
The CR patent reminded me of silly patents like this.
Enjoy
SPAM solution made easy: 1 spammer, 5 cords of rope, 5 horses, and fireworks. Be creative.
Try to order something online, where your confirmation is mailed to you, or be a member of a list, and then get back to us on how well this works.
"Remember, the US is the land of the free, well free as long as you don't wanna be a communist or a list of other stuff."
These are the guys who think it was fine to execute 80,000,000 civilians during the 20th century, and to try to enslave the ones that are left. Good riddance.
"Their entire system is based on greed and the selfishness of becoming as rich as the next guy above you."
Working for what you get is not greed.
Quick - list all of the businesses that all earthlink subscribers will do business with this year. Don't miss any.
I can't. No one can. In the short-term, ISPs will need to create lists with the big guys (amazon.com, walmart.com, ebay.com, etc.). As smaller businesses note that automated e-mail is being rejected, they will have to contact the ISPs to get on the whitelist.
It would be market-driven. ISPs that use challenge-response systems will have to develop good whitelists or customers will leave for ISPs that have better ones. Businesses will not want it to be difficult to communicate with customers and will actively try to get the ISPs to whitelist them.
I expect that companies like TRUSTe will eventually start handling the process of maintaining trusted business lists and the ISPs will use their services.
I have no doubt that, in the short run, there will be some problems. In the bigger scheme of things, I think that these problems will work themselves out.
You are forgetting that spam is quickly becoming the MAJORITY of email being transferred. As you said, 1 challenge/response mail is being sent for every spam received. Challenge/response DOUBLES the number of spam, and since most spam isn't too big it's not impossible that challenge/response would double the VOLUME of traffic attributable to spam.
Whether the Internet can *handle* it isn't the issue. The issue is that you are INCREASING useless traffic instead of reducing it and I don't see where that helps anyone, and certainly not ISPs or backbone providers.
The only really big problem I can see is what happens if someone sends out spam with your email address.
So this great challenge-response solution essentially doubles spam traffic (by generating 1 useless C/R request for each spam received) and has the potential for creating a new way to DDoS an email user.
Sorry, but C/R is really obsolete technology.
Seriously, My company (atqui.com) filed a patent some time ago on challenge/response as a defensive measure. The application was pulled due to a wealth of prior art that we came across. If anyone is looking for information concerning this, let me know and I'll see what I can provide.
No... It's obvious that the spammers are winning because... they have big penisses. We can't do anything because of our tiny little penisses. Spammers have huge, gargantuan penisses. That's why they're winning (Apologies to South Park...)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I can't. No one can.
:o)
That was pretty much my point.
As smaller businesses note that automated e-mail is being rejected, they will have to contact the ISPs to get on the whitelist.
Or: the customer gets pissed off at the ISP for blocking their email confirmations.
Or: the company doing the emailing sues the ISP for interfering with their business... hmm, maybe you covered that with this:
Businesses will not want it to be difficult to communicate with customers and will actively try to get the ISPs to whitelist them.
Want to see something really ridiculous?? Regardless of what challenge system is used it's hard to get around this one... 6,421,709 "A system and method of filtering junk e-mails. A user is provided with or compiles a list of e-mail addresses or character strings which a user would not wish to receive to produce a first filter. A second filter is provided including names and character strings which the user wishes to receive. Any e-mail addresses or strings contained in the first filter will be automatically eliminated from the user's system"
I wonder what I could patent. "A motorized vehicle designed to carry passengers or cargo" I'll sue the hell out of Ford for violating my patent.
True, patent law makes no explicit distinction about independent invention, but I can see independent invention being used as evidence that the invention was obvious. The USPTO isn't supposed to grant patents on obvious inventions, but...
Will I retire or break 10K?
Seems strange that you can sue someone over blocking spam. If Earthlink is protecting their customers, where does Mailblock even have the right to sue? Is it Mailblock that is spamming people and then forcing them into a corner to use their software to stop it? The conspiracy has just begun ... but the truth is out there. Or maybe not.
Paidstamp Source code has been placed on our GotDotNet Workspace
We do have a wish list for this to be developed and free, in other languages, and have the ui be simpler for first time users. See flowchart if interested in doing it for other languages as it has the basic flow of our initial project.
Hopefully you Open Source community can develop this, before someone else tries to take the idea over and Market it as theirs. Although by me putting this out, I think we have some documentation on prior art.
Anthony Loera
Brainclone Enterprises
No, increased load. Instead of dealing with one spam, you receive the spam, send out a useless C/R email (creating load on a third server), and then get a bounce back again requiring time to deal with on your mail server.
The spam is discarded, saving space on the server.
Disk space is cheap compared to bandwidth and CPU load dealing with all of it.
Spammers, recognizing the futility of sending spam to challenge-response mail servers, will stop spamming that domain.
Either that or a spammer will set up an account at Yahoo, send an email to the targeted user, will receive the challenge, will respond, and then will spam the target using that "From" address--and maybe even pass the "unlocked" Yahoo address to other spams who will send in a ton of spam taking advantage of the fact that it is currently open. The target eventually logs in, downloads a ton of spam and nukes the newly-unlocked Yahoo address... but the spam still made it through.
Or, another possibility... Spammers may deduce commonly unlocked email addresses. Perhaps a full 1% of users have unlocked "Support@microsoft.com" and another 1% have unlocked "list@bigmailist.com." So instead of dealing with the challenge response, spammers will just send the same email to each user with a hundred different "commonly unlocked" email addresses. So you'll get spam with forged email addresses that are often unlocked, and instead of a spammer sending the user the email once he will attempt to send it 100 times.
This second approach is what I think the spammers' response to challenge/response would be. They'd make a good guess at the most commonly whitelisted addresses and just send email to the user from all those addresses in the hope that at least one gets through.
So much worse than doubling spam (by sending a C/R response for each spam), you may have increased it by an order of magnitude by giving spammers an incentive to send the same spam multiple times from different forged addresses hoping that at least one is unlocked...
C/R is an unworkable solution to spam.
I saw an interesting system, I forgot where though. For registration for an account, there was an image that had text in it, but was offset, crooked, and had crooked lines through it (IE hard for a machine to OCR the image). The registrant was asked to type in what they saw to register. Simple enough for most people that do have a graphical browser. It doesn't have to be in the email as an image, but in a link somewhere else.
> > challenge-reply is a VERY half-baked idea.
>
> How so? It seems like a great solution to me.
1. You use a challenge-response system.
2. I use a challenge-response system.
3. You post a message in usenet.
4. I reply (privately) to your posting.
5. Your challenge-response system challenges me.
6. My challenge-response system challenges yours.
7. Your challenge-response system challenges mine.
8. My challenge-response system challenges yours.
9. Your challenge-response system detects a loop and discards
further messages from me without notice.
Marc
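The mutual-challenge loop in the numbered scenario above, run against the two rules other posts in this thread propose (automatically whitelist anyone you write to; give challenges bounce-style headers so they never draw an automatic reply), as an added example that is not part of any post here. The class, the `X-CR-Token` header, the addresses and the keys are all constructed for illustration; the HMAC token ties a confirmation to one sender and one held message, so confirmations mailed in bulk ahead of time are rejected.

```python
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import parseaddr


class ChallengeResponseFilter:
    """Challenge-response state for one mailbox (hypothetical design)."""

    def __init__(self, owner, secret):
        self.owner = owner.lower()
        self.secret = secret      # per-mailbox key used to derive challenge tokens
        self.whitelist = set()
        self.pending = {}         # sender -> (message_id, [held messages])
        self.quarantine = []      # automatic mail from unknown senders, never challenged
        self.challenges_sent = 0

    def _token(self, sender, message_id):
        # Digest over sender + Message-ID identifies the held message being confirmed.
        data = f"{sender}\n{message_id}".encode()
        return hmac.new(self.secret, data, hashlib.sha256).hexdigest()[:20]

    def note_outbound(self, recipient):
        # Symmetric rule: anyone the owner writes to is whitelisted.
        self.whitelist.add(recipient.lower())

    @staticmethod
    def _is_automatic(envelope_from, msg):
        # Null envelope sender (bounces), Auto-Submitted (RFC 3834) or bulk precedence.
        if not envelope_from:
            return True
        if msg.get("Auto-Submitted", "no").strip().lower() != "no":
            return True
        return msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}

    def receive(self, envelope_from, msg):
        """Return (action, challenge message or None)."""
        sender = (envelope_from or parseaddr(msg.get("From", ""))[1]).lower()
        if sender in self.whitelist:
            return "deliver", None
        if self._is_automatic(envelope_from, msg):
            self.quarantine.append(msg)       # never answer a machine with a machine
            return "quarantine", None
        if sender in self.pending:            # one challenge per sender, not per message
            self.pending[sender][1].append(msg)
            return "hold", None
        message_id = str(msg.get("Message-ID", ""))
        self.pending[sender] = (message_id, [msg])
        self.challenges_sent += 1
        return "challenge", self._build_challenge(sender, message_id)

    def _build_challenge(self, sender, message_id):
        challenge = EmailMessage()
        challenge["From"] = self.owner
        challenge["To"] = sender
        challenge["Subject"] = "Please confirm your message"
        challenge["Auto-Submitted"] = "auto-replied"
        challenge["X-CR-Token"] = self._token(sender, message_id)  # hypothetical header
        challenge.set_content("Reply with the token to have your message delivered.")
        return challenge

    def confirm(self, sender, token):
        """Release held mail if the token matches a pending challenge."""
        sender = sender.lower()
        if sender not in self.pending:
            return []                         # confirmation nobody asked for
        message_id, held = self.pending[sender]
        if not hmac.compare_digest(str(token), self._token(sender, message_id)):
            return []
        del self.pending[sender]
        self.whitelist.add(sender)
        return held


def make_message(sender, recipient, message_id, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Message-ID"] = message_id
    msg.set_content(body)
    return msg


def simulate_private_reply(symmetric_whitelist):
    """Both sides run the filter; one writes privately to the other (constructed data)."""
    marc = ChallengeResponseFilter("marc@a.example", b"constructed-key-1")
    you = ChallengeResponseFilter("you@b.example", b"constructed-key-2")
    if symmetric_whitelist:
        marc.note_outbound("you@b.example")
    reply = make_message("marc@a.example", "you@b.example", "<reply-1@a.example>", "Re: your post")
    first_action, challenge = you.receive("marc@a.example", reply)
    # The challenge travels with the null envelope sender, like a bounce.
    back_action, counter = marc.receive("", challenge)
    forged = you.confirm("marc@a.example", "0" * 20)
    released = you.confirm("marc@a.example", challenge["X-CR-Token"])
    later = make_message("marc@a.example", "you@b.example", "<reply-2@a.example>", "More")
    return {
        "first_action": first_action,
        "back_action": back_action,
        "counter_challenge": counter,
        "total_challenges": marc.challenges_sent + you.challenges_sent,
        "forged_released": len(forged),
        "released": len(released),
        "followup_action": you.receive("marc@a.example", later)[0],
    }
```

With `symmetric_whitelist=False` the incoming challenge is quarantined rather than delivered, but it still draws no counter-challenge, so the exchange stops after one challenge either way.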
http://about.mailblocks.com/challenge.html
...
Those pictures look AWFully like the subway posters advertising Lavalife.com
muhahahah Pit copyrights against patents!!
Mailblocks, Inc. is a new class of Web-based email service for consumers founded in July 2002 by Phil Goldman, a former Microsoft vice president and a founder of WebTV.
That "technology" is a couple of decades old--people used to use awk scripts to do that kind of mail processing. Well, what can you expect from a former Microsoft VP.
Let's hope Earthlink does their background research rather than rolling over for such a ridiculous patent.
Some points.
1) They have a right to try to make money but there is so much prior art in this, it is obvious this lawsuit is designed to delay the inevitable. They are killing good will
2) Somehow I don't see much difference in this lawsuit and lawsuits where spammers try to block their business to protect their own business.
3) I love your product, you are cutting edge and are a showcase for completely blocking spam and you are convenient and worth the $11 a month in my book, but if you piss me off as a customer, I will move to TMDA and never evangelize your product again.
-Nuke the moon
The passwoid is "Ken Sent Me".
Do daemons dream of electric sleep()?
And how do you propose this will work with businesses that deal with hundreds or thousands of customers each day? You have to come up with some way to deal with that little problem.
They call the ISPs and get put on the whitelists. No more challenges.
And if you have default whitelists, what's to prevent the spammers from forging a whitelisted sender?
The whitelist could be IP address list based (e.g., amazon's IP range would be whitelisted rather than Amazon's domain name). Also, the threat of tangling with, say, Amazon.com's attorneys would make most spammers hesitate to forge "customerservice@amazon.com".
I think a system where only servers with certificates are allowed to propagate mail would have a better chance of success.
And then Verisign could charge between $350 and $800 per year for a certificate -- like they do for SSL web server certificates now. Microsoft and Netscape would include only certificate authorities that paid them enough money to be included as "trusted." And mail servers run by individuals, small non-profits, and even some small businesses would disappear.
Who would police the list? Who would be authorized to revoke certificates? How would you handle it when someone forged spam in an effort to get the certificate pulled? How would you handle it when some small group in Ghana wanted to run a mail server? Who would vouch for them and say that the mail from there should be trusted? What happens when the small server in Ghana happens to be something that Ralsky set up, knowing that he could spam for days before being investigated by the certificate authority?
I hope that we never see an all-controlling entity that, in essence, "licenses" mail servers, presumably for a fee. That's way too much power to put in the hands of any organization.
Spamgourmet kind of allows such an idea, by allowing a section of the false e-mail address to be anything, like
name.anythinggoeshere.number@spamgourmet.com
In the case you describe, multiple bypass codes could be used, and whichever one is misused has a good idea of who gave it away.
The same idea I have seen used with normal mail, by either adding a dept or a C/O.
They could just make their spam look more like mailing list messages.
Spammers already disguise their spew as newsletters.
Hotmail solves the problem of discussion lists by letting users whitelist specific addresses as mailing lists, and then (I'd assume) it tweaks the spam filter in response. For instance, it has probably already whitelisted the IP addresses of sourceforge.net, yahoogroups.com, and other popular discussion list service providers.
Will I retire or break 10K?
The company is no longer around (but I'm sure someone still owns the patent), but NetExchange used to do this in the 1997-1998 timeframe. If I recall correctly, they even held a patent (or maybe a patent pending) on the concept. So there is definitely prior art here.
businesses won't be able to send legitimate automated email(shipping notifications, confirmations, etc.) because everyone will be using different challenge-response systems. You think the average earthlink user is going to be smart enough to even REALIZE they need to whitelist a business, much less what address?
There's no need to whitelist whole domains, etc. The Mailblocks (and Earthlink) implementation allows you to create alias addresses to give out. You can give them to companies and e-mail coming to those aliases will bypass your whitelist. If you see an alias is being abused or distributed it's a very simple matter to remove it and you'll never see spam coming from them again. They also suggest them for 1 shot e-mails where you need to provide an e-mail to receive registration info, but don't want future e-mail from them.
You get the convenience to receive all your e-mail in one box without the risk of giving out that e-mail address to unknown / untrusted parties. And the ability to cut them off if they get out of hand. Seems like a great idea to me. I hate checking 3 separate e-mail accounts because I don't want to give out my personal address to corporations who might just decide to change their privacy policy and opt you into a bunch of things you don't want without your consent. (a la Yahoo!)
Or: the customer gets pissed off at the ISP for blocking their email confirmations.
-- and the customer leaves, going to an ISP that has a better, more comprehensive whitelist. This will encourage ISPs to actively try to keep their whitelists up to date and comprehensive.
Or: the company doing the emailing sues the ISP for interfering with their business.
On what grounds? Your ISP has no contractual obligation to some business trying to send you something. They can accept or reject any e-mail that they choose. They could reject all e-mail from SCO just because they are pissed off about the recent lawsuits. They could reject all email from the RIAA because I don't like their lobbying efforts. Unless the RIAA and SCO had contracts with your ISP guaranteeing delivery of their e-mail, your ISP is within their legal rights.
Spamming is, unfortunately, not illegal. Would you feel that a spammer had grounds to sue an ISP that didn't deliver penis enlargement ads sent by the spammer? That's "interfering with their business", disreputable though that business may be.
All valid points, but the thing is that this would only involve the servers themselves. In essence, it could be tied to the DNS system, so that only MXes are allowed to propagate mail with reverse checking to prevent spoofing.
The signing would be part of the domain registration process, providing the registree with a license to propagate mail with their server. If found guilty of spamming, that license could be revoked.
This would of course require fundamental changes in the way the internet is built, but if spam is such an enormous problem (personally I get one or two spams per month without filtering), then maybe it's time for extreme measures?
I suggest searching for "spam" on the USPTO site under current patents. It is depressing. Every conceivable 10 line Perl or awk hack that people have been using for filtering spam has more or less recently been patented.
For example, patent no 6,167,435, applied for in 1998, patents E-mail verification for mailing list subscriptions. I couldn't find the Mailblocks, which would at least have to reference 6,167,435 as prior art, which leads me to believe that it hasn't been published yet. Patent attorneys may be stupid or brazen enough to ignore decades of actual practice, but they wouldn't ignore another patent.
Mailblocks itself is an anachronism--a bubble-era startup with no realistic business proposition, financed, in this case, by the winnings from the founder's previous dotcom. Most likely, Microsoft will buy them out to own the technology for Hotmail. If not, they will keep suing people until somebody does buy them.
While tons of us know of prior art on things like this, I've seen (to my surprise) some patents dating back 10-15 years. Things I think that are obvious ideas -- well someone else thought of it 15 years ago. I didn't read through every word of the articles, but just because the company is new doesn't mean they didn't buy the patent from someone who filed it ages ago.
The interesting question comes up is how this relates to SBC's phone number blocking technology, distinctive ring technology and additional password technology (or going through 'voice mail') to reach the recipient's voice mail box.
I.e. -- How about a voicemail type maze for emailers -- please return your message with option #1 selected if you want more info on my mental condition,
please select option #2 if you want the P.O. Box to send free money to, please select option #3 to leave a message for my dog or select option #4 to route your message to me.
Now you have an automated email-response exactly like many voice mail systems (well, many voice mail systems are worse). But wasn't there a ruling that simpoly taking a real-world process and using it on the computer wasn't sufficiently unique to qualify for a patent?
We've got to contact our congress critters and let them know that software patents are just plain 99% abused.
Sigh...
-l
I'm sure others out there have prior art to present in this - particularly TMDA.
My own anti-spam system, which will be launched very soon (sorry no link, my dev server couldn't survive a slashdotting), also uses challenge-response. The predecessor of this also used challenge-response, and has been in use for around three years, "publicly" at least in the sense of the many thousands of people and spammers who interacted with it.
Any suggestions how I ought to present this to the patent and/or lawsuit people? Sure it would be helping a competitor, but I feel it's the right thing to do.
This Like That - fun with words!
Sounds like everyone has written something like this at some time. I've been using MapSoN ( http://mapson.sf.net ) along with SpamAssassin for quite some time. MapSoN is a basic challenge/response type of system. It's not 100% perfect, but then that's where SpamAssassin steps in.
I'm collecting prior-art for this.
.sig
If anyone has anything they think is relevant, please email a copy to prior-art@spamwolf.com
The relevant stuff (what I consider relevant) is being posted at http://www.spamwolf.com/patents/
The best candidate so far (IMO) is this post to news.admin.net-abuse.usenet on 1996-11-17.
I'd really like something prior to 1996-08-26 though.
I'm looking for anything prior to 1997-08-26 that;
compares the sender's address to a list of accepted senders; (friends list)
-and-
sends a challenge if the sender's address is not contained in the list
-and-
the challenge is designed to be answered by a person and not a machine.
-- this is not a
I don't think you're all that paranoid. Exactly the same notion came to my mind when I read the intro.
And this raises all sorts of interesting questions.
This would seem to be legal - has something like this been done before (that is patenting something to prevent someone else from using it) ?
Could such a patent be used with a GPL like (or even more inclusive) license? That is, you can't use the technology covered by this patent in a product unless you release any other technology you use in that product under a similar license?
Could the FSF use this kind of manoeuvre effectively?
How about using a patent as a punitive device? Perhaps by licensing a patent cheaply to a competitor of a competitor.
Grr.....
Sure, let's just forget about advancing the human condition by experimenting.
All ideas are half-baked at some time in their development.
While I agree with Sturgeon's second law,
I think I'll wait until after Earthlink's actually deployed something before deciding if it's 10% or 90%.
-- this is not a
No, increased load. Instead of dealing with one spam, you receive the spam, send out a useless C/R email (creating load on a third server), and then get a bounce back again requiring time to deal with on your mail server.
Then you delete all 142,675 copies of the spam, keeping it from being downloaded 142,675 times by your customers. Then spam decreases by 99.9% because spammers know that their messages don't get through. Use some foresight, man! Don't just look at the first 50 transactions. Consider the implications down the road. If spammers know that their messages will be blocked because of challenge/response mechanisms, then they will stop spamming that ISP.
Disk space is cheap compared to bandwidth and CPU load dealing with all of it.
There's a bandwidth and CPU cost for spam that is received. There's cost when it is received. There's cost when the customers retrieve it. There's cost when the e-mail clients retrieve images from the spammers' servers. ISPs like Earthlink recognize that keeping spam out of customers' mailboxes helps them attract more customers, keep the customers they have, and decreases their costs long-term due to the projected reduction in spam.
Either that or a spammer will set up an account at Yahoo, send an email to the targeted user, will receive the challenge, will respond, and then will spam the target using that "From" address--and maybe even pass the "unlocked" Yahoo address to other spammers who will send in a ton of spam taking advantage of the fact that it is currently open. The target eventually logs in, downloads a ton of spam and nukes the newly-unlocked Yahoo address... but the spam still made it through.
Or, another possibility... Spammers may deduce commonly unlocked email addresses. Perhaps a full 1% of users have unlocked "Support@microsoft.com" and another 1% have unlocked "list@bigmailist.com." So instead of dealing with the challenge response, spammers will just send the same email to each user with a hundred different "commonly unlocked" email addresses. So you'll get spam with forged email addresses that are often unlocked, and instead of a spammer sending the user the email once he will attempt to send it 100 times.
I run the domain anti-spam.org. I understand how spammers work. I know that spam would be economically infeasible with either of the methods you describe above.
You ignore the fact that the receiving server could easily determine, by IP address, that the mail purporting to come from "support@microsoft.com" or "enlarge_your_penis@yahoo.com" was, instead, coming from an open relay in China. Drop that connection and the problem is gone.
So much worse than doubling spam (by sending a C/R response for each spam), you may have increased it by an order of magnitude by giving spammers an incentive to send the same spam multiple times from different forged addresses hoping that at least one is unlocked...
If you sharply increase the number of times that a spammer has to try to get a message through, you make spam unprofitable. While he may be making money with a .01% sales rate, he won't be making it at .001%
C/R is an unworkable solution to spam.
You are incorrect. It is, in fact, an elegant solution that does not require legislation or a fundamental change to the e-mail infrastructure of the Internet.
In essence, it could be tied to the DNS system, so that only MXes are allowed to propagate mail with reverse checking to prevent spoofing.
Many large organizations use different servers for sending e-mail than receiving it. The SMTP servers that send e-mail for an ISP may not be listed on the MX records at all because they don't handle incoming e-mail for the domain.
If found guilty of spamming, that license could be revoked.
By whom? What worldwide authority would you trust to pass judgement on whether a domain was spamming? Would you trust the registrars?
This would of course require fundamental changes in the way the internet is built
But challenge/response does not require those changes and I expect that it will be very successful. I was advocating it years before the company that's claiming patent rights on it ever existed.
I sure hope this isn't a spoiler, because I haven't seen the movie yet. :\
Perhaps it is an idea to add a spoilerwarning checkbox and/or dropdown menu of the latest movies to the Post Comment page or moderation system.
And the same to the users /. account filter prefs.
Or is that also a patented filtering technology, perhaps?
Eventually some partially computer literate friend or family member will submit your spam free e-mail address to a web site.
My own dear sister just sent me an e-post card for my birthday. You know, the kind where you get an e-mail saying click here for your card.
Anybody got a good procmail Bayesian filter recipe?
Wrong. You should have said:
1. You use a challenge-response system.
2. I use a challenge-response system.
3. You post a message in usenet.
4. I reply (privately) to your posting.
5. Your challenge-response system challenges me.
6. My challenge-response system lets the challenge through, since sending someone email automatically adds them to your whitelist.
Life is too short to proofread.
Many large organizations use different servers for sending e-mail than receiving it. The SMTP servers that send e-mail for an ISP may not be listed on the MX records at all because they don't handle incoming e-mail for the domain.
Valid point. Basically I'm just mindstorming here, so I like the bubblepopping.
By whom? What worldwide authority would you trust to pass judgement on whether a domain was spamming? Would you trust the registrars?
Enough to give them money for my domains.
But challenge/response does not require those changes and I expect that it will be very successful. I was advocating it years before the company that's claiming patent rights on it ever existed.
And how would automated servers handle the sender verification without being bogged down? Or should my mother have to remember to whitelist companies she deals with before any server generated mail is sent?
vacation(1), Lotus Notes, Exchange, autoresponders, new mail sent to C/R system from someone that goes on vacation and the challenge gets delayed.
I leave you to figure out the implications of infinite loops.
I can throw myself at the ground, and miss.
- MailBlocks is owned by Phil Goldman, the WebTV millionaire .com millionaire, and former employee of Apple, General Magic, and knows what patents are worth, so he did a patent search
6 5843.htm
- Phil Goldman is skilled in the art of computing, and so he _obvious_ly thought of using a Challenge/Response system for stopping Spam.
- He's a
- Found patent 6,199,102 (Granted March 2001), and bought it from Christopher Alan Cobb
- Found patent 6,112,227 (Granted August 2000), and bought the owner, Jeffrey Nelson Heiner, who signed over all rights
- Patents are "one of the largest expenses that we (at Mailblocks) have."
- MailBlocks has also sued Spam Arrest (case pending in WA), DigiPortal, and MailFrontier (resolutions unknown)
- MailBlocks actually started suing before releasing a product of their own.
- Goldman regularly responds to penis enlargement spams with his credit card number and a request to have them delivered in a plain brown paper wrapper
- So far, none of them have worked (somebody should tell him creation != enlargement)
Here is an interesting article: http://www.siliconvalley.com/mld/siliconvalley/55
Do daemons dream of electric sleep()?
vigorously enforce our rights to the fullest extent permitted by law
Enforce our rights? The whole thing sounds like /. IANAL speak. What a boob.
Never underestimate the power of fiber.
You are forgetting that spam is quickly becoming the MAJORITY of email being transferred. As you said, 1 challenge/response mail is being sent for every spam received. Challenge/response DOUBLES the number of spam, and since most spam isn't too big it's not impossible that challenge/response would double the VOLUME of traffic attributable to spam.
The thing is, each of those response messages can have an easily identifiable tag in them. This allows an ISP to see that 500 challenges have been sent to "foo@bar.com". This can automatically set off an ISP-level block of messages from "foo@bar.com" originating from host W.X.Y.Z, since they are obviously sending bulk UCE.
Also "obsolete" is not a proper term to use, at least not with the argument you're making.
Life is too short to proofread.
This is really sad, I can't find any info on Mailblocks' patents in any of the articles.
They are;
US 6,199,102 (the Cobb patent) Filed: 1997-08-26
and
US 6,112,227 (the Heiner patent) Filed: 1998-08-06
That the USPTO will grant a patent for ANY idea that exists and has existed for DECADES if you just add "on the internet" to it?
Go figure...
Corporatism != Free Market
You: Then you delete all 142,675 copies of the spam, keeping it from being downloaded 142,675 times by your customers.
That's not a challenge/response system. You're talking about a networked solution to spam where spam identified by one user is used to identify other people's spam. That's fine, but the same system can be implemented with Bayesian or pure filters without having to resort to generating C/R traffic for each spam.
Then spam decreases by 99.9% because spammers know that their messages don't get through... If spammers know that their messages will be blocked because of challenge/response mechanisms, then they will stop spamming that ISP.
On what do you base that assumption? History has shown us that every time we make it harder for spammers to get their garbage to us they respond by mangling their spam, getting around the solution, and sending MORE spam, not by reducing it.
ISPs like Earthlink recognize that keeping spam out of customers' mailboxes helps them attract more customers
Yes, but C/R is not the best way to keep spam out of customers' mailboxes for reasons that I and others have already explained here.
I run the domain anti-spam.org.
Oohh, I didn't realize I was dealing with royalty. Let me cower in my lack of knowledge because I am a commoner that doesn't run anti-spam.org. :)
I know that spam would be economically infeasible with either of the methods you describe above.
You underestimate labor costs for the first one when using teen-labor and/or folks in 3rd-world countries, and I don't understand why you think the second one would be too expensive for a spammer. If they can send a million spam they can send 100 million spam to brute-force their way through commonly-unblocked email addresses.
You ignore the fact that the receiving server could easily determine, by IP address, that the mail purporting to come from "support@microsoft.com" or "enlarge_your_penis@yahoo.com" was, instead, coming from an open relay in China. Drop that connection and the problem is gone.
You ignore the fact that that's NOT challenge/response and not what we're talking about and that same solution (which is not a bad one!) could be applied to Bayesian or traditional filters without the hassle of challenge/response and without generating MORE mail traffic (from C/R requests) in the process.
If you sharply increase the number of times that a spammer has to try to get a message through, you make spam unprofitable. While he may be making money with a .01% sales rate, he won't be making it at .001%
You seem to assume that it costs 100 times more to send 100 million emails than it does to send 1 million. I don't believe that is the case. In fact I KNOW it's not the case.
It is, in fact, an elegant solution that does not require legislation or a fundamental change to the e-mail infrastructure of the Internet.
As is Bayesian which doesn't require legislation or a fundamental change to the e-mail structure of the Internet, and which DOESN'T worsen bandwidth problems by sending out C/R requests to each spam received, and to which your other anti-spam techniques (networked deleting of identified spam and checking IP address to see if the mail is from who it supposedly is from) can also be applied.
mailblocks advertising the mailblocks service (commercial) in *every* CHALLENGE request it sends merely CAUSES MORE SPAM!
This is exactly why I didn't implement a service such as this many years ago when I came up with the idea. It adds to the problem, not fixes it.
The filing date of the Cobb Patent (US6,199,102) is 1997-08-26. (You can find a PDF of it at this site.)
If you *published* prior art before that date, do let the world know! Let us know where and when it was published, how it can be cited, where it can be found.
This is important -- but don't just say "I did it too" -- give us something that can help fight it!
I really can't wait till the various "commons" that our society houses collapse on themselves. The IP commons is one of the ones that I think will be first to go....unless the corporate bank accounts and lawyers can somehow manage to delay it ad infinitum. Another contender for First Commons to Collapse is the entertainment industry....lets see if you can figure out why.
Buy Steampunk Clothing Online!
The load increase is manageable. Challenge response would only need to happen a small percentage of the time for valid email. For spam, yes up to 1 email would be sent per spam received. I think the internet can handle that. It's not like there are going to be large attachments or anything.
Try a near-doubling of mail load. No, check that, more than doubling, in our case.
Today alone, ONE SPAMMER has added over 200 new fake return addresses and over 180 new proxies to our internal lists. With a challenge/response system, our server would have had to accept all those spam attempts (whatever their size), then generate a challenge to the invalid address, then process the bounce messages from YAHOO, AOL, and HOTMAIL for all the invalid addresses.
Assuming a spam of 10K length, over the time period the "attack" ran, that's the major portion of our T1 bandwidth... As it was, the load was only a few percentage points, because we blocked them via other means.
Challenge/response sounds great, but the spammers have already made it a pending nightmare.
- If the server is smart, it will automatically discard all bulk e-mail purporting to be from that address.
This sounds like a risk for a denial of service attack. Spammers already forge headers... The poor person who happened to have his email address forged might not only get deluded by tons of challenges... but would have to answer a lot of the challenges just to prevent their address from being black listed. Furthermore I imagine a responible time period would have to be selected before blacklisting... else you would block legitimate senders that didn't answer the challenge immediately. (Say they sent the email and then shutoff their computer for the night, etc...)
That's not a challenge/response system. You're talking about a networked solution to spam where spam identified by one user is used to identify other people's spam. That's fine, but the same system can be implemented with Bayesian or pure filters without having to resort to generating C/R traffic for each spam.
;-)
:)=
;-)
Yes, it is C/R. A challenge is issued. The challenge bounces. All e-mail from that sender is deleted. (Maybe you would issue the challenge twice spaced 30 minutes apart in case technical problems that caused the first bounce.) There is nothing stopping the ISP from issuing only a single challenge when one sender delivers mail for hundreds, thousands, or more recipients. A single response could cause all of the mail to be delivered.
On what do you base that assumption?
Economics and need for a valid return address -- the latter of which you will not find on 99.99% of spam.
History has shown us that every time we make it harder for spammers to get their garbage to us they respond by mangling their spam, getting around the solution, and sending MORE spam, not by reducing it.
But what happens when you go from "harder" to basically impossible, which is what C/R does? There have always been fairly simple ways around the earlier forms of spam filtering. C/R has no simple, low-labor, low-bandwidth, low-exposure means to circumvent it.
Yes, but C/R is not the best way to keep spam out of customers' mailboxes for reasons that I and others have already explained here.
So you know more than all of the people at Earthlink who have investigated this problem? You know more than people at MailBlocks? I could believe that, but you couldn't know more than me.
Oohh, I didn't realize I was dealing with royalty. Let me cower in my lack of knowledge because I am a commoner that doesn't run anti-spam.org.
I was only trying to show you that I am someone who has done a lot of investigation into this problem. You may rise.
You underestimate labor costs for the first one when using teen-labor and/or folks in 3rd-world countries
Any time that there is significant labor, no matter how cheap, it slows things down and the spammer is unlikely to be able to spam profitably -- even if he has a whole shop full of people in India creating Yahoo! accounts.
If they can send a million spam they can send 100 million spam to brute-force their way through commonly-unblocked email addresses.
Again, it's pretty easy to tell that "support@microsoft.com" is not going to be sending e-mail through the net.edu.cn domain, so that e-mail could be dropped without ever issuing a challenge.
Bandwidth is both time and money to spammers. Many of them have systems running 24/7 using all of their available bandwidth. While they may be able to cover the costs of their T1 bandwidth to send spam now, they won't cover the costs of the OC3 that they would need to handle the additional volume.
You seem to assume that it costs 100 times more to send 100 million emails than it does to send 1 million. I don't believe that is the case. In fact I KNOW it's not the case.
I agree. And whether it costs five times, ten times, or 50 times as much makes little difference. If the spammer is not rolling in dough now, he will be behind the curve when the costs go up substantially.
As is Bayesian which doesn't require legislation or a fundamental change to the e-mail structure of the Internet
But that costs CPU cycles and is less effective than C/R.
tone
tone
the STATE sues EarthLink !
Enough to give them money for my domains.
;-)
It's one thing to trust them to do data entry. It's another thing entirely to trust them as judge, jury, and executioner for spam violations. GoDaddy is not going to charge $7 a year for domain registration and then launch a multi-day inquiry to determine if you really spammed or if the people claiming you did are just out to get you.
And how would automated servers handle the sender verification without being bogged down? Or should my mother have to remember to whitelist companies she deals with before any server generated mail is sent?
I don't believe that Amazon.com would get 211,376 challenges just because they sent 211,376 e-mails to customers at your ISP. I think that the ISP would issue one challenge. It would be read by the customer service people at Amazon. They would respond. All automated e-mail from Amazon would then be delivered without further challenges. I also believe that ISPs will develop whitelists of trusted senders and that the quality of these lists will be instrumental in keeping customers satisfied.
I really do think that C/R can work and I really want to see if Earthlink can do it right. If they do, I think that the spam problem will start to go away. Other ISPs like Yahoo!, MSN, AOL, etc. will implement it and that will be the end.
Another advantage will be that most AOL users will be completely confused by the challenges sent to them and they will stop sending e-mails to the rest of us.
how does a challenge/response system solve anything? a spambot can answer the challenge just the same as a human would
bite my glorious golden ass.
vacation(1), Lotus Notes, Exchange, autoresponders, new mail sent to C/R system from someone that goes on vacation and the challenge gets delayed.
I leave you to figure out the implications of infinite loops.
Improper responses to the challenge address (e.g. challenge_response@yourISP.com) would be scrapped.
Bob sends e-mail to Tom before going on vacation.
Tom's ISP sends a challenge.
Bob's autoresponder sends an out-of-the-office e-mail.
It's not a proper response, so it is discarded.
No challenge would be issued. No infinite loop.
This sounds like a risk for a denial of service attack. Spammers already forge headers... The poor person who happened to have his email address forged might not only get deluded by tons of challenges...
;-)
I think that you meant "deluged."
but would have to answer a lot of the challenges just to prevent their address from being black listed.
Good point. But only a bounce would automatically blacklist the user. If he did not answer the challenges and later sent messages, he would be challenged again and could respond appropriately.
Furthermore I imagine a responible time period would have to be selected before blacklisting... else you would block legitimate senders that didn't answer the challenge immediately.
I would not blacklist a user for not responding. I'd hold their e-mail for a week or two and then discard it if no response was received. If they later sent mail to my servers, the servers would again challenge them and if they responded, deliver their message.
I would also have the blacklists expire. If you are blacklisted, you would only remain so for maybe a week to thirty days. If you sent again, you'd get another shot at responding. You don't want a situation where a spammer forges bobsmith2004@yahoo.com, gets it blacklisted, and Bob Smith, who signs up next year, finds himself with an address from which no one will accept e-mail.
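The policy argued for in the comments above (friends-list check, one challenge per unknown sender, improper replies such as vacation messages discarded without a new challenge, blacklist on bounce with expiry, hold then discard when nobody answers) can be sketched as follows. This is an added example, not code from the thread or from any product it mentions; the class, method names, token format, the 14-day hold and 30-day blacklist values, and the `auto_submitted` flag (standing in for the RFC 3834 Auto-Submitted header) are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(days=14)    # assumed value for "a week or two"
BLACKLIST_TTL = timedelta(days=30)  # assumed value for "a week to thirty days"


class ChallengeResponseGate:
    """Hypothetical ISP-side gate; every name here is illustrative."""

    def __init__(self, secret, whitelist=()):
        self.secret = secret
        self.whitelist = {a.lower() for a in whitelist}
        self.blacklist = {}   # sender -> time the listing expires
        self.held = {}        # sender -> (challenge time, [queued bodies])
        self.quarantine = []  # automated mail from unknown senders

    def _token(self, sender, issued):
        # Token is bound to the sender and the challenge time, so it cannot
        # be guessed or reused for another address.
        msg = f"{sender}|{issued.isoformat()}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def _expire(self, now):
        # Blacklist entries and unanswered holds both age out.
        self.blacklist = {s: t for s, t in self.blacklist.items() if t > now}
        self.held = {s: h for s, h in self.held.items()
                     if now - h[0] < HOLD_PERIOD}

    def receive(self, sender, body, now, auto_submitted=False):
        """Return (action, token); token is set only for 'challenge'."""
        sender = sender.lower()
        self._expire(now)
        if sender in self.whitelist:
            return "deliver", None
        if sender in self.blacklist:
            return "drop", None
        if sender in self.held:
            self.held[sender][1].append(body)
            return "hold", None  # never more than one open challenge
        if auto_submitted or not sender:
            # Vacation replies and bounces (empty return path) are never
            # challenged, which is what prevents responder loops.
            self.quarantine.append((sender, body))
            return "quarantine", None
        self.held[sender] = (now, [body])
        return "challenge", self._token(sender, now)

    def response(self, sender, token, now, auto_submitted=False):
        """Mail sent to the challenge address; returns released bodies."""
        sender = sender.lower()
        self._expire(now)
        entry = self.held.get(sender)
        if entry is None or auto_submitted:
            return []  # improper response: discarded, no new challenge
        expected = self._token(sender, entry[0]).encode()
        if not hmac.compare_digest((token or "").encode(), expected):
            return []
        self.whitelist.add(sender)
        return self.held.pop(sender)[1]

    def challenge_bounced(self, sender, now):
        """A bounced challenge blacklists the address for a limited time."""
        sender = sender.lower()
        dropped = self.held.pop(sender, (None, []))[1]
        self.blacklist[sender] = now + BLACKLIST_TTL
        return len(dropped)
```

Silence never blacklists anyone here: the held mail simply ages out and the next message from that sender draws a fresh challenge, while only a bounce creates a (temporary) block.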
Right-o, because belief in the invisible man upstairs and everywhere is going to bring us into a new golden age. Exactly what knowledge does atheism suppress? It doesn't mean you can't read the bible.
Feh indeed.
Black holes are where the Matrix raised SIGFPE
There is no patent. And if there is they are probably going to lose. All they wanted is people to click into their website. And they succeeded greatly. I wish I were them Yigal Irani
I agree that if you implement C/R and the response bounces that you could choose to assume that all the emails from that address should be deleted. But in and of itself C/R is the challenge and the response. What you do with an email deemed to be spam is separate and can be applied to any anti-spam technique, not just C/R. Perhaps when I get a spam that has a 100% Bayesian score I go out and kill all the other "same messages" for everybody else... Does that make the "go out and kill all the same messages for everybody else" part of the Bayesian technique? No, not any more than it's part of the C/R technique. It's just a question of what you do after you've decided you've identified spam.
There is nothing stopping the ISP from issuing only a single challenge when one sender delivers mail for hundreds, thousands, or more recipients. A single response could cause all of the mail to be delivered.
What? Are you suggesting that when one sender (spammer) delivers mail for hundreds or thousands of recipients instead of issuing hundreds or thousands of C/Rs you issue only a few, and if a few are responded to you let the mail through to all hundred or thousand emails? Now THAT would definitely be vulnerable to spammers since they could just answer a few of the C/Rs and be happy knowing that was all it took to get their spam to the other hundreds or thousands of emails.
Or perhaps I misunderstood you there...
Economics and need for a valid return address -- the latter of which you will not find on 99.99% of spam.
I'd submit the economics are not a problem since you can send more mail for little extra cost. As for a valid return address, it's not hard to open up some accounts at Yahoo that are valid and can receive replies. Sure, they'll get shut down sooner or later but you've already received and answered quite a few C/Rs before that happens--and even once the account is shut down you can send spam with that forged email address without Yahoo's help (unless you implement the other feature you were talking about regarding dumping email based on IP != professed sender's host). Even this feature is not necessarily workable because it IS possible (granted, not so common) that people use Yahoo via POP3 and send email with @yahoo.com addresses that don't necessarily go through Yahoo's outbound server.
There have always been fairly simple ways around the earlier forms of spam filtering. C/R has no simple, low-labor, low-bandwidth, low-exposure means to circumvent it.
If they go for the "send the email 100 times using 100 different commonly-unlocked email addresses" solution then it's still low-labor. Bandwidth has never seemed to be a problem for spammers, neither has level of exposure.
Plus, if they DO find a way around a given C/R system, they'll be able to spam all the people that are protected by that system. With Bayesian there's really no way to get around it since getting around a Bayesian filter requires knowing what the "innocent" words are for a given user, and they're just not going to know it. If they happen to guess a couple that doesn't automatically mean all the users using Bayesian are going to become victims as well.
Plus Bayesian is better in the sense that the spammer doesn't know what he's up against. With C/R, he knows that there is a challenge and he CAN deliver the spam if he wants to take the time. With Bayesian, he has to assume his message got through--there's no indication that it didn't. His response rate just drops through the floor and it's not going to be obvious why, or what the spammer has to do to get response rates back up.
So you know more than all of the people at Earthlink who have investigated this problem? You know more than people at MailBlocks?
I would hope that is not the case. But I've seen article after article in the mainstream press abou
This could be done without the hassle of C/R, though. If you see 500 messages coming from a certain IP address then you could just assume that it's all spam. This same technique can be applied to any anti-spam technique without having to implement the C/R portion.
Yes, there are ways to reduce the damage C/R can do and the volume of mail it creates. But, again, why do we need a solution that creates MORE mail and has to have special logic for damage control when that same logic would be applied just as well to other anti-spam techniques that don't require the generation of the C/R requests?
Also "obsolete" is not a proper term to use, at least not with the argument you're making.
When there are easier-to-use anti-spam techniques that achieve an extremely high level of success without adding any hassle to senders and without generating more email traffic in the process, yes, I think a system that requires a sender to go through hoops (even if only once) to get their message delivered and that has the potential of generating quite a bit more mail traffic is obsolete. It is obsolete in the sense that there are simpler, less bandwidth-intensive and more user-friendly ways to achieve the goal of keeping spam out of the inbox.
Mailblocks acquired two patents for challenge-response, which were granted in 2000 and 2001, respectively.
I've been a Spamcop member for at least three years now (oldest spamcop mail I have is Nov 1999). Spamcop has (did have?) a challenge response system back in the early days. Not sure if it's still available (I've set my filtering to always block a long time ago). But I'm sure that Spamcop's challenge response system predates Mailblocks'.
-- Spammers: My E-mail server is in California. Consider yourself warned.
What? Are you suggesting that when one sender (spammer) delivers mail for hundreds or thousands of recipients instead of issuing hundreds or thousands of C/Rs you issue only a few, and if a few are responded to you let the mail through to all hundred or thousand emails? Now THAT would definitely be vulnerable to spammers since they could just answer a few of the C/Rs and be happy knowing that was all it took to get their spam to the other hundreds or thousands of emails.
I really should have been more clear. I meant that they only need to send one challenge if it bounces. After that, the messages can all be considered trash.
I'd submit the economics are not a problem since you can send more mail for little extra cost.
That's something that needs to be quantified. Many spammers are saturating outbound connections already. I know it's not cheap for me to quadruple my bandwidth and I don't think it is for them, either.
I agree that's a good idea--but I again stress that that isn't in itself C/R. That same technique can be applied to any spam filtering technique to make it even better.
Within limits. You can't assume that the sender domain and the address domain will match (as you know) unless it is a major corporation like Microsoft, IBM, etc. That's where one needs some tuned whitelisting.
But from what I understand the bigtime spammers aren't right on the edge, they're buying big houses and earning more money than I am...
They may be getting more money than you or I, but they are not earning it.
Bayesian is extremely effective, doesn't cause a hassle for the sender, requires very little effort on the part of the receiver once it starts getting "tuned", doesn't generate a swarm of C/R requests, and doesn't announce to the spammer what kind of system is in place to block his spam...
But can it be implemented at the ISP level? Every implementation I have seen has been at the client level, partially because it needs to learn what you, personally, consider spam. I may have signed up for a get-out-of-debt list server that delivers messages that you would consider spam. If it's at the ISP level, the accuracy will probably be unacceptable.
If the user must abandon their current e-mail client in order to use Bayesian filtering, then it is not low-hassle. If the user has to install software to perform the Bayesian filtering, it's not low hassle. If the user has to train the Bayesian filtering, it's not low-hassle -- and you will find that most will not do it or understand why they should.
One big problem with Bayesian filtering is that the end-user has to download the entire message and then, and only then, determine if it is spam. Another problem is that spammers will be able to rely on less than 100% client-side participation. There will be a large subset of users who just accept all e-mail, many even welcoming the spam and clicking on the links. If it is blocked by C/R or some other means before getting to the user, the ISP saves bandwidth, CPU cycles, storage, and admin costs.
They patented the obvious ways to defeat their copy protection scheme, right?
I agree. But the point is that I think they have a profit margin high enough that they can take some pretty big hits and still be GETTING enough money to keep spamming.
Me: Bayesian is extremely effective
You: But can it be implemented at the ISP level? Every implementation I have seen has been at the client level, partially because it needs to learn what you, personally, consider spam. I may have signed up for a get-out-of-debt list server that delivers messages that you would consider spam. If it's at the ISP level, the accuracy will probably be unacceptable.
It absolutely can be done at the ISP level. That's where it SHOULD be done. But on a user basis.
Check out the site in my signature. It's a service, but it could just as easily be implemented on any given ISP. The Bayesian filtering takes place at the ISP level so the user doesn't even have to download the spam. Retained emails are visible on a website and if there's a false positive by all means tag it for downloading. If any spam gets through, there's a link in the headers you click on to report that message as spam so the ISP can update your Bayesian corpus.
Bayesian *should* take place at the ISP level, but it should be done on a user-by-user basis since that's the only way Bayesian can work.
If the user must abandon their current e-mail client in order to use Bayesian filtering then it is not low-hassle.
Not necessary. Again, see site below--you just point your POP3 client to the site. Or if the ISP implemented it you wouldn't even have to point your client to another server at all.
If the user has to install software to perform the Bayesian filtering, it's not low hassle.
Again, see site below. Just point your POP3 client at the site and you're done. Nothing to install.
If the user has to train the Bayesian filtering, it's not low-hassle -- and you will find that most will not do it or understand why they should.
This is the one weakness to Bayesian, and I see three solutions that would be great to see implemented: 1) Site below also has traditional filters which will catch 85-90% of spam. With normal filters enabled the Bayesian filter will largely train itself. 2) While a user's Bayesian corpus is small, a generic could be used which represents the best and worst of email. This could help supplement the traditional filters until the user's personal Bayesian corpus grows. 3) There should be an RFC for reporting spam to any given server, defaulting to the POP3 server. It could be as simple as opening the connection, giving a username, password, and message ID#. But there should be a standard way for all email clients to report spam to whatever spam-filtering service or procedure is being utilized.
The training of a Bayesian filter is the ONLY downside, but it only lasts for a little while. I have largely trained my Bayesian filter and even though I've received nearly a thousand spam in the last week, not a single one has gotten by--and no false positives. So an ounce of effort at the beginning with Bayesian can pretty much eliminate the spam problem for any given user.
One big problem with Bayesian filtering is that the end-user has to download the entire message and then, and only then, determine if it is spam.
Again, see below. The site below does the filtering and only good email is downloaded to the client. If an ISP implements it, that's how it should be implemented as well. If a user has to waste time downloading it before any given filter works then the solution is largely useless.
Another problem is that spammers will be able to rely on less than 100% client-side participation.
I doubt *any* given spam solution is going to achieve 100% client-side participation. In fact, to tell you the truth, I'd just assume that everyone NOT use Bayesian. While Bayesian filters remain in t
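An added example, not part of the original thread or of any service mentioned in it: a minimal server-side filter that keeps one Bayesian corpus per user and leans on a shared generic corpus until a user's own reports accumulate, as the comment above proposes. The class names, the `FULL_TRUST` threshold, the equal class priors and the sample messages are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

def tokens(text):
    return set(re.findall(r"[a-z0-9$']+", text.lower()))

class Corpus:
    """Per-message token counts for one mailbox, or for the shared generic corpus."""
    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}   # keyed by is_spam
        self.msgs = {True: 0, False: 0}

    def train(self, text, is_spam):
        self.counts[is_spam].update(tokens(text))
        self.msgs[is_spam] += 1

    def llr(self, tok):
        """Laplace-smoothed log-likelihood ratio; unseen tokens are neutral."""
        s, h = self.counts[True][tok], self.counts[False][tok]
        if s + h == 0:
            return 0.0
        return math.log(((s + 1) / (self.msgs[True] + 2)) /
                        ((h + 1) / (self.msgs[False] + 2)))

class ServerFilter:
    FULL_TRUST = 4   # assumed: personal reports needed before the generic corpus is ignored

    def __init__(self, generic):
        self.generic, self.users = generic, {}

    def report(self, user, text, is_spam):
        """What a 'report as spam' link or a 'tag for download' action would call."""
        self.users.setdefault(user, Corpus()).train(text, is_spam)

    def spam_probability(self, user, text):
        personal = self.users.get(user, Corpus())
        w = min(1.0, sum(personal.msgs.values()) / self.FULL_TRUST)
        odds = sum(w * personal.llr(t) + (1 - w) * self.generic.llr(t)
                   for t in tokens(text))
        return 1 / (1 + math.exp(-max(-50.0, min(50.0, odds))))

def build_demo():
    """Constructed sample mail: bob is untrained, alice subscribes to a debt list."""
    generic = Corpus()
    for m in ("get out of debt now cheap pills", "free offer get out of debt fast"):
        generic.train(m, True)
    for m in ("meeting agenda attached for monday", "lunch on friday"):
        generic.train(m, False)
    f = ServerFilter(generic)
    for i in range(4):
        f.report("alice", f"get out of debt newsletter issue {i}", False)
    f.report("carol", "get out of debt newsletter issue 0", False)
    return f
```

The same message scores as spam for an untrained mailbox and as wanted mail for the user who has reported that list as legitimate, which is why the corpus has to be kept per user even when the filtering runs on the server.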
Kinda like US gun-control ain't it? The government is saying "You have no right to protect yourself from violent crimes, because we don't trust you with guns." Even people who shoot in self-defense tend to be brought up on all sorts of charges that you wouldn't get stuck with if it was your intent to go commit a crime the whole time (way to go Legal System, reward them criminals!).
As a side note, something has been rotten in the state of our legal system for a very long time now...
- I love animals. I try to eat at least one a day.
Try putting in the ASCII equivalent to the plus sign preceded by a percent sign. I only have the space character memorized, so I will use it as an example.
draino%20something1234@mailblocks.com
I can't afford a sig!
And then all the spammers have to do is send mail with headers forged to make it look like it came from "the big guys". They're already doing this, actually.
The whitelist could be IP address list based (e.g., amazon's IP range would be whitelisted rather than Amazon's domain name). Also, the threat of tangling with, say, Amazon.com's attorneys would make most spammers hesitate to forge "customerservice@amazon.com".
IP address based just means they'll forge the headers to show the IP address. Unless you mean you're going to configure your MX to only accept mail from the IPs on your whitelist, which would turn into a supreme pain in the ass.
As for "amazon.com's attorney"... er, something makes me wonder how much you've actually dealt with fighting spam. They've been forging those kinds of headers for years. They couldn't care less (spammers or amazon).
The most important problem with whitelist systems is that the whitelists themselves become a commodity. People who are now selling their internal distribution lists on the sly will start selling their company whitelists as well. Have a business partner you *always* accept mail from? Expect more and more of your spam to look like it's coming from that domain. Spammers are already doing it. On the individual level they're crawling for "good" mail routes into given mail boxes along with the mail addresses for those boxes; e.g., if they find foo@bar.com in a mailing list archive on the web, they'll also note that that person probably accepts mail from that mailing list, and forge their spam to that person accordingly.
Whitelists were routed around by spammers and obsoleted within weeks of becoming a fad. Adaptive content-based filters are the only thing that stands a chance in the long term.
> since sending someone email automatically adds them to your whitelist.
Oh, so you like their products so much that you not only use their mailreader,
but also their newsreader, their sms-to-email gateway, their home surveillance
system with email alarm, and even their internet-enabled fridge.
The brits are so funny.
and smart, stylish, modest, really great in fact.
Why did we accept them in the EU,
because we are just great, that's why we are called the Great British!
For instance, it has probably already whitelisted the IP addresses of sourceforge.net, yahoogroups.com, and other popular discussion list service providers.
Then it definitely sucks, 'cause I used to get all kinds of spam from Yahoogroups. Since you can create an account for free, create all the lists you want, add people without confirmation, and then let Yahoo foot the bill for your sending, it's a spammer magnet despite their "we'll delete the abused account that never would have been used again anyway" policy.
The reply comes as a new mail, necessitating another challenge.
On the other hand, maybe this will finally get Microsoft and IBM to fix their crappy clients.
I can throw myself at the ground, and miss.
I was looking for the actual patent #s (Patent 6,112,227 (Heiner) and Patent No. 6,199,102 (Cobb), as per an internet news story).
When I tried to return there via the mailblocks press page, all the links pointed back to mailblocks.
Looks to me like they are trying to hide those patent numbers. But it could just be a bug in their web site.
---