Slashdot Mirror
Microsoft Researching Anti-Spam Technique
Tim C writes "Microsoft's Research group are working on a technique to combat spam. Dubbed the 'Penny Black project', it involves making email senders perform a computation taking around 10 seconds, which their recipients can then check for. This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years." We've reported on this before.
How do you "make" senders do anything?
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
Well actually yeah they did. At Crypto'03 a method for memory bound HC was presented.
So while MSFT didn't invent the original HashCash concept MSFT did improve upon it. So before anyone gets the bright idea of flaming MSFT ignorantly.... know your facts!
Tom
Someday, I'll have a real sig.
Typical. Delay the time it takes to send an email to make email less profitable. Ever notice that whenever Microsoft says, "1 minute remaining" you end up waiting for about three?
This is not a solution... as *I* still have to check for something on my end, and then discard if that condition is not met... my bandwidth and time are still wasted.
---
Programming is like sex... Make one mistake and support it the rest of your life.
Comment removed based on user account deletion
Is it something that will require using Outlook on Windows to work? Alternatively, will I be force to use some MS software just to send mail to people who are using MS based web/mail/etc client/server programs?
The law of excluded middle : Either I'm foo or I'm foobar
We studied this in a computer security course I took. This technique has been proposed to TCP establishment as well. It involves the server calculating a hash of a particular nonce (random value). The server then provides the hash and a certain number of bits of the nonce. It becomes the clients job to complete the nonce such that the value hashes out correctly. The server can vary the number of bits it provides to vary the difficulty of the puzzle...
"The payment is not made in the currency of money, but in the memory and the computer power required to work out cryptographic puzzles. "
Phew!!! For a second there I thought I was going to have to do a math problem for each email I was going to send. I woulda been fucked!
Buy Steampunk Clothing Online!
...and I'm sure all the spammers in countries I've never heard of with .xyz top-level domains would be happy to use their $0.28 copies of the latest and greatest Microsoft OS to comply.
The spammers will find a way to automate it. Or, they'd take advantage of an Outlook bug to spam via other messages. An infected client could send out spam with every regular message you send! Perhaps they can just use an MS backdoor that lets any messages from billg@microsoft.com through.
I know, I think microsoft should charge the customer for each and every message that is routed through a exchange server. Just think of the money they could make and help curb spam.
Got Code?
close Hotmail
Can't we get any laws so any spam asshole gets publically humilated/executed for their crime? I don't see why microsoft has to work around with this (and there is always being an alterior motive to their actions), shouldn't the governments just kill these assholes so we don't have to worry about spam? Take care of the problem at it's root : the spammers.
Problem is, if it takes 10 seconds on a modern computer, it takes three minutes for Aunt Edna to send you photos of her dog, and a distributed spamming network will still churn out spam. I think real cash is the only cost that makes sense if you want to go that route.
Even today, the most annoying spammers are not using their own computers, but insteady they are bouncing e-mail off virus infected and trojaned PCs.
So 8,000 emails / day is fine, if you have a couple thousands relays to pick from.
---- join dshield.org Distributed Intrusion Detec
Glad the guy from MessageLabs hit the nail on the head right away... what are the chances Microsoft will go along with THAT idea? They'll implement this as an Exchange/Outlook only feature, if they can get away with it...
And, a poster above me states that Microsoft basically invented this, giving me reason to believe there is no reason why they couldn't get away with keeping it all to themselves.
And (getting WAY ahead of myself here, but...) since it's encryption oriented, it would most likely be against the DMCA by default to even attempt to reverse engineer, and provide an open and compatible alternative...
Sig.i>
Count on Microsoft's "cure" to be worse than the disease itself. You would think for $40 billion they could buy just a little more intelligence than that.
SMTP needs to be redesigned. Not by Microsoft, who will use any change in the protocol to tighten their monopoly grip, locking in their customers (and locking out the non-Microsoft world), but by the IETF.
Spammers having to do a computation before delivering email isn't going to limit them to 8000 pieces of mail a day, it simply means they're going to cluster all of those Windoze boxes their custom worms have infected, and let those millions of PCs do the work for them in parallel. SPAM won't decrease one bit, but the load and toll it places on those who use the net will go up significantly.
The solution isn't to increase the cost of email (computationally, bandwidth-wise, or financial), the solution is to repair the design flaws in SMTP (and, for that matter, USENET, something that remains the most useful medium on the 'net despite its widespread abuse) that make SPAM a viable methodology.
The Future of Human Evolution: Autonomy
so, mr spammer with his swarm of zombie WinP4s will have to up the number of machines, while i'm still on my 486 linux machine...
is that 10 seconds p4 3Ghz time, or 10 seconds 486 66/2Mhz time?
and if it depends on the sending computer, how hard will it be to get the sending machine to lie, and clame to be a 8080 10Khz?
In a completely unrelated press release, Microsoft announced that they plan to sell processor time in quantities of thousand years, beginning march 1st...
Making e-mails "expensive" to send is stupid. There are many ways to fight spam effectively without doing that.
We could start by adding sender e-mail address verification to smtp - the recipient looks up the e-mail address's MX record, and asks if that specific e-mail was sent from that mail server. If not, it's probably spam.
The more server that implement this scheme, the more points will be given to those e-mails (by spamassassin etc.) that do not have this sender verification set up. Within a year or two, all serious mail providers, companies etc. will have sender address verification.
Combined with law enforcement, blacklists etc., this can become extremely effective.
Dybdahl
We'll be do Microsoft's math for them
Browse at -1, because trolls are often the most creative part of
How is my older hardware (or even pretty recent hardware on a huge ISP, with lots of SMTP activity) supposed to be able to handle this? Bah. It seems to me that adding computational difficulty is not such a great way to combat spam. Do you have any idea how effective IP blocklists and statistical filters alone are? (Or, you could combine them as this project is doings).
If this works as stated, then I can see issues.. For instance, large mailing lists. Would they have to be white-listed? 3000 seconds of computation is a heavy tax on a community based program like the Linux Kernel Mailing List, which averages 300 messages to my inbox a day. Also, there's the issue of viral spammers.. Those that send out viruses to do the spamming for them. If you infect enough, 8000 mails per day per computer can still be quite a bit.
Personally, my whole take on spam is that everything needs to be done on the user end. Laws have loopholes in every situation (foreign spammers being a large one,) server restrictions are either too restrictive on small servers, or can be defeated with distributed computing.. I say we stick with Bayesian filtering. It works _wonders_ for me, and I'd love to see more people use it.
This statement is false.
I don't want spammers to pay to have the right to send spam... I want them to stop sending spam!!
I seriously don't think this will work as (a) spammer won't use Microsoft products to send their wares or (b) because they will find a way to crack the security of this system (I mean, come on, this is Microsoft we are talking about here!).
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
This sounds almost exactly what Checkpoint implemented for IKE DOS prevention. When the client sends a request to the server, the server in turn returns a cookie like algarithm that must be decoded by the client before the server will accept the next request. Or at least thats how it was explained at a CP convention.
The technique seems to work and could be easy standardized I would think.
If they build this into Outlook, a spammer using Windows will just switch to another e-mail program.
If they build this into Exchange Servers, will it comply with e-mail standards so that my co-workers will still get e-mail I send from my Linux box at home, or will it lock out e-mails sent from any non-Microsoft box?
If so then this is another example of closed source/proprietary technology being created in opposition to already existing standards.
Comment removed based on user account deletion
1) Needs to work between MTAs. Your Exchange server might trust the Outlook client, but my exim server doesn't trust your Exchange server. Be prepared to pay again.
2) No-one discovers a mathematical short cut for the hash.
3) What are the calculation costs on the recipient?
4) The Intel "Spammer Edition" Pentium 5 with a half gig of L1 cache. Memory bandwidth is no longer a bottleneck.
--
E_NOSIG
Microsoft Research is no different from other industrial research labs: IBM, Bell Labs, etc. They hire the same kinds of people and get the same kinds of inventions out of them. One can't expect any more or less from any big company with a lot of money to spend. However, so far, MSR has not had much positive impact when it comes to driving innovation into the marketplace.
If Penny Black is all there is, it doesn't look like that's going to change. It will probably be decades before we know whether MSR will have had lasting impact. By that time, Microsoft will probably be a benign, lumbering giant, just like its monopolistic predecessors, AT&T and IBM.
My group alone generates hundreds of e-mails to people outside our domain every day. I'm sure they whole company easily exceeds the 8000 mark mentioned here.
Expect spam advertising e-mail accelerators.
Send email in just 1 second not 10. Get email accelerator pro today.
I wrote to abuse@msn.com about an ongoing spam stream from 241272@msn.com.
The fact that this account is a string of numbers should tell MSN something. The fact that 5 million e-mails per day come from one account should also be a clue. MSN is a spam factory, the best spam solution would be to blacklist msn.com
I still recieve spam from 241272@msn.com
(Yes it gets filtered and deleted)
I am the unwilling control for my Origin.
I think real cash is the only cost that makes sense
Then how many spammers have you taken to court so YOU get some of thier money?
What about mailing lists? Until we recently upgraded, we were doing reasonably OK with a Axil 320(Sun Sparc clone. No, not an UltraSparc, a sparc. Yes, that slow) for about 3,000 subscribers. One of our lists was at least 30-40 messages a day.
Ten seconds of P4 3ghz time is about....half a year for a 110mhz microsparc ;-)
We've since upgraded- but I can tell you right now that anyone who tries to make us leap through these hoops will simply find themselves removed by Mailman for bouncing. Like those challenge-response things. Etc.
Please help metamoderate.
Why do you say it's only good for exchange server? It could be implemented on anything just as easily.
Sig is taking a break!
I searched the article for Mozilla and Thunderbird, but Firebird reported the words were not found.
:)
Hummm...doesn't look like Microsoft is really serious.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
This is just a fancy way of saying "Microsoft is trying to figure out how to turn off Hotmail"
THIS GUY TOTALLY TOOK THE PARENT, RIPPED HIS ARMS OFF, AND PISSED ALL OVER HIS STUBS.
I GOT HARD THE MINUTE I READ THIS POST!!!!!
Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
This is an interesting idea -- I don't know how it works in a world where some people are running 133 Mhz computers and others are up at 3Ghz. But it's interesting.
I think that any postage scheme should be hybridized with a white list to avoid imposing burdens on people you want to talk to. The postage (economic or computational) should only apply to people who you don't know.
In other words, if I know you, you should be able to email me for free, but if I don't know you, it should cost something -- not much, but something.
With a hybrid system, most of the problems I would have with having to pay some small amount of real money evaporate.
People could pick charities -- if you want to email me and I don't know you, you have to give a nickel to the salvation army, or whatever. Or maybe just a tenth of a penny. Whatever number makes sense.
The idea was originally formulated to use CPU memory cycles by team member Cynthia Dwork in 1992.
;)
But they soon realised it was better to use memory latency - the time it takes for the computer's processor to get information from its memory chip - than CPU power.
Don't GPU's have a lot smaller memory latency?
hmm, whats this?
BrookGPU: General Purpose Programming on GPUs
Would this technology be applied to microsoft products and services only, or would it be pushed down everyones throats in true microsoft style??
Microsoft is putting this in the mail client? Why not put it in the mail server? Either way, this isn't going to combat spam. Spammers will simply not use Microsoft mail programs.
Ouch! The truth hurts!
RTFA
If it takes a long time to send out bulk email, what about all the mailinglists people subscribe to? How would lkml or sourceforge lists continue to operate?
I am a viral sig. Please help me spread.
Microsoft should implement an smarter method, such as a replica of SpamBayes , which works already well.
Every wrong attempt discarded is a step forward - T. Edison
Have you ever tried to send an e-mail using outlook through a m$ exchanger?? ... it may take several minutes to get out!!!! = )
WTF am I doing replying to an AC at 5 A.M on a Friday night?
It's an attack on Open Source development. If SourceForge was limited to that few emails a day it would kill many projects run by mailing lists. Worse, think about LKML - it would take years for the latest BK patches to be distributed via email. Wait, maybe this is Larry McVoy's subterfuge and not Microsoft's...or they're in cahoots...after all, they're both on the dark side (i.e., non-open or closed) of the source.
I was just wondering (and I hate to play the Devil's Advocate but ....) what it would take to spawn multiple independent processes on one computer each running its own email client ... I know something like this should be easy with *nix ...
The nub of using memory is that it is question of "time." You can't fit "generated time" serially as the day is only 24 hours, but you can fit the "generated time" by putting it in parallel to fit within 24 hours with multiple processes ... and the parallel processes ONLY have to run the lightweight email client and nothing much else.
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
Please, sir, before you post your outsourced retard punjab here, please read the article.
PARENT IS SPAMMER
Parent IS a spammer.
MS Research labs made an antispam technique in 97, no one cared about spam so they put it in storage. I heard that the technique was encorporated in Outlook 2003.
Anyway, MS is trying to find a blanket solution to spam. There is none. Blacklists do more harm than good. Not to mention IPs can be spoofed. Spammers could start using bush@whitehouse.gov is they wanted to and spoof the IP to make it look like it is from him.
The best way to limit spam would be to have every router, switch and hub in the world check to see if packets coming from an IP block have IPs from that IP block. That way the origin can't be spoofed.
While this seems useful at first glance (at least open relays would stop working), how does your technique address these issues:
1. Clueless admins (of windows or *nix servers) who refuse to use SA or similar? These are the same who leave the mail servers as open relays in the first place.
2. People who use their own SMTP server
Sure, go ahead and say that you can add reverse domain lookups. But registering a domain is quite cheap these days ($4.95 a year) and point the NS to your machine, set up MX records, and you're on your way.
Your solution is useful, but not comprehnsive. I doubt there is a comprehensive solution short of making the spammers incapable of accessing the internet.
--
Clueless People? Everywhere I look, I see them. And some of them, they WORK here!
US is now divided as the "Red" and "blue" states. Red States = communist countries. Coincidence? I think not
What a swell idea. Instead of it taking 5 minutes for me to download all that spam, it will now take me 50 minutes. Yay Microsoft! Innovating new ways of wasting my time.
This is my sig. There are many like it but this one is mine.
This seems to be a "let's fix this by limiting what technology can do" case.
Instead, they should focus on adding more functionality to the smtp protocol. For instance, they could add sender e-mail address verification. You can't check the actual e-mail address, but you can make a "dial-back" TCP connection to check, if the e-mail is known by the mail-server that belongs to the sender e-mail address.
Combined with law enforcement, blacklists etc., this is extremely effective.
Rework email so that it can be secure,authenticated like Paypal's system. If your email isn't registered with the mail servers(false email origins) then it wont even be sent clogging the networks. Email is the perfect medium for criminals & garbage businesses. It has zero authentification and is low cost. Maybe the government will also 'strengthen' the current donotcall list. have faith. The gov can do good things.
I don't know what they did to Hotmail recently, other than the facelift, but is seemes to have helped reduce the amount of spam. I'm sure it could, at least partially, be attributed to the "Report Junk Mail" feature that they've added, which, supposedly, is used by MS to improve the quality of their junk mail filters.
The question that always comes to mind when people propose spam relieving solutions is how do you expect to implement it? It's not like you can just flip a switch and all of the sudden every email server and client out there understands the new routine. It would take years to roll out something that changes the current implementation of email. And what do you think everybody is going to do in the mean time? Ignore the new method so they don't loose important email from someone who hasn't "upgraded" their MTA. Rendering the new method useless.
Let's not even get into the hardware costs for anybody who actually legitimately sends more than 8000 emails per day. Large ISPs or mailing lists come to mind, now all of them are expected to spend more money just because you want less spam? I don't see that happening.
Which F.A. should I read? the /. FA or the BBC FA? I already read the BBC FA (and I'm not new here)
/. quotes from the BBC, which just says that the user be forced to do some sort of (crypto?) computation; but it does *not* suggest that the server use an SA like system to auto-reject spam.
Because the
--
I RTFA and all I got was this lousy post!
US is now divided as the "Red" and "blue" states. Red States = communist countries. Coincidence? I think not
This will only drive the spammers to hijack machines to carry out the calculations. Moreover, if I send a single e-mail I have to throw a cpu minute at it?
I don't want to wait ten minutes to send an email! Don't inconvenience everybody just because of a handful of criminals!
There are LOTS better ways to check for this, like for instance, see if the attachment is a Trojan? THAT would be nice and eliminate most of the Spam right there!
I do NOT consider it a violation of my privacy to not get a virus! I expect no privacy in un-encrypted emails anyway!
ALSO - might they not notice that something is funny about someone sending 100,000 emails? Hmm?
All with VIAGRA or PENIS in the title?
Stopping Spam is EASY if they just get a grip! No need for any stupid protocols at all!
It's Christmas everyday with BitTorrent.
So, if I have a mailing list about government secrecy or some such, I will have an artificial scarcity imposed upon me with regard to how much free speech I can have per day?
This is the problem with the economic approach to controlling spam. It is impossible to do that without restricting free speech.
who are those slashdot people? they swept over like Mongol-Tartars.
The real problem with spam is that it is starting to clog the net. Sure, the available bandwidth goes up every year, but the spam-bots multiply even faster. If a spammer needs to send out 1M messages to get a hit now, and filtering requires him to send 1B to get a hit next year, do you think he'll stop spamming? No, he'll get 1000 more cracked home PCs and send that 1B messages. And 1T messages the next year, etc.
Spam must be stopped at the source, or it just keeps growing.
So this would have the effect of making legitimate high-volume, high-subscribership mailing lists expensive to operate (unless subscribers configured their MTAs to accept "unstamped" messages from the list, which is annoying and error-prone -- and has an obvious "workaround" for the spammers).
<tinfoilhat mode="on">Ha! Now we see Microsoft's *real* goal... to slow Linux development by shutting down the kernel mailing list!</tinfoilhat>
Seriously, though, any attempt to make e-mail expensive hampers those who have a legitimate need to send lots of e-mail.
Plus, there are obvious workarounds that will be developed in short order. A hardware stamp-generator could probably cut the stamp generation time to practically nothing, particularly since their approach somehow depends on memory/CPU latencies rather than processing time. You might be able to make a much faster stamp generator by running it on your graphics card, and custom-built hardware could certainly do it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
..."they were hoping you wouldn't bring up that particular problem"...
Typical microsoft...come up with a "brilliant" solution that can be solved with 10 seconds of critical thought.
Mr Wobber and his group calculated that if there are 80,000 seconds in a day, a computational "price" of a 10-second levy would mean spammers would only be able to send about 8,000 messages a day, at most.
That's nice to hear, but will it work on Earth, too? Are they going to increase the rotational speed of our planet?
This idea has been around for more than 10 years. There are a bunch of research papers and patents on it. The big stopper is that these kind of systems can only work is ALL mail clients implement it. Although if MS actually implements it, all the others would have to follow, or else it would become impossible to sent non-spammed-tagged mail from a non-MS mailer to an MS mailer... So... maybe ...
Truly a waste of CPU time, more than anything else.
I like the very short comment that it would have to be based on Open Standards. Yeah, right. Microsoft? Don't make me laugh! I would rather trust the Government than Microsoft.
All that aside. I think it would be a serious waste of time if they didn't come up with anything useful out of all these CPU cycles. Imagine what would happen to SETI@HOME if they were able to get 20 seconds of CPU computation for each email sent?
You would have to assume that you could afford to keep each connection open during this 10-20 second pause in computation. That means that you are not only limited to how many emails you can send at any one time, but how many connections you can manage. For a high population corporate server, this would be too much.
But it's still mostly free to send spam. With the CPU doing all the work and the email getting delivered eventually, it really won't stop spam getting delivered. Just increase the cost a little bit, if any.
And how would it affect the spammers who send email through virus infected zombie computers? The spammer could unload their spam onto the 150,000 zombied computers that they own and let them manage the 8,000 emails per day, giving them an effective throughput of still well over millions per day.
If Microsoft had some security on their system, then then might be able to actually limit the spam in the world.
Just jump on that instead, I'm convinced it could be done in a year or two; a truly secure, authenticated protocol for sending mail across the Internet, that's still free and open, but also accountable.
Luck favors the prepared, darling.
IBM defending linux from SCO..Microsoft stopping spam..
However, since there are 86,400 seconds in a day, the 10-second levy would mean spammers could send 1 billion messages a day.
I'm New Here
I like the idea, but unless EVERYONE who sends you legitimate email upgrades their servers to handle this, you'll still have the spam problem. If you make exceptions for non-upgraded legit email, then the spammers will adapt to those exceptions.
Also, from the article, there isn't any mention of how a 10 second delay would be handled by the receiving server. Without understanding that, this process would turn become an instant DoS attack. How many 10 second connections can your server keep open while the calculations are done?
Handling the spam problem will be a bit complicated and take a few years of upgrading the infra-structure.
Bad idea. It will just result in spammers taking over even more zombies to spam.
so, everyone who drives has to get a license first (done)
now there are no accidents right?
and if there are, just sue? you must be an american, so what if someone steals your vehicle? Even locked, are you responsible? After all, people do still steal cars in your utopia in the future, right?
Before you chuck the entire protocol, do you have a solution for a better one?
Until you know how you're going to repair the problem, let's not get too excited about scrapping a protocol that still has a lot of flexibility. I've learned a lot about SMTP in the last few months, if there was universal agreeement as to WHAT to do, we could probably accomplish it in place.
What are the options? Whitelists, blacklists, red lists, gray lists, hash cash, filters, etc. No one can agree HOW to combat the problem. A new protocol would accomplish nothing without a planned solution that makes palpable the limitations of SMTP. Til then, let's not get hasty about blowing it off.
Ok, I'll bite - why not just insert a "sleep (10);" line into the connection response of sendmail (or qmail, or whatever MTA you are using)? By making the sender wait 10 seconds before delivery can begin, you get the same effect as a tar-pit...
Ron Gage - Westland, MI
The programmer who works next to me used to be a construction worker. Every so often, I come up for an idea for some kind of home project, explain it to him, and he tells me a way to accomplish it that is much simpler and more reliable.
This MS solution is almost a caricature of one of my own over-done home improvement ideas. Why bother with some elaborate cryptographic system to delay inbound emails? Why not just have the receiving SMTP process call sleep(10) at the beginning of the SMTP session? You get the same desired slowdown, and all you have to change is the SMTP server software. There's no need to modify MTAs, promulgate new standards, or fit yourself more tightly into the MS monopoly noose.
Proud member of the Weirdo-American community.
This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years. From one computer, if I understood correctly. Quite worthless, considering recent Security Focus spam column.
SOMEBODY DOESNT KNOW HOW ANONYMOUS COWARD WORKS!!!!!1
NICE JOB , DIPSHIT!
hahahahahahah
You eat cock.
Kobe Bryant was 9/26, that's not very good.
So this would have the effect of making legitimate high-volume, high-subscribership mailing lists expensive to operate
Well, maybe. There still could be a white list for cases like this.
I think that high volume mailing lists should probably actually be newsgroups anyway. But what it does do is put a crimp in people who host a lot of low volume mailing lists.
Stop the presses! Microsoft has found a way to slow down email! This is news? ;-)
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
...would be to simply perform a Netcraft-like fingerprint of the incoming TCP port 25 connection request, and it it detects a Windows TCP/IP stack at the sending end, just simply close the port and refuse the connection. That'd stop a *lot* of spam.
there is no way to impose a reflexive server penalty under the SMTP protocol. Should SMTP change, most likely the imposed penalty will hit open relays, not the spammer's smtp factory.
So why bother with all the computation and hashing, and just refuse to accept connections from a given IP except every 10 seconds? So if an email was sent from AAA.BBB.CCC.DDD at 00:00.00, don't accept another from that IP until 00:00.10.
This makes it happen entirely at the recipeient server side, so you're not breaking SMTP, and it's backwards compatible with everyone else.
On the other hand, if it's 10/sec per email it doesn't sound like this would be feasable to implement:
Receiver MX server processes an incoming message.
From: field header value is stripped as well as last MX host header value.
Receiver MX server contacts sender MX server (obtained from last MX host header value) to verify authenticity of sending party (obtained as From: field header value).
If authenticity isn't verified e-mail message is automatically dropped and not delivered to intended recipient.
I'm sure that mail transmission methods likely exist that follow similar protocol, or something similar. A lot of the issues surrounding security on the Internet involve the fact that the Internet was developed without inherent security built into the model. It was intended to be a closed WAN between military sites and college campuses. Physical security was the main constraint. E-mail has been developed in an inherently insecure manner.
How about the receiver have the sender complete a set of operations that contribute to distributed projects like Set@Home or Folding@Home?
The receiver sets the project (or project percentages), and an amount of raw CPU cycles (which would obviously be scaled up over time). The calculation engines would have to be written to be self verifying and self checking so the spammers couldn't spoof the calculation with garbage, but these are just details.
There should be a way to write this as a mail filter to all platforms and OSs. It should also include a buddy list that make the calculation portion unneeded.
Letter To Iran
Something that the Redmond Empire conveniently neglects to mention is that an awful lot of the spam is due to virus-compromised systems running -- you guessed it -- Microsoft Windows! I've lost count of the number of broadband IP ranges, notably from Shaw Cable and Comcast, that I've had to dump into our domain's local 'Reject' list thanks to their endless attempts to propagate Swen, SoBig, or whatever the latest spammer-zombie trojan is.
Perhaps, if Steve 'Uncle Fester' Ballmer and his cronies had paid more attention to basic security to begin with, or had taken the trouble to actually try and educate their customers about the most basic computing security steps, there wouldn't be such a huge problem now.
This 'Penny Black' nonsense looks like nothing more than a means for them to make money off a mess that they created in the first place.
Bruce Lane, KC7GR,
Blue Feather Technologies
What are the odds of legitiimate mass emailers wanting that? And once it's developed for legit emailers how long before spammers get it?
First, let us note that the S in SMTP stands for simple. What may look like a "flaw" today was indeed an attempt to make a standard that is usable with no regard for OS, system, bandwidth, transmission medium, or any of the other factors which complicate computers today now that everyone and their grandma has one.
... that way, it does not matter how old or new a computer is because the system does not rely on processor chip speeds..."
Micro$oft's proposal has several issues. First, the proposal itself:
"If I don't know you, I have to prove to you that I have spent a little bit of time in resources to send you that e-mail."
This changes the effort to convincing the system that I know you and we can bypass all of this. Microsoft's track record tells me that this will be accomplished quickly (likely before the software even reaches final release.)
"...use memory latency
No, it relies on bus speeds and memory speeds, not to mention caching schemes. These change almost as rapidly as processor speeds these days.
All of that is meaningless when you look at the greater problem:
"For this scheme to work, it would want to be something all mail agents would want to do,"
There are 2 ways to implement such a solution; on the server side and on the client. As for the server:
Not just want to do but be able to do. Since SMTP severs began requiring authentication (several years ago), most spammers have turned to using old servers still alive on the net. These would not have new schemes implemented. Denying them to play if they don't update would kill several servers (including several universities).
As for the client:
Anyone who can say "HELO" can send a mail (see RFC 821, RFC 1123, RFC 2821). This means that any decent coder can write a mail SMTP client in about 30 minutes. We will never be able to assume all spammers are using any e-mail client.
"It is certainly not going to stop all spam for good"
And in the aftermath, we will all have slowed our systems with no effect on spam levels.
Regards,
lbd@dybdahl.dk
This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years. ;-)
Yeah, because they did not hear of parallel processing yet
ato
I guess we could combine this with distributed computing so if you send out an e-mail you are helping solving one of the puzzles like for example RC5, OGR or ECC2. And make the world better.
But I think microsoft is intending to create a complete new business model for e-mail providers (and ofcourse for microsoft's hotmail.com) by selling the computing power to companies who need it.
why couldn't it be done at the ISP?
Makit is simeple, the first 50 emails in a 24 hour period get sent as per normal. the rest sit in a queue for 10 seconds each, limit the queue to 500.
A full queue would give an indication that that person is either spamming, or hit by some rogue program that is sending out emails for them. either way, that person needs to get a call.
The real issue is the ISPs and Telecomunication providers that market to spammers.
The Kruger Dunning explains most post on
I actively subscribe to a lot of tech sites that have tens of thousands of subscribers. Slashdot is one of those sites. How many people have Slashdot e-mail their mail to them? How are legitimate bulk mailers (of their own content, not ads) supposed to send out newsletters, etc.)? If a retail outlet with a legitimate opt-in newsletter needs to send it to 50,000 or 100,000 people, what kind of hardware upgrades are they going to be looking at. I mean, I can add them to a trusted senders list on my side, but that doesn't tell them that they no longer have to run the computations. "If I don't know you, I have to prove to you that I have spent a little bit of time in resources to send you that e-mail. How do you know whether you "know" me or not? Does the user's mail client alert the sending server that it approves of mail from that SMTP server? Once senders have proved they have solved the required "puzzle", they can be added to a "safe list" of senders. Whose list? My personal list that is part of my mail client? My mail service's white list? Microsoft's special white list?
If you mod me down, I shall become less powerful than you could possibly imagine.
No it isn't. Spammers can negate the effects of tarpits simply by multitasking, and dealing with many connections to many servers at once. Tarpits don't consume CPU cycles or memory latency like this idea.
I've been using a similar system for about 6 months (SpamAssassin first, then using a whitelist/sender verification process with Active Spam Killer (ASK)). It works very, very well - zero false positives, and zero spam (with an account that had been getting ~100 spams per day). It seems like most people who don't like whitelist systems generally don't understand them ("it'll loop if the sender and the reciepient both use whitelisting!". uhhh, no).
SMTP is being redesigned. its called AMTP.
Go read the drafts.
I see a few replies along the lines of "But that won't help, all the spammers will do is use a cluster of zombies to send their spam out".
I don't think you get it. I don't think this is meant to be a panacea, just another weapon to use against the spammers. Saying that is almost like saying "what's the point of using a firewall, when there are so many email-borne viruses that you're bound to get one of them? Why bother protecting against worms and remote exploits, when no-one uses them anyway?" The point is that you use this, and your filtering, whitelists, etc. It's just another tool in the hands of the end users who want to cut down on the amount of crap that gets to their inboxes. Besides, this will slow them down - they'll now need a damn sight more zombies to maintain the same rate of mailing. Meanwhile, others can work to help users secure their machines, making those zombies ever harder to obtain.
Someone brought up mailing lists - now that is a good point. But in that case, you (the end user) can whitelist the mailing list's address, as you've probably done anyway (if your system allows you to). If you start getting spam from the list, complain to the list owner, as they're not doing their job properly (imho, part of their job is to keep the list as spam-free as possible).
I don't think this is sufficient to kill spam, but I do think it'll help make life harder for spammers, and that has to be a good thing.
It's official. Most of you are morons.
Does anyone find it odd that MSFT is researching this when Hotmail is the absolute WORST email system when it comes to spam? I get more spam in my hotmail than any other email account.
Outlook and Outlook Express' lame mail filtering need a complete overhaul. It is more likely to catch and trash real mail more than junk mail.
MacOS X mail.app which uses Bayesian filtering to weed out the spam should be the model on which Microsofts programs are built. What self respecting email spammer will use that stupid idea of sending out emails? None. It is up to the recipient to manage their spam and Microsofts tools are not up to the job.....this one of the many reasons I let my Mac handle my mail and not my PC.....that and I don't think my mail program needs to install other programs without asking me.
Um. So I'm a successful spammer. I invest in a small cluster of multi-CPU machines and reduce that 10 second calc down to a 0.5 second calc or less. Feh.
Thats all well and good - but this is going to drive up ISP costs. As an independent ISP who has really struggled to survive against the "Pay .02 per month" hosting bait-and-switch deals and try to provide a quality service, I do what I can keep costs down. Having to program my mail servers to send a reply to each and every of the over 1,000,000 emails that my mail server processes in a day would tripple my bandwidth needs which are already rather high... not to mention possibly require additional hardware.
That said, I really don't have a solution to offer... but God knows I've looked into what others are doing.
You know how mailing lists require you to confirm your membership? Well, this confirmation mail would have you add the mailing list to your whitelist. As a result, future mailings on that list would be let through without having to do the computation.
The mailing list could simply refuse to deliver mail if you ask it to do the computation, or it might give you a one time warning that you have to add it to the whitelist, or similar.
But all it takes is to add the mailing list to your whitelist once, and it won't be a problem anymore.
With that said, spammers could start pretending to be mail from various mailing lists. I am not sure how big a problem this would be, but it would definitely make an impact on spammers if they couldn't just spew out millions of e-mails to random people in a short period of time. They would have to either go through the computations, or figure out which mailing lists you are a member of and use it to spam you, and so on. But this sounds like it would take too much time anyway, so the spammer would hopefully just give up. And if they did start spoofing mailing lists, then I'm sure there would be ways to prevent that as well. Most mailing lists don't accept mail from people who aren't subscribed, right?
The reason spam "works" is that you can just press a button and the rest happens automatically. If the spammer has to start doing manual labor, my guess is he'll be looking for something else to do. (Such as taking a swim off the deep end wearing concrete shoes, I hope...)
Clever signature text goes here.
One of them went to Verisign and asked for info to be sent to his corporate account and then dumped the resulting email into the "spam folder" I have setup for feeding SpamAssassin.
If I had not caught it, SpamAssassin would have up'ed the ranking on similar emails from Verisign.
My point is that I cannot trust my users to understand what is "spam" and what is not. So I accept just about everything (SpamAssassin deletes at 15+ which weeds out the most obnoxious spam) and flags it "ooo_SPAM_ooo" and then drops it in their inbox.
In the past, they have dumped the following into the "spam folder":
Their eBay account info
Email from their bank (complete with userID)
PayPal crap (again, with userID)
And it isn't just the users. I have to keep two entries in my local DNS system to handle two companies that we deal with that have admins that refuse to setup their email servers and DNS entries correctly.
I swear that there is something about email that makes people stupid.
I like the idea of slowing down the sending of email by half a second or even 1 second. 10 seconds is a bit much. My company sends out a lot of messages on some days and I'd prefer that they didn't have to wait 8+ hours to actually be sent. (Only so many threads running the mail process and each one has to wait X seconds.)
I just don't have much hope that the admins out there will correctly upgrade their servers to handle this (there are a lot of them out there that still operate open relays which the spammers use) nor that the users will be able to correctly operate a "friends list".
If the "friends list" is at the user level, then the Internet connection is still being used by all that spam.
Maybe I just have to find smarter end-users. Yeah. That would solve most of these problems.
Oh, I almost forgot to mention, the guy who put the Verisign email in the spam folder also signed up on all kinds of sites like that stupid high school classmates one with his CORPORATE EMAIL ADDRESS so he's constantly bombarded with spam. Another woman was replying to the spam she was getting so she's in the same situation.
Yet if I were to bludgeon them, I would be the bad guy.
I'm not generally in favor of solutions that require changes to SMTP or user behavior. My preferred solution to the spam problem would be for it to become legal to track spammers down and bludgeon them to death. Joking, a little...
But, instead of requiring a 10-second drain of CPU resources, why not simply configure the SMTP server such that a minimum of 10 seconds must pass before accepting an incoming email? I mean between receiving HELO and RCPT, for example. If less time passes, drop the connection.
I realize the computation is dependent on memory bus speed, but it does unfairly burden people who are running obsolete or very low end hardware.
At worst, I suppose Microsoft could make it's own scheme
"Its" and "it's" ARE NOT INTERCHANGEABLE!
"It's" means "it is." Thus, you have said "At worst, I suppose Microsoft could make it is own scheme."
Seems like this is a little easier to implement - rather than requiring a significant chunk of core, make a slight alteration to ones' zone file.
This sig no verb.
8000 emails per day per box.
easy get 50 boxes.
Or as many as they can afford.
walmart has em for $200.00
There is an internet draft proposal to extend the smtp protocol to use a Reverse Mail eXchanger (RMX) record. Seems a much nicer solution to me ;)
http://www.ietf.org/internet-drafts/draft-danisch- dns-rr-smtp-03.txt
Sounds like a plan for M$ to make more $
Most spamming is done through another person's computer anyway.
So the spammer pays 1c, then uses a security hole in windows to infect another computer, and the owner of that computer sends out thousands of emails...
Now in addition to being a victim of a security hole, the man is forced to pay hundreds of dollars.
Maybe the man will sue M$, and in effect M$ will be paying the bill
God spoke to me
A zombie spam rendering farm makes an interesting mental picture.
One line blog. I hear that they're called Twitters now.
why couldn't it be done at the ISP?
Makit is simeple, the first 50 emails in a 24 hour period get sent as per normal. the rest sit in a queue for 10 seconds each, limit the queue to 500.
First, that wouldn't slow down SPAM in the least in that, since, as mentioned before, the SPAMmers will simply offload the work to millions of compromised Windoze boxes in parallel. Each could be told to send 50 mails and stop, completely bypassing this methodology. Or not, if the spammers don't care how burdonsome their behavior is to their victims (not just the recipients of their trash, but those unwittingly sending it).
Second, what happens to all of those legitimate mailing lists? Microsoft may not have communities that form around mailing lists (or perhaps they may, I neither know nor, to be honest, really care), but the free software world certainly does. Whether it is Gentoo, Blender, transcode, moveon.org, or anti-DMCA poltical action work, there are all kinds of legitimate mailing list activity that would be crippled by such a design, even with your "friendly" margin.
The point remains, however. This will add tremendously to the burden of those using the net, and those victimized by the SPAMmers, while not reducing SPAM in the least. It is the worst kind of "cure", one that not only is worse than the disease (with or without your 50 email "grace" period), but to make matters worse, it won't cure the disease regardless.
The Future of Human Evolution: Autonomy
Having read the article, I was impressed by how clever their proposed solution was, though since I don't have a CS background, I don't understand how a mathematical computation can be essentially bottlenecked by memory latency -- I'd love it if someone could give an explanation of how that works.I'm guessing that some cryptographic hash needs to be held in memory, such that the nature of the data structure and physical access to it proves a bottleneck. This is probably way off.
But having read the /. comments, it becomes clearer to me that this solution, and many other proposed solutions face problems insofar as they "break" the assumed contract under which email has worked for so many years. To me, this seems to boil down to a challenge / response system (allbeit one that increases the overhead of the transaction signifigantly). The problem with these systems is that for a time, email will be broken for certain people, or broken when trying to communicate with certain people depending on whether or not one has migrated to the proposed system. I'd worry that this would have the effect of segmenting email users into little fiefdoms determined by which email system they are using.
I don't think a migration can happen unless there is some "benevolent dictator" who can force everyone to migrate to such-and-such a new email model and system, and frankly, I wouldn't want that forced on us.
It seems that the challenge to any such spam-reduction system is that migration must be immediate and non-backwards-compatible, and universal, otherwise for a time email users will be segmented into little fiefdoms based on whether they've migrated, and solution to which they've migrated.
All one has to do is hit the right keys at the right time and the instrument plays itself. - Johann Sebastian Bach
I think this is a bit too late. It would have worked when spammers were sending through their own machines or through spam-friendly ISPs. But, when spammers are sending via networks of tens of thousands of compromised Windows machines acting as relays, all that ten-second delay means is that they need to send out more worms to add more machines to the network. Do the math. At 10 seconds per e-mail, ten thousand machines means 1000 e-mails per second aggregate. A hundred thousand machines = 10,000 e-mails/second. All this does is give the spammers more incentive to crack machines, it won't appreciably slow them down until it either a) takes their own machines off the network or b) costs them money out-of-pocket per e-mail sent.
zero false positives that you know about. you don't know for sure that there are zero false positives unless you look through all of your rejected mail. which you probably don't because that's the point of using the filter in the first place.
Wave upon wave of demented avengers March cheerfully out of obscurity into the dream
Because the /. quotes from the BBC, which just says that the user be forced to do some sort of (crypto?) computation; but it does *not* suggest that the server use an SA like system to auto-reject spam.
Who said it did? I suggest you re-read the first line of the post I replied RTFA to.
ITYM: to die from.
Why mod up things that have been addressed several times already? This does not have to be a problem for mailing lists at all!
Basically, most mailing lists require you to confirm your subscription, and doing so, you would add it to your whitelist. So regular list mailings would never be required to do the computation. Only the confirmation e-mail.
Clever signature text goes here.
Mailing lists have already been covered, and it is not an issue .
I'm confused. I keep hearing about a "Microsoft Research" group somewhere in Redmond, but everyone knows that Microsoft Research is actually located in Cupertino, CA. To protect their trade secrets, it's cleverly disguised as a fruit store -- it even has a sign that says "APPLE" on the front of the main building.
They even have a completely independent platform that they use for testing new features, called "McIntosh" (it's a clever pun, you see, as McIntosh is a kind of apple, so it goes along with that fruit store disguise). If you want to see what next year's version of Windows will look like, all you have to do is take a look at this year's "McIntosh" test platform.
Some people say that the test platform is actually better than the real thing. That's why Microsoft deliberately made the test platform incompatible with shipping versions of Windows, even to the point of using a non-standard CPU in the test computers to run it on.
With such a complete and rigorous research group in Cupertino, I don't know why people continue to believe that there are any researchers at the Redmond campus.
Tired of FB/Google censorship? Visit UNCENSORED!
We need a new mail protocol where you can not send annonymous email.
Well, considering that our system generates on average one outbound email per second, and our customers call to bitch if their messages aren't delivered instantly, even if it's their provider's fault--a 10 second cost to deliver each message would sink our system into a hole from which we'd never return.
idea.
Except that this wouldn't accomplish the same effect. The idea is to slow down SMTP clients, not servers. You don't want to make servers work harder than they already do. A typical SMTP server can't handle more than a few dozen emails per second due to the ridiculous email infrustructure we have today.
Teergrubes do the same thing without the necessity of getting Microsoft into the act.
/. -- check them out.
All it does is act as a tarpit to slow down the spammer, who finds himself needing more and more open relays that stay connected for longer and longer periods of time sending less and less mail. And the best part is that it has no real effect on onesie-twosie emails from point to point.
It's been reported on in different comments here on
Mit der Dummheit kämpfen Götter selbst vergebens.
internet and some of its protocols like html :/
allow small and not very powerful clients to
access it. if we ask each email sending machine
to compute a kind of "proof" why not but what
takes some time on a XP2800 or a Pentium 2.8
is not gonna be the same for a small and not very
powerful machine used by a nomad user
how are we gonna find a solution to the fact
that a lot of very different clients in power they
have get to have internet access ?
(gilbertf (at) netbsd-fr (dot) org)
ahhahahahahahahaah
The other posts addressing this weren't visible due to my treshold settings...
I am a viral sig. Please help me spread.
jackass.
Mailing lists require you to confirm your subscription, right? So add it to your whitelist at the same time. IT IS NOT A PROBLEM!
There is a different proposal, to change the economics of spam at
http://cr.yp.to/im2000.html
The basic idea is to make the sender responsible for mail storage shifting
costs onto the sender in a way that makes large mailing lists simpler.
>Some ramifications of this concept
>
>Each message is stored under the sender's disk quota at the sender's
>ISP. ISPs accept messages only from authorized local users.
>
>The sender's ISP, rather than the receiver's ISP, is the
>always-online post office from which the receiver picks up the
>message.
>
>The message isn't copied to a separate outgoing mail queue. The
>sender's archive is the outgoing mail queue.
>
>The message isn't copied to the receiver's ISP. All the receiver
>needs is a brief notification that a message is available.
>
>After downloading a message from the sender's ISP, the receiver can
>efficiently confirm success. The sender's ISP can periodically
>retransmit notifications until it sees confirmation. The sender can
>check for confirmation. There's no need for bounces.
>
>Recipients can check on occasion for new messages in archives that
>interest them. There's no need for mailing-list subscriptions.
>
>Some advantages
>
>In the old Internet mail infrastructure, keeping track of
>undelivered messages takes a lot of work. The mail client (e.g.,
>ezmlm) and mail transfer agent (e.g., qmail) have to support
>variable envelope return paths; bounce messages then have to be
>parsed by an automated bounce handler that matches bounces with
>original messages. In IM2000, each message in the sender's archive
>carries its own delivery status.
>
>In the old Internet mail infrastructure, bounce messages are often
>misdirected by low-quality software. Users end up receiving bounce
>messages that should have been sent to an automated bounce handler.
>In IM2000, there are no bounce messages.
>
>In the old Internet mail infrastructure, mailing-list managers have
>to keep track of mailing-list subscriptions. Typical subscription
>protocols are slow, complicated, unreliable, difficult to automate,
>and trivially subject to forgery. In IM2000, mailing lists are a
>purely local matter for the receiver's software.
>
>In the old Internet mail infrastructure, the receiver's ISP has to
>carefully write every message to disk, so that messages will not be
>lost if the computer crashes. This limits the amount of mail that
>can be received. In IM2000, the receiver's ISP can keep
>notifications in memory.
>
>In the old Internet mail infrastructure, a message to a large
>mailing list is written to disk on a huge number of computers. In
>IM2000, a message to a large mailing list is written to disk only by
>a few receivers who want to save local copies of the message.
Isn't Moore's Law going to make this look silly in a couple of years?
Even if they changed the algorithm every few years, the would just create an even greater disparity between people with old and new computers, and force people to upgrade even more than now.
You've probably noticed that people's noses get bigger as they get older. That's because old people are huge liars.
If you had read other comments before posting, you would have seen that this is a non-issue. If these people asked to receive those mails, they will have you in their whitelists anyway.
Clever signature text goes here.
Open proxies are the real problem, I believe usage of open proxies has eclipsed usage of open smtp relays by quite a bit. For example, look at this incredibly disgusting, blatantly evil crap: http://www.mailinglistmaster.com/. these people should be thrown in jail, what they're doing is blatantly illegal.
Well it would increase your bandwidth usage but it wouldn't be THAT bad. Of 1,000,000 emails: - how many would be from people/addresses that were already on your whitelist? For the "average" user, probably a lot (Yeah, I know - I don't have numbers to back this up). - using a "pre-processor" like SpamAssassin to just trash stuff that's blatant spam would further reduce the number of verification requests you'd need to send (Real life example: I get about 100 spams per day, and SpamAssassin with a "reasonable" (for me) setting of 5 generally gets all but 3-4 of these. Not bad, IMHO and pretty tweakable.
This has been covered many times already. If the recipient asked to receive mail from your company or your mailing list, he will have you in his whitelist. Remember how that mailing list required you to confirm your subscription? Well, not you confirm it by adding it to your whitelist.
The technology is fairly old, it's known as Hash Cash.
It has known shortcomings, but it is one of the best solutions out there.
Its main problem, however, was not yet known when it was invented: That spammers would control huge zombie networks, as they do today.
With 100k zombies (which is not uncommon), the spammers can still send out 10k mails per second, or those 25 mio. spams the topic speaks about in under one hour.
Assorted stuff I do sometimes: Lemuria.org
> The email is sent and the server runs it through
...their email would go to someone else's
...and they would just trash it...
> the scoring process. If the message scores more
> than 6/10 the server sends the sender an
> authentication message, asking to validate the
> email.
So you are one of those resposible for bomabarding me with those damn things.
> This would require spammers to manually
> intervene and waste tons of their time. if they
> forged the sender email...
They always do. My domain is a favorite.
>
> email...
Yes. Mine.
>
Isn't that what the spammers say? "If you don't want it, just delete it. What's the big deal?"
The big deal is that about a quarter of my email is bogus bounces and useless "confirmation" message from systems such as yours.
_NEVER_ _REPLY_ _TO_ _SPAM_
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I think it should be such that if an incoming email isn't on my white list, then it gets notified it must do a computation to email me - it must compute the full value of pi.
Yeah, that'll work just fine. Not to mention it'll be good for their computer systems - computing the value of pi tends to get rid of that spirit called Jack the Ripper, when it takes over your computer.
See, it's a win-win!
why couldn't it be done at the ISP?
Simple, because most ISPs don't give a shit. Remember, American ISPs may have to conform to American law, but most spam is routed through Asia, specifically China, or other offshore sites. ISP level blocking only would work on the way in, which would probably require extra work, and therefore, higher costs for you, the consumer. On the way out just can't be trusted.
No, a much better solution would be to prevent spam from reaching its destination. If not, the next logical step is some sort of unique ID, which the receiving server could key back via reverse lookup to verify the e-mail's point of origin. If it looks to be a fake - aka, not generated by the server it reports - then it is tossed.
but while on the toilet i came up with this.
I was going to tell you that that was too much information. But then I admit that sometimes I come with pretty neat solutions to programming problems during my visit to the toilet. Maybe Billy G. did the same? X-D
Spammers generally hijack other peoples machines. There are very few static IP addressed spammers. Most spam I get is from US based ADSL lines - you can usually tell as there is a pattern in the reverse DNS name. Rest from China and similar.
Fact is 95% of the 200 or so spams per day on my two main emails I get is stopped by Brightmail at my ISP. The remaining few that leak through are junked by Mozilla. Then of the stuff that gets through (say 2 per day) I pick 1 out of 10 which may be via subscribers that are from well known ISP like Yahoo or other major ISP and email back the abuse department asking why they permit spam to be sent to me from their subscribers.
Come on Microsoft - why not have an excessive SMTP alert on your PC event monitor ?. Why not verify reverse DNS matches helo or domain of reply email ?. Why not have browser visit any links in background and check content against filters (imagine if every spam email cause an automatic hit of the bad web site then the spammers would NEVER be able to work out what was a human and what was automatic thus poisoning their live-email lists with false positives (obviously no need to visit a site if the domain of the SMTP server was the same as the reply email or the links ) ?
We don't want 8000 spams we want NO SPAMs. Read our lips: NO MORE SPAM.
This has been covered several times already.
If someone wants to receive bulk mail from you, they will have added you to their whitelist. When signing up for mailing lists, you have to confirm your subscription. You would do this by adding the mailing list to your whitelist. So regular mailings are not affected at all, since the mailing list could just drop the delivery and remove you from its distribution lists if your client asks for the computation to be done. Or it can add you to a list of people to send mail to to remind them to add the mailing list to their whitelist.
Simple.
Clever signature text goes here.
its not that big of a deal
I mean its not like the your computer is going to blow it'self up if you misspell something. your dog isnt going to bite it's own tongue off
Spamcop would parse the headers of those complaints as if your network was the originating (spamming) network, then send a report to your ISP's abuse department.
This is not the end solution to spam, but it would surely make their lives harder. It would make it more expensive and time consuming, and thereby attacking the spammers where it hurts: Their wallets. People do spam because it pays. If it pays less and is even more hassle, it is not worth it for many of them.
Clever signature text goes here.
I think we have enough trouble already with protocol-mandated bounces annoying innocent people. Please don't reimplement a voluntary protocol based on the same flawed model. I would not report you to SpamCop for it, but I might blacklist your mail server or entire network for sending me nothing but unsolicited validation requests (UVR).
And this "requirement" and the associated key will be spoofed in
I say 3 months.
"No, but this will be an 'un-hackable and un-spoofable' system."
"Right. Pass me another DVD-R please."
------ The best brain training is now totally free : )
This is exactly why it will make an impact. It will cost spammers time and money, and will therefore make their lives harder. The result is less spam for us, and more expenses for spammers.
Clever signature text goes here.
This morning as I was waking up I had a vision in which slashdot.org was used to help combat spam.
A number of fake e-mail accounts are created and posted in various public arenas so that the addresses will end up on spam lists. Soon the inboxes of these accounts will be flooded with spam.
A small program crawls through these junk e-mails and collects the links contained in them. The URLs are compared to a database where new URLs are added, and things like first appearance, life, and number of occurences are tracked.
When people access slashdot.org a small background script is executed. It uses the client computer to hit some of the URLs from the spam database without the client actually being aware of it.
URLs in the database are periodically checked to see if they are still online. If they are unresponsive, then they are not accessed by the spam killer scipt, and if they remain unresponsive for x number of weeks then they are considered to be dead and are removed from the database.
1. MS doesn't make anything from this. You pay with CPU time, not with money.
2. Spammers are ALREADY using infected zombies to spew out spam. With this, you would limit the spam regardless since the zombies are limited as to how much they can send out. And people might get their systems fixed when their CPU is red hot.
Read the damn story and comments before making an ass out of yourself.
I suppose this will be as effective as Slashdot making one wait 20 seconds before posting was at curbing the trolls.....
C - A language that combines the speed of assembly with the ease of use of assembly.
"What do you mean the latest version of Outlook takes ten seconds per mail?"
Let's cripple all industry by tailoring products to the needs of the worst-case users. That seems like a great idea.
Actually we always tag the subject on spams and have them filter to a junk box. The point isn't that you never have to look at the spam, because you do, nothing is perfect. The point is that 90% of the time you can open your mailbox and look at just legitimate email and go back and sort the junk about once a week or month (depending on how much you get) just scanning through the subjects instead of reading them since it's a safe bet there isn't anything you want in there.
This seems most useful when combined with other ideas. For instance, a system with several lines of defense, starting with a whitelist, so known good mail wouldn't hit the rest. Follow that with the 10 second puzzle, and then your choice of spam filters. If the sender passes the 10 second test (ie they're using lots of systems to send, so they don't care) but spam filter says it's spam, give them a puzzle that takes 5 minutes (more?). This serves the purpose that individual users who lose at the whitelist and spam filter can still get their email through, but mass mailers lose a ton of spam sending time.
few people that post here have more than a very shallow understanding of computer science, engineering and academia. Those of us who do actually have an education - or even degree - in said fields only wish we had the kind of budget and intellectual resources MSR has.
Cause you know, writing shell scripts makes you an expert at all things electronic... at least compared to the rest of your high school computer literacy class.
-
In fact, spammers hijack legitimate hosts and use them to deliver the spam. The computational resources required to send the spam are provided by the hijacking victim. The DNS entry of the sending MTA will have all the assurances built in. Since it is no harder to hijack 10,000 victim hosts than to hijack one, it takes little more time to send the millions of spams.
This also makes it impossible for ISPs to provide MTA service for hosts on their subnet. While your average Windows box isn't doing anything else useful for the ten seconds, it's not the host being asked to authenticate. Who is? The ISP's MTA. But if end users' MTAs contact receiver MTAs directly, they hit blackhole lists.
Furthermore, it makes legitimate mailing lists impossible to operate.
Of course we've heard of this idea before, but it was shot down immediately, for the reasons given above. Few would give it another moment's thought if MS weren't promoting it.
Ah, so, if I'm joe shmoe, and I don't control my own SMTP server (that's about 99.999% of all email users), I can't very damn well do anything to the whitelists for a program that operates at the SMTP level, can I?
who are those slashdot people? they swept over like Mongol-Tartars.
This reminds me of the Monty Python skit from the Holy Grail where they have to answer a question about the speed of a swollow before crossing the bridge.
I guess that the idea does have some merit, however, I don't want to slow spam down, I want to stop it. I don't really see how the solution will work, spammers will just find a different direction - probably hijacking computers to do the calculations they need.
My experince with programming is if it can be written, it can be automated.
None of these issues are applicable to his solution. What he is saying is to have the SMTP server that recieved the mail hold the offending possible spam in an inactive queue. The SMTP server sends an email saying please reply to this message email (tagged for that specific email) to the reply to address on the email. If you don't have a valid reply to address it can't be validated and if nobody ever replies the message could be deleted or marked as spam and forwarded to the appropriate recipient. This could easily be implemented with any spam filter and if the user has access they could whitelist addresses that might get caught. The only issue would be emails to false positives not replying and you possibly missing an important message.
Its not going to work based on what little information is currently available on this very limited technique. Seriously, its not going to be a net disaster either. Most MTAs use the free "Sendmail" which, unfortunately has a long history of exploits. "Postfix" and "Qmail" are popular alternatives and any one these standard MTAs are far more popular than all M$ solutions combined. It may work with M$ clients that use the rare M$ MTAs. Some solution.....
It is very unlikely the Unix world will have to comply to this in any way. If there were ever an RFC requiring this, all RFCs would be regarded as garbage and that would be the net disaster!
Such a scheme would appear to only slow down the least sophisticated net abusers. Every provider (and every private MTA) should do their part to assure their MTAs are correctly configured to atleast RFC standards. While both standards and the resulting MTA will evolve, don't expect anything to change radically no matter what M$ tries. The M$ plan is very likely non-compliant which could lead to a warning and ultimately removal from the Internet.
In some ways it is nice that even computer illitterates can use our Internet, but unfortunately this brings in the excess baggage like spam, Microsoft and laws that govern Internet use. Since there is really no going back, a worldwide ban on spam, very stiff fines ($1000 per complaint has often been suggested) and prison for repeat offenders seem to be the only way, now, to stop this abuse.
Either this system penalises old hardware, or it's vulnerable to emulation.
I suspect that a microsoft already sells the software you need to break this, since 20 virtual PCs running on a fast box act a lot like 20 slow PCS.
If not, how long will it take spammers to write a multiple instance mail client that runs slowly? Will fooling this system take much then setting a flag that says 'sender_processor=i386-25'?
A pizza of radius z and thickness a has a volume of pi z z a
Answering backwards:
A quarter? You lucky bastard, I'm at 2500% spam and rising, after filters!
However, on the whole trash it argument, if everyone installed these filters, the "Please confirm" messages would never be delivered to someone who didn't send the message in the first place. Not that I'm saying I _like_ this option, just that it seems to work.
...the same company who has been claiming that security is their top issue while getting exploited MORE times in 2003 than ever before to stop spam? I think they will likely do what they've always done and fix one problem only to create five more... ;P
Un-news
This seems exactly like the sort of thing microsoft would push to quash competitors MTAs. Major ISPs will need to push far more than 8000 messages a day (even if that's a per box quantity), and will need to find a solution for that. One I'm sure microsoft will provide. Some kind of "e-mail hash co-processer", or something. Something spammers could buy too of course... basically, I don't think it's a good idea, and I think Microsoft's going to be using it to their own profit, not the benefit of anyone. No surprises I'm sure.
Microsoft's solution to a problem is always crippling the service, or using something proprietary, and additionally involves creating tertiary problems.
"If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem."
--Not to be worried, Pitr fix.
We've reported on this before.
Perhaps it's just me, but doesn't that seem like a big ole "We're posting something for the second time".
(it may well be that this time there's an update, but the blurb doesn't mention it.)
So the solution is for spammers to set up compute farms of cheap old hardware with an open soure version of the mailer. Since memory latency matters, and not processor speed, the solution is to have access to more than one computer. A farm of 10 machines then sends out 80,000 messages a day. A real super computer farm funded by a spammer alliance could get back to shipping millions of spam messages a day. What was the cheapest supercomputer cluster mentioned on Slashdot, something like $30,000? Is that really all that much money when you consider that a group of spammers could split that and amortize over many years? Remember, age of the hardware is not a consideration, just CPUs with access to memory segments. How about a very large system with hundreds of virtual 386 processes running 128k memory segments?
I think in the long run only something more expensive will deter most spam, but will not succeed completely. Case in point is all the junk mail we still get in our real mailbox. Someone out there is paying for postage to send that crap, yet they still ship it to me so that I can place it in my trash can.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
I'm talking about domain hosters that do mail forwarding, like register for example, or joker. Actually any mid sized hosting company that does mail forwarding. From mx to mx. I'm not talking about opt-ins.
Luck favors the prepared, darling.
Instead of hitting the delete button I started putting spam in a folder for later analysis. What I found is that spammers use affiliate programs. For example, I recently got a porn spam with an image from
://www.silverstate.co.sy@click.com-click.com.ph/cl ick.php?id=sicosyl
1 &c ampid=
http://gallery7.withsex.com/
All I do is block withsex.com with an expression filter and all spam that's afilitated with that site goes away. Spammers can't ofuscate an URL otherwise it won't work. The image linked from the same site is 28KB. If that spam was sent out to 25 million people and all of them looked at it once that cost the spammers 667GB of transfer. On a standard DSL line it would take about 6 months to transfer that. These companies need a dedicated host to allow them that kind of bandwidth. The company may have a number of domains for the site but spammers aren't going to be using random ones to advertise it like they use random from e-mail addresses. They also have to keep the domains functional or all that spam goes to waste.
Not many hosts would allow that kind of bandwidth transfer without charging up the nose for it. Which limits the number of hosts that spammers will use for images. 2004Hosting.org/.net is a big one for the cable filter and "banned CD." 530000x.net is also affiliated with those spams.
http
click-net and click-com are what spammers use to get paid. If you click on a spam link, most likely it goes through a common domain to log the referal to calculate how much the spammer gets paid. Block the referal site and all spam that uses that referer to get paid is gone.
For example
http://www.xswcde.biz/index.php?id=173&affid=56
342
Is a big e-bay spammer site. I block xswcde.biz with an expression filter and all e-bay spam from that company goes away.
It basically boils down to blocking the company and not the spammer. My spam count went from about a dozen a day to 1 or 2 and they also have obvious tells. If possible I also block the domain in the from address. Using a web-form cut down on spam quite a bit as well.
Ben
Work Safe Porn
The ideal solution is simple: remove common carrier as a defense in civil spam cases (along with copyright infringement, but repeal the DMCA also).
Any network that transmits spam (or material infringing on copyright) is liable for the spam/infringement. The damaged party is then able to sue up the chain.
You receive a spam. You sue an ISP with operations in the US. You win the judgement.
At this point, the ISP passes the liability onto their customers, either by suing the customers (or peer, if we're getting international) who originated the spam, or by simply incorporating the insurance premiums to protect against spam-suits into their pricing (much like how insurance companies can immediately turn around and sue someone for causing them to pay out a claim).
If the first approach is taken, then non-spamming customers are not affected. Spammers themselves end up paying the costs.
If the second is taken, ISPs that issue pink contracts are going to end up having to charge more to the non-spammers (who are effectively subsidizing the spammers). Naturally, the non-spammers would leave as better and better deals became available, thus forcing the costs to be born more by the smaller fry in the spam industry (who would thus drop out).
Imagine having Comcast say to their customers, "You're running an open relay on your end of the cable connection. Fix it or we're bumping you to a $1,000 a month plan." Or "You're running an unpatched Windows system that's spewing spam; fix it within 24 hours or we're either permanently barring you from service or putting you on a $1,000/month plan."
The same is true of international peering. Say that C&W is routing packets from Korea to the US. They start getting sued heavily for transporting spam. They respond by either going after the Korean ISPs that are harboring spammers or by simply declaring that, since business in Korea is so fraught with liability, that they're quintupling their bandwidth rates for Korea.
This is news?
It's also ironic that this supposed spam fighting is coming from Microsoft, a company that spams me in several ways, including to an address that someone gave them falsely when they wanted a passport account and Microsoft ignores all e-mail from me requesting that the address be removed from their e-mail lists.
I'm an American. I love this country and the freedoms that we used to have.
Well, maybe. There still could be a white list for cases like this.
I think that high volume mailing lists should probably actually be newsgroups anyway. But what it does do is put a crimp in people who host a lot of low volume mailing lists.
As somebody who hosts low-volume mailing lists, I have to agree.
Whitelists are nifty (we use them extensively), but what worries me on that score is that if they become frequent, I suspect we'll just see spammers hijacking address books along with machines, and forging "trusted" From lines.
Slashdot's token middle-aged housewife
And again, where does the whitelisting occur?
If it's on the mail server, this is effective, but how is the server going to know that a given address should be whitelisted? And on what criteria would it whitelist (and the server determine that an address has been whitelisted)?
If it's on the client side, well, you've cut down on the number of spams the user sees. You haven't cut down on the storage and transmission costs for the ISP.
There are mailing lists with already confirmed subscribers, running from properly configured email servers, on safe networks that do not allow spammers. They should not be forced to deal with this idiocy. Most mail systems do not have these automatic whitelist tools in place, and it will be years before it can be universally deployed.
The best answer is the one that will work in a mere months if everyone were to decide to do it. That is to blacklist, ban, deny, or whatever, the entire address space of any and every ISP that hosts major spammers. Even if only the top 40 such ISPs were treated this way, it would put a substantial damper on spam. Just give a few days advance notice what ISP is being banned, and legitimate users can flee to other providers if they care (and if they don't care, then why should I care about them).
now we need to go OSS in diesel cars
No, if it takes 10 seconds for a spammer with the latest dual Xeon CPU (or hacked into a superfast company computer), it will take several minutes for the average user, and hours for my mother on her old P200 (which is more than good enough for sending email), or days for myself on my 20MHz PDA.
Of course, this will incite people to buy new PC's, which comes with a new operating system, made by guess who?
Nah, I'm not cynical. It's probably worse.
Regards,
--
*Art
People still get spam? Haha, they're probably still tormented by popups and limited to browsing in a single tab!
Seriously, I almost never have a spammer get through to my inbox, because I have spent a little time up front in prevention:
1) Switch off that preview pane for HTML messages. (Every time you look at one of those things, it is a confirmed hit for the spammer).
2) Install a bayesian filter on your local machine (I use PopFile as a classification tool, but if you just want to prevent spam, then Thunderbird's builtin seems ok too)
3) Train bayesian filter
4) Once per week, scan the email subjects of your "spam folder" for items that may have been mis-classified. Repeat (4) as needed.
5) Never post on a newsgroup with your real email address. Ever. You will regret it. Some viruses/worms scan newsgroups for email addresses, and then send themselves to you. Even with spam prevention, it still hogs your email bandwidth and space usage.
Realistically, most people will do none of the above. The whole spam problem can only really be solved with new email clients, which do all of the above automatically.
It will never be solved legistatively, because there are always special interests that cause loopholes. And technical changes just impose a higher barrier to entry; they do not prevent the problem, just consolidate it to a few powerful spam-service providers.
Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
He's not talking about SpamAssassin. He's talking about the idiotic whitelisting schemes (ala TMDA), that assume that all mail not whitelisted is spam and do not deliver it. In short, they always have a "0%" false positive rate, because they silently throw away all mail that's positive (and often blacklist the sender of that mail, so there's no way to tell them that their software dumped mail).
As a matter of policy, I do not respond to whitelisting requests because the sender of the whitelisting request has already accused, with zero basis in fact, of being a spammer, and beyond that, there is zero ground for a civil relationship and thus no reason whatsoever for me to communicate with them.
While you can be punished for not having a locked gun safe, the fact remains that it is (relatively) trivial to lock said safe so that only a determined criminal can break into it.
However, the same can not be said of computers, for the average user. Thus, until it is easy for the average user to lockdown their computer properly, punishment should rest on the person who mis-used the computer.
Many of these viruses are only trojans, and it's the humans who click "yes" when asked if they want to run a file they just received that is actually the root of the problem.
As seen with OpenSSH and such this year, no OS is immune to security breaches.
Stop beating this stupid dead horse.
This is not effective since spammers run parallel machines, processes, threads, or logical tasks to send out spam. A typical email might take 100 milliseconds to deliver without the delay. So you multiply the time by 100. Now the spammer that previously had 100 open SMTP connections has to now have 10000. That's not that hard to do, given that the traffic volume still remains the same, and RAM is cheap. I can get 1000 concurrent connections going out per process. I can run 1000 processes doing that. I could get 1000000 connections going. Yes, that would bog things down, but it would be possible to do on one machine. Many spammers have a thousands servers. Some have a million spam engines running all over the world on the ends of cable and DSL connections. They won't be affected by sleep(10) at all. In fact the latter group won't be affected much by the CPU requirement of the proposed crypto idea, either, given all those home computers spamming a little here, a little there, in parallel.
now we need to go OSS in diesel cars
Actually, it seems you are partially correct. Bill gets all of his ideas upon visits to the toilet. This time, however, he sat down instead of picking something out.
warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
Well, I would imagine for such a scheme to work, you have to have a number of precomputed puzzles known, otherwise, you have to compute the answer to your own riddle everytime. That is not efficient, either.
So, if such a scheme existed, I would imagine I only have to compute the answer to riddles I don't know, and once I know them, store the answer. So, every time I want to send a SPAM message, I look to see if the riddle is already known and send the answer with the mail. If not, then compute the answer, add the riddle to my store of known riddles and go on, since I will at some point be given the same riddle.
It sounds like a great idea at first but I don't want sending an e-mail to be computationally expensive. So if it takes my desktop PC 10s to caclulate this hash it means it takes my IPAQ 45s+ and that assumes its an interger function, if you go floating point it will really put the hurt on mobile devices. I don't really want sending mail to be compuationally expensive on my PC or laptop, having my MP3 skip or my recording from my capture card dropping frams sounds like it could get irritating real fast. I realize that the article talks about it being more memory intensive then cpu intensive but lots of fast memory I/O will bother mulitmedia stuff. My other issue is even though memory speed does not increase as rapidly as cpu speeds, memory is getting faster how long untill the delay becomes usesless on bleeding edge hardware and what will that mean for older boxes when the have to make the hash more complex to slow things down again.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
$5 / month hosted VPS on linux = awesome!
Comment removed based on user account deletion
Try TMDA ... not 100% foolproof ... (YET!) but it is currently eliminating 99% of my spam on the server. Challenge/response loops work.
If everybody used Microsoft software only, it would "work" too, according to its own standard.
It should have been called the "Kettle Black" project.
What exactly do you mean by "Don't touch this button?"
If they can pull this off, maybe the world won't see them as the profit-mongering 800-pound gorilla monopoly corporation they are. They will be heroes to us working-class.
Unless, of course, they make it proprietary and charge huge license fees.
Oh, well. It was Christmas... we all can wish...
There is only 65000 ports per IP address, and each connection requires it's own port...
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Simply de-allocate the IP blocks of any ISP that continually harbors spammers, meaning it refuses to terminate them immediately? They can't spam if they can't connect to the internet!
And to "strongly discourage" any ISP that would consider flaunting this rule, they get zero compensation for that netblock they paid for and are denied from buying any new netblock for a time (possibly a week).
Because this would necissarly work on the level of ARIN and the root DNS servers, you can't avoid it, because those are known, reputable organizations who will have no choice to comply.
Can anyone think of a way you *could* avoid this?
It was a goddamn joke you fuckwit. Mother fucking Mohammed! Can't you step back from the sheep's anus for a MINUTE and try to think deeper than your 3 inch ewe penetration?
Wow, 2500:1 spam ratio? Change your filters or use a service. My company provides a service from Postini that seems to get rid of _all_ of that crap. And no, I don't work for them.
I don't think this is a good idea.
First, it would kill legitimate mailing lists. Imagine what the perl5-porters list or the Linux kernel list or any of the other high traffic mailing lists would have to do to keep operational. Large mailing lists already have problems with lag. This would just add to that.
Also, there does not seem to be anything that would stop them from doing these operations in background and just contact multiple sites while working on the problem. They would just multi-thread the mail spammer or just hijack more machines to use as their slaves.
This technique requires replacing every mail program out there to support the protocol. Of course, they will just make it a condition to connect to exchange. Might be a way of getting people away from having to talk to compromised Windows mail servers.
This is a bad solution for a big problem.
"Something must be done! This is something, therefore we must do it!"
"Trademarks are the heraldry of the new feudalism."
Say I send out 5000 spam messages and specifically make sure that the message is crafted in such a way that it will get marked as spam, and I don't use my email address as the sender. Instead, I use your email address as the sender. You'll be the one getting 5000 authentication messages, not me.
Increase the scale of that example. Lets do 1 million messages. I'll be able to do a DoS via email to most anyone I want to.
As a matter of policy, I do not respond to whitelisting requests because the sender of the whitelisting request has already accused, with zero basis in fact, of being a spammer...
If you got a whitelisting request from him, it would have been because your message looks like spam. That is not a zero basis in fact from his perspective.
In fact it would be because you did something in your email to total a high bayesian filtering score.
As the sender *I* would not be insulted if that were to happen. In fact, it would be great to know that the mail I send is not being silently trashed. How unimportant is your message that the perceived insult is of greater importance?
I always wonder these days whether a mail got through, when it is not answered. I find I end up on the phone more often than not, because mail is no longer a reliable method of communication due to spam.
If you continue to get a lot of whitelist requests after such a system is implemented, it would behoove you to make your mail look less like spam. For instance, not using Base-64 encoding, or sending purely HTML mail, or including trademarked names of pharmaceuticals, or including random strings of characters, linking to spam domains, putting lookalike accented characters or too much punctuation in the subject line, or cc'ing or bcc'ing everyone in your mail.
And no one claimed this to be the ultimate solution, but fewer spams can be sent, and as a result we have made life harder for spammers. Many will drop out since doing spam will take too much time, effort and money.
The ISP will save money as spammers stop spamming. Again, if the spam doesn't reach as many recipients it doesn't pay off.
M$ should consider out-sourcing it since well....my hotmail account still gets spam even though I set it to exclusive (meaning only email from ppl in your address book will get through); spam with obvious fake addresses. And the spam that goes through this "exclusive filter" also seem to fly passed my custom filters that have the words that the spam has ("financial", "viagra", "herbal", etc.)
Yahoo works better with regards to spam though I wish it would empty the bulk mail folder more often.
And my pop3 acct has something called greylisting and that alone cuts 95% of spam. Plus black and white listing IPs and domains helps too (for instance, only allowing email from hotmail.com if it originates from one of hotmail's servers, etc.) and blocking known spam-haven Class C ranges (eg x.x.x.*).
This *is* /.
He doesn't have to RTFA before making comment on it.
Not that I'm interested in helping spammers, but it sounds like an interesting challenge to me.
Whitelists are nifty (we use them extensively), but what worries me on that score is that if they become frequent, I suspect we'll just see spammers hijacking address books along with machines, and forging "trusted" From lines.
I think the hash-cash technique would be most effective when combined with something like SPF, which effectively (and very cheaply) prevents forging mail from a domain that isn't yours.
Comment removed based on user account deletion
Wrong. Each connection requires a totally unique combination of source host:port and destination host:port. It is perfectly valid to make a connection from the same source host and source port as long as the connections go to a different destination address or a different destination port. A spammer only needs to use a variety of different source ports and destination addresses to achieve a massive number of concurrent connections. They might only be able to make 65000+ connections to your IP address, but they can make 1000000+ to lots of different IP addresses. In reality spammers would be making those multitudes of concurrent connections only to large providers like AOL (which have their own means to deal with it). But they can still easily achieve the 1000000 connections mark and go well beyond it.
now we need to go OSS in diesel cars
Bill gets all of his ideas upon visits to the toilet. This time, however, he sat down instead of picking something out.
/. reader when they pick something out of the toilet?
/. user.
/. reader picks something out of the toilet they just have a handful of shit.
Q: What's the difference between Bill G. and the average
A: When Bill G. picks something out of the toilet he has a handful something that will make him millions of dollars in income and is smarter than the average
When the average
...just like my new hard disk has 160 GB space available. What next, PI = 3?
Those mailing lists will have to deal with it. It will probably be trivial to set up automatic tools for that. Just send out information before the system is put in place that people have to do this-and-that to whitelist the mailing list. No antispam measure is without negative sides, but this one is easily overcome.
Really? I was new here before you :)
So that MS isn't the only one who can do this.
Wouldn't it be 25:1?
Oh, thank you for your insight. What I don't understand: By doing so it would make big mail server impossible. Because they're sending thousands of emails per hour (or minute or second) but have only limited CPU power.
I.e. by using (up) the sender's CPU you would hurt even "innocent" mail servers (which are sending thousand of email per minute but not using the same other mail server).
M$ should be spending the time and money preventing their mail servers from becoming compromised and finding ways for its desktops to not get so easily owned and that would prevent the majority of spam that comes to my systems.
/. Bill should pay for tech support if he wants to own the code.
This "spam filter" stuff when performed by M$ is an insult when it does little to address the problem which it has a contributed to.
---
Please stop discussing M$ fixes on
The BBC article doesn't mention one point that's very important to me: How open will the publication of the technique be? I have to be suscpicious of any proposed new internet standard coming from a research foundation funded by Microsoft. Yeah, call that MS bashing, but the fact remains that there's a STRONG precedent here for that suspicion. MS would love to have a new standard adopted that can only work if both the sender and recipient have to use MS products.
In general, the solution they propose is great. Add a slight resource cost to sending an e-mail and it doesn't affect most legitimate e-mails but it does affect massive spam floods. And they came up with a resource cost that will work the same even on a faster computer - so it doesn't get 'fixed' by waiting for faster hardware or by running a bunch of machines in parallel. BUT the really BIG BIG problem here is that it requires that the sender be using a compatable e-mailer. What exactly will it take to be comptable? Is it going to be a published standard that will be easy to implement in the wide variety of mailers out there? Will it be *legal* to do so? If not, will people who reverse engineer it so that they can send e-mails from non-MS platforms be slandered by the industry claiming they are spammers? (In EXACTLY the same way that people trying to view DVD content on non-approved platforms get labelled as DVD pirates.)
The idea at it's core is sound, but I want these questions answered before I would trust that there aren't alterior motives at work here.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
I was referring more to those who view whitelisting schemes as the be-all and end-all of spam-fighting and who deploy TMDA for all incoming mail.
Actually, the biggest problem with SMTP is that there is no way to assure whom the mail is coming from, and thus there is no accountability. If anonymity was not possible, then spammers would disapper because they'd be found and subjected to their own treatment back on them.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
You receive a spam. You sue an ISP with operations in the US. You win the judgement.
Goodbye P2P networks too..
If C/R was implemented at the SMTP level as stated by the original poster? Wouldn't you 1) have a hard time forging headers in the first place? and 2) Have the spammer's IP since they had to connect to the outgoing SMTP to do their dirty work?
Sounds good to me. No?
Any network that transmits spam (or material infringing on copyright) is liable for the spam/infringement. The damaged party is then able to sue up the chain.
OH, MAN! NOOOO! No way! That would be the worst possible solution. When you hold the middleman legally responsible for things he has no control over, he starts enacting draconian poilicies to GET that control so he can cover his ass. These policies end up being overly restrictive out of fear that something might slip through the cracks. This is where a lot of the bullshit in various Terms of Service items in ISPs is already coming from. "Nope, you can only use approved programs on the service". "Nope, if we haven't heard of it, you can't run it." "What's that? Your niche OS has a normal, benign service that we don't understand? Then you can't run it. It's not listed as a typical Windows service, so it must be something illicit."
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
First, the protocol is overly complex. The receiver sets the puzzle. How does the receiver to this. But sending the puzzle before receiving the email? That is complex, perhaps involving connections that must remain open for tens of seconds, or lists that correlate puzzles to particular senders, and the sender must match the answer. How will the puzzle be generated. Will it be psuedorandom or pad. How will we gauge the strength of the puzzle. I do not see how this is superior to current filtering.
Second, alternate filtering methods will still be needed. Whitelists will have to be kept so that friends, interoffice mail, and current customers will not be challenged. Email that does not meet the challenge will still have to be accepted and filtered. The only advantage is that certain email will be tagged as 'safe' because the sender solved your puzzle. This 'safe' email will still often have to filtered to meet the specific needs of the receiver. For instance, a 'safe' email may still contain graphic sexual content unsuitable for the office.
Third, there may be no way to know whether the calculation was done. If the puzzle is pseudo-random, the sender may exploit some weakness. If the puzzle is off a standard one-time pad, and the number of puzzles are finite, or can be cataloged into a finite number of sets, the sender may have database that already contains complete or partial answers. So, even if the spammer is not using owned hardware, there is no way to know that each email is in fact generating any specific liability.
Again, this is a ploy for MS to sell servers to advertisers. The number of machines, and related number of MS licenses, is going to be non-trivial. The client will be built into outlook and the marketing will convince consumers that anything marked safe is legitimate advertising and not spam. This does nothing to solve the spam problem.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Yeah, for all intensive purposes their the same word anyways. The grandparent needs to loose the attitude.
But what about legitimate bulk e-mail?
There is only 65000 ports per IP address, and each connection requires it's own port...
I don't think so. If that was the case, then sendmail (and a variety of other classic internet server programs) couldn't work the way it does. You can only have a server *listen* on 65535 unique port numbers, but once a connection is made and a child process of the server is spawned to deal with that one client, a new client can come in on the same port number and get it's own child spawned for it, and so on.)
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Actually were both wrong.
A quarter? You lucky bastard, I'm at 2500% spam and rising, after filters!
That is 25 houndred parts in a hundred which means he gets 250,000:1 email ratio. I don't argue that it isn't possible but his filters must actually not filter anything and even then must have replied to as many spammers as possible.
The way this is typically solved is to call it a tax instead of punishment or a fine. Average users will simply be taxed for having an insecure PC on the net; smart users will purchase "tax shelters" (e.g. firewalls, virus/malware scanners, Mac's, etc.) Quite similar to how some states offer a break on auto registration fee's for vehicles using alternative power (electric, natural gas, etc.)
Yet again the same "SMTP has no authentication" canard. Explain to me what this is.
More cluelessness. Spammers are not anonymous and never have been anonymous. We know who they are and have known all along, the only reason they continue is that law enforcement doesn't give a shit about spam. In fact, now that the US has legalized spam with the you-can-spam act, we can expect it to increase further still.
The way to stop spam is to throw the spammers in jail. As long as the political will to do that is lacking, spam will continue to get worse.
When you sign up for a new hotmail or yahoo account you are required to type in the word that appears in a bitmapped image (the bitmap is sufficiently distorted to prevent automated CR). Why not require all email senders whom are not on the recipients "accept list" to perform a similar verification before their email gets through. This wouldn't present a problem for mailing lists because presumably the recipient of the mailing lists would place the email address on it's "accept list" by default. This should reduce spam considerably since it requires human effort for each email sent.
So what? You could just send me 1,000,000 copies of spam directly. IT won't be 'Distributed', but you could vary the content and the (spoofed, of course) From address to make it seem that way.
How do they perform this alchemy? Well, whilst CPU cycle times shrink exponentially from year to year, DRAM access times do not. Over the past decade DRAM access times have decreased, but not that much - that's why CPU designers keep on increasing the amount of cache in their systems, to reduce cache misses. Therefore, if the task you're computing causes memory accesses in a pattern where most are cache misses, the performance differences between a fast and slow computer are comparatively small.
It appears, from the sketchy description in the article, that these researchers have figured a function that has this property that meets the other criteria you need to make the scheme work.
So, kudos to Microsoft for funding useful research. Of course, if it were ever to be implemented, Microsoft would have to remember to either a) not patent it, or b) make the patent available royalty-free.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
An interesting solution is to use a computation that is intensive in memory access, as the speed of access does not increase as quickly as calculation speed.
This is just hashcash.
Hashcash is wasteful... it just runs processes at full blast for tens of seconds to tens of minutes at a time, which is a small energy waste but overall a loss.
Hashcash is impotent... any hashcash scheme cheap enough to let someone with an older computer send mail in less than minutes won't slow down a P4-3GHz at all.
Hashcash is harmful, because it makes no distinction between solicited and unsolicited mail. How would you subscribe to Slashdot without whitelisting it?
And once you're whitelisting senders, you might as well just whitelist everyone you get mail from, and now you only need to discourage unknown senders. And hashcash is still a silly solution there, how about real cash?
Here's one way to do that. Whitelist not a sender, but a server. A server at a company that simply charges a few pennies to a few dollars to forward mail (you pick the level of unsolicited mail you want), or one that requires other hoops...
Much simpler, doesn't require new proprietary Microsoft technology, and allows all kinds of alternatives...
Uh, small problem: PROCESSORS ARE ALWAYS GETTING FASTER! If you create a problem that takes today's processors 10 seconds to solve, what happens when the all-new 20gHz processor comes out? If they keep the same "challenge" at this point, it is effectively negated. If you make it longer to compensate, then grandma's 300mHz system will now take about a day to send a single email. Either way, Microsoft loses.
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
The idea of "hash cash" postage isn't new, but I'm glad that Microsoft is getting interested, because - like it or not - there's exactly one company that can introduce a new de facto standard for email, and that company is Microsoft. It's easy to write new protocols, but without support built into Outlook, Exchange and Hotmail, any new standard is going to have a hard time catching on. However, it should be noted that Microsoft Research does a lot of work that doesn't end up being incorporated into Microsoft products.
People usually call or email because they want something. Some people won't leave a message, because they don';t want their wants known. Others won't talk to a machine, but either way they don't get what they want.
If they wanted to defeat spam even a little bit, this would be a free, mandatory upgrade to Exchange. They might even donate open source implementations to other clients and server.
Within a few months, after all the griping and bitching (or maybe not, if they actually fixed something)about mandatory patches, the problem would die.
Spam is about forcing things through open relays and gross scriptkiddyish hacks... what happens when my SMTP claims it already has performed the computation?
More so, there are some legit (needle in haystack) bulk mailers... the few technical mailing lists I'm signed on for shouldn't be made to invent a new non-email protocol.
And this totallu fails to focus on non-email spam. It will simply migrate to slashdot spam, to AIM spam...
This problem is a problem of human nature. Until little children who think its ok to sell things to others when there is no interest, are tortured nearly to death, we can't solve this.
Sell something real. You get to live in a better world, make money, and I'll come to you!
SPF solves the correct problem: mail spoofing.
Wasting CPU time of all senders isn't very helpful because spammers are already effectively using distributed computing. Legitimate people running large mailing lists (50,000 isn't unreasonable) would require much more hardware to operate. Take bugtraq for example. Should it have to take 3 days for everyone on the list to get an advisory?
This might be another good tool to use against spam. Like filtering based on content, black/white/grey listing, laws against spamming, etc. But all of these are of limited effectiveness if something is not done about the widespread spoofing of headers.
Widespread adoption of SPF will make all of these things much much more effective.
The basic idea of some kind of designated senders protocol came to me and when I did some research I found several proposals already. I'm conviced that it's the best solution to the spam problem. I'm implementing SPF in C and integrating it into qmail, postfix and sendmail. qmail is already working. There is another incomplete C implementation in the works called libspfquery. There is a perl implementation on CPAN already. If you hate spam please pay attention to this rfc draft and publish SPF info for your zones.
http://spf.pobox.com/
This is not how you fight spam, except if you have an I.Q. in the low 70s.
_NEVER_ _EVER_ _REPLY_ _TO_ _SPAM_
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
1. Headers can always be forged by whomever gets to write them. The implementation of a C/R mechanism by itself does nothing to eliminate header forgery; it's still up to the recipient to decide what kind of response to the challenge will result in e-mail delivery. Headers sent with each message are subject to manipulation by the sender, and you can usually only trust header lines added by your own server (if even that).
2. The client IP address is always known by the server, or it wouldn't be able to engage in an SMTP session over TCP/IP with the client, which may or may not be the spammer's own host (usually not). Adding a C/R system does nothing to reveal the spammer's real IP address; all it does is require someone to verify the authenticity of the original message.
Even when implemented "at the SMTP level" (meaning that the server will simply reject any message lacking the necessary credentials rather than deliver it to some higher-level user agent), there is no way a C/R system can obtain new information about the sender not already available without changing the SMTP protocol itself, something that requires cooperation from all sides involved. People keep asking for changes to SMTP, but I'm skeptical about any such efforts until someone tells me exactly what they want to change.
I have sent ISPs full message headers of spam and asked them to identify the actual sender, of course to no avail, even when the spammer has been one of their own customers. If they cite "corporate policy" to avoid disclosing even the real e-mail address of the sender, why should they be willing to provide that same piece of information automatically, as part of message delivery?
... i get to leech some of your processing power. sounds good to me. I could create a super computer simply by making sure heaps of spammers want to send email to me :)
Even better than burning cycles to calculate the answer to question that doesn't matter, why don't you force the sender to compute something useful, eg seti or one of the other distributed computing things around these days?
This might help the spammers restore the karma balance a little. On the one hand, they pissed a billion people off by sending unwanted email, but they were directly responsible for curing 3 types of cancer and discovering life on Pluto.
On a more serious note, how do you cater for the variations in computing power of computers around the place? A mail server doesn't normally require much cpu power, just network and io. What takes one server 10 seconds to calculate might take another 10 minutes.
Option 1: If an ISP is known to be a good ISP, and enforce "Penny Black" on all it's clients, then there is no need for any downstream server to impose a further penalty on the ISP server.
Option 2: Destination mail client always requests the originating computer to do the work. It's not performed by every computer the messgae passes through.
There are many ways of achieving these and similar requirements.
You know, spam control might be the killer application for so-called "trusted" computing (TCPA). Someone could develop a mail protocol that would only accept connections from clients that present a credential that comes from a TCPA app or a whitelisted peer. The TCPA app would only be willing to sign say 5 challenges/minute or whatever, so to send messages faster than that, you'd have to buy multiple PC's or (say if you're running a legitimate mailing list) get on the whitelists of the people you want to send mail to. With enough advertising, pretty soon most people might refuse to accept mail from any clients except for the damn Windows-dependent TCPA thing. Since unlike DRM, escaping spam is a very real benefit for actual users, that may make it far easier to foist off TCPA. Be very afraid.
One problem is that it's difficult to decide whether it's someone who challenged as a matter of course or because SpamAssassin or whatnot flagged it as needing extra care. Perhaps the challenge mails containing the SA results would make this known. I can't see any issues with that... if a spammer actually gets and reads the challenge mail, the challenge/response system is broken anyway.
That said, I get better results with SpamAssassin (with Bayesian filter) and a procmail filter that sends SA-tagged mail to a special folder, where mutt automatically tags for deletion (so one key, after scanning senders and subject lines, deletes the spam).
most effective when combined with something like SPF
True, but if the spammers have a hijacked machine, and is already using the address book, they might as well use the domain the hijackee's allowed to use (if there's another user from the same ISP in the address book, forging their name will slow down discovery).
You'd have to combine it with ISPs throttling individual users' sending permissions to have a hope of doing any good.
Domains are so throwaway that I'm not sure SPF will help all that much, though. I'm for it (or something like it), though.
Slashdot's token middle-aged housewife
Huh? Ok, here it goes...
First of all, a group of large, influential ISPs get together and decide to make their users do something irritating, like solving a puzzle or computing a hash, on the sending machine before it gets sent out by the ISPs mail gateway.
At the receiving gateway a machine could look for the solved puzzle, hash, token or whatever. The mail gateway could assign different modifies to an arbitrary but agreed on scale to indicate it's opinion on the goodness of that email.
For instance mail.***.net gets an email from a domain in Taiwan that it thinks it not a part of this proposed system. The email would get -1 Taiwan and a -1 Outsider modifiers. The administrator of the receiving gateway could either throw it in the bit bucket or bounce it back. Maybe something that is really annoying to the originator's ISP, who knows.
Let's say that mail.***.net gets an email from a domain that it thinks is part of the system. The email might be assigned a +1 Insider and a +1 Not above 200KB modifier. It could then be passed on to the user without futher delay.
If the end recipient, using Bayesian or whatever other filtering system thinks that the email is spam, it could then tell the receiving gateway. If the receiving gateway got enough of this it could then start assigning a -1 Jackass, -10 Ralsky, or whatever other modifier to the sending domain's reputation.
Basically, in order to participate with the least hassle, a domain would have to be known, participate in the system and behave itself. The system would accept email from outsiders, but extract a price. If implementing the system isn't too much of a pain, good admins everywhere will jump at it. Unknown servers, good or bad, will have a hard time, but they won't be totally shut out.
Obviously servers get hijacked or unfairly labled as spammers. If an automatic decay over time is applied to good reputations and bad reputations problems will slowly correct themselves. Those that can't wait could talk to a trusted third partywhich could then be automatically asked by mail gateways about their opinion.
For example, Jim Bob's Bait & Computer Consulting has their own DSL mail server that gets hijacked by a spammer. All of a sudden bunches of their emails are being bounced back and their mail gateway's reputation is in the toilet. Let's say they fix the rogue email issue, but that still leaves them with a problem. The administrator of Jim Bob's Bait could call up another trusted party, Spamhaus or a paid arbitrator, and tell them what happened. The arbitrator could set a + 1 Contrite flag on a public list that could be consulted periodically by mail gateways. This would speed up overcoming a bad reputation.
Quite obviously I am not a much of a programmer and am light on the details, the core of this solution is not mine. But this solution could avoide some of the major objections of other plans.
First, it could be implemented without government intervention and could start out relatively small. Second, it doesn't require any physical changes to the internet. Second it is somewhat self correcting. Third, and perhaps most important, it motivates sending mail gateways to ride close herd on their senders but allows those that don't to still halfway function.
This systems still leaves a lot of useless bits coming down the major backbones, but it's a start.
Ok, what do you all think?
Why do I have this? I don't smoke.
This
Yes, I can count, especially when I'm not tired. Sorry.
First, it could be implemented without government intervention and could start out relatively small. Second, it doesn't require any physical changes to the internet. Second it is somewhat self correcting. Third, and perhaps most important, it motivates sending mail gateways to ride close herd on their senders but allows those that don't to still halfway function.
Why do I have this? I don't smoke.
> > ...and they would just trash it...
>
> Isn't that what the spammers say? "If you don't
> want it, just delete it. What's the big deal?"
> The big deal is that about a quarter of my email is
> bogus bounces and useless "confirmation" message
> from systems such as yours.
Oh come on, think a little.
If this system were common, your email client would only bother you with confirmation requests that originated from people you recently emailed.
Free Gamer - Free games list and commentary
Rather than sending those 10 seconds to a meaningless cause, we could all be running distributed computing clients, helping whatever cause we want. Perhaps you recieve a token for every 10 minutes of background work you do, which allows you to send one email.
Domains are so throwaway that I'm not sure SPF will help all that much, though. I'm for it (or something like it), though.
I agree -- SPF won't magically stop all spam (not that it was really intended to). I'm mainly interested in it because it will stop spammers from forging mail that looks like it's from MY domain...
This won't kill mailinglists, as these can easily be whitelisted (simply trusted, you trust their digital signature).
This will make a difference when you mail someone who doesn't know you. Does it seem so unrealistic that you (your computer) make an effort to show you really are serious? "Wow, he spent 10 minutes calculating this really hard stuff just so he could email me." (How about doing it while you're typing it up? Unless the solving also needs the finished mail for signing in the process.)
See, once he knows you (got your sig), all you need is to sign your mails and voila they get through (whitelisting).
I like the dial-back idea. It is very similar to what I was thinking about.
We could make SMTP V2, which is backward compatible with good old SMTP. At some time in the future sysadmins could disable the SMTP compatibility.
SMTP V2 would ask for the headers and then disconnect. "Dial-back" the sending MTA using the IP address in the TCP packets (stop the IP spoofing) and do a sender email verification (which spam-bots will fake, but...) and then request the body of the message.
The amount of time between initial contact and dial-back can be configured by the local sysadmin. For white-listed email addresses the dial-back could happen right away.
For unknown addresses you could configure it, say 1 minute. Or even send the headers on to the receiver address and let them decide. That would require email client software to have some minor rewrites...
For blacklisted addresses, never dial back. Local sysadmin could configure his MTA to dump the headers for blacklisted emails or even allow them through to the receiver address "just in case". These headers would be marked as suspected spam so spam filters would pick them up and route them correctly.
All of this, with the exception of "headers only, let the user decide" could be done with only a new SMTP standard and rewrite of MTAs. No client software would have to be changed, which really helps with distribution of a new standard.
Spambots will be rewritten to take all this into account, but at least there won't be any IP addr spoofing. If ISPs would make their customers fix their virus infected Windows boxes this would also go away to a large degree. Having the IP address of the spambot would help with that issue.
Knowing should of course mean having the digital signature.
So, sure it may still be possible, but only through weak crypto or flawed implementation.
I suppose this will be their dose of "innovation" for the year.
... into money. Need more CPU --- install a Linux cluster to send E-mails. Turing test? Set up a sweatshop. Yes, it will cut down on the amount of spam but won't eliminate it. It will be more expensive to mass E-mail, but more worth it: if you only get, say, 4 unsolicited messages per day you may even read them before deleting.
In the end it will mostly hurt the legitimate mailing lists. They will have to institute membership fees.
The net result: the end user will pay. So why not stick to end-user filtering?
Explain to me what this is.
A technique that doesn't work if your goal is to authenticate the recpient all the way back to the source, rather than just verify that the sending machine is a real hostname.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
You can't throw spammers in jail until you can get a fair definition that seperates spam from non-malicious unsolicted e-mail. (ALL e-mail is unsolicited. The recipient doesn't know you are about to send the message, therefore it's unsolicited, even if it's a good friend that wouldn't mind getting mail from you.)
(And your spamhous list only proves that *some* spammers are known. Finding some spammers is not equivilent to spammers being unable to be anonymous. Some are less anonymous than others, and become known because of it.)
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
could someone please mod the parent post up. it deserves a +5 for the link, imho.
thanks
We have used a technique very similar to this in the anonymous communication network we are writing.
Our design helps to protect against both Sybil attacks and flooding, and works rather well against collusion (better than Penny Black).
Note that if you're going to do this, you may as well throw away the entire existing email infrastructure - so we have. Psuedonymous strongly encrypted and signed mail using a web of trust key authentication model (partially hybridised with some pre-trusted keys acting as semi-CAs), extremely rapid delivery, limited distributed storage per nym.
Yes, the downside is that mass-mailing of any kind is impossible. Mailing lists with this system are not practical at all. Neither is spam.
We definitely consider that desirable, as mailing lists are an evil hack we don't need, trying to force private email into being a distribution medium.
We have a much better distributed system already in place for that mode of communication; it far more closely resembles Usenet.
Applying any of this stuff to the existing email infrastructure is in my view a tremendous waste of time, as it requires sender and recipient support - both are rather unlikely, unless completely integrated and as widely deployed as the underlying tech; people have enough trouble using OpenPGP.
it will stop spammers from forging mail that looks like it's from MY domain
Yea verily. And will (hopefully) stop rejections from people who complain that mail can't possibly be legitimate if it comes from a secondary domain on the same IP address.
Slashdot's token middle-aged housewife
And then I throw my OpenMOSIX cluster of 100 cheap 486/P1 computers at it, and that 8.000/day goes to what? 800.000? No biggie.
And if they think that in order to work every one of these computers will have to run Windows, they've gotta be kidding themselves (no idea if they do, but from their other "innovations," I'd bet that it will).
I'll just stick with my Baysean spam filtering, thank you. (I only get maybe 1 false positive a week, and the majority of those are just legitimate commercial email that could easily be taken as spam).
from their FAQ:
14. Can I use Spam Interceptor with Hotmail?
No. Hotmail is a spam machine and we don't want all that spam coming through our servers. Sorry.
These guys (Spam Interceptor) really are class A tools. Hotmail is not a "spam machine" - they just trust the From: implicitly, despite the fact that almost all spam has forged From: addresses.
Please, Spam Interceptor, show me an example of a spam that *really* came from Hotmail. I dare you.
I've seen this behaviour with people who don't know much about the 'net, but never a project that believes something like this (ok - maybe MailWasher too, dicks).
Just goes to show - there are people out there who will prey on anyone's incorrect beliefs in order to make money.
Since SMTP severs began requiring authentication (several years ago)
Huh? What are you talking about. The only thing that happened was that now most servers are not open relays. Only allowing your IP range being able to send mail is hardly authentication.
If you are talking about some authentication method like pop before smtp, you are not talking about most of the world. You are not even talking about a good deal of it - pop before smtp is only really useful for roaming clients dialing in from some other ISP or connection which is not normally allowed to relay through your server. 9 times out of ten they could just send through the server that did accept mail from that IP range. I never really got the great thing behind pop before smtp, except people who can't configure their mail client to send through a different SMTP server depending on who they are connected with.
Unlike this and some other techniques S/MIME is 1)widely available, 2)proven and 3)adds value instead of wasting money or cycles.
Widespread use of S/MIME would help to seriously cut on spam without re-inventing a wheel.
This has to be the goofiest idea Microsoft has ever come up with. Only a company with monopoly-type power could even consider implementing such an ineffective and wasteful scheme.
Ultimately it comes down to something similar in nature to a whitelist, but automatically defeatable at the expense of time, bandwidth and cpu resources. I don't see how this would thwart any spammers as they basically steal these resources from third parties, so this boneheaded scheme would only penalize innocent networks. So spam propagates a little slower? You can slow down spamming a lot faster by locking a few of these sleazebags in jail and not cause every network in the world to have to boost their resources.
I keep saying, the real solution to this problem is incredibly simple: a sanctioned smtp relay whitelist. Unlike Microsoft's crazy idea which would require a complete overhaul of the smtp system, a sanctioned whitelist could be implemented very easily with the existing systems in place.
It's funny that MS's idea is to mimmick the postal service in some form, but my idea of an smtp whitelist is more analogous. The USPS won't deliver to any arbitrary address. It has to be recognized and registered. As opposed to the analogy involving MS's idea where a postman would simply ask someone at a new address a goofy trivia question they'd have to answer before being able to accept mail.
IMO, there are certain universal truths that need to be taken into account when we address this problem:
1. The pay-per-email model, in any form cannot and will not work. It doesn't matter whether it's Cringely's idea of charging cyber postage, or MS's idea of offloading the burden to mail relays. Nobody is going to sign up.
If anyone managed to actually get an effective pay-per-postage e-mail model, it would end up being an smtp relay whitelist!
2. All recipient authentication models eventually gravitate towards the concept of a whitelist. Why beat around the bush? Let's call a spade a spade and work on models that directly address the issue of creating an authoritative method of controlling the smtp WAN.
3. The spam problem is not about e-mail or the content of e-mail messages; it's not about people getting mail they didn't ask for. The real problem with the spam epidemic has to do with theft and unauthorized exploitation of third-party resources. In most cases these are criminal offenses, that the authorities have not been able to deal with properly.
So the idea of implementing more elaborate hardware or software to thwart spam is meaningless. Why force those that are already suffering reduced bandwidth and resources to endure even more for a system that WILL NOT WORK?
There are two essential ways to solve the spam problem:
1. Beef up enforcement and prosecution of the crimes involved in spamming, and work on getting cooperation and consistency in policy among all the various nations online.
2. Implement a voluntary smtp whitelist where mail servers register and agree to adhere to certain ethical standards. Let networks choose if they wish to take advantage of the smtp whitelist.
Problem solved.
an easy way, that would be backwards compatible, would be to have the server do a sleep(3) after recieving the from and rcpt commands, just before accepting the data command.
by simply reducing the speed that the mail server interfaces with it's clients and peers, we can make a delay that affects mass mailings, but has little effect on normal email usage.
What? Me? Worry?
Interestingly if this were implemented, Hotmail would see less spam BUT would need a lot more processing power to SEND e-mails!
But a group of researchers at Microsoft think they may have come up with a solution that could, at least, slow down and deter the spammers.
Actually no, this is not anything like "original research" on the part of Microsoft. This is an often discussed and well-known concept that Microsoft are investigating the practicalities of comercialising. The Project Page on Microsoft even cites several references to earlier work by (gasp!) non-Microsoft "researchers".
But, for some reason, The BEEB manages to miss those facts entirely.
Visit CryptoGnome in his home.
Spammer using linux will just use 10 machines and do a email every 1 sec or more. Effect will be nil.
Spam shields are far more effective. By removing spam will stop more. Basicly email servers have to support spam removal.
Now it take 10 secs but in 2 years it will take 5 or less. So the spammer will be back. Spam hunting and http blocking click though from spam and removal of email messages be able to directly link to web sites. All these features stop Spams from getting money. Final one is to pass law making spaming classed as drug selling ie you get caught you lose everything.
Spam is a double sided thing spams need to get click tos or read confermation or they don't get payed. A non payed spammer will find something else to do.
Now with spammer using viruses to relay spam they will just get more ralay machines to make up for the delay.
This won't work. The spammers will just offload the computation tasks to their trojaned Windows systems, creating a huge distributed computing network that can send mail at any rate they like.
Now they are using them as open proxies, and most likely they already have the capability to download new software to them. Just download the 10-second computation code to your one million compromised systems and you can still send 100.000 signed e-mails per second.
However, there would be a load on the server handling the mailing list, as in the case of a client/server system like SMTP, when you make a connection, you're acting as a client. In a 'typical' mail setup these days, sending to a mailing list, when you're not reading mail local to the server:
- The sender generates the message on their local system, and sends it to their local outbound SMTP relay.
- The local outbound SMTP relay delivers the message to the MX for the mailing list.
- The list server multiplexes the messages, and delivers a copy of the message to the associated MX for each list recipient
- The recipient pulls the message down from their local server
So, in this, we have three SMTP transfers, and the last connection is IMAP, POP, or whatever. The mailing list has overhead, as they have to perform the check each time they have a new mail server to send to. Therefore, the issue isn't linked to the number of new messages pumped through, but to the number of new signups on the list. So long as the list server sends out a 'welcome' message, the load is spread out with the new signups, not a sudden hit of a message going out after a hundred new signups.And with a good confirmation system, that would happen spread out with the list subscription, not when the list is sending the message. So, it's not a real issue, but the list server does originate the transfer at one stage in the message path.
Build it, and they will come^Hplain.
Count on Microsoft's "cure" to be worse than the disease itself. You would think for $40 billion they could buy just a little more intelligence than that.
SMTP needs to be redesigned. Not by Microsoft.
I don't follow your argument. First you say that Microsoft should be researching a better solution to the spam problem, namely a better SMTP - and then you say that Microsoft should not be researching a better SMTP?!
Please, enlighten me - what should Microsoft be researching?
Ok, now that I read this and went back to your first post, I see how I misconstrued your comment.
Now I get to debate whether it's fair to classify both entire corporations as "benign, lumbering giants" :-). And in fact a similar discussion applies, in that AT&T was a monopolistic giant that has been felled, while IBM was a monopolistic giant that has IMHO been transformed. It's still huge, sure, but it's far from lumbering and the implication (in my interpretation) of benign as minimizing its impact does not apply. You may have had a different meaning in mind. I certainly disagree with that characterization of IBM in its present form.
Mencken had it right. So glad that's old news.
A lot of spam filters already work this way. If you're not in a whitelist of genuine emailers, you get a verification email back for *any* email you send out. If you verify yourself one time, it'll add you to the whitelist for that recipient, and accept emails that appear to come from your address. Though I haven't heard of anyone pairing it with other spam filtering software, and only verifying spam that tripped a threshold.
The biggest problem with this (that I've experienced) is that when such users participate on discussion lists, anyone who posts to the list gets a pile of emails back requesting action on the sender's part.
It also makes it hard or impossible to receive auto-generated emails that the recipient actually wants. Simple examples: order confirmation or email validation. Plus, if the sending side uses such a technique, the validation request email from the recipient might never get received (another auto-generated email). This is true of other error messages also. Both sides could then blindly email each other, not receive any error messages, and thinking their email is getting through when it is not.
Slay a dragon... over lunch!
To me option 2 sounds better than option 1 - simply because it is very hard to be sure you don't give your services to a spammer (operating with false identities etc.)
What happens when Slashdot runs an article linking to a New York Times story and 50,000 people all sign up for the free registration? We all have to wait 24 hours before the computer can manage to send the emails out?
Ugh. DDOS galore.
as far as i can tell this solution requires the recipient to also perform the same computation. if this assumption is incorrect please let me know. if it is correct, then this solution is as stupid as other have suggested. What is to stop a spammer from just attaching fake headers to their email? if it is just some sort of hash, then a simple random number generator could be used to generate fake headers that you'll have to waste time just figuring out that they're fake... (this is a common attack wrt to other security systems). the spam gets through to those not using the new system, and frustrates those that are until they quit.
Which then turns the issue into who maintains the whitelist? (Has to be done on the inbound mailserver to be used in combination with Penny Black or HashCash.)
Some issues:
- Reliably identifying senders when SMTP is easily forged
- How do senders get added to the whitelist?
- Rogue user X is secretly on the payroll of a spammer and adds the spammer to the whitelist
- User A says that sender S is okay, user B says that sender S is a spammer
There are some underlying problems (mostly related to forgery) that would need to be corrected first.
Wolde you bothe eate your cake, and have your cake?
Boy, that filter sure is a dog eh!
Eclectic beats from Leeds, UK
handmadehands.co.uk
Well, that's what I meant, anyway. What I should have put is 96% spam. Oops
Once bitten, twice shy. By my calculations, the computing public should be about sixteen billion times shy of technology pioneered by Microsoft.
Got time? Spend some of it coding or testing
"Intensive purposes" are porposes that require a great deal of focus (like midget arm-wrestling). What you meant was "for all intents and purposes" and in fact it was originally "to all intents and purposes".
Got time? Spend some of it coding or testing
...when my Mom's computer has a zombie on it? Poor old mom just wants to send email to her family. She doesn't know some dirty spammer has hijacked her computer. Now every customer of her ISP gets cut off for a week or more? Or even if the ISP was responsible, and cut her off.. Can you imagine the volume of tech support calls for people that get their internet service cut off for something "they didn't do" ?
Health is simply dying at the slowest rate possible.
I am not a CS grad. So someone out there explain why this company hasn't "solved" the problem yet? Is it really that good as they say? http://www.titankey.com/productInfo/whitepapers/wp EndSpam.pdf
I have only managed a couple of mail servers in my life, so perhaps you have more info on this topic than I. The way I understand it, the majority of the mail servers out there do both send from specified IP range AND an authentication method such as POP before SMTP or actual authentication in your SMTP software. Within your IP range, you have a decent amount of control and if someone in your building is running a spam server, you can walk over there and shut it down (and fire him). My point was that we are not talking about most of the world complying. This is the reason spam exists. The servers are not hard to find. The point of limiting the access is that even though I may pass the spam along, _my_ server woln't be the one that allowed the spammer spam.