Slashdot Mirror


Microsoft Researching Anti-Spam Technique

Tim C writes "Microsoft's Research group are working on a technique to combat spam. Dubbed the 'Penny Black project', it involves making email senders perform a computation taking around 10 seconds, which their recipients can then check for. This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years." We've reported on this before.

6 of 660 comments

  1. Re:Question... by tomstdenis · Score: 4, Informative

    The technique is on page 426 of Advances in Cryptology -- Crypto 2003 [LLNCS2729].

    Not exactly a monopoly here as anyone else can implement it.

    Tom

    --
    Someday, I'll have a real sig.
  2. Re:10 seconds by tomstdenis · Score: 4, Informative

    Mod parent down [-1,unsightful]

    The research this is based on [presented at crypto'03] is designed to level the difference between a P4-3000 and a P2-233. They use problems where cache hits will be lower [e.g. use an 8MB buffer or something] so you end up computing at the speed of your memory bus.

    If you had done some research before posting your crap you'd know this.

    Tom

    --
    Someday, I'll have a real sig.
  3. How about my old hardware? by bigberk · Score: 3, Informative

    How is my older hardware (or even pretty recent hardware on a huge ISP, with lots of SMTP activity) supposed to be able to handle this? Bah. It seems to me that adding computational difficulty is not such a great way to combat spam. Do you have any idea how effective IP blocklists and statistical filters alone are? (Or, you could combine them as this project is doing).

  4. Re:Proposed "Sender do Something" technique. by hashinclude · Score: 3, Informative

    While this seems useful at first glance (at least open relays would stop working), how does your technique address these issues:

    1. Clueless admins (of windows or *nix servers) who refuse to use SA or similar? These are the same who leave the mail servers as open relays in the first place.

    2. People who use their own SMTP server

    Sure, go ahead and say that you can add reverse domain lookups. But registering a domain is quite cheap these days ($4.95 a year) and point the NS to your machine, set up MX records, and you're on your way.

    Your solution is useful, but not comprehensive. I doubt there is a comprehensive solution short of making the spammers incapable of accessing the internet.

    --
    Clueless People? Everywhere I look, I see them. And some of them, they WORK here!

    --
    US is now divided as the "Red" and "blue" states. Red States = communist countries. Coincidence? I think not
  5. Re:Question... by the_mad_poster · Score: 4, Informative

    Calm down, killer. Microsoft's not THAT smart.

    It Is Not A Big Secret

    At worst, I suppose Microsoft could make its own scheme and try to push other people out, but I doubt that there are enough Microsoft MTAs out there to make that sort of system survive. If they implemented it for Microsoft-only, they'd almost have to give the option to revert to a traditional white-list when the sender can't play Microsoft's Holy Encryption Puzzle. After all, if you send someone an e-mail and Outlook Express won't give it to them, just tell them that - Outlook Express won't let you look at it. I sent it, sorry. The problem is clearly on your end, call support for help.

    Microsoft HATES support costs and one thing you don't do on Windows is screw with grandma's emails.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  6. Re:Textbook case of over-engineering by DunbarTheInept · Score: 3, Informative

    It's about more than just sleeping a while. The problem with a "sleep" solution is that the sender can still queue up messages to send out elsewhere while waiting for the sleep confirmation messages to come back from the first messages sent, like so:

    Thread 1:
    for x goes from 1 to 100000, send message number X to a server somewhere.

    Thread 2:
    In a loop, respond to any 10 second sleep requests that came back from servers being talked to by thread 1.

    Thus, the overall additional cost to the spammer is NOT 10 seconds per message, but 10 seconds overall for the whole batch of messages. Not a big deal, really. (The server-side sleeping solution only works for the case where the spammer is talking to a small list of e-mail servers. So long as the spammer is sending 10,000 messages to 10,000 different SMTP servers, each one can sleep 10 seconds and it won't delay the spammer much overall, provided the spamming program is smart enough to start in on the next message before waiting for a reply from the first.)

    What Microsoft's solution does is make the sender pay a resource cost that is more significant than just sleeping a few seconds (which costs almost nothing), so that a long delay is guaranteed. (It also makes it impossible to lie and fake out the message - because it has to be an answer to the math question asked by the recipient's server, and until you see that question, the sending program doesn't know what fake thing to put into the header.)

    The idea is sound, so long as the algorithm is well published (not used by MS as a monopoly-enhancer like they usually do), and it's not possible to devise a question which is deliberately problematic for the program to solve. (If there exists a special case of a question to ask the sender which isn't solvable in reasonable time, then a malicious site could set things up so that when you try to send mail to that site your own mail server gets stuck trying to solve an impossible math problem and can't continue.)

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
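
The challenge-and-answer flow described in comment 6, as an added example that is not part of the thread and is not Microsoft's scheme: the recipient issues a one-time question, the sender pays the cost, and verification is one hash. It assumes a SHA-256 partial-preimage puzzle as a CPU-bound stand-in for the memory-bound function mentioned in comment 2; `Recipient`, `solve`, `SENDER_MAX_BITS` and the addresses are hypothetical names and constructed values.

```python
import hashlib
import os

SENDER_MAX_BITS = 20   # assumed sender policy: refuse puzzles harder than this

def zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def puzzle_hash(challenge: bytes, sender: str, rcpt: str, counter: int) -> bytes:
    h = hashlib.sha256()
    for field in (challenge, sender.encode(), rcpt.encode(), str(counter).encode()):
        h.update(len(field).to_bytes(4, "big") + field)   # length-prefix each field
    return h.digest()

class Recipient:
    """Receiving server: issues one-time questions and checks the answers."""
    def __init__(self, bits: int):
        self.bits = bits
        self.outstanding = set()

    def issue(self) -> bytes:
        challenge = os.urandom(16)       # unpredictable, so nothing can be precomputed
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, sender: str, rcpt: str, counter: int) -> bool:
        if challenge not in self.outstanding:
            return False                 # never issued, or already answered
        ok = zero_bits(puzzle_hash(challenge, sender, rcpt, counter)) >= self.bits
        if ok:
            self.outstanding.discard(challenge)   # one accepted answer per question
        return ok

def solve(challenge: bytes, sender: str, rcpt: str, bits: int) -> int:
    """Sending side: brute-force a counter, about 2**bits hashes on average."""
    if bits > SENDER_MAX_BITS:
        raise ValueError("difficulty above the sender's cap; refusing to solve")
    counter = 0
    while zero_bits(puzzle_hash(challenge, sender, rcpt, counter)) < bits:
        counter += 1
    return counter

def demo():
    server = Recipient(bits=12)          # constructed demo difficulty, not ~10 seconds
    c = server.issue()
    n = solve(c, "alice@example.org", "bob@example.net", server.bits)
    first = server.verify(c, "alice@example.org", "bob@example.net", n)
    replay = server.verify(c, "alice@example.org", "bob@example.net", n)
    return first, replay

if __name__ == "__main__":
    print(demo())
```

The cap in `solve` addresses the caveat at the end of comment 6: because the difficulty is an explicit parameter, a sending server can decline a question that would tie it up instead of attempting it.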