Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Researching Anti-Spam Technique

Posted by michael on from the penny-for-your-thoughts dept.

Tim C writes "Microsoft's Research group are working on a technique to combat spam. Dubbed the 'Penny Black project', it involves making email senders perform a computation taking around 10 seconds, which their recipients can then check for. This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years." We've reported on this before.

14 of 660 comments (clear)

  1. Oh yeah they invented this... by tomstdenis · · Score: 5, Insightful

    Well actually yeah they did. At Crypto'03 a method for memory bound HC was presented.

    So while MSFT didn't invent the original HashCash concept MSFT did improve upon it. So before anyone gets the bright idea of flaming MSFT ignorantly.... know your facts!

    Tom

    --
    Someday, I'll have a real sig.
  2. Re:not a solution by notque · · Score: 4, Insightful

    This is not a solution... as *I* still have to check for something on my end, and then discard if that condition is not met... my bandwidth and time are still wasted.

    Whine!

    It may not be the end all be all solution, but obviously we haven't found that yet. This seems like a pretty good solution for the moment. There may be a better one that comes out, making this one null and void, but we are continuing to find ideas which are a little better than the last.

    How can that be a bad thing?

    --
    http://use.perl.org
  3. Spammers don't use their own computers by UnderAttack · · Score: 4, Insightful

    Even today, the most annoying spammers are not using their own computers, but insteady they are bouncing e-mail off virus infected and trojaned PCs.

    So 8,000 emails / day is fine, if you have a couple thousands relays to pick from.

    --
    ---- join dshield.org Distributed Intrusion Detec
  4. This not only isn't going to work, it's a disaster by FreeUser · · Score: 5, Insightful

    Count on Microsoft's "cure" to be worse than the disease itself. You would think for $40 billion they could buy just a little more intelligence than that.

    SMTP needs to be redesigned. Not by Microsoft, who will use any change in the protocol to tighten their monopoly grip, locking in their customers (and locking out the non-Microsoft world), but by the IETF.

    Spammers having to do a computation before delivering email isn't going to limit them to 8000 pieces of mail a day, it simply means they're going to cluster all of those Windoze boxes their custom worms have infected, and let those millions of PCs do the work for them in parallel. SPAM won't decrease one bit, but the load and toll it places on those who use the net will go up significantly.

    The solution isn't to increase the cost of email (computationally, bandwidth-wise, or financial), the solution is to repair the design flaws in SMTP (and, for that matter, USENET, something that remains the most useful medium on the 'net despite its widespread abuse) that make SPAM a viable methodology.

    --
    The Future of Human Evolution: Autonomy
  5. Okay.. by NegativeK · · Score: 5, Insightful

    If this works as stated, then I can see issues.. For instance, large mailing lists. Would they have to be white-listed? 3000 seconds of computation is a heavy tax on a community based program like the Linux Kernel Mailing List, which averages 300 messages to my inbox a day. Also, there's the issue of viral spammers.. Those that send out viruses to do the spamming for them. If you infect enough, 8000 mails per day per computer can still be quite a bit.

    Personally, my whole take on spam is that everything needs to be done on the user end. Laws have loopholes in every situation (foreign spammers being a large one,) server restrictions are either too restrictive on small servers, or can be defeated with distributed computing.. I say we stick with Bayesian filtering. It works _wonders_ for me, and I'd love to see more people use it.

    --
    This statement is false.
  6. Re:not a solution by walt-sjc · · Score: 4, Insightful

    Um, maybe you don't realize what spammers have been doing lately. They use huge networks of compromized machines to spam FOR them (thank you MS and your wonderful security model). There is plenty of horsepower out there to handle any kind of HC type system. The bottom line is that spammers ALREADY have the resources to make a HC system useless.

  7. Uhm by geeveees · · Score: 4, Insightful

    If it takes a long time to send out bulk email, what about all the mailinglists people subscribe to? How would lkml or sourceforge lists continue to operate?

    --
    I am a viral sig. Please help me spread.
  8. Limiting technology? by dybdahl · · Score: 4, Insightful

    This seems to be a "let's fix this by limiting what technology can do" case.

    Instead, they should focus on adding more functionality to the smtp protocol. For instance, they could add sender e-mail address verification. You can't check the actual e-mail address, but you can make a "dial-back" TCP connection to check, if the e-mail is known by the mail-server that belongs to the sender e-mail address.

    Combined with law enforcement, blacklists etc., this is extremely effective.

  9. What they fail to mention... by KC7GR · · Score: 4, Insightful

    Something that the Redmond Empire conveniently neglects to mention is that an awful lot of the spam is due to virus-compromised systems running -- you guessed it -- Microsoft Windows! I've lost count of the number of broadband IP ranges, notably from Shaw Cable and Comcast, that I've had to dump into our domain's local 'Reject' list thanks to their endless attempts to propagate Swen, SoBig, or whatever the latest spammer-zombie trojan is.

    Perhaps, if Steve 'Uncle Fester' Ballmer and his cronies had paid more attention to basic security to begin with, or had taken the trouble to actually try and educate their customers about the most basic computing security steps, there wouldn't be such a huge problem now.

    This 'Penny Black' nonsense looks like nothing more than a means for them to make money off a mess that they created in the first place.

    --

    Bruce Lane, KC7GR,

    Blue Feather Technologies

  10. Re:Question... by MegaHamsterX · · Score: 4, Insightful

    With that question, I thought of another one....

    If this is so computationally expensive, what would happen to the mailserver if I sent...oh half a million emails with bad keys in them.

  11. Re:what's your point? by penguin7of9 · · Score: 4, Insightful

    How is me pointing out that the article speaks of a published paper insult MSR?

    It's patronizing. MSR doesn't have just one journal publication to their credit, they have had a sustained output of quality publications over years. There shouldn't be any question in anybody's mind whether MSR is an innovative and high-quality research lab: it clearly is. They are among the top-rated research labs in computer science, both in general and in specific areas.

    I was hoping to FP to dispel the people who are naturally going to post out how MSFT is not innovative.

    What you are missing is that whether MSR publishes nice papers or not has nothing to do with whether Microsoft "is innovative", i.e., whether the company produces innovative products. MSR is innovative, but Microsoft products are not. That disconnect is common among large companies and their research labs.

    You seem to be agreeing with me while arguing against my post!!!

    You are engaging in the usual confusion between research labs and corporate products. The only thing I can't tell is whether it's out of ignorance or whether you are doing it deliberately (PR departments often like to use releases about interesting research results to cover up inadequacies in a company's product line).

  12. Re:not a solution by schon · · Score: 4, Insightful

    No, it *is* a solution...

    No, it isn't. Three years ago it might have been a solution, but right now, it's just a colossal waste of time.

    The problem with this is that it operates on the assumtion that spammers work within the same boundaries as everyone else. Anyone who has spent even a tiny fraction of their time fighting spam knows this is simply not true.

    The days of spammers sending spam from a single server are long gone - nowadays, they use thousands of trojaned machines to do their work. How many machines do spammers control? Enough to launch effective DDoS'es on some of the largest pipes out there.

    The effectiveness of this 'solution' would be marginal at best.

    Now compare the effect it would have on legitimate users - an individual sending mail wouldn't notice 10 seconds.. but email is not only used by individuals.

    Something to keep in mind when assessing any anti-spam 'solution' such as this is the following:

    From a receiver's standpoint, the only difference between a legitimate mailing list and a spammer is that the user asked to be part of a mailing list.

    Now think about how this would affect legitimate mailing lists: How many mail servers do most mailing lists have? One? Two? Six? Some large mailing lists might have a dozen.

    So how does this affect those mailing lists?

    It would shut them down, is how. They would cease to be useful, as it would take days for their mails to get through.

    So the 'obvious' solution to this problem would be to whitelist legitimate mailing lists, right? Wrong. That's not a solution either (and we'll ignore the point that any 'solution' that requires exceptions is probably not very well thought out.)

    I maintian a mail server for a few thousand people. I have no idea which mailing lists they would subscribe to. It would probably become a full-time job to keep such a whitelist up to date. (And most users wouldn't have any idea to notify me in the first place - so the end effect is that they would subscribe, and then bitch about how they're not getting the stuff they signed up for.)

    This 'solution' does not solve anything, and will create more and worse problems than it attempts to solve.

  13. Re:not a solution by Fjornir · · Score: 4, Insightful
    Sir,

    The idea is not to save you fifty-seconds of time by deleting your spam. That's a fringe benefit. The idea is to stop spam by making it harder and more expensive to do so. If we can up the price and difficulty to a certain point spam will no longer be a viable marketting technique.

    You're missing no voodoo magic whatsoever, I think you've simply failed to think this through in its entirety. You claim you're sending 50 emails a day. In all likelihood most of these emails are not first-contact emails which would require a crypto challenge, but are in fact addressed to an established-contact which doesn't challenge you.

    But for the sake of argument lets say all 50 of these emails are first contact. Dandy. Lets look at how this goes. You write the first letter, and proofread it, and click send. Your system does not immediately lock for ten seconds. Instead your message goes into your outgoing message queue. While you are writing and proofreading your next message the system is busily computing the hash for the previous message.

    Let's suppose even further that you type uncommonly fast, require not proofreading, and get all 50 of the messages into your outbox. You take a deep breath, run to the bathroom or for a refill on your coffee, or whatever -- guess whats happening while you're afk?

    --
    I want a new world. I think this one is broken.
  14. Re:Proposed "Sender do Something" technique. by John+Hasler · · Score: 5, Insightful

    > The email is sent and the server runs it through
    > the scoring process. If the message scores more
    > than 6/10 the server sends the sender an
    > authentication message, asking to validate the
    > email.

    So you are one of those resposible for bomabarding me with those damn things.

    > This would require spammers to manually
    > intervene and waste tons of their time. if they
    > forged the sender email...

    They always do. My domain is a favorite.

    > ...their email would go to someone else's
    > email...

    Yes. Mine.

    > ...and they would just trash it...

    Isn't that what the spammers say? "If you don't want it, just delete it. What's the big deal?"
    The big deal is that about a quarter of my email is bogus bounces and useless "confirmation" message from systems such as yours.

    _NEVER_ _REPLY_ _TO_ _SPAM_

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.