Slashdot Mirror


Microsoft Researching Anti-Spam Technique

Tim C writes "Microsoft's Research group are working on a technique to combat spam. Dubbed the 'Penny Black project', it involves making email senders perform a computation taking around 10 seconds, which their recipients can then check for. This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years." We've reported on this before.

9 of 660 comments

  1. I RTFA, but what exactly is it? by monadicIO · · Score: 4, Interesting

    Is it something that will require using Outlook on Windows to work? Alternatively, will I be forced to use some MS software just to send mail to people who are using MS based web/mail/etc client/server programs?

    --

    The law of excluded middle : Either I'm foo or I'm foobar

  2. Involves calculating hashes by baseinfinity · · Score: 5, Interesting

    We studied this in a computer security course I took. This technique has been proposed to TCP establishment as well. It involves the server calculating a hash of a particular nonce (random value). The server then provides the hash and a certain number of bits of the nonce. It becomes the client's job to complete the nonce such that the value hashes out correctly. The server can vary the number of bits it provides to vary the difficulty of the puzzle...
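
The puzzle described in the comment above, as an added sketch that is not part of the original thread and is not Microsoft's Penny Black code. SHA-256, the 64-bit nonce and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_BYTES = 8  # assumed nonce size for this sketch


def _h(value: int) -> bytes:
    """Hash a nonce value (SHA-256 is an assumption; the comment names no hash)."""
    return hashlib.sha256(value.to_bytes(NONCE_BYTES, "big")).digest()


def make_puzzle(hidden_bits: int):
    """Server: pick a random nonce; publish its hash plus all but the low `hidden_bits` bits."""
    if not 0 <= hidden_bits <= NONCE_BYTES * 8:
        raise ValueError("hidden_bits out of range")
    nonce = secrets.randbits(NONCE_BYTES * 8)
    puzzle = {"digest": _h(nonce), "prefix": nonce >> hidden_bits, "hidden_bits": hidden_bits}
    return puzzle, nonce  # nonce is returned only so the demo can check the result


def solve_puzzle(puzzle):
    """Client: brute-force the withheld bits. Returns (nonce, hashes_tried)."""
    base = puzzle["prefix"] << puzzle["hidden_bits"]
    for guess in range(1 << puzzle["hidden_bits"]):
        if _h(base | guess) == puzzle["digest"]:
            return base | guess, guess + 1
    return None, 1 << puzzle["hidden_bits"]


def verify(puzzle, answer) -> bool:
    """Server: a single hash, however many bits were withheld."""
    if not isinstance(answer, int) or not 0 <= answer < 1 << (NONCE_BYTES * 8):
        return False  # malformed answers are rejected without hashing
    return hmac.compare_digest(_h(answer), puzzle["digest"])


if __name__ == "__main__":
    # Fewer revealed bits means more work for the client, same cost for the server.
    for bits in (8, 12, 16):
        puzzle, _ = make_puzzle(bits)
        answer, tried = solve_puzzle(puzzle)
        print(f"{bits} hidden bits: solved after {tried} hashes, verify={verify(puzzle, answer)}")
```

Each extra withheld bit doubles the client's worst-case work while the server's check stays at one hash, which is the asymmetry the scheme depends on.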

  3. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  4. Re:what's your point? by Frisky070802 · · Score: 3, Interesting
    I fully agree that MSR hasn't had a huge impact thus far, but I don't think it's fair to equate AT&T and IBM's research arms in this fashion. AT&T's research has declined considerably in recent years as its (pseudo-)monopoly in long distance has dried up, and IMHO the company has done only a so-so job in translating research into practice, and in particular revenue for the company. Yet even then, no one can deny AT&T's impact with such things as the transistor, UNIX, C++, etc.

    On the other hand, IBM Research has done pretty well, though it too has gone through hard times. Its contributions to open-source are substantial, and at the same time, it's much more in touch with the demands of the company.

    Now, if someone had beaten me to it and moderated my parent as flamebait perhaps I'd have kept quiet....

    --
    Mencken had it right. So glad that's old news.
  5. Why not just.... by rongage · · Score: 4, Interesting

    Ok, I'll bite - why not just insert a "sleep (10);" line into the connection response of sendmail (or qmail, or whatever MTA you are using)? By making the sender wait 10 seconds before delivery can begin, you get the same effect as a tar-pit...

    --
    Ron Gage - Westland, MI
  6. Re:Oh yeah they invented this... by swillden · · Score: 4, Interesting

    I believe you 100%, only Microsoft would come up with a solution that artificially induces inefficiency.

    I'm no fan of Microsoft, but this is silly. Lots of security tools "artificially induce" inefficiency. One relatively early example that comes to mind is Unix crypt, the function originally used to hash passwords. It runs a DES-like algorithm many times to produce its results, not because that improves the quality of the hashing, but because it takes longer, which makes brute force attacks harder. The Unix login program also deliberately introduces an artificial delay after every failed login attempt, and it's not to give you time to remember your password.

    There are many instances in which slowing down legitimate users a little is an effective mechanism for deterring abuse.

    That said, I still think this particular idea is stupid, since there are plenty of people who have a legitimate reason to send large volumes of e-mail, and this would cause them more pain than it would cause spammers.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  7. Re:what's your point? by penguin7of9 · · Score: 4, Interesting

    The point is they did produce a result, it was published in a first tier crypto journal and the results are acknowledged as correct.

    And my point is that your comment is both insulting to MSR and misses the point.

    Your comment is insulting to MSR because anybody who knows anything about CS research knows that MSR has top people. They have produced hundreds of first tier journal publications over the years. This is just a minor publication among many good things MSR has done.

    It's meaningless because you are missing the main problem that all industrial research labs share: making the connection between research and products. MSR has been as unsuccessful at that as any other of the big industrial computer research labs before. Microsoft's problem is the quality and lack of innovation in their products, not their research labs.

    mod parent offtopic.

    I suppose when your points are weak, you have to fall back on calling on moderators. Why don't you engage your brain instead of falling back on such underhanded tactics?

  8. Re:not a solution by p7 · · Score: 4, Interesting

    You are missing the point. Nobody is saying that this is going to be required for all machines. Essentially it is an extra header attached to emails so email recipients can filter messages that don't have this tag. As I see it this is how it would work for most end users.

    First set up a whitelist, make this your first spam check. On the whitelist? Email goes through never checking for any other spam criteria. (Mailing list should be accepted here).
    For mail that doesn't pass the white list check we can check for the header created by the MS program. We verify that the computationally intense header is correct and maybe we can let that through if we want, maybe I let emails with this tag pass through my spam checker with a higher spam score.
    If we decided to accept mails with the header, we now check the remaining email with a very thorough spam checker and use a very low score.

    No matter how many computers they have, it will lower the number of emails that are able to be sent, if people filter on this criterion.

  9. research? microsoft? by MoFoQ · · Score: 4, Interesting

    M$ should consider out-sourcing it since well....my hotmail account still gets spam even though I set it to exclusive (meaning only email from ppl in your address book will get through); spam with obvious fake addresses. And the spam that goes through this "exclusive filter" also seems to fly past my custom filters that have the words that the spam has ("financial", "viagra", "herbal", etc.)

    Yahoo works better with regards to spam though I wish it would empty the bulk mail folder more often.

    And my pop3 acct has something called greylisting and that alone cuts 95% of spam. Plus black and white listing IPs and domains helps too (for instance, only allowing email from hotmail.com if it originates from one of hotmail's servers, etc.) and blocking known spam-haven Class C ranges (eg x.x.x.*).