Slashdot Mirror
Microsoft Researching Anti-Spam Technique
Tim C writes "Microsoft's Research group are working on a technique to combat spam. Dubbed the 'Penny Black project', it involves making email senders perform a computation taking around 10 seconds, which their recipients can then check for. This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years." We've reported on this before.
How do you "make" senders do anything?
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
Well actually yeah they did. At Crypto'03 a method for memory bound HC was presented.
So while MSFT didn't invent the original HashCash concept MSFT did improve upon it. So before anyone gets the bright idea of flaming MSFT ignorantly.... know your facts!
Tom
Someday, I'll have a real sig.
This is not a solution... as *I* still have to check for something on my end, and then discard if that condition is not met... my bandwidth and time are still wasted.
---
Programming is like sex... Make one mistake and support it the rest of your life.
Comment removed based on user account deletion
Is it something that will require using Outlook on Windows to work? Alternatively, will I be force to use some MS software just to send mail to people who are using MS based web/mail/etc client/server programs?
The law of excluded middle : Either I'm foo or I'm foobar
We studied this in a computer security course I took. This technique has been proposed to TCP establishment as well. It involves the server calculating a hash of a particular nonce (random value). The server then provides the hash and a certain number of bits of the nonce. It becomes the clients job to complete the nonce such that the value hashes out correctly. The server can vary the number of bits it provides to vary the difficulty of the puzzle...
"The payment is not made in the currency of money, but in the memory and the computer power required to work out cryptographic puzzles. "
Phew!!! For a second there I thought I was going to have to do a math problem for each email I was going to send. I woulda been fucked!
Buy Steampunk Clothing Online!
Even today, the most annoying spammers are not using their own computers, but insteady they are bouncing e-mail off virus infected and trojaned PCs.
So 8,000 emails / day is fine, if you have a couple thousands relays to pick from.
---- join dshield.org Distributed Intrusion Detec
Count on Microsoft's "cure" to be worse than the disease itself. You would think for $40 billion they could buy just a little more intelligence than that.
SMTP needs to be redesigned. Not by Microsoft, who will use any change in the protocol to tighten their monopoly grip, locking in their customers (and locking out the non-Microsoft world), but by the IETF.
Spammers having to do a computation before delivering email isn't going to limit them to 8000 pieces of mail a day, it simply means they're going to cluster all of those Windoze boxes their custom worms have infected, and let those millions of PCs do the work for them in parallel. SPAM won't decrease one bit, but the load and toll it places on those who use the net will go up significantly.
The solution isn't to increase the cost of email (computationally, bandwidth-wise, or financial), the solution is to repair the design flaws in SMTP (and, for that matter, USENET, something that remains the most useful medium on the 'net despite its widespread abuse) that make SPAM a viable methodology.
The Future of Human Evolution: Autonomy
Mod parent down [-1,unsightful]
The research this is based on [presented at crypto'03] is designed to level the difference between a P4-3000 and a P2-233. They use problems where cache hits will be lower [e.g. use a 8MB buffer or something] so you end up computing at the speed of your memory bus.
If you had done some research before posting your crap you'd know this.
Tom
Someday, I'll have a real sig.
How is my older hardware (or even pretty recent hardware on a huge ISP, with lots of SMTP activity) supposed to be able to handle this? Bah. It seems to me that adding computational difficulty is not such a great way to combat spam. Do you have any idea how effective IP blocklists and statistical filters alone are? (Or, you could combine them as this project is doings).
If this works as stated, then I can see issues.. For instance, large mailing lists. Would they have to be white-listed? 3000 seconds of computation is a heavy tax on a community based program like the Linux Kernel Mailing List, which averages 300 messages to my inbox a day. Also, there's the issue of viral spammers.. Those that send out viruses to do the spamming for them. If you infect enough, 8000 mails per day per computer can still be quite a bit.
Personally, my whole take on spam is that everything needs to be done on the user end. Laws have loopholes in every situation (foreign spammers being a large one,) server restrictions are either too restrictive on small servers, or can be defeated with distributed computing.. I say we stick with Bayesian filtering. It works _wonders_ for me, and I'd love to see more people use it.
This statement is false.
Comment removed based on user account deletion
Microsoft Research is no different from other industrial research labs: IBM, Bell Labs, etc. They hire the same kinds of people and get the same kinds of inventions out of them. One can't expect any more or less from any big company with a lot of money to spend. However, so far, MSR has not had much positive impact when it comes to driving innovation into the marketplace.
If Penny Black is all there is, it doesn't look like that's going to change. It will probably be decades before we know whether MSR will have had lasting impact. By that time, Microsoft will probably be a benign, lumbering giant, just like its monopolistic predecessors, AT&T and IBM.
This is just a fancy way of saying "Microsoft is trying to figure out how to turn off Hotmail"
The idea was originally formulated to use CPU memory cycles by team member Cynthia Dwork in 1992.
;)
But they soon realised it was better to use memory latency - the time it takes for the computer's processor to get information from its memory chip - than CPU power.
Don't GPU's have a lot smaller memory latency?
hmm, whats this?
BrookGPU: General Purpose Programming on GPUs
If it takes a long time to send out bulk email, what about all the mailinglists people subscribe to? How would lkml or sourceforge lists continue to operate?
I am a viral sig. Please help me spread.
Every wrong attempt discarded is a step forward - T. Edison
While this seems useful at first glance (at least open relays would stop working), how does your technique address these issues:
1. Clueless admins (of windows or *nix servers) who refuse to use SA or similar? These are the same who leave the mail servers as open relays in the first place.
2. People who use their own SMTP server
Sure, go ahead and say that you can add reverse domain lookups. But registering a domain is quite cheap these days ($4.95 a year) and point the NS to your machine, set up MX records, and you're on your way.
Your solution is useful, but not comprehnsive. I doubt there is a comprehensive solution short of making the spammers incapable of accessing the internet.
--
Clueless People? Everywhere I look, I see them. And some of them, they WORK here!
US is now divided as the "Red" and "blue" states. Red States = communist countries. Coincidence? I think not
This seems to be a "let's fix this by limiting what technology can do" case.
Instead, they should focus on adding more functionality to the smtp protocol. For instance, they could add sender e-mail address verification. You can't check the actual e-mail address, but you can make a "dial-back" TCP connection to check, if the e-mail is known by the mail-server that belongs to the sender e-mail address.
Combined with law enforcement, blacklists etc., this is extremely effective.
So this would have the effect of making legitimate high-volume, high-subscribership mailing lists expensive to operate (unless subscribers configured their MTAs to accept "unstamped" messages from the list, which is annoying and error-prone -- and has an obvious "workaround" for the spammers).
<tinfoilhat mode="on">Ha! Now we see Microsoft's *real* goal... to slow Linux development by shutting down the kernel mailing list!</tinfoilhat>
Seriously, though, any attempt to make e-mail expensive hampers those who have a legitimate need to send lots of e-mail.
Plus, there are obvious workarounds that will be developed in short order. A hardware stamp-generator could probably cut the stamp generation time to practically nothing, particularly since their approach somehow depends on memory/CPU latencies rather than processing time. You might be able to make a much faster stamp generator by running it on your graphics card, and custom-built hardware could certainly do it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
CPU time is also finite. If 1 process can send 8,000 emails at 100% CPU usage, then 10 processes will send 800 emails each and 8,000 emails in the same time. You're right that a machine with multiple CPUs could send more email, but a 4-CPU box could still send only 32,000 emails per day instead of millions, and a system with more than 4 CPUs (or buying a large number of computers) is extremely expensive.
Before you chuck the entire protocol, do you have a solution for a better one?
Until you know how you're going to repair the problem, let's not get too excited about scrapping a protocol that still has a lot of flexibility. I've learned a lot about SMTP in the last few months, if there was universal agreeement as to WHAT to do, we could probably accomplish it in place.
What are the options? Whitelists, blacklists, red lists, gray lists, hash cash, filters, etc. No one can agree HOW to combat the problem. A new protocol would accomplish nothing without a planned solution that makes palpable the limitations of SMTP. Til then, let's not get hasty about blowing it off.
Ok, I'll bite - why not just insert a "sleep (10);" line into the connection response of sendmail (or qmail, or whatever MTA you are using)? By making the sender wait 10 seconds before delivery can begin, you get the same effect as a tar-pit...
Ron Gage - Westland, MI
The programmer who works next to me used to be a construction worker. Every so often, I come up for an idea for some kind of home project, explain it to him, and he tells me a way to accomplish it that is much simpler and more reliable.
This MS solution is almost a caricature of one of my own over-done home improvement ideas. Why bother with some elaborate cryptographic system to delay inbound emails? Why not just have the receiving SMTP process call sleep(10) at the beginning of the SMTP session? You get the same desired slowdown, and all you have to change is the SMTP server software. There's no need to modify MTAs, promulgate new standards, or fit yourself more tightly into the MS monopoly noose.
Proud member of the Weirdo-American community.
So this would have the effect of making legitimate high-volume, high-subscribership mailing lists expensive to operate
Well, maybe. There still could be a white list for cases like this.
I think that high volume mailing lists should probably actually be newsgroups anyway. But what it does do is put a crimp in people who host a lot of low volume mailing lists.
Stop the presses! Microsoft has found a way to slow down email! This is news? ;-)
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
So why bother with all the computation and hashing, and just refuse to accept connections from a given IP except every 10 seconds? So if an email was sent from AAA.BBB.CCC.DDD at 00:00.00, don't accept another from that IP until 00:00.10.
This makes it happen entirely at the recipeient server side, so you're not breaking SMTP, and it's backwards compatible with everyone else.
On the other hand, if it's 10/sec per email it doesn't sound like this would be feasable to implement:
Something that the Redmond Empire conveniently neglects to mention is that an awful lot of the spam is due to virus-compromised systems running -- you guessed it -- Microsoft Windows! I've lost count of the number of broadband IP ranges, notably from Shaw Cable and Comcast, that I've had to dump into our domain's local 'Reject' list thanks to their endless attempts to propagate Swen, SoBig, or whatever the latest spammer-zombie trojan is.
Perhaps, if Steve 'Uncle Fester' Ballmer and his cronies had paid more attention to basic security to begin with, or had taken the trouble to actually try and educate their customers about the most basic computing security steps, there wouldn't be such a huge problem now.
This 'Penny Black' nonsense looks like nothing more than a means for them to make money off a mess that they created in the first place.
Bruce Lane, KC7GR,
Blue Feather Technologies
First, let us note that the S in SMTP stands for simple. What may look like a "flaw" today was indeed an attempt to make a standard that is usable with no regard for OS, system, bandwidth, transmission medium, or any of the other factors which complicate computers today now that everyone and their grandma has one.
... that way, it does not matter how old or new a computer is because the system does not rely on processor chip speeds..."
Micro$oft's proposal has several issues. First, the proposal itself:
"If I don't know you, I have to prove to you that I have spent a little bit of time in resources to send you that e-mail."
This changes the effort to convincing the system that I know you and we can bypass all of this. Microsoft's track record tells me that this will be accomplished quickly (likely before the software even reaches final release.)
"...use memory latency
No, it relies on bus speeds and memory speeds, not to mention caching schemes. These change almost as rapidly as processor speeds these days.
All of that is meaningless when you look at the greater problem:
"For this scheme to work, it would want to be something all mail agents would want to do,"
There are 2 ways to implement such a solution; on the server side and on the client. As for the server:
Not just want to do but be able to do. Since SMTP severs began requiring authentication (several years ago), most spammers have turned to using old servers still alive on the net. These would not have new schemes implemented. Denying them to play if they don't update would kill several servers (including several universities).
As for the client:
Anyone who can say "HELO" can send a mail (see RFC 821, RFC 1123, RFC 2821). This means that any decent coder can write a mail SMTP client in about 30 minutes. We will never be able to assume all spammers are using any e-mail client.
"It is certainly not going to stop all spam for good"
And in the aftermath, we will all have slowed our systems with no effect on spam levels.
This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years. ;-)
Yeah, because they did not hear of parallel processing yet
ato
I guess we could combine this with distributed computing so if you send out an e-mail you are helping solving one of the puzzles like for example RC5, OGR or ECC2. And make the world better.
But I think microsoft is intending to create a complete new business model for e-mail providers (and ofcourse for microsoft's hotmail.com) by selling the computing power to companies who need it.
I actively subscribe to a lot of tech sites that have tens of thousands of subscribers. Slashdot is one of those sites. How many people have Slashdot e-mail their mail to them? How are legitimate bulk mailers (of their own content, not ads) supposed to send out newsletters, etc.)? If a retail outlet with a legitimate opt-in newsletter needs to send it to 50,000 or 100,000 people, what kind of hardware upgrades are they going to be looking at. I mean, I can add them to a trusted senders list on my side, but that doesn't tell them that they no longer have to run the computations. "If I don't know you, I have to prove to you that I have spent a little bit of time in resources to send you that e-mail. How do you know whether you "know" me or not? Does the user's mail client alert the sending server that it approves of mail from that SMTP server? Once senders have proved they have solved the required "puzzle", they can be added to a "safe list" of senders. Whose list? My personal list that is part of my mail client? My mail service's white list? Microsoft's special white list?
If you mod me down, I shall become less powerful than you could possibly imagine.
You know how mailing lists require you to confirm your membership? Well, this confirmation mail would have you add the mailing list to your whitelist. As a result, future mailings on that list would be let through without having to do the computation.
The mailing list could simply refuse to deliver mail if you ask it to do the computation, or it might give you a one time warning that you have to add it to the whitelist, or similar.
But all it takes is to add the mailing list to your whitelist once, and it won't be a problem anymore.
With that said, spammers could start pretending to be mail from various mailing lists. I am not sure how big a problem this would be, but it would definitely make an impact on spammers if they couldn't just spew out millions of e-mails to random people in a short period of time. They would have to either go through the computations, or figure out which mailing lists you are a member of and use it to spam you, and so on. But this sounds like it would take too much time anyway, so the spammer would hopefully just give up. And if they did start spoofing mailing lists, then I'm sure there would be ways to prevent that as well. Most mailing lists don't accept mail from people who aren't subscribed, right?
The reason spam "works" is that you can just press a button and the rest happens automatically. If the spammer has to start doing manual labor, my guess is he'll be looking for something else to do. (Such as taking a swim off the deep end wearing concrete shoes, I hope...)
Clever signature text goes here.
Having read the article, I was impressed by how clever their proposed solution was, though since I don't have a CS background, I don't understand how a mathematical computation can be essentially bottlenecked by memory latency -- I'd love it if someone could give an explanation of how that works.I'm guessing that some cryptographic hash needs to be held in memory, such that the nature of the data structure and physical access to it proves a bottleneck. This is probably way off.
But having read the /. comments, it becomes clearer to me that this solution, and many other proposed solutions face problems insofar as they "break" the assumed contract under which email has worked for so many years. To me, this seems to boil down to a challenge / response system (allbeit one that increases the overhead of the transaction signifigantly). The problem with these systems is that for a time, email will be broken for certain people, or broken when trying to communicate with certain people depending on whether or not one has migrated to the proposed system. I'd worry that this would have the effect of segmenting email users into little fiefdoms determined by which email system they are using.
I don't think a migration can happen unless there is some "benevolent dictator" who can force everyone to migrate to such-and-such a new email model and system, and frankly, I wouldn't want that forced on us.
It seems that the challenge to any such spam-reduction system is that migration must be immediate and non-backwards-compatible, and universal, otherwise for a time email users will be segmented into little fiefdoms based on whether they've migrated, and solution to which they've migrated.
All one has to do is hit the right keys at the right time and the instrument plays itself. - Johann Sebastian Bach
The technology is fairly old, it's known as Hash Cash.
It has known shortcomings, but it is one of the best solutions out there.
Its main problem, however, was not yet known when it was invented: That spammers would control huge zombie networks, as they do today.
With 100k zombies (which is not uncommon), the spammers can still send out 10k mails per second, or those 25 mio. spams the topic speaks about in under one hour.
Assorted stuff I do sometimes: Lemuria.org
> The email is sent and the server runs it through
...their email would go to someone else's
...and they would just trash it...
> the scoring process. If the message scores more
> than 6/10 the server sends the sender an
> authentication message, asking to validate the
> email.
So you are one of those resposible for bomabarding me with those damn things.
> This would require spammers to manually
> intervene and waste tons of their time. if they
> forged the sender email...
They always do. My domain is a favorite.
>
> email...
Yes. Mine.
>
Isn't that what the spammers say? "If you don't want it, just delete it. What's the big deal?"
The big deal is that about a quarter of my email is bogus bounces and useless "confirmation" message from systems such as yours.
_NEVER_ _REPLY_ _TO_ _SPAM_
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
It's ironic that your complaint about worst-case users and grandmas is tied to mention of industry.
Anything that produces an end product for a userbase must adapt to suit the needs of that userbase at the time that the product is being produced. If the end user is so egregiously stupid that they can't even handle e-mail without someone holding their hand, then rather than evolving toward the next great technological advance, usability must be made the next branch for improvement.
Think about it in relation to industry once. If automakers had blazed trails toward the next great evolution in automobiles, we could have cars that run a 1/4 mile in 4 seconds at nearly 200mph. Oh wait! We do! They're called funny cars! And nobody except a particular niche knows how to use and maintain them, and they're exceptionally dangerous machines. They are not refined for the general public, they are not safe, and when something goes wrong, it's often disastrous. Neutered cars like Corvettes and, for a few adventurous souls, Vipers, are fed to the public as top-of-the-line even though they're not. They're safe, (relatively) easy to use, and, for the most part, attractive to the buying public because, even if they break down it's just an inconvenience, they don't generally erupt into a fireball the size of a small house.
The computer industry will continue to evolve in much the same way. Crippled, blighted, and weak but generally consumer friendly software will drive the marketplace. In the meantime, hobbyists (Vipers and backyard mechanics) and hardcore computer geeks (funny cars and track techs) will continue to use the cutting edge workhorses that are far less refined, but far more advanced.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
So the solution is for spammers to set up compute farms of cheap old hardware with an open soure version of the mailer. Since memory latency matters, and not processor speed, the solution is to have access to more than one computer. A farm of 10 machines then sends out 80,000 messages a day. A real super computer farm funded by a spammer alliance could get back to shipping millions of spam messages a day. What was the cheapest supercomputer cluster mentioned on Slashdot, something like $30,000? Is that really all that much money when you consider that a group of spammers could split that and amortize over many years? Remember, age of the hardware is not a consideration, just CPUs with access to memory segments. How about a very large system with hundreds of virtual 386 processes running 128k memory segments?
I think in the long run only something more expensive will deter most spam, but will not succeed completely. Case in point is all the junk mail we still get in our real mailbox. Someone out there is paying for postage to send that crap, yet they still ship it to me so that I can place it in my trash can.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
Instead of hitting the delete button I started putting spam in a folder for later analysis. What I found is that spammers use affiliate programs. For example, I recently got a porn spam with an image from
://www.silverstate.co.sy@click.com-click.com.ph/cl ick.php?id=sicosyl
1 &c ampid=
http://gallery7.withsex.com/
All I do is block withsex.com with an expression filter and all spam that's afilitated with that site goes away. Spammers can't ofuscate an URL otherwise it won't work. The image linked from the same site is 28KB. If that spam was sent out to 25 million people and all of them looked at it once that cost the spammers 667GB of transfer. On a standard DSL line it would take about 6 months to transfer that. These companies need a dedicated host to allow them that kind of bandwidth. The company may have a number of domains for the site but spammers aren't going to be using random ones to advertise it like they use random from e-mail addresses. They also have to keep the domains functional or all that spam goes to waste.
Not many hosts would allow that kind of bandwidth transfer without charging up the nose for it. Which limits the number of hosts that spammers will use for images. 2004Hosting.org/.net is a big one for the cable filter and "banned CD." 530000x.net is also affiliated with those spams.
http
click-net and click-com are what spammers use to get paid. If you click on a spam link, most likely it goes through a common domain to log the referal to calculate how much the spammer gets paid. Block the referal site and all spam that uses that referer to get paid is gone.
For example
http://www.xswcde.biz/index.php?id=173&affid=56
342
Is a big e-bay spammer site. I block xswcde.biz with an expression filter and all e-bay spam from that company goes away.
It basically boils down to blocking the company and not the spammer. My spam count went from about a dozen a day to 1 or 2 and they also have obvious tells. If possible I also block the domain in the from address. Using a web-form cut down on spam quite a bit as well.
Ben
Work Safe Porn
You mean this paper? In that case, the Pentium IV 3066 (533 MHz DDR), was 2.66 times faster than the Pentium II 266 (PC66), and just as fast as a 1.2 Ghz Pentium III (PC133).
I'd love to see the Itanium 2 results. The entire program could fit in cache... Yes, the array size could be increased in size, but that would futrher penalize users of PDAs, which already suffer quite a bit.
The real question is whether this program is suffiently enough of a unique case that further advances in memory technology (short of the Itanium's rather expensive brute force solution) will not make this program obsolete.
Well, maybe. There still could be a white list for cases like this.
I think that high volume mailing lists should probably actually be newsgroups anyway. But what it does do is put a crimp in people who host a lot of low volume mailing lists.
As somebody who hosts low-volume mailing lists, I have to agree.
Whitelists are nifty (we use them extensively), but what worries me on that score is that if they become frequent, I suspect we'll just see spammers hijacking address books along with machines, and forging "trusted" From lines.
Slashdot's token middle-aged housewife
No, if it takes 10 seconds for a spammer with the latest dual Xeon CPU (or hacked into a superfast company computer), it will take several minutes for the average user, and hours for my mother on her old P200 (which is more than good enough for sending email), or days for myself on my 20MHz PDA.
Of course, this will incite people to buy new PC's, which comes with a new operating system, made by guess who?
Nah, I'm not cynical. It's probably worse.
Regards,
--
*Art
If they can pull this off, maybe the world won't see them as the profit-mongering 800-pound gorilla monopoly corporation they are. They will be heroes to us working-class.
Unless, of course, they make it proprietary and charge huge license fees.
Oh, well. It was Christmas... we all can wish...
The only problem with your analogy is the fact that you don't have to drive a viper. This scheme would mean that you do.
Simply de-allocate the IP blocks of any ISP that continually harbors spammers, meaning it refuses to terminate them immediately? They can't spam if they can't connect to the internet!
And to "strongly discourage" any ISP that would consider flaunting this rule, they get zero compensation for that netblock they paid for and are denied from buying any new netblock for a time (possibly a week).
Because this would necissarly work on the level of ARIN and the root DNS servers, you can't avoid it, because those are known, reputable organizations who will have no choice to comply.
Can anyone think of a way you *could* avoid this?
I don't think this is a good idea.
First, it would kill legitimate mailing lists. Imagine what the perl5-porters list or the Linux kernel list or any of the other high traffic mailing lists would have to do to keep operational. Large mailing lists already have problems with lag. This would just add to that.
Also, there does not seem to be anything that would stop them from doing these operations in background and just contact multiple sites while working on the problem. They would just multi-thread the mail spammer or just hijack more machines to use as their slaves.
This technique requires replacing every mail program out there to support the protocol. Of course, they will just make it a condition to connect to exchange. Might be a way of getting people away from having to talk to compromised Windows mail servers.
This is a bad solution for a big problem.
"Something must be done! This is something, therefore we must do it!"
"Trademarks are the heraldry of the new feudalism."
As a matter of policy, I do not respond to whitelisting requests because the sender of the whitelisting request has already accused, with zero basis in fact, of being a spammer...
If you got a whitelisting request from him, it would have been because your message looks like spam. That is not a zero basis in fact from his perspective.
In fact it would be because you did something in your email to total a high bayesian filtering score.
As the sender *I* would not be insulted if that were to happen. In fact, it would be great to know that the mail I send is not being silently trashed. How unimportant is your message that the perceived insult is of greater importance?
I always wonder these days whether a mail got through, when it is not answered. I find I end up on the phone more often than not, because mail is no longer a reliable method of communication due to spam.
If you continue to get a lot of whitelist requests after such a system is implemented, it would behoove you to make your mail look less like spam. For instance, not using Base-64 encoding, or sending purely HTML mail, or including trademarked names of pharmaceuticals, or including random strings of characters, linking to spam domains, putting lookalike accented characters or too much punctuation in the subject line, or cc'ing or bcc'ing everyone in your mail.
M$ should consider out-sourcing it since well....my hotmail account still gets spam even though I set it to exclusive (meaning only email from ppl in your address book will get through); spam with obvious fake addresses. And the spam that goes through this "exclusive filter" also seem to fly passed my custom filters that have the words that the spam has ("financial", "viagra", "herbal", etc.)
Yahoo works better with regards to spam though I wish it would empty the bulk mail folder more often.
And my pop3 acct has something called greylisting and that alone cuts 95% of spam. Plus black and white listing IPs and domains helps too (for instance, only allowing email from hotmail.com if it originates from one of hotmail's servers, etc.) and blocking known spam-haven Class C ranges (eg x.x.x.*).
M$ should be spending the time and money preventing their mail servers from becoming compromised and finding ways for its desktops to not get so easily owned and that would prevent the majority of spam that comes to my systems.
/. Bill should pay for tech support if he wants to own the code.
This "spam filter" stuff when performed by M$ is an insult when it does little to address the problem which it has a contributed to.
---
Please stop discussing M$ fixes on
First, the protocol is overly complex. The receiver sets the puzzle. How does the receiver to this. But sending the puzzle before receiving the email? That is complex, perhaps involving connections that must remain open for tens of seconds, or lists that correlate puzzles to particular senders, and the sender must match the answer. How will the puzzle be generated. Will it be psuedorandom or pad. How will we gauge the strength of the puzzle. I do not see how this is superior to current filtering.
Second, alternate filtering methods will still be needed. Whitelists will have to be kept so that friends, interoffice mail, and current customers will not be challenged. Email that does not meet the challenge will still have to be accepted and filtered. The only advantage is that certain email will be tagged as 'safe' because the sender solved your puzzle. This 'safe' email will still often have to filtered to meet the specific needs of the receiver. For instance, a 'safe' email may still contain graphic sexual content unsuitable for the office.
Third, there may be no way to know whether the calculation was done. If the puzzle is pseudo-random, the sender may exploit some weakness. If the puzzle is off a standard one-time pad, and the number of puzzles are finite, or can be cataloged into a finite number of sets, the sender may have database that already contains complete or partial answers. So, even if the spammer is not using owned hardware, there is no way to know that each email is in fact generating any specific liability.
Again, this is a ploy for MS to sell servers to advertisers. The number of machines, and related number of MS licenses, is going to be non-trivial. The client will be built into outlook and the marketing will convince consumers that anything marked safe is legitimate advertising and not spam. This does nothing to solve the spam problem.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
This is just hashcash.
Hashcash is wasteful... it just runs processes at full blast for tens of seconds to tens of minutes at a time, which is a small energy waste but overall a loss.
Hashcash is impotent... any hashcash scheme cheap enough to let someone with an older computer send mail in less than minutes won't slow down a P4-3GHz at all.
Hashcash is harmful, because it makes no distinction between solicited and unsolicited mail. How would you subscribe to Slashdot without whitelisting it?
And once you're whitelisting senders, you might as well just whitelist everyone you get mail from, and now you only need to discourage unknown senders. And hashcash is still a silly solution there, how about real cash?
Here's one way to do that. Whitelist not a sender, but a server. A server at a company that simply charges a few pennies to a few dollars to forward mail (you pick the level of unsolicited mail you want), or one that requires other hoops...
Much simpler, doesn't require new proprietary Microsoft technology, and allows all kinds of alternatives...