Microsoft, Yahoo Investigate Spam Solution
bllfrnch writes "The NY Times (account required, yada yada) has an article about the suggestion of email postage to stop the advent of spam. Apparently, both Microsoft and Yahoo! support such an initiative, as they are the largest email service providers. Best quote: ''Damn if I will pay postage for my nice list,' said David Farber, a professor at Carnegie Mellon University, who runs a mailing list on technology and policy with 30,000 recipients'."
Story also posted on C-Net (no account required, yada yada).
What happened to Yahoo's (as yet unveiled) scheme-to-end-all-schemes for authenticating mail? IMHO, I think that SPF:Sender will make great strides towards combatting spam, combined with new laws that make spoofing illegal. And AOL is backing it, so I think there is a good chance for success, as they are both one of the largest sources of e-mail as well as one of the most commonly spoofed domains.
Here is a Washington Times summary that doesn't require registration.
http://washingtontimes.com/upi-breaking/20040202-123126-8662r.htm
And here is an IHT article which appears to feature the same quote as the NYT article. Same article? I won't register...
http://www.iht.com/articles/127677.html
Josh.
How many roads must a man walk down? 42.
Other proposed solutions involve lengthy computations on a sender's machine, which can be trivially verified on the receiver's machine. These will be overcome with faster machines, and spammers can afford better hardware than the rest of us anyway. Legislation is no solution, as the only sort that respects the First Amendment rights of emailers provides the same rights to unsolicited email.
As the saying goes at our local Mensa chapter: wise thoughts may go into your mind, but pultem calidus invado pantorum. At the end of the day postage is the cheapest option, given the cost of enforcement or technology updates.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
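The "lengthy computation, trivially verified" idea from the comment above, sketched as an added example (not from the thread or from any vendor's proposal): the sender searches for a hash with a required number of leading zero bits, and the receiver checks it with one hash. The stamp layout, the use of SHA-256 and the names `mint` and `verify` are assumptions chosen for illustration, loosely modelled on Hashcash-style stamps.

```python
import hashlib
from itertools import count

def zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def mint(recipient: str, date: str, bits: int):
    """Sender: search for a counter whose stamp hash has `bits` leading zeros.
    Expected cost is about 2**bits hashes. Returns (stamp, hashes_tried)."""
    prefix = f"1:{bits}:{date}:{recipient}::"
    for counter in count():
        stamp = f"{prefix}{counter:x}"
        if zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1

def verify(stamp: str, recipient: str, min_bits: int, seen: set) -> bool:
    """Receiver: a single hash, plus the checks that stop stamp reuse.
    The date field is carried in the stamp but expiry is not enforced here."""
    fields = stamp.split(":")
    if len(fields) != 6 or fields[0] != "1":
        return False
    if fields[3] != recipient:        # minted for a different mailbox
        return False
    if stamp in seen:                 # same stamp replayed on another message
        return False
    if zero_bits(hashlib.sha256(stamp.encode()).digest()) < min_bits:
        return False
    seen.add(stamp)
    return True

if __name__ == "__main__":
    seen = set()
    # Each extra 4 bits multiplies the sender's expected work by 16,
    # while the receiver's cost stays at one hash per message.
    for bits in (8, 12, 16):
        stamp, tried = mint("user@recipient.example", "040202", bits)
        ok = verify(stamp, "user@recipient.example", bits, seen)
        print(bits, tried, stamp, ok)
```

The difficulty is a receiver-side parameter, so it can be raised as hardware gets faster; whether that keeps pace with what a spammer can buy is the objection the comment raises.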
or just click here then click the first link.
Or just click here.
That's naive. You know Ralsky and the like use open relays around the world. He's even contracted some in China. You might tighten a net at best, but eventually you come back to the problem of trying to bill non-USA service providers. Lotsa luck. At best you encourage them to clean up their open relays and implement some decent security, lest their IP traffic be blocked at the border. But this should already be happening. Start locking these things out and they'll get around to fixing things pronto.
A feeling of having made the same mistake before: Deja Foobar
The media accounts are wrong. Microsoft is pushing a processor cycles idea. The NPR interview with Ryan Hamlin the GM of the anti-spam division is a more accurate example of what they have presented.
The accreditation scheme that Microsoft and Yahoo are considering means you pay for sending spam. You do not pay for sending email. It is like IronPort Bonded Sender: you spam, you forfeit part of your bond. You no spam you no pay.
Ryan was pushing the computational scheme hardest. But the basic scheme is, you stop impersonation spam so you know where the message comes from, then you act on what you know about that person. It's authentication and accreditation.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Of course, if it still annoys you, there are a few simple steps you can take to drastically reduce the amount of direct mail you get. The majority of the mail I get is now mail I want to get. I still get AOL CDs, but it's down to twice a year - usually due to a new magazine subscription where I haven't told them my preferences.
Experience has shown that those who say "simply replace SMTP" do not understand the nature of the problem. It's no coincidence that one of the symptoms of being an anti-spam kook is that your solution involves replacing SMTP.
My next sig will be ready soon, but subscribers can beat the rush
I will say it again too...
That's what is commonly referred to as a "whitelist".
... and bingo, new SPAM also. If people migrate to IM, then Spammers can just use dictionaries to hassle people's screen names (I have already experienced people trolling for sex talk online) and soon we'll be dealing with dozens of pop-up (which makes it worse) windows asking if we want Printer Ink. And it doesn't necessarily help having a buddy list, because all IM services will still pop-up a window "Spammer has sent a message, would you like to see it", so even though you can avoid the Spam, you still have to deal with the window.
It helps that you can be offline, but if IM is the chief communication then we won't be able to stay offline, if we want our messages. And those that collect messages while offline (i.e. Yahoo) will just flood you with back Spam.
If Spammers can break email, they'll break IM. It's just that up until now there hasn't been reason to. Don't give them a reason, either.
What you say? Microsoft would get huge bills because of the abusers of its Hotmail service? That would be a pity, wouldn't it?
Most spam from @hotmail.com addresses doesn't come from Hotmail. A list of what's currently in my inbox:
From: mail.com
Really from: hispeed.ch
From: mail.com
Really from: hispeed.ch
From: osn.de
Really from: adsl.tpnet.pl
From: tiscali.co.uk
Really from: t-dialin.net
From: artnet.com.br
Really from: ny325.east.verizon.net
From: siba.fi
Really from: dsl.pltn13.pacbell.net
From: cellularpia.co.kr
Really from: cypresscom.net
From: wanadoo.fr
Really from: btcentralplus.com
From: hotmail.com
Really from: megared.net.mx
From: xcelco.on.ca
Really from: bb.netvision.net.il
From: onlinehome.de
Really from: interbusiness.it
From: el-nacional.com
Really from: (IP address)
From: tiscali.co.uk
Really from: cable.ntl.com
From: web.de
Really from: (IP address)
From: sasquatch.com
Really from: dyn.optonline.net
From: julian.uwo.ca
Really from: dsl.lsan03.pacbell.net
These are the spams I've gotten since last night that were not blocked by SpamCop (most of my mail is forwarded through SpamCop, but not all, and SpamCop doesn't always catch all spam). This also doesn't count what gets blocked by my DNS RBL filters. Anyway, notice how many of them came from different countries than the e-mail address used. There's really no correlation.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
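The "From" versus "Really from" comparison in the comment above can be automated from the Received stamp written by the recipient's own mail server. This is an added example, not the commenter's tooling; the Postfix-style header layout, the `mx.recipient.example` host, the IP addresses and host labels are constructed, and `origin_report` is a hypothetical name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Postfix-style stamp: "from <helo> (<rdns> [<ip>]) by <mx> ..."
STAMP = re.compile(r"from (\S+) \((\S+) \[([0-9A-Fa-f.:]+)\]\) by (\S+)")

def origin_report(raw, trusted_mx):
    """Compare the claimed From: domain with the host that connected to trusted_mx."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for header in msg.get_all("Received", []):
        m = STAMP.search(" ".join(header.split()))  # unfold continuation lines
        # Only the stamp written by our own MX is reliable; every Received
        # line below it was supplied by the sending side and can be forged.
        if m and m.group(4).lower() == trusted_mx:
            rdns, ip = m.group(2).lower(), m.group(3)
            break
    else:
        return {"claimed": claimed, "really_from": None, "mismatch": None}
    really_from = ip if rdns == "unknown" else rdns  # no PTR record: use the IP
    aligned = really_from == claimed or really_from.endswith("." + claimed)
    return {"claimed": claimed, "really_from": really_from, "mismatch": not aligned}

# Constructed sample messages (hosts, IPs and ids are made up).
SPOOFED = """\
Received: from hotmail.com (host-7.megared.net.mx [203.0.113.7])
\tby mx.recipient.example (Postfix) with SMTP id 4A1B2C
Received: from hotmail.com (mail.hotmail.com [198.51.100.9]) by hotmail.com
From: "Offers" <offers@hotmail.com>
Subject: constructed sample

body
"""
NO_PTR = """\
Received: from web.de (unknown [192.0.2.44]) by mx.recipient.example (Postfix)
From: someone@web.de

body
"""
ALIGNED = """\
Received: from out1.lists.example (out1.lists.example [198.51.100.20]) by mx.recipient.example
From: list@lists.example

body
"""

if __name__ == "__main__":
    for sample in (SPOOFED, NO_PTR, ALIGNED):
        print(origin_report(sample, "mx.recipient.example"))
```

A mismatch is a signal rather than a verdict, since legitimately hosted or forwarded mail also arrives from hosts outside the From: domain.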
It's already impossible to spoof your IP address in TCP/IPv4. Sure, you can forge a bogus source IP address on the SYN but you'll never get the ACK so you can't complete the connection, and any data you transmit will be ignored. The best you can do with address spoofing in TCP/IPv4 is a SYN flood DoS attack; you certainly can't send any spam with a forged source IP address. (Route it through a proxy/relay/zombie? You can do that in IPv6 too.)
Also check out the Mailbox Reputation Network, which can provide the infrastructure for doing this on a global scale.
You can spoof your IP address in IPv4. It's easier if you're on the same network segment as the spoofed address, though. If the segment isn't switched, it's trivial to get the responses by putting the NIC into promiscuous mode. If the segment is switched then you should be able to steal the target address by using MAC spoofing or ARP spoofing. With ARP spoofing you can also become a man-in-the-middle for extra fun. If you're not on the same network segment the possibilities are admittedly more limited. However, if the machines you're sending your spoofed packets to still don't have a good TCP ISN generator (many don't), it should be possible to predict the ISN and to set up a connection without seeing the replies. You don't have to limit yourself to one guess, of course.