MS and Sendmail work together on Spam Solution
fudgefactor7 writes "Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance to launch a sender authentication plug-in which is hoped will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?" Update: 02/26 08:01 GMT by S : Though Microsoft and Sendmail are both working on solutions, there's no official alliance in place between the companies.
"Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance to launch a sender authentication plug-in which is hoped will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?"
:-)
Wow......this really sounds like it was written by a marketing director. A Slashdotter could have just as easily interpreted this as "The 800 lb gorilla of the software industry, Microsoft has coerced the long suffering Sendmail to provide Microsoft with a software patch that fixes security holes inherent in Microsoft products that allow for email fraud and spam to run rampant. Another side benefit is that Microsoft can exert their market dominance to further entrench the Microsoft monopoly by refusing email not conforming to Microsoft "standards"."
Laugh, it's intended to be funny.
Visit Jonesblog and say hello.
Gee this isn't biased: "Powerhouse software vendor Microsoft and the venerable Sendmail"
Will it be in the free version of sendmail too or only in the commercial buy-version?
They were looking for something with more vulnerabilities than Windows! Seriously, who uses sendmail? I thought we all started using Qmail or other alternatives?
Yay
Simon.
Physicists get Hadrons!
Just adding a tag or a plugin wouldn't seem like it would help all that much... Email is such an open format that anything you add can be copied and added by spammers too.
Just my opinion.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I posted an idea similar to this on slashdot here, which would essentially involve sendmail digitally signing messages that it sends and then having receiving mail servers verify it. I think most of the people who read the idea misinterpreted it as forcing us to get digital certs through verisign, which was NOT what I was implying.
See, now this is a much better idea than "email postage" and "computationally expensive" sending of email. This way, the accountability falls down to individual email addresses, and domains for sending UCE.
It's FAR easier to track emails and their likelihood of sending spam than the actual messages themselves (after all, buyviagra@biggerpenis.org is most likely sending you spam).
This, combined with a spam filter could do the trick.
Congratulations Microsoft for actually partnering with somebody who matters in this whole affair. I'm hoping the other companies like Yahoo and AOL follow suit with this strategy, and a solution becomes standardized.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one.
MS is a footnote. Aside from headline, the article mentions nothing about an 'alliance' or even Sendmail and MS working together.
Isn't this one of the signs of the apocalypse?
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
So, is qmail getting in on this solution????
Evolution or ID?
Yahoo & sendmail cooperating
First your cf syntax, now working with Microsoft?! What did we ever do to you?! Truly, a sysadmin's worst enemy.
Game... blouses.
This isn't going to fix it.
A crap load of junk mail comes from insecure personal computers that were hijacked. If these computers send their junk mail, and this system tracks them, it will send the "A-OK" because the mail came from where it said it did.
This will help, no doubt. But fix the problem? No.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
but it will need widespread acceptance to really work
And therein lies the problem. No vendor, no matter how well placed, should just run off and try to implement a solution. Why? Because odds are good it will not take off. Everyone involved needs to agree on a solution THEN implement it.
Spammers will always find the way to spam you. For now, what worked best for me is ask http://www.paganini.net/ask/
Is it absolutely necessary to have a sig. ?
Could this be a sign of the beginning of the end of spam?
Dunno... but it could be the beginning of the end of sendmail. Not that it would be a bad thing...
There's much better software out there.
Could this be a sign of the beginning of the end of spam?
No, but it could be a sign of the beginning of e-mail postage.
-Letter
Microsoft working with a Free Software group to produce a standard that will be freely available?
Sounds more like the end of the world than the end of spam to me!
Beep beep.
nowhere in the fscking article does it say anything about MS and Sendmail working together.
It tells of Sendmail launching a plugin for sendmail, and then :
"Microsoft is one of several companies who are also working to combat spam with a "caller ID" system."
Does anyone RTFA anymore? Am I alone in this? Is god really an abnormally large crustacean living on the moons of Jupiter?
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
MS put a signature in all emails from outlook, and sendmail blocks everything with that signature?
Stop me if I am wrong, but aren't Sendmail and Microsoft two of the biggest security problems on the Internet today? (Microsoft, of course, is a lot more dangerous, but still).
;^)
I believe it was a former sysadmin at a previous job who told me (speaking of email, of course): "Never install Sendmail. Period". That sums it up pretty nicely.
And I don't: Postfix is faster, more secure and easier to configure than Sendmail ever was. Qmail is also quite good.
(Microsoft? Who needs Microsoft??)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
While most of you will jump on the line identifying sendmail as vulnerable, this isn't false.
Sendmail, by far, is the worst application I have ever had the mis-privilege of having to deal with. It is a security nightmare, SMTP is a simple concept, but somehow sendmail found a way to make it your worst nightmare. The gotchas on the configuration alone are enough to break someone.
At least now, even if it is help from MS, getting sendmail to NOT be an open relay, AND work appropriately WITHOUT hitting google for over a week, right from the start.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
"Men lie."
"Yeah, about sleeping with other women, but never about bioluminescent plankton."
-Dan Brown
Sounds like MS now wants to collaborate with open source projects, would be nice if I can get a port of GNOME onto Windows. If you can't beat em, join em!
"Could this be a sign of the beginning of the end of sendmail?"
Phil
The two orgs with the worst security records teaming up. The blind leading the blind, for sure.
Looks like a lot of overtime for the Symantec & McAfee programmers
I am always amazed that a commercial version of Sendmail even exists. That company has been around for years and either they aren't releasing useful patches to the free sendmail, or they haven't done a lot to improve the sendmail product. Even if you like sendmail, you have to admit it hasn't changed much in the last few years. It isn't what I'd expect from a commercial venture.
Could this be a sign of the beginning of the end of spam?
Yes, just like computers have made the era of office paper end (I enjoy my paperless office, do you?), and how Bill Clinton in 1995 ended the era of big government.
Don't blame Durga. I voted for Centauri.
Will my email server I run perfectly responsibly just for my family be able to function without paying Microsoft for the plugin? After all, it is not rocket science to code your own SMTP server with Visual Basic.... This will work for the controllable sources, but what about foreign servers and the rest of the World?
With the combined stellar security records of MS and sendmail, guess how secure the new software would be.
That screams safe and secure to me. Then, maybe we could set it up with BIND.. and the computer would be safe..
until you plug it in..
(Flamebait to induce conversation.. calm down)
and I've just written an email tracking program . . .
It says nothing about Sendmail and MSFT working together. Only that they're working on their own solutions to the same problem.
While it's nice to see this type of work being done, the headline is misleading.
wbs.
Huh?
I vote that MS is going to try to embrace, extend, and exterminate anything it can rather than be of help.
If you read the article M$ has no involvement with Sendmail's work on this, they are just a footnote. But if you go to the commercial Sendmail site it says that they are helping to build Yahoo's DomainKey system.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Torvalds
The poster should really have his/her coffee before posting this story. The story does not say that Microsoft and Sendmail are working together in an alliance. It simply states that Sendmail is working on an e-mail id type system and oh, by the way, Microsoft and Yahoo! are also working on a similar in concept system.
Not the big news the story looks like.
While this may be a step in the right direction Spam is just like Jason/Michael in the horror movies we love: it just keeps coming and coming. We may think we are going to kill it but it will get up again. When there is the ability to make money (and lots of it) from spamming, people will always think of new ways to fill our inboxes with this lovely stinking spam. The fight has got to be taken to the source. Kill the companies paying these people to spam us. If the flow of $$ disappears, so will the notorious spammers (who will find some other way to rip folks off). What? You say many of these companies are in other countries and their law enforcement won't do anything? Place embargoes on imports from their countries....drastic step? Yes, but they will listen up fast. Problem solved...meh.
This InfoWorld Article is much better than the one posted and mentions how this new Microsoft Idea is very similar to the existing SPF, except that with Microsoft's version, the whole message is sent and downloaded before it's rejected.
Did anyone find the specification for this "caller id" system?
Microsoft is motivated because about 99% of unreturnable spam now comes from infected Windows PC's.
But I don't care what the motivation is. If we implement a system where we have a verified sender, this is good.
Spammers used to buy a T1's worth of phone lines and then dial in to several different ISP's all at once and use THEIR mail server to send spam. With the advent of easily hacked broadband connections, this isn't required anymore. I can see it popping back up pretty quickly. While the idea is OK, spammers are adaptable. The ONLY way to make spammers stop, is to make them feel pain and this solution doesn't provide nearly enough pain.
For instance, I was joe jobbed, I received about 2300 bounced messages advertising various web sites. For every bounced message I forwarded a 900k graphic that said "Do not use my return address in your spam campaign, it is illegal". Since I received another bounced spam before I had finished responding to these kind people, I decided perhaps another avenue of communication was appropriate. I posted an order on each of the three websites I found advertised 2300 times (PERL w/LWP). Since I was unable to get a response via e-mail, I figured that I would get a response via an order form. I posted 2300 times (one for each bounce) with my contact information and a request to not use my e-mail in the shipping information box.
What happened?
1. One of the mail servers stopped responding altogether. It didn't come back up for more than a week (qmail queue default lifetime anyone?)
2. During the post to these web sites (ALL on hacked machines running open proxy servers) the web site went down and stopped responding. I guess the concurrency of 2300 was a bad idea.
It appears that my e-mail address is no longer being used, although their websites finally recovered about 8 hours later. These web sites no longer accept orders from my IP address. Now imagine if only 1/2 the people that received a spam did what I did? Think of the number of bogus orders that have to be sorted to simply get to a legitimate one? Think of the amount of traffic going INTO comcast and RR to these hacked machines (waving flag over here, over here LOOK LOOK security@rr.com!). Of course this would take time, and we already have precious little of this. If enough people took the time, we would also have precious little spam. The cost would be too high.
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Which is worse - that the submitter didn't read the article, that the Slashdot editors didn't read the article, or that most of the commenters didn't read the article?
Microsoft is NOT working with sendmail. They both happen to be working on ways to combat spam. That's not news, we all knew that already. Nowhere in that article does it say anything about cooperation.
I nearly fainted when I saw the headline, but sadly, it simply isn't true.
The article's comment is plain wrong. Nowhere does it say MS and SendMail are forming an alliance...
"Email technology provider Sendmail is launching a sender authentication plug-in which is hoped will combat email fraud and spam."
"Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one."
Since when is 'also working' == 'forming an alliance' ??
There's something at least very similar to that already available as a milter. milter-sender does an email callback to the mx of the domain the email claims to be from and verifies that the address exists. Unlike some of the other solutions available, it doesn't expect the sender to send another mail to verify he's a genuine sender, but accepts the email if the mx doesn't fail to the "RCPT TO" command (exceptions requiring a "full callback" can be configured for mxs that only find out they don't know the recipient after the DATA command has been sent).
Seriously now.. the two most insecure mail server providers are teaming up? I smell a debacle in the making. End of spam as we know it? Unlikely factor: 9.5
;)
And I'm sure DJB will be right on top of this.
Microsoft working on an open standard with Sendmail? Maybe they just figured a way to bring "embrace and extend" to Open Source. You know, get Sendmail to agree to a standard but then change the standard subtly on Exchange in a couple of years. If I were Sendmail, I'd frankly be scared.
As a public service I am providing my sendmail.cf file as a configuration example.
HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
HDate:@@_$_$?sfrom^*$%#%!*(()^&^&*#$##
$%@$#%&&_%#__&^#$%_#$%%___*(__Y_JY_*_*(_#$%#_
#@$@@#sonofa@#$%@@#@#$#
I know it just looks like line noise but this is a working config!
I agree, will we send THOSE jobs offshore?? just like Warez, they'll end up in some corner of the planet spamming the hell out of us...
Seems to be that identd would do a sufficient job at reducing spam. Rather than overcomplicating things, why don't they just start using the underused identd again??
And, after years of whining and in-fighting and bitching and doing nothing constructive FOSS zealots will emulate this new de facto standard. Frankly, I hope MS patent this out the wazoo and make GPL lunixtics beg to be allowed to play.
If you were blocking sigs, you wouldn't have to read this.
In the time postfix has existed, it has had a similar number of vulnerabilities as sendmail over the same time. Calling sendmail insecure because of vulnerabilities from 20 years ago is retarded. Postfix is slower, no more secure, easier to configure, and less free. Wow, big difference there.
Incidentally, a better solution might use Identity Based Encryption. Still has many of the same problems, but it's a tiny bit more elegant.
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Microsoft is pushing a solution called "Caller ID", which involves putting (wince) XML documents into the DNS telling you how to check the (argh) From: header.
A lot of other people are pushing a solution called SPF, which involves putting text "code snippets" into the DNS telling you how to check the MAIL FROM: envelope return address.
This topic will be discussed at the IETF next week in Seoul, Korea. Hot topic!
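An added example, not part of the thread: a minimal Python sketch of the SPF check the comment above describes, evaluating the envelope MAIL FROM domain (not the From: header) against the connecting IP. It handles only the `ip4`, `ip6`, `include` and `all` terms; DNS is replaced by a constructed table, and every domain, address and function name is a placeholder assumed for illustration.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; every name and address here is a
# documentation placeholder, not a record published by anyone in the thread.
TXT_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # SPF caps DNS-querying terms so a record cannot fan out


class PermError(Exception):
    """The published record is malformed or too expensive to evaluate."""


def check_host(client_ip, domain, budget):
    """Evaluate domain's SPF record against the connecting IP address."""
    terms = (TXT_RECORDS.get(domain.lower()) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no policy at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError as exc:
                raise PermError(f"bad network in {term!r}") from exc
            matched = ip.version == net.version and ip in net
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                raise PermError("too many DNS lookups")
            inner = check_host(client_ip, arg, budget)
            if inner == "none":
                raise PermError(f"include target {arg!r} has no record")
            matched = inner == "pass"  # only a pass inside include matches
        else:
            raise PermError(f"term {term!r} not handled in this sketch")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ran out of terms without a match


def evaluate(client_ip, mail_from, helo):
    """Return the SPF result for one SMTP transaction."""
    # A null return path ("<>", used by bounces) has no domain, so SPF
    # checks postmaster@<HELO name> instead.
    sender = mail_from.strip("<>") or f"postmaster@{helo}"
    domain = sender.rpartition("@")[2]
    try:
        return check_host(client_ip, domain, [MAX_LOOKUPS])
    except PermError:
        return "permerror"


# Constructed transactions: (connecting IP, MAIL FROM, HELO name)
SAMPLES = [
    ("192.0.2.5", "<alice@example.org>", "mx1.example.org"),
    ("2001:db8::25", "<alice@example.org>", "out.mailhost.example"),
    ("203.0.113.77", "<alice@example.org>", "example.org"),
    ("203.0.113.77", "<>", "example.org"),
    ("203.0.113.77", "<bob@unpublished.example>", "unpublished.example"),
    ("192.0.2.5", "<x@loop.example>", "loop.example"),
]

if __name__ == "__main__":
    for ip, mail_from, helo in SAMPLES:
        print(f"{ip:<14} {mail_from:<28} {evaluate(ip, mail_from, helo)}")
```

The third sample is also what a relay that forwards a message with its original MAIL FROM looks like to the receiver: an unlisted IP using the domain, so the result is `fail`.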
When Microsoft reins in its bcentral spammer arm will they actually do something to combat spam. Also, when we are able to educate Joe Average to stop buying the shit that spammers sell, then and only then will we be able to say goodbye to spam. Right now, spamming is too profitable. We just haven't found what it takes to make it unprofitable.
http://www.sendmail.com/sender_auth.shtml
The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did.
Doesn't this just sound like a great way to create a DoS style attack?
I: Flood many servers with email supposedly from server X
II: All servers attempt to contact server X
III: Server X crashes/is overwhelmed with requests, stops responding
IV: Some of the original servers might get hung trying to clear email from Server X, now no longer responding...
I admit that IV seems avoidable, but I-III don't seem like a big stretch based off of prior MS security exploits...
DJMD - The fourth man - Planetary
Stealing from a comment posted 5 minutes earlier simply for the purposes of karma whoring and trolling... How original!
Does anyone RTFA anymore
Not so you'd notice.
Am I alone in this?
Define 'this'. (Also known as the 'Clinton Defense'.)
Is god really an abnormally large crustacean living on the moons of Jupiter?
No, he is average size.
I hope this has been enlightening for you. Thank you, come again!
I want to drag this out as long as possible. Bring me my protractor.
Next time you blatantly copy-paste a post from someone else, please make sure the post you stole from isn't in the very same thread, and already modded up at +5.
;p
And while we're at it please refrain from deleting the link to the original message in a vain attempt to get some free mod points.
What is this ...article you speak of?
Now my little server can do advanced reverse lookups on the over 90,000 spam messages it handles per month.
I'm thinking not...
How about making all spam a crime and holding the companies who finance it liable. Then giving consumers the power to sue for damages.
I'm not an ISP, under CAN-SPAM I can't do ANYTHING about the over NINETY THOUSAND spam messages sent to my server per month.
Needless to say, my poor little PII-400 linux box gags and chokes during sporadic 'floods' of spam through each day.
I must say, though, any efforts to thwart spam are good in my opinion. However, the problem will _never_ be solved until the companies PAYING for spam are held financially and/or criminally liable for their actions.
After all, if you PAY someone to commit murder for you -- does that make you any less guilty?
No.
IIRC, forwarded emails appear to be from the original sender. But they're sent from the original addressee's account and ISP...
Here you can rate different spam tools. Right now the list includes:
sa-exim
Blackmail
spamhole
Mail Scanner
Spamish Inquisition (mtaproxy)
Outclass
amavisd-new
spamprobe
MIMEDefang
TMDA
SpamBayes
POPFile
CRM114
SpamAssassin
e4ward.com
SpamCop
bogofilter
Postfix
Declude JunkMail
SpamBouncer
Mail Washer
Shovel
Spamthis
Thunderbird
Mozilla Mail
Vipul's Razor
Infinospam
GatewayDefender
e4ward.com
Mail Overseer
CRM114
DSPAM
MS and Sendmail are probably responsible for 90% of the spam out there, with default open relay policies, cryptic documentation, and (in MS' case) a corporate culture and influence which means that only chimps and other simian life forms become Exchange admins. Flame all you want, this is from direct experience.
At an old job as a firewall engineer, I had to tell the Exchange Admin for a major medical insurance provider HOW to set up our AV server as their relay. I found it on Google faster than she could fumble through her documentation. At another site, I had to battle an NT/Exchange admin who, after moving the Exchange server to an internal network, wondered why he no longer could receive mail.
MS and Sendmail owe everyone on the Internet countless hours of lost time due to idiotic software config problems, it's about time that they came up with a solution.
I want to delete my account but Slashdot doesn't allow it.
I hope the IETF is smart enough to not support any solution that would make it impossible for me as a regular joe-home user to run my own mailserver. If some other server wants to talk to mine and ask "did you send me this?" that's great, but if some other server decides to /dev/null a message from me because my IP doesn't backward resolve to the domain claimed when sending, then that's bad.
I'm actually a bit scared that this 'anti-spam' crusade will end with an even bigger wall between "users who should pay and consume" and "legitimate service providers".
Belief is the currency of delusion.
Yeah, what's up with that? To boot, apparently the qmail license is fairly restrictive where distribution is concerned. At least that's what the QVCS guide has been complaining about. I hear they plan on switching to Postfix, or something else.
Sendmail is one of the vendors working on Sender Permitted From or Sender Policy Framework is it not? spf.pobox.com I have no clue, nor did the article, on what Microsoft might be doing.
SPF is basically a reverse DNS lookup on SMTP servers if I understand it correctly. Basically under the plan to send mail you have to have a registered SMTP server in DNS so that your mail can be traced back to the sending SMTP server. No SPF records then your mail is most likely spam and can be discarded at the client or even at the POP server. Heck I suppose even SMTP servers could refuse to forward such mail. Will not eliminate all spam but it would halt the spam-in-can email virus like SoBig that makes every Winblows box into instant spam machine. It would also stop spoofed email that causes so much headache.
Very needed plan IMHO.
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
This is loooong overdue. It will help a lot with spam AND virus autoresponders (although if dumbass sysadmins still have autoresponders on, one wonders if they'll even apply the patch).
Once we verify those companies really sending the spam, they can BLOCK those mail servers. Amazing what a few well placed blocks affecting ALL mail traffic from a domain will do to weed out the spammers, whip them and hang them upside down by their toes.
DEATH TO SPAMMERS! (metaphorically speaking for those pin head terrorist watchers)
And therein lies the problem. No vendor, no matter how well placed, should just run off and try to implement a solution. Why? Because odds are good it will not take off. Everyone involved needs to agree on a solution THEN implement it.
As with any change to infrastructure, the conversion is likely best done in a phased approach.
Step 1: Implement authentication, but don't block messages from unauthenticated servers.
Step 2: Adjust existing SPAM filters to weigh mail from unauthenticated servers as having x % (where x is initially some relatively low number) greater likelihood of being SPAM than messages from authenticated servers.
Step 3: Increase x gradually over time. At the end of some period (say, one year), x approaches 90%, effectively blocking most mail not on whitelists from unauthenticated servers. Leave x at this high value for some time (say another year).
Step 4: Stop accepting mail from unauthenticated servers completely.
End of SPAM? Probably not (as SPAM mailers can authenticate themselves, and Microsoft WORMS and Viruses can hijack legitimate mail servers which authenticate themselves and send SPAM anyway) but it is a start.
The Future of Human Evolution: Autonomy
As a couple of people have already pointed out, this is a copy of a post that appeared IN THE SAME THREAD! Fer fsck sakes, mods, get a clue.
Corruptissima re publica plurimae leges.
If so, this will bother me to no end. I currently have two main email addresses, one using Cluemail and one using MyRealBox. I check both of these addresses using IMAP with MacOS X's Mail.app. However, since MyRealBox is an experimental server and is not always up and since the free accounts on ClueMail don't have SMTP access, I am using my own machine running QMail to send my emails. Obviously my IP and whatever domain gets assigned to it from So-Net (yay Fiber Optic connection to the apartment!!) do NOT match either of my mail addresses.
So, will something like this spam solution break my set-up?
Disclaimer: I am somewhat clueless about all of this. I only know enough to have been able to set my machine up securely so it is not nor can/will not be a source of spam. So, I appreciate any information. Cheers. :)
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
A large portion of the spam I receive doesn't have my address in the To: field. Why doesn't mailer software look for this kind of mail? Am I missing something?
"Drug related crime" is a misnomer, "prohibition related crime" is the more accurate and correct phrase.
If this ever becomes more than vapor, all your spam will suddenly start coming from <>.
SMTP has built-in limitations that are very hard to get around.
It doesn't look too bad. I'm afraid though that they'd try to sell it for the price of a full sized laptop. I've been looking for something like this, but cheap like less than $400. I'll bet they want somewhere between $1000-15000 for this. For that price, I'd rather just buy a cheap laptop.
I still have my system up, but I am denied at places because I am on Comcast Cable. Yet, I have never had an open relay, nor been cracked. I find it obnoxious that I have issues sending simply due to location rather than an inability to have a secured system.
I prefer the "u" in honour as it seems to be missing these days.
.. that this had to happen now. I've been experiencing Exchange outages due to some vague bug in store.exe. Seems to be eating up 100% of CPU time. If they can build something that can clear out these bugs, I might consider continuing with Exchange.
Could this be a sign of the beginning of the end of spam?
No, because spam isn't an authentication issue. It's a permission and private property rights issue, which is not going to be solved by a purely technical approach.
But the beginning of two different types of spam, official spam and un-official spam.
"You go hole now"
Email doesn't need more bandaids and half-@ssed fixes, we need a ground-up rewrite that replaces SMTP.
It would be a very easy thing for the standards bodies to hash out the best SMTP replacement in 90 days (we've been talking about all of the changes for years, just decide already and take action!) and then announce to the world: "On January 1st, 2005 all SMTP email will be phased out in a 90 day transition period. It will be replaced by [acronym], which will prevent spam in its various forms".
Anything short of this is a hack that will enjoy only very limited success and only prolong the inevitable.
There is far more wrong with email than just spam, and the protocol is showing its age. A lot has happened in 20 years (not to mention the last 5 in particular), and it is time for complete replacement (that doesn't involve me paying money for email stamps...).
I know I'm blowing my karma points on this one, but I believe it's justified and realistic.
No business partnership or alliance of any significance has existed with Microsoft that resulted in a mutually beneficial conclusion. To put it another way, it's like trying to make a deal with the devil.
I don't expect that sendmail will be summarily destroyed as such. But I earnestly and honestly believe that the final outcome of this venture will only result in Microsoft obtaining an absolute choke hold on email.
To expect anything less is naive and ignorant. There is no past performance which disputes this claim. Even considering legal judgements, Microsoft will not hesitate to make "all your email belong to us".
I apologize if I come off sounding like one of the Slashdot anti-Microsoft zealots, or some conspiracy theorist. But think it through.
Microsoft develops a means by which all email must be reverse authenticated as to the sender. Believe me, they will patent it and everything that looks like it before the night is over. This sounds great, but then all they do is just modify the email servers to require that this proprietary reverse authentication take place or you can't send any email.
The fact that they are working with sendmail, the company and not the OS project, allows them to license this technology to a Unix platform. This allows them a foothold onto the majority of email servers, which are Unix based, and to establish the means by which they have complete ownership of all email transactions. And it will be a matter of time before sendmail.com has to turn over their assets to pay the licensing fees, but then maybe Microsoft doesn't want them able to pay the fees.
Yeah, Spam sucks. But get a clue! Spam filters account for 99+% of all the spam out there. I would rather have my 1 spam a week out of 600 than to have Microsoft telling me I have to pay royalties to send email. There is nothing cool or encouraging about this.
And the real problem here isn't the spam, or the cost of sending spam, they haven't done anything to reduce either one of these. The problem is the adolescent pimple-butts who really think that herbal viagra will give them a 36" schlong that lasts all month long. Do you really want that? It's hard to pee standing on your head!
Does this sound like a good way to DoS someone? Send a bunch of mail "from their server" and when all the other servers check to see if it's really them ... no more Internet.
Granted, that'd be relatively difficult to pull off, but it's still a method.
No sig for you. YOU GET NO SIG!
RTFA
If it's sendmail they'll probably push to verify against passport.com.
Microsoft does have the power and the ubiquity to push a standard through but we also know about embrace and extend.
Instead of everyone working on separate anti-spam standards (yahoo - domainkeys, AOL testing SPF) it would be better if the largest email providers used industry standards bodies (IETF, ECMA) to push through a common verification standard.
- cnb
Q.
Insert Signature Here
Ever seen an email from your sendmail MTA where in the header it says "FORGED"? Usually on spam email. You know you can block on that in sendmail without any add-ons... The problem is that the majority of the internet servers must then go out and update their DNS records for MX and reverse, for this to actually work.
PS: I actually turned this on one time to get rid of spam, blocking a whole bunch of legit email in the process. Ooops. hello internet just enforce the tools that you already possess.. nuff said.
--jboss
Does this mean we have to start hating sendmail now?
SIG: TAKE OFF EVERY 'CAPTAIN'!!
This is a great first step, but it won't stop spam. It will only prevent spammers from spoofing their email addresses, etc. What good is that when the spammer lives in a country that has no laws against spam?
Gyrate Dot Org - "Where high-tech meets low-life"
Oh, I thought it was a sign of the beginning of the end of the world. My bad.
More like the middle of the beginning of the end of email. Ever heard of instant messaging, ip telephony? We don't need SMTP and we certainly don't need MSMTP. It's crap.
The core "problem" with the internet is that just about anyone can create a domain and the associated zone files and have them served as authoritative. There are at least two free DNS services out there that will host whatever zone data you wish to throw at them. Personally I don't consider this a problem, but a very nice feature.
When you can register domains in bulk for $5, perhaps less, and can host the DNS for free or just a few dollars a year, how exactly is any DNS based verification system going to operate to limit spam? All the spammers have to do is fudge up the zone file so that any verification system will succeed because the spamming server is "legit". The server may very well be anonymous or hacked or have 20 IP addresses.
I still say the single best solution to spam is for ISPs to start a policy of disposable email addresses. This is a relatively simple matter to implement with Sendmail and a few CGI scripts, or even via email messages.
An end user is given let's say 8 email addresses. These addresses are never to be given out to anyone for email purposes, they are simply for sorting incoming mail among several family/household members.
Each account can have up to 50 aliases at any time. Aliases are created on the fly by the end user, and can be set to expire at some future date, or be removed manually.
When you go to sign up for a discussion forum you create an alias for just that forum, ex: gjslashdot@ispdomain.com. If you start getting spam on that address, you can simply delete it and create another one, there's no attachment to the address outside that forum.
I've been using this system myself for about a year and have gone from 500+ spams a month to 3-5 a month. Again... as soon as I get spam at an address, I delete it and create a new one if necessary.
What's causing the spam problem is human ignorance. Layering technological complexity on top of the existing system will not eliminate the underlying ignorance. My solution does that.
As far as corporations go.... get your email addresses off of your business cards, and stop using employee names as the basis for email addresses. If someone has access to an email client, they probably have access to a web client. Outside emailers should use a web form to send email to employees unless there is an existing relationship.
Once there is a relationship, direct email can be used.
Email addresses on business cards... business cards handed out like candy on Halloween... no wonder you get inundated with spam.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
I'm sure that any Microsoft/Sendmail solution will be very secure against any sort of attack.
There are currently 3 solutions competing on the internet. Only one actually works right now as we speak.
(1) Caller ID is Microsoft's big proposal. Domain owners put XML in the TXT records in their domain. Receiving email systems can determine if a message is valid only after seeing all of the headers.
(2) SPF (http://spf.pobox.com/) is already implemented and is already blocking joe-jobs and phishing schemes. It relies only on the envelope FROM and the owners of the domain publishing a short TXT record. Currently, aol.com and many more domains (around 6,000?) publish SPF records. Implementations for filtering based on SPF exist in perl, python, C, and for Exim, postfix, qmail and sendmail.
There is a small problem in forwarding email properly, but that is being resolved with SRS (same website).
(3) DomainKeys (Yahoo!'s solution) is still being researched and is looking more and more like S/MIME or PGP but for an entire domain. The domain owners would publish the public key via DNS (probably a TXT record as well) and receiving mail servers can verify that the message is indeed from said domain. There are some severe limitations: If someone gets your domain private key, you are screwed. It's also subject to a replay attack. The attacker would send a valid email to themselves through a server using domain keys, and then replay that message to the rest of the internet.
Both SPF and Caller ID can't work around DNS poisoning or IP spoofing. But they both limit the number of machines that are allowed to send email for a domain.
It is important that if you own a domain, that you publish SPF records - even if it is only "v=spf1 !all" or "I don't send any email for this domain". SPF, if it is going to be adopted, is going to be adopted at an exponential rate.
Caller ID is mostly Microsoft's response to the rapid success of SPF. They want to own the solution to spam, and they want to take credit for cleaning up your email box, even though their idea is really other people's ideas + XML. The protocol is heavy, burdensome, and subject to the whims of the XML interpreters out there right now. Plus, it is a huge proposal that is detailed and complicated, ripe for incompatibilities that could force users of Sendmail, Exim, Postfix, or Qmail to "upgrade" to Exchange.
The radical sect of Islam would either see you dead or "reverted" to Islam.
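As an added illustration (not code from the thread or from the SPF project), here is a minimal Python evaluator for the SPF check described in the comment above, using the mechanism and qualifier syntax later standardized in RFC 7208 (`-all` for a hard fail). The zone data, domain names and addresses are constructed, and only `all`, `ip4`, `ip6`, `a`, `mx` and `include` without CIDR suffixes on `a`/`mx` are handled.

```python
"""Minimal SPF check_host() over constructed DNS data (subset of RFC 7208)."""
import ipaddress

# Constructed zone data standing in for DNS; every name and address is made up.
TXT = {
    "corp.example": "v=spf1 ip4:192.0.2.0/28 mx -all",
    "parked.example": "v=spf1 -all",                       # domain that sends no mail
    "throwaway.example": "v=spf1 ip4:203.0.113.77 -all",   # cheap bulk-registered domain
    "hosted.example": "v=spf1 include:corp.example ~all",
}
MX = {"corp.example": ["mail.corp.example"]}
A = {"mail.corp.example": ["198.51.100.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms per evaluation


def _in_net(addr, spec, default_len):
    """True if addr falls inside the ip4:/ip6: network given in spec."""
    net = spec if "/" in spec else f"{spec}/{default_len}"
    return addr in ipaddress.ip_network(net, strict=False)


def _host_matches(addr, hosts):
    """True if addr equals an address record of any host in hosts."""
    return any(addr == ipaddress.ip_address(a) for h in hosts for a in A.get(h, []))


def check_host(ip, domain, _budget=None):
    """Return the SPF result for connecting client `ip` and sender `domain`."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = TXT.get(domain.lower())
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "pass"                       # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):  # terms that cost a DNS lookup
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
        target = (arg or domain).lower()
        if name == "all":
            return qual
        if name == "ip4":
            matched = addr.version == 4 and _in_net(addr, arg, 32)
        elif name == "ip6":
            matched = addr.version == 6 and _in_net(addr, arg, 128)
        elif name == "a":
            matched = _host_matches(addr, [target])
        elif name == "mx":
            matched = _host_matches(addr, MX.get(target, []))
        elif name == "include":
            sub = check_host(ip, arg, budget)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        elif "=" in term:
            continue                        # modifiers are not handled here
        else:
            return "permerror"              # unknown mechanism
        if matched:
            return qual
    return "neutral"                        # record ended without a match


def spf_for_envelope(client_ip, mail_from):
    """SPF keys on the SMTP envelope sender (MAIL FROM), not the From: header."""
    return check_host(client_ip, mail_from.rsplit("@", 1)[-1])


def scenarios():
    """Constructed cases: listed host, forged sender, throwaway domain, forwarder."""
    return {
        "listed host": spf_for_envelope("192.0.2.5", "alice@corp.example"),
        "forged from zombie": spf_for_envelope("203.0.113.9", "alice@corp.example"),
        "domain sends no mail": spf_for_envelope("192.0.2.5", "x@parked.example"),
        "throwaway domain": spf_for_envelope("203.0.113.77", "deal@throwaway.example"),
        "forwarder keeps sender": spf_for_envelope("198.51.100.200", "alice@corp.example"),
        "no record published": spf_for_envelope("192.0.2.5", "bob@unpublished.example"),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:24} {result}")
```

The throwaway-domain and forwarder cases show the two limits raised elsewhere in the thread: SPF passes mail for any domain whose owner lists the sending host, and it fails mail relayed by a forwarder that keeps the original envelope sender.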
It's called OpenPGP and it works fabulously.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I wonder if these fixes will correct The 'Outlook Blank Folding' vulnerability? Better yet I wonder if the fix is to get rid of Outlook Express.
There's no shame in being a pariah. -Marge Simpson
The (itty bit of) information in the linked article is presumably accurate, but the article linking to it is just factually wrong.
http://alternatives.rzero.com/
Maybe. It depends on the implementation.
As an email originator, you have an envelope, a From: address, and a ReplyTo: address. I'm pretty sure that they're not going to filter on the ReplyTo: address, but From: and envelope are a different matter.
I have an email vanity domain, and they forward it all to my ISP's POP box. One of the things I like about Exim is that it can easily and *thoroughly* rewrite addresses, including the envelope. My outgoing email goes through my ISP's relay, but in every way except headers, it looks like it came from my vanity domain.
It looks to me as if this scheme will break my current vanity domain usage. Further, it looks to me as if it will require care to make *any* vanity domain usage work.
BTW, the other reason for a vanity domain is to keep your email address constant even when changing ISPs.
The living have better things to do than to continue hating the dead.
thanks to many of the systems you've fathered, it should be possible to write a virus that finds the vulnerable systems and closes the holes.
perhaps this can even be done with government support in the name of common good.
ms improves security, who'ld've thought..
The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did.
How is this to be attained? Checking DNS won't work - one is bound to get false positives when a DNS query fails on an existing domain.
Some mail servers are even configured so you can't lookup to see if a user exists. So you'd have to disable the lookup feature which most email servers already offer to check sending addresses so the server is meant to become a blackhole for spam...
Domain keys - pfft. It's as likely as any other technology - EVERYONE has to unilaterally implement it for it to work. Nevermind that it would be a matter of time before domain keys are spoofed.
Want to be effective for a period against spam? Then do what's needed on an already ailing system - re-write it from the ground up. There's numerous other features that are missing from email like UTF-8 support because English is the only language supported by email for usernames, passwords. In accompaniment, DNS needs UTF-8 support...
The sad truth is that this will never happen unless something catastrophic happened to the existing infrastructure.
I already use a challenge/response system to filter my spam, and it works amazingly well. This is similar to the proposed MS/Sendmail "plug-in" in that it tries to verify that the sender is real and actually sent the email in question.
The one big problem neither system solves is spam from sources that are not forged, and actually have a valid return address. Nigerian spam gets through in either case, because an actual human is there. And sites that have a response-bot get through my challenge system (for the moment). These are the extreme rarity, of course, but if everyone used such a system then the spammers would just start using real verifiable return addresses all the time. It's easy to generate a new domain name every day (some already do) and get new IP blocks on a regular basis, so there's no easy way to automatically block email.
Even worse, spammers could still send out the email using zombies while putting valid return addresses in the spam so that it can be verified. They only need to hack their sendmail plugin to auto-verify any email with their return address on it and they can still use zombies all they like to send spam.
I think it's safe to say, as long as there's email, there will be spam.
Umm... You mean exactly like most linux installs, right?
The whole "sendmail isn't safe" mantra is based on very old versions. Not surprisingly, all from when it was being [primarily] supported and developed by people with 'day' jobs.
Since when has the difficulty to manually configure *nix software been something one should open their mouth about on
SMTP is a simple concept, but somehow sendmail found a way to make it your worst nightmare. The gotchas on the configuration alone are enough to break someone.
Snicker. Well yes the S stands for simple... Are you just talking about RFC 821??? What about 822, 876, 947, 1869, 1870, 1891, 1893, 1985, 2033, 2034, 2045, 2046, 2047, 2048, 2049, 2197, 2487, 2554, 2821, 2822? [BTW I'm sure I missed some, and yes some supersede others]. You don't often use SMTP anymore, rather ESMTP with extensions.
FWIW it's really really easy to make sendmail a non-open relay. I even think RH configures it that way from the start.
Use whatever MTA works for you, but don't confuse your relative [or subjective] case with the absolute 'sendmail bad, MyMTA good.' As for Sendmail- they deserve some credit, if for nothing else, that it actually pays money to support one of the more important and underappreciated open source packages. Everything post 8.8 or is it 8.9.3 was heavily contributed to by them.
I'll bet a penny you use pico...
--Someone with yellow car; plate Y EHLO
This "plug-in" scheme looks totally redundant with SPF to me.
:wq
This is just leading to a monopoly and corporate control of the Internet. As much as I'd like to see a solution like this, as I believe it will work, we need to be sure that anyone can still participate.
Our LUG recently had a discussion on x.509 certs and how it could be used to verify a mail server. If a mail server starts to send spam, the cert is revoked and can no longer send mail. This is more drastic, and leads to the same corporate control however.
-- DuckWing
Does this mean you can't send to companies/users that have Exchange or Sendmail servers, in effect?
Nice way to squeeze out all the competition except one.. then buy them later... ( or just make a change to the new 'open standard' that leaves them in the dust.. )
---- Booth was a patriot ----
More likely, it's the beginning of "features" which result in less of the spam we see today, and an equal amount of some other form of advertising annoyance.
today: fr33 \/14Gra dud3!!1
tomorrow: Retrieving email: starting winxp2005.mov (click to pay to skip commercial)
Certainly not. I do however predict it will be the beginning of the end of email. This is a perfect way to segment the email systems from one another; those that utilize this plugin and those that are discriminated against for not using this plugin. I for one will not use something that isn't a damned standard. You don't have to be an evil genius to recognize the evils of introducing non-standard requirements into such a critical system. It's just plain nuts.
Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance
You misspelled vulnerable... HTH, HAND
Oh, I thought this was a reference to the ident protocol, already supported by sendmail, which would solve the problem in exactly the same way if firewall admins were willing to open up their AUTH ports and run identd daemons.
Nah, this is an elaboration of the same thing but on the email port instead.
Slap a few new buzzwords on it as it goes through the door, of course... PKI! WMD! Cryptographic keys! 40% more trunk room! Compassionately Conservative (Less liberal than the leading brand)! Microsoft Windows Compatible!
Now it's sure to sell. Won't stink up the room as bad as old dead identd I hope.
Offers to join MSN and special pricing on Windows Operating systems are mysteriously appended to millions of emails across the net thereafter...
The article does not say much especially around the technicalities of the solution, so all that I can understand is that there would be a scheme of verification. In other words, If I send a spam mail, the receiver will try to verify if the source e-mail server exists.
But what would stop spammers from faking the e-mail source server? The e-mail header could contain a valid public e-mail server address. There are tons of public e-mail servers around, and each company has at least one public (for its members to send/receive messages to/from the company). How would my company be protected from being a spam victim?
Another thing that I would like to point out is that the article does not say that Microsoft and Sendmail have formed an alliance. It says that they are working on a solution, each one individually from the other. It would be really bad if each one comes up with a different solution. It would mean that Unix servers would have a problem blocking spam from Windows servers and vice versa. I think that there should be an alliance and a common solution used by all.
Usually when MS forms an alliance with someone for any reason they want to put them out of business somehow, but not sure if that would happen in this case. Isn't sendmail GPL or BSD licensed?
Only 'flamers' flame!
Does slashdot hate my posts?
If Microsoft and Sendmail are working together on Spam Solution, then I guess we can all rest assured that whatever they build, it won't have any buffer overflow problems. I, for one, am looking forward to using the 1.0.0 version on my production systems.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Yes, I am certainly aware of all of this. But I am writing code that is designed to allow the home users/single system to generate ephemeral addresses. This approach works great for a single system, but fails for large outfits. In this way, I give up my e-mail to friends and families, but have a generated address for the web.
I prefer the "u" in honour as it seems to be missing these days.
I wonder if this will have a positive impact on mass-mailing virii that rely so heavily on spoofed "From" fields, or if this will just further slow down our mail servers as it filters through it. I guess it's a matter of which is the lesser of the performance evils: the antivirus engine, or this new fancy schmancy sender verification idea.
Hardly standard bearers for secure software....
Alex
With their combined expertise on preventing system exploitation, I'm SURE they will find a way to stop the spammers!
-R
will the plug-in be available for non-Microsoft systems? If not, then this will just cause a shift in the host OS of choice for spamming, thus allowing Microsoft to blame spam on "those commie hippy pinko open-source zealots."
"Freedom means freedom for everybody" -- Dick Cheney
I'd say the submitter was trying to sneak one by. That article was too short and too straight forward to be misinterpreted that badly.
Djb's qmtp should work against spam... http://cr.yp.to/proto/qmtp.txt
>Linux is not user-friendly.
It _is_ user-friendly. It is not ignorant-friendly and idiot-friendly.
Nothing would stop a spammer from installing their own mail server, thus avoiding using the ISP's at all...
The problem, I don't think, is really related to existing mail servers being used, but that mail servers will accept messages from other mail servers blindly. I don't even know how much could really be done about that...
So sure, SMTP AUTH will stop client-to-server mail that isn't wanted (although it's much easier for an ISP to do subnet restricted access like they often do)... what will that do for server-to-server.. nuttin.
Could this be a sign of the beginning of the end of spam?
No
If the ISP's mailservers would also check for mail in outgoing mail, and automatically shut off anyone that exceeds a certain threshold. They would have to block all outgoing traffic on port 25 as well.
Certifying the mailservers will make the certified mailservers a more valuable resource (now every virus or spammer brings along its own smtp engine). In turn this will make the keys to use these resources more valuable. So instead of bringing along a smtp engine, spammers will have to steal the keys to the mailserver (usually located in the outlook configuration).
Blocking outgoing port 25 at the first router will have the same effect, but very few providers have done that as far as I know. Maybe you are right in that respect that it will not work after all.
This space is intentionally staring blankly at you
Seeing as how there is no alliance between MS and Sendmail at all.
If we're not getting dupes three times from Taco, we're getting completely wrong headlines--or worse, biased ones ("Microsoft Violates Human Rights In China" anyone?).
And who should be the PKG, the third party in whom we trust all authentication of everybody and to be holder of all private keys, if we use IBE?
Remember that in practice it would be Verisign.
IBE is *not* a good solution to this. Actually it is very rarely appropriate.
Xenu loves you!
So they are working on technology to track where mail actually came from? PGP does that for me. It allows you to send mail that only the intended recipient can understand, too. What movies are playing?
Please correct me if I got my facts wrong.
The two most flawed implementors of mail servers team up to give us a new and horrifically flawed anti-spam system? They should just call their project "Get Big Penis Now"! ;p (It's a joke people. Laugh)
Un-news
I noticed that not a soul mentioned the patent issue: guess who will patent the solution?
a) the same folks who try to patent xml?
b) the same folks who try to take over all UNIX-like operating systems?
c) the same folks who like to be clicked only once(tm)?
I know I post too late.
You can defy gravity... for a short time
I use open relays constructively. My ISP doesn't give me an SMTP server, I have to deliver all of my own mail via sendmail. This means that messages from my email account aren't directly from my domain's server. It irritates me when my email is seen as spam by unintelligent spam filters because this is a problem that I have had to deal with for years and I'm sure others are in a similar situation. I personally think that a scheme like PGP is the only way to rid the world of spam and to authenticate all email messages.
http://spf.pobox.com/spf-draft-20040209.txt
Do you really trust a spammer to send you the real goods? Counterfeit drugs are rampant, and unless you purchased the drug from a reputable (licensed) pharmacy, it is unlikely you are getting the real deal.
Getting fake viagra might be a bummer but imagine getting fake birth control!
Everybody who hasn't heard about web sites that ship fake birth control should read this article and warn their friends.
"You done taken a wrong turn."
-Bill McKinney, in Deliverance
that Microsoft is going to stop selling the "forward to" e-mail addresses of their hotmail users?
My Karma is so low that even my own postings are beyond my current threshold
Could somebody please explain to me how this SPF stuff is supposed to help fighting spam in any way? Seriously, I don't get it. So, the only thing spammers have to do additionally is to fake the domain part of a faked email address to match the IP or relay they use? That's it to trick the whole system?
The beginning of the end for spam like OS/2 was the killer of all other OS's... Not like microsoft has a perfect track record when it comes to cooperation and using open standards....
Won't this just result in increased net traffic and not a reduction of spam? It does help trackability, but legitimate email, spam or otherwise, will still get through.
Also, diving into possible implementation space.. in order to not be trivially defeatable, won't it have to authenticate both ends of the verification transaction. Otherwise, spammers will just include a copy of the verification information off some legitimate piece of email for whatever machine they are pretending to send from. Even if the verification is on a per-piece-of-email basis, won't it still have to stay active for a while to allow for resend due to failures? That's a lot of data for an active site like Hotlink, AOL and MSN to save.
Welcome to the net of 1000 lies. Upgrades are scheduled soon that should bring us to the 10,000 lies mark.
Face it: by any rational standard, sendmail sucks. /etc/sendmail.cf is so obfuscated that it makes the Windows registry look simple by comparison. Its track record for security is as bad as anything coming out of Redmond, and has a similar track record for releasing patches which break more than they fix. Fortunately for mail administrators who aren't masochists, there is Postfix. Now if only some of the major Linux distros *cough*redhat*cough* would use postfix as their default MTA, life would be better.
The parent poster is also correct in that Microsoft has made important contributions to IETF and other open standards boards. They do occasionally manage to do the right thing, even if it's because the engineers managed to sneak it out the back door when the marketroids weren't watching.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
I don't know about that.... just the other day, I got spam selling ass-douche kits.
Do you even lift?
These aren't the 'roids you're looking for.
A: Things would have worked out roughly the same, but with another company or set of companies up top. With any kind of luck that company would have had some better ethics and a less paranoid world-view.
B: Even if you accept the "microsoft invented everything good" notion, take a look at their bank account and try to say that with a straight face.
C: Hardware pricing falling while getting faster is where the real ubiquity comes from.
Pull your nose out of Bill's behind and think for yourself.
emt 377 emt 4
Blackholing entire netblocks BLOWS. It's the worst solution creating a problem as large or larger than the problem it was trying to solve. Always put the authentication into the hands of the user and KEEP AWAY from clumsy, monolithic/authoritarian systems. They don't have the resources or the interest to accurately screen the 100's of thousands of addresses out there.
Quack, quack.
The world's most cracked mail server teaming up with the world's most cracked operating system... course on the other hand, I suppose they have the world's best experience.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Can anyone say - THIS IS CALLED REVERSE DNS YOU MORONS.
What we need are open-relay lockdowns.
While it admittedly takes significantly more real legwork, I'd imagine that much of the protection provided by authenticated email could be bypassed by riding on other people's unsecured wifi networks and sending mail via their trusting ISP's mail server. I might just start wardriving in my branded SPAM-van.
I don't get it. So you authenticate the source. Big flippin' deal. I don't know the source of every single email I'll ever want to get, so knowing the source isn't going to help me have a spam-free inbox.
sev
but have you considered the following argument: shut up.
PS: I actually turned this on one time to get rid of spam, blocking a whole bunch of legit email in the process. Ooops. hello internet just enforce the tools that you already possess.
An idea for dealing with false positives: Any e-mail that fails some spam test (server on a blacklist, server doesn't sign its mail, whatever) doesn't get /dev/null'ed, but rather quarantined. 24 hours later, they get compared to digests of known recent spam (requires a spam report clearing house, such as SpamCop). If they do not match, they get sent on, with an attached explanation as to why they were held up for 24 hours.
Benefits:
1) Few or no false positives
2) Applies pressure on administrators of non-conforming servers to conform - they will get complaints about delayed outgoing e-mail.
3) Because it is less extreme than black-holing non-conforming servers, it can be introduced without causing the end of the internet.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
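The hold-and-recheck idea in the comment above, sketched in Python as an added example (not code from the thread): mail that failed a spam test is held for 24 hours, then dropped if its digest matches reported spam or delivered with an explanation. The `X-Quarantine-Note` header name, the exact-match SHA-256 digest of a normalised body, and all sample messages are assumptions made for the illustration; a real clearing house would use its own digest scheme.

```python
"""Hold-and-recheck quarantine for mail that failed a spam test."""
import hashlib
import re
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 3600  # the 24-hour hold proposed in the comment


def body_digest(body):
    """SHA-256 of a whitespace- and case-normalised body (exact match only)."""
    normalised = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


@dataclass
class Held:
    sender: str
    body: str
    reason: str      # which spam test the message failed
    held_at: float   # arrival time, seconds


@dataclass
class Quarantine:
    known_spam: set = field(default_factory=set)  # digests reported to the clearing house
    queue: list = field(default_factory=list)

    def hold(self, sender, body, reason, now):
        """Quarantine a message instead of discarding it."""
        self.queue.append(Held(sender, body, reason, now))

    def report_spam(self, body):
        """Record a spam report (stand-in for a clearing-house feed)."""
        self.known_spam.add(body_digest(body))

    def release_due(self, now):
        """Process messages held for at least 24 hours.

        Returns (delivered, dropped): delivered items are
        (sender, explanation_header, body) tuples; dropped items are Held records.
        """
        delivered, dropped, still_held = [], [], []
        for msg in self.queue:
            if now - msg.held_at < HOLD_SECONDS:
                still_held.append(msg)
            elif body_digest(msg.body) in self.known_spam:
                dropped.append(msg)
            else:
                # Hypothetical header telling the recipient why the mail was late.
                note = f"X-Quarantine-Note: held 24 hours; reason: {msg.reason}"
                delivered.append((msg.sender, note, msg.body))
        self.queue = still_held
        return delivered, dropped


def demo():
    """Constructed run: one spam, one false positive, one message still on hold."""
    q = Quarantine()
    q.hold("promo@bulk.example", "Buy  PILLS now", "server on a blacklist", now=0)
    q.hold("carol@smallisp.example", "Meeting moved to noon", "server on a blacklist", now=0)
    q.hold("dave@smallisp.example", "Invoice attached", "server doesn't sign its mail", now=80000)
    q.report_spam("buy pills NOW\n")  # same text reported elsewhere during the hold
    delivered, dropped = q.release_due(now=HOLD_SECONDS)
    return delivered, dropped, q.queue


if __name__ == "__main__":
    delivered, dropped, waiting = demo()
    print("delivered:", [d[0] for d in delivered])
    print("dropped:  ", [d.sender for d in dropped])
    print("waiting:  ", [w.sender for w in waiting])
```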
Look at the licensing doc at Microsoft's anti-spam site (specifically the Word file licensing doc).
It says you have free license to create a licensed implementation (by which they refer only to the actual code to implement the specific caller-id protocol) if you give them free license to distribute it.
Now nobody is going to run around asking to distribute a few hundred lines of code scattered throughout your mail server, so that's not a serious issue. But, it does mean, if I'm reading this right, that you are not allowed to implement it in GPL'd code.
Am I reading too much into this?
We're not talking about forging e-mail addresses. We're talking about sending perfectly legitimate RFC822 e-mail with correct values in all the headers, which suddenly gets bounced because of SPF.
It is totally legitimate to send e-mail saying
From: myaddr@forwarding-service.com
Sender: login@myisp.com
via myisp.com's SMTP servers.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
You not just let every e-mail take a second to send? Just add a delay(1000) when the client identifies itself. Then, for the mass mailer, it would take ages.
"It looks like you are editing your sendmail.mc file. Would you like to add:
..."
1. define(`confTRY_NULL_MX_LIST',true)
2. define(`UUCP_MAILER_MAX',`2000000')
3. define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
4. FEATURE(`relay_based_on_MX')
5.
The neutrality of this sig is disputed.
The technical specifications for Caller ID for E-mail and the larger Coordinated Spam Reduction Initiative can be found through links on the page http://www.microsoft.com/spam.
My friend's mum was annoyed that her email had stopped working, so I had a look and got it working again - someone had changed the SMTP server.
An hour later, she came back and said it was broken again. I checked, and she was getting "550 Administrative Denial" from btinternet.com, which was the recipient's email server.
Eventually I discovered that her email goes through Freeserve, and a few weeks ago I had rebuilt their network so all the PCs went through a shared broadband connection. The recipient was detecting that this email had come from a machine that was not dialled up to Freeserve, and bounced it!
She now dials up to Freeserve to send email, but carries on using the broadband at other times.
Is there a reason the parent post was awarded so many points? It's simply wrong. Hey, how about thinking about the posts before handing-out points to some of the worst posts.
reverse DNS is problematic for exactly the reason you allude to, namely that ISPs rather than domain owners are in technical control, which puts small users (I is one!) at a big disadvantage. For these reasons rather than rDNS Caller ID instead uses a new forward query to the domain purportedly responsible for a message. If you can admin your incoming MX records, then you can admin your Caller ID outgoing info: the control is in the same place. You can find gruesome details from http://www.microsoft.com/spam.
Thanks for the link -- much appreciated and read.
Sigh. Trust Microsoft to release their technical information in .doc format. Well, here's my take. The MS solution doesn't provide, as the top sender assumed, a real PKI-based solution, which is what really excited me. That would ultimately solve a lot of problems in a much better fashion.
The Microsoft solution is not actually very different than SPF. It aims at doing pretty much the same thing -- identifying outbound mail servers for a domain in DNS, and disallowing mail from any mail servers that are not listed in DNS. I *still* feel that this approach is a hack and is going to have undesirable long-term effects.
There are some things to be said for the Microsoft approach, though. It seems to be basically a "better SPF". They considered a number of implementation issues that I was upset over in SPF. They talk about DNS caching and security implications of DNS as a transport mechanism. They address server migration, and provide an attempt at dealing with multiple apparent identities -- one that I feel isn't really sufficient, but which Microsoft, being Microsoft, might manage to pull off through control of Outlook.
Having read the SPF proposal and the Microsoft proposal, I do think that the Microsoft work is a lot more mature and builds on SPF, and is a better overall solution.
If one of the two must be implemented in the short term, I would prefer Microsoft's work.
I still think that Microsoft's Caller ID is still vulnerable to a number of SPF holes (such as throwaway domains). I am more than a little irritated, since Microsoft is really the only single player capable of promoting a PKI scheme (given that they control a major mail server and the major mail client). Furthermore, migrating to a PKI-based system would provide reasons to upgrade to new versions of Microsoft software -- pushing PKI makes excellent business sense for Microsoft. My guess is that Microsoft needed a solution *now*, given that they were facing SPF deployment, and wanted to fix some of SPF's problems rather than gambling on a full retrofit of the email system.
May we never see th
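An added example (not from the thread or from either proposal) of the check the comment above describes: a domain lists its outbound servers in DNS and the receiver refuses mail from hosts that are not listed. It uses SPF's `ip4` and `all` terms as a stand-in for Caller ID's records; the domains, addresses and the `check_sender` helper are constructed for illustration.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (documentation-range IPs).
TXT_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "throwaway.example": "v=spf1 ip4:203.0.113.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(client_ip, mail_from, txt_records=TXT_RECORDS):
    """Evaluate the connecting IP against the sender domain's policy.

    Only the ip4 and all mechanisms are handled; any other term yields
    "permerror" rather than being silently skipped.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    terms = (txt_records.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no policy published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if not term.startswith("ip4:"):
            return "permerror"
        try:
            network = ipaddress.ip_network(term[4:], strict=False)
        except ValueError:
            return "permerror"
        if ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def demo():
    return {
        "listed server": check_sender("192.0.2.25", "alice@example.org"),
        "forged sender": check_sender("198.51.100.9", "alice@example.org"),
        # A sender who registers their own domain publishes a matching record.
        "throwaway domain": check_sender("203.0.113.7", "offers@throwaway.example"),
        "no policy": check_sender("198.51.100.9", "bob@nopolicy.example"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The throwaway-domain case returns `pass`: the check confirms that the domain authorised the sending host, so a receiver still needs per-domain reputation or blacklisting on top of it.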
Your ephemeral addresses system should be made to work through some kind of outside service that won't appear to be directly an end user of some cable company that saves money (and claims lack of resources) by shifting the cost burden of spam to the recipients. That service would then implement methods to ensure its authorized users aren't abusing the relaying capability, such as a sender cost per message above a base package provision (something the cable company should be providing, but isn't).
now we need to go OSS in diesel cars
Wow, that sounds like the PGP plugin for Mozilla?
Can't we already use digital signatures to verify who's sending us mail? Also, how is this going to affect Windows worms that compromise a host and then send mail to everyone in Outlook's address book?
I was reading that post that you are replying to, & as I got to the middle, which I assume is the quoted text, it began to get blurry, & I got dizzy. So, as I looked away everything cleared. The rest of his post seemed fine. So, I looked @ the middle of the post again, & again I got dizzy!
It was weird. It was really weird. It's too bad too. That could have been the 1st /. article that I read since I joined many years ago, but hey, what can you do?
Anyways, it's good to know that I'm not the only 1 who can't read articles & quoted text. It's a good chance to practise improvising.
testing out my trending skills
A friend sent me an evite a month ago. I checked my spam filter today and it has blocked over 500 emails to my email in the last 2 days. I wonder if I could file for sexual harassment considering most of the email either want to improve my size, stamina, or show me dirty pictures. Any lawyers out there want to do a pro bono case?
Thanks for giving me the info the article and the idiot slashdot editors failed to, but let's be precise when talking about these things. These are not "solutions" to spam. They are however, if widely implemented (and no, not everyone has to agree on one solution, it could be having different plugins for different authentication schemes and determining the authentication scheme to use for a given SMTP connection by asking the sending MTA what authentication method to use like the IMAP protocol does), they will make joe-jobbing a thing of the past and greatly simplify distributed blacklists and the lives of mailserver admins. The end effect will be to make things substantially more difficult on spammers and virus writers. Hopefully though, combined with other tools and measures, it will mark the beginning of the end for SPAM.
This is not a solution, it's just a short term dirty hack. The long term solution is NGMP (Next Generation Mail Protocol) or similar protocols which make mail storage the responsibility of the sender. There is already some form of a working implementation at JabberStudio. Yes, it's also going to integrate with Jabber style open IM fine.
BPG = BGP, by the way. Gotta preview more.
One of my former staff members is now a DBA for Pfizer. When he started receiving Viagra spam, he traced the headers and tipped off the Pfizer legal department. Yes, the idiots were dumb enough to send Viagra spam to people with pfizer.com addresses. I could be wrong about this, but I think Pfizer employees can get prescriptions filled for free so long as it's for a Pfizer drug. I doubt they are looking for a cheap source of Viagra.
At the time, spammers were misusing the trademarked Viagra name to describe a non-Pfizer product, which is a big no-no. While the Pfizer legal people are powerless to end the spam, the ads for Viagra are now pretty much limited to sleazy prescription factories that claim to sell the "real" product. Now they describe the knock-offs as the generic name "Sildenafil Citrate" or some goofball name-du-jour that claims to be "as effective as Viagra".
Not much of a victory in the war on spam, but it shows how dumb the spammers can be.
Please mod parent up: +5, Funny!
found this in metamod. Figured I'd come over and encourage you. ;)
Mom says my
What, PGP signatures? Been using those for years...
Only problem comes when people say, "WTF is that extra crap in your email?"
Many of sendmail's problems are related to building an extremely general purpose mail forwarder that had to, on the Unix of the mid-1980s, support _all_ the popular email protocols of the time (including relaying between UUCP, BITNET, and many other non-TCP/IP things) and providing end-user mail receiving and mail sending services on time-sharing machines, as opposed to running in a dedicated environment with a simpler set of features. On the other hand, the AT&T Bell Labs Research UPAS mailers that became SVR4's mailer was just about as powerful but much smaller, cleaner, and more modular, and even under System III, the mail delivery software didn't need to run as root, so it wasn't the same horrendous security hole.
Microsoft-bashing isn't appropriate here either. Sure, the Exchange MTA and Outlook clients have appalling security and reliability records and used to be pretty much the Mos Eisley of security nightmares, but these aren't the security problems you're looking for. This is about addressing the security problems that are inherent in SMTP when you implement it _correctly_, which allows the mailer to receive all kinds of mail that makes fraudulent, bogus, distracting, or otherwise inappropriate claims about its origin that gives the naive recipient no way to hunt down and kill the evil time-wasting perpetrator (or makes it easy for the naive recipient to hunt down and kill the often-innocent bystander whose name was forged, whether the naive recipient is a human or a mailbot.) The problems have a lot of synergy - the lack of even cursory sender validation makes email an attractive nuisance when delivered to the naive recipient, who can be trusted to click on the happy shiny icon promising a display of dancing pigs (especially since Outlook is friendly enough to hide the ugly details from the user), triggering all the appalling things that can happen when you tell Outlook to trust a message it just received. This work is fundamentally about interfaces and scalability, and Sendmail Inc. is the right group for Microsoft to work with.
The details of the system seem a bit baroque to me, but you knew it was XML within the first couple of paragraphs, and it said Microsoft in the first half-sentence. It's not as lean and mean as LMAP and it has broader goals than SPF (which was originally about joe-jobs, and has suffered from some limitations as its scope has expanded.) And it's not going to solve the entire problem, because nothing short of a worldwide moral transformation or the extinction of the species is going to eliminate human greed and gullibility, but that's ok - even if it only eliminates _half_ the spam, that'll buy us another year of being able to keep reading email, plus it will annoy the spammers out there.
Of course, the continuing success of viruses that depend on the naive recipient pressing the button to watch the dancing pigs means that if SPF/LMAP/RMX/etc becomes widespread, we'll see more exploitation of Mail User Agent bugs that send out spam pretending to be from the naive user (or coworkers of the naive user), and then you can go back to bashing Microsoft while the Enemy continues their side of the arms race.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks