MS and Sendmail work together on Spam Solution
fudgefactor7 writes "Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance to launch a sender authentication plug-in which is hoped will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?" Update: 02/26 08:01 GMT by S : Though Microsoft and Sendmail are both working on solutions, there's no official alliance in place between the companies.
Yay
Simon.
Physicists get Hadrons!
Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one.
MS is a footnote. Aside from headline, the article mentions nothing about an 'alliance' or even Sendmail and MS working together.
Yahoo & sendmail cooperating
DJB hasn't updated qmail since 1997 and it looks doubtful he ever will. However, I'm sure third-party patches will be available if the idea catches on in any significant way.
I'm hoping the other companies like Yahoo and AOL follow suit with this strategy, and a solution becomes standardized
You didn't read the article, did you? Go RTFA
"Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one."
Open Source Java Web Forum with LDAP authentication
Most if not all Spam sent this way claims to be coming from some place other than the computer that sent it. If you get a message claiming to be from Microsoft and its source is some DSL IP range in the UK, this filter will chuck it. If you are only getting spam from known sources then you don't really have a spam problem.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
You have a good point, but THIS combined with other solutions could make a difference. Yes most of the PCs sending Spam won't be stopped by this, except that they don't have proper MX/PTR records. So if we use this with some DNS filtering to only accept mail from "real" mail servers, this could take out a large chunk of spam.
"Luke, I am your node.parent();"
It says nothing about Sendmail and MSFT working together. Only that they're working on their own solutions to the same problem.
While it's nice to see this type of work being done, the headline is misleading.
wbs.
Huh?
The poster should really have his/her coffee before posting this story. The story does not say that Microsoft and Sendmail are working together in an alliance. It simply states that Sendmail is working on an e-mail id type system and oh, by the way, Microsoft and Yahoo! are also working on a similar in concept system.
Not the big news the story looks like.
Eh? The point is that the receiving server will verify with the sending server that the email is really coming from where it says it is. SPAM usually lies about where it is coming from and the servers using this plug in will reject such mail.
If the SPAM isn't lying about where it's coming from then it's easy to block all SPAM from a web server, notify the offending server's admin if possible, get the spammers' accounts revoked, etc.
I don't know, am I missing something? The problem isn't that this won't help, the hurdle is getting the modification to the protocol accepted and used widely.
Not in any dictionary I've seen.
venerable
adj.
1. Commanding respect by virtue of age, dignity, character, or position.
2. Worthy of reverence, especially by religious or historical association: venerable relics.
3. Venerable Abbr. Ven. or V.
1. Roman Catholic Church. Used as a form of address for a person who has reached the first stage of canonization.
2. Used as a form of address for an archdeacon in the Anglican Church or the Episcopal Church.
The article's comment is plain wrong. Nowhere does it say MS and SendMail are forming an alliance...
"Email technology provider Sendmail is launching a sender authentication plug-in which is hoped will combat email fraud and spam."
"Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one."
Since when is 'also working' == 'forming an alliance' ??
There's something at least very similar to that already available as a milter. milter-sender does an email callback to the mx of the domain the email claims to be from and verifies that the address exists. Unlike some of the other solutions available, it doesn't expect the sender to send another mail to verify he's a genuine sender, but accepts the email if the mx doesn't fail to the "RCPT TO" command (exceptions requiring a "full callback" can be configured for mxs that only find out they don't know the recipient after the DATA command has been sent).
1. Those hijacked computers do spoof. I've seen quite a few cases where people who have my address in their address book send email supposedly being from my address.
2. Even if they ARE the verified senders of email, at least you would know which computers need to be cleansed of the trojans. Email the owner or ban the IP.
It's very similar to "anonymous call blocking" in that you don't talk to anonymous (spoofed) callers, and if you don't want to talk to a certain identified caller you don't.
That is hardly productive.
Let mail app makers team up and propose their own solutions, and let the market decide which spam killing system works best.
Top down planning is for communists. While I realize there are plenty on /., you don't need to shove it down the throats of everyone else. Please contain your reflexes.
"Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves."
Yeah, I see some actual hope that something like this would be effective. Perhaps if the servers simply exchanged certs, for example. Requiring a cert to run a mail server is NOT a heavy burden, and you could always accept unsigned messages if you wanted to. It raises some tech issues, and current SSL certs wouldn't work exactly. But a system of verifying the sending server and tying it to an identifiable individual or company would help a lot. Even the barrier of having it cost $50 or so to get a server cert would be enough to stop a lot of spammers.
Even better, such a solution is implemented at the server level, it's transparent to users, and it's backwards compatible (you could still configure your server to accept unsigned mail, or just filter it more aggressively), making gradual implementation a possibility. So there's a good chance it could catch on if major ISP's were to adopt it.
I confess to not having thought through all the details, but something along these lines is probably going to be the answer. Makes a lot more sense than any of the "pay per message" proposals, that's just Libertarians Gone Wild.
We are running Courier IMAP as well with our setup. Watch out if you have Mozilla email clients connecting to it; there are several bugs out there that require special configuration. Here is a link for ya that may help.
:)
http://karmak.org/2003/courier-imap/
sqwebmail is a nice addition as well.
Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
http://www.sendmail.com/sender_auth.shtml
Apparently, 60% of the world does.
That's what DNS is for. If it's not the main server or the MX record throw it away.
Bruce Schneier gives a pretty good argument that this will not end spam.
See : http://www.schneier.com/crypto-gram-0402.html#9
Here you can rate different spam tools. Right now the list includes:
sa-exim
Blackmail
spamhole
Mail Scanner
Spamish Inquisition (mtaproxy)
Outclass
amavisd-new
spamprobe
MIMEDefang
TMDA
SpamBayes
POPFile
CRM114
SpamAssassin
e4ward.com
SpamCop
bogofilter
Postfix
Declude JunkMail
SpamBouncer
Mail Washer
Shovel
Spamthis
Thunderbird
Mozilla Mail
Vipul's Razor
Infinospam
GatewayDefender
e4ward.com
Mail Overseer
CRM114
DSPAM
And therein lies the problem. No vendor, no matter how well placed, should just run off and try to implement a solution. Why? Because odds are good it will not take off. Everyone involved needs to agree on a solution THEN implement it.
As with any change to infrastructure, the conversion is likely best done in a phased approach.
Step 1: Implement authentication, but don't block messages from unauthenticated servers.
Step 2: Adjust existing SPAM filters to weigh mail from unauthenticated servers as having x % (where x is initially some relatively low number) greater likelihood of being SPAM than messages from authenticated servers.
Step 3: Increase x gradually over time. At the end of some period (say, one year), x approaches 90%, effectively blocking most mail not on whitelists from unauthenticated servers. Leave x at this high value for some time (say another year).
Step 4: Stop accepting mail from unauthenticated servers completely.
End of SPAM? Probably not (as SPAM mailers can authenticate themselves, and Microsoft WORMS and Viruses can hijack legitimate mail servers which authenticate themselves and send SPAM anyway) but it is a start.
The Future of Human Evolution: Autonomy
If you look on the sendmail site, it says that they are also working with yahoo on domain keys. It looks like sendmail is going to create their own compatible version of everyone's anti-spam solution
source, http://www.sendmail.com/sender_auth.shtml
-CPM
---You're all I need, When the water runs deep, You're all I need, Now I cry my soul to sleep -- Collective Soul, Needs
There are now other real products (not the v14gra sold by spammers) like Cialis. Oddly enough, they seem to be aiming advertising at the hard of hearing. Haven't seen any spam for it .. yet.
One line blog. I hear that they're called Twitters now.
3) France wins a war (without American help and without being led by a non-frenchman)
Even if you don't count the French Revolution, doesn't the Norman Conquest count? French invade Britain, French win, Britain ruled by Frenchmen for several hundred years. I'm pretty sure William of Normandy was French, and I'm pretty sure the Americans didn't intervene in that one.
Although the parent post was moderated as "funny," I think the question is a serious one. I use sendmail exclusively because it is the only mail server that supports the powerful milter API and allows me to use mimedefang, which cannot work with any other mail server. Mimedefang can drive antivirus software and spam filters, not to mention sanitizing of HTML email and so forth; it is a very powerful piece of software.
For many people postfix or exim work very well, and should be used over sendmail. But in a larger environment, sendmail is the standard. Qmail, well, I've never liked it.
>>I must be missing something.
.05%. In the traditional direct mail world (old style mail), 2% was a huge return.
You are. 5% is way too high, it's more the
RTFA
??? every single alternative mailserver (except MS Exchange..) has a filtering API.
amavisd-new + postfix is a pretty powerful combination too.
This has been rehashed a million times...
Basically forging email addresses is going to have to stop, just like using open relays had to stop years ago. SMTP AUTH has been around for years & every mailserver supports it.
There are currently 3 solutions competing on the internet. Only one actually works right now as we speak.
(1) Caller ID is Microsoft's big proposal. Domain owners put XML in the TXT records in their domain. Receiving email systems can determine if a message is valid only after seeing all of the headers.
(2) SPF (http://spf.pobox.com/) is already implemented and is already blocking joe-jobs and phishing schemes. It relies only on the envelope FROM and the owners of the domain publishing a short TXT record. Currently, aol.com and many more domains (around 6,000?) publish SPF records. Implementations for filtering based on SPF exist in perl, python, C, and for Exim, postfix, qmail and sendmail.
There is a small problem in forwarding email properly, but that is being resolved with SRS (same website).
(3) DomainKeys (Yahoo!'s solution) is still being researched and is looking more and more like S/MIME or PGP but for an entire domain. The domain owners would publish the public key via DNS (probably a TXT record as well) and receiving mail servers can verify that the message is indeed from said domain. There are some severe limitations: If someone gets your domain private key, you are screwed. It's also subject to a replay attack. The attacker would send a valid email to themselves through a server using domain keys, and then replay that message to the rest of the internet.
Both SPF and Caller ID can't work around DNS poisoning or IP spoofing. But they both limit the number of machines that are allowed to send email for a domain.
It is important that if you own a domain, that you publish SPF records - even if it is only "v=spf1 !all" or "I don't send any email for this domain". SPF, if it is going to be adopted, is going to be adopted at an exponential rate.
Caller ID is mostly Microsoft's response to the rapid success of SPF. They want to own the solution to spam, and they want to take credit for cleaning up your email box, even though their idea is really other people's ideas + XML. The protocol is heavy, burdensome, and subject to the whims of the XML interpreters out there right now. Plus, it is a huge proposal that is detailed and complicated, ripe for incompatibilities that could force users of Sendmail, Exim, Postfix, or Qmail to "upgrade" to Exchange.
The radical sect of Islam would either see you dead or "reverted" to Islam.
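An added example, not part of the comment above or of any project it names: a minimal evaluator for the envelope-FROM check described in item (2), run against constructed DNS data. It uses the qualifier syntax of the published SPF specification, RFC 7208 (`-all` means "no other host may send"), handles only the `ip4`, `a`, `mx`, `include` and `all` mechanisms, and every domain name and address in it is a constructed sample.

```python
import ipaddress

# Constructed sample DNS data (not real records): TXT, MX and A per name.
DNS = {
    "example.org": {
        "TXT": "v=spf1 mx ip4:192.0.2.0/28 include:_spf.mailhost.example -all",
        "MX": ["mx1.example.org"],
    },
    "mx1.example.org": {"A": ["198.51.100.25"]},
    "_spf.mailhost.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ~all"},
    "nomail.example": {"TXT": "v=spf1 -all"},  # domain that sends no mail
    "legacy.example": {},                      # publishes no policy at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on mechanisms that trigger DNS queries


def check_host(ip, domain, dns=DNS, _budget=None):
    """Evaluate the SPF policy of `domain` (envelope MAIL FROM) for client `ip`."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = dns.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"                      # no policy published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:        # terms are evaluated left to right
        qualifier = "+"                    # default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("a", "mx", "include"):
            budget[0] -= 1                 # shared across nested includes
            if budget[0] < 0:
                return "permerror"
        target = arg or domain
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in dns.get(target, {}).get("A", [])
        elif name == "mx":
            hosts = dns.get(target, {}).get("MX", [])
            matched = any(ip in dns.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":
            # An include matches only when the nested policy returns "pass";
            # the nested "fail"/"softfail" never becomes the outer result.
            matched = check_host(ip, arg, dns, budget) == "pass"
        else:
            return "permerror"             # mechanism/modifier outside this subset
        if matched:
            return QUALIFIERS[qualifier]   # first matching term decides
    return "neutral"                       # record ended without a match
```

A receiving server would call `check_host` with the connecting client's address and the domain from the envelope sender before accepting the message body.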
I already use a challenge/response system to filter my spam, and it works amazingly well. This is similar to the proposed MS/Sendmail "plug-in" in that it tries to verify that the sender is real and actually sent the email in question.
The one big problem neither system solves is spam from sources that are not forged, and actually have a valid return address. Nigerian spam gets through in either case, because an actual human is there. And sites that have a response-bot get through my challenge system (for the moment). These are the extreme rarity, of course, but if everyone used such a system then the spammers would just start using real verifiable return addresses all the time. It's easy to generate a new domain name every day (some already do) and get new IP blocks on a regular basis, so there's no easy way to automatically block email.
Even worse, spammers could still send out the email using zombies while putting valid return addresses in the spam so that it can be verified. They only need to hack their sendmail plugin to auto-verify any email with their return address on it and they can still use zombies all they like to send spam.
I think it's safe to say, as long as there's email, there will be spam.
The article does not say much especially around the technicalities of the solution, so all that I can understand is that there would be a scheme of verification. In other words, If I send a spam mail, the receiver will try to verify if the source e-mail server exists.
But what would stop spammers from faking the e-mail source server? The e-mail header could contain a valid public e-mail server address. There are tons of public e-mail servers around, and each company has at least one public (for its members to send/receive messages to/from the company). How would my company be protected from being a spam victim?
Another thing that I would like to point out is that the article does not say that Microsoft and Sendmail have formed an alliance. It says that they are working on a solution, each one individually from the other. It would be really bad if each one comes up with a different solution. It would mean that Unix servers would have a problem blocking spam from Windows servers and vice versa. I think that there should be an alliance and a common solution used by all.
If the ISP's mailservers would also check for mail in outgoing mail, and automatically shut off anyone that exceeds a certain threshold. They would have to block all outgoing traffic on port 25 as well.
Certifying the mailservers will make the certified mailservers a more valuable resource (now every virus or spammer brings along its own SMTP engine). In turn this will make the keys to use these resources more valuable. So instead of bringing along an SMTP engine, spammers will have to steal the keys to the mailserver (usually located in the Outlook configuration).
Blocking outgoing port 25 at the first router will have the same effect, but very few providers have done that as far as I know. Maybe you are right in that respect that it will not work after all.
This space is intentionally staring blankly at you
Oh, by the way, here's the breakdown of blood in the current Royal Family, just in case you thought my assertion was a little provocative:
Queen Elizabeth is half-British (Scottish, specifically), 7/16ths German, and 1/16th Danish. This comes from the fact that King Edward VII was totally German (as were his parents Queen Victoria and Prince Albert). He married Queen Alexandra, who was half-Danish, half-German. Their three-quarters German/one-quarter Danish son George V married Queen Mary, who was completely German. That made George VI seven-eights German, one-eighth Danish. Lady Elizabeth Bowes-Lyon was completely Scottish, and therefore not crap. And so we have their daughter Lillibet as she stands above.
Brenda married the half-Danish, half-German Prince Philip. This makes Prince Charles one-quarter British, 15/32nds German, and 9/32nds Danish. Lady Diana Spencer was 100% Brit, thereby making HRH Prince William of Wales 5/8ths British, 15/64ths German, and 9/64ths Danish.
If using Linux is about choice, how come people complain when I choose to use Windows?
I use open relays constructively. My ISP doesn't give me an SMTP server, I have to deliver all of my own mail via sendmail. This means that messages from my email account aren't directly from my domain's server. It irritates me when my email is seen as spam by unintelligent spam filters because this is a problem that I have had to deal with for years and I'm sure others are in a similar situation. I personally think that a scheme like PGP is the only way to rid the world of spam and to authenticate all email messages.
I've done this, the spammer complained to MindSpring, and MindSpring fined me $100 for DDOSing the spammer's site. It didn't seem to matter to MindSpring that the site belonged to a spammer.
The net is a crazy world.
If you really want, you can set SPF ( spf.pobox.com ) to authorize your ISP mail server to relay mail from your own domain (this is useful if your domain does not have its own mail server). However, a better solution is generally to SMTP AUTH to the mail server for your domain (rather than the mail server for your bandwidth, i.e. your ISP). SPF will support both though; it is your responsibility to make sure that this secures you from relaying.
Not sure if the Microsoft/sendmail suggestions work the same way.
Reverse DNS is problematic for exactly the reason you allude to, namely that ISPs rather than domain owners are in technical control, which puts small users (I is one!) at a big disadvantage. For these reasons, rather than rDNS, Caller ID instead uses a new forward query to the domain purportedly responsible for a message. If you can admin your incoming MX records, then you can admin your Caller ID outgoing info: the control is in the same place. You can find gruesome details from http://www.microsoft.com/spam.