Slashdot Mirror


MS and Sendmail work together on Spam Solution

fudgefactor7 writes "Powerhouse software vendor Microsoft and the venerable Sendmail have formed an alliance to launch a sender authentication plug-in which, it is hoped, will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?" Update: 02/26 08:01 GMT by S : Though Microsoft and Sendmail are both working on solutions, there's no official alliance in place between the companies.

  1. Talk about your odd couple. by SatanicPuppy · · Score: 3, Insightful

    Just adding a tag or a plugin wouldn't seem like it would help all that much...Email is such an open format that anything you add can be copied and added by spammers too.

    Just my opinion.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:Talk about your odd couple. by ceswiedler · · Score: 2, Insightful

      Why would I have to use my ISP's email address? My ISP's mail server relays for me because I'm on their network (and/or use SMTP AUTH), so there's no reason why they can't verify that they did in fact relay my message. Why does this have to be tied to whether or not I use my own email domain?

  2. Not going to fix it by Doesn't_Comment_Code · · Score: 5, Insightful

    This isn't going to fix it.

    A crap load of junk mail comes from insecure personal computers that were hijacked. If these computers send their junk mail, and this system tracks them, it will send the "A-OK" because the mail came from where it said it did.

    This will help, no doubt. But fix the problem? No.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
  3. And there's your problem... by Squeebee · · Score: 5, Insightful

    but it will need widespread acceptance to really work

    And therein lies the problem. No vendor, no matter how well placed, should just run off and try to implement a solution. Why? Because odds are good it will not take off. Everyone involved needs to agree on a solution THEN implement it.

    1. Re:And there's your problem... by mykej · · Score: 2, Insightful

      Waiting for everyone to agree is precisely the wrong answer. Nothing will ever happen.

      If you want a tool or protocol to gain widespread use on the net, write code. Release it. Get people using it.

    2. Re:And there's your problem... by Anonymous Coward · · Score: 1, Insightful

      Oddly enough, the traditional Internet RFC process is exactly the other way around. First, you create a working implementation of your idea. Then, you write up the RFC describing your implementation. And when enough people try it, study it, and decide that it's a good idea, the solution becomes standardized.

      Giant committees of "everyone involved" (everyone that uses email?) that sit around and debate the problem to death tend to be more like the entrenched telecom standards bodies that take years even to agree on the outline of a solution, much less implement and deploy it. Just look at the success of teletext services over ISDN compared with the Web.

  4. Re:Perspective.... by Anonymous Coward · · Score: 2, Insightful

    ..but it isn't really funny :-/

  5. this is low, even by /. standards by painehope · · Score: 4, Insightful

    nowhere in the fscking article does it say anything about MS and Sendmail working together.

    It tells of Sendmail launching a plugin for sendmail, and then :
    "Microsoft is one of several companies who are also working to combat spam with a "caller ID" system."

    Does anyone RTFA anymore? Am I alone in this? Is god really an abnormally large crustacean living on the moons of Jupiter?

    --
    PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
  6. Appropriate question.. by cK-Gunslinger · · Score: 5, Insightful
    "Could this be a sign of the beginning of the end of spam?"
    Allow me to rephrase that:
    "Could this be a sign of the beginning of even smarter & trickier spammers?"
    1. Re:Appropriate question.. by lavalyn · · Score: 2, Insightful

      NANAE Rule #3: Spammers are stupid.

      Spammers will pay smarter and trickier blackhats to write more insidious trojans and viruses, but that's about the limit.

      --
      Doing the Right Thing should not be preempted by making a buck.
    2. Re:Appropriate question.. by Cally · · Score: 2, Insightful
      Beginning of the end of the internet, more like. Predictably Microsoft's "solution" to spam will only work for users on Microsoft systems running Internet Explorer. pine on Linux? I don't think that's gonna run an ActiveX control somehow...

      When ISPs block everyone not running "spamproofed" clients, Billy's dream of 100% market share isn't far away. Reject this nonsense and support the original intent of the designers and engineers who built the net - end to end communications using platform agnostic standards.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  7. Arrumph... by Noryungi · · Score: 2, Insightful

    Stop me if I am wrong, but aren't Sendmail and Microsoft two of the biggest security problems on the Internet today? (Microsoft, of course, is a lot more dangerous, but still).

    I believe it was a former sysadmin at a previous job who told me (speaking of email, of course): "Never install Sendmail. Period". That sums it up pretty nicely.

    And I don't: Postfix is faster, more secure and easier to configure than Sendmail ever was. Qmail is also quite good.

    (Microsoft? Who needs Microsoft??) ;^)

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  8. Re:Which version by lanswitch · · Score: 3, Insightful

    Microsoft is involved, so it will cost you money.

  9. Sendmail is horrible by TheRealMindChild · · Score: 1, Insightful

    While most of you will jump on the line identifying sendmail as vulnerable, this isn't false.

    Sendmail, by far, is the worst application I have ever had the mis-privilege of having to deal with. It is a security nightmare. SMTP is a simple concept, but somehow sendmail found a way to make it your worst nightmare. The gotchas in the configuration alone are enough to break someone.

    At least now, even if it is help from MS, getting sendmail to NOT be an open relay, AND work appropriately WITHOUT hitting google for over a week, right from the start.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  10. Or... by philbowman · · Score: 2, Insightful

    "Could this be a sign of the beginning of the end of sendmail?"

    --
    Phil
  11. Re:Could this be the end of spam ? by gmack · · Score: 5, Insightful

    I doubt this will end spam.. however it will put an end to the collateral damage caused to other people's inboxes when some other jerk spoofs their domain names. (yes I'm mad.. I have 1000 bounces from the other week when someone sent online pharmacy ads while pretending to be ME)

    It will also put an end to using a free email account to receive spam replies.

    So it's not a cure but it will make the game more expensive for the spammers.

  12. The era of spam is over! by AtariAmarok · · Score: 5, Insightful

    Could this be a sign of the beginning of the end of spam?"

    Yes, just like computers have made the era of office paper end (I enjoy my paperless office, do you?), and how Bill Clinton in 1995 ended the era of big government.

    --
    Don't blame Durga. I voted for Centauri.
  13. I vote... by pizpot · · Score: 2, Insightful

    I vote that MS is going to try to embrace, extend, and exterminate anything it can rather than be of help.

  14. Re:Perspective.... by Anonymous Coward · · Score: 1, Insightful

    I doubt very much that Pfizer makes the majority of the products sold as Viagra these days. Most of it is either listed as Herbal Viagra (or "Herba1 V1ag*") or generic Viagra.

  15. A better article by PetoskeyGuy · · Score: 4, Insightful

    This InfoWorld article is much better than the one posted and mentions how this new Microsoft idea is very similar to the existing SPF, except that with Microsoft's version, the whole message is sent and downloaded before it's rejected.
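
The difference the InfoWorld comparison turns on is where in the SMTP session the check can be answered. Below is an added example (not code from the page, from Sendmail, or from Microsoft's Caller ID): a subset SPF evaluator over a constructed DNS table. It implements the ip4, a, mx, include and all mechanisms of SPF (RFC 4408) with the 10-lookup budget that RFC imposes, and no CIDR suffixes on a/mx. Because the check needs only the connecting IP and the MAIL FROM domain, the receiver can reply 550 at MAIL FROM, before any body is transferred. All domains, addresses and records are invented.

```python
"""Subset SPF evaluator over a constructed DNS table (added example)."""
import ipaddress

# Constructed stand-in for DNS; nothing here is a real zone.
FAKE_DNS = {
    "example.org": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:relay.example.net -all"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["203.0.113.25"]},
    "relay.example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "noreply.example.com": {"TXT": ["v=spf1 a ~all"], "A": ["203.0.113.5"]},
}

MAX_DNS_LOOKUPS = 10   # RFC 4408 limit on lookup-causing mechanisms per check
RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype):
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    for txt in dns(domain, "TXT"):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_spf(client_ip, sender_domain, _budget=None):
    """Return pass, fail, softfail, neutral, none or permerror."""
    budget = [MAX_DNS_LOOKUPS] if _budget is None else _budget  # shared across include
    record = spf_record(sender_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULT_FOR[qualifier]
        if mech == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return RESULT_FOR[qualifier]
            continue
        # a, mx and include each cost a DNS lookup; enforce the budget.
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        target = arg or sender_domain
        if mech == "a":
            matched = str(ip) in dns(target, "A")
        elif mech == "mx":
            matched = any(str(ip) in dns(mx, "A") for mx in dns(target, "MX"))
        elif mech == "include":
            matched = check_spf(client_ip, target, budget) == "pass"
        else:
            return "permerror"   # mechanism this subset does not implement
        if matched:
            return RESULT_FOR[qualifier]
    return "neutral"            # no term matched and no "all" present


def mail_from_reply(client_ip, mail_from):
    """What the receiver can answer at MAIL FROM, before DATA."""
    domain = mail_from.rsplit("@", 1)[-1]
    verdict = check_spf(client_ip, domain)
    if verdict == "fail":
        return "550 5.7.1 %s not authorized to send for %s (SPF fail)" % (client_ip, domain)
    return "250 OK (spf=%s)" % verdict


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.org"), ("203.0.113.25", "example.org"),
                    ("198.51.100.9", "example.org"), ("10.0.0.1", "example.org"),
                    ("10.0.0.1", "noreply.example.com"), ("10.0.0.1", "unknown.example")]:
        print(ip, dom, "->", check_spf(ip, dom))
    print(mail_from_reply("10.0.0.1", "joe@example.org"))
```

The include mechanism shares the lookup budget with its caller so a chain of includes cannot be used to make the receiver issue unbounded queries, which is the resource-exhaustion angle SPF itself has to guard against.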

  16. Re:Perspective.... by josh_freeman · · Score: 2, Insightful

    Now this makes me feel warm and fuzzy on a dreary Tuesday morning. Although Bill Gates' popularity would have been best served by going on Star Trek:TNG as a Borg, the next best thing he can do is to actually be polite to the open source crowd for a change. True, most of us want to crush the Microsoft juggernaut under the heels of the Penguin, but interoperability between Microsoft and *nix is for the most part a very good thing. I've been happily using Linux as my main platform since 1998, but not everybody is in love with the command line.

    Of course, this is Microsoft we're talking about, so I am sure they will find some way to screw this up.

  17. Re:End of what? by OneFix+at+Work · · Score: 4, Insightful

    Well, let's see...spamassassin works with sendmail, so I don't get your point there...I don't think they are looking to replace the functionality of spamassassin, they are taking care of the problem in a different way...

    And, as far as postfix being better than sendmail...sendmail has a bad rap because it has been around the longest...

    Yes, some older versions of sendmail had security problems. Yes, sendmail has some feature bloat...

    But, sendmail is the MTA of choice for UNIX distributions...sendmail is probably one of the most configurable of all MTAs (that also makes it one of the most difficult to configure)...mainly because of its past, sendmail is good in a different way than MTAs like postfix...

  18. Not such a new idea by dachshund · · Score: 2, Insightful
    This is a very old idea. Not that you should be ashamed for thinking it up. There are similar solutions for almost every vulnerable Internet protocol (DNS, BGP, etc.) People don't implement them because they have high cryptographic overhead and require major infrastructure changes (including the addition of a PKI.)

    Incidentally, a better solution might use Identity Based Encryption. Still has many of the same problems, but it's a tiny bit more elegant.

  19. DoS attack anyone? by DjMd · · Score: 5, Insightful

    The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did.

    Doesn't this just sound like a great way to create a DoS style attack?
    I: Flood many servers with email supposedly from server X
    II: All servers attempt to contact server X
    III: Server X crashes/is overwhelmed with requests, stops responding
    IV: Some of the original servers might get hung trying to clear email from Server X, now no longer responding...
    I admit that IV seems avoidable, but I-III don't seem like a big stretch based off of prior MS security exploits...

    --
    DJMD - The fourth man - Planetary
    1. Re:DoS attack anyone? by Lord+Ender · · Score: 2, Insightful

      That is silly. Why don't they just flood server X directly? Surely that would be more efficient than flooding everyone else and hoping to overload it with 'verify' requests.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
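
The exchange above (steps I to III and the reply) is about reflection: each receiver that verifies by connecting back to the claimed origin turns a forged message into a connection at the victim, from a host the victim cannot simply block. Below is an added model, not code from the page or from any vendor plug-in, that counts those connections with R receivers each fed N forged messages. NaiveReceiver calls back every time; BackoffReceiver adds the two mitigations a practitioner would expect, a per-domain cap on unanswered callbacks and a temporary 451 for further mail instead of yet another callback. The victim, capacity figures and domain name are constructed, and receivers are processed sequentially for simplicity.

```python
"""Reflection model for callback-style sender verification (added example)."""


class Victim:
    """The host whose domain is forged. It answers up to `capacity`
    callbacks, then is saturated and stops answering."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.connections = 0

    def callback(self, message_id):
        self.connections += 1
        if self.connections > self.capacity:
            return None     # timed out: the victim is overwhelmed
        return False        # answered honestly: "I did not send that"


class NaiveReceiver:
    """Calls back once per message, unconditionally."""

    def __init__(self, victim):
        self.victim = victim

    def handle(self, sender_domain, message_id):
        answer = self.victim.callback(message_id)
        if answer is None:
            return "451 verification timed out"
        return "550 sender did not send this message"


class BackoffReceiver:
    """Stops calling back a host that has stopped answering."""

    def __init__(self, victim, max_unanswered=2):
        self.victim = victim
        self.max_unanswered = max_unanswered
        self.unanswered = {}   # sender_domain -> unanswered callbacks so far

    def handle(self, sender_domain, message_id):
        if self.unanswered.get(sender_domain, 0) >= self.max_unanswered:
            return "451 verification deferred (origin not answering)"
        answer = self.victim.callback(message_id)
        if answer is None:
            self.unanswered[sender_domain] = self.unanswered.get(sender_domain, 0) + 1
            return "451 verification timed out"
        self.unanswered.pop(sender_domain, None)
        return "550 sender did not send this message"


def run_campaign(receiver_cls, n_receivers, per_receiver, capacity, forged="victim.example"):
    """Return (connections the victim saw, SMTP reply codes the forger got)."""
    victim = Victim(capacity)
    receivers = [receiver_cls(victim) for _ in range(n_receivers)]
    codes = {}
    for receiver in receivers:
        for i in range(per_receiver):
            code = receiver.handle(forged, "msg-%d" % i)[:3]
            codes[code] = codes.get(code, 0) + 1
    return victim.connections, codes


if __name__ == "__main__":
    for cls in (NaiveReceiver, BackoffReceiver):
        conns, codes = run_campaign(cls, n_receivers=50, per_receiver=100, capacity=200)
        print(cls.__name__, "victim connections:", conns, codes)
```

With 50 receivers and 100 forged messages each, the naive design delivers 5,000 connections to a host that can answer 200; the backoff design delivers 200 plus at most two probes per receiver once the victim is down, and the forger gets the same 451s either way. The forger's own cost is one SMTP session per message at whichever reflector it picks, which is the asymmetry the original post describes and the reply overlooks.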
  20. Re:Good job Microsoft! by Piquan · · Score: 3, Insightful

    Requiring a cert to run a mail server is NOT a heavy burden,

    Personally, I don't think it's even necessary. I doubt that spammers will start doing man-in-the-middle attacks or DNS manipulation (not because they're morally above it, but because of the technical expertise, legal exposure, and risk of being caught and traced). So just make up a cert and stick it in a DNS record for your domain. No PKI needed => no payment to get your cert.

  21. Solve the problem at the SOURCE by GoMMiX · · Score: 5, Insightful

    Now my little server can do advanced reverse lookups on the over 90,000 spam messages it handles per month.

    I'm thinking not...

    How about making all spam a crime and holding the companies who finance it liable. Then giving consumers the power to sue for damages.

    I'm not an ISP, under CAN-SPAM I can't do ANYTHING about the over NINETY THOUSAND spam messages sent to my server per month.

    Needless to say, my poor little PII-400 linux box gags and chokes during sporadic 'floods' of spam through each day.

    I must say, though, any efforts to thwart spam are good in my opinion. However, the problem will _never_ be solved until the companies PAYING for spam are held financially and/or criminally liable for their actions.

    After all, if you PAY someone to commit murder for you -- does that make you any less guilty?

    No.

  22. Re:Article doesn't say they're working on same thi by eddy · · Score: 3, Insightful

    I hope the IETF is smart enough to not support any solution that would make it impossible for me as a regular joe-home user to run my own mailserver. If some other server wants to talk to mine and ask "did you send me this?" that's great, but if some other server decides to /dev/null a message from me because my IP doesn't backward resolve to the domain claimed when sending, then that's bad.

    I'm actually a bit scared that this 'anti-spam' crusade will end with an even bigger wall between "users who should pay and consume" and "legitimate service providers".

    --
    Belief is the currency of delusion.
  23. Re:Good job Microsoft! by jjshoe · · Score: 2, Insightful

    a) I am not paying an extra $50 just to send email from my home server for a certificate.

    b) $50 a server for a spammer is like the average joe forking out money for a tootsie roll. Assume $50 gets him 12 hours of spamming before he gets the cert yanked. Lets assume he sends one email per second and receives a dollar for every email responded to. That's 43,200 emails a day and we will further assume only 5 percent get responded to. That's $2,160 for 12 hours of spamming gross, $21,110 net. I must be missing something.

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
  24. Can I still use my own mailserver...? by interactive_civilian · · Score: 4, Insightful
    I read the article, but it seemed a little light on details...What exactly do they mean by checking to see if an email comes from where it claims? Do they mean that if the Domain Name or IP that the mail is sent from doesn't match the domain in your return address, the mail will be rejected?

    If so, this will bother me to no end. I currently have two main email addresses, one using Cluemail and one using MyRealBox. I check both of these addresses using IMAP with MacOS X's Mail.app. However, since MyRealBox is an experimental server and is not always up and since the free accounts on ClueMail don't have SMTP access, I am using my own machine running QMail to send my emails. Obviously my IP and whatever domain gets assigned to it from So-Net (yay Fiber Optic connection to the apartment!!) do NOT match either of my mail addresses.

    So, will something like this spam solution break my set-up?

    Disclaimer: I am somewhat clueless about all of this. I only know enough to have been able to set my machine up securely so it is not nor can/will not be a source of spam. So, I appreciate any information. Cheers. :)

    --
    "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
  25. Re:Perspective.... by Anonymous Coward · · Score: 1, Insightful

    Huh? 90% of my spam is for the real stuff sold in canadian pharmacies.

    Even if it's for generic viagra, having the name Viagra splattered in front of the world every day gives name recognition to the product.

  26. Fresh Start by 36526542DD · · Score: 2, Insightful

    Email doesn't need more bandaids and half-@ssed fixes, we need a ground-up rewrite that replaces SMTP.

    It would be a very easy thing for the standards bodies to hash out the best SMTP replacement in 90 days (we've been talking about all of the changes for years, just decide already and take action!) and then announce to the world: "On January 1st, 2005 all SMTP email will be phased out in a 90 day transition period. It will be replaced by [acronym], which will prevent spam in its various forms".

    Anything short of this is a hack that will enjoy only very limited success and only prolong the inevitable.

    There is far more wrong with email than just spam, and the protocol is showing its age. A lot has happened in 20 years (not to mention the last 5 in particular), and it is time for complete replacement (that doesn't involve me paying money for email stamps...).

  27. Re:Gee this isn't biased by glenrm · · Score: 4, Insightful

    Anybody with over 10,000,000,000 cash is considered a powerhouse in my book. And I think any email program that existed before 1995 is venerable...

  28. Re:The way to get rid of a lot of spam... by philipx · · Score: 2, Insightful

    You might be missing something.

    1) Politeness. When I send the same email (usually funny things) to a bunch of friends, I put them all in the BCC field because I don't want one to know about the email address of others without asking... I find it annoying when somebody sends me such an email and puts me in the To field with a dozen other people.

    2) Mailing lists. The email I receive from some of the mailing lists I belong to is addressed (To:) to some common email account (e.g. butler@mailinglist.org), and a script sends me the message but keeps the To: address, so when I hit reply it goes to that butler instead of going to the person that sent the original message.

    Hope it makes things a little bit more clear.

    --
    __________
    Don't belong. Never join. Think for yourself. Peace!
  29. Verify against what? by cnb · · Score: 2, Insightful

    If it's sendmail they'll probably push to verify against passport.com.

    Microsoft does have the power and the ubiquity to push a standard through but we also know about embrace and extend.

    Instead of everyone working on separate anti-spam standards (yahoo - domainkeys, AOL testing SPF) it would be better if the largest email providers used industry standards bodies (IETF, ECMA) to push through a common verification standard.

    - cnb

  30. again NOT new features by Anonymous Coward · · Score: 5, Insightful

    Ever seen in email from your sendmail MTA where in the header it says "FORGED"? Usually on spam email. You know you can block on that in sendmail without any add-ons... The problem is that the majority of the internet servers must then go out and update their DNS records for MX and reverse for this to actually work.
    PS: I actually turned this on one time to get rid of spam, blocking a whole bunch of legit email in the process. Oops. Hello internet, just enforce the tools that you already possess.. nuff said.
    --jboss

  31. Re:Good job Microsoft! by 0x0d0a · · Score: 4, Insightful

    If you're right, that Microsoft's system involves cryptographic signatures on a per-email-address level, and the protocol is open, I am deeply impressed. Microsoft would be from a technical standpoint far ahead of the SPF crowd (who are pushing an ugly, nasty-side-effect hack if I've ever seen one).

    Microsoft may actually produce something that benefits the community as a whole. Seems incredible, but...wow, if we owe having a *good* email infrastructure to Microsoft, the world will be standing on its head.

    Anyone have a link to a good technical description of Microsoft's proposed system?

  32. Re:Sending from home? http://slashdot.org/users.pl by Skapare · · Score: 5, Insightful

    The issue you face is one of "identity distinction". By being on Comcast Cable, you appear to be one of the unwashed masses. Whether your system is secure or not isn't known, and isn't practical to find out (trying to actually crack your machine to see if one can get in, to refuse mail if the crack succeeds, has certain legal risks).

    You can distinguish yourself by making your email address known and others can whitelist it. Of course that's only good up to the point that spammers start to joe-job you using that address (which may not be for quite a while). Another way (which won't work with Comcast because they are so clueless, but could work with some other ISPs) is to get static IP and arrange for reverse DNS to identify your domain name. Some (I do, for example) block Comcast based on the domain name (easier to manage than a bunch of IP address ranges), which means if your IP didn't have comcast.net on it, it might get through. And if you do have a static IP, you could just ask for that one to be whitelisted.

    There are also message content ways to distinguish yourself, such as cryptographically signing your message. But the problem here is that mail servers have to accept all mail first to see that signature. That breaks the ability to refuse during the SMTP RCPT command; refusing at the DATA command not only means wasting the bandwidth always on every message, but also the inability to let users separately whitelist, or means sending bounces to unverified addresses (bad). If they would redesign SMTP to provide the crypto signature during the SMTP session, that would help a lot.

    Probably the best solution is to subscribe to a mail submission service (e.g. someone who has a colocated mail server and takes your mail only via authenticated SMTP or MSA). Then the fact that you're on Comcast is hidden deeper in messy RFC headers.

    --
    now we need to go OSS in diesel cars
  33. Re:Submitter and Editor didn't RTFA by arivanov · · Score: 5, Insightful

    Microsoft - well... dunno... hard to say anything... Some of their IETF work has been brilliant. It is the implementation (and the marketing in command of it) that has been horrible.

    Sendmail - no fscking thanks. Their track record in inventing features and suddenly introducing them without at least informing the internet community at large is not anything to shout about. Basically in order to deal with the sender-address-must-resolve and the antispam parts of their rulesets you usually need 4 aspirins and 200ml of vodka. That along with 24 hours of sleep gives you a chance of recovering your sanity after getting it to work after the upgrade forced by the next inevitable Sendmail Security FuBAR(TM). Note - it is a chance. Some people never recover. In other words there is a reason for the upside down bat to be the sendmail logo. That is what a sysadmin looks like after dealing with it. No matter how much I dislike some of Exim sillies I would stick with it.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  34. and a similar question... by dpilot · · Score: 2, Insightful

    Maybe. It depends on the implementation.

    As an email originator, you have an envelope, a From: address, and a Reply-To: address. I'm pretty sure that they're not going to filter on the Reply-To: address, but From: and envelope are a different matter.

    I have an email vanity domain, and they forward it all to my ISP's POP box. One of the things I like about Exim is that it can easily and *thoroughly* rewrite addresses, including the envelope. My outgoing email goes through my ISP's relay, but in every way except headers, it looks like it came from my vanity domain.

    It looks to me as if this scheme will break my current vanity domain usage. Further, it looks to me as if it will require care to make *any* vanity domain usage work.

    BTW, the other reason for a vanity domain is to keep your email address constant even when changing ISPs.

    --
    The living have better things to do than to continue hating the dead.
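
The post above separates the envelope from the From: and Reply-To: headers, and earlier posts (22, 30) describe the crude check that worries them: reject when the client's reverse DNS is not in the domain it claims. Below is an added example, not code from the page or from any MTA, that walks one constructed SMTP transaction through that logic. It shows that only the envelope sender exists at RCPT time (From: and Reply-To: arrive inside DATA) and that a vanity domain relayed through an ISP fails the reverse-DNS heuristic even though the mail is legitimate, which is why an address allowlist (post 32) is the usual escape hatch. The transaction, hostnames and reverse-DNS table are invented.

```python
"""Envelope vs header addresses, and the reverse-DNS heuristic (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: what the client said before DATA ...
ENVELOPE = {
    "client_ip": "198.51.100.44",
    "helo": "relay3.isp.example",
    "mail_from": "dave@vanity.example",
    "rcpt_to": ["friend@example.org"],
}

# ... and the message it then transmitted in DATA (vanity domain in the
# headers, ISP relay in the Received: trace).
RAW_MESSAGE = """\
Received: from home.isp.example (dsl-44.isp.example [192.0.2.44])
\tby relay3.isp.example with ESMTPA id ABC123
From: Dave <dave@vanity.example>
Reply-To: dave-lists@vanity.example
To: friend@example.org
Subject: envelope vs header test

hello
"""

# Constructed reverse-DNS answers for the two client addresses used below.
FAKE_RDNS = {
    "198.51.100.44": "relay3.isp.example",   # the ISP relay
    "192.0.2.10": "mx.vanity.example",       # a host inside the vanity domain
}


def sender_addresses(envelope, raw_message):
    """The three addresses an originator controls, and where each lives."""
    msg = message_from_string(raw_message)
    return {
        "envelope_from": envelope["mail_from"],                # MAIL FROM, seen at RCPT time
        "header_from": parseaddr(msg.get("From", ""))[1],      # only inside DATA
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1] or None,
    }


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def rdns_in_sender_domain(envelope, rdns=FAKE_RDNS):
    """True if the client's reverse name is the sender domain or a host under it."""
    host = rdns.get(envelope["client_ip"], "").lower()
    dom = domain_of(envelope["mail_from"])
    return host == dom or host.endswith("." + dom)


def crude_rcpt_decision(envelope, allowlist=(), rdns=FAKE_RDNS):
    """The heuristic applied at RCPT TO, before the body is transferred."""
    if envelope["mail_from"].lower() in allowlist:
        return "250 OK (allowlisted sender address)"
    if rdns_in_sender_domain(envelope, rdns):
        return "250 OK (client reverse DNS is in sender domain)"
    return "550 5.7.1 client %s is not in %s" % (
        rdns.get(envelope["client_ip"], envelope["client_ip"]),
        domain_of(envelope["mail_from"]),
    )


if __name__ == "__main__":
    print(sender_addresses(ENVELOPE, RAW_MESSAGE))
    print(crude_rcpt_decision(ENVELOPE))                          # vanity domain via ISP relay
    print(crude_rcpt_decision(ENVELOPE, allowlist={"dave@vanity.example"}))
    print(crude_rcpt_decision(dict(ENVELOPE, client_ip="192.0.2.10")))
```

Note what the heuristic never looks at: the From: and Reply-To: headers are untouched, so a forger who sets a plausible envelope sender and an arbitrary From: passes exactly as well as the legitimate relay user fails.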
  35. No Viable Solutions Other Than Ground Up Rewrite by Anonymous Coward · · Score: 2, Insightful

    The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did.

    How is this to be attained? Checking DNS won't work - one is bound to get false positives when a DNS query fails on an existing domain.

    Some mail servers are even configured so you can't lookup to see if a user exists. So you'd have to disable the lookup feature which most email servers already offer to check sending addresses so the server is meant to become a blackhole for spam...

    Domain keys - pfft. It's as likely as any other technology - EVERYONE has to unilaterally implement it for it to work. Never mind that it would be a matter of time before domain keys are spoofed.

    Want to be effective for a period against spam? Then do what's needed on an already ailing system - re-write it from the ground up. There's numerous other features that are missing from email like UTF-8 support because English is the only language supported by email for usernames, passwords. In accompaniment, DNS needs UTF-8 support...

    The sad truth is that this will never happen unless something catastrophic happened to the existing infrastructure.

  36. more corporate control of internet by DuckWing · · Score: 2, Insightful

    This is just leading to a monopoly and corporate control of the Internet. As much as I'd like to see a solution like this, as I believe it will work, we need to be sure that anyone can still participate

    Our LUG recently had a discussion on x.509 certs and how it could be used to verify a mail server. If a mail server starts to send spam, the cert is revoked and can no longer send mail. This is more drastic, and leads to the same corporate control however.

    --
    -- DuckWing
  37. Beginning of the End of EMAIL by macdaddy · · Score: 3, Insightful
    "Could this be a sign of the beginning of the end of spam?"

    Certainly not. I do however predict it will be the beginning of the end of email. This is a perfect way to segment the email systems from one another; those that utilize this plugin and those that are discriminated against for not using this plugin. I for one will not use something that isn't a damned standard. You don't have to be an evil genius to recognize the evils of introducing non-standard requirements into such a critical system. It's just plain nuts.

  38. Re:End of what? by Vihai · · Score: 3, Insightful

    Well, let's see...spamassassin works with sendmail, so I don't get your point there

    Simple: Postfix is better than Sendmail. Spamassassin is better than anything Microsoft may even think to write.

    Two orthogonal concepts.

    And, as far as postfix being better than sendmail...sendmail has a bad rap because it has been around the longest...

    You may not have looked at Postfix deeply enough. Postfix is better in the way it is designed and in the way it is implemented. The multi-daemon design is orders of magnitude more secure than anything as monolithic as sendmail.

    The code quality is spectacular. I had to customize it a bit and the sources were so well written that I was able to understand them almost immediately.

    Yes, some older versions of sendmail had security problems. Yes, sendmail has some feature bloat...

    Those security problems could have been cosmetic issues in a design like postfix's.

    But, sendmail is the MTA of choice for UNIX distributions

    Not anymore for my distribution. Anyway, this doesn't mean it is better... for the same reason Windows is installed on most computers...

  39. Re:Perspective.... by thomasdelbert · · Score: 4, Insightful

    Do you really trust a spammer to send you the real goods? Counterfeit drugs are rampant, and unless you purchased the drug from a reputable (licensed) pharmacy, it is unlikely you are getting the real deal, especially on something expensive, hotly demanded, and potentially embarrassing to sue about.

    Pfizer suffers from this due to a possibility of a counterfeit drug causing harm, making Pfizer a target of an inadvertent lawsuit, the cost of which being huge amounts of negative publicity. Imagine: Pfizer getting sued - big headline on front page - everybody's talking about it. The drug turning out to be counterfeit - tiny headline near back page three months later - nobody notices. The fact that it came from a spammer - doesn't even get reported.

    --
    ___ This sig is in boldface to emphasize its importance!
  40. Mass mailing worms... by Last_Available_Usern · · Score: 2, Insightful

    I wonder if this will have a positive impact on mass-mailing virii that rely so heavily on spoofed "From" fields, or if this will just further slow down our mail servers as it filters through it. I guess it's a matter of which is the lesser of the performance evils: the antivirus engine, or this new fancy schmancy sender verification idea.

  41. The question is by El · · Score: 2, Insightful

    will the plug-in be available for non-Microsoft systems? If not, then this will just cause a shift in the host OS of choice for spamming, thus allowing Microsoft to blame spam on "those commie hippy pinko open-source zealots."

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  42. Maybe submitter trying to sneak one by? by bangular · · Score: 1, Insightful

    I'd say the submitter was trying to sneak one by. That article was too short and too straight forward to be misinterpreted that badly.

  43. Re:similar solution already available by MotownAvi · · Score: 2, Insightful

    How is this a good thing? Each of the million recipients of the spam that was sent with my domain as a forged sender is going to slam my mail server with a mail request and then cancel?

    Talk about a DDOS.

    At least SPF uses DNS servers, which are designed to handle that kind of load, and use UDP for lower overhead.

    Avi

  44. Re:The sky is falling by smyle · · Score: 2, Insightful
    For the US, I think the burning of the White House by the English, Alamo, the Seminole wars, Little Big Horn, Vietnam and now Iraq are rather exemplar that sometimes you win, sometimes you lose...

    Battle != war

    Last I checked, we didn't become a British colony again after 1812, Texas is part of the U.S. ("Texas - it's like a whole other state!"), as are the black hills, and you notice how the Iraqi troops kicked us right out.

    Vietnam listed here is legitimate, and I'm not familiar enough with the Seminole wars to comment.

    Iraq may be a political "loss" (we're still too close in history to judge it), but it certainly isn't a military loss.

    Now having said that, I must also acknowledge that if it weren't for the French, we may still be a British colony.

    --

    Sleep is just a poor substitute for caffeine, anyway. -Bob Lehmann

  45. Re:This will fail because by abb3w · · Score: 2, Insightful

    (x) It is defenseless against brute force attacks Um? Public/Private key encryption is sorta subject to brute force attacks, but last I heard a 1024 bit key set requires a Seti@Home grade cluster to have a hope of breaking it.

    (x) Requires too much cooperation from spammers
    (x) Requires immediate total cooperation from everybody at once
    I don't see that. However, if I enable spam blocking on my mst3k@earthlink.net account, my ISP may then drop everything from those not using this authentication into the bit bucket.
    (x) Many email users cannot afford to lose business or alienate potential employers
    And these folks will be the last victims of spam, until the diminished number of people seeing spam diminishes those buying spammed products so that spamming is no longer economically viable.

    Specifically, your plan fails to account for
    (x) Open relays in foreign countries

    Such open relays may be subjected to vast pressure from their upstream providers, not to mention DDOS from socially activist script kiddies. They may also be conventionally blacklisted.

    (x) Huge existing software investment in SMTP
    This is still using SMTP, with perhaps eight additional RFC 822/2076 type headers that can and should be made official via RFC if this proposed standard is implemented. However, the plan does NOT cover the issues of secure key distribution, or compare the computational overhead of key-pair signature verification versus current spam filter methods.

    (x) Armies of worm riddled broadband-connected Windows boxes
    Depends on whether the spamming program uses its own SMTP engine (filtered at destination due to lack of authentication), or parasitizes off the ISP SMTP server (which will at least track spam to particular ISPs.) Granted, we're still going to need several million cluebats, and ISPs will need to deal with those people who enable spammers.

    (x) Dishonesty on the part of spammers themselves
    I don't see the problem here. More specific, please.

    (x) Bandwidth costs that are unaffected by client filtering
    If it results in vastly fewer people reading spam (say, reduced to 1% current levels), response rates reduce (roughly) correspondingly. Spam becomes less rewarding, so fewer people will try it, and bandwidth throughput goes down.
    I concede, the bandwidth/throughput costs of key distribution for the client filtering may be less than trivial as well.

    --
    //Information does not want to be free; it wants to breed.
  46. Re:Good job Microsoft! by Emrys · · Score: 2, Insightful

    Exactly. Going after sender verification (and route verification) is becoming more and more obsolete. We assumed the spammers wouldn't be able to do anything once we shut down their routes, but like has happened with almost every other tech we thought would beat them, they raised the bar to the next level and started taking over machines and using *their* legit mail routes. So far they're still mostly using bogus From headers to send with, but it's only a matter of time until they switch to using the full credentials of the owner of the machine they're sending from.

    How are SPF or DomainKeys or SMTP AUTH going to help you when all your spam comes from people you know, because spammers have moved to just taking over machines and using those machines to spam the people that person normally emails, as that person? In fact, the sender-verification systems likely will have the primary effect of pushing the spammers to using these techniques *more*. And if you think we're going to fix *that* problem by making MS machines more secure, wake up. The main effect of letting MS be involved in some sender verification "solution" is going to be inviting them to embrace and extend SMTP toward an Exchange-only internet.

    It's becoming increasingly clear that the only thing that's going to set spam apart from legit mail long term is the content, and even that is becoming more and more iffy. Still, bayesian filters are showing the most short and long-term potential.
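The two points raised in comments 43 and 46 (SPF is a plain DNS lookup, and a path check passes anything sent from an authorized host, hijacked or not) can be illustrated with a small SPF-style evaluator. This is an added example, not code from any poster or from Sendmail or Microsoft; the domains, IP ranges and records below are constructed for illustration and stand in for what a real DNS query would return.

```python
import ipaddress

# Constructed records (hypothetical domains, documentation address ranges),
# standing in for the TXT/A answers a real DNS lookup would return.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 a:mail.example.net ~all",
}
A_RECORDS = {"mail.example.net": ["198.51.100.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_domain, client_ip, records=SPF_RECORDS, a_records=A_RECORDS):
    """Return the SPF result for a connecting IP claiming to send for sender_domain.

    Supports the ip4, ip6, a and all mechanisms; anything else is skipped.
    Note that the check looks only at where the connection comes from: a
    message from a compromised host inside an authorized range still passes.
    """
    record = records.get(sender_domain)
    if record is None:
        return "none"  # domain publishes no policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An address of the other IP version never matches the network.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host = arg or sender_domain
            matched = str(ip) in a_records.get(host, [])
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


if __name__ == "__main__":
    # A hijacked desktop inside example.org's published range still passes.
    print(evaluate_spf("example.org", "192.0.2.77"))  # pass
    print(evaluate_spf("example.org", "203.0.113.5"))  # fail (forged sender)
```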

  47. fscking moderators... by Tassach · · Score: 4, Insightful
    Say something nice about Microsoft and get modded down, even if it's the truth. Say something bad about an open source program and get modded down, even if it's the truth. Just because you disagree with an opinion doesn't make it a troll. A fact which contradicts your prejudices is not flamebait. Save the downmods for penis birds and hot grits. If you disagree with a poster, reply instead of moderating and give your reasons.

    Face it: by any rational standard, sendmail sucks. /etc/sendmail.cf is so obfuscated that it makes the Windows registry look simple by comparison. Its track record for security is as bad as anything coming out of Redmond, and it has a similar track record for releasing patches which break more than they fix. Fortunately for mail administrators who aren't masochists, there is Postfix. Now if only some of the major Linux distros *cough*redhat*cough* would use postfix as their default MTA, life would be better.

    The parent poster is also correct in that Microsoft has made important contributions to the IETF and other open standards boards. They do occasionally manage to do the right thing, even if it's because the engineers managed to sneak it out the back door when the marketroids weren't watching.

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  48. No, we don't by Duhavid · · Score: 2, Insightful

    A: Things would have worked out roughly the same, but with another company or set of companies up top. With any kind of luck that company would have had some better ethics and a less paranoid world-view.

    B: Even if you accept the "microsoft invented everything good" notion, take a look at their bank account and try to say that with a straight face.

    C: Hardware pricing falling while getting faster is where the real ubiquity comes from.

    Pull your nose out of Bill's behind and think for yourself.

    --
    emt 377 emt 4
  49. Re:Good job Microsoft! by thogard · · Score: 2, Insightful

    3 billion lusers on the net, 3 billion lusers, take one down, bash them around, 3 billion lusers on the net.

    It has taken 2 solid decades to convince most people that drinking a beer while driving is a bad idea and if they do it, they will go to jail. How are you going to convince the average joe that his insecure computer is a real problem? I could see people at the local bar saying "Hey guys, I found out my computer was sending out millions of porn messages." "I got one of those." "Me too and did you check the hooters on that 1st picture?"