Slashdot Mirror
MS and Sendmail work together on Spam Solution
fudgefactor7 writes "Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance to launch a sender authentication plug-in which is hoped will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?" Update: 02/26 08:01 GMT by S : Though Microsoft and Sendmail are both working on solutions, there's no official alliance in place between the companies.
Just adding a tag or a plugin wouldn't seem like it would help all that much...Email is such an open format that anything you add, can be copied and added by spammers too.
Just my opinion.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
This isn't going to fix it.
A crap load of junk mail comes from insecure personal computers that were hijacked. If these computers send their junk mail, and this system tracks them, it will send the "A-OK" because the mail came from where it said it did.
This will help, no doubt. But fix the problem? No.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
but it will need widespread acceptance to really work
And therein lies the problem. No vendor, no matter how well placed, should just run off and try to implement a solution. Why? Because odds are good it will not take off. Everyone involved needs to agree on a solution THEN implement it.
nowhere in the fscking article does it say anything about MS and Sendmail working together.
It tells of Sendmail launching a plugin for sendmail, and then :
"Microsoft is one of several companies who are also working to combat spam with a "caller ID" system."
Does anyone RTFA anymore? Am I alone in this? Is god really a abnormally large crustacean living on the moons of Jupiter?
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
Microsoft is involved, so it will cost you money.
I doubt this will end spam.. however it will put an end to the collaterol damage caused to other people's inboxes when some other jerk spoofs their domain names. (yes I'm mad.. I have 1000 bounces from the other week when someone sent online pharmacy ads while pretending to be ME)
It will also put an end to using a free email account to recieve spam replies.
So it's not a cure but it will make the game more expensive for the spammers.
Could this be a sign of the beginning of the end of spam?"
Yes, just like computers have made the era of office paper end (I enjoy my paperless office, do you?), and how Bill Clinton in 1995 ended the era of big government.
Don't blame Durga. I voted for Centauri.
This Inforworld Article is much better then the one posted and mentions how this new Microsoft Idea is very similar to the existing SPF, except that with Microsft's version, the whole message is sent and downloaded before it's rejected.
Well, lets see...spamassassin works with sendmail, so I don't get your point there...I don't think they are looking to replace the functionality of spamassassin, they are taking care of the problem in a different way...
And, as far as postfix being better than sendmail...sendmail has a bad rap because it has been around the longest...
Yes, some older versions of sendmail had security problems. Yes, sendmail has some feature bloat...
But, sendmail is the MTA of choice for UNIX distributions...sendmail is probably one of the most configurable of all MTAs (that also makes it one of the most difficult to configure)...mainly because of its past, sendmail is good in a different way than MTAs like postfix...
The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did.
Doesn't this just sound like a great way to create a DoS style attack?
I: Flood many servers with email supposedly from server X
II: All servers attempt to contact server X
III: Server X crashes/is overwhelmed with requests, stops responding
IV: Some of the orginal servers might get hung trying to clear email from Server X, now no longer responding...
I admit that IV seems avoidable, but I-III don't seem like a big strech based off of prior MS security exploits...
DJMD - The fourth man - Planetary
Requiring a cert to run a mail server is NOT a heavy burden,
Personally, I don't think it's even necessary. I doubt that spammers will start doing man-in-the-middle attacks or DNS manipulation (not because they're morally above it, but because of the technical expertese, legal exposure, and risk of being caught and traced). So just make up a cert and stick it in a DNS record for your domain. No PKI needed => no payment to get your cert.
Now my little server can do advanced reverse lookups on the over 90,000 spam messages it handles per month.
I'm thinking not...
How about making all spam a crime and holding the companies who finance it liable. Then giving consumers the power to sue for damages.
I'm not an ISP, under CAN-SPAM I can't do ANYTHING about the over NINETY THOUSAND spam messages sent to my server per month.
Needless to say, my poor little PII-400 linux box gags and chokes during spuratic 'floods' of spam through each day.
I must say, though, any efforts to thwart spam are good in my opinion. However, the problem will _never_ be solved until the companies PAYING for spam are held financially and/or criminally liable for their actions.
After all, if you PAY someone to commit murder for you -- does that make you any less guilty?
No.
I hope the IETF is smart enough to not support any solution that would make it impossible for me as a regular joe-home user to run my own mailserver. If some other server wants to talk to mine and ask "did you send me this?" that's great, but if some other server decides to /dev/null a message from me because my IP doesn't backward resolve to the domain claimed when sending, then that's bad.
I'm actually a bit scared that this 'anti-spam' crusade will end with an even bigger wall between "users who should pay and consume" and "legitimate service providers".
Belief is the currency of delusion.
If so, this will bother me to no end. I currently have two main email addresses, one using Cluemail and one using MyRealBox. I check both of these addresses using IMAP with MacOS X's Mail.app. However, since MyRealBox is an experimental server and is not always up and since the free accounts on ClueMail don't have SMPT access, I am using my own machine running QMail to send my emails. Obviously my IP and whatever domain gets assigned to it from So-Net (yay Fiber Optic connection to the apartment!!) do NOT match either of my mail addresses.
So, will something like this spam solution break my set-up?
Disclaimer: I am somewhat clueless about all of this. I only know enough to have been able to set my machine up securely so it is not nor can/will not be a source of spam. So, I appreciate any information. Cheers. :)
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
Anybody with over 10,000,000,000 cash is considered a powerhouse in my book. And I think any email program that exsisted before 1995 is venerable...
Onward to the Aether Sphere!
ever seen in email from your sendmail MTA where in the header it say "FORGED". usually on spam email. You know you can block on that in sendmail without any add-ons... The problem is that the majority of the internet servers must then go out and update their DNS records for MX and reverse, for this to actually work.
PS: I actually turned this on one time to get rid of spam, blocking a whole bunch of legit email in the process. Ooops. hello internet just enforce the tools that you already posses.. nuff said.
--jboss
If you're right, that Microsoft's system involves cryptographic signatures on a per-email-address-level, and the protocol is open, I am deeply impressed. Microsoft would be from a technical standoint far ahead of the SPF crowd (who are pushing an ugly, nasty-side-effect hack if I've ever seen one).
Microsoft may actually produce something that benefits the community as a whole. Seems incredible, but...wow, if we owe having a *good* email infrastructure to Microsoft, the world will be standing on its head.
Anyone have a link to a good technical description of Microsoft's proposed system?
May we never see th
The issue you face is one of "identity distinction". By being on Comcast Cable, you appear to be one of the unwashed masses. Whether your system is secure or not isn't known, and isn't practical to find out (trying to actually crack your machine to see if one can get in, to refuse mail if the crack succeeds, has certain legal risks).
You can distinguish yourself by making your email address known and others can whitelist it. Of course that's only good up to the point that spammers start to joe-job you using that address (which may not be for quite a while). Another way (which won't work with Comcast because they are so clueless, but could work with some other ISPs) is to get static IP and arrange for reverse DNS to identify your domain name. Some (I do, for example) block Comcast based on the domain name (easier to manage than a bunch of IP address ranges), which means if your IP didn't have comcast.net on it, it might get through. And if you do have a static IP, you could just ask for that one to be whitelisted.
There are also message content ways to distinguish yourself, such as cryptographically signing your message. But the problem here is that mail servers have to accept all mail first to see that signature. That breaks the ability to refuse during the SMTP RCPT command; refusing at the DATA command not only means wasting the bandwidth always on every message, but also the inability to let users separately whitelist, or means sending bounces to unverified addresses (bad). If they would redesign SMTP to provide the crypto signature during the SMTP session, that would help a lot.
Probably the best solution is to subscribe to a mail submission service (e.g. someone who has a colocated mail server and takes your mail only via authenticated SMTP or MSA). Then the fact that you're on Comcast is hidden deeper in messy RFC headers.
now we need to go OSS in diesel cars
Microsoft - well... dunno... hard to say anything... Some of their ietf work has been brilliant. It is the implementation (and the marketing in command of it) that has been horrible.
Sendmail - no fscking thanks. Their track record in inventing features and suddenly introducing them without at least informing the internet community at large is not anything to shout about. Basically in order to deal with the sender-address-must-resolve and the antispam parts of their rulesets you usually need 4 apirins and 200ml of vodka. That along with 24 hours of sleep gives you a chance of recovering your sanity after getting it to work after the upgrade forced by the next inevitable Sendmail Security FuBAR(TM). Note - it is a chance. Some people never recover. In other words there is a reason for the upside down bat to be the sendmail logo. That is the way a sysadmin looks like after dealing with it. No matter how much I dislike some of Exim sillies I would stick with it.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Certainly not. I do however predict it will be the beginning of the end of email. This is a perfect way to segment the email systems from one another; those that utilize this plugin and those that are discriminated against for not using this plugin. I for one will not use something that isn't a damned standard. You don't have to be an evil genius to recognize the evils of introducing non-standard requirements into such a critical system. It's just plain nuts.
Well, lets see...spamassassin works with sendmail, so I don't get your point there
Simple: Postfix is better than Sendmail. Spamassassin is better than anything Microsoft may even thing to write.
Two orthogonal concepts.
And, as far as postfix being better than sendmail...sendmail has a bad rap because it has been around the longest...
You may not have looked at Postfix deeply enought. Postfix is better in the way it is designed and in the way it is implemented. The multi-daemon design is orders of magnitude more secure than anything so monolitic as sendmail.
The code quality is spectacular. I had to customize it a bit and the sources was so well written that I was able to understand them almost immediately.
Yes, some older versions of sendmail had security problems. Yes, sendmail has some feature bloat...
Those security problems could have been cosmetic issues in a design like postfix's.
But, sendmail is the MTA of choice for UNIX distributions
Not anymore for my distribution. Anyway, this doesn't mean it is better... for the same reason Windows is installed on most computers...
Do you really trust a spammer to send you the real goods? Counterfeit drugs are rampant, and unless you purchased the drug from a reputable (liscenced) pharmacy, it is unlikely you are getting the real deal, especially on something expensive, hotly demanded, and potentially embarassing to sue about.
Pfizer suffers from this due to a possibility of a counterfeit drug causing harm, making Pfizer a target of an inadvertant lawsuit, the cost of which being huge amounts of negative publicity. Imagine: Pfizer getting sued - big headline on front page - everybody's talking about it. The drug turning out to be counterfeit - tiny headline near back page three months later - nobody notices. The fact that it came from a spammer - doesn't even get reported.
___ This sig is in boldface to emphasize its importance!
Face it: by any rational standard, sendmail sucks. /etc/sendmail.cf is so obfuscated that makes the Windows registry look simple by comparison. It's track record for security is as bad as anything coming out of Redmond, and has a similar track record for releasing patches which break more than they fix. Fortunately for mail administrators who aren't masochists, there is Postfix. Now if only some of the major Linux distros *cough*redhat*cough* would use postfix as their default MTA, life would be better.
The parent poster is also correct in that Microsoft has made important contributions to ITEF and other open standards boards. They do occasionally manage to do the right thing, even if it's because the engineers managed to sneak it out the back door when the marketroids weren't watching.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?