MS and Sendmail work together on Spam Solution
fudgefactor7 writes "Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance to launch a sender authentication plug-in which is hoped will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?" Update: 02/26 08:01 GMT by S : Though Microsoft and Sendmail are both working on solutions, there's no official alliance in place between the companies.
This isn't going to fix it.
A crap load of junk mail comes from insecure personal computers that were hijacked. If these computers send their junk mail, and this system tracks them, it will send the "A-OK" because the mail came from where it said it did.
This will help, no doubt. But fix the problem? No.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
but it will need widespread acceptance to really work
And therein lies the problem. No vendor, no matter how well placed, should just run off and try to implement a solution. Why? Because odds are good it will not take off. Everyone involved needs to agree on a solution THEN implement it.
I doubt this will end spam.. however it will put an end to the collaterol damage caused to other people's inboxes when some other jerk spoofs their domain names. (yes I'm mad.. I have 1000 bounces from the other week when someone sent online pharmacy ads while pretending to be ME)
It will also put an end to using a free email account to recieve spam replies.
So it's not a cure but it will make the game more expensive for the spammers.
Could this be a sign of the beginning of the end of spam?"
Yes, just like computers have made the era of office paper end (I enjoy my paperless office, do you?), and how Bill Clinton in 1995 ended the era of big government.
Don't blame Durga. I voted for Centauri.
The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did.
Doesn't this just sound like a great way to create a DoS style attack?
I: Flood many servers with email supposedly from server X
II: All servers attempt to contact server X
III: Server X crashes/is overwhelmed with requests, stops responding
IV: Some of the orginal servers might get hung trying to clear email from Server X, now no longer responding...
I admit that IV seems avoidable, but I-III don't seem like a big strech based off of prior MS security exploits...
DJMD - The fourth man - Planetary
Now my little server can do advanced reverse lookups on the over 90,000 spam messages it handles per month.
I'm thinking not...
How about making all spam a crime and holding the companies who finance it liable. Then giving consumers the power to sue for damages.
I'm not an ISP, under CAN-SPAM I can't do ANYTHING about the over NINETY THOUSAND spam messages sent to my server per month.
Needless to say, my poor little PII-400 linux box gags and chokes during spuratic 'floods' of spam through each day.
I must say, though, any efforts to thwart spam are good in my opinion. However, the problem will _never_ be solved until the companies PAYING for spam are held financially and/or criminally liable for their actions.
After all, if you PAY someone to commit murder for you -- does that make you any less guilty?
No.
ever seen in email from your sendmail MTA where in the header it say "FORGED". usually on spam email. You know you can block on that in sendmail without any add-ons... The problem is that the majority of the internet servers must then go out and update their DNS records for MX and reverse, for this to actually work.
PS: I actually turned this on one time to get rid of spam, blocking a whole bunch of legit email in the process. Ooops. hello internet just enforce the tools that you already posses.. nuff said.
--jboss
The issue you face is one of "identity distinction". By being on Comcast Cable, you appear to be one of the unwashed masses. Whether your system is secure or not isn't known, and isn't practical to find out (trying to actually crack your machine to see if one can get in, to refuse mail if the crack succeeds, has certain legal risks).
You can distinguish yourself by making your email address known and others can whitelist it. Of course that's only good up to the point that spammers start to joe-job you using that address (which may not be for quite a while). Another way (which won't work with Comcast because they are so clueless, but could work with some other ISPs) is to get static IP and arrange for reverse DNS to identify your domain name. Some (I do, for example) block Comcast based on the domain name (easier to manage than a bunch of IP address ranges), which means if your IP didn't have comcast.net on it, it might get through. And if you do have a static IP, you could just ask for that one to be whitelisted.
There are also message content ways to distinguish yourself, such as cryptographically signing your message. But the problem here is that mail servers have to accept all mail first to see that signature. That breaks the ability to refuse during the SMTP RCPT command; refusing at the DATA command not only means wasting the bandwidth always on every message, but also the inability to let users separately whitelist, or means sending bounces to unverified addresses (bad). If they would redesign SMTP to provide the crypto signature during the SMTP session, that would help a lot.
Probably the best solution is to subscribe to a mail submission service (e.g. someone who has a colocated mail server and takes your mail only via authenticated SMTP or MSA). Then the fact that you're on Comcast is hidden deeper in messy RFC headers.
now we need to go OSS in diesel cars
Microsoft - well... dunno... hard to say anything... Some of their ietf work has been brilliant. It is the implementation (and the marketing in command of it) that has been horrible.
Sendmail - no fscking thanks. Their track record in inventing features and suddenly introducing them without at least informing the internet community at large is not anything to shout about. Basically in order to deal with the sender-address-must-resolve and the antispam parts of their rulesets you usually need 4 apirins and 200ml of vodka. That along with 24 hours of sleep gives you a chance of recovering your sanity after getting it to work after the upgrade forced by the next inevitable Sendmail Security FuBAR(TM). Note - it is a chance. Some people never recover. In other words there is a reason for the upside down bat to be the sendmail logo. That is the way a sysadmin looks like after dealing with it. No matter how much I dislike some of Exim sillies I would stick with it.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/