MS and Sendmail work together on Spam Solution
fudgefactor7 writes "Powerhouse software vendor Microsoft and the venerable Sendmail have formed an alliance to launch a sender authentication plug-in which it is hoped will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?" Update: 02/26 08:01 GMT by S : Though Microsoft and Sendmail are both working on solutions, there's no official alliance in place between the companies.
Will it be in the free version of sendmail too or only in the commercial buy-version?
I posted an idea similar to this on slashdot here, which would essentially involve sendmail digitally signing messages that it sends and then having receiving mail servers verify it. I think most of the people who read the idea misinterpreted it as forcing us to get digital certs through verisign, which was NOT what I was implying.
See, now this is a much better idea than "email postage" and "computationally expensive" sending of email. This way, the accountability falls down to individual email addresses, and domains for sending UCE.
It's FAR easier to track emails and their likelihood of sending spam than the actual messages themselves (after all, buyviagra@biggerpenis.org is most likely sending you spam).
This, combined with a spam filter could do the trick.
Congratulations Microsoft for actually partnering with somebody who matters in this whole affair. I'm hoping the other companies like Yahoo and AOL follow suit with this strategy, and a solution becomes standardized.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
So, is qmail getting in on this solution????
Evolution or ID?
Could this be a sign of the beginning of the end of spam?
No, but it could be a sign of the beginning of e-mail postage.
-Letter
Will my email server I run perfectly responsibly just for my family be able to function without paying Microsoft for the plugin? After all, it is not rocket science to code your own SMTP server with Visual Basic.... This will work for the controllable sources, but what about foreign servers and the rest of the World?
Odd couple?
I don't think they're that different. Sounds like a match made in security hell.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
Spammers used to buy a T1's worth of phone lines and then dial in to several different ISPs all at once and use THEIR mail server to send spam. With the advent of easily hacked broadband connections, this isn't required anymore. I can see it popping back up pretty quickly. While the idea is OK, spammers are adaptable. The ONLY way to make spammers stop, is to make them feel pain and this solution doesn't provide nearly enough pain.
For instance, I was joe jobbed, I received about 2300 bounced messages advertising various web sites. For every bounced message I forwarded a 900k graphic that said "Do not use my return address in your spam campaign, it is illegal". Since I received another bounced spam before I had finished responding to these kind people, I decided perhaps another avenue of communication was appropriate. I posted an order on each of the three websites I found advertised 2300 times (PERL w/LWP). Since I was unable to get a response via e-mail, I figured that I would get a response via an order form. I posted 2300 times (one for each bounce) with my contact information and a request to not use my e-mail in the shipping information box.
What happened?
1. one of the mail servers stopped responding altogether. It didn't come back up for more than a week (qmail queue default lifetime anyone?)
2. During the post to these web sites (ALL on hacked machines running open proxy servers) the web site went down and stopped responding. I guess the concurrency of 2300 was a bad idea.
It appears that my e-mail address is no longer being used, although their websites finally recovered about 8 hours later. These web sites no longer accept orders from my IP address. Now imagine if only 1/2 the people that received a spam did what I did? Think of the number of bogus orders that have to be sorted to simply get to a legitimate one? Think of the amount of traffic going INTO comcast and RR to these hacked machines (waving flag over here, over here LOOK LOOK security@rr.com!). Of course this would take time, and we already have precious little of this. If enough people took the time, we would also have precious little spam. The cost would be too high.
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
You will of course note that there is NO requirement for a mailserver to have an MX record, an A record is sufficient. Not that I've checked, but I suspect filtering mailservers without an MX will result in lots of collateral damage.
seems to me that identd would do a sufficient job at reducing spam. rather than overcomplicating things, why don't they just start using the underused identd again??
Microsoft is pushing a solution called "Caller ID", which involves putting (wince) XML documents into the DNS telling you how to check the (argh) From: header.
A lot of other people are pushing a solution called SPF, which involves putting text "code snippets" into the DNS telling you how to check the MAIL FROM: envelope return address.
This topic will be discussed at the IETF next week in Seoul, Korea. Hot topic!
I've been using sendmail for the last 8 years, and I don't see why it's so bad.
Well what about what lots of people do, send email through their ISP's web server, and use the email address of where they get mail, which may not be their ISP?
I do this all the time, I send mail through whatever SMTP server for the ISP I'm currently connected to, but my email address is always the same, and the email domain is my hosting provider, which is not my ISP.
They better not fuck things up for people that don't always use their ISP's email address, or have more than one ISP.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
MS and Sendmail are probably responsible for 90% of the spam out there, with default open relay policies, cryptic documentation, and (in MS' case) a corporate culture and influence which means that only chimps and other simian life forms become Exchange admins. Flame all you want, this is from direct experience.
At an old job as a firewall engineer, I had to tell the Exchange Admin for a major medical insurance provider HOW to set up our AV server as their relay. I found it on Google faster than she could fumble through her documentation. At another site, I had to battle an NT/Exchange admin who, after moving the Exchange server to an internal network, wondered why he no longer could receive mail.
MS and Sendmail owe everyone on the Internet countless hours of lost time due to idiotic software config problems, it's about time that they came up with a solution.
I want to delete my account but Slashdot doesn't allow it.
Sendmail is one of the vendors working on Sender Permitted From or Sender Policy Framework, is it not? spf.pobox.com I have no clue, nor did the article, on what Microsoft might be doing.
SPF is basically a reverse DNS lookup on SMTP servers if I understand it correctly. Basically under the plan to send mail you have to have a registered SMTP server in DNS so that your mail can be traced back to the sending SMTP server. No SPF records then your mail is most likely spam and can be discarded at the client or even at the POP server. Heck I suppose even SMTP servers could refuse to forward such mail. Will not eliminate all spam but it would halt the spam-in-can email virus like SoBig that makes every Winblows box into instant spam machine. It would also stop spoofed email that causes so much headache.
Very needed plan IMHO.
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
A large portion of the spam I receive doesn't have my address in the To: field. Why doesn't mailer software look for this kind of mail? Am I missing something?
"Drug related crime" is a misnomer, "prohibition related crime" is the more accurate and correct phrase.
I still have my system up, but I am denied at places because I am on Comcast Cable. Yet, I have never had an open relay, nor been cracked. I find it obnoxious that I have issues sending simply due to location rather than an inability to have a secured system.
I prefer the "u" in honour as it seems to be missing these days.
I know I'm blowing my karma points on this one, but I believe it's justified and realistic.
No business partnership or alliance of any significance has existed with Microsoft that resulted in a mutually beneficial conclusion. To put it another way, it's like trying to make a deal with the devil.
I don't expect that sendmail will be summarily destroyed as such. But I earnestly and honestly believe that the final outcome of this venture will only result in Microsoft obtaining an absolute choke hold on email.
To expect anything less is naive and ignorant. There is no past performance which disputes this claim. Even considering legal judgements, Microsoft will not hesitate to make "all your email belong to us".
I apologize if I come off sounding like one of the slashdot anti-Microsoft zealots, or some conspiracy theorist. But think it through.
Microsoft develops a means by which all email must be reverse authenticated as to the sender. Believe me, they will patent it and everything that looks like it before the night is over. This sounds great, but then all they do is just modify the email servers to require that this proprietary reverse authentication take place or you can't send any email.
The fact that they are working with sendmail, the company and not the OS project, allows them to license this technology to a Unix platform. This allows them a foothold onto the majority of email servers, which are Unix based, and to establish the means by which they have complete ownership of all email transactions. And it will be a matter of time before sendmail.com has to turn over their assets to pay the licensing fees, but then maybe Microsoft doesn't want them able to pay the fees.
Yeah, Spam sucks. But get a clue! Spam filters account for 99+% of all the spam out there. I would rather have my 1 spam a week out of 600 than to have Microsoft telling me I have to pay royalties to send email. There is nothing cool or encouraging about this.
And the real problem here isn't the spam, or the cost of sending spam, they haven't done anything to reduce either one of these. The problem is the adolescent pimple-butts who really think that herbal viagra will give them a 36" schlong that lasts all month long. Do you really want that? It's hard to pee standing on your head!
this is a great first step, but it won't stop spam. it will only prevent spammers from spoofing their email addresses, etc. what good is that when the spammer lives in a country that has no laws against spam?
Gyrate Dot Org - "Where high-tech meets low-life"
I guess I will have to put up my OWN MTA (against the TOS for my ISP now) - SSH into it and deliver mail from that. What a pain to get around spam filters. This might make it slightly harder for the spammers - but it will make it infinitely harder for people like me that just want e-mail to work. Oh for the days when it was considered rude to close off access to your MTA. (Damned spammers ruined everything)
Had fun last weekend trying to e-mail my roommate's work account. I wanted him to see an URL that he would be interested in.
Subject: Check this out
Response - This subject is commonly used in Virus e-mail, bounced back to me.
Three attempts later and I finally found a subject that I could use to send him e-mail. What a pain.
I have mod points and I am not afraid to use them
The core "problem" with the internet is that just about anyone can create a domain and the associated zone files and have them served as authoritative. There are at least two free DNS services out there that will host whatever zone data you wish to throw at them. Personally I don't consider this a problem, but a very nice feature.
When you can register domains in bulk for $5, perhaps less, and can host the DNS for free or just a few dollars a year, how exactly is any DNS based verification system going to operate to limit spam? All the spammers have to do is fudge up the zone file so that any verification system will succeed because the spamming server is "legit". The server may very well be anonymous or hacked or have 20 IP addresses.
I still say the single best solution to spam is for ISPs to start a policy of disposable email addresses. This is a relatively simple matter to implement with Sendmail and a few CGI scripts, or even via email messages.
An end user is given let's say 8 email addresses. These addresses are never to be given out to anyone for email purposes, they are simply for sorting incoming mail among several family/household members.
Each account can have up to 50 aliases at any time. Aliases are created on the fly by the end user, and can be set to expire at some future date, or be removed manually.
When you go to sign up for a discussion forum you create an alias for just that forum, ex: gjslashdot@ispdomain.com. If you start getting spam on that address, you can simply delete it and create another one, there's no attachment to the address outside that forum.
I've been using this system myself for about a year and have gone from 500+ spams a month to 3-5 a month. Again... as soon as I get spam at an address, I delete it and create a new one if necessary.
What's causing the spam problem is human ignorance. Layering technological complexity on top of the existing system will not eliminate the underlying ignorance. My solution does that.
As far as corporations go.... get your email addresses off of your business cards, and stop using employee names as the basis for email addresses. If someone has access to an email client, they probably have access to a web client. Out-side emailers should use a web form to send email to employees unless there is an existing relationship.
Once there is a relationship, direct email can be used.
Email addresses on business cards... business cards handed out like candy on Halloween... no wonder you get inundated with spam.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Umm... You mean exactly like most linux installs, right?
The whole "sendmail isn't safe" mantra is based on very old versions. Not surprisingly, all from when it was being [primarily] supported and developed by people with 'day' jobs.
Since when has the difficulty to manually configure *nix software been something one should open their mouth about on
SMTP is a simple concept, but somehow sendmail found a way to make it your worst nightmare. The gotcha's on the configuration alone is enough to break someone.
Snicker. Well yes the S stands for simple... Are you just talking about RFC 821??? What about 822, 876, 947, 1869, 1870, 1891, 1893, 1985, 2033, 2034, 2045, 2046, 2047, 2048, 2049, 2197, 2487, 2554, 2821, 2822? [BTW I'm sure I missed some, and yes some supersede others]. You don't often use SMTP anymore, rather ESMTP with extensions.
FWIW it's really really easy to make sendmail a non-open relay. I even think RH configures it that way from the start.
Use whatever MTA works for you, but don't confuse your relative [or subjective] case with the absolute 'sendmail bad, MyMTA good.' As for Sendmail- they deserve some credit, if for nothing else, that it actually pays money to support one of the more important and underappreciated open source packages. Everything post 8.8 or is it 8.9.3 was heavily contributed to by them.
I'll bet a penny you use pico...
--Someone with yellow car; plate Y EHLO
I worked in a paperless office. We were tech support for a large public university, and did all of our developing in-house, so we had web based (mysql+php+apache) software that did every possible type of form we could fill out. Memos were posted to the website... Yeah I really never had to touch a piece of paper in the 2 years I worked there.
And things like this always start in universities, and move into the business world as the students graduate.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
More likely, it's the beginning of "features" which result in less of the spam we see today, and an equal amount of some other form of advertising annoyance.
today: fr33 \/14Gra dud3!!1
tomorrow: Retrieving email: starting winxp2005.mov (click to pay to skip commercial)
This is a horrible idea - for those of us that bounce through different MTAs during our life based on where we are (work/home/travelling/etc.) to send mail out, but still wanting all of our mail to come to our trusty inbox.
Shoot, man! That's what SMTP Auth is for. Most of my "roaming" users use it. Those that don't, use webmail. Talk to your mail provider. They probably have a solution similar to this (it's been around for a while now).
Subject: Check this out
Response - This subject is commonly used in Virus e-mail, bounced back to me.
Now *that* is screwed up. Just like people who set up their mail servers to bounce any email containing the word "viagra", the potential for false positives is too high.
No sig
Actually, William the Bastard was a Viking with family origins in the Norwegian-ruled Orkneys. William's great-great-great-great-grandfather was Ragnald, first earl of Orkney, and William was a direct male descendant of Ragnald through Ragnald's son Rolf, first Duke of Normandy. They ended up marrying into the families of the Capetian dynasty of France and into the family of Aquitaine as well, but they weren't really French, any more so than the British royal family is truly British (I think it'll be only when Wills gets the throne that someone with a majority of UK blood will be reigning, for the first time since Queen Anne; the Windsors are primarily German with injections of Danish royal blood courtesy of Queen Alexandra and Prince Philip).
The Normans were regarded even in their day as Vikings with a veneer of French civilization. They were regarded as the equivalent of 17th and 18th Century Russians, who, due to their rather unsanitary personal habits, were regarded by courts in Europe to be "baptized bears".
So, in the final wash, it was Yet Another Viking Invasion Of England, albeit this one more successful than the others because the family stuck around for a while (until Richard III, in fact).
If using Linux is about choice, how come people complain when I choose to use Windows?
Speaking for myself, my mailserver is on OpenBSD, and Sendmail is the only MTA in their main tree. Oh sure, I *could* use postfix from ports, but then I don't get the happy little email when theres a vulnerability, and I don't get the comfort of knowing that at least the OpenBSD team has parsed the source for bugs.
So yeah, I use Sendmail. From where I sit it seems like the most secure choice.
I noticed that not a soul mentioned the patent issue: guess who will patent the solution?
a) the same folks who try to patent xml?
b) the same folks who try to take over all UNIX-like operating systems?
c) the same folks who like to be clicked only once(tm)?
I know I post too late.
You can defy gravity... for a short time
Could somebody please explain to me how this SPF stuff is supposed to help fighting spam in any way? Seriously, I don't get it. So, the only thing spammers have to do additionally is to fake the domain part of a faked email address to match the IP or relay they use? That's it to trick the whole system?
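Added example (not part of any comment in this thread, and not Sendmail's or Microsoft's code): a minimal evaluator for the SPF-style check on the MAIL FROM domain that the comments above discuss, run against a constructed in-memory zone instead of live DNS. It handles only the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms; the function names, domains and addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed zone data standing in for DNS (documentation address ranges and
# reserved example names; none of these records are real).
ZONE = {
    "example.org": {
        "TXT": ["v=spf1 mx ip4:192.0.2.0/28 include:_spf.example.net -all"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["198.51.100.10"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # Throwaway domain whose owner authorises their own sending host.
    "cheap-pills.example": {"TXT": ["v=spf1 ip4:198.51.100.66 -all"]},
    "no-policy.example": {},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class PermError(Exception):
    """Policy that cannot be evaluated (unknown mechanism, bad include)."""

def lookup(name, rtype):
    return ZONE.get(name.lower(), {}).get(rtype, [])

def spf_record(domain):
    # First TXT record carrying the SPF version tag (sample zone has at most one).
    for txt in lookup(domain, "TXT"):
        if txt.lower().split()[:1] == ["v=spf1"]:
            return txt
    return None

def matches(mech, arg, ip, domain, depth):
    target = arg or domain
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return str(ip) in lookup(target, "A")
    if mech == "mx":
        return any(str(ip) in lookup(h, "A") for h in lookup(target, "MX"))
    if mech == "include":
        inner = check_host(str(ip), arg, depth + 1)
        if inner in ("none", "permerror"):
            raise PermError(arg)
        return inner == "pass"  # any other inner result means "no match"
    raise PermError(mech)

def check_host(client_ip, mail_from_domain, depth=0):
    """Return the SPF result for a connecting IP and envelope sender domain."""
    if depth > 10:  # crude stand-in for the real limit on DNS lookups
        return "permerror"
    record = spf_record(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    try:
        for term in record.split()[1:]:
            if "=" in term:  # modifiers such as redirect= are out of scope
                continue
            qualifier = term[0] if term[0] in QUALIFIERS else "+"
            mech, _, arg = term.lstrip("+-~?").partition(":")
            if matches(mech.lower(), arg, ip, mail_from_domain, depth):
                return QUALIFIERS[qualifier]
    except (PermError, ValueError):
        return "permerror"
    return "neutral"  # no mechanism matched and no "all" term was present

def evaluate_samples():
    # Constructed (connecting IP, MAIL FROM domain) pairs.
    cases = [
        ("198.51.100.10", "example.org"),          # the domain's own MX host
        ("203.0.113.7", "example.org"),            # authorised via include
        ("198.51.100.66", "example.org"),          # forged sender domain
        ("198.51.100.66", "cheap-pills.example"),  # throwaway domain, own policy
        ("198.51.100.66", "no-policy.example"),    # domain publishes nothing
    ]
    return [(ip, dom, check_host(ip, dom)) for ip, dom in cases]

if __name__ == "__main__":
    for row in evaluate_samples():
        print(*row)
```

A `pass` only establishes that the named domain authorised the connecting host, so the throwaway-domain case still has to be handled by reputation or content filtering.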
Yes I do personally very much believe Pfizer hate "viagra spam", here's why:
As we all know the brand name "Viagra" is instantly recognisable and generates a buzz of instant brand recognition which is almost on the same level as "Coke" or "Hoover".
For this very reason a couple of years ago Pfizer realised that they could reorganize their Viagra sales teams as the Viagra brand literally sold itself therefore most of their original Viagra sales people were promptly reassigned to other products within Pfizer. Pfizer's own Viagra sales teams are thus now small.
Incidentally drug sales is a bit like playing football, each competitive company (side) have their own sales people marking each others, person for person. So changes in one company's sales force always impact on their competitors.
Anyway "Viagra" is still covered/protected by patents which (if my memory serves me correctly) were granted for something like 10 or 15 years, this means that legally 100% identical generic versions of Viagra or generic sildenafil can NOT legally be made for a number of years yet.
It is important to realise that commercially Pfizer will be interested in maintaining a good "brand" reputation for a high quality product, they will also be interested in maintaining Viagra at a fairly constant fixed price for as long as is possible during the duration of their patents.
Remembering the fact that Viagra sells itself and you soon realise that Pfizer therefore don't really need to or even want to spend time or money on aggressive "spam" type marketing for "low cost viagra" as selling such a product would be counter productive to their own interests.
I am also reliably informed that the apparent "Viagra" that we see being advertised on the Internet are in fact "viagra" copies which have been altered/redesigned often in what are unproven ways to try to get around some of Pfizer's patents. So it's very much buyer beware.... !
On a similar note it is worth understanding that medicines like Viagra are licensed for treating one particular condition only, e.g. "erectile dysfunction" aka "impotence" in the case of "Viagra". So even though many people found that "Viagra" appeared to make some difference in females Pfizer legally could NOT and would NOT acknowledge this fact. Thus an entirely new drug with a totally different name was created, tested and then licensed/marketed for use by females only.
While it admittedly takes significantly more real legwork, I'd imagine that much of the protection provided by authenticated email could be bypassed by riding on other people's unsecured wifi networks and sending mail via their trusting ISP's mail server. I might just start wardriving in my branded SPAM-van.
Thanks for the link -- much appreciated and read.
Sigh. Trust Microsoft to release their technical information in .doc format. Well, here's my take. The MS solution doesn't provide, as the top sender assumed, a real PKI-based solution, which is what really excited me. That would ultimately solve a lot of problems in a much better fashion.
The Microsoft solution is not actually very different than SPF. It aims at doing pretty much the same thing -- identifying outbound mail servers for a domain in DNS, and disallowing mail from any mail servers that are not listed in DNS. I *still* feel that this approach is a hack and is going to have undesirable long-term effects.
There are some things to be said for the Microsoft approach, though. It seems to be basically a "better SPF". They considered a number of implementation issues that I was upset over in SPF. They talk about DNS caching and security implications of DNS as a transport mechanism. They address server migration, and provide an attempt at dealing with multiple apparent identities -- one that I feel isn't really sufficient, but which Microsoft, being Microsoft, might manage to pull off through control of Outlook.
Having read the SPF proposal and the Microsoft proposal, I do think that the Microsoft work is a lot more mature and builds on SPF, and is a better overall solution.
If one of the two must be implemented in the short term, I would prefer Microsoft's work.
I still think that Microsoft's Caller ID is still vulnerable to a number of SPF holes (such as throwaway domains). I am more than a little irritated, since Microsoft is really the only single player capable of promoting a PKI scheme (given that they control a major mail server and the major mail client). Furthermore, migrating to a PKI-based system would provide reasons to upgrade to new versions of Microsoft software -- pushing PKI makes excellent business sense for Microsoft. My guess is that Microsoft needed a solution *now*, given that they were facing SPF deployment, and wanted to fix some of SPF's problems rather than gambling on a full retrofit of the email system.
May we never see th