MS and Sendmail work together on Spam Solution
fudgefactor7 writes "Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance to launch a sender authentication plug-in which is hoped will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?" Update: 02/26 08:01 GMT by S : Though Microsoft and Sendmail are both working on solutions, there's no official alliance in place between the companies.
I posted an idea similar to this on slashdot here, which would essentially involve sendmail digitally signing messages that it sends and then having receiving mail servers verify it. I think most of the people who read the idea misinterpreted it as forcing us to get digital certs through verisign, which was NOT what I was implying.
See, now this is a much better idea than "email postage" and "computationally expensive" sending of email. This way, the accountability falls down to individual email addresses, and domains for sending UCE.
It's FAR easier to track emails and their likelyhood of sending spam than the actual messages themselves (after all, buyviagra@biggerpenis.org is most likely sending you spam).
This, combined with a spam filter could do the trick.
Congratulations Microsoft for actually partnering with somebody who matters is this whole affair. I'm hoping the other companies like Yahoo and AOL follow suit with this strategy, and a solution becomes standardized.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Odd couple?
I don't think they're that different. Sounds like a match made in security hell.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
Spammers used to buy a T1's worth of phone lines and then dial in to several different ISP's all at once and use THEIR mail server to send spam. With the advent of easily hacked broadband connections, this isn't required anymore. I can see it popping back up pretty quickly. While the idea is OK, spammers are adaptable. The ONLY way to make spammers stop, is to make them feel pain and this solution doesn't provide nearly enough pain.
For instance, I ws joe jobbed, I recieved about 2300 bounced messages advertising various web sites. For every bounced message I forwarded a 900k graphic that said "Do not use my return address in your spam campaign, it is illegal". Since I recieved another bounced spam before I had finished responding to these kind people, I decided perhaps another avenue of communication was approriate. I posted an order on each of the three websites I found advertised 2300 times (PERL w/LWP). Since I was unable to get a response via e-mail, I figured that I would get a response via an order form. I posted 2300 times(one for each boucne) with my contact information and a request to not use my e-mail in the shipping information box.
What happened?
1. one of the mail servers stopped responding all together. It didn't come back up for more than a week (qmail queue default lifetime anyone?)
2. During the post to these web sites (ALL on hacked machines running open proxy servers) the web site went down and stopped responding. I guess the concurrency of 2300 was a bad idea.
It appears that my e-mail address is no longer being used, although their websites finally recovered about 8 hours later. These web sites no longer accept orders from my IP address. No imagine if only 1/2 the people that recieved a spam did what I did? Think of the number of bogus orders that have to be sorted to simply get to a legitimate one? Think of the amount of traffic going INTO comcast and RR to these hacked machines (waving flag over here, over here LOOK LOOK security@rr.com!). Of course this would take time, and we alreayd have precious little of this. If enough people took the time, we would also have precious little spam. The cost would be too high.
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Microsoft is pushing a solution called "Caller ID", which involves putting (wince) XML documents into the DNS telling you how to check the (argh) From: header.
A lot of other people are pushing a solution called SPF, which involves putting text "code snippets" into the DNS telling you how to check the MAIL FROM: envelope return address.
This topic will be discussed at the IETF next week in Seoul, Korea. Hot topic!
Well what about what lots of people do, send email through their ISPs web server, and use the email address of where they get mail, which may not be their ISP?
I do this all the time, I send mail through whatever SMTP server for the ISP I'm currently connected to, but my email address is always the same, and the email domain is my hosting provider, which is not my ISP.
They better not fuck things up for people that don't always use their ISPs email address, or have more than one ISP.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
MS and Sendmail are probably responsible for 90% of the spam out there, with default open relay policies, cryptic documentation, and (in MS' case) a corporate culture and influence which means that only chimps and other simian life forms become Exchange admins. Flame all you want, this is from direct experience.
At an old job as a firewall engineer, I had to tell the Exchange Admin for a major medical insurance provider HOW to set up our AV server as their relay. I found it on Google faster than she could fumble through her documentation. At another site, I had to battle an NT/Exchange admin who, after moving the Exchange server to an internal network, wondered why he no longer could receive mail.
MS and Sendmail owe everyone on the Internet countless hours of lost time due to idiotic softawre config problems, its about time that they came up with a solution.
I want to delete my account but Slashdot doesn't allow it.
Sendmail is one of the vendors working on Sender Permited From or Sender Policy Framwork is it not? spf.pobox.com I have no clue, nor did the article, on what Microsoft might be doing.
SPF is basicly a reverse DNS lookup on SMTP servers if I understand it correctly. Basicly under the plan to send mail you have to have a registered SMTP server in DNS so that your mail can be traced back to the sending SMTP server. No SPF records then your mail is most likely spam and can be discarded at the client or even at the POP server. Heck I suppose even SMTP servers could refuse to forward such mail. Will not eliminate all spam but it would halt the span-in-can email virus like SoBig that makes every Winblows box into instant spam machine. It would also stop spoofed email that causes so much headache.
Very needed plan IMHO.
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
I still have my system up, but I am denied at places becuase I am on Comcast Cable. Yet, I have never had an open relay, nor been cracked. I find it obnoxious that I have issues sending simply due to location rather than an inability to have a secured system.
I prefer the "u" in honour as it seems to be missing these days.
I know I'm blowing my karma points on this one, but I believe it's justified and realistic.
No business partnership or alliance of any signficance has existed with Microsoft that resulted in a mutually beneficial conclusion. To put it another way, it's like trying to make a deal with the devil.
I don't expect that sendmail will be summarily destroyed as such. But I ernestly and honestly believe that the final outcome of this venture will only result in Micorosoft obtaining an absolute choke hold on email.
To expect anything less is niave and ignorant. There is no past performance which disputes this claim. Even considering legal judgements, Microsoft will not hesitate to make "all your email belong to us".
I apologize if I come off sounding like one of the slashdot anto-microsoft zealots, or some conspiracy theorist. But think it through.
Microsoft develops a means by which all email must be reverse authenticated as to the sender. Believe me, they will patent it and everything that looks like it before the night is over. This sounds great, but then all they do is just modify the email servers to require that this proprietary reverse authentication take place or you can't send any email.
The fact that they are working with sendmail, the company and not the OS project, allows them to license this technology to a Unix platform. This allows them a foothold onto the majority of email servers, which are Unix based, and to establish the means by which they have complete ownership of all email transactions. And it will be a matter of time before sendmail.com has to turn over their assets to pay the licensing fees, but then maybe Microsoft doesn't want them able to pay the fees.
Yeah, Spam sucks. But get a clue! Spam filters account for 99+% of all the spam out there. I would rather have my 1 spam a week out of 600 then to have Microsoft telling me I have to pay royalties to send email. There is nothing cool or encouraging about this.
And the real problem here isn't the spam, or the cost of sending spam, they haven't done anything to reduce either one of these. The problem is the adolescent pimple-butts who really think that herbal viagra will give them a 36" schlong that lasts all month long. Do you really want that? It's hard to pee standing on your head!