Slashdot Mirror
Spam Solutions from an Expert
Mod N writes "SecurityFocus has posted a nice survey of anti-spam technologies by spam expert Neal Krawetz, in which he delves deeply into the specifics and pitfalls of the numerous proposed solutions. Krawetz makes it obvious that securing the email infrastructure is a very complex problem that many of the current (simple) solutions can't solve alone."
Excuse me, what? Where's the proof? That's quite a brave statement to be making considering i've never seen this cracked, ever.
I challenge someone to find an automated response to C/R.
I did hear of a theory where C/R was being cracked by taking the C/R image, posting to a porn session, and letting a seeing person do the work. However, i've yet to witness this in practice. Show me the automated response to C/R that exists beyond a blog theory, and i'll believe. Until them, i hardly consider it "marketing hype".
There is no anti spam technology that actually works. Not even whitelisting, because those viruses fake email addresses.
Maybe whitelisting with custom mail headers to prove identity
Open Source Java Web Forum with LDAP authentication
With the way the Chinese government keeps making their own versions of everything, maybe they'll have their own version of the Internet. That shoud alleviate a good deal of the spam right there, given that their Internet will probably be incompatible with ours.
pishhhhh *breathe*
I find your lack of junk mail disturbing.
Good overview, all things considered. I would like to add to one of his conclusions (from part 1):
This conclusion is correct, but why is this considered a stopping point? Mail admins-- get off your collective butts and add encryption and authentication to your mail servers! The author also forgot to mention that server side certificates are not necessary for SMTP, SMTP+AUTH addresses this quite nicely.Note that such measures are not necessary for most users. Home users that use their ISP's mail server don't have to implement any of this, since the ISP can already account for the user. Let us not forget that "most users" do not have the e-mail needs that many Slashdot readers do. For those needing roaming access and multiple addresses, use IMAPS and SMTP+SSL+AUTH.
Just buy porn in magazine format instead of registering for it online :)
Why has spam grown to what it is today? It is an undeniably effective means of cheap marketing. What we need to do is come up with a way to stop this not on our end, but by looking at as a social problem or making it non-worthwhile to the spammers. If nobody ever responded to spam, spammer wouldn't bother.
n/t
At this point in the game, I am honestly surprised that we haven't heard of violence resulting from spam affliction.
I don't know about anyone else, but I'm pretty sure I'm not alone in this. I have, at times, felt utterly enraged at all the spam flying about and further all of the innocent and naive people that are being abused by all of this.
I know if I feel violent internally, then surely there are those with less self-control out there who will eventually act on his or her rage... perhaps the parent of a child afflicted with porn spam?
I think if two or three spammers are attacked physically, it might give them pause. Frankly, I'm amazed it hasn't happened.
The truth is 90% of spam comes from open relays, that is SMTP servers that can be tricked (a bit like lying to a 5 year old) into accepting and sending out massive ammounts of mail. Simply blocking open relays using The Open Relay Database at http://www.ordb.org/ or other open relay checking utility will save you lots of time if you run your own mailserver. When we can bascially negate the usefulness of open relays to spammers, they will then have to rely on their own bandwidth for the most part providing they cannot comprimise other "closed" relays.
I am in full support of using the broad-powered, freedom crushing Patriot Act in apprehending and imprisoning spammers. We might as well get some good out of it.
According to this site, spammers are constantly changing tactics to deal with anti-spam filter. So the site is trying to use human to catch any changes in spammers' styles.
So, are spam filter changing at least as quickly as spammers?
Rock that crushes, Paper & Scissors that don't matter.
A nice fool proof system, while a bit of a hassle, would effectly remove spam. PGP uses a white list of sorts, that only allows people to send you encrypted messages that have your public key. This in a sense could be done with email. Someone wants to send you an email, and has your email address. They send the small request to your mail server (1-2 KB in size) with their name, email address, and name of their mail server. The mail server holds this information and notifies you that a new sender is awaiting access. You then:
1. Verify the identity of the sender, okay then, and the sender is then given the return request, and is notified that they will be allowed to send emails.
2. Deny the sender, and all their emails will be bounced back.
Yes, spoofing problems still exist, but this system could be expanded, and guess what, you only recieve email from people you want to, and the mail server acts at the first point of defense.
This would require more complex and smarter mail servers, but it would make the every day user's life so much more simple.
ce n'est pas un Sig.
Why couldn't you set up some kind of email password system? You would need a password of sorts to send an email to someone, and the passoword would be checked by their mail server. Anything that's good goes right throught, and anything that's bad goes to a separate folder just in case you ever need it.
that the challenge/response could be outsourced to.
Only kidding (I think).
The Internet is full. Go Away!!!
My free anonymous (as in they can only be traced back to a common e-mail account on my server) e-mailer uses a simple quiz to keep spammers out.
The form page records the IP address of the visitor along the with the question number they were given in a file named with the IP address. That number is never sent to the client. When they hit submit the file of their IP is opened, the question number is read in and the answer given by the user is compared to the stored answer. The file is then deleted and if the answer was correct the e-mail is sent. Otherwise it's not.
This forces my custom form to be used to be able to send the e-mails. And it's not possible to simply keep refreshing the submit page to keep sending the message.
And the challenge is in the form of old riddles and a couple new ones like "what's your favorite color?"
Things a bot would never get but that anyone who knows how to use Google can. Someone would have to program a custom bot with the answers in order to even attempt to spam. And even then since everything goes through my mail server nobody is going to sneak garbage past me for long and I know who your ISP is.
I also include a disclaimer with every e-mail. It'd be quite silly for me not to.
Ben
Work Safe Porn
I think the author of the article is correct. Having a system whereby anybody can communicate at virtually zero cost without unsolicited commercial messages are mutually exclusive goals. I think that for most people, a simple whitelist is good enough, along with the understanding that there is a small chance that email between new contacts will be blown away.
In Soviet America the banks rob you!
SPAM is like popups. The one day you find a solution to stop it, the next day they find a new solution to send it. It's a never ending cycle get used to it.
Well, at the risk of sounding like a broken record, SMTP itself is the problem -- it's badly broken, security-wise, and needs to be fixed. It's going to be painful to move to a new mail standard, or to change SMTP so that it's not broken, but that's what needs to happen to stop spam. Thankfully, our friends the Russian Mafia and the ever-growing number of Windows zombie machines are making spam levels so great that, sometime soon, spam will represent such a large percentage of e-mail traffic that fixing SMTP will be necessary, not just something mail admins like myself wish for.
BTW, does anybody have a good figure on what percentage of all e-mail spam represents these days? I'm talking about *all* traffic, too, not just what ends up in peoples' Inboxes after all the filtering going on out there has done its job.
How To Get Humans To Mars
The linked article is part 2, Part 1 is here.
Rock that crushes, Paper & Scissors that don't matter.
I am not recommending mailblocks, I belive there is a sourceforge project called TMDA which does the same thing. Having said that, my experience comes from using mailblocks:
...
-cr deadlock: This does not exist because when you e-mail someone in a challenge and response system, it automatically assumes they are friendly. So if they have a challenge and response system, it will make it into your inbox, because you e-mailed them first
-automated systems He is correct here. Personally I hate when friends submit my e-mail to third parties without my consent so I do not mind missing these e-mails. I have caught a few while searching my pending folder, and inform my friends I rather have them e-mail me directly.
-interpretation challenge I believe he is wrong here because of a fundamental issue. When dealing with spam filters, the onus of working out refinements is left to the spamee, to make sure they filter out all spam. If a spammer adds a new technique, they get around the filter. With challenge systems, you have a few methods waiting as backup. When a spammer finally figures out how to read your words through AI, you simply change the challenge system and they are back to square 1 in trying to figure out how to defeat. As long as you have a few methods waiting in the wings, the spammers can easily be defeated, and have huge amounts of work to do.
if you doubt this, write an AI system to defeat hotmails gifs. Now what if the next day instead of showing a word, they show you a picture of 3 fire trucks and 2 police cars and ask you how many police cars are in the picture, etc
-Nuke the moon
Was out to lunch with three colleagues today and the subject of anti-spam measures came up.
I managed to appall the one from Berkeley by suggesting that the most practical solution was probably a moderate-size bomb.
B-)
But seriously:
In an arms race, weapons eventually defeat armor. Spam will continue until two real-world things are BOTH brought to bear on spammers:
- Economics
- Muscle
If a governmental solution applying both is not forthcoming soon, I predict that there WILL be vigilantism.
In fact we're already seeing it.
For instance: Subscribing the Detroit area spammer and his lawyer to enough real-world junkmail lists to bury his bills and other US Main correspondence in several daily truckloads of catalogues and other solicitations.
Soon to come: Retaliatory information-war software directed at DDoSer / spammer zombi-net machines. (As discussed in a recent Slashdot article.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
**note location of tongue**
Of all the odd places to find anti-spam technology, was this killer solution in WalMart. Yep, it turns out they have a remarkable tool that convinces spammers to stop spamming! I was AMAZED. This tool usually only has to be applied once, and the affect lasts for years. It doesn't require updating or re-installation. I was also suprised to find these very same tools in other places, like sears, and even in a "sneaker" store. What is this tool you ask? An aluminem baseball bat. It seems sadly though that there is a law protecting spammers. I believe useing this AWESOME anti spam technology falls under something called assault There is hope that exceptions for spammers could be provided for in a constitutional amendment!
**note location of cheek**
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
I don't bother getting too deep into downloading too many 'new improved!...' filters. I block entire damn countries/netblocks. Besides I don't know anyone in korea, brazil, china, nor any other one of the massive spamming countries. I configure postfix to filter out a lot and the minute I receive one spammed message, I always whois -h whois.apnic/arin/ripe/lacnic offender and block their entire range. I also have spam assassin running and I have to admit I get about maybe... maybe... 4 spams a week not kidding. Again though this is my personal machine.
block return-icmp (8) in proto tcp from 24.76.0.0/14 to any port = 25
block return-icmp (3) in proto tcp from 81.208.64.0/18 to any port = 25
block return-icmp (4) in proto tcp from 163.121.163.0/22 to any port = 25
block return-icmp (4) in proto tcp from 82.77.83.0/24 to any port = 25
block return-icmp (4) in proto tcp from 61.247.224.0/19 to any port = 25
block return-icmp (4) in proto tcp from 217.132.0.0/17 to any port = 25
block return-icmp (4) in proto tcp from 62.103.204.32/27 to any port = 25
block return-icmp (4) in proto tcp from 210.111.224.0/17 to any port = 25
block return-icmp (4) in proto tcp from 144.135.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 195.166.224.0/18 to any port = 25
block return-icmp (4) in proto tcp from 61.228.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 207.144.229.0/24 to any port = 25
block return-icmp (4) in proto tcp from 193.252.22.160/28 to any port = 25
block return-icmp (4) in proto tcp from 200.0.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 209.202.192.0/18 to any port = 25
block return-icmp (4) in proto tcp from 83.32.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 68.38.64.0/8 to any port = 25
block return-icmp (4) in proto tcp from 219.240.0.0/10 to any port = 25
block return-icmp (4) in proto tcp from 195.57.218.0/25 to any port = 25
block return-icmp (4) in proto tcp from 129.79.245.98 to any port = 25
block return-icmp (4) in proto tcp from 24.150.0.0/19 to any port = 25
block return-icmp (4) in proto tcp from 24.205.28.0/21 to any port = 25
block return-icmp (4) in proto tcp from 220.116.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 200.128.0.0/9 to any port = 25
block return-icmp (4) in proto tcp from 212.81.64.0/17 to any port = 25
block return-icmp (4) in proto tcp from 32.10.58.0/19 to any port = 25
block return-icmp (4) in proto tcp from 210.183.110.0/20 to any port = 25
block return-icmp (4) in proto tcp from 134.196.0.0/16 to any port = 25
block return-icmp (4) in proto tcp from 24.60.88.0/23 to any port = 25
block return-icmp (3) in proto tcp from 24.190.8.0/24 to any port = 25
block return-icmp (2) in proto tcp from 24.98.77.0/23 to any port = 25
block return-icmp (2) in proto tcp from 24.173.29.0/23 to any port = 25
block return-icmp (2) in proto tcp from 205.206.176.0/23 to any port = 25
block return-icmp (2) in proto tcp from 172.128.0.0/10 to any port = 25
block return-icmp (2) in proto tcp from 200.171.99.0/24 to any port = 25
block return-icmp (2) in proto tcp from 200.171.97.0/22 to any port = 25
block return-icmp (2) in proto udp from 200.171.97.0/22 to any port = 25
block return-icmp (2) in proto tcp from 68.62.80.128/25 to any port = 25
block return-icmp (2) in proto udp from 68.62.80.128/25 to any port = 25
block return-icmp (2) in proto tcp from 218.76.0.0/17 to any port = 25
block return-icmp (2) in proto udp from 218.76.0.0/17 to any port = 25
MoFscker
This should be modded flamebait. Talking about violence as a solution to spam is frankly just total bullshit.
If you get that angry because of hitting delete (even if is an excessive number of times) you have an anger management problem.
Why don't you embrace your slashbotness instead of living in a dreamworld?
One "solution" which seems to be missing from this article is the "verify each stage" solution. You know, close down all open relays and implement a C-R system between the mail client and the server (password authenticaton to send?) and perhaps between servers too (a public-key challenge before transfers between servers, e-mail transferred in bulk after said challenge for speed reasons). The idea being not so much to make spam disappear, but to make all e-mail clearly and easily traceable so that no spammer would want to keep operating, and allowing any spammer who continues to operate to be tracked down.
Perhaps one of those SMTP fixes or SMTP alternatives mentioned at the end implements this idea? Anyone have more info?
As stated in the article's summary, the main problem with most spam-filter is the need for constant maintenance. We need a solution that requires ZERO maintenance by the joe-users, and yet cost-effective enough to implement.
My ISP seems to have a so-called "Watch Dog" spam filter, where they actually hire people to read spams and filter them manually, that's probably the most effective way to filter spam, but I wonder if it is cost-effective though.
Prior to this October, telemarketing calls were a national scourge. Amazingly, since we signed up for the Do-Not-Call list, we've only received 2 illegal calls. I'm rather surprised, in fact, at the relatively uniform acquiescing to this law. While spam, coming from all corners of the earth and is more anonymous, will be harder to enforce, some law with real teeth may be a good start.
First, Microsoft should bite the bullet and by default not execute executable attachments in email. They should also not obfuscate certain file extensions such as .pif.
Second, companies selling products via spammers should be held equally guilty as the spammers themselves.
I've been using SpamBayes for about 4 months now, plugged into my outlook (Don't ask) with a very high degree of success... It seems to me that if email is to remain a free(as in beer) and open part of internet infrastructure, and in fact our lives, that in-box solutions are the only way to go.
The many problems with challenge solutions and the like meen any hope of seamless introduction and integration into existing business processes is not likely, and seem to keep pointing us back to the inbox for our filtering. Aside from "e-stamps" (yuck) I just don't see a reliable alternative anywhere in the near future.
Then again, I could be full of crap.
I am become Troll, destroyer of threads
The only thing that will work in the end is some sort of distributed reputation management system. To a certain extent that is what RBLs do, except they are on or off. SpamAssassin does offer shades of grey to the RBLs (differening weights to each one).
To a certain extent this is what we already do in real life. We 'judge a book by its cover' as a first pass (for example people will often walk past a beggar in the street completely ignoring them) and then include other factors. How polite they appear, where they are from, recommendations from friends etc
All other mechanisms suffer from a determined spammer being able to get around them as the article pointed out. Any mechanism that prevents some spammers makes things more lucrative for the rest.
Spammers will not go away until they stop making money. If we could make people stop clicking links in the spam, or buying their products, spam would go away tomorrow without the need for any kind of filter. I'm clueless how that's supposed to happen though. It's seems that your average computer user will click everything that comes into their mailbox.
Your example is EXTREMLY easy to break.
You need the same font that is used on their page.
Then you loop through every possible starting position and every possible letter. When the pixels occupied from the letter have all the same color and the pixels surrounding them havent, you have a match.
Afterwards, you just need to order the letters according to the starting pixel.
Heck, if you put some money behind your challenge, I might write one, that breaks your example, over the weekend. If you send me the code you use to generate the image, I'll break it overnight.
For a real challenge, use at least something as the yahoo challenge from the article and add some random noise. This will make it harder, but I bet it would still be possible with a good (and perhaps adapted CR).
Remember, if you can reverse engineer their algo that produces the challenge images (and that is not difficult as you dont have to get exactly the results as long as they are similar), you can generate an infinity of training instances for your CR that can run automaticly.
And a CR trained with billions of instances will become VERY good (possibly even better than humans).
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
1) Tap the Slashdot and creative communities to produce a series of anti-spam TV/radio/print ads on the theme of "Spammers are Scammers." Smear all spammers as scam artists who sell fake merchandise and steal credit cards, and their customers as stupid losers.
2) Get media outlets to run them for free as public service ads.
Yes, I know this isn't a 100% solution. However, it is relatively low cost, and requires no new laws, software upgrades, or Internet standards.
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
- I run SpamAssassin and ClamAV on my server and check all inbound mail against a series of RBL lists; and
- All mail POP'd into my Outlook (yeah, I gotta use it - no flames!) gets checked using the free-and-excellent SpamBayes.
Works in the bakcground with damn-near zero false positives, and doesn't require Microsoft-pushed e-mail postage, changes in the e-mail RFCs or anything else.The tools are out there. If you use them, spam isn't nearly as much of an issue as the press makes it out to be.
*Well not everyone in the Real World anyway -- here on /. we all run our own boxes, right?
"It was a summer's tale: Just a boy, his Linux, and a head full of dreams..."
What I take issue with is this paragraph from the article:
This is leaving out a key feature of any decent challenge system... When Bill tries to send an email to Charlie in the first place, Charlie's email address is automatically added to Bill's whitelist. So Charlie's challenge, showing his address as its source, flies straight to Bill's Inbox without a hitch. If Bill were so arrogant as to think he could send email to someone not on his whitelist, then he deserves not to have his email go through.[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
And here I thought the article was going to give help on how to increase my profits in sending viagra ads and other spam.
There are plenty of tasks that you can do that computers find nearly impossible. Facial recognition is a good one. Humans do it easily all the time. Computers are trying, but still screw it up badly. Musical recognition is another one. A human can easily pick out individual instruments in a peice, and can tell that the song is the same even if it is a complete different orchestration and mix (like a remix for example). Computers are confounded by this, even when they break something into component sine waves. Pragmatic language interpreatation is my favourite. Even when people speak non literally and indirectly, you still have no trouble with their meaning. You can also tell which level of meaning they want, and successfully decode the other levels if asked. Computers are lucky if they can get the literal direct meaning out of a sentence, never mind anything else.
So, just because a human can do it, doesn't mean a computer can. I don't know about any of these image schemes, I've never played with it. However if you make it sufficiently hard for it to recognise characters form background, and one character form another, it's screwed. Computers have trouble with fuzzy and incomplete information that humans are so good with.
Also remember it needs to be feasable to do in a reasonable time. Maybe you develop some whiz-bang image recog program that can take amazingly distorted text and figure it out. If it takes 5 minutes to process a box, it does you no good anyways, too much time to be worth it for this use.
Someone, either me or the author of the article is on crack. I was under the impression that one does not have to have private key in order to validate the signature.
Lets assume that there are CRT records that store SSL certificate for clients allowed to send mail on the behalf of the domain.
Now somebody tell me, in which step one needs private key to verify certs?
Robert
Bastard Operator From 193.219.28.162
I keep hearing about all these different methods of using authentication to curb spam. However, the problem is a little bigger than the minor inconvience that you recieve from having to delete 10, 100, 1000 e-mail's from your box a day. The real problem is the disgusting amount of traffic dedicated to sending out spam. While it would be great to block spam when it hit's my SMTP server, the traffic is still there and possibly doubled if my server sends a reply. We need to find a way to address this problem from the source before it bogs down pipelines.
Ok so I guess I'm all talk because I can't think of a single possible solution, but I do feel that this is the approach we need to take.
Make no mistake...
The most effective spam solution at this time is RBL blacklisting. Bottom line.
When you take into account that the biggest problem of spamming is bandwidth consumption and network resources, there is NO better way than blacklisting spam sources and refusing to communicate with them.
Services like Spamcop's RBL really piss off the spammers. All client-side filtering is counterproductive and ultimately useless as you constantly have to update the systems to catch new efforts on the part of spammers to thwart the filters. At least with RBLs, the spammers' connections are immediately refused as soon as they're ID'd.
If you want to identify what is the most effective solutions, it's simple. Look at what pisses off the sleazebag spam community the most. That's relay blacklisting. They don't DDOS the moronic client-side filtering companies because the spammers know they're useless, and even if they're not, the spammers can't tell. What hurts them are when systems say, 'screw you spammer, (click)' and that's done via relay blacklisting.
Why are spammers increasingly changing mail relays and pursuing open proxies? Because of RBLs. Even AOL uses RBLs (including Spamcop). All the major ISPs look at the RBLs because they are THE most effective way of stopping spam. And they're the only way to actually shut down the spammers.
Forget client or server-side content-based filtering. They will NEVER work. RBLs are responsible for forcing spammers into corners of IP space, forcing them to deploy worms and viruses to infiltrate new IP space (which exposes them to more prosecution). RBLs ** WORK ** !
The problem comes from the fact that any reasonable fix I can think of necessitates breaking compatibility with the current version. Well e-mail is, by it's nature, a tool for collabration. It is useful precisely because I can send it to anyone with an e-mail address. So I'm not going to upgrade my server if that upgrade means I can't communicate with anyone anymore.
No, the REAL solution is prosecution. Not just for the spamming, but for hacking. We know spammers pay to get systems hacked and viruses written. The government needs to track this down, find out who paid for it (not going to be hard, your average virus writer is not going to want to go to prison) and then lawyer the fuck out of them.
It won't stop it, but it will reduce it to managable levels, and I can't think of a workable technical solution that will.
while his credentials certainly would put him in a far better position to know these things than i am... i find his death and doom attitude annoying... he doesn't really address the parts of anti-spam that do work.. he glosses over them, and then hypes the parts that are broken.. without any sort of proof if i were to mod the article it would probably get something like +2 informative -2 Overrated -1 Flamebait and -1 Troll
And, no, I should not have used the goddamn Preview mode first.
Drug dealers and mobsters have been killing each other in bloody shootouts (or swordfights or whatever) for centuries and it hasn't slowed them down one bit. I don't see it being different for spammers.
Consider that both the sender and the recipient have a C-R filter. How will either one get the challenge? Wouldn't it just end up in an infinite loop of challenge e-mails? Or is there something I'm missing?
Crushing dreams at the speed of sarcasm
One proposed solution I would love to see getting more attention is SPF ("Sender Policy Framework"), which allows each domain admin to specify their email sending policy using existing infrastructure.
See the SPF site or read this month's Linux Journal to find out more.
Executive summary of SPF: Just use DNS to specify where mail from your domain may originate from. If everyone used this, we could have domain blacklists that actually work.
Do an "nslookup -type=txt psychogenic.com" to see an example entry. And if you manage any domains, please consider doing the same.
I had a chat with a Veep that was hired on to a company I used to work at. Very down to earth guy, very friendly. We got to talking about spams and semi-legitimate emailings to customers, etc.
He had one very interesting tidbit; stick with me for a sec here. Most companies outsource their semi-legit stuff because they get reported as spammers and whatnot, or it bogs down their email server/network, etc. No surprise there- however, the interesting tidbit is that the outsourcing companies turn around and outsource to Indian firms for handling the bounces. There's literally a room full of people in India, sitting there answering those challenge/responses and updating the client's customer email list(unlike spammers, it really is in their best interests to minimize failed deliveries). It sounds "expensive", but it's not, considering how few people use challenge/response systems. Further- a reasonably smart human can get familiar with all the various systems quickly(an hour or two, I'd guess, tops) and probably process close to a message every few seconds with a client program set up to do that limited functionality smoothly. Best part- if your client does several mailings, unless the recipient goes in and removes you, you're clear for future emailings.
Please help metamoderate.
What is wrong with using a combination of a hashcash type approach in conjunction with cryptographic signing to address the shortcomings of both.
Thus the following rules for the user:
If an incoming email is cryptographically signed by someone on your whitelist, accept it.
If an incoming email has made hashcash payment, accept it. The user then decides whether to accept future signed messages from the sender.
Other incoming mail is returned to sender instructing them to make hashcash payment.
Sign all outgoing messages, and also generate hashcash if you haven't previously sent to the user.
How this affects the downsides:
Mailing lists: Would generate hashcash payment for the subscription process, but regular mail messages are just cryptographically signed (i.e. independent of the number of subscribers).
Unequal taxation: May still be a concern if your machine isn't up to the task of signing the bulk of your outgoing messages.
Robot armies: Users (should) quickly notice if their machine is burning the CPU generating hashcash tokens and address the problem.
Legal robot armies: I don't see what the problem is here -- the sender is still having to pay to generate the tokens, so the economics of spam are changed.
Automated abuse: Hashcash payment is required for all initial messages, so generating countless certs doesn't help.
Usability: Crypto signing is done with self-signed certs (e.g.: PGP) so no central CA is needed.
What we need is a sniper at a Spam convention to thin out the ranks a bit... There's probably hundreds of pyschos out there into all kinds of weird stuff. Why can't a few be interested in offing a few of these spamboys like me? Waitaminute....
This isn't the solution to all spam, but it solves a lot of the big failures of the SMTP protocol. Sender Policy Framework.
o ng -spf-00.txt
.forward or alias is processed, the From: is changed to the email address that recived the mail. This will require as much work as the work to eliminate open relays has been. and it may never be 100% until the standards are officialy changed, and vendors change the default settings.
http://www.ietf.org/internet-drafts/draft-mengw
SPF removes the posibility of From: spoofing, by publishing a list of valid servers that are allowed to send mail for the From: domain.
try this command: 'host -t txt aol.com'
You will see a list of valid servers, and "?all" says, be warry of other servers. If it said "-all" it would be block alll servers not listed here.
The big huge major drawback to this system is email forwarding and aliases. The example I like to use is.. I subscribe to debian-devel@debian.org to an email account, and then that account forwards to my home server. The mail would bounce because the email came from a server not in the debian.org approved list.
The solution to the forwarding problem is header-rewriting. When a
A related note- the current Microsoft anti-spam solution, Email Caller ID is currently being boycotted.
æeee!
That you have a small dick.
Oddly enough the spammers name was "Fagin", as in the Oliver Twist villain, and he was born with that name.
so you suggest a "hack" to SMTP that wouldn't solve the problem. and then, because your hack is unfeasable you suggest that the problem cannot be solved.
Besides, blacklisting spammers is not a new idea and yet somehow SPAM continues to clog our inboxes. Perhaps it's not the silver bullet you're claiming.
why exactly would it be difficult to have a system that guarantees that the sender's address on the email is the actual sender? and that the date on the email is the date it was sent?
why can anyone with a computer and a connection to the internet send out millions of emails?
what exactly is the advantage provided by SMTP that there's so much resistance to changing it?
It breaks my pluginses, my precious!
And allow disposable passwords to register for stuff and be able to block the spam afterwards.
You could even give different passwords to different people, so you'd know who's responsible for some spam you're getting because he typed your e-mail + password into a "send an e-mail card" website.
A rotating password on your website could even allow some fans to contact you, while making it impossible to harvest and ship on a CD to spammers (password expires after 12h).
I guess we'd need a new "Password: " header in mails, and some minor changes to e-mail clients to filter incoming mail based on passwords, and to store passwords in the addressbook for outgoing mail.
If it's something that you have to explain to your parents how it works, then it's just not a mainstream solution. Besides, you're still talking about text, and if the answer can be found on a Google search, then a script can figure it out, too.
I like the challenge-response system, but instead of text I think they should use pictures. "Type in the name of the object in the picture, the first letter has been provided for you." Provide the first letter because some people will see a tiger and think "Lion" and the first letter will get them back on track. Show all of the images as grayscale so that image scanning software can't tell the difference between the yellow of a sunflower and the gray of a building.
The big problem with mail filters, as the article mentions, is that they need to be updated when new spam technologies appear... and there's also a lot of false positives... I gave SPAMfighter a try (from www.spamfighter.com) and although it was a bit worse at finding spam (At first), I never got any false positives. The way it works is that the "filters" are actually some kind of hash that users submit whenever they block or unblock an email (it analyses the whole content I think, not just the text). So if a new type of spam technique appears, the users will just block it. And unlike many other client-side plugins, it actually works on Outlook Express.
Another one I recomment is Spambayes...but there's the problem with false positives. All the other ones I've tried are utter crap.
Best regards,
Alex Ionescu
Relsoft Technologies
Today, I just set my cron job that does salearn --spam on my missed spam folder from once a day to every 30 minutes.
The best spam filter I've found so far is Spambayes. It's also free. Does a better job than any of the shareware ones i've seen so far.
For a new account that's never been seen before, or worse yet, a new domain that's never been seen before, the number of knock-knocks (of any kind) they should be allowed to make should be limited.
Afterall, if somebody new out of the blue wants to speak to a large users on your mail server, they deserve some checking into. They're at least a new mailing list who is growing at unheard of rates. Better to blacklist them until they've been proven worthy.
Cumulate stats for new accounts, new domains, and new originating SMTP servers both individually and by IP space. Any that pass their speed limit are shut off. And, if it just so happens that too many new accounts are coming from the range of 0.0.0.0 to 255.255.255.255, well, it's time to shut down for a bit...
I have an interesting idea to force ISPs to crack down on spamming customers...
This basically works only if the spamming ISP is from your country. Which is why blacklisting of foreign IPs is still necessary.
But for domestic ISPs who don't reign in spamming, someone should post the 800 numbers of ISPs that don't crack down on spamming. Put up a web site listing the 800 numbers of the ISPs that are top-ranked in harboring spammers. Most of them have 800 numbers.. if everyone calls these ISPs and complains, or at least takes up air time, it costs them money, and money seems to be the only thing that motivates these companies.
Yes, spam changes over time, but Bayesian filters naturally adapt over time. Of course, the downside is that as spam mutates you will get it in your inbox and have to manually mark it as spam, but I've found that this is somewhat more of perverse pleasure than a chore. (For more on why filters aren't an ideal solution, check out this article...)
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Comment removed based on user account deletion
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
"then it's just not a mainstream solution"
This isn't for the mainstream. And it's not difficult for anyone to get the answer. A computer may exist that can find the solution but it's a lot easier and a lot cheaper to bark up someone else's tree.
"If it's something that you have to explain to your parents how it works"
Why would I have to explain to my parents how to answer a question? And why would I force them to go through a script? I can access the common account from any e-mail client since I have the password. All the script is, is a custom e-mail client.
There are a million and one ways to organize a challenge system that will confound any computer that a spammer has access to. If not completely, to the point that it's a waste of time to try to break the system.
You seem to be confusing what computers can do with what is feasible.
"Besides, you're still talking about text, and if the answer can be found on a Google search, then a script can figure it out, too."
Scripts can't understand context. They may find the question but they won't be able to discern what text on the page is the answer. It's one thing to just assume it can be done and quite another to assume someone is going to go to the trouble of trying it.
The only reason to try to break a script set up like mine is purely academic. It takes all of two seconds to break the script so that no answer is correct and then a day or two to swap it out with something else.
The amount of effort needed to break a bot is infinitly less than the effort needed to come up with the bot.
"Show all of the images as grayscale so that image scanning software can't tell the difference between the yellow of a sunflower and the gray of a building."
Why? Anyone with that kind of money to afford such a system that could do those opperations has the money and know how to set up their own anonymous mailer.
Again, you're confusing what's feasible with what's possible.
Ben
Work Safe Porn
Always depends on the amount of money involved.
:
Neural networks offer a good solution to fuzzy problems. An interesting point of neural networks is that you can train them and once they are stabilized you can burn them into a chip.
Making the chip isnt cheap, but once you have one, you can run it at MHz speed and decode one image every cycle! So a challenge that takes a long time on a normal PC will just take one cycle on dedicated hardware. And as spammers will be likely to get such dedicated hardware, every time advantage is void.
And about your problems that are currently hard for computers : The problem with these is that you either
- have to classify a limited number of examples by humans. Than spammers could just get all examples and classify them by hand too.
- or have the computer generate an exemple following some rules. In this case you have rules + random noise. But noise reduction has become quite good and I dont know any example of a rule that can easily be reversed by a human but not by a computer (an "one-AI-way" function?)
And on facial recognition : there have been huge advances in facial recognition lately, to a point where there are the first prototypes that use facial recognition as a password.
There is still work to do to recognize a face from any angle, but even there is progress.
Since AI has stopped doing nothing other than trying to pass the turing test, there has been a huge advance on practical applications of it.
Thinking in concepts (needed for natural language) is really hard.
But just recognizing things is much easier and AI is getting better and better at it.
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
The CR traffic does not need to be filtered.
It's a UI issue is all.
Consider for example, a system in which I send you
a cold email. Your MUA caches it, and sends me a
challenge token. My MUA recognizes the challenge
token and the fact that it corresponds to a sent
mail. It gets flagged and replies with my response,
a pgp public key. Now you can see my mail, and
decide if you want to blacklist me, or whitelist me.
All future mail is private.
It's just software -- go write it.
-I like my women like I like my tea: green-
Try looking between shit and syphillis in the dictionary.
I am noting that each character is a single, solid, filled region of one color, without aliasing. The background is a repeating pattern of different colored lines
You could do a reduction looking for regions that are two are more pixels thick, and leave only the letters... very simple operation. Then all you have to do is use correlation against the constant font, iterating through each letter, and mark the position of highest value, sort by increasing x, then record the letters found sorted by x, and then post into the box.
If I had access to matlab this semester, I could code a solution in about 6 hours that would crack it in less than 5 seconds, for any image.
Even if they used noise, you can still use a least-squares match with the original font set (just a dumb iterated correlation/RMS/sort operation) to find a position 99% of the time. If noise is a problem you can apply a spatial "emboss" type filter and use letter outlines to match instead of letters themselves.
And if the computer make a mistake because it got a pathological one, maybe the next one will work. No big deal. Just detect the error on the resulting page and try again.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Humans do them lal teh tiem.
... and remember the Slashdot story a few weaks ago where a computer spam filter was MORE accurate than the human testers. (Yeah, it probably was spam filter reads whole message vs. human reads only subject, but still ...)
So you cant just block someone after one mistake.
You just have to get your computer program better than the average typo occurance.
Oh
I think there are many tasks where a well trained computer program will perform even better than the average human.
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
most C/R engines use a constant suite of pictures and words because the pictures are too time consuming to create on the fly... so the signup page might take too long to load.
:-)
What the spammers do is just download as many challenges as possible, solve them, and store the hashes in a database.
When the harvester goes out, it is likely to encounter many of the challenges a second time, and it already has the answer.
If it doesn't know it, it flags the spammer, who identifies it offline, adding it back in, and the database is that much more useful.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I think we are attacking Spam from the wrong direction. Attempting to stem the flood of incoming spam is tough - everything about the identity of the incoming spam can be faked. However, we could alternatively attempt to prevent the replies going back the other way.
There are two inevitable facts:
1) In order for spamming to be worth someone's effort, they have to somehow get money from people. If NOBODY replied to them, then spamming would stop overnight.
2) Something in the content of the Spam must be real - a reply address - a web site, a phone number or something. Block traffic to that location and the spammer gets no money and dies.
Hence, I think they may be vulnerable. Educating people not to reply to SPAM would help - it only takes a mere handful of people to respond to a SPAM to make it profitable - but if education could drop that handful to a mere one or two - then we could succeed in putting more spammers out of business simply by cutting their margins to the point where it wasn't worth the hassle.
Where are the TV adverts: "Replying to Spam is Bad!"....we know that the morons who reply to spam are suckers for advertising - they are as likely to believe a well targetted TV advert as a crappy email shot. If Spam is costing the ISP's as much as they say it does - then funding some TV ads might not be impossible.
What if we made it illegal to respond to an emailed advertisement that was not clearly labelled as such, that would help to deter people from responding. Such a law would be next to impossible to enforce - but we are trying to deter the gullible here - so it might not have to be enforcable - just very well advertised.
Since every SPAM has to either advertise a product that you can buy from somewhere - or direct you to a postal address, a phone number or a web site - then that route for getting money back to the spammer could be blocked.
The return route has to be genuine. There is no point in them sending you a fake phone number or faked web address. If the phone companies (who are often also ISP's - or have at least some cause to want to kill spam) were to block calls to and from phone numbers that were seen in Spam - then the reverse route for the money would be curtailed. Whilst you can afford to change the aparrent source of your spam and fake those addresses for each new mail shot, you can't change your phone number for every couple of dozen orders you take. Similar considerations apply to web sites and postal addresses.
If it was required for credit card companies not to transfer money to businesses that employed spammers to push their goods - then that would also help some.
It wouldn't take many people to deliberately reply to spammers - to lead them on into thinking you want their product - to send them fake cheques or bogus credit card numbers. If they only get a handful of positive responses per million spams - then it wouldn't take more than a few determined people per million (eg ISP employees) to clutter up the the spammer's cash collection mechanism to the point where it's too much hassle for him to sort out the real orders from the bogus ones.
I don't pretend to have all of the answers - but there seems to be far too little creative thinking along these lines.
www.sjbaker.org
In the case where bob's email address is spoofed, wouldn't a cr loop be a Good Thing?
Laws are horrible moral guides, moral guides make even worse laws.
that you would still have to sort thru every new message that came in, even if it's just "yes/no" to the address, in which case you havent really solved anything.
Naturally we may be inclined to believe that this grants us superiority to the computer. That, while stating some arbitrary facts taken from some textbook somewhere, a computer can never accomplish X objective.
Therein lies the fallacy. The computer does not identify that it is in an infinite loop, nor can it, because it is not given the benefit of looking at the actual code. If a compiler were designed to read into code for things like while(true) loops, which naturally could result in infinite loops, then already you would be cutting back on the instances of these problems.
Determining if there is an infinite loop requires a conscious understanding of the code itself, which is no trivial matter. It is not, however, something that could be deemed impossible.
As with all fields of science, there will be those who say "Well, I haven't seen it yet, so it will never happen"... but skeptics are everywhere, and the presence of skepticism is hardly a measure of credibility... rather, a measure of how pious certain peoples assumptions are.
Solutions are always found in math, and never in magic. Don't underestimate the computer, and more importantly, don't underestimate your own brain. You don't perceive things the way you do 'just because'... and that's what's so exciting.
You do realize that image recognition is one of the *hardest* tasks to do with a computer right? It would probably be cheaper just to hire a person to respond to the challenges than to automate this. Just like it is cheaper to use people to sort parts and insert them into a machine than it is to make a robot to do it.
... their newly validated email address can be blacklisted. If the email address is blacklisted quickly and broadly (through spamhaus or similar), then it will miss most of the intended recipients. Again, this increases the costs of sending SPAM.
In and of itself, it would be computationally difficult (if it is even possible) to scan these images consistently. Implementing such a thing would increase the cost of spamming sharply (image recognition is way more resource intensive than sending email).
It's worth noting that TMDA.net includes the ability to include these kinds of challenges in the response but does not use them. Why? They aren't necessary. Spammers don't use valid email addresses to send their emails. Forget the question of whether they could automate responses; they aren't set up to receive responses, much less answer them. This is unlikely to change, as receiving responses would double the work of sending spam. Answering the responses would triple it -- even without complicated challenge systems.
What happens if they do create an automated response? They successfully get through so that
No one method is not going to eliminate SPAM. Every anti-spam method has a response. However, each response increases the complexity of spamming, which reduces the profitability.
There is no CR deadlock problem. Yes, it is theoretically possible, but every Challenge/Response system has checks to handle this. In particular, if you send someone an email, TMDA.net whitelists that person. Thus, when you get their challenge, you will accept it rather than challenging.
It is true that automated systems will have trouble with challenge/response systems. After all, this is the whole point. Who cares? If you sign up for it, you can whitelist the sender. If someone else requests it for you, then they can answer the challenge (or maybe they don't need to do so, as they are already whitelisted). It would be easy enough to switch the tell a friend systems to launch the email client to send the email.
The author correctly reviews the issues with Computational Challenge systems. Mainly because those systems aren't well thought out (Thank You Microsoft).
I am unsure that public key interfaces like GPG offer much in fighting SPAM (although the encryption aspect can be useful in and of itself). Otoh, they are very good at whitelisting your own circle of friends and catching joe jobs in that circle. I have not done a more in depth study (any more than the author did) to see if they would work well in more general situations. My feeling is that domain verification like SPF is sufficient there.
The author's previous article mentioned the domain verifiers and once again missed the point. His two problems are mobile computing and domains that are host-less or vanity. He starts talking about sending email through ISP mail servers, but everyone already knows that this is incorrect. Instead, one should send through a mail server associated with the domain name by using SMTP AUTH. In general, vanity domains already come with these. Mobile computers should use these for security's sake anyway. Host-less forwarding accounts should demand that they get an SMTP server as well. Most of them already come with webmail (which has its own SMTP server) anyway. This is a downside but only a minor one.
Our security *expert* notices that POP mail authenticates in plain text by default. For some reason, he associates this with sending mail, even though POP is used by the *recipient*. Possibly POP before SMTP is the issue. Minor issue, since SMTP AUTH is strictly preferable to a POP before system.
He does make
http://ppedriana.homeip.net/blog/SpamScreensaver.h tml
So what, do you tell all your friends the password so they can send mail to you?
You know you could achieve the same effect by telling them to all put [this_is_the_password] in the subject line, and filtering out anything that doesn't have it...
Why change the protocol when the existing software can already do this? But I don't know why you would, it seems like it could be a nightmare: people have enough trouble remembering passwords as it is.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Just wait till telemarkerters combine open relays with VoIP... then you'll never be able to stop the calls.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I think there is a possible moral case for capital punishment against any form of intrusive marketing used on a large enough scale.
I'll explain by giving an example.
Lets assume a large scale spanner sends out about 6,000,000 spam messages a day (figured based on vague memories of slashdot articles). They does this 365 days a year. Let's assume that, on average, each of those emails wastes 1 second of someones time. This is a rough guess based on the time to recognize the message as trash and hit delete, or to setup and maintian spam filters, support the the extra load on mail servers, to vent anger and calm down enough to be productive, etc.
This means that they are wasting 2,190,000,000 seconds of other peoples lives every year. That means they are wasting a bit over 66 years of other peoples time per year. That means that they are wasting an entire human life a year. Even though they are only doing a little harm to many individuals, I see this as being the same as killing someone.
Yes, they make a lot of money, but in effect, they steal a life a year to do it. These figures are based on a lot of vague guess work, but they aren't THAT far out of line. I'm mean, would it be okay, if they only steal 30 years per year they are in business? 20?
I see legally sanctioned violence (meaning trials and executions or life imprisonments) as a reasonable response from society.
I also see this as a rough formula for measuring the damage done by any form intrusive marketing. How much time is someone stealing? Are we as a society willing to allow them to steal that much?
plus-good, double-plus-good
Don't ever say a PHD in Computer Science, and "15 years of experience in computer security" means you can't say something stupid. You're right, you don't need a private key to do authentication, you need the public key. The private key holder is the only one that can sign messages.
The fact that Mr. Krawetz doesn't understand basic public key crypto makes me question his credibility and this entire article. I don't make it a habbit of studying spam solutions, and I understand authentication schemes. This guy writes a damn article about it in Security Focus, and makes a MAJOR mistake about the very basis of public key authentication. Sorry Neal, but you're on my bozo list now.
AccountKiller
Drop SMTP in favor of a system where email is kept on the *sending* server until you request it. Sending an email would involve sending the message envelope (sender name, etc.) along with an access key (to identify you as the actual recipient of the email). If you look at the envelope and decide to open it, then you connect to the sending server and download the rest of the message.
Why this helps:
1. It moves the burden from the receiving server to the sending server. Sending now takes up ISP bandwidth and storage rather than putting that burden on the receiver's ISP.
2. As this is kept on the *original* sender's server, there is no point in open relays. You still have to reveal the *actual* mail server that is sending the email. Same with open proxies.
3. Because of that, blacklists work. You can now blacklist the storage facility IP, which can't be hidden (otherwise you wouldn't be able to connect and get the email).
4. Virus spammers can no longer send directly to the recipient's server (unless it will also serve up the messages). They will have to use an intermediate (sending) server. This server will be able to see that it is sending loads of messages, delete the message, and cancel the envelopes.
You can do sender verification as part of this as well if you like. The public key would go into the envelope.
The first result points to the Wired article.
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
The instant spammers start pumping out emails questioning Cheney's secret energy meetings, Bush's being AWOL from the National Guard, or what will happen as a result of the U.S. leading the way for nuclear powers to adopt preemptive strike policies, you can bet that the Patriot Act WILL be invoked to shut them down. Heck, for all we know, Guantanamo Bay already has a few spammers in it. Maybe this Orwellian nightmare isn't such a bad thing after all.
Publish TWO email addresses and let people use either of them.
Spammers will use both and if the addresses are alphabetically close you will receive the same spam in the same order at both addresses and have no problems getting rid of all of it.
With this 'parity even' spam elimination *I*/You really dont need anything but a lil comparatorator to get rid of all your spam.
I junk more than 1k messages this way daily.
About 80% are caught in the first pass (message sequence) the rest after the balance of the messages are compared when sorted by size.
Thanks very much, can we finally move off this silly topic?
i'm suprised no one wrote about mailwasher yet ...
its pretty simple , it connects and lists whats on the pop server, and lets you select what to trash (with the option to block entires domains) and what to keep (friend list). pretty soon, it has a pretty big blacklist & friend list and does most of the work by itself. It can also send a fake bounceback message, but i don't really trust it... http://www.mailwasher.net for the interested
Counter Spam Measure: Negative Feedback.
Imagine if all or some very large contingent of email clients allowed you to
"retaliate" against spam messages. Highlight message, select "negative feedback"
option, a daemon is spun that traces back as far as possible the route of the
message and barrages it some fashion. By pings maybe? By directed replies? Imagine
it does this in some scheduled fashion so as to minimize the impact on your local
network. As 1 million disparate sources converge upon the last traceable source of
the route of the offending spammer, some network somewhere will start to feel the
load. Like the spokes of a wheel converging on the hub, the retaliation traffic will
thicken as it closes in on the source. The pain increases. ISPs inundated by
individuals expressing their right to freedom of speech, will feel suddenly inclined
to exercise their right to refuse service to someone.
The "negative feedback" could be dosed in a coordinated fashion if there were some
P2P means of establishing how many individuals had received a particular spam. If a
spammer hits only a hundred people, the dose of retaliatory traffic would have to be
increased to be felt. If the spam hit a million, it would require only a modest
retaliation to utterly swamp the source.
Just thinking out loud. Could this be made to work? No one's free speech is
curtailed, spam is dealt a serious blow.
fight fire with fire.
The article and its predecessor (part I and II) do not provide any solutions. Both articles simply run down a laundry list of currently proposed solutions, explaining along the way why none of them will work.
Spam sucks, but this article doesn't help provide a solution. It does help frame the discussion, and provides coherent analysis of problems with currently proposed ideas.
Damn. I was hoping for a fix.
So what about this:
You start with a central certificate authority. I know, I know, bottlenecks. But you only need them to issue keys to (or sign the keys of) about 100 (or 1000?) servers. The signing authority has to be central, but the *revocation* authority does not. That's the key here.
So those servers can sign the keys of 1000 servers of their own and so on.
So my mail server tries to send your server an email. Your server checks if my key is signed by someone who is signed by someone who is signed by the CA. It also checks against its nightly downloaded revocation list. If everything is good, the mail goes through. Very little processor time, and very little bandwidth.
Suppose someone issues a key to a dishonest server? Well, enough people issue complaints and the issuer's key gets revoked. Or some automatied spamassasin type thing that auto-revokes the key after enough spams get spotted. No more spam from them, and maybe next time the admins are more careful.
This totally eliminates (i think) the threat of zombie SMTP servers on DSL and open relays.
Then the ball is in the park of the ISPs and server hosters (those with their own email keys) to keep spammers out locally. SLL login for SMTP? sure. C/R for each email sent through them? Whatever. Send anything over their open relay? Not for long.
Sounds reasonable to me. It makes it easier for the end user I think, and minimizes spam.
Any suggestions?
Muerte
This totally eliminates zombie SMTP servers on cable lines spewing spam.
As I've detailed before every time there's an SPF article on Slashdot, SPF is seriously broken in a number of ways. It was not produced by security people. Microsoft's counterproposal fixes a few of SPF's problems and leaves open a number more.
I thought that the article as a whole was a very realistic and down-to-earth view of what's going on -- it's really nice to see someone in the anti-spam world that knows what they're talking about.
I do have two points -- I really think that despite the drawbacks mentioned, cryptographic systems must ultimately become the final anti-spam solution. There are a number of ways to deal with the issues Neal brought up:
* Automated abuse: this is significant -- it does mean that no ISP can provide an abusable automated system for generating new certs. This is not an insurmountable technical issue, however. Is is an issue for the early transition to Internet-wide email cryptography. One can link trust of multiple identities, so that people can "obtain" up to, say, six new "identity" certs from their ISP per address in an automated fashion, but that if any of these certs are abused, the trust of all of them falls. There needs to be a secure system for granting certs already for webservers or for administering domains. It does not seem unreasonable that piggybacking one of these distribution systems could not be used for handing certs to ISPs/domain owners. If I go to work at a company, the IT people that set up my email client and whatnot just drop my "identity cert" in when setting it up.
* Usability: I see no reason for Neal's assertion that a CA going down would break everything as a problem. At the moment, almost all people rely on MX records to get their email. If the DNS server goes down, they don't get their mail. Is it so much harder to host whatever CA stuff is an issue on a server of DNS reliability? I don't see CA load being an issue -- it's not as if the CA is going to generate a cert per-email in any kind of a sane system. Certs could be cached, cert chains could be attached to emails, etc.
There are three big reasons cryptography is seen as an unpopular solution (and why Microsoft and the SPF people don't like the cryptography path). First, having a cryptosystem that allows signing in place probably means that people are going to include encryption support with it. A lot of governments really, really do not want to lose the ability to read email. I think this can be gotten around by forcing ISPs in such unenglightened countries to use key escrow. Second, a lot of people are concerned about server CPU load. I just don't see this as a problem. I cause more CPU load on systems webbrowsing than I do sending my tiny average number of bytes in email each day. Third, cryptography isn't easy to deploy. You need essentially everyone to be using it for it to be useful (though you can start tying it in to existing antispam filters immediately, treating a signed email as far more trustworthy than an unsigned one -- SpamAssassin can already do this). You need to do PKI, handing out certificates to users, and you need to ensure that these certs are kept reasonably secure.
I don't see Neal's complaint about "nobody should control email" as a problem. Is that an issue? Fine...have, say, several CA roots per country, and allow people to add more if they want. Use a trust system that allows CAs to become untrusted (I've gotten all these spam emails from this domain that this CA alone signed off on...) That should be enough distribution that it's damned hard for anyone to muck around with email as Verisign does with DNS. Also, instead of having CA roots directly sign domains, have CA roots sign "signer servers" that are responsible for handing out certs to domain owners (and have. That way, if I want to set up a root CA tomorrow for my friends to use, all I have to do is kick it on, sign all the "signer servers" for name registrars or whatever that I trust, and then tell my friends to add the root CA as trusted). E
May we never see th
IMHO, SA and CAV should be set up on client-side boxes by default in Red Hat and other distros, run through procmail or whatnot.
They are absolutely amazing programs when used in conjuction, and I think that too much focus is put on their server-side use -- I *know* that my anti-spam/anti-virus system is excellent, even if my ISP's isn't...and *I* can whitelist and use my own Baysian filtering on things, unlike server-side SA/CAV users.
It is extremely unfortunate that SA/CAV take effort to set up. I consider them more useful and fundamental than the firewall that Red Hat ships in their basic distro.
May we never see th
This sort of trust system works better with cryptography.
The idea is that people move around IPs, IPs change ownership, people use tunneling, IPv6 comes out, etc.
However, if everyone sends their email with a cryptographic identity and uses these identities instead of IPs to identify people, then you can do the trust system you proposed (or another trust system) and it works reliably. It can take some work to set up, yes...
May we never see th
Actually, when the current federal antispam law went in, "political emails" were exempted -- those legislators wanted to be able to get in on this cheap communication, even if companies couldn't.
Of course, that means that spamming people regarding Bush's or Cheney's flaws is entirely legal and legitimate.
May we never see th
They're also polluting key registries with their garbage - that's a big negative.
So do something like having each domain maintain a key registry server, just as they currently do for DNS. It's not that hard -- it's just up until now, PGP needs have been met by a handful of servers, so each server handles "all and sundry" domains.
May we never see th
What if you create image-elements or rather drawing elements put together and the user has to press buttons for all elements in the picture. "a PIG with HORNS, JUMPING over a FENCE". Or let the user write in "PIG".
Insert `fortune -o` here
I've proposed this before and was modded a troll, then modded funny, then modded insightful, but I was being serious!
The only way to stop SPAM is vigilantism. A bounty on the head of every spammer. And not dead or alive. Just dead.
A few dead spammers would stop the problem. It's not a moral dilemna. These scum aren't human and they don't deserve mercy.
Don't tell me you're not nodding your head. You know it makes sense. I'm Sam Kekovich.
I didn't see any mention of a pretty good solution that i've run across:
Every time a message hits a server from a sender that it has never met before, it sends a TEMPFAIL back instead of accepting the message. All real MTAs will try again with whatever their retry delay is set to, and usually for about 4 days. If the server gets the same message being delivered again, it accepts it and adds the sender to a whitelist where it never has to 'ask questions' of this sender again.
The reason that this would work, at least for now, is that spammers mostly use badly written MTAs (or something akin to an Expect script posing as an MTA). Their software doesn't know how to deal with a TEMPFAIL and never tries again. All real MTAs will try again within a few minutes. Good times.
What about /.'ing the advertisers? You could setup your spamfilter to make a wget -r > /dev/null or the like on all links in incoming spammails. That way their servers will be overloaded, and they cannot get any real traffic/orders, meanwhile the load on you would be minimal. However the ISP's probaly don't like this idea as it will generate enormous amounts of traffic (initially anyway), and there will be lots of innocent bystanders.
Anyway, no one will probably ever read this as I am an Anonymous Coward.
I've been using the sbl-xbl.spamhaus.org combined lists for a few days, and copying the HELO/EHLO hosts to my incoming transaction filter. This method cuts down on spam actually received and saves me an incredible amount of bandwidth.
-- There is no spoon. Only fork.
*Sarcasm*
:)
Make spamming punishable by death.
eTrade SUCKS
When I took a look at the first of these two articles which examines end-user anti-spam solutions I had to wonder if the writer had actually tried any of the technology or was relying purely on hearsay. For example:
Spam senders and their bulk-mailing applications are not static -- they rapidly adapt around filters. For example, to counter word lists, spam senders randomize the spelling of words ("viagra", "V1agra", "\/iaagra"). Hash-busters (sequences of random characters that differ in each email) were created for bypassing hash filters. And the currently popular Bayesian filters are being bypassed by the inclusion of random words and sentences. Most spam filters are only effective for a few weeks at best
This is the view of someone who clearly has no experience at all with a high-quality Bayesian classifier like POPFile. I've been using this program for almost a year and it most certainly has not been defeated by random words or spelling. Many of the tokens that trip email as being spam are actually unusual items in the headers or sales terminology. After a very brief training period POPFile has continued to provide me with excellent protection from spam and malicious email, with only a few false negatives to retrain on.
If that's not a good end-user anti-spam solution then I don't know what is.
From what I understand, rewritting SMTP to fix most (if not all) of the spam loopholes is no problem (Am I seriously glossing over some big details here?). The trouble is that people want a 100% effective, immediatly pluggable solution. If new email clients support both the old and new smtp protocols, and use the new one as a default, it will be just a matter of time before there's a critical mass of clients and ISPs that are using the new one.
Once this critical mass is reached, boom, everyone is required to use the new protocol, and any email that uses the old one is immediately dumped way upstream, before it can start hogging bandwidth everywhere.
I'm aware that if my idea is so great, how come it hasn't been implemented?? Feel free to pick holes....
Buses stop at a bus station
Trains stop at a train station
On my desk there's a workstation....
My credentials are years of programming experience and months of research invested in CF13(TM), my solution to English-language spam.
Part I of the article:
Identity theft - The ones I got were relayed through a 3rd party machine and deemed spam. Should I ever get a 'real one' that would mean either a spammer is using a stolen/throwaway account at a domain with mailserver(s) and easily traceable, or, worse yet, an 'inside job' by someone unscrupulous at the sender domain. The rule of thumb is to not give out sensitive information via email no matter how convincing said email is.
Viruses - All attachments are treated as 'text files' by my program and are 'harmless' provided a certain registry key affecting Notepad hasn't been changed/hijacked (see my website for more details). Also, all email is downloaded and treated as text files, making HTML related exploits impossible as well.
Sender - Anonymous senders are treated as spam. No exceptions. I've only gotten spam from such senders the rare times I recived them before I wrote my program.
Recipient - No 'BCC:' email if desired. In the past, such email I've recieved were spam.
Word lists - My program uses two of them. One of them is the single word list from Grady Ward's Moby project. The other file contains 'spam words' that appear in the first file. Both lists make 'hashbusting' and 'L33T' spelling, two tried and true spammer tactics, impossible.
Black/White lists - Supported at the email address and email domain level. I decided not to support IP level black/whitelisting since the IP source of spam is irrelevant--it is the content of spam that is relevant. Likely, such spam is deemed spam at the email header level anyway--or at the email message content level if need be.
Hash-tables - Pointlest due to 'hashbusting' and 'L33T' spelling. Unecessary in my program.
AI/Probabilistic systems - I researched the Bayesian approach and decided not to use it in my program. Though effective at first, spammers have thoroughly 'poisoning' this method of spam detection. Also, this method requires additional disk storage space, processor time (to do the math calculations on top of the pattern matching), and training time to be effective.
Bypassing filters - A default install of my program should catch almost all spam. Should any get through, one could read through the spam and identify new 'spam words' to be added to that list.
False-positives - Alas, to avoid deleteing such email at the server level, All such email is downloaded and processed. My program displays the subject lines of email messages it process and logs them to a separate file for further review if needed.
Spam filters do not stop spam - Agreed, but they can be as effective as my program which only has one known form of spam it cannot detect sent by a spammer from a stolen/throwaway account.
Reverse lookup - Not supported in my program to avoid slowing my program down and not overburdening the (likely) overtaxed DNS server system. This should be handled at the mailserver level to head off the sending of spam in the first place.
Part II of the article:
Challenge-Response - I considered using this but decided against it. In doing so I avoid 'mail loops' with another Challenge-Response system and outright rejection by email correspondents who hold a dim view of this antispam system.
Computational challenge: Another idea that fell by the wayside due primarily to the wide disparity in the CPU clock speeds of user's systems.
Cryptography - Not used by my program to process incoming email and thus unecessary. The 'bu
...a lot of the time people want to get in contact with you, that you don't immediately recognize. Maybe a contact address you've given out somewhere, on a business card, web board, im buddy, all sorts of places. It'd be no problem creating SPAM that seems to come from "normal" people, and many people would have no choice but to accept them all. And the gullible people would still allow the "From: FDG Lottery - you are a winner" spams through.
Kjella
Live today, because you never know what tomorrow brings
From spoofing verification would knock out 98% of my spam. It would also stop one of the most annoying virus attacks - where windows user "Alice" has me and "Bob" in their addressbook and I get blamed when Alice's virus mails Bob with my address.
I propose
1) (seems to exist, as stated) extensions to DNS allowing you to specify domain outgoing servers for "from" addresses irrelevant of your MX records, and to specify whether you should accept from unlisted servers
2) (seems NOT to exist) a new lookup service probably running on your mail server (or a much bigger extension to DNS) allowing you to look up additional acceptable servers (ideally by IP OR name) on a _per username_ basis. Whether or not to check this, and where to check, should be an extension of the listing in 1)
Neither list requires you to have any control over the hosts listed (that's a requirement)
#2 has the disadvantage that lots of users need to configure it - but it's the users who are already configuring vanity domains and forwards that have to do it, not the recipients. For a vanity domain, you configure your vanity domain to include the SPF of your home ISP. For your forward situation, you add your remote address to that domains user-policy. (Of course, you should ALSO be able to whitelist it in, since the recipient is you.)
There's no reason you couldn't additionally have your local client automatically authenticate (using a decent authentication) and update this if you for some reason use a random local SMTP server (presumeably because outside SMTP is blocked on the network)
Here are the big advantages:
1: It would help. It would eliminate from spoofing from any partipating domain to any recipients using the filtering.
2: It wouldn't block anybody legitimate. At all. Or force any upgrades, at all.
3: Senders would want to upgrade so they don't get spoofed. Recipients would want to upgrade so they get less spam.
4: It would knock out the worst kind of spam - the joejob.
As a bonus, if an ISP gets a lot of checks against a given username, they could be suspicious of that username. They shouldn't automatically block them, obviously, since those queries could be made for just that reason. But even if they DID block that lookup for that user, it would only prevent them from sending mail through ANOTHER SMTP server using THAT domain from. So in the most common odd case of my using a vanity domain and sending email through my ISP, my vanity domain host would have to be blocking me, not my ISP. Since my vanity domain host expects me to have a vanity domain, presumeably they'll get this rather correct.
{PS: I'd like to add real legal $ penalties not only for sending spam, but for letting spammers abuse your network, especially after you've been notified. (While I'd like to include trojaned boxes too, what I really mean is ISPs) But that's not really part of the same proposal.}
sorry this was so long.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
You forgot to include your own country, the largest source of SPAM, in your axis of evil.
If the parent had RTFA, he/she would've seen that this option was discussed and discounted. The author's conclusion was that if you automate the whitelisting solution in the email infrastructure then spammers can figure out a way to game the automation.
Personally I feel that is overly pessimistic, but I don't design protocols for a living and I haven't really thought hard about the spamming problem at a strategic level so I'm not really qualified to comment.
Regards
Luke
#include witty_one_liner.h
Even if the the software can detect the letters in a C/R system 1% of the time, it would rake in the cash.
Our patent-pending "It's an A!"(TM) software is almost 4 times more accurate than that. The licensing costs are very reasonable. Our dedicated research team is working on a whole suite of apps, the next ("It's a B!"(TM)) will be released next spring.
At present, though, 3.85% seems to be some sort of theoretical limit to the accuracy that can be obtained.
So, basically it's like everything else in security... if the scheme isn't designed by PhDs or government agencies with very solid security experience, or it isn't at least internally peer-reviewed thoroughly, it's very likely to have holes in it that will be exploited in short order.
Also, they appear to use different colors for the background vs. the text. If you convert the colors to hue/saturation/brightness, the brightness of the letters seem to be in the 40-60% range, while the background seems to be in the 79-96% range.
How can we use spam to drive progress in AI research? I say let's require every email sender must pass a turing test before sending an email - thus we require spammers to develop software that is indistinguisable from humans in order to send spam. So spam only comes back when they have - and we simply then ask the new AI's for a solution. Evolution in action. ;-)
What about blind people? They need email too!
* Mailing lists. [...] if there is a way for legitimate mailing lists to bypass the challenge, then spammers can equally bypass the challenge.
Hashcash is generated for the mailing-list address. The recipient would add the mailing-list to their list of addresses they accept mail as, and a spammer can not send to the list without including hashcash. So the limitation for mailing-lists is that the spammer can send mail to many people (the list subscribers) for the cost of one stamp; if he sends directly he has to send one stamp for each recipient.
* Robot armies [of 0wned machines].
Clearly someone wit lots of owned systems can send lots of mail; but still less mail than they could without hashcash.
* Legal robot armies. [...] Large spam groups can afford purchasing hundreds of systems for distributing an computational cost.
They can do this (and doesn't matter with it's legal or not btw, they'll do it anyway), but it will cost them more per mail which will cost them, so they will send less mails and be economically incentivized to target their mails by buying demographic data etc. (eg. so you would be less likely to receive spams in languages you can't read, or on topics you are not interested in).
Another aspect is that legitimate users do not send mails to lots of new recipients; most email exchanges are conversations over a period of time with sends and receives. Some of the hashcash based systems use hashcash only for introductions, and exempt recipients from hashcash after that based on crypto tokens (or just whitelists) (eg CAMRAM, TMDA do this).
The argument here is that hashcash can be set to higher cost as it is only borne once per new recipient for normal users.
Because a 100% UCE-free Internet is going to be darned expensive and rather less usable. At what level of filtration does the next incremental improvement begin to cost more than simply being satisfied with what you've accomplished?
I've tuned up a pretty good stack of procmail recipes, set my MTA to refuse unverifiable senders and obvious forgeries, subscribed to a couple of decent blacklists, and trimmed things down to a level I find tolerable. And thus I'm disinclined to do much more.
Through a bit of mental jiu-jitsu I've come to regard the remaining trickle as a moderately challenging puzzle provided to me for free, and a source of amusement first thing in the morning as I make the initial pass through my inbox to weed out the junk unread. I spend a few moments each week enjoying the logs that Exim and my procmail recipes write to show me what they've strained out. Once you push the S/N ratio high enough to get some work done, it's possible to turn the rest of the N into fun if you have the right attitude.
Oh, there are other things I'd like to do. If most people would crypto-sign their mail, I'd set up recipes to toss unsigned messages, and play around with hacking signature and CA blacklists into my filters to get rid of the more brazen attempts. I'd like to try out some recognizers that would be mighty hard to write as regular expressions. I'd like to tinker with external filters that rip out some of the common obfuscation techniques before procmail even sees the message. But for now I can live without these.
If you're thinking, "but it's costing my company money to deliver this junk," ask yourself how much it's costing your company to have you sitting around trying to find ways to remove the last little morsel of UCE when you could be crafting new competitive advantages for the firm, or at least dealing with the *other* stuff that gets in people's way and which is not actively working against you.
I have seen much better C/R image systems, e-gold.com although only black and white seems harder to crack via OCR, and one, I don't have the URL for it, but it was great - letters were sized, distorted, streched, oriented in different directions, random colored blobs were on the image, etc. These systems haven't begun to explore the realm of creatively damaged fonts that are available, like:
corrupt
or
punk-ass
there are a wide variety of creative ways to make fonts hard to read for OCR but still recognizable to humans.
In the article, Krawetz says that Computational Challange won't work. I disagree, and I think it's the most elegant solution. His reasons (paraphrased by me):
* Mailing lists and other legit mass mailers, such as Amazon, will be hit as hard spammers
But the recipient could whitelist these. If they don't, the sender would 'pay' for one message that says: Either whitelist us or use our website.
* Robot armies created by worms will be used by spammers to bypass the costs.
If Computational Challange is implemented, ISPs -- to protect their own budgets -- would immediately cut off any zombie computer. They should be cutting them off, now, anyway.
* Spammers can construct legal robot armies -- essentially buy lots of computing power
This argument misses the point of a small fee (paid in cpu cycles) for each e-mail. It's simple economics: You only have to make it expensive enough that spammers lose money on the deal.
If you can send 1 million emails for free, then you can afford sending ads with only a one in a million shot of selling something. But if you pay a penny per email, it's not worth it. No spammer is buying and operating a server farm to send 1 million e-mails, just to make $1,000 in sales.
* It's reverse taxation: To answer the same Computational Challange, a slower computers will require more CPU time than a faster computer. Thus the poor pay more than the rich
This is true, but it would still be a minimal tax, except for mass mailers.
Consider also,
* The recipient can set the bar as high as he wants. He could crank up it up to problems that consume 30 seconds or a minute, if he really hated unwanted mail.
* The recipient could set different levels for different classes of email, including a whitelist class for those who get through for free. Mailing lists might require subscribers to whitelist them.
* If you look at it one way, it's really the penny per email tax, but it's implemented more efficiently: No micropayment system, banks, accounts -- it just uses existing infrastructure. And nobody gets the penny.
what if an added feature was added to email systems?
specifically, what if you removed the need for the @ in email addresses (while keeping systems backward compatible)?
wouldnt that complicate things for harvesting programs?
And when they decide that political emails from the Democrat party are spam, and start raiding people... Seriously, gone from no PATRIOT act to nearly PATRIOT 2 in 3 years. Going from PATRIOT 2 to PATRIOT 2.5 (with DemoClene(tm)) wouldn't take much longer...
What I'd rather see is every e-mail transmitted be digitally signed.
/dev/null it.
When the e-mail client is set up, it could generate a GPG key set to use for signing the e-mail.
The recipient's computer, if verification is required, could send a standardized e-mail back to the sender's computer asking for the sender's public GPG key. If and when it arrives, check the digital signature and either deliver the e-mail or
By caching the keys, you really wouldn't even have to have a white list. Or, more accurately, the white list would be by digital signature rather than the Reply-to or From address.
This could even be implemented on the server itself and with better results.
When adding the user, create a GPG key for that user on the server.
Require authorization for each incoming e-mail that is to be relayed. Digitally sign the e-mail with that key if it sender has not already done so on the client side.
The recipient's server or the recipient's client may then request the public key. If the public key used was the server's key used on behalf of the client, then return that. Otherwise, send the request on to the client for his public key.
Of course, this could be abused, but then the e-mail addresses have to be real and could then be used for blocking.
The traffic itself should be relatively small. The data portion of the request would just identify the public key desired based on what was used on the message (sender's key maintained by the server or the sender's key maintained by the client) and the data portion of the response would contain that id and the key.
For those who use multiple e-mail clients, allowing the server to handle the key would be preferable since the multiple clients would generally use different keys.
If the cached public key for that user failed, a request for the public key would be sent in case the public key had been changed. If the new key was different, the cached public key could be expired after a set period of time (in case there were any yet to be delivered e-mails from the old key around) and the new public key added to the cache.
You'd have the benefits of challenge-response systems without the users being annoyed.
One problem with challenge response systems is with mailing lists. With this method, there would be no problem since the mailing list's server would react to requests for the public key by providing it.
This would also take care of the automated e-mail case, say when you place an order and the sender sends an e-mail telling you the order has been fulfilled.
Put in jail every business that buys spam services, put in jail every final-end spammer.
Make both pay 1$ for each spam they sent, and make the money go to affected users.
Ok, that wont stop spamming, but i'd even prefer spam not to stop and to earn thousands of dollars (euros) for receiving it.
See part 1 and look for "Reverse lookup".
Two words, Joe job.
Any one of these "solutions" can be exploited to hurt legitimate business. Simply send out a spam campaign on behalf of XYZ company with legitimate credentials, and watch the chaos and disaster at the company as phone lines are cut, merchant accounts cancelled, etc.
Spammers have already done all sorts of illegal activity to continue their frauds, what's one more to cut the knees out on the competition, or the competition of their customers.
I would hardly consider this guy an expert on spam - in fact nobody I know in the spam filtering community even knows who this guy is. Ph.D from Texas A&M...wow...there's a technical college for you. Unfortunately he's very misled on the whole topic and doesn't seem to understand even the basic caveats of spam filtering. This is the kind of guy who likes to say "everything sucks" to prove his point.
For instance: Subscribing the Detroit area spammer and his lawyer to enough real-world junkmail lists to bury his bills and other US Main correspondence in several daily truckloads of catalogues and other solicitations
With all due respect, get a clue.
You don't fight a noisy neighbor by cranking up your stereo.
With all due respect, try actually reading what I wrote.
I didn't say it was RIGHT to do this. I PREDICTED that it WOULD HAPPEN. Very different thing.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It looks to me like microsoft isn't even using their own caller-id standard? IE: no TXT records published for microsoft.com? Lame. It took me all of about a minute to publish dns spf records for my domains.
Differential filtering based on reputation management of authenticated sending services.
You don't need to authenticate the email author (too much overhead, too disruptive). Only the sending service.
Once the sending service is authenticated, you apply differential filtering based on the reputation of the sending service.
Optional: allow authenticated senders to bypass filtering.
Put this in place, then let natural selection work its magic.
I've been writing about this for about 3 years, but I'm sure it's been discussed for many years. I never see it presented though.
It's not that hard.
http://www.faughnan.com/spam.html#CheapFix has roughly what I wrote here, but not much more.
John Faughnan
jfaughnan@spamcop.net
OK, you beat this one. I'm using a different system. And my friends are using yet another C/R system. And my system poses questions like: what's thr33 plu$ 2? Oh yeah, and you have to pay somebody to write the program to crack these C/R's, you have to have a valid domain name, working system to receive my challenge mails, cpu power to do the OCR, possibly pay for the bandwidth to download a boatload of graphics. Pretty soon it becomes un-economical to spam.
Back in the .com craze there were a number of companies that made money solely by running large, popular, opt-in email lists. While the dot com crash surely killed off the poorly managed ones, the ones that were run modestly by a few folks from a small office in some cheap location still hung on... although I would wager such companies are hardly around anymore with the way spammers have effectively killed off opt-in email....... drag
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
just pile on the BS. Live in your own alternate reality don't belive the "blog theory". Whatever.
fine alternate reality.
Slippery slope, there.
<grrr>
you append or prepend a random sequence of letters to the IP address and pass that sequence to the client in the form. The client then passes it back to the server so it can open up the file by recreating the file name from it and the IP.
"but inherently prohibitively flawed for any global purpose..."
Only if you're not a problem solver. The IP basically amounts to a private key since it's grabbed from the request header and the sequence is essentially the public key.
And frankly no, it's not a big deal. If you were planning on marketing something like this to a massive number of users then you would need to spend the five minutes needed to rectify the situation.
In my case, I might get around to changing how the file is named to account for same IPs overlapping.
Ben
Work Safe Porn
Yahoo uses one system. Hotmail uses one system. Juno uses one system.
But just breaking _one_ of those C/R systems is useful enough to a spammer for a long while. Once the system is broken, you can get unlimited email addresses from a domain.
You only need to crack the next one once someone blocks every user on a site... (which is draconian, so it's not as commonplace as one would expect).
No, C/R just means you have fewer, more sophisticated spammers. It gets rid of the small fries who can't compete in the "market".
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Here's "THE" solution for spamming:
This requires a new feature to be added to mail servers and clients to implement this functionality, but it should be relatively straightforward and is 100% backwards compatible with non-conforming servers and clients.
Basically how it should work is if johnny@aol.com sends me a message at andy@att.com, the mail server at aol.com (the sending server) will store a list of recently sent emails.
All it stores is the sender email address (johnny@aol.com) and a unique id for the email, maybe a CRC number (see explanation at the very end) derived from the message contents and all attachments.
When the receiving mail server (that's Andy's server at ATT) gets the message, it contacts the server at aol.com (derived from the 'from' field) and queries to see if a message from such a person was actually sent.
It sends the email address (johnny@aol.com) together with its own generated CRC number.
The sending server (which was aol.com) now checks its list of recently sent email and either returns a yes or no based on the test to see if the address/CRC pair is on the list.
Once the user (Andy) downloads the message and removes it from the server the receiving server (Andy's at ATT) sends a message to the originating server (Johnny's AOL) that it's ok to remove the message record from the recently sent email list.
This method makes it impossible to spoof the "from" field--- (I am sure all you who read this are more than familiar with the spoofing done by spammers).
If spammers can't spoof the "from" field they lose their anonymous/fake cover.
It's possible to trace them back to the originating ISP and that ISP will have records of whom that account belongs to or will simply shut down the account if it's a free mail service.
Basically spam can be traced back to its source (and maybe even viruses).
Of course, not all servers will implement such functionality right away.
The end user can set up their mail client to simply filter email from servers that don't support this feature into a special folder that will contain "unverified" email, but this folder will get less and less email as this feature gets implemented more and more.
If the server does support this feature, and the sender is not verified, you KNOW its spam.
If AOL, Hotmail, Yahoo implemented this feature, and you have a client that supports this feature, you KNOW you won't get spam from any of those servers anymore.
------------
CRC
Short for cyclic redundancy check, a common technique for detecting data transmission errors.
Transmitted messages are divided into predetermined lengths that are divided by a fixed divisor.
According to the calculation, the remainder number is appended onto and sent with the message.
When the message is received, the computer recalculates the remainder and compares it to the transmitted remainder. If the numbers do not match, an error is detected.
What are web forms for?? You set up a web-based form on the website and upon submissions, the server-side script sends you an email. Think before you write.
Kraewetz also wrote an article on anti-honeypot technology for IEEE Security & Privacy (pp 76-79, January-February 2004 issue.) He seems to asume (like too many) that the spamemrs are near God-like in their abilities. He also seems not to have ever run an anti-spam honeypot. If he had he might have, many times, seen spammers behaving in an incredibly stupid manner. The spammers aren't all that sharp and honeypots (at least now) don't have to be very sophisticated.
His survey article (the topic of this Slashdot thread) once again continues the misconception that anti-spam tools all must be at or after the destination server. Let's look at it this way: the spammers quickly figured out (4-5 years ago) that going direct from their server to the destination wasn't working for them, so they went to intermediate severs, starting with open relays. Anti-spammers are still stuck on their servers - if it isn't the final server it doesn't exist (to their closed minds.) The open relay layer is just as available to the anti-spammers as it is to the spammers, but the anti-spammers mostly refuse to go there. Actually the layer is more available to the anti-spammers: any system with no real email function could serve as an open relay honeypot. You don't need to filter or be smart at all with an open relay honeypot: the spammers do all the work for you. They find the honeypot, they think it's an open relay (the honeypot dutifully does deliver the spammers' test messages), they send the spam, you just sit and watch. For open proxies (another layer dominated by spammers) that's even more true: not that many systems need to run any real proxy software at all. If you don't like spammers (pretty likely) think how gleeful you'd be to see a spammer falsely assuming your trap will deliver his spam for him - and then think of the glee as you trap more and more of it. Think of finding the spammer's IP address (if you run a proxypot) and reporting it to the spammer's ISP. Many ISPs actually are ethical enough to rid themselves of a spamming customer, once they learn of him. Honeypots still work: the spammers don't all use spam-server zombies yet.
Retain your blocklists and filters in the meantime: until spam stops flowing you'll need them. If you've got an available IP and an available box you could probably be causing some spammer grief as early as tomorrow - if you'd run a honeypot.