Slashdot Mirror
Spam Solutions from an Expert
Mod N writes "SecurityFocus has posted a nice survey of anti-spam technologies by spam expert Neal Krawetz, in which he delves deeply into the specifics and pitfalls of the numerous proposed solutions. Krawetz makes it obvious that securing the email infrastructure is a very complex problem that many of the current (simple) solutions can't solve alone."
Excuse me, what? Where's the proof? That's quite a brave statement to be making considering i've never seen this cracked, ever.
I challenge someone to find an automated response to C/R.
I did hear of a theory where C/R was being cracked by taking the C/R image, posting to a porn session, and letting a seeing person do the work. However, i've yet to witness this in practice. Show me the automated response to C/R that exists beyond a blog theory, and i'll believe. Until them, i hardly consider it "marketing hype".
With the way the Chinese government keeps making their own versions of everything, maybe they'll have their own version of the Internet. That shoud alleviate a good deal of the spam right there, given that their Internet will probably be incompatible with ours.
pishhhhh *breathe*
I find your lack of junk mail disturbing.
Good overview, all things considered. I would like to add to one of his conclusions (from part 1):
This conclusion is correct, but why is this considered a stopping point? Mail admins-- get off your collective butts and add encryption and authentication to your mail servers! The author also forgot to mention that server side certificates are not necessary for SMTP, SMTP+AUTH addresses this quite nicely.Note that such measures are not necessary for most users. Home users that use their ISP's mail server don't have to implement any of this, since the ISP can already account for the user. Let us not forget that "most users" do not have the e-mail needs that many Slashdot readers do. For those needing roaming access and multiple addresses, use IMAPS and SMTP+SSL+AUTH.
Just buy porn in magazine format instead of registering for it online :)
Why has spam grown to what it is today? It is an undeniably effective means of cheap marketing. What we need to do is come up with a way to stop this not on our end, but by looking at as a social problem or making it non-worthwhile to the spammers. If nobody ever responded to spam, spammer wouldn't bother.
At this point in the game, I am honestly surprised that we haven't heard of violence resulting from spam affliction.
I don't know about anyone else, but I'm pretty sure I'm not alone in this. I have, at times, felt utterly enraged at all the spam flying about and further all of the innocent and naive people that are being abused by all of this.
I know if I feel violent internally, then surely there are those with less self-control out there who will eventually act on his or her rage... perhaps the parent of a child afflicted with porn spam?
I think if two or three spammers are attacked physically, it might give them pause. Frankly, I'm amazed it hasn't happened.
The truth is 90% of spam comes from open relays, that is SMTP servers that can be tricked (a bit like lying to a 5 year old) into accepting and sending out massive ammounts of mail. Simply blocking open relays using The Open Relay Database at http://www.ordb.org/ or other open relay checking utility will save you lots of time if you run your own mailserver. When we can bascially negate the usefulness of open relays to spammers, they will then have to rely on their own bandwidth for the most part providing they cannot comprimise other "closed" relays.
I am in full support of using the broad-powered, freedom crushing Patriot Act in apprehending and imprisoning spammers. We might as well get some good out of it.
A nice fool proof system, while a bit of a hassle, would effectly remove spam. PGP uses a white list of sorts, that only allows people to send you encrypted messages that have your public key. This in a sense could be done with email. Someone wants to send you an email, and has your email address. They send the small request to your mail server (1-2 KB in size) with their name, email address, and name of their mail server. The mail server holds this information and notifies you that a new sender is awaiting access. You then:
1. Verify the identity of the sender, okay then, and the sender is then given the return request, and is notified that they will be allowed to send emails.
2. Deny the sender, and all their emails will be bounced back.
Yes, spoofing problems still exist, but this system could be expanded, and guess what, you only recieve email from people you want to, and the mail server acts at the first point of defense.
This would require more complex and smarter mail servers, but it would make the every day user's life so much more simple.
ce n'est pas un Sig.
that the challenge/response could be outsourced to.
Only kidding (I think).
The Internet is full. Go Away!!!
My free anonymous (as in they can only be traced back to a common e-mail account on my server) e-mailer uses a simple quiz to keep spammers out.
The form page records the IP address of the visitor along the with the question number they were given in a file named with the IP address. That number is never sent to the client. When they hit submit the file of their IP is opened, the question number is read in and the answer given by the user is compared to the stored answer. The file is then deleted and if the answer was correct the e-mail is sent. Otherwise it's not.
This forces my custom form to be used to be able to send the e-mails. And it's not possible to simply keep refreshing the submit page to keep sending the message.
And the challenge is in the form of old riddles and a couple new ones like "what's your favorite color?"
Things a bot would never get but that anyone who knows how to use Google can. Someone would have to program a custom bot with the answers in order to even attempt to spam. And even then since everything goes through my mail server nobody is going to sneak garbage past me for long and I know who your ISP is.
I also include a disclaimer with every e-mail. It'd be quite silly for me not to.
Ben
Work Safe Porn
I think the author of the article is correct. Having a system whereby anybody can communicate at virtually zero cost without unsolicited commercial messages are mutually exclusive goals. I think that for most people, a simple whitelist is good enough, along with the understanding that there is a small chance that email between new contacts will be blown away.
In Soviet America the banks rob you!
SPAM is like popups. The one day you find a solution to stop it, the next day they find a new solution to send it. It's a never ending cycle get used to it.
Well, at the risk of sounding like a broken record, SMTP itself is the problem -- it's badly broken, security-wise, and needs to be fixed. It's going to be painful to move to a new mail standard, or to change SMTP so that it's not broken, but that's what needs to happen to stop spam. Thankfully, our friends the Russian Mafia and the ever-growing number of Windows zombie machines are making spam levels so great that, sometime soon, spam will represent such a large percentage of e-mail traffic that fixing SMTP will be necessary, not just something mail admins like myself wish for.
BTW, does anybody have a good figure on what percentage of all e-mail spam represents these days? I'm talking about *all* traffic, too, not just what ends up in peoples' Inboxes after all the filtering going on out there has done its job.
How To Get Humans To Mars
The linked article is part 2, Part 1 is here.
Rock that crushes, Paper & Scissors that don't matter.
I am not recommending mailblocks, I belive there is a sourceforge project called TMDA which does the same thing. Having said that, my experience comes from using mailblocks:
...
-cr deadlock: This does not exist because when you e-mail someone in a challenge and response system, it automatically assumes they are friendly. So if they have a challenge and response system, it will make it into your inbox, because you e-mailed them first
-automated systems He is correct here. Personally I hate when friends submit my e-mail to third parties without my consent so I do not mind missing these e-mails. I have caught a few while searching my pending folder, and inform my friends I rather have them e-mail me directly.
-interpretation challenge I believe he is wrong here because of a fundamental issue. When dealing with spam filters, the onus of working out refinements is left to the spamee, to make sure they filter out all spam. If a spammer adds a new technique, they get around the filter. With challenge systems, you have a few methods waiting as backup. When a spammer finally figures out how to read your words through AI, you simply change the challenge system and they are back to square 1 in trying to figure out how to defeat. As long as you have a few methods waiting in the wings, the spammers can easily be defeated, and have huge amounts of work to do.
if you doubt this, write an AI system to defeat hotmails gifs. Now what if the next day instead of showing a word, they show you a picture of 3 fire trucks and 2 police cars and ask you how many police cars are in the picture, etc
-Nuke the moon
Was out to lunch with three colleagues today and the subject of anti-spam measures came up.
I managed to appall the one from Berkeley by suggesting that the most practical solution was probably a moderate-size bomb.
B-)
But seriously:
In an arms race, weapons eventually defeat armor. Spam will continue until two real-world things are BOTH brought to bear on spammers:
- Economics
- Muscle
If a governmental solution applying both is not forthcoming soon, I predict that there WILL be vigilantism.
In fact we're already seeing it.
For instance: Subscribing the Detroit area spammer and his lawyer to enough real-world junkmail lists to bury his bills and other US Main correspondence in several daily truckloads of catalogues and other solicitations.
Soon to come: Retaliatory information-war software directed at DDoSer / spammer zombi-net machines. (As discussed in a recent Slashdot article.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
**note location of tongue**
Of all the odd places to find anti-spam technology, was this killer solution in WalMart. Yep, it turns out they have a remarkable tool that convinces spammers to stop spamming! I was AMAZED. This tool usually only has to be applied once, and the affect lasts for years. It doesn't require updating or re-installation. I was also suprised to find these very same tools in other places, like sears, and even in a "sneaker" store. What is this tool you ask? An aluminem baseball bat. It seems sadly though that there is a law protecting spammers. I believe useing this AWESOME anti spam technology falls under something called assault There is hope that exceptions for spammers could be provided for in a constitutional amendment!
**note location of cheek**
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
I don't bother getting too deep into downloading too many 'new improved!...' filters. I block entire damn countries/netblocks. Besides I don't know anyone in korea, brazil, china, nor any other one of the massive spamming countries. I configure postfix to filter out a lot and the minute I receive one spammed message, I always whois -h whois.apnic/arin/ripe/lacnic offender and block their entire range. I also have spam assassin running and I have to admit I get about maybe... maybe... 4 spams a week not kidding. Again though this is my personal machine.
block return-icmp (8) in proto tcp from 24.76.0.0/14 to any port = 25
block return-icmp (3) in proto tcp from 81.208.64.0/18 to any port = 25
block return-icmp (4) in proto tcp from 163.121.163.0/22 to any port = 25
block return-icmp (4) in proto tcp from 82.77.83.0/24 to any port = 25
block return-icmp (4) in proto tcp from 61.247.224.0/19 to any port = 25
block return-icmp (4) in proto tcp from 217.132.0.0/17 to any port = 25
block return-icmp (4) in proto tcp from 62.103.204.32/27 to any port = 25
block return-icmp (4) in proto tcp from 210.111.224.0/17 to any port = 25
block return-icmp (4) in proto tcp from 144.135.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 195.166.224.0/18 to any port = 25
block return-icmp (4) in proto tcp from 61.228.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 207.144.229.0/24 to any port = 25
block return-icmp (4) in proto tcp from 193.252.22.160/28 to any port = 25
block return-icmp (4) in proto tcp from 200.0.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 209.202.192.0/18 to any port = 25
block return-icmp (4) in proto tcp from 83.32.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 68.38.64.0/8 to any port = 25
block return-icmp (4) in proto tcp from 219.240.0.0/10 to any port = 25
block return-icmp (4) in proto tcp from 195.57.218.0/25 to any port = 25
block return-icmp (4) in proto tcp from 129.79.245.98 to any port = 25
block return-icmp (4) in proto tcp from 24.150.0.0/19 to any port = 25
block return-icmp (4) in proto tcp from 24.205.28.0/21 to any port = 25
block return-icmp (4) in proto tcp from 220.116.0.0/8 to any port = 25
block return-icmp (4) in proto tcp from 200.128.0.0/9 to any port = 25
block return-icmp (4) in proto tcp from 212.81.64.0/17 to any port = 25
block return-icmp (4) in proto tcp from 32.10.58.0/19 to any port = 25
block return-icmp (4) in proto tcp from 210.183.110.0/20 to any port = 25
block return-icmp (4) in proto tcp from 134.196.0.0/16 to any port = 25
block return-icmp (4) in proto tcp from 24.60.88.0/23 to any port = 25
block return-icmp (3) in proto tcp from 24.190.8.0/24 to any port = 25
block return-icmp (2) in proto tcp from 24.98.77.0/23 to any port = 25
block return-icmp (2) in proto tcp from 24.173.29.0/23 to any port = 25
block return-icmp (2) in proto tcp from 205.206.176.0/23 to any port = 25
block return-icmp (2) in proto tcp from 172.128.0.0/10 to any port = 25
block return-icmp (2) in proto tcp from 200.171.99.0/24 to any port = 25
block return-icmp (2) in proto tcp from 200.171.97.0/22 to any port = 25
block return-icmp (2) in proto udp from 200.171.97.0/22 to any port = 25
block return-icmp (2) in proto tcp from 68.62.80.128/25 to any port = 25
block return-icmp (2) in proto udp from 68.62.80.128/25 to any port = 25
block return-icmp (2) in proto tcp from 218.76.0.0/17 to any port = 25
block return-icmp (2) in proto udp from 218.76.0.0/17 to any port = 25
MoFscker
One "solution" which seems to be missing from this article is the "verify each stage" solution. You know, close down all open relays and implement a C-R system between the mail client and the server (password authenticaton to send?) and perhaps between servers too (a public-key challenge before transfers between servers, e-mail transferred in bulk after said challenge for speed reasons). The idea being not so much to make spam disappear, but to make all e-mail clearly and easily traceable so that no spammer would want to keep operating, and allowing any spammer who continues to operate to be tracked down.
Perhaps one of those SMTP fixes or SMTP alternatives mentioned at the end implements this idea? Anyone have more info?
As stated in the article's summary, the main problem with most spam-filter is the need for constant maintenance. We need a solution that requires ZERO maintenance by the joe-users, and yet cost-effective enough to implement.
My ISP seems to have a so-called "Watch Dog" spam filter, where they actually hire people to read spams and filter them manually, that's probably the most effective way to filter spam, but I wonder if it is cost-effective though.
Prior to this October, telemarketing calls were a national scourge. Amazingly, since we signed up for the Do-Not-Call list, we've only received 2 illegal calls. I'm rather surprised, in fact, at the relatively uniform acquiescing to this law. While spam, coming from all corners of the earth and is more anonymous, will be harder to enforce, some law with real teeth may be a good start.
Thats what alot of theyse bayesian analyzer attempt to do. They statistically learn your patterns by what emails you like and what you dont like, and then try to "intelligently" discard the bad ones for you. I mean obviously the worry exists (mostly for companies) that good email may get stopped, but in my experience its very uncommon, aslong as the user has taught the spam bot/blocker properly.
video game, ecchi, bbs and classic computing fans unite to eat sushi
The only thing that will work in the end is some sort of distributed reputation management system. To a certain extent that is what RBLs do, except they are on or off. SpamAssassin does offer shades of grey to the RBLs (differening weights to each one).
To a certain extent this is what we already do in real life. We 'judge a book by its cover' as a first pass (for example people will often walk past a beggar in the street completely ignoring them) and then include other factors. How polite they appear, where they are from, recommendations from friends etc
All other mechanisms suffer from a determined spammer being able to get around them as the article pointed out. Any mechanism that prevents some spammers makes things more lucrative for the rest.
1) Tap the Slashdot and creative communities to produce a series of anti-spam TV/radio/print ads on the theme of "Spammers are Scammers." Smear all spammers as scam artists who sell fake merchandise and steal credit cards, and their customers as stupid losers.
2) Get media outlets to run them for free as public service ads.
Yes, I know this isn't a 100% solution. However, it is relatively low cost, and requires no new laws, software upgrades, or Internet standards.
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
- I run SpamAssassin and ClamAV on my server and check all inbound mail against a series of RBL lists; and
- All mail POP'd into my Outlook (yeah, I gotta use it - no flames!) gets checked using the free-and-excellent SpamBayes.
Works in the bakcground with damn-near zero false positives, and doesn't require Microsoft-pushed e-mail postage, changes in the e-mail RFCs or anything else.The tools are out there. If you use them, spam isn't nearly as much of an issue as the press makes it out to be.
*Well not everyone in the Real World anyway -- here on /. we all run our own boxes, right?
"It was a summer's tale: Just a boy, his Linux, and a head full of dreams..."
What I take issue with is this paragraph from the article:
This is leaving out a key feature of any decent challenge system... When Bill tries to send an email to Charlie in the first place, Charlie's email address is automatically added to Bill's whitelist. So Charlie's challenge, showing his address as its source, flies straight to Bill's Inbox without a hitch. If Bill were so arrogant as to think he could send email to someone not on his whitelist, then he deserves not to have his email go through.[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
There are plenty of tasks that you can do that computers find nearly impossible. Facial recognition is a good one. Humans do it easily all the time. Computers are trying, but still screw it up badly. Musical recognition is another one. A human can easily pick out individual instruments in a peice, and can tell that the song is the same even if it is a complete different orchestration and mix (like a remix for example). Computers are confounded by this, even when they break something into component sine waves. Pragmatic language interpreatation is my favourite. Even when people speak non literally and indirectly, you still have no trouble with their meaning. You can also tell which level of meaning they want, and successfully decode the other levels if asked. Computers are lucky if they can get the literal direct meaning out of a sentence, never mind anything else.
So, just because a human can do it, doesn't mean a computer can. I don't know about any of these image schemes, I've never played with it. However if you make it sufficiently hard for it to recognise characters form background, and one character form another, it's screwed. Computers have trouble with fuzzy and incomplete information that humans are so good with.
Also remember it needs to be feasable to do in a reasonable time. Maybe you develop some whiz-bang image recog program that can take amazingly distorted text and figure it out. If it takes 5 minutes to process a box, it does you no good anyways, too much time to be worth it for this use.
Someone, either me or the author of the article is on crack. I was under the impression that one does not have to have private key in order to validate the signature.
Lets assume that there are CRT records that store SSL certificate for clients allowed to send mail on the behalf of the domain.
Now somebody tell me, in which step one needs private key to verify certs?
Robert
Bastard Operator From 193.219.28.162
Make no mistake...
The most effective spam solution at this time is RBL blacklisting. Bottom line.
When you take into account that the biggest problem of spamming is bandwidth consumption and network resources, there is NO better way than blacklisting spam sources and refusing to communicate with them.
Services like Spamcop's RBL really piss off the spammers. All client-side filtering is counterproductive and ultimately useless as you constantly have to update the systems to catch new efforts on the part of spammers to thwart the filters. At least with RBLs, the spammers' connections are immediately refused as soon as they're ID'd.
If you want to identify what is the most effective solutions, it's simple. Look at what pisses off the sleazebag spam community the most. That's relay blacklisting. They don't DDOS the moronic client-side filtering companies because the spammers know they're useless, and even if they're not, the spammers can't tell. What hurts them are when systems say, 'screw you spammer, (click)' and that's done via relay blacklisting.
Why are spammers increasingly changing mail relays and pursuing open proxies? Because of RBLs. Even AOL uses RBLs (including Spamcop). All the major ISPs look at the RBLs because they are THE most effective way of stopping spam. And they're the only way to actually shut down the spammers.
Forget client or server-side content-based filtering. They will NEVER work. RBLs are responsible for forcing spammers into corners of IP space, forcing them to deploy worms and viruses to infiltrate new IP space (which exposes them to more prosecution). RBLs ** WORK ** !
while his credentials certainly would put him in a far better position to know these things than i am... i find his death and doom attitude annoying... he doesn't really address the parts of anti-spam that do work.. he glosses over them, and then hypes the parts that are broken.. without any sort of proof if i were to mod the article it would probably get something like +2 informative -2 Overrated -1 Flamebait and -1 Troll
And, no, I should not have used the goddamn Preview mode first.
Consider that both the sender and the recipient have a C-R filter. How will either one get the challenge? Wouldn't it just end up in an infinite loop of challenge e-mails? Or is there something I'm missing?
Crushing dreams at the speed of sarcasm
One proposed solution I would love to see getting more attention is SPF ("Sender Policy Framework"), which allows each domain admin to specify their email sending policy using existing infrastructure.
See the SPF site or read this month's Linux Journal to find out more.
Executive summary of SPF: Just use DNS to specify where mail from your domain may originate from. If everyone used this, we could have domain blacklists that actually work.
Do an "nslookup -type=txt psychogenic.com" to see an example entry. And if you manage any domains, please consider doing the same.
I had a chat with a Veep that was hired on to a company I used to work at. Very down to earth guy, very friendly. We got to talking about spams and semi-legitimate emailings to customers, etc.
He had one very interesting tidbit; stick with me for a sec here. Most companies outsource their semi-legit stuff because they get reported as spammers and whatnot, or it bogs down their email server/network, etc. No surprise there- however, the interesting tidbit is that the outsourcing companies turn around and outsource to Indian firms for handling the bounces. There's literally a room full of people in India, sitting there answering those challenge/responses and updating the client's customer email list(unlike spammers, it really is in their best interests to minimize failed deliveries). It sounds "expensive", but it's not, considering how few people use challenge/response systems. Further- a reasonably smart human can get familiar with all the various systems quickly(an hour or two, I'd guess, tops) and probably process close to a message every few seconds with a client program set up to do that limited functionality smoothly. Best part- if your client does several mailings, unless the recipient goes in and removes you, you're clear for future emailings.
Please help metamoderate.
What is wrong with using a combination of a hashcash type approach in conjunction with cryptographic signing to address the shortcomings of both.
Thus the following rules for the user:
If an incoming email is cryptographically signed by someone on your whitelist, accept it.
If an incoming email has made hashcash payment, accept it. The user then decides whether to accept future signed messages from the sender.
Other incoming mail is returned to sender instructing them to make hashcash payment.
Sign all outgoing messages, and also generate hashcash if you haven't previously sent to the user.
How this affects the downsides:
Mailing lists: Would generate hashcash payment for the subscription process, but regular mail messages are just cryptographically signed (i.e. independent of the number of subscribers).
Unequal taxation: May still be a concern if your machine isn't up to the task of signing the bulk of your outgoing messages.
Robot armies: Users (should) quickly notice if their machine is burning the CPU generating hashcash tokens and address the problem.
Legal robot armies: I don't see what the problem is here -- the sender is still having to pay to generate the tokens, so the economics of spam are changed.
Automated abuse: Hashcash payment is required for all initial messages, so generating countless certs doesn't help.
Usability: Crypto signing is done with self-signed certs (e.g.: PGP) so no central CA is needed.
Well, to prove identity you could cryptographically sign mails. When the recipient gets the signed mail, they do a key lookup and verify that the signed mail was signed with the correct private key.
Now, how do you handle the situation where spammers are generating thousands of keys? Well, the spammers are forced to waste some cpu time, but that's trival for them. They're also polluting key registries with their garbage - that's a big negative.
However, in terms of trustworthiness, the spammer probably hasn't gotten all his keys signed by somebody else who is of a "trusted" ranking. Even more likely, much of the signed mail you do get will either be known to you (ie, you've signed their keys) or will be known to people you know (ie, someone you know has signed somebody else's key.)
Mind you, this is no replacement for other types of filtering (ie, SpamAssassin with Bayes, etc.) but it would make whitelisting useable against spammers who forge e-mails, UNLESS the spammers know the private key of the poor slob that they're impersonating.
A related note- the current Microsoft anti-spam solution, Email Caller ID is currently being boycotted.
æeee!
From spoofing verification won't make a difference... it'll slow down mail services and won't make a dent in spam.
Spammers are now rotating IP space all over the place... they're also beginning to NOT forge header information, so what are you left with?
Recognizing rogue relays and blacklisting them, even if they have valid header information. Any improvement to SMTP protocol won't make a bit of difference.
Most mail servers and large ISPs are already employing additional methods of header-verification. It hasn't stopped spam.
RBLs ARE working. They're making spammers scramble for un-blacklisted IP space. That's why they're running overseas; that's why they're sending out worms and viruses. Lord help us if IPv6 gets introduced... we'll never be able to stop spam then.
Oddly enough the spammers name was "Fagin", as in the Oliver Twist villain, and he was born with that name.
The big problem with mail filters, as the article mentions, is that they need to be updated when new spam technologies appear... and there's also a lot of false positives... I gave SPAMfighter a try (from www.spamfighter.com) and although it was a bit worse at finding spam (At first), I never got any false positives. The way it works is that the "filters" are actually some kind of hash that users submit whenever they block or unblock an email (it analyses the whole content I think, not just the text). So if a new type of spam technique appears, the users will just block it. And unlike many other client-side plugins, it actually works on Outlook Express.
Another one I recomment is Spambayes...but there's the problem with false positives. All the other ones I've tried are utter crap.
Best regards,
Alex Ionescu
Relsoft Technologies
What happens when someone on your whitelist opens an attachment that automatically sends email from their account, signing it? Now you have a spam that has been legitamately sent from your friend's account.
I created a C/R anti-spam system myself, but gave up on it and turned to Spambayes for two main reasons:
1.) I was losing challenges in others' spam filters
2.) I would still get emails from whitelisted folks when they were infected with an email worm.
If you're interested, I blogged about my switch from C/R to Bayesian filtering here.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
I have an interesting idea to force ISPs to crack down on spamming customers...
This basically works only if the spamming ISP is from your country. Which is why blacklisting of foreign IPs is still necessary.
But for domestic ISPs who don't reign in spamming, someone should post the 800 numbers of ISPs that don't crack down on spamming. Put up a web site listing the 800 numbers of the ISPs that are top-ranked in harboring spammers. Most of them have 800 numbers.. if everyone calls these ISPs and complains, or at least takes up air time, it costs them money, and money seems to be the only thing that motivates these companies.
Comment removed based on user account deletion
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Humans do them lal teh tiem.
... and remember the Slashdot story a few weaks ago where a computer spam filter was MORE accurate than the human testers. (Yeah, it probably was spam filter reads whole message vs. human reads only subject, but still ...)
So you cant just block someone after one mistake.
You just have to get your computer program better than the average typo occurance.
Oh
I think there are many tasks where a well trained computer program will perform even better than the average human.
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
most C/R engines use a constant suite of pictures and words because the pictures are too time consuming to create on the fly... so the signup page might take too long to load.
:-)
What the spammers do is just download as many challenges as possible, solve them, and store the hashes in a database.
When the harvester goes out, it is likely to encounter many of the challenges a second time, and it already has the answer.
If it doesn't know it, it flags the spammer, who identifies it offline, adding it back in, and the database is that much more useful.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I think we are attacking Spam from the wrong direction. Attempting to stem the flood of incoming spam is tough - everything about the identity of the incoming spam can be faked. However, we could alternatively attempt to prevent the replies going back the other way.
There are two inevitable facts:
1) In order for spamming to be worth someone's effort, they have to somehow get money from people. If NOBODY replied to them, then spamming would stop overnight.
2) Something in the content of the Spam must be real - a reply address - a web site, a phone number or something. Block traffic to that location and the spammer gets no money and dies.
Hence, I think they may be vulnerable. Educating people not to reply to SPAM would help - it only takes a mere handful of people to respond to a SPAM to make it profitable - but if education could drop that handful to a mere one or two - then we could succeed in putting more spammers out of business simply by cutting their margins to the point where it wasn't worth the hassle.
Where are the TV adverts: "Replying to Spam is Bad!"....we know that the morons who reply to spam are suckers for advertising - they are as likely to believe a well targetted TV advert as a crappy email shot. If Spam is costing the ISP's as much as they say it does - then funding some TV ads might not be impossible.
What if we made it illegal to respond to an emailed advertisement that was not clearly labelled as such, that would help to deter people from responding. Such a law would be next to impossible to enforce - but we are trying to deter the gullible here - so it might not have to be enforcable - just very well advertised.
Since every SPAM has to either advertise a product that you can buy from somewhere - or direct you to a postal address, a phone number or a web site - then that route for getting money back to the spammer could be blocked.
The return route has to be genuine. There is no point in them sending you a fake phone number or faked web address. If the phone companies (who are often also ISP's - or have at least some cause to want to kill spam) were to block calls to and from phone numbers that were seen in Spam - then the reverse route for the money would be curtailed. Whilst you can afford to change the aparrent source of your spam and fake those addresses for each new mail shot, you can't change your phone number for every couple of dozen orders you take. Similar considerations apply to web sites and postal addresses.
If it was required for credit card companies not to transfer money to businesses that employed spammers to push their goods - then that would also help some.
It wouldn't take many people to deliberately reply to spammers - to lead them on into thinking you want their product - to send them fake cheques or bogus credit card numbers. If they only get a handful of positive responses per million spams - then it wouldn't take more than a few determined people per million (eg ISP employees) to clutter up the the spammer's cash collection mechanism to the point where it's too much hassle for him to sort out the real orders from the bogus ones.
I don't pretend to have all of the answers - but there seems to be far too little creative thinking along these lines.
www.sjbaker.org
Naturally we may be inclined to believe that this grants us superiority to the computer. That, while stating some arbitrary facts taken from some textbook somewhere, a computer can never accomplish X objective.
Therein lies the fallacy. The computer does not identify that it is in an infinite loop, nor can it, because it is not given the benefit of looking at the actual code. If a compiler were designed to read into code for things like while(true) loops, which naturally could result in infinite loops, then already you would be cutting back on the instances of these problems.
Determining if there is an infinite loop requires a conscious understanding of the code itself, which is no trivial matter. It is not, however, something that could be deemed impossible.
As with all fields of science, there will be those who say "Well, I haven't seen it yet, so it will never happen"... but skeptics are everywhere, and the presence of skepticism is hardly a measure of credibility... rather, a measure of how pious certain peoples assumptions are.
Solutions are always found in math, and never in magic. Don't underestimate the computer, and more importantly, don't underestimate your own brain. You don't perceive things the way you do 'just because'... and that's what's so exciting.
So what about this:
You start with a central certificate authority. I know, I know, bottlenecks. But you only need them to issue keys to (or sign the keys of) about 100 (or 1000?) servers. The signing authority has to be central, but the *revocation* authority does not. That's the key here.
So those servers can sign the keys of 1000 servers of their own and so on.
So my mail server tries to send your server an email. Your server checks if my key is signed by someone who is signed by someone who is signed by the CA. It also checks against its nightly downloaded revocation list. If everything is good, the mail goes through. Very little processor time, and very little bandwidth.
Suppose someone issues a key to a dishonest server? Well, enough people issue complaints and the issuer's key gets revoked. Or some automatied spamassasin type thing that auto-revokes the key after enough spams get spotted. No more spam from them, and maybe next time the admins are more careful.
This totally eliminates (i think) the threat of zombie SMTP servers on DSL and open relays.
Then the ball is in the park of the ISPs and server hosters (those with their own email keys) to keep spammers out locally. SLL login for SMTP? sure. C/R for each email sent through them? Whatever. Send anything over their open relay? Not for long.
Sounds reasonable to me. It makes it easier for the end user I think, and minimizes spam.
Any suggestions?
Muerte
This totally eliminates zombie SMTP servers on cable lines spewing spam.
I didn't see any mention of a pretty good solution that i've run across:
Every time a message hits a server from a sender that it has never met before, it sends a TEMPFAIL back instead of accepting the message. All real MTAs will try again with whatever their retry delay is set to, and usually for about 4 days. If the server gets the same message being delivered again, it accepts it and adds the sender to a whitelist where it never has to 'ask questions' of this sender again.
The reason that this would work, at least for now, is that spammers mostly use badly written MTAs (or something akin to an Expect script posing as an MTA). Their software doesn't know how to deal with a TEMPFAIL and never tries again. All real MTAs will try again within a few minutes. Good times.
When I took a look at the first of these two articles which examines end-user anti-spam solutions I had to wonder if the writer had actually tried any of the technology or was relying purely on hearsay. For example:
Spam senders and their bulk-mailing applications are not static -- they rapidly adapt around filters. For example, to counter word lists, spam senders randomize the spelling of words ("viagra", "V1agra", "\/iaagra"). Hash-busters (sequences of random characters that differ in each email) were created for bypassing hash filters. And the currently popular Bayesian filters are being bypassed by the inclusion of random words and sentences. Most spam filters are only effective for a few weeks at best
This is the view of someone who clearly has no experience at all with a high-quality Bayesian classifier like POPFile. I've been using this program for almost a year and it most certainly has not been defeated by random words or spelling. Many of the tokens that trip email as being spam are actually unusual items in the headers or sales terminology. After a very brief training period POPFile has continued to provide me with excellent protection from spam and malicious email, with only a few false negatives to retrain on.
If that's not a good end-user anti-spam solution then I don't know what is.
From what I understand, rewritting SMTP to fix most (if not all) of the spam loopholes is no problem (Am I seriously glossing over some big details here?). The trouble is that people want a 100% effective, immediatly pluggable solution. If new email clients support both the old and new smtp protocols, and use the new one as a default, it will be just a matter of time before there's a critical mass of clients and ISPs that are using the new one.
Once this critical mass is reached, boom, everyone is required to use the new protocol, and any email that uses the old one is immediately dumped way upstream, before it can start hogging bandwidth everywhere.
I'm aware that if my idea is so great, how come it hasn't been implemented?? Feel free to pick holes....
Buses stop at a bus station
Trains stop at a train station
On my desk there's a workstation....
* Mailing lists. [...] if there is a way for legitimate mailing lists to bypass the challenge, then spammers can equally bypass the challenge.
Hashcash is generated for the mailing-list address. The recipient would add the mailing-list to their list of addresses they accept mail as, and a spammer can not send to the list without including hashcash. So the limitation for mailing-lists is that the spammer can send mail to many people (the list subscribers) for the cost of one stamp; if he sends directly he has to send one stamp for each recipient.
* Robot armies [of 0wned machines].
Clearly someone wit lots of owned systems can send lots of mail; but still less mail than they could without hashcash.
* Legal robot armies. [...] Large spam groups can afford purchasing hundreds of systems for distributing an computational cost.
They can do this (and doesn't matter with it's legal or not btw, they'll do it anyway), but it will cost them more per mail which will cost them, so they will send less mails and be economically incentivized to target their mails by buying demographic data etc. (eg. so you would be less likely to receive spams in languages you can't read, or on topics you are not interested in).
Another aspect is that legitimate users do not send mails to lots of new recipients; most email exchanges are conversations over a period of time with sends and receives. Some of the hashcash based systems use hashcash only for introductions, and exempt recipients from hashcash after that based on crypto tokens (or just whitelists) (eg CAMRAM, TMDA do this).
The argument here is that hashcash can be set to higher cost as it is only borne once per new recipient for normal users.
Because a 100% UCE-free Internet is going to be darned expensive and rather less usable. At what level of filtration does the next incremental improvement begin to cost more than simply being satisfied with what you've accomplished?
I've tuned up a pretty good stack of procmail recipes, set my MTA to refuse unverifiable senders and obvious forgeries, subscribed to a couple of decent blacklists, and trimmed things down to a level I find tolerable. And thus I'm disinclined to do much more.
Through a bit of mental jiu-jitsu I've come to regard the remaining trickle as a moderately challenging puzzle provided to me for free, and a source of amusement first thing in the morning as I make the initial pass through my inbox to weed out the junk unread. I spend a few moments each week enjoying the logs that Exim and my procmail recipes write to show me what they've strained out. Once you push the S/N ratio high enough to get some work done, it's possible to turn the rest of the N into fun if you have the right attitude.
Oh, there are other things I'd like to do. If most people would crypto-sign their mail, I'd set up recipes to toss unsigned messages, and play around with hacking signature and CA blacklists into my filters to get rid of the more brazen attempts. I'd like to try out some recognizers that would be mighty hard to write as regular expressions. I'd like to tinker with external filters that rip out some of the common obfuscation techniques before procmail even sees the message. But for now I can live without these.
If you're thinking, "but it's costing my company money to deliver this junk," ask yourself how much it's costing your company to have you sitting around trying to find ways to remove the last little morsel of UCE when you could be crafting new competitive advantages for the firm, or at least dealing with the *other* stuff that gets in people's way and which is not actively working against you.
What I'd rather see is every e-mail transmitted be digitally signed.
/dev/null it.
When the e-mail client is set up, it could generate a GPG key set to use for signing the e-mail.
The recipient's computer, if verification is required, could send a standardized e-mail back to the sender's computer asking for the sender's public GPG key. If and when it arrives, check the digital signature and either deliver the e-mail or
By caching the keys, you really wouldn't even have to have a white list. Or, more accurately, the white list would be by digital signature rather than the Reply-to or From address.
This could even be implemented on the server itself and with better results.
When adding the user, create a GPG key for that user on the server.
Require authorization for each incoming e-mail that is to be relayed. Digitally sign the e-mail with that key if it sender has not already done so on the client side.
The recipient's server or the recipient's client may then request the public key. If the public key used was the server's key used on behalf of the client, then return that. Otherwise, send the request on to the client for his public key.
Of course, this could be abused, but then the e-mail addresses have to be real and could then be used for blocking.
The traffic itself should be relatively small. The data portion of the request would just identify the public key desired based on what was used on the message (sender's key maintained by the server or the sender's key maintained by the client) and the data portion of the response would contain that id and the key.
For those who use multiple e-mail clients, allowing the server to handle the key would be preferable since the multiple clients would generally use different keys.
If the cached public key for that user failed, a request for the public key would be sent in case the public key had been changed. If the new key was different, the cached public key could be expired after a set period of time (in case there were any yet to be delivered e-mails from the old key around) and the new public key added to the cache.
You'd have the benefits of challenge-response systems without the users being annoyed.
One problem with challenge response systems is with mailing lists. With this method, there would be no problem since the mailing list's server would react to requests for the public key by providing it.
This would also take care of the automated e-mail case, say when you place an order and the sender sends an e-mail telling you the order has been fulfilled.
Two words, Joe job.
Any one of these "solutions" can be exploited to hurt legitimate business. Simply send out a spam campaign on behalf of XYZ company with legitimate credentials, and watch the chaos and disaster at the company as phone lines are cut, merchant accounts cancelled, etc.
Spammers have already done all sorts of illegal activity to continue their frauds, what's one more to cut the knees out on the competition, or the competition of their customers.