Slashdot Mirror


Revolutionary Spam Firewall Developed

psy writes "physorg has a story on a new spam firewall developed at The University of Queensland. The new technology is the only true spam firewall in existence, according to co-developer Matthew Sullivan. "Existing anti-spam software filters out spam whereas ours puts up a firewall, stopping all email traffic and only allowing real mail through," said Mr Sullivan. "In addition, our technology is accurate and fast. We recently completed a successful trial of a key layer of the spam firewall and it processed the emails at 90 messages per second, misclassifying only one out of 25,000 emails." "It turned out that the software was even better than us, picking up spam we'd incorrectly classified as legitimate emails."

  1. Spelling by swordboy · · Score: 5, Funny

    I have a simple algorithm to reject spam: spelling.

    If you can't spell correctly, then I don't want your v1agr4.

    --

    Life is the leading cause of death in America.
    1. Re:Spelling by random_culchie · · Score: 5, Informative

      Yes and aparently there are 600,426,974,379,824,381,951 different ways to spell viagra!

      Will your algorithm do it with polynomial complexity ;)

    2. Re:Spelling by gowen · · Score: 5, Funny
      We should apply the "good spelling" rule to /. posts.

      ( Read More... | 2 of 1274 comments | it.slashdot.org )


      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    3. Re:Spelling by Jeff+DeMaagd · · Score: 2, Insightful

      Well, shoot, despite using the pre tag, it got hidden, anyway, an invalid tag might be randomly inserted into parts of words to make scans fail. So it throws off scanners and doesn't show up when rendered for the user.

    4. Re:Spelling by random_culchie · · Score: 2, Informative

      Then there is the old trick of putting html in the middle of dodgy words.
      Like: viag<!--xyz -->ra

    5. Re:Spelling by swordboy · · Score: 5, Insightful

      I honestly think that we need an RFC for this so that idiots who can't spell can get a real error message back when their legitimate email gets rejected. At this point, all spammers would be forced to spell correctly and it would be difficult for them to get their point across without using obvious spam keywords like 'viagra'.

      --

      Life is the leading cause of death in America.
    6. Re:Spelling by random_culchie · · Score: 2, Informative

      Select Extrans from the drop down box :)

    7. Re:Spelling by ninewands · · Score: 3, Informative
      Quoth the poster:
      Yes and aparently there are 600,426,974,379,824,381,951 different ways to spell viagra.

      Actually, the number is 1,300,925,111,156,286,160,896. He missed a couple of possibilities and had to update the page.
    8. Re:Spelling by ncc74656 · · Score: 2, Insightful
      Then there is the old trick of putting html in the middle of dodgy words. Like: viag<!--xyz-->ra

      Your typical Bayesian filter works on the message source, not the output of an HTML renderer. "viag<!--xyz-->ra" gets dumped into the spammy-word list along with "v1agr4" and other annoyances, so after the first one sneaks through and is manually classified, the rest are blocked.

      --
      20 January 2017: the End of an Error.
    9. Re:Spelling by CommanderData · · Score: 4, Informative

      His algorithm doesn't need to. All it needs to do is check against an existing dictionary of words. If the word is not on the list, it is assumed to be misspelled. (If the good spelling of Viagra is in the dictionary, simply remove it so that any correctly spelled reference to Viagra counts as a misspelling too). If there are greater than X% misspellings in the e-mail it gets trashed. X can be a smaller percentage if the e-mail has any hyperlinks in it, because it is virtually guaranteed that someone is trying to sell you something...

      --
      Urge to post... fading... fading... RISING!... fading... fading... gone.
    10. Re:Spelling by Anonymous Coward · · Score: 3, Insightful

      One of the biggest problems with this proposal is that messages talking/warning about spam -- such as this one -- would get marked as spam.

      It's already happened when I sent an email to a client warning about a porn dialer. The repeated mention of porn got my message spam-trapped.

      What's needed is a filter that checks these words & spellings in context -- but that's far more difficult than the simplistic spell checker that's proposed.

    11. Re:Spelling by rossz · · Score: 4, Interesting

      Spelling doesn't work. The average computer user either can't spell or can't type and doesn't bother to use a spellchecker in email. I did a small study on spell checking as an anti-spam tool and was somewhat disappointed by the results.

      --
      -- Will program for bandwidth
    12. Re:Spelling by wheany · · Score: 5, Insightful

      Only if the bayesian filter sucks. Or rather: Only if the tokenizer of the filter sucks. Bayesian filters don't have to treat the message as a raw string. They are free to parse it to, for example, remove comments, use image urls, or the difference between the foreground and background color in html mails as words.

      You can make a tokenizer that not only treats a word written like this: 't.r.i.c.k.y', as the word 'tricky', but also as a "pseudoword" like 'trick:dottedword.' So the "bayesian part" of the filter would see these two words: 'tricky' and 'trick:dottedword.'

      And there is of course loads of information that can be extracted from the headers of the mail.
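
Added example (not part of the original thread and not any poster's code): a tokenizer along the lines of the comment above, which drops HTML comments and inline tags so split words rejoin, collapses dotted words, emits pseudoword tokens, and feeds a minimal naive Bayes stage. The token names `trick:splitword` and `imghost:`, the tag list and the four training messages are constructed for this illustration.

```python
import math
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that really separate words; other markup is dropped without a space.
BLOCK_TAGS = {"br", "p", "div", "td", "tr", "li", "table", "h1", "h2", "h3"}
DOTTED = re.compile(r"(?:[A-Za-z][.\-_*]){2,}[A-Za-z]")


class _Visible(HTMLParser):
    """Collect rendered text and note markup that sits inside a word."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.extra = [], []
        self._in_word = False  # inline markup seen right after a letter/digit

    def _markup(self, tag=None):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")
            self._in_word = False
        else:
            self._in_word = bool(self.parts) and self.parts[-1][-1:].isalnum()

    def handle_comment(self, data):
        self._markup()

    def handle_endtag(self, tag):
        self._markup(tag)

    def handle_starttag(self, tag, attrs):
        self._markup(tag)
        if tag == "img":  # image host becomes a token of its own
            try:
                host = urlparse(dict(attrs).get("src") or "").hostname
            except ValueError:  # malformed URL in hostile input
                host = None
            if host:
                self.extra.append("imghost:" + host)

    def handle_data(self, data):
        if self._in_word and data[:1].isalnum():
            self.extra.append("trick:splitword")  # e.g. viag<!--xyz-->ra
        self._in_word = False
        self.parts.append(data)


def tokenize(body):
    """Return the tokens the Bayesian stage counts for one message body."""
    parser = _Visible()
    parser.feed(body)
    parser.close()
    tokens = list(parser.extra)
    for chunk in "".join(parser.parts).split():
        chunk = chunk.strip(".,;:!?\"'()[]")
        if DOTTED.fullmatch(chunk):  # t.r.i.c.k.y -> tricky + pseudoword
            tokens.append("trick:dottedword")
            chunk = re.sub(r"[^A-Za-z]", "", chunk)
        if chunk:
            tokens.append(chunk.lower())
    return tokens


class NaiveBayes:
    """Minimal two-class naive Bayes with add-one smoothing."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()

    def train(self, label, body):
        self.counts[label].update(tokenize(body))
        self.docs[label] += 1

    def spam_probability(self, body):
        spam, ham = self.counts["spam"], self.counts["ham"]
        vocab = len(set(spam) | set(ham))
        n_spam, n_ham = sum(spam.values()) + vocab, sum(ham.values()) + vocab
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])
        for tok in tokenize(body):
            log_odds += math.log((spam[tok] + 1) / n_spam)
            log_odds -= math.log((ham[tok] + 1) / n_ham)
        log_odds = max(-50.0, min(50.0, log_odds))  # keep exp() in range
        return 1 / (1 + math.exp(-log_odds))


def build_demo_filter():
    """Train on a constructed four-message corpus (not real mail)."""
    nb = NaiveBayes()
    nb.train("spam", "Cheap viagra, order now")
    nb.train("spam", "Buy v.i.a.g.r.a online today")
    nb.train("ham", "Meeting moved to Tuesday, agenda attached")
    nb.train("ham", "Lunch tomorrow? I can order pizza")
    return nb


if __name__ == "__main__":
    print(round(build_demo_filter().spam_probability("Get viag<!--zz-->ra today"), 2))
```

A whitespace split of the raw source would see `viag<!--zz-->ra` as one never-seen token; here it counts as `viagra` plus a pseudoword that records the trick.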

    13. Re:Spelling by daveashcroft · · Score: 2, Insightful

      ....and you must remember that chemists such as myself, will sometimes send an email to a colleague containing the systematic chemical name of a chemical which has just been synthesised for the first time. There is no way a dictionary based check would pass that, as we are effectively creating new "dictionary entries" each day.

  2. but cant it by InfoHighwayRoadkill · · Score: 2, Funny

    filter out messages from my x ;-)

    --
    another Roadkill on the Information Superhighway
    1. Re:but cant it by Zork+the+Almighty · · Score: 3, Funny

      You shouldn't be exposing port 6000 anyway.

      --

      In Soviet America the banks rob you!
    2. Re:but cant it by CSG_SurferDude · · Score: 2, Funny

      OK, Really off-topic here, but I'll bite...

      Messages you probably want to get from your "Ex-Whatever"

      • The kids are sick
      • The kids are in the hospital
      • You need to pick the kids up from the neighbors house
      • You'll/I'll be picking the kids up late/early
      • Child Protective Services called again
      • The police were looking for you
      • The police were looking for me
      • I've taken the children back to Uruguay
      • Your squid died while the children were neglecting it.


  3. Not the first; not revolutionary by Anonymous Coward · · Score: 5, Informative

    I think Barracuda Networks would rather disagree with the idea that this is the "only true spam firewall in existence," considering that Barracuda's entire product line consists of spam firewalls.

    Damn fine spam firewalls, too, I might add. They handle around 115 messages per second, and can run up to eight filtering steps (including Bayesian analysis, which is similarly efficient to SVM, which the one in the article uses). Plus Barracuda's can do virus scanning.

    I'm not sure how this is revolutionary.

    1. Re:Not the first; not revolutionary by micromoog · · Score: 4, Insightful

      Isn't "spam firewall" just a marketing term for "filter"?

    2. Re:Not the first; not revolutionary by Rikus · · Score: 5, Insightful

      Isn't "spam firewall" just a marketing term for "filter"?

      Isn't "revolutionary" just a marketing term for any stupid new product?

    3. Re:Not the first; not revolutionary by Greyfox · · Score: 5, Informative
      I believe the distinction is when the filtering takes place. If you wait for the spam to be placed on your hard drive and filter it out when you start your mail client, then it's filtering. If you reject the spam before the remote MTA drops the connection, then it's a firewall.

      I'm using Postfix at home and it's got some nifty features to allow you to do this sort of thing. You can write a simple SMTP server that listens on some port of 127.0.0.1 and configure postfix to send the mail through that. Your server scans the E-Mail and sends a reject or accept message back to postfix, which sends it on to the remote MTA. Your SMTP server then feeds the mail into another postfix server which listens on an odd port of 127.0.0.1 and doesn't have the restrictions that your publicly accessible postfix server does. There are packages available for all sorts of scanning based on this ability. Since you reject the message at MTA time, you don't have to bother with sending a bounce message, either.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    4. Re:Not the first; not revolutionary by SkyWalk423 · · Score: 3, Funny
      They handle around 115 messages per second, and can run up to eight filtering steps

      Is this the next nerd measuring stick?

      Nerd #1: I overclocked my spam firewall, I'm getting 119 MPS now!

      Nerd #2: Sweet! My mom promised I'd get a new spam firewall accelerator card for Christmas, I'll pwn your 119 MPS!

    5. Re:Not the first; not revolutionary by Mickey+Jameson · · Score: 2, Interesting

      I first heard of Barracuda a few weeks ago when I clicked on a banner ad from (IIRC) theregister.com. I signed up for a demo. The unit came about a week later.

      Plugged it in and set it up. My users actually asked me why the spam has stopped, since they don't understand the concept of filtering messages out tagged with *****SPAM***** in their email client. I must say I was really impressed. Until I had to send it back.

    6. Re:Not the first; not revolutionary by isorox · · Score: 3, Insightful

      I understand a "spam firewall" to close the connection as soon as it recognises spam, rather than let the whole email download. In the case of those "Windows service pack" emails, you can save a lot of bandwidth.

    7. Re:Not the first; not revolutionary by Rei · · Score: 5, Insightful

      Isn't slashdot supposed to be more than just a conduit for corporate press releases?

      --
      No matter how kind you are, German children are kinder.
    8. Re:Not the first; not revolutionary by LaCosaNostradamus · · Score: 5, Insightful

      Isn't "marketing" just a term for people who don't know, selling to other people who don't know?

      --
      [You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
    9. Re:Not the first; not revolutionary by Weirdofreak · · Score: 2, Informative

      I'm reminded of the legend of DWIM. For those that don't know, it was basically an automated error-correction program - Do What I Mean. If it thought you'd typed something in wrong, it would replace it with what it thought you meant.

      Somebody tried to delete their backup files, which had $s appended. There were no backup files, so DWIM thought that somehow they'd mistakenly hit the $ key just after pressing *, and in fact meant to delete everything on the disk. And no, heaven forbid that it confirmed this assumption, it merely proceeded to wipe everything. The guy managed to abort it, but wasn't happy.

      Now why the hell would I want a computer to assume that it knows what is and isn't spam, and then not give me any way of verifying this? The software is fallible. When judging email that I don't want, the only infallible person is me. That one in 25,000 isn't likely to be important, but it sure would be nice if I was allowed to read it instead of just being told to sod off.

      And how can it be better than yourself at finding spam? If you read an email and don't consider it spam, there's a good chance you might actually WANT it. Then a machine comes along, tells you it's spam, and you just accept that blindly?

      Maybe by not reading the article I missed something vital, but that's how it seems to me.

    10. Re:Not the first; not revolutionary by GileadGreene · · Score: 2, Insightful

      The academic literature search is pretty much dead these days - there's just so much stuff going on in the world that it's well nigh impossible to be completely up to date on your field. There're entire communities of researchers that have no idea what other, similar groups are up to.

    11. Re:Not the first; not revolutionary by naelurec · · Score: 4, Informative

      I do multi-layered protection. At the MTA level, I utilize some DNSRBL lists to block from known spam servers. In addition, I require HELO and reject people who are claiming to be my server. In addition, I will reject invalid recipient domains, etc.

      From here I run accepted emails through AMaViS / SpamAssassin / ClamAV / Sophos Sweep (I have yet to have Sophos catch a virus that ClamAV did not detect.. though ClamAV caught two that Sophos did not..) and will not deliver (but notify postmaster) of spams over a set value (i.e. 8), deliver spam between 5-8 tagged and items under a certain value get passed without tagging. Viruses are always blocked and reported.

      Overall this has reduced unwanted email significantly. On networks of 40-60 users, between 35-50% of email is rejected at the SMTP level, about another 10% or so is quarantined (either viruses/spam), another 10% or so is tagged but delivered and the rest is legit.

      I have yet to have any complaints of false positives (granted there is a risk that they do not know) but have had a lot of praise for reduction in spam levels. I am not aware of any viruses penetrating.

      Check out http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt for more info (this is postfix centric, but the ideas could be applied to other setups)
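
Added example (not the poster's configuration and not Postfix code): the envelope checks listed in the comment above, made at RCPT TO before any message data is accepted, followed by the post-scan score tiers. All function names, the policy dictionary, the reply codes, the zone `dnsbl.example.net` and the fake resolver are assumptions constructed for this illustration.

```python
import ipaddress
import socket


def dnsbl_name(client_ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed(client_ip, zone, resolve=socket.gethostbyname):
    """True when the list answers with an A record for this client."""
    try:
        resolve(dnsbl_name(client_ip, zone))
        return True
    except OSError:  # socket.gaierror (no such name) is an OSError
        return False


def check_envelope(client_ip, helo, rcpt, policy, resolve=socket.gethostbyname):
    """Decide at RCPT TO, before DATA; (250, "ok") means carry on."""
    if not helo:
        return 503, "send HELO/EHLO first"
    if helo.lower().rstrip(".") in policy["my_names"]:
        return 550, "HELO claims to be this server"
    domain = rcpt.strip("<>").rpartition("@")[2].lower()
    if domain not in policy["local_domains"]:
        return 550, "recipient domain not handled here"
    # The DNS lookups come last because they are the only checks with a cost.
    for zone in policy["dnsbl_zones"]:
        if listed(client_ip, zone, resolve):
            return 554, "client listed in " + zone
    return 250, "ok"


def disposition(score, tag_at=5.0, hold_at=8.0):
    """Post-scan tiers from the comment: over 8 held, 5-8 tagged, else passed."""
    if score > hold_at:
        return "quarantine"
    if score >= tag_at:
        return "tag"
    return "deliver"


# Constructed policy and resolver so the example runs without network access.
POLICY = {
    "my_names": {"mail.example.org", "[192.0.2.1]"},
    "local_domains": {"example.org"},
    "dnsbl_zones": ["dnsbl.example.net"],
}
FAKE_LISTINGS = {"25.2.0.192.dnsbl.example.net"}


def fake_resolve(name):
    """Stand-in for a DNS lookup: listed names resolve, others fail."""
    if name in FAKE_LISTINGS:
        return "127.0.0.2"
    raise socket.gaierror("name not found")


if __name__ == "__main__":
    for ip, helo, rcpt in [
        ("198.51.100.7", "mail.example.org", "<bob@example.org>"),
        ("192.0.2.25", "client.example.com", "<bob@example.org>"),
        ("198.51.100.7", "client.example.com", "<bob@example.org>"),
    ]:
        print(ip, helo, check_envelope(ip, helo, rcpt, POLICY, fake_resolve))
```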

    12. Re:Not the first; not revolutionary by SCHecklerX · · Score: 2, Interesting
      we do the same here with sendmail + mimedefang. The reject/drop occurs as soon as spammage is detected. Combined with spamassassin, it is a good system.

      For example, here is a list of messages that we completely discarded yesterday (in other words, they were dumped before we even bothered invoking our spamass or antivirus routines):

      Completely discarded: 6373
      Reject 554 total: 30885
      Reject 550 total: 33796
      Reject 501 total: 9702
      Suspicious Header total: 3
      Partial MIME type total: 1
      Non-multipart total: 2
      Forbidden File attachment total: 737

      Barracuda tried to sell to us, but quite frankly, our existing system built on sendmail/mimedefang/spamass is working great. Barracuda admitted that they couldn't beat what we are doing ourselves.

    13. Re:Not the first; not revolutionary by CustomDesigned · · Score: 2, Informative

      Your definition is a good one. But it still doesn't make this product the first - or revolutionary. Sendmail created the 'milter' interface many years ago precisely to make this kind of rejection of unwanted mail possible. There are many sendmail milters written in many languages. The most popular being C, Perl, Python in that order. I run a Python milter which removes Windows executables (except DOC and XLS), checks SPF, and checks content with DSPAM wrapped for Python. Of the 40000 spams a day we get, nearly all are rejected before SMTP DATA. Those flunking content check are rejected before the connection closes - except when addressed to a 'screener', in which case it goes to a spam mailbox. Screeners have the task of providing feedback to the Bayesian filter - relieving others in the company of the burden.

  4. Sourcecode? by peterprior · · Score: 2, Insightful

    Sourceode would be nice....

    1. Re:Sourcecode? by Anonymous Coward · · Score: 2, Funny

      So would a built in spellchecker.

    2. Re:Sourcecode? by isorox · · Score: 2, Funny

      how to make my workplace happier got rejected

      Make your chair happier by not sitting on it. Let it sit on you occasionally.

  5. Support Vector Machine (SVM) by doofusclam · · Score: 2, Insightful

    What the hell is one of these? There seems no substance to this report, bar some TLAs as above and a load of hype. Where is the proof? How was it tested? Etc.

    1. Re:Support Vector Machine (SVM) by Anonymous Coward · · Score: 2, Informative

      Support vector machines are actually quite a good machine learning tool -- try Wikipedia: http://en.wikipedia.org/wiki/Support_vector_machine

  6. 1/25000 by Laivincolmo · · Score: 2, Insightful

    Although this is a great new technology, for a business setting, I don't know if even missing one e-mail is acceptable...

    1. Re:1/25000 by Shakrai · · Score: 4, Insightful

      Although this is a great new technology, for a business setting, I don't know if even missing one e-mail is acceptable...

      That's what everybody says but what's the other option? Letting all the SPAM come in? Do you really think that fed-up employee who gets hundreds of SPAMs a day is really going to do a better job of just mashing down the delete key than a SPAM filter with a 1/25000 error rate?

      Of course I doubt this technology would perform that well but the point still stands -- if you don't have a computer flagging them then chances are you have a human flagging them. Who do you trust more?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:1/25000 by stienman · · Score: 5, Interesting

      Most users of email are now treating it as a lossy messaging system, and the users themselves accept that some messages simply don't make it. Critical business is always followed up with a call.

      -Adam

    3. Re:1/25000 by Quarters · · Score: 4, Interesting

      If you are sending something so critical then you shouldn't be using email. FedEx with signature required delivery and certified/return-receipt USPS mail exist for a reason.

    4. Re:1/25000 by Mononoke · · Score: 2, Insightful
      Although this is a great new technology, for a business setting, I don't know if even missing one e-mail is acceptable...
      I would guess that's right in line with USPS, UPS, FedEx, or even faxing directly.

      --
      NetInfo connection failed for server 127.0.0.1/local
    5. Re:1/25000 by rjstanford · · Score: 3, Insightful

      and if we missed 4 legit client emails a day... that would be lost business, and that's just unacceptable no matter how you look at it.

      Well... how much money would it take to have the staff necessary to do the filtering manually (at a better rate - even humans are fallible), and how much would the potential business loss cost you? Assuming that the business was very profitable, and that the senders wouldn't call or send a follow-up email of course.

      --
      You're special forces then? That's great! I just love your olympics!
    6. Re:1/25000 by cyngus · · Score: 5, Insightful

      One of two conditions exists in this case.
      1) The e-mail is vitally important and your business will be seriously damaged by its failed delivery.

      2) The e-mail was somewhat important, but not something large enough to materially change your revenue/profits.

      If the first is the case, you probably shouldn't be using e-mail in the first place and/or whoever sent it is probably going to follow up with a FedEx or phone call.

      In the case of number 2 (ha ha, number two), you've saved so much time not having to wade through spam that the losses are negated.

    7. Re:1/25000 by Alioth · · Score: 4, Insightful

      1/25000 is significantly better than a human being. If you use no automatic spam filtering at all, and you get a typical geek's email load (about 100 spam a day with 10 legitimate emails a day), you will still delete mail as spam when it wasn't spam.

      That's why I use SpamAssassin - it does a good job, and is no worse at making false positives than I am. If I'm just as liable to make a false positive as an automatic filter, I'm better off saving my time.

    8. Re:1/25000 by biglig2 · · Score: 4, Interesting

      Then you're stuffed anyway, because internet e-mail is not guaranteed.

      It is difficult. We're swatting away a million of the damn things a week and still our users complain. They also complain when we get false positives. And when, next week, we turn on the system that lets them see what we have blocked that was addressed to them, they'll complain too.

      I think the one solution they would find acceptable is for me to personally read every one of those million messages and mark it as good or bad. I hope our VP doesn't read slashdot....

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    9. Re:1/25000 by nkntr · · Score: 3, Insightful

      I support among other people, a marketing staff. When people are interested in buying things, they may only send one email. That one email is all you are going to get, and not getting it is the same as not getting the sale. I know the marketing staff is extremely skeptical about any sort of spam filtering, as they are always concerned about missing important emails that may lead to sales, and ultimately, revenue. I don't know how this fits in with spam filtering, but suggesting that all important email is followed up with a call is not true. And ask any CEO--sales are the most important thing to a company. It doesn't matter if you have the best thing in the world, if you can't sell it, it isn't worth anything.

    10. Re:1/25000 by Politburo · · Score: 2, Insightful

      When people are interested in buying things, they may only send one email.

      Assuming you give them multiple avenues to contact you, then they simply aren't that interested if they only send one email and drop it after that. Now, I can certainly see trying to make the email system as hardened as possible to prevent any missed email, but the idea that you're going to lose out on some huge sale because of one email being dropped is silly. The grandparent is correct. If you're at all serious in your business, important email is always followed up with a call or some other means.

      And ask any CEO--sales are the most important thing to a company.

      Close, but profit is the most important thing. You can sell a billion units, but if you're selling them at a loss, I don't think the CEO will be too pleased.

    11. Re:1/25000 by That's+Unpossible! · · Score: 2, Insightful

      I don't mean to be a prick, but maybe those are all different users complaining? Maybe give them some options. It sounds like you have:

      - Some people that want no spam and can accept losing real email.

      - Some people that want as little spam as possible without losing any real email.

      This is what I like to call "normal."

      --
      Ironically, the word ironically is often used incorrectly.
    12. Re:1/25000 by ColdGrits · · Score: 3, Informative

      If missing one email is not acceptable to your business, then your business should not be using email ever anyway - email is not, nor has it ever been, a guaranteed delivery mechanism.

      At our company, currently just over 50% of all inbound email is detected as spam. Thus more than 50% of all our inbound email is spam, and the true figure (allowing for the false negatives which slip through) is probably in excess of 60% (and rising)

      With a failure rate of 1 in 25,000, AND assuming that means a false positive rather than a false negative, then for our company taking into account the volume of spam we receive it means 1 email in > 55,000 is wrongly identified.

      I can assure you that our business is capable of coping with 1 missed email in > 55,000.

      We certainly do not do business-threatening-essential transactions via insecure, non-guaranteed publicly-transported email, and nor should your business!

      --
      People should not be afraid of their governments - Governments should be afraid of their people.
    13. Re:1/25000 by tiger99 · · Score: 3, Interesting
      The email system as we know it and the underlying protocols do not guarantee delivery, therefore any business absolutely relying on email is very stupid indeed.

      It is in principle possible to produce a reliable email system, but only if a receipt is returned to the sender when the recipient actually reads the mail, not when it arrives at his ISP for example.

      Sadly some businesses do rely implicitly on things that usually, but not always, work, such as mobile phones, pagers, and text messaging. It may have been the same with pigeons, a predator might get the bird! Businesses should set up foolproof systems if they want to do well, a quick phone call to confirm receipt of critical items, for example. The occasional email, even now, takes many hours or even several days to arrive, there is no guarantee whatsoever of time of arrival, but again some seem to think it is "instant", because it very often is. Managers should be aware of these issues, sadly some are not.

      But I hope this anti-spam firewall is a brilliant success, and that if it has minor shortcomings there will be satisfactory work-arounds. I am sick of spam, but the ultimate answer must be to ensure that it does not pay, i.e. that the probability of being caught multiplied by the fine greatly exceeds the potential profit. That requires legislation worldwide and some conceptually simple additions to existing mail servers, with care taken to protect the privacy of normal users. Given the political will, and some competent leaders (not Dubya or B. Liar, for a start) it should be easy.

  7. Revolutionary by jjares · · Score: 2, Funny

    The words revolutionary and spam in the same phrase... frightens me.

  8. Not a firewall by BarryNorton · · Score: 4, Informative

    This isn't a firewall as it doesn't filter based on addressing. Furthermore, the use of SVMs (support vector machines) to classify text is not new...

    1. Re:Not a firewall by Tony+Hoyle · · Score: 4, Funny

      the definition of a firewall is a device on a network that allows or denies access

      Ahh, so *that's* what our system administrator is called..

      I'll stick to 'Mordac' though.

    2. Re:Not a firewall by Threni · · Score: 2

      > This isn't a firewall as it doesn't filter based on addressing. Furthermore,
      > the use of SVMs (support vector machines) to classify text is not new...

      If the box running it stops fire from spreading in your building then it's a firewall, otherwise it's not. I mean, if you're going to be strict about what constitutes a firewall...

  9. Fetchmail? by TheLoneCabbage · · Score: 3, Insightful


    Fetchmail + SpamAssassin?

    What am I missing here?

    Doesn't save B/W: you need to run it INSIDE your network.

    Don't care how fast it is: It's a dedicated server.

    1/25,000 failure rate with no false positives: OK, that's good. But still not amazing.

    How are their servers? /.?

  10. Deployment by Rikus · · Score: 2, Interesting

    Well, this certainly sounds like a good thing for many people, but because it's been described as "firewall" and not a "server-side filter", I certainly hope it wouldn't be set up at major ISPs to intercept all smtp traffic going through.

  11. Yes... by phosphorous · · Score: 2, Funny

    Hopefully their spam firewall is more robust than their web server.

  12. Uh yeah, OK... by Tony+Hoyle · · Score: 4, Insightful

    It's easy to produce these kind of results in trials - you just tune the spam filter to handle a certain set of emails, then you feed it those emails again and you get a near 100% success rate.

    Heck, why not do it with a million emails? Makes better headlines that way.

    I don't see how this is any different to SpamAssassin (the term 'Mail Firewall' is pure marketing bullshit. It's a spam filter. Get over it.) except I bet it costs a hell of a lot more...

    1. Re:Uh yeah, OK... by Tony+Hoyle · · Score: 2, Insightful

      No real researcher would ever perform a test in such a way.

      Take off the rose-tinted spectacles.

      Have a look at some of the recent MS or SCO research. *real* researchers give the results they're paid to give, and don't give a damn about methods.

      This is a press release (presumably.. definitely reads like one). Most of the 'facts' in it were probably dreamed up on the spur of the moment because they sounded good. Assuming they really ran the 25,000 email test then it's almost certain they reached the conclusion they were told to reach. If they can repeat those results after a server has been up for 6 months filtering *real* email then I'll be interested.

      Not necessarily. I don't know how much configuration this system requires, but if it requires nothing more than simply plugging two network cables into a box and away you go, then I think it is very appropriate to call it a "firewall."

      No, it's still a spam filter.

      If you put it into a sealed self-powered black box with the words 'Firewall' emblazoned in large letters on the side it would *still* be a spam filter.

      The word 'Firewall' has a specific use in the IT world, and this ain't it.

    2. Re:Uh yeah, OK... by Tony+Hoyle · · Score: 3, Insightful

      They're not trying to get published. They're trying to get paid.

      Someone posted a non-slashdotted link. They've formed a company and are after funding - hence this press release. TBH Slashdot should stop giving these people airspace.

      This is *not* science it's a corporate press release. If they had the integrity you ascribe to them (which really doesn't exist - everyone has an agenda, whether it's to get published or, in this case, to get money) then they'd never have allowed it to go out with claims like this is 'new' and 'revolutionary' which are quite obviously total bullshit.

      And no, it's still not a firewall. I do exactly the same with postfix and spamassassin and that's not a firewall either. It's a mail filter.

  13. What happens to the 1 mis-classified email? by Thrymm · · Score: 5, Interesting

    1 out of 25k is impressive, but what happens to these spam mails? Are they bounced back as an error "no user account found"? Or done like a blackhole where the spammer doesn't know if it reached its intended recipient? I like my SpamBayes :)

  14. Ciphertrust, too... by TrebleJunkie · · Score: 4, Informative

    I know! Ciphertrust's Ironmail works the same way... It stops ALL mail inbound, runs it through about a dozen different detection queues, only letting legitimate stuff through. I'd really like to see how this new one is otherwise unique.

    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.

    1. Re:Ciphertrust, too... by Just+Some+Guy · · Score: 3, Funny

      Darnit! The spam filter I was writing lets everything through, then picks through my inbox over the course of the next month to highlight possible spam in chartreuse. Back to the ol' drawing board...

      --
      Dewey, what part of this looks like authorities should be involved?
  15. Useless by trans_err · · Score: 2, Insightful

    Until there is a 0% fail misclassification rate such a method is useless. Filtering was one thing, if you misfiltered a message you always had the opportunity of occasionally scanning your SPAM box and making sure everything was about penis enlargement and not about the meeting you have next week. However, with this method email is stopped and never delivered, thus your misclassified email is now gone- forever.

    I'd rather get 5 extra spam if it meant I also received every real email.

    1. Re:Useless by leperkuhn · · Score: 2, Insightful

      If it's just bounced back then how is that bad? There will never be a perfect system - even whitelisting involves a bounceback. I'd be more than happy with 1 out of 25,000 e-mails being incorrect. I bet more mail gets lost by the post office.

      --
      http://www.rustyrazorblade.com
  16. My favorite line: by calypso15 · · Score: 5, Funny

    "...companies losing valuable employee time to deleting spam..."

    Maybe they should be working on a Slashdot-Firewall. Damn, I really should get back to work.

    Oh, and since the linked article got /.ed, here:
    http://www.uq.edu.au/news/index.phtml?article=5833

  17. Spin doctors by sean23007 · · Score: 3, Insightful

    "It turned out that the software was even better than us, picking up spam we'd incorrectly classified as legitimate emails."

    Heh. Does anyone else see that as a good way to downplay false positives?

    "Oh, good point, Computer. That email from my boss actually was spam. I didn't realize that until you mentioned it."

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.
    1. Re:Spin doctors by JimDabell · · Score: 3, Insightful

      No, it's well-known that humans make mistakes. Human decisions, when faced with hundreds of spam emails, result in false positives and false negatives as well. The comment you mention merely points out that they consider it to make fewer false negatives than the average human.

  18. Spam firewall? I want a hard drive firewall by MustardMan · · Score: 3, Interesting

    I submitted this as an ask slashdot and was promptly rejected, so I'm going to put this here as a slightly on-topic post.

    What I want to see is a software hard drive "firewall." If you're not sure what I mean, think of what a product like zone alarm does when spyware.exe tries to access the internet on your pc. It pops up a window saying "do you want to allow this program..." Now, why can't we have the same thing for hard drive access? So, I download fungame.exe, and when I go to run it, my "firewall" tells me fungame.exe is trying to write to fifteen different directories to install different spyware products. It could only give a popup on the first time a program tries to write to a given directory, and have an option to not show any new notices for this program, to limit the annoyance factor. I think this would be a great tool to help lessen spyware/trojan problems. If the program interacted with spybot or a similar product, it could even automatically prevent writing of files that are known to be adware. Is there anything like this out there? Anyone who would be willing to help make it?

  19. As a self-appointed representative of ... by burgburgburg · · Score: 4, Funny

    Unconsciously Desired Email Industry (Our slogan: You opted in in your heart!), I'd like to strongly protest the continuing escalation of technology against us. We provide the opportunity for hundreds of thousands of people to spend freely on products unburdened by simple heuristics of "they work" or "they won't make you ill" or "we'll actually send them". Why are you so intent on interfering with the consumer ethos?

  20. Big deal by n6kuy · · Score: 3, Funny

    You mean it blocks all email, and the one legitimate email among the 25000 is the "misclassed" one...

    --
    If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
  21. Here's how it probably works by lokedhs · · Score: 5, Interesting
    I heard about this new technique before. Apparently it works tremendously well.

    The idea is that the mail server keeps a whitelist of "allowed" addresses which are always accepted. If a mail comes from an address which is not known, the mail server will reply with a "server unavailable, try later" error message. All real mail servers will try to send the message a little later (I don't know the exact time, but it's probably less than an hour. Someone else might know better).

    The second time the remote mail server tries to connect, the server accepts the mail and adds the address to the whitelist.

    However, mass mailers for spam don't do this but simply go on to the next address in the list if this happens. This way the spam message is filtered out.

    Note that this method doesn't require any analysis of the actual content of the message, nor does it involve any manual actions from either the sender or the receiver. Currently it's probably the best spam blocking method that exists.

    1. Re:Here's how it probably works by Santana · · Score: 4, Informative

      That's how spamd works, and yes, it works tremendously well. I used to get 300 spam messages daily. I receive now one or two every week.

      --
      The best way to predict the future is to invent it
    2. Re:Here's how it probably works by Frostalicious · · Score: 2, Insightful

      The second time the remote mail server tries to connect, the server accepts the mail and adds the address to the whitelist. Currently it's probably the best spam blocking method that exists.

      Until the spammers catch on and start to resend their requests. This seems like a stop-gap solution.

    3. Re:Here's how it probably works by hedronist · · Score: 4, Informative
      I think you're trying to describe greylisting. Although greylisting is amazingly effective, I don't believe that's what is being discussed here (the site is slashdotted).

      Our experience with greylisting has been (1) a 90%+ reduction in passed-through email (with no complaints from users about lost mail (yet)), (2) a dramatic decrease in server load because SpamAssassin doesn't see the message until after it gets past greylisting, and (3) people rediscover how useful email is once you get all of the crap out of their inbox.

      Marketing Guy: What's the worst that could happen?
      Dilbert: Our beta product could turn into an evil robot that annihilates the galaxy.

    4. Re:Here's how it probably works by xlv · · Score: 2, Interesting
      That's probably going to work for about a month, until the spam programs are updated.

      As mentioned in other posts, he's describing http://greylisting.org/. Even if spammers adapt their software, the beauty of the system is that by the time the message is resent, it's probably already in a distributed spam database, so spamassassin will give it a higher score than if it had been accepted the first time around.

    5. Re:Here's how it probably works by Zak3056 · · Score: 2, Insightful

      Until the spammers catch on and start to resend their requests. This seems like a stop-gap solution.

      It is, but it's a GOOD stop-gap. In order to resend the bounced greylisted message, you'd have to be resending ALL soft bounced messages the number of which, assuming you're sending millions of emails a day, is not insignificant.

      It makes the cost of doing business higher for spammers, which ideally cuts down on their profits, making spamming less attractive.

      --
      What part of "shall not be infringed" is so hard to understand?
    6. Re:Here's how it probably works by slashname3 · · Score: 3, Informative

      You just described greylisting. And it works extremely well. It is something all ISPs should be forced to implement immediately.

      And for those that say this is a stop gap and won't be effective for very long, they are wrong.

      The whole idea is to increase the cost to the spammer of sending out millions of emails. By greylisting they have to resend the same message at least twice, possibly multiple times, since they don't know how long the delay is.

      On top of that if you combine greylisting with an RBL which is fed from a spam trap it is most likely that by the time the spammer resends the message to you a second time that machine is listed in the RBL. So the second attempt you let it in, check the RBL and reject the message.

      Add spamassassin as the next line of defense and the few messages that do get through will get tagged and dropped in the spam bucket.

      But the important part of all this is to increase the cost to the spammer. If they try to get around this then they have to maintain a list of sent messages that were rejected and resend. This takes time and resources to do, thus increasing the cost to the spammer.
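
The greylisting behaviour discussed in this sub-thread, as an added example that is not part of any post above and not the code of spamd or any other product. It keys on the (client IP, envelope sender, envelope recipient) triplet, which is an assumption here since the posts only speak of a whitelist of addresses; the delay, retry window, trust lifetime, reply text and sample traffic are likewise constructed for illustration.

```python
"""Greylisting sketch: temp-fail unknown triplets, accept a sufficiently delayed retry."""

MIN_DELAY = 5 * 60           # assumed: retries sooner than this are deferred again
RETRY_WINDOW = 4 * 3600      # assumed: a first attempt is forgotten after this long
TRUST_TTL = 36 * 86400       # assumed: how long a passed triplet stays whitelisted

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self):
        self.pending = {}    # triplet -> time of first deferred attempt
        self.passed = {}     # triplet -> time the triplet was last seen

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply to give at RCPT TO time for this attempt."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())

        # Already whitelisted: accept and refresh, unless the entry aged out.
        last = self.passed.get(triplet)
        if last is not None:
            if now - last <= TRUST_TTL:
                self.passed[triplet] = now
                return ACCEPT
            del self.passed[triplet]

        first = self.pending.get(triplet)
        if first is None or now - first > RETRY_WINDOW:
            # First contact, or a stale entry: record it and temp-fail.
            self.pending[triplet] = now
            return DEFER
        if now - first < MIN_DELAY:
            # Retried too quickly: keep the original timestamp, defer again.
            return DEFER
        # The sender queued the message and came back after the delay.
        del self.pending[triplet]
        self.passed[triplet] = now
        return ACCEPT


# Constructed sample traffic: (seconds since start, client IP, MAIL FROM, RCPT TO)
SAMPLE_ATTEMPTS = [
    (0,     "192.0.2.10",  "alice@example.org", "bob@example.net"),  # MTA, first try
    (0,     "203.0.113.5", "promo@example.com", "bob@example.net"),  # bulk mailer
    (60,    "192.0.2.10",  "alice@example.org", "bob@example.net"),  # retry too early
    (900,   "192.0.2.10",  "alice@example.org", "bob@example.net"),  # retry after 15 min
    (5000,  "192.0.2.10",  "alice@example.org", "bob@example.net"),  # later mail, trusted
    (20000, "203.0.113.5", "promo@example.com", "bob@example.net"),  # back after window
]


def replay(attempts):
    """Run the attempts through a fresh Greylist and return the reply codes."""
    greylist = Greylist()
    return [greylist.check(ip, sender, rcpt, t).split()[0]
            for t, ip, sender, rcpt in attempts]


if __name__ == "__main__":
    for attempt, code in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "->", code)
```

A sender that retries inside the window is accepted like any other, which is why the posts above pair greylisting with an RBL lookup and SpamAssassin on the second attempt.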

  22. And human error is better? by metallicagoaltender · · Score: 2, Insightful

    I'd guess that if you put the firewall up against your average email user, the average user would shitcan legitimate messages at a much higher rate than the firewall thanks to the fact that the user can get frustrated while the firewall can't. I know my boss accidentally deletes mail from me at least 3 times per week because he's careless while mass-deleting spam in the morning.

    Since the firewall functions based upon code rather than emotion and intuition, the firewall's error rate is going to look better and better against human error as it handles more and more mail.

  23. I hope they don't reject my e-mail by koinu · · Score: 5, Funny
    I'm a.l-wa-ys wr|?|-ng l|-ke ðißs 2 m.y f-iends

    amidoacetic platymyoid granomerite nonacceptant dorsoposteriad uninclined unshocked zibet intercity lornness

    1. Re:I hope they don't reject my e-mail by stienman · · Score: 2, Funny

      And you wonder why they don't write back...

      -Adam

  24. Re:One solution to spam by Tony+Hoyle · · Score: 2, Interesting

    You mean TMDA.

    Not new. Nobody ever sends the replies. Mailing lists automatically ban users who run it (I know I do... if they didn't want email they shouldn't have frikkin registered, so I grant them their wish and ban them.).

    people not considering their mail important enough

    Well if you don't consider my email important enough to read it before assuming it's spam, I don't see why I should continue the conversation.... Sucks for you if I just sent you a job offer..

  25. What's the problem? by Deep+Fried+Geekboy · · Score: 3, Funny

    Thanks to spam, I have been able to remortgage my house online seventeen times to pay for diet pills, pirated software, false identity cards and bogus certificates proving I am a minister of religion.

    Not to mention my enormous, permanently erect p3N1s.

    Just say NO to spam-blocking!

    --

    I'm not wrong. You haven't thought about it hard enough.

  26. Why filter at firewall layer? by sdxxx · · Score: 4, Insightful
    Well, the site is slashdotted, so I can't read their claims. However, it doesn't seem like there is any benefit to doing spam filtering at the firewall layer.

    For example, Mail Avenger allows you to filter spam based on network characteristics like SYN fingerprints and routes. It even integrates with the kernel firewall to filter out aggressive spammers and mail bombers. However, because it runs as an ordinary user-level process, it also has much more flexibility, for example allowing individual users to set different policies on different email addresses. What can a spam "firewall" do that you can't do with a system like Mail Avenger?

  27. Re:One solution to spam by MurkyGoth · · Score: 4, Interesting

    (Presuming that wasn't a troll) That's a horrible, horrible solution. Viruses fake sender addresses, which means the faked address gets *loads* of these 'Please confirm' emails, clogging up another innocent mail server. Get it wrong, and you'll have two servers sending 'Please confirm' messages to each other until one screws up into a little ball and dies. I'm all for the War Against Spam, but this isn't the way - it just doubles the amount of emails.

  28. One Revolutionary anti-spam firewall right here! by hndrcks · · Score: 2, Interesting

    Here's a nice How-To that covers building an SMTP mail relay with SpamAssassin, Amavisd, DCC, Razor, and Clam AntiVirus all running chrooted on OpenBSD.

    Once the relay determines a message is spam, it rejects and drops the message before it is transferred to the 'real' mail server. End users never even know the message was there...

    We set up two of these about 6 months ago and eradicated most of our spam problems. (some still get through, on the order of 5 - 10 false negatives on a mailserver handling about 3k messages per day.)

    --
    Everyone will start to cheer when you put on your sailin' shoes.
  29. The what where now? by broothal · · Score: 4, Funny

    This didn't make it through my bullshit filter. Oh - sorry, I mean bullshit firewall. It's like this new technology that rejects bullshit from the evil internet, so I never have to read it. Thank god, because if I'd read about this "revolutionary spam firewall" I would be forced to make a childish comment on slashdot and burn some karma.

  30. In fact, it's a step backwards! by Roadkills-R-Us · · Score: 2, Interesting

    One of the nice things about the Barracuda is that I can configure it as a spam filter or a firewall.[1] I can decide whether to have certain mails stopped at the border, or dumped in a special box, or passed through (and optionally tagged).

    In fact, you can do all this with free software as well. It's just that the free software was freaking out on us, and requiring way too much handholding. We were losing email, and having huge delays.

    The Barracuda (which we found through a /. ad, so /. isn't a complete waste of time! 8^) has done a great job so far. For the first week, I put 1-2 hours in per day going through the list, training things. Then I dropped down to 1 hour a week for a couple of weeks. Now I spend very little time on it. It's great.

    Is it perfect? No? But most of my complaints are niceties in the GUI, so it's still well ahead of where we were before trying to maintain things ourselves.

    This may be a new, rockin' way to detect spam, but if so, they need to pitch it better. They're focusing on the wrong things, IMO. I have an enterprise to run, and marketing jive doesn't cut it.

    [1] It's a dessert wax and a floor topping!

  31. False Positives by ewn · · Score: 2, Insightful
    "It turned out that the software was even better than us, picking up spam we'd incorrectly classified as legitimate emails."

    They are celebrating false positives?

  32. Re:Spam firewall? I want a hard drive firewall by Kaa · · Score: 2, Insightful

    That's not a firewall either - it's a sandbox (and not new, either)...

    The guy is not asking for a sandbox. He is asking for the ability to give or deny individual processes write-access to the hard drive. That's something quite different from a sandbox.

    I would also be interested is software that does this.

    --

    Kaa
    Kaa's Law: In any sufficiently large group of people most are idiots.
  33. Solution by HarveyBirdman · · Score: 3, Funny

    Hellfire missiles into the offices of spammers. It's the only way to be sure.

    --
    --- Ban humanity.
  34. Won't work. by pontifier · · Score: 3, Funny

    Any sufficiently advanced spam is indistinguishable from ham.

    Fenley's torment.

    --
    -John Fenley
  35. Article slashdotted, but skeptical of the blurb by gvc · · Score: 2, Insightful
    The only true ... followed by some words with nebulous semantics. Successful trial of a key layer ... [as opposed to an actual demonstration]. 1 misclassification in 25,000 [a.k.a 99.996% accuracy].

    All these phrasings automatically trigger my B.S. filter. Or should I say firewall.

  36. Vapor by gone.fishing · · Score: 2, Interesting

    You smell that vapor? Sounds like bullshit to me.

    Someone has figured out how to build a "spam firewall" that is different from everything out there. Yeah right. No details to tell us exactly how it is different.

    My guess is that they took a software based product using Bayesian filters and some other common anti-spam filtering technology and packaged it in hardware. Won't really improve the function of the machine but could possibly help with performance (process mail faster).

    I won't believe it is anything else until I actually see it. Unfortunately, I don't think that will happen anytime soon.

  37. But what if... by Clown+Jizz · · Score: 2, Insightful

    your name is Dick? My father, whose name is Dick, has had endless trouble with spam filters blocking all of the messages he sends where he uses his own name, or when clients send him email using his name. It seems most filters and firewalls don't distinguish between "Dick" and "dicks," and this is a problem for businesses, where context is so important.

  38. They've updated... by One+Childish+N00b · · Score: 3, Funny

    From the site: These three additions change the first equation to (3*13*17*4*3*17) variations, and boost the second equation to ( 192 x 3 x 192 x 13 x 192 x 17 x 192 x 4 x 192 x 3 x 192 x 17 x 192) = 1,300,925,111,156,286,160,896. Thanks Greg, Ryan and SR, you helped push the total into the SEXTILLIONS!

    Please don't tell me I'm the only one who finds it ironic that the number of different ways to spell it comes out as sextillions...

    --
    Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
  39. Revolutionary Mail Firewall? by Titusdot+Groan · · Score: 2, Informative
    Mail Firewalls are an entire business sector with many companies competing in this space. This space is tracked by Gartner and Meta Group. How in the hell is this revolutionary?

    Hell, there's even a product called the Mail Firewall that pops up if you google for mail firewall.

  40. Not true, it less than doubles costs of spam by davidwr · · Score: 2, Insightful

    If the spammer gets a "try later" response, he tries later ONE TIME. Worst-case this doubles their bandwidth costs and delays everything by 4 hours.

    Today, MOST bad addresses will get SOME OTHER reply, so the cost increase is 2x.

    I agree that it's a GOOD stopgap measure but it will fail as soon as the spammers catch on.

    On the other hand, spammers might catch on to the idea that "these people are likely to complain, so I don't want to mail them anyways." That would be a Very Good Thing.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  41. Old news by Anonymous Coward · · Score: 3, Informative
    They are not the first on the block.

    Heuristic analysis - detects and blocks spam by various email characteristics

    Black lists - checks if the sending server is in RBL (Realtime Blackhole List), dial-up or open-relay servers

    DNS verification - checks if the sender is using a valid mail server

    Keyword blocking - blocks spam according to keywords in subject and body

    Anti-spoofing - blocks email masquerading as coming from within the organization - a common spam technique

    Cookies/web beacons - blocks email cookies which help spammers identify the recipient as a "live" email

    Header verifier - inspects various header signatures and blocks spam

    Textual analysis - categorizes spam according to textual content like mortgages, pornography, dental care, etc

    Spam signatures - an auto-updating spam database allows detection and blocking of spam according to smart signatures

    Spam URL filtering - blocks email with links to spam sources and sponsors

    Spam image filtering - blocks email containing spam associated images

    Auto-updating database - local or remote spam blocking database based on thousands of Spam collecting bots and web crawlers

    eSafe: http://www.esafe.com/esafe/anti-spam.asp

  42. Some things can't be accurately filtered by davidwr · · Score: 2, Interesting

    Here's a hypothetical:

    1) I get a spam "from" you and forward it to you with a note saying "did you send this." You want to get this type of email. Since you might get such a message from anyone at any time, traditional "is he in my mailing list" filters aren't suitable.

    2) I'm a spammer and malware writer, and I write a virus that sends mail from my victim's machine that looks identical to #1. Even though the message is malware-free, you definitely do NOT want this message.

    No human recipient can tell the two apart, by looking ONLY at the received email.

    Of course, no computer can identify "friend or foe" by simply looking at the message either.

    So, if you are looking for the perfect filter, it doesn't exist.

    If you are looking for a filter that's better than a person, I recommend Yahoo for web-based mail and a number of good solutions for your own system.

    In the above scenario, there are solutions. One requires analyzing multiple copies of the message to spot patterns, something big houses like AOL and Yahoo can do but small shops that may only get 1 copy of the message cannot. You can also use RBL lists that track zombied machines, but that won't trigger if the machine in question isn't RBL'd yet. Delay-try-again-later tactics like those mentioned elsewhere in this thread can help here, but are ruinous if you want legitimate complaints ASAP. "Man in the loop" solutions like sending a confirmation message might help, but many people ignore such requests.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  43. Re:Spelling = easy by khrtt · · Score: 2, Interesting
    Will your algorithm do it with polynomial complexity ;)

    Yes:
    1. Remove insignificant interspersed characters:
      s/[.,=+-]//g
      Make sure the meaningful \/ and such combinations are not removed.
    2. Map each of the remaining characters so as to group characters that represent the same letter, e.g.:
      s/[Ii1l|ïì:ÌÎÍÏ]/i/g
      Note that l and i would be in the same group then, and L would be in another. This also maps out the 1337-speak, so here you could add a lameness qualifier to each character, based on its 1337-ness.
    3. Match against tree-encoded dictionary.


    Almost forgot:
    4. ...
    5. Profit

    Eh, never mind...
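
The three steps of the post above (strip filler characters, fold look-alike groups, match a tree-encoded dictionary), as an added example that is not the poster's code. It also strips HTML comments and counts how many obfuscating characters were undone per token; the look-alike table, keyword list and sample text are constructed assumptions and far from exhaustive.

```python
"""Normalise obfuscated tokens, then match them against a keyword trie."""
import re
import unicodedata

HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
# Multi-character look-alikes are folded before filler is stripped.
DIGRAPHS = (("\\/", "v"),)
# Look-alike groups -> canonical letter (assumed table; l and i share a group).
GROUPS = {"i": "1l|:", "a": "4@", "e": "3", "o": "0", "s": "5$"}
LOOKALIKE = {ch: canon for canon, chars in GROUPS.items() for ch in chars}
FILLER = set(".,-=+_*")
END = object()                      # trie marker: a keyword ends at this node
KEYWORDS = ("viagra", "mortgage")   # constructed keyword list


def normalise(token):
    """Return (canonical form, number of obfuscating characters undone)."""
    undone = 0
    # NFKD splits accented letters into base letter + combining mark.
    text = unicodedata.normalize("NFKD", token.lower())
    for pattern, letter in DIGRAPHS:
        undone += text.count(pattern)
        text = text.replace(pattern, letter)
    out = []
    for ch in text:
        if unicodedata.combining(ch) or ch in FILLER:
            undone += 1                         # dropped accent or filler
        elif ch in LOOKALIKE:
            undone += 0 if ch.isalpha() else 1  # a plain 'l' is not obfuscation
            out.append(LOOKALIKE[ch])
        else:
            out.append(ch)
    return "".join(out), undone


def build_trie(words):
    """Insert each keyword in its normalised form so both sides fold alike."""
    root = {}
    for word in words:
        node = root
        for ch in normalise(word)[0]:
            node = node.setdefault(ch, {})
        node[END] = word
    return root


def lookup(trie, canonical):
    """Walk the trie once per token: time linear in the token length."""
    node = trie
    for ch in canonical:
        node = node.get(ch)
        if node is None:
            return None
    return node.get(END)


def scan(text, trie):
    """Return [(original token, matched keyword, obfuscation score), ...]."""
    hits = []
    for token in HTML_COMMENT.sub("", text).split():
        canonical, undone = normalise(token)
        word = lookup(trie, canonical)
        if word:
            hits.append((token, word, undone))
    return hits


# Constructed sample text; only whole tokens are matched, so "Dick." is no hit.
SAMPLE = ("Cheap v1agr4 and viag<!--xyz -->ra today, plus V-\u00cf-a-g-r-a. "
          "Refinance your m0rtg4ge now. Meeting at 10:30 with Dick.")

if __name__ == "__main__":
    for hit in scan(SAMPLE, build_trie(KEYWORDS)):
        print(hit)
```

Matching whole tokens keeps ordinary words and names from tripping the dictionary, at the price of missing keywords spelled with spaces between the letters.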
  44. Nothing new..MXLogic was doing this 2 years ago by cubicleman · · Score: 2, Informative

    www.mxlogic.com

  45. I did this myself by bucketoftruth · · Score: 2, Interesting

    Any incoming email that spamassassin detects as spam I record the IP for. If that IP has more than 2 infractions in a given amount of time I execute an ssh command to add an iptables rule to my firewall to block that IP. Problem solved.

  46. Sorry Guys, but it's been done a long time ago by by joemapango · · Score: 2, Informative

    The firewall I use does exactly what this company is claiming their new product does. I've been running it for years. It's Open Source to boot. It's called messagewall, and I think it's great. My (other) mail server receives between 100 and 700 spams a day, out of which I actually receive 1 or 2. I like it because it rejects the mail if it is spam before the sending server can actually send it.

    The down side, you have to load, compile, and build it. It's not too bad, even for a non programmer like me.

    CC

  47. On the contrary by Julian+Morrison · · Score: 2, Interesting

    Let's configure all SMTP servers to drop mis-spelled email. Then not merely will we have ended the scourge of spam, but also cleared the internet of dumb people. This is not a bug!

    You should re-run your study, and correlate against average IQ before and after...