Slashdot Mirror
FairUCE - the Smart Email Proxy
Jestrzcap writes "This just posted on Freshmeat: FairUCE (which stands for 'Fair use of Unsolicited Commercial Email') is an SMTP proxy, running between multiple instances of Postfix, that verifies email by attempting to verify the sender through lookups (a user customized challenge/response). It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'."
FairUCE looks interesting but I'd be curious if it'd do a better job than milter-sender. About a year ago, before I installed milter-sender, I was receiving about 200-300 spams per day. Since installing milter-sender in March 2004 and adding the spamhaus SBL-XBL checks to sendmail, I've received (checking spam mbox) 1568 spam messages.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Or get e-mail providers to support MSA, which is SMTP for mail being introduced to the network, and is supposed to run on port 587.
I appear to have a blog. Odd.
The reverse DNS for email is NOT for determining a match between the sender email address domain, and the server itself. All that needs to match is the hostname of the mail server itself, thus identifying who administers it (not necessarily who gets to use it). If the ISP administers the mail server, then the hostname in the PTR record of the appropriate in-addr.arpa zone will be a unique name in an ISP domain. The forward lookup then prevents forged PTR records by making sure the domain owner acknowledges that name belongs to that IP address.
While most ISPs do have reverse DNS on their mail servers, when you focus on just the servers that spam houses run from, this changes over to most do not. But what would really happen if everyone blocked on lack of matching rDNS is that the spammers would adapt and use it. Then we'd know what domain they are using. But many of them are now registering bulk volumes of domain names (if you're making a million dollars a month abusing other people's networks, registering 100 randomly generated domains a month is just a tiny cost of business).
now we need to go OSS in diesel cars
Here in the Netherlands the government wants providers to keep a log of all mail (http, ftp, whatever) traffic that goes over their lines. The providers are complaining, but in the end they will simply raise prices to compensate. Effectively I will be paying to be spied upon. And in the case of email, I will be paying to receive spam and then store it for five or ten years.
I'm sorry, you're wrong on a detail.
There is no reason to have port 25 open outbound on anything but the ISP's authorized SMTP servers. None whatsoever iin this day and age, except the convenience of people who like to run their own mail servers. Unfortunately, with the massive number of zombied and badly run home SMTP servers, most outbound SMTP from ISP users that does not go directly to their ISP's SMTP server for delivery as mail from that ISP is in fact spam or email worms.
So yes, it needs to be blocked outbound. You simply need to use SMTPAUTH on the road to get your email to your own ISP's SMTP server over port 587. Problem solved.
According to the standard, the from field should have the email address the mail was sent from (in this case your uni addy).
No, that's "Sender". From RFC 2822:
The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message.
I've been using Challenge/Response for nearly 3 years. And I disagree with your critiques. Let's take this point by point:
- Users hate them: There is a kernel of truth to this. Some users do hate them. Those users hate challenge/response so much that they instigate fights. They submit their IP addresses to RBLs for blacklisting. These are a very annoying, and vocal MINORITY. By far most users are agnostic. They deal with the challenge once and then they're done.
- automated systems can't get past them: Again, there's a kernel of truth here. If you have badly configured your C/R you're going to be in trouble. But a properly configured C/R has absolutely no problems.
- they're almost always subverted: Really? In the last month I've had over 4000 pieces of email delivered to me from unknown addresses. Only 10 of those have been confirmed. Of the ones that were confirmed 2 of them were spam. This was easily remidied by removing those 2 addresses from my whitelist and adding them to my blacklist.
- never will gain the acceptance of the user community enough to become effective: While C/R may never gain the acceptance of the user community, I don't think it's for the reasons that you cited. I think the reason is that it's too hard to set up correctly. But that being said, it doesn't need the acceptance of the user community to be effective. It works for me today whether or not you use it.
IMHO, what you don't know about C/R is quite large.I use TMDA. I've got it configured so that any email I send to unknown addresses will be allowed to respond for 7 days. After that, they go into C/R. For my bill pay services, I give them a special address that allows them in forever, but that's tied to them so that I'll know if they ever hand it out to someone else.
Personally, I think it'd be better if the entire world started using C/R. It'd be better because then everyone would understand that sending email to an unknown party involves a formal introduction process. This would cut down on the number of people who get confused when they receive a challenge. But if this doesn't happen it's not that big a deal. The number of confused people is already small.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
Similarly, responsible blacklists will demand credible evidence before listing a domain as a spam source.
Could you name names, i.e. the blacklists that you have encountered that are not being responsible?
Female Prison Rape in NY
I run a small web board, and already the e-mail address I use as the admin of that board gets flooded daily with crap like "I haven't actually received your message, click here to verify you are real". I finally got fed up with it and posted this response.
If you implement these, remember you get e-mail from more then just friends you know. Lets see, last week alone, I got 5 messages from companies like Dell from working on issues with them, and none of them are in my address book.
The proper solution is to ensure the outside world sees no difference unless it is spam. I never give my full address to a company, instead I use the postfix feature where anything after _ is ignored. Then I create a one letter alias for me to keep them short. If I get a lot of e-mail, it makes server side filtering into my IMap folders easy. And if one address gets hit by spam, I then block it on the server. It works well, and doesn't inconvenience the people e-mailing me.
"Thank you or ringing my doorbell. I am currently home, but did not hear the doorbell. To properly ring it, please run around my house, braving the dogs in back, and use the doorbell located next to the cat door on the deck. Then I might care enough to see who you are and let you in."
"My solution was simply to pay for an account at an ISP where they aggressively filter spam."
Yeah, but sometimes agressive spam filters accidentally filter legit mail. You may still be missing out on freelance opportunites thanks to your agressive spam filter.
DRM 'manages access' in the same way that a prison 'manages freedom'
By properly configuring the C/R system.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
Here you go.
I've fallen off your lawn, and I can't get up.