Slashdot Mirror


FairUCE - the Smart Email Proxy

Jestrzcap writes "This just posted on Freshmeat: FairUCE (which stands for 'Fair use of Unsolicited Commercial Email') is an SMTP proxy, running between multiple instances of Postfix, that verifies email by attempting to verify the sender through lookups (a user customized challenge/response). It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'."

22 of 333 comments

  1. Need an end-user version by RevJim · · Score: 3, Insightful
    "End-users cannot install FairUCE at this time; end-users, please direct your mail administrator to this page."

    Even though this is an interesting new tool, most e-mail users are tied to whatever backend their ISP supplies, which is a shame... Someone should whip up an end-user desktop version.

    Can't wait to get my hands on a copy of the server version though...

  2. Re:Oh crap.... by Anonymous Coward · · Score: 2, Insightful

    Filtering doesn't belong in the client. That's always been an ugly hack.

  3. Challenge/Block by droleary · · Score: 3, Insightful

    FYI, any time (which is every time) I get a challenge for an email I didn't send, I immediately block the server because that kind of "solution" is nothing short of dropping their spam problem in my lap. Fair warning to anyone who thinks FairUCE is in any way a "Smart" answer to spam.

    The only effective spam solution I've currently found is to have expiring email addresses. One easy way to set that up is to use subdomains that don't even resolve after a certain point. So you might have me@2004.example.com good for only three more weeks, or me@amazon.example.com good for as long as Amazon (or your "healthy" girlfriend) doesn't sell you out. You can get tricky, of course, and use subdomains that are not so easily subject to a dictionary attack or guessing.
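
One way to implement the expiring, hard-to-guess subdomains described in the comment above, as an added example that is not part of the original thread. It makes the decision at RCPT TO time instead of by removing DNS records; the HMAC tag scheme, the `d<date>` label format, the secret and every function name are assumptions.

```python
import base64
import datetime
import hashlib
import hmac

DOMAIN = "example.com"              # domain used in the comment's examples
SECRET = b"constructed-demo-key"    # assumption: secret known only to the mail server
REVOKED = {"amazon"}                # tags whose holder leaked or sold the address


def _mac(tag):
    """Short keyed tag that makes a subdomain label unguessable."""
    digest = hmac.new(SECRET, tag.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest)[:8].decode().lower()


def issue(tag, local="me"):
    """Address to hand to one correspondent: me@<tag>-<mac>.example.com."""
    return f"{local}@{tag}-{_mac(tag)}.{DOMAIN}"


def issue_dated(expires, local="me"):
    """Address that stops being accepted after the date `expires`."""
    return issue("d" + expires.strftime("%Y%m%d"), local)


def accept_rcpt(address, today):
    """Return (accepted, reason) for a recipient address on a given date."""
    _, _, host = address.lower().partition("@")
    if not host.endswith("." + DOMAIN):
        return False, "wrong domain"
    label = host[: -len(DOMAIN) - 1]
    tag, sep, mac = label.rpartition("-")
    # Constant-time comparison; a plain or guessed label has no valid MAC.
    if not sep or not hmac.compare_digest(mac.encode(), _mac(tag).encode()):
        return False, "unknown subdomain"
    if tag in REVOKED:
        return False, "revoked"
    if len(tag) == 9 and tag[0] == "d" and tag[1:].isdigit():
        try:
            expiry = datetime.datetime.strptime(tag[1:], "%Y%m%d").date()
        except ValueError:
            return False, "unknown subdomain"
        if today > expiry:
            return False, "expired"
    return True, "ok"
```
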

  4. Re:forward and reverse by NuclearDog · · Score: 3, Insightful

    Most ISPs have reverse dns set up already for all their IPs, eg in my case mapping 10.123.123.123 to static10-123-123-123.reverse.myisp.ca, and the A record for that host is the IP 10.123.123.123. Could the virus/spam server/etc not tell the remote mail server it is "static10-123-123-123.reverse.myisp.ca" then?

    The remote mail server would find that the host points to 10.123.123.123, which reverses back to... the given hostname!

    ND

    --
    This statement is forty-five characters long.
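
The forward/reverse check discussed in the comment above, as an added example that is not part of the original thread. It runs against a constructed in-memory zone and shows that an ISP-generated PTR name passes the check, so a pass proves consistent DNS and nothing about whether the host is a mail server. The lookup tables, the `looks_generic` heuristic and every hostname except the one quoted in the comment are assumptions.

```python
import ipaddress
import re

# Constructed DNS data (not a real zone). The first PTR/A pair mirrors the
# ISP-style naming quoted in the comment; the rest are made-up test cases.
PTR = {
    "10.123.123.123": ["static10-123-123-123.reverse.myisp.ca"],
    "192.0.2.25": ["mx1.example.org"],
    "192.0.2.66": ["mail.example.net"],    # PTR claims a name ...
    "198.51.100.7": [],                    # no reverse DNS at all
}
A = {
    "static10-123-123-123.reverse.myisp.ca": ["10.123.123.123"],
    "mx1.example.org": ["192.0.2.25"],
    "mail.example.net": ["203.0.113.9"],   # ... that resolves elsewhere
}


def _norm(name):
    return name.lower().rstrip(".")


def fcrdns(ip):
    """Return the PTR names for ip whose A records point back at ip."""
    ip = str(ipaddress.ip_address(ip))     # validate and normalise
    return [_norm(n) for n in PTR.get(ip, []) if ip in A.get(_norm(n), [])]


def looks_generic(name, ip):
    """Heuristic (an assumption, IPv4 only): the leftmost label carries the
    address's four octets in order or reversed, as ISP-generated PTR names
    for customer pools usually do."""
    octets = ip.split(".")
    groups = [str(int(d)) for d in re.findall(r"\d+", name.split(".")[0])]
    runs = [groups[i:i + 4] for i in range(len(groups) - 3)]
    return octets in runs or octets[::-1] in runs


def classify(ip, helo):
    """Classify a connecting client from its IP and the name it gave in HELO."""
    confirmed = fcrdns(ip)
    if not confirmed:
        return "fail"                      # no forward-confirmed name
    if any(looks_generic(n, ip) for n in confirmed):
        return "pass-generic"              # consistent DNS, customer-pool name
    if _norm(helo) not in confirmed:
        return "pass-helo-mismatch"
    return "pass"
```
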
  5. Re:forward and reverse by deranged+unix+nut · · Score: 3, Insightful

    Most ISPs won't delegate reverse DNS lookups to their small (8 IP block) DSL customers. I would happily do reverse DNS if my ISP let me. Unfortunately, most people think that reverse DNS is either dead or not-needed so they normally don't even think about using it.

    I'd rather see the MTAs all do PKI to authenticate each other, only issue certs to those that sign non-UCE agreements, and revoke certs when servers start breaking the non-UCE agreements. If a cert issuer starts issuing a large number of certs to MTAs that start sending UCE, revoke the cert of the issuer.

  6. Re:Challenge Response Spam by fyngyrz · · Score: 5, Insightful

    One problem with challenge response is that Spammers not only send me spam, but send spam purportedly sent by me.

    This is very common - and not just with a real user's address. I have seen thousands of "bounce" messages come to the various domains I own as spammers use the domain prefixed by various random bogus names at whateverdomainitis.com.

    Luckily (for us, anyway) we've now got the proper software written and configured to keep this crap from ever hitting a mailbox we own; however, a more serious problem here is the "do-gooder" problem.

    It goes like this. Joe Spammer decides to use several_thousand_names@mydomainname.com as his assumed identity. A do-gooder site gets reports that mydomainname.com is "sending" this spam to, oh, say a zillion people. They promptly "blacklist" my domain -- from whence, I hasten to point out, no spam has ever been, or will ever be, sent. However, my domain is a valid domain that I depend upon to make my living. Various ISPs, through a compounding of stupidity (but still with the intent to "do good"), promptly bounce our valid emails, because the do-gooder's site says we are spammers.

    The end result is that because some spammer out on the net has used our domain name, we, not the spammer, are penalized and in a real financial sense.

    In the meantime, the spammer, who like any competent spammer watches the do-gooder's sites very carefully, notices that my domain is banned, and promptly switches to a new domain. Meanwhile, I can't send mail to my customers. Meanwhile, I get thousands of "bounce" messages that have to be handled by some layer of software or, Darwin forbid, by one of the legitimate users at my site. Random netizens out there have been temporarily "protected" from (typically) one spam email per email address they have, while our customers are cut off at the knees, as are we.

    So what the do-gooder has accomplished is to cause the spammer to take another domain (probably from an automated list, no sweat off the spammer's brow whatsoever) and the do-gooder has hurt a legitimate net citizen who never spams.

    Everybody's trying to do good here except the spammer. The do-gooder and the ISPs using the do-gooder list hurt our end users by blocking mail they should be getting; they hurt us by screwing up our communications channel to our customer base; but -- they don't hurt the spammer one flipping bit, and they do no permanent good for the average netizen who gets one of these spams. The spammer just restarts his list at the break point and begins with a new domain; the end user, after a short delay, gets a new spam with a new domain name, and the temporary respite for them is over -- and the net result of the do-gooder's blacklist is no good whatsoever has been done. Some users will get two spams if the spammer restarts the list back a little to make sure he doesn't miss anyone. Great, eh?

    Obviously, do-gooder blacklisting doesn't work, and cannot work. Mostly, it causes harm to legitimate parties.

    IMHO, if Internet mail is going to be unregulated, then it needs to be just that -- unregulated. If spammers are going to be fined and/or jailed, then the govt(s) need/s to get the heck after it (and probably needs to close the international email borders to any non-co-operative country so that such a thing is possible.) The latter seems far too severe; the former is being degraded by do-gooders and the people they confuse into accepting their services in an area they should have absolutely no authority in, to a degree that should be unacceptable to any thinking person.

    The only good solution to spam I know of is to use whitelists and web submission entry gateways. If someone is on your whitelist, you get email from them. If someone is not on your whitelist, they get an auto-reply email telling them to mail you via a form on a website. The form, which has to be hand-filled out, mails you at a whitelisted address that is not publ

    --
    I've fallen off your lawn, and I can't get up.
  7. Re:Will it be better than milter-sender? by Matt+Perry · · Score: 2, Insightful

    I've been using the same email address since 1996 and I'd like to keep using it. Not every one wants to change their primary email address to avoid spam.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  8. Re:Here we go again by wirelessbuzzers · · Score: 2, Insightful

    Sorry to bother you while you're making a joke, but you are supposed to X the appropriate bubbles, not random ones.

    --
    I hereby place the above post in the public domain.
  9. Restricted use and restricted download by Skapare · · Score: 2, Insightful

    This package just isn't going to get very popular. It is restricted to non-commercial use (perhaps you can buy a license for commercial use). And you have to sign up with IBM to get a download just to see if it's any good. And then there's a lot of extra stuff you have to have to run it. Maybe I should work on my own GPL open source version of this and do it as a pure TCP proxy front end so it works on any mail server (even for Exchange on Windows if on a different machine or under some emulator).

    --
    now we need to go OSS in diesel cars
  10. Re:Here we go again by johannesg · · Score: 2, Insightful
    I strongly suspect this list was first devised by spammers to convince people that spam cannot be fought. In fact that is wrong, all it takes is the realisation that instead of a single perfect solution we will need a series of incremental solutions. As solutions multiply the amount of spam will drop, but this will take time. I'm fine with that, as long as we are making progress. Right now thanks to your attitude we are not making much progress.

    A law against spam will not actually stop it, but it does allow action to be taken against the spammer after he is found out so he won't do it again.

    Similarly, a technical solution that enforces detectability of the spammer will make it possible to find out who he is, so the law can be applied.

    Neither law nor technical solution on its own will stop spam, but together they can be used to significantly reduce the volume. And that's all we are asking for, really.

  11. Re:Oh crap.... by samael · · Score: 3, Insightful

    Depends what filtering we're talking about. Filtering of viruses and definite spam belong on the server. But when a lot of spam is 'possibles' then I want it filtered as close to me as possible so that I can check myself.

    If nothing else I've had friends forward me particularly amusing spam in the past...

  12. Yet another challenge/response system: *yawn* by Antique+Geekmeister · · Score: 4, Insightful

    "If we could just rewrite everybody's mailers with my new widget in illegible Perl or badly written C that breaks several RFCs I've never bothered to read, we will surely stop spam!" I've heard this sort of thing before, every few months for the past 10 years.

    There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them. Coupled with "sender pays" systems, they're almost always subverted within short periods and never can or will gain the acceptance of the user community enough to become effective.

    1. Re:Yet another challenge/response system: *yawn* by DavidTC · · Score: 4, Insightful

      In other words, you sent out 3992 pieces of spam to forged or invalid addresses, pissing off 2 people who knew what was going on bad enough that they confirmed your C/R.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    2. Re:Yet another challenge/response system: *yawn* by boodaman · · Score: 2, Insightful

      Mail shouldn't be hard. It shouldn't be up to the user to figure out how to "configure TMDA correctly", and it shouldn't be up to the general public to understand how to deal with any number of different automated challenge and response systems out there should they get such a challenge.

      I'm extremely savvy when it comes to IT, computers, Internet, etc. It's what I do all day at work. I wouldn't use the system you describe...what a pain in the ass. How can you expect someone's grandmother to use such a system?

      I used mailblocks.com for about 4 months...also a pain in the ass. Challenge/Response systems are not the solution.

      Here's a scenario: I send you a freelance job opportunity. I've never corresponded with you before, but I visited your website, saw your resume, and saw the part on your site where you said "if you need someone with my skills, and have work, send me a message". After sending my offer, I log off and go fishing at the lake for two days. While I'm gone, your C/R system sends me a challenge. My system thinks it's spam. Or maybe you've configured your C/R system to only wait 24 hours instead of 7 days for a response. The end result is that I never get a response back from you regarding my opportunity, I believe you're a tool because you blew me off, and you never get the work. Worse, in the future, if anyone ever says to me "hey, I'm thinking about sending X some work, what do you think? He has a great website with a lot of info." I will say "don't bother, the guy blew me off he'll probably blow you off, too."

      My solution was simply to pay for an account at an ISP where they aggressively filter spam. Coupled with a whitelist, blacklist and goldlist, all of my spam gets filtered...hundreds of messages every day. Very simple system, I didn't have to "configure" anything except my lists when I started, and best of all, none of the people I correspond with get confused or hassled by automated systems.

    3. Re:Yet another challenge/response system: *yawn* by DavidTC · · Score: 4, Insightful
      I don't know in what universe it's a useful point to mention that you're removing invalid email address before you send mail to them. That mail wouldn't go through anyway! It's the valid addresses that are a problem.

      But, hey, you gave me the last number. So...5%. That's about 200 pieces of mail you sent. And you got 8 valid responses, and 2 invalid.

      So you sent out, basically, 192 spam messages, barring the occasional legit C/R you sent out that was ignored. (Which is also a failure of the system, it's just a failure that isn't spamming.)

      To get 8.

      To get 8 fucking messages, you sent 192. For every legitimate message you receive, 24 other people had to look at a spam you sent them.

      Well, you're the moral paradigm I've come to expect from C/R people.

      Fucker.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    4. Re:Yet another challenge/response system: *yawn* by DavidTC · · Score: 2, Insightful

      Yeah, that's the ticket. In addition to having to filter spam, I should now have to keep up with the format of C/R messages to filter those too.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    5. Re:Yet another challenge/response system: *yawn* by Malc · · Score: 4, Insightful

      If I buy airline tickets online and they don't tell me the source email address, how am I supposed to get the itinerary (sp?), etc that gets sent out automatically. On a couple of occasions the domain has differed from that of the website I purchased from. On another occasion I sponsored a friend to walk 60km to raise money for charity - the PDF receipt I need for tax purpose was sent from a different domain... it goes on. In that latter case I would have had to whitelist the email address I provided. It's all extra work which is inconvenient to a technical user like me, and far beyond what I could expect my parents to use. I *hate* C/R systems - if somebody (even a friend) uses them I won't bother unlocking with a response, and I won't use email to contact them again. It's their loss, not mine.

    6. Re:Yet another challenge/response system: *yawn* by mjh · · Score: 2, Insightful

      Here's another scenario: using aggressive spam filters, your "opportunity" gets miscategorized as spam, and I never even know that you sent it to me. You conclude that I don't care for the opportunity, and that's the end of the story.

      At least with C/R, you KNOW that my spam filter has prevented me from receiving your email. With all other spam filters, it filters silently so that NO ONE knows that it's been filtered. If it doesn't filter silently, one of us has to be notified.

      If I'm notified of all email coming in, that's functionally equivalent to turning off spam filtering. If you're notified, that's functionally equivalent to C/R. According to the anti-C/R crowd, the only acceptable thing to do is turn off spam filtering. I hope they practice what they preach.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  13. Problem though by Nijika · · Score: 3, Insightful
    Well, if everyone's using C/R, how do users who challenge get through to users who need to respond if those users won't get the challenge until their challenge is met?

    Also, wouldn't this just create a rash of false challenges that lead to spamming type material or websites?

    --
    Luck favors the prepared, darling.
  14. Re:yet another waste of time by AnotherBlackHat · · Score: 2, Insightful

    1. Spammers make money by using a disproportionate amount of bandwidth than what they pay for. Stopping spam from entering people's inboxes is less than half the problem. 70% or more of all SMTP traffic is UCE and everyone pays for that in higher costs and slower performance regardless of whether they have spam filters in place.


    Bandwidth is a problem, but it's the least of our problems.
    Typical spam is under 10K.
    Cost to send 10K is under $0.0001 - and the cost is falling.
    Compare that with the amount of time you spend deleting spam - about 1 second.
    Even at $1/hour, it costs a lot more for a human to look at and delete spam than for the computer to receive it.

    Spam read by the human is closer to 90% of the problem.


    2. The majority of the anti-spam solutions (with the exception of RBLs) including the one related to this article, require extra time, bandwidth and resources on the part of innocent networks to deal with the spam problem. This is a step backwards.


    Once again, bandwidth is not the only cost, nor is it the major cost.
    However, there is a large human-time cost for any spam solution, including RBLs.
    RBLs aren't a fire-and-forget solution.


    If you want to stop spammers you have to stop them from stealing bandwidth. To date, the ONLY effective solution thus far has been relay blacklisting. This has several added benefits including: stopping propagating of worms/viruses, and forcing ISPs to police the illegal activities of their users and shut down nodes which are spamming through their network.


    RBLs are not the only effective method.
    Greylisting for example, reduces bandwidth costs, and blocks 85-95% of all spam.
    In fact, greylisting has fewer false positives and fewer false negatives than any RBL I've ever tested.
    Which includes almost every RBL mentioned at http://www.declude.com/Articles.asp?ID=97

    And I'll point out that the system described in the fine article can reduce bandwidth too.
    70% of all senders would be rejected before the data stage, a very small challenge sent, and better than 99% would never be heard from again.
    So instead of receiving a 5K spam, you send a 1K message - a net reduction.


    As an ISP, I have no interest in yet another costly anti-spam solution that I have to install that doesn't address the larger issue of the tons of bandwidth spammers waste on my network and every one in between. This system wastes even more resources by attempting to verify the source of every e-mail in an even more detailed manner than before, so the end result is: more computing resources needed, more bandwidth needed and slower mail service.

    No thanks.


    I encourage my competitors to agree with you.

    -- Should you believe authority without question?
  15. Another dumb challenge/response system, because... by almaw · · Score: 2, Insightful

    - If someone else has a different challenge/response system then the automated systems will ping e-mail back and forth to each other and humans will never see it. If the systems are sufficiently dumb, you'll get a nasty mailing loop and fill up both users' quota/hard disk.

    - Most spam has a forged address. If someone sends e-mail to 10,000 users with a c/r system with *your* e-mail address in the from header, you get 10,000 e-mails that day. Your only solution to this obvious problem would be to blacklist anything that looked like a c/r e-mail, thus breaking the system entirely.

    - It increases the amount of traffic on the 'net. This is bad.

    - About five million other reasons to do with netiquette and common sense. Will people never learn?

  16. Why challenge-response does not work by metamatic · · Score: 2, Insightful

    I haven't seen anyone post the BIG REASON why C/R systems won't work, so here it is again.

    C/R relies on users being willing to respond to challenge messages, either by clicking a URL or by replying by e-mail.

    As soon as C/R systems become commonplace enough, and users become accustomed to responding to the messages, spammers will simply craft their spam to look like challenge messages. Replying to e-mail will confirm the address (a win for the spammer), clicking the URL will deliver the reader to a web site full of pop-up ads and spyware (a win for the spammer).

    Shortly after this, user willingness to respond to challenges will drop to zero, and challenge messages will be filtered out automatically by Bayesian spam filters.

    So, if there are any spammers reading this, PLEASE PLEASE start your next major spamming campaign by disguising it as a challenge message from one of these stupid C/R systems. That way we'll kill off the idea once and for all, people won't waste any more time building new (and mutually incompatible) C/R systems, and people with a clue won't have to put up with any more C/R advocacy from well-meaning idiots.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak