Slashdot Mirror


FairUCE - the Smart Email Proxy

Jestrzcap writes "This just posted on Freshmeat: FairUCE (which stands for 'Fair use of Unsolicited Commercial Email') is an SMTP proxy, running between multiple instances of Postfix, that verifies email by attempting to verify the sender through lookups (a user customized challenge/response). It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'."

5 of 333 comments (clear)

  1. Re:Challenge Response Spam by fyngyrz · · Score: 5, Insightful

    One problem with challenge response is that Spammers not only send me spam, but send spam purportedly sent by me.

    This is very common - and not just with a real users address. I have seen thousands of "bounce" messages come to the various domains I own as spammers use the domain prefixed by various random bogus names at whateverdomainitis.com.

    Luckily (for us, anyway) we've now got the proper software written and configured to keep this crap from ever hitting a mailbox we own; however, a more serious problem here is the "do-gooder" problem.

    It goes like this. Joe Spammer decides to use several_thousand_names@mydomainname.com as his assumed identity. A do-gooder site gets reports of that mydomainname.com is "sending" this spam to, oh, say a zillion people. They promptly "blacklist" my domain -- from whence, I hasten to point out, no spam has ever been, or will ever be, sent. However, my domain is a valid domain that I depend upon to make my living. Various ISP's, through a compounding of stupidity (but still with the intent to "do good"), promptly bounce our valid emails, because the do-gooders site says we are spammers.

    The end result is that because some spammer out on the net has used our domain name, we, not the spammer, are penalized and in a real financial sense.

    In the meantime, the spammer, who like any competent spammer watches the do-gooder's sites very carefully, notices that my domain is banned, and promptly switches to a new domain. Meanwhile, I can't send mail to my customers. Meanwhile, I get thousands of "bounce" messages that have to be handled by some layer of software or, Darwin forbid, by one of the legitimate users at my site. Random netizens out there have been temporarily "protected" from (typically) one spam email per email address they have, while our customers are cut off at the knees, as are we.

    So what the do-gooder has accomplished is to cause the spammer to take another domain (probably from an automated list, no sweat off the spammer's brow whatsoever) and the do-gooder has hurt a legitimate net citizen who never spams.

    Everybody's trying to do good here except the spammer. The do-gooder and the ISPs using the do-gooder list hurt our end users by blocking mail they should be getting; they hurt us by screwing up our commications channel to our customer base; but -- they don't hurt the spammer one flipping bit, and they do no permanent good for the average netizen who gets one of these spams. The spammer just restarts his list at the break point and begins with a new domain; the end user, after a short delay, gets a new spam with a new domain name, and the temporary respite for them is over -- and the net result of the do-gooder's blacklist is no good whatesoever has been done. Some users will get two spams if the spammer restarts the list back a little to make sure he doesn't miss anyone. Great, eh?

    Obviously, do gooder blacklisting doesn't work, and cannot work. Mostly, it causes harm to legitimate parties.

    IMHO, if Internet mail is going to be unregulated, then it needs to be just that -- unregulated. If spammers are going to be fined and/or jailed, then the govt(s) need/s to get the heck after it (and probably needs to close the international email borders to any non-co-operative country so that such a thing is possible.) The latter seems far too severe; the former is being degraded by do-gooders and the people they confuse into accepting their services in an area they should have no absolutely authority in to a degree that should be unacceptable to any thinking person.

    The only good solution to spam I know of is to use whitelists and web submission entry gateways. If someone is on your whitelist, you get email from them. If someone is not on your whitelist, they get an auto-reply email telling them to mail you via a form on a website. The form, which has to be hand-filled out, mails you at a whitelisted address that is not publ

    --
    I've fallen off your lawn, and I can't get up.
  2. Yet another challenge/response system: *yawn* by Antique+Geekmeister · · Score: 4, Insightful

    "If we could just rewrite everybody mailer's with my new widget in illegible Perl or badly written C that breaks several RFC's I've never bothered to read, we will surely stop spam!" I've heard this sort of thing before, every few months for the past 10 years.

    There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them. Coupled with "sender pays" systems, they're almost always subverted within short periods and never can or will gain the acceptance of the user community enough to become effective.

    1. Re:Yet another challenge/response system: *yawn* by DavidTC · · Score: 4, Insightful

      In other words, you sent out 3992 pieces of spam to forged or invalid addresses, pissing off 2 people who knew what was going on bad enough that they confirmed your C/R.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    2. Re:Yet another challenge/response system: *yawn* by DavidTC · · Score: 4, Insightful
      I don't know in what universe it's a useful point to mention that you're removing invalid email address before you send mail to them. That mail wouldn't go through anyway! It's the valid addresses that are a problem.

      But, hey, you gave me the last number. So...5%. That's about 200 pieces of mail you sent. And you got 8 valid responses, and 2 invalid.

      So you sent out, basically, 192 spam messages, barring the occasional legit C/R you sent out that was ignored. (Which is also a failure of the system, it's just a failure that isn't spamming.)

      To get 8.

      To get 8 fucking messages, you sent 192. For every legitmate message you receive, 24 other people had to look at a spam you sent them.

      Well, you're the moral paradigm I've come to expect from C/R people.

      Fucker.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    3. Re:Yet another challenge/response system: *yawn* by Malc · · Score: 4, Insightful

      If I buy airline tickets online and they don't tell me the source email address, how am I supposed to get the itineray (sp?), etc that get's sent out automatically. On a couple of occasions the domain has differed from that of the website I purchased from. On another occasion I sponsored a friend to walk 60km to raise money for charity - the PDF receipt I need for tax purpose was sent from a different domain... it goes on. In that latter case I would have had to whitelist the email address I provided. It's all extra work which is inconvenient to a technical user like me, and far beyond what I could expect my parents to use. I *hate* C/R systems - if somebody (even a friend) uses them I won't bother unlocking with a response, and I won't use email to contact them again. It's their loss, not mine.