Slashdot Mirror


FairUCE - the Smart Email Proxy

Jestrzcap writes "This just posted on Freshmeat: FairUCE (which stands for 'Fair use of Unsolicited Commercial Email') is an SMTP proxy, running between multiple instances of Postfix, that verifies email by attempting to verify the sender through lookups (a user customized challenge/response). It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'."


  1. At last - a technological solution to spam! by Anonymous Coward · · Score: 4, Funny

    No way will the spammers ever find a way around this. It's solid!

    1. Re:At last - a technological solution to spam! by Anonymous Coward · · Score: 3, Funny

      No way will the spammers ever find a way around this. It's solid!

      I agree .. this will be the death of spam for sure. Hurrah!

      That said, I'm selling herbal viagra if anyone's interested.

    2. Re:At last - a technological solution to spam! by Yaztromo · · Score: 2, Funny
      That said, I'm selling herbal viagra if anyone's interested.

      Which reminds me -- your new shipment of grass clippings and barber hair is ready for delivery.

      Yaz.

  2. Oh crap.... by Justice8096 · · Score: 5, Interesting

    I've already had problems getting email from my government coworkers with spam validators like this. The military really doesn't like broadcasting who their email servers are... So they regularly get sent to Junk Mail.

    1. Re:Oh crap.... by Anonymous Coward · · Score: 2, Insightful

      Filtering doesn't belong in the client. That's always been an ugly hack.

    2. Re:Oh crap.... by samael · · Score: 3, Insightful

      Depends what filtering we're talking about. Filtering of viruses and definite spam belong on the server. But when a lot of spam is 'possibles' then I want it filtered as close to me as possible so that I can check myself.

      If nothing else I've had friends forward me particularly amusing spam in the past...

  3. forward and reverse by gonaddespammed.com · · Score: 5, Interesting

    If MTAs on the Internet required the forward and reverse DNS lookups to match, ~70% of spam (and viruses) would disappear. This requires ISPs to correctly configure their DNS, which unfortunately doesn't happen because people are lazy.

    1. Re:forward and reverse by NuclearDog · · Score: 3, Insightful

      Most ISPs have reverse dns set up already for all their IPs, eg in my case mapping 10.123.123.123 to static10-123-123-123.reverse.myisp.ca, and the A record for that host is the IP 10.123.123.123. Could the virus/spam server/etc not tell the remote mail server it is "static10-123-123-123.reverse.myisp.ca" then?

      The remote mail server would find that the host points to 10.123.123.123, which reverses back to... the given hostname!

      ND

      --
      This statement is forty-five characters long.
    2. Re:forward and reverse by deranged+unix+nut · · Score: 3, Insightful

      Most ISPs won't delegate reverse DNS lookups to their small (8 IP block) DSL customers. I would happily do reverse DNS if my ISP let me. Unfortunately, most people think that reverse DNS is either dead or not-needed so they normally don't even think about using it.

      I'd rather see the MTAs all do PKI to authenticate each other, only issue certs to those that sign non-UCE agreements, and revoke certs when servers start breaking the non-UCE agreements. If a cert issuer starts issuing a large number of certs to MTAs that start sending UCE, revoke the cert of the issuer.

    3. Re:forward and reverse by metlin · · Score: 2

      You mean, something like this?

      </Shameless plug>

    4. Re:forward and reverse by Skapare · · Score: 5, Informative

      The reverse DNS for email is NOT for determining a match between the sender email address domain, and the server itself. All that needs to match is the hostname of the mail server itself, thus identifying who administers it (not necessarily who gets to use it). If the ISP administers the mail server, then the hostname in the PTR record of the appropriate in-addr.arpa zone will be a unique name in an ISP domain. The forward lookup then prevents forged PTR records by making sure the domain owner acknowledges that name belongs to that IP address.

      While most ISPs do have reverse DNS on their mail servers, when you focus on just the servers that spam houses run from, this changes over to most do not. But what would really happen if everyone blocked on lack of matching rDNS is that the spammers would adapt and use it. Then we'd know what domain they are using. But many of them are now registering bulk volumes of domain names (if you're making a million dollars a month abusing other people's networks, registering 100 randomly generated domains a month is just a tiny cost of business).

      --
      now we need to go OSS in diesel cars
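As an added illustration of the forward-confirmed reverse DNS check argued over in this subthread (example code added here; it is not from any post and not FairUCE's code): resolve the client IP's PTR, resolve each returned name forward, and accept only a name that points back at the IP. The DNS answers below are a constructed stub so the example runs offline; the 10.x addresses and hostnames are invented. It reproduces NuclearDog's point (a generic ISP reverse record passes) and Skapare's (a PTR whose domain owner never published the forward record is rejected), and it deliberately does nothing with the MAIL FROM domain, which is not what this check compares.

```python
import ipaddress

# Constructed stand-in for the DNS; PTR entries are keyed by the
# in-addr.arpa name a real query would use.  Example data only.
FAKE_DNS = {
    "PTR": {
        # generic ISP reverse record whose forward record agrees
        "123.123.123.10.in-addr.arpa": ["static10-123-123-123.reverse.myisp.ca"],
        # PTR claims a name under a domain that never pointed back (forged)
        "7.0.0.10.in-addr.arpa": ["mail.example.net"],
        # two PTR names, only one confirmed by a forward lookup
        "9.9.9.10.in-addr.arpa": ["mx1.example.org", "mx2.example.org"],
    },
    "A": {
        "static10-123-123-123.reverse.myisp.ca": ["10.123.123.123"],
        "mail.example.net": ["10.8.8.8"],
        "mx2.example.org": ["10.9.9.9"],
    },
}


def lookup(rrtype, name, dns=FAKE_DNS):
    """Records of type rrtype for name; [] stands for NXDOMAIN/no data."""
    return dns[rrtype].get(name.lower(), [])


def fcrdns(ip, dns=FAKE_DNS):
    """Forward-confirmed reverse DNS for a connecting client address.

    Returns (verdict, confirmed_names):
      'no-ptr'  no PTR record at all (the case that bites badly run ISPs)
      'forged'  PTR exists but no forward A record points back to ip
      'ok'      at least one PTR name resolves back to ip
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    ptr_names = lookup("PTR", addr.reverse_pointer, dns)
    if not ptr_names:
        return "no-ptr", []
    confirmed = [n for n in ptr_names if str(addr) in lookup("A", n, dns)]
    if not confirmed:
        return "forged", []
    return "ok", confirmed


def client_policy(ip, dns=FAKE_DNS):
    """What an MTA enforcing the proposal would answer at connect time.
    The name that has to match is the sending host's own; the sender
    address domain is never consulted here."""
    verdict, names = fcrdns(ip, dns)
    if verdict == "ok":
        return "250 accept as %s" % names[0]
    if verdict == "no-ptr":
        return "550 no reverse DNS for %s" % ip
    return "550 reverse DNS for %s not confirmed by forward lookup" % ip
```

Replacing FAKE_DNS with real lookups is the only change needed to run this against live DNS; the policy itself stays the same, which is also why it is blind to spammers who, as Skapare notes, simply buy domains and publish matching records.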
    5. Re:forward and reverse by Skapare · · Score: 3, Funny

      I have a generally very high success rate for reverse DNS lookups ... at least where reverse DNS is actually set up. But there is an occasional ISP that has such poor service that DNS lookups often fail. And I've even seen ISPs that, for some reason, only have random selections of their IP space set up with reverse DNS (out of a block of 32 there might be 25 with reverse DNS and repeated queries show consistency). One fundamental problem is ISPs hiring the bottom of the barrel in tech talent, especially at the manager level.

      --
      now we need to go OSS in diesel cars
    6. Re:forward and reverse by Anonymous Coward · · Score: 2, Interesting

      required the forward and reverse DNS lookups to match

      They can't in many cases - I work at a company that has several websites that send reminder emails for different free services. There are 8 different domain names that share 5 machines.

      Each machine in the load balanced group of 5 can send out emails for any of the services.

      If you have a bunch of services, cnamed to IP's the reverse lookup cannot guess which of the cnames you want to have returned to make you feel good about the fact that these are the same machines/owners/domains/groups/people.

      A good example might be someone like friendfinder.com, they have "adultfriendfinder.com", alt.com and bigchurch.com; they serve tens of millions of hits per day to their various sites and send millions of emails per month (at least). If their load balanced machines have multiple cnames/ips etc. people might find that their squeaky clean blue state church singles site emails are coming from a machine that has a reverse lookup of adultfriendfinder.com or worse alt.com - OMG!

      Real Life Example
      My aff emails come from ef154.friendfinderinc.com but the IP (216.34.38.114) reverses to e114.friendfinder.com. Again OMG, that isn't the same domain as the From address claims - team@adultfriendfinder.com - so they are lying! It is a forgery! and the machine is lying about who it really is, is it ef154.friendfinderinc.com or e114.friendfinder.com. ?

      Three different domains for the From, HELO, and reverse lookup and yet as a human I can see they are legit and related - but a program would not be able to discern that. Reverse lookups muddy the waters more often than not.

    7. Re:forward and reverse by Antique+Geekmeister · · Score: 2, Interesting

      Nope. Not in your wildest dreams. The growth of the use of zombied machines, and the continuing existence of "pink contracts" with ISPs that allow spam from their domains, and the continuing existence of new ISPs that allow spammers to easily buy throwaway accounts that result in effectively pink contracts will easily grow to fill the temporary void of using forward/reverse DNS blocking. Mandating forward/reverse DNS does nothing to block the existing and easily expanding spam from valid hostnames.

    8. Re:forward and reverse by Antique+Geekmeister · · Score: 2, Interesting

      Yup. Fortunately, this actually helps make your old company *trackable*, which has been a big problem for identifying spam. Most people can't read the headers to track the email back to the original sender correctly. Tools like requiring valid reverse or forward DNS and SPF are useful for that, and help get the bounces (which are a huge part of the burden of spam) sent back to the right place instead of the forged victims and forged domains. The missing step, as always, has been enforcement of sane policies. The upstream ISP of this company is the one that needs to enforce sane policy. Also, a company relying on junk email does not make them spammers. Let's be very clear here. The law, and sane policies, provide a standard where a company doing business with you already can send you junk mail or faxes legally. Simply applying the same standard to email would be a huge help in controlling spam, but getting the laws in place and the policies in place at the ISP level has been very hard due to their legal concerns and their fiscal problems where a paying customer is a paying customer.

  4. Will it be better than milter-sender? by Matt+Perry · · Score: 4, Informative

    FairUCE looks interesting but I'd be curious if it'd do a better job than milter-sender. About a year ago, before I installed milter-sender, I was receiving about 200-300 spams per day. Since installing milter-sender in March 2004 and adding the spamhaus SBL-XBL checks to sendmail, I've received (checking spam mbox) 1568 spam messages.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    1. Re:Will it be better than milter-sender? by Matt+Perry · · Score: 2, Insightful

      I've been using the same email address since 1996 and I'd like to keep using it. Not every one wants to change their primary email address to avoid spam.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    2. Re:Will it be better than milter-sender? by Matt+Perry · · Score: 2, Informative
      SBL-XBL is great. It blocks a lot of stuff. In the last several months I added the following, which have also helped:

      relays.ordb.org - http://www.ordb.org/
      combined.njabl.org - http://www.njabl.org/
      list.dsbl.org - http://dsbl.org

      I also added ClamAV with the clamav-milter. That's eliminated all of the viruses that I used to get, although it does nothing for the virus warning messages I get from poorly administered mail servers out there. Before I added ClamAV I was using the Virus Snaggers procmail package which was great at catching a lot of that stuff.

      BTW, I use this procmail rule to catch all of the DSNs I get and stuff them in a mbox rather than having them clutter my inbox. I didn't write this and I forget who did. I think I got it from a post here on Slashdot sometime in the last year. To whoever wrote this, thanks.

      # This recipe catches most DSNs.
      # H and B: match the patterns against both header and body.  The
      # first condition starts the score at -1 and each matching pattern
      # adds 1 (the ^0 exponent makes repeated hits of one pattern count
      # once); a scored recipe fires only when the total ends above 0,
      # i.e. when at least two patterns match, e.g. FROM_MAILER plus a
      # Status: line.  Matching messages go to the "daemon-msgs" mbox.
      :0HB
      * -1^0
      * 1^0 ^FROM_MAILER
      * 1^0 ^Status: 4.2.0
      * 1^0 ^Status: 4.4.1
      * 1^0 ^Status: 4.4.2
      * 1^0 ^Status: 4.4.6
      * 1^0 ^Status: 4.4.7
      * 1^0 ^Status: 5.0.0
      * 1^0 ^Status: 5.1.1
      * 1^0 ^Status: 5.1.2
      * 1^0 ^Status: 5.1.6
      * 1^0 ^Status: 5.2.1
      * 1^0 ^Status: 5.2.2
      * 1^0 ^Status: 5.2.3
      * 1^0 ^Status: 5.3.5
      * 1^0 ^Status: 5.4.7
      * 1^0 ^Status: 5.5.0
      * 1^0 ^Status: 5.7.1
      * 1^0 ^554 5.0.0 Service unavailable .*
      * 1^0 ^Remote host said: 550.*User unknown
      * 1^0 ^Remote host said: 554.*doesn't have a yahoo.com account.*
      * 1^0 ^User.*not listed in public Name & Address Book
      * 1^0 ^Sorry, no mailbox here by that name.
      * 1^0 ^<.*>: Unkown user:
      * 1^0 ^User mailbox exceeds allowed size:
      * 1^0 ^.*No matches to nameserver query
      * 1^0 ^A message that you sent could not be delivered
      * 1^0 ^.*550 unknown user
      * 1^0 ^This is a permanent error; I've given up.
      * 1^0 ^The user\(s\) account is temporarily over quota.
      * 1^0 ^Receiver not found:.*
      * 1^0 ^Requested action not taken: mailbox unavailable.
      * 1^0 ^--AOL Postmaster
      * 1^0 ^I'm sorry to have to inform you that the message returned
      * 1^0 ^550 5.1.1 <.*>... User unknown
      * 1^0 ^550 <.*>\.\.\. User unknown
      * 1^0 ^Subject:.*failure notice
      * 1^0 ^did not reach the following recipient\(s\):
      * 1^0 ^The following recipient\(s\) could not be reached:
      * 1^0 ^.*550 Mailbox quota exceeded
      * 1^0 ^.*550 Access Denied
      * 1^0 ^550 5.0.0.*Can't create output
      * 1^0 ^.*There is no such addressee as
      * 1^0 ^Mail Delivery Failed... User unknown
      daemon-msgs
      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
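Added example (not from the post above) of how the IP-based lists it names are actually queried: the client address's octets are reversed under the list's zone and an A record inside 127.0.0.0/8 in the answer means "listed", with the last octet encoding the reason. relays.ordb.org, combined.njabl.org and list.dsbl.org have all since shut down, so the code also runs the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not) and ignores any zone that fails it; a retired list that answers positively for everything, the way some shut-down DNSBLs have forced operators to stop querying them, is modelled here. All DNS answers are constructed and the zone names serve only as labels; nothing is looked up on the network.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """Name looked up for ip in a DNSBL zone: reversed octets under the
    zone, e.g. 10.3.4.5 -> 5.4.3.10.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed listings (example data, not real entries).  The return
# codes are the ones this fake zone uses: .2 spam source, .4 exploited host.
FAKE_LISTINGS = {
    "sbl-xbl.spamhaus.org": {
        "10.3.4.5": "127.0.0.2",
        "10.9.9.9": "127.0.0.4",
    },
}


def fake_resolve(name):
    """Stand-in for an A lookup.  A working zone answers the RFC 5782 test
    entries correctly; relays.ordb.org is modelled as a dead list that says
    'listed' to every query, which the self-test below catches."""
    parts = name.split(".", 4)
    ip, zone = ".".join(reversed(parts[:4])), parts[4]
    if zone == "relays.ordb.org":
        return ["127.0.0.2"]
    if ip == "127.0.0.2":
        return ["127.0.0.2"]
    hit = FAKE_LISTINGS.get(zone, {}).get(ip)
    return [hit] if hit else []


def zone_is_sane(zone, resolve=fake_resolve):
    """RFC 5782 health check: 127.0.0.2 listed, 127.0.0.1 not listed.
    A zone failing this has gone dead or now lists the whole Internet."""
    listed_test = resolve(dnsbl_query_name("127.0.0.2", zone))
    unlisted_test = resolve(dnsbl_query_name("127.0.0.1", zone))
    return bool(listed_test) and not unlisted_test


def check_client(ip, zones, resolve=fake_resolve):
    """{zone: return code} for every sane zone that lists ip."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    hits = {}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            continue  # never block on a list that fails its self-test
        answers = resolve(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if ipaddress.IPv4Address(a) in loopback]
        if codes:
            hits[zone] = codes[0]
    return hits


ZONES = ["sbl-xbl.spamhaus.org", "relays.ordb.org"]
```

In a real MTA the self-test would be run once at startup or on a timer rather than per connection; what matters is that a zone you stopped paying attention to cannot quietly start rejecting all your mail.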
  5. Re:Italics!! by Anonymous Coward · · Score: 4, Funny

    No kidding, I hate people with slanted views.

  6. Pyrrhic Victory? by Jaysyn · · Score: 4, Interesting

    Doesn't this just create more traffic?

    Jaysyn

    --
    There is a war going on for your mind.
  7. Need an end-user version by RevJim · · Score: 3, Insightful
    "End-users cannot install FairUCE at this time; end-users, please direct your mail administrator to this page."

    Even though this is an interesting new tool, most e-mail users are tied to whatever backend their ISP supplies, which is a shame... Someone should whip up an end-user desktop version.

    Can't wait to get my hands on a copy of the server version though...

  8. Challenge Response Spam by SnowZero · · Score: 4, Interesting

    One problem with challenge response is that Spammers not only send me spam, but send spam purportedly sent by me. I regularly get error messages about mail that could not be delivered. Now I'll get loads of challenge messages instead.

    Of course if my MTA signed my messages with a random key, and the challenge message sent the key back, my MTA could filter out anything I didn't actually send. Unfortunately that requires coordination which the various email/spam task groups do not seem to be capable of.
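An added sketch of the signed-return-path idea in the post above (example code added here, not the poster's and not FairUCE's): outgoing mail gets an envelope sender carrying an expiring HMAC, and at RCPT time any null-sender message (a bounce or a challenge) addressed to an untagged or badly tagged mailbox is refused, so the fallout of someone spamming "as you" never reaches the mailbox. The format is this example's own, loosely modelled on BATV; SITE_KEY and the dates are constructed.

```python
import datetime
import hashlib
import hmac
import re

# Assumption: a per-site secret the MTA keeps and the operator rotates.
SITE_KEY = b"constructed-example-key-rotate-me"
TAG_RE = re.compile(r"^prvs=(\d{8})([0-9a-f]{12})=([^@]+)@(.+)$")


def _mac(expiry, local, domain, key):
    msg = f"{expiry}={local}@{domain}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def tag_return_path(local, domain, today, days_valid=7, key=SITE_KEY):
    """Rewrite the envelope sender (MAIL FROM) of outgoing mail so it
    carries an expiring MAC.  Format, this example's own:
      prvs=<YYYYMMDD expiry><12 hex MAC>=<local>@<domain>
    today is an ISO date string."""
    start = datetime.date.fromisoformat(today)
    expiry = (start + datetime.timedelta(days=days_valid)).strftime("%Y%m%d")
    return f"prvs={expiry}{_mac(expiry, local, domain, key)}={local}@{domain}"


def verify_tagged(address, today, key=SITE_KEY):
    """Check the recipient of an incoming bounce or challenge.
    Returns (ok, reason) with reason one of ok/untagged/bad-mac/expired."""
    m = TAG_RE.match(address)
    if not m:
        return False, "untagged"
    expiry, mac, local, domain = m.groups()
    if not hmac.compare_digest(mac, _mac(expiry, local, domain, key)):
        return False, "bad-mac"
    if expiry < datetime.date.fromisoformat(today).strftime("%Y%m%d"):
        return False, "expired"
    return True, "ok"


def strip_tag(address):
    """Recover the real mailbox for local delivery of a legitimate bounce."""
    m = TAG_RE.match(address)
    return f"{m.group(3)}@{m.group(4)}" if m else address


def rcpt_policy(mail_from, rcpt_to, today, key=SITE_KEY):
    """Decision at RCPT TO time.  Bounces and C/R challenges arrive with the
    null envelope sender (MAIL FROM:<>); those are accepted only for
    addresses this MTA tagged itself, so a joe job's fallout is refused at
    the door instead of landing in the forged user's mailbox."""
    if mail_from != "":
        return "250 ok"  # ordinary mail: not a bounce, the tag is irrelevant
    ok, reason = verify_tagged(rcpt_to, today, key)
    if ok:
        return "250 ok"
    return "550 bounce for mail we never sent (%s)" % reason
```

Two caveats a deployment would have to handle: not every challenge system uses the null sender, so the same check has to be applied to whatever else identifies auto-generated mail, and anything that stores your bare address as a sender (mailing-list subscriptions keyed on the envelope sender) will see the tagged form and needs to be whitelisted or excluded from tagging.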

    1. Re:Challenge Response Spam by fyngyrz · · Score: 5, Insightful

      One problem with challenge response is that Spammers not only send me spam, but send spam purportedly sent by me.

      This is very common - and not just with a real users address. I have seen thousands of "bounce" messages come to the various domains I own as spammers use the domain prefixed by various random bogus names at whateverdomainitis.com.

      Luckily (for us, anyway) we've now got the proper software written and configured to keep this crap from ever hitting a mailbox we own; however, a more serious problem here is the "do-gooder" problem.

      It goes like this. Joe Spammer decides to use several_thousand_names@mydomainname.com as his assumed identity. A do-gooder site gets reports that mydomainname.com is "sending" this spam to, oh, say a zillion people. They promptly "blacklist" my domain -- from whence, I hasten to point out, no spam has ever been, or will ever be, sent. However, my domain is a valid domain that I depend upon to make my living. Various ISPs, through a compounding of stupidity (but still with the intent to "do good"), promptly bounce our valid emails, because the do-gooder's site says we are spammers.

      The end result is that because some spammer out on the net has used our domain name, we, not the spammer, are penalized and in a real financial sense.

      In the meantime, the spammer, who like any competent spammer watches the do-gooder's sites very carefully, notices that my domain is banned, and promptly switches to a new domain. Meanwhile, I can't send mail to my customers. Meanwhile, I get thousands of "bounce" messages that have to be handled by some layer of software or, Darwin forbid, by one of the legitimate users at my site. Random netizens out there have been temporarily "protected" from (typically) one spam email per email address they have, while our customers are cut off at the knees, as are we.

      So what the do-gooder has accomplished is to cause the spammer to take another domain (probably from an automated list, no sweat off the spammer's brow whatsoever) and the do-gooder has hurt a legitimate net citizen who never spams.

      Everybody's trying to do good here except the spammer. The do-gooder and the ISPs using the do-gooder list hurt our end users by blocking mail they should be getting; they hurt us by screwing up our communications channel to our customer base; but -- they don't hurt the spammer one flipping bit, and they do no permanent good for the average netizen who gets one of these spams. The spammer just restarts his list at the break point and begins with a new domain; the end user, after a short delay, gets a new spam with a new domain name, and the temporary respite for them is over -- and the net result of the do-gooder's blacklist is no good whatsoever has been done. Some users will get two spams if the spammer restarts the list back a little to make sure he doesn't miss anyone. Great, eh?

      Obviously, do gooder blacklisting doesn't work, and cannot work. Mostly, it causes harm to legitimate parties.

      IMHO, if Internet mail is going to be unregulated, then it needs to be just that -- unregulated. If spammers are going to be fined and/or jailed, then the govt(s) need/s to get the heck after it (and probably needs to close the international email borders to any non-co-operative country so that such a thing is possible.) The latter seems far too severe; the former is being degraded by do-gooders and the people they confuse into accepting their services in an area they should have absolutely no authority in, to a degree that should be unacceptable to any thinking person.

      The only good solution to spam I know of is to use whitelists and web submission entry gateways. If someone is on your whitelist, you get email from them. If someone is not on your whitelist, they get an auto-reply email telling them to mail you via a form on a website. The form, which has to be hand-filled out, mails you at a whitelisted address that is not publ

      --
      I've fallen off your lawn, and I can't get up.
    2. Re:Challenge Response Spam by farnz · · Score: 5, Interesting
      I'd be interested to know which blacklists are by domain, not by sending IP address; I find that SpamAssassin's use of SPEWS and Spamhaus blacklists is enough to catch virtually all the spam I get, and both of those blacklists are done via sender IP, not by domain name.

      So, I'd disagree with your conclusion that blacklisting doesn't work; if a spammer can use one of your IP addresses to spam, then you need to fix up your system to be more secure. A quick browse of mail logs will show any unexpected outgoing e-mail, and you can always feed your mailserver IP to spews.org and see if they list you (they're one of the most aggressive listing places).

      If it's not coming from one of your IP addresses, then it doesn't affect mail sent from your domain, only from the spammer's IP addresses. Hence there is no fallout on you unless I use an aggressive list like SPEWS, and you are being blocked because your ISP hosts spammers himself.

    3. Re:Challenge Response Spam by fyngyrz · · Score: 2, Informative
      I'd be interested to know which blacklists are by domain, not by sending IP address

      Here you go.

      --
      I've fallen off your lawn, and I can't get up.
  9. So... by netsharc · · Score: 2, Interesting

    Guess I'm asking at the wrong place, but does this mean if I send email using my uni's SMTP server with my Yahoo! E-mail address in the "from" field, I will receive a challenge? A challenge being an email to the sender's address so they know the address is active, I'm guessing..

    And I read of a whitelist/blacklist. Does this mean the user having to manage this list? It looks like it's being done so that the user can reactively work about it though (instead of actively), maybe an email that says "You got email from xyz, Do you want this email?" Heh an email about an email, that'd be annoying.

    I tried sending email using Yahoo!'s web interface with 3 addresses in the "To" field today, and when I clicked "Send" it asked me to answer a Captcha, interesting..

    --
    What time is it/will be over there? Check with my iPhone app!
    1. Re:So... by djmurdoch · · Score: 2, Informative

      According to the standard, the from field should have the email address the mail was sent from (in this case your uni addy).

      No, that's "Sender". From RFC 2822:

      The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message.

  10. Naive at best by erice · · Score: 3, Interesting

    1) Mobile user sets up notebook at new location and sends mail via the local mail relay.
    2) FairUCE on recipient end bounces the mail because it can't find a relationship between the sender and the mail relay.

    If the ISP blocks outbound port 25 access, you get a real catch 22. Can't use remote relay because of the port block. Can't use local relay because FairUCE will see that there is no relationship to the sender and block the mail.

    This is an old idea. It can be implemented with procmail and a little perl. Few people do this, not for lack of tools, but simply because it is a bad idea.

    1. Re:Naive at best by farnz · · Score: 2, Informative

      Or get e-mail providers to support MSA, which is SMTP for mail being introduced to the network, and is supposed to run on port 587.

    2. Re:Naive at best by Antique+Geekmeister · · Score: 4, Informative

      I'm sorry, you're wrong on a detail.

      There is no reason to have port 25 open outbound on anything but the ISP's authorized SMTP servers. None whatsoever in this day and age, except the convenience of people who like to run their own mail servers. Unfortunately, with the massive number of zombied and badly run home SMTP servers, most outbound SMTP from ISP users that does not go directly to their ISP's SMTP server for delivery as mail from that ISP is in fact spam or email worms.

      So yes, it needs to be blocked outbound. You simply need to use SMTPAUTH on the road to get your email to your own ISP's SMTP server over port 587. Problem solved.

  11. What it does.... by julesh · · Score: 2, Interesting

    It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'.

    Oh, yeah, and completely stop mailing lists from being usable. That, too.

  12. Here we go again by nsayer · · Score: 5, Funny
    Your post advocates a

    (X) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (X) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (X) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (X) Requires immediate total cooperation from everybody at once
    (X) Many email users cannot afford to lose business or alienate potential employers
    (X) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (X) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    (X) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    (X) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    (X) Dishonesty on the part of spammers themselves
    (X) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    (X) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (X) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
    1. Re:Here we go again by physicsphairy · · Score: 4, Funny

      Modularize this, extend its applicability, and we can replace 90% of slashdotters with a small shell script!

    2. Re:Here we go again by LMCBoy · · Score: 3, Interesting

      what makes you think this hasn't happened already?
      you think that's air you're breathing?

      --
      Liberal (adj.): Free from bigotry; open to progress; tolerant of others.
    3. Re:Here we go again by wirelessbuzzers · · Score: 2, Insightful

      Sorry to bother you while you're making a joke, but you are supposed to X the appropriate bubbles, not random ones.

      --
      I hereby place the above post in the public domain.
    4. Re:Here we go again by johannesg · · Score: 2, Insightful
      I strongly suspect this list was first devised by spammers to convince people that spam cannot be fought. In fact that is wrong, all it takes is the realisation that instead of a single perfect solution we will need a series of incremental solutions. As solutions multiply the amount of spam will drop, but this will take time. I'm fine with that, as long as we are making progress. Right now thanks to your attitude we are not making much progress.

      A law against spam will not actually stop it, but it does allow action to be taken against the spammer after he is found out so he won't do it again.

      Similarly, a technical solution that enforces detectability of the spammer will make it possible to find out so he is, so the law can be applied.

      Neither law nor technical solution on its own will stop spam, but together they can be used to significantly reduce the volume. And that's all we are asking for, really.

  13. Challenge/Block by droleary · · Score: 3, Insightful

    FYI, any time (which is every time) I get a challenge for an email I didn't send, I immediately block the server because that kind of "solution" is nothing short of dropping their spam problem in my lap. Fair warning to anyone who thinks FairUCE is in any way a "Smart" answer to spam.

    The only effective spam solution I've currently found is to have expiring email addresses. One easy way to set that up is to use subdomains that don't even resolve after a certain point. So you might have me@2004.example.com good for only three more weeks, or me@amazon.example.com good for as long as Amazon (or your "healthy" girlfriend) doesn't sell you out. You can get tricky, of course, and use subdomains that are not so easily subject to a dictionary attack or guessing.

    1. Re:Challenge/Block by anti-NAT · · Score: 2, Interesting

      One easy way to set that up is to use subdomains that don't even resolve after a certain point. So you might have me@2004.example.com good for only three more weeks, or me@amazon.example.com good for as long as Amazon (or your "healthy" girlfriend) doesn't sell you out. You can get tricky, of course, and use subdomains that are not so easily subject to a dictionary attack or guessing.

      This is exactly the same solution as I use, and I've found it very effective. I've written some stuff about it here - Mitigating spam.

      Did we come up with it independently ? The first "thought" that triggered me thinking about it was when I moved house, and wanted to make sure that emails to my domain, while unavailable, were bounced immediately, rather than having the sending SMTP server keep attempting for up to 5 days (or what ever it was configured to be). My solution was to set the MX record for my domain to point to an A record that resolved to 127.0.0.1. That led to the idea of creating "sacrificial subdomains", and then abandoning when I get too much spam by changing the MX record value.

      --
      The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    2. Re:Challenge/Block by anti-NAT · · Score: 2, Interesting

      Don't use 127.0.0.1. Use 127.29.13.4, or some equally random address in the 127/8 loopback.

      Another alternative, depending on how you want the failed delivery to fail, is to use an IP address within one of the reserved IANA ranges. Bogon lists on the default-free routers usually silently drop packets to these addresses. Unless spammers are doctoring the TCP/IP stack in their hosts, silent drops of TCP SYNs usually take around three minutes before the application is notified of a failure to connect. One address I use is 1.1.1.1/32.

      Spamming software is almost always poorly written. They'll filter out 127.0.0.1, but aren't smart enough to do anything else. Those bastards will probably try to deliver mail to themselves for a week.

      Which type of address you select, bogon (eg 1.1.1.1/32) or loopback depends a bit on whether you want to tie up their delivery resources immediately (1.1.1.1/32) or over a few days (loopback).

      One of the issues with loopback though is that the delivery failure depends on whether they are running an MTA on 127.0.0.1. If not, they'll usually get immediate "connection failed" messages, although if they are firewalling the local host, the effect will be the same as using a bogon address.

      If they are running an MTA on local host, then they'll likely get "bounce messages" with a "not a relay" message (or what ever the exact status is, I'm rusty on the exact SMTP messages).

      Of course, another alternative is to delete the subdomain, meaning that the MX record lookup will fail.

      Still, I prefer one of the "bad MX" address methods - there is a chance it will waste some of the resources of the spammers, increasing their costs.

      Another idea, as part of this, is to create a bogus web page that contains a whole stack of these "sacrificial subdomain" email addresses. If spammers are using web page robots to collect addresses, they'll end up collecting a lot of them. That might frustrate them, such that they'll delete all email addresses for the particular domain, which, of course, would include any of your legitimate ones. You can have a look at mine here, which contains 7500 bogus addresses, covering a range of sacrificial subdomains. I used 30 bogus domains, and a list of male and female names from files listed in Kevin Mitnick's book, "The Art of Deception". Using the full 30 domains, and the full male and female name list, I ended up with a 22 MB html file, with 256 000 or so addresses. I figured that was a bit too many (!) and cut it back. That being said, if my "sending" bandwidth was free or near free, it might be worth making the page around the 5 to 10 MBs in size, to also tie up spammer resources while they are running their address collecting robot.

      None of these techniques is perfect; then again, if there is anything relatively simple you can do to frustrate the spammers, it is worth it. They might give up if their costs become too high.

      --
      The Internet's nature is peer to peer - 20050301_cs_profs.pdf
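      The fail-fast side of the "bad MX" discussion above, as an added Python example that is not FairUCE's, Postfix's or the commenter's code: a check a sending MTA or queue-cleanup job can run before connecting, so that delivery to a domain whose MX targets are loopback, bogon/reserved space, or missing is bounced at once rather than retried for days. The zone table, MX names and BOGONS_2005 list are constructed; handling of an RFC 7505 null MX is added beyond what the comment covers.

```python
"""Fail-fast delivery check for "bad MX" targets (added example; constructed data).

A sending MTA or queue-cleanup job can use this to bounce at once, instead of
retrying for days, when every MX target of a domain points at loopback or
unroutable space, when there is no MX at all, or when the domain publishes an
RFC 7505 null MX.  DNS lookups are replaced by an in-memory sample table."""
import ipaddress
from typing import Dict, List, Sequence

# Constructed sample zones (not real): domain -> {MX target: A records}.
SAMPLE_DNS: Dict[str, Dict[str, List[str]]] = {
    "home.example.net":   {"mx.home.example.net": ["127.0.0.1"]},
    "trap.example.net":   {"mx.trap.example.net": ["127.29.13.4"]},
    "bogon.example.net":  {"mx.bogon.example.net": ["1.1.1.1"]},
    "noaddr.example.net": {"mx.noaddr.example.net": []},   # MX name with no A record
    "nullmx.example.net": {".": []},                       # RFC 7505: domain takes no mail
    "gone.example.net":   {},                              # subdomain deleted: no MX
}

# Bogon list as it stood when the comment was written: 1/8 was unallocated.
# It has since been allocated and is routable, which is why a hard-coded
# bogon list must be refreshed or it starts rejecting legitimate mail.
BOGONS_2005 = ["1.0.0.0/8"]


def classify_address(addr: str, bogons: Sequence[str] = ()) -> str:
    """Return 'loopback', 'unroutable' or 'routable' for one address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:                       # anything in 127/8 (or ::1)
        return "loopback"
    if (ip.is_private or ip.is_reserved or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified):
        return "unroutable"                  # IANA special-purpose space
    if any(ip in ipaddress.ip_network(net) for net in bogons):
        return "unroutable"                  # locally maintained bogon list
    return "routable"


def delivery_decision(domain: str, dns: Dict[str, Dict[str, List[str]]] = SAMPLE_DNS,
                      bogons: Sequence[str] = ()) -> str:
    """Return 'deliver' if some MX target has a routable address; otherwise
    a reason to bounce now: 'no_mx', 'null_mx', 'unresolvable', 'loopback'
    or 'unroutable'."""
    mx_targets = dns.get(domain)
    if not mx_targets:
        return "no_mx"                       # NXDOMAIN or no MX: do not queue
    if "." in mx_targets:
        return "null_mx"                     # explicit "no mail here"
    seen = set()
    for records in mx_targets.values():
        for addr in records:
            kind = classify_address(addr, bogons)
            if kind == "routable":
                return "deliver"             # at least one reachable host
            seen.add(kind)
    if not seen:
        return "unresolvable"                # MX name exists, no addresses
    return "loopback" if seen == {"loopback"} else "unroutable"


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(f"{name:22s} {delivery_decision(name, bogons=BOGONS_2005)}")
```

With the 2005 bogon list, bogon.example.net is rejected; with today's empty list the same zone is delivered, which is the staleness trap to watch for when you copy such lists into an MTA.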
  14. yet another waste of time by mabu · · Score: 4, Interesting

    Have we not established a few basic tenets of the spamademic?

    1. Spammers make money by using a disproportionate amount of bandwidth than what they pay for. Stopping spam from entering peoples' inboxes is less than half the problem. 70% or more of all SMTP traffic is UCE and everyone pays for that in higher costs and slower performance regardless of whether they have spam filters in place.

    2. The majority of the anti-spam solutions (with the exception of RBLs) including the one related to this article, require extra time, bandwidth and resources on the part of innocent networks to deal with the spam problem. This is a step backwards.

    If you want to stop spammers you have to stop them from stealing bandwidth. To date, the ONLY effective solution thus far has been relay blacklisting. This has several added benefits including: stopping propagating of worms/viruses, and forcing ISPs to police the illegal activities of their users and shut down nodes which are spamming through their network.

    As an ISP, I have no interest in yet another costly anti-spam solution that I have to install that doesn't address the larger issue of the tons of bandwidth spammers waste on my network and every one in between. This system wastes even more resources by attempting to verify the source of every e-mail in an even more detailed manner than before, so the end result is: more computing resources needed, more bandwidth needed and slower mail service.

    No thanks.

    I'll patiently wait until the *inevitable* SMTP whitelist scheme that is the only true solution to stopping spam (unless the authorities decide to actually start prosecuting spammers for their crimes).

    1. Re:yet another waste of time by bigberk · · Score: 2, Interesting
      To date, the ONLY effective solution thus far has been relay blacklisting.
      I'll agree with this, as a small ISP. Blocklists are very easy to use, bandwidth-efficient and highly effective. They are the best solution we have, and do put pressure on bad ISPs to clean up their act. With over 150 public blocklists out there, spammers get nervous. Their attacks against SPEWS, Spamhaus, and Spamcop demonstrate how desperate spammers are getting.
    2. Re:yet another waste of time by AnotherBlackHat · · Score: 2, Insightful

      1. Spammers make money by using a disproportionate amount of bandwidth than what they pay for. Stopping spam from entering peoples' inboxes is less than half the problem. 70% or more of all SMTP traffic is UCE and everyone pays for that in higher costs and slower performance regardless of whether they have spam filters in place.

      Bandwidth is a problem, but it's the least of our problems.
      Typical spam is under 10K.
      Cost to send 10K is under $0.0001 - and the cost is falling.
      Compare that with the amount of time you spend deleting spam - about 1 second.
      Even at $1/hour, it costs a lot more for a human to look at and delete spam than for the computer to receive it.

      Spam read by the human is closer to 90% of the problem.

      2. The majority of the anti-spam solutions (with the exception of RBLs) including the one related to this article, require extra time, bandwidth and resources on the part of innocent networks to deal with the spam problem. This is a step backwards.

      Once again, bandwidth is not the only cost, nor is it the major cost.
      However, there is a large human-time cost for any spam solution, including RBLs.
      RBLs aren't a fire-and-forget solution.

      If you want to stop spammers you have to stop them from stealing bandwidth. To date, the ONLY effective solution thus far has been relay blacklisting. This has several added benefits including: stopping propagating of worms/viruses, and forcing ISPs to police the illegal activities of their users and shut down nodes which are spamming through their network.

      RBLs are not the only effective method.
      Greylisting, for example, reduces bandwidth costs, and blocks 85-95% of all spam.
      In fact, greylisting has fewer false positives and fewer false negatives than any RBL I've ever tested.
      Which includes almost every RBL mentioned at http://www.declude.com/Articles.asp?ID=97

      And I'll point out that the system described in the fine article can reduce bandwidth too.
      70% of all senders would be rejected before the data stage, a very small challenge sent, and better than 99% would never be heard from again.
      So instead of receiving a 5K spam, you send a 1K message - a net reduction.

      As an ISP, I have no interest in yet another costly anti-spam solution that I have to install that doesn't address the larger issue of the tons of bandwidth spammers waste on my network and every one in between. This system wastes even more resources by attempting to verify the source of every e-mail in an even more detailed manner than before, so the end result is: more computing resources needed, more bandwidth needed and slower mail service.

      No thanks.

      I encourage my competitors to agree with you.

      -- Should you believe authority without question?
  15. Restricted use and restricted download by Skapare · · Score: 2, Insightful

    This package just isn't going to get very popular. It is restricted to non-commercial use (perhaps you can buy a license for commercial use). And you have to sign up with IBM to get a download just to see if it's any good. And then there's a lot of extra stuff you have to have to run it. Maybe I should work on my own GPL open source version of this and do it as a pure TCP proxy front end so it works on any mail server (even for Exchange on Windows if on a different machine or under some emulator).

    --
    now we need to go OSS in diesel cars
  16. It gets better! by johannesg · · Score: 2, Informative

    Here in the Netherlands the government wants providers to keep a log of all mail (http, ftp, whatever) traffic that goes over their lines. The providers are complaining, but in the end they will simply raise prices to compensate. Effectively I will be paying to be spied upon. And in the case of email, I will be paying to receive spam and then store it for five or ten years.

  17. Yet another challenge/response system: *yawn* by Antique+Geekmeister · · Score: 4, Insightful

    "If we could just rewrite everybody's mailer with my new widget in illegible Perl or badly written C that breaks several RFCs I've never bothered to read, we will surely stop spam!" I've heard this sort of thing before, every few months for the past 10 years.

    There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them. Coupled with "sender pays" systems, they're almost always subverted within short periods and never can or will gain the acceptance of the user community enough to become effective.

    1. Re:Yet another challenge/response system: *yawn* by mjh · · Score: 5, Informative
      There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them.

      I've been using Challenge/Response for nearly 3 years. And I disagree with your critiques. Let's take this point by point:

      • Users hate them: There is a kernel of truth to this. Some users do hate them. Those users hate challenge/response so much that they instigate fights. They submit their IP addresses to RBLs for blacklisting. These are a very annoying and vocal MINORITY. By far most users are agnostic. They deal with the challenge once and then they're done.
      • automated systems can't get past them: Again, there's a kernel of truth here. If you have badly configured your C/R you're going to be in trouble. But a properly configured C/R has absolutely no problems.

        I use TMDA. I've got it configured so that any email I send to unknown addresses will be allowed to respond for 7 days. After that, they go into C/R. For my bill pay services, I give them a special address that allows them in forever, but that's tied to them so that I'll know if they ever hand it out to someone else.

      • they're almost always subverted: Really? In the last month I've had over 4000 pieces of email delivered to me from unknown addresses. Only 10 of those have been confirmed. Of the ones that were confirmed 2 of them were spam. This was easily remedied by removing those 2 addresses from my whitelist and adding them to my blacklist.
      • never will gain the acceptance of the user community enough to become effective: While C/R may never gain the acceptance of the user community, I don't think it's for the reasons that you cited. I think the reason is that it's too hard to set up correctly. But that being said, it doesn't need the acceptance of the user community to be effective. It works for me today whether or not you use it.

        Personally, I think it'd be better if the entire world started using C/R. It'd be better because then everyone would understand that sending email to an unknown party involves a formal introduction process. This would cut down on the number of people who get confused when they receive a challenge. But if this doesn't happen it's not that big a deal. The number of confused people is already small.

      IMHO, what you don't know about C/R is quite large.
      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    2. Re:Yet another challenge/response system: *yawn* by DavidTC · · Score: 4, Insightful

      In other words, you sent out 3992 pieces of spam to forged or invalid addresses, pissing off 2 people who knew what was going on bad enough that they confirmed your C/R.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    3. Re:Yet another challenge/response system: *yawn* by boodaman · · Score: 2, Insightful

      Mail shouldn't be hard. It shouldn't be up to the user to figure out how to "configure TMDA correctly", and it shouldn't be up to the general public to understand how to deal with any number of different automated challenge and response systems out there should they get such a challenge.

      I'm extremely savvy when it comes to IT, computers, Internet, etc. It's what I do all day at work. I wouldn't use the system you describe...what a pain in the ass. How can you expect someone's grandmother to use such a system?

      I used mailblocks.com for about 4 months...also a pain in the ass. Challenge/Response systems are not the solution.

      Here's a scenario: I send you a freelance job opportunity. I've never corresponded with you before, but I visited your website, saw your resume, and saw the part on your site where you said "if you need someone with my skills, and have work, send me a message". After sending my offer, I log off and go fishing at the lake for two days. While I'm gone, your C/R system sends me a challenge. My system thinks it's spam. Or maybe you've configured your C/R system to only wait 24 hours instead of 7 days for a response. The end result is that I never get a response back from you regarding my opportunity, I believe you're a tool because you blew me off, and you never get the work. Worse, in the future, if anyone ever says to me "hey, I'm thinking about sending X some work, what do you think? He has a great website with a lot of info." I will say "don't bother, the guy blew me off he'll probably blow you off, too."

      My solution was simply to pay for an account at an ISP where they aggressively filter spam. Coupled with a whitelist, blacklist and goldlist, all of my spam gets filtered...hundreds of messages every day. Very simple system, I didn't have to "configure" anything except my lists when I started, and best of all, none of the people I correspond with get confused or hassled by automated systems.

    4. Re:Yet another challenge/response system: *yawn* by DavidTC · · Score: 4, Insightful
      I don't know in what universe it's a useful point to mention that you're removing invalid email address before you send mail to them. That mail wouldn't go through anyway! It's the valid addresses that are a problem.

      But, hey, you gave me the last number. So...5%. That's about 200 pieces of mail you sent. And you got 8 valid responses, and 2 invalid.

      So you sent out, basically, 192 spam messages, barring the occasional legit C/R you sent out that was ignored. (Which is also a failure of the system, it's just a failure that isn't spamming.)

      To get 8.

      To get 8 fucking messages, you sent 192. For every legitimate message you receive, 24 other people had to look at a spam you sent them.

      Well, you're the moral paradigm I've come to expect from C/R people.

      Fucker.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    5. Re:Yet another challenge/response system: *yawn* by DavidTC · · Score: 2, Insightful

      Yeah, that's the ticket. In addition to having to filter spam, I now should have to keep up with the format of C/R messages to filter those too.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    6. Re:Yet another challenge/response system: *yawn* by Malc · · Score: 4, Insightful

      If I buy airline tickets online and they don't tell me the source email address, how am I supposed to get the itinerary, etc that gets sent out automatically. On a couple of occasions the domain has differed from that of the website I purchased from. On another occasion I sponsored a friend to walk 60km to raise money for charity - the PDF receipt I need for tax purposes was sent from a different domain... it goes on. In that latter case I would have had to whitelist the email address I provided. It's all extra work which is inconvenient to a technical user like me, and far beyond what I could expect my parents to use. I *hate* C/R systems - if somebody (even a friend) uses them I won't bother unlocking with a response, and I won't use email to contact them again. It's their loss, not mine.

    7. Re:Yet another challenge/response system: *yawn* by tylernt · · Score: 2, Informative

      "My solution was simply to pay for an account at an ISP where they aggressively filter spam."

      Yeah, but sometimes aggressive spam filters accidentally filter legit mail. You may still be missing out on freelance opportunities thanks to your aggressive spam filter.

      --
      DRM 'manages access' in the same way that a prison 'manages freedom'
    8. Re:Yet another challenge/response system: *yawn* by mjh · · Score: 2, Insightful

      Here's another scenario: using aggressive spam filters, your "opportunity" gets miscategorized as spam, and I never even know that you sent it to me. You conclude that I don't care for the opportunity, and that's the end of the story.

      At least with C/R, you KNOW that my spam filter has prevented me from receiving your email. With all other spam filters, it filters silently so that NO ONE knows that it's been filtered. If it doesn't filter silently, one of us has to be notified.

      If I'm notified of all email coming in, that's functionally equivalent to turning off spam filtering. If you're notified, that's functionally equivalent to C/R. According to the anti-C/R crowd, the only acceptable thing to do is turn off spam filtering. I hope they practice what they preach.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  18. Re:"With over 150 public blocklists out there" by greenrd · · Score: 2, Informative
    Responsible blacklists will always perform a relay test on any host that is alleged to be an open relay. Therefore, if you are blacklisted by these blacklists, this means that you were either incompetent, hacked into, or possibly both.

    Similarly, responsible blacklists will demand credible evidence before listing a domain as a spam source.

    Could you name names, i.e. the blacklists that you have encountered that are not being responsible?

  19. Re:(Can't You) Troll Like I Do by DrunkenTerror · · Score: 2, Funny

    It would be a lot better if you rewrote the verse lyrics, too. As it's written, it's just a waste of space. No creativity is displayed at all.
    Something like:

    I've got the hacktitude of a Redmond pro
    I've got the legacy devices of a billion sold
    I got My Rights Online back, but I don't seem to care
    I got the compressed jay-pegs of sex with a mare!

    TFP. HAND.

  20. Problem though by Nijika · · Score: 3, Insightful
    Well, if everyone's using C/R, how do users who challenge get through to users who need to respond if those users won't get the challenge until their challenge is met?

    Also, wouldn't this just create a rash of false challenges that lead to spamming type material or websites?

    --
    Luck favors the prepared, darling.
    1. Re:Problem though by mjh · · Score: 2, Informative
      how do users who challenge get through to users who need to respond if those users won't get the challenge until their challenge is met?

      By properly configuring the C/R system.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  21. Re:"With over 150 public blocklists out there" by DavidTC · · Score: 2, Interesting
    You know, that's the second time I've heard people complaining about blacklisted domains, and I have no idea what the fuck you're talking about. No one blacklists 'from' addresses as spammer domains except stupid users. (No spam fighter would ever claim email came from your website unless you were running an open formmail script, in which case, damn right they block you.)

    Some blacklists list known spammer domains, but these are fairly well confirmed via the ownership of the domain. Many lists skip the actual 'sending spam' part and just list all domains owned by certain spammers.

    What you are describing sounds like what people who have IPs near spammers go through. Can you point to one of these hundreds of domain blocklists that has listed you incorrectly at some point?

    The only thing I can think of is that you're running an affiliate system and can't keep your affiliates under control.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  22. Another dumb challenge/response system, because... by almaw · · Score: 2, Insightful

    - If someone else has a different challenge/response system then the automated systems will ping e-mail back and forth to each other and humans will never see it. If the systems are sufficiently dumb, you'll get a nasty mailing loop and fill up both users' quota/hard disk.

    - Most spam has a forged address. If someone sends e-mail to 10,000 users with a c/r system with *your* e-mail address in the from header, you get 10,000 e-mails that day. Your only solution to this obvious problem would be to blacklist anything that looked like a c/r e-mail, thus breaking the system entirely.

    - It increases the amount of traffic on the 'net. This is bad.

    - About five million other reasons to do with netiquette and common sense. Will people never learn?
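    The configuration mjh describes above (a 7-day window for people you have written to, a tagged address handed to one company so you notice if it leaks) and the C/R-to-C/R mail loop raised in this post, as one added Python example that is not TMDA's, FairUCE's or any commenter's code. It never challenges automatic mail (bounces, list mail, another system's challenge) and marks its own challenges per RFC 3834 with an empty envelope sender, so two such systems cannot ping each other forever. All addresses, messages and timestamps are constructed, and the user-tag@domain syntax is an assumption.

```python
"""Challenge/response decision with loop avoidance (added example; constructed data).
Senders we wrote to within PENDING_WINDOW, and the tagged address given to one
company, get in unchallenged; automatic mail is held and never challenged; our
own challenge is marked per RFC 3834 so a peer running the same rules holds it."""
from datetime import datetime, timedelta
from email.message import EmailMessage
from email.utils import parseaddr

PENDING_WINDOW = timedelta(days=7)   # a sender we wrote to may reply freely this long
TAG_DELIMITER = "-"                  # assumed tag syntax: user-tag@domain


def is_automatic(msg: EmailMessage) -> bool:
    """True for mail no human sent: RFC 3834 Auto-Submitted, bulk/list
    precedence, or a null reverse-path ("<>", i.e. a bounce)."""
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return True
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return True
    rp = msg.get("Return-Path")
    return rp is not None and parseaddr(rp)[1] == ""


def decide(msg: EmailMessage, whitelist: set, blacklist: set,
           tagged: dict, sent_to: dict, now: datetime) -> str:
    """Return 'deliver', 'leaked', 'hold', 'drop' or 'challenge'."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    if sender in blacklist:
        return "drop"
    if is_automatic(msg):
        return "hold"                # file for review; never answer automation
    if sender in whitelist:
        return "deliver"
    tag = rcpt.split("@", 1)[0].partition(TAG_DELIMITER)[2]
    if tag in tagged:                # address handed out to exactly one party
        return "deliver" if sender.endswith("@" + tagged[tag]) else "leaked"
    last = sent_to.get(sender)
    if last is not None and now - last <= PENDING_WINDOW:
        return "deliver"             # they are replying to mail we sent
    return "challenge"


def build_challenge(original: EmailMessage, our_addr: str):
    """Return (envelope_sender, challenge).  The envelope sender is empty and
    Auto-Submitted is set, so a peer C/R system holds it instead of
    challenging back, which breaks the mail loop."""
    reply = EmailMessage()
    reply["From"] = our_addr
    reply["To"] = str(original["From"])
    reply["Subject"] = "Confirm your message: " + str(original.get("Subject", ""))
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content("Reply once to this message and your mail will be delivered.")
    return "", reply


def sample(headers: dict) -> EmailMessage:
    """Build a constructed test message from a dict of headers."""
    m = EmailMessage()
    for name, value in headers.items():
        m[name] = value
    m.set_content("hello")
    return m


# Constructed policy state for one mailbox, me@example.com.
NOW = datetime(2005, 3, 15, 12, 0)
WHITELIST = {"friend@example.org"}
BLACKLIST = {"spammer@example.com"}
TAGGED = {"billpay": "bank.example"}      # me-billpay@example.com was given only to the bank
SENT_TO = {"recruiter@example.net": NOW - timedelta(days=3)}
```

Run a stranger's message through decide() and it comes back "challenge"; feed the message build_challenge() produces back into decide() on the other side and it comes back "hold", not another challenge.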

  23. This increases mail/work to administrators though by Drakino · · Score: 2, Informative

    I run a small web board, and already the e-mail address I use as the admin of that board gets flooded daily with crap like "I haven't actually received your message, click here to verify you are real". I finally got fed up with it and posted this response.

    If you implement these, remember you get e-mail from more than just friends you know. Let's see, last week alone, I got 5 messages from companies like Dell from working on issues with them, and none of them are in my address book.

    The proper solution is to ensure the outside world sees no difference unless it is spam. I never give my full address to a company, instead I use the postfix feature where anything after _ is ignored. Then I create a one letter alias for me to keep them short. If I get a lot of e-mail, it makes server side filtering into my IMAP folders easy. And if one address gets hit by spam, I then block it on the server. It works well, and doesn't inconvenience the people e-mailing me.

    "Thank you for ringing my doorbell. I am currently home, but did not hear the doorbell. To properly ring it, please run around my house, braving the dogs in back, and use the doorbell located next to the cat door on the deck. Then I might care enough to see who you are and let you in."

  24. Why challenge-response does not work by metamatic · · Score: 2, Insightful

    I haven't seen anyone post the BIG REASON why C/R systems won't work, so here it is again.

    C/R relies on users being willing to respond to challenge messages, either by clicking a URL or by replying by e-mail.

    As soon as C/R systems become commonplace enough, and users become accustomed to responding to the messages, spammers will simply craft their spam to look like challenge messages. Replying to e-mail will confirm the address (a win for the spammer), clicking the URL will deliver the reader to a web site full of pop-up ads and spyware (a win for the spammer).

    Shortly after this, user willingness to respond to challenges will drop to zero, and challenge messages will be filtered out automatically by bayesian spam filters.

    So, if there are any spammers reading this, PLEASE PLEASE start your next major spamming campaign by disguising it as a challenge message from one of these stupid C/R systems. That way we'll kill off the idea once and for all, people won't waste any more time building new (and mutually incompatible) C/R systems, and people with a clue won't have to put up with any more C/R advocacy from well-meaning idiots.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak