Slashdot Mirror


IBM Unveils Anti-Spam Services to Stop Spammers

bblazer writes "CNN Money is running a story about a new IBM service that spams the spammers. The idea behind the technology is that when a spam email is received, it is immediately sent back to the originating computer - not an email account. From the article: 'We're doing it to shut this guy down,' Stuart McIrvine, IBM's director of corporate security strategy, told the paper. 'Every time he tries to send, he gets slammed again.'"

26 of 443 comments

  1. Not a good idea. by grub · · Score: 2, Informative


    Rather than adding yet more traffic to the net I think it'd be far better if more places ran OpenBSD's spamd package. It tarpits mail connections from spammer machines, thus consuming the remote machine's resources rather than generating more traffic in a misguided game of "fight fire with fire".

    --
    Trolling is a art,
  2. FairUCE by Florian+Weimer · · Score: 5, Informative

    It's been reported on a mailing list that the article is actually about FairUCE, which implements something completely different which makes at least some sense (for scoring, not for outright blocking).

  3. Useless article AND dupe by Hieronymus+Howard · · Score: 5, Informative

    This is a duplicate of http://it.slashdot.org/article.pl?sid=04/12/04/204 7246&tid=111&tid=185&tid=95

    However, the CNN story referenced seems to be utterly clueless as to how this technology, known as FairUCE, actually works. It really is nothing like they have described it. For real information go to IBM's page: http://www.alphaworks.ibm.com/tech/fairuce

    This system does not try to DDOS the spammers, or anything stupid like that. It attempts to link the IP address of the sender to the senders domain name using DNS and WHOIS lookups. If that fails, it sends a challenge/response email to the sender.

  4. Re:works great for honest spammers by Hieronymus+Howard · · Score: 4, Informative

    Moderators, parent post is not insightful, it is clueless. It doesn't depend on the spammer being honest. It depends on the spammer being dishonest. For actual information about how this system works see IBM's web page about it:
    http://www.alphaworks.ibm.com/tech/fairuce

  5. Re:Any idea what this actually means? by fox8118 · · Score: 2, Informative

    If you look at the email headers you can oftentimes tell which IP address it was sent from. Domain spoofing just implies changing the From and/or the Reply-To header.

  6. Re:works great for honest spammers by coyote-san · · Score: 2, Informative

    Instant DDOS attack. All a spammer needs to do is send out a message containing "Nigeria v!agra load http://www.spam-fighter.com teen" and that site gets clobbered even though it had nothing to do with the message.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  7. Re:Any idea what this actually means? by benjamindees · · Score: 3, Informative
    If you look at the email headers you can oftentimes tell which IP address it was sent from.

    If you have somebody opening a TCP connection to your mail server, you already *know* what IP address is on the other end. And, as IBM has realized, that's *all* you know, so that's the place to start applying pressure.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  8. Re:Any idea what this actually means? by DrSkwid · · Score: 2, Informative

    close but 100% wrong

    try reading the SMTP RFC's sometime,

    the *only* part one can trust is the IP of the machine sending the message

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  9. Yeah, that will be impossible to avoid... by Theatetus · · Score: 2, Informative

    # Accept everything from my own networks first, then refuse inbound
    # TCP/25 from anyone else. $MYNETWORKS must be set to your own
    # address/mask before running this; the original had a typo ("-dport"),
    # ipchains spells the destination-port option --destination-port.
    ipchains -A input -s $MYNETWORKS -j ACCEPT
    ipchains -A input -p tcp --destination-port 25 -j DENY

    I mean, I suppose in theory IBM could DOS my ipchains, but this is rate-limited by what I'm capable of sending out, which is significantly less than ipchains could handle.

    --
    All's true that is mistrusted
  10. Re:With all the spam zombies, how will this help? by Hieronymus+Howard · · Score: 4, Informative

    That's the whole point of this system. It tries to match the IP address of the sender to their domain name. If this is successful then the mail is classed as genuine and delivered. If it can't (i.e. the sender is an 0wned PC), then it sends a challenge/response email back to the sender's email address (not to the zombie PC). If the sender is genuine they click a button on the challenge/response email and the original mail gets accepted.

    As someone else pointed out, this could be used to DDOS someone by using a zombie net sending spam purporting to come from them. They'd then get inundated with challenge/response emails. Not nice.

  11. Re:e-mails coming from a computer on the spam list by Dr.Zap · · Score: 3, Informative

    Great. So when a variable-IP zombie PC power cycles and I get their old IP address next, it becomes my problem. Time to buy a fixed IP service, people.

    It says the mails will be returned immediately. The effect on innocent users should be minimal and short-term. Once there's no more mail going out, the problem will clear up.

  12. Re:works great for honest spammers by ReTay · · Score: 3, Informative

    Except that most residential ISPs are blocking incoming 25 now. So most of the cable modem users out there will never see any of this. And the repeated sends would get the IP of this new gizmo blackholed in a heartbeat. Net effect: 0.

  13. That will get the user of FairUCE blacklisted by Skapare · · Score: 3, Informative

    That will get the user of FairUCE blacklisted. It's called backscatter. The email address provided in the SMTP transaction, or the message headers, should ABSOLUTELY NOT be considered valid unless, and until, the IP is verified as designated by the domain of the RHS of that email address. And then even that won't work very well if spammers start forging addresses within the same domain as the zombied machine. Don't forget that spammers do have a list of lots of email addresses within all the major domains. They only need to pick one at random that has @comcast.net as the RHS for the zombies running on comcast.net.

    --
    now we need to go OSS in diesel cars
  14. More complete WSJ Article by gregory · · Score: 4, Informative

    Here's the text of the WSJ article cited by CNN. It actually has much better information and clarifies some points.

    --

    IBM Embraces Bold Method To Trap Spam

    By CHARLES FORELLE
    Staff Reporter of THE WALL STREET JOURNAL
    March 22, 2005; Page B1

    Warriors in the battle against junk e-mail are adopting a contentious tactic: Spam the spammers.

    The most-common spam defense used to date -- software filters that attempt to identify and block out the unwanted messages -- hasn't stopped the flood of Viagra pitches, cut-rate mortgage offers, and solicitations for foolproof investment schemes swamping many inboxes. Some recent studies say 50% to 75% of e-mails carried over the Internet are spam.

    An alternate approach -- counterattacking, in effect -- has been available for some time to users of open-source software, for which code is posted free of charge on the Internet. But adoption in corporate offices has been slow, partly because of fears of exposing companies to certain liabilities -- especially if a target is actually innocent of spamming.

    But now the practice is going mainstream. International Business Machines Corp. is expected to unveil today its first major foray into the anti-spam market with a service, based on a new IBM technology called FairUCE, that uses a giant database to identify computers that are sending spam. One key feature: E-mails coming from a computer on the spam list are sent directly back to the machine, not just the e-mail account, that sent them. The more spam that comes out, the more vigorous the response.

    "We're doing it to shut this guy down," says Stuart McIrvine, IBM's director of corporate security strategy. "Every time he tries to send, he gets slammed again."

    The IBM move follows security giant Symantec Corp., which released a new product in January that uses a similar technology called "traffic shaping" to slow connections from suspected spam computers.

    Trapping spammers is sometimes called "teergrubing," from the German word for "tar pit" -- as in, spammers get stuck. It is the equivalent of answering a telemarketer's phone call, "saying 'Hi, how are you,' and setting the phone down and seeing how long he'll talk before realizing there's no one on the other end," says Tom Liston, a computer-security expert.

    Teergrubes exploit some convenient features of the Internet, which was designed to be a polite method of communication. Computers -- including e-mail servers -- that chat back and forth in the Internet's electronic protocol will courteously wait to see that their data has been received before sending more. Typically, such acknowledgments come in a matter of milliseconds. A computer set up to teergrube will languorously stretch its responses out to minutes -- effectively tying up the spamming machine and reducing its ability to pump out messages.

    How to handle spam -- or, indeed, any other form of unwanted electronic traffic -- is a tricky issue in security circles. Gaining unauthorized entry to a remote system, even in order to stop it from harming yours, is generally illegal under anti-hacking laws. The aggressive new products from IBM and others don't violate those rules, but they can increase the amount of network traffic. Unnecessary traffic increases are generally frowned upon.

    But proponents of aggressive antispam tactics say something needs to be done to choke off the supply; simply turning the other cheek and trying to discard spam as quickly as possible isn't enough. IBM says in a new report that in February 76% of all e-mails were spam, down from a summer 2004 peak of nearly 95%, but still well above levels at the same time last year.

    "Yes, we are adding more traffic to the network, but it is in an effort to cut down the longer-term traffic," says IBM's Mr. McIrvine. Brian Czarny, vice president of marketing for MessageLabs Ltd., which uses the Symantec product, says traffic shaping doesn't constitute a potentially illegal "denial of service" attack because it is r
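
    The stuttered-greeting tarpit that comment 1 (OpenBSD's spamd) and the WSJ's "teergrubing" paragraph above describe, as an added example that is not part of the original thread and is neither spamd's nor IBM's code: a minimal SMTP tarpit in Python that sends its 220 greeting one continuation line at a time with a delay before each line, then answers every command with a slow 4xx. The sending MTA must wait for the final "220 " line before it may send HELO, so every delayed line holds the remote connection open. The hostnames, reply texts, delay values and the probe client are assumptions for illustration; the probe plays the sending machine so the effect can be measured offline.

```python
"""Minimal SMTP tarpit (teergrube) with a probe client to measure it.

Added example, not spamd's or FairUCE's code. Hostnames, reply texts and
delays are constructed for illustration.
"""
import socket
import threading
import time


def tarpit_session(conn, delay, stutter_lines=5):
    """Serve one SMTP session as slowly as the protocol allows.

    The greeting is sent as `stutter_lines` continuation lines ("220-") with
    `delay` seconds before each one; RFC 5321 clients must wait for the final
    "220 " line before sending a command, so the remote side sits idle.
    Every command after that gets a delayed 4xx until the client gives up or
    sends QUIT.
    """
    try:
        for i in range(stutter_lines):
            time.sleep(delay)
            conn.sendall(f"220-tarpit.example ESMTP please hold ({i})\r\n".encode())
        time.sleep(delay)
        conn.sendall(b"220 tarpit.example ESMTP\r\n")
        reader = conn.makefile("rb")
        while True:
            line = reader.readline()
            if not line:                      # client hung up
                break
            time.sleep(delay)
            if line.strip().upper().startswith(b"QUIT"):
                conn.sendall(b"221 2.0.0 tarpit.example closing\r\n")
                break
            conn.sendall(b"451 4.7.1 try again later\r\n")
    finally:
        conn.close()


def start_tarpit(delay, host="127.0.0.1"):
    """Listen on an ephemeral port; return (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                   # listening socket closed
                return
            threading.Thread(target=tarpit_session, args=(conn, delay),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def probe(port, host="127.0.0.1", timeout=30):
    """Behave like a sending MTA and report how long the tarpit held us.

    Returns greeting line count, the three command replies and elapsed time.
    """
    t0 = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    reader = sock.makefile("rb")
    greeting = []
    while True:
        line = reader.readline().decode()
        if not line:
            break
        greeting.append(line)
        if line.startswith("220 "):           # final greeting line; now we may talk
            break
    replies = []
    for cmd in (b"HELO zombie.example\r\n",
                b"MAIL FROM:<spam@forged.example>\r\n",
                b"QUIT\r\n"):
        sock.sendall(cmd)
        replies.append(reader.readline().decode())
    sock.close()
    return {"greeting_lines": len(greeting), "replies": replies,
            "elapsed": time.monotonic() - t0}


if __name__ == "__main__":
    srv, port = start_tarpit(delay=1.0)       # one second per line, spamd-style
    print(probe(port))
    srv.close()
```

    Run stand-alone it holds the probe for roughly nine seconds at one second per line; spamd stretches this much further because a real spam engine keeps waiting as long as the server keeps talking. Nothing here contacts the remote machine unsolicited, which is the distinction the article's MessageLabs quote is making: the tarpit only slows down connections the other side opened.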

  15. Confirmed - WSJ by Anonymous Coward · · Score: 2, Informative

    I get the WSJ and the article does indeed confirm it is FairUCE....

  16. Oh, wait. by Ohreally_factor · · Score: 5, Informative

    CNN (and by extension, slashdot, surprise!) got this completely wrong. It's a challenge-and-response sender identity technique, which is way different. See the IBM webpage about fairuce.

    --
    It's not offtopic, dumbass. It's orthogonal.
  17. Over a year ago... by Anonymous Coward · · Score: 1, Informative

    Over a year ago I had this idea and I tried to get my ISP to do it. I even talked to a VP, but all I got was all the "reasons" why it couldn't be done, or it wouldn't work because the spammers fake the IP, etc.

    I still think it can work, and I've (finally!) begun using KMail which has a "bounce" function.

    Since using "bounce" on all spam, I've been getting far less spam, so I have to believe it works.

    If spammers are able to fake the IP in the sending header, then the SMTP relays and routers need a patch to bounce any faked IP on the spot.

  18. Lies in the CNN story title. by Anonymous Coward · · Score: 5, Informative

    "spams the spammers"?

    I think not. This is from CNN after all. They publicly admit they lie often. This is true here.

    http://www.alphaworks.ibm.com/tech/fairuce/faq

    Take note to what this system actually does. Not what the (lying) press tells you.

    1. Isn't this just another challenge/response system?

    No. Challenge/response (C/R) systems challenge everybody; FairUCE sends a challenge only when the mail appears to be spoofed.

    2. Other anti-spam technologies work well. Why should I switch?

    FairUCE eliminates any need for a "probable spam" folder, as well as the necessity of keeping up with the latest version of antispam software.

    3. Will it run on Windows®, or with QMail, or with Sendmail, etc.?

    No, the current release does not.

    4. Is it fast?

    No real performance testing has been done, but speed is expected. The code basically consists of a few if/then statements and some DNS look-ups (which are cached in memory as well as on the DNS server). The mail server will probably bog down before FairUCE does.

    5. Don't all those challenges take up unnecessary bandwidth?

    A little bit, but it takes the server much less time to send out a small challenge than it does for the user to look at it in the spam folder, no matter how fast he presses the delete key. Legitimate senders know immediately that a user hasn't received their email, and they can click a button to have it delivered. Meanwhile, the emails sit in the queue for only an hour if they can't be delivered.

  19. Yet another challenge response system by metamatic · · Score: 4, Informative

    Oh dear, you're right. It's Yet Another CR System, but with some standard sender verification (a la SpamAssassin) glued on the front.

    In other words, it's as utterly useless and counterproductive as any other challenge-response system. See http://www.xciv.org/~meta/2005/02/15/ for more discussion (from me) of why CR won't work.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    1. Re:Yet another challenge response system by walt-sjc · · Score: 2, Informative

  20. Re:How about MAC address filtering? by Anonymous Coward · · Score: 1, Informative

    In an IP packet, the original MAC address doesn't get past the first router the packet travels through. Besides, MAC addresses are easily spoofed with normal hardware and free software.

  21. It will also challenge all legit mail from my site by Ungrounded+Lightning · · Score: 3, Informative

    It tries to match the IP address of the sender to their domain name. [...] If it can't [...] then it sends a challenge/response email back to the sender's email address (not to the zombie PC). If the sender is genuine they click a button on the challenge/response email and the original mail gets accepted.

    Great:

    My site administers its own mail. But direct SMTP outbound mail uses a DSL line whose reverse translation points to our DSL provider, while outbound mail through the local mail servers goes through a mailserver site at a different ISP whose reverse translation will also point to them rather than us.

    So all our outgoing mail will receive the challenge. Mail is handled by polling, so every outgoing letter to a site using their tool will now require two extra email transactions, two extra wait-for-poll delays, plus an extra wait-for-sender-to-read-email delay. (No more "fire and forget"; now email accounts have to be checked several times a day.)

    "Click a button"? On a mail reader without HTML or with it disabled? More like "copy and edit, and hope you don't screw it up".

    Yuck!

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  22. Re:To save bandwidth, how about being pro-active? by Various+Assortments · · Score: 3, Informative

    Dude, the ping of death hasn't worked in like, 10 million internet-years.

  23. Its a SERVICE, Please read by gelfling · · Score: 2, Informative

    First off McIrvine only works for Tivoli so what he's selling is a toolkit you can retrofit into a hosting farm.

    Next he's talking about a SERVICE so that if IGS hosts a customer, it's 99% likely that the customer will have a domain of customername.com not ibm.com. The spam fighter will originate from customername.com. So if some other source detects that the spam fighter is spam only that domain will get hammered.

  24. Re:Any idea what this actually means? by pluggo · · Score: 2, Informative

    However, if I'm not mistaken, the IP, through which the connection to the recipient's server is made, cannot be forged. This is the target of return mailings.

    This is assuming that the IP isn't spoofed, and since SMTP could conceivably be used blindly (without receiving packets back), this isn't out of the question. However, even if they do get the IP of the spammer, my point was that if they're not running an SMTP server on their machine, there won't be anything to deliver to; connections to port 25 will simply be refused.

    --
    Pulling together is the aim of despotism and tyranny. Free men pull in all kinds of directions. It's the only way to mak
  25. Sigh. by richi · · Score: 2, Informative

    Sigh. This is an alphaWorks project that's been kicking around for a while. Precis: it tries to match the sender IP to the purported sender domain. If it can't find a match, it falls back to something similar to challenge/response. The theory goes:

    1. All spam is spoofed, so it will fail the IP/domain match and won't get past the challenge.
    2. The vast majority of legitimate mail will pass the IP/domain match, so will be delivered without needing a challenge.
    3. The only legitimate mail that needs to be challenged is sent by "power" users, who will know how to deal with a challenge.

    This could initially cause false positive problems for some legitimate direct marketers who use some bulk email service providers. However, the problem is quite easily fixed.

    Note that this doesn't fight spam, so much as fight spoofed senders. Much like SPF, in fact.
    Note also that there's been a deal of lousy reporting (say hello to WSJ and CNN), saying that FairUCE somehow spams the spammers back. What a load of old cobblers, as we say over here.

    From the quotes attributed to an IBM exec in the WSJ, I'm worried that this mis-reporting might actually be IBM's fault.
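
    The IP-to-domain check and challenge fallback that comments 3, 10 and 25 describe, together with the two failure modes the thread raises (comment 13's backscatter and same-domain forgery, comment 21's legitimate site sending direct from a DSL line), as an added example that is not part of the original thread and is not FairUCE's own code. FairUCE also consults WHOIS; this version uses DNS only. The DNS and PTR tables, domains, addresses (RFC 5737 test ranges) and sessions are constructed for illustration, and the backscatter_safe in-session tempfail is an alternative added here, not something the page says FairUCE does.

```python
"""FairUCE-style sender verification over a constructed, offline DNS table.

Added example, not FairUCE's code. All names, addresses and sessions below
are constructed for illustration.
"""
from collections import Counter

# Constructed forward DNS: name -> {record type: values}. Not real records.
DNS = {
    "example.com":        {"A": ["192.0.2.10"], "MX": ["mail.example.com"]},
    "mail.example.com":   {"A": ["192.0.2.25"]},
    "victim.example":     {"A": ["203.0.113.5"], "MX": ["mx.victim.example"]},
    "mx.victim.example":  {"A": ["203.0.113.25"]},
    "isp.example.net":    {"A": ["198.51.100.1"], "MX": ["mx.isp.example.net"]},
    "mx.isp.example.net": {"A": ["198.51.100.25"]},
}
# Constructed reverse DNS: ip -> PTR name. Consumer DSL lines resolve to the ISP.
PTR = {
    "192.0.2.25":    "mail.example.com",
    "203.0.113.25":  "mx.victim.example",
    "198.51.100.77": "dsl-77.isp.example.net",
    "198.51.100.78": "dsl-78.isp.example.net",
}


def domain_of(address):
    """Right-hand side of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[1].lower()


def ip_designated_by_domain(ip, domain):
    """True if DNS ties `ip` to `domain`: the IP is one of the domain's A
    records, one of its MX hosts' A records, or its PTR name sits under the
    domain. This is the 'match the sender IP to the sender domain' step."""
    recs = DNS.get(domain, {})
    if ip in recs.get("A", []):
        return True
    for mx in recs.get("MX", []):
        if ip in DNS.get(mx, {}).get("A", []):
            return True
    ptr = PTR.get(ip, "")
    return ptr == domain or ptr.endswith("." + domain)


def classify(connecting_ip, mail_from, backscatter_safe=False):
    """Return (verdict, target).

    'deliver' when the IP/domain match holds. Otherwise FairUCE's fallback is
    a 'challenge' mailed to mail_from, an address nothing has verified yet.
    With backscatter_safe the failure is reported in-session as a 'tempfail'
    (4xx) to the connecting MTA instead, so no mail is emitted to a possibly
    forged address (this alternative is an addition, not FairUCE behaviour).
    """
    if ip_designated_by_domain(connecting_ip, domain_of(mail_from)):
        return ("deliver", None)
    if backscatter_safe:
        return ("tempfail", connecting_ip)
    return ("challenge", mail_from)


def challenge_load(sessions, backscatter_safe=False):
    """Count challenge e-mails per claimed sender domain for a batch of
    (connecting IP, MAIL FROM) pairs: who actually receives the challenges."""
    load = Counter()
    for ip, mail_from in sessions:
        verdict, target = classify(ip, mail_from, backscatter_safe)
        if verdict == "challenge":
            load[domain_of(target)] += 1
    return load


# Constructed SMTP sessions: (connecting IP, envelope sender).
SESSIONS = [
    ("192.0.2.25",    "bob@example.com"),         # example.com's own MX: genuine
    ("198.51.100.77", "ops@example.com"),         # genuine site sending direct over DSL (comment 21)
    ("198.51.100.78", "alice@victim.example"),    # zombie forging victim.example addresses
    ("198.51.100.78", "carol@victim.example"),
    ("198.51.100.78", "dave@victim.example"),
    ("198.51.100.78", "someone@isp.example.net"), # zombie forging its own ISP's domain (comment 13)
]

if __name__ == "__main__":
    for ip, sender in SESSIONS:
        print(ip, sender, "->", classify(ip, sender))
    print("challenges per domain:", dict(challenge_load(SESSIONS)))
```

    Running it shows all three of the thread's complaints at once: the DSL-connected site's genuine mail is challenged because its reverse DNS points at the ISP, the three forged victim.example senders turn into three challenge e-mails landing on victim.example, and the zombie that forges an address at its own ISP's domain passes the check outright because its PTR record sits under that domain. The same table drives both the accept path and the failure cases, so adding a record is enough to try other topologies.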