IBM Unveils Anti-Spam Services to Stop Spammers
bblazer writes "CNN Money is running a story about a new IBM service that spams the spammers. The idea behind the technology is that when a spam email is received, it is immediately sent back to the originating computer, not an email account. From the article: 'We're doing it to shut this guy down,' Stuart McIrvine, IBM's director of corporate security strategy, told the paper. 'Every time he tries to send, he gets slammed again.'"
And maybe the screaming hordes of DSL-bots will finally get shut down.
Sometimes seventeen/Syllables aren't enough to/Express a complete
The networks of zombie PCs are going to be even more lagged by IBM. Maybe this will finally get their owners to patch or firewall them.
I don't understand what they mean about sending it back to the computer, not the email address. Do they mean that they'll identify the postmaster or domain administrator? Because most spammers don't even have those addresses, or if they do, they're total black holes.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
Now we'll have even more junk traffic slowing things down on the internet. It's a waste of bandwidth, in my opinion, to do this.
IBM says in a new report that, in February, 76 percent of all e-mails were spam. While its report says that is down from a summer 2004 peak of nearly 95 percent, it is well above levels in February 2004.
Interesting that the figure has dropped so significantly in a year's time. The mere fact that email has been so thoroughly polluted as a medium by spamvertisers prompts me to think that RSS could be a way to circumvent email and its problems entirely. Imagine if people had pass-protected RSS feeds for all their contacts, as well as group feeds and a public feed. Then, when it's time to email someone, you just insert a new entry in that person's feed. A mechanism that checks feeds 10 times an hour should be sufficient. In terms of end-user interface, it would be identical to email in every significant way. Just seems to me that there's no room for spammers in a system like that, since in order to be "spammed" you'd have to subscribe specifically to a spammer's feed.
There would be a lot of traffic overhead with a system like that, but it couldn't possibly be worse than the 75% spam overhead of email.
I Want To Believe
Maybe I'm just new here, but wouldn't spamming the spammers still cause an awful lot of network traffic on some "innocent" ISPs for the spam wars?
Who is John Galt?
perpetuate the problem of increasing traffic on networks thereby increasing infrastructure costs to a company?
Nevermind the fact that most spammers don't use a real e-mail address (shocker) -- but my IT department doesn't have funds to waste attacking spammers.
Real solutions to spam [in decreasing order of success]
1. Don't use SMTP. Sounds like a shocker, but like the doctor says, "if it hurts, don't do it".
2. Honeypots can be used to waste spammers' time.
3. Absolutely don't reply to spam in any form.
But the real problem is SMTP is not a reliable or robust protocol for the problem it tries to solve. The fact that people keep pushing it shows they're lazy.
But you don't have to abandon SMTP completely. Something as simple as hashcash could essentially eliminate spam.
Just nobody wants to actually implement it [re: think about a mozilla/thunderbird plugin that uses X-HEADERS to put/read hashcashes].
Tom
Someday, I'll have a real sig.
Isn't that sort of like cutting off your legs to run faster?
I know that this was supposed to be a joke, but it's worth some thinking. Are anti-spam services really always meant to stop spam? IMHO, this isn't redundant, but a strange business model if you really think about it.
We've got this new product here, and if it succeeds it will be completely superfluous!
IBM's solution would at least help shutdown the zombie PCs though. While the zombie PC owners aren't the originator of the spam messages, the solution would hopefully push users to patch/clean/protect their PC from future spam control. Unfortunately I don't see this as the "be all" solution but it could play a part in cleaning up zombie PCs and encouraging ISPs to better protect their own networks.
Now what if the collective zombie PCs are instructed to spam the anti-spam service?
Anyone remember the smurf attack? Send a large ICMP PING to a broadcast address from a spoofed IP of your real victim - all the machines in the subnet then DDoS the victim with replies sent to the spoofed address. This new DDoS of spamming machines sounds kind of similar. What's to stop haxx0rs exploiting this to cause a DDoS of non-spammers?
And what if you've been joe jobbed?
You are not supposed to set up an smtp server on a dynamic ip, please relay on your isp smtp instead. Regards.
For those that actually read the article, it is completely wrong. It does a terrible job of explaining FairUCE. Read the material at http://www.alphaworks.ibm.com/tech/fairuce. They are not advocating sending spam back to the spammers, but instead are using a combination challenge/response and DNS lookups to associate a reputation to the IP that is sending the email message. I figured IBM was smarter than the original article was implying.
After sending a million spam messages to a million recipients using this system, the originating node receives a million challenges. Not DDOS per se, but it will almost always bring the spammer down as a (nice) side-effect.
The problem is that most people sitting at a zombie won't know why the machine has a problem.
The CNN story is rather light on detail. Like how do you send an email back to a machine that is unlikely to be listening on port 25 (as most zombies are)?
Isn't this sort of like blowing up a speeding car?
The collateral damage to innocent people will be tremendous. If a spammer is stupid enough to use his own machine, he would drop offline instantly after he broadcasts. IBM's packets have to go somewhere, flooding out neighbors.
Plus, what if the person spamming has been infected with a virus and isn't knowingly spamming, or IBM's system misidentifies the offending machine? There would be hell to pay.
Yes, spam sux, and it needs to stop, but we need to do it properly.
---- Booth was a patriot ----
the one true way to stop spam,
and it's NEVER been done...
EGRESS FILTERING!
hey guys, get a freaking clue...
it works. use it.
do you know *WHY* it will never be used?
why would AT&T (example) filter a customer who is paying them $100,000 a MONTH to send their spam?!?
yeah, you got that right, spammers are paying that much just so the ISPs WILL carry their traffic. if all that money suddenly went away. well... you know the rest...
PS-I work for a MAJOR ISP that does this. I think I mentioned their name in this article....
From the FAQ (http://www.alphaworks.ibm.com/tech/fairuce/faq)
No real performance testing has been done, but speed is expected. The code basically consists of a few if/then statements and some DNS look-ups (which are cached in memory as well as on the DNS server). The mail server will probably bog down before FairUCE does.
Wow... sounds like the developers don't even consider this to be a substantial piece of software.
If the 3000 machines in my botnet get connectivity from generic-isp.example.net, and I set the sending email address of my spam payload to be "user@generic-isp.example.net", it sounds like FairUCE may let the spam fly unmolested.
We need bounty hunters. That's the only way to stop spam. The "laws explicitly prohibiting it" can go to hell. They can't track down Osama bin Laden, or spammers, but Microsoft puts out a bounty for whoever created the last big virus and they find the guy in a 3rd world country 3 days later. Now I'll just wait for someone to reply to this and suggest that a 1 cent tax on every email sent could pay for the bounties.
The FA is F-ing all wrong. They got very little right, in fact. Go to the IBM website and read the FAQ. It does not DDOS the sending PC. It does a challenge/response if the mail looks like it was spoofed/forged (using fairly comprehensive tests). Even collateral C/R spam can be eliminated with SPF records.
Frankly, when you get down to the REAL details, this system addresses MOST of my complaints about C/R systems.
And in addition, not only do they not have an inbound port 25, but their sender usually doesn't keep track of who has rejected them and go back and retry.
An idea a lot of people have done is: reject ALL first attempts and label them. Reject all incomings from that identity for x minutes. Then open the gate and let them through next time.
A valid sender WILL retry and queue up messages. A spammer will rarely queue up and retry.
This also works. The downside is that you delay receipt of mail, but most companies are doing this, more and more.
--
"It is now safe to switch off your computer."
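The greylisting scheme described in the comment above, as an added Python example that is not from the page or from any mail server; the (client IP, envelope sender, recipient) triplet as the "identity", the 300-second window, and the sample attempts are all assumptions.

```python
from dataclasses import dataclass, field

# Greylisting: the first attempt from a (client IP, envelope sender, recipient)
# triplet gets a temporary SMTP failure; retries inside the window are refused
# too; a retry after the window is accepted and the triplet passes from then on.
TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 2.0.0 OK"

@dataclass
class Greylist:
    retry_window: int = 300                      # the "x minutes" (assumption)
    first_seen: dict = field(default_factory=dict)
    passed: set = field(default_factory=set)

    def decide(self, client_ip, sender, recipient, now):
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return ACCEPT
        if key not in self.first_seen:
            self.first_seen[key] = now           # label the identity, reject
            return TEMPFAIL
        if now - self.first_seen[key] < self.retry_window:
            return TEMPFAIL                      # still inside the window
        self.passed.add(key)                     # a real MTA queued and retried
        return ACCEPT

def simulate(attempts, window=300):
    """Run constructed (time, client_ip, sender, recipient) attempts through one greylist."""
    gl = Greylist(retry_window=window)
    return [gl.decide(ip, s, r, t) for (t, ip, s, r) in attempts]

# Constructed sample: a legitimate MTA keeps retrying from its queue; a spam
# zombie fires each message once with a fresh forged sender and never returns.
LEGIT = [(0, "192.0.2.10", "alice@example.org", "bob@example.com"),
         (120, "192.0.2.10", "alice@example.org", "bob@example.com"),
         (900, "192.0.2.10", "alice@example.org", "bob@example.com")]
ZOMBIE = [(0, "198.51.100.7", "x1@forged.example", "bob@example.com"),
          (1, "198.51.100.7", "x2@forged.example", "bob@example.com")]

if __name__ == "__main__":
    print(simulate(LEGIT))    # tempfail, tempfail, accept
    print(simulate(ZOMBIE))   # tempfail, tempfail: every message is a new triplet
```

The delay the commenter mentions is visible in the sample: the legitimate message is only accepted on the third attempt, 15 minutes after the first.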
...So what is the big deal?
:( And no one is going to read this...
The CNN article says "IBM is not concerned about liability, even in cases where innocent senders might be misidentified as spammers, because all the technology does is bounce back the e-mails, said Gail." The WSJ article posted by someone above says "based on a new IBM technology called FairUCE, that uses a giant database to identify computers that are sending spam. One key feature: E-mails coming from a computer on the spam list are sent directly back to the machine, not just the e-mail account, that sent them." This sounds exactly like the DNSBL FAQ at www.spamhaus.org which reads "Doing a DNSBL lookup on a message at SMTP connect time is cheap in hardware cycles and system time. Your DNS server may even have it cached from the last time the spammer tried. If your MTA already knows the incoming message is spam it can deny a spam message before having to pass it to mail-scanner (medium cost), through the virus scanner (medium to expensive), bayesian filtering (medium), spamassassin network tests: blacklists, DCC, pyzor, razor, etc. (medium - high). Mail rejected by a DNSBL does not disappear into the bit bucket. A DNSBL realtime rejection creates a delivery status notification (DSN) to the sender identifying the cause of the rejection, thereby allowing troubleshooting on the sender's end. Realtime rejection avoids the "backscatter" problem of some spam filters which accept delivery, close the connection, and then try to return the mail after it is determined to be spam. Of course, as we all know, most spam and all viruses have forged sender addresses, and so the "bounce" goes back to an innocent third party (if it is deliverable at all). Using the SBL-XBL lists together (recommended) rejects a very large amount of spam and virus mail with very low "false positive" rejections of legitimate mail. And remember, all those rejected legitimate mails are instantly reported to the sender with a DSN."
The IBM page says "FairUCE (which stands for "Fair use of Unsolicited Commercial Email") is a spam filter that stops spam by verifying sender identity instead of filtering content." "Technically, FairUCE tries to find a relationship between the envelope sender's domain and the IP address of the client delivering the mail." This suggests that the receiving mail server does a DNS lookup "at SMTP connect time" verifying that the from address is related to the owner of the IP address the mail is coming from, i.e. email from joe@yahoo.com originating from www.msn.com is "bad", email from me@myisp.net originating from www.myisp.net is "good", or something like this. If the cache is of WHOIS lookups, so what? IP addresses do not change hands very often (do they?). I may have a different IP every time I log on to the internet, but that IP always comes up on a WHOIS as being assigned to my ISP.
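The envelope-sender-versus-client-IP relationship test this comment guesses at, as an added Python sketch that is not IBM's FairUCE code (the page does not give FairUCE's actual logic); the reverse-DNS table is constructed so it runs offline, and the "last two labels" rule for the owning domain is an assumption.

```python
import ipaddress

# Constructed reverse-DNS (PTR) answers standing in for real lookups. The
# hostnames are made up and the addresses come from the RFC 5737 documentation
# ranges, so nothing here refers to a real sender.
PTR_TABLE = {
    "192.0.2.25": "mail3.myisp.net",        # ISP outbound relay
    "198.51.100.9": "smtp-out.msn.example", # some other provider's relay
    "203.0.113.77": None,                   # dial-up zombie with no PTR record
}

def registered_domain(name):
    """Crude 'owner' extraction: the last two labels (assumption, not a
    public-suffix lookup, so it misjudges names such as example.co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()

def sender_matches_client(envelope_sender, client_ip, ptr=PTR_TABLE):
    """Return (verdict, reason). 'good'/'bad' compare the envelope sender's
    domain with the domain the client IP reverse-resolves to; 'unknown' means
    there is no PTR at all, which is where a challenge/response step or an SPF
    check would have to take over, as other comments in the thread note."""
    ipaddress.ip_address(client_ip)          # reject garbage before any lookup
    if "@" not in envelope_sender:
        return ("bad", "envelope sender has no domain part")
    domain = envelope_sender.rsplit("@", 1)[1].lower()
    host = ptr.get(client_ip)
    if host is None:
        return ("unknown", f"{client_ip} has no reverse DNS")
    if registered_domain(host) == registered_domain(domain):
        return ("good", f"{client_ip} -> {host} is inside {domain}")
    return ("bad", f"{client_ip} -> {host} is not inside {domain}")

if __name__ == "__main__":
    # The two cases the comment spells out, plus the no-PTR zombie.
    print(sender_matches_client("me@myisp.net", "192.0.2.25"))
    print(sender_matches_client("joe@yahoo.com", "198.51.100.9"))
    print(sender_matches_client("anyone@forged.example", "203.0.113.77"))
```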
I wrote this "spam form" in December 2003. The form appears on Cory Doctorow's site and is occasionally attributed to him but it was originally written by me.
The general form of a "checklist" response is really old. I first saw such a form on USENET more than ten years ago. It originally appeared in this rec.humor.funny post from December 1994 whose author claims to have gotten it from a VAX conferencing system. The general idea of a standardized checklist for blowing someone off is probably even older than that.
I got tired of explaining to people why their cockeyed spam solutions wouldn't work, so I wrote this particular one about spam one evening and posted it here and here. I'm surprised it took off, actually. Now in every thread about spam I do a search for "technical legislative vigilante" to see if it's reappeared and it's there half the time. I only wish I had included a little dig for challenge-response schemes!
The part at the end about burning your house down is there because someone in the original thread proposed a solution to spam that was so abysmally bad that the poster was suspected to be a spammer himself, hence the "( ) spammers could easily use it to harvest email addresses" item.
Judging from Google searches, spam researchers seem to have mixed feelings about it. The form wears out its welcome all the time but keeps reappearing. Some like it and use it a lot to quickly dispatch stupid ideas from the peanut gallery. Others hate the form because it gets presented to them all the time when they present their proposals. It has actually appeared in a number of anti-spam research papers. One group of researchers, when proposing their solution, actually prepared a preemptive response to refute each form item.