IBM Unveils Anti-Spam Services to Stop Spammers
bblazer writes "CNN Money is running a story about a new IBM service that spams the spammers. The idea behind the technology is that when a spam email is received, it is immediately sent back to the originating computer, not an email account. From the article: 'We're doing it to shut this guy down,' Stuart McIrvine, IBM's director of corporate security strategy, told the paper. 'Every time he tries to send, he gets slammed again.'"
IBM's Anti-Spam services are designed to stop spammers?!?!?
What will they think of next?
And maybe the screaming hordes of DSL-bots will finally get shut down.
I think I'll stick with spamd. It doesn't waste my bandwidth.
How does this exactly help solving the spam problem when the machine sending the spam is not owned (but "0wned") by the spammer?
Or do they plan to DDoS the spam-zombies?
Watch as AOL and MSN/Hotmail now mark IBM as a spammer...
The networks of zombie PCs are going to be even more lagged by IBM. Maybe this will finally get their owners to patch or firewall them.
IBM Unveils Anti-Spam Services to Stop Spammers
Anti-Spam services that STOP spam?!? You don't say? Now there's a novel idea...
This joke was brought to you by the Department of Redundancy Department.
I don't understand what they mean about sending it back to the computer, not the email address. Do they mean that they'll identify the postmaster or domain administrator? Most spammers don't even have those addresses, or if they do, they're total black holes.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
You end up shutting down the zombied PCs. I don't see how that's a bad thing.
What if the spammer had this same technology? Would the internet get stuck in an infinite loop and go to 100% usage?
Now we'll have even more junk traffic slowing things down on the internet. It's a waste of bandwidth, in my opinion, to do this.
What's the problem? If you are participating, on purpose or not, you should be stopped.
Being subject to this form of retribution might make people aware of the problems on their machines. It seems to be a Good Thing to me.
Rather than adding yet more traffic to the net, I think it'd be far better if more places ran OpenBSD's spamd package. It tarpits mail connections from spammer machines, thus consuming the remote machine's resources rather than generating more traffic in a misguided game of "fight fire with fire".
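An SMTP tar pit of the kind the reply above recommends (and that the WSJ article quoted further down describes as "teergrubing"), as an added example. This is not IBM's product and not the spamd source; the hostname, the timings, the 450 reply text and the filler-line count are assumptions. The session logic is a pure function of the client's commands (it returns what to send and how long to pause first), so it can be checked without a socket; serve() wires it to a real listener.

```python
"""Minimal SMTP tar pit (teergrube): never accepts mail, just makes the sending
machine wait, byte by byte and line by line.  Added example, not spamd or IBM code;
hostname, timings, reply texts and filler-line count are assumptions."""
import socket
import time
from typing import List, Tuple

Chunk = Tuple[float, bytes]   # (seconds to sleep before writing, bytes to write)


class TarpitSession:
    def __init__(self, hostname: str = "mail.example.net", stutter: float = 1.0,
                 hold: float = 5.0, filler_lines: int = 10) -> None:
        self.hostname = hostname
        self.stutter = stutter            # pause between single bytes of the greeting
        self.hold = hold                  # pause before each later reply line
        self.filler_lines = filler_lines  # extra "250-" continuation lines on EHLO
        self.wasted = 0.0                 # seconds this peer has been kept waiting
        self.closed = False

    def _account(self, chunks: List[Chunk]) -> List[Chunk]:
        self.wasted += sum(delay for delay, _ in chunks)
        return chunks

    def _stuttered(self, line: str) -> List[Chunk]:
        """Dribble one reply out a byte at a time.  SMTP is lock-step: the client
        may not send its next command until it has read the whole reply line."""
        data = (line + "\r\n").encode("ascii")
        return self._account([(self.stutter, bytes([b])) for b in data])

    def _held(self, lines: List[str]) -> List[Chunk]:
        """A multi-line reply with a long pause before every line.  Continuation
        lines ("250-") are legal, and the client has to keep reading them."""
        return self._account([(self.hold, (ln + "\r\n").encode("ascii")) for ln in lines])

    def banner(self) -> List[Chunk]:
        return self._stuttered(f"220 {self.hostname} ESMTP")

    def respond(self, line: str) -> List[Chunk]:
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            filler = [f"250-{self.hostname} pleased to meet you, please hold"] * self.filler_lines
            return self._held([f"250-{self.hostname}"] + filler + ["250 OK"])
        if verb == "QUIT":
            self.closed = True
            return self._held(["221 2.0.0 Bye"])
        if verb in ("MAIL", "RCPT", "DATA"):
            # Temporary failure: a real MTA queues and retries later; a spam
            # cannon usually gives up, having burned its time for nothing.
            return self._held(["450 4.7.1 try again later"])
        return self._held(["500 5.5.1 command not recognized"])


def _write(conn: socket.socket, chunks: List[Chunk]) -> None:
    for delay, data in chunks:
        time.sleep(delay)
        conn.sendall(data)


def serve(host: str = "127.0.0.1", port: int = 2525) -> None:
    """Run the tar pit on a real listener, one connection at a time (blocking)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            sess = TarpitSession()
            with conn:
                _write(conn, sess.banner())
                for line in conn.makefile("r", encoding="latin-1", newline="\r\n"):
                    _write(conn, sess.respond(line))
                    if sess.closed:
                        break
            print(f"{peer[0]} held for {sess.wasted:.0f} s")


if __name__ == "__main__":
    serve()
```

With the defaults, a sender that goes banner, EHLO, MAIL FROM, QUIT has been held for 98 seconds and delivered nothing; the tar pit itself sent under 700 bytes. That asymmetry, the peer's time against a few bytes of ours, is the point of the approach, and it is the opposite of mailing the spam back.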
If it helps knock the zombie effectively offline, the user is more likely to notice that there's a problem.
IBM says in a new report that, in February, 76 percent of all e-mails were spam. While its report says that is down from a summer 2004 peak of nearly 95 percent, it is well above levels in February 2004.
Interesting that the figure has dropped so significantly in a year's time. The mere fact that email has been so thoroughly polluted as a medium by spamvertisers prompts me to think that RSS could be a way to circumvent email and its problems entirely. Imagine if people had pass-protected RSS feeds for all their contacts, as well as group feeds and a public feed. Then, when it's time to email someone, you just insert a new entry in that person's feed. A mechanism that checks feeds 10 times an hour should be sufficient. In terms of end-user interface, it would be identical to email in every significant way. Just seems to me that there's no room for spammers in a system like that, since in order to be "spammed" you'd have to subscribe specifically to a spammers feed.
There would be a lot of traffic overhead with a system like that, but it couldn't possibly be worse than the 75% spam overhead of email.
It's been reported on a mailing list that the article is actually about FairUCE, which implements something completely different which makes at least some sense (for scoring, not for outright blocking).
Maybe I'm just new here, but wouldn't spamming the spammers still cause an awful lot of network traffic on some "innocent" ISPs for the spam wars?
perpetuate the problem of increasing traffic on networks thereby increasing infrastructure costs to a company?
Nevermind the fact that most spammers don't use a real e-mail address (shocker) -- but my IT department doesn't have funds to waste attacking spammers.
This is a duplicate of http://it.slashdot.org/article.pl?sid=04/12/04/204 7246&tid=111&tid=185&tid=95
However, the CNN story referenced seems to be utterly clueless as to how this technology, known as FairUCE, actually works. It really is nothing like they have described it. For real information go to IBM's page: http://www.alphaworks.ibm.com/tech/fairuce
This system does not try to DDOS the spammers, or anything stupid like that. It attempts to link the IP address of the sender to the senders domain name using DNS and WHOIS lookups. If that fails, it sends a challenge/response email to the sender.
Massive extra traffic to all ISPs, traffic that doesn't even end up shutting the real source of the spam down.
So, double the money wasted on spam in total, and no cure.
"e-mails coming from a computer on the spam list" are treated this way. Great. So when a variable-IP zombie pc power cycles and I get their old IP address next, it becomes my problem. Time to buy a fixed IP service, people.
I don't see any way that this would shut down zombified PCs. DSL/cable usually has much more downstream bandwidth than upstream, and assuming it's even open for receiving mail, I don't think they would effectively be shut down at all.
Better to slam the websites advertised, like the slashdot effect, I reckon.
Moderators, parent post is not insightful, it is clueless. It doesn't depend on the spammer being honest. It depends on the spammer being dishonest. For actual information about how this system works see IBM's web page about it:
http://www.alphaworks.ibm.com/tech/fairuce
Real solutions to spam [in decreasing order of success]
1. Not use SMTP, sounds like a shocker but like the doctor says "if it hurts don't do it".
2. honeypots can be used to waste spammers time
3. Absolutely don't reply to spam in any form
But the real problem is SMTP is not a reliable or robust protocol for the problem it tries to solve. The fact that people keep pushing it shows they're lazy.
But you don't have to abandon SMTP completely. Something as simple as hashcash could essentially eliminate spam.
Just nobody wants to actually implement it [re: think about a mozilla/thunderbird plugin that uses X-HEADERS to put/read hashcashes].
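Hashcash as the post above proposes it, minted by the sender, carried in an X-Hashcash header and verified by the receiver, as an added example that is not part of the thread and not IBM's code. The stamp layout follows the hashcash.org v1 format (ver:bits:date:resource:ext:rand:counter); the addresses, the bit counts and the two-day validity window are assumptions.

```python
"""Hashcash proof-of-work stamps for mail: mint on the sender side, verify on the
receiver side.  Added example, not the thread's or IBM's code; stamp format is
hashcash v1, the addresses, bit counts and validity window are assumptions."""
import hashlib
import secrets
import time
from typing import List, Optional, Set

STAMP_VERSION = "1"


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint_stamp(resource: str, bits: int = 20, date: Optional[str] = None) -> str:
    """Sender side: search for a counter such that SHA-1(stamp) has `bits` leading
    zero bits.  Cost is about 2**bits hashes per message, which a bulk mailer
    cannot afford per recipient but a human correspondent does not notice."""
    date = date or time.strftime("%y%m%d")
    rand = secrets.token_urlsafe(12)   # urlsafe base64 never contains ':'
    counter = 0
    while True:
        stamp = f"{STAMP_VERSION}:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, recipient: str, min_bits: int, spent: Set[str],
                 today: Optional[str] = None, max_age_days: int = 2) -> Optional[str]:
    """Receiver side: None if the stamp is acceptable, else a rejection reason.
    `spent` is the receiver's double-spend database; a good stamp is added to it.
    Every check is cheap: one SHA-1 and a few string compares."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != STAMP_VERSION:
        return "malformed"
    _, bits_s, date, resource, _ext, _rand, _counter = fields
    if not bits_s.isdigit() or int(bits_s) < min_bits:
        return "too few bits claimed"
    if resource != recipient:
        return "stamp minted for a different address"
    try:
        minted = time.mktime(time.strptime(date, "%y%m%d"))
        now = time.mktime(time.strptime(today or time.strftime("%y%m%d"), "%y%m%d"))
    except ValueError:
        return "bad date"
    if abs(now - minted) > max_age_days * 86400:
        return "stamp expired"
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < int(bits_s):
        return "proof of work does not check out"
    if stamp in spent:
        return "stamp already spent"
    spent.add(stamp)
    return None


def stamps_from_headers(raw_headers: str) -> List[str]:
    """Pull every X-Hashcash value out of a raw header block (unfolded headers)."""
    out = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-hashcash":
            out.append(value.strip())
    return out


def check_message(raw_headers: str, recipient: str, min_bits: int, spent: Set[str],
                  today: Optional[str] = None) -> str:
    """'accept' if any X-Hashcash header carries a valid stamp for `recipient`,
    otherwise the reason the last candidate failed (or 'no stamp')."""
    reason = "no stamp"
    for stamp in stamps_from_headers(raw_headers):
        reason = verify_stamp(stamp, recipient, min_bits, spent, today)
        if reason is None:
            return "accept"
    return reason


if __name__ == "__main__":
    stamp = mint_stamp("alice@example.com", bits=16)   # constructed address
    headers = f"From: bob@example.org\r\nTo: alice@example.com\r\nX-Hashcash: {stamp}\r\n"
    print(check_message(headers, "alice@example.com", 16, set()))
```

The resource field is the recipient address, so a stamp minted for one mailbox is useless for another, and the double-spend set stops the same stamp being replayed; a spammer has to pay the full hash search once per recipient per message.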
Instant DDOS attack. All a spammer needs to do is send out a message containing "Nigeria v!agra load http://www.spam-fighter.com teen" and that site gets clobbered even though it had nothing to do with the message.
Isn't that sort of like cutting off your legs to run faster?
1) Person on comcast gets zombie-fied
2) starts sending out spam to say IBM
3) IBM sends back spam to the zombie
4) IBM gets put on every RBL list because it actually is sending spam, think about it
5) comcast and every major company using that RBL and every user in comcast can no longer get mail from IBM
6) IBM yells and screams to the RBL list owner that they really aren't sending spam, just, well, sending back email to people who didn't ask for it, or didn't want it, or didn't sign up for it. OK, they are sending spam... just not bad spam.
Only positive I see is maybe ISPs like comcast might wake the hell up and start cleaning up the problems and stop ignoring their users.
Suppose the spammer's machine sends 200k e-mails per hour. This machine is for sending only. It does not have any port open for receiving e-mails. So the throughput must be high to send out 200k e-mails, and what will they do to the spammers? If all servers (not likely to happen) have the IBM software, then the spammer's machine will receive 200k attempts per hour to connect to blocked ports while they try to hit back... And this is going to stop them? :-) Their specialized machines tuned for sending with no receiving capabilities against high-performance spam-analyzing machines that will waste CPU identifying spam and waste bandwidth repeatedly trying to pass e-mail to some blocked ports on the spammer's machine... Hm. I don't understand it. Just another way to hurt people affected by spam by selling useless software/hardware to them.
IBM's tactic is utterly useless because the vast majority of spam originates from zombie PCs. Those zombie systems may have an SMTP engine to generate spam, but they most likely do not have port 25 open. Bouncing the spam back will be futile. It is more likely to generate a new denial-of-service attack: send a spam to IBM and watch them fight in vain attempting to bounce back the message.
If an ISP notices the extra traffic, might they not be motivated to get the zombies that are used for spamming off their network?
My small local ISP sends techs to help their customers when these things happen - and, yes, I realize that's not viable in most cases.
ipchains -A input -s $MYNETWORKS -j ACCEPT        # let my own networks in first
ipchains -A input -p tcp --dport 25 -j DENY       # silently drop everyone else's SMTP
I mean, I suppose in theory IBM could DOS my ipchains, but this is rate-limited by what I'm capable of sending out, which is significantly less than ipchains could handle.
As requested (all selections open to change, subjective, etc, etc) Note the law-based stuff comes from the fact that I suspect a retaliation response like this is probably illegal, IANAL though so this may be/probably is wrong.
Your company advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid company for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
IBM's solution would at least help shutdown the zombie PCs though. While the zombie PC owners aren't the originator of the spam messages, the solution would hopefully push users to patch/clean/protect their PC from future spam control. Unfortunately I don't see this as the "be all" solution but it could play a part in cleaning up zombie PCs and encouraging ISPs to better protect their own networks.
Now what if the collective zombie PCs are instructed to spam the anti-spam service?
Anyone remember the smurf attack? Send a large ICMP PING to a broadcast address from a spoofed IP of your real victim - all the machines in the subnet then DDoS the victim with replies sent to the spoofed address. This new DDoS of spamming machines sounds kind of similar. What's to stop haxx0rs exploiting this to cause a DDoS of non-spammers?
Your post advocates a
(x) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
And what if you've been joe jobbed?
is the law and the fines that will be applied internationally and enforced (collected) by the local authorities on the SOURCE.
If there were no spam senders there would be no problem with spam. Right? The problem is that we keep going after the carrier, not the beneficiary.
Fine the people for whom and on whose behalf the Spam is sent. Make it for one dollar per spam message received. Instead of sending for free, the messages end up costing more than the Post Office.
I'd like to learn more about this. What's your phone number, I'd like to call you to talk further.
You know, some customers on the entry level ADSL plan at one of the ISPs I work for are on a plan that gives them 500MB of data transfer a month, with excess at 15c/MB. It's a pretty standard arrangement here in Australia.
If this sort of plan counts as a DDOS attack, I wonder if those users will start sending their excess usage bills to IBM.
Then don't complain when ISPs start blocking port 25 at their head end.
I really don't know why ISPs don't just suspend the accounts of PCs with zombies/viruses. In the same way that you get your driving licence revoked/suspended for driving like an ass, people should get their internet accounts suspended too.
And it's not like it's hard to tell who the culprits are. Anyone who has logging enabled on their firewall will know exactly what I mean.
For those that actually read the article, it is completely wrong. It does a terrible job of explaining FairUCE. Read the material at http://www.alphaworks.ibm.com/tech/fairuce. They are not advocating sending spam back to the spammers, but instead are using a combination challenge/response and DNS lookups to associate a reputation to the IP that is sending the email message. I figured IBM was smarter than the original article was implying.
After sending a million spam messages to a million recipients using this system, the originating node receives a million challenges. Not DDOS per se, but it will almost always bring the spammer down as a (nice) side-effect.
Can you say Comcast?
How the hell do you expect ISPs to react to this kind of retaliatory behavior?
You start attacking major networks automatically and you're going to see port blocking come up faster than you can say Postfix.
But what happens when the software controlling the zombie PCs is upgraded to resend the returned spam?
Internet crash!
To: [*.*]
From: [*.*]
Subject: Re: Crashtastic!
SMTP requires two-way communication, so spoofing is nearly impossible. As mentioned in the article, this isn't a system of returning mail to the From email address, as everyone knows that is forged nearly 100% of the time in spam. It is returning the message to the SMTP server it arrived from. If spam is coming from your IP, you either have an exploited host or open relay.
Except that most residential ISPs are blocking incoming 25 now. So most of the cable modem users out there will never see any of this. And the repeated sends would get the IP of this new gizmo black-holed in a heartbeat. Net effect: 0.
That would be a hit to the bottom line - Average User will just think the ISP is incompetent and find another, way before ever admitting their system has a problem.
Better to just silently block ports, open them only when people specifically ask - then monitor for abuse.
That will get the user of FairUCE blacklisted. It's called backscatter. The email address provided in the SMTP transaction, or the message headers, should ABSOLUTELY NOT be considered valid unless, and until, the IP is verified as designated by the domain of the RHS of that email address. And then even that won't work very well if spammers start forging addresses within the same domain as the zombied machine. Don't forget that spammers do have a list of lots of email addresses within all the major domains. They only need to pick one at random that has @comcast.net as the RHS for the zombies running on comcast.net.
The "news" story is pretty much completely wrong. You might want to read the actual technical details and refactor. (Sadly, a lot stays the same, I think.)
Here's the text of the WSJ article cited by CNN. It actually has much better information and clarifies some points.
--
IBM Embraces Bold Method To Trap Spam
By CHARLES FORELLE
Staff Reporter of THE WALL STREET JOURNAL
March 22, 2005; Page B1
Warriors in the battle against junk e-mail are adopting a contentious tactic: Spam the spammers.
The most-common spam defense used to date -- software filters that attempt to identify and block out the unwanted messages -- hasn't stopped the flood of Viagra pitches, cut-rate mortgage offers, and solicitations for foolproof investment schemes swamping many inboxes. Some recent studies say 50% to 75% of e-mails carried over the Internet are spam.
An alternate approach -- counterattacking, in effect -- has been available for some time to users of open-source software, for which code is posted free of charge on the Internet. But adoption in corporate offices has been slow, partly because of fears of exposing companies to certain liabilities -- especially if a target is actually innocent of spamming.
But now the practice is going mainstream. International Business Machines Corp. is expected to unveil today its first major foray into the anti-spam market with a service, based on a new IBM technology called FairUCE, that uses a giant database to identify computers that are sending spam. One key feature: E-mails coming from a computer on the spam list are sent directly back to the machine, not just the e-mail account, that sent them. The more spam that comes out, the more vigorous the response.
"We're doing it to shut this guy down," says Stuart McIrvine, IBM's director of corporate security strategy. "Every time he tries to send, he gets slammed again."
The IBM move follows security giant Symantec Corp., which released a new product in January that uses a similar technology called "traffic shaping" to slow connections from suspected spam computers.
Trapping spammers is sometimes called "teergrubing," from the German word for "tar pit" -- as in, spammers get stuck. It is the equivalent of answering a telemarketer's phone call, "saying 'Hi, how are you,' and setting the phone down and seeing how long he'll talk before realizing there's no one on the other end," says Tom Liston, a computer-security expert.
Teergrubes exploit some convenient features of the Internet, which was designed to be a polite method of communication. Computers -- including e-mail servers -- that chat back and forth in the Internet's electronic protocol will courteously wait to see that their data has been received before sending more. Typically, such acknowledgments come in a matter of milliseconds. A computer set up to teergrube will languorously stretch its responses out to minutes -- effectively tying up the spamming machine and reducing its ability to pump out messages.
How to handle spam -- or, indeed, any other form of unwanted electronic traffic -- is a tricky issue in security circles. Gaining unauthorized entry to a remote system, even in order to stop it from harming yours, is generally illegal under anti-hacking laws. The aggressive new products from IBM and others don't violate those rules, but they can increase the amount of network traffic. Unnecessary traffic increases are generally frowned upon.
But proponents of aggressive antispam tactics say something needs to be done to choke off the supply; simply turning the other cheek and trying to discard spam as quickly as possible isn't enough. IBM says in a new report that in February 76% of all e-mails were spam, down from a summer 2004 peak of nearly 95%, but still well above levels at the same time last year.
"Yes, we are adding more traffic to the network, but it is in an effort to cut down the longer-term traffic," says IBM's Mr. McIrvine. Brian Czarny, vice president of marketing for MessageLabs Ltd., which uses the Symantec product, says traffic shaping doesn't constitute a potentially illegal "denial of service" attack because it is r
Great, I can't wait to have my dynamic IP switch to one of a zombie pc and get dos attacked.
I get the WSJ and the article does indeed confirm it is FairUCE....
Isn't this sort of like blowing up a speeding car?
The collateral damage to innocent people will be tremendous. If a spammer is stupid enough to use his own machine, he would drop offline instantly after he broadcasts. IBM's packets have to go somewhere, flooding out neighbors.
Plus, what if the person spamming has been infected with a virus and isn't knowingly spamming, or IBM's system misidentifies the offending machine? There would be hell to pay..
Yes, spam sux, and it needs to stop, but we need to do it properly..
I read the IBM article. Sounds like the early days of SpamCop. SpamCop traces headers back to the originator or the first phony header, to validate the source. Mail with tracing problems used to get a challenge from SpamCop, but they gave up on that. Challenge-response effectively does a denial of service attack on joe-job victims. It's also incompatible with too many legitimate autoresponder systems that send mail confirmations of transactions.
CNN (and by extension, slashdot, surprise!) got this completely wrong. It's challenge and response sender identity technique, which is way different. See the IBM webpage about fairuce.
While the idea of pinging to death sounds great, it's also a DoS, which, I think, might be against some law here in the USA. Returning the mail to the sender seems to be legit.
"spams the spammers"?
I think not. This is from CNN after all. They publicly admit they lie often. This is true here.
http://www.alphaworks.ibm.com/tech/fairuce/faq
Take note of what this system actually does. Not what the (lying) press tells you.
1. Isn't this just another challenge/response system?
No. Challenge/response (C/R) systems challenge everybody; FairUCE sends a challenge only when the mail appears to be spoofed.
2. Other anti-spam technologies work well. Why should I switch?
FairUCE eliminates any need for a "probable spam" folder, as well as the necessity of keeping up with the latest version of antispam software.
3. Will it run on Windows®, or with QMail, or with Sendmail, etc.?
No, the current release does not.
4. Is it fast?
No real performance testing has been done, but speed is expected. The code basically consists of a few if/then statements and some DNS look-ups (which are cached in memory as well as on the DNS server). The mail server will probably bog down before FairUCE does.
5. Don't all those challenges take up unnecessary bandwidth?
A little bit, but it takes the server much less time to send out a small challenge than it does for the user to look at it in the spam folder, no matter how fast he presses the delete key. Legitimate senders know immediately that a user hasn't received their email, and they can click a button to have it delivered. Meanwhile, the emails sit in the queue for only an hour if they can't be delivered.
If the 3000 machines in my botnet get connectivity from generic-isp.example.net, and I set the sending email address of my spam payload to be "user@generic-isp.example.net", it sounds like FairUCE may let the spam fly unmolested.
Oh dear, you're right. It's Yet Another CR System, but with some standard sender verification (a la SpamAssassin) glued on the front.
In other words, it's as utterly useless and counterproductive as any other challenge-response system. See http://www.xciv.org/~meta/2005/02/15/ for more discussion (from me) of why CR won't work.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
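Added example (editor's illustration, not IBM's FairUCE code and not from any post in this thread): the "find a relationship between the envelope sender's domain and the client IP" check, approximated as forward-confirmed reverse DNS plus a suffix match between the envelope-sender domain and the confirmed reverse name, then "challenge" on any failure. The DNS tables, IPs and host names are constructed so it runs offline. Run against the botnet scenario above, it shows why a zombie that forges a sender at its own ISP's domain passes the relationship check and is never challenged.

```python
"""FairUCE-style sender-domain / client-IP relationship check.

Illustrative approximation, not IBM's implementation. Assumed logic:
  1. reverse-resolve the connecting client's IP (PTR record),
  2. forward-confirm that name (its A record must point back at the IP),
  3. accept if the envelope-sender domain equals, or is a parent of,
     the confirmed reverse name; otherwise fall back to a challenge.
"""
import ipaddress
from typing import Optional

# Constructed DNS data standing in for real PTR and A lookups.
PTR = {
    "203.0.113.10": "mail.example.org.",
    "198.51.100.77": "dsl-77.generic-isp.example.net.",   # a zombie on a DSL line
    "192.0.2.5": "host5.hosting.example.com.",
    "192.0.2.99": "mail.example.org.",                    # lying PTR, no matching A
}
A = {
    "mail.example.org.": "203.0.113.10",
    "dsl-77.generic-isp.example.net.": "198.51.100.77",
    "host5.hosting.example.com.": "192.0.2.5",
}


def fcrdns(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS: the PTR name whose A record points back at ip."""
    name = PTR.get(ip)
    if name and A.get(name) == ip:
        return name.rstrip(".").lower()
    return None  # no PTR, or PTR not confirmed by forward lookup


def domain_related(sender_domain: str, host: str) -> bool:
    """True if host is sender_domain itself or lies underneath it."""
    s = sender_domain.lower().rstrip(".")
    return host == s or host.endswith("." + s)


def fairuce_like_decision(envelope_sender: str, client_ip: str) -> str:
    """Return 'accept' when IP and sender domain are related, else 'challenge'."""
    ipaddress.ip_address(client_ip)  # reject garbage input early
    if "@" not in envelope_sender:
        return "challenge"
    sender_domain = envelope_sender.rsplit("@", 1)[1]
    host = fcrdns(client_ip)
    if host is None:
        return "challenge"
    return "accept" if domain_related(sender_domain, host) else "challenge"


if __name__ == "__main__":
    cases = [
        ("alice@example.org", "203.0.113.10"),             # genuine ISP mail server
        ("joe@yahoo.example", "198.51.100.77"),            # zombie forging a foreign domain
        ("user@generic-isp.example.net", "198.51.100.77"), # zombie forging its own ISP
        ("alice@example.org", "192.0.2.99"),               # forged PTR, fails forward-confirm
    ]
    for sender, ip in cases:
        print(f"{sender:32s} from {ip:15s} -> {fairuce_like_decision(sender, ip)}")
```

The third case is the one the post above worries about: the zombie's reverse name sits under generic-isp.example.net, so a forged sender at that domain is "related" to the IP and the mail is delivered without a challenge. The fourth case shows why the forward confirmation matters: a PTR record the attacker controls is not enough on its own.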
We need bounty hunters. That's the only way to stop spam. The "laws explicitly prohibiting it" can go to hell. They can't track down osama bin laden, or spammers, but microsoft puts out a bounty for whoever created the last big virus and they find the guy in a 3rd world country 3 days later. Now I'll just wait for someone to reply to this and suggest that a 1 cent tax on every email sent could pay for the bounties.
It tries to match the IP address of the sender to their domain name. [...] If it can't [...] then it sends a challenge/response email back to the sender's email address (not to the zombie PC). If the sender is genuine they click a button on the challenge/response email and the original mail gets accepted.
Great:
My site administers its own mail. But direct SMTP outbound mail uses a DSL line whose reverse translation points to our DSL provider, while outbound mail through the local mail servers goes through a mailserver site at a different ISP whose reverse translation will also point to them rather than us.
So all our outgoing mail will receive the challenge. Mail is handled by polling, so every outgoing letter to a site using their tool will now require two extra email transactions, two extra wait-for-poll delays, plus an extra wait-for-sender-to-read-email delay. (No more "fire and forget"; now email accounts have to be checked several times a day.)
"Click a button"? On a mail reader without HTML or with it disabled? More like "copy and edit, and hope you don't screw it up".
Yuck!
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Dude, the ping of death hasn't worked in like, 10 million internet-years.
I haven't seen a spammer's box in the last couple of years that's used to send spam also listen on tcp/25. That's because they don't have an SMTP server listening. When you try to send the spam back to the originating computer you're going to get your TCP connection rejected simply because they aren't running an SMTP server. Whose resources are they planning on wasting? Good grief. This isn't rocket science.
The FA is F-ing all wrong. They got very little right in fact. Go to the IBM website and read the FAQ. It does not DDOS the sending PC. It does a challenge/response if the mail looks like it was spoofed/forged (using fairly comprehensive tests). Even collateral C/R spam can be eliminated with SPF records.
Frankly, when you get down to the REAL details, this system addresses MOST of my complaints about C/R systems.
First off McIrvine only works for Tivoli so what he's selling is a toolkit you can retrofit into a hosting farm.
Next he's talking about a SERVICE so that if IGS hosts a customer, it's 99% likely that the customer will have a domain of customername.com not ibm.com. The spam fighter will originate from customername.com. So if some other source detects that the spam fighter is spam only that domain will get hammered.
Challenge response does not work well. In my case, there is a spammer out there who uses random email addresses at my domain name. Every time he sends a spam run I get anywhere from tens of thousands to over a hundred thousand bounced emails at my mail server. This server is for personal use only and is not designed to handle huge amounts of email, though Postfix doesn't seem to mind too much even though it's a 333MHz Pentium II box running Linux (uptime now at 595 days).
While my mail server doesn't seem to mind too much (other than huge log files), my Netgear firewall goes nuts from time to time forcing me to reboot it.
What would stop this type of DDOS I'm under? The gateway mail server should validate the recipient and return an error code right away instead of sending a bounced email later.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
This basically makes the assumption that:
a) spammers give a rat's ass about receiving e-mail, and thus actually *have* incoming mail servers, and
b) that spammers aren't spamming through botnets.
Since both these assumptions are false, this suddenly becomes a spectacularly stupid idea.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
...So what is the big deal?
:( And no one is going to read this...
The CNN article says "IBM is not concerned about liability, even in cases where innocent senders might be misidentified as spammers, because all the technology does is bounce back the e-mails, said Gail." The WSJ article posted by someone above says "based on a new IBM technology called FairUCE, that uses a giant database to identify computers that are sending spam. One key feature: E-mails coming from a computer on the spam list are sent directly back to the machine, not just the e-mail account, that sent them." This sounds exactly like the DNSBL FAQ at www.spamhaus.org which reads "Doing a DNSBL lookup on a message at SMTP connect time is cheap in hardware cycles and system time. Your DNS server may even have it cached from the last time the spammer tried. If your MTA already knows the incoming message is spam it can deny a spam message before having to pass it to mail-scanner (medium cost), through the virus scanner (medium to expensive), bayesian filtering (medium), spamassassin network tests: blacklists, DCC, pyzor, razor, etc. (medium - high). Mail rejected by a DNSBL does not disappear into the bit bucket. A DNSBL realtime rejection creates a delivery status notification (DSN) to the sender identifying the cause of the rejection, thereby allowing troubleshooting on the sender's end. Realtime rejection avoids the "backscatter" problem of some spam filters which accept delivery, close the connection, and then try to return the mail after it is determined to be spam. Of course, as we all know, most spam and all viruses have forged sender addresses, and so the "bounce" goes back to an innocent third party (if it is deliverable at all). Using the SBL-XBL lists together (recommended) rejects a very large amount of spam and virus mail with very low "false positive" rejections of legitimate mail. And remember, all those rejected legitimate mails are instantly reported to the sender with a DSN. "
The IBM page says "FairUCE (which stands for "Fair use of Unsolicited Commercial Email") is a spam filter that stops spam by verifying sender identity instead of filtering content." "Technically, FairUCE tries to find a relationship between the envelope sender's domain and the IP address of the client delivering the mail." This suggests that the receiving mail server does a DNS lookup "at SMTP connect time" verifying that the from address is related to the owner of the IP address the mail is coming from, i.e. email from joe@yahoo.com originating from www.msn.com is "bad", email from me@myisp.net originating from www.myisp.net is "good", or something like this. If the cache is of WHOIS lookups, so what? IP addresses do not change hands very often (do they?). I may have a different IP every time I log on to the internet, but that IP always comes up on a WHOIS as being assigned to my ISP.
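Added example (editor's illustration, not code from Spamhaus, IBM or any poster) covering two points raised in this thread: the DNSBL lookup "at SMTP connect time" quoted from the Spamhaus FAQ above, and the earlier post asking why a gateway should validate the recipient during the session instead of accepting the mail and bouncing it later. A 5xx answer given while the client is still connected is seen only by that client; an accept-then-bounce design instead manufactures a DSN addressed to the envelope sender, which for spam is usually a forged third party. The query-name construction (reversed octets under the list zone) and the 127.0.0.x answer convention follow the documented DNSBL mechanism; the DNS answers, local user list, domain and IPs below are constructed.

```python
"""SMTP-time policy: DNSBL check at connect, recipient validation at RCPT TO.

Illustrative only. The DNS resolver is replaced by a constructed table so
the example runs offline; the zone name is the documented Spamhaus zen
zone, but the answer data here is made up for the example.
"""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

DNSBL_ZONE = "zen.spamhaus.org"

# Constructed answers: a listed IP returns one or more 127.0.0.x addresses.
FAKE_DNS = {
    "77.100.51.198.zen.spamhaus.org": ["127.0.0.4"],  # constructed listing
}

# Constructed local directory for the receiving gateway.
LOCAL_DOMAIN = "example.org"
LOCAL_USERS = {"postmaster", "alice"}


def dnsbl_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: octets reversed, then the list zone."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str) -> bool:
    """A 127.0.0.x answer means 'listed'; NXDOMAIN (no answer) means 'not listed'."""
    answers = FAKE_DNS.get(dnsbl_name(ip), [])
    return any(a.startswith("127.0.0.") for a in answers)


def rcpt_policy(rcpt: str) -> str:
    """Decide RCPT TO during the session, so the client hears the verdict."""
    local, _, domain = rcpt.lower().rpartition("@")
    if domain != LOCAL_DOMAIN:
        return "554 5.7.1 Relay access denied"
    if local not in LOCAL_USERS:
        return "550 5.1.1 User unknown"
    return "250 OK"


def smtp_session(client_ip: str, mail_from: str,
                 rcpt_to: str) -> Tuple[List[Tuple[str, str]], Optional[str]]:
    """Simulate the gateway's answers.

    Returns (transcript, backscatter_to). backscatter_to is always None here
    because every rejection happens in-session and generates no DSN.
    """
    transcript: List[Tuple[str, str]] = []
    if dnsbl_listed(client_ip):
        transcript.append(("CONNECT", f"554 5.7.1 {client_ip} listed in {DNSBL_ZONE}"))
        return transcript, None  # rejected before any content is accepted
    transcript.append(("CONNECT", "220 mx.example.org ESMTP"))
    transcript.append(("MAIL FROM", "250 OK"))
    transcript.append(("RCPT TO", rcpt_policy(rcpt_to)))
    return transcript, None


def accept_then_bounce(mail_from: str, rcpt_to: str) -> Optional[str]:
    """The backscatter pattern: accept first, discover the bad recipient later,
    then 'return' the mail. Returns the domain that would receive the DSN."""
    if rcpt_policy(rcpt_to).startswith("250"):
        return None
    return mail_from.rpartition("@")[2]  # usually a forged, innocent domain


if __name__ == "__main__":
    for ip, frm, to in [
        ("198.51.100.77", "victim@forged.example", "nobody@example.org"),
        ("203.0.113.10", "victim@forged.example", "nobody@example.org"),
        ("203.0.113.10", "bob@example.com", "alice@example.org"),
    ]:
        print(ip, smtp_session(ip, frm, to))
    print("DSN would go to:", accept_then_bounce("victim@forged.example", "nobody@example.org"))
```

In the first two runs the client is turned away with a 554 at connect or a 550 at RCPT TO and nothing is queued; in the accept-then-bounce variant the same bad recipient produces a DSN to forged.example, which is exactly the flood the personal-server post above describes receiving.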
I wrote this "spam form" in December 2003. The form appears on Cory Doctorow's site and is occasionally attributed to him but it was originally written by me.
The general form of a "checklist" response is really old. I first saw such a form on USENET more than ten years ago. It originally appeared in this rec.humor.funny post from December 1994 whose author claims to have gotten it from a VAX conferencing system. The general idea of a standardized checklist for blowing someone off is probably even older than that.
I got tired of explaining to people why their cockeyed spam solutions wouldn't work, so I wrote this particular one about spam one evening and posted it here and here. I'm surprised it took off, actually. Now in every thread about spam I do a search for "technical legislative vigilante" to see if it's reappeared and it's there half the time. I only wish I had included a little dig for challenge-response schemes!
The part at the end about burning your house down is there because someone in the original thread proposed a solution to spam that was so abysmally bad that the poster was suspected to be a spammer himself, hence the "( ) spammers could easily use it to harvest email addresses" item.
Judging from Google searches, spam researchers seem to have mixed feelings about it. The form wears out its welcome all the time but keeps reappearing. Some like it and use it a lot to quickly dispatch stupid ideas from the peanut gallery. Others hate the form because it gets presented to them all the time when they present their proposals. It has actually appeared in a number of anti-spam research papers. One group of researchers, when proposing their solution, actually prepared a preemptive response to refute each form item.
Sigh. This is an alphaWorks project that's been kicking around for a while. Precis: it tries to match the sender IP to the purported sender domain. If it can't find a match, it falls back to something similar to challenge/response. The theory goes:
1. All spam is spoofed, so it will fail the IP/domain match and won't get past the challenge.
2. The vast majority of legitimate mail will pass the IP/domain match, so will be delivered without needing a challenge.
3. The only legitimate mail that needs to be challenged is sent by "power" users, who will know how to deal with a challenge.
This could initially cause false positive problems for some legitimate direct marketers who use some bulk email service providers. However, the problem is quite easily fixed.
Note that this doesn't fight spam, so much as fight spoofed senders. Much like SPF, in fact.
Note also that there's been a deal of lousy reporting (say hello to WSJ and CNN), saying that FairUCE somehow spams the spammers back. What a load of old cobblers, as we say over here.
From the quotes attributed to an IBM exec in the WSJ, I'm worried that this mis-reporting might actually be IBM's fault.
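Added example (editor's, not from IBM or from any post here) for the comparison above between FairUCE and SPF, and for the earlier remark that collateral C/R traffic can be cut down with SPF records. SPF binds sending IPs to a domain by the domain owner's own published policy rather than by reverse DNS, so the botnet scenario discussed earlier (a zombie on an ISP's DSL range forging a sender at that ISP's domain) fails SPF as soon as the ISP publishes a record naming only its real outbound servers. The evaluator below covers the ip4, a, include and all mechanisms with the four qualifiers; the TXT and A records, domains and IPs are constructed.

```python
"""Minimal SPF evaluator (subset of RFC 7208) over constructed DNS data.

Supports: ip4:<net>, a, a:<host>, include:<domain>, all, with the
qualifiers + (pass), - (fail), ~ (softfail), ? (neutral). Other
mechanisms return permerror. DNS is an in-memory table for offline use.
"""
import ipaddress

# Constructed TXT records. The ISP names only its outbound relays, so a
# zombie on its DSL range is not authorised to send for its domain.
TXT = {
    "generic-isp.example.net": "v=spf1 ip4:203.0.113.0/26 include:_spf.example.org -all",
    "_spf.example.org": "v=spf1 ip4:203.0.113.200 ~all",
    "example.com": "v=spf1 a -all",
}
A = {"example.com": "192.0.2.5"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-querying mechanisms to 10


def check_spf(domain: str, client_ip: str, depth: int = 0) -> str:
    """Evaluate the SPF policy of `domain` for a connection from `client_ip`."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host = (arg or domain).lower()
            matched = A.get(host) == client_ip
        elif mech == "include":
            # include matches only when the referenced policy yields pass
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"  # unsupported mechanism in this subset

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


if __name__ == "__main__":
    print("zombie forging its ISP:", check_spf("generic-isp.example.net", "198.51.100.77"))
    print("ISP's real relay      :", check_spf("generic-isp.example.net", "203.0.113.10"))
    print("via include           :", check_spf("generic-isp.example.net", "203.0.113.200"))
    print("no SPF published      :", check_spf("nospf.example", "198.51.100.77"))
```

A receiver that only challenges on softfail/neutral/none and rejects outright on fail sends no challenge at all for the zombie case, which is the sense in which SPF records reduce collateral challenge traffic; domains that publish nothing still fall through to whatever the challenge logic does.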