Microsoft and Yahoo! Fight Spam - Sort Of
kyndig writes "In a Forbes article, Microsoft claims that 90% of email on the internet is spam. To fight this, Yahoo! has teamed with Cisco in developing DKIM, a signature-based email authentication. Not to be outdone, Microsoft is proposing SenderID, which examines an email to see if it is coming from an authorized server. Earthlink's chief technology officer, Tripp Cox, goes on to examine the pros and cons of each specification and provides practical application results." From the article: "Critics have accused Microsoft of forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systems do not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."
If a bunch of hotmail users stop getting email then that will only hurt MS.
Q: I am short, useless and provide no value. What am I? A: a sig
Hotmail is no longer providing me with the value-add service I signed up for. I want my money back.....oh wait...it was free....damn.
Not going to discuss pros/cons of these systems, but at least they do help. Two days ago I got one of those PayPal phishing emails in my hotmail account and hotmail had a big banner on top saying the sender's ID couldn't be verified. This could be a great help to users silly enough to fall for these attacks (assuming they actually pay attention to the warnings).
"reality has a well-known liberal bias" - Steven Colbert
It seems that one constant problem with fighting spam is that sometimes the ones who are fighting the spam are doing more damage than the spammers themselves...
see a Text Widget
Perhaps this is Microsoft attempting to leverage (yes, I used it correctly!) what they perceive to be as their market dominance to hold users' feet to the fire. Basically, "We've got a lot of users. If you want to communicate with any of them, you're going to need to play by our rules."
Note: I'm not commenting on Sender ID, whether it's technically sound, etc... I haven't really been following this. I just think it's interesting that Microsoft tries its old tricks in industries where it doesn't necessarily have the clout to do so, at least with as much success.
concrete5: a cms made for marketing, but strong enough for geeks.
This has bad news written all over it. These companies are going to try and use their size to push their technologies on everyone else. This will result in systems that are beneficial for Yahoo and Microsoft, but that don't address the needs of everyone else. If something like this is done, it should be done internationally by a group of companies and individuals from a variety of backgrounds.
Voice your opinion!
To delete all messages without a valid SenderID is not quite the same as to mark non-valid SenderID messages as spam
like gMail. MS execs would just love an exodus of people over to google.
Q: I am short, useless and provide no value. What am I? A: a sig
is all the major companies sit down and design a new email system. the current email system is like a sinking boat they are trying to patch and prevent it from reaching the bottom. now, everyone is going their own separate way (MS, Yahoo), where there will be no standard. the whole system needs to be scrapped and rebuilt from the ground up taking into consideration spam, which was never present when the system was designed.
Never happen...Microsoft would never abuse their market dominance to foist an inferior product upon the industry...
Oh wait...
____
~ |rip/\/\aster /\/\onkey
To be honest I vastly prefer the Gmail approach of having relatively smart spam analysis than a whitelist approach based on authentication.
Think of all the people out there who don't have their own mail server but have SMTP/POP access to a hosting company's machine. A change in the core protocols for email would adversely affect most of them, as even if they all had the knowledge to make the changes, they may not have the ability.
Add to this the possibility that a requirement for SenderID will just result in spammers mounting directory attacks against SMTP servers in order to find logins that work..
All this will really cause is a migration away from hotmail !
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
There is also Sender Policy Framework (http://spf.pobox.com/), this is very similar to SenderID but it has the major advantage that it's open source, agreed microsoft is trying to push SenderID down everybody's throats, I myself publish SPF on a number of domains and it does a good job. The more people that use SPF the more power it will have over SenderID.
With several gmail accounts, I never have trouble managing spam. I don't reply to suspicious e-mails, and if I do, I am sure not to use the return e-mail address of my primary account. I keep an account for things like ebay, rentacoder, guru.com, etc., and a separate account for personal e-mail. I have been doing this for over a year and I have only received six spam messages, and those were in the secondary account. I don't see why AOL couldn't encourage their users to do this. Isn't this why we have multiple e-mail accounts available from ISPs?
Powered by caffeine and sugar; BSD
My thinking has always been that we need two systems. Or at least one system that provides two types of service. Authenticated and Anonymous. The Business world would of course choose to use authenticated and be willing to pay for it. Home users (such as Hotmail) could choose between free anonymous email and deal with the spam or pay for authenticated email, where as the theme song states, "everyone knows your name".
... After all, what's to stop a spammer using a microsoft product that has the technology? It sounds more like something intended to change the internet standards in a way that destroys any chance of a small company creating a new system that could compete with microsoft.
As a writer / novelist you might want to spellcheck your sig.
One of the main problems with this, in my OPINION, is that corporations can't keep up with individuals. It is sort of like how Guerrillas, from the time of the US colonies to Vietnam, have been able to put a hurting on huge armies.
Corporations aren't as light on their feet as spammers and internet miscreants (for the most part- I know I am speaking in generalities).
It takes many meetings over years it seems (Meetings- None of us is as dumb as all of us...) to come up with a new policy or system regarding spam etc.- committees are formed, proposals made etc. Then, someone (or group) without meetings, without authorizations, comes up with a way around the new system.
As has been said a zillion times before on here, by people more intelligent than I- the only way to stop Spam is to make it not pay, by having no one respond to it. It is like Drugs or Prostitution- if there were no client base, there would be no sellers....
And All I Ask is a Tall Ship And a Star to Steer Her By
I have always encouraged my friends and family to move away from hotmail and msn.com email. There were other reasons before this (like getting spam the moment you register an address), but this is just another one.
How about fixing your crappy OS security model and the crappiest of Mailers on the Planet, Outlook?
I have a month-old business, personal-handout-only E-Mail address, and already spam is rolling in. It's because my business partners all use Outlook, which is near by default riddled with Spambots, Contact-grabbers and whatnot because of this shitpile of software those f*ckers over at redmond farted onto their harddisks.
MS's bullshitting policy couldn't care me less as long as they don't bug me with their crap. But spam popping up left, right and center once Jon Doe has your mailaddress on his box is NOTHING BUT MICROSOFT'S FAULT!
Heavens, this issue gets me so pumped I want to go to Redmond and chop off heads ALL the time. That would be sweet.
We suffer more in our imagination than in reality. - Seneca
Spammers have the upper hand in this war. Whatever solution to spam companies come up with, there will be a work-around developed in a very short time.
The systems would also have to be so fine tuned so as to not block email from legitimate sources. Certainly spammers would be able to masquerade as a legit source.
Spam blockers also have another possibly fatal flaw. How long until the companies that develop the blockers enter into agreements with spammers to let some spam through? We all know of the possible alliances between adware companies and adware removal companies. What's to stop spammers from doing the same thing?
I wonder if despite the shortcomings of the systems, the cure to spam may indeed require a heavyweight like Microsoft strongarming everyone into using their anti-spam system. Much as I hate to say it, MS may be doing exactly what needs to be done to deal with the spam problem.
Oh no... it's the future.
Heh.
a few things here.
1. who uses hotmail anyway? and if a lot of people do, they could easily just switch to a different free email service and get a better service (Gmail comes to mind)
2. what's so bad about the current junk mail filtering that people like Yahoo and most email clients (except for outlook express, of course) use? these adaptive junk systems work fine and I don't see why this is still a problem for some people.
am i the only one who doesn't get viruses without a virus scanner, on windows? am I the only one who only gets 1 or 2 spam emails every 1-3 days?
I know, I know.
I am trolling
..a bunch of hotmail users stop getting email.
And they will all switch to Gmail! Whoohooo!!!!
Does anyone still use hotmail? That's soooo 90's!
You're just saying that it's a valid domain-name, but as soon as someone's dns servers or smtp servers are rooted, you'll have spam again. The good thing is it'll help let legit people you do business with (eg: your Bank, CC company) say that a message was authorized by them, or at least by the SPF rules.
PGP keys? I thought people knew about and used these. With a pgp key, it is signed with an encrypted hash, and you have the option of encrypting the message alongside it. Once this is done, you know an email is coming from a valid user because it contains their key. These are already used in workplaces around the world. Why implement a new system when one already exists? Not only does one exist, it is more or less an open standard. Yeesh! I wish people would actually stop rebuilding the wheel in the software industry.
(No, you didn't! Leverage is a noun, you raging faggot!) Perhaps this is Microsoft attempting to hold users' feet to the fire, using what they perceive to be their market dominance as leverage.
It's trivial to add arbitrary headers to SMTP data, worse the headers PRA uses don't have to be present at all.
Microsoft need to stop checking PRA against our spf v1 records. After all, I don't check SenderID records against SMTP MFROM (ie: SPF), even if it would be a worthwhile counter to Microsoft's position.
Then there's that unacceptable patent license and some rather disturbing support for Microsoft's silly, broken system and abuse of existing SPF records within the IETF.
If Microsoft Hotmail starts blocking all messages without valid Sender ID, this will indeed stop most of the spam on the internet! After all, once everyone closes their Hotmail accounts, all that spam will merely bounce.
/wonders how much of the internet's spam actually does go through hotmail
If I had a hotmail account and email from people I know suddenly started coming up with banners telling me it might be spam, or were to get filed in a spam folder, chances are I'd turn off spam filtering as it'd be clearly not marking it correctly.
Whether or not senderid is worth anything depends on whether or not it's used by everyone. Sure, it'll put a big spam banner at the top of a lot of phishing messages. But, what about legit messages from banks, friends, and government agencies who aren't using senderid?
For something like this to work, it needs to be widely accepted. MS has been able to illegally use its monopoly in the past to get its way with the industry, but you'd think by now they would have figured out that they don't have a monopoly on email. God, these people are stupid. They're just making sure senderid fails, along with other really useful things. MS's boneheaded antics are just making it harder to get a decent solution out there.
"We are all geniuses when we dream"
- E.M. Cioran
90% of Hotmail IS probably spam. I admin about 3,000 email users and our spam percentage is more like 50%.
Anyone else got stats?
Keep the Classic Slashdot.
If 90% of all email is spam, then there is a high chance that they can randomly flag an email as spam.
Cheers,
RoadkillBunny
Let's see... If we write a tool that immediately filters 100% of all e-mail, we can claim that our "Spam filtering tool" gets 100% of Spam with only a 10% false positive rate. Excellent!!!
So it's now 90% of all email, but what % of all internet traffic is email and ad popups/banners?
---- Booth was a patriot ----
I currently do not email anyone who has a hotmail account, so let hotmail go isolate themselves.
With Yahoo & Cisco proposing an alternative to Microsoft's suggestion for a standard there will at least be some fighting over which design (if either) becomes a standard. Without the competition, the odds are that one might win by default. (Unfortunately.)
My mail servers do have SPF records and when I get a chance, I'm going to setup SPF record checking for incoming email, although initially I'm going to only have it add a header to emails.
At the very least, I recommend everyone who can set up SPF records for their mail servers even if they can't take the time to set up checking SPF records for incoming email. This would help by enabling places that do check SPF records to know if they're getting (possibly) forged return addresses.
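A small SPF (v=spf1) evaluator over a constructed in-memory zone, added here as an example; it is not the commenter's configuration and not a real SPF library. It resolves ip4/ip6/a/mx/include/all with the four qualifiers, enforces the 10-lookup limit, and emits the kind of Received-SPF header the comment plans to add instead of rejecting. All names and addresses are constructed from reserved documentation ranges; redirect=, exp=, macros and a/mx prefix lengths are deliberately left out.

```python
"""Minimal SPF (v=spf1) evaluator over a constructed in-memory zone.
Added example; not the commenter's configuration and not a real SPF library.
Supports ip4/ip6/a/mx/include/all with +/-/~/? qualifiers and the 10-lookup
limit; redirect=, exp=, macros and a/mx prefix lengths are left out."""
import ipaddress

# Constructed zone data. example.com/.net and *.example are reserved
# documentation names; 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and
# 2001:db8::/32 are reserved test ranges.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"]},
    "mxonly.example": {"TXT": ["v=spf1 mx -all"], "MX": ["mail.example.com"]},
    "lazy.example": {"TXT": ["v=spf1 +all"]},       # "anyone may send": a pass means nothing
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},  # self-referencing include
    "nospf.example": {"TXT": ["some unrelated text"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # mechanisms that need DNS (a, mx, include) are capped per check


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record, else None (no record, or ambiguous)."""
    recs = [t for t in lookup(domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def addresses(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A")]


def check_host(client_ip, domain, budget=None):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip sending
    with an envelope sender in `domain`. `budget` is shared across includes."""
    budget = budget if budget is not None else [0]
    ip = ipaddress.ip_address(client_ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifier (redirect=, exp=): not handled in this example
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                # ipaddress returns False for a v4 address tested against a v6 net and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech in ("a", "mx", "include"):
                budget[0] += 1
                if budget[0] > MAX_LOOKUPS:
                    return "permerror"
                if mech == "a":
                    matched = ip in addresses(target)
                elif mech == "mx":
                    matched = any(ip in addresses(mx) for mx in lookup(target, "MX"))
                else:
                    inner = check_host(client_ip, target, budget)
                    if inner == "permerror":
                        return "permerror"
                    matched = inner == "pass"
            else:
                return "permerror"  # unknown mechanism (or unsupported a/24-style prefix)
        except ValueError:
            return "permerror"      # unparsable network or address in the record
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no explicit "all" term


def received_spf_header(client_ip, sender):
    """Tag-only mode, as in the comment: record the verdict for downstream
    filters rather than rejecting at SMTP time."""
    domain = sender.rpartition("@")[2]
    result = check_host(client_ip, domain)
    return f"Received-SPF: {result} (domain {domain}; client-ip={client_ip}; envelope-from={sender})"
```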
I have used Hotmail for years for communication with "untrusted" sources. In the last 3 months I was forced, regretfully, to let the account die... Hotmail-Microsoft had begun to allow "legal" spam through to the hotmail account. Week after week, the same spam messages over and again were forcing me to check the account. Marking the emails as spam had no effect, I would get the exact same message the next day-week-month, same email address and all.
I complained, and was told I could use filters for those un-markable spam items. Yeah, right.
Advantages to MS for letting "authorized" spam through
- They get paid, probably very well, to send spam to all hotmail accounts.
- They increase page impressions and advertising revenue forcing hotmail users to check the site when notified of waiting emails.
A Great Idea(TM), something an Accountant more than likely worked out, looks oh-so-great on paper, congratulations.
What they cannot measure is how pissed off I got, and in the end abandoned their system permanently, advising all clients, friends, relatives to use another service for their web based email address. (I have had no such problems of authorized spam with Yahoo/Gmail... yet).
My conclusion, MS does not give a rat's arse about how much spam we are forced to look at... they just want to be on the spam generated profit gravy train via "legalized" spam, and don't want freeloaders competing with them to deliver it.
Kalori.
-
No sig. is a good sig.
Seriously, why is this a problem? At home I have a FreeBSD box that runs mail through scanners and figures out what's what. Works like this:
incoming:25 -> Postgrey (greylisting) -> MailScanner -> ClamAV -> Spamassassin (with DCC, razor checks) -> DSPAM -> Postfix -> users_mailbox
All ClamAV definitions are updated via cron by Freshclam, all Spamassassin rules are updated via Rules_du_jour daily. Using this I get just about zero spam, with a VERY rare occurrence of real mail being labelled spam (and that's usually bad chain-emails sent around by my wife's friends - and I consider that spam anyway ;)). Seriously, I'm no genius, but why can't this kind of solution be bolted on? Even if a company is locked into Exchange, slap a box like this accepting :25, then have it relay mail on after the checks!
I fail to see why a solution like this can't be implemented on a large scale 'free-mail' company like Hotmail or Yahoo! If they could stop (and eventually block) spams, they could help turn the tables on spammers, making them less profitable. What am I not seeing?
bad_outlook
--
Is this vague enough for you?
It's a simple idea whereby your server exploits the fact that most mail servers obey the SMTP standard, while most spam sending software does not, to only accept mail from servers which behave properly. Plugins are available for most popular mail server software.
I implemented this about 6 weeks ago and noticed a dramatic and immediate reduction in spam, perhaps better than any other single anti-spam measure.
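A simulation of the greylisting behaviour the comment above describes, added here as an example; it is not the commenter's plugin and not Postgrey's code. The retry delay, lifetimes, addresses and reply strings are constructed assumptions chosen to resemble common defaults, and a sender that retries properly is let through, which is all greylisting can check.

```python
"""Greylisting simulation (added example; not Postgrey's or any commenter's
code). A new (client IP, envelope sender, recipient) triplet gets an SMTP
temporary failure; a standards-compliant MTA queues the message and retries
later, while most bulk-mail software never does. Delays, lifetimes and reply
strings below are assumptions resembling common greylisting defaults."""

MIN_RETRY_DELAY = 300                 # seconds a sender must wait before retrying
PENDING_LIFETIME = 4 * 3600           # forget unanswered triplets after this long
VERIFIED_LIFETIME = 35 * 24 * 3600    # how long a verified triplet is remembered

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.0.0 OK"


class Greylister:
    def __init__(self):
        self._pending = {}    # triplet -> time of first attempt
        self._verified = {}   # triplet -> time of last accepted delivery

    def check(self, client_ip, sender, recipient, now):
        """Decide the SMTP reply for one delivery attempt at time `now` (seconds)."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        last_ok = self._verified.get(triplet)
        if last_ok is not None and now - last_ok < VERIFIED_LIFETIME:
            self._verified[triplet] = now          # known-good triplet: pass straight through
            return ACCEPT
        first_seen = self._pending.get(triplet)
        if first_seen is None or now - first_seen > PENDING_LIFETIME:
            self._pending[triplet] = now           # never seen (or stale): defer
            return TEMP_FAIL
        if now - first_seen < MIN_RETRY_DELAY:
            return TEMP_FAIL                       # retried too fast: keep deferring
        del self._pending[triplet]                 # a real queued retry: promote it
        self._verified[triplet] = now
        return ACCEPT


def simulate():
    """Replay three constructed senders against one greylister (client IPs from
    the 192.0.2.0/24 documentation range). Returns the reply history per sender."""
    g = Greylister()
    history = {"mta": [], "fire_and_forget": [], "hammering_bot": []}
    # A real MTA: first attempt deferred, the retry ten minutes later accepted,
    # and a message the next day from the same triplet accepted at once.
    for t in (0, 600, 86400):
        history["mta"].append(g.check("192.0.2.10", "pal@example.org", "me@example.com", t))
    # Bulk software that never retries and rotates forged senders: every
    # attempt is a fresh triplet, so nothing it sends is ever delivered.
    for i, t in enumerate((0, 1, 2)):
        history["fire_and_forget"].append(
            g.check("192.0.2.66", f"bulk{i}@example.net", "me@example.com", t))
    # Software that retries immediately: still deferred, because every retry
    # arrives before MIN_RETRY_DELAY has elapsed.
    for t in (0, 2, 30):
        history["hammering_bot"].append(
            g.check("192.0.2.99", "promo@example.net", "me@example.com", t))
    return history


if __name__ == "__main__":
    for name, replies in simulate().items():
        print(name, replies)
```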
Yahoo!: Announcing: Domain Keys!
Microsoft: Announcing: SenderID!
(some time later)
Yahoo!: Presenting: Domain Keys Identified Mgmt!
Cisco: Presenting: IIM!
Microsoft: Um, hey lookie... SenderID!
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
If they can muscle their SenderID onto enough servers out there then less email becomes spam, then SenderID is free to be a gateway for other proprietary garbage that MS may decide to bundle with it.
SenderID is an extension of SPF, which is not proprietary. A valid SPF record will be picked up by any conforming SenderID processor as a SenderID record. I'm just worried about those people who use an ISP's mail server where the ISP lacks enough clue to use SPF.
Microsoft is gonna PIMP spam
This article "A blank check for Microsoft" more or less confirms the changes to spam policy I have observed while using Hotmail over the past few months:
http://blogs.salon.com/0003364/stories/2005/02/01
I've always considered Hotmail a bit of a UCE enabler anyway.
Luck favors the prepared, darling.
I have many contacts who use Hotmail but all of my email is sent out through sendmail on my Linux box.
How easy is it to get a SenderID? Hopefully not so easy that spammers can obtain one also... GMail seems to be pretty good at handling spam anyway, I don't really see what's wrong with their approach.
yeah this will work.... as most spam I get comes from hotmail
No, you didn't! Leverage is a noun
Then what is the verb meaning "to use as a metaphorical lever"? When correcting somebody's usage, it's polite to provide an acceptable alternative.
you raging faggot!
How can a bundle of sticks be "raging"?
What is wrong with using SpamAssassin? I use it and it works wonderfully. I probably get around 100 e-mail messages a day, and yeah, 90% are spam but they get flagged as such by SA. We don't need to reinvent the wheel here.
Don't be so anally obsessive. It's not a big deal in the greater scheme of things and it's certainly not something that moderators will waste mod points on.
(Hope you note that I got all the apostrophes in the right places.)
Something is happening here but you don't know what it is, do you, Mr Jones.
The only reason I have a hotmail account is to catch spam. It is what I use to register everything. My real email addresses get only one or two pieces of spam a day.
Not to be blowing their horn or anything, but at least GMail has caught every piece of spam I've been sent so far.
No single technology will bring spam under control. It's going to take a blend of technologies, namely:
The first campaign, spam filtering, has worked with reasonable success. Spammers now have to send a lot more e-mail in order to reach their customer base. Of course, e-mail is cheap to send so this hasn't changed the economics of the situation dramatically, and the army of slave machines that they've hacked makes getting a lot of CPU power fairly straightforward.
The second campaign on which we are embarking is designed to reduce this army. How effective this will be only time will tell. The principal concern is about throw-away domains being a problem.
If I set up a domain and tell the SPF address to allow any machine on the internet to send mail then I've totally destroyed the value of SPF. However, its value in controlling phishing should not be underestimated.
The final campaign in my list is the nuclear option: Using CPU time to create digital stamps. The idea behind this is to take the hash of your e-mail (complete with subject, addresses etc.) then brute force a collision of the last 20 bits of the hash. For the normal user, this won't cause a noticeable slow down, for a spammer it will probably destroy their business model.
The drone armies will be cut down to size. Rather than sending a couple of hundred messages per second they may be able to manage one or two. The CPU load on a drone would be so high as to make the PC unusable and the users of these hacked machines would have to start taking notice: they will have to get their machines fixed. If spammers wanted to send messages directly they would now need supercomputers.
There are disadvantages to the above approach. Mobile devices would take a long time to mint a stamp. This can be combated by setting special rules for the SMTP servers that forward messages from mobile devices.
The same problems also exist for third-world countries where they might be running significantly slower machines. However, even if it took 15 seconds to send an e-mail, I think that's an acceptable price to pay for the service.
Overall, I think the real answer lies in the combination of these three schemes. I believe there is a "critical point" in the fight against spam. Once you start to tip the spammers from profit to loss we will start to see huge reductions in spam. The only way to achieve this is to put the cost on the spammer. Electronic stamps are the way to do this.
Simon
The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record
No. This is not what they said, nor what the article you link to said.
They said they would classify all messages that failed a sender ID lookup as JUNK. It's not factual to state the messages will be deleted, or "never reach their intended recipient."
I was getting about 40 spam messages a day, before I implemented my new anti-spam e-mail server. Now I get about one or two... but SenderID only blocks about two messages a week. Much more effective are my set of 5 Blacklists, a URL Blacklist, and some simple rules. SenderID can stop fake from addresses, but the people sending the messages will just use servers that do not have SPF entries, as all the servers will never implement it.
65% Spam
35% Clean Messages.
54% of total messages(Spam) blocked by RBLs
11% of total messages(Spam) caught by filters.
error rate +/- 0.5%
But, what about legit messages from banks, friends, and government agencies who aren't using senderid?
By definition, a valid Sender Policy Framework record is a valid SenderID record. Banks and government agencies control their own domains and can easily add the TXT records that SPF uses. Friends on dial-up can switch. Yes, it would hurt friends on broadband, who generally can't switch away from the monopoly or the duopoly and would have to find a webmail provider that has SPF.
From the hashcash.org site:
"Hashcash is a denial-of-service counter measure tool. Its main current use is to help hashcash users avoid losing email due to content based and blacklist based anti-spam systems. A hashcash stamp constitutes a proof-of-work which takes a parameterizable amount of work to compute for the sender. The recipient can verify received hashcash stamps efficiently."
Basically, you make it where the sender needs to spend a non-negligible amount of computational power to send a message. But it is computationally cheap to verify that they have done so. It's not going to affect normal users that much (except maybe list services) but by marginally increasing the cost of sending out thousands of messages at a time, it alters the economics of spam and makes it a non-viable way to do business.
Once I set this up on my Wordpress blog, the level of comment spam dropped to zero *immediately* and I haven't had a single incident since.
"There is no night so forlorn, no mood so bleak, that it cannot be infused with pleasure by tender meat..." - R.W. Apple
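A hashcash-style stamp minter and verifier, added here as an example to go with the "digital stamps" campaign a few posts up and the hashcash quote above; it is not hashcash.org's code and not any commenter's. The stamp field layout follows the hashcash v1 header, and hashcash counts leading zero bits of SHA-1 over the stamp rather than trailing bits of the message hash; the 28-day validity window and the small bit counts used for the demo are assumptions.

```python
"""Hashcash-style proof-of-work stamps (added example; not hashcash.org's
code). Field layout follows the hashcash v1 header:
    ver:bits:date:resource:ext:rand:counter
The 28-day validity window is an assumption made for this example."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

DIGEST_BITS = 160                 # SHA-1 digest size; hashcash v1 uses SHA-1
MAX_STAMP_AGE = timedelta(days=28)
DATE_FMT = "%y%m%d"


def has_leading_zero_bits(digest: bytes, bits: int) -> bool:
    """True if the first `bits` bits of the digest are all zero."""
    return int.from_bytes(digest, "big") >> (DIGEST_BITS - bits) == 0


def mint(resource: str, bits: int = 20, date: Optional[str] = None,
         rand: Optional[str] = None) -> Tuple[str, int]:
    """Sender side: brute-force a counter so SHA-1(stamp) starts with `bits`
    zero bits. Expected cost is 2**bits hashes (about a million for 20 bits),
    paid once per message. Returns (stamp, hashes_tried)."""
    date = date or datetime.now(timezone.utc).strftime(DATE_FMT)
    rand = rand or secrets.token_urlsafe(12)
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    counter = 0
    while True:
        stamp = f"{prefix}{counter}"
        if has_leading_zero_bits(hashlib.sha1(stamp.encode()).digest(), bits):
            return stamp, counter + 1
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, seen: Set[str],
           today: Optional[str] = None) -> Tuple[bool, str]:
    """Receiver side: cheap field checks, a single SHA-1, then a double-spend
    check. `seen` is the receiver's store of already-accepted stamps and
    `today` (yymmdd) defaults to the current UTC date."""
    now = (datetime.strptime(today, DATE_FMT) if today else datetime.now(timezone.utc)
           ).replace(tzinfo=timezone.utc)
    fields = stamp.split(":", 6)
    if len(fields) != 7 or fields[0] != "1":
        return False, "malformed stamp or unsupported version"
    try:
        bits = int(fields[1])
        issued = datetime.strptime(fields[2], DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad bits or date field"
    if bits < min_bits:
        return False, f"only {bits} bits of work claimed, need {min_bits}"
    if fields[3] != resource:
        return False, "stamp was minted for a different recipient"
    if not (now - MAX_STAMP_AGE <= issued <= now + timedelta(days=1)):
        return False, "stamp expired or post-dated"
    if not has_leading_zero_bits(hashlib.sha1(stamp.encode()).digest(), bits):
        return False, "proof of work does not check out"
    if stamp in seen:
        return False, "stamp already spent (replay)"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    store = set()
    s, tries = mint("alice@example.com", bits=16)   # 16 bits keeps the demo quick
    print(s, "found after", tries, "hashes")
    print(verify(s, "alice@example.com", 16, store))  # accepted
    print(verify(s, "alice@example.com", 16, store))  # rejected as a replay
```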
Um .. wait .. isn't there a BUG in SenderID?
Domains below org and info can be registered in DNS within minutes today and are cheap. So it's easy to integrate SenderID into Spamtools by allocating a domain just-in-time, transfer the SPAM and then kill the domain again, all done with a single click of a button. Thanks to anonymous Domain registry services and zillions of Domains out there this will make it likewise difficult to track back the SPAMmer.
However non-SPAMmers will have trouble supporting SenderID in their domains. I for my part often roam ISPs, so it's hard to track all those outgoing MTAs to add them to my SenderID entries of the domains I use to send eMails from.
As a consequence this means it's easier to make SPAM conforming to SenderID than to do this in my highly mobile world. Thanks again, Microsoft, and poor users of Hotmail.
SenderID shall be integrated in the ReverseDNS of the sending MTA and not in the Domain seen in From! It's relatively easy (thanks to djbdns-tools) to automatically add SenderID records to this reverse lookup of the Relay on the fly, such that all From-Addresses show up in the reverse as soon as the eMail is relayed. However this does not help, as open relays then automatically add SenderIDs as well.
Checkmate. Either way, SenderID promotes SPAM.
it hardly matters. no one can email hotmail as it is.
Everything ends up in the junk box including emails asking about how college is going.
And MS tags anything from gmail automatically cause most of those never even are received at all
Totally agree! MS can start working on it immediately after they've finished off Longhorn.....
I don't really know what people do with their address to get spam level up to annoyance level. I've three email accounts, and the last spam was received in October 2004 (in my hotmail account). The other two accounts have never seen a spam-mail.
Even though I classify every email from Hotmail itself as junk, they still kept getting into my Inbox instead of the Spam folder.
Something struck me a few weeks ago, when MS said that they were dropping *nix versions of a virus scanner company that they had just bought (where's my rant? Let's see - here. I'll re-state it to see what people think):
I think MS is trying to get into the Internet "backbone" a bit more. They're going to provide filtering on the client side (anti-spyware and anti-virus products) but only MS boxes will be able to provide filtering "in between" and the majority of "heavy lifting" on the Internet is done by *nix boxes.
If MS can claim to be the only entity that can filter out junk between client and server (or peers, or whatever), they might be more likely to be considered for such heavy lifting tasks, since this would free bandwidth for more lucrative payloads...
CEO@Clarion.com to BillyGates@hotmail.com -- So have u figured out how to integrate Gator into Longhorn yet...
Message delivery failed due to invalid SenderID record...
News Reporters Make Tasty Polar Bear Treats!
Since 90% of the email is spam, Microsoft can use their usual programming techniques and generate a random number. If it is less than 90 then delete the mail else let the mail go through. Easy...
What does your Credit Report look like?
Microsoft is playing a dangerous game. Most of their Hotmail users will not understand why they are not receiving their emails or how to remedy it. They will blame Hotmail.
Microsoft, hoisted by their own proprietary petard.
One ring to bind them - should probably have more fiber and less rings in their diet.
Microsoft claims that 90% of email on the internet is spam. So from now on, 90% of all mail received will be automatically deleted. Thank you.
A better way is to choose who can send you mail in the first place. If you don't want someone sending you mail - shut off the ability for their message to get to you. Channel-based communications, where the message is authorized by a key (like keyed-based email ... i.e. joe+key@zoemail.com) lets the receiver choose who they want to hear from. And since spammers don't get keys, spam doesn't get to your inbox. (And if they get a hold of a key from one of your friends, change the key).
Zoemail (http://www.zoemail.com/) owns the Bell Labs patent. Yahoo tried this, violated the patent, and now are going for this inferior spam control method DKIM
What product have they done this with and what was it inferior to at the time?
and another question
Why should a company not use its marketshare to leverage its products?
This works for now. However when everyone moves to it, it won't help at all. It is trivial for spammers to get around this - follow the standard. They don't bother now because most of their mail isn't being stopped by this trick. When it starts stopping a lot of email they will just implement that part of the standard and greylisting will become useless.
So, who kept their hotmail after MS bought it?
Funny thing is, they still have to keep some of the old bsd machines around for ... stability.
IF YOU FEED THE MONKEY IT WILL KEEP COMING BACK.
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
Hotmail has decided to block all e-mail not from hotmail in an attempt to cut down on spam
Microsoft will patent their solution, and refuse to license it to open source developers. Hence no more free email servers that will work with the network.
If microsoft developed a solution that worked and released it as an open standard then I'd salute them. But given their previous business practices I doubt that. And when this sendmail replacement becomes part of the Windows server offerings, hello new monopoly.
The reality is that if you're using a hotmail address for anything that is even remotely important then you should really get a clue. The best thing anyone can do is get a new email address. There are so many better alternatives out there.
1. Spam filtering. ...
2. Preventing forged headers.
3. Making e-mail sending computationally expensive.
4.
5. Profit!
Being funny is my sig nature.
Especially if you don't care about security.
You don't have my key. If you get a signed message purporting to be from me, you have no way of telling if that was actually my key. You need an easy way of finding out my key. Also, srhawrtrdh12532@hotmail.com has to somehow be prevented from getting a valid key on the grounds that he doesn't exist. (Yes. I know; keyservers and web of trust and so on and so forth. I think you'll find that incredibly few people use PGP properly. Very few get anyone to sign their key. Very very few have enough people signing their key to help build a genuine web. Almost no-one properly checks the identity of the sender and the key before trusting the key)
In soviet russia stale jokes recycle you!
How is that a good solution? What about setups (such as mine) that depend on timely email delivery to a lot of people. This will not work for me. Although with SA, ClamAV and a bunch of blacklists, I get very little spam as it is.
With so much money apparently out there to be made, slimy spammers will turn to using discardable domains with valid domain sender and MX records.
They don't have to change machines, either. Just reconfigure the virtual hostname and DNS info, and they're ready to spam.
If I were into that kind of thing, here's what I'd do: write a script to set up a virtual domain with a DNS server, sendmail, and some firewall rules. Buy a list of domains, acquire a few zombies for mail proxy, and "4. Profit!". You could rotate domains hourly, or keep several up at once, all sharing the same hardware. If one gets blacklisted (and you care), just buy another domain name.
SenderID doesn't say anything about the mail server accepting mail, so pesky, bandwidth-choking bounce messages aren't a problem. A spam server can just drop any requests for incoming port 25. The resources are wasted on the machines which generate the bounces, not on the spam server. That's one reason why spam is profitable.
sigs, as if you care.
Right now most of us have two buckets in our mail programs: our inbox and junk mail folders. If we did have 'sender ID' (or whatever wins) then we could have three (or more) buckets: known senders, inbox of unverifiable senders, and junk mail.
At first, we wouldn't get much traffic in the known senders bucket but there would eventually be a cross-over point where the vast majority of the mail we want to receive is funneled to the known senders folder and we stop paying attention to the regular inbox of unverifiable senders (or we only look in it a couple of times a day).
Of course whatever happens next will need to be evolutionary, but this path seems like a reasonable one to me.
-- Scott
Wouldn't be too hard. A few questions like:
- What's a firewall?
- What's an anti-virus?
- What browser do you use?
- Should you open this attachment?
- Should you download this software?
. . . would weed out almost every user who, metaphorically, throws his computer open and yells "Free bandwidth, get it while it's hot!" to the spammers. Without a huge global network of PCs sending their spam out for free, spammers can't send spam, and the whole problem goes away.
Note for the humour-impaired: Yes, that is in fact a joke.
So.. it has come to this
Why? Because I never bought any. Fancy that. And I don't care how high the SPF is. I can lay that stuff on three layers thick, and I still burn in 10 minutes. That junk just seals in the flavor.
I just got back from New York and the Email Authentication Summit (http://www.emailauthentication.org/summit2005/agenda.html) that covered all of these topics. Here's the last one-page summary on all 3 (SPF, Sender ID, DKIM):
How is validation performed?
  SPF - RFC2821 MAIL FROM address ("bounce" or "envelope from" address)
  Sender ID - RFC2822 PRA FROM address
  DKIM / DK - Designated "signer" address / RFC2822 FROM address

Strengths
  SPF - Reduces bounce messages where the victim receives errors for mail they didn't send
  Sender ID - Validates the identity most users see and reduces the threat of phishing
  DKIM / DK - Provides end-to-end validation over multiple hops (i.e. forwarding)

MTA updates?
  SPF - Receiving update required
  Sender ID - Receiving update required
  DKIM / DK - Sender / receiving MTA update required

Weaknesses
  SPF - Only validates the last hop
  Sender ID - Only validates the last hop
  DKIM / DK - Can be "broken" by imperceptible changes (and FWD: >'s in messages)

Publishing / signing
  SPF - Easy. Publish and maintain in DNS.
  Sender ID - Easy. Publish and maintain in DNS.
  DKIM / DK - Create keys & publish in DNS.

Mailing lists
  SPF - Easy
  Sender ID - Easy
  DKIM / DK - Hard

Forwarding
  SPF - Hard
  Sender ID - Requires a header added
  DKIM / DK - Easy

Performance
  SPF - Negligible. ISPs may cache to improve.
  Sender ID - Negligible. ISPs may cache to improve.
  DKIM / DK - 5 - 10% processing CPU
Well, I'm sure that to the people who run hotmail, it must seem that way.
Chris Mattern
"If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."
Umm... it's already happening. A number of my friends and I have noticed that e-mails we send sometimes end up going to the Junk E-mail folder. And yes, it's already starting to tick a number of ppl off, forcing them to use other means.
If sender ID goes in, the software that takes over a target machine will just have to use the normal sending identity for that machine, or, more simply, transmit it back to the bulk mailer so the mailer can construct the outgoing messages accordingly.
MX Logic reports that, as of March, 9% of spam already has valid SPF markings, and 0.83% have valid Sender ID markings. So the technology to bypass SPF and Sender ID is already deployed.
Don't use Hotmail...
Based on the information at this URL:
http://www.maawg.org/about/whitepapers/spf_sendID
it appears as though AOL has adopted both SPF and Sender ID based records, as per here:
host -t TXT aol.com
;; Truncated, retrying in TCP mode.
aol.com descriptive text "spf2.0/pra ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
aol.com descriptive text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
Phishing schemes attempt to mimic the most common banks and such.
All that Microsoft would have to do to kill phishing on Hotmail would be to check the From: field for paypal, ebay, USBank, MBNA, etc and then see if the sending IP address matches the sending machines for those sites.
And I'm sure that Microsoft would get lots of help from those companies to keep Microsoft's list current.
There, instant death for phishing those sites. Then they could work to the less common banks and such.
Getting a phishing email from Ethel's Bank and Feed Store in Nebraska won't affect too many people. And it shouldn't be too difficult for those smaller banks to contact Microsoft and confirm their identity to be added to the list.
So, Microsoft kills all phishing on Hotmail and doesn't require any other email servers to adopt anything new.
Google can do the same with gmail. Yahoo! can do the same. Everyone can maintain their own lists.
Eventually, the banking regulators should get involved and provide a secure list of those addresses.
This doesn't solve the same problems as SenderID and SPF solve, but it does get rid of the phishing TODAY. And this issue NEEDS to be solved TODAY.
I don't know anyone in Asia. You don't know anyone in Asia. What is so wrong with this:
Seriously though, spam is a simple problem with a simple solution. It's just that the solution isn't popular enough: PGP.
-- I was raised on the command line, bitch
I don't know anyone who uses Hotmail for anything other than SPAM collectors. The interface is slow and cluttered, the terms (must sign on once a month) more restrictive, and they have demonstrated that they can't keep up with the space-race between Google and Yahoo (and some others). I rank their free e-mail offering a couple of notches below MyWay, Netscape and people's local ISPs, which are also responding to the space race with more generous storage deals.
Even AOL's new AIM e-mail, now that it has IMAP support, is making the others look weak.
Now if Hotmail would just drop the sign-on frequently requirement it would be the perfect SPAM trap. I could direct all my junk mail there and they would delete it automatically. Way to go MS! Innovation!
Have a yahoo email account and can tell you since they started their new email authentication, I get plenty of Spam. Furthermore some legitimate email hasn't gotten through. With AOL some email I send doesn't arrive and I have to send again. If Microsoft succeeds in pushing their junk through, then it will make it that much easier for spammers. After all they have only one system to target. Diversity in products can make these creeps' job difficult if not impossible. Don't use Norton or McAfee antiviral software but an open source free app.. Practically no viruses enter. And when they do it is my own fault and they are easily isolated. Reason is probably not only is the software good, but not that many people use it. Ergo some malicious creep isn't going to try and waste their time cracking it.
DKIM lets domain owners "easily" sign all email coming from them as valid. DKIM does not do encryption or per-user authentication. PGP and S/MIME can do both encryption and per-user authentication, but it requires certs and public-key infrastructure (PKI) stuff that makes it much more complicated.
So, if you want to know if the email you received from ebay is legit, use DKIM (or SPF). If you want to know if the secret contract you are negotiating with is really from the CEO of ebay, use PGP (or S/MIME).
SPF support for most open source mail servers can be found at libspf2.
Last week they had an article with three spelling mistakes in one sentence. I emailed them; they ignored it. So good luck. Nevertheless, I modded you up from the current -1, which is why I'm posting this AC.
Be a real software company and tighten up your mail systems. And quit trying to reinvent the wheel.
I can sit and watch my RBL rejections on my spam filters running Postfix and 90% of my spam comes from AOL, Yahoo, and Hotmail...so F U Microsuck. Before you remove the spec from my eye...take the big fucking tree out of yours.
That's 'anally retentive'. Anally obsessive is more descriptive of rainbow flaggers.
>>> a significant portion of valid e-mails would never reach intended Hotmail recipients
Wouldn't this cause the last remaining hotmail users to switch over to Google's gmail?
I get very few spam messages in my gmail account and I think all the intended emails are reaching me (since nobody complained to me about my not responding to them).
Ok, this is massive FUD. SenderID & DKIM's single jobs are that IF a domain has that as part of its DNS _AND_ it doesn't match the mail, then that mail is automatically dumped.
Example 1:
Paypal.com has a Sender ID
Badguy.com sends something and it claims to be from Paypal.com
Hotmail drops the mail
Example 2:
Fidelity.com does not have a Sender ID
Badguy.com sends something it claims to be from Fidelity.com
Hotmail DOES NOT drop the mail
That's it! There's no random dropping or risk to mail. If someone is claiming to be someone they are not, drop them! Simple!
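An added example (not from the summit summary, AOL, or any commenter) showing what an SPF check actually returns for the cases discussed above: the aol.com record quoted earlier is embedded as a constructed stand-in for DNS, and a domain with no record yields "none", which a receiver then accepts or rejects by its own policy. The example.net and nospf.example entries are hypothetical.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The aol.com record is the one
# quoted in the thread; example.net is a hypothetical strict record.
DNS_TXT = {
    "aol.com": "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 "
               "ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 "
               "ip4:64.12.138.0/24 ptr:mx.aol.com ?all",
    "example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=DNS_TXT):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    Handles ip4/ip6 mechanisms and `all` with their qualifiers.  Mechanisms
    needing further DNS lookups (ptr, a, mx, include) are skipped here, so
    they never match; a real evaluator would resolve them.
    """
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"            # no SPF policy published at all
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # ip_network with strict=False tolerates host bits set in the prefix
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
    return "neutral"             # nothing matched and no `all` term


def receiver_action(result, reject_unpublished=False):
    """Map an SPF result to a delivery decision.

    Rejecting "none" (mail from domains that publish no record) is the
    policy the thread is worried about; the default here accepts it.
    """
    if result == "fail":
        return "reject"
    if result == "none" and reject_unpublished:
        return "reject"
    if result == "softfail":
        return "quarantine"
    return "accept"


if __name__ == "__main__":
    for domain, ip in [("aol.com", "205.188.156.200"), ("aol.com", "10.1.2.3"),
                       ("example.net", "10.1.2.3"), ("nospf.example", "10.1.2.3")]:
        res = check_spf(domain, ip)
        print(f"{domain:14} {ip:16} {res:8} -> {receiver_action(res)}")
```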
I have multiple hotmail accounts, and one of them is a generic name that could easily get slammed by dictionary spammers. The other is a not so generic name. I literally NEVER get spam on that account. So your claim that hotmail purposely sells its lists or allows spam to go to ALL hotmail members is bogus. Stop signing up for pr0n, stop giving merchants your email, and don't use email addys like puppy123@hotmail.com and I guarantee you won't have any spam from anywhere. Hotmail most definitely does NOT allow spam, nor do they sell their lists or anything like that. If you don't believe me make a new hotmail account, don't give the address to ANYONE... and see how much spam you get. You won't get any, guaranteed. But of course you must make your email address something that a dictionary can't get etc..
Then what is the verb meaning "to use as a metaphorical lever"?
What is the verb meaning "to set up a straw man argument when you're defending a position that is simply wrong" ? (How about "slashturbate"? Oops, no, that's already gone. How about "slashtervate" ?)
Leverage *is* a noun. Most all of the places where it is used in bizspeak, appropriate words would be "harness", "employ", "utilise", or, best and simplest, "use". Once you've got that phrase vertically integrated into your knowledge mobilisation, we can fully harmonise the synergistic value-add of our dialoguing.
"Microsoft claims that 90% of email on the internet is spam."
My Gmail account is 90% of the internet.
It does not exist.
SA has been great with respect to false positives. I've only had 1 or 2 non-spam messages ever wind up in the "probably spam" folder (which only sees about 3 spams per day... not too hard to sort through), and have never had a non-spam message rejected outright (if I had, the sender would have contacted me and said, WTF? since I reject during SMTP... I don't /dev/null any mail.)
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Will Microsoft delete legit e-mails coming from Yahoo! ?
It sure does. It verifies that the envelope data came from the sender's server. It checks the envelope data and compares it to the SPF record from your domain. One way around this is if an email server is an open relay allowing anyone to send email through the server. However most email admins do not allow others to relay thru their server. Here is a great email related list serv: http://www.ipswitch.com/Support/IMail/discussion_list.html
Unlike others posting here, I have no bright ideas. But I do have worries and I do have hopes. Worry: a commercial solution will become standard and force me to use software not of my own choice. Hope: a non-commercial solution will surface, proving that GNU (*) has new ideas.
--
* or FSF or OSS or foo or bar or whatever the heck is the politically correct way of saying this without starting a flame war.
Sender-ID advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which vary from state to state.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires cooperation from too many of your friends and is counterintuitive
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
(x) Ideas similar to yours are easy to come up with, yet none have ever worked
( ) Other:
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
(x) Other: cheap throwaway domains
and the following philosophical objections may also apply:
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures cannot involve wire fraud or credit card fraud
( ) Countermeasures cannot involve sabotage of public networks
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
( ) Other:
Furthermore, this is what I think about you:
( ) Nice try, dude, but I don't think it will work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
(x) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Assume I was drunk when I posted this.
SPF seems like it might not allow forwarding and remailing to work, though.
Under SPF-aware forwarding, each remail operation on a message replaces the envelope's sender address, and only the newest envelope is checked against the domain's SPF record.
We know that spammers are smart, and thus hard to catch/stop. We also know that the people who respond to spam are dumb, or they wouldn't do it. Since they're dumb, they're much easier to catch.
Seems the obvious solution here is that if you respond to spam, we shoot you. This should quickly stop people from responding to spam, and thus make it unprofitable for people to send spam in the first place.
As an added bonus, more oxygen for the rest of us.
paintball
I didn't realise when I replied to you earlier that you are not just a regular proponent of SPF, but Wayne* , so of course, you're very familiar indeed with the pros and cons of SPF. My apologies for not recognising you earlier, and for perhaps oversimplifying what I think all sides in the debate will concede is a difficult problem.
* I guess you've been on my Friends list for so many years, I'd long forgotten *why*
My next sig will be ready soon, but subscribers can beat the rush
Thunderbird filtering works for me quite well, but it doesn't really stop the onslaught of assholes promoting their worthless crap by filling the servers' pipes. My inbox just doesn't see their junk as it is auto-deleted.
In other words, I might support it if it does its job (reduces spam) while simultaneously allowing me a reasonable level of freedom (i.e., ability to continue running my mail system). The concern I always have is that it might turn into what port 25 blocking has become: a mechanism to force users to route mail through pathetic "approved' servers that do bizarre things with mail.
For better or worse, I think when that happens you might see an alternative to SMTP and the standard mail system come about. I personally think that will be a good thing.
SPF is roughly on par with the overpriced solutions that consultants sell stupid, desperate clients. Think Y2K era. People will do *anything* to stop spam, so they accepted an authentication system that:
* Doesn't have anything better than domain-level granularity (If I compromise a single account at Ford, you've got a fun time ahead of you.)
* Doesn't actually provide a proposal as to how to stop spam (this is actually verbally danced around on the SPF website, with hand-wavy statements about webs of trust and other things that have failed to materialize).
* Doesn't deal with throwaway domains.
* Treats as trusted a non-authenticated transport (DNS), which allows not only breaking SPF, but due to DNS caching, severely breaking it.
* Has severe side effects. We've moved away from the era of the true peer-to-peer mail server, where each box ran a mail server and didn't need to own a domain, and I'm still getting spam. However, now I have to live with the side effects.
Basically, SPF is a system that attempts to do nothing other than authentication to a domain (not spam stopping), and fails to securely do even that.
The problem is the people that say "yes, it won't *stop* spam, but it will stop N%". The problem is that if you continue accepting solutions with negative side effects but which can be worked around, spammers simply work around them. Just like biology, if you start dumping a small amount of antibiotic on bacteria, sooner or later you have bacteria that aren't bothered by the antibiotic (except spammers are a lot smarter than bacteria and evolve a lot faster). No solution with negative side effects should be adopted unless it really has promise to *stop* spam in a non-workaroundable way, or at least permanently reduce it to an insignificant amount.
I'm just waiting for people to give up and use PGP (or similar) with whitelists plus some sort of trust system. It will happen sooner or later. It might wait until Outlook starts doing it, but it will happen.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
As a bit of a digression, I just started using graylisting on mailsnare.com, and I was wondering what other mail providers people use that they're pleased with.
(I used a bunch of online comparison resources to find mailsnare, and chose it because the configuration is most like my own mail processing system (ClamAV + SA) so I could configure it to block a bunch of mail before I have to download it and because they do encrypted pop/imap. Oh, and because they give you a subdomain of your own, which my previous university did and I had gotten attached to.)
I don't have much to compare it to, but I haven't had any problems getting email through, so they beat my place of employment and my former university, both of which were known for occasional glitches and hold-ups.
I'm a bit curious to know what services the other techies on Slashdot use, particularly if they're quite happy with them or there are unusual, geek-friendly features.
I'm not tied to mailsnare (since I have a "lifetime" account elsewhere that forwards to them), and I could pretty easily switch services if there was something better out there.
The main disadvantage of mailsnare is that their email boxes are relatively small (100 MB for my account), but which happens to not be a problem for me because my normal mode of operation is to regularly suck mail down to my box via fetchmail, not to leave it on-server (thus, the point of me getting service is essentially to provide a reliable access point that does some filtering and provides a secure channel back to my machine).
Anyone else have favorites that might be worth looking into?
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Please tell me that the acronym DKIM is not pronounced "Dick'em".
This is what M$ does to their customers.
With SPF, I have to set up the info for my domain and the recipient has to have a system that checks that info.
They could do that. But as I noted in my original post, Ethel's Bank and Feed Store isn't going to get many phishing attempts.
Yet I see ones "from" eBay and PayPal and USBank and MBNA and so forth every day.
If MICROSOFT wanted to block phishing attempts to Hotmail users "from" those sites, then Microsoft could collect the necessary information and not wait on anyone else to deploy SPF or SenderID.
I already had the idea. You're the one confused about who does what work to achieve what result.
It's easy to find out if the sending server is in an assigned block.
You're still confused about who would do what work to achieve which result.
I'm already doing part of this with a local blacklist. I don't need eBay to tell me what servers they send their messages from. I can find that info and I can kill all phishing attempts "from" eBay. Even if eBay never filled out an SPF record or a SenderID record.
In other words, I can solve this problem, today, for my system, without them having to setup anything.
I believe there are implementations that use SpamAssassin and weigh an SPF test in. The way to do it is of course to use all the available data, including results of SPF/DKIM if available, and use statistics to assign them weights that produce the best prediction of a message being unwanted.
What it seems M$ is planning is to weigh SenderID compliance more than what statistics would give it, making more non-complying messages go into the Junk mail folder, and by doing so with many millions of mailboxes of users who have no real choice about their spam filters, they can thus force compliance.
One important thing one needs to remember is that in some jurisdictions complying with SenderID would mean either infringing on M$ IP or getting a license from them.
The worst assumption in implementing SPF/SenderID is classifying domains that did not publish an SPF record as non-compliant, when the SPF specification specifically means that not publishing an SPF record has a meaning equivalent to publishing a record that authorizes sending from any server. In other words: The SPF specification has a default record that is assumed if no record is explicitly given and that is the record that is most suitable to the vast majority of email users - those that do not need to protect the use of their "brand name" in hidden email headers (another misinformation in the article is that SPF/SenderID protects somehow against "changing" the "From" header. It does not in any way. "From" is not checked by SPF, and is checked by SenderID only if there is absolutely no other kind of sender/resender headers. I would say that the only thing that these "authentication" schemes do is promote the worse kind of identity theft: stealing credit card info+personal info needed to use the CC numbers, and using these to buy whatever's needed to bypass SPF/DKIM - all that's needed is a domain name to use in a hidden email header.)
Note: This is an on-topic 'ad'. If you hate ads, read no further. If you are 'drowning' in unwanted spam email, please read on.
No single technology will bring spam under control. It's going to take a blend of technologies, namely:
Spam filtering.
Preventing forged headers.
Making e-mail sending computationally expensive.
I did this back in July, 2004 as Windows shareware, the platform that could *really* use such software.
Note: Submitted with 'No Karma Bonus' to prevent cries of 'Karmawhoring/astroturfing'.
You shouldn't have any problem with SPF.
First, you need to publish a one line SPF in your DNS record. That's a few minutes work.
And then, if your forum software allows a forum member to email another forum member using your server and their email address in "From", then you should either have an additional "Sender" header with an address in your domain (which is really the correct way to do it and comply with email standards - rfc2822), or you can use your own address in the "From" and their address in "Reply-to" (which is less standards compliant, because rfc2822 defines "From" as the author and "Sender" as the one actually sending - such as when a boss dictates to a secretary and the secretary sends).
No need to alter ebay/paypal DNS.
:-(
No need to spoof IP.
Method 1:
You need a bunch of stolen credit card info with enough personal info to use for small payments online.
You buy domains werothjwer.com werwervser634.com etc. (not paypa1.com)
You send your spam with Paypal.com/ebay.com in the "From" header and with werothjwer.com in the "Sender" header and the SMTP envelope-from.
Your email passes SPF/SenderID tests perfectly, and the recipient email client (Outlook Express?) proudly presents email "From: paypal.com" (not paypa1.com!).
By the time someone complains about you using their credit card your phishing emails are history, and you have a pile of new CC+personal info to use for your next venture. Paypal/ebay can seize all your registered domains because you don't need them anymore. You get new ones every day using fresh stolen identities.
Method 2:
No need for the classical identity theft (Credit card+personal info). You alter the trojan horses that power your spam sending botnet to use info from the compromised machine's credentials in the "Sender" header and the SMTP envelope-from and route it through the servers listed in the email account info on the infected PC. You can still use paypal.com or ebay.com in the "From" field.
SPF/SenderID are very well suited to fight late 20th century spammers' methods, but the 20th century is over and spammers don't use these methods anymore.
The real mistake with all those "authentication" methods is that the data they try to "authenticate" is quite meaningless and useless in the email protocols. The only piece of data that has any significance in an SMTP transaction is the recipient's envelope address. If it is not correct the message never gets to its destination. The rest is quite useless, especially for bulk mailers (the envelope-from is there for error messages in case of indirect delivery, and the different headers indicating "message origin" are there for replies. Bulk mailers have no interest in either of them so they are free to abuse them). If you don't want to be fooled with an email "from paypal" that is not from paypal, all you have to do is to give paypal a unique address to send mail to you. Mail sent from paypal to that address is from paypal. Mail sent "from paypal" to any other address you use is not from paypal. So the only thing needed to protect people from themselves is to educate them about using unique email addresses with those entities such as financial institutes where they want to be sure the email sent is really from the intended sender. It's not foolproof, but it would be extremely difficult to break this in bulk. It's not like harvesting/purchasing huge lists of addresses. It's a real effort to recover each single address.
One obstacle to public education is that ISPs have no interest in having their customers know that email addresses are so cheap. The only thing that locks Joe Sixpack or Jane Shoponline to their ISP is the precious email address they got from their ISP. Changing an email address is a hassle and most users don't realize that there's no real reason to use the email address supplied by their connectivity provider (except to make it difficult to switch providers).
One suggested method to base authentication on recipient's address is VarA (http://wiki.outboundindex.net/VarA). VarA is a way to do it without any database. There are many other ways to do it, but actually all one needs right now is a disposable email address service like spamgourmet.com or sneakemail.com, or an email provider that allows users to use all addresses in a subdomain (like FastMail.FM allowing user jcitizen to use all addresses like anything@jcitizen.fastmail.fm). There are many other services that provide similar functionality. There is no "best" option here. I use a combination of the three above and addresses in my own domain (another cheap option). One concern that I have with those "authentication" schemes like SPF is that they would make it harder to use bulletproof anti-phishing protection like unique addresses for an "authentication" scheme that any half educated spammer would be able to bypass...
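An added example, not from any commenter, tying together the rfc2822 "Sender" advice for forum software and the point that Sender ID checks the PRA rather than the displayed "From": it picks the PRA in the RFC 4407 header order and, as the receiver-side mitigation suggested earlier in the thread, flags mail whose From domain is a heavily phished brand while the PRA belongs to some other domain. The messages and the BRAND_SENDERS allow-list are constructed; a real receiver would additionally run the SPF check on the PRA domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Sender ID's Purported Responsible Address is taken from the first of these
# headers that is present (RFC 4407); From is used only as the last resort,
# which is why a spoofed From can coexist with a perfectly valid Sender.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

# Hypothetical allow-list of the kind the post above suggests a receiver
# could keep: brand domain -> domains permitted to act as Sender for it.
BRAND_SENDERS = {"paypal.com": {"paypal.com"}, "ebay.com": {"ebay.com"}}


def purported_responsible_address(msg):
    """Return the PRA mailbox of an email.message.Message, or None."""
    for name in PRA_HEADERS:
        value = msg.get(name)
        if value:
            return parseaddr(value)[1]
    return None


def domain_of(addr):
    """Lower-cased domain part of a mailbox, or None if it has none."""
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def brand_mismatch(raw_message):
    """Return (from_domain, pra_domain, flagged).

    flagged is True when the domain users see in From is a protected brand
    but the identity Sender ID would actually authenticate (the PRA) is not
    one of the domains allowed to send on that brand's behalf.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    pra_domain = domain_of(purported_responsible_address(msg))
    flagged = (from_domain in BRAND_SENDERS
               and pra_domain not in BRAND_SENDERS[from_domain])
    return from_domain, pra_domain, flagged


# Constructed sample messages (headers only matter here).
SECRETARY = ("From: boss@example.org\nSender: secretary@example.org\n"
             "Subject: minutes\n\nbody\n")
FORUM = ("From: member@othermail.example\nSender: forum@forum.example\n"
         "Subject: private message\n\nbody\n")
BRAND_NO_SENDER = "From: PayPal <service@paypal.com>\nSubject: hi\n\nbody\n"
BRAND_OTHER_SENDER = ("From: PayPal <service@paypal.com>\n"
                      "Sender: news@throwaway.example\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    for label, raw in [("secretary", SECRETARY), ("forum", FORUM),
                       ("brand, no Sender", BRAND_NO_SENDER),
                       ("brand, other Sender", BRAND_OTHER_SENDER)]:
        print(f"{label:20} -> {brand_mismatch(raw)}")
```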
> ... effective litigation and prosecution
> is made more difficult by a lack of
> effective authentication for email traffic.
> These are things that SenderID and SPF are
> designed to address
These are NOT things that SenderID and SPF are designed to address! Neither of them can authenticate the real identity of a person responsible for sending email. The only thing they "authenticate" is that someone that paid for the use of a domain has set permission for email to be sent with some hidden header field containing the domain name from a list of specific computers (IP addresses listed either directly or indirectly in an SPF record). There is nothing here that can identify a person. Spammers have already used SPF authenticated domains that they purchased with stolen identities (credit card info). The ONLY THING SPF/SenderID provide is very limited protection for brand names.
On the other hand, following the money (credit card payments to spammers) has already proved effective for litigation, and it doesn't necessitate any change in technology.
As evilspammer@example.com, I could set my spf record to be 24.0.0.0/8 so I could then spam from anyone in that space. Or I could have short lived TTLs for my recently r00ted WinDoze boxen in my zone, utilizing dyndns to push them out. Anyone who thinks spammers can't run their own dns servers or manage technology is in denial.
I use a different email address with each subscription (I use sneakemail.com for that). Some email addresses of mine have been harvested from several online forums, but with the addresses I publish on Slashdot this happens more often than anywhere else. I change my address on Slashdot every few days, and usually it takes no more than a week for the address to be picked up by spammers (one time it happened on the same day).
> With several gmail accounts, I never have trouble managing spam ...
Of course you have! You have to check each account separately. And in time you might find out that it's difficult to dump an account when you're not sure that you remember who got the address. What you really need is a single account with multiple addresses (in a way you already have it in gmail: if you are user@gmail.com you can use user+anystring@gmail.com).
One popular way to do it is to use a disposable addresses service that forwards the mail you receive at any of your multiple addresses there to your mailbox (the one you already use, such as your ISP or your gmail account).
Another approach is to register a domain - usually you would get free email forwarding with that. Then you can use all the addresses in your domain. This costs less than $10 a year and has the added benefit that having your own domain is cool (and you can send your love letters from "the_one_who_loves_you@mydomain.net").
There are some email services that allow a user to use a whole subdomain (e.g. jcitizen@fastmail.fm can use anything@jcitizen.fastmail.fm). This is much like registering a domain but without having to either forward email or host it somewhere.
The benefit of all these methods is that you get all your email in one place, but they still come to different addresses so it is easy to cut off a spam stream if one of those addresses starts getting spam.
Each one of these methods has its own advantages and disadvantages. I use a combination of several of them, but one or two of them are good enough for almost anyone.
I use sneakemail.com and spamgourmet.com for "disposable addresses". They are very different services. At least spamgourmet is a service everyone should know about because it's the most hassle-free service on earth: about 20 seconds to register and then use transparently. SneakEmail requires more work but in return gives a lot of control. I use it with financial institutions (bank, credit card...) as it totally eliminates the risk of phishing.
Then I use fastmail subdomains and aliases, and I use my own domain that I host with fastmail. Fastmail allows for very detailed filtering of incoming email using the Sieve filtering language, so this allows for management of all the email coming from different addresses (sorting into folders, applying different spam filter sensitivity to different sources...). Gmail is a bit less powerful than Fastmail in filtering ability (e.g., envelope info is not available for filtering in Gmail) but it is very easy to set up filters in Gmail to separate and label incoming email forwarded from sneakemail, and the search functionality in Gmail can also do this job. Of course I could do with one email address and one disposable email address, but I like to play!
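The posts above describe one scheme in three forms (user+tag@gmail.com, anything@jcitizen.fastmail.fm, anything@mydomain.net) and the two things it buys you: a leaked address can be cut off without touching the others, and an address handed to exactly one party (a bank) should never see mail from anyone else. What follows is an added example, not code from the thread or from any of the services named: a Python delivery filter that extracts the per-correspondent tag from any of the three address forms and routes on a registry of who was given which address. The domains, the registry and the policy are hypothetical; the same logic could be expressed in Sieve on a provider that exposes the envelope recipient.

```python
# Constructed example of routing on the recipient address. The domains, the
# tag table and the policy are hypothetical; a real deployment would keep the
# table in the mail store and run this logic from a delivery filter.
PLUS_DOMAINS = {"gmail.com"}                   # user+tag@domain
SUBDOMAIN_ROOTS = {"jcitizen.fastmail.fm"}     # tag@user.provider
OWN_DOMAINS = {"mydomain.net"}                 # tag@own-domain (catch-all)

# Every address ever handed out: who got it and whether it is still live.
TAG_REGISTRY = {
    "bank":          {"owner": "bank.example",       "active": True},
    "forum2005":     {"owner": "some-forum.example", "active": False},  # leaked, cut off
    "slashdot-0910": {"owner": "slashdot.org",       "active": True},
}


def extract_tag(recipient):
    """Pull the per-correspondent tag out of any of the three address forms,
    or return None if the address carries no tag."""
    local, at, domain = recipient.strip().lower().rpartition("@")
    if not at:
        return None
    if domain in PLUS_DOMAINS:
        _, plus, tag = local.partition("+")
        if plus and tag:
            return tag
        return None
    if domain in SUBDOMAIN_ROOTS or domain in OWN_DOMAINS:
        return local                      # the whole local part is the tag
    return None


def route(recipient, header_from_domain):
    """Decide what to do with a message delivered to one of our addresses.

    Returns (action, reason). Actions: a folder name, "inbox", "quarantine"
    or "reject"."""
    tag = extract_tag(recipient)
    if tag is None:
        return ("inbox", "untagged address")
    entry = TAG_REGISTRY.get(tag)
    if entry is None:
        # A catch-all domain receives dictionary-attack spam for addresses
        # that were never issued; bouncing those keeps the catch-all usable.
        return ("reject", "address %s was never issued" % tag)
    if not entry["active"]:
        # The stream this address fed has been cut off after it leaked.
        return ("reject", "address %s has been cut off" % tag)
    if header_from_domain.lower() != entry["owner"]:
        # The address was given to exactly one party; anyone else using it
        # has either obtained it from a leak or is phishing.
        return ("quarantine", "address issued to %s, used by %s"
                % (entry["owner"], header_from_domain))
    return ("folder/" + tag, "ok")


def burn(tag):
    """Cut off an address once it starts receiving spam."""
    TAG_REGISTRY[tag]["active"] = False
    return TAG_REGISTRY[tag]
```

The owner check on the From: header is only a weak second signal, since that header is forgeable; the strong property is the one the sneakemail post relies on, namely that a phisher never learned the bank-only address in the first place, so a phish lands on a different address than the real bank's mail and is visible as such. Rejecting unissued tags matters for the own-domain and subdomain forms, where a catch-all would otherwise accept every dictionary-attack probe.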
Yet you claim to have "phish attempts" for a user base of 20,000.
So, what are the odds that someone sending a phishing message will hit someone on your site? 1 in 10,000? 1 in 100,000? 1 in a million? 1 in 10 million?
And if they do succeed, what have they gained? With a real bank, they have access to the account. You might want to pay a little bit more attention to this thing called "reading with comprehension".
I have never said that everyone "with a mail server" should spend any time collecting this.
I said that if Microsoft wanted to deal with the problem, today, they could.
Hotmail has a lot more users than you do. USBank has a lot more users than you do. For a little bit of work, Hotmail users could be safe from phishing attempts targeting USBank.
Am I going too fast for you? Taking into consideration your inability to read, I don't feel bad about your opinions on other topics.
Or do the names "Microsoft" and "Hotmail" mean "everyone" in your world? Why would they have to guess? Not everyone has the same intellectual issues you do. Reasonable adults can take reasonable steps to ensure that they know to whom they are talking. Particularly with well established companies such as Microsoft and eBay and USBank, etc. Again, why waste time with guessing? Did you miss this line in my original post?
And I'm sure that Microsoft would get lots of help from those companies to keep Microsoft's list current.
If you disagree with the concept, show why they would not/could not cooperate with Microsoft. Again, they are not using SPF. Very few people are using SPF.
I'm talking about solving this problem, today, for all the Hotmail users. I'm not even going to ask how you would presume that this would screw up anyone's email. You don't even understand how it is possible for two businesses to securely communicate.
Good luck in your little fantasy world with your 20,000 users.
> It's the #3 I wonder about.
> Why are they trustworthy?
You have a point! I have no idea. Just gut feeling! What do others think? Can it be that Slashdot "sells" our email addresses? I believe that it does not, but then it's just my belief, unsupported by facts.
A more general issue: if I agreed that my email address be displayed on a website (such as by checking a box that says I agree), is that website allowed to give my address to anyone in any other way other than posting it where I expected them to post it (e.g., in my public profile and alongside my posts)? I believe not.
Remark (for those who came directly to this post): #3 refers to the grandparent post where I said I trust that Slashdot did not give my address to spammers.