Slashdot Mirror
Microsoft and Yahoo! Fight Spam - Sort Of
kyndig writes "In a Forbes article, Microsoft claims that 90% of email on the internet is spam. To fight this, Yahoo! has teamed with Cisco in developing DKIM, a signature based email authentication. Not to be outdone, Microsoft is proposing SenderID, which examines an email to see if it is coming from an authorized server. Earthlink's chief technology officer, Tripp Cox, goes on to examine the pro's and con's of each specification and provides practical application results." From the article: "Critics have accused Microsoft forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systems do not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."
Right, somehow I doubt microsoft would start deleting e-mails. That's just silly. The instant someone finds out a real e-mail was deleted is the instant they switch e-mail providers.
This has bad news written all over it. These companies are going to try and use their size to push their technologies on everyone else. This will result in systems that are beneficial for Yahoo and Microsoft, but that don't adress the needs of everyone else. If something like this is done, it should be done internationally by a group of companies and individuals from a variety of backgrounds.
Voice your opinion!
is all the major companies sit down and design a new email system. the current email system is like a sinking boat they are trying to patch and prevent it from reaching the bottom. now, everyone is going their own seperate way (MS, Yahoo), where there will be no standard. the whole system needs to be scraped and rebuilt from the ground up taking into consideration spam, which was never present when the system was designed.
With several gmail accounts, I never have trouble managing spam. I don't reply to suspicious e-mails, and if I do, I am sure not to use the return e-mail address of my primary account. I keep an account for things like ebay, rentacoder, guru.com, etc., and a seperate account for personal e-mail. I have been doing this for over a year and I have only received six spam messages, and those were in the secondary account. I don't see why AOL couldn't encourage their users to do this. Isn't this why we have multiple e-mail accounts available from ISPs?
Powered by caffeine and sugar; BSD
One of the main problems with this, in my OPINION, is that corporations can't keep up with individuals. It is sort of like how Geurrilas, from the time of the US colonies to Vietnam, have been able to put a hurting on huge armies.
Corporations aren't as light on their feet as spammers and internet miscreants (for the most part- I know I am speaking in generalities).
It takes many meetings over years it seems (Meetings- None of us is as dumb as all of us...) to come up with a new policy or system regarding spam etc.- commitees are formed, proposals made etc. Then, someone (or group) without meetings, without authorizations, comes up with a way around the new system.
As has been said a zillion times before on here, by people more intelligent than I- the only way to stop Spam is to make it not pay, by having no one respond to it. It is like Drugs or Prostitution- if there were no client base, there would be no sellers....
And All I Ask is a Tall Ship And a Star to Steer Her By
Not really. Once people start seeing that every mail from everyone they know excpet those on hotmail get a warning it will cease to be effective.
False positives are WORSE than false nevatives.
SpamAssassin reduces my spam by 98%. That's just one example of filters... the point being that the more filters deployed out there (at ISP's, companies, etc), the more spam gets auto-tossed into the bit-bucket, and the less economically viable it is. Simply starve the market, requiring no protocol changes.
Dump the IRS - http://www.fairtax.org
PGP key's? I thought people knew about and used these. With a pgp key, it is signed with an encrypted hash, and you have the option of encrypting the message along side it. Once this is done, you know an email is coming from a valid user because it contains their key. These are already used in workplaces around the world. Why implement a new system when one already exists? Not only does one exist it is more or less and open standard. Yeesh! I wish people would actually stop rebuilding the wheel in the software industry.
It's trivial to add arbitrary headers to SMTP data, worse the headers PRA uses don't have to be present at all.
Microsoft need to stop checking PRA against our spf v1 records. Afterall, I don't check SenderID records against SMTP MFROM (ie: SPF), even if it would be a worthwhile counter to Microsoft's position.
Then there's that unacceptable patent license and some rather disturbing support for Microsofts silly, broken system and abuse of existing SPF records within the IETF.
My biggest concern (and please don't bash me for this) is not about Hotmail users getting all their email flagged as spam. The problem I can see with this is if Microsoft strongarms other servers into using the SenderID. It's almost like the way that the majority of websites have CSS hacks and workarounds for a broken browser(IE) that still won't be fixed in the next version. If enough people are using the proprietary garbage, then people will others will be forced to support it.
If they can muscle thier SenderID onto enough servers out there than less email becomes spam, then SenderID is free to be a gateway for other proprietary garbage that MS may decided to bundle with it. Microsoft has had its overwhelming failures at times, but it also has a record of 'forcing' their way onto enough of the market to make an impact for better or worse. That's just my take on it; it's not what it will do, but what it will allow to happen in the future (should it catch on)
Perfecting Discordia
www.stevenvansickle.com
It's not just Microsoft's old tricks. Many 800 lb. gorillas (Cisco, IBM, Intel) have done the same with more or less success. Most of the time, wrangling is done in working groups where vendors start deploying products based on early standard drafts, which commits them to lock-in, which then motivates them to fight for thier methods regardless of technical requirements. Besides, market dominant driven standardization is not always a bad thing. The anti-spam market is so fragmented that having a Microsoft force a decision may actually move a resolution.
Except that the Forbes article says that "... a Sender Policy Framework (SPF) record, which is covered under Microsoft's SenderID framework. "
Does this now mean that SenderID includes SPF? Or is Forbes confused?
Anyway, it doesn't get around the fact that SPF generates false positives, according to the article.
www.lucernesys.comHorizon: Calendar-based personal finance
Why would this stop spam? In my physical mailbox i get spam as well and don't tell me they don't pay the shipping fee or the guys that put those ads in your mailbox. So how would this be any different? They could afford to spam before the email, so they can also if emailing becomes a paid service.
And? What would prevent a spammer or phisher from creating the necessary setup to pass verification? Things like SPF and Sender-ID are good for stopping (or at least warning about) mail that some spam clown sent with a forged From: address (which can be highly annoying if the forged address is in one of *your* domains), but it won't do a thing about, say, email that comes from, say, "support@paypa1.com" or so.
:)
Besides, if you want to warn users about phishing, you don't even need any of these tricks. GMail, for example, warns me with a big red banner when it thinks that an email may be a phishing attempt, and so far, it's always been right - no false positives, no false negatives, even without any technical trick that depend on the honesty of the sender (which both SPF and Sender-ID ultimately do, in that they allow malicious senders to set up systems so that tests are passed for spam and phishing mails and the like).
I only wish their spam filter would be as effective...
quidquid latine dictum sit altum videtur.
Yahoo!: Announcing: Domain Keys!
Microsoft: Announcing: SenderID!
(some time later)
Yahoo!: Presenting: Domain Keys Identified Mgmt!
Cisco: Presenting: IIM!
Microsoft: Um, hey lookie... SenderID!
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Um, that won't stop spam, but it will increase the likelihood that you will get better quality spam. I have been tracking me snail mail for a few months. 70% of the mail I receive I would classify as spam. Credit card offers and advertising circulars from companies I have never done business with (MBNA, Providian to name two). Then there is the mail I receive from companies I do business with, but are trying to extend thier reach. All that mail costs money to print and mail. I don't know what the bulk rate is, but I bet it is larger than $.05 and the cost to the USPS to actually deliver it must be higher. HOwever, since they are going to spend the money sending out snail mail, they might as well go the incremental cost of making the mass mailing look good so that recipients will open it. I think the same principle will apply with per charge USPS email. No, the driver for the USPS to charge $.05 send an email is pure profit (and to regain control of it's monopoly) because the costs to process and deliver snail mail outpaces the revenue collected to send it.
yeah this will work.... as most spam I get comes from hotmail
The objective of the new protocol is to cut back on unwanted bandwidth/cpu usage by receiving and filtering spam and to only allow mail from trusted sources.
Filtering doesn't fix the problem. It just prolongs it. A new protocol would fix the problem for the most part, but there's also a price to pay. It has to be adopted by servers.
Um .. wait .. isn't there a BUG in SenderID?
Domains below org and info can be registered in DNS within minutes today and are cheap. So it's easy to integrate SenderID into Spamtools by allocating a domain just-in-time, transfer the SPAM and then kill the domain again, all done with a single click of a button. Thanks to anonymous Domain registry services and zillions of Domains out there this will make it likewise difficult to track back the SPAMmer.
However non-SPAMmers will have trouble supporting SenderID in their domains. I for my part often roam ISPs, so it's hard to track all those outgoing MTAs to add them to my SenderID entries of the domains I use to send eMails from.
As a consequence this means, it's more easy to make SPAM conforming to SenderID than to do this in my highly mobile world. Thanks again, Microsoft, and poor users of Hotmail.
SenderID shall be integrated in the ReverseDNS of the sending MTA and not in the Domain seen in From! It's relatively easy (thanks to djbdns-tools) to automatically add SenderID records to this reverse lookup of the Relay on the fly, such that all From-Adresses show up in the reverse as soon as the eMail is relayed. However this does not help, as open relays then automatically add SenderIDs as well.
Checkmate. Either way, SenderID promotes SPAM.
The trouble is many spammers are now using networks (say, 50,000 or more) of pwned Windows zombies. They are doing it on a huge distributed network - they don't care if calculating a hash slows them down. If each zombie only sends 100 emails per day, that's 5 million spam emails sent. You'd have to have an insanely long calculation time to make a dent on a zombie network.
Oolite: Elite-like game. For Mac, Linux and Windows
This works for now. However when everyone moves to it, it won't help at all. It is trivial for spammers to get around this - follow the standard. They don't bother now because most of their mail isn't being stopped by this trick. When it starts stopping a lot of email they will just implement that part of the standard and greylisting will become useless.
You need to install an RTFM interface.
The other problem, of course, is that spammers constantly use new tricks to avoid filters. "In a race between bullets and armor, bullets will always have an advantage" Purely defensive measures, such as filters and block lists will give the advantage to the spammer as they are more able to adapt quickly than large ISPs are.
Litigation and Criminal prosecutions, combined with efffective and adaptive filtering measures are the best bet. Unfortunately, effective litigation and prosecution is made more difficult by a lack of effective authentication for email traffic. These are things that SenderID and SPF are designed to address. Prosecuting individuals who advertise through spam is another effective measure. (for example, maybe RICO would be useful in going after folks who hire spammers to do their advertising?) There are plenty of laws which address criminal conspiracy, and applying those to the anti-spam laws which have hit the books recently may take some of the economic incentive out of unsolicited email advertising.
Just a thought...
-Grim
Ok, I'll bite..
"Why should a company not use it's marketshare to leverage it's products?"
Your basic premise is fine... that in general companies should be able to use their marketshare as a selling point. The problem is that in Market economies Monopolies develop (either "naturally" because they are the best, or through illegal practices).
In our economy once a company or product reaches the state of "Monopoly" there are certain rules that they must play by in order to allow natural market forces to continue (rules as in laws). One of those is that you can't use a Monopoly in one sector to force your way into another sector.
Microsoft has violated this time and time again... and to the detriment of consumers and consumer choice. A few recent examples:
1. Internet Explorer. Bundling IE with Windows was how MS pushed itself into the "internet sector" using their monopoly on operating systems.
"But IE is free! How is this bad for the consumer?!". Because MS then put proprietary extensions into IE that only it's web-server and authoring tools (Frontpage and Visual Studio) are equiped to serve/create (ActiveX and extensions to Java). So if you want to talk to IE the best way to do it is with Windows Server after creating it in Visual Studio/Frontpage... and since they used their monopoly to deploy IE... 90% of people are using it.....
2. Windows Media Player (Both the format and the player). This one is the next MS cash cow. They bundle WMP with Windows so everyone has it...
"But WMP is free! And it works well! How is that bad for consumers?!"
Becuase of what they are doing now. They are pushing WMP as the next format for EVERYTHING. Music, Movies, Streaming Media... Have you noticed that the new HD-DVD codec is WMP based? Do you think you'll be able to play those without a license from MS? All MS has to do is start making set top DVD players and they can force everyone else out of the market (by not licensing the codec to them).... wait they already are! (Think XBox 360).
What about streaming wmp?? What kind of server do you need to do that? Oh.. right.. Windows Server.
What about music? Oh you mean WMPs with DRM will only be playable in Windows? Hmmm.
#
For some reason people have a hard time understanding just how evil MS really is. And when I say "evil" I don't mean that trying to make money is evil. That's capitalism. What's evil is trying to make money at the detriment to consumer choice and product quality.
This is really a problem because destructive Monopolies are bad for the entire economy. They stagnate innovation and produce "economic blackholes" where all the money from the economy pours... but nothing comes out (how many billions does Microsoft have just sitting around in liquid assets?)
Ok. That should do, nobody read this far anyway.
Friedmud
If sender ID goes in, the software that takes over a target machine will just have to use the normal sending identity for that machine, or, more simply, transmit it back to the bulk mailer so the mailer can construct the outgoing messages accordingly.
MX Logic reports that, as of March, 9% of spam already has valid SPF markings, and 0.83% have valid Sender ID markings. So the technology to bypass SPF and Sender ID is already deployed.
All the SPF and Sender-ID critics continuously point out that SPF and Sender-ID only have the features they were originally designed to have. Ok. That's plenty. How can it not be a good thing to be able to show whether a given SMPT agent is authorized by the domain? Yes, obviously, we all know that spammers will then be able to set up their own domains and spam via those domains with SPF and Sender-ID. That's FINE. That was the entire goal of the technology. All of a sudden, plain old blacklists will work way way better. You won't get spam messages that appear to be from acquaintances. No one ever said that messages using SPF and Sender-ID should always pass through your spam filter.
There are no trails. There are no trees out here.
I have multiple hotmail accounts, and one of them is a generic name that could easily get slammed by dictionary spammers. The other is a not so generic name. I literally NEVER get spam on that account. So your claim that hotmail purposfully sells its lists or allows spam to go to ALL hotmail members is bogus. Stop signing up for pr0n stop giving merchants your email, and dont use email addys like puppy123@hotmail.com and I gurantee you wont have any spam from anywhere. Hotmail most definitly does NOT allow spam, nor do they sell their lists or anything like that. If you dont believe me make a new hotmail account, dont give the address to ANYONE... and see how much spam you get. You wont get any, guranteed. But of course you must make your email address something that a dictionary cant get etc..