Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft and Yahoo! Fight Spam - Sort Of

Posted by Zonk on from the spamfighters-saddle-up dept.

kyndig writes "In a Forbes article, Microsoft claims that 90% of email on the internet is spam. To fight this, Yahoo! has teamed with Cisco in developing DKIM, a signature based email authentication. Not to be outdone, Microsoft is proposing SenderID, which examines an email to see if it is coming from an authorized server. Earthlink's chief technology officer, Tripp Cox, goes on to examine the pro's and con's of each specification and provides practical application results." From the article: "Critics have accused Microsoft forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systems do not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."

19 of 344 comments (clear)

  1. Let MS do it... by losman · · Score: 2, Interesting

    If a bunch of hotmail users stop getting email then that will only hurt MS.

    --
    Q: I am short, useless and provide no value. What am I? A: a sig
    1. Re:Let MS do it... by norfolkboy · · Score: 2, Interesting

      Wrong

      It won't only hurt MS.

      Non receipt of email can hurt businesses not remotely connected with MS.

      For example, I run a website with around 52,000 members. Each member has opted to join a mailing list, and they also receive alerts when they have a new message waiting for them on the website.

      My own stats show that there are a significant number of users that will not return unless they receive a message telling them they have a new message on the website.

      When back on the website their interest for the site increases, and they are likely to upgrade to a paid membership.

      I've asked people who only log in from time to time, why they do so, and asside from the reason given above, the other reason is:

      "I forget my login details, and the message alert email gives me a reminder".

      (Too much effort to use the password reminder tool is it?)

      Anyway - users are funny things, and for many similar sites, we depend on email getting through to hotmail and AOL users - they are the bulk of our custom.

      So no,

      it doens't just hurt MS, it hurts anyone with a significant interest in the 'net.

  2. At least it works by CaymanIslandCarpedie · · Score: 5, Interesting

    Not going to discuss pros/cons of these systems, but at least the do help. Two days ago I got one of those PayPal phishing emails in my hotmail account and hotmail had a big banner on top saying the sender's ID couldn't be verified. This could be a great help to users silly enough to fall for these attacks (assuming they actually pay attention to the warnings).

    --
    "reality has a well-known liberal bias" - Steven Colbert
    1. Re:At least it works by Shadowlore · · Score: 2, Interesting

      If ebay/paypal published SPF records indicating what servers send valid email for ebay/paypal, and your server checks those, how can a spammer set up a ligitiamte system to bypass that system? They can't.

      The only way is to:
      * alter ebay/paypal DNS records by some means
      * spoof the IP address.

      Gmail may well have a very large database of valid email from ebay/paypl and perhaps others, or may be implementing their own version of SPF that doesn't rely on the domains to publish SPF records. They may, for example, have done research to see what IP ranges are used by ebay/paypal or other banks and if it doesn't come from those ranges they consider it likely a phishing attempt. Essentially a form of SPF. We do this on some of our (Fortune 50) email servers; it isn;t hard to conceive of Google doing it.

      Mail::SPF::Query essentially does something similar.

      but it won't do a thing about, say, email that comes from, say, "support@paypa1.com" or so.

      It doesn't have to. Such a domain gets reported as phsihing attempt, ebay/payal goes after the domain to get it shut down, end of that problem. Indeed, they already have. Do a whois on it and you'll fid it owned by eBay. So yes, SPF would work here. eBay can put out an SPF record saying all email from this domain is invalid. Servers using SPF checks can then toss it or mark it as invalid.

      Indeed, this use would be an excellent use. If SPF had a field to indicate a domain sends zero mail we can safely discard/block all email claiming to be from there.

      If you think google doesn't use a form of SPF or sender verification you are sadly mistaken. Besides, SPF is not intended to be THE solution, just a (good) tool in the toolbox of the solution.

      --
      My Suburban burns less gasoline than your Prius.
  3. Problem with fighting spam... by moz25 · · Score: 4, Interesting

    It seems that one constant problem with fighting spam is that sometimes the ones who are fighting the spam are doing more damage than the spammers themselves...

    --
    see a Text Widget
  4. Heh by aftk2 · · Score: 4, Interesting

    Perhaps this is Microsoft attempting to leverage (yes, I used it correctly!) what they perceive to be as their market dominance to hold users' feet to the fire. Basically, "We've got a lot of users. If you want to communicate with any of them, you're going to need to play by our rules."

    Note: I'm not commenting on Sender ID, whether its technically sound, etc... I haven't really been following this. I just think its interesting that Microsoft tries its old tricks in industries where it doesn't necessarily have the clout to do so, at least with as much success.

    --
    concrete5: a cms made for marketing, but strong enough for geeks.
  5. All things considered, not a good thing by CdBee · · Score: 3, Interesting

    To be honest I vastly prefer the Gmail approach of having relatively smart spam analysis than a whitelist approach based on authentication.

    Think of all the people out there who don't have their own mail server but have SMTP/POP access to a hosting company's machine. A change in the core protocols for email would adversely affect most of them, as even if they all had the knowledge to make the changes, they may not have the ability.

    Add to this the possibility that a requirement for SenderID will just result in spammers mounting directory attacks against SMTP servers in order to find logins that work..

    All this will really cause is a migration away from hotmail !

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    1. Re:All things considered, not a good thing by b4k3d+b34nz · · Score: 2, Interesting

      I agree. Although whitelists are good, they tend to become annoying, much more so than receiving spam. Gmail manages to block about 200 emails of spam per day for me, and lets in maybe 4 or 5.

      At least for a while, the SenderID system will end up blocking too many valid emails and will irritate users. I suppose after it's been around for a year or so and they have a decent system and database for the whitelist, the system will see the results that Microsoft wants.

      Hotmail sucks anyway...Gmail is far superior in every sense.

      --
      Grammar Lesson: you're is a contraction of "you are"; your means you possess something; yore means days gone by.
    2. Re:All things considered, not a good thing by scovetta · · Score: 3, Interesting

      I disagree. No matter how good the spam filter is, it always misses a few. False negatives are annoying, but false positives mean that you have to scan your 600+ spam e-mails per day to see if it missed any. A non-perfect spam filter is just a fancy inbox sorter.

      I don't think whitelisting is the way to go either, though, for obvious reasons.

      I have a dedicated server with a dozen or so domains on it. I'm forced to send mail through my personal ISP because mail coming FROM my domain gets marked as spam by most large ISPs (no, I don't spam, nor is my IP on a specific spammer blacklist). So if I decide to start spamming from my dedicated server, no one will get it (unless I route it through another ISP, in which case now it's their job to check).

      --
      Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
  6. Two email systems by Anonymous Coward · · Score: 1, Interesting

    My thinking has always been that we need two systems. Or at least one system that provides two types of service. Authenticated and Anonymous. The Business world would of course choose to use authenticated and be willing to pay for it. Home users (such as Hotmail) could choose between free anonymous email and deal with the spam or pay for authenticated email, where as the theme song states, "everyone knows your name".

    1. Re:Two email systems by nysus · · Score: 1, Interesting

      I was just talking about this with a president of a letter carrier's union. We were talking about the US Postal service giving e-mail addresses to every individual. You would have to spend 5 cents to send an e-mail to someone else. That's probably a high enough threshold to keep spam out.

      The receiving in the e-mail benefits because he knows he will have an inbox that is spam free and has messages full of important messages. The sender benefits in that he knows his message is much more likely to be seen and read.

      --

      ---Technology will liberate us if it doesn't enslave us first.

  7. SPF doesn't prevent spam by jaredmauch · · Score: 4, Interesting
    SPF helps with virii and phishing. eg: someone connecting saying they're billyg@msft.net from a dsl line in bellsouth land. If i'm evilspammer@example.com, I can just publish my SPF records in the same way you do, as long as i send from example.com's authorized SPF records it'll be good.

    You're just saying that it's a valid domain-name, but as soon as someones dns servers or smtp servers are rooted, you'll have spam again. The good thing is it'll help let legit people you do business with (eg: your Bank, CC company) say that a message was authorized by them, or at least by the SPF rules.

  8. I'm not sure I'm affected by HotMails decission... by Name+Anonymous · · Score: 2, Interesting

    I currently do not email anyone who has a hotmail account, so let hotmail go isolate themselves.

    With Yahoo & Cisco proposing an alternative to Microsoft's suggestion for a standard there wil at least be some fighting over which design (if either) becomes a standard. Without the competition, the odds are that one might win by default. (Unfortunately.)

    My mail servers do have SPF records and when I get a chance, I'm going to setup SPF record checking for incoming email, although initially I'm going to only have it add a header to emails.

    At the very least, I recommend eveyone who can set up SPF records for their mail servers even if they can't take the time to set up checking SPF records for incoming email. This would help by enabling places that do check SPF records know if they're getting (possibly) forged return addresses.

  9. MS is just eliminating competition... by FriendlyLurker · · Score: 4, Interesting


    I have used Hotmail for years for communication with "untrusted" sources. In the last 3 months I was forced, regretfully, to let the account die... Hotmail-Microsoft had begun to allow "legal" spam through to the hotmail account. Week after week, the same spam messages over and again was forcing me to check the account. Marking the emails as spam had no effect, I would get the exact same message the next day-week-month, same email address and all.

    I complained, and was told I could use filters for those un-markable spam items. Yeah, right.

    Advantages to MS for letting "authorized" spam through
    - They get paid, probably very well, to send spam to all hotmail accounts.
    - They increase page impressions and advertising revenue forcing hotmail users to check the site when notified of waiting emails.

    A Great Idea(TM), something an Accountant more than likely worked out, looks oh-so-great on paper, congratulations.

    What they cannot measure is how pissed off I got, and in the end abandoned their system permanently, advising all clients, friends, relatives to use another service for their web based email address. (I have had no such problems of ausorized spam with Yahoo/Gmail... yet).

    My conclusion, MS does not give a rats arse about how much spam we are forced to look at... they just want to be on the spam generated profit gravy train via "legalized" spam, and don't want freeloaders competing with them to deliver it.

    Kalori.

    -
    No sig. is a good sig.

  10. Greylisting by Sanity · · Score: 4, Interesting
    If you run a mail server, and you aren't greylisting, then you need to be.

    Its a simple idea whereby your server exploits the fact that most mail servers obey the SMTP standard, while most spam sending software does not, to only accept mail from servers which behave properly. Plugins are available for most popular mail server software.

    I implemented this about 6 weeks ago and noticed a dramatic and immediate reduction in spam, perhaps better than any other single anti-spam measure.

  11. SpamAssasin by Anonymous Coward · · Score: 1, Interesting

    What is wrong with using Spam Assasin? I use it and it works wonderfully. I probably get around 100 e-mail messages a day, and yeah, 90% are spam but they get flagged as such by SA. We don't need to reinvent the wheel here.

  12. No single technology.. by Ckwop · · Score: 4, Interesting

    No single technology will bring spam under control. It's going to take a blend of technologies, namely:

    1. Spam filtering.
    1. Preventing forged headers.
    1. Making e-mail sending computationally expensive.

    The first campaign, spam filtering, has worked with resonable success. Spammers now have to send a lot more e-mail in order to reach their customer base. Of course, e-mail is cheap to send so this hasn't changed the economics of the situation dramatically and army of slave machines that they've hacked make getting a lot of CPU power fairly straight-forward.

    The second campaign on which we are embarking is designed to reduce this army. How effective this will be only time will tell. The principle is concern is about throw-away domains be a problem.

    If I set up a domain and tell the SPF address to allow any machine on the internet to send mail then i've totally destroyed the value of SPF. However, it's value in controlling pishing should not be underestimated.

    The final campaign in my list it the nuclear option: Using CPU time to create digital stamps. The idea behind this is to take the hash of your e-mail (complete with subject, addresses etc.) then brute force a collision of the last 20 bits of the hash. For the normal user, this wont cause a noticeable slow down, for a spammer it will probably destroy their business model.

    The drone armies will be cut down to size. Rather than sending a couple of hundred messages per second they may be able to manage one or two. The CPU load on a drone would be so high as to make the PC unusable and the users of these hacked machines would have to start taking notice: they will have to get their machines fixed. If spammers wanted to send messages directly they would now need supercomputers.

    There are disadvantages to the above approach. Mobile devices would take a long time to mint a stamp. This can be combated by setting special rules for the SMTP servers that forward messages from mobile devices.

    The same problems also exist for third-world countries where they might be running significantly slower machines. However, even if it took 15 seconds to send an e-mail, I think that's an acceptable price to pay for the service.

    Overall, I think the real answer lies in the combination of these three schemes. I believe there is a "critial point" in the fight against spam. Once you start to tip the spammers from profit to loss we will start to see huge reductions in spam. The only way to achieve this is to put the cost on the spamer. Electronic stamps are the way to do this.

    Simon

  13. Re:Bad news by PeterBrett · · Score: 2, Interesting
    I couldn't care less if it's Microsoft, as long as 1) everyone can use it, and 2) it works.

    ROFL.

    1. Not everyone can use it. Microsoft's supposedly "Reasonable and Non-Discriminatory" patent licensing for Sender-ID is nothing of the sort, and makes free software implementations impossible.
    2. It works... for a given value of "working". Whoo-hoo, now spammers need to set up a Sender-ID record for [423.sdlfk2_133dsk.net], [419.sdlfk3_175dsk.net] and [12.dngls4_983duy.net]! Wait until the domain gets blacklisted, then set up a new set of randomly-generated domain names! Maybe I should patent it! </sarcasm>

    I could care if it's Microsoft. Hands up if you want Yet Another Broken Incompatible Standard?

    --
    Pirate Party UK
  14. Hotmail has No Spam Filter Whatsover... by loyukfai · · Score: 2, Interesting

    Even though I classify every email from Hotmail itself as junk, they still kept getting into my Inbox instead of the Spam folder.