Slashdot Mirror
Microsoft and Yahoo! Fight Spam - Sort Of
kyndig writes "In a Forbes article, Microsoft claims that 90% of email on the internet is spam. To fight this, Yahoo! has teamed with Cisco in developing DKIM, a signature based email authentication. Not to be outdone, Microsoft is proposing SenderID, which examines an email to see if it is coming from an authorized server. Earthlink's chief technology officer, Tripp Cox, goes on to examine the pro's and con's of each specification and provides practical application results." From the article: "Critics have accused Microsoft forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systems do not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."
If a bunch of hotmail users stop getting email then that will only hurt MS.
Q: I am short, useless and provide no value. What am I? A: a sig
Not going to discuss pros/cons of these systems, but at least the do help. Two days ago I got one of those PayPal phishing emails in my hotmail account and hotmail had a big banner on top saying the sender's ID couldn't be verified. This could be a great help to users silly enough to fall for these attacks (assuming they actually pay attention to the warnings).
"reality has a well-known liberal bias" - Steven Colbert
It seems that one constant problem with fighting spam is that sometimes the ones who are fighting the spam are doing more damage than the spammers themselves...
see a Text Widget
Perhaps this is Microsoft attempting to leverage (yes, I used it correctly!) what they perceive to be as their market dominance to hold users' feet to the fire. Basically, "We've got a lot of users. If you want to communicate with any of them, you're going to need to play by our rules."
Note: I'm not commenting on Sender ID, whether its technically sound, etc... I haven't really been following this. I just think its interesting that Microsoft tries its old tricks in industries where it doesn't necessarily have the clout to do so, at least with as much success.
concrete5: a cms made for marketing, but strong enough for geeks.
This has bad news written all over it. These companies are going to try and use their size to push their technologies on everyone else. This will result in systems that are beneficial for Yahoo and Microsoft, but that don't adress the needs of everyone else. If something like this is done, it should be done internationally by a group of companies and individuals from a variety of backgrounds.
Voice your opinion!
To delete all messages without a valid SenderID is not quite the same as to mark non valid SenderId messages as spam
is all the major companies sit down and design a new email system. the current email system is like a sinking boat they are trying to patch and prevent it from reaching the bottom. now, everyone is going their own seperate way (MS, Yahoo), where there will be no standard. the whole system needs to be scraped and rebuilt from the ground up taking into consideration spam, which was never present when the system was designed.
Never happen...Microsoft would never abuse their market domainance to foist an inferior product upon the industry...
Oh wait...
____
~ |rip/\/\aster /\/\onkey
To be honest I vastly prefer the Gmail approach of having relatively smart spam analysis than a whitelist approach based on authentication.
Think of all the people out there who don't have their own mail server but have SMTP/POP access to a hosting company's machine. A change in the core protocols for email would adversely affect most of them, as even if they all had the knowledge to make the changes, they may not have the ability.
Add to this the possibility that a requirement for SenderID will just result in spammers mounting directory attacks against SMTP servers in order to find logins that work..
All this will really cause is a migration away from hotmail !
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
There is also Sender Policy Framework (http://spf.pobox.com/), this is very simular to SenderID but it has the majour advantage that its open source, agreed microsoft is trying to push SenderID down everybodys throats, I myself publish SPF on a number of domains and it does a good job. The more people that use SPF the more power it will have over SenderID.
With several gmail accounts, I never have trouble managing spam. I don't reply to suspicious e-mails, and if I do, I am sure not to use the return e-mail address of my primary account. I keep an account for things like ebay, rentacoder, guru.com, etc., and a seperate account for personal e-mail. I have been doing this for over a year and I have only received six spam messages, and those were in the secondary account. I don't see why AOL couldn't encourage their users to do this. Isn't this why we have multiple e-mail accounts available from ISPs?
Powered by caffeine and sugar; BSD
One of the main problems with this, in my OPINION, is that corporations can't keep up with individuals. It is sort of like how Geurrilas, from the time of the US colonies to Vietnam, have been able to put a hurting on huge armies.
Corporations aren't as light on their feet as spammers and internet miscreants (for the most part- I know I am speaking in generalities).
It takes many meetings over years it seems (Meetings- None of us is as dumb as all of us...) to come up with a new policy or system regarding spam etc.- commitees are formed, proposals made etc. Then, someone (or group) without meetings, without authorizations, comes up with a way around the new system.
As has been said a zillion times before on here, by people more intelligent than I- the only way to stop Spam is to make it not pay, by having no one respond to it. It is like Drugs or Prostitution- if there were no client base, there would be no sellers....
And All I Ask is a Tall Ship And a Star to Steer Her By
You're just saying that it's a valid domain-name, but as soon as someones dns servers or smtp servers are rooted, you'll have spam again. The good thing is it'll help let legit people you do business with (eg: your Bank, CC company) say that a message was authorized by them, or at least by the SPF rules.
PGP key's? I thought people knew about and used these. With a pgp key, it is signed with an encrypted hash, and you have the option of encrypting the message along side it. Once this is done, you know an email is coming from a valid user because it contains their key. These are already used in workplaces around the world. Why implement a new system when one already exists? Not only does one exist it is more or less and open standard. Yeesh! I wish people would actually stop rebuilding the wheel in the software industry.
Lets see... If we write a tool that immediately filters 100% of all e-mail, we can claim that our "Spam filtering tool" gets 100% of Spam with only a 10% false positive rate. Excellent!!!
Why would this stop spam? In my physical mailbox i get spam as well and don't tell me they don't pay the shipping fee or the guys that put those ads in your mailbox. So how would this be any different? They could afford to spam before the email, so they can also if emailing becomes a paid service.
I currently do not email anyone who has a hotmail account, so let hotmail go isolate themselves.
With Yahoo & Cisco proposing an alternative to Microsoft's suggestion for a standard there wil at least be some fighting over which design (if either) becomes a standard. Without the competition, the odds are that one might win by default. (Unfortunately.)
My mail servers do have SPF records and when I get a chance, I'm going to setup SPF record checking for incoming email, although initially I'm going to only have it add a header to emails.
At the very least, I recommend eveyone who can set up SPF records for their mail servers even if they can't take the time to set up checking SPF records for incoming email. This would help by enabling places that do check SPF records know if they're getting (possibly) forged return addresses.
I have used Hotmail for years for communication with "untrusted" sources. In the last 3 months I was forced, regretfully, to let the account die... Hotmail-Microsoft had begun to allow "legal" spam through to the hotmail account. Week after week, the same spam messages over and again was forcing me to check the account. Marking the emails as spam had no effect, I would get the exact same message the next day-week-month, same email address and all.
I complained, and was told I could use filters for those un-markable spam items. Yeah, right.
Advantages to MS for letting "authorized" spam through
- They get paid, probably very well, to send spam to all hotmail accounts.
- They increase page impressions and advertising revenue forcing hotmail users to check the site when notified of waiting emails.
A Great Idea(TM), something an Accountant more than likely worked out, looks oh-so-great on paper, congratulations.
What they cannot measure is how pissed off I got, and in the end abandoned their system permanently, advising all clients, friends, relatives to use another service for their web based email address. (I have had no such problems of ausorized spam with Yahoo/Gmail... yet).
My conclusion, MS does not give a rats arse about how much spam we are forced to look at... they just want to be on the spam generated profit gravy train via "legalized" spam, and don't want freeloaders competing with them to deliver it.
Kalori.
-
No sig. is a good sig.
Seriously, why is this a problem? At home I have a FreeBSD box that runs mail through scanners and figures out what's what. Works like this:
;)). Seriously, I'm no genius, but why can't this kind of solution be bolted on? Even if a company is locked into Exchange, slap a box like this accepting :25, then have it relay mail on after the checks!
incoming:25 -> Postgrey (greylisting) -> MailScanner -> ClamAV -> Spamassassin (with DCC, razor checks) -> DSPAM -> Postfix -> users_mailbox
All ClamAV definitions are updated via cron by Freshclam, all Spamassasin rules are updated via Rules_du_jour daily. Using this I get just about zero spam, with a VERY rare occurance of realy mail being labelled spam (and that's usually bad chain-emails sent around by my wife's friends - and I consider that spam anyway
I fail to see why a solution like this can't be implemented on a large scale 'free-mail' company like Hotmail or Yahoo! If they could stop (and eventually block) spams, they could help turn the tables on spammers, making them less profitable. What am I not seeing?
bad_outlook
--
Is this vague enough for you?
Its a simple idea whereby your server exploits the fact that most mail servers obey the SMTP standard, while most spam sending software does not, to only accept mail from servers which behave properly. Plugins are available for most popular mail server software.
I implemented this about 6 weeks ago and noticed a dramatic and immediate reduction in spam, perhaps better than any other single anti-spam measure.
Yahoo!: Announcing: Domain Keys!
Microsoft: Announcing: SenderID!
(some time later)
Yahoo!: Presenting: Domain Keys Identified Mgmt!
Cisco: Presenting: IIM!
Microsoft: Um, hey lookie... SenderID!
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
This article "A blank check for Microsoft" more or less confirms the changes to spam policy I have observed while using Hotmail over the past few months:
http://blogs.salon.com/0003364/stories/2005/02/01
I've always considered Hotmail a bit of a UCE enabler anyway.
Luck favors the prepared, darling.
Um, that won't stop spam, but it will increase the likelihood that you will get better quality spam. I have been tracking me snail mail for a few months. 70% of the mail I receive I would classify as spam. Credit card offers and advertising circulars from companies I have never done business with (MBNA, Providian to name two). Then there is the mail I receive from companies I do business with, but are trying to extend thier reach. All that mail costs money to print and mail. I don't know what the bulk rate is, but I bet it is larger than $.05 and the cost to the USPS to actually deliver it must be higher. HOwever, since they are going to spend the money sending out snail mail, they might as well go the incremental cost of making the mass mailing look good so that recipients will open it. I think the same principle will apply with per charge USPS email. No, the driver for the USPS to charge $.05 send an email is pure profit (and to regain control of it's monopoly) because the costs to process and deliver snail mail outpaces the revenue collected to send it.
No single technology will bring spam under control. It's going to take a blend of technologies, namely:
The first campaign, spam filtering, has worked with resonable success. Spammers now have to send a lot more e-mail in order to reach their customer base. Of course, e-mail is cheap to send so this hasn't changed the economics of the situation dramatically and army of slave machines that they've hacked make getting a lot of CPU power fairly straight-forward.
The second campaign on which we are embarking is designed to reduce this army. How effective this will be only time will tell. The principle is concern is about throw-away domains be a problem.
If I set up a domain and tell the SPF address to allow any machine on the internet to send mail then i've totally destroyed the value of SPF. However, it's value in controlling pishing should not be underestimated.
The final campaign in my list it the nuclear option: Using CPU time to create digital stamps. The idea behind this is to take the hash of your e-mail (complete with subject, addresses etc.) then brute force a collision of the last 20 bits of the hash. For the normal user, this wont cause a noticeable slow down, for a spammer it will probably destroy their business model.
The drone armies will be cut down to size. Rather than sending a couple of hundred messages per second they may be able to manage one or two. The CPU load on a drone would be so high as to make the PC unusable and the users of these hacked machines would have to start taking notice: they will have to get their machines fixed. If spammers wanted to send messages directly they would now need supercomputers.
There are disadvantages to the above approach. Mobile devices would take a long time to mint a stamp. This can be combated by setting special rules for the SMTP servers that forward messages from mobile devices.
The same problems also exist for third-world countries where they might be running significantly slower machines. However, even if it took 15 seconds to send an e-mail, I think that's an acceptable price to pay for the service.
Overall, I think the real answer lies in the combination of these three schemes. I believe there is a "critial point" in the fight against spam. Once you start to tip the spammers from profit to loss we will start to see huge reductions in spam. The only way to achieve this is to put the cost on the spamer. Electronic stamps are the way to do this.
Simon
I was getting about 40 spam messages a day, before I implemented my new anti-spam e-mail server. Now I get about one or two... but SenderID only blocks about two messages a week. Much more effective are my set of 5 Blacklists, a URL Blacklist, and some simple rules. SenderID can stop fake from addresses, but the people sending the messages will just use servers that do not have SPF entry's, as all the servers will never implement it.
Even though I classify every email from Hotmail itself as junk, they still kept getting into my Inbox instead of the Spam folder.
The trouble is many spammers are now using networks (say, 50,000 or more) of pwned Windows zombies. They are doing it on a huge distributed network - they don't care if calculating a hash slows them down. If each zombie only sends 100 emails per day, that's 5 million spam emails sent. You'd have to have an insanely long calculation time to make a dent on a zombie network.
Oolite: Elite-like game. For Mac, Linux and Windows
This works for now. However when everyone moves to it, it won't help at all. It is trivial for spammers to get around this - follow the standard. They don't bother now because most of their mail isn't being stopped by this trick. When it starts stopping a lot of email they will just implement that part of the standard and greylisting will become useless.
You need to install an RTFM interface.
I just got back New York and the http://www.emailauthentication.org/summit2005/agen da.html/ Email Authentication Summit that covered all of these topics. Here's the last one page summary on all 3 (SPF, Sender ID, DKIM)
How is validation performed?
SPF - RFC2821 MAIL FROM address, "Bounce" or "envelope from" address
Sender ID - RFC2822 PRA FROM address
DKIM / DK - Designated "singer" address/RFC2822 FROM address
Strengths
SPF - Reduces bounce messages where the victim receives errors for mail they didn't send
Sender ID - Validates the identity most users see and reduces the threat to phishing.
DKIM / DK - Provides end-to-end validation over multiple hops (i.e. forwarding)
MTA Updates?
SPF - Receiving update required.
Sender ID - Receiving update required.
DKIM / DK - Sender / Receiving MTA update required.
Weaknesses
SPF - Only validates the last hop
Sender ID - Only validates the last hop
DKIM / DK - Can be "broken" by imperceptible changes (and FWD: >'s in messages)
Publishing / Signing
SPF - Easy. Publish and maintain in DNS.
Sender ID - Easy. Publish and maintain in DNS.
DKIM / DK - Create keys & publish in DNS.
Mailing Lists
SPF - Easy.
Sender ID - Easy.
DKIM / DK - Hard
Forwarding
SPF - Hard.
Sender ID - Requires a header added.
DKIM / DK - Easy
Performance
SPF - Negotiable. ISPS may cache to improve.
Sender ID - Negotiable. ISPS may cache to improve.
DKIM / DK - 5 - 10% processing CPU
Ok, I'll bite..
"Why should a company not use it's marketshare to leverage it's products?"
Your basic premise is fine... that in general companies should be able to use their marketshare as a selling point. The problem is that in Market economies Monopolies develop (either "naturally" because they are the best, or through illegal practices).
In our economy once a company or product reaches the state of "Monopoly" there are certain rules that they must play by in order to allow natural market forces to continue (rules as in laws). One of those is that you can't use a Monopoly in one sector to force your way into another sector.
Microsoft has violated this time and time again... and to the detriment of consumers and consumer choice. A few recent examples:
1. Internet Explorer. Bundling IE with Windows was how MS pushed itself into the "internet sector" using their monopoly on operating systems.
"But IE is free! How is this bad for the consumer?!". Because MS then put proprietary extensions into IE that only it's web-server and authoring tools (Frontpage and Visual Studio) are equiped to serve/create (ActiveX and extensions to Java). So if you want to talk to IE the best way to do it is with Windows Server after creating it in Visual Studio/Frontpage... and since they used their monopoly to deploy IE... 90% of people are using it.....
2. Windows Media Player (Both the format and the player). This one is the next MS cash cow. They bundle WMP with Windows so everyone has it...
"But WMP is free! And it works well! How is that bad for consumers?!"
Becuase of what they are doing now. They are pushing WMP as the next format for EVERYTHING. Music, Movies, Streaming Media... Have you noticed that the new HD-DVD codec is WMP based? Do you think you'll be able to play those without a license from MS? All MS has to do is start making set top DVD players and they can force everyone else out of the market (by not licensing the codec to them).... wait they already are! (Think XBox 360).
What about streaming wmp?? What kind of server do you need to do that? Oh.. right.. Windows Server.
What about music? Oh you mean WMPs with DRM will only be playable in Windows? Hmmm.
#
For some reason people have a hard time understanding just how evil MS really is. And when I say "evil" I don't mean that trying to make money is evil. That's capitalism. What's evil is trying to make money at the detriment to consumer choice and product quality.
This is really a problem because destructive Monopolies are bad for the entire economy. They stagnate innovation and produce "economic blackholes" where all the money from the economy pours... but nothing comes out (how many billions does Microsoft have just sitting around in liquid assets?)
Ok. That should do, nobody read this far anyway.
Friedmud
If sender ID goes in, the software that takes over a target machine will just have to use the normal sending identity for that machine, or, more simply, transmit it back to the bulk mailer so the mailer can construct the outgoing messages accordingly.
MX Logic reports that, as of March, 9% of spam already has valid SPF markings, and 0.83% have valid Sender ID markings. So the technology to bypass SPF and Sender ID is already deployed.