Microsoft and Yahoo! Fight Spam - Sort Of
kyndig writes "In a Forbes article, Microsoft claims that 90% of email on the internet is spam. To fight this, Yahoo! has teamed with Cisco in developing DKIM, a signature based email authentication. Not to be outdone, Microsoft is proposing SenderID, which examines an email to see if it is coming from an authorized server. Earthlink's chief technology officer, Tripp Cox, goes on to examine the pros and cons of each specification and provides practical application results." From the article: "Critics have accused Microsoft of forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systems do not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."
Not going to discuss pros/cons of these systems, but at least they do help. Two days ago I got one of those PayPal phishing emails in my hotmail account and hotmail had a big banner on top saying the sender's ID couldn't be verified. This could be a great help to users silly enough to fall for these attacks (assuming they actually pay attention to the warnings).
It seems that one constant problem with fighting spam is that sometimes the ones who are fighting the spam are doing more damage than the spammers themselves...
Perhaps this is Microsoft attempting to leverage (yes, I used it correctly!) what they perceive to be their market dominance to hold users' feet to the fire. Basically, "We've got a lot of users. If you want to communicate with any of them, you're going to need to play by our rules."
Note: I'm not commenting on Sender ID, whether it's technically sound, etc... I haven't really been following this. I just think it's interesting that Microsoft tries its old tricks in industries where it doesn't necessarily have the clout to do so, at least with as much success.
This has bad news written all over it. These companies are going to try and use their size to push their technologies on everyone else. This will result in systems that are beneficial for Yahoo and Microsoft, but that don't address the needs of everyone else. If something like this is done, it should be done internationally by a group of companies and individuals from a variety of backgrounds.
is all the major companies sit down and design a new email system. the current email system is like a sinking boat they are trying to patch and prevent it from reaching the bottom. now, everyone is going their own separate way (MS, Yahoo), where there will be no standard. the whole system needs to be scrapped and rebuilt from the ground up taking into consideration spam, which was never present when the system was designed.
Never happen...Microsoft would never abuse their market dominance to foist an inferior product upon the industry...
Oh wait...
To be honest I vastly prefer the Gmail approach of having relatively smart spam analysis than a whitelist approach based on authentication.
Think of all the people out there who don't have their own mail server but have SMTP/POP access to a hosting company's machine. A change in the core protocols for email would adversely affect most of them, as even if they all had the knowledge to make the changes, they may not have the ability.
Add to this the possibility that a requirement for SenderID will just result in spammers mounting directory attacks against SMTP servers in order to find logins that work..
All this will really cause is a migration away from hotmail !
There is also Sender Policy Framework (http://spf.pobox.com/). This is very similar to SenderID but it has the major advantage that it's open source. Agreed, Microsoft is trying to push SenderID down everybody's throats. I myself publish SPF on a number of domains and it does a good job. The more people that use SPF the more power it will have over SenderID.
If anyone had even bothered to read the linked article, they'd see that it said MS would "flag it as potential spam". They wouldn't just stop getting it.
One of the main problems with this, in my OPINION, is that corporations can't keep up with individuals. It is sort of like how guerrillas, from the time of the US colonies to Vietnam, have been able to put a hurting on huge armies.
Corporations aren't as light on their feet as spammers and internet miscreants (for the most part- I know I am speaking in generalities).
It takes many meetings over years it seems (Meetings- None of us is as dumb as all of us...) to come up with a new policy or system regarding spam etc.- committees are formed, proposals made etc. Then, someone (or group) without meetings, without authorizations, comes up with a way around the new system.
As has been said a zillion times before on here, by people more intelligent than I- the only way to stop Spam is to make it not pay, by having no one respond to it. It is like Drugs or Prostitution- if there were no client base, there would be no sellers....
You're just saying that it's a valid domain-name, but as soon as someone's DNS servers or SMTP servers are rooted, you'll have spam again. The good thing is it'll help let legit people you do business with (eg: your Bank, CC company) say that a message was authorized by them, or at least by the SPF rules.
PGP keys? I thought people knew about and used these. With a PGP key, it is signed with an encrypted hash, and you have the option of encrypting the message alongside it. Once this is done, you know an email is coming from a valid user because it contains their key. These are already used in workplaces around the world. Why implement a new system when one already exists? Not only does one exist, it is more or less an open standard. Yeesh! I wish people would actually stop rebuilding the wheel in the software industry.
My biggest concern (and please don't bash me for this) is not about Hotmail users getting all their email flagged as spam. The problem I can see with this is if Microsoft strongarms other servers into using the SenderID. It's almost like the way that the majority of websites have CSS hacks and workarounds for a broken browser (IE) that still won't be fixed in the next version. If enough people are using the proprietary garbage, then others will be forced to support it.
If they can muscle their SenderID onto enough servers out there that less email becomes spam, then SenderID is free to be a gateway for other proprietary garbage that MS may decide to bundle with it. Microsoft has had its overwhelming failures at times, but it also has a record of 'forcing' their way onto enough of the market to make an impact for better or worse. That's just my take on it; it's not what it will do, but what it will allow to happen in the future (should it catch on)
Let's see... If we write a tool that immediately filters 100% of all e-mail, we can claim that our "Spam filtering tool" gets 100% of Spam with only a 10% false positive rate. Excellent!!!
Actually, what we need is a messaging protocol that isn't tied to some website.
Jabber anyone?
I have used Hotmail for years for communication with "untrusted" sources. In the last 3 months I was forced, regretfully, to let the account die... Hotmail-Microsoft had begun to allow "legal" spam through to the hotmail account. Week after week, the same spam messages over and again were forcing me to check the account. Marking the emails as spam had no effect, I would get the exact same message the next day-week-month, same email address and all.
I complained, and was told I could use filters for those un-markable spam items. Yeah, right.
Advantages to MS for letting "authorized" spam through
- They get paid, probably very well, to send spam to all hotmail accounts.
- They increase page impressions and advertising revenue forcing hotmail users to check the site when notified of waiting emails.
A Great Idea(TM), something an Accountant more than likely worked out, looks oh-so-great on paper, congratulations.
What they cannot measure is how pissed off I got, and in the end abandoned their system permanently, advising all clients, friends, relatives to use another service for their web based email address. (I have had no such problems of authorized spam with Yahoo/Gmail... yet).
My conclusion, MS does not give a rat's arse about how much spam we are forced to look at... they just want to be on the spam generated profit gravy train via "legalized" spam, and don't want freeloaders competing with them to deliver it.
Kalori.
It's a simple idea whereby your server exploits the fact that most mail servers obey the SMTP standard, while most spam sending software does not, to only accept mail from servers which behave properly. Plugins are available for most popular mail server software.
I implemented this about 6 weeks ago and noticed a dramatic and immediate reduction in spam, perhaps better than any other single anti-spam measure.
No single technology will bring spam under control. It's going to take a blend of technologies, namely:
The first campaign, spam filtering, has worked with reasonable success. Spammers now have to send a lot more e-mail in order to reach their customer base. Of course, e-mail is cheap to send so this hasn't changed the economics of the situation dramatically, and the army of slave machines that they've hacked makes getting a lot of CPU power fairly straightforward.
The second campaign on which we are embarking is designed to reduce this army. How effective this will be only time will tell. The principal concern is that throw-away domains will be a problem.
If I set up a domain and tell the SPF address to allow any machine on the internet to send mail then I've totally destroyed the value of SPF. However, its value in controlling phishing should not be underestimated.
The final campaign in my list is the nuclear option: Using CPU time to create digital stamps. The idea behind this is to take the hash of your e-mail (complete with subject, addresses etc.) then brute force a collision of the last 20 bits of the hash. For the normal user, this won't cause a noticeable slow down, for a spammer it will probably destroy their business model.
The drone armies will be cut down to size. Rather than sending a couple of hundred messages per second they may be able to manage one or two. The CPU load on a drone would be so high as to make the PC unusable and the users of these hacked machines would have to start taking notice: they will have to get their machines fixed. If spammers wanted to send messages directly they would now need supercomputers.
There are disadvantages to the above approach. Mobile devices would take a long time to mint a stamp. This can be combated by setting special rules for the SMTP servers that forward messages from mobile devices.
The same problems also exist for third-world countries where they might be running significantly slower machines. However, even if it took 15 seconds to send an e-mail, I think that's an acceptable price to pay for the service.
Overall, I think the real answer lies in the combination of these three schemes. I believe there is a "critical point" in the fight against spam. Once you start to tip the spammers from profit to loss we will start to see huge reductions in spam. The only way to achieve this is to put the cost on the spammer. Electronic stamps are the way to do this.
Simon
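The digital-stamp scheme described in the comment above, as an added example that is not the poster's code or any deployed stamp format: the sender searches for a counter that makes the low 20 bits of the message hash zero, and the receiver checks it with a single hash. SHA-256, the zero-suffix target, the canonical form and the sample addresses are assumptions made for the illustration.

```python
import hashlib
from email.message import EmailMessage

def canonical_bytes(msg):
    # Assumed canonical form: the stamp covers sender, recipient, subject and body,
    # so a stamp minted for one recipient cannot be reused for another.
    parts = [msg["From"], msg["To"], msg["Subject"], msg.get_content()]
    return "\n".join(p.strip() for p in parts).encode("utf-8")

def low_bits_zero(digest, bits):
    return int.from_bytes(digest, "big") & ((1 << bits) - 1) == 0

def mint_stamp(msg, bits=20):
    """Sender side: brute-force a counter; costs about 2**bits hashes on average."""
    base = hashlib.sha256(canonical_bytes(msg))
    counter = 0
    while True:
        h = base.copy()                      # reuse the hashed message prefix
        h.update(counter.to_bytes(8, "big"))
        if low_bits_zero(h.digest(), bits):
            return counter, counter + 1      # (stamp, hashes spent)
        counter += 1

def verify_stamp(msg, counter, bits=20):
    """Receiver side: one hash, regardless of how long minting took."""
    h = hashlib.sha256(canonical_bytes(msg))
    h.update(counter.to_bytes(8, "big"))
    return low_bits_zero(h.digest(), bits)

def sample_message(to="bob@example.net"):
    # Constructed sample message; all addresses are placeholders.
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = to
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Are you free at noon?")
    return msg

if __name__ == "__main__":
    msg = sample_message()
    stamp, spent = mint_stamp(msg, bits=20)
    print(f"stamp={stamp} after {spent} hashes, valid={verify_stamp(msg, stamp)}")
    other = sample_message(to="carol@example.net")
    print("same stamp on another recipient:", verify_stamp(other, stamp))
```

Each extra bit doubles the average minting cost while verification stays at one hash, which is the asymmetry the comment relies on.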
I was getting about 40 spam messages a day, before I implemented my new anti-spam e-mail server. Now I get about one or two... but SenderID only blocks about two messages a week. Much more effective are my set of 5 Blacklists, a URL Blacklist, and some simple rules. SenderID can stop fake from addresses, but the people sending the messages will just use servers that do not have SPF entries, as all the servers will never implement it.
The trouble is many spammers are now using networks (say, 50,000 or more) of pwned Windows zombies. They are doing it on a huge distributed network - they don't care if calculating a hash slows them down. If each zombie only sends 100 emails per day, that's 5 million spam emails sent. You'd have to have an insanely long calculation time to make a dent on a zombie network.
If sender ID goes in, the software that takes over a target machine will just have to use the normal sending identity for that machine, or, more simply, transmit it back to the bulk mailer so the mailer can construct the outgoing messages accordingly.
MX Logic reports that, as of March, 9% of spam already has valid SPF markings, and 0.83% have valid Sender ID markings. So the technology to bypass SPF and Sender ID is already deployed.
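Two points from the thread, that a domain whose SPF record allows any machine destroys the value of SPF and that some spam already carries valid SPF markings, shown as an added example (not code from any poster or from the SPF project). It evaluates only the `ip4`, `ip6` and `all` mechanisms with no DNS lookups; the records and IP addresses are constructed documentation-range samples.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate ip4/ip6/all terms left to right; return (result, warnings).

    Simplified: mechanisms that need DNS (a, mx, include, ...) are skipped
    and reported, so the result is only exact for records without them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", ["not an SPF record"]
    ip = ipaddress.ip_address(sender_ip)
    result, warnings = None, []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
            if qualifier == "+":
                warnings.append("+all authorizes every host on the internet")
        elif mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            matched = ip in net
            if net.prefixlen == 0:
                warnings.append(f"{mech} covers the whole address space")
        else:
            matched = False
            warnings.append(f"{mech}: not evaluated (needs DNS)")
        # The first matching term decides the result; keep scanning so that
        # permissive terms later in the record are still reported.
        if matched and result is None:
            result = QUALIFIERS[qualifier]
    return result or "neutral", warnings

# Constructed sample records.
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"   # a domain that lists its own servers
THROWAWAY_RECORD = "v=spf1 +all"                  # a throw-away domain set up by a bulk mailer

if __name__ == "__main__":
    for record in (STRICT_RECORD, THROWAWAY_RECORD):
        for ip in ("192.0.2.10", "203.0.113.77"):
            print(record, ip, check_spf(record, ip))
```

A receiver that treats `pass` as a reputation signal gives the throw-away domain the same standing as the strict one, so the warnings list is the part worth feeding into filtering decisions.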