Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft and Yahoo! Fight Spam - Sort Of

Posted by Zonk on from the spamfighters-saddle-up dept.

kyndig writes "In a Forbes article, Microsoft claims that 90% of email on the internet is spam. To fight this, Yahoo! has teamed with Cisco in developing DKIM, a signature based email authentication. Not to be outdone, Microsoft is proposing SenderID, which examines an email to see if it is coming from an authorized server. Earthlink's chief technology officer, Tripp Cox, goes on to examine the pro's and con's of each specification and provides practical application results." From the article: "Critics have accused Microsoft forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systems do not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."

15 of 344 comments (clear)

  1. At least it works by CaymanIslandCarpedie · · Score: 5, Interesting

    Not going to discuss pros/cons of these systems, but at least the do help. Two days ago I got one of those PayPal phishing emails in my hotmail account and hotmail had a big banner on top saying the sender's ID couldn't be verified. This could be a great help to users silly enough to fall for these attacks (assuming they actually pay attention to the warnings).

    --
    "reality has a well-known liberal bias" - Steven Colbert
  2. Problem with fighting spam... by moz25 · · Score: 4, Interesting

    It seems that one constant problem with fighting spam is that sometimes the ones who are fighting the spam are doing more damage than the spammers themselves...

    --
    see a Text Widget
  3. Heh by aftk2 · · Score: 4, Interesting

    Perhaps this is Microsoft attempting to leverage (yes, I used it correctly!) what they perceive to be as their market dominance to hold users' feet to the fire. Basically, "We've got a lot of users. If you want to communicate with any of them, you're going to need to play by our rules."

    Note: I'm not commenting on Sender ID, whether its technically sound, etc... I haven't really been following this. I just think its interesting that Microsoft tries its old tricks in industries where it doesn't necessarily have the clout to do so, at least with as much success.

    --
    concrete5: a cms made for marketing, but strong enough for geeks.
    1. Re:Heh by hal9000(jr) · · Score: 4, Insightful

      It's not just Microsoft's old tricks. Many 800 lb. gorillas (Cisco, IBM, Intel) have done the same with more or less success. Most of the time, wrangling is done in working groups where vendors start deploying products based on early standard drafts, which commits them to lock-in, which then motivates them to fight for thier methods regardless of technical requirements. Besides, market dominant driven standardization is not always a bad thing. The anti-spam market is so fragmented that having a Microsoft force a decision may actually move a resolution.

  4. Bad news by mfloy · · Score: 4, Insightful

    This has bad news written all over it. These companies are going to try and use their size to push their technologies on everyone else. This will result in systems that are beneficial for Yahoo and Microsoft, but that don't adress the needs of everyone else. If something like this is done, it should be done internationally by a group of companies and individuals from a variety of backgrounds.

    --
    Voice your opinion!
  5. Sender Policy Framework by coolnicks · · Score: 4, Informative

    There is also Sender Policy Framework (http://spf.pobox.com/), this is very simular to SenderID but it has the majour advantage that its open source, agreed microsoft is trying to push SenderID down everybodys throats, I myself publish SPF on a number of domains and it does a good job. The more people that use SPF the more power it will have over SenderID.

  6. Re:Let MS do it... by DrEldarion · · Score: 4, Informative

    If anyone had even bothered to read the linked article, they'd see that it said MS would "flag it as potential spam". They wouldn't just stop getting it.

  7. The problem... Meetings by Alex+P+Keaton+in+da · · Score: 4, Insightful

    One of the main problems with this, in my OPINION, is that corporations can't keep up with individuals. It is sort of like how Geurrilas, from the time of the US colonies to Vietnam, have been able to put a hurting on huge armies.
    Corporations aren't as light on their feet as spammers and internet miscreants (for the most part- I know I am speaking in generalities).
    It takes many meetings over years it seems (Meetings- None of us is as dumb as all of us...) to come up with a new policy or system regarding spam etc.- commitees are formed, proposals made etc. Then, someone (or group) without meetings, without authorizations, comes up with a way around the new system.
    As has been said a zillion times before on here, by people more intelligent than I- the only way to stop Spam is to make it not pay, by having no one respond to it. It is like Drugs or Prostitution- if there were no client base, there would be no sellers....

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
  8. SPF doesn't prevent spam by jaredmauch · · Score: 4, Interesting
    SPF helps with virii and phishing. eg: someone connecting saying they're billyg@msft.net from a dsl line in bellsouth land. If i'm evilspammer@example.com, I can just publish my SPF records in the same way you do, as long as i send from example.com's authorized SPF records it'll be good.

    You're just saying that it's a valid domain-name, but as soon as someones dns servers or smtp servers are rooted, you'll have spam again. The good thing is it'll help let legit people you do business with (eg: your Bank, CC company) say that a message was authorized by them, or at least by the SPF rules.

  9. 90% of messages spam by aardwolf64 · · Score: 4, Funny

    Lets see... If we write a tool that immediately filters 100% of all e-mail, we can claim that our "Spam filtering tool" gets 100% of Spam with only a 10% false positive rate. Excellent!!!

  10. Re:Let MS do it... by maotx · · Score: 4, Informative

    Actually, what we need is a messaging protocol that isn't tied to some website.

    Jabber anyone?

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  11. MS is just eliminating competition... by FriendlyLurker · · Score: 4, Interesting


    I have used Hotmail for years for communication with "untrusted" sources. In the last 3 months I was forced, regretfully, to let the account die... Hotmail-Microsoft had begun to allow "legal" spam through to the hotmail account. Week after week, the same spam messages over and again was forcing me to check the account. Marking the emails as spam had no effect, I would get the exact same message the next day-week-month, same email address and all.

    I complained, and was told I could use filters for those un-markable spam items. Yeah, right.

    Advantages to MS for letting "authorized" spam through
    - They get paid, probably very well, to send spam to all hotmail accounts.
    - They increase page impressions and advertising revenue forcing hotmail users to check the site when notified of waiting emails.

    A Great Idea(TM), something an Accountant more than likely worked out, looks oh-so-great on paper, congratulations.

    What they cannot measure is how pissed off I got, and in the end abandoned their system permanently, advising all clients, friends, relatives to use another service for their web based email address. (I have had no such problems of ausorized spam with Yahoo/Gmail... yet).

    My conclusion, MS does not give a rats arse about how much spam we are forced to look at... they just want to be on the spam generated profit gravy train via "legalized" spam, and don't want freeloaders competing with them to deliver it.

    Kalori.

    -
    No sig. is a good sig.

  12. Greylisting by Sanity · · Score: 4, Interesting
    If you run a mail server, and you aren't greylisting, then you need to be.

    Its a simple idea whereby your server exploits the fact that most mail servers obey the SMTP standard, while most spam sending software does not, to only accept mail from servers which behave properly. Plugins are available for most popular mail server software.

    I implemented this about 6 weeks ago and noticed a dramatic and immediate reduction in spam, perhaps better than any other single anti-spam measure.

  13. No single technology.. by Ckwop · · Score: 4, Interesting

    No single technology will bring spam under control. It's going to take a blend of technologies, namely:

    1. Spam filtering.
    1. Preventing forged headers.
    1. Making e-mail sending computationally expensive.

    The first campaign, spam filtering, has worked with resonable success. Spammers now have to send a lot more e-mail in order to reach their customer base. Of course, e-mail is cheap to send so this hasn't changed the economics of the situation dramatically and army of slave machines that they've hacked make getting a lot of CPU power fairly straight-forward.

    The second campaign on which we are embarking is designed to reduce this army. How effective this will be only time will tell. The principle is concern is about throw-away domains be a problem.

    If I set up a domain and tell the SPF address to allow any machine on the internet to send mail then i've totally destroyed the value of SPF. However, it's value in controlling pishing should not be underestimated.

    The final campaign in my list it the nuclear option: Using CPU time to create digital stamps. The idea behind this is to take the hash of your e-mail (complete with subject, addresses etc.) then brute force a collision of the last 20 bits of the hash. For the normal user, this wont cause a noticeable slow down, for a spammer it will probably destroy their business model.

    The drone armies will be cut down to size. Rather than sending a couple of hundred messages per second they may be able to manage one or two. The CPU load on a drone would be so high as to make the PC unusable and the users of these hacked machines would have to start taking notice: they will have to get their machines fixed. If spammers wanted to send messages directly they would now need supercomputers.

    There are disadvantages to the above approach. Mobile devices would take a long time to mint a stamp. This can be combated by setting special rules for the SMTP servers that forward messages from mobile devices.

    The same problems also exist for third-world countries where they might be running significantly slower machines. However, even if it took 15 seconds to send an e-mail, I think that's an acceptable price to pay for the service.

    Overall, I think the real answer lies in the combination of these three schemes. I believe there is a "critial point" in the fight against spam. Once you start to tip the spammers from profit to loss we will start to see huge reductions in spam. The only way to achieve this is to put the cost on the spamer. Electronic stamps are the way to do this.

    Simon

  14. Re:Hashcash for mail would be better by Alioth · · Score: 4, Insightful

    The trouble is many spammers are now using networks (say, 50,000 or more) of pwned Windows zombies. They are doing it on a huge distributed network - they don't care if calculating a hash slows them down. If each zombie only sends 100 emails per day, that's 5 million spam emails sent. You'd have to have an insanely long calculation time to make a dent on a zombie network.

    --
    Oolite: Elite-like game. For Mac, Linux and Windows