Slashdot Mirror


'Leak-Proof' Anti-Spam Solution?

sikandril asks: "In an effort to help the Internet community and user-base at large in fighting spam, I have decided to put up this white paper for public review and remarks. As you will see, the system provides an almost 'waterproof' solution to spam blockage via an opt-in system. The main drawback is that everyone (except spammers or other evildoers) has to have this installed in order for it to work perfectly. A small number of installs means that unknown legit contacts still might show up as spam, albeit only for the first e-mail and/or until they too elect to install the software. I'm an independent developer located in Israel, and would love to hear your ideas regarding this."


  1. That reads like a patent by Bloater · Score: 2, Insightful

    From TFA: "In an effort to help the internet community..."

    Bollocks, this is an attempt to get investors. What's the patent number?

    Am I a cynic? Hell yeah!

  2. Obligatory... by LiquidCoooled · Score: 5, Insightful

    This article advocates a

    (x) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work.
    (One or more of the following may apply to your particular idea, and it may
    have other flaws which used to vary from state to state before a bad federal
    law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (x) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential
    employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (x) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    (X) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    (x) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever been
    shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    (x) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.

    --
    liqbase :: faster than paper
    1. Re:Obligatory... by thorndove · Score: 2, Insightful

      You went too easy on him

    2. Re:Obligatory... by Skreems · Score: 2, Insightful

      Your plan completely fails to account for ISPs which either can't or won't screen properly. Want to make some money? Set up an ISP that implements the cert structure, and allows spammers. Want to run a free webmail service (hotmail/yahoomail/gmail)? You damn sure better make sure your users can send as non-spam... except of course, these get used to generate spam addresses, and Google doesn't have time to check out every new account for validity.

      The one thing your plan does do is prevent spoofing, but that only works if the public keys are kept secret, in which case they don't work. Within days, these public keys will be circulating along with email addresses on spam lists, and the entire thing is useless.

      --
      Slashdot needs a "-1, Wrong" moderation option.
      The Urban Hippie
  3. Completely unbreakable! by FordPrfct · Score: 3, Funny

    According to the article, this system is completely unbreakable! Unless, of course, the spammers decide to do things that are against the law.

    Heck, since we know that all spammers are good, law-abiding citizens, why don't we just pass laws against the spam, instead of trying to convince everybody in the world to use the same mail client?

    --
    This signature carefully hand-crafted from recycled electrons.
  4. Doh! by Limburgher · Score: 2, Funny

    Would-be spam fighter posts email address on public internet, gets linked to by /.

    Oops!

    --

    You are not the customer.

  5. Yeah, sure by e_AltF4 · Score: 2, Funny

    EVERYONE has to change to a NEW SOFTWARE/PROTOCOL and trust a CENTRAL SERVER controlled by a CENTRAL AUTHORITY and spammers have to STOP USING FAKE DATA and STOP USING BOTNETS (and probably all of us have to LICENSE THIS TECHNOLOGY).

    I clearly see this could work - NOT.

  6. Somebody get these guys a clue... by FordPrfct · Score: 4, Insightful

    From the article:

    "6. Sixth, the system provides additional security and control over computer viruses which spread by e-mail - Client (1)'s connection with Server (2) is much harder to hack into than simply taking control of a regular e-mail client. Large and suspect amounts of key (4) requests from suspect client (1) can simply be blocked at the server level."

    Who said anything about hacking "the connection"? Once we have everybody using the same client, I am sure it is only a matter of time before somebody finds a vulnerability in it, and crafts a virus / trojan to take control of it. And you *know* that people will open it up. "It came completely verified from somebody on my whitelist! It can't be faked or a virus!"

    So Mom gets infected. It sends to everybody on her list. Because it was verified, it gets through to all of them, and they open it. Then to all of their friends. And so forth and so on. Not enough key requests from any one client to result in a block at the server level, and impossible to get ahead of it without blocking a significant portion of your userbase.

    Congratulations. You've reinvented Outlook, and given people a better reason to click on that attachment and perpetuate it.

    --
    This signature carefully hand-crafted from recycled electrons.
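The reasoning in the comment above, as an added simulation that is not part of the comment or of the white paper: a message that spreads only along whitelists generates, per client, no more key requests than that client's normal contact list, so a per-client block threshold at the server never fires. The population size, whitelist size, threshold and the ring-shaped contact graph are constructed assumptions.

```python
from collections import deque

# Constructed parameters (assumptions, not taken from the white paper).
USERS = 1000            # clients registered with the key server
CONTACTS_EACH = 20      # whitelist size per client
BLOCK_THRESHOLD = 100   # key requests per client before the server blocks it


def build_whitelists(n, k):
    """Ring-lattice contact graph: user i whitelists its k nearest neighbours."""
    half = k // 2
    return {i: [(i + d) % n for d in range(-half, half + 1) if d != 0]
            for i in range(n)}


def simulate(whitelists, threshold, patient_zero=0):
    """Spread a verified-looking message along whitelists; count key requests."""
    requests = {}               # client -> key requests seen by the server
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        sender = queue.popleft()
        for recipient in whitelists[sender]:
            if requests.get(sender, 0) >= threshold:
                break           # server-level block applies to this client
            requests[sender] = requests.get(sender, 0) + 1
            if recipient not in infected:   # recipient trusts verified mail
                infected.add(recipient)
                queue.append(recipient)
    blocked = [c for c, r in requests.items() if r >= threshold]
    return {"infected": len(infected),
            "max_requests": max(requests.values()),
            "blocked": len(blocked),
            "total_requests": sum(requests.values())}


def run_default():
    return simulate(build_whitelists(USERS, CONTACTS_EACH), BLOCK_THRESHOLD)


if __name__ == "__main__":
    print(run_default())
```

With these numbers every client ends up infected while no single client exceeds 20 requests; the only visible signal at the server is the aggregate request volume.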
  7. Yikes by TheSHAD0W · Score: 2, Insightful

    The proposed solution relies on a centralized authority producing new keys for each person periodically, which is a recipe for disaster if a billion users sign up for it.

  8. Re:DIGG by jessecurry · Score: 2, Informative

    http://www.craphound.com/spamsolutions.txt
    that should work... I already gave it a digg

    --
    Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
  9. Actually, spam filtering is working pretty well. by Animats · Score: 2, Interesting

    Spam filtering technology is now working pretty well. That's what's driving this new "sender pays to bypass the filters" stuff. The spam filters don't care if there's some excuse under CAN-SPAM to let it through; they just recognize it as bulk mail selling something and delete it. Sellers hate that. Which is a good reason to keep the filters honest.

    The real effect of CAN-SPAM has been that most spam either gets deleted by filters, or involves a felony by the sender. The remaining spammers are either selling drugs illegally, trying to manipulate the stock market, or running a scam. That's ordinary law enforcement work, and it's now routine to hear of spammer arrests and convictions. We used to just have ineffective civil suits. That's over. Now they're doing hard time. It's not a safe business to be in any more.

    SpecialHam.com is still up, and the usual suspects are still at it: "Looking for people with botnets to run ads! pm me for more details". But it's clearly a board for the clueless now.

  10. SpamAssassin's one problem: near perfection. by khasim · Score: 2, Interesting

    The only problem with SpamAssassin is that it is ALMOST perfect.

    Most of my users have set up rules so that the stuff SpamAssassin tags is automatically dumped into their trash. But they don't bother checking their trash much any more. They expect the system to always be right.

    Which still leads to the situation where someone thinks you've received their message but you haven't read it because it scored just over the spam level and it's sitting in your trash can.

    I would prefer a system that rejected messages at the SMTP connection time rather than one that tags suspected spam after accepting it. I run Exim4 at work and it does pretty good. Of course, I still run the messages through SpamAssassin. We're down from 80% of all accepted email being spam to only 5%.