Slashdot Mirror
Postfix's Creator Outlines Spam Solution
SATAN writes "Wietse Venema started out as a physicist, but became interested in the security of the programs he wrote to control his physics experiments. He went on to create several well-known network and security tools, including the Security Administrator's Tool for Analyzing Networks (SATAN) and The Coroner's Toolkit with Dan Farmer. He is also the creator of the popular MTA Postfix and TCP Wrapper.
SecurityFocus chatted up Venema to talk about software security, how to improve the code quality, what solutions we might have to fight spam successfully, the principle of least privilege, and the philosophy behind the design of Postfix. Venema is currently a researcher at IBM's T.J. Watson Research Center."
Just get everyone to sign their mail including companies that send you receipts and opted in spam.
I would be happy if I could reject any mail that is not digitally signed and then manage the signed mail by signature.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
Google have experienced mail-administrators, while your work has someone who knows how to point and click?
Let me get this straight. Two men help strangers to use free software and you are calling one an ass because he wants to 1) share the results of a fix with future users of the group, and 2) avoid flowery 'thank you' follow ups because he has high pressure work to do (there is no other kind of work at Morgan Stanley). Is that the jist of it?
Think global, act loco
I wish the Linux platform had a "one solution" product for these services. The services pegged to Postfix that I am talking about include: -
Mailman/Mailing Lists, Autoresponders, Greylisting, POP3/IMAP, unlimited domains, Sender Policy Framework (SPF), per-user filtering, per-domain policy rules, ClamAV virus, Filtering and Spamassassin Spam Filtering.
Getting these to flawlessly get set-up from scratch is a feat in itself. Why don't we have such a product? I am no coder so I cannot do much except reporting problems.
I imagine a single script a user can run then have all those services running within parameters to be supplied. Linux folks are capable of a lot more so this should not be that difficult.
Just forgot! Add a calendering application [of your choice] to the above line up.
I think he is talking about reliability in that every email sent gets to its destination. Right now, email can be blocked as spam. It doesn't matter whether you do the blocking at the SMTP level or not, it is still being blocked including some legitimate emails. If legitimate email is being blocked for any reason, it means the service is not reliable. Your caveat "As long as YOUR email admin handles error messages in any sane way" doesn't solve anything since the person sending the email is usually not responsible for how their email server is configured. Meaning that for them, the service is either reliable or it isn't. This ultimately means that if someone's legitimate email gets blocked by you/your server for some erroneous reason, that your email server is not reliable, and less so than in 1998. The article is saying our current anti spam counter measures are what is making email less reliable.
-- I ignore anonymous replies to my comments and postings.
Getting these to flawlessly get set-up from scratch is a feat in itself. Why don't we have such a product? I am no coder so I cannot do much except reporting problems.
I imagine a single script a user can run then have all those services running within parameters to be supplied. Linux folks are capable of a lot more so this should not be that difficult.
... because mail IS complicated, and each of these products has its own quirks and gotchas.
Someone who cannot be bothered to read the teeny fraction of relevant documentation necessary to properly set up this software probably has no business administering it (especially on a production network). Since a poorly configured mail server really has the potential to piss thousands of people off around the planet, I'm actually content with the current state of affairs...
P.S. you are looking for a product called Microsoft Exchange. It has nice big buttons you can point and click on. Luckily the costs involved and the presence of an official certification program serve as an effective barrier to entry for most amateur admins.
For some reason many people prefer to have polite, useless help than have someone who directly solves their problem without a bunch of extra words on the side. It boggles the mind, and it's a large part of why I significantly curtailed the time I spend helping people work through their problems. For some reason, a whole lot of people with questions get angry with people who ask things like "what are you actually trying to do here?" or who tell them that their whole approach is wrong, but are perfectly fine with people who go along answering questions politely and wrongly for dozens of messages.
If you mod me Overrated, you are admitting that you have no penis.
No, it's the hypocrisy and self-righteousness involved in adding eleven lines onto every email you send to tell people you don't want them sending you redundant information in emails.
I am trolling
This man is a God-Damned genius:
"...The technical arms race will continue unless politicians and law enforcement join the battle with effective measures that work across national borders.
This observation has led me to conclude that the spammers aren't destroying the email infrastructure, it's the well-meaning people with their countermeasures."
Yes! Yes! Yes!
As a system administrator, I can't tell you how many times a failure to receive a customer's e-mail was due to a poorly-configured junk scanner on the customer's network.
And fighting spam is indeed a two-pronged approach. Sysadmins AND politicians need to be proactive about fighting spam. Spam is an issue that affects communications, especially business communications, with unacceptable severity. It's time for politicians to do their fair share.
The pull model really isn't a good idea, because that is what spammers are already trying to get people to do. They want you to open the email and click the link. A pull model just makes that automatic. Not to mention all the marketing people (pseudo-spammers) that would just love to know which of their recipients actually look at their emails, and how long they look at them, etc. I already get mailings (alumni stuff, etc) that are just links to a web page where I can read the actual letter.
And of course, "just use gmail" isn't really a solution. It only works until someone figures out how to get through gmail's filters, or Google really sells out and starts allowing select "partners" to advertise to members directly. Though there is some irony in the idea that you can avoid email advertising by using a system that has ads in the email viewer. I'm not saying anything bad about Google or gmail, just pointing out the irony :)
"Save the whales, feed the hungry, free the mallocs" -- author unknown
Yeah, it's really mind boggling how people dislike being insulted and patronised. Idiots.
You know, even if you're doing something good, if you do it with ill temper and lack of grace, you're still being an arse.
One email every 3 seconds is not a difficult task, unless you work for a lawfirm that likes to email around PDF attachments running in excess of 100 MB. Then we'll talk.
-l
Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
What stops a spammer from grabbing the signing keys and using them to their heart's content? Remember, most spam comes from botnets and they're not exactly technological idiots.
How do digital signatures allow easy harvesting of email addresses?
Certificates must be centrally stored or related to a trusted central authority. With this, you only have to break that central authority to get all the valid e-mail addresses. In addition, if all e-mail had to be signed, then people wouldn't be able to use throwaway e-mail addresses as easily, so every "give us your e-mail" would mean that a valid e-mail address was being harvested.
Few organizations on this planet have the resources to brute force a valid bogus digital signature, and no one can do it on the sort of scale you'd need to send spam.
You are thinking about forging e-mail, which isn't the problem. Spam could have a valid signature without being from someone you know. Like current spam and phishing, it could be from someone you might know.
Easy to obtain, in that we really only need the mail server admins to cooperate, then everyone (who wants to get their email) will play along pretty damned quick.
Once you finish that "easy" task, could you get to work on the trivial problems of a portable fusion reactor, transporter technology, and faster than light travel?
Armies of worm riddled broadband-connected Windows boxes - Can spam as much as they want, it will never get read.
The bot that controls a Windows machine probably also would be able to control the certificates the user had for sending e-mail. Thus, signed spam from people you trust.
Joe jobs and/or identity theft - Would require either knowing their private key, or even in the easiest case, physical access to their machine.
Cruise on over to Verisign and see just how easy it is to get a certificate with an e-mail address that isn't yours, and Verisign is one of the better at checking it. Also, read what I wrote about bots infecting the machine.
I don't want the government reading my email - So add full-message encryption basically for no extra work. And they can read your email now, so how would this make it any worse?
Because today there isn't a central certificate authority that is required to be used by everyone sending e-mail. This idea would make that a reality. That CA would have all the private keys for all the certs in a one-stop shop for the government. Encrypting wouldn't do any good, because it would be done using one of the same keys that was available in the CA.
The problem with this guy browbeating others into not thanking him on the mailing list is that idiots like me, who don't subscribe to postfix-user, have no way to browse the archives a year later and be able to differentiate between questions that have working answers and questions that the asker just gave up on. That means I'm gonna ask him the same question again, and I'd bet a dollar that he'd remember answering it the first time and just tell me to go check the archives instead of wasting his time. And if he gives bad advice with anywhere near the frequency that your parent's post mentions, then I sure as hell would like to know when any of his posts actually lead to a useful and working solution to a problem so I can ignore the others.
It's not my job to make life easier for anyone's email filter. His need for an uncluttered inbox is trumped by the need for the community to archive useful information.
the coolest club on
The problem is that they take direct talk for insults, and direct answers for patronizing. People come onto these lists with the attitude that they're smarter than everyone, yet somehow they still need help. If your question is wrong then it's in everybody's best interests if someone points out that the question is wrong and guides you on how to approach things better, and it's in nobody's best interests to take it at face value and be happy and polite while leading you both into darkness.
If you mod me Overrated, you are admitting that you have no penis.
Actually, if someone deals with the unwashed masses regularly, it might be a good idea to learn some manners and/or diplomacy. There's no excuse for being an asshole, not even being ridiculously intelligent and having to deal with real idiots. Everyone has stress in their lives, and it's like geniuses can't be bothered to deal with it gracefully. Quietly ignoring the "it works, thanks" e-mail saves just as much time, without alienating the person with his first response.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
If you don't get the "it worked" follow-ups to the list, others looking through the list archives trying to resolve the same issue don't know whether a) the proposed solution really worked, or b) the person just gave up or resolved it another way. It's unfortunate that Viktor doesn't understand confirmed answers are therefore useful for reducing his long-term support workload.
Not that Spelling Nazi's are prevalent here or anything, but...
Spelling Nazi's what?
Stop Computers/Cars Analogies on S
why do you see politeness and usefulness as a dichotomy?
Is it so hard to be polite and helpful?
Is it so hard to always be polite?