Earthlink Deploying Challenge-Response Anti-Spam System 520
deliasee writes "The Washington Post reports that Earthlink is preparing to offer new spam filter technology that requires sender authentication. AOL is still concerned that such technologies will put too much burden on consumers." The day after it's deployed, every legitimate mailing list on the planet will get challenges from all the Earthlink subscribers...
Nice moves (Score:4, Interesting)
I was hoping more ISPs would adopt the challenge-response system, like MailBlocks [mailblocks.com], previously featured [slashdot.org] on Slashdot. Way to go Earthlink! If I was interested in dialup, this would be a big selling point for me. I'm still waiting for a service that offers the challenge-response feature of MailBlocks but allows me to forward to my existing provider. I mean, a 12MB inbox is pretty lame. There are free providers [fastmail.fm] that can give me that much space...
Intrusive and Easily Fooled (Score:4, Interesting)
Then, I give the address to all my fellow spammers and we use it until it dies. Then we make a new one.
Gee, that was tough.
How about mandatory authentication instead? Or even better, program all routers to only allow properly signed outgoing packets. Spam and hackers disappear overnight.
Michael's comment (Score:5, Interesting)
As a network admin, many of the remote users I support (sales reps, on-the-road types) use Earthlink dial-up while travelling. At times, some of the program's that Earthlink has used to stop people from using their services to spam have make my job harder. However, I do not begrudge Eartlink for these inconviences, at least they, as a major ISP, are doing *something* about this problem.
My two cents,
-- RLJ
Response... (Score:1, Interesting)
Results:
1. Spammers get free AUTOMATED account verification.
2. The load on the email system doubles.
Conclusion:
Nice "solution" dumbass.
Needs to be 'hard' in some way (Score:4, Interesting)
- Make the challenge 'AI-complete', that is, to give a correct answer you must be a thinking human being and not a computer. But then how can the other end check that the answer is correct? Having humans generate a fixed number of questions and provide sample answers also isn't going to work, since spammers will learn the correct answers. You need a way to generate an unlimited number of questions and to mark the answers automatically, and clearly this can't be done if the questions are intended to be too hard for a computer.
- Make the response computationally burdensome, so a computer can do it but only at the cost of some CPU power (so large bulk mailings would be impractical). This is what Hash Cash [cypherspace.org] and similar systems suggest.
It looks like Earthlink's system will rely on sending pictures you have to look at. Apart from the practical problems of clogging the wires with image files, I worry about OCR potential. The examples of this stuff I've seen on Yahoo, where you have to type in a number shown in a partially 'obscured' image, wouldn't have been difficult to develop OCR software for if you were so minded.
There's also the question of the spammer taking the challenge and sending it out to some other user. That user, by now used to replying to challenges from Earthlink and other addresses, will respond to the question and send the correct answer back to the spammer. D'oh!
Re:How do two people with C/R communicate? (Score:3, Interesting)
> If the challenge always gets thrugh, then the spammer will just issue cahllenges as spam.
> If they don't get through, then you would have a nasty mail loop.
In TMDA [tmda.net] (a challenge response system in python) at least, when you send a email to somebody, they don't get a challenge when they answer. It's logical because if you send him an email, you know he will not spam you
So i assume earthlink system will act the same.
Re:Correction (Score:5, Interesting)
A simple rule is: Headers can be forged. Don't trust anything in the headers for antispam purposes. This includes the sender and recipient.
Re:How do two people with C/R communicate? (Score:4, Interesting)
Re:Now the spammers get address validation for fre (Score:4, Interesting)
I'd guess there system is pretty effective.
I assume (Score:4, Interesting)
One question: shouldn't it be REALLY OBVIOUS to ISPs what is spam and what isn't? It seems that if a nearly-identical message gets sent to a large enough percentage of their users, it's clearly spam. Is this hard to do? Are spammers clever enough to distribute emails to avoid this?
Relative speed (Score:4, Interesting)
Earthlink offers DSL and cable. I'm using it right now.
I am definitely in favor of a little pain up front in increased traffic from challenge-response to get the spam boys off the net.
I suspect that when the spammers stop sucking up so much bandwidth, net speeds will increase for everyone--including dial up users.
Remember when 14.4K was fast? So do I. And I think with a correction in the system, it can be a decent speed.
Challenge Response Works great (Score:1, Interesting)
Filtering instead of Blocking (Score:2, Interesting)
This way, If I get monthly newsletters from donotreply@... and I want to keep getting it, i can approve that email. After about 3 months of this type of filtering and I would probably have approved everything I want to receive. Then, I could turn it back to blocking instead of filtering.
-the Hun
Adaptive teergrubing anyone? (Score:5, Interesting)
A residential broadband customer mailing through his ISP's mail server is whitelisted (most stuff from that server is nonspam). An rr.com luzer with an open proxy is tarpitted into oblivion (everything else in 24.0.0.0/8 is spam). Yes, Joe Linux running (non-relaying) Sendmail on his Linux box is also tarpitted, but he's not trying to send a million mails a day. So he's not hurtin'.
I can see a scaling problem in that you'd have to run some sort of adaptive filtering process on the receiving end, which might be prohibitive CPU-wise. OTOH, if you only scanned 1% of all inbound mails for "spamminess", you'd still rapidly figure out that for a US ISP, 24.0.0.0/8 is an ocean of spam with a few islands of real email, and 200.0.0.0/7 is a shitstorm of spam. You don't need to analyze every inbound mail - you only need a statistically-valid sampling of the inbound mail queue to figure out which netblocks are teh sux0r.
Having it be adaptive would be cool - because a South American ISP (which probably has less of a problem with 200.0.0.0/7 than, say, Earthlink does, because they have legitimate users emailing each other from within those netblocks). So an ISP in .mx would end up with a different set of teergrubing weights. They might end up letting most of 200.0.0.0/7 in, only tarpitting the worst /24s, and teergrubing all 24.0.0.0/8 because so few of their users get anything but spam from rr.com netblocks.
Think of it as combining the best part of SPEWS (naughty netblocks are noticed semi-automatically), without as much collateral damage (if you're an ISP, a 10 second delay to anyone emailing one of your customers from a naughty netblock will never be noticed, but it'll *kill* some dirtball trying to spam to 10000 of your users through an open proxy.)
Re:How do two people with C/R communicate? (Score:4, Interesting)
That's not true. There is an approach where you show a "proof of computational effort"; that is, your computer spends 10 or so seconds computing the response to a challenge. Here's a paper [microsoft.com] on the subject.
Re:Nice moves (Score:1, Interesting)
I think Mailblocks is the perfect example of a company the /. crowd would hate: rich guy comes into the market late, drops a bundle of money, scoops up some shaky patents, and tries to sue/shutdown their competitors (some of which have been in business for over a year longer than them).
By the way, Spam Arrest [spamarrest.com], one of Mailblocks' competitors (and currently being sued by Mailblocks) has no disk quota. (10 MB max message size though). Their enterprise product will forward messages through to your smtp server. A little pricey, but good for businesses.
Matador [mailfrontier.com] also does challenge-response (in addition to filtering) but runs on your desktop, if you are into that kind of thing.
Yes, I've done a lot of research into the anti-spam products!
I used to use this... (Score:2, Interesting)
Don't even get me started on all those damn email card companies - lots of missing Easter cards because dumbassonlinecards.com wasn't in the whitelist and again, noone is going to send confirmation mails from an automated system.
The whole thing got dumped. Back to SpamAssassin, which causes far fewer headaches. Fortunately, this Earthlink deal is an opt-in system. I couldn't stand to use it myself and I bet few customers will live with this long-term.
Um, the blind? (Score:4, Interesting)
micro payments (Score:3, Interesting)
I'd like to suggest a way this could all be done automatically, so transparently your an AOL grandma could do it, and almost non-intrusively. Like the lessig-style stamp, all users would be charged say 0.01 cents to send ME an e-mail. but I would automatically refund this payment if either 1) the sender was in my addressbook/whitelist or 2) I did not file the e-mail in my junk mailbox.
what is needed is some sort of distributed postal service to handle the actual micropayments. And this is the main problem--how to collect these. I think the least intrusive method is that when you get an e-mail account you put down a pre-payment, lets say $10 on account at the postal service. when you send messages that are welcome your account is not depleted. when you send messages that aren't it slowly drains.
the cost of the postal service ditributed servers could probably be paid for by
1) the charges for unwanted e-mail
2) interest on the deposits on account.
thus people would be willing to set up these servers.
the final missing ingredient is a centralized server that coordinated the actual postal servers. all this would be would be like a DNS that told all of the remote servers the names of the other ones so they could communicate account info.
the transactions themselves would be in number about twice as the number of e-mails handled (one to the post office from the first ISP to receive the mail to validate the payment code in the header, one from to the postal service me to authorize refund/no refund), and the accounting message size very small.
Perhaps this is a rotten idea. its main benefits are 1) its not intrusive and is nearly transparent 2) it pays for itself 3) requires changes only at the browser level.
I does not stop spam from showing up in my inbox, but makes it very expensive to mass mail.
flame on! or suggests problems and their solution.
Calling all perl wizards and poor college kids! (Score:3, Interesting)
How many lines will it take to write a script to automatically reply to challanges? As long as the messages have predictable structure, you should be able to write a parser to pick out the word or picture they want, then throw it back.
College kids: Are you bored, broke, and of weak moral fiber? You too can make money while sitting on your ass by replying to email challanges for the princely sum of 3 cents per message! Combine the first suggestion with the second, and you've got yourself a money machine.
It's great to see an ISP take some decisive steps, but this scheme has weaknesses. Interesting to see how it goes. Despite the concerns, I'm cautiously optimistic.
As a twist, it would be interesting to see how that anti-spam vs. spam lawsuit with the copyrighted haiku goes (don't recall the parties names, but it's gotten coverage here). Maybe something similar could be combined with the challange-response system to make it illegal to respond to the challange under false pretenses. Raises a few slippery-slope legal issues that if you're going to touch, you might as well criminalize spam outright (which would be fine, of course).
Re:How do two people with C/R communicate? (Score:3, Interesting)
Re:Too drastic? (Score:3, Interesting)
I agree. It's so simple yet so effective. It really makes me wonder why people invest time and money in silly, less-friendly and potentially less-effective solutions such as C/R.
it seems to rate the spam based on its content, which no spammer can get around.
They're starting to try. When they start breaking up words so that "cock" is "c.o.c.k" they're making an effort to avoid filters, but also are addressing the Bayesian filters since that will normally get broken up into 4 tokens, one for each letter. Of course, if they do it enough then a single token "c" might actually become a commomn characteristic of spam for that user.
Anyway, Bayesian works great now. I think spammers will evolve to deal with it, but all that is necessary is to implement new token-identifying logic in the Bayesian filter... the Bayesian approach itself is very solid.
It's a hell of a lot faster to do than actually placing calls to people and talking to them, and people
I agree. I suspect you will see spammers actually analyzing the C/R responses. If it's something the software has seen before and is capable of responding automatically, it will. Those that it can't will be forwarded to someone to quickly deal with it. If some of the megaspammers make as much as they supposedly do, hiring a teenage kid at $6/hr to spend the day answering C/R responses is not a huge investment.
Bayesian Filter + Challenge Response (Score:2, Interesting)
Precedence: Bulk (Score:4, Interesting)
Once the spammers are obliged to label their stuff "bulk", half the battle is won. Then they start collecting a "white list" of legitimate mailing list sources, and label every bulk message not on it as "suspected spam" and dump it in a separate folder.
Re:Too drastic? (Score:3, Interesting)
See "Guarded Email" paper (Score:3, Interesting)
Guarded email completely deals with some of the problems noted in these comments:
Could help slow some worms, viruses. . . (Score:3, Interesting)
Re:Adaptive teergrubing anyone? (Score:3, Interesting)
Great article, wish I could post a link. To your point... wouldn't this guy have been automatically whitelisted?
Re:Too drastic? (Score:2, Interesting)
Oh, I'm sure they'd start using actual return addresses... at yahoo, hotmail, etc. As long as they (the free email accounts) last long enough to collect some challenges that's all they need. Even if the accounts are closed by hotmail you can still send email "from" that account.
C/R doesn't even have a chance of working large-scale while there are free email providers such as Yahoo.
And even if it does, as someone else said, you just start sending spam with email addresses that have a high chance of being whitelisted. orders@amazon.com, orders@cdnow.com. So now instead of sending 1 spam to each user they'll send the same message 100+ different times from different addresses that they have concluded are more likely to be whitelisted in the hopes that one of them actually is whitelisted.
At best, C/R doubles spam traffic by generating a C/R request for each spam sent--now instead of just getting bounces sent to some poor innocent victim, the innocent victim will get bounces plus thousands of C/R requests. At worst, spammers will take the brute-force approach mentioned above of sending hundreds of copies of the same spam to every user using different "common" whitelisted email addresses. Either way the spam problem arguably gets worse, not better.
Blindness (Score:4, Interesting)
One problem with this system. (Score:3, Interesting)
I can see this being a big problem. In my experience, people only get spam if they have done one of several things:
1. Published their email address on a web page to be picked up by harvesters.
2. Given their email address to an online retailer that sells it.
3. Signed up for some spyware scam where they again give their email address to someone that will add it to a spam list.
4. Opened a Hotmail account, which, it seems is automatically sold to all the various spam providers.
In almost all of these cases, the act that caused spam to be received was the user giving out their email address to a non-trustworthy source.
How is having a second email address that people will just type into any webpage that promises free porn and bypasses Challenge/Response going to curb the spam problem? I give this system only 1-2 months before spam is back at it's initial volume, just using the new email address instead of the old.
You need to also educate users about the problems of giving their email address out to unreputable places on the net. A lot of users don't correlate their spam problem with the fact that they typed their email address into some website to get a free porno password the night before.
Re:Too drastic? (Score:2, Interesting)
Personally I use a combination of SpamAssassin's bayesian abilities along with TMDA, a challenge/response system. I only require confirmation for messages that SpamAssassin identifies as being over my threshold of 5. In my .tmda/filters/incoming file I have the following rule:
pipe "/usr/bin/spamc -c" ok
That means that if SpamAssassin says its clean, then no confirmation is required and TMDA delivers the message to my inbox.
Simple, effective, the best of both worlds.
Re:Relative speed (Score:3, Interesting)
I have a feeling if you saw pages designed for 14.4 today, you'd be deeply disappointed.
Re:Nice moves (Score:3, Interesting)
Hardly. If you're on Earthlink and decide to opt-in for this, it simply means that everybody you know has to send you one extra email once.
And that every time you get spammed from a new address (read: constantly), the system fires off another confirmation email from you. It effectively doubles the number of network connections spam generates.
Re:How about another approach... (Score:2, Interesting)
If self-signed certificates would be allowed, then spammers would make their own. So that can't be allowed.
If they are prompted, as you suggested earlier, it would inevitably lead to people who just ignore invalid ones, because they are sick of being prompted. My little mail server gets creamed.
Nice idea, but unless you get Verisign to give away free certs, I can't see it working.
An alternative solution? (Score:3, Interesting)
Re:How do two people with C/R communicate? (Score:2, Interesting)
Otherwise, a spammer just sends one message from an address, responds to the challenge, and then spams away.
Or am I misunderstanding it?
Re:You can do this yourself. (Score:2, Interesting)