Microsoft Researching Anti-Spam Technique
Tim C writes "Microsoft's Research group are working on a technique to combat spam. Dubbed the 'Penny Black project', it involves making email senders perform a computation taking around 10 seconds, which their recipients can then check for. This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years." We've reported on this before.
Re:Question... (Score:5, Informative)
Not exactly a monopoly here as anyone else can implement it.
Tom
Re:10 seconds (Score:4, Informative)
The research this is based on [presented at Crypto '03] is designed to level the difference between a P4-3000 and a P2-233. They use problems where cache hits will be lower [e.g. use an 8MB buffer or something] so you end up computing at the speed of your memory bus.
If you had done some research before posting your crap you'd know this.
Tom
Re:Spammers don't use their own computers (Score:2, Informative)
Let's say you leave your gun safe unlocked and someone comes in and takes your guns and kills somebody. You're going to get sued for big moneys. If you leave your computer "unlocked" and someone sends spam with it you should be held accountable in some way.
Spam is an international problem and is very difficult to stop. But there are known spammers in the United States. Make a law that punishes them with federal prison time. Then enforce that law and lock them up. Spam won't go away, but it will definitely decrease. To solve spam on the international level we will need a new international organization that governs the net. They tried, but I think they'll get it on one of the next few go-arounds.
Re:Question... (Score:3, Informative)
read the paper yourself! [weizmann.ac.il]
Tom
Re:Proposed "Sender do Something" technique. (Score:4, Informative)
1. Clueless admins (of windows or *nix servers) who refuse to use SA or similar? These are the same who leave the mail servers as open relays in the first place.
2. People who use their own SMTP server
Sure, go ahead and say that you can add reverse domain lookups. But registering a domain is quite cheap these days ($4.95 a year) and point the NS to your machine, set up MX records, and you're on your way.
Your solution is useful, but not comprehensive. I doubt there is a comprehensive solution short of making the spammers incapable of accessing the internet.
--
Clueless People? Everywhere I look, I see them. And some of them, they WORK here!
Re:what's your point? (Score:2, Informative)
The point is they did produce a result, it was published in a first tier crypto journal and the results are acknowledged as correct.
I was trying to dispel the hordes of people who would post "oh MSFT stole this idea" blah blah blah.
Tom
Re:Question... (Score:5, Informative)
Calm down, killer. Microsoft's not THAT smart.
It Is Not A Big Secret [weizmann.ac.il]
At worst, I suppose Microsoft could make its own scheme and try to push other people out, but I doubt that there are enough Microsoft MTAs out there to make that sort of system survive. If they implemented it for Microsoft-only, they'd almost have to give the option to revert to a traditional white-list when the sender can't play Microsoft's Holy Encryption Puzzle. After all, if you send someone an e-mail and Outlook Express won't give it to them, just tell them that - Outlook Express won't let you look at it. I sent it, sorry. The problem is clearly on your end, call support for help.
Microsoft HATES support costs and one thing you don't do on Windows is screw with grandma's emails.
Re:Okay.. (Score:3, Informative)
Personally, my whole take on spam is that everything needs to be done on the user end. Laws have loopholes in every situation (foreign spammers being a large one), server restrictions are either too restrictive on small servers, or can be defeated with distributed computing. I say we stick with Bayesian filtering. It works _wonders_ for me, and I'd love to see more people use it.
Whitelists my good friend, whitelists.
Just make it so that some people don't have to calculate hashes for you and there you go.
Re:Why not just.... (Score:2, Informative)
Hashcash (although it has its drawbacks) forces the sending machine to actually do something. That's the difference.
Re:not a solution (Score:3, Informative)
What you're missing is the fact that the 50 e-mails you delete take *your* time, whereas the 50 you send burn only your computer's time. You click send and go on to something else while your computer chugs away in the background.
I don't know about you, but my computer's time is worth next to nothing to me, whereas my time is rather important (to me).
This might be a non-issue for mailing lists. (Score:3, Informative)
You know how mailing lists require you to confirm your membership? Well, this confirmation mail would have you add the mailing list to your whitelist. As a result, future mailings on that list would be let through without having to do the computation.
The mailing list could simply refuse to deliver mail if you ask it to do the computation, or it might give you a one time warning that you have to add it to the whitelist, or similar.
But all it takes is to add the mailing list to your whitelist once, and it won't be a problem anymore.
With that said, spammers could start pretending to be mail from various mailing lists. I am not sure how big a problem this would be, but it would definitely make an impact on spammers if they couldn't just spew out millions of e-mails to random people in a short period of time. They would have to either go through the computations, or figure out which mailing lists you are a member of and use it to spam you, and so on. But this sounds like it would take too much time anyway, so the spammer would hopefully just give up. And if they did start spoofing mailing lists, then I'm sure there would be ways to prevent that as well. Most mailing lists don't accept mail from people who aren't subscribed, right?
The reason spam "works" is that you can just press a button and the rest happens automatically. If the spammer has to start doing manual labor, my guess is he'll be looking for something else to do. (Such as taking a swim off the deep end wearing concrete shoes, I hope...)
old and embraced (Score:3, Informative)
It has known shortcomings, but it is one of the best solutions out there.
Its main problem, however, was not yet known when it was invented: That spammers would control huge zombie networks, as they do today.
With 100k zombies (which is not uncommon), the spammers can still send out 10k mails per second, or those 25 million spams the topic speaks about in under one hour.
Why not... (Score:3, Informative)
And to "strongly discourage" any ISP that would consider flaunting this rule, they get zero compensation for that netblock they paid for and are denied from buying any new netblock for a time (possibly a week).
Because this would necessarily work on the level of ARIN and the root DNS servers, you can't avoid it, because those are known, reputable organizations who will have no choice but to comply.
Can anyone think of a way you *could* avoid this?
Re:Textbook case of over-engineering (Score:4, Informative)
Thread 1:
for x goes from 1 to 100000, send message number X to a server somewhere.
Thread 2:
In a loop, respond to any 10 second sleep requests that came back from servers being talked to by thread 1.
Thus, the overall additional cost to the spammer is NOT 10 seconds per message, but 10 seconds overall for the whole batch of messages. Not a big deal, really. (The server-side sleeping solution only works for the case where the spammer is talking to a small list of e-mail servers. So long as the spammer is sending 10,000 messages to 10,000 different SMTP servers, each one can sleep 10 seconds and it won't delay the spammer much overall, provided the spamming program is smart enough to start in on the next message before waiting for a reply from the first.)
What Microsoft's solution does is make the sender pay a resource cost that is more significant than just sleeping a few seconds (which costs almost nothing), so that a long delay is guaranteed. (It also makes it impossible to lie and fake out the message - because it has to be an answer to the math question asked by the recipient's server, and until you see that question, the sending program doesn't know what fake thing to put into the header.)
The idea is sound, so long as the algorithm is well published (not used by MS as a monopoly-enhancer like they usually do), and it's not possible to devise a question which is deliberately problematic for the program to solve. (If there exists a special case of a question to ask the sender which isn't solvable in reasonable time, then a malicious site could set things up so that when you try to send mail to that site your own mail server gets stuck trying to solve an impossible math problem and can't continue.)
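The challenge/response shape the comment above describes, as an added illustration rather than code from Microsoft or the Crypto '03 paper: the recipient issues a fresh random challenge, the sender must burn real CPU to answer it (a SHA-256 partial-preimage puzzle stands in here for the paper's memory-bound function), verification is one hash, and the sender refuses any challenge above an assumed difficulty cap so a hostile recipient cannot pose the "impossible question" that stalls an MTA.

```python
import hashlib
import secrets

# Parameters chosen for this illustration only (assumptions, not Penny Black's values).
DEFAULT_BITS = 16        # leading zero bits required: ~2^16 hashes of sender work
MAX_ACCEPTED_BITS = 22   # sender refuses harder challenges (guards against the stall attack)


def issue_challenge(recipient, sender, bits=DEFAULT_BITS):
    """Recipient side. The random nonce binds the puzzle to this delivery, so an
    answer cannot be precomputed, reused for another recipient, or faked in a header."""
    nonce = secrets.token_hex(16)
    return f"{recipient}|{sender}|{nonce}|{bits}"


def _difficulty(challenge):
    return int(challenge.rsplit("|", 1)[1])


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_challenge(challenge):
    """Sender side: search counters until SHA-256(challenge:counter) has enough
    leading zero bits. Expected cost grows as 2^bits; there is no shortcut to sleep through."""
    bits = _difficulty(challenge)
    if bits > MAX_ACCEPTED_BITS:
        # The caveat from the comment: a malicious recipient could ask for an
        # unanswerable puzzle, so cap what the sending MTA is willing to attempt.
        raise ValueError(f"challenge asks for {bits} bits, above cap {MAX_ACCEPTED_BITS}")
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify_solution(challenge, counter):
    """Recipient side: one hash, so checking is cheap even though solving was not."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return _leading_zero_bits(digest) >= _difficulty(challenge)
```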
Re:Question... (Score:2, Informative)
But as the grandparent implies, the sender still isn't made to do anything. Rather, the client refuses to accept mail unless it complies with this protocol.
Which begs the question: how is something like this ever going to reach critical mass? Because if you're an early adopter, you're bouncing back e-mails to servers that don't yet comply, so don't perform the validation, so you never get your e-mail. You bear a high cost for other people's non-adoption.
This seems like something you want to adopt once everyone else has, but not before--which means it has a very low chance of getting widely adopted in the first place.