Microsoft Researching Anti-Spam Technique

Tim C writes "Microsoft's Research group are working on a technique to combat spam. Dubbed the 'Penny Black project', it involves making email senders perform a computation taking around 10 seconds, which their recipients can then check for. This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years." We've reported on this before.

Re:Question...

[asquared256]

by automatically rejecting any emails where the computation's results aren't present, like using cryptographic signatures?

Re:Question...

[tomstdenis]

The technique is on page 426 of Advances in Cryptology -- Crypto 2003 [LLNCS2729].

Not exactly a monopoly here as anyone else can implement it.

Tom

Re:10 seconds

[tomstdenis]

Mod parent down [-1,unsightful]

The research this is based on [presented at crypto'03] is designed to level the difference between a P4-3000 and a P2-233. They use problems where cache hits will be lower [e.g. use a 8MB buffer or something] so you end up computing at the speed of your memory bus.

If you had done some research before posting your crap you'd know this.

Tom

How about my old hardware?

[bigberk]

How is my older hardware (or even pretty recent hardware on a huge ISP, with lots of SMTP activity) supposed to be able to handle this? Bah. It seems to me that adding computational difficulty is not such a great way to combat spam. Do you have any idea how effective IP blocklists [openrbl.org] and statistical filters [sourceforge.net] alone are? (Or, you could combine them as this project [pc9.org] is doings).

Re:Involves calculating hashes

[baseinfinity]

It's transparent to that. All this has to do with is if you want to use a service of a server (sending mail). This strategy doesn't have to be global, you could tack it onto any authentication protocol and it would only be the senders job to get the required software. However the reciever authenticates is the buisiness of the server they recieve from.

Re:Question...

[Geoffreyerffoeg]

By refusing connections or refusing to send e-mail unless they do. Kind of like how SMTP servers "make" the senders do a HELO before sending the message. Like:

220 mail.example.com SMTP server ready
HELO client.example.com
250-Hello client.example.com, calculate
250 1+2+3+4
ANSR 10
250 Answer correct, continue
MAIL FROM:<foo@example.com>
...

or

...
250 Hello spammer.example.com, calculate
250 1+2+3+4
MAIL FROM:<user@example.com>
503 You didn't answer my question, go away

although the computation would be a lot harder than just 1+2+3+4. Disclaimer: I have no idea how the system works in practice. This is just a possible way.

Re:Spammers don't use their own computers

[Apreche]

Damn straight. All the spam I get is from stupid people on campus who have insecure computers that spammers gain control over and send spam with.

Let's say you leave your gun safe unlocked and someone comes in and takes your guns and kills somebody. You're going to get sued for big moneys. If you leave your computer "unlocked" and someone sends spam with it you should be held accountable in some way.

Spam is an international problem and is very difficult to stop. But there are known spammers in the united states. Make a law that punishes them with federal prison time. Then enforce that law and lock them up. Spam wont go away, but it will definitely decrease. To solve spam on the international level we will need a new international organization that governs the net. They tried, but I think they'll get it on one of the next few go arounds.

Re:Question...

[tomstdenis]

Don't take my word for it...

read the paper yourself! [weizmann.ac.il]

Tom

Why are people too lazy to read the article?

[Koatdus]

Do any of you actually read the articles before you open your mouths?

The idea was originally formulated to use CPU memory cycles by team member Cynthia Dwork in 1992.

But they soon realised it was better to use memory latency - the time it takes for the computer's processor to get information from its memory chip - than CPU power. That way, it does not matter how old or new a computer is because the system does not rely on processor chip speeds, which can improve at rapid rates. A cryptographic puzzle that is simple enough not to bog down the processor too much, but that requires information to be accessed from memory, levels the difference between older and newer computers.

Re:Proposed "Sender do Something" technique.

[hashinclude]

While this seems useful at first glance (at least open relays would stop working), how does your technique address these issues:

1. Clueless admins (of windows or *nix servers) who refuse to use SA or similar? These are the same who leave the mail servers as open relays in the first place.

2. People who use their own SMTP server

Sure, go ahead and say that you can add reverse domain lookups. But registering a domain is quite cheap these days ($4.95 a year) and point the NS to your machine, set up MX records, and you're on your way.

Your solution is useful, but not comprehnsive. I doubt there is a comprehensive solution short of making the spammers incapable of accessing the internet.

--
Clueless People? Everywhere I look, I see them. And some of them, they WORK here!

Re:Okay..

[Sparr0]

You already opt-in to mailing lists by subscribing to them, which takes anywhere from 10 seconds to 5 minutes depending on the list. Would it be so hard to add them to a client-side white-list, perhaps an additional 10 to 30 seconds, in addition to subscribing?

Re:what's your point?

[tomstdenis]

mod parent offtopic.

The point is they did produce a result, it was published in a first tier crypto journal and the results are acknowledged as correct.

I was trying to dispell the hordes of people who would post "oh MSFT stole this idea" blah blah blah.

Tom

Re:Question...

[the_mad_poster]

Calm down, killer. Microsoft's not THAT smart.

It Is Not A Big Secret [weizmann.ac.il]

At worst, I suppose Microsoft could make it's own scheme and try to push other people out, but I doubt that there are enough Microsoft MTAs out there to make that sort of system survive. If they implemented it for Microsoft-only, they'd almost have to give the option to revert to a traditional white-list when the sender can't play Microsoft's Holy Encryption Puzzle. After all. If you send someone an e-mail and outlook Express won't give it to them, just tell them that - Outlook Express won't let you look at it. I sent it, sorry. The problem is clearly on your end, call support for help.

Microsoft HATES support costs and one thing you don't do on Windows is screw with grandma's emails.

Re:Okay..

[Lord Kholdan]

If this works as stated, then I can see issues.. For instance, large mailing lists. Would they have to be white-listed? 3000 seconds of computation is a heavy tax on a community based program like the Linux Kernel Mailing List, which averages 300 messages to my inbox a day. Also, there's the issue of viral spammers.. Those that send out viruses to do the spamming for them. If you infect enough, 8000 mails per day per computer can still be quite a bit.

Personally, my whole take on spam is that everything needs to be done on the user end. Laws have loopholes in every situation (foreign spammers being a large one,) server restrictions are either too restrictive on small servers, or can be defeated with distributed computing.. I say we stick with Bayesian filtering. It works _wonders_ for me, and I'd love to see more people use it.

Whitelists my good friend, whitelists.

Just make it so that some people dont have to calculate hashes for you and there you go.

Re:Why not just....

[stef0x77]

With no cost to the sending computer, it can spawn tens thousands of concurrent email sessions, which all wait a painless 10 seconds.

Hashcash (although it has it's drawbacks) forces the sending machine to actually do something. That's the difference.

Re:not a solution

[swillden]

What you're missing is the fact that the 50 e-mails you delete take *your* time, whereas the 50 you send burn only your computer's time. You click send and go on to something else while your computer chugs away in the background.

I don't know about you, but my computer's time is worth next to nothing to me, whereas my time is rather important (to me).

Re:Proposed "Sender do Something" technique.

[BladesP9]

Thats all well and good - but this is going to drive up ISP costs. As an independent ISP who has really struggled to survive against the "Pay .02 per month" hosting bait-and-switch deals and try to provide a quality service, I do what I can keep costs down. Having to program my mail servers to send a reply to each and every of the over 1,000,000 emails that my mail server processes in a day would tripple my bandwidth needs which are already rather high... not to mention possibly require additional hardware. That said, I really don't have a solution to offer... but God knows I've looked into what others are doing.

This might be a non-issue for mailing lists.

[hkmwbz]

This doesn't have to be a big problem for mailing lists.

You know how mailing lists require you to confirm your membership? Well, this confirmation mail would have you add the mailing list to your whitelist. As a result, future mailings on that list would be let through without having to do the computation.

The mailing list could simply refuse to deliver mail if you ask it to do the computation, or it might give you a one time warning that you have to add it to the whitelist, or similar.

But all it takes is to add the mailing list to your whitelist once, and it won't be a problem anymore.

With that said, spammers could start pretending to be mail from various mailing lists. I am not sure how big a problem this would be, but it would definitely make an impact on spammers if they couldn't just spew out millions of e-mails to random people in a short period of time. They would have to either go through the computations, or figure out which mailing lists you are a member of and use it to spam you, and so on. But this sounds like it would take too much time anyway, so the spammer would hopefully just give up. And if they did start spoofing mailing lists, then I'm sure there would be ways to prevent that as well. Most mailing lists don't accept mail from people who aren't subscribed, right?

The reason spam "works" is that you can just press a button and the rest happens automatically. If the spammer has to start doing manual labor, my guess is he'll be looking for something else to do. (Such as taking a swim off the deep end wearing concrete shoes, I hope...)

old and embraced

[Tom]

The technology is fairly old, it's known as Hash Cash [hashcash.org].

It has known shortcomings, but it is one of the best solutions out there.

Its main problem, however, was not yet known when it was invented: That spammers would control huge zombie networks, as they do today.
With 100k zombies (which is not uncommon), the spammers can still send out 10k mails per second, or those 25 mio. spams the topic speaks about in under one hour.

Why not...

[The Master Control P]

Simply de-allocate the IP blocks of any ISP that continually harbors spammers, meaning it refuses to terminate them immediately? They can't spam if they can't connect to the internet!

And to "strongly discourage" any ISP that would consider flaunting this rule, they get zero compensation for that netblock they paid for and are denied from buying any new netblock for a time (possibly a week).

Because this would necissarly work on the level of ARIN and the root DNS servers, you can't avoid it, because those are known, reputable organizations who will have no choice to comply.

Can anyone think of a way you *could* avoid this?

Net effect is more important than exact method

[Anonymous Coward]

For the record, my suggestion was at the SMTP level. This would alleviate most of your grievances with C/R.

Doing it at the SMTP level should indeed work towards alleviating some of the problems, but you explicitely stated that mail with a forged sender address would result in the validation request being sent to somebody else's mailbox.

That is the annoyance people will complain about, and it really won't matter to them whether you accomplish it on the SMTP level or what your false hit ratio is.

Also, if the spammer is talking to your MTA via another relay, chances are that relay will turn your SMTP-level C/R rejection message into a regular DSN sent to the forged envelope address.

Re:not a solution

[ArgumentBoy]

Let me offer an analogy to antibiotics. If you only take part of the prescription, you kill, say, 99% of the bacteria, but that last 1% is superbacteria, often antibiotic resistant. That's what this technique will do to spammers. In the short run, some will get more sophisticated, and trick other people's computers into sending out the 25 million spams. Others may be run out of business. But in the long run, this will force smart spammers to cull their lists, in the same way that marketing has become more target-oriented and less broadband during our lifetimes. Spammers will need to collect detailed information on where we surf and how we spend our money, and may do this illegitimately, ala Gator, BonzaiBuddy, or KaZaa. They will reduce their lists to manageable levels, maybe half a million or so per product. But we will still get spam, and we will get it from superspammers - technology resistant ones. We need a more complete solution - the whole prescription, if you will. Half measures might be good PR, but they're just as dangerous as half a prescription.

Re:Textbook case of over-engineering

[DunbarTheInept]

It's about more than just sleeping a while. The problem with a "sleep" solution is that the sender can still queue up messages to send out elsewhere while waiting for the sleep confirmation messages to come back from the first messages sent, like so:

Thread 1:
for x goes from 1 to 100000, send message number X to a server somewhere.

Thread 2:
In a loop, respond to any 10 second sleep requests that came back from servers being talked to by thread 1.

Thus, the overall additional cost to the spammer is NOT 10 seconds per message, but 10 seconds overall for the whole batch of messages. Not a big deal, really. (The server-side sleeping solution only works for the case where the spammer is talking to a small list of e-mail servers. So long as the spammer is sending 10,000 messages to 10,000 different SMTP servers, each one can sleep 10 seconds and it won't delay the spammer much overall, provided the spamming program is smart enough to start in on the next message before waiting for a reply from the first.)

What microsoft's solution does is make the sender pay a resource cost that is more signifigant than just sleeping a few seconds (which costs almost nothing), so that a long delay is guaranteed. (It also makes it impossible to lie and fake out the message - because it has to be an answer to the math question asked by the recipient's server, and until you see that question, the sending program doesn't know what fake thing to put into the header.)

The idea is sound, so long as the algorithm is well published (not used by MS as a monopoly-enhancer like they usually do), and it's not possible to devise a question which is deliberately problematic for the program to solve. (If there exists a special case of a question to ask the sender which isn't solvable in reasonable time, then a malicious site could set things up so that when you try to send mail to that site your own mail server gets stuck trying to solve an impossible math problem and can't continue.)

Re:Question...

[violet16]

But as the grandparent implies, the sender still isn't made to do anything. Rather, the client refuses to accept mail unless it complies with this protocol.

Which begs the question: how is something like this ever going to reach critical mass? Because if you're an early adopter, you're bouncing back e-mails to servers that don't yet comply, so don't perform the validation, so you never get your e-mail. You bear a high cost for other people's non-adoption.

This seems like something you want to adopt once everyone else has, but not before--which means it has a very low chance of getting widely adopted in the first place.