Microsoft, Yahoo Investigate Spam Solution

bllfrnch writes "The NY Times (account required, yada yada) has an article about the suggestion of email postage to stop the advent of spam. Apparently, both Microsoft and Yahoo! support such an initiative, as they are the largest email service providers. Best quote: ''Damn if I will pay postage for my nice list,' said David Farber, a professor at Carnegie Mellon University, who runs a mailing list on technology and policy with 30,000 recipients'."

Do we need this?

[RT Alec]

Story also posted on C-Net [com.com] (no account required, yada yada).

What hapened to Yahoo's (as yet unveiled) scheme-to-end-all-schemes [eweek.com] for authenticating mail? IMHO, I think that SPF:Sender will make great strides towards combatting spam, combined with new laws that make spoofing illegal. And AOL is backing it [wired.com], so I think there is a good chance for success, as they are both one of the largest sources of e-mail as well as one of the most commonly spoofed domains.

Mirrors without registration

[digitalvengeance]

Here is a Washington Times summary that doesn't require registration.

http://washingtontimes.com/upi-breaking/20040202-1 23126-8662r.htm [washingtontimes.com]

And here is a IHT article which appears to feature the same quote as the NYT article. Same article? I won't register...

http://www.iht.com/articles/127677.html [iht.com]

Josh.

After looking at the possible solutions

[Sheetrock]

It's clear that sender-pays is the only technological scheme that is effective and can be guaranteed effective in the long term.

Other proposed solutions involve lengthy computations on a sender's machine, which can be trivially verified on the receiver's machine. These will be overcome with faster machines, and spammers can afford better hardware than the rest of us anyway. Legislation is no solution, as the only sort that respects the First Admendment rights of emailers provides the same rights to unsolicited email.

As the saying goes at our local Mensa chapter: wise thoughts may go into your mind, but pultem calidus invado pantorum. At the end of the day postage is the cheapest option, given the cost of enforcement or technology updates.

Re:Cha ching?

[LBArrettAnderson]

or just click here [google.com] then click the first link.

Re:Reading without account (using google)

[Joey Patterson]

Or just click here [nytimes.com].

Nope, nope, nope

[ackthpt]

ah... but if spammer x sends a boatload of herbal viagra offers under bob's relay and bob gets a bill... then when they do catch spammer x he can be nabbed under wire fraud laws and be open to all sorts of tasty civil action.

That's naive. You know Ralsky and the like use open relays around the world. He's even contracted some in China. You might tighten a net at best, but eventually you come back to the problem of trying to bill non-USA service providers. Lotsa luck. At best you encourage them to clean up their open relays and implement some decent security, lest their IP traffic be blocked at the border. But this should already be happening. Start locking these things out and they'll get around to fixing things pronto.

Re:Postage?

[Zeinfeld]

Doesn't seem too smart but at least it's better than the memory and processor cycles idea

The media accounts are wrong. Microsoft is pushing a processor cycles idea. The NPR interview [npr.org] with Ryan Hamlin the GM of the anti-spam division is a more accurate example of what they have presented.

The accreditation scheme that Microsoft and Yahoo are considering mean you pay for sending spam. You do not pay for sending email. It is like ironport bonded sender, you spam, you forfeit part of your bond. You no spam you no pay.

Ryan was pushing the computational scheme hardest. But the basic scheme is, you stop impersonation spam so you know where the message comes from, then you act on what you know about that person. It authentication and accreditation.

Re:snail mail

[JWhitlock]

As the son of a U.S. Postal Service employee, I'm forced to tell you that it's Direct Mail, not snail spam or junk mail. The big difference is with direct mail, the marketer is paying for every item sent, but with spam, most of the cost is placed on the ISP and the end user. Direct mail is more targeted, often more effective, and helps keep the cost of first-class mail (that's your mail) down. Spam just makes the spammers richer, and annoys the rest of us to tears.

Of course, if it still annoys you, there are a few simple steps [junkbusters.com] you can take to drastically reduce the amount of direct mail you get. The majority of the mail I get is now mail I want to get. I still get AOL CDs, but it's down to twice a year - usually due to a new magazine subscription where I haven't told them my preferences.

No, not simple

[Vainglorious Coward]

Experience has shown that those who say "simply replace SMTP" do not understand the nature of the problem. It's no coincidence that one of the symptoms of being an anti-spam kook [rhyolite.com] is that your solution involves replacing SMTP

Re:I WILL SAY IT AGAIN...

[mabu]

I will say it again too...

That's what is commonly referred to as a "whitelist".

Re:Welcome to the new IM revolution

[Dukael_Mikakis]

... and bingo, new SPAM also. If people migrate to IM, then Spammers can just use dictionaries to hassle people's screen names (I have already experienced people trolling for sex talk online) and soon we'll be dealing with dozens of pop-up (which makes it worse) windows asking if we want Printer Ink. And it doesn't necessarily help having a buddy list, because all IM services will still pop-up a window "Spammer has sent a message, would you like to see it", so even though you can avoid the Spam, you still have to deal with the window.

It helps that you can be offline, but if IM is the chief communication then we won't be able to stay offline, if we want our messages. And those that collect messages while offline (i.e. Yahoo) will just flood you with back Spam.

If Spammers can break email, they'll break IM. It's just that up until now there hasn't been reason to. Don't give them a reason, either.

Re:I think I have a better solution.

[Phroggy]

What you say? Microsoft would get huge bills because of the abusers of it's Hotmail service? That would be a pity, wouldn't it?

Most spam from @hotmail.com addresses doesn't come from Hotmail. A list of what's currently in my inbox:

From: mail.com
Really from: hispeed.ch

From: mail.com
Really from: hispeed.ch

From: osn.de
Really from: adsl.tpnet.pl

From: tiscali.co.uk
Really from: t-dialin.net

From: artnet.com.br
Really from: ny325.east.verizon.net

From: siba.fi
Really from: dsl.pltn13.pacbell.net

From: cellularpia.co.kr
Really from: cypresscom.net

From: wanadoo.fr
Really from: btcentralplus.com

From: hotmail.com
Really from: megared.net.mx

From: xcelco.on.ca
Really from: bb.netvision.net.il

From: onlinehome.de
Really from: interbusiness.it

From: el-nacional.com
Really from: (IP address)

From: tiscali.co.uk
Really from: cable.ntl.com

From: web.de
Really from: (IP address)

From: sasquatch.com
Really from: dyn.optonline.net

From: julian.uwo.ca
Really from: dsl.lsan03.pacbell.net

These are the spams I've gotten since last night that were not blocked by SpamCop (most of my mail is forwarded through SpamCop, but not all, and SpamCop doesn't always catch all spam). This also doesn't count what gets blocked by my DNS RBL filters. Anyway, notice how many of them came from different countries than the e-mail address used. There's really no correlation.

Re:Cha ching?

[Lost Race]

It's already impossible to spoof your IP address in TCP/IPv4. Sure, you can forge a bogus source IP address on the SYN but you'll never get the ACK so you can't complete the connection, and any data you transmit will be ignored. The best you can do with address spoofing in TCP/IPv4 is a SYN flood DoS attack; you certainly can't send any spam with a forged source IP address. (Route it through a proxy/relay/zombie? You can do that in IPv6 too.)

Re:Yes, there has to be *some* cost for stranger-m

[Alien Conspiracy]

It already exists: this is what sudonames.com [sudonames.com] does.

Also check-out the Mailbox Reputation Network [polityresearch.com], which can provide the infrastructure for doing this on a global scale.

Re:Cha ching?

[Ben Hutchings]

You can spoof your IP address in IPv4. It's easier if you're on the same network segment as the spoofed address, though. If the segment isn't switched, it's trivial to get the responses by putting the NIC into promiscuous mode. If the segment is switched then you should be able to steal the target address by using MAC spoofing or ARP spoofing [arp-sk.org]. With ARP spoofing you can also become a man-in-the-middle for extra fun. If you're not on the same network segment the possibilities are admittedly more limited. However, if the machines you're sending your spoofed packets to are running to still don't have a good TCP ISN generator (many don't [cert.org]) it should be possible to predict the ISN and to set up a connection without seeing the replies. You don't have to limit yourself to one guess, of course.