
FairUCE - the Smart Email Proxy 333

Posted by michael
from the can't-hurt dept.
Jestrzcap writes "This just posted on Freshmeat: FairUCE (which stands for 'Fair use of Unsolicited Commercial Email') is an SMTP proxy, running between multiple instances of Postfix, that verifies email by attempting to verify the sender through lookups (a user customized challenge/response). It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Sunday December 05, 2004 @03:08AM (#11000249)
    No way will the spammers ever find a way around this. It's solid!
  • Oh crap.... (Score:5, Interesting)

    by Justice8096 (673052) on Sunday December 05, 2004 @03:11AM (#11000255)
    I've already had problems getting email from my government coworkers with spam validators like this. The military really doesn't like broadcasting who their email servers are... So they regularly get sent to Junk Mail.
    • your email client is smart enough not to filter people in your contact list.....right ?
      • Re:Oh crap.... (Score:2, Insightful)

        by Anonymous Coward
        Filtering doesn't belong in the client. That's always been an ugly hack.
      • The problem with this concept is that you have to know who your contact list is before you start contacting people. And if you both have this policy, then there is no way you can use email as a means of initial communication. It becomes second fiddle to something else.

        Not very practical because if you ask someone to send you an email you have to first get their address and that might also require that you get their sending server DNS and IP information as well. And just how many people will bother with

        • Hi Tom!

          Never mind the fact that if one wanted to, one could turn a challenge-response set up into a harassment tool. Send an email with a forged envelope header to one of these challenge-response systems and the reply goes to someone not involved -- in other words, someone gets spammed with an unwanted challenge-response message. Multiply that by dozens of attempts and the challenge-response part of the mechanism becomes just as bad as the initial spammer.

          Nope, I'll stick to my multiple filters: priva
    • by Antique Geekmeister (740220) on Sunday December 05, 2004 @07:43AM (#11000726)
      "If we could just rewrite everybody's mailers with my new widget in illegible Perl or badly written C that breaks several RFCs I've never bothered to read, we will surely stop spam!" I've heard this sort of thing before, every few months for the past 10 years.

      There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them. Coupled with "sender pays" systems, they're almost always subverted within short periods and never can or will gain the acceptance of the user community enough to become effective.
      • by mjh (57755) <mark AT hornclan DOT com> on Sunday December 05, 2004 @08:53AM (#11000839) Homepage Journal
        There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them.

        I've been using Challenge/Response for nearly 3 years. And I disagree with your critiques. Let's take this point by point:

        • Users hate them: There is a kernel of truth to this. Some users do hate them. Those users hate challenge/response so much that they instigate fights. They submit their IP addresses to RBLs for blacklisting. These are a very annoying, and vocal MINORITY. By far most users are agnostic. They deal with the challenge once and then they're done.
        • automated systems can't get past them: Again, there's a kernel of truth here. If you have badly configured your C/R you're going to be in trouble. But a properly configured C/R has absolutely no problems.

          I use TMDA [tmda.net]. I've got it configured so that any email I send to unknown addresses will be allowed to respond for 7 days. After that, they go into C/R. For my bill pay services, I give them a special address that allows them in forever, but that's tied to them so that I'll know if they ever hand it out to someone else.

        • they're almost always subverted: Really? In the last month I've had over 4000 pieces of email delivered to me from unknown addresses. Only 10 of those have been confirmed. Of the ones that were confirmed 2 of them were spam. This was easily remedied by removing those 2 addresses from my whitelist and adding them to my blacklist.
        • never will gain the acceptance of the user community enough to become effective: While C/R may never gain the acceptance of the user community, I don't think it's for the reasons that you cited. I think the reason is that it's too hard to set up correctly. But that being said, it doesn't need the acceptance of the user community to be effective. It works for me today whether or not you use it.

          Personally, I think it'd be better if the entire world started using C/R. It'd be better because then everyone would understand that sending email to an unknown party involves a formal introduction process. This would cut down on the number of people who get confused when they receive a challenge. But if this doesn't happen it's not that big a deal. The number of confused people is already small.

        IMHO, what you don't know about C/R is quite large.
        • In other words, you sent out 3992 pieces of spam to forged or invalid addresses, pissing off 2 people who knew what was going on bad enough that they confirmed your C/R.
        • Problem though (Score:4, Insightful)

          by Nijika (525558) on Sunday December 05, 2004 @11:01AM (#11001187) Homepage Journal
          Well, if everyone's using C/R, how do users who challenge get through to users who need to respond if those users won't get the challenge until their challenge is met?

          Also, wouldn't this just create a rash of false challenges that lead to spamming type material or websites?

        • Mail shouldn't be hard. It shouldn't be up to the user to figure out how to "configure TMDA correctly", and it shouldn't be up to the general public to understand how to deal with any number of different automated challenge and response systems out there should they get such a challenge.

          I'm extremely savvy when it comes to IT, computers, Internet, etc. It's what I do all day at work. I wouldn't use the system you describe...what a pain in the ass. How can you expect someone's grandmother to use such a syst
          • "My solution was simply to pay for an account at an ISP where they aggressively filter spam."

            Yeah, but sometimes aggressive spam filters accidentally filter legit mail. You may still be missing out on freelance opportunities thanks to your aggressive spam filter.
          • Here's another scenario: using aggressive spam filters, your "opportunity" gets miscategorized as spam, and I never even know that you sent it to me. You conclude that I don't care for the opportunity, and that's the end of the story.

            At least with C/R, you KNOW that my spam filter has prevented me from receiving your email. With all other spam filters, it filters silently so that NO ONE knows that it's been filtered. If it doesn't filter silently, one of us has to be notified.

            If I'm notified of all emai
        • by Malc (1751) on Sunday December 05, 2004 @01:02PM (#11001680)
          If I buy airline tickets online and they don't tell me the source email address, how am I supposed to get the itineray (sp?), etc that gets sent out automatically. On a couple of occasions the domain has differed from that of the website I purchased from. On another occasion I sponsored a friend to walk 60km to raise money for charity - the PDF receipt I need for tax purpose was sent from a different domain... it goes on. In that latter case I would have had to whitelist the email address I provided. It's all extra work which is inconvenient to a technical user like me, and far beyond what I could expect my parents to use. I *hate* C/R systems - if somebody (even a friend) uses them I won't bother unlocking with a response, and I won't use email to contact them again. It's their loss, not mine.
    • Couldn't you just add certain addresses/domains to a whitelist, then? That way, even if they would be flagged as spam, they'd be ignored and you'd receive them in your inbox as regular email.
    • Avoiding mail from the military sounds definitely like a Good Thing!
  • forward and reverse (Score:5, Interesting)

    by gonaddespammed.com (550312) on Sunday December 05, 2004 @03:17AM (#11000266)
    If MTA's on the Internet required the forward and reverse DNS lookups to match, ~70% of spam (and viruses) would disappear. This requires ISP's to correctly configure their DNS, which unfortunately doesn't happen because people are lazy.
    • It would if such a system became standard.
    • Most ISPs have reverse dns set up already for all their IPs, eg in my case mapping 10.123.123.123 to static10-123-123-123.reverse.myisp.ca, and the A record for that host is the IP 10.123.123.123. Could the virus/spam server/etc not tell the remote mail server it is "static10-123-123-123.reverse.myisp.ca" then?

      The remote mail server would find that the host points to 10.123.123.123, which reverses back to... the given hostname!

      ND
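
The forward/reverse match discussed in this sub-thread, as an added example that is not part of any poster's comment. It shows which senders a forward-confirmed reverse DNS check rejects and which it lets through; the record tables, the `classify` labels and the "IP embedded in the hostname" heuristic are assumptions for illustration, and only the 10.123.123.123 pair comes from the thread.

```python
import ipaddress
import re

# Constructed records standing in for live DNS so the example runs offline.
PTR_RECORDS = {
    "10.123.123.123": ["static10-123-123-123.reverse.myisp.ca"],  # pair from the thread
    "192.0.2.25": ["mail.example.org"],
    "192.0.2.77": ["mail.example.org"],  # PTR names a host whose A record is elsewhere
}
A_RECORDS = {
    "static10-123-123-123.reverse.myisp.ca": ["10.123.123.123"],
    "mail.example.org": ["192.0.2.25"],
}


def _norm(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.lower().rstrip(".")


def lookup_ptr(ip):
    return PTR_RECORDS.get(ip, [])


def lookup_a(name):
    return A_RECORDS.get(_norm(name), [])


def confirmed_names(ip, ptr=lookup_ptr, a=lookup_a):
    """Return the PTR names of ip whose forward lookup contains ip again."""
    addr = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(ip):
        forward = {ipaddress.ip_address(x) for x in a(name)}
        if addr in forward:
            confirmed.append(_norm(name))
    return confirmed


def looks_generic(name, ip):
    """Heuristic (assumption): first label spells out the IPv4 octets."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    octets = str(addr).split(".")
    digits = re.findall(r"\d+", name.split(".")[0])
    return digits in (octets, octets[::-1])


def classify(ip, helo, ptr=lookup_ptr, a=lookup_a):
    """Label a connecting client by what the forward/reverse check can tell."""
    if not ptr(ip):
        return "no-ptr"                  # e.g. small DSL block without delegated rDNS
    names = confirmed_names(ip, ptr, a)
    if not names:
        return "unconfirmed"             # PTR exists but does not map back to the IP
    if _norm(helo) not in names:
        return "confirmed-helo-differs"  # shared machines sending for other domains
    if looks_generic(_norm(helo), ip):
        return "confirmed-generic"       # ISP pool name: passes, yet says nothing
    return "confirmed"


if __name__ == "__main__":
    samples = [
        ("10.123.123.123", "static10-123-123-123.reverse.myisp.ca"),
        ("192.0.2.25", "mail.example.org"),
        ("192.0.2.77", "mail.example.org"),
        ("198.51.100.9", "mail.smallbiz.example"),
        ("192.0.2.25", "reminders.example.net"),
    ]
    for ip, helo in samples:
        print(f"{ip:15} {helo:40} {classify(ip, helo)}")
```

To run it against live DNS, pass resolver functions of your own as `ptr` and `a`; the classification logic does not change.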
      • Mine does this too, but reverse DNS doesn't always return back properly, don't ask me why, it just doesn't (maybe it's only configured properly for some IPs).
        • I have a generally very high success rate for reverse DNS lookups ... at least where reverse DNS is actually set up. But there is an occasional ISP that has such poor service that DNS lookups often fail. And I've even seen ISPs that, for some reason, only have random selections of their IP space set up with reverse DNS (out of a block of 32 there might be 25 with reverse DNS and repeated queries show consistency). One fundamental problem is ISPs hiring the bottom of the barrel in tech talent, especially

          • That's what happens when cable companies think that the people who are installing their coax have the training and expertise as needed to operate Cisco switches and the like.
    • by deranged unix nut (20524) on Sunday December 05, 2004 @04:05AM (#11000374) Homepage
      Most ISPs won't delegate reverse DNS lookups to their small (8 IP block) DSL customers. I would happily do reverse DNS if my ISP let me. Unfortunately, most people think that reverse DNS is either dead or not-needed so they normally don't even think about using it.

      I'd rather see the MTAs all do PKI to authenticate each other, only issue certs to those that sign non-UCE agreements, and revoke certs when servers start breaking the non-UCE agreements. If a cert issuer starts issuing a large number of certs to MTAs that start sending UCE, revoke the cert of the issuer.
      • <Shameless plug>

        You mean, something like this [highbrew.com]?

        </Shameless plug>
      • I have reverse DNS completely configured on my linux server, but when someone does a reverse lookup to my IP, nothing happens.

        I'm using ADSL and its configured on a linux machine.

        Don't know why... perhaps the ISP has it set up that way -sigh-
        • > but when someones does a reverse lookup to my IP, nothing happens.

          Look at your allocation through ARIN. Your IP needs to be assigned to you, or remote DNS servers won't know where to look for your IP number!

          204.8.140.181 -> Netrange 204.8.136.0 - 204.8.143.255 is assigned to Southwest Nineteen Networks and IN PTR resolution goes through

          NameServer: NS1.EXO.COM
          NameServer: NS2.EXO.COM

          ..so either you need to get your IP number/range allocated to you (fat chance), or you need to get exo.com to updat
      • Unfortunately, most people think that reverse DNS is either dead or not-needed so they normally don't even think about using it.

        So most people do not want to send e-mails to AOL customers?

        From their Standards for E-Mail Delivery [aol.com]:

        AOL's mail servers will reject connections from any IP address that does not have reverse DNS (a PTR record).
    • by Anonymous Coward
      required the forward and reverse DNS lookups to match

      They can't in many cases - I work at a company that has several websites that send reminder emails for different free services. There are 8 different domain names that share 5 machines.

      Each machine in the load balanced group of 5 can send out emails for any of the services.

      If you have a bunch of services, cnamed to IP's the reverse lookup cannot guess which of the cnames you want to have returned to make you feel good about the fact that these are the
    • Nope. Not in your wildest dreams. The growth of the use of zombied machines, and the continuing existence of "pink contracts" with ISP's that allow spam from their domains, and the continuing existence of new ISP's that allow spammers to easily buy throwaway accounts that result in effectively pink contracts will easily grow to fill the temporary void of using forward/reverse DNS blocking. Mandating forward/reverse DNS does nothing to block the existing and easily expanding spam from valid hostnames.
    • Today you are right. But if everyone forced HELO and Sender domains to be DNS listed it would only be a matter of time before someone started to fix all the spam tools to work accordingly. Right now they just don't do it because they don't need to.

      The RFC says that you can have either no domain assigned at all for an IP address, or you have to have a Fully Qualified Domain Name for the IP address. A lot of people go for option one because they don't want their sending mail server to be listed on the DNS

      • Spammers will respond to a auto-confirmation with their own automated reply engine. After that, they pummel the crap out of your server with free & clear spam that's never checked again.

        In my personal experience (one of my addresses receives several hundred spams a month), this hardly even happens. All the spammers who spam me (and whose email never reaches my inbox because I use Bluebottle.com's free challenge/response service) are cowards who are too afraid to use real From addresses. This has been

  • by Matt Perry (793115) <perry.matt54@yahoo.DALIcom minus painter> on Sunday December 05, 2004 @03:19AM (#11000273)
    FairUCE looks interesting but I'd be curious if it'd do a better job than milter-sender [milter.info]. About a year ago, before I installed milter-sender, I was receiving about 200-300 spams per day. Since installing milter-sender in March 2004 and adding the spamhaus SBL-XBL checks to sendmail, I've received (checking spam mbox) 1568 spam messages.
    • Why is it that mobile phone numbers seem less expendable to me than e-mail addresses. My past habits have been: If I get enough spam that it BOTHERS me, then change my e-mail. This is really easy since I have a web host that allows plenty of pop3 e-mail addresses (esp. if it has "vacation auto-responses" built in). I think only one person in my history has complained about my almost-yearly e-mail addy changes. I think if I were getting over a grand of spam, I'd just kill that e-mail addy and get a new o
      • Cool, I'll change my email. Good idea, let me notify people everyone, I'm sure I'll miss someone but who cares? Changing Email isn't a solution, spam filtering shouldn't have to be a solution (but I do it anyways) How this, I didn't ask for the email, and you shouldn't be sending it to me and 16000000 other people who didn't ask for it either.
      • I've been using the same email address since 1996 and I'd like to keep using it. Not every one wants to change their primary email address to avoid spam.
    • I've been thinking about adding RBL filtering to my personal mail server for some time now. What do you think of Spamhaus' SBL-XBL? Do you use any other lists?
  • Pyrrhic Victory? (Score:4, Interesting)

    by Jaysyn (203771) <jaysyn+slashdot&gmail,com> on Sunday December 05, 2004 @03:26AM (#11000286) Homepage Journal
    Doesn't this just create more traffic?

    Jaysyn
    • In these days of huge video downloads and P2P music sharing, email is _not_ that big a deal, traffic wise.

      Receiving 250 spams a day, on the other hand, is.
  • by RevJim (564784) on Sunday December 05, 2004 @03:27AM (#11000290) Homepage
    "End-users cannot install FairUCE at this time; end-users, please direct your mail administrator to this page."

    Even though this is an interesting new tool, most e-mail users are tied to whatever backend their ISP supplies, which is a shame... Someone should whip up an end-user desktop version.

    Can't wait to get my hands on a copy of the server version though...

  • by SnowZero (92219) on Sunday December 05, 2004 @03:27AM (#11000291)
    One problem with challenge response is that Spammers not only send me spam, but send spam purportedly sent by me. I regularly get error messages about mail that could not be delivered. Now I'll get loads of challenge messages instead.

    Of course if my MTA signed my messages with a random key, and the challenge message sent the key back, my MTA could filter out anything I didn't actually send. Unfortunately that requires coordination which the various email/spam task groups do not seem to be capable of.
    • by fyngyrz (762201) on Sunday December 05, 2004 @04:22AM (#11000408) Homepage Journal

      One problem with challenge response is that Spammers not only send me spam, but send spam purportedly sent by me.

      This is very common - and not just with a real user's address. I have seen thousands of "bounce" messages come to the various domains I own as spammers use the domain prefixed by various random bogus names at whateverdomainitis.com.

      Luckily (for us, anyway) we've now got the proper software written and configured to keep this crap from ever hitting a mailbox we own; however, a more serious problem here is the "do-gooder" problem.

      It goes like this. Joe Spammer decides to use several_thousand_names@mydomainname.com as his assumed identity. A do-gooder site gets reports that mydomainname.com is "sending" this spam to, oh, say a zillion people. They promptly "blacklist" my domain -- from whence, I hasten to point out, no spam has ever been, or will ever be, sent. However, my domain is a valid domain that I depend upon to make my living. Various ISP's, through a compounding of stupidity (but still with the intent to "do good"), promptly bounce our valid emails, because the do-gooders site says we are spammers.

      The end result is that because some spammer out on the net has used our domain name, we, not the spammer, are penalized and in a real financial sense.

      In the meantime, the spammer, who like any competent spammer watches the do-gooder's sites very carefully, notices that my domain is banned, and promptly switches to a new domain. Meanwhile, I can't send mail to my customers. Meanwhile, I get thousands of "bounce" messages that have to be handled by some layer of software or, Darwin forbid, by one of the legitimate users at my site. Random netizens out there have been temporarily "protected" from (typically) one spam email per email address they have, while our customers are cut off at the knees, as are we.

      So what the do-gooder has accomplished is to cause the spammer to take another domain (probably from an automated list, no sweat off the spammer's brow whatsoever) and the do-gooder has hurt a legitimate net citizen who never spams.

      Everybody's trying to do good here except the spammer. The do-gooder and the ISPs using the do-gooder list hurt our end users by blocking mail they should be getting; they hurt us by screwing up our communications channel to our customer base; but -- they don't hurt the spammer one flipping bit, and they do no permanent good for the average netizen who gets one of these spams. The spammer just restarts his list at the break point and begins with a new domain; the end user, after a short delay, gets a new spam with a new domain name, and the temporary respite for them is over -- and the net result of the do-gooder's blacklist is no good whatsoever has been done. Some users will get two spams if the spammer restarts the list back a little to make sure he doesn't miss anyone. Great, eh?

      Obviously, do gooder blacklisting doesn't work, and cannot work. Mostly, it causes harm to legitimate parties.

      IMHO, if Internet mail is going to be unregulated, then it needs to be just that -- unregulated. If spammers are going to be fined and/or jailed, then the govt(s) need/s to get the heck after it (and probably needs to close the international email borders to any non-co-operative country so that such a thing is possible.) The latter seems far too severe; the former is being degraded by do-gooders and the people they confuse into accepting their services in an area they should have absolutely no authority in to a degree that should be unacceptable to any thinking person.

      The only good solution to spam I know of is to use whitelists and web submission entry gateways. If someone is on your whitelist, you get email from them. If someone is not on your whitelist, they get an auto-reply email telling them to mail you via a form on a website. The form, which has to be hand-filled out, mails you at a whitelisted address that is not publ

      • by farnz (625056) <slashdot@far[ ]org.uk ['nz.' in gap]> on Sunday December 05, 2004 @05:23AM (#11000516) Homepage Journal
        I'd be interested to know which blacklists are by domain, not by sending IP address; I find that SpamAssassin's use of SPEWS and Spamhaus blacklists is enough to catch virtually all the spam I get, and both of those blacklists are done via sender IP, not by domain name.

        So, I'd disagree with your conclusion that blacklisting doesn't work; if a spammer can use one of your IP addresses to spam, then you need to fix up your system to be more secure. A quick browse of mail logs will show any unexpected outgoing e-mail, and you can always feed your mailserver IP to spews.org and see if they list you (they're one of the most aggressive listing places).

        If it's not coming from one of your IP addresses, then it doesn't affect mail sent from your domain, only from the spammer's IP addresses. Hence there is no fallout on you unless I use an aggressive list like SPEWS, and you are being blocked because your ISP hosts spammers himself.

    • Of course if my MTA signed my messages with a random key, and the challenge message sent the key back, my MTA could filter out anything I didn't actually send. Unfortunately that requires coordination which the various email/spam task groups do not seem to be capable of.

      At least one C/R system [tmda.net] does this. It does this by being able to determine legitimate email that you sent from illegitimate email. The way it does this is it tags the From address of email that you send with a cryptographic key. All re
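
The signed-sender idea raised in the two comments above, as an added example that is not part of either post and is not TMDA's code or address format. It tags the envelope sender with a keyed, expiring HMAC so that bounces and challenges for mail the MTA never sent can be discarded; the `local+day.tag@domain` layout, the key and the day numbers are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a deployment would load a random secret from protected storage.
SECRET = b"constructed-demo-key"


def _tag(local, domain, expires):
    """Short keyed tag binding the address to its expiry day."""
    msg = f"{local}@{domain.lower()}|{expires}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    # 5 bytes encode to exactly 8 base32 characters, so there is no padding.
    return base64.b32encode(digest[:5]).decode().lower()


def sign_sender(address, today, lifetime_days=7):
    """Rewrite the envelope sender of outgoing mail.

    `today` is a day number (days since an arbitrary epoch); the tagged
    address stays valid for `lifetime_days` after it.
    """
    local, domain = address.rsplit("@", 1)
    expires = today + lifetime_days
    return f"{local}+{expires}.{_tag(local, domain, expires)}@{domain}"


def check_return(address, today):
    """Classify the recipient address of an incoming bounce or challenge.

    Returns 'valid', 'expired', 'forged' or 'untagged'.
    """
    try:
        localpart, domain = address.rsplit("@", 1)
        local, ext = localpart.rsplit("+", 1)
        day_text, tag = ext.split(".", 1)
        expires = int(day_text)
    except ValueError:
        return "untagged"
    expected = _tag(local, domain, expires)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag.lower().encode(), expected.encode()):
        return "forged"
    if today > expires:
        return "expired"
    return "valid"


def filter_returns(recipients, today):
    """Keep only bounces/challenges addressed to a sender we actually issued."""
    return [r for r in recipients if check_return(r, today) == "valid"]


if __name__ == "__main__":
    today = 12757  # constructed day number
    mine = sign_sender("alice@example.com", today)
    incoming = [
        mine,                                # reply to mail we really sent
        "alice@example.com",                 # spammer forged the plain address
        "alice+12999.aaaaaaaa@example.com",  # spammer guessed at the format
    ]
    for rcpt in incoming:
        print(f"{rcpt:45} {check_return(rcpt, today)}")
```

Ordinary mail to the untagged address is unaffected; only messages arriving at the bounce path (null envelope sender, challenge notices) need to pass `check_return`.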

  • So... (Score:3, Interesting)

    by netsharc (195805) on Sunday December 05, 2004 @03:32AM (#11000303)
    Guess I'm asking at the wrong place, but does this mean if I send email using my uni's SMTP server with my Yahoo! E-mail address in the "from" field, I will receive a challenge? A challenge being an email to the sender's address so they know the address is active, I'm guessing..

    And I read of a whitelist/blacklist. Does this mean the user having to manage this list? It looks like it's being done so that the user can reactively work about it though (instead of actively), maybe an email that says "You got email from xyz, Do you want this email?" Heh an email about an email, that'd be annoying.

    I tried sending email using Yahoo!'s web interface with 3 addresses in the "To" field today, and when I clicked "Send" it asked me to answer a Captcha [captcha.net], interesting..
  • Naive at best (Score:4, Interesting)

    by erice (13380) on Sunday December 05, 2004 @03:35AM (#11000310) Homepage
    1) Mobile user sets up notebook at new location and sends mail via the local mail relay.
    2) FairUCE on recipient end bounces the mail because it can't find a relationship between the sender and the mail relay.

    If the ISP blocks outbound port 25 access, you get a real catch 22. Can't use remote relay because of the port block. Can't use local relay because FairUCE will see that there is no relationship to the sender and block the mail.

    This is an old idea. It can be implemented with procmail and a little perl. Few people do this, not for lack of tools, but simply because it is a bad idea.
    • This is why ISPs shouldn't block outbound port 25, and e-mail providers should provide SMTP servers with SMTP-auth. This won't eliminate spam, but it will eliminate the problem that many mobile users have. I can only use my school's SMTP server if I'm on campus (and on the wired network, no less), and I cannot use any other SMTP server other than my ISP's server. This means I am constantly changing the server settings depending on my location, or, firing up IE to use the web-based mail which is so buggy, I
      • Re:Naive at best (Score:2, Informative)

        by farnz (625056)
        Or get e-mail providers to support MSA, which is SMTP for mail being introduced to the network, and is supposed to run on port 587.
      • Re:Naive at best (Score:5, Informative)

        by Antique Geekmeister (740220) on Sunday December 05, 2004 @08:09AM (#11000764)
        I'm sorry, you're wrong on a detail.

        There is no reason to have port 25 open outbound on anything but the ISP's authorized SMTP servers. None whatsoever in this day and age, except the convenience of people who like to run their own mail servers. Unfortunately, with the massive number of zombied and badly run home SMTP servers, most outbound SMTP from ISP users that does not go directly to their ISP's SMTP server for delivery as mail from that ISP is in fact spam or email worms.

        So yes, it needs to be blocked outbound. You simply need to use SMTPAUTH on the road to get your email to your own ISP's SMTP server over port 587. Problem solved.
  • What it does.... (Score:3, Interesting)

    by julesh (229690) on Sunday December 05, 2004 @03:40AM (#11000321)
    It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'.

    Oh, yeah, and completely stop mailing lists from being usable. That, too.
  • I've had this working with Exim for a long time now. It's actually just a tickbox in cPanel. I actually think it's on by default for any host using cPanel, which are quite a few.
  • by nsayer (86181) <nsayer@kfu.COUGARcom minus cat> on Sunday December 05, 2004 @03:47AM (#11000339) Homepage
    Your post advocates a

    (X) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (X) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (X) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (X) Requires immediate total cooperation from everybody at once
    (X) Many email users cannot afford to lose business or alienate potential employers
    (X) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (X) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    (X) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    (X) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    (X) Dishonesty on the part of spammers themselves
    (X) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    (X) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (X) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
    • by physicsphairy (720718) on Sunday December 05, 2004 @03:52AM (#11000349) Homepage
      Modularize this, extend its applicability, and we can replace 90% of slashdotters with a small shell script!
    • Sorry to bother you while you're making a joke, but you are supposed to X the appropriate bubbles, not random ones.
    • by johannesg (664142)
      I strongly suspect this list was first devised by spammers to convince people that spam cannot be fought. In fact that is wrong, all it takes is the realisation that instead of a single perfect solution we will need a series of incremental solutions. As solutions multiply the amount of spam will drop, but this will take time. I'm fine with that, as long as we are making progress. Right now thanks to your attitude we are not making much progress.

      A law against spam will not actually stop it, but it does all

  • Challenge/Block (Score:4, Insightful)

    by droleary (47999) on Sunday December 05, 2004 @03:51AM (#11000348) Homepage

    FYI, any time (which is every time) I get a challenge for an email I didn't send, I immediately block the server because that kind of "solution" is nothing short of dropping their spam problem in my lap. Fair warning to anyone who thinks FairUCE is in any way a "Smart" answer to spam.

    The only effective spam solution I've currently found is to have expiring email addresses. One easy way to set that up is to use subdomains that don't even resolve after a certain point. So you might have me@2004.example.com good for only three more weeks, or me@amazon.example.com good for as long as Amazon (or your "healthy" girlfriend) doesn't sell you out. You can get tricky, of course, and use subdomains that are not so easily subject to a dictionary attack or guessing.

    • Did anyone see this phrase?
      FairUCE only sends a challenge when the mail appears to be spoofed.

      So, um, right when we *don't* want you to be adding to the spam problem, it goes and makes it worse for everyone else?

      As for the description of what it does, well, we already have RBLs (which I generally hate, but they do sort-of fulfil the description "looking up who it claims to be from"), we have reverse/forward DNS lookup ability - in exim and postfix and sendmail already.
    • Re:Challenge/Block (Score:3, Interesting)

      by anti-NAT (709310)

      One easy way to set that up is to use subdomains that don't even resolve after a certain point. So you might have me@2004.example.com good for only three more weeks, or me@amazon.example.com good for as long as Amazon (or your "healthy" girlfriend) doesn't sell you out. You can get tricky, of course, and use subdomains that are not so easily subject to a dictionary attack or guessing.

      This is exactly the same solution as I use, and I've found it very effective. I've written some stuff about it here - Mit [whirlpool.net.au]
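
An added illustration of the expiring-address scheme described in the two comments above (not code from either poster or from FairUCE): instead of relying on DNS records that stop resolving, it puts the expiry date and an HMAC tag into the subdomain label, so a delivery-time check can reject expired, revoked or guessed addresses. The domain, secret, label layout and function names are assumptions made for this example.

```python
import hashlib
import hmac
from datetime import date, datetime

# Constructed values for illustration; use your own domain and a random secret.
BASE_DOMAIN = "example.com"
SECRET = b"constructed-demo-secret"
TAG_LEN = 8  # hex characters of the HMAC kept in the label (32 bits)


def _tag(user: str, purpose: str, expires: str) -> str:
    """Keyed tag binding the mailbox, the correspondent and the expiry date."""
    msg = f"{user}|{purpose}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def make_address(user: str, purpose: str, expires: date) -> str:
    """Return user@<purpose>-<yyyymmdd>-<tag>.<BASE_DOMAIN>."""
    user, purpose = user.lower(), purpose.lower()
    if not purpose.isalnum():
        raise ValueError("purpose must be alphanumeric ('-' separates fields)")
    exp = expires.strftime("%Y%m%d")
    return f"{user}@{purpose}-{exp}-{_tag(user, purpose, exp)}.{BASE_DOMAIN}"


def check_recipient(address: str, today: date, revoked=frozenset()) -> str:
    """Classify a recipient address: accept, expired, revoked or invalid."""
    user, _, domain = address.lower().partition("@")
    suffix = "." + BASE_DOMAIN
    if not user or not domain.endswith(suffix):
        return "invalid"
    parts = domain[: -len(suffix)].split("-")
    if len(parts) != 3:
        return "invalid"  # e.g. a guessable label such as "2004" or "amazon"
    purpose, exp, tag = parts
    expected = _tag(user, purpose, exp)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "invalid"  # guessed label, or expiry date altered by the sender
    if purpose in revoked:
        return "revoked"  # this correspondent leaked or sold the address
    try:
        expiry = datetime.strptime(exp, "%Y%m%d").date()
    except ValueError:
        return "invalid"
    return "accept" if today <= expiry else "expired"
```

Rejecting on anything other than `accept` during the SMTP session, rather than accepting and bouncing later, avoids sending mail back to a forged sender.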

  • I've played around with some custom made scripts that do (what sounds like) the same kinds of checks that these fellows do. While it's true that this method is good for flagging suspicious emails, the result is not definitive and shouldn't be used to block mail. It suffers from the same fundamental problem as SPF itself; email is meant as a store and forward system. You can email mail with any return address through any intermediate host (e.g. using .forward or whatever). My guess is that this software doe
  • by mabu (178417) on Sunday December 05, 2004 @04:08AM (#11000382)
    Have we not established a few basic tenets of the spamademic?

    1. Spammers make money by using a disproportionate amount of bandwidth than what they pay for. Stopping spam from entering people's inboxes is less than half the problem. 70% or more of all SMTP traffic is UCE and everyone pays for that in higher costs and slower performance regardless of whether they have spam filters in place.

    2. The majority of the anti-spam solutions (with the exception of RBLs) including the one related to this article, require extra time, bandwidth and resources on the part of innocent networks to deal with the spam problem. This is a step backwards.

    If you want to stop spammers you have to stop them from stealing bandwidth. To date, the ONLY effective solution thus far has been relay blacklisting. This has several added benefits including: stopping propagating of worms/viruses, and forcing ISPs to police the illegal activities of their users and shut down nodes which are spamming through their network.

    As an ISP, I have no interest in yet another costly anti-spam solution that I have to install that doesn't address the larger issue of the tons of bandwidth spammers waste on my network and every one in between. This system wastes even more resources by attempting to verify the source of every e-mail in an even more detailed manner than before, so the end result is: more computing resources needed, more bandwidth needed and slower mail service.

    No thanks.

    I'll patiently wait until the *inevitable* SMTP whitelist scheme that is the only true solution to stopping spam (unless the authorities decide to actually start prosecuting spammers for their crimes).
    • To date, the ONLY effective solution thus far has been relay blacklisting.
      I'll agree with this, as a small ISP. Blocklists are very easy to use, bandwidth-efficient and highly effective. They are the best solution we have, and do put pressure on bad ISPs to clean up their act. With over 150 public blocklists out there, spammers get nervous. Their attacks against SPEWS, Spamhaus, and Spamcop demonstrate how desperate spammers are getting.
    • It gets better! (Score:3, Informative)

      by johannesg (664142)
      Here in the Netherlands the government wants providers to keep a log of all mail (http, ftp, whatever) traffic that goes over their lines. The providers are complaining, but in the end they will simply raise prices to compensate. Effectively I will be paying to be spied upon. And in the case of email, I will be paying to receive spam and then store it for five or ten years.
      • Here in the Netherlands the government wants providers to keep a log of all mail (http, ftp, whatever) traffic that goes over their lines.

        No. Not a log of all mail, but a log from the mailserver, with sender and recipient addresses.
    • If everyone had a 99% accurate spam-blocker (ie installed at the ISP level), spam would become an inefficient way of making money, so the spammers would have to go elsewhere; bandwidth use then drops off from that.
    • If you want to stop spammers you have to stop them from stealing bandwidth. To date, the ONLY effective solution thus far has been relay blacklisting.

      And yet spam still gets through RBLs. The question isn't whether or not this happens, but what to do when it happens. When spam gets through an RBL, that's when you start employing additional features. You've already lost the resources. At this point, is it worth any additional computational resources to deal with it? If the answer is no, then you have

    • 1. Spammers make money by using a disproportionate amount of bandwidth than what they pay for. Stopping spam from entering people's inboxes is less than half the problem. 70% or more of all SMTP traffic is UCE and everyone pays for that in higher costs and slower performance regardless of whether they have spam filters in place.

      Bandwidth is a problem, but it's the least of our problems.
      Typical spam is under 10K.
      Cost to send 10K is under $0.0001 - and the cost is falling.
      Compare that with the amount of

  • But won't challenges look like spam servers probing your system?
  • This package just isn't going to get very popular. It is restricted to non-commercial use (perhaps you can buy a license for commercial use). And you have to sign up with IBM to get a download just to see if it's any good. And then there's a lot of extra stuff you have to have to run it. Maybe I should work on my own GPL open source version of this and do it as a pure TCP proxy front end so it works on any mail server (even for Exchange on Windows if on a different machine or under some emulator).

    • There are already dozens of challenge response systems like this. Take a look at this site for another typical example. http://harvee.billerica.ma.us/~esj/camram.html They seem to be mandatory to write for new mail administrators who have just discovered the power of Perl and feel a need to test it out.
  • [...] verifies email by attempting to verify the sender through lookups (a user customized challenge/response)

    Okay, so either (a) a user has to do a challenge/response simulation each time he or she wants to send/receive an email, or (b) it's automated... and a spammer could simply brute force/crack/automate themselves the challenge/response. I don't see how this would really work.

    - dshaw
  • Yeah, that's right. For 3 (three) months, I haven't got a single SPAM that got through to my inbox.

    Most of it gets blocked by a combination of Blacklists and firewall-rules, the rest gets flushed down the drain by a combination of Bayes- and other mailfilters.

    From my server logs I can see that only about 0.5-1% gets through firewall and the HELO-command of my server at all (out of about 200-500 Spams a day, varying with weekday). So I even reduced my mail-traffic quite a bit.
    • Yeah, that's right. For 3 (three) months, I haven't got a single SPAM that got through to my inbox.

      You may not have seen any emails that you consider to be spam, however, are you sure that you haven't had emails deleted that weren't spam? How can you be sure?

      As much as I certainly agree spam is a problem, and would like it to be "fixed", I'm personally not keen on filters, just because they can't be guaranteed to be 100% accurate, which conflicts with my desire to see 100% of the (legitimate) emails

      • You may not have seen any emails that you consider to be spam, however, are you sure that you haven't had emails deleted that weren't spam? How can you be sure?

        I can't be 100% sure. Even with all filters turned off, you can't be sure to get all mails, though.

        The main points are: First, this server is primarily used for private purposes. Second, I check the logs at intervals and/or when I get reported a problem (which very, very seldom happened). Third, here in Europe it's quite customary to handle important
  • So it seems to me that I'm already doing as much work as I would have to do using this software, but the whitelisting I'm doing in Thunderbird is already 100% effective at filling my inbox with email I care to see. Anything suspect goes to a suspect folder (after my ISP has already had a go with their spam filters, certain ones don't even reach Thunderbird) so I can double-check if there's something important I'm watching for from an as yet unknown address. It's kind of a pain, but it works. I can't see a b
  • by almaw (444279) on Sunday December 05, 2004 @02:08PM (#11002046) Homepage
    - If someone else has a different challenge/response system then the automated systems will ping e-mail back and forth to each other and humans will never see it. If the systems are sufficiently dumb, you'll get a nasty mailing loop and fill up both users' quota/hard disk.

    - Most spam has a forged address. If someone sends e-mail to 10,000 users with a c/r system with *your* e-mail address in the from header, you get 10,000 e-mails that day. Your only solution to this obvious problem would be to blacklist anything that looked like a c/r e-mail, thus breaking the system entirely.

    - It increases the amount of traffic on the 'net. This is bad.

    - About five million other reasons to do with netiquette and common sense. Will people never learn?
  • I run a small web board, and already the e-mail address I use as the admin of that board gets flooded daily with crap like "I haven't actually received your message, click here to verify you are real". I finally got fed up with it and posted this response [empegbbs.com].

    If you implement these, remember you get e-mail from more than just friends you know. Let's see, last week alone, I got 5 messages from companies like Dell from working on issues with them, and none of them are in my address book.

    The proper solution is to ensure the outside world sees no difference unless it is spam. I never give my full address to a company, instead I use the postfix feature where anything after _ is ignored. Then I create a one letter alias for me to keep them short. If I get a lot of e-mail, it makes server side filtering into my IMAP folders easy. And if one address gets hit by spam, I then block it on the server. It works well, and doesn't inconvenience the people e-mailing me.

    "Thank you for ringing my doorbell. I am currently home, but did not hear the doorbell. To properly ring it, please run around my house, braving the dogs in back, and use the doorbell located next to the cat door on the deck. Then I might care enough to see who you are and let you in."
  • by metamatic (202216) on Sunday December 05, 2004 @03:00PM (#11002309) Homepage Journal
    I haven't seen anyone post the BIG REASON why C/R systems won't work, so here it is again.

    C/R relies on users being willing to respond to challenge messages, either by clicking a URL or by replying by e-mail.

    As soon as C/R systems become commonplace enough, and users become accustomed to responding to the messages, spammers will simply craft their spam to look like challenge messages. Replying to e-mail will confirm the address (a win for the spammer), clicking the URL will deliver the reader to a web site full of pop-up ads and spyware (a win for the spammer).

    Shortly after this, user willingness to respond to challenges will drop to zero, and challenge messages will be filtered out automatically by Bayesian spam filters.

    So, if there are any spammers reading this, PLEASE PLEASE start your next major spamming campaign by disguising it as a challenge message from one of these stupid C/R systems. That way we'll kill off the idea once and for all, people won't waste any more time building new (and mutually incompatible) C/R systems, and people with a clue won't have to put up with any more C/R advocacy from well-meaning idiots.
