FairUCE - the Smart Email Proxy 333
Jestrzcap writes "This just posted on Freshmeat: FairUCE (which stands for 'Fair use of Unsolicited Commercial Email') is an SMTP proxy, running between multiple instances of Postfix, that verifies email by attempting to verify the sender through lookups (a user customized challenge/response). It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'."
Need an end-user version (Score:3, Insightful)
Even though this is an interesting new tool, most e-mail users are tied to whatever backend their ISP supplies, which is a shame... Someone should whip up an end-user desktop version.
Can't wait to get my hands on a copy of the server version though...
Re:Oh crap.... (Score:2, Insightful)
Challenge/Block (Score:4, Insightful)
FYI, any time (which is every time) I get a challenge for an email I didn't send, I immediately block the server because that kind of "solution" is nothing short of dropping their spam problem in my lap. Fair warning to anyone who thinks FairUCE is in any way a "Smart" answer to spam.
The only effective spam solution I've currently found is to have expiring email addresses. One easy way to set that up is to use subdomains that don't even resolve after a certain point. So you might have me@2004.example.com good for only three more weeks, or me@amazon.example.com good for as long as Amazon (or your "healthy" girlfriend) doesn't sell you out. You can get tricky, of course, and use subdomains that are not so easily subject to a dictionary attack or guessing.
Re:forward and reverse (Score:3, Insightful)
The remote mail server would find that the host points to 10.123.123.123, which reverses back to... the given hostname!
ND
Re:forward and reverse (Score:4, Insightful)
I'd rather see the MTAs all do PKI to authenticate eachother, only issue certs to those that sign non-UCE agreements, and revoke certs when servers start breaking the non-UCE agreements. If a cert issuer starts issuing a large number of certs to MTAs that start sending UCE, revoke the cert of the issuer.
Re:Challenge Response Spam (Score:5, Insightful)
This is very common - and not just with a real users address. I have seen thousands of "bounce" messages come to the various domains I own as spammers use the domain prefixed by various random bogus names at whateverdomainitis.com.
Luckily (for us, anyway) we've now got the proper software written and configured to keep this crap from ever hitting a mailbox we own; however, a more serious problem here is the "do-gooder" problem.
It goes like this. Joe Spammer decides to use several_thousand_names@mydomainname.com as his assumed identity. A do-gooder site gets reports of that mydomainname.com is "sending" this spam to, oh, say a zillion people. They promptly "blacklist" my domain -- from whence, I hasten to point out, no spam has ever been, or will ever be, sent. However, my domain is a valid domain that I depend upon to make my living. Various ISP's, through a compounding of stupidity (but still with the intent to "do good"), promptly bounce our valid emails, because the do-gooders site says we are spammers.
The end result is that because some spammer out on the net has used our domain name, we, not the spammer, are penalized and in a real financial sense.
In the meantime, the spammer, who like any competent spammer watches the do-gooder's sites very carefully, notices that my domain is banned, and promptly switches to a new domain. Meanwhile, I can't send mail to my customers. Meanwhile, I get thousands of "bounce" messages that have to be handled by some layer of software or, Darwin forbid, by one of the legitimate users at my site. Random netizens out there have been temporarily "protected" from (typically) one spam email per email address they have, while our customers are cut off at the knees, as are we.
So what the do-gooder has accomplished is to cause the spammer to take another domain (probably from an automated list, no sweat off the spammer's brow whatsoever) and the do-gooder has hurt a legitimate net citizen who never spams.
Everybody's trying to do good here except the spammer. The do-gooder and the ISPs using the do-gooder list hurt our end users by blocking mail they should be getting; they hurt us by screwing up our commications channel to our customer base; but -- they don't hurt the spammer one flipping bit, and they do no permanent good for the average netizen who gets one of these spams. The spammer just restarts his list at the break point and begins with a new domain; the end user, after a short delay, gets a new spam with a new domain name, and the temporary respite for them is over -- and the net result of the do-gooder's blacklist is no good whatesoever has been done. Some users will get two spams if the spammer restarts the list back a little to make sure he doesn't miss anyone. Great, eh?
Obviously, do gooder blacklisting doesn't work, and cannot work. Mostly, it causes harm to legitimate parties.
IMHO, if Internet mail is going to be unregulated, then it needs to be just that -- unregulated. If spammers are going to be fined and/or jailed, then the govt(s) need/s to get the heck after it (and probably needs to close the international email borders to any non-co-operative country so that such a thing is possible.) The latter seems far too severe; the former is being degraded by do-gooders and the people they confuse into accepting their services in an area they should have no absolutely authority in to a degree that should be unacceptable to any thinking person.
The only good solution to spam I know of is to use whitelists and web submission entry gateways. If someone is on your whitelist, you get email from them. If someone is not on your whitelist, they get an auto-reply email telling them to mail you via a form on a website. The form, which has to be hand-filled out, mails you at a whitelisted address that is not publ
Re:Will it be better than milter-sender? (Score:3, Insightful)
Re:Here we go again (Score:2, Insightful)
Restricted use and restricted download (Score:2, Insightful)
This package just isn't going to get very popular. It is restricted to non-commercial use (perhaps you can buy a license for commercial use). And you have to sign up with IBM to get a download just to see if it's any good. And then there's a lot of extra stuff you have to have to run it. Maybe I should work on my own GPL open source version of this and do it as a pure TCP proxy front end so it works on any mail server (even for Exchange on Windows if on a different machine or under some emulator).
Re:Here we go again (Score:3, Insightful)
A law against spam will not actually stop it, but it does allow action to be taken against the spammer after he is found out so he won't do it again.
Similarly, a technical solution that enforces detectability of the spammer will make it possible to find out so he is, so the law can be applied.
Neither law nor technical solution on its own will stop spam, but together they can be used to significantly reduce the volume. And that's all we are asking for, really.
Re:Oh crap.... (Score:4, Insightful)
If nothing else I've had friends forward me particularly amusing spam in the past...
Yet another challenge/response system: *yawn* (Score:5, Insightful)
There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them. Coupled with "sender pays" systems, they're almost always subverted within short periods and never can or will gain the acceptance of the user community enough to become effective.
Re:Yet another challenge/response system: *yawn* (Score:4, Insightful)
Problem though (Score:4, Insightful)
Also, wouldn't this just create a rash of false challenges that lead to spamming type material or websites?
Re:Yet another challenge/response system: *yawn* (Score:3, Insightful)
I'm extremely savvy when it comes to IT, computers, Internet, etc. It's what I do all day at work. I wouldn't use the system you describe...what a pain in the ass. How can you expect someone's grandmother to use such a system?
I used mailblocks.com for about 4 months...also a pain in the ass. Challenge/Response systems are not the solution.
Here's a scenario: I send you a freelance job opportunity. I've never corresponded with you before, but I visited your website, saw your resume, and saw the part on your site where you said "if you need someone with my skills, and have work, send me a message". After sending my offer, I log off and go fishing at the lake for two days. While I'm gone, your C/R system sends me a challenge. My system thinks its spam. Or maybe you've configured your C/R system to only wait 24 hours instead of 7 days for a response. The end result is that I never get a response back from you regarding my opportunity, I believe you're a tool because you blew me off, and you never get the work. Worse, in the future, if anyone ever says to me "hey, I'm thinking about sending X some work, what do you think? He has a great website with a lot of info." I will say "don't bother, the guy blew me off he'll probably blow you off, too."
My solution was simply to pay for an account at an ISP where they aggressively filter spam. Coupled with a whitelist, blacklist and goldlist, all of my spam gets filtered...hundreds of messages every day. Very simple system, I didn't have to "configure" anything except my lists when I started, and best of all, none of the people I correspond with get confused or hassled by automated systems.
Re:Yet another challenge/response system: *yawn* (Score:4, Insightful)
But, hey, you gave me the last number. So...5%. That's about 200 pieces of mail you sent. And you got 8 valid responses, and 2 invalid.
So you sent out, basically, 192 spam messages, barring the occasional legit C/R you sent out that was ignored. (Which is also a failure of the system, it's just a failure that isn't spamming.)
To get 8.
To get 8 fucking messages, you sent 192. For every legitmate message you receive, 24 other people had to look at a spam you sent them.
Well, you're the moral paradigm I've come to expect from C/R people.
Fucker.
Re:Yet another challenge/response system: *yawn* (Score:2, Insightful)
Re:Yet another challenge/response system: *yawn* (Score:5, Insightful)
Re:yet another waste of time (Score:3, Insightful)
Bandwidth is a problem, but it's the least of our problems.
Typical spam is under 10K.
Cost to send 10K is under $0.0001 - and the cost is falling.
Compare that with the amount of time you spend deleting spam - about 1 second.
Even a $1/hour, it costs a lot more to for a human to look at and delete spam than for the computer to receive it.
Spam read by the human is closer to 90% of the problem.
Once again, bandwidth is not the only cost, nor is it the major cost.
However, there is a large human-time cost for any spam solution, including RBLs.
RBLs aren't a fire-and-forget solution.
RBLs are not the only effective method.
Greylisting for example, reduces bandwidth costs, and blocks 85-95% of all spam.
In fact, greylisting has fewer false positives and fewer false negatives than any RBL I've ever tested.
Which includes almost every RBL mentioned at http://www.declude.com/Articles.asp?ID=97 [declude.com]
And I'll point out that the system described in the fine article can reduce bandwidth too.
70% of all senders would be rejected before the data stage, a very small challenge sent, and better than 99% would never be heard from again.
So instead of receiving a 5K spam, you send a 1K message - a net reduction.
I encourage my competitors to agree with you.
-- Should you belive authority without question?
Another dumb challenge/response system, because... (Score:3, Insightful)
- Most spam has a forged address. If someone sends e-mail to 10,000 users with a c/r system with *your* e-mail address in the from header, you get 10,000 e-mails that day. Your only solution to this obvious problem would be to blacklist anything that looked like a c/r e-mail, thus breaking the system entirely.
- It increases the amount of traffic on the 'net. This is bad.
- About five million other reasons to do with netiquette and common sense. Will people never learn?
Why challenge-response does not work (Score:3, Insightful)
C/R relies on users being willing to respond to challenge messages, either by clicking a URL or by replying by e-mail.
As soon as C/R systems become commonplace enough, and users become accustomed to responding to the messages, spammers will simply craft their spam to look like challenge messages. Replying to e-mail will confirm the address (a win for the spammer), clicking the URL will deliver the reader to a web site full of pop-up ads and spyware (a win for the spammer).
Shortly after this, user willingness to respond to challenges will drop to zero, and challenge messages will be filtered out automatically by bayesian spam filters.
So, if there are any spammers reading this, PLEASE PLEASE start your next major spamming campaign by disguising it as a challenge message from one of these stupid C/R systems. That way we'll kill off the idea once and for all, people won't waste any more time building new (and mutually incompatible) C/R systems, and people with a clue won't have to put up with any more C/R advocacy from well-meaning idiots.
Re:Yet another challenge/response system: *yawn* (Score:3, Insightful)
At least with C/R, you KNOW that my spam filter has prevented me from receiving your email. With all other spam filters, it filters silently so that NO ONE knows that it's been filtered. If it doesn't filter silently, one of us has to be notified.
If I'm notified of all email coming in, that's functionally equivalent to turning off spam filterinng. If you're notified, that's functionally equivalent to C/R. According to the anti-C/R crowd, the only acceptable thing to do is turn off spam filtering. I hope they practice what they preach.