Microsoft Researching Anti-Spam Technique 660
Tim C writes "Microsoft's Research group are working on a technique to combat spam. Dubbed the 'Penny Black project', it involves making email senders perform a computation taking around 10 seconds, which their recipients can then check for. This delay would limit bulk emailing speeds to around 8000 a day, meaning that to spam all of those 'fresh, guaranteed 25 million addresses' would take approximately 8.5 years." We've reported on this before.
Question... (Score:4, Insightful)
Re:Question... (Score:3, Funny)
With large pointy sticks....
Re:Question... (Score:2, Insightful)
Re:Question... (Score:2)
Re:Question... (Score:5, Informative)
Calm down, killer. Microsoft's not THAT smart.
It Is Not A Big Secret [weizmann.ac.il]
At worst, I suppose Microsoft could make its own scheme and try to push other people out, but I doubt that there are enough Microsoft MTAs out there to make that sort of system survive. If they implemented it for Microsoft-only, they'd almost have to give the option to revert to a traditional white-list when the sender can't play Microsoft's Holy Encryption Puzzle. After all, if you send someone an e-mail and Outlook Express won't give it to them, just tell them that - Outlook Express won't let you look at it. I sent it, sorry. The problem is clearly on your end, call support for help.
Microsoft HATES support costs and one thing you don't do on Windows is screw with grandma's emails.
Re:Yes, let's pace innovation by grandmas (Score:3, Insightful)
It's ironic that your complaint about worst-case users and grandmas is tied to mention of industry.
Anything that produces an end product for a userbase must adapt to suit the needs of that userbase at the time that the product is being produced. If the end user is so egregiously stupid that they can't even handle e-mail without someone holding their hand, then rather than evolving toward the next great technological advance, usability must be made the next branch for improvement.
Think about it in relatio
Re:Yes, let's pace innovation by grandmas (Score:3, Insightful)
Re:Question... (Score:3, Interesting)
How do you know if the key is valid?
Why can't a spammer just make up a false key? Does the client check it mathematically? How long does that take? Why not just delete the spam manually (like we all do now) if it's still going to take time to filter it out?
LK
Re:Question... (Score:4, Insightful)
If this is so computationally expensive, what would happen to the mailserver if I sent...oh half a million emails with bad keys in them.
Re:Question... (Score:3, Insightful)
Re:Question... (Score:3, Interesting)
You really want to email me [or get priority over other emails] you will do as I say.
Of course you can get to the point where it's too much hassle. I think MSFT is seeking to have this built into OE [e.g. integrated]
Tom
Re:Question... (Score:2, Informative)
Re:Question... (Score:2, Insightful)
What concerns me is how this would affect people who use Eudora, or yahoo-mail, or any of the host of other systems that don't require the Lords of Redmond holding their hands to send e-mail.
It seems that it would be a stop-gap measure for anyone using MS products or services to spam, but unless it was adopted by every major (and ma
Comment removed (Score:5, Interesting)
Re:Proposed "Sender do Something" technique. (Score:4, Informative)
1. Clueless admins (of windows or *nix servers) who refuse to use SA or similar? These are the same who leave the mail servers as open relays in the first place.
2. People who use their own SMTP server
Sure, go ahead and say that you can add reverse domain lookups. But registering a domain is quite cheap these days ($4.95 a year) and point the NS to your machine, set up MX records, and you're on your way.
Your solution is useful, but not comprehensive. I doubt there is a comprehensive solution short of making the spammers incapable of accessing the internet.
--
Clueless People? Everywhere I look, I see them. And some of them, they WORK here!
Re:Proposed "Sender do Something" technique. (Score:5, Insightful)
> the scoring process. If the message scores more
> than 6/10 the server sends the sender an
> authentication message, asking to validate the
> email.
So you are one of those responsible for bombarding me with those damn things.
> This would require spammers to manually
> intervene and waste tons of their time. if they
> forged the sender email...
They always do. My domain is a favorite.
>
> email...
Yes. Mine.
>
Isn't that what the spammers say? "If you don't want it, just delete it. What's the big deal?"
The big deal is that about a quarter of my email is bogus bounces and useless "confirmation" message from systems such as yours.
_NEVER_ _REPLY_ _TO_ _SPAM_
Re:Proposed "Sender do Something" technique. (Score:3, Interesting)
As a matter of policy, I do not respond to whitelisting requests because the sender of the whitelisting request has already accused me, with zero basis in fact, of being a spammer...
If you got a whitelisting request from him, it would have been because your message looks like spam. That is not a zero basis in fact from his perspective.
In fact it would be because you did something in your email to total a high bayesian filtering score.
As the sender *I* would not be insulted if that were to happen. In fa
Re:Question... (Score:2, Informative)
or
although the computation would be
Re:Question... (Score:5, Informative)
Not exactly a monopoly here as anyone else can implement it.
Tom
Re:Question... (Score:2)
Re:Question... (Score:3, Informative)
read the paper yourself! [weizmann.ac.il]
Tom
Oh yeah they invented this... (Score:5, Insightful)
So while MSFT didn't invent the original HashCash concept MSFT did improve upon it. So before anyone gets the bright idea of flaming MSFT ignorantly.... know your facts!
Tom
what's your point? (Score:4, Insightful)
If Penny Black is all there is, it doesn't look like that's going to change. It will probably be decades before we know whether MSR will have had lasting impact. By that time, Microsoft will probably be a benign, lumbering giant, just like its monopolistic predecessors, AT&T and IBM.
Re:what's your point? (Score:4, Interesting)
On the other hand, IBM Research has done pretty well, though it too has gone through hard times. Its contributions to open-source are substantial, and at the same time, it's much more in touch with the demands of the company.
Now, if someone had beaten me to it and moderated my parent as flamebait perhaps I'd have kept quiet....
Re:what's your point? (Score:5, Interesting)
And my point is that your comment is both insulting to MSR and misses the point.
Your comment is insulting to MSR because anybody who knows anything about CS research knows that MSR has top people. They have produced hundreds of first tier journal publications over the years. This is just a minor publication among many good things MSR has done.
It's meaningless because you are missing the main problem that all industrial research labs share: making the connection between research and products. MSR has been as unsuccessful at that as any other of the big industrial computer research labs before. Microsoft's problem is the quality and lack of innovation in their products, not their research labs.
mod parent offtopic.
I suppose when your points are weak, you have to fall back on calling on moderators. Why don't you engage your brain instead of falling back on such underhanded tactics?
Re:what's your point? (Score:5, Insightful)
It's patronizing. MSR doesn't have just one journal publication to their credit, they have had a sustained output of quality publications over years. There shouldn't be any question in anybody's mind whether MSR is an innovative and high-quality research lab: it clearly is. They are among the top-rated research labs in computer science, both in general and in specific areas.
I was hoping to FP to dispel the people who are naturally going to post out how MSFT is not innovative.
What you are missing is that whether MSR publishes nice papers or not has nothing to do with whether Microsoft "is innovative", i.e., whether the company produces innovative products. MSR is innovative, but Microsoft products are not. That disconnect is common among large companies and their research labs.
You seem to be agreeing with me while arguing against my post!!!
You are engaging in the usual confusion between research labs and corporate products. The only thing I can't tell is whether it's out of ignorance or whether you are doing it deliberately (PR departments often like to use releases about interesting research results to cover up inadequacies in a company's product line).
Re:Oh yeah they invented this... (Score:3, Insightful)
The real contribution MSFT made was their memory-bound HashCash which was designed to perform comparably on the latest machines [e.g. P4-3000] and the oldest machines [e.g. P2-233].
And this is part about sales but the research is freely available off the web as well as part of the Crypto'03 proceedings.
Tom
Re:Oh yeah they invented this... (Score:2)
You point out quite correctly that the method takes exactly the same amount of time on an old machine as a new one.
Now, Imagine a Beowulf Cluster of 386's....
Re:Oh yeah they invented this... (Score:3, Interesting)
This memory-bound one doesn't have such a nice reduction but it's conjectured to be similar.
So you can't "fake the method". Sure they could put a fake header in there, e.g.
X-MBHC: BLAH
But the verifier could trivially see it was faked.
Tom
Re:Oh yeah they invented this... (Score:3, Interesting)
However, 8MB of what essentially amounts to cache is expensive. This means now for a spammer to spam in volume they have to buy a $20,000 cpu.
The trick though, is in the original HC to make spammers slow down you have to slow down the lower end users.
MSFT research realized that if you make the memory bus the major limitation you can level most desktops. E.g. a P4-3000 is only 4 t
Motives (Score:3, Insightful)
No, if it takes 10 seconds for a spammer with the latest dual Xeon CPU (or hacked into a superfast company computer), it will take several minutes for the average user, and hours for my mother on her old P200 (which is more than good enough for sending email), or days for myself on my 20MHz PDA.
Of course, this will incite people to buy new PC's, which comes
Re:Motives (Score:4, Insightful)
Re:Oh yeah they invented this... (Score:3, Insightful)
If something like this became popular I'd have to drop the mailing list as the hardware cost would be prohibitive (10 messages a day, 10,000 emails at 10 seconds an email doesn't scale when the machine is serving web pages too).
The LKML people would be stuffed... they'd need to invest in one of those expensive zero wait-state memory modules just to stay online.
Re:Oh yeah they invented this... (Score:5, Interesting)
I believe you 100%, only Microsoft would come up with a solution that artificially induces inefficiency.
I'm no fan of Microsoft, but this is silly. Lots of security tools "artificially induce" inefficiency. One relatively early example that comes to mind is Unix crypt, the function originally used to hash passwords. It runs a DES-like algorithm many times to produce its results, not because that improves the quality of the hashing, but because it takes longer, which makes brute force attacks harder. The Unix login program also deliberately introduces an artificial delay after every failed login attempt, and it's not to give you time to remember your password.
There are many instances in which slowing down legitimate users a little is an effective mechanism for deterring abuse.
That said, I still think this particular idea is stupid, since there are plenty of people who have a legitimate reason to send large volumes of e-mail, and this would cause them more pain than it would cause spammers.
not a solution (Score:2, Insightful)
Re:not a solution (Score:5, Insightful)
Whine!
It may not be the end all be all solution, but obviously we haven't found that yet. This seems like a pretty good solution for the moment. There may be a better one that comes out, making this one null and void, but we are continuing to find ideas which are a little better than the last.
How can that be a bad thing?
Re:not a solution (Score:2)
Maybe because people keep misidentifying the problem.
The problem isn't that email is easy to send. The problem is that there are people who want something for nothing, and don't care who they harrass or steal from in order to get it.
Solve that problem, and spam will go away!
Re:not a solution (Score:2, Interesting)
The idea though is that you can automate the process. E.g. unless the email has a tag on it that's valid you delete/filter the message.
Tom
Re:not a solution (Score:2)
Re:not a solution (Score:3, Insightful)
Recall that verification is trivial while generation is what takes the time.
Or the server could put the burden on the users.
The idea is not to stop spam it's to make it easier to filter out. Spammers won't take a 10,000x fold penalty increase to spam with valid tags...
Tom
Re:not a solution (Score:3, Informative)
What you're missing is the fact that the 50 e-mails you delete take *your* time, whereas the 50 you send burn only your computer's time. You click send and go on to something else while your computer chugs away in the background.
I don't know about you, but my computer's time is worth next to nothing to me, whereas my time is rather important (to me).
Re:not a solution (Score:5, Insightful)
The idea is not to save you fifty seconds of time by deleting your spam. That's a fringe benefit. The idea is to stop spam by making it harder and more expensive to do so. If we can up the price and difficulty to a certain point spam will no longer be a viable marketing technique.
You're missing no voodoo magic whatsoever, I think you've simply failed to think this through in its entirety. You claim you're sending 50 emails a day. In all likelihood most of these emails are not first-contact emails which would require a crypto challenge, but are in fact addressed to an established-contact which doesn't challenge you.
But for the sake of argument let's say all 50 of these emails are first contact. Dandy. Let's look at how this goes. You write the first letter, and proofread it, and click send. Your system does not immediately lock for ten seconds. Instead your message goes into your outgoing message queue. While you are writing and proofreading your next message the system is busily computing the hash for the previous message.
Let's suppose even further that you type uncommonly fast, require no proofreading, and get all 50 of the messages into your outbox. You take a deep breath, run to the bathroom or for a refill on your coffee, or whatever -- guess what's happening while you're afk?
Re:not a solution (Score:3, Insightful)
Some of your bandwidth and time is being wasted in the short term, because spam is still being circulated.
But in the long term, spam ceases to be an effective business model.
Re:not a solution (Score:5, Insightful)
Re:not a solution (Score:5, Insightful)
No, it isn't. Three years ago it might have been a solution, but right now, it's just a colossal waste of time.
The problem with this is that it operates on the assumption that spammers work within the same boundaries as everyone else. Anyone who has spent even a tiny fraction of their time fighting spam knows this is simply not true.
The days of spammers sending spam from a single server are long gone - nowadays, they use thousands of trojaned machines to do their work. How many machines do spammers control? Enough to launch effective DDoS'es on some of the largest pipes out there.
The effectiveness of this 'solution' would be marginal at best.
Now compare the effect it would have on legitimate users - an individual sending mail wouldn't notice 10 seconds.. but email is not only used by individuals.
Something to keep in mind when assessing any anti-spam 'solution' such as this is the following:
From a receiver's standpoint, the only difference between a legitimate mailing list and a spammer is that the user asked to be part of a mailing list.
Now think about how this would affect legitimate mailing lists: How many mail servers do most mailing lists have? One? Two? Six? Some large mailing lists might have a dozen.
So how does this affect those mailing lists?
It would shut them down, is how. They would cease to be useful, as it would take days for their mails to get through.
So the 'obvious' solution to this problem would be to whitelist legitimate mailing lists, right? Wrong. That's not a solution either (and we'll ignore the point that any 'solution' that requires exceptions is probably not very well thought out.)
I maintain a mail server for a few thousand people. I have no idea which mailing lists they would subscribe to. It would probably become a full-time job to keep such a whitelist up to date. (And most users wouldn't have any idea to notify me in the first place - so the end effect is that they would subscribe, and then bitch about how they're not getting the stuff they signed up for.)
This 'solution' does not solve anything, and will create more and worse problems than it attempts to solve.
Re:not a solution (Score:5, Interesting)
First setup a whitelist, make this your first spam check. On the whitelist? Email goes through never checking for any other spam criteria. (Mailing list should be accepted here).
For mail that doesn't pass the white list check we can check for the header created by the MS program. We verify that the computationally intense header is correct and maybe we can let that through if we want, maybe I let emails with this tag pass through my spam checker with a higher spam score.
If we decided to accept mails with the header, we now check the remaining email with a very thorough spam checker and use a very low score.
No matter how many computers they have, it will lower the number of emails that are able to be sent, if people filter on this criteria.
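The stamp-then-filter order this post describes, together with the earlier points that verification is trivial while generation is what takes the time and that a made-up header such as "X-MBHC: BLAH" is trivially detected, as an added example. This is illustrative code written for this page, not the Penny Black paper's or Microsoft's implementation: it uses a plain hashcash-style SHA-256 stamp rather than the memory-bound function the paper proposes, and the "x-stamp" header name, the 16-bit difficulty, the trigger-word scorer and all sample messages are constructed assumptions.

```python
import hashlib
import os

# Added example, not code from the Penny Black paper or from Microsoft.
# Sender side: search for a counter that drives a hash under a target (slow).
# Receiver side: recompute one hash and check the fields (fast).
# The "x-stamp" header name and the 16-bit difficulty are assumptions; a
# deployment would tune the difficulty to the cost it wants to impose.

DIFFICULTY_BITS = 16


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def mint_stamp(recipient: str, date: str, bits: int = DIFFICULTY_BITS):
    """Sender side. Brute-force search; returns (stamp, hashes_computed)."""
    salt = os.urandom(8).hex()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{recipient}:{salt}:{counter}"
        digest = hashlib.sha256(stamp.encode()).digest()
        counter += 1
        if leading_zero_bits(digest) >= bits:
            return stamp, counter


def verify_stamp(stamp: str, recipient: str, date: str,
                 bits: int = DIFFICULTY_BITS) -> bool:
    """Receiver side: exactly one hash plus field checks. The recipient and
    date fields stop a stamp being reused for other addresses or days."""
    parts = stamp.split(":")
    if len(parts) != 6 or parts[0] != "1" or not parts[1].isdigit():
        return False          # malformed or faked header, e.g. "BLAH"
    claimed = int(parts[1])
    if claimed < bits or parts[2] != date or parts[3] != recipient:
        return False
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= claimed


SPAM_WORDS = ("viagra", "guaranteed", "25 million", "free money")  # constructed


def content_score(body: str) -> int:
    """Stand-in for a real Bayesian filter: one point per trigger phrase."""
    lower = body.lower()
    return sum(lower.count(word) for word in SPAM_WORDS)


def classify(msg: dict, whitelist: set, recipient: str, today: str) -> str:
    """Whitelist first, then stamp, then a content filter whose threshold is
    stricter for unstamped mail, mirroring the order the post proposes."""
    if msg["from"].lower() in whitelist:
        return "accept"                       # mailing lists live here
    stamped = verify_stamp(msg.get("x-stamp", ""), recipient, today)
    threshold = 3 if stamped else 1           # stamped mail gets more slack
    return "accept" if content_score(msg["body"]) < threshold else "quarantine"


def run_demo() -> dict:
    """Constructed sample traffic; returns each message's verdict plus the
    number of hashes the one genuine stamp cost to mint."""
    me, today = "me@example.net", "20040101"
    whitelist = {"lkml-bounces@example.org"}
    good_stamp, work = mint_stamp(me, today)
    messages = {
        "list": {"from": "lkml-bounces@example.org", "body": "guaranteed patch"},
        "faked": {"from": "anon@example.com", "x-stamp": "BLAH",
                  "body": "guaranteed 25 million fresh addresses"},
        "stamped": {"from": "friend@example.com", "x-stamp": good_stamp,
                    "body": "guaranteed to make you laugh"},
        "unstamped": {"from": "friend@example.com",
                      "body": "guaranteed to make you laugh"},
    }
    verdicts = {k: classify(m, whitelist, me, today) for k, m in messages.items()}
    verdicts["hashes_to_mint"] = work
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

The asymmetry is the whole point: `mint_stamp` loops tens of thousands of times at 16 bits, `verify_stamp` hashes once, and the whitelist check runs before either so a subscribed list never pays. Binding the stamp to recipient and date is what prevents one stamp being replayed to many addresses.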
Re: (Score:2)
Re:not a solution (Score:3, Insightful)
Re:not a solution (Score:2)
Re:not a solution (Score:3, Interesting)
The second point that I have is that the whining is i
Comment removed (Score:3, Insightful)
Re:Technique? (Score:2)
I RTFA, but what exactly is it? (Score:4, Interesting)
Involves calculating hashes (Score:5, Interesting)
Re:Involves calculating hashes (Score:2)
Re:Involves calculating hashes (Score:2, Informative)
Phew (Score:4, Funny)
"The payment is not made in the currency of money, but in the memory and the computer power required to work out cryptographic puzzles. "
Phew!!! For a second there I thought I was going to have to do a math problem for each email I was going to send. I woulda been fucked!
Compliance is mandatory... (Score:2)
Why not charge per message? (Score:2, Interesting)
Spammers don't use their own computers (Score:5, Insightful)
So 8,000 emails / day is fine, if you have a couple thousands relays to pick from.
Re:Spammers don't use their own computers (Score:2)
Re:Spammers don't use their own computers (Score:2, Informative)
Let's say you leave your gun safe unlocked and someone comes in and takes your guns and kills somebody. You're going to get sued for big moneys. If you leave your computer "unlocked" and someone sends spam with it you should be held accountable in some way.
Spam is an international problem and is very difficult to stop. But there are known spammers in the unite
Mailing list operators do use their own computers (Score:4, Insightful)
So this would have the effect of making legitimate high-volume, high-subscribership mailing lists expensive to operate (unless subscribers configured their MTAs to accept "unstamped" messages from the list, which is annoying and error-prone -- and has an obvious "workaround" for the spammers).
<tinfoilhat mode="on">Ha! Now we see Microsoft's *real* goal... to slow Linux development by shutting down the kernel mailing list!</tinfoilhat>
Seriously, though, any attempt to make e-mail expensive hampers those who have a legitimate need to send lots of e-mail.
Plus, there are obvious workarounds that will be developed in short order. A hardware stamp-generator could probably cut the stamp generation time to practically nothing, particularly since their approach somehow depends on memory/CPU latencies rather than processing time. You might be able to make a much faster stamp generator by running it on your graphics card, and custom-built hardware could certainly do it.
Re:Mailing list operators do use their own compute (Score:3, Interesting)
Well, maybe. There still could be a white list for cases like this.
I think that high volume mailing lists should probably actually be newsgroups anyway. But what it does do is put a crimp in people who host a lot of low volume mailing lists.
Re:Mailing list operators do use their own compute (Score:3, Interesting)
I think that high volume mailing lists should probably actually be newsgroups anyway. But what it does do is put a crimp in people who host a lot of low volume mailing lists.
As somebody who hosts low-volume mailing lists, I have to agree.
Whitelists are nifty (we use them extensively), but what worries me on that score is that if they become frequent, I suspect we'll just see spammers hijacking address books along with machines, and forgi
A bit of foresight... (Score:2)
Glad the guy from MessageLabs hit the nail on the head right away... what are the chances Microsoft will go along with THAT idea? They'll implement this as an Exchange/Outlook only feature, if they can get away with it...
And, a poster above me states that Microsoft basically invented this, giving me reason to believe there i
This not only isn't going to work, it's a disaster (Score:5, Insightful)
SMTP needs to be redesigned. Not by Microsoft, who will use any change in the protocol to tighten their monopoly grip, locking in their customers (and locking out the non-Microsoft world), but by the IETF.
Spammers having to do a computation before delivering email isn't going to limit them to 8000 pieces of mail a day, it simply means they're going to cluster all of those Windoze boxes their custom worms have infected, and let those millions of PCs do the work for them in parallel. SPAM won't decrease one bit, but the load and toll it places on those who use the net will go up significantly.
The solution isn't to increase the cost of email (computationally, bandwidth-wise, or financial), the solution is to repair the design flaws in SMTP (and, for that matter, USENET, something that remains the most useful medium on the 'net despite its widespread abuse) that make SPAM a viable methodology.
Scrap SMTP? (Score:3, Insightful)
Until you know how you're going to repair the problem, let's not get too excited about scrapping a protocol that still has a lot of flexibility. I've learned a lot about SMTP in the last few months, if there was universal agreement as to WHAT to do, we could probably accomplish it in place.
What are the options? Whitelists, blacklists, red lists, gray lists, hash cash, filters, etc. No one can agree HOW to combat the problem.
How about my old hardware? (Score:4, Informative)
Okay.. (Score:5, Insightful)
Personally, my whole take on spam is that everything needs to be done on the user end. Laws have loopholes in every situation (foreign spammers being a large one,) server restrictions are either too restrictive on small servers, or can be defeated with distributed computing.. I say we stick with Bayesian filtering. It works _wonders_ for me, and I'd love to see more people use it.
Re:Okay.. (Score:3, Informative)
Re:Okay.. (Score:3, Informative)
Personally, my whole take on spam is that everything nee
This might be a non-issue for mailing lists. (Score:3, Informative)
You know how mailing lists require you to confirm your membership? Well, this confirmation mail would have you add the mailing list to your whitelist. As a result, future mailings on that list would be let through without having to do the computation.
The mailing list could simply refuse to deliver mail if you ask it to do the computation, or it might give you a one time warning that you have to add it to the whitelist, or similar.
But all it takes
Could be good *if* (Score:2)
2) No-one discovers a mathematical short cut for the hash.
3) What are the calculation costs on the recipient?
4) The Intel "Spammer Edition" Pentium 5 with a half gig of L1 cache. Memory bandwidth is no longer a bottleneck.
Fine for users but what about companies? (Score:2)
what about mailing lists? (Score:2)
What about mailing lists? Until we recently upgraded, we were doing reasonably OK with an Axil 320 (Sun Sparc clone. No, not an UltraSparc, a sparc. Yes, that slow) for about 3,000 subscribers. One of our lists was at least 30-40 messages a day.
Ten seconds of P4 3ghz time is about....half a year for a 110mhz microsparc ;-)
We've since upgraded- but I can tell you right now that anyone who tries to make us leap through these hoops will simply find themselves removed by Mailman for bouncing. Like those
I wonder how well it will work? (Score:2)
Hummm...doesn't look like Microsoft is really serious.
No research involved (Score:2, Funny)
we need hybrid solutions, with whitelists (Score:2)
I think that any postage scheme should be hybridized with a white list to avoid imposing burdens on people you want to talk to. The postage (economic or computational) should only apply to people who you don't know.
In other words, if I know you, you should be able to email me for free, but if I don't know you, it should cost something -- not
GPU's? (Score:2, Interesting)
But they soon realised it was better to use memory latency - the time it takes for the computer's processor to get information from its memory chip - than CPU power.
Don't GPU's have a lot smaller memory latency?
hmm, whats this?
BrookGPU: General Purpose Programming on GPUs [slashdot.org]
Uhm (Score:4, Insightful)
Limiting technology? (Score:5, Insightful)
Instead, they should focus on adding more functionality to the smtp protocol. For instance, they could add sender e-mail address verification. You can't check the actual e-mail address, but you can make a "dial-back" TCP connection to check, if the e-mail is known by the mail-server that belongs to the sender e-mail address.
Combined with law enforcement, blacklists etc., this is extremely effective.
Why not just.... (Score:5, Interesting)
Textbook case of over-engineering (Score:3, Insightful)
This MS solution is almost a caricature of one of my own over-done home improvement ideas. Why bother with some elaborate cryptographic system to delay inbound emails? Why not just have the receiving SMTP process call sleep(10) at the beginning of the SMTP session? You get the same desired slowdown, and all you have to change is the SMTP server software. There's no need to modify MTAs, promulgate new standards, or fit yourself more tightly into the MS monopoly noose.
Re:Textbook case of over-engineering (Score:4, Informative)
Thread 1:
for x goes from 1 to 100000, send message number X to a server somewhere.
Thread 2:
In a loop, respond to any 10 second sleep requests that came back from servers being talked to by thread 1.
Thus, the overall additional cost to the spammer is NOT 10 seconds per message, but 10 seconds overall for the whole batch of messages. Not a big deal, really. (The server-side sleeping solution only works for the case where the spammer is talking to a small list of e-mail servers. So long as the spammer is sending 10,000 messages to 10,000 different SMTP servers, each one can sleep 10 seconds and it won't delay the spammer much overall, provided the spamming program is smart enough to start in on the next message before waiting for a reply from the first.)
What Microsoft's solution does is make the sender pay a resource cost that is more significant than just sleeping a few seconds (which costs almost nothing), so that a long delay is guaranteed. (It also makes it impossible to lie and fake out the message - because it has to be an answer to the math question asked by the recipient's server, and until you see that question, the sending program doesn't know what fake thing to put into the header.)
The idea is sound, so long as the algorithm is well published (not used by MS as a monopoly-enhancer like they usually do), and it's not possible to devise a question which is deliberately problematic for the program to solve. (If there exists a special case of a question to ask the sender which isn't solvable in reasonable time, then a malicious site could set things up so that when you try to send mail to that site your own mail server gets stuck trying to solve an impossible math problem and can't continue.)
Why bother with the computation? (Score:3, Interesting)
So why bother with all the computation and hashing, and just refuse to accept connections from a given IP except every 10 seconds? So if an email was sent from AAA.BBB.CCC.DDD at 00:00.00, don't accept another from that IP until 00:00.10.
This makes it happen entirely at the recipient server side, so you're not breaking SMTP, and it's backwards compatible with everyone else.
On the other hand, if it's 10/sec per email it doesn't sound like this would be feasible to implement:
Re:Why bother with the computation? (Score:3, Interesting)
The idea is not to take longer sending one email. Spammers don't send spam one at a time and wait for the first one to be finished before sending the second one. The idea is to force the spammer to spend something, specifically in this case 10-20 seconds of CPU time, per message. If all you are doing is sleeping 10 seconds, the spammers can out multithread you and just wait, while making 10000 other SMTP connections in parallel doing the same thing. The rate of messages will ultimately be the same but i
What they fail to mention... (Score:5, Insightful)
Perhaps, if Steve 'Uncle Fester' Ballmer and his cronies had paid more attention to basic security to begin with, or had taken the trouble to actually try and educate their customers about the most basic computing security steps, there wouldn't be such a huge problem now.
This 'Penny Black' nonsense looks like nothing more than a means for them to make money off a mess that they created in the first place.
What about legitimate bulk mailers? (Score:3, Insightful)
Email Fiefdoms (Score:3, Insightful)
Having read the article, I was impressed by how clever their proposed solution was, though since I don't have a CS background, I don't understand how a mathematical computation can be essentially bottlenecked by memory latency -- I'd love it if someone could give an explanation of how that works. I'm guessing that some cryptographic hash needs to be held in memory, such that the nature of the data structure and physical access to it proves a bottleneck. This is probably way off.
But having read the /. comments, it becomes clearer to me that this solution, and many other proposed solutions face problems insofar as they "break" the assumed contract under which email has worked for so many years. To me, this seems to boil down to a challenge / response system (albeit one that increases the overhead of the transaction significantly). The problem with these systems is that for a time, email will be broken for certain people, or broken when trying to communicate with certain people depending on whether or not one has migrated to the proposed system. I'd worry that this would have the effect of segmenting email users into little fiefdoms determined by which email system they are using.
I don't think a migration can happen unless there is some "benevolent dictator" who can force everyone to migrate to such-and-such a new email model and system, and frankly, I wouldn't want that forced on us.
It seems that the challenge to any such spam-reduction system is that migration must be immediate and non-backwards-compatible, and universal, otherwise for a time email users will be segmented into little fiefdoms based on whether they've migrated, and solution to which they've migrated.
old and embraced (Score:3, Informative)
It has known shortcomings, but it is one of the best solutions out there.
Its main problem, however, was not yet known when it was invented: That spammers would control huge zombie networks, as they do today.
With 100k zombies (which is not uncommon), the spammers can still send out 10k mails per second, or those 25 million spams the topic speaks about in under one hour.
solution (Score:3, Insightful)
I think in the long run only something more expensive will deter most spam, but will not succeed completely. Case in point is all the junk mail we still get in our real mailbox. Someone out there is paying for postage to send that crap, yet they still ship it to me so that I can place it in my trash can.
My simple solution (Score:3, Insightful)
http://gallery7.withsex.com/
All I do is block withsex.com with an expression filter and all spam that's affiliated with that site goes away. Spammers can't obfuscate a URL, otherwise it won't work. The image linked from the same site is 28KB. If that spam was sent out to 25 million people and all of them looked at it once, that cost the spammers 667GB of transfer. On a standard DSL line it would take about 6 months to transfer that. These companies need a dedicated host to allow them that kind of bandwidth. The company may have a number of domains for the site, but spammers aren't going to be using random ones to advertise it like they use random from e-mail addresses. They also have to keep the domains functional or all that spam goes to waste.
Not many hosts would allow that kind of bandwidth transfer without charging up the nose for it. Which limits the number of hosts that spammers will use for images. 2004Hosting.org/.net is a big one for the cable filter and "banned CD." 530000x.net is also affiliated with those spams.
click-net and click-com are what spammers use to get paid. If you click on a spam link, most likely it goes through a common domain to log the referral to calculate how much the spammer gets paid. Block the referral site and all spam that uses that referrer to get paid is gone.
For example, http://www.xswcde.biz/index.php?id=173&affid=56342 is a big e-bay spammer site. I block xswcde.biz with an expression filter and all e-bay spam from that company goes away.
It basically boils down to blocking the company and not the spammer. My spam count went from about a dozen a day to 1 or 2 and they also have obvious tells. If possible I also block the domain in the from address. Using a web-form cut down on spam quite a bit as well.
Ben
Why not... (Score:3, Informative)
And to "strongly discourage" any ISP that would consider flaunting this rule, they get zero compensation for that netblock they paid for and are denied from buying any new netblock for a time (possibly a week).
Because this would necessarily work on the level of ARIN and the root DNS servers, you can't avoid it, because those are known, reputable organizations who will have no choice but to comply.
Can anyone think of a way you *could* avoid this?
E-mail list killer (Score:4, Insightful)
First, it would kill legitimate mailing lists. Imagine what the perl5-porters list or the Linux kernel list or any of the other high traffic mailing lists would have to do to keep operational. Large mailing lists already have problems with lag. This would just add to that.
Also, there does not seem to be anything that would stop them from doing these operations in the background and just contacting multiple sites while working on the problem. They would just multi-thread the mail spammer or just hijack more machines to use as their slaves.
This technique requires replacing every mail program out there to support the protocol. Of course, they will just make it a condition to connect to Exchange. Might be a way of getting people away from having to talk to compromised Windows mail servers.
This is a bad solution for a big problem.
"Something must be done! This is something, therefore we must do it!"
research? microsoft? (Score:4, Interesting)
Yahoo works better with regards to spam though I wish it would empty the bulk mail folder more often.
And my pop3 acct has something called greylisting and that alone cuts 95% of spam. Plus black and white listing IPs and domains helps too (for instance, only allowing email from hotmail.com if it originates from one of hotmail's servers, etc.) and blocking known spam-haven Class C ranges (eg x.x.x.*).
Just hashcash - wasteful, impotent, and harmful. (Score:3, Interesting)
Hashcash is wasteful... it just runs processes at full blast for tens of seconds to tens of minutes at a time, which is a small energy waste but overall a loss.
Hashcash is impotent... any hashcash scheme cheap enough to let someone with an older computer send mail in less than minutes won't slow down a P4-3GHz at all.
Hashcash is harmful, because it makes no distinction between solicited and unsolicited mail. How would you subscribe to Slashdot without whitelisting it?
And once you're whitelisting senders, you might as well just whitelist everyone you get mail from, and now you only need to discourage unknown senders. And hashcash is still a silly solution there, how about real cash?
Here's one way to do that. Whitelist not a sender, but a server. A server at a company that simply charges a few pennies to a few dollars to forward mail (you pick the level of unsolicited mail you want), or one that requires other hoops...
Much simpler, doesn't require new proprietary Microsoft technology, and allows all kinds of alternatives...
Re:10 seconds (Score:4, Informative)
The research this is based on [presented at Crypto '03] is designed to level the difference between a P4-3000 and a P2-233. They use problems where cache hits will be lower [e.g. use an 8MB buffer or something] so you end up computing at the speed of your memory bus.
If you had done some research before posting your crap you'd know this.
Tom
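A toy memory-bound puzzle, added here as an illustration and not code from Microsoft, the Crypto '03 paper, or any poster: it shows the idea Tom describes and answers the question raised in the "Email Fiefdoms" post above. Each table lookup's index depends on the previous lookup, so the CPU cannot prefetch; with a table larger than the cache every step is a memory stall, and a fast ALU buys little. The table size, walk length, difficulty and mixing constant are assumptions chosen so the demo runs in seconds.

```python
import hashlib
import struct

# Constructed demo parameters: tiny on purpose so the example runs quickly.
# A real table would exceed every cache level (tens of MB), as Tom's post describes.
TABLE_WORDS = 1 << 16
WALK_LEN = 64
DIFFICULTY_BITS = 12          # a sender expects ~2**12 trial walks per message
MASK64 = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15     # odd 64-bit constant used as a cheap mixer (assumption)


def build_table(seed: bytes, words: int = TABLE_WORDS) -> list[int]:
    """Public pseudorandom table; sender and receiver derive the same one from a public seed."""
    table = []
    counter = 0
    while len(table) < words:
        block = hashlib.sha256(seed + struct.pack(">Q", counter)).digest()
        table.extend(struct.unpack(">4Q", block))
        counter += 1
    return table[:words]


def walk(table: list[int], message: bytes, nonce: int, steps: int = WALK_LEN) -> int:
    """One trial walk. Each index depends on the previous result, so lookups cannot be
    predicted or prefetched; the per-step arithmetic is deliberately too cheap to matter."""
    n = len(table)
    start = hashlib.sha256(message + struct.pack(">Q", nonce)).digest()
    x = int.from_bytes(start[:8], "big")
    for _ in range(steps):
        x ^= table[x % n]          # data-dependent lookup: the cache miss is the cost
        x = (x * MULT) & MASK64
        x ^= x >> 29
    return x


def verify(table: list[int], message: bytes, nonce: int) -> bool:
    """Receiver's check: a single walk, i.e. about 1/2**DIFFICULTY_BITS of the sender's work."""
    return walk(table, message, nonce) >> (64 - DIFFICULTY_BITS) == 0


def solve(table: list[int], message: bytes) -> int:
    """Sender's work: try nonces until a walk ends with DIFFICULTY_BITS leading zero bits."""
    nonce = 0
    while not verify(table, message, nonce):
        nonce += 1
    return nonce


if __name__ == "__main__":
    t = build_table(b"constructed public seed")
    msg = b"From: alice@example.com\r\nSubject: hi\r\n\r\nhello"   # constructed sample mail
    n = solve(t, msg)
    print("nonce", n, "accepted:", verify(t, msg, n))
```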
Re:10 seconds (Score:4, Insightful)
I'd love to see the Itanium 2 results. The entire program could fit in cache... Yes, the array size could be increased in size, but that would further penalize users of PDAs, which already suffer quite a bit.
The real question is whether this program is sufficiently unique a case that further advances in memory technology (short of the Itanium's rather expensive brute force solution) will not make this program obsolete.
Re:Can Multiple Email Processes be Spawned ... (Score:3, Insightful)