Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Spam Technology

Microsoft and Yahoo! Fight Spam - Sort Of 344

kyndig writes "In a Forbes article, Microsoft claims that 90% of email on the internet is spam. To fight this, Yahoo! has teamed with Cisco in developing DKIM, a signature based email authentication. Not to be outdone, Microsoft is proposing SenderID, which examines an email to see if it is coming from an authorized server. Earthlink's chief technology officer, Tripp Cox, goes on to examine the pro's and con's of each specification and provides practical application results." From the article: "Critics have accused Microsoft forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systems do not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."
This discussion has been archived. No new comments can be posted.

Microsoft and Yahoo! Fight Spam - Sort Of

Comments Filter:
  • Let MS do it... (Score:2, Interesting)

    by losman ( 840619 ) *
    If a bunch of hotmail users stop getting email then that will only hurt MS.
    • Re:Let MS do it... (Score:2, Insightful)

      by natedubbya ( 645990 )
      Right, somehow I doubt microsoft would start deleting e-mails. That's just silly. The instant someone finds out a real e-mail was deleted is the instant they switch e-mail providers.
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Friday July 15, 2005 @09:25AM (#13072737)
      Comment removed based on user account deletion
    • Re:Let MS do it... (Score:4, Insightful)

      by Iriel ( 810009 ) on Friday July 15, 2005 @09:38AM (#13072876) Homepage
      My biggest concern (and please don't bash me for this) is not about Hotmail users getting all their email flagged as spam. The problem I can see with this is if Microsoft strongarms other servers into using the SenderID. It's almost like the way that the majority of websites have CSS hacks and workarounds for a broken browser(IE) that still won't be fixed in the next version. If enough people are using the proprietary garbage, then people will others will be forced to support it.

      If they can muscle thier SenderID onto enough servers out there than less email becomes spam, then SenderID is free to be a gateway for other proprietary garbage that MS may decided to bundle with it. Microsoft has had its overwhelming failures at times, but it also has a record of 'forcing' their way onto enough of the market to make an impact for better or worse. That's just my take on it; it's not what it will do, but what it will allow to happen in the future (should it catch on)
      • If they can muscle thier SenderID onto enough servers out there than less email becomes spam, then SenderID is free to be a gateway for other proprietary garbage that MS may decided to bundle with it.

        SenderID is an extension of SPF, which is not proprietary. A valid SPF record will be picked up by any conforming SenderID processor as a SenderID record. I'm just worried about those people who use an ISP's mail server where the ISP lacks enough clue to use SPF.

        • SenderID is an extension of SPF, which is not proprietary.

          The proprietary (purportedly patent-encumbered) SenderID abuses non-proproprietary SPF records, meaning that SenderID is an extension to SPF in the abusive "embrace, extend, and extinguish" sense.

          A valid SPF record will be picked up by any conforming SenderID processor as a SenderID record.

          I would word that as: "Conforming MS-senderid processes will not only misinterpret valid SPF records, but they will use those misinterpreted results in a

    • Re:Let MS do it... (Score:3, Interesting)

      by norfolkboy ( 235999 ) *
      Wrong

      It won't only hurt MS.

      Non receipt of email can hurt businesses not remotely connected with MS.

      For example, I run a website with around 52,000 members. Each member has opted to join a mailing list, and they also receive alerts when they have a new message waiting for them on the website.

      My own stats show that there are a significant number of users that will not return unless they receive a message telling them they have a new message on the website.

      When back on the website their interest for the s
      • For example, I run a website with around 52,000 members. Each member has opted to join a mailing list, and they also receive alerts when they have a new message waiting for them on the website.

        Hmm.... Anyone got 52,000 spare gmail invites?

  • At least it works (Score:5, Interesting)

    by CaymanIslandCarpedie ( 868408 ) on Friday July 15, 2005 @09:19AM (#13072677) Journal
    Not going to discuss pros/cons of these systems, but at least the do help. Two days ago I got one of those PayPal phishing emails in my hotmail account and hotmail had a big banner on top saying the sender's ID couldn't be verified. This could be a great help to users silly enough to fall for these attacks (assuming they actually pay attention to the warnings).
    • by _LORAX_ ( 4790 )
      Not really. Once people start seeing that every mail from everyone they know excpet those on hotmail get a warning it will cease to be effective.

      False positives are WORSE than false nevatives.
    • by slavemowgli ( 585321 ) on Friday July 15, 2005 @09:47AM (#13072987) Homepage
      And? What would prevent a spammer or phisher from creating the necessary setup to pass verification? Things like SPF and Sender-ID are good for stopping (or at least warning about) mail that some spam clown sent with a forged From: address (which can be highly annoying if the forged address is in one of *your* domains), but it won't do a thing about, say, email that comes from, say, "support@paypa1.com" or so.

      Besides, if you want to warn users about phishing, you don't even need any of these tricks. GMail, for example, warns me with a big red banner when it thinks that an email may be a phishing attempt, and so far, it's always been right - no false positives, no false negatives, even without any technical trick that depend on the honesty of the sender (which both SPF and Sender-ID ultimately do, in that they allow malicious senders to set up systems so that tests are passed for spam and phishing mails and the like).

      I only wish their spam filter would be as effective... :)
      • Besides, if you want to warn users about phishing, you don't even need any of these tricks. GMail, for example, warns me with a big red banner when it thinks that an email may be a phishing attempt

        What makes you think Google isn't using SPF and Sender-ID for those banners? And dunno what you mean "no false negatives". I've seen quite a few fishing attempts on my gmail account that had no banner.

        All the SPF and Sender-ID critics continuously point out that SPF and Sender-ID only have the features they wer

      • Re:At least it works (Score:3, Interesting)

        by Shadowlore ( 10860 )
        If ebay/paypal published SPF records indicating what servers send valid email for ebay/paypal, and your server checks those, how can a spammer set up a ligitiamte system to bypass that system? They can't.

        The only way is to:
        * alter ebay/paypal DNS records by some means
        * spoof the IP address.

        Gmail may well have a very large database of valid email from ebay/paypl and perhaps others, or may be implementing their own version of SPF that doesn't rely on the domains to publish SPF records. They may, for exa
    • With so much money apparently out there to be made, slimy spammers will turn to using discardable domains with valid domain sender and MX records.

      They don't have to change machines, either. Just reconfigure the virtual hostname and DNS info, and they're ready to spam.

      If I were into that kind of thing, here's what I'd do: write a script to set up a virtual domain with a DNS server, sendmail, and some firewall rules. Buy a list of domains, acquire a few zombies for mail proxy, and "4. Profit!". You coul
  • by moz25 ( 262020 ) on Friday July 15, 2005 @09:19AM (#13072678) Homepage
    It seems that one constant problem with fighting spam is that sometimes the ones who are fighting the spam are doing more damage than the spammers themselves...
    • It seems that one constant problem with fighting spam is that sometimes the ones who are fighting the spam are doing more damage than the spammers themselves...

      I don't get a lot of spam on my Yahoo account. Unless of course you count Yahoo's approved spam. I have reported several emails from various big companies that I get. Fox Home Entertainment being one of them. The only thing I can figure is that Yahoo has some kind of deal with companies to allow them to spam their users.

  • Heh (Score:5, Interesting)

    by aftk2 ( 556992 ) on Friday July 15, 2005 @09:19AM (#13072680) Homepage Journal
    Perhaps this is Microsoft attempting to leverage (yes, I used it correctly!) what they perceive to be as their market dominance to hold users' feet to the fire. Basically, "We've got a lot of users. If you want to communicate with any of them, you're going to need to play by our rules."

    Note: I'm not commenting on Sender ID, whether its technically sound, etc... I haven't really been following this. I just think its interesting that Microsoft tries its old tricks in industries where it doesn't necessarily have the clout to do so, at least with as much success.
    • Re:Heh (Score:5, Insightful)

      by hal9000(jr) ( 316943 ) on Friday July 15, 2005 @09:39AM (#13072891)
      It's not just Microsoft's old tricks. Many 800 lb. gorillas (Cisco, IBM, Intel) have done the same with more or less success. Most of the time, wrangling is done in working groups where vendors start deploying products based on early standard drafts, which commits them to lock-in, which then motivates them to fight for thier methods regardless of technical requirements. Besides, market dominant driven standardization is not always a bad thing. The anti-spam market is so fragmented that having a Microsoft force a decision may actually move a resolution.
      • Mod parent up. This guy's got a good point.

        As far as I'm concerned the "anti-spam" market has been fairly lacklustre for the past ten years. The only real innovation I've seen is in-computer solutions: The best yet (I've seen) is OS X's "Mail.app" filter, and Microsoft's Entourage comes in a close second.

        It would be so nice to have spam blocked server-side, but for finding a solution to that it seems that everyone's following everyone else around in circles these days. If one giant on the same level with
      • by gclef ( 96311 )
        The problem come when the "industry standard" can't be implemented by OSS folks due to patent restrictions. The IETF draft for the combined SPF/Sender-ID system fell apart last year because MS's lawyers would not release their patents on the system in a way that allowed Open Source folks to implement it.

        Market-based standardization is fine when no one's trying to patent the standard. Otherwise, it's a mess.
  • Bad news (Score:4, Insightful)

    by mfloy ( 899187 ) on Friday July 15, 2005 @09:20AM (#13072685) Homepage
    This has bad news written all over it. These companies are going to try and use their size to push their technologies on everyone else. This will result in systems that are beneficial for Yahoo and Microsoft, but that don't adress the needs of everyone else. If something like this is done, it should be done internationally by a group of companies and individuals from a variety of backgrounds.
    • Re:Bad news (Score:2, Insightful)

      by kryptx ( 894550 )
      Of course, but something like this "should" have been done ten years ago. Spam is nothing new.

      I, for one, am glad that somebody seems to be trying to do something about spam other than blacklisting, whitelisting (a la TDMA), or bayesian filtering. I couldn't care less if it's Microsoft, as long as 1) everyone can use it, and 2) it works.
      • Re:Bad news (Score:2, Interesting)

        by PeterBrett ( 780946 )

        I couldn't care less if it's Microsoft, as long as 1) everyone can use it, and 2) it works.

        ROFL.

        1. Not everyone can use it. Microsoft's supposedly "Reasonable and Non-Discriminatory" patent licensing for Sender-ID is nothing of the sort, and makes free software implementations impossible.
        2. It works... for a given value of "working". Whoo-hoo, now spammers need to set up a Sender-ID record for [423.sdlfk2_133dsk.net], [419.sdlfk3_175dsk.net] and [12.dngls4_983duy.net]! Wait until the domain gets black
  • by Anonymous Coward
    To delete all messages without a valid SenderID is not quite the same as to mark non valid SenderId messages as spam
  • by hsmith ( 818216 ) on Friday July 15, 2005 @09:21AM (#13072694)
    is all the major companies sit down and design a new email system. the current email system is like a sinking boat they are trying to patch and prevent it from reaching the bottom. now, everyone is going their own seperate way (MS, Yahoo), where there will be no standard. the whole system needs to be scraped and rebuilt from the ground up taking into consideration spam, which was never present when the system was designed.
  • Naaah... (Score:4, Funny)

    by TripMaster Monkey ( 862126 ) * on Friday July 15, 2005 @09:21AM (#13072695)

    Never happen...Microsoft would never abuse their market domainance to foist an inferior product upon the industry...

    Oh wait...
  • by CdBee ( 742846 ) on Friday July 15, 2005 @09:22AM (#13072702)
    To be honest I vastly prefer the Gmail approach of having relatively smart spam analysis than a whitelist approach based on authentication.

    Think of all the people out there who don't have their own mail server but have SMTP/POP access to a hosting company's machine. A change in the core protocols for email would adversely affect most of them, as even if they all had the knowledge to make the changes, they may not have the ability.

    Add to this the possibility that a requirement for SenderID will just result in spammers mounting directory attacks against SMTP servers in order to find logins that work..

    All this will really cause is a migration away from hotmail !
    • I agree. Although whitelists are good, they tend to become annoying, much more so than receiving spam. Gmail manages to block about 200 emails of spam per day for me, and lets in maybe 4 or 5.

      At least for a while, the SenderID system will end up blocking too many valid emails and will irritate users. I suppose after it's been around for a year or so and they have a decent system and database for the whitelist, the system will see the results that Microsoft wants.

      Hotmail sucks anyway...Gmail is far sup
    • by scovetta ( 632629 ) on Friday July 15, 2005 @09:31AM (#13072794) Homepage
      I disagree. No matter how good the spam filter is, it always misses a few. False negatives are annoying, but false positives mean that you have to scan your 600+ spam e-mails per day to see if it missed any. A non-perfect spam filter is just a fancy inbox sorter.

      I don't think whitelisting is the way to go either, though, for obvious reasons.

      I have a dedicated server with a dozen or so domains on it. I'm forced to send mail through my personal ISP because mail coming FROM my domain gets marked as spam by most large ISPs (no, I don't spam, nor is my IP on a specific spammer blacklist). So if I decide to start spamming from my dedicated server, no one will get it (unless I route it through another ISP, in which case now it's their job to check).
      • I can only go by my own experience, but I used a fastmail [fastmail.fm] IMAPO account to upload 3 years of email from the inbox on my PC to the IMAP web server, then from the server used redirect to send it all to gmail

        Of about 2,500 messages moved this way into my gmail account (as a backup and to make them searchable), only 1 was spam-canned. I make that an accuracy rate of 99.6%. The 30 or so spam mails I got during the month in which I did this were all correctly moved to the spam-can

        That sort of accuracy rate
    • by Phrack ( 9361 ) on Friday July 15, 2005 @09:33AM (#13072813)
      SpamAssassin reduces my spam by 98%. That's just one example of filters... the point being that the more filters deployed out there (at ISP's, companies, etc), the more spam gets auto-tossed into the bit-bucket, and the less economically viable it is. Simply starve the market, requiring no protocol changes.
      • I'm still looking for something that will stop the Nigerian 419 scam style messages. I get several a day. Thuderbird under Windows doesn't flag it as junk. So much for its Bayesian filters. What will work with Thunderbird and POP3?
        • Every time you get one scam message flag it as junk - after a while Thunderbird will learn to recongnize it as such.

          I.e. you need to train the spam filter in Thunderbord - after som time it will get better.

          Well, unless you have - by mistake - told it to not learn from messages flagged as spam ?
  • by coolnicks ( 865625 ) on Friday July 15, 2005 @09:22AM (#13072704)
    There is also Sender Policy Framework (http://spf.pobox.com/ [pobox.com]), this is very simular to SenderID but it has the majour advantage that its open source, agreed microsoft is trying to push SenderID down everybodys throats, I myself publish SPF on a number of domains and it does a good job. The more people that use SPF the more power it will have over SenderID.
    • by jaredmauch ( 633928 ) <jared@puck.nether.net> on Friday July 15, 2005 @09:36AM (#13072855) Homepage
      SPF helps with virii and phishing. eg: someone connecting saying they're billyg@msft.net from a dsl line in bellsouth land. If i'm evilspammer@example.com, I can just publish my SPF records in the same way you do, as long as i send from example.com's authorized SPF records it'll be good.

      You're just saying that it's a valid domain-name, but as soon as someones dns servers or smtp servers are rooted, you'll have spam again. The good thing is it'll help let legit people you do business with (eg: your Bank, CC company) say that a message was authorized by them, or at least by the SPF rules.

    • Except that the Forbes article says that "... a Sender Policy Framework (SPF) record, which is covered under Microsoft's SenderID framework. "

      Does this now mean that SenderID includes SPF? Or is Forbes confused?

      Anyway, it doesn't get around the fact that SPF generates false positives, according to the article.
      • Does this now mean that SenderID includes SPF?

        Yes. If you're publishing SPF records, you're already publishing records that are accepted as valid by any conforming SenderID processor.

    • I disagree with the false positives statement, I run web and email hosting and cant recall seeing any false positives.

      Agreed SPF does a better job at fighting fraud and viri, but it does have a go against spam. A very high amount of spam is from fake or randomly picked real domains, now when all these real domains publish SPF nobody can send spam form them anymore, combine this with checking for existent domains and the only option left is for the spammers to root servers as you said or buy their own dom
    • I don't know if it's really made a difference or not, but since I started publishing an SPF record for my domain I seem to receive far far fewer bounced messages where somebody else has sent to a wrong address with my address in the from field. That's exactly what SPF is supposed to do, so I'm happy. Or maybe it's just a coincidence.
  • With several gmail accounts, I never have trouble managing spam. I don't reply to suspicious e-mails, and if I do, I am sure not to use the return e-mail address of my primary account. I keep an account for things like ebay, rentacoder, guru.com, etc., and a seperate account for personal e-mail. I have been doing this for over a year and I have only received six spam messages, and those were in the secondary account. I don't see why AOL couldn't encourage their users to do this. Isn't this why we have multi
  • by Alex P Keaton in da ( 882660 ) on Friday July 15, 2005 @09:27AM (#13072753) Homepage
    One of the main problems with this, in my OPINION, is that corporations can't keep up with individuals. It is sort of like how Geurrilas, from the time of the US colonies to Vietnam, have been able to put a hurting on huge armies.
    Corporations aren't as light on their feet as spammers and internet miscreants (for the most part- I know I am speaking in generalities).
    It takes many meetings over years it seems (Meetings- None of us is as dumb as all of us...) to come up with a new policy or system regarding spam etc.- commitees are formed, proposals made etc. Then, someone (or group) without meetings, without authorizations, comes up with a way around the new system.
    As has been said a zillion times before on here, by people more intelligent than I- the only way to stop Spam is to make it not pay, by having no one respond to it. It is like Drugs or Prostitution- if there were no client base, there would be no sellers....
    • I think you have the right analogy and the wrong conclusion. What it is -- it's easier to be destructive and nihilistic than to be careful and responsible. Spammers aren't smarter than the guys who developed mail protocols, they simply don't have to care about negative consequences of their actions.

      Incidentally -- Sky Dayton's CTO is named Tripp Cox? WTF? I grew up in Connecticut and went to Yale and I've never actually met people with names like that.

    • Except that drug dealers and prostitutes actually supply something:-)
      I really don't understand how anyone buys anything from spammers. How many people have the unique lack of critical thinking skills and lack of erections to support all these spammers?
  • How about fixing your crappy OS security model and the crappierst of Mailers on the Planet, Outlook?

    I have a month-old business, personal-handout-only E-Mail address, and allready spam is rolling in. It's because my business partners all use Outlook, which is near by default riddled with Spambots, Contact-grabbers and whatnot because of this shitpile of software those f*ckers over at redmond farted onto their harddisks.

    MSses bullshitting policy couldn't care me less as long as they don't bug me with their
    • I have a month-old business, personal-handout-only E-Mail address, and allready spam is rolling in.

      Why should you be any different? I have an address that has never been published, has never sent an email, and was only established because the DSL "required" it. It had spam in it the first time I checked the mailbox!

    • there are several ways the a spammer can get your email address, some of them are:
      • Harvesting them off of the internet. Any publicly available page with a mailto eventually will get processed.
      • Buying from other spammers. I always know that spam will spike when I start seeing the "buy a million email addresses for $xxx." emails.
      • Just guessing. Most domains have 'typical' email address, spammers will often create bots which will 'guess' at common email addresses. Sure most will just bounce, but what do th
  • I wonder if despite the shortcomings of the systems, the cure to spam may indeed require a heavyweight like Microsoft strongarming everyone into using their anti-spam system. Much as I hate to say it, MS may be doing exactly what needs to be done to deal with the spam problem.
    • Have you actually looked at the SenderID standard? It suffers the same shortcomings as SPF. It won't stop spam, but it will allow Microsoft, because they refuse to make the licensing compatible with open source, to control a very large chunk of the Internet. I'm all for killing spam, but I'm completely against letting MS, a convicted monopolist, take over email.

      Beyond that SenderID, SPF, domain keys and so on are nothing more than kludges to SMTP, a protocol simply not designed with spam in mind. As muc

  • Maybe you could actually edit. I can't expect every submitter to know how to use an apostrophe, but you'd have though the actual editor of a news website would have a bit of a clue.

    I know, I know.

  • What About (Score:3, Insightful)

    by Noodlord ( 877951 ) on Friday July 15, 2005 @09:37AM (#13072868)
    PGP key's? I thought people knew about and used these. With a pgp key, it is signed with an encrypted hash, and you have the option of encrypting the message along side it. Once this is done, you know an email is coming from a valid user because it contains their key. These are already used in workplaces around the world. Why implement a new system when one already exists? Not only does one exist it is more or less and open standard. Yeesh! I wish people would actually stop rebuilding the wheel in the software industry.
    • You are comparing apples with oranges. PGP signs the message, not the envelope. It is not very useful for mail servers - it is aimed at sender and recipient. The following quote (from Yahoo) regarding S/MIME applies to PGP as well:

      S/MIME was developed for user-to-user message signing and encryption and by design should be independent of the sending and receiving servers. We believe that DomainKeys should be a natural server-to-server complement to S/MIME and not a replacement. Additionally, since S/MIME

    • Especialy if you don't care about security.
      You don't have my key. If you get a signed message purporting from me, you have no way of telling if that was actually my key. You need an easy way of finding out my key. Also, srhawrtrdh12532@hotmail.com has to be somehow be prevented from getting a valid key on the grounds that he doesn't exist. (Yes. I know; keyservers and web of trust and so on and so forth. I think you'll find that incredibly few people use PGP properly. Very few get anyone to sign their key.
  • Whether or not senderid is worth anything depends on whether or not its used by everyone. Sure, it'll put a big spam banner at the top of a lot of phishing messages. But, what about legit messages from banks, friends, and government agencies who aren't using senderid?

    For something like this to work, its needs to be widely accepted. MS has been able to illegally use its monopoly in the past to get its way with the industry, but you'd think by now they wuold have figured out that they don't have a monopol
    • But, what about legit messages from banks, friends, and government agencies who aren't using senderid?

      By definition, a valid Sender Policy Framework [pobox.com] record is a valid SenderID record. Banks and government agencies control their own domains and can easily add the TXT records that SPF uses. Friends on dial-up can switch. Yes, it would hurt friends on broadband, who generally can't switch away from the monopoly or the duopoly and would have to find a webmail provider that has SPF.

  • by Monoman ( 8745 )
    90% of Hotmail IS probably spam. I admin about 3,000 email users and our spam percentage is more like 50%.

    Anyone else got stats?
  • by aardwolf64 ( 160070 ) on Friday July 15, 2005 @09:42AM (#13072920) Homepage
    Lets see... If we write a tool that immediately filters 100% of all e-mail, we can claim that our "Spam filtering tool" gets 100% of Spam with only a 10% false positive rate. Excellent!!!
  • So its now 90% of all email, but what % of all internet traffic is email and ad popups/banners?
  • I currently do not email anyone who has a hotmail account, so let hotmail go isolate themselves.

    With Yahoo & Cisco proposing an alternative to Microsoft's suggestion for a standard there wil at least be some fighting over which design (if either) becomes a standard. Without the competition, the odds are that one might win by default. (Unfortunately.)

    My mail servers do have SPF records and when I get a chance, I'm going to setup SPF record checking for incoming email, although initially I'm going to on
  • by FriendlyLurker ( 50431 ) on Friday July 15, 2005 @09:46AM (#13072974)

    I have used Hotmail for years for communication with "untrusted" sources. In the last 3 months I was forced, regretfully, to let the account die... Hotmail-Microsoft had begun to allow "legal" spam through to the hotmail account. Week after week, the same spam messages over and again was forcing me to check the account. Marking the emails as spam had no effect, I would get the exact same message the next day-week-month, same email address and all.

    I complained, and was told I could use filters for those un-markable spam items. Yeah, right.

    Advantages to MS for letting "authorized" spam through
    - They get paid, probably very well, to send spam to all hotmail accounts.
    - They increase page impressions and advertising revenue forcing hotmail users to check the site when notified of waiting emails.

    A Great Idea(TM), something an Accountant more than likely worked out, looks oh-so-great on paper, congratulations.

    What they cannot measure is how pissed off I got, and in the end abandoned their system permanently, advising all clients, friends, relatives to use another service for their web based email address. (I have had no such problems of ausorized spam with Yahoo/Gmail... yet).

    My conclusion, MS does not give a rats arse about how much spam we are forced to look at... they just want to be on the spam generated profit gravy train via "legalized" spam, and don't want freeloaders competing with them to deliver it.

    Kalori.

    -
    No sig. is a good sig.
  • Seriously, why is this a problem? At home I have a FreeBSD box that runs mail through scanners and figures out what's what. Works like this:

    incoming:25 -> Postgrey (greylisting) -> MailScanner -> ClamAV -> Spamassassin (with DCC, razor checks) -> DSPAM -> Postfix -> users_mailbox

    All ClamAV definitions are updated via cron by Freshclam, all Spamassasin rules are updated via Rules_du_jour daily. Using this I get just about zero spam, with a VERY rare occurance of realy mail being lab
    • I agree. I use a three tier system.

      Tier one redirects any known spammers to OpenBSD's spamd tar-pit tying up their connection for about 10 minutes while they are sent the reply very slowly. Known spammers are hosts on well known block lists and IPs that have sent me spam before. These lists are updated daily.

      Tier 2 checks a real-time block list and bounces any email that matches one of these. This is not quite as good at tier one, since it doesn't waste as much of the spammer's time.

      Tier 3 pipe

  • Greylisting (Score:5, Interesting)

    by Sanity ( 1431 ) * on Friday July 15, 2005 @09:47AM (#13072986) Homepage Journal
    If you run a mail server, and you aren't greylisting [greylisting.org], then you need to be.

    Its a simple idea whereby your server exploits the fact that most mail servers obey the SMTP standard, while most spam sending software does not, to only accept mail from servers which behave properly. Plugins are available for most popular mail server software.

    I implemented this about 6 weeks ago and noticed a dramatic and immediate reduction in spam, perhaps better than any other single anti-spam measure.

    • My mailhost recently implemented greylisting and it's fantastic. I now get NO real spam (there's still noise from legitimate lists I haven't unsubscribed from of course, but that's my fault). The only downside of greylisting that I can see is that real mail can be delayed a while, up to a few hours. This can mean that conversations between groups of people can arrive out of order, but that's a small price to pay IMHO.

      Add in auto-whitelisting (that adds anyone you send mail to into a 1-week whitelist) at th
      • The only downside of greylisting that I can see is that real mail can be delayed a while, up to a few hours.
        As I understand it, mail can be delayed for up to 10 minutes if it is coming from a mail server your server hasn't seen before. Are you sure your mail can be delayed for so long?
        • The delay is a setting on the mail server attempting to send mail - it can wait potentially a long time before trying again.

          Or, if it is a spammer they might try again later in 5 seconds...
    • This works for now. However when everyone moves to it, it won't help at all. It is trivial for spammers to get around this - follow the standard. They don't bother now because most of their mail isn't being stopped by this trick. When it starts stopping a lot of email they will just implement that part of the standard and greylisting will become useless.

    • How is that a good solution? What about setups (such as mine) that depend on timely email delivery to a lot of people. This will not work for me. Although with SA, ClamAV and a bunch of blacklists, I get very little spam as it is.
  • by merc ( 115854 )
    Yahoo!: Announcing: Domain Keys!
    Microsoft: Announcing: SenderID!

    (some time later)

    Yahoo!: Presenting: Domain Keys Identified Mgmt!
    Cisco: Presenting: IIM!
    Microsoft: Um, hey lookie... SenderID!
  • by Nijika ( 525558 ) on Friday July 15, 2005 @09:52AM (#13073045) Homepage Journal
    I've always considered Hotmail a bit of a UCE enabler anyway.
  • by Ckwop ( 707653 ) * on Friday July 15, 2005 @10:00AM (#13073115) Homepage

    No single technology will bring spam under control. It's going to take a blend of technologies, namely:

    1. Spam filtering.
    1. Preventing forged headers.
    1. Making e-mail sending computationally expensive.

    The first campaign, spam filtering, has worked with resonable success. Spammers now have to send a lot more e-mail in order to reach their customer base. Of course, e-mail is cheap to send so this hasn't changed the economics of the situation dramatically and army of slave machines that they've hacked make getting a lot of CPU power fairly straight-forward.

    The second campaign on which we are embarking is designed to reduce this army. How effective this will be only time will tell. The principle is concern is about throw-away domains be a problem.

    If I set up a domain and tell the SPF address to allow any machine on the internet to send mail then i've totally destroyed the value of SPF. However, it's value in controlling pishing should not be underestimated.

    The final campaign in my list it the nuclear option: Using CPU time to create digital stamps. The idea behind this is to take the hash of your e-mail (complete with subject, addresses etc.) then brute force a collision of the last 20 bits of the hash. For the normal user, this wont cause a noticeable slow down, for a spammer it will probably destroy their business model.

    The drone armies will be cut down to size. Rather than sending a couple of hundred messages per second they may be able to manage one or two. The CPU load on a drone would be so high as to make the PC unusable and the users of these hacked machines would have to start taking notice: they will have to get their machines fixed. If spammers wanted to send messages directly they would now need supercomputers.

    There are disadvantages to the above approach. Mobile devices would take a long time to mint a stamp. This can be combated by setting special rules for the SMTP servers that forward messages from mobile devices.

    The same problems also exist for third-world countries where they might be running significantly slower machines. However, even if it took 15 seconds to send an e-mail, I think that's an acceptable price to pay for the service.

    Overall, I think the real answer lies in the combination of these three schemes. I believe there is a "critial point" in the fight against spam. Once you start to tip the spammers from profit to loss we will start to see huge reductions in spam. The only way to achieve this is to put the cost on the spamer. Electronic stamps are the way to do this.

    Simon

  • by ChadL ( 880878 ) on Friday July 15, 2005 @10:03AM (#13073142) Homepage
    I was getting about 40 spam messages a day, before I implemented my new anti-spam e-mail server. Now I get about one or two... but SenderID only blocks about two messages a week. Much more effective are my set of 5 Blacklists, a URL Blacklist, and some simple rules. SenderID can stop fake from addresses, but the people sending the messages will just use servers that do not have SPF entry's, as all the servers will never implement it.
  • From the hashcash.org site [hashcash.org]:

    "Hashcash is a denial-of-service counter measure tool. Its main current use is to help hashcash users avoid losing email due to content based and blacklist based anti-spam systems. A hashcash stamp constitutes a proof-of-work which takes a parameterizable amount of work to compute for the sender. The recipient can verify received hashcash stamps efficiently."

    Basically, you make it where the sender needs to spend a non-negligible amount of computational power to send a message

    • by Alioth ( 221270 ) <no@spam> on Friday July 15, 2005 @10:17AM (#13073266) Journal
      The trouble is many spammers are now using networks (say, 50,000 or more) of pwned Windows zombies. They are doing it on a huge distributed network - they don't care if calculating a hash slows them down. If each zombie only sends 100 emails per day, that's 5 million spam emails sent. You'd have to have an insanely long calculation time to make a dent on a zombie network.
  • Even though I classify every email from Hotmail itself as junk, they still kept getting into my Inbox instead of the Spam folder.
  • CEO@Clarion.com to BillyGates@hotmail.com -- So have u figured out how to integrate Gator into Longhorn yet...

    Message delivery failed due to invalid SenderID record...
  • Microsoft claims that 90% of email on the internet is spam. So from now on, 90% of all mail received will be automatically deleted. Thank you.
  • . . . why not just create a "Windows license" so you can only install & use Windows after you prove you're not going to leave it wide-open to spammers?

    Wouldn't be too hard. A few questions like:

    • What's a firewall?
    • What's an anti-virus?
    • What browser do you use?
    • Should you open this attachment?
    • Should you download this software?

    . . . would weed out almost every user who, metaphorically, throws his computer open and yells "Free bandwidth, get it while it's hot!" to the spammers. Without a huge globa

  • by Animats ( 122034 ) on Friday July 15, 2005 @11:22AM (#13074082) Homepage
    Right now, most zombie machines send using some arbitrary identity. Most of them are just proxies or forwarders, not mail generators. The way the spam industry works is that you rent some zombies at SpecialHam [specialham.com], get a "bulletproof mail server" from Black Box Hosting [blackboxhosting.com] in China, install Dark Mailer [dark-mailer.com], and go. Dark Mailer runs on the "bulletproof mail server" and generates the messages, which are sent via your rented proxy farm.

    If sender ID goes in, the software that takes over a target machine will just have to use the normal sending identity for that machine, or, more simply, transmit it back to the bulk mailer so the mailer can construct the outgoing messages accordingly.

    MX Logic reports that, as of March, 9% of spam already has valid SPF markings, and 0.83% have valid Sender ID markings. [mxlogic.com] So the technology to bypass SPF and Sender ID is already deployed.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...