Microsoft and Yahoo! Fight Spam - Sort Of 344
kyndig writes "In a Forbes article, Microsoft claims that 90% of email on the internet is spam. To fight this, Yahoo! has teamed with Cisco in developing DKIM, a signature based email authentication. Not to be outdone, Microsoft is proposing SenderID, which examines an email to see if it is coming from an authorized server. Earthlink's chief technology officer, Tripp Cox, goes on to examine the pro's and con's of each specification and provides practical application results." From the article: "Critics have accused Microsoft forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systems do not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."
Let MS do it... (Score:2, Interesting)
Re:Let MS do it... (Score:2, Insightful)
Comment removed (Score:5, Informative)
Re:Let MS do it... (Score:4, Insightful)
If they can muscle thier SenderID onto enough servers out there than less email becomes spam, then SenderID is free to be a gateway for other proprietary garbage that MS may decided to bundle with it. Microsoft has had its overwhelming failures at times, but it also has a record of 'forcing' their way onto enough of the market to make an impact for better or worse. That's just my take on it; it's not what it will do, but what it will allow to happen in the future (should it catch on)
SPF isn't proprietary (Score:2)
If they can muscle thier SenderID onto enough servers out there than less email becomes spam, then SenderID is free to be a gateway for other proprietary garbage that MS may decided to bundle with it.
SenderID is an extension of SPF, which is not proprietary. A valid SPF record will be picked up by any conforming SenderID processor as a SenderID record. I'm just worried about those people who use an ISP's mail server where the ISP lacks enough clue to use SPF.
Re:SPF isn't proprietary (Score:2)
The proprietary (purportedly patent-encumbered) SenderID abuses non-proproprietary SPF records, meaning that SenderID is an extension to SPF in the abusive "embrace, extend, and extinguish" sense.
I would word that as: "Conforming MS-senderid processes will not only misinterpret valid SPF records, but they will use those misinterpreted results in a
Re:Let MS do it... (Score:3, Interesting)
It won't only hurt MS.
Non receipt of email can hurt businesses not remotely connected with MS.
For example, I run a website with around 52,000 members. Each member has opted to join a mailing list, and they also receive alerts when they have a new message waiting for them on the website.
My own stats show that there are a significant number of users that will not return unless they receive a message telling them they have a new message on the website.
When back on the website their interest for the s
Re:Let MS do it... (Score:2)
Hmm.... Anyone got 52,000 spare gmail invites?
Re:Let MS do it... (Score:3, Informative)
Re:Let MS do it... (Score:2)
Re:Let MS do it... (Score:5, Informative)
Jabber [jabber.org] anyone? [wikipedia.org]
Re:Let MS do it... (Score:2)
And of course unless you force people to use your (non-Free) client, it's very costly for the service provider.
Re:Let MS do it... (Score:2)
Actually, what we need is a messaging protocol that isn't tied to some website.
Is Jabber tied to jabber.org?
Re:Let MS do it... (Score:2)
Re:Let MS do it... (Score:2, Informative)
Re: (Score:2, Informative)
At least it works (Score:5, Interesting)
Re:At least it works (Score:3, Insightful)
False positives are WORSE than false nevatives.
Re:At least it works (Score:4, Insightful)
Besides, if you want to warn users about phishing, you don't even need any of these tricks. GMail, for example, warns me with a big red banner when it thinks that an email may be a phishing attempt, and so far, it's always been right - no false positives, no false negatives, even without any technical trick that depend on the honesty of the sender (which both SPF and Sender-ID ultimately do, in that they allow malicious senders to set up systems so that tests are passed for spam and phishing mails and the like).
I only wish their spam filter would be as effective...
Re:At least it works (Score:3, Insightful)
What makes you think Google isn't using SPF and Sender-ID for those banners? And dunno what you mean "no false negatives". I've seen quite a few fishing attempts on my gmail account that had no banner.
All the SPF and Sender-ID critics continuously point out that SPF and Sender-ID only have the features they wer
Re:At least it works (Score:3, Interesting)
The only way is to:
* alter ebay/paypal DNS records by some means
* spoof the IP address.
Gmail may well have a very large database of valid email from ebay/paypl and perhaps others, or may be implementing their own version of SPF that doesn't rely on the domains to publish SPF records. They may, for exa
It works, if it does, only for the moment. (Score:2)
They don't have to change machines, either. Just reconfigure the virtual hostname and DNS info, and they're ready to spam.
If I were into that kind of thing, here's what I'd do: write a script to set up a virtual domain with a DNS server, sendmail, and some firewall rules. Buy a list of domains, acquire a few zombies for mail proxy, and "4. Profit!". You coul
Re:At least it works (Score:2)
All they'll be doing is removing the functionality of their bulk mail detector.
Problem with fighting spam... (Score:5, Interesting)
Re:Problem with fighting spam... (Score:2)
I don't get a lot of spam on my Yahoo account. Unless of course you count Yahoo's approved spam. I have reported several emails from various big companies that I get. Fox Home Entertainment being one of them. The only thing I can figure is that Yahoo has some kind of deal with companies to allow them to spam their users.
Heh (Score:5, Interesting)
Note: I'm not commenting on Sender ID, whether its technically sound, etc... I haven't really been following this. I just think its interesting that Microsoft tries its old tricks in industries where it doesn't necessarily have the clout to do so, at least with as much success.
Re:Heh (Score:5, Insightful)
Re:Heh (Score:2)
As far as I'm concerned the "anti-spam" market has been fairly lacklustre for the past ten years. The only real innovation I've seen is in-computer solutions: The best yet (I've seen) is OS X's "Mail.app" filter, and Microsoft's Entourage comes in a close second.
It would be so nice to have spam blocked server-side, but for finding a solution to that it seems that everyone's following everyone else around in circles these days. If one giant on the same level with
Re:Heh (Score:2)
Market-based standardization is fine when no one's trying to patent the standard. Otherwise, it's a mess.
Bad news (Score:4, Insightful)
Re:Bad news (Score:2, Insightful)
I, for one, am glad that somebody seems to be trying to do something about spam other than blacklisting, whitelisting (a la TDMA), or bayesian filtering. I couldn't care less if it's Microsoft, as long as 1) everyone can use it, and 2) it works.
Re:Bad news (Score:2, Interesting)
ROFL.
delete all messages without a valid SenderID (Score:2, Informative)
what should be done (Score:4, Insightful)
Naaah... (Score:4, Funny)
Never happen...Microsoft would never abuse their market domainance to foist an inferior product upon the industry...
Oh wait...
Re:ANSWER THE FUCKING QUESTION FUNNY MAN (Score:3, Insightful)
"Why should a company not use it's marketshare to leverage it's products?"
Your basic premise is fine... that in general companies should be able to use their marketshare as a selling point. The problem is that in Market economies Monopolies develop (either "naturally" because they are the best, or through illegal practices).
In our economy once a company or product reaches the state of "Monopoly" there are certain rules that they must play by in order to allow natural market forces to cont
All things considered, not a good thing (Score:4, Interesting)
Think of all the people out there who don't have their own mail server but have SMTP/POP access to a hosting company's machine. A change in the core protocols for email would adversely affect most of them, as even if they all had the knowledge to make the changes, they may not have the ability.
Add to this the possibility that a requirement for SenderID will just result in spammers mounting directory attacks against SMTP servers in order to find logins that work..
All this will really cause is a migration away from hotmail !
Re:All things considered, not a good thing (Score:2, Interesting)
At least for a while, the SenderID system will end up blocking too many valid emails and will irritate users. I suppose after it's been around for a year or so and they have a decent system and database for the whitelist, the system will see the results that Microsoft wants.
Hotmail sucks anyway...Gmail is far sup
Re:All things considered, not a good thing (Score:4, Interesting)
I don't think whitelisting is the way to go either, though, for obvious reasons.
I have a dedicated server with a dozen or so domains on it. I'm forced to send mail through my personal ISP because mail coming FROM my domain gets marked as spam by most large ISPs (no, I don't spam, nor is my IP on a specific spammer blacklist). So if I decide to start spamming from my dedicated server, no one will get it (unless I route it through another ISP, in which case now it's their job to check).
Re:All things considered, not a good thing (Score:2)
Of about 2,500 messages moved this way into my gmail account (as a backup and to make them searchable), only 1 was spam-canned. I make that an accuracy rate of 99.6%. The 30 or so spam mails I got during the month in which I did this were all correctly moved to the spam-can
That sort of accuracy rate
Re:All things considered, not a good thing (Score:4, Insightful)
Re:All things considered, not a good thing (Score:2)
Re:All things considered, not a good thing (Score:2)
I.e. you need to train the spam filter in Thunderbord - after som time it will get better.
Well, unless you have - by mistake - told it to not learn from messages flagged as spam ?
Re:All things considered, not a good thing (Score:2)
We have SpamAssassin implemented on our webmail servers and it's slowly but surely becoming less and less able to catch everything as the spammers try new tricks. D-Spam looks interesting though, apparently a properly trained D-Spam system will catch 99% of spam, but there's the issu
Sender Policy Framework (Score:4, Informative)
SPF doesn't prevent spam (Score:5, Interesting)
You're just saying that it's a valid domain-name, but as soon as someones dns servers or smtp servers are rooted, you'll have spam again. The good thing is it'll help let legit people you do business with (eg: your Bank, CC company) say that a message was authorized by them, or at least by the SPF rules.
Re:Sender Policy Framework (Score:3, Insightful)
Does this now mean that SenderID includes SPF? Or is Forbes confused?
Anyway, it doesn't get around the fact that SPF generates false positives, according to the article.
Re:Sender Policy Framework (Score:2, Informative)
Does this now mean that SenderID includes SPF?
Yes. If you're publishing SPF records, you're already publishing records that are accepted as valid by any conforming SenderID processor.
Re:Sender Policy Framework (Score:2, Informative)
Agreed SPF does a better job at fighting fraud and viri, but it does have a go against spam. A very high amount of spam is from fake or randomly picked real domains, now when all these real domains publish SPF nobody can send spam form them anymore, combine this with checking for existent domains and the only option left is for the spammers to root servers as you said or buy their own dom
Re:Sender Policy Framework (Score:2)
Multiple e-mail accounts and masking (Score:2, Insightful)
Re:Multiple e-mail accounts and masking (Score:2)
Anyone else have this?
The problem... Meetings (Score:5, Insightful)
Corporations aren't as light on their feet as spammers and internet miscreants (for the most part- I know I am speaking in generalities).
It takes many meetings over years it seems (Meetings- None of us is as dumb as all of us...) to come up with a new policy or system regarding spam etc.- commitees are formed, proposals made etc. Then, someone (or group) without meetings, without authorizations, comes up with a way around the new system.
As has been said a zillion times before on here, by people more intelligent than I- the only way to stop Spam is to make it not pay, by having no one respond to it. It is like Drugs or Prostitution- if there were no client base, there would be no sellers....
Re:The problem... Meetings (Score:3, Insightful)
Incidentally -- Sky Dayton's CTO is named Tripp Cox? WTF? I grew up in Connecticut and went to Yale and I've never actually met people with names like that.
Re:The problem... Meetings (Score:2)
Trip is a nickname for "The third"
Re:The problem... Meetings (Score:2, Insightful)
I really don't understand how anyone buys anything from spammers. How many people have the unique lack of critical thinking skills and lack of erections to support all these spammers?
This gets me really pissed! (Score:2)
I have a month-old business, personal-handout-only E-Mail address, and allready spam is rolling in. It's because my business partners all use Outlook, which is near by default riddled with Spambots, Contact-grabbers and whatnot because of this shitpile of software those f*ckers over at redmond farted onto their harddisks.
MSses bullshitting policy couldn't care me less as long as they don't bug me with their
Re:This gets me really pissed! (Score:2)
Why should you be any different? I have an address that has never been published, has never sent an email, and was only established because the DSL "required" it. It had spam in it the first time I checked the mailbox!
Re:This gets me really pissed! (Score:2)
No pain, no gain? (Score:2)
Re:No pain, no gain? (Score:2)
Beyond that SenderID, SPF, domain keys and so on are nothing more than kludges to SMTP, a protocol simply not designed with spam in mind. As muc
Editors.... (Score:2)
I know, I know.
Re:Editors.... (Score:2)
What About (Score:3, Insightful)
Re:What About (Score:2)
S/MIME was developed for user-to-user message signing and encryption and by design should be independent of the sending and receiving servers. We believe that DomainKeys should be a natural server-to-server complement to S/MIME and not a replacement. Additionally, since S/MIME
It's easy to create keys (Score:2)
You don't have my key. If you get a signed message purporting from me, you have no way of telling if that was actually my key. You need an easy way of finding out my key. Also, srhawrtrdh12532@hotmail.com has to be somehow be prevented from getting a valid key on the grounds that he doesn't exist. (Yes. I know; keyservers and web of trust and so on and so forth. I think you'll find that incredibly few people use PGP properly. Very few get anyone to sign their key.
SenderID works - badly (Score:2)
For something like this to work, its needs to be widely accepted. MS has been able to illegally use its monopoly in the past to get its way with the industry, but you'd think by now they wuold have figured out that they don't have a monopol
SPF works (Score:2)
But, what about legit messages from banks, friends, and government agencies who aren't using senderid?
By definition, a valid Sender Policy Framework [pobox.com] record is a valid SenderID record. Banks and government agencies control their own domains and can easily add the TXT records that SPF uses. Friends on dial-up can switch. Yes, it would hurt friends on broadband, who generally can't switch away from the monopoly or the duopoly and would have to find a webmail provider that has SPF.
90% ? (Score:2)
Anyone else got stats?
90% of messages spam (Score:5, Funny)
How much total traffic (Score:2)
I'm not sure I'm affected by HotMails decission... (Score:2, Interesting)
With Yahoo & Cisco proposing an alternative to Microsoft's suggestion for a standard there wil at least be some fighting over which design (if either) becomes a standard. Without the competition, the odds are that one might win by default. (Unfortunately.)
My mail servers do have SPF records and when I get a chance, I'm going to setup SPF record checking for incoming email, although initially I'm going to on
MS is just eliminating competition... (Score:4, Interesting)
I have used Hotmail for years for communication with "untrusted" sources. In the last 3 months I was forced, regretfully, to let the account die... Hotmail-Microsoft had begun to allow "legal" spam through to the hotmail account. Week after week, the same spam messages over and again was forcing me to check the account. Marking the emails as spam had no effect, I would get the exact same message the next day-week-month, same email address and all.
I complained, and was told I could use filters for those un-markable spam items. Yeah, right.
Advantages to MS for letting "authorized" spam through
- They get paid, probably very well, to send spam to all hotmail accounts.
- They increase page impressions and advertising revenue forcing hotmail users to check the site when notified of waiting emails.
A Great Idea(TM), something an Accountant more than likely worked out, looks oh-so-great on paper, congratulations.
What they cannot measure is how pissed off I got, and in the end abandoned their system permanently, advising all clients, friends, relatives to use another service for their web based email address. (I have had no such problems of ausorized spam with Yahoo/Gmail... yet).
My conclusion, MS does not give a rats arse about how much spam we are forced to look at... they just want to be on the spam generated profit gravy train via "legalized" spam, and don't want freeloaders competing with them to deliver it.
Kalori.
-
No sig. is a good sig.
Re: A blank check for Microsoft. (Score:2, Informative)
This article "A blank check for Microsoft" more or less confirms the changes to spam policy I have observed while using Hotmail over the past few months:
http://blogs.salon.com/0003364/stories/2005/02/01
Why is this a problem? (Score:2, Informative)
incoming:25 -> Postgrey (greylisting) -> MailScanner -> ClamAV -> Spamassassin (with DCC, razor checks) -> DSPAM -> Postfix -> users_mailbox
All ClamAV definitions are updated via cron by Freshclam, all Spamassasin rules are updated via Rules_du_jour daily. Using this I get just about zero spam, with a VERY rare occurance of realy mail being lab
Re:Why is this a problem? (Score:2)
Tier one redirects any known spammers to OpenBSD's spamd tar-pit tying up their connection for about 10 minutes while they are sent the reply very slowly. Known spammers are hosts on well known block lists and IPs that have sent me spam before. These lists are updated daily.
Tier 2 checks a real-time block list and bounces any email that matches one of these. This is not quite as good at tier one, since it doesn't waste as much of the spammer's time.
Tier 3 pipe
Greylisting (Score:5, Interesting)
Its a simple idea whereby your server exploits the fact that most mail servers obey the SMTP standard, while most spam sending software does not, to only accept mail from servers which behave properly. Plugins are available for most popular mail server software.
I implemented this about 6 weeks ago and noticed a dramatic and immediate reduction in spam, perhaps better than any other single anti-spam measure.
Re:Greylisting (Score:2)
Add in auto-whitelisting (that adds anyone you send mail to into a 1-week whitelist) at th
Re:Greylisting (Score:2)
Re:Greylisting (Score:2)
Or, if it is a spammer they might try again later in 5 seconds...
Only as long as few use it (Score:3, Insightful)
This works for now. However when everyone moves to it, it won't help at all. It is trivial for spammers to get around this - follow the standard. They don't bother now because most of their mail isn't being stopped by this trick. When it starts stopping a lot of email they will just implement that part of the standard and greylisting will become useless.
Auto rejecting all mail? (Score:2)
Industry announcements (Score:2, Insightful)
Microsoft: Announcing: SenderID!
(some time later)
Yahoo!: Presenting: Domain Keys Identified Mgmt!
Cisco: Presenting: IIM!
Microsoft: Um, hey lookie... SenderID!
Problem solves itself (Score:3, Funny)
No single technology.. (Score:5, Interesting)
No single technology will bring spam under control. It's going to take a blend of technologies, namely:
The first campaign, spam filtering, has worked with resonable success. Spammers now have to send a lot more e-mail in order to reach their customer base. Of course, e-mail is cheap to send so this hasn't changed the economics of the situation dramatically and army of slave machines that they've hacked make getting a lot of CPU power fairly straight-forward.
The second campaign on which we are embarking is designed to reduce this army. How effective this will be only time will tell. The principle is concern is about throw-away domains be a problem.
If I set up a domain and tell the SPF address to allow any machine on the internet to send mail then i've totally destroyed the value of SPF. However, it's value in controlling pishing should not be underestimated.
The final campaign in my list it the nuclear option: Using CPU time to create digital stamps. The idea behind this is to take the hash of your e-mail (complete with subject, addresses etc.) then brute force a collision of the last 20 bits of the hash. For the normal user, this wont cause a noticeable slow down, for a spammer it will probably destroy their business model.
The drone armies will be cut down to size. Rather than sending a couple of hundred messages per second they may be able to manage one or two. The CPU load on a drone would be so high as to make the PC unusable and the users of these hacked machines would have to start taking notice: they will have to get their machines fixed. If spammers wanted to send messages directly they would now need supercomputers.
There are disadvantages to the above approach. Mobile devices would take a long time to mint a stamp. This can be combated by setting special rules for the SMTP servers that forward messages from mobile devices.
The same problems also exist for third-world countries where they might be running significantly slower machines. However, even if it took 15 seconds to send an e-mail, I think that's an acceptable price to pay for the service.
Overall, I think the real answer lies in the combination of these three schemes. I believe there is a "critial point" in the fight against spam. Once you start to tip the spammers from profit to loss we will start to see huge reductions in spam. The only way to achieve this is to put the cost on the spamer. Electronic stamps are the way to do this.
Simon
SenderID does not help spam... too much (Score:3, Informative)
Hashcash for mail would be better (Score:2)
From the hashcash.org site [hashcash.org]:
"Hashcash is a denial-of-service counter measure tool. Its main current use is to help hashcash users avoid losing email due to content based and blacklist based anti-spam systems. A hashcash stamp constitutes a proof-of-work which takes a parameterizable amount of work to compute for the sender. The recipient can verify received hashcash stamps efficiently."
Basically, you make it where the sender needs to spend a non-negligible amount of computational power to send a message
Re:Hashcash for mail would be better (Score:5, Insightful)
Hotmail has No Spam Filter Whatsover... (Score:2, Interesting)
I can see it now! (Score:2)
Message delivery failed due to invalid SenderID record...
interesting. (Score:2)
Since most spam comes from zombie PCs (Score:2)
Wouldn't be too hard. A few questions like:
. . . would weed out almost every user who, metaphorically, throws his computer open and yells "Free bandwidth, get it while it's hot!" to the spammers. Without a huge globa
Zombies will steal your sender ID (Score:4, Insightful)
If sender ID goes in, the software that takes over a target machine will just have to use the normal sending identity for that machine, or, more simply, transmit it back to the bulk mailer so the mailer can construct the outgoing messages accordingly.
MX Logic reports that, as of March, 9% of spam already has valid SPF markings, and 0.83% have valid Sender ID markings. [mxlogic.com] So the technology to bypass SPF and Sender ID is already deployed.
Re:Two email systems (Score:2, Interesting)
The receiving in the e-mail benefits because he knows he will have an inbox that is spam free and has messages full of important messages. The sender benefits in that he knows his message is much more likely to be seen
Re:Two email systems (Score:2, Insightful)
Re:Two email systems (Score:2)
Re:Two email systems (Score:3, Insightful)
Re:Two email systems (Score:2)
Re:Two email systems (Score:2)
Re:Two email systems (Score:2)