MS and Sendmail work together on Spam Solution

fudgefactor7 writes "Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance to launch a sender authentication plug-in which is hoped will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?" Update: 02/26 08:01 GMT by S : Though Microsoft and Sendmail are both working on solutions, there's no official alliance in place between the companies.

Perspective....

"Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance to launch a sender authentication plug-in which is hoped will combat email fraud and spam. The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did. Could this be a sign of the beginning of the end of spam?"

Wow......this really sounds like it was written by a marketing director. A Slashdotter could have just as easily interpreted this as "The 800 lb gorilla of the software industry, Microsoft has coerced the long suffering Sendmail to provide Microsoft with a software patch that fixes security holes inherent in Microsoft products that allow for email fraud and spam to run rampant. Another side benefit is that Microsoft can exert their market dominance to further entrench the Microsoft monopoly by refusing email not conforming to Microsoft "standards".

Laugh, it's intended to be funny. :-)

Re:Perspective....

I say there needs to be a class-action suit against Pfizer. If Viagra were never invented, Spam would be nearly non-existant ;) But seriously, do you think Pfizer hates the fact that their product is spammed to a billion people a day? I think not.

Re:Perspective....

Do you really trust a spammer to send you the real goods? Counterfeit drugs are rampant, and unless you purchased the drug from a reputable (liscenced) pharmacy, it is unlikely you are getting the real deal, especially on something expensive, hotly demanded, and potentially embarassing to sue about.

Pfizer suffers from this due to a possibility of a counterfeit drug causing harm, making Pfizer a target of an inadvertant lawsuit, the cost of which being huge amounts of negative publicity. Imagine: Pfizer getting sued - big headline on front page - everybody's talking about it. The drug turning out to be counterfeit - tiny headline near back page three months later - nobody notices. The fact that it came from a spammer - doesn't even get reported.

Submitter and Editor didn't RTFA

It says nothing about Sendmail and MSFT working together. Only that they're working on their own solutions to the same problem.

While it's nice to see this type of work being done, the headline is misleading.

wbs.

Re:Submitter and Editor didn't RTFA

Microsoft - well... dunno... hard to say anything... Some of their ietf work has been brilliant. It is the implementation (and the marketing in command of it) that has been horrible.

Sendmail - no fscking thanks. Their track record in inventing features and suddenly introducing them without at least informing the internet community at large is not anything to shout about. Basically in order to deal with the sender-address-must-resolve and the antispam parts of their rulesets you usually need 4 apirins and 200ml of vodka. That along with 24 hours of sleep gives you a chance of recovering your sanity after getting it to work after the upgrade forced by the next inevitable Sendmail Security FuBAR(TM). Note - it is a chance. Some people never recover. In other words there is a reason for the upside down bat to be the sendmail logo. That is the way a sysadmin looks like after dealing with it. No matter how much I dislike some of Exim sillies I would stick with it.

fscking moderators...

Say somthing nice about Microsoft and get modded down, even if it's the truth. Say something bad about an open source program and get modded down, even if it's the truth. Just because you disagree with an opinion doesn't make it a troll. A fact which contridicts your prejudices is not flamebait. Save the downmods for penis birds and hot grits. If you disagree with a poster, reply instead of moderating and give your reasons.

Face it: by any rational standard, sendmail sucks. /etc/sendmail.cf is so obfuscated that makes the Windows registry look simple by comparison. It's track record for security is as bad as anything coming out of Redmond, and has a similar track record for releasing patches which break more than they fix. Fortunately for mail administrators who aren't masochists, there is Postfix. Now if only some of the major Linux distros *cough*redhat*cough* would use postfix as their default MTA, life would be better.

The parent poster is also correct in that Microsoft has made important contributions to ITEF and other open standards boards. They do occasionally manage to do the right thing, even if it's because the engineers managed to sneak it out the back door when the marketroids weren't watching.

Re:Submitter and Editor didn't RTFA

The word "alliance" does not appear in the linked article.

The article only states "Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one."

The article [sendmail.com] on the Sendmail site says "By incorporating a selection of sender authentication technologies into these applications, Sendmail aims to significantly hasten the global adoption of mainstream authentication initiatives such as DomainKeys, recently introduced by Yahoo!, as well as proposals put forward by Microsoft and others."

A Sendmail press release [sendmail.com], also released today, does mention the collaboration of Yahoo and Sendmail: "Sendmail, Inc., the global provider of electronic message management solutions and Yahoo! Inc. (Nasdaq: YHOO), a leading global Internet company, will begin testing the DomainKeys. cryptographic authentication solution in March 2004."

Re:Perspective....

If you look on the sendmail site, it says that they are also working with yahoo on domain keys. It looks like sendmail is going to create their own compatible version of everyone's anti-spam solution

source, http://www.sendmail.com/sender_auth.shtml

-CPM

again NOT new features

ever seen in email from your sendmail MTA where in the header it say "FORGED". usually on spam email. You know you can block on that in sendmail without any add-ons... The problem is that the majority of the internet servers must then go out and update their DNS records for MX and reverse, for this to actually work.
PS: I actually turned this on one time to get rid of spam, blocking a whole bunch of legit email in the process. Ooops. hello internet just enforce the tools that you already posses.. nuff said.
--jboss

Re:Gee this isn't biased

Anybody with over 10,000,000,000 cash is considered a powerhouse in my book. And I think any email program that exsisted before 1995 is venerable...

Which version

Will it be in the free version of sendmail too or only in the commercial buy-version?

Re:Which version

MS will make final shot in antispam wars... they are going to stop delivering outlook

Re:Which version

From the article:

Open source versions of its plug-in will be freely distributed, while it will also be integrated in commercial versions of Sendmail's products.

Read the article. Hey, it's really short too.

Read the ...article?

You must be new here to /.

What is this ...article you speak of?

I see why MS did it

They were looking for something with more vulnerabilities than Windows! Seriously, who uses sendmail? I thought we all started using Qmail or other alternatives?

Re:I see why MS did it

Seriously, who uses sendmail?

Apparently, 60% of the world does.

Re:I see why MS did it

Too bad there's not a mod option for "(+1, Horrifying)"

especially when fully compatible alternatives like Postfix exist and have been around for years

Re:I see why MS did it

Although the parent post was moderated as "funny," I think the question is a serious one. I use sendmail exlusively because it is the only mail server that supports the powerful milter API and allows me to use mimedefang, which cannot work with any other mail server. Mimedefang can drive antivirus software and spam filter, not to mention sanitizing of html email and so forth, is a very powerful piece of software.

For many people postfix or exim work very well, and should be used over sendmail. But in a larger environment, sendmail is the standard. Qmail, well, I've never liked it.

Re:Could this be the end of spam ?

I doubt this will end spam.. however it will put an end to the collaterol damage caused to other people's inboxes when some other jerk spoofs their domain names. (yes I'm mad.. I have 1000 bounces from the other week when someone sent online pharmacy ads while pretending to be ME)

It will also put an end to using a free email account to recieve spam replies.

So it's not a cure but it will make the game more expensive for the spammers.

Re:Could this be the end of spam ?

You should look into using SPF [pobox.com] if you want to avoid such things. It won't solve your problem overnight, but its adoption is on the rise, including large players like AOL.

In fact, if you search the /. archives, you'll find a somewhat recent article.

For the average /. reader who can't be bothered to RTFA, the short of it is that works like a reverse MX record. Only hosts listed in your SPF (Sender Policy Framework) rules (published in DNS) are considered allowed senders of email from your domain. Recieving MTAs can then make an informed decision on whether to accept mail that has an envelope sender from you domain, based on whether the sending host is listed as permitted. This means that for any domain that is publishing SPF rules, spoofing the sender address while using an open relay/M$ zombie box becomes impossible, as long as the receiving MTA checks SPF.

It won't put an end to spam, but when enough domains have implemented both publishing SPF rules as well as checking them for inbound mail, it will cause severe headaches to the spammers, and cut down their arena significantly. Best of all, if there ever are any false positives that are rejected, it's due to the originating site policies, not the receiver's or middleman (as the case easily is with distributed blacklists)!

Re:Could this be the end of spam ?

This is a horible idea - for those of us that bounce through different MTAs during our life based on where we are (work/home/travelling/etc.) to send mail out, but still wanting all of our mail to come to our trusty inbox.

Shoot, man! That's what SMTP Auth is for. Most of my "roaming" users use it. Those that don't, use webmail. Talk to your mail provider. They probably have a solution similar to this (it's been around for a while now).

Subject: Check this out
Response - This subject is commonly used in Virus e-mail, bounced back to me.

Now *that* is screwed up. Just like people of set up their mail servers to bounce any email containing the word "viagra", the potential for false positives is too high.

Talk about your odd couple.

Just adding a tag or a plugin wouldn't seem like it would help all that much...Email is such an open format that anything you add, can be copied and added by spammers too.

Just my opinion.

Re:Talk about your odd couple.

Odd couple?

I don't [cert.org] think [cert.org] they're that [cert.org] different [cert.org]. Sounds like a match made in security hell.

Soko

Re:Talk about your odd couple.

Eh? The point is that the receiving server will verify with the sending server that the email is really coming from where it says it is. SPAM usually lies about where it is coming from and the servers using this plug in will reject such mail.

If the SPAM isn't lieing about where it's coming from then it's easy to block all SPAM from a web server, notify the offending servers admin if possible, get the spammers accounts revoked, etc.

I don't know, am I missing something? The problem isn't that this won't help, the hurdle is getting the modification to the protocal accepted and used widely.

Re:Talk about your odd couple.

Well what about what lots of people do, send email through their ISPs web server, and use the email address of where they get mail, which may not be their ISP?

I do this all the time, I send mail through whatever SMTP server for the ISP I'm currently connected to, but my email address is always the same, and the email domain is my hosting provider, which is not my ISP.

They better not fuck things up for people that don't always use their ISPs email address, or have more than one ISP.

Re:Talk about your odd couple.

This has been rehashed a million times...

Basically forging email addresses is going to have to stop, just like using open relays had to stop years ago. SMTP AUTH has been around for years & every mailserver supports it.

Re:Talk about your odd couple.

If you really want, you can set SPF ( spf.pobox.com ) to authorize your ISP mail server to relay mail from your own domain (this is useful if your domain does not have its own mail server). However, a better solution is generally to SMTP AUTH to the mail server for your domain (rather than the mail server for your bandwidth, i.e. your ISP). SPF will support both though; it is your responsibility to make sure that this secures you from relaying.

Not sure if the Microsoft/sendmail suggestions work the same way.

Good job Microsoft!

I posted an idea similar to this on slashdot here [slashdot.org], which would essentially involve sendmail digitally signing messages that it sends and then having receiving mail servers verify it. I think most of the people who read the idea misinterpreted it as forcing us to get digital certs through verisign, which was NOT what I was implying.

See, now this is a much better idea than "email postage" and "computationally expensive" sending of email. This way, the accountability falls down to individual email addresses, and domains for sending UCE.

It's FAR easier to track emails and their likelyhood of sending spam than the actual messages themselves (after all, buyviagra@biggerpenis.org is most likely sending you spam).

This, combined with a spam filter could do the trick.

Congratulations Microsoft for actually partnering with somebody who matters is this whole affair. I'm hoping the other companies like Yahoo and AOL follow suit with this strategy, and a solution becomes standardized.

Re:Good job Microsoft!

(after all, buyviagra@biggerpenis.org is most likely sending you spam).

Hey, that's *my* email address!

Re:Good job Microsoft!

I'm hoping the other companies like Yahoo and AOL follow suit with this strategy, and a solution becomes standardized

You didn't read the article, did you? Go RTFA

"Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one."

Re:Good job Microsoft!

Yeah, I see some actual hope that something like this would be effective. Perhaps if the servers simply exchanged certs, for example. Requiring a cert to run a mail server is NOT a heavy burden, and you could always accept unsigned messages if you wanted to. It raises some tech issues, and current SSL certs wouldn't work exactly. But a system of verifying the sending server and tying it to an identifiable individual or company would help a lot. Even the barrier of having it cost $50 or so to get a server cert would be enough to stop a lot of spammers.

Even better, such a solution is implemented at the server level, it's transparent to users, and it's backwards compatible (you could still configure your server to accept unsigned mail, or just filter it more aggressively), making gradual implementation a possibility. So there's a good chance it could catch on if major ISP's were to adopt it.

I confess to not having thought through all the details, but something along these lines is probably going to be the answer. Makes a lot more sense than any of the "pay per message" proposals, that's just Libertarians Gone Wild.

Re:Good job Microsoft!

Requiring a cert to run a mail server is NOT a heavy burden,

Personally, I don't think it's even necessary. I doubt that spammers will start doing man-in-the-middle attacks or DNS manipulation (not because they're morally above it, but because of the technical expertese, legal exposure, and risk of being caught and traced). So just make up a cert and stick it in a DNS record for your domain. No PKI needed => no payment to get your cert.

Re:Good job Microsoft!

>>I must be missing something.

You are. 5% is way too high, it's more the .05%. In the traditional direct mail world (old style mail), 2% was a huge return.

Re:Good job Microsoft!

Sorry, but your solution is NOT the solution.

(after all, buyviagra@biggerpenis.org is most likely sending you spam).

That statement would have made sense in 2002 perhaps, but today a _very_ large portion of email is sent through hijacked machines.

It's just as easy for the hijacking spammer to sign the outgoing email on the hijacked machine.

Consider it similar to a telemarketer that goes from house to house to find unlocked doors. When the door is open, he goes in and makes the phone call from the phone in the residence. The caller ID is not going to identify the phone call as a telemarketer call.

In the real world this would be absurd, but unfortunately there's tons of machines out there with SMTP backdoors.

Re:Good job Microsoft!

How are SPF or DomainKeys or SMTP AUTH going to help you when all your spam comes from people you know, because spammers have moved to just taking over machines and using those machines to spam the people that person normally emails, as that person?

When people discover that they've been sending out Viagra spam, pissing off their friends and embarassing themselves in front of coworkers, they'll suddenly have a personal understanding on why security is so important. They will scramble to fix the problem to limit the damage to their reputation. When it is explained that they infected themselves by running that screensaver they got through email they'll not do it again. When it becomes endemic they'll start screaming at their software providers to stop shipping buggy crap and to make things secure by default. It may be a messy road, but it will eventually work out.

Re:Good job Microsoft!

If you're right, that Microsoft's system involves cryptographic signatures on a per-email-address-level, and the protocol is open, I am deeply impressed. Microsoft would be from a technical standoint far ahead of the SPF crowd (who are pushing an ugly, nasty-side-effect hack if I've ever seen one).

Microsoft may actually produce something that benefits the community as a whole. Seems incredible, but...wow, if we owe having a *good* email infrastructure to Microsoft, the world will be standing on its head.

Anyone have a link to a good technical description of Microsoft's proposed system?

Thanks -- my take on Caller ID

Thanks for the link -- much appreciated and read.

Sigh. Trust Microsoft to release their techncial information in .doc format. Well, here's my take. The MS solution doesn't provide, as the top sender assumed, a real PKI-based solution, which is what really excited me. That would ultimately solve a lot of problems in a much better fashion.

The Microsoft solution is not actually very different than SPF. It aims at doing pretty much the same thing -- identifying outbound mail servers for a domain in DNS, and disallowing mail from any mail servers that are not listed in DNS. I *still* feel that this approach is a hack and is going to have undesireable long-term effects.

There are some things to be said for the Microsoft approach, though. It seems to be basically a "better SPF". They considered a number of implementation issues that I was upset over in SPF. They talk about DNS caching and security implications of DNS as a transport mechanism. They address server migration, and provide an attempt at dealing with multiple apparent identities -- one that I feel isn't really sufficient, but which Microsft, being Microsoft, might manage to pull off through control of Outlook.

Having read the SPF proposal and the Microsoft proposal, I do think that the Microsoft work is a lot more mature and builds on SPF, and is a better overall solution.

If one of the two must be implemented in the short term, I would prefer Microsoft's work.

I still think that Microsoft's Caller ID is still vulnerable to a number of SPF holes (such as throwaway domains). I am more than a little irritated, since Microsoft is really the only single player capable of promoting a PKI scheme (given that they control a major mail server and the major mail client). Furthermore, migrating to a PKI-based system would provide reasons to upgrade to new versions of Microsoft software -- pushing PKI makes excellent business sense for Microsoft. My guess is that Microsoft needed a solution *now*, given that they were facing SPF deployment, and wanted to fix some of SPF's problems rather than gambling on a full retrofit of the email system.

Submitter didnt RTFA

Microsoft is one of several companies who are also working to combat spam with a "caller ID" system. Yahoo's DomainKeys is another one.
MS is a footnote. Aside from headline, the article mentions nothing about an 'alliance' or even Sendmail and MS working together.

Re:Submitter didnt RTFA

I didn't see anything about collaboration with Microsoft, either. If you go to sendmail.com [sendmail.com], though, there's a story about Sendmail working with Yahoo's scheme.

The sky is falling

Isn't this one of the signs of the apocolypse?

Re:The sky is falling

3) France wins a war (without American help and without being led by a non-frenchman)

Even if you don't count the French Revolution, doesn't the Norman Conquest count? French invade Britain, French win, Britain ruled by Frenchmen for several hundred years. I'm pretty sure William of Normandy was French, and I'm pretty sure the Americans didn't intervene in that one.

Re:The sky is falling

Actually, William the Bastard was a Viking with family origins in the Norwegian-ruled Orkneys. William's great-great-great-great-grandfather was Ragnald, first earl of Orkney, and William was a direct male descendant of Ragnald through Ragnald's son Rolf, first Duke of Normandy. They ended up marrying into the families of the Capetian dynasty of France and into the family of Aquitaine as well, but they weren't really French, any more so than the British royal family is truly British (I think it'll be only when Wills gets the throne that someone with a majority of UK blood will be reigning, for the first time since Queen Anne; the Windsors are primarily German with injections of Danish royal blood courtesy of Queen Alexandra and Prince Philip).

The Normans were regarded even in their day as Vikings with a veneer of French civilization. They were regarded as the equivalent of 17th and 18th Century Russians, who, due to their rather unsanitary personal habits, were regarded by courts in Europe to be "baptized bears".

So, in the final wash, it was Yet Another Viking Invasion Of England, albeit this one more successful than the others because the family stuck around for a while (until Richard III, in fact).

qmail

So, is qmail getting in on this solution????

Re:qmail

DJB hasn't updated qmail since 1997 and it looks doubtful he ever will. However, I'm sure third-party patches will be available if the idea catches on in any significant way.

See also..

Yahoo & sendmail cooperating [sendmail.com]

Why Sendmail ,why?

First your cf syntax, now working with Microsoft?! What did we ever do to you?! Truly, a sysadmin's worst enemy.

Not going to fix it

This isn't going to fix it.

A crap load of junk mail comes from insecure personal computers that were hijacked. If these computers send their junk mail, and this system tracks them, it will send the "A-OK" because the mail came from where it said it did.

This will help, no doubt. But fix the problem? No.

Re:Not going to fix it

Most if not all Spam sent this way claims to be comming from some place other then the computer that sent it. If you get a message claiming to e from Microsoft and its source is some DSL IP range in the UK, this filter will chuck it. If you are only getting spam from known sources then you dont realy have a spam problem.

Re:Not going to fix it

You have a good point, but THIS combined with other solutions could make a difference. Yes most of the PCs sending Spam won't be stopped by this, except that they don't have proper MX/PTR records. So if we use this with some DNS filtering to only accept mail from "real" mail servers, this could take out a large chunk of spam.

And there's your problem...

but it will need widespread acceptance to really work

And therein lies the problem. No vendor, no matter how well placed, should just run off and try to implement a solution. Why? Because odds are good it will not take off. Everyone involved needs to agree on a solution THEN implement it.

A Phased approach

And therein lies the problem. No vendor, no matter how well placed, should just run off and try to implement a solution. Why? Because odds are good it will not take off. Everyone involved needs to agree on a solution THEN implement it.

As with any change to infrastructure, the conversion is likely best done in a phased approach.

Step 1: Impliment authentication, but don't block messages from unauthenticated servers.

Step 2: Adjust existing SPAM filters to weigh mail from unauthenticated servers as having x % (where x is initially some relatively low number) greater liklihood of being SPAM than messages from authenticated servers.

Step 3: Increase x gradually over time. At the end of some period (say, one year), x appraoches 90%, effectively blocking most mail not on whitelists from unauthenticated servers. Leave x at this high value for some time (say another year)

Step 4: stop accepting mail from anauthenticated servers completely.

End of SPAM? Probably not (as SPAM mailers can authenticate themselves, and Microsoft WORMS and Viruses can hijack legitimate mail servers which authenticate themselves and send SPAM anyway) but it is a start.

End of what?

Could this be a sign of the beginning of the end of spam?

Dunno... but it could be the beginning of the end of sendmail. Not that it would be a bad thing...

There's much better [postfix.org] software [spamassassin.org] out there.

Re:End of what?

Well, lets see...spamassassin works with sendmail, so I don't get your point there...I don't think they are looking to replace the functionality of spamassassin, they are taking care of the problem in a different way...

And, as far as postfix being better than sendmail...sendmail has a bad rap because it has been around the longest...

Yes, some older versions of sendmail had security problems. Yes, sendmail has some feature bloat...

But, sendmail is the MTA of choice for UNIX distributions...sendmail is probably one of the most configurable of all MTAs (that also makes it one of the most difficult to configure)...mainly because of its past, sendmail is good in a different way than MTAs like postfix...

Eh?

Microsoft working with a Free Software group to produce a standard that will be freely available?

Sounds more like the end of the world than the end of spam to me!

this is low, even by /. standards

nowhere in the fscking article does it say anything about MS and Sendmail working together.

It tells of Sendmail launching a plugin for sendmail, and then :
"Microsoft is one of several companies who are also working to combat spam with a "caller ID" system."

Does anyone RTFA anymore? Am I alone in this? Is god really a abnormally large crustacean living on the moons of Jupiter?

Appropriate question..

Could this be a sign of the beginning of the end of spam?"

Allow me to rephrase that:

Could this be a sign of the beginning of even smarter & trickier spammers?"

I wonder how this works...

MS put a signature in all emails from outlook, and sendmail blocks everything with that signature?

The era of spam is over!

Could this be a sign of the beginning of the end of spam?"

Yes, just like computers have made the era of office paper end (I enjoy my paperless office, do you?), and how Bill Clinton in 1995 ended the era of big government.

Sooo....

Will my email server I run perfectly responsibly just for my family be able to function without paying Microsoft for the plugin? Afterall, it is not rocket science to code your own SMTP server with Visual Basic.... This will work for the controllable sources, but what about foreign servers and the rest of the World?

Just imagine...

With the combined stellar security records of MS and sendmail, guess how secure the new software would be.

Sendmail AND MS?

That screams safe and secure to me. Then, maybe we could set it up with BIND.. and the computer would be safe..

until you plug it in..

(Flamebait to induce conversation.. calm down)

Hi, I'm Bill Gates

and I've just written an email tracking program . . .

A better article

This Inforworld Article [infoworld.com] is much better then the one posted and mentions how this new Microsoft Idea is very similar to the existing SPF, except that with Microsft's version, the whole message is sent and downloaded before it's rejected.

back in the day

Spammers used to buy a T1's worth of phone lines and then dial in to several different ISP's all at once and use THEIR mail server to send spam. With the advent of easily hacked broadband connections, this isn't required anymore. I can see it popping back up pretty quickly. While the idea is OK, spammers are adaptable. The ONLY way to make spammers stop, is to make them feel pain and this solution doesn't provide nearly enough pain.

For instance, I ws joe jobbed, I recieved about 2300 bounced messages advertising various web sites. For every bounced message I forwarded a 900k graphic that said "Do not use my return address in your spam campaign, it is illegal". Since I recieved another bounced spam before I had finished responding to these kind people, I decided perhaps another avenue of communication was approriate. I posted an order on each of the three websites I found advertised 2300 times (PERL w/LWP). Since I was unable to get a response via e-mail, I figured that I would get a response via an order form. I posted 2300 times(one for each boucne) with my contact information and a request to not use my e-mail in the shipping information box.

What happened?

1. one of the mail servers stopped responding all together. It didn't come back up for more than a week (qmail queue default lifetime anyone?)

2. During the post to these web sites (ALL on hacked machines running open proxy servers) the web site went down and stopped responding. I guess the concurrency of 2300 was a bad idea.

It appears that my e-mail address is no longer being used, although their websites finally recovered about 8 hours later. These web sites no longer accept orders from my IP address. No imagine if only 1/2 the people that recieved a spam did what I did? Think of the number of bogus orders that have to be sorted to simply get to a legitimate one? Think of the amount of traffic going INTO comcast and RR to these hacked machines (waving flag over here, over here LOOK LOOK security@rr.com!). Of course this would take time, and we alreayd have precious little of this. If enough people took the time, we would also have precious little spam. The cost would be too high.

AngryPeopleRule

similar solution already available

There's something at least very similar to that already available as a milter. milter-sender [snert.com] does an email callback to the mx of the domain the email claims to be from and verifies that the address exists. Unlike some of the other solutions available, it doesn't expect the sender to send another mail to verify he's a genuine sender, but accepts the email if the mx doesn't fail to the "RCPT TO" command (exceptions requiring a "full callback" can be configured for mxs that only find out they don't know the recipient after the DATA command has been sent).

sendmail fun

As a public service I am providing my sendmail.cf file as a configuration example.

HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
HDate:@@_$_$?sfrom^*$%#%!*(()^&^&*#$##
$%@$#%&&_%#__&^#$%_#$%%___*(__Y_JY_*_*(_#$%#_
#@$@@#sonofa@#$%@@#@#$#

I know it just looks like line noise but this is a working config!

Re:sendmail fun

Just add #!/usr/bin/perl to the top and it'll patch sendmail.cf for you. :-)

This will fail because

Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Article doesn't say they're working on same thing

Microsoft is pushing a solution called "Caller ID", which involves putting (wince) XML documents into the DNS telling you how to check the (argh) From: header.
A lot of other people are pushing a solution called SPF, which involves putting text "code snippets" into the DNS telling you how to check the MAIL FROM: envelope return address.
This topic will be discussed at the IETF next week in Seoul, Korea. Hot topic!

Some more info here....

http://www.sendmail.com/sender_auth.shtml

DoS attack anyone?

The plug-in lets organisations verify a message's source before accepting it by automatically checking to see if an email came from where it claims it did.

Doesn't this just sound like a great way to create a DoS style attack?
I: Flood many servers with email supposedly from server X
II: All servers attempt to contact server X
III: Server X crashes/is overwhelmed with requests, stops responding
IV: Some of the orginal servers might get hung trying to clear email from Server X, now no longer responding...
I admit that IV seems avoidable, but I-III don't seem like a big strech based off of prior MS security exploits...

Solve the problem at the SOURCE

Now my little server can do advanced reverse lookups on the over 90,000 spam messages it handles per month.

I'm thinking not...

How about making all spam a crime and holding the companies who finance it liable. Then giving consumers the power to sue for damages.

I'm not an ISP, under CAN-SPAM I can't do ANYTHING about the over NINETY THOUSAND spam messages sent to my server per month.

Needless to say, my poor little PII-400 linux box gags and chokes during spuratic 'floods' of spam through each day.

I must say, though, any efforts to thwart spam are good in my opinion. However, the problem will _never_ be solved until the companies PAYING for spam are held financially and/or criminally liable for their actions.

After all, if you PAY someone to commit murder for you -- does that make you any less guilty?

No.

MS + Sendmail = The Spam Problem

MS and Sendmail are probably responsible for 90% of the spam out there, with default open relay policies, cryptic documentation, and (in MS' case) a corporate culture and influence which means that only chimps and other simian life forms become Exchange admins. Flame all you want, this is from direct experience.

At an old job as a firewall engineer, I had to tell the Exchange Admin for a major medical insurance provider HOW to set up our AV server as their relay. I found it on Google faster than she could fumble through her documentation. At another site, I had to battle an NT/Exchange admin who, after moving the Exchange server to an internal network, wondered why he no longer could receive mail.

MS and Sendmail owe everyone on the Internet countless hours of lost time due to idiotic softawre config problems, its about time that they came up with a solution.

Article not very informative.

Sendmail is one of the vendors working on Sender Permited From or Sender Policy Framwork is it not? spf.pobox.com [pobox.com] I have no clue, nor did the article, on what Microsoft might be doing.

SPF is basicly a reverse DNS lookup on SMTP servers if I understand it correctly. Basicly under the plan to send mail you have to have a registered SMTP server in DNS so that your mail can be traced back to the sending SMTP server. No SPF records then your mail is most likely spam and can be discarded at the client or even at the POP server. Heck I suppose even SMTP servers could refuse to forward such mail. Will not eliminate all spam but it would halt the span-in-can email virus like SoBig that makes every Winblows box into instant spam machine. It would also stop spoofed email that causes so much headache.

Very needed plan IMHO.

Can I still use my own mailserver...?

I read the article, but it seemed a little light on details...What exactly do they mean by checking to see if an email comes from where it claims? Do they mean that if the Domain Name or IP that the mail is sent from doesn't match the domain in your return address, the mail will be rejected?

If so, this will bother me to no end. I currently have two main email addresses, one using Cluemail [cluemail.com] and one using MyRealBox [myrealbox.com]. I check both of these addresses using IMAP with MacOS X's Mail.app. However, since MyRealBox is an experimental server and is not always up and since the free accounts on ClueMail don't have SMPT access, I am using my own machine running QMail to send my emails. Obviously my IP and whatever domain gets assigned to it from So-Net (yay Fiber Optic connection to the apartment!!) do NOT match either of my mail addresses.

So, will something like this spam solution break my set-up?

Disclaimer: I am somewhat clueless about all of this. I only know enough to have been able to set my machine up securely so it is not nor can/will not be a source of spam. So, I appreciate any information. Cheers. :)

The way to get rid of a lot of spam...

is to reject messages where the outside envelope (not certain of the correct term) address(es) doesn't match any addresses in the To:, CC:, or BCC: fields on the inside.

A large portion of the spam I receive doesn't have my address in the To: field. Why doesn't mailer software look for this kind of mail? Am I missing something?

Sending from home? http://slashdot.org/users.pl

I still have my system up, but I am denied at places becuase I am on Comcast Cable. Yet, I have never had an open relay, nor been cracked. I find it obnoxious that I have issues sending simply due to location rather than an inability to have a secured system.

Re:Sending from home? http://slashdot.org/users.pl

The issue you face is one of "identity distinction". By being on Comcast Cable, you appear to be one of the unwashed masses. Whether your system is secure or not isn't known, and isn't practical to find out (trying to actually crack your machine to see if one can get in, to refuse mail if the crack succeeds, has certain legal risks).

You can distinguish yourself by making your email address known and others can whitelist it. Of course that's only good up to the point that spammers start to joe-job you using that address (which may not be for quite a while). Another way (which won't work with Comcast because they are so clueless, but could work with some other ISPs) is to get static IP and arrange for reverse DNS to identify your domain name. Some (I do, for example) block Comcast based on the domain name (easier to manage than a bunch of IP address ranges), which means if your IP didn't have comcast.net on it, it might get through. And if you do have a static IP, you could just ask for that one to be whitelisted.

There are also message content ways to distinguish yourself, such as cryptographically signing your message. But the problem here is that mail servers have to accept all mail first to see that signature. That breaks the ability to refuse during the SMTP RCPT command; refusing at the DATA command not only means wasting the bandwidth always on every message, but also the inability to let users separately whitelist, or means sending bounces to unverified addresses (bad). If they would redesign SMTP to provide the crypto signature during the SMTP session, that would help a lot.

Probably the best solution is to subscribe to a mail submission service (e.g. someone who has a colocated mail server and takes your mail only via authenticated SMTP or MSA). Then the fact that you're on Comcast is hidden deeper in messy RFC headers.

My Karma for their Karma

I know I'm blowing my karma points on this one, but I believe it's justified and realistic.

No business partnership or alliance of any signficance has existed with Microsoft that resulted in a mutually beneficial conclusion. To put it another way, it's like trying to make a deal with the devil.

I don't expect that sendmail will be summarily destroyed as such. But I ernestly and honestly believe that the final outcome of this venture will only result in Micorosoft obtaining an absolute choke hold on email.

To expect anything less is niave and ignorant. There is no past performance which disputes this claim. Even considering legal judgements, Microsoft will not hesitate to make "all your email belong to us".

I apologize if I come off sounding like one of the slashdot anto-microsoft zealots, or some conspiracy theorist. But think it through.

Microsoft develops a means by which all email must be reverse authenticated as to the sender. Believe me, they will patent it and everything that looks like it before the night is over. This sounds great, but then all they do is just modify the email servers to require that this proprietary reverse authentication take place or you can't send any email.

The fact that they are working with sendmail, the company and not the OS project, allows them to license this technology to a Unix platform. This allows them a foothold onto the majority of email servers, which are Unix based, and to establish the means by which they have complete ownership of all email transactions. And it will be a matter of time before sendmail.com has to turn over their assets to pay the licensing fees, but then maybe Microsoft doesn't want them able to pay the fees.

Yeah, Spam sucks. But get a clue! Spam filters account for 99+% of all the spam out there. I would rather have my 1 spam a week out of 600 then to have Microsoft telling me I have to pay royalties to send email. There is nothing cool or encouraging about this.

And the real problem here isn't the spam, or the cost of sending spam, they haven't done anything to reduce either one of these. The problem is the adolescent pimple-butts who really think that herbal viagra will give them a 36" schlong that lasts all month long. Do you really want that? It's hard to pee standing on your head!

wont stop spam

this is great first step, but it wont stop spam. it will only prevent spammers from spoofing their email addresses, etc. what good is that when the spammer lives in a country that has no laws against spam?

Re:wont stop spam

what good is that when the spammer lives in a country that has no laws against spam?

It would be much easier to accurately blacklist [netsonic.fi] them, really. Currently some poor people get erroneously blacklisted by mail admins because spammers spoof their e-mail addresses.

Ironically for Yahoo's involvement in blocking spam, I was recently forced to switch my mailing list subscriptions from my Yahoo account because Yahoo's servers are considered insecure and some mail servers tag Yahoo mails as possible spams...

no solutions I can see

The core "problem" with the internet is that just about anyone can create a domain and the associated zone files and have them served as authoritative. There are at lesat two free DNS services out there that will host whatever zone data you wish to throw at them. Personally I don't consider this a problem, but a very nice feature.

When you can register domains in bulk for $5, perhaps less, and can host the DNS for free or just a few dollars a year, how exactly is any DNS based verification system going to operate to limit spam? Al the spammers have to do is fudge up the zone file so that any verification system will succeede because the spamming server is "legit". The server may very well be anonyous or hacked or have 20 IP addresses.

I still say the single best solution to spam is for ISPs to start a policy of disposable email addresses. This is a relatively simple matter to impliment with Sendmail and a few CGI scripts, or even via email messages.
An end user is given lets say 8 email addresses. These addresses are never to be given out to anyone for email purposes, they are simply for sorting incoming mail among several family/household members.
Each account can have up to 50 aliases at any time. Aliases are created on the fly by the end user, and can be set to expire at some future date, or be removed manually.
When you go to sign up for a discussion forum you create an alias for just that forum, ex: gjslashdot@ispdomain.com. If you start getting spam on that address, you can simply delete it and create another one, there's no attachment to the address outside that forum.

I've been using this system myself for about a year and have gone from 500+ spams a month to 3-5 a month. Again... as soon as I get spam at an address, I delete it and create a new one if necessary.

What's causing the spam problem is human ignorance. Layering technological complexity on top of the existing system will not eliminate the underlying ignorance. My solution does that.

As far as corporations go.... get your email addresses off of your business cards, and stop using employee names as the basis for email addresses. If someone has access to an email client, they probably have access to a web client. Out-side emailers should use a web form to send email to employees unless there is an existing relationship.
Once there is a relationship, siret email can be used.
Email addresses on business cards... business cards handed out like candy on haloween... no wonder you get inundated with spam.

Big 3 Spam Solutions

There are currently 3 solutions competing on the internet. Only one actually works right now as we speak.

(1) Caller ID is Microsoft's big proposal. Domain owners put XML in the TXT records in their domain. Receiving email systems can determine if a message is valid only after seeing all of the headers.

(2) SPF (http://spf.pobox.com/) is already implemented and is already blocking joe-jobs and phishing schemes. It relies only on the envelope FROM and the owners of the domain publishing a short TXT record. Currently, aol.com and many more domains (around 6,000?) publish SPF records. Implementations for filtering based on SPF exist in perl, python, C, and for Exim, postfix, qmail and sendmail.

There is a small problem in forwarding email properly, but that is being resolved with SRS (same website).

(3) DomainKeys (Yahoo!'s solution) is still being researched and is looking more and more like S/MIME or PGP but for an entire domain. The domain owners would publish the public key via DNS (probably a TXT record as well) and receving mail servers can verify that the message is indeed from said domain. There are some severe limitations: If someone gets your domain private key, you are screwed. It's also subject to a replay attack. The attacker would send a valid email to themselves through a server using domain keys, and then replay that message to the rest of the internet.

Both SPF and Caller ID can't work around DNS poisoning or IP spoofing. But they both limit the number of machines that are allowed to send email for a domain.

It is important that if you own a domain, that you publish SPF records - even if it is only "v=spf1 !all" or "I don't send any email for this domain". SPF, if it is going to be adopted, is going to be adopted at an exponential rate.

Caller ID is mostly Microsoft's response to the rapid success of SPF. They want to own the solution to spam, and they want to take credit for cleaning up your email box, even though their idea is really other people's ideas + XML. The protocol is heavy, burdensome, and subject to the whims of the XML interpreters out there right now. Plus, it is a huge proposal that is detailed and complicated, ripe for incompatibilities that could force users of Sendmail, Exim, Postfix, or Qmail to "upgrade" to Exchange.

Not a panacea

I already use a challenge/response system to filter my spam, and it works amazingly well. This is similar to the proposed MS/Sendmail "plug-in" in that it tries to verify that the sender is real and actually sent the email in question.

The one big problem neither system solves is spam from sources that are not forged, and actually have a valid return address. Nigerian spam gets through in either case, because an actual human is there. And sites that have a response-bot get through my challenge system (for the moment). These are the extreme rarity, of course, but if everyone used such a system then the spammers would just start using real verifiable return addresses all the time. It's easy to generate a new domain name every day (some already do) and get new IP blocks on a regular basis, so there's no easy way to automatically block email.

Even worse, spammers could still send out the email using zombies while putting valid return addresses in the spam so that it can be verified. They only need to hack their sendmail plugin to auto-verify any email with their return address on it and they can still use zombies all they like to send spam.

I think it's safe to say, as long as there's email, there will be spam.

more corporate control of internet

This is just leading to a monoply and corporate control of the Internet. As much as I'd like to see a solution like this, as I believe it will work, we need to be sure that anyone can still participate

Our LUG recently had a disucssion on x.509 certs and how it could be used to verify a mail server. If a mail server starts to send spam, the cert is revoked and can no longer send mail. This is more drastic, and leads to the same corporate control however.

Beginning of the End of EMAIL

"Could this be a sign of the beginning of the end of spam?"

Certainly not. I do however predict it will be the beginning of the end of email. This is a perfect way to segment the email systems from one another; those that utilize this plugin and those that are discriminated against for not using this plugin. I for one will not use something that isn't a damned standard. You don't have to be an evil genius to recognize the evils of introducing non-standard requirements into such a critical system. It's just plain nuts.

minor correction

Powerhouse software vendor Microsoft and the venerable Sendmail, have formed an alliance

You misspelled vulnerable... HTH, HAND

Really? You mean port 113?

Oh, I thought this was a reference to the ident protocol, already supported by sendmail, which would solve the problem in exactly the same way if firewall admins were willing to open up their AUTH ports and run identd daemons.

Nah, this is an elaboration of the same thing but on the email port instead.

Slap a few new buzzwords on it as it goes through the door, of course... PKI! WMD! Cryptographic keys! 40% more trunk room! Compassionately Conservative (Less liberal than the leading brand)! Microsoft Windows Compatible!

Now it's sure to sell. Won't stink up the room as bad as old dead identd I hope.

so wil the fate of sendmail be that of..

.. netscape or Real.com?

Usually when MS forms an alliance with someone for any reason they want to put them out of business somehow, but not sure if that would happen in this case. Isn't sendmail GPL or BSD licensed?

The question is

will the plug-in be available for non-Microsoft systems? If not, then this will just cause a shift in the host OS of choice for spamming, thus allowing Microsoft to blame spam on "those commie hippy pinko open-source zealots."

So long as it allows for open relays

I use open relays constructively. My ISP doesn't give me an SMTP server, I have to deliver all of my own mail via sendmail. This means that messages from my email account aren't directly from my domain's server. It irritates me when my email is seen as spam by unintelligent spam filters because this is a problem that I have had to deal with for years and I'm sure others are in a similar situation. I personally thing that a scheme like PGP is the only way to rid the world of spam and to authenticate all email messages.

MSFT Spam Protocol explained...

I've said it before, but it bears repeating here:

1. Message Arrives
2. Message sender and recipient(s) checked against known Windows licensees. If a sender or recipient is not a licensee, message is bounced.
3. Message headers are examined for mail client. If mail client is not a Micro$oft client, message is bounced.
4. Message body vetted for disparaging comments about Micro$oft using new "IntelliDiss" technology. If disparaging comments (or intentional derogatory misspellings of company name) are found, message is bounced and forwarded to Micro$oft legal.
5. Micro$oft pays off Senator Disney (or one of their other stooges in the House or Senate) to sponsor a bill banning the traditional SMTP protocol in favor of MSMTP. Bill passes by a wide margin in both Republican-controlled houses of congress and is signed into law by pResident George W. Bush, who proclaims "You're either with Micro$oft, or you're with the terra-ists." Any remaining SMTP user is secretly arrested and sent to camp X-Ray.

The weakest link in the chain

While it admittedly takes significantly more real legwork, I'd imagine that much of the protection provided by authenticated email could be bypassed by riding on other people's unsecured wifi networks and sending mail via their trusting ISP's mail server. I'm might just start wardriving in my branded SPAM-van.

Clippy Sez...

"It looks like you are editing your sendmail.mc file. Would you like to add:

1. define('confTRY_NULL_MX_LIST',true)
2. define('UUCP_MAILER_MAX','2000000')
3. define('confAUTH_MECHANISMS', 'EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
4. FEATURE(`relay_based_on_MX')
5. ..."