'Leak-Proof' Anti-Spam Solution? 90
sikandril asks: "In an effort to help the Internet community and user-base at large in fighting spam, I have decided to put up this white paper for public review and remarks. As you will see, the system provides an almost 'waterproof' solution to spam blockage via an opt-in system. The main drawback is that everyone (except spammers or other evildoers) has to have this installed in order for it to work perfectly. A small number of installs means that unknown legit contacts still might show up as spam, albeit only for the first e-mail and/or until they too elect to install the software. I'm an independent developer located in Israel, and would love to hear your ideas regarding this."
That reads like a patent (Score:3, Insightful)
Bollocks, this is an attempt to get investors. What's the patent number?
Am I a cynic? Hell yeah!
Obligatory... (Score:5, Insightful)
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work.
(One or more of the following may apply to your particular idea, and it may
have other flaws which used to vary from state to state before a bad federal
law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential
employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been
shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
ACK (Score:2)
Re:Obligatory... (Score:1)
Re:Obligatory... (Score:1)
Re:DIGG (Score:3, Informative)
that should work... I already gave it a digg
Re:Obligatory... (Score:2, Insightful)
Re:Obligatory... (Score:1, Redundant)
(x) technical ( ) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
(x) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the mone
Re:Obligatory... (Score:2)
But nonetheless, I'll deal with the last point:
Anyone can set up an email server. You may well trust your ISP/mail server to send your email. But why on earth should I trust you or your servers to send trustworthy mail? And why should the burden be on me to chase things up with you, your upstream and so on? Eventually (and sooner, rather than later) the cost to me in dealing with this is going t
Re:Obligatory... (Score:3, Insightful)
The one thing your plan does do is prevent spoofing, but tha
Re:Obligatory... (Score:2)
1) you need capital, and lots of it. You'll need to maintain a server farm just for supporting the requests to check the keys, as well as a staff to maintain the abuse complaints, support the mail admins, etc, etc, etc.. Just imagine, if 90% of the admins on the internet with mail servers got with your system, and 1% of them were the typical daily complainers, you'd be flooded with supp
Re:Obligatory... (Score:2)
Also the following definitely apply as well:
- Ideas similar to yours are easy to come up with, yet none have ever been
shown practical
- Countermeasures must work if phased in gradually
- Why should we have to trust you and your servers?
In other words Sikandril (aka Ami Rodan), you don't know enough to know what you don't know. You're, what, 18 and in your first jo
Yawn (Score:2)
Won't work, because everyone has to change.
Naaah, the only way to stop it is to make it sufficiently unattractive to spam. Like by nailing their balls to the wall. And, most importantly, doing the same to the people who have their products spamvertised.
Re:Almost there (Score:1)
AND you also have to sieze the spammer's client list. Not their spam list (ie: everyone they've sent an email to), but their actual, real live CLIENT list. Everyone they've sold stuff to.
Then you track down those people, and nail them to walls as well.
That way you've eliminated (or at least te
Re:Yawn (Score:1)
Now a large scale PGP implimentation would determine if mail is being spoofed. Add that to a way to check
Completely unbreakable! (Score:3, Funny)
Heck, since we know that all spammers are good, law-abiding citizens, why don't we just pass laws against the spam, instead of trying to convince everybody in the world to use the same mail client?
Re:Completely unbreakable! (Score:1)
They might well be law-abiding citizens, just in a different country.
Mailing lists? (Score:1)
Mailing lists are a nightmare too, as would be getting any kind of automated response (invoices from online shopping etc) through.
R.
Doh! (Score:3, Funny)
Oops!
Yeah, sure (Score:3, Funny)
I clearly see this could work - NOT.
Re:Yeah, sure (Score:1)
Re:Yeah, sure (Score:2)
Re:Yeah, sure (Score:1)
If you're important to me, you'll be whitelisted. But the effectiveness of greylisting seems to be decreasing, I'm seeing more spam get through. Still, between Spamcop's RBL and SQLGrey, I usually only have to delete about 20 spam messages a day.
Re:Yeah, sure (Score:1)
Re:Yeah, sure (Score:2)
Adaptive filters seem like a better idea. I've got one email address with greylisting, one without. The greylisted one is the more public one, with about 50% more incoming spam than the other, but the "Bayesian" filters in SpamAssassin catch
most
Re:Yeah, sure (Score:2)
Even if you discount spam, greylisting as an anti-virus method should not be underestimated. In the past 7 days, I've had NO viruses picked up by ClamAV or NOD32 on m
Re:My preferred solution (Score:2)
The one giant problem that your idea (and others like it) fail to address is non-support for bulk sending. One of my clients regularly sends about 60,000 copies of his monthly newsletter to opt-in customers. The current system allows him to spool out mail at a pace his system can handle. Your system encourages his server to ignite at 8:15 AM whenever all his recipients get to work, check their mail, and simultaneously attempt to download the message.
I'd like to say it's
I would say.. (Score:2)
A lot of complaint re-spam is- the recipient (or his isp) bear the brunt of the costs.. this would fix that.
Further. you could (as with mail backup) have a server which is a stand in (specified with an MX (or XM?)) which also supplies outgoing email.
Yes- I quite think keeping outgoing email on the senders email server... until the recipient client asks for the email- makes a hell of a lot of sense..
Somebody get these guys a clue... (Score:4, Insightful)
"6. Sixth, the system provides additional security and control over computer viruses which spread by e-mail - Client (1)'s connection with Server (2) is much harder to hack into than simply taking control of a regular e-mail client. Large and suspect amounts of key (4) requests from suspect client (1) can simply be blocked at the server level."
Who said anything about hacking "the connection"? Once we have everybody using the same client, I am sure it is only a matter of time before somebody finds a vulnerability in it, and crafts a virus / trojan to take control of it. And you *know* that people will open it up. "It came completely verified from somebody on my whitelist! It can't be faked or a virus!"
So Mom gets infected. It sends to everybody on her list. Because it was verified, it gets through to all of them, and they open it. Then to all of their friends. And so forth and so on. Not enough key requests from any one client to result in a block at the server level, and impossible to get ahead of it without blocking a significant portion of your userbase.
Congratulations. You've reinvented Outlook, and given people a better reason to click on that attachment and perpetuate it.
leak-proof (Score:2)
Most spam will be caught in google filter, other stuff you can just label away. You should still see all valid mail access requests even if some spam gets through.
If you get spam to the primary mail,
You've hit upon a good point. (Score:2)
There are different categories of users with different requirements.
...
... the small insurance company that deals with insurance agents and the occasional new individual ...
... which is different from Amazon or eBay.
The home user who connects to his/her ISP and downloads his/her email with POP3 and sends via the ISP's host has different needs than
Your method works great for the home user who occasionally gets email from new addr
Yikes (Score:3, Insightful)
Re:Yikes (Score:1)
In all seriousness though - I don't see "if you don't want junk mail subscribe to this entirely new Postal Service" catching on. Also to jump up a few comment threads - whitelists SUCK. Such is the p
Sorry... (Score:2)
"The defining characteristic of the client above (1) is that it does not allow placing of a large number of e-mail addresses in the to: cc: or bcc: sections (does not allow sending of the same message to more than e.g. 50 recipients) unless each one of the recipients has expressly given his authorization to the sender to be included in such a multiple e-mail distribution list/mass em
Re:Sorry... (Score:1)
So yes, it requires an additional software layer IF you have a POP3 account or something similar. However, HTML based e-mail solutions can implement this transparently to the users. Think of t
Re:Sorry... (Score:2)
never trust the client
Re:Sorry... (Score:1)
A glorified white-list, eh? (Score:2)
Time to fill out the form again. (Score:1, Insightful)
Your post advocates a
( ) technical ( ) legislative ( ) market-based (X) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from st
Almost waterproof? (Score:1, Funny)
Would you go out to sea in an almost waterproof boat?
Would you drink coffee from an almost waterproof cup?
Re:Almost waterproof? (Score:1)
Oh, that's right. American's aren't allowed to look at their ships anymore, in case they're planning a bombing mission.
Disposable email addresses (Score:2)
Give a different email address to every person that wants to be able to contact you. If one address gets compromised, disable it. Good email servers even have support for creating aliases using the + sign. (User+code@example.com will be sent to User@example.com). What is missing is an email client that automatically generates and tracks codes for each person you know.
The above method only work
Re:Disposable email addresses (Score:1)
Hell, you should be able to expire any temp address and move all future mails to the bin without your oversite.
That way you can happily give out addresses without the client and pick up the pieces later.
Re:Disposable email addresses (Score:2)
So what email address do I print on my business card or company letter head ?
Separate Protocol Needed (Score:2)
In short, it
Re:Separate Protocol Needed (Score:2)
Off the top of my head, I can think of;
. Better handling of mailing lists/discussion groups/chat rooms.
. Return recipit.
. Unforgable ID's (or at least hard to forge).
. No central authority.
. Standardized rendering of non-english alphabets.
. Standardized video/voice rendering
. A lot less spam (not sure how to do it, but I'm sure I want it).
. Attachments
. Better error handling (especi
New idea (Score:2)
Re:New idea (Score:2)
-Charlie
SpamAssassin and diversity (Score:1)
There are always going to be imperfections. Wise people plan for imperfection, rather than trying to hammer the world into one method.
Also, isn't there something to be said for software diversity?
Perhaps we'd like to recall the fun of Sasser and cousins thanks to the fact that everyone runs Windows.
Yup. Getting everyone on one system sure helped there, right?
SpamAssassin's one problem: near perfection. (Score:3, Interesting)
Most of my users have setup rules so that the stuff SpamAssassin tags is automatically dumped into their trash. But they don't bother checking their trash much any more. They expect the system to always be right.
Which still leads to the situation where someone thinks you've received their message but you haven't read it because it scored just over the spam level and it's sitting in your trash can.
I would prefer a system that rejected messages a
Re:SpamAssassin's one problem: near perfection. (Score:2)
My mail path looks something like this:
Greylisting (Postgrey) -> xbl.spamhaus.net (Only rbl I trust enough for a hard block) -> Custom Perl Filter to Spot UK Phishing Attempts -> SpamAssassin (Tags at 13) with ocrtext.pm/RBL+/Mailpolice -> ClamAV -> NOD32 -> Mailb
Re:SpamAssassin's one problem: near perfection. (Score:2)
Reverse DNS check (sendmail) -> SBL/XBL (Spamhaus) -> Greylisting milter -> SPF milter -> SpamAssassin -> procmail -> deliver
The key element is procmail. Each user's procmail rules filter all spam scoring 10+ into a special folder that is initially defined as
All of the rest of the spam (5+
Blue Security (Score:2)
Re:Blue Security (Score:2)
Re:Blue Security (Score:2)
Your own journal entry [slashdot.org] demonstrates how Blue Security's Blue Frog software can't work on much of the spam. And there are other reasons why it can't work on most spam. After reading Blue Security's FAQ, I see the following six fallacies, just off the top of my head... Actually they can be summarized as, "How can you possibly expect automated complaints to a form on a spamvertised website (if there even is a feedback or complaint form) will shame a spa
Actually, spam filtering is working pretty well. (Score:3, Interesting)
The real effect of CAN-SPAM has been that most spam either gets deleted by filters, or involves a felony by the sender. The remaining spammers are either selling drugs illegally, trying to manipulate the stock market, or running a scam. That's ordinary law enforcement work, and it's now routine to hear of spammer arrests and convictions. We used to just have ineffective civil suits. That's over. Now they're doing hard time. It's not a safe business to be in any more.
SpecialHam.com [specialham.com] is still up, and the usual suspects are still at it: "Looking for people with botnets to run ads! pm me for more details". But it's clearly a board for the clueless now.
Re:Actually, spam filtering is working pretty well (Score:2)
Um, no. Spammers have been performing illegal scams and stock market manipulations ever since the first spammer. And I've never heard of any of them getting arrested. Heck, every time send such a scam to my local law enforcement agency, nothing happens and I don't even get so much as a reply
Re:Actually, spam filtering is working pretty well (Score:2)
But you're right anyway. It hasn't been enough to make a difference.
Re:Actually, spam filtering is working pretty well (Score:2)
Some other things apparently forgotten (Score:2)
Being perfectly honest, as an ISP I wouldn't mind spam NEAR as much as I do if the @#$%@#%@# would atleast clean out invalid email addresses from time to time and wouldn't resort to harvest attacks. I'm still
Umm wow tons of problems. (Score:1, Interesting)
12 hour key rotation for the database for probably the trillion e-mail addresses that are active?
keys are inserted by the client of the sender and not by the actual smtp server? gee well I sent that e-mail to you 24 hours ago I wonder why it didnt show up... smtp servers couldnt connect for 12 hours and so my keys expired.
wow I my name being directly tied to my e-mail address so the cops can just look at the centralize database.
I can just see the lag as every single pe
You still get spam? (Score:2)
I have a better idea (Score:1)
Have the mailserver check that the OpenPGP signature on every message corresponds properly to the sender and is not on a blocked list. Otherwise, or if the message is not signed, it goes in
There's little point doing this on the outgoing SMTP server because most spam is sent from hastily-bodged-up SMTP servers running on compromised Windows boxes. It really should be done on the POP3 server {which, of course, receives mail by SMTP but then drops
Re:I have a better idea (Score:1)
2) Check the linked-to article. Good, nothing about sending back a 'rejection' to the sender of an unapproved email, which you were going to bitch about on the grounds that it's as bad as spam itself. Remember that you DO harangue anyone running a whitelist anti-spam system that spams *you* when some spammer spoofs your email address in the From field.
3) Have it occur rather quickly to you that this 'key' system already exists, it's called PGP.
4) Look at
5) F
People are still wasting time on this nonsense? (Score:1)
hashcash-based blocking system (Score:2)
When someone sends an email, they take the sender's email address, the receiving address, and 8 random alphanumeric characters (we'll call this "K"). The sender then initializes an 8-byte counter starting at 8 x 0x00. The sender then does a SHA-1 hash of the string with the counter appended on the end, and then increments the counter and repeats until the last 4 bytes of the SHA-1 are 0x00. It then saves the number
Re:hashcash-based blocking system (Score:2)
And the end result would be...spammers using 250,000 zombies to send a given spam instead of 150,000. No noticable change in volume of spam.
Re:hashcash-based blocking system (Score:2)
Anti-SPAM appliance (Score:1)