anti-spam measures


Roedy Green

I have summarised my ideas on spam at
http://mindprod.com/jgloss/spam.html

It is a challenging technical problem, and I don't think we will make
much progress without an overhaul of the basic mail system.

This means we can't wait for total gridlock before acting. The
solution is difficult both technically and politically.
 

Thomas Weidenfeller

Follow up set to news.admin.net-abuse.email (be careful in that group,
hints at the end of this posting)

Roedy said:
1. legal means.

Seems to fail. But there are three issues:

1. No anti-spam laws, or some existing anti-spam laws are a joke.
CAN-SPAM anyone?

But even if there would be strong anti-spam laws:

2. It would not even take anti-spam laws to bring spammers behind bars.
E.g. most of these V1a.g!Ra online "pharmacies" operate illegally under
existing drug laws in most countries. Most "stock newsletter" spams run
illegal pump-and-dump scams. Selling e-mail addresses might violate
privacy laws in some countries. The list is endless, credit card
phishing, 419 scams, MLM scams, identity theft, theft of service.
Spammers do it all.

3. Enforcement: Not even the existing anti-spam laws or criminal laws
are enforced. Almost no law-enforcement agency around the world is
interested. And/or most are just not competent with this "internet
thingy". They could nail spammers for a large number of things, they
just don't do it.

However but spammers will be able to hide anywhere on
earth. Surely some third world country will harbour them just as the
Cayman Islands harbours crooked companies. With the net, they can set
up shop in SomethingIstan and have effective storefronts in every
country.

Chinese ISPs are good at this, but the US is still leading. Go to

http://www.spamhaus.org/

scroll to the end of the page, have a look at the top-ten lists, and weep.

2. boycotts.

Google for the term "Boulder pledge" and take it:

/Under no circumstances will I ever purchase anything offered to me as
the result of an unsolicited e-mail message. Nor will I forward chain
letters, petitions, mass mailings, or virus warnings to large numbers of
others. This is my contribution to the survival of the online community./

Also Google for boycott lists like SPEW, SBL, AHBL, etc. and initiate
the usage at your mail server.

3. technology. I see a new email delivery system evolving to
completely replace POP3/SMTP. It will have a number of features.

Hmmm, has also been discussed endlessly. Unfortunately, all alternatives
didn't look so great once thoroughly examined by experts.

I suggest you take the discussion to news.admin.net-abuse.email (no
hyphen in the word "email") where it is more on-topic. I set a follow-up
already.

But be warned, the people there are very different beasts, grumpy old
admins who have to shovel millions of spam out of their systems day and
night and know every detail of SMTP. Trigger happy anti-spammers,
super-kooks (the worst nicknamed Moronis and Lamie, you best ignore
them). Brace yourself for foul language, and occasionally watch a
spammer trying to excuse his sad existence.

Wear nomex underwear, don't top-post (these guys over there really mean
it), and also be prepared that spammers like to flood the group (google
for Hipcrime, aka Dipslime) with thousands of messages once a year or so.

/Thomas
 

George Neuner

2. boycotts. We must educate people to ensure spammers DON'T get
whatever it is they want from spamming.

Increasingly I have noticed spam which is just one or more paragraphs
of random words - just machine generated nonsense. The only reason I
can think of for sending such a message is to clog servers and waste
bandwidth.

George
 

Christophe Vanfleteren

George said:
Increasingly I have noticed spam which is just one or more paragraphs
of random words - just machine generated nonsense. The only reason I
can think of for sending such a message is to clog servers and waste
bandwidth.

George

No it isn't. It is a silly attempt to poison bayesian filters, by having a
high contents of non-spam words in the message.

Most of the time, there's also a text/html message attached that has the
actual spam in it (my mail-client can be told not to render those, so only
the random words show up).
 

Nigel Wade

Nigel> Definitely. I have blacklisted several commercial
Nigel> organizations who would not take any notice of the requests I
Nigel> sent to them to stop the UCE. They now get a rejection message
Nigel> from our mail server pointing out that they are spammers, and
Nigel> that we don't accept mail from them.

I hope this doesn't mean you sent bounce messages. About half of the
spam I get are bounce messages telling me what a bad boy I am, for
having my email address spoofed by a virus.

Definitely not. As I said, I reject the messages (with a 5xx) at SMTP
time. I do the same with viruses and mail which SpamAssassin scores at
over 15.

I hate collateral spam even more than actual spam since most of it is
entirely avoidable.

Nigel> That's unjustified. The current email system was developed
Nigel> with a great deal of thought over many years. It was
Nigel> developed as a means of communication between cooperating and
Nigel> consenting parties. The blame for spam lies entirely with
Nigel> commercialism.


No, it's more legacy. The system could have been improved since it
was produced, but it's too hard to get everyone to update their systems.
Even if we invent new technology this will still cause a difficulty.

It certainly was not cooked-up overnight as a demo, which is what I was
objecting to. Yes, it could have been improved, and it certainly requires
it now, but as you rightly say it will be very difficult. Whilst the mail
servers are designed to meet RFCs, the actual implementations of those
RFCs are many and varied. All of them would need to be changed within a
short time if any progress is to be made without bringing the entire
global email system to a halt.
 

Roedy Green

Increasingly I have noticed spam which is just one or more paragraphs
of random words - just machine generated nonsense. The only reason I
can think of for sending such a message is to clog servers and waste
bandwidth.

If cleverly chosen, it might confuse spam filters that just look at
word frequencies rather than semantic sense.
 

FISH

Roedy Green said:
I had a bit of a fright the other day. I thought for a while I was
under a email denial of service attack. I wondered if I would ever be
able to post even a munged public email address ever again.


There was one scheme I remember being suggested many years back,
which I wish had been carried through. It did contain an interesting
programming problem which would be on-topic here.

Basically it was a distributed mouse-trap scheme, which looked a
little like Usenet news. If you don't know what a mouse trap is,
then it works like this: sys admins create bogus 'cheese' email
addresses, then leave them in places where they know spammers would
look, but humans are unlikely to mistake them. For example clearly
flagged in the sig of a newsgroup posting, or as "email:" links on
an obscure web page which only web bots would find interesting. The
only email which will arrive at these addresses is spam - because
only automated software would be dumb enough to collect and use them.

The mailboxes of these addresses are tied to a software which analyses
each spam mail as it arrives, creates a signature, then scans
legitimate user mailboxes (and incoming mail) for mail which matches that
sig. The beauty of the scheme is the more successful the spammers are
at harvesting addresses, the more cheese they will get, and the more
networks will be 'alerted' to their spam.

To round the idea off, the original suggestion proposed a kind of
Usenet like scheme, where sigs which arrive at one mouse trap are
automatically forwarded on to other ISPs and networks - in the same
way that newsgroup messages posted at one news service are then
distributed around the net. This creates a global network of mouse traps
- once a spam arrives at one cheese address, a process of identification
and notification begins.

The programming problem is this: how to create a sig which is short
enough to be practical in such a system, while flexible enough to adapt
to random changes introduced into each message by spammers. For
example, MD5 and SHA-1 are useless - they will only work if the spam
bodies are identical. There needs to be a way of creating an 'imprint'
of a message which works even when the data isn't absolutely identical.
(Kind of like a fuzzy logic hashing algorithm!! :)

I'm not sure if that problem is even solvable - although one idea I
had was to focus on the constant aspects of a spam mail. No matter
what garbage they fill the body of the message with, ultimately all
spam (well, almost all!) has to have some kind of contact address -
so you can buy the crap they are selling. Some things like snail
mail addresses and phone numbers are quite inflexible - they can't
be easily randomised. Stuff like email addresses and web addresses
are more flexible - but only to a point. One can easily randomise
the filename part of a URL, but randomising the domain has fewer
possibilities - (because the spammer has to 'own' all the variations
used, and therefore in any practical sense they are unlikely to be
able to employ more than a few dozen different variations.)

There is an obvious problem with this... suppose our spammer uses
(e-mail address removed) as their contact address - our software
locates this and realises that the account name part of the address
can be easily manipulated, but the domain cannot... so it then
sends out a message warning all other anti-spam servers to be on
the look out for mail containing "yahoo.com"...! Whoooops! :)

Ah well, it would have been a nice idea if it had worked! :)


-FISH- ><>
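
The "fuzzy hashing" problem and the yahoo.com pitfall from the post above, as an added example that is not part of the original thread. MinHash over word shingles stands in for the 'imprint' (a technique chosen here, not one proposed in the post); the `SHARED_DOMAINS` list, the function names and all three messages are constructed assumptions.

```python
import hashlib
import re

# Assumption: providers shared by many unrelated users never count as a spammer's "constant".
SHARED_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com"}
NUM_HASHES = 32  # signature length: 32 integers per trapped message
ADDRESS = re.compile(r"(?:https?://|[\w.+-]+@)([a-z0-9.-]+\.[a-z]{2,})\S*")


def contact_domains(text):
    """Domains of URLs and e-mail addresses, excluding shared providers."""
    return {d for d in ADDRESS.findall(text.lower()) if d not in SHARED_DOMAINS}


def shingles(text, k=3):
    """Overlapping k-word windows after reducing each address to its domain."""
    flat = ADDRESS.sub(r" \1 ", text.lower())
    words = re.findall(r"[a-z0-9']+", flat)
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}


def signature(text):
    """MinHash: for each seed keep the smallest hash over all shingles."""
    grams = shingles(text)

    def h(seed, gram):
        digest = hashlib.sha1(f"{seed}:{gram}".encode()).digest()
        return int.from_bytes(digest[:4], "big")

    return [min(h(seed, g) for g in grams) for seed in range(NUM_HASHES)]


def similarity(sig_a, sig_b):
    """Share of equal slots; estimates the Jaccard overlap of the shingle sets."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / NUM_HASHES


# Constructed sample messages (not real spam).
TRAPPED = ("Cheap meds shipped overnight with no prescription needed. "
           "Lowest prices guaranteed on all brands. Order today at "
           "http://pills.example/buy?id=83k2 or write to sales99@yahoo.com")
VARIANT = ("Cheap meds shipped overnight with no prescription needed. "
           "Lowest prices guaranteed on all brands. Order today at "
           "http://pills.example/go?id=q7zz1 or write to sales41@yahoo.com "
           "walnut ferry")
LEGIT = ("Hi team, the quarterly report is attached. Reply to me at "
         "dana@yahoo.com if anything looks wrong.")

if __name__ == "__main__":
    trap_sig = signature(TRAPPED)
    for name, msg in (("variant", VARIANT), ("legit", LEGIT)):
        print(name, similarity(trap_sig, signature(msg)), contact_domains(msg))
```

The variant differs from the trapped message in its URL path, mailbox name and trailing filler, so an exact SHA-1 of the body no longer matches, while the 32-slot signature still does.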
 

Roedy Green

To round the idea off, the original suggestion proposed a kind of
Usenet like scheme, where sigs which arrive at one mouse trap are
automatically forwarded on to other ISPs and networks - in the same
way that newsgroup messages posted at one news service are then
distributed around the net. This creates a global network of mouse traps
- once a spam arrives at one cheese address, a process of identification
and notification begins.

This is similar to Vipul's Razor.

See http://mindprod.com/jgloss/vipul.html
 

George Neuner

No it isn't. It is a silly attempt to poison bayesian filters, by having a
high contents of non-spam words in the message.

Hadn't thought of that.

Most of the time, there's also a text/html message attached that has the
actual spam in it (my mail-client can be told not to render those, so only
the random words show up).

No. I'm the sysadmin in the small company where I work and I can look
at the messages raw in the server logs and mail archives. Not all but
many of these messages contain absolutely nothing but nonsense.

George
 

Grant Wagner

Roedy said:
3. technology. I see a new email delivery system evolving to
completely replace POP3/SMTP. It will have a number of features.

a. automatic encryption, compression, digital signing.
b. full use of the 8-bit channels.
c. a sender pays receiver system so any spam that does leak through
still costs the spammer.
d. the best anti-spam thinking that is built in, suitable for
technopeasants.
e. suitable for exchanging large files, and common files.
f. ways to protect against denial of service attacks.
g. designed from the ground up for technopeasants. Everything is
automatic.

The original email system was cooked up overnight as a demo. The
author surely never dreamed his system would be used almost unmodified
for planetary email scheme. It needs a major overhaul.

There are things that can be done now, immediately, within the limitations
of existing technology, to help fix some of the mess:

<url: http://www.circleid.com/print/151_0_1_0/ />

Unfortunately the organizations and individuals who run mail servers seem
unwilling or unable to put this mechanism in place, or uninformed about
the benefits of implementing such a scheme.
 

Roedy Green

There are things that can be done now, immediately, within the limitations
of existing technology, to help fix some of the mess:

<url: http://www.circleid.com/print/151_0_1_0/ />

He calls for DNS registration of all outgoing mailservers.

The key to any spam system has to be easy identification of sender,
and non-forgeability.

At some point you become exasperated enough to say, I don't want to
talk to anyone who has not got a publicly verifiable good reputation.
I don't want to talk to anyone who has merely an empty reputation.

We need electronic analogs for reputation checking to the Better
Business Bureau, platinum credit cards, awards, degrees, exclusive
club memberships, letter of introduction, references ...

The other key point is we must make spam cost enough to discourage it.
Right now receivers subsidize the spammers.

I think a fee paid from sender to receiver should be sufficient to
stem the tide. For most people, it would balance out or they would
make money. Perhaps the receiver could even set his own fee, depending
on just how strongly he wanted to discourage unsolicited mail. You
then have the problem of crooks setting up traps to SOLICIT mail at
high fees and offering nothing in return.
 

Nigel Wade

There are things that can be done now, immediately, within the limitations
of existing technology, to help fix some of the mess:

<url: http://www.circleid.com/print/151_0_1_0/ />

Unfortunately the organizations and individuals who run mail servers seem
unwilling or unable to put this mechanism in place, or uninformed about
the benefits of implementing such a scheme.

Probably it's more likely that administrators of email systems can see the
weaknesses of the method rather than focusing on the strengths. Even the
proponent of the system recognises it has problems and provides fixes for
the most glaring ones.

The most obvious one is that MX records identify systems which are set up
to *receive* email, not to send it. So, if an organisation has hosta set up
to send mail and hostb set up to receive it, what should happen is that
hostb has an MX record and hostb does not. That way, anyone attempting to
send mail to the organisation will lookup the MX record for the domain and
get hostb. If both hosta and hostb have MX records they are advertising
the fact that hosta and hostb receive mail. This is wrong. When a mail
server wishing to send to the domain asks for an MX record they may get
either hosta or hostb, but hosta won't accept the mail. The "fix" for this
suggested by the author is a kludge, and shows why many of these proposals
just don't stand up to scrutiny.
 

Roedy Green

When a mail
server wishing to send to the domain asks for an MX record they may get
either hosta or hostb, but hosta won't accept the mail. The "fix" for this
suggested by the author is a kludge, and shows why many of these proposals
just don't stand up to scrutiny.

What if there were recorded in the MX records both send only, receive
only and both mail servers and perhaps an administrative mail server
that could only be sent to from other administrative mail servers.
 

Nigel Wade

What if there were recorded in the MX records both send only, receive
only and both mail servers and perhaps an administrative mail server
that could only be sent to from other administrative mail servers.

I'm not sure what you mean.
 

Roedy Green

I'm not sure what you mean.

What I am suggesting is extending the MX record or replacing it with
something that records the type of mailserver:
send-only, receive-only, both, neither (temporarily inactive).

I also suggest inventing yet another category of mailserver, the
administrative, which the public is not invited to use, only other
registered administrative mailservers. If the service is abused, you
can shut the offender off by deregistering or blacklisting his send,
receive or administrative mail servers.
 

Nigel Wade

What I am suggesting is extending the MX record or replacing it with
something that records the type of mailserver:
send-only, receive-only, both, neither (temporarily inactive).

I also suggest inventing yet another category of mailserver, the
administrative, which the public is not invited to use, only other
registered administrative mailservers. If the service is abused, you
can shut the offender off by deregistering or blacklisting his send,
receive or administrative mail servers.

Ok, I see what you mean.

That looks like a not insignificant change to DNS. It may break
every mail server in existence, and that just might be a case of a cure
which is worse than the complaint.
 

Roedy Green

That looks like a not insignificant change to DNS. It may break
every mail server in existence, and that just might be a case of a cure
which is worse than the complaint.

That's the whole idea. If mailservers don't comply, they can't
communicate in the new system. The old system becomes the skid row of
the Internet.
 

Nigel Wade

That's the whole idea. If mailservers don't comply, they can't
communicate in the new system. The old system becomes the skid row of
the Internet.

I think it's more likely your new system will disappear into obscurity.

Who's going to set up a new mail server which can't communicate with any
existing mail servers?
 

Roedy Green

I think it's more likely your new system will disappear into obscurity.

Who's going to set up a new mail server which can't communicate with any
existing mail servers?

You have to have a phase over, gradually excluding the laggards. It
works like evolution, "God" has to put selective pressure if he wants
to consciously direct evolution.
 

Dale King

Nigel Wade said:
I think it's more likely your new system will disappear into obscurity.

Who's going to set up a new mail server which can't communicate with any
existing mail servers?


You are right that some small mail server cannot do it. But if the major
players jointly agree to enforce something like that then people will have
no choice but to comply. And that is actually what is happening. AOL, MSN,
and Yahoo are joining forces to fight spam and it will be something like what was
described:

http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=9400061
 
