Previous Politech message: "Will new 'spam reduction' service result in... more spam?" http://www.politechbot.com/p-04580.html Also note that Mailblocks has changed their privacy policy (see the next Politech message). -Declan --- Date: 24 Mar 2003 14:33:55 -0500 From: "John R Levine" <johnlat_private> To: "Declan McCullagh" <declanat_private> Subject: Re: FC: Will new "spam reduction" service result in... more spam? Cleverness: None detected > CNET (among other news sites is touting Mailblocks, a "new class of email > service that completely rids your Inbox of spam and offers the powerful > features you want in your web mail." After reading the ToS and privacy > policy, I certainly will not recommend the service. The only thing that's new about Mailblocks is that their founder has a high enough profile that he got reporters to talk to him. There are plenty of other mail challenge systems, both freeware and commercial. Even the ones that aren't privacy disasters don't work well. For one thing, a lot of people won't respond. Some less technical users assume it's spam or another incomprehensible message from their ISP and delete it. Some better informed users won't respond because (with good reason) they don't trust the challenge service not to misuse their addresses. Some of us are really tired of misconfigured challenge systems that send challenges to mail from lists to which the user has subscribed, or to a response that the challenge user sent, so to minimize the damage we don't respond to any of them. In the long run, these challenge systems are a bad idea because they treat correspondents' e-mail addresses as passwords. But they're just about the worst kind of password you can imagine, easy to guess, easy to spoof, and hard to change. We're already seeing spam sent with random forged return addresses, which among other things reverse spams the forged user when the spam hits a challenge. If challenges become at all popular, we can expect spammers to start harvesting mail in bunches to try and maximize the chance that the forged return address is already in the victim's whitelist. And remember that for spammers, if that works 1% of the time, that's "success". I can hardly wait. Regards, John Levine, johnlat_private, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner "A book is a sneeze." - E.B. White, on the writing of Charlotte's Web --- Date: Mon, 24 Mar 2003 20:40:13 +0100 To: declanat_private From: Brad Knowles <brad.knowlesat_private> Subject: Re: FC: Will new "spam reduction" service result in... more spam? Cc: politechat_private Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 2:02 PM -0500 2003/03/24, Declan McCullagh wrote: > CNET's article here: http://news.com.com/2010-1071-992911.html From this article: Before allowing e-mails through to your in-box, Mailblocks automatically transmits a numerical password to first-time correspondents. The senders must then retype the code into an onscreen dialog box before the system acknowledges them as legitimate. This is no different from a package called "TMDA" (see <http://tmda.net/>), which has been in existence for a while. It's not the only package of this sort, but is one of the ones that is better-known. So, he's going to make money by selling a package that he claims is better at doing the TMDA job than TMDA itself, and in return he gets to spam you endlessly? I don't think so.... -- Brad Knowles, <brad.knowlesat_private> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++) --- Date: Mon, 24 Mar 2003 16:16:13 -0800 To: politechat_private From: Steve Schear <schearat_private> Subject: FC: Will new "spam reduction" service result in... more spam? Cc: asrgat_private In-Reply-To: <20030324232728.67BCF84F8at_private> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed From NYTimes.com http://www.nytimes.com/2003/03/24/technology/24PHIL.html Start-Up Aims to End Spam March 24, 2003 By JOHN MARKOFF >In addition to legislative proposals before Congress and >state legislatures, there are efforts under way within the >direct marketing industry to try to deal with spam. And >last week, the Internet Engineering Taskforce, a committee >of technology experts that sets Internet standards, met in >San Francisco to listen to proposals for technical >solutions to spam. I've been monitoring and contributing to the mail list associated with this IETF function now for about two weeks. Most of the people are looking for a magic bullet to cure spam but I think it will not be that simple. If it were it would have already been done. It seems all the seemingly good long term spam elimination approaches either require notable changes to the Internet's email or other infrastructure, make it difficult for some classes of current email users, or the require the establishment of new services (e.g., financial infrastructure to support real value e-stamps). >The Mailblocks antispam service is based on a so-called >challenge-response mechanism to block bulk mail sent >automatically to e-mail accounts. When a customer receives >a new message from an unknown correspondent, the system >will intercept the message and automatically return to the >sender a digital image of a seven-digit number and a form >to fill out. Once a human being views that number and types >it into the form - demonstrating that he or she is a person >and not an automated mass-mailing machine - the system will >forward the e-mail to the intended recipient. E-gold uses this approach. They call it a Turing number (after the British mathematician, Alan Turing) https://www.e-gold.com/acct/login.html Challenge responses may eliminate spam from bogus addresses but it almost sure to set of an image recognition arms race between other spammers and Turing number technologists as the try to fashion ever more cleaver images that supposedly can be easily read by humans but not machines. There are already programs to "read" earlier (and maybe current versions of E-gold's Turing number images. I would be surprised if these measures proved effective steve --- Date: Mon, 24 Mar 2003 17:32:56 -0800 From: Brad Templeton <bradat_private> To: Steve Schear <schearat_private> Cc: politechat_private, asrgat_private Subject: Re: [Asrg] FC: Will new "spam reduction" service result in... more +spam? On Mon, Mar 24, 2003 at 04:16:13PM -0800, Steve Schear wrote: > E-gold uses this approach. They call it a Turing number (after the British > mathematician, Alan Turing) > https://www.e-gold.com/acct/login.html Challenge responses may eliminate > spam from bogus addresses but it almost sure to set of an image recognition > arms race between other spammers and Turing number technologists as the try > to fashion ever more cleaver images that supposedly can be easily read by > humans but not machines. There are already programs to "read" earlier (and > maybe current versions of E-gold's Turing number images. I would be > surprised if these measures proved effective Actually, it is an interesting question of what arms races spammers would wish to engage in. >From a purely rational standpoint (bear with me on this!) the spammer simply wants to send as many messages to the best prospects per unit of time and bandwidth. This means that if the spammer gets a challenge (or even something as simple as a temporarily unavailable status) they can do one of two things: a) Try to respond to the challenge b) Simply move on to delivering the next message in the list. As long as B is easier than A, the rational thing to do is to just do B. This changes in two cases. If most people start issuing challenges or other such barriers, B is no longer productive, and so you now start the arms race -- but only until you have enough people to send to again. Secondly, if you have some idea as to the "quality" of an address, in terms of probability of making a sale (direct marketers try to measure this all the time) then you are motiviated to do extra work on the higher "quality" targets. Finally, spammers will not be rational, and may wish to get in an arms race for the spite or challenge of it. (There's a lot of spite in both directions in this field.) Nonetheless, I think people overestimate the arms race. I have seen challenge response systems that try to do natural language questions, or embed images only the human eye can see in graphics. I wrote a challenge/response system six years ago that simply asks for any reply at all -- it doesn't put any burden on the other party, and would be easy to defeat with something as simple as an autoresponder. Yet it works, the spammers have not attempted to use this simple defeat. Once they start, I will easily enough move to something else, but it is telling that in six years they have not, even though others have also built a number of challenge/response systems since then. Sometimes spammers have autoresponders for other reasons, but they have been easy for me to eliminate. --- Date: Tue, 25 Mar 2003 09:13:46 -0500 To: Brad Templeton <bradat_private> From: Kee Hinckley <nazgulat_private> Subject: Re: [Asrg] FC: Will new "spam reduction" service result in... more spam? Cc: Steve Schear <schearat_private>, politechat_private, asrgat_private Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 5:32 PM -0800 3/24/03, Brad Templeton wrote: >I wrote a challenge/response system six years ago that simply asks for any >reply at all -- it doesn't put any burden on the other party, and would be >easy to defeat with something as simple as an autoresponder. Yet it works, >the spammers have not attempted to use this simple defeat. Once they start, If a challenge response system puts messages in the "look at me later" queue if you don't respond, then I don't think spammers will care. (And it's not clear that you'll be that much happier as a user of the system. You will have to scan the queue.) Why is not clear to me is a) how anyone expects your typical user to whitelist commercial addresses and mailing lists in advance and b) how a challenge response system (which had *better* respond to envelope from) avoids getting them removed from said list, or not receiving notification about their purchase or what not. Just consider the following. 1 User sends email to asrg-requestat_private?subject=subscribe 2 Think quick. What address should you whitelist? asrgat_private? asrg-requestat_private? Nope. asrg-adminat_private And you knew that because...? 3 asrg sends back a confirmation request. Now as it happens, it does this from asrg-adminat_private (envelope) and asrg-request (from). But some mailers use a custom address for this. But let's assume we're dealing with the average user here. They either didn't do anything at all (forgot they had to) or their software whitelisted based on the To: address (asrg-request). 4.1 A challenge gets sent back to the asrg list. The result depends on a combination of how the list software works and how the challenge software constructed its reply. 4.1.1 It's treated as a bounce and the user is not added 4.1.2 It's treated as a confirmation and the user is added 4.1.3 It goes to the admin, who says something I can't repeat and throws it in the trash. 4.2 It makes it through because we whitelisted the right thing. 5 The first list message comes through. If you had whitelisted asrg-admin, you're fine. If you whitelisted asrg-request, we challenge it. If the list software uses a different envelope from each time, you got problems. Now, let's take amazon.com. I've received automated email from payments-messagesat_private, ordersat_private, auto-confirmat_private, eyesat_private, amazon-news-senderat_private, editer-senderat_private, science-fiction-editorat_private and they actually send mail from their domain--never mind what happens if they higher m0.net or someone to deliver it. And if you start sending challenges to those--Amazon's going to see them as bounces and dump me. Of course we could just whitelist all of amazon.com. But I rather suspect the spammers might figure that one out. If you want challenge/response to work, the first thing you should do has nothing to do with challenge/response. The first thing is to come up with an RFC for a standard format for challenges so that automated mail systems can recognize that they aren't the same as bounces. And come up with a protocol whereby they can reply and say "Yo! I'm an automated system you idiot." Where you go from there I don't know. However, see my next message on "Protocols". -- Kee Hinckley http://www.puremessaging.com/ Junk-Free Email Filtering http://commons.somewhere.com/buzz/ Writings on Technology and Society --- Cc: Brad Templeton <bradat_private>, Steve Schear <schearat_private>, politechat_private, asrgat_private To: Kee Hinckley <nazgulat_private> From: Chuq Von Rospach <chuquiat_private> In-Reply-To: <p06000d08baa60f450f0b@[192.168.1.104]> Message-Id: <E3A4437C-5EDF-11D7-980A-0003934516A8at_private> Content-Transfer-Encoding: 7bit X-Mailer: Apple Mail (2.551) On Tuesday, March 25, 2003, at 06:13 AM, Kee Hinckley wrote: > > Why is not clear to me is a) how anyone expects your typical user to > whitelist commercial addresses and mailing lists in advance I think there has to be a responsibility here for the commercial sender to help the user figure this out. In fact, it's one of the issues I'm mulling over in revamping system documentation on my lists and other things. we're now seeing enough challenges that we have to find a way to help users figure this out. (FWIW, we don't respond to challenges. We've talked it over and decided if the user hasn't whitelisted us, we shouldn't validate from the outside. we ring the bell, we don't turn the knob. To me, the risks of validating a whitelist and upsetting someone are a lot worse than the risks of someone under a whitelist expecting to get a subscription and no realizing why it's not happening.) We're probably going to add language explaining whitelisting issues to our stuff down the road, since t seems like whitelists are starting to be used fairly widely and I expect that trend to continue. > 1 User sends email to asrg-requestat_private?subject=subscribe > 2 Think quick. What address should you whitelist? asrgat_private? > asrg-requestat_private? Nope. asrg-adminat_private And you knew that > because...? Because I read the FAQ, and it told me. > And if you start sending challenges to those--Amazon's going to see > them as bounces and dump me. > > Of course we could just whitelist all of amazon.com. But I rather > suspect the spammers might figure that one out. So amazon has to figure out whitelists, too, and help people understand what addresses things will come from. With a foot on both sides of this cashm, I really feel the sender of this mail shouldn't put the burden of responsibility on the user here. They need to help them out. --- Cc: Brad Templeton <bradat_private>, Steve Schear <schearat_private>, politechat_private, asrgat_private To: Kee Hinckley <nazgulat_private> From: Chuq Von Rospach <chuquiat_private> In-Reply-To: <p06000d08baa60f450f0b@[192.168.1.104]> Message-Id: <E3A4437C-5EDF-11D7-980A-0003934516A8at_private> Content-Transfer-Encoding: 7bit X-Mailer: Apple Mail (2.551) On Tuesday, March 25, 2003, at 06:13 AM, Kee Hinckley wrote: > > Why is not clear to me is a) how anyone expects your typical user to > whitelist commercial addresses and mailing lists in advance I think there has to be a responsibility here for the commercial sender to help the user figure this out. In fact, it's one of the issues I'm mulling over in revamping system documentation on my lists and other things. we're now seeing enough challenges that we have to find a way to help users figure this out. (FWIW, we don't respond to challenges. We've talked it over and decided if the user hasn't whitelisted us, we shouldn't validate from the outside. we ring the bell, we don't turn the knob. To me, the risks of validating a whitelist and upsetting someone are a lot worse than the risks of someone under a whitelist expecting to get a subscription and no realizing why it's not happening.) We're probably going to add language explaining whitelisting issues to our stuff down the road, since t seems like whitelists are starting to be used fairly widely and I expect that trend to continue. > 1 User sends email to asrg-requestat_private?subject=subscribe > 2 Think quick. What address should you whitelist? asrgat_private? > asrg-requestat_private? Nope. asrg-adminat_private And you knew that > because...? Because I read the FAQ, and it told me. > And if you start sending challenges to those--Amazon's going to see > them as bounces and dump me. > Of course we could just whitelist all of amazon.com. But I rather > suspect the spammers might figure that one out. So amazon has to figure out whitelists, too, and help people understand what addresses things will come from. With a foot on both sides of this cashm, I really feel the sender of this mail shouldn't put the burden of responsibility on the user here. They need to help them out. ------------------------------------------------------------------------- POLITECH evening reception in New York City at 7 pm, April 1, 2003 at CFP: http://www.politechbot.com/events/cfp2003/ ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/ Like Politech? Make a donation here: http://www.politechbot.com/donate/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Mar 25 2003 - 10:58:20 PST