Re: Hashcash - was re: Spam fights

2004-06-11 Thread Russell Coker 
On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote:
> In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has 
been seen typing:
> > Besides, with an army of Windows Zombies you could generate those
> > signatures anyway...
>
> Why bother, when said windows machines will have perfectly good
> signatures stored on them somewhere already?

Presumably the signature would be based on the envelope recipient and 
therefore signatures you find on someone else's machine would not do any 
good.  If it was otherwise then a single signature would work for an entire 
spam run.

I am assuming that the sending machine would not store the signatures for 
messages it sent, which could be re-used if the spam messages were to have an 
ancient time-stamp.  However this still wouldn't be of any great use, not 
many people have more than 10,000 messages stored in their sent-mail folder 
and the common case is far less.  Capturing a lot of zombies to generate 
signatures would probably be easier than trying to find a machine that had a 
large sent-mail folder.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: Hashcash - was re: Spam fights

2004-06-11 Thread Russell Coker 
On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote:
> In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has 
been seen typing:
> > Besides, with an army of Windows Zombies you could generate those
> > signatures anyway...
>
> Why bother, when said windows machines will have perfectly good
> signatures stored on them somewhere already?

Presumably the signature would be based on the envelope recipient and 
therefore signatures you find on someone else's machine would not do any 
good.  If it was otherwise then a single signature would work for an entire 
spam run.

I am assuming that the sending machine would not store the signatures for 
messages it sent, which could be re-used if the spam messages were to have an 
ancient time-stamp.  However this still wouldn't be of any great use, not 
many people have more than 10,000 messages stored in their sent-mail folder 
and the common case is far less.  Capturing a lot of zombies to generate 
signatures would probably be easier than trying to find a machine that had a 
large sent-mail folder.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

あのとき5千万円■イマ1千万 円■北京オリンピック特需■楽 々して大金■苦労して損金■1 00万円証券6券600万円賞金

2004-06-11 Thread KKB通信       
[EMAIL PROTECTED](B
$B!!(B
$B(B
 $B$3$l$+$i$N!"[EMAIL 
PROTECTED]|1_0J>eCy6b!!![$O!"[EMAIL PROTECTED](B

$B(,(,(B[$B<}F~3HBg$KI,FI!X2?8N9b3[<}F~$K$J$k!*(B 
$B!Y(B]$B(,(,(B[$B>epJs$H(BPR$B$N3hMQ$GL\E*$N$?$a$N<}F~3HBg!*(,(B


$B"!"!"!(,!y!!:#$,7hCG$N%A%c%s%9!&>-Mh$N=PH/[EMAIL 
PROTECTED]/FC<{$KJX>h!!!y(,(,(,(,(,(,(,!~(B

$B"!$"$N;[EMAIL PROTECTED]|1_$"$C$?$i"!:[EMAIL 
PROTECTED]|1_$"$C$?$i"!6a$$>[EMAIL PROTECTED]|1_$,$"$C$?$i"!(B
$B"#$"$N;~$h$j!&6a$$>-Mh$h$j!!!|$$$^$N([EMAIL 
PROTECTED]|1_$"$C$?J}$,$H;W$&J}$OB??t$G$9!|(B

$B!!>[EMAIL 
PROTECTED]|1_$h$j!&7P:Q8z2L$O!&@83h8~>e8z2L$O!&0B?48z2L$O(B
[EMAIL PROTECTED]|1_!W$NJ}$,!"$O$k$+$KBg$-$$8z2L!&3N!&4jK>!&OC$NOC$G$O8z2L$O4|BT$G$-$^$;$s!*>Z5r!"$7$+$bJ*E*>Z5r$+$i=PH/!*(B


$B"#(!(B[PR]$B(!#22/1_(!(!(!(!(!(!(!(!(!(!(!"#>Z5r8+$;$^$9(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(B

$B"##32/1_0J>e<}F~Z5rM-!*%M%C%HM>2K3hMQ%S%8%M%9!*!*$G<+M3$K;H$($kK~B-$JBg6b$r%5%,%9!*(B

$B!!(B 
$B%[!<%`$Z!<%8$r$4Mw4j$$$^$9(Bhttp://hosyou-no1.orgdns.org/[EMAIL 
PROTECTED]&5?$&$h$j!&>Z5r$G2r7h=PMh$^$9!#(B

$B(B  
$B(!(B[PR]$B(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(B
$B!!(B
$B!!"[EMAIL PROTECTED]"[EMAIL 
PROTECTED](B50$BL>8BDj$G!Z;q;:1?MQ%P%$%V%k![$rL5NA?JDh!*!*!!".(B
$B!!(B
$B!!(B $BI,MW$G$9!#G/6b!&ITF0;:!&@G6b!&MBCy6bEy$"[EMAIL 
PROTECTED];q;:[EMAIL PROTECTED],[EMAIL PROTECTED];q;:KI1R(B
$B!!(B 
$B!?9q:]%(%3%N%_%9%H?eLnN4FA4F=$!W$r(B50$BL>MM$K?JDh!*8B$j$,M-$j$^$9$N$G$*Aa$a$K!!(B
$B!!(B
   
$B%[!<%`$Z!<%8$r$4Mw4j$$$^$9!!(Bhttp://www2.health.ne.jp/redirect.php?LID=prenq01960
   
$B(!(B[PR]$B(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(B

 $B"#$=$NJ]81NA$KG<[EMAIL 
PROTECTED])<+F0$=$&!*(B
 
$B(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(B
$B!!(B $B%"%a%j%+%s%[!<%`!&[EMAIL 
PROTECTED]/%H$N<+F02A!WBh#10L!J3t<02q\$7$/$O$3$A$i$+$i(B
  
http://dt.magclick.com/.W/HLT0T7SZq%2BPihm6mRns/JZ5%2BsNWyibHa   


$B(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(B
$B!!$a$k$^$,%S%8%M%9#0#0#6#0#79f(B
$B!Z!!9-9pEj9F?o;~Jg=8Cf(B 
$B![!!9-9p!!(B5$B2s7G:\!!(B10$BF|!!7G:\$G(B3000$B1_!!9-9p#1#72s!!7G:\#4#5F|(B
$B(B   $B7G:\$G#4#0#0#01_!!(B $B!!(B
$B9-9p#1#02s7G:\!!#6#0F|7G:\$G#5#0#0#01_L5NAEj9F9-9p4?7^(B

$B(B
$B(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(B
$B"[EMAIL 
PROTECTED];v9`"$$3$N%a!<%k%^%,%8%s$K7G:\$7$F$$$k9-9p!&>pJs$K4X$7$FH/9T<[EMAIL 
PROTECTED]@UG$$rIi$$$^$;$s!#(B
[EMAIL PROTECTED]@UG$$rIi$$$+$M$^$9$N$G$4N;>5$/[EMAIL 
PROTECTED]@UG$$O9-9p7G:\http://hosyou003.orgdns.org/otenki/
 
$B(B 
$BKt$O(Bhttp://hosyou003.orgdns.org/teishi.html$B$+$i$*4j$$$7$^$9!#(B
 $B!!(B
$B9XFI?=$79~$_$NJ}$K!VAw?.!W$5$;$FD:$$$F$^$9!#K|0l!"8mG[$,$"$j$^$7$?$i!"Kt$O!V$$$?$:$i$G!"B>?MMM$N(B
  
$B!!%a!<%k$r;HMQ$7$F9XFI?=$79~$_$r$5$l$F$$$k>l9g$,$"$j$^$9$N$G8mG[$,$"$j!"?=$7LuM-$j$^$;$s!#$4MFe$2$^$9!#(B[$B$"$I$l$9$G2r=|(B]$B$G2r=|$r?=$7e$2$^$9!#(B

$B(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(B

$BH/?.8E20(B  $B1+(B  $BF^$j0l;~1+(B  
$B?73c(B$B1+(B  $B1+$N$AF^$j(B  
$B6bBt(B$B1+(B  $B1+$N$AF^$j(B  
$BBg:e(B$B1+$N$AF^$j(B  $BF^$j$N$A;[EMAIL PROTECTED](B
$B2,;3(B$B1+$N$AF^$j(B  $BF^$j(B
$B9-Eg(B$BF^$j(B$BF^$j(B
$B9b>>(B$B1+(B  $BF^$j(B
$BJ!2,(B$BF^$j(B[EMAIL PROTECTED](B
$B

Re: Spam fights

2004-06-11 Thread s. keeling 
Incoming from Rick Moen:
> Quoting Russell Coker ([EMAIL PROTECTED]):
> 
> > Some of the anti-spam people are very enthusiastic about their work.  I 
> > wouldn't be surprised if someone writes a bot to deal with CR systems.
> 
> A bot to detect C-R queries and add them to the refused-mail ACL list
> would be most useful.  ;->

A better one would be one that successfully negotiates the C-R
itself.  Then we can give the spammers a copy and teach the C-R
nitwits a lesson.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -

Re: Spam fights

2004-06-11 Thread Rick Moen 
Quoting Russell Coker ([EMAIL PROTECTED]):

> Some of the anti-spam people are very enthusiastic about their work.  I 
> wouldn't be surprised if someone writes a bot to deal with CR systems.

A bot to detect C-R queries and add them to the refused-mail ACL list
would be most useful.  ;->

$B$"$N$H$-#5@iK|1_"#%$%^#1@iK|(B$B1_"#KL5~%*%j%s%T%C%/FC<{"#3Z(B$B!9$7$FBg6b"#6lO+$7$FB;6b"##1(B$B#0#0K|1_>Z7t#67t#6#0#0K|1_>^6b(B

2004-06-11 Thread $B#K#K#BDL?.(B $B!!!!!!!!!!(B 
[EMAIL PROTECTED](B
$B!!(B
$B(B
 $B$3$l$+$i$N!"[EMAIL PROTECTED]|1_0J>eCy6b!!![$O!"[EMAIL 
PROTECTED](B

$B(,(,(B[$B<}F~3HBg$KI,FI!X2?8N9b3[<}F~$K$J$k!*(B 
$B!Y(B]$B(,(,(B[$B>epJs$H(BPR$B$N3hMQ$GL\E*$N$?$a$N<}F~3HBg!*(,(B


$B"!"!"!(,!y!!:#$,7hCG$N%A%c%s%9!&>-Mh$N=PH/[EMAIL 
PROTECTED]/FC<{$KJX>h!!!y(,(,(,(,(,(,(,!~(B

$B"!$"$N;[EMAIL PROTECTED]|1_$"$C$?$i"!:[EMAIL 
PROTECTED]|1_$"$C$?$i"!6a$$>[EMAIL PROTECTED]|1_$,$"$C$?$i"!(B
$B"#$"$N;~$h$j!&6a$$>-Mh$h$j!!!|$$$^$N([EMAIL 
PROTECTED]|1_$"$C$?J}$,$H;W$&J}$OB??t$G$9!|(B

$B!!>[EMAIL 
PROTECTED]|1_$h$j!&7P:Q8z2L$O!&@83h8~>e8z2L$O!&0B?48z2L$O(B
[EMAIL PROTECTED]|1_!W$NJ}$,!"$O$k$+$KBg$-$$8z2L!&3N!&4jK>!&OC$NOC$G$O8z2L$O4|BT$G$-$^$;$s!*>Z5r!"$7$+$bJ*E*>Z5r$+$i=PH/!*(B


$B"#(!(B[PR]$B(!#22/1_(!(!(!(!(!(!(!(!(!(!(!"#>Z5r8+$;$^$9(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(B

$B"##32/1_0J>e<}F~Z5rM-!*%M%C%HM>2K3hMQ%S%8%M%9!*!*$G<+M3$K;H$($kK~B-$JBg6b$r%5%,%9!*(B

$B!!(B 
$B%[!<%`$Z!<%8$r$4Mw4j$$$^$9(Bhttp://hosyou-no1.orgdns.org/[EMAIL 
PROTECTED]&5?$&$h$j!&>Z5r$G2r7h=PMh$^$9!#(B

$B(B  
$B(!(B[PR]$B(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(B
$B!!(B
$B!!"[EMAIL PROTECTED]"[EMAIL 
PROTECTED](B50$BL>8BDj$G!Z;q;:1?MQ%P%$%V%k![$rL5NA?JDh!*!*!!".(B
$B!!(B
$B!!(B $BI,MW$G$9!#G/6b!&ITF0;:!&@G6b!&MBCy6bEy$"[EMAIL 
PROTECTED];q;:[EMAIL PROTECTED],[EMAIL PROTECTED];q;:KI1R(B
$B!!(B 
$B!?9q:]%(%3%N%_%9%H?eLnN4FA4F=$!W$r(B50$BL>MM$K?JDh!*8B$j$,M-$j$^$9$N$G$*Aa$a$K!!(B
$B!!(B
   
$B%[!<%`$Z!<%8$r$4Mw4j$$$^$9!!(Bhttp://www2.health.ne.jp/redirect.php?LID=prenq01960
   
$B(!(B[PR]$B(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(B

 $B"#$=$NJ]81NA$KG<[EMAIL PROTECTED])<+F0$=$&!*(B
 
$B(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(!(B
$B!!(B $B%"%a%j%+%s%[!<%`!&[EMAIL 
PROTECTED]/%H$N<+F02A!WBh#10L!J3t<02q\$7$/$O$3$A$i$+$i(B
  
http://dt.magclick.com/.W/HLT0T7SZq%2BPihm6mRns/JZ5%2BsNWyibHa   


$B(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(B
$B!!$a$k$^$,%S%8%M%9#0#0#6#0#79f(B
$B!Z!!9-9pEj9F?o;~Jg=8Cf(B 
$B![!!9-9p!!(B5$B2s7G:\!!(B10$BF|!!7G:\$G(B3000$B1_!!9-9p#1#72s!!7G:\#4#5F|(B
$B(B   $B7G:\$G#4#0#0#01_!!(B $B!!(B
$B9-9p#1#02s7G:\!!#6#0F|7G:\$G#5#0#0#01_L5NAEj9F9-9p4?7^(B

$B(B
$B(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(B
$B"[EMAIL 
PROTECTED];v9`"$$3$N%a!<%k%^%,%8%s$K7G:\$7$F$$$k9-9p!&>pJs$K4X$7$FH/9T<[EMAIL 
PROTECTED]@UG$$rIi$$$^$;$s!#(B
[EMAIL PROTECTED]@UG$$rIi$$$+$M$^$9$N$G$4N;>5$/[EMAIL 
PROTECTED]@UG$$O9-9p7G:\http://hosyou003.orgdns.org/otenki/
 
$B(B 
$BKt$O(Bhttp://hosyou003.orgdns.org/teishi.html$B$+$i$*4j$$$7$^$9!#(B
 $B!!(B
$B9XFI?=$79~$_$NJ}$K!VAw?.!W$5$;$FD:$$$F$^$9!#K|0l!"8mG[$,$"$j$^$7$?$i!"Kt$O!V$$$?$:$i$G!"B>?MMM$N(B
  
$B!!%a!<%k$r;HMQ$7$F9XFI?=$79~$_$r$5$l$F$$$k>l9g$,$"$j$^$9$N$G8mG[$,$"$j!"?=$7LuM-$j$^$;$s!#$4MFe$2$^$9!#(B[$B$"$I$l$9$G2r=|(B]$B$G2r=|$r?=$7e$2$^$9!#(B

$B(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(,(B

$BH/?.8E20(B  $B1+(B  $BF^$j0l;~1+(B  
$B?73c(B$B1+(B  $B1+$N$AF^$j(B  
$B6bBt(B$B1+(B  $B1+$N$AF^$j(B  
$BBg:e(B$B1+$N$AF^$j(B  $BF^$j$N$A;[EMAIL PROTECTED](B
$B2,;3(B$B1+$N$AF^$j(B  $BF^$j(B
$B9-Eg(B$BF^$j(B$BF^$j(B
$B9b>>(B$B1+(B  $BF^$j(B
$BJ!2,(B$BF^$j(B[EMAIL PROTECTED](B
$B

Re: Spam fights

2004-06-11 Thread s. keeling 
Incoming from Rick Moen:
> Quoting Russell Coker ([EMAIL PROTECTED]):
> 
> > Some of the anti-spam people are very enthusiastic about their work.  I 
> > wouldn't be surprised if someone writes a bot to deal with CR systems.
> 
> A bot to detect C-R queries and add them to the refused-mail ACL list
> would be most useful.  ;->

A better one would be one that successfully negotiates the C-R
itself.  Then we can give the spammers a copy and teach the C-R
nitwits a lesson.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Spam fights

2004-06-11 Thread Rick Moen 
Quoting Russell Coker ([EMAIL PROTECTED]):

> Some of the anti-spam people are very enthusiastic about their work.  I 
> wouldn't be surprised if someone writes a bot to deal with CR systems.

A bot to detect C-R queries and add them to the refused-mail ACL list
would be most useful.  ;->



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Hashcash - was re: Spam fights

2004-06-11 Thread Rens Houben 
In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has been 
seen typing:
> Besides, with an army of Windows Zombies you could generate those signatures 
> anyway...

Why bother, when said windows machines will have perfectly good
signatures stored on them somewhere already?

> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page

-- 
Rens Houben   |opinions are mine
Resident linux guru and sysadmin  | if my employers have one
Systemec Internet Services.   |they'll tell you themselves
PGP key at http://swordbreaker.systemec.nl/~shadur/shadur.key.asc

Re: Hashcash - was re: Spam fights

2004-06-11 Thread Russell Coker 
On Fri, 11 Jun 2004 22:34, Patrick Maheral <[EMAIL PROTECTED]> wrote:
> It seems that most people here don't like CR systems, and I'd have to
> agree with that consensus.
>
> I'm just wondering what is the general feeling about using hashcash and
> other header signatures systems.

Currently you can't accept only such messages because almost no-one sends 
them.  Most people see no need to send them because almost no-one checks for 
them when receiving a message.

Anti-spam measures may be used on workstations eventually, but have to be 
initially installed at servers if they are to become popular.  The people who 
run big mail servers (AOL, Hotmail, etc) don't want to install hashcash for 
the same reason that spammers won't install it.

Besides, with an army of Windows Zombies you could generate those signatures 
anyway...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: Spam fights

2004-06-11 Thread Russell Coker 
On Fri, 11 Jun 2004 21:38, Dale Amon <[EMAIL PROTECTED]> wrote:
> That said, those who can afford it will hire human
> operators to act as email gatekeepers; those who can't
> will use whatever a salesman can convince them is
> affordable and works. Whether we like it or not will
> not figure into the decision.

Some of the anti-spam people are very enthusiastic about their work.  I 
wouldn't be surprised if someone writes a bot to deal with CR systems.

It should not be technically difficult to publish some email addresses, wait 
for challenge messages to come in response to virus messages, and then have 
it automatically send an appropriate response to the challenge followed by a 
series of flames.

> As to the "type in this random code from a jpeg",
> I use that on samizdata (a major blog for which I'm
> one of the editors). It stopped the problem of blog-spam
> cold; the human entry is stopped cold by having
> a team of writers who delete on sight.

One -> many communication is different.  If you want to get a letter to the 
editor published in a newspaper you have to confirm your identity and contact 
details before it will be considered.  This can involve a journalist phoning 
you to confirm your identity and permission for publication.  If you want to 
send mail to most mailing lists you have to subscribe first.  Blogs are in 
the same category so I agree with what you are doing there.

> At the end of the day, dealing with spam is an
> employment opportunity, not something that will be
> solved technically. Human problems require human
> solutions.

Sometimes human solutions involve humans writing and installing programs to 
implement them.  Totally stopping spam in an automatic manner is not 
possible.  Reducing it by a factor of 100 so that humans can manually deal 
with the residue is possible.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Hashcash - was re: Spam fights

2004-06-11 Thread Patrick Maheral 
It seems that most people here don't like CR systems, and I'd have to
agree with that consensus.

I'm just wondering what is the general feeling about using hashcash and
other header signatures systems.

Patrick

Re: Spam fights

2004-06-11 Thread Greg Folkert 
Sent to list.
On Thu, 2004-06-10 at 14:31, Jaroslaw Tabor wrote:
> Hello!
> 
> W liście z czw, 10-06-2004, godz. 19:06, Greg Folkert pisze: 
> > > Don't do it.  Confirmation systems are just as bad as the problems that 
> > > they 
> > > try to solve.
> > 
> > Here, here. Agreement on all fronts. If I get a challenge, I put it into
> > /dev/null
> 
> I'm really surprised with your opinion. Is it so big problem, to press
> reply, when you are sending first email to someone new ?
> You are receving confirmation request whenever you are trying to update
> DNS, subscribe to newsgroup or talking with any automatic service. Is it
> so difficult ?
You see there is a difference there. *I* initiated them, not some
spammer. If someone doesn't want mail that could be very valuable to
them, especially if they asked for it on D-U... forcing me to write
another e-mail JUST to help them... nope, ain't gonna happen.

> Currently, in many cases when I'm sending email to address found on
> website I'm receiving challenge, and I fully understand people doing it.
> Whitelist with email/IP can decrease also number of challenges from
> spammers: email comming from different IP can be treated as spam
> automatically.

I implemented SPAM Filtering software and have continued to train it
with ham and spam. I started when last year when I was getting ~ 6,000
Swen e-mails a day. My e-mail address is posted EVERYWHERE.

Since that point, I get maybe 3 a day. When they ("they" being the
spmmers) find a new way to trick the Bayesian testing I use I'll get a
spat of about 12 or so for a few days then back to maybe 3 a day. I use
server side software (maildrop and procmail) to do the sorting after it
has been graded by the filter.

I still get upto 1000 e-mail messages a day, but those are from mailing
lists and people I support via e-mail. If I had a CR system in place,
I'd have to maintain more than I want. Consider in a given day, I e-mail
about 30+ new people a day.

I also can be and am very busy in Debian's Mailing list(s), Samba, Exim,
Grip, Elitists and many other venues. If I got a CR back for every one
of the e-mails I sent to a mailing list, I'd be answering thousands of
NEW Challenges a week. Sounds like SPAM to me. When you understand that
nearly every challenge I get comes from a forged envelope-from(or
similar), I can't see how it reduces the problem, it just double perhaps
triples the amount of mail traffic. Plus some are web-server driven
auth, thereby causing a loading of the program and grabbing of the URI
indicated in the e-mail I got from the Challenge.

So, basically: You get a piece of SPAM, your systems sends out another
piece of e-mail that is in response to the forged envelope, (assume) I
get this e-mail and then have to delete this mail or respond to it (a
third message) or goto a URI inside the Challenge (more processor time
and bandwidth) just so *YOU* can verify my message was or was not SPAM?

I consider sending me e-mail in Challenge form as unsolicited e-mail.
Therefore under my classification SPAM. Why should *I* verify your SPAM
problem for you. I deal with mine, and mine alone. I am not going to
spend resources (at my cost of those resources) to verify or not it
being SPAM.

Of course if everyone just affirmed the Challenge every time, it would
definitely not work. Where as my solution would continue to.

I also drop all of the "courtesy" notifications that *I* sent an
infected e-mail to a certain domain's user. There is another example of
Unsolicited E-Mail. I don't care to know that someone forged my e-mail
addy inside the one someone got. It does me absolutely ZERO good to even
read these. I have an automated system to send those to /dev/null as
well. 

I deal with enough mail per day, CR systems DO NOT reduce my number,
Spam filtering does.

BY the way, I do support Whitelisting and Blacklisting to make sure
things I want to absolutely get through do, and things I don't won't.

BTW, are you not glad *I* don't CR everyone that e-mails me? It could
have taken you 3 messages to get me to see one.
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup


signature.asc
Description: This is a digitally signed message part

may CAN-2004-041[678] affect on woody?

2004-06-11 Thread sugi 
Hello all,

I found message below on Changelog of cvs 1.11.17.

-
 SERVER SECURITY FIXES
 
* Thanks to Stefan Esser & Sebastian Krahmer, several potential security
  problems have been fixed.  The ones which were considered dangerous enough
  to catalogue were assigned issue numbers CAN-2004-0416, CAN-2004-0417, &
  CAN-2004-0418 by the Common Vulnerabilities and Exposures Project.  Please
  see  for more information.
-

But DSA-517-1 seems like that was fixed only CAN-2004-0416.

May CAN-2004-0416, CAN-2004-0417 and CAN-2004-0418 not affect
on Debian woody?  Or, may anyone works for merging this fix?



###
I tried to convert cvs-1.11.16-1.11.17.diff for 1.11.1p1debian-9woody6.
But, I gave up. configure script is too complex for me.
broken one;
http://sugi.nemui.org/tmp/CAN-2004-0416.0417.0418.diff

-- 
Tatsuki Sugiura   mailto:[EMAIL PROTECTED]

Re: Hashcash - was re: Spam fights

2004-06-11 Thread Rens Houben 
In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has been seen 
typing:
> Besides, with an army of Windows Zombies you could generate those signatures 
> anyway...

Why bother, when said windows machines will have perfectly good
signatures stored on them somewhere already?

> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page

-- 
Rens Houben   |opinions are mine
Resident linux guru and sysadmin  | if my employers have one
Systemec Internet Services.   |they'll tell you themselves
PGP key at http://swordbreaker.systemec.nl/~shadur/shadur.key.asc


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Spam fights

2004-06-11 Thread Dale Amon 
On Fri, Jun 11, 2004 at 08:39:12PM +1000, Russell Coker wrote:
> It won't work because challenge-response systems are technically no good.  
> While CR systems are almost never used because the people who use them are 
> universally regarded as cretins, the spammers won't bother about trying to 
> fool them.

First of all, keep in mind that I am strictly talking about 
people for whom email is an office tool equivalent to the 
paper mail coming into their physical inbox. They don't
know how the US/B/other/PO gets it there and don't care.

That said, those who can afford it will hire human 
operators to act as email gatekeepers; those who can't
will use whatever a salesman can convince them is
affordable and works. Whether we like it or not will
not figure into the decision.

I already whitelist; unless I have manually pre-cleared
you, I won't see your mail for some time. Basically until
I have time to wade thorugh the sludge, assuming I'm not
back from a trip and just look for one or two expected mails
before deleting. I imagine I'm not alone. CR may not
be the solution, but more and more people are only
taking pre-authorized (whitelist) mail.

If your business requires recieving unsolicted email,
then your business model will include the wages of 
a presorter. They are cheaper than a knowledgeable
mail admin.

As to the "type in this random code from a jpeg",
I use that on samizdata (a major blog for which I'm
one of the editors). It stopped the problem of blog-spam
cold; the human entry is stopped cold by having 
a team of writers who delete on sight.

At the end of the day, dealing with spam is an
employment opportunity, not something that will be
solved technically. Human problems require human 
solutions.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--

Re: Hashcash - was re: Spam fights

2004-06-11 Thread Russell Coker 
On Fri, 11 Jun 2004 22:34, Patrick Maheral <[EMAIL PROTECTED]> wrote:
> It seems that most people here don't like CR systems, and I'd have to
> agree with that consensus.
>
> I'm just wondering what is the general feeling about using hashcash and
> other header signatures systems.

Currently you can't accept only such messages because almost no-one sends 
them.  Most people see no need to send them because almost no-one checks for 
them when receiving a message.

Anti-spam measures may be used on workstations eventually, but have to be 
initially installed at servers if they are to become popular.  The people who 
run big mail servers (AOL, Hotmail, etc) don't want to install hashcash for 
the same reason that spammers won't install it.

Besides, with an army of Windows Zombies you could generate those signatures 
anyway...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Spam fights

2004-06-11 Thread Russell Coker 
On Fri, 11 Jun 2004 21:38, Dale Amon <[EMAIL PROTECTED]> wrote:
> That said, those who can afford it will hire human
> operators to act as email gatekeepers; those who can't
> will use whatever a salesman can convince them is
> affordable and works. Whether we like it or not will
> not figure into the decision.

Some of the anti-spam people are very enthusiastic about their work.  I 
wouldn't be surprised if someone writes a bot to deal with CR systems.

It should not be technically difficult to publish some email addresses, wait 
for challenge messages to come in response to virus messages, and then have 
it automatically send an appropriate response to the challenge followed by a 
series of flames.

> As to the "type in this random code from a jpeg",
> I use that on samizdata (a major blog for which I'm
> one of the editors). It stopped the problem of blog-spam
> cold; the human entry is stopped cold by having
> a team of writers who delete on sight.

One -> many communication is different.  If you want to get a letter to the 
editor published in a newspaper you have to confirm your identity and contact 
details before it will be considered.  This can involve a journalist phoning 
you to confirm your identity and permission for publication.  If you want to 
send mail to most mailing lists you have to subscribe first.  Blogs are in 
the same category so I agree with what you are doing there.

> At the end of the day, dealing with spam is an
> employment opportunity, not something that will be
> solved technically. Human problems require human
> solutions.

Sometimes human solutions involve humans writing and installing programs to 
implement them.  Totally stopping spam in an automatic manner is not 
possible.  Reducing it by a factor of 100 so that humans can manually deal 
with the residue is possible.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Spam fights

2004-06-11 Thread Vassilii Khachaturov 
[snip]
> If CR systems get popular then spammers will start replying to the
> messages. Most spammers have working email addresses, so it would not be
> difficult to automate a response to a CR system.  Any CR system which just
> requires that you "reply to this email" will be trivially broken by
> spammers.
[snip]

You are right in everything except the tense - it's already happening.
I've had friends that use the CR systems reporting that spammers did reply
to their challenges. Apparently this is done by the "put your computer to
work" victims that spam from their home accounts sometimes even w/o the full 
understanding of what they're doing.

V

Re: Spam fights

2004-06-11 Thread Russell Coker 
On Fri, 11 Jun 2004 19:29, Dale Amon <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote:
> > It is anti-social for every idiot on the net to think that they are
> > important enough to require a subscription from everyone who wants to
> > send them email.
>
> Like it or not (and I don't) that is where we are
> headed if other solutions to spam are not implimented
> that cover non-NANOG type persons. I strongly suspect

It won't work because challenge-response systems are technically no good.  
While CR systems are almost never used because the people who use them are 
universally regarded as cretins, the spammers won't bother about trying to 
fool them.

If CR systems get popular then spammers will start replying to the messages.  
Most spammers have working email addresses, so it would not be difficult to 
automate a response to a CR system.  Any CR system which just requires that 
you "reply to this email" will be trivially broken by spammers.

One CR system I saw used a web page with some obscured text that is 
(supposedly) only readable by humans.  There are two ways of solving this (if 
it ever becomes popular).  One way is to make entering such things a 
condition for downloading free porn from a porn site (a document on using 
porn sites to subscribe to hotmail etc was published some time ago).  The 
other way is better OCR software.

Finally, a large chunk of spam is entered by humans.  The "Nigerian" spammers 
often do things manually with cut/paste and don't have software to automate 
it (a friend witnessed a "Nigerian" spammer doing this at an Internet cafe).  
Such people will get past any CR system that could be devised.

> we'll see a generation of mail systems which greylist
> by default at the very least. Perhaps a future
> secreterial job will be to wade through the muck and
> query the boss as to whether one or two should be
> allowed access.

That is a secretarial job today.  Some people (such as Bill Gates) employ a 
team of people to filter their email.

> For some people, even the volume of non-spam mail
> could be rather intolerable. Imagine if you were
> Tom Hanks and your private email got out and you
> had to go through thousands of adoring fan mails
> to find that movie contract from your agent...

It's quite easy to search on From: field.  Of course you need a decently fast 
Internet connection to download all the messages, but I'm sure Tom can afford 
that.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Hashcash - was re: Spam fights

2004-06-11 Thread Patrick Maheral 
It seems that most people here don't like CR systems, and I'd have to
agree with that consensus.

I'm just wondering what is the general feeling about using hashcash and
other header signatures systems.

Patrick


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Pre-authentication of email is not going to happen

2004-06-11 Thread Duncan Simpson 
You might see a few, IMHO misguided, people implementing sender
pre-authentication systems. A very few high-profile people might
actually have justpficiation for a system that passes some senders to
them and everyone else via their helpers for dealing with fan mail.

Wide-scale deployment of sender pre-authentication would require a
significant number of system administrators to deploy such solutions and
I do not think this is going to happen. I am fairly sure almost no
system administrators support sender pre-authentication.

As a system administrator I need to recieve mail from too many random
people. The same goes for my boss, sales people, etc. If your business
depends on email working, which is increasingly common, sender
pre-authenticated is not an option.

What I think we will see is widespread deployment of at least one system
to authenticate sender's identities at least partially. SPF is
relatively easy to deploy and sendmail is likely to support yahoo's
proposed domain signatures soon. Neither will prevent spam, but both
should make it more expensive[*], possibly by enough to make much of the
current spam unprofitable.

[*] IF you can not forge domain names then you might need to pay for a
new domain name every few spams. This would eat into your profits (it be
easy for registats to identifuy abusers and not grant them new domain
names).

Re: Spam fights

2004-06-11 Thread Greg Folkert 
Sent to list.
On Thu, 2004-06-10 at 14:31, Jaroslaw Tabor wrote:
> Hello!
> 
> W liście z czw, 10-06-2004, godz. 19:06, Greg Folkert pisze: 
> > > Don't do it.  Confirmation systems are just as bad as the problems that they 
> > > try to solve.
> > 
> > Here, here. Agreement on all fronts. If I get a challenge, I put it into
> > /dev/null
> 
> I'm really surprised with your opinion. Is it so big problem, to press
> reply, when you are sending first email to someone new ?
> You are receving confirmation request whenever you are trying to update
> DNS, subscribe to newsgroup or talking with any automatic service. Is it
> so difficult ?
You see there is a difference there. *I* initiated them, not some
spammer. If someone doesn't want mail that could be very valuable to
them, especially if they asked for it on D-U... forcing me to write
another e-mail JUST to help them... nope, ain't gonna happen.

> Currently, in many cases when I'm sending email to address found on
> website I'm receiving challenge, and I fully understand people doing it.
> Whitelist with email/IP can decrease also number of challenges from
> spammers: email comming from different IP can be treated as spam
> automatically.

I implemented SPAM Filtering software and have continued to train it
with ham and spam. I started when last year when I was getting ~ 6,000
Swen e-mails a day. My e-mail address is posted EVERYWHERE.

Since that point, I get maybe 3 a day. When they ("they" being the
spmmers) find a new way to trick the Bayesian testing I use I'll get a
spat of about 12 or so for a few days then back to maybe 3 a day. I use
server side software (maildrop and procmail) to do the sorting after it
has been graded by the filter.

I still get upto 1000 e-mail messages a day, but those are from mailing
lists and people I support via e-mail. If I had a CR system in place,
I'd have to maintain more than I want. Consider in a given day, I e-mail
about 30+ new people a day.

I also can be and am very busy in Debian's Mailing list(s), Samba, Exim,
Grip, Elitists and many other venues. If I got a CR back for every one
of the e-mails I sent to a mailing list, I'd be answering thousands of
NEW Challenges a week. Sounds like SPAM to me. When you understand that
nearly every challenge I get comes from a forged envelope-from(or
similar), I can't see how it reduces the problem, it just double perhaps
triples the amount of mail traffic. Plus some are web-server driven
auth, thereby causing a loading of the program and grabbing of the URI
indicated in the e-mail I got from the Challenge.

So, basically: You get a piece of SPAM, your systems sends out another
piece of e-mail that is in response to the forged envelope, (assume) I
get this e-mail and then have to delete this mail or respond to it (a
third message) or goto a URI inside the Challenge (more processor time
and bandwidth) just so *YOU* can verify my message was or was not SPAM?

I consider sending me e-mail in Challenge form as unsolicited e-mail.
Therefore under my classification SPAM. Why should *I* verify your SPAM
problem for you. I deal with mine, and mine alone. I am not going to
spend resources (at my cost of those resources) to verify or not it
being SPAM.

Of course if everyone just affirmed the Challenge every time, it would
definitely not work. Where as my solution would continue to.

I also drop all of the "courtesy" notifications that *I* sent an
infected e-mail to a certain domain's user. There is another example of
Unsolicited E-Mail. I don't care to know that someone forged my e-mail
addy inside the one someone got. It does me absolutely ZERO good to even
read these. I have an automated system to send those to /dev/null as
well. 

I deal with enough mail per day, CR systems DO NOT reduce my number,
Spam filtering does.

BY the way, I do support Whitelisting and Blacklisting to make sure
things I want to absolutely get through do, and things I don't won't.

BTW, are you not glad *I* don't CR everyone that e-mails me? It could
have taken you 3 messages to get me to see one.
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup


signature.asc
Description: This is a digitally signed message part

may CAN-2004-041[678] affect on woody?

2004-06-11 Thread sugi 
Hello all,

I found message below on Changelog of cvs 1.11.17.

-
 SERVER SECURITY FIXES
 
* Thanks to Stefan Esser & Sebastian Krahmer, several potential security
  problems have been fixed.  The ones which were considered dangerous enough
  to catalogue were assigned issue numbers CAN-2004-0416, CAN-2004-0417, &
  CAN-2004-0418 by the Common Vulnerabilities and Exposures Project.  Please
  see  for more information.
-

But DSA-517-1 seems like that was fixed only CAN-2004-0416.

May CAN-2004-0416, CAN-2004-0417 and CAN-2004-0418 not affect
on Debian woody?  Or, may anyone works for merging this fix?



###
I tried to convert cvs-1.11.16-1.11.17.diff for 1.11.1p1debian-9woody6.
But, I gave up. configure script is too complex for me.
broken one;
http://sugi.nemui.org/tmp/CAN-2004-0416.0417.0418.diff

-- 
Tatsuki Sugiura   mailto:[EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Spam fights

2004-06-11 Thread Dale Amon 
On Fri, Jun 11, 2004 at 08:39:12PM +1000, Russell Coker wrote:
> It won't work because challenge-response systems are technically no good.  
> While CR systems are almost never used because the people who use them are 
> universally regarded as cretins, the spammers won't bother about trying to 
> fool them.

First of all, keep in mind that I am strictly talking about 
people for whom email is an office tool equivalent to the 
paper mail coming into their physical inbox. They don't
know how the US/B/other/PO gets it there and don't care.

That said, those who can afford it will hire human 
operators to act as email gatekeepers; those who can't
will use whatever a salesman can convince them is
affordable and works. Whether we like it or not will
not figure into the decision.

I already whitelist; unless I have manually pre-cleared
you, I won't see your mail for some time. Basically until
I have time to wade thorugh the sludge, assuming I'm not
back from a trip and just look for one or two expected mails
before deleting. I imagine I'm not alone. CR may not
be the solution, but more and more people are only
taking pre-authorized (whitelist) mail.

If your business requires recieving unsolicted email,
then your business model will include the wages of 
a presorter. They are cheaper than a knowledgeable
mail admin.

As to the "type in this random code from a jpeg",
I use that on samizdata (a major blog for which I'm
one of the editors). It stopped the problem of blog-spam
cold; the human entry is stopped cold by having 
a team of writers who delete on sight.

At the end of the day, dealing with spam is an
employment opportunity, not something that will be
solved technically. Human problems require human 
solutions.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Spam fights

2004-06-11 Thread Michelle Konzack 
Hello Alain, 

Am 2004-06-10 22:03:54, schrieb Alain Tesio:

>Not if the message if refused by the smtp server before it's delivered, right ?
>It's not that antisocial to ask the 1% people who aren't subscribed to 
>subscribe
>before sending a message.

I am subscribed to severa mailinglists on postgresql.org, php.net, 
mutt.org, exim.org and others where I get not more then a half 
SPAM per month.

I am on 146 Mailinglists 46 and on this list I get 80% of the 
normal SPAM (not the last two days)

Because the SPAM filter of murphy works quiet well, I like to 
see a subscriber only List too.

Maybe the Listmaster can istall as script which send a REMINDER 
to people which are not subscribed to subscribe on l-d-o.

>Alain

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)


signature.pgp
Description: Digital signature

Re: Spam fights

2004-06-11 Thread Dale Amon 
On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote:
> It is anti-social for every idiot on the net to think that they are important 
> enough to require a subscription from everyone who wants to send them email.

Like it or not (and I don't) that is where we are
headed if other solutions to spam are not implimented
that cover non-NANOG type persons. I strongly suspect
we'll see a generation of mail systems which greylist 
by default at the very least. Perhaps a future 
secreterial job will be to wade through the muck and
query the boss as to whether one or two should be
allowed access.

For some people, even the volume of non-spam mail
could be rather intolerable. Imagine if you were
Tom Hanks and your private email got out and you
had to go through thousands of adoring fan mails
to find that movie contract from your agent...

Pre-authorization for email is the way things are
going to go. 

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--

Re: Spam fights

2004-06-11 Thread Vassilii Khachaturov 
[snip]
> If CR systems get popular then spammers will start replying to the
> messages. Most spammers have working email addresses, so it would not be
> difficult to automate a response to a CR system.  Any CR system which just
> requires that you "reply to this email" will be trivially broken by
> spammers.
[snip]

You are right in everything except the tense - it's already happening.
I've had friends that use the CR systems reporting that spammers did reply
to their challenges. Apparently this is done by the "put your computer to
work" victims that spam from their home accounts sometimes even w/o the full 
understanding of what they're doing.

V


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Spam fights

2004-06-11 Thread Russell Coker 
On Fri, 11 Jun 2004 19:29, Dale Amon <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote:
> > It is anti-social for every idiot on the net to think that they are
> > important enough to require a subscription from everyone who wants to
> > send them email.
>
> Like it or not (and I don't) that is where we are
> headed if other solutions to spam are not implimented
> that cover non-NANOG type persons. I strongly suspect

It won't work because challenge-response systems are technically no good.  
While CR systems are almost never used because the people who use them are 
universally regarded as cretins, the spammers won't bother about trying to 
fool them.

If CR systems get popular then spammers will start replying to the messages.  
Most spammers have working email addresses, so it would not be difficult to 
automate a response to a CR system.  Any CR system which just requires that 
you "reply to this email" will be trivially broken by spammers.

One CR system I saw used a web page with some obscured text that is 
(supposedly) only readable by humans.  There are two ways of solving this (if 
it ever becomes popular).  One way is to make entering such things a 
condition for downloading free porn from a porn site (a document on using 
porn sites to subscribe to hotmail etc was published some time ago).  The 
other way is better OCR software.

Finally, a large chunk of spam is entered by humans.  The "Nigerian" spammers 
often do things manually with cut/paste and don't have software to automate 
it (a friend witnessed a "Nigerian" spammer doing this at an Internet cafe).  
Such people will get past any CR system that could be devised.

> we'll see a generation of mail systems which greylist
> by default at the very least. Perhaps a future
> secreterial job will be to wade through the muck and
> query the boss as to whether one or two should be
> allowed access.

That is a secretarial job today.  Some people (such as Bill Gates) employ a 
team of people to filter their email.

> For some people, even the volume of non-spam mail
> could be rather intolerable. Imagine if you were
> Tom Hanks and your private email got out and you
> had to go through thousands of adoring fan mails
> to find that movie contract from your agent...

It's quite easy to search on From: field.  Of course you need a decently fast 
Internet connection to download all the messages, but I'm sure Tom can afford 
that.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Pre-authentication of email is not going to happen

2004-06-11 Thread Duncan Simpson 
You might see a few, IMHO misguided, people implementing sender
pre-authentication systems. A very few high-profile people might
actually have justpficiation for a system that passes some senders to
them and everyone else via their helpers for dealing with fan mail.

Wide-scale deployment of sender pre-authentication would require a
significant number of system administrators to deploy such solutions and
I do not think this is going to happen. I am fairly sure almost no
system administrators support sender pre-authentication.

As a system administrator I need to recieve mail from too many random
people. The same goes for my boss, sales people, etc. If your business
depends on email working, which is increasingly common, sender
pre-authenticated is not an option.

What I think we will see is widespread deployment of at least one system
to authenticate sender's identities at least partially. SPF is
relatively easy to deploy and sendmail is likely to support yahoo's
proposed domain signatures soon. Neither will prevent spam, but both
should make it more expensive[*], possibly by enough to make much of the
current spam unprofitable.

[*] IF you can not forge domain names then you might need to pay for a
new domain name every few spams. This would eat into your profits (it be
easy for registats to identifuy abusers and not grant them new domain
names).


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Spam fights

2004-06-11 Thread Michelle Konzack 
Hello Alain, 

Am 2004-06-10 22:03:54, schrieb Alain Tesio:

>Not if the message if refused by the smtp server before it's delivered, right ?
>It's not that antisocial to ask the 1% people who aren't subscribed to subscribe
>before sending a message.

I am subscribed to severa mailinglists on postgresql.org, php.net, 
mutt.org, exim.org and others where I get not more then a half 
SPAM per month.

I am on 146 Mailinglists 46 and on this list I get 80% of the 
normal SPAM (not the last two days)

Because the SPAM filter of murphy works quiet well, I like to 
see a subscriber only List too.

Maybe the Listmaster can istall as script which send a REMINDER 
to people which are not subscribed to subscribe on l-d-o.

>Alain

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)


signature.pgp
Description: Digital signature

Re: Spam fights

2004-06-11 Thread Dale Amon 
On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote:
> It is anti-social for every idiot on the net to think that they are important 
> enough to require a subscription from everyone who wants to send them email.

Like it or not (and I don't) that is where we are
headed if other solutions to spam are not implimented
that cover non-NANOG type persons. I strongly suspect
we'll see a generation of mail systems which greylist 
by default at the very least. Perhaps a future 
secreterial job will be to wade through the muck and
query the boss as to whether one or two should be
allowed access.

For some people, even the volume of non-spam mail
could be rather intolerable. Imagine if you were
Tom Hanks and your private email got out and you
had to go through thousands of adoring fan mails
to find that movie contract from your agent...

Pre-authorization for email is the way things are
going to go. 

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]