Re: Hashcash - was re: Spam fights
Russell == Russell Coker [EMAIL PROTECTED] writes: Russell On Fri, 11 Jun 2004 22:34, Patrick Maheral [EMAIL PROTECTED] wrote: It seems that most people here don't like CR systems, and I'd have to agree with that consensus. I'm just wondering what is the general feeling about using hashcash and other header signatures systems. Russell Currently you can't accept only such messages because almost Russell no-one sends them. Most people see no need to send them Russell because almost no-one checks for them when receiving a message. SpamAssassin will check for hashcash in the future. Support is already present in the development version of SpamAssassin. [...] Russell Besides, with an army of Windows Zombies you could generate Russell those signatures anyway... Although eating up gobs of CPU will probably be more easily noticed than just sending out lots of traffic. Then again, some users are pretty clueless... (P.S. I'm the hashcash package maintainer.) -- Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Hashcash - was re: Spam fights
Russell == Russell Coker [EMAIL PROTECTED] writes: Russell On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote: Why bother, when said windows machines will have perfectly good signatures stored on them somewhere already? Russell Presumably the signature would be based on the envelope Russell recipient and therefore signatures you find on someone else's Russell machine would not do any good. If it was otherwise then a Russell single signature would work for an entire spam run. Yes. In hashcash, the hashcash token uses the recipient's address, as well as a date. The recipient can keep a database of received tokens to make sure that the same token isn't used twice. Old tokens can be expired, since the token contains the date too. -- Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Hashcash - was re: Spam fights
On 16 Jun 2004, Hubert Chan wrote: Russell == Russell Coker [EMAIL PROTECTED] writes: Russell On Fri, 11 Jun 2004 22:34, Patrick Maheral [EMAIL PROTECTED] wrote: [...] SpamAssassin will check for hashcash in the future. Support is already present in the development version of SpamAssassin. ...makes you wonder how long it will take before someone does generate the headers in SPAM, then. Being in SpamAssassin seems to be a trigger point for a whole lot of things to be worth avoiding/abusing for spammers - the silly haiku header thing being one example. Russell Besides, with an army of Windows Zombies you could generate Russell those signatures anyway... Although eating up gobs of CPU will probably be more easily noticed than just sending out lots of traffic. Then again, some users are pretty clueless... ...and Windows does have a meaningful low priority for threads which will result in this being pretty much unnoticed by most users, even the observant ones. Sure, you need more machines to get the same effect, but it isn't like there is a shortage of them... OTOH, HashCash sucks a lot less than the other solutions out there, so I am all for it being more widely used; it would be interesting to see if it actually managed to take off. :) Daniel -- Organization and method mean much, but contagious human characters mean more in a university, where a few undisciplinables ... may be infinitely more precious than a faculty full of orderly routinists. -- William James -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Hashcash - was re: Spam fights
Daniel == Daniel Pittman [EMAIL PROTECTED] writes: Daniel On 16 Jun 2004, Hubert Chan wrote: SpamAssassin will check for hashcash in the future. Support is already present in the development version of SpamAssassin. Daniel ...makes you wonder how long it will take before someone does Daniel generate the headers in SPAM, then. Being in SpamAssassin seems Daniel to be a trigger point for a whole lot of things to be worth Daniel avoiding/abusing for spammers - the silly haiku header thing Daniel being one example. Well SpamAssassin, AFAIK, will do proper hashcash checking, including the double-spend database. It won't assign any extra credit to bogus hashcash headers (probably eventually will even increase spamicity for those emails). It also won't credit tiny hashcash tokens (I think the minimum is 20 bits). So spammers would have to generate real hashcash tokens in order to get any effect from SpamAssassin. Other than using zombies, I don't think spammers could afford to generate real tokens for every recipient. -- Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Hashcash - was re: Spam fights
On Wed, Jun 16, 2004 at 11:38:10AM -0400, Hubert Chan wrote: tokens in order to get any effect from SpamAssassin. Other than using zombies, I don't think spammers could afford to generate real tokens for every recipient. Well, since there are millions of vulnerable systems all over the 'net that doesn't seem like such a stretch, does it? Mike Stone -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Hashcash - was re: Spam fights
Russell == Russell Coker [EMAIL PROTECTED] writes: Russell On Fri, 11 Jun 2004 22:34, Patrick Maheral [EMAIL PROTECTED] wrote: It seems that most people here don't like CR systems, and I'd have to agree with that consensus. I'm just wondering what is the general feeling about using hashcash and other header signatures systems. Russell Currently you can't accept only such messages because almost Russell no-one sends them. Most people see no need to send them Russell because almost no-one checks for them when receiving a message. SpamAssassin will check for hashcash in the future. Support is already present in the development version of SpamAssassin. [...] Russell Besides, with an army of Windows Zombies you could generate Russell those signatures anyway... Although eating up gobs of CPU will probably be more easily noticed than just sending out lots of traffic. Then again, some users are pretty clueless... (P.S. I'm the hashcash package maintainer.) -- Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: Hashcash - was re: Spam fights
On 16 Jun 2004, Hubert Chan wrote: Russell == Russell Coker [EMAIL PROTECTED] writes: Russell On Fri, 11 Jun 2004 22:34, Patrick Maheral [EMAIL PROTECTED] wrote: [...] SpamAssassin will check for hashcash in the future. Support is already present in the development version of SpamAssassin. ...makes you wonder how long it will take before someone does generate the headers in SPAM, then. Being in SpamAssassin seems to be a trigger point for a whole lot of things to be worth avoiding/abusing for spammers - the silly haiku header thing being one example. Russell Besides, with an army of Windows Zombies you could generate Russell those signatures anyway... Although eating up gobs of CPU will probably be more easily noticed than just sending out lots of traffic. Then again, some users are pretty clueless... ...and Windows does have a meaningful low priority for threads which will result in this being pretty much unnoticed by most users, even the observant ones. Sure, you need more machines to get the same effect, but it isn't like there is a shortage of them... OTOH, HashCash sucks a lot less than the other solutions out there, so I am all for it being more widely used; it would be interesting to see if it actually managed to take off. :) Daniel -- Organization and method mean much, but contagious human characters mean more in a university, where a few undisciplinables ... may be infinitely more precious than a faculty full of orderly routinists. -- William James
Re: Hashcash - was re: Spam fights
Daniel == Daniel Pittman [EMAIL PROTECTED] writes: Daniel On 16 Jun 2004, Hubert Chan wrote: SpamAssassin will check for hashcash in the future. Support is already present in the development version of SpamAssassin. Daniel ...makes you wonder how long it will take before someone does Daniel generate the headers in SPAM, then. Being in SpamAssassin seems Daniel to be a trigger point for a whole lot of things to be worth Daniel avoiding/abusing for spammers - the silly haiku header thing Daniel being one example. Well SpamAssassin, AFAIK, will do proper hashcash checking, including the double-spend database. It won't assign any extra credit to bogus hashcash headers (probably eventually will even increase spamicity for those emails). It also won't credit tiny hashcash tokens (I think the minimum is 20 bits). So spammers would have to generate real hashcash tokens in order to get any effect from SpamAssassin. Other than using zombies, I don't think spammers could afford to generate real tokens for every recipient. -- Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: Hashcash - was re: Spam fights
On Wed, Jun 16, 2004 at 11:38:10AM -0400, Hubert Chan wrote: tokens in order to get any effect from SpamAssassin. Other than using zombies, I don't think spammers could afford to generate real tokens for every recipient. Well, since there are millions of vulnerable systems all over the 'net that doesn't seem like such a stretch, does it? Mike Stone
Re: Spam fights
Can the mailing list software add a X-Subscribed : yes/no in the mail headers ? Then people decide to filter it out or not. Alain -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
Can the mailing list software add a X-Subscribed : yes/no in the mail headers ? Then people decide to filter it out or not. Alain
Re: Spam fights
On Sat, 12 Jun 2004 04:22, s. keeling [EMAIL PROTECTED] wrote: Incoming from Rick Moen: Quoting Russell Coker ([EMAIL PROTECTED]): Some of the anti-spam people are very enthusiastic about their work. I wouldn't be surprised if someone writes a bot to deal with CR systems. A bot to detect C-R queries and add them to the refused-mail ACL list would be most useful. ;- A better one would be one that successfully negotiates the C-R itself. Then we can give the spammers a copy and teach the C-R nitwits a lesson. Proof that I am correct. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Sat, 12 Jun 2004 04:22, s. keeling [EMAIL PROTECTED] wrote: Incoming from Rick Moen: Quoting Russell Coker ([EMAIL PROTECTED]): Some of the anti-spam people are very enthusiastic about their work. I wouldn't be surprised if someone writes a bot to deal with CR systems. A bot to detect C-R queries and add them to the refused-mail ACL list would be most useful. ;- A better one would be one that successfully negotiates the C-R itself. Then we can give the spammers a copy and teach the C-R nitwits a lesson. Proof that I am correct. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Spam fights
On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote: It is anti-social for every idiot on the net to think that they are important enough to require a subscription from everyone who wants to send them email. Like it or not (and I don't) that is where we are headed if other solutions to spam are not implimented that cover non-NANOG type persons. I strongly suspect we'll see a generation of mail systems which greylist by default at the very least. Perhaps a future secreterial job will be to wade through the muck and query the boss as to whether one or two should be allowed access. For some people, even the volume of non-spam mail could be rather intolerable. Imagine if you were Tom Hanks and your private email got out and you had to go through thousands of adoring fan mails to find that movie contract from your agent... Pre-authorization for email is the way things are going to go. -- -- Dale Amon [EMAIL PROTECTED]+44-7802-188325 International linux systems consultancy Hardware software system design, security and networking, systems programming and Admin Have Laptop, Will Travel -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
Hello Alain, Am 2004-06-10 22:03:54, schrieb Alain Tesio: Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. I am subscribed to severa mailinglists on postgresql.org, php.net, mutt.org, exim.org and others where I get not more then a half SPAM per month. I am on 146 Mailinglists 46 and on this list I get 80% of the normal SPAM (not the last two days) Because the SPAM filter of murphy works quiet well, I like to see a subscriber only List too. Maybe the Listmaster can istall as script which send a REMINDER to people which are not subscribed to subscribe on l-d-o. Alain Greetings Michelle -- Linux-User #280138 with the Linux Counter, http://counter.li.org/ Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSM LinuxMichi 0033/3/8845235667100 Strasbourg/France IRC #Debian (irc.icq.com) signature.pgp Description: Digital signature
Re: Spam fights
On Fri, 11 Jun 2004 19:29, Dale Amon [EMAIL PROTECTED] wrote: On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote: It is anti-social for every idiot on the net to think that they are important enough to require a subscription from everyone who wants to send them email. Like it or not (and I don't) that is where we are headed if other solutions to spam are not implimented that cover non-NANOG type persons. I strongly suspect It won't work because challenge-response systems are technically no good. While CR systems are almost never used because the people who use them are universally regarded as cretins, the spammers won't bother about trying to fool them. If CR systems get popular then spammers will start replying to the messages. Most spammers have working email addresses, so it would not be difficult to automate a response to a CR system. Any CR system which just requires that you reply to this email will be trivially broken by spammers. One CR system I saw used a web page with some obscured text that is (supposedly) only readable by humans. There are two ways of solving this (if it ever becomes popular). One way is to make entering such things a condition for downloading free porn from a porn site (a document on using porn sites to subscribe to hotmail etc was published some time ago). The other way is better OCR software. Finally, a large chunk of spam is entered by humans. The Nigerian spammers often do things manually with cut/paste and don't have software to automate it (a friend witnessed a Nigerian spammer doing this at an Internet cafe). Such people will get past any CR system that could be devised. we'll see a generation of mail systems which greylist by default at the very least. Perhaps a future secreterial job will be to wade through the muck and query the boss as to whether one or two should be allowed access. That is a secretarial job today. Some people (such as Bill Gates) employ a team of people to filter their email. For some people, even the volume of non-spam mail could be rather intolerable. Imagine if you were Tom Hanks and your private email got out and you had to go through thousands of adoring fan mails to find that movie contract from your agent... It's quite easy to search on From: field. Of course you need a decently fast Internet connection to download all the messages, but I'm sure Tom can afford that. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
[snip] If CR systems get popular then spammers will start replying to the messages. Most spammers have working email addresses, so it would not be difficult to automate a response to a CR system. Any CR system which just requires that you reply to this email will be trivially broken by spammers. [snip] You are right in everything except the tense - it's already happening. I've had friends that use the CR systems reporting that spammers did reply to their challenges. Apparently this is done by the put your computer to work victims that spam from their home accounts sometimes even w/o the full understanding of what they're doing. V -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
Sent to list. On Thu, 2004-06-10 at 14:31, Jaroslaw Tabor wrote: Hello! W licie z czw, 10-06-2004, godz. 19:06, Greg Folkert pisze: Don't do it. Confirmation systems are just as bad as the problems that they try to solve. Here, here. Agreement on all fronts. If I get a challenge, I put it into /dev/null I'm really surprised with your opinion. Is it so big problem, to press reply, when you are sending first email to someone new ? You are receving confirmation request whenever you are trying to update DNS, subscribe to newsgroup or talking with any automatic service. Is it so difficult ? You see there is a difference there. *I* initiated them, not some spammer. If someone doesn't want mail that could be very valuable to them, especially if they asked for it on D-U... forcing me to write another e-mail JUST to help them... nope, ain't gonna happen. Currently, in many cases when I'm sending email to address found on website I'm receiving challenge, and I fully understand people doing it. Whitelist with email/IP can decrease also number of challenges from spammers: email comming from different IP can be treated as spam automatically. I implemented SPAM Filtering software and have continued to train it with ham and spam. I started when last year when I was getting ~ 6,000 Swen e-mails a day. My e-mail address is posted EVERYWHERE. Since that point, I get maybe 3 a day. When they (they being the spmmers) find a new way to trick the Bayesian testing I use I'll get a spat of about 12 or so for a few days then back to maybe 3 a day. I use server side software (maildrop and procmail) to do the sorting after it has been graded by the filter. I still get upto 1000 e-mail messages a day, but those are from mailing lists and people I support via e-mail. If I had a CR system in place, I'd have to maintain more than I want. Consider in a given day, I e-mail about 30+ new people a day. I also can be and am very busy in Debian's Mailing list(s), Samba, Exim, Grip, Elitists and many other venues. If I got a CR back for every one of the e-mails I sent to a mailing list, I'd be answering thousands of NEW Challenges a week. Sounds like SPAM to me. When you understand that nearly every challenge I get comes from a forged envelope-from(or similar), I can't see how it reduces the problem, it just double perhaps triples the amount of mail traffic. Plus some are web-server driven auth, thereby causing a loading of the program and grabbing of the URI indicated in the e-mail I got from the Challenge. So, basically: You get a piece of SPAM, your systems sends out another piece of e-mail that is in response to the forged envelope, (assume) I get this e-mail and then have to delete this mail or respond to it (a third message) or goto a URI inside the Challenge (more processor time and bandwidth) just so *YOU* can verify my message was or was not SPAM? I consider sending me e-mail in Challenge form as unsolicited e-mail. Therefore under my classification SPAM. Why should *I* verify your SPAM problem for you. I deal with mine, and mine alone. I am not going to spend resources (at my cost of those resources) to verify or not it being SPAM. Of course if everyone just affirmed the Challenge every time, it would definitely not work. Where as my solution would continue to. I also drop all of the courtesy notifications that *I* sent an infected e-mail to a certain domain's user. There is another example of Unsolicited E-Mail. I don't care to know that someone forged my e-mail addy inside the one someone got. It does me absolutely ZERO good to even read these. I have an automated system to send those to /dev/null as well. I deal with enough mail per day, CR systems DO NOT reduce my number, Spam filtering does. BY the way, I do support Whitelisting and Blacklisting to make sure things I want to absolutely get through do, and things I don't won't. BTW, are you not glad *I* don't CR everyone that e-mails me? It could have taken you 3 messages to get me to see one. -- [EMAIL PROTECTED] REMEMBER ED CURRY! http://www.iwethey.org/ed_curry Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup signature.asc Description: This is a digitally signed message part
Hashcash - was re: Spam fights
It seems that most people here don't like CR systems, and I'd have to agree with that consensus. I'm just wondering what is the general feeling about using hashcash and other header signatures systems. Patrick -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Fri, 11 Jun 2004 21:38, Dale Amon [EMAIL PROTECTED] wrote: That said, those who can afford it will hire human operators to act as email gatekeepers; those who can't will use whatever a salesman can convince them is affordable and works. Whether we like it or not will not figure into the decision. Some of the anti-spam people are very enthusiastic about their work. I wouldn't be surprised if someone writes a bot to deal with CR systems. It should not be technically difficult to publish some email addresses, wait for challenge messages to come in response to virus messages, and then have it automatically send an appropriate response to the challenge followed by a series of flames. As to the type in this random code from a jpeg, I use that on samizdata (a major blog for which I'm one of the editors). It stopped the problem of blog-spam cold; the human entry is stopped cold by having a team of writers who delete on sight. One - many communication is different. If you want to get a letter to the editor published in a newspaper you have to confirm your identity and contact details before it will be considered. This can involve a journalist phoning you to confirm your identity and permission for publication. If you want to send mail to most mailing lists you have to subscribe first. Blogs are in the same category so I agree with what you are doing there. At the end of the day, dealing with spam is an employment opportunity, not something that will be solved technically. Human problems require human solutions. Sometimes human solutions involve humans writing and installing programs to implement them. Totally stopping spam in an automatic manner is not possible. Reducing it by a factor of 100 so that humans can manually deal with the residue is possible. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Hashcash - was re: Spam fights
On Fri, 11 Jun 2004 22:34, Patrick Maheral [EMAIL PROTECTED] wrote: It seems that most people here don't like CR systems, and I'd have to agree with that consensus. I'm just wondering what is the general feeling about using hashcash and other header signatures systems. Currently you can't accept only such messages because almost no-one sends them. Most people see no need to send them because almost no-one checks for them when receiving a message. Anti-spam measures may be used on workstations eventually, but have to be initially installed at servers if they are to become popular. The people who run big mail servers (AOL, Hotmail, etc) don't want to install hashcash for the same reason that spammers won't install it. Besides, with an army of Windows Zombies you could generate those signatures anyway... -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Hashcash - was re: Spam fights
In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has been seen typing: Besides, with an army of Windows Zombies you could generate those signatures anyway... Why bother, when said windows machines will have perfectly good signatures stored on them somewhere already? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- Rens Houben |opinions are mine Resident linux guru and sysadmin | if my employers have one Systemec Internet Services. |they'll tell you themselves PGP key at http://swordbreaker.systemec.nl/~shadur/shadur.key.asc -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
Quoting Russell Coker ([EMAIL PROTECTED]): Some of the anti-spam people are very enthusiastic about their work. I wouldn't be surprised if someone writes a bot to deal with CR systems. A bot to detect C-R queries and add them to the refused-mail ACL list would be most useful. ;- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
Incoming from Rick Moen: Quoting Russell Coker ([EMAIL PROTECTED]): Some of the anti-spam people are very enthusiastic about their work. I wouldn't be surprised if someone writes a bot to deal with CR systems. A bot to detect C-R queries and add them to the refused-mail ACL list would be most useful. ;- A better one would be one that successfully negotiates the C-R itself. Then we can give the spammers a copy and teach the C-R nitwits a lesson. -- Any technology distinguishable from magic is insufficiently advanced. (*) http://www.spots.ab.ca/~keeling - - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Hashcash - was re: Spam fights
On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote: In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has been seen typing: Besides, with an army of Windows Zombies you could generate those signatures anyway... Why bother, when said windows machines will have perfectly good signatures stored on them somewhere already? Presumably the signature would be based on the envelope recipient and therefore signatures you find on someone else's machine would not do any good. If it was otherwise then a single signature would work for an entire spam run. I am assuming that the sending machine would not store the signatures for messages it sent, which could be re-used if the spam messages were to have an ancient time-stamp. However this still wouldn't be of any great use, not many people have more than 10,000 messages stored in their sent-mail folder and the common case is far less. Capturing a lot of zombies to generate signatures would probably be easier than trying to find a machine that had a large sent-mail folder. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote: It is anti-social for every idiot on the net to think that they are important enough to require a subscription from everyone who wants to send them email. Like it or not (and I don't) that is where we are headed if other solutions to spam are not implimented that cover non-NANOG type persons. I strongly suspect we'll see a generation of mail systems which greylist by default at the very least. Perhaps a future secreterial job will be to wade through the muck and query the boss as to whether one or two should be allowed access. For some people, even the volume of non-spam mail could be rather intolerable. Imagine if you were Tom Hanks and your private email got out and you had to go through thousands of adoring fan mails to find that movie contract from your agent... Pre-authorization for email is the way things are going to go. -- -- Dale Amon [EMAIL PROTECTED]+44-7802-188325 International linux systems consultancy Hardware software system design, security and networking, systems programming and Admin Have Laptop, Will Travel --
Re: Spam fights
Hello Alain, Am 2004-06-10 22:03:54, schrieb Alain Tesio: Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. I am subscribed to severa mailinglists on postgresql.org, php.net, mutt.org, exim.org and others where I get not more then a half SPAM per month. I am on 146 Mailinglists 46 and on this list I get 80% of the normal SPAM (not the last two days) Because the SPAM filter of murphy works quiet well, I like to see a subscriber only List too. Maybe the Listmaster can istall as script which send a REMINDER to people which are not subscribed to subscribe on l-d-o. Alain Greetings Michelle -- Linux-User #280138 with the Linux Counter, http://counter.li.org/ Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSM LinuxMichi 0033/3/8845235667100 Strasbourg/France IRC #Debian (irc.icq.com) signature.pgp Description: Digital signature
Re: Spam fights
On Fri, 11 Jun 2004 19:29, Dale Amon [EMAIL PROTECTED] wrote: On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote: It is anti-social for every idiot on the net to think that they are important enough to require a subscription from everyone who wants to send them email. Like it or not (and I don't) that is where we are headed if other solutions to spam are not implimented that cover non-NANOG type persons. I strongly suspect It won't work because challenge-response systems are technically no good. While CR systems are almost never used because the people who use them are universally regarded as cretins, the spammers won't bother about trying to fool them. If CR systems get popular then spammers will start replying to the messages. Most spammers have working email addresses, so it would not be difficult to automate a response to a CR system. Any CR system which just requires that you reply to this email will be trivially broken by spammers. One CR system I saw used a web page with some obscured text that is (supposedly) only readable by humans. There are two ways of solving this (if it ever becomes popular). One way is to make entering such things a condition for downloading free porn from a porn site (a document on using porn sites to subscribe to hotmail etc was published some time ago). The other way is better OCR software. Finally, a large chunk of spam is entered by humans. The Nigerian spammers often do things manually with cut/paste and don't have software to automate it (a friend witnessed a Nigerian spammer doing this at an Internet cafe). Such people will get past any CR system that could be devised. we'll see a generation of mail systems which greylist by default at the very least. Perhaps a future secreterial job will be to wade through the muck and query the boss as to whether one or two should be allowed access. That is a secretarial job today. Some people (such as Bill Gates) employ a team of people to filter their email. For some people, even the volume of non-spam mail could be rather intolerable. Imagine if you were Tom Hanks and your private email got out and you had to go through thousands of adoring fan mails to find that movie contract from your agent... It's quite easy to search on From: field. Of course you need a decently fast Internet connection to download all the messages, but I'm sure Tom can afford that. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Spam fights
[snip] If CR systems get popular then spammers will start replying to the messages. Most spammers have working email addresses, so it would not be difficult to automate a response to a CR system. Any CR system which just requires that you reply to this email will be trivially broken by spammers. [snip] You are right in everything except the tense - it's already happening. I've had friends that use the CR systems reporting that spammers did reply to their challenges. Apparently this is done by the put your computer to work victims that spam from their home accounts sometimes even w/o the full understanding of what they're doing. V
Re: Spam fights
On Fri, Jun 11, 2004 at 08:39:12PM +1000, Russell Coker wrote: It won't work because challenge-response systems are technically no good. While CR systems are almost never used because the people who use them are universally regarded as cretins, the spammers won't bother about trying to fool them. First of all, keep in mind that I am strictly talking about people for whom email is an office tool equivalent to the paper mail coming into their physical inbox. They don't know how the US/B/other/PO gets it there and don't care. That said, those who can afford it will hire human operators to act as email gatekeepers; those who can't will use whatever a salesman can convince them is affordable and works. Whether we like it or not will not figure into the decision. I already whitelist; unless I have manually pre-cleared you, I won't see your mail for some time. Basically until I have time to wade thorugh the sludge, assuming I'm not back from a trip and just look for one or two expected mails before deleting. I imagine I'm not alone. CR may not be the solution, but more and more people are only taking pre-authorized (whitelist) mail. If your business requires recieving unsolicted email, then your business model will include the wages of a presorter. They are cheaper than a knowledgeable mail admin. As to the type in this random code from a jpeg, I use that on samizdata (a major blog for which I'm one of the editors). It stopped the problem of blog-spam cold; the human entry is stopped cold by having a team of writers who delete on sight. At the end of the day, dealing with spam is an employment opportunity, not something that will be solved technically. Human problems require human solutions. -- -- Dale Amon [EMAIL PROTECTED]+44-7802-188325 International linux systems consultancy Hardware software system design, security and networking, systems programming and Admin Have Laptop, Will Travel --
Re: Spam fights
Sent to list. On Thu, 2004-06-10 at 14:31, Jaroslaw Tabor wrote: Hello! W liście z czw, 10-06-2004, godz. 19:06, Greg Folkert pisze: Don't do it. Confirmation systems are just as bad as the problems that they try to solve. Here, here. Agreement on all fronts. If I get a challenge, I put it into /dev/null I'm really surprised with your opinion. Is it so big problem, to press reply, when you are sending first email to someone new ? You are receving confirmation request whenever you are trying to update DNS, subscribe to newsgroup or talking with any automatic service. Is it so difficult ? You see there is a difference there. *I* initiated them, not some spammer. If someone doesn't want mail that could be very valuable to them, especially if they asked for it on D-U... forcing me to write another e-mail JUST to help them... nope, ain't gonna happen. Currently, in many cases when I'm sending email to address found on website I'm receiving challenge, and I fully understand people doing it. Whitelist with email/IP can decrease also number of challenges from spammers: email comming from different IP can be treated as spam automatically. I implemented SPAM Filtering software and have continued to train it with ham and spam. I started when last year when I was getting ~ 6,000 Swen e-mails a day. My e-mail address is posted EVERYWHERE. Since that point, I get maybe 3 a day. When they (they being the spmmers) find a new way to trick the Bayesian testing I use I'll get a spat of about 12 or so for a few days then back to maybe 3 a day. I use server side software (maildrop and procmail) to do the sorting after it has been graded by the filter. I still get upto 1000 e-mail messages a day, but those are from mailing lists and people I support via e-mail. If I had a CR system in place, I'd have to maintain more than I want. Consider in a given day, I e-mail about 30+ new people a day. I also can be and am very busy in Debian's Mailing list(s), Samba, Exim, Grip, Elitists and many other venues. If I got a CR back for every one of the e-mails I sent to a mailing list, I'd be answering thousands of NEW Challenges a week. Sounds like SPAM to me. When you understand that nearly every challenge I get comes from a forged envelope-from(or similar), I can't see how it reduces the problem, it just double perhaps triples the amount of mail traffic. Plus some are web-server driven auth, thereby causing a loading of the program and grabbing of the URI indicated in the e-mail I got from the Challenge. So, basically: You get a piece of SPAM, your systems sends out another piece of e-mail that is in response to the forged envelope, (assume) I get this e-mail and then have to delete this mail or respond to it (a third message) or goto a URI inside the Challenge (more processor time and bandwidth) just so *YOU* can verify my message was or was not SPAM? I consider sending me e-mail in Challenge form as unsolicited e-mail. Therefore under my classification SPAM. Why should *I* verify your SPAM problem for you. I deal with mine, and mine alone. I am not going to spend resources (at my cost of those resources) to verify or not it being SPAM. Of course if everyone just affirmed the Challenge every time, it would definitely not work. Where as my solution would continue to. I also drop all of the courtesy notifications that *I* sent an infected e-mail to a certain domain's user. There is another example of Unsolicited E-Mail. I don't care to know that someone forged my e-mail addy inside the one someone got. It does me absolutely ZERO good to even read these. I have an automated system to send those to /dev/null as well. I deal with enough mail per day, CR systems DO NOT reduce my number, Spam filtering does. BY the way, I do support Whitelisting and Blacklisting to make sure things I want to absolutely get through do, and things I don't won't. BTW, are you not glad *I* don't CR everyone that e-mails me? It could have taken you 3 messages to get me to see one. -- [EMAIL PROTECTED] REMEMBER ED CURRY! http://www.iwethey.org/ed_curry Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup signature.asc Description: This is a digitally signed message part
Re: Spam fights
On Fri, 11 Jun 2004 21:38, Dale Amon [EMAIL PROTECTED] wrote: That said, those who can afford it will hire human operators to act as email gatekeepers; those who can't will use whatever a salesman can convince them is affordable and works. Whether we like it or not will not figure into the decision. Some of the anti-spam people are very enthusiastic about their work. I wouldn't be surprised if someone writes a bot to deal with CR systems. It should not be technically difficult to publish some email addresses, wait for challenge messages to come in response to virus messages, and then have it automatically send an appropriate response to the challenge followed by a series of flames. As to the type in this random code from a jpeg, I use that on samizdata (a major blog for which I'm one of the editors). It stopped the problem of blog-spam cold; the human entry is stopped cold by having a team of writers who delete on sight. One - many communication is different. If you want to get a letter to the editor published in a newspaper you have to confirm your identity and contact details before it will be considered. This can involve a journalist phoning you to confirm your identity and permission for publication. If you want to send mail to most mailing lists you have to subscribe first. Blogs are in the same category so I agree with what you are doing there. At the end of the day, dealing with spam is an employment opportunity, not something that will be solved technically. Human problems require human solutions. Sometimes human solutions involve humans writing and installing programs to implement them. Totally stopping spam in an automatic manner is not possible. Reducing it by a factor of 100 so that humans can manually deal with the residue is possible. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Hashcash - was re: Spam fights
On Fri, 11 Jun 2004 22:34, Patrick Maheral [EMAIL PROTECTED] wrote: It seems that most people here don't like CR systems, and I'd have to agree with that consensus. I'm just wondering what is the general feeling about using hashcash and other header signatures systems. Currently you can't accept only such messages because almost no-one sends them. Most people see no need to send them because almost no-one checks for them when receiving a message. Anti-spam measures may be used on workstations eventually, but have to be initially installed at servers if they are to become popular. The people who run big mail servers (AOL, Hotmail, etc) don't want to install hashcash for the same reason that spammers won't install it. Besides, with an army of Windows Zombies you could generate those signatures anyway... -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Hashcash - was re: Spam fights
In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has been seen typing: Besides, with an army of Windows Zombies you could generate those signatures anyway... Why bother, when said windows machines will have perfectly good signatures stored on them somewhere already? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- Rens Houben |opinions are mine Resident linux guru and sysadmin | if my employers have one Systemec Internet Services. |they'll tell you themselves PGP key at http://swordbreaker.systemec.nl/~shadur/shadur.key.asc
Re: Spam fights
Quoting Russell Coker ([EMAIL PROTECTED]): Some of the anti-spam people are very enthusiastic about their work. I wouldn't be surprised if someone writes a bot to deal with CR systems. A bot to detect C-R queries and add them to the refused-mail ACL list would be most useful. ;-
Re: Hashcash - was re: Spam fights
On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote: In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has been seen typing: Besides, with an army of Windows Zombies you could generate those signatures anyway... Why bother, when said windows machines will have perfectly good signatures stored on them somewhere already? Presumably the signature would be based on the envelope recipient and therefore signatures you find on someone else's machine would not do any good. If it was otherwise then a single signature would work for an entire spam run. I am assuming that the sending machine would not store the signatures for messages it sent, which could be re-used if the spam messages were to have an ancient time-stamp. However this still wouldn't be of any great use, not many people have more than 10,000 messages stored in their sent-mail folder and the common case is far less. Capturing a lot of zombies to generate signatures would probably be easier than trying to find a machine that had a large sent-mail folder. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Spam fights
On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: We are allowing all emails from whitelits. Who is we in this context? Individual users or mailing list administrators? For unknown sender, automated confirmation request is send. If For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. This means that even though my anti-virus software is updated regularly I still get hit by viruses through those stupid confirmation messages! My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
I second that. If I receive a confirmation message I never respond to it! (well, when I first received such a message, I wanted to try how it works - that was the only confirmation I responded to). Maybe that's impolite, but I do not want to waste my time answering to that spam. Dmitry On Thursday 10 June 2004 11:58, Russell Coker [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: We are allowing all emails from whitelits. Who is we in this context? Individual users or mailing list administrators? For unknown sender, automated confirmation request is send. If For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. This means that even though my anti-virus software is updated regularly I still get hit by viruses through those stupid confirmation messages! My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! Me three. I take a confirmation thingy as a sign that the person doesn't really need my email. Hint: if you require confirmations from people who are replying to a request for help, don't expect much help. Mike Stone -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
challenge-response antispam systems in the BTS (was Re: Spam fights)
[this is offtopic here, but since the issue was raised on d-security, I thought I'd follow up there and move to d-devel if it's worth a discussion.] * Dmitry Golubev [Thu, 10 Jun 2004 12:27:04 +0300]: On Thursday 10 June 2004 11:58, Russell Coker [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: For unknown sender, automated confirmation request is send. If My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. I second that. If I receive a confirmation message I never respond to it! (well, when I first received such a message, I wanted to try how it works - that was the only confirmation I responded to). Maybe that's impolite, but I do not want to waste my time answering to that spam. has it been discussed before the usage of such systems by bug submitters? I've come up with this situation twice or so, and I found myself thinking what the hell, they're putting extra work on *anybody* wanting to help with *their* problem! so, do you think an address with such system qualifies as non-valid for the BTS? for me, I guess, it's pretty as if they had posted with [EMAIL PROTECTED] in the From: line. OTOH, if all mail to the submitter was sent to [EMAIL PROTECTED], the user could whitelist [EMAIL PROTECTED], but this is not common practice ATM and would also prevent us from stating our dislike for such systems. any thoguths? -- Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621 As an adolescent I aspired to lasting fame, I craved factual certainty, and I thirsted for a meaningful vision of human life -- so I became a scientist. This is like becoming an archbishop so you can meet girls. -- Matt Cartmill -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! If *I* receive a confirmation message, I always respond to it! That's because all confirmation messages I get are in response to spam with my address in the From field. If I confirm, the person sending me the confirmation message will be delivered the spam. If more people did this, confirmation senders would notice that the system doesn't work. Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Thu, 2004-06-10 at 04:58, Russell Coker wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. Here, here. Agreement on all fronts. If I get a challenge, I put it into /dev/null Whomever came up with those things (like TMDA and brethren), must have been pulling them out of /dev/ass -- [EMAIL PROTECTED] REMEMBER ED CURRY! http://www.iwethey.org/ed_curry Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup signature.asc Description: This is a digitally signed message part
Re: Spam fights
On Thu, 10 Jun 2004 18:58:33 +1000 Russell Coker [EMAIL PROTECTED] wrote: For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. Alain -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. 3 days ago I got blacklisted by outblaze when I got framed by some virus that triggered my majordomo to respond to a forged subscription request with an outblaze's spamtrap original address. Luckily, the outblaze postmaster was very quick to respond and whitelist me back. I don't actually know how to prevent this happening in the future. A bit unexpected mode of spamtrap operation, isn't it? V. P.S. maybe we should move the thread to NANAE? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Fri, 11 Jun 2004 06:03, Alain Tesio [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:58:33 +1000 Russell Coker [EMAIL PROTECTED] wrote: For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. It is not anti-social for a mailing list of (potentially) thousands of people to require a subscription before posting. It is anti-social for every idiot on the net to think that they are important enough to require a subscription from everyone who wants to send them email. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
I second that. If I receive a confirmation message I never respond to it! (well, when I first received such a message, I wanted to try how it works - that was the only confirmation I responded to). Maybe that's impolite, but I do not want to waste my time answering to that spam. Dmitry On Thursday 10 June 2004 11:58, Russell Coker [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: We are allowing all emails from whitelits. Who is we in this context? Individual users or mailing list administrators? For unknown sender, automated confirmation request is send. If For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. This means that even though my anti-virus software is updated regularly I still get hit by viruses through those stupid confirmation messages! My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! Me three. I take a confirmation thingy as a sign that the person doesn't really need my email. Hint: if you require confirmations from people who are replying to a request for help, don't expect much help. Mike Stone
challenge-response antispam systems in the BTS (was Re: Spam fights)
[this is offtopic here, but since the issue was raised on d-security, I thought I'd follow up there and move to d-devel if it's worth a discussion.] * Dmitry Golubev [Thu, 10 Jun 2004 12:27:04 +0300]: On Thursday 10 June 2004 11:58, Russell Coker [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: For unknown sender, automated confirmation request is send. If My response to these scumbags who send me the confirmation messages is that if they are on a mailing list I'm on then I black-list their email address if it's known (or their mail server if their email address is not clear). If a confirmation message appears to be in response to a virus then I respond to it. Let the scumbag get another copy of the virus... I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. I second that. If I receive a confirmation message I never respond to it! (well, when I first received such a message, I wanted to try how it works - that was the only confirmation I responded to). Maybe that's impolite, but I do not want to waste my time answering to that spam. has it been discussed before the usage of such systems by bug submitters? I've come up with this situation twice or so, and I found myself thinking what the hell, they're putting extra work on *anybody* wanting to help with *their* problem! so, do you think an address with such system qualifies as non-valid for the BTS? for me, I guess, it's pretty as if they had posted with [EMAIL PROTECTED] in the From: line. OTOH, if all mail to the submitter was sent to [EMAIL PROTECTED], the user could whitelist [EMAIL PROTECTED], but this is not common practice ATM and would also prevent us from stating our dislike for such systems. any thoguths? -- Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621 As an adolescent I aspired to lasting fame, I craved factual certainty, and I thirsted for a meaningful vision of human life -- so I became a scientist. This is like becoming an archbishop so you can meet girls. -- Matt Cartmill
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! If *I* receive a confirmation message, I always respond to it! That's because all confirmation messages I get are in response to spam with my address in the From field. If I confirm, the person sending me the confirmation message will be delivered the spam. If more people did this, confirmation senders would notice that the system doesn't work. Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Spam fights
On Thu, 2004-06-10 at 04:58, Russell Coker wrote: On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote: I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. Don't do it. Confirmation systems are just as bad as the problems that they try to solve. Here, here. Agreement on all fronts. If I get a challenge, I put it into /dev/null Whomever came up with those things (like TMDA and brethren), must have been pulling them out of /dev/ass -- [EMAIL PROTECTED] REMEMBER ED CURRY! http://www.iwethey.org/ed_curry Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup signature.asc Description: This is a digitally signed message part
Re: Spam fights
hi ya jaroslaw On Thu, 10 Jun 2004, Jaroslaw Tabor wrote: In mean time, I've found additional way for spam filtering, but it requires some development. The basic idea is simple and already in use: We are allowing all emails from whitelits. already done ... most MTA support a whitelist and blacklists For unknown sender, automated confirmation request is send. If confirmation comes, receiver can decide to put new sender on white or black list (by reply with prepared subject and token). I'm planning to develop this feauture, but It will be nice to hear from what you thing about this idea. if you're developing a challenge thingie ... don't bother ... (i'll be the 6th to discourage your efforts on that front ) if you're writing a whitelist/blacklist stuff ... why ??? but if you're writting code to take incoming spam, and add it to the blacklist automatically... that'd be tricky ... - what is the definition of spam ? (i say anyting that is left, after i finished reading the emails) - hundred dozens other definitions of what is spam - than i run my silly script and it all goes to the 'blacklist' - if you make your rbl ( blacklist ) available for others to use .. that has some merit .. as long as one can also prove that they spammed ya ( since spammers are sometimes sue happy ) - i hate and never reply to challenge systems and i go do business elsewhere - even those silly whois database queries at the domain registrars are starting to get super annoying c ya alvin
Re: Spam fights
On Thu, 10 Jun 2004 18:58:33 +1000 Russell Coker [EMAIL PROTECTED] wrote: For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. Alain
Re: Spam fights
For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. 3 days ago I got blacklisted by outblaze when I got framed by some virus that triggered my majordomo to respond to a forged subscription request with an outblaze's spamtrap original address. Luckily, the outblaze postmaster was very quick to respond and whitelist me back. I don't actually know how to prevent this happening in the future. A bit unexpected mode of spamtrap operation, isn't it? V. P.S. maybe we should move the thread to NANAE?
Re: Spam fights
On Fri, 11 Jun 2004 06:03, Alain Tesio [EMAIL PROTECTED] wrote: On Thu, 10 Jun 2004 18:58:33 +1000 Russell Coker [EMAIL PROTECTED] wrote: For mailing lists this can be achieved by making the list subscriber-only. For individual accounts such behaviour is very anti-social as it results in confirmation messages being sent in response to virus messages. Not if the message if refused by the smtp server before it's delivered, right ? It's not that antisocial to ask the 1% people who aren't subscribed to subscribe before sending a message. It is not anti-social for a mailing list of (potentially) thousands of people to require a subscription before posting. It is anti-social for every idiot on the net to think that they are important enough to require a subscription from everyone who wants to send them email. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
