Stefano, Thanks, you make a great point against reject emails.
It was not my intent to create a new reject email but rather to reject it at the incoming SMTP message level. But, as Serge mentions, I might not be able to do include the URL to apply for whitelist at the SMTP reject level, and anyway the mailet API does not support such functionality. I was counting on such capabilities to do rejects without the annoying side effects you mentioned. I obviously need to do more research into how to properly reject without causing extra emails. As to a whitelisted sender being infected by a worm and sending spam, I do not see that as a big flaw, especially if you already have an anti-virus filter on your inbound mail filter chain (a normal precaution). I can't imagine a huge number of spams coming that way, and it would be easy to contact the sender and warn him of his infection. Impersonating someone in my whitelist would probably be an issue, but should be manageable if combined with additional inbound checks like validating IP against DNS. -----Original Message----- From: ext Stefano Mazzocchi [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 03, 2004 10:23 PM To: James Developers List Subject: Why fighting spam with whitelists doesn't work [was Re: Contributing a mailet] On 3 Feb 2004, at 17:16, <[EMAIL PROTECTED]> wrote: > Stefano, I found your questions quite thought-provoking. Good. > Would you mind answering a couple of questions? of course not. > 1) I feel that no other solution other than pure whitelisting will work > in the long run. A whitelist approach estimates that the send is a human being (so that is able to judge and take an action) and that the from: address was not forged. Both are pathetically wrong assumptions these days, especially after SoBig and MyDoom worm outbreaks. > I have had my personal email address for many years > and there are days when I receive over 1000 spams per day. Join the club. > I am > currently using several public blacklists and SpamAssassin set at its > most aggressive setting, which worked for years until a few months ago, > but now spammers are getting very smart about bypassing normal > anti-spam > tools. I use bayesian filtering (bogofilter because it's very fast). It's good enough for almost all sort of spam, but the "random dictionary + image" type. But that's easily modelled with a rule engine (but I receive so few of them lately that it's not even worth bothering writing one) Over the last two weeks, I had 4800 spam messages and only 50 false negatives (99% correctness) and no false positive so far (even if it's admittedly hard to tell, my filter is better than I am in rating spam, that's for sure) My bogofilter database contains something like 30000 ham messages and 10000 spam messages from my own inbox and it's 35Mb big. The database is retrained differentially every 5 minutes so that it adapts to messages I move from my inbox to the spam folder or the various ham folders [i use my 'outbox' as ham folder as well, since I'm likely to like email that looks like the one I send out] > What alternative would you propose to whitelist-only email? a computational based approach for senders [see http://research.microsoft.com/research/sv/PennyBlack/] plus digital signatures for receives (so that you can check that the from address was forged or not) [see the one attached to this message] You will still need some sort of statistical analysis to remove that email that manages to come thru, but the volume would be dramatically reduced if they find a proper algorithm for the computation-based approach [which is very interesting problem from a research perspective] > 2) I know that creating a new "reply" email directed to the "from" or > "reply-to" address can be abused for relaying. no, that's not my concern. My concern is: if I'm *NOT* the one who sent that email, I don't want your stinking "are you really you" whitelist message because that's unsolicited email and that's exactly what we are trying to avoid in the first place! > But wouldn't a reject > of the incoming SMTP transaction itself (with an appropriate error > message) go back ONLY to the real sender? what real sender? you have no way to tell if the from: address is really the guy who sent the email with some sort of trust facility... and trust is not something that you can take for granted or write an algorithm in a piece of software for. > The point is that if somebody > isn't willing to go through some necessary hassle the first (and only > the first) time he sends email to me, then that person is not someone I > want to hear from - EVER. > I am assuming that the mailet API is called > -->before<-- the transaction is complete. And of course, there are > situations, like when joining a mailing list, where whitelisting would > have to be done in advance by the recipient. But please correct me if > I > am wrong. It's not about being right or wrong, it's about assumptions. You assume that the guy you receive email from is really the guy who sent it. This is a false assumption almost everyday. I receive so many "f**k you!" emails by people that believe I'm the one with the stinking worm that tries to infects them. While quite humorous, you are making the same incorrect assumption: I *DON'T* have a virus, it's somebody else's machine pretending to be me! That's why I have to sign email now. [even if some stupid email clients can't read or it scares people because they think that attachment is a virus!] From that matter, it doesn't make any difference on this planet if your whitelist server sends me "f**k you, stop it!" or "hey dude, are you a spammer?": since I didn't write you, such a message is unsolicited and therefore spam. So, in order to stop *your* spam, you are increasing mine. With all due respect, this is what I call a stupid solution. > BTW, OT, I hope you manage to avoid software patents in Europe. Here > in > the US they are already being used to kill many open source projects. > RedHat is already leaving key functionality out to avoid lawsuits (like > MP3 playing and other capabilities) and the cacerts.org site was down > for months because of a patent issue (but they eventually returned). That's FUD. Several of the things the foundation first introduced were later patented by corporations. They will never sue the foundation or nobody else because if they do they will be publically ridiculized (can you say SCO?). They do patent to prevent other corporations from sueing them. Patents are becoming defensive mechanisms, very few companes ever used them as offensive tools and the one who did did it because desperate and the markets reacts by killing them faster because they know that's the last resort so they sell the stocks. Don't get me wrong, I find the patent sitaution in the US ridiculous, but that's not even close to be as bad as you paint it. BTW, don't be paranoid about it, I don't think nobody will be willing to sue you for an idea that makes the problem even worse. -- Stefano.
smime.p7s
Description: S/MIME cryptographic signature