Jeff G. Posted January 29, 2004 Share Posted January 29, 2004 Challenge/Response (C/R) systems are bad for the Internet. Please see the following references: http://www.spamfaq.net/spamfighting.shtml#challenge_response http://www.politechbot.com/p-04746.html http://www.canoe.ca/CNEWS/TechNews/2003/06/08/106782-ap.html http://groups.google.co.uk/groups?selm=brt...88577.news.uni- berlin.de ( http://tinyurl.com/2zej3 ) As Larry would write: Please stop patronizing a spammer. Please stop making posts here as an organized attack from a spammer. Please read the previous messages. This subject is already under discussion in the newsgroup. Before starting fresh topics, please check out recent topics to see if there is one appropriate for adding your comments. Among other things, this helps those looking for the topic be certain they have read all the available comments regarding it. Even though there may be multiple similar topics from which to choose, nothing is served by you starting yet another topic. You can find recent topics by using the newsgroup or the latest web archive by date starting from: http://news.spamcop.net/pipermail/spamcop-help/ and choosing the upper right [ Date ] link in the matrix and going to the bottom of the resulting page. I posted to spamcop.help on 2004-01-22 at 13:18 EST -0500 (18:18 UTC): According to http://www.spamcop.net/w3m?action=checkblock&ip=140.174.9.91 : Query bl.spamcop.net - 140.174.9.91 140.174.9.91 is smtp2.mailblocks.com 140.174.9.91 listed in bl.spamcop.net (127.0.0.2) Since SpamCop started counting, this system has been reported about 70 times by about 10 users. It has been sending mail consistently for at least 14.8 days. In the past 48.4 days, it has been listed 16 times for a total of 25.7 days In the past week, this system has: Been detected sending mail to spam traps Been witnessed sending mail about 1720 times Other hosts in this "neighborhood" with spam reports: 140.174.9.93 A sample sent sometime during the 24 hours beginning Sat Dec 6 00:00:00 2003 GMT Friday 2003/12/05 19:00:00 -0500: Received: from -.-.com (-.-.com [140.174.9.91]) by -.-.net (Postfix) with SMTP id 9- for <-[at]-.com>- Sat, - Dec 2003 - - (-) Subject: - lose pounds - reminder From: mo.. at ..s.com A sample sent sometime during the 24 hours beginning Fri Dec 12 00:00:00 2003 GMT Thursday 2003/12/11 19:00:00 -0500: Received: from -.-.com (-.-.com [140.174.9.91]) by -.-.- (Postfix) with SMTP id -9-9- for <->- Fri, - Dec 2003 - - (-) Subject: - hard - find louis - reminder From: ja.. at ..s.com A sample sent sometime during the 24 hours beginning Mon Dec 15 00:00:00 2003 GMT Sunday 2003/12/14 19:00:00 -0500: Received: from [140.174.9.91] (-.-.com)- by -.-.-.net with smtp id - for -[at]-.-.-.- Mon, - Dec 2003 -9 - Subject: - get the car you want - authorize From: ly.. at ..s.com A sample sent sometime during the 24 hours beginning Tue Dec 16 00:00:00 2003 GMT Monday 2003/12/15 19:00:00 -0500: Received: from [140.174.9.91] (-.-.com) by -.-.-.net with smtp id - for -[at]-.-.-.- Tue, - Dec 2003 - - Subject: - get the car you want - reminder From: ly.. at ..s.com A sample sent sometime during the 24 hours beginning Mon Jan 12 00:00:00 2004 GMT Sunday 2004/01/11 19:00:00 -0500: Received: from - (- -.-.com) ([140.174.9.91]) (- <>)- by -.9-.-.- (qmail-.-) with - for <-[at]-.->- - Jan 2004 - - Subject: - hello - authorize From: be.. at ..s.com According to http://www.spamcop.net/w3m?action=checkblock&ip=140.174.9.93 : Query bl.spamcop.net - 140.174.9.93 140.174.9.93 is smtp3.mailblocks.com 140.174.9.93 listed in bl.spamcop.net (127.0.0.2) Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 13.8 days. It has been listed for less than 24 hours. In the past week, this system has: Been reported as a source of spam less than 10 times Been witnessed sending mail about 370 times Other hosts in this "neighborhood" with spam reports: 140.174.9.91 A sample sent sometime during the 24 hours beginning Sat Jan 17 00:00:00 2004 GMT Friday 2004/01/16 19:00:00 -0500: Received: from 140.174.9.93 (- -.-.com) (140.174.9.93) by -.-.-.com with - Sat, - Jan 2004 - - - Subject: your assistance From: ss.. at ..s.com Please stop your Challenge/Response (C/R) system from sending mail to SpamCop's spamtraps. If that is not possible, please stop it from sending mail. Your systems will be independently delisted automatically 48 hours after the last mail hits SpamCop's spamtraps from each of them. If that is not possible, please stop complaining here and find a better service. The following text by Merlyn has helped others to understand the process in the past: Lets go through this step by step together. Please read this carefully and do not just scan it otherwise you will not understand the process. 1.) If you did not post the entire message you received about your email being blocked it will be very hard to help you solve your problem. 2.) Next we will talk about why Spamcop cannot block your email. Spamcop has no access to your email. When you send your email it goes through your ISP's email server and travels through the Internet until it reaches the ISP's server of the person you are sending your mail to then their ISP's server routes it to their mailbox. Spamcop has no access to either server or to the process between servers. 3.) Next we will discuss why you think Spamcop blocked you email. You probably received a "bounced" email saying something like: 451 Blocked - see http://www.spamcop.net/bl.shtml?xxxx.xxxx.xxxx.xxxx: or email from xxx.com blocked,refused by Spamcop,see http://www.spamcop.net or Anything saying your email was "blocked" by Spamcop and they directed you to some page on the Spamcop site. 4.) Now we will talk about who is "really" blocking your email Remember how we discussed the way your email traveled from your computer to the recipients computer in #2? The only person who could block your email is the recipients ISP or the recipient themselves. Most likely the recipients ISP is using the Spamcop List (we will discuss this in the next part #5) and they have blocked this email because the sending ISP's server is a known source of spam on the Internet. You should be complaining to your ISP because they allow spammers to use their resources which in turn caused your email to get blocked. You ISP did receive complaints. You could also contact the recipients ISP asking them to "whitelist" you. They recipients ISP decided on their own to incorporate this list into their email server software. Now you say you do not send spam but before you get upset, read the next part about how this list is compiled by Spamcop. 5.) What is the Spamcop List and why do ISP's use it? Spamcop runs a service for reporting spam. This is a free service where people either send their spam email or copy their spam email in a form that parses the email to find out where it originated from. Once the amount of spam reaches a calculated amount the originating server is placed on the list of spammers. This list is made freely available to anyone running an email server to use to enable them to block email originating from known spam servers. This list only contains IP numbers and not email addresses as email addresses in the "From" field can be readily forged and are not reliable. The only reliable source is the IP address the spam originated from. for more detailed information on how Spamcop works see: http://www.spamcop.net/fom-serve/cache/3.html 6.) Final Notes (VERY IMPORTANT) Before you start getting upset just remember what brought you here. Your email was blocked, not by Spamcop but the ISP of the person you were sending your email to. Spamcop has no control over what they do with their servers. Also, get proactive and help stop the flow of spam. Complain to your ISP because it is their servers that are being blocked. Let them know that you are paying for email service in your contract with them and they are not able to provide you with this service because they allow spammers to abuse their servers. I think you would agree with me that everyone is tired of receiving mortgage quotes, penis enlargement, breast enhancement, weight loss, nude 40 year old teenage sluts, Viagra, vacation, lottery, prescription drug, business opportunities, genealogical, university degrees, gambling, get rich quick, MLM, pyramid schemes, Web Cams, Russian brides, work from home, stock scams, pirated software and everything else that is force fed into our inboxes. If you have any more questions please post them here, there are many people willing to assist. And remember most people in this group are here to help you and they did not block your email so do not take your wrath out on them. HTH HAND Link to comment Share on other sites More sharing options...
brucewagner Posted January 29, 2004 Share Posted January 29, 2004 Barcardi.com blocks Mailblocks.com email..... Thanks to Spamcop.... Bold Funding, Inc. 800-913-BOLD tel 800-FAX-0510 fax http://boldfunding.com -----Original Message----- From: postmaster[at]bacardi.com To: bold[at]mailblocks.com Sent: Thu, 29 Jan 2004 00:02:45 -0500 (EST) Subject: Your message: bold-0ciz0AOaPhwEiNLUl3ZdHj3/yK9fMSZ[at]mailblocks.com has been rejected Your message check out the web site... has been rejected by the Bacardi MailSweeper service. If you feel that this message has been rejected in error, please contact the recipient directly. Server: USBRS017[at]Bacardi.com Rule: Scenarios/Incoming/DNSBLSite: The operation completed successfully. Text Analysis ResultsThis report describes the search expressions found in this message.Scenarios/Incoming/DNSBLSite found the following search expressions in 'X-DNSBLSITE': The phrase 'bl.spamcop.net' was found at the location(s): . Link to comment Share on other sites More sharing options...
brucewagner Posted January 29, 2004 Share Posted January 29, 2004 Mailblocks.com is THE solution to spam! Would someone please remove the Mailblocks.com servers from your spammers lists. By including Mailblocks.com servers on your "blacklist", you are recommending that subscribers to your list NOT accept email from these servers. Your recommendation is causing damage to all the legitimate users of Mailblocks.com who are simply TRY TO AVOID AND DEFEAT spam! Your recommending that organizations not accept email from Mailblocks.com users is an ABUSE of the responsibility you claim to promote. If someone at spamcop does not correct this problem by removing legitimate servers from your "blacklist" of recommendations, the result WILL be.... The organizations are going to continue to hear a fury of backlash against the use of the flawed Spamcop lists, and your "blacklists" will become irrelevent. You owe it to the cause of defeating spam, if that is your real intention and motivation at all....., to correct this fatal flaw in your system. Yet...... No..... Wait.... Spamcop is getting $1,000 per subscription to its blocklist.... If that list becomes deemed as unusable, due to furies of complaints from legitimate users... Spamcop stands to lose a LOT of money... not to mention the damage to their reputation. Bruce Wagner President Bold Funding, Inc. Chicago, Illinois 312-951-7960 bred[at]mailblocks.com Link to comment Share on other sites More sharing options...
Chris Parker Posted January 29, 2004 Share Posted January 29, 2004 Mailblocks.com is THE solution to spam! No, mailblocks.com generates spam. If I didn't send a message to anyone using their system, why should I have to deal with challenge messages in response to spam with forged headers? mailblocks can *easy* fix their problem. Have them contact me. Would someone please remove the Mailblocks.com servers from your spammers lists. They will come off the list 48 hours after mailblocks stops spamming. By including Mailblocks.com servers on your "blacklist", you are recommending that subscribers to your list NOT accept email from these servers. Yup. Your recommendation is causing damage to all the legitimate users of Mailblocks.com who are simply TRY TO AVOID AND DEFEAT spam! You cannot defeat spam by creating it. If someone at spamcop does not correct this problem by removing legitimate servers from your "blacklist" of recommendations, the result WILL be.... result will be what? nothing? You owe it to the cause of defeating spam, if that is your real intention and motivation at all....., to correct this fatal flaw in your system. The flaw is with mailblocks, not spamcop. Yet...... No.....  Wait....  Spamcop is getting $1,000 per subscription to its blocklist.... Nope, free for almost everyone. Link to comment Share on other sites More sharing options...
brucewagner Posted January 31, 2004 Share Posted January 31, 2004 If you have a challenge-response system... If, for example, you have a mailblocks.com account.... And a spammer forges your email address as the FROM address to 58,000,000,000 addresses.... How many auto-replies will you receive? How many info-replies will you receive? How many error-in-sending messages will you receive? How many challenge-response messages will you receive? You will receive exactly zero (0). Because if you did not first SEND to THAT address..., ALL mail FROM that address will not get through to you. Therefore, no spam. You will receive zero, zip, nada... <<<NOW>> Let me ask you this...... If you have an ordinary run-of-the-mill email service... And a spammer forges your email address as the FROM address to 58,000,000,000 addresses.... How many auto-replies will you receive? How many info-replies will you receive? How many error-in-sending messages will you receive? How many challenge-response messages will you receive? Maybe, ahhhh..... 580,000 or so......? CONCLUSION MADE SIMPLE: You need a challenge-response system... perhaps a mailblocks.com account.... They're free now, by the way. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted January 31, 2004 Share Posted January 31, 2004 CONCLUSION MADE SIMPLE: You need a challenge-response system So everyone in the world needs a C/R system? I don't think so. Why can't you see that sending an unsolicited challenge to someone who did not send the original message is WRONG? For instance, my system at work (not spamcop) rejected 65% of the incoming email (9000/13000) as spam (this does not count the virus messages). Now, I have yet to see more than about 0.001% of spam that has a return address of the actual spammer. SO, if I were using C/R, I would not see the spam (same as now) but 13000 other people would receive an unsolicited message from my system asking if they sent the message. My system would not only still need to download ($ for bandwdth) and hold ($ for storage) those messages for responses to come back, it would also need to send the challenge (more $ for bandwidth) and wait ($ for time). Also, if we are to believe the spammers (I don't but I am using their number to make a point) 60% of confirmations will not be returned. So now, my 9000 customers is reduced to 3600 because they refused to jump through my hoops. This does not even take into account the extra strain on the internet needing 3 separate messages to deliver the first (I know that senders are whitelisted, but most of our messages are from new sources each week). CONCLUSION MADE SIMPLE: C/R does not make $en$e. Link to comment Share on other sites More sharing options...
HillsCap Posted February 2, 2004 Share Posted February 2, 2004 My question is (and I really do want an answer to this question... it's been bugging me for a while now...): If everyone had C/R, and some spammers created forged headers and sent out 1,000,000 emails with those forged headers to addresses that were supposedly protected by a C/R system, would 1,000,000 people receive a false C/R email? If not, what does happen? If so, C/R is flawed, because it allows the spammers to monkey with the system. spam is considered unsolicited email... if the flaws in the C/R system allows forged headers in emails to cause unsolicited C/R emails to go out, then that C/R system is, indeed, spamming people. Now, don't get me wrong... I absolutely love the idea of C/R. It's like a guard at your front door, calling out, "Halt, who goes there!", and keeping the riff-raff out of your home. But, if it's flawed, it's flawed. Which is too bad, because I think the combination of C/R and SpamCop would be something that would knock spammers off the map. If we had some way to report obvious spams from the server (so you wouldn't even have to download them to your mail client), and the C/R system (so only legitimate emaillers (and unusually persistent spammers) would get through, that'd be some awesome combination. And the unusually persistent spammers would then get reported! Perhaps, instead of fighting, you should find a way to get the systems working together... then form a collaborative effort to offer both SpamCop and C/R as one bullet-proof spam abatement system. Link to comment Share on other sites More sharing options...
WB8TYW Posted February 2, 2004 Share Posted February 2, 2004 If everyone had C/R, and some spammers created forged headers and sent out 1,000,000 emails with those forged headers to addresses that were supposedly protected by a C/R system, would 1,000,000 people receive a false C/R email? If not, what does happen? Many networks will stop accepting the challenges. Some networks have already taken that action. If the challenge reponse system used SMTP reject codes, then there would not be much of a problem with challenges going to innocent victims. -John Personal Opinion Only Link to comment Share on other sites More sharing options...
brucewagner Posted February 2, 2004 Share Posted February 2, 2004 If the challenge reponse system used SMTP reject codes, then there would not be much of a problem with challenges going to innocent victims. Hey! I don't pretend to be technical enough to understand the details... But THIS certainly sounds like a solution! Is it possible that C/R systems (Are you listening, Mailblocks Folks?) could use SMTP (whatever that means) to insure that thier C/R messages are really being sent to the real sender... and not innocent victims??? Link to comment Share on other sites More sharing options...
brucewagner Posted February 2, 2004 Share Posted February 2, 2004 My question is (and I really do want an answer to this question... it's been bugging me for a while now...): If everyone had C/R, and some spammers created forged headers and sent out 1,000,000 emails with those forged headers to addresses that were supposedly protected by a C/R system, would 1,000,000 people receive a false C/R email? If not, what does happen? The way you phrased this question, as I understand it... as a C/R user myself (mailblocks.com), the answer is.... No. No one would receive a C/R message. Reason: You question stated "If everyone had c/r..." If everyone had C/R, then no. None of those 1,000,000 people who had their email address forged into the From line would ever receive a C/R message.... BECAUSE.... and only because.... they are protcect by their OWN C/R... Anyway.... I'm interested in hearing more about this SMPT thing... Is it possible to parse an email's headers and VERIFY that the FROM address "MATCHES" the IP address the message originated from...??? If so, how reliable would such a method be? This would only work if there were lookup tables maintained somewhere?? Or would the lookup simply use the internet's own DNS servers? Would there be any, normally occurring, exceptions to this rule? (i.e. Where it would be a normally occurring situation that the FROM address did NOT match the IP address of the sender.) It seems to me that this would only work if: (1) It were 100% reliable, and (2) There were no normally ocurring exceptions. For example, what if I use my Yahoo Mail account when I am travelling... But I have a Reply To address is an email address at my employer's company domain. The sending IP address would not match the email address in the Reply To.... that's for sure. Am I totally misunderstanding how this SMTP concept could work? Link to comment Share on other sites More sharing options...
HillsCap Posted February 2, 2004 Share Posted February 2, 2004 Well, I was wondering... if one C/R system sent out a C/R email in response to the spam, and the receivng C/R system got that C/R email, and sent a C/R response to be sure it was a legitimate email sender, then would the first C/R system then send a C/R email in response to the second C/R system's C/R email, which was in response to the first C/R system's C/R email... Ok, now I'm confused! What's to stop the various C/R systems from just bouncing C/R emails off each other, ad infinitum? And what happens to the C/R emails that should be sent in response to the original spam with forged headers? Link to comment Share on other sites More sharing options...
brucewagner Posted February 2, 2004 Share Posted February 2, 2004 Well, I was wondering... if one C/R system sent out a C/R email in response to the spam, and the receivng C/R system got that C/R email, and sent a C/R response to be sure it was a legitimate email sender, then would the first C/R system then send a C/R email in response to the second C/R system's C/R email, which was in response to the first C/R system's C/R email... Ok, now I'm confused! What's to stop the various C/R systems from just bouncing C/R emails off each other, ad infinitum? And what happens to the C/R emails that should be sent in response to the original spam with forged headers? It's really not all that complex. Think: Auto-Reply. C/R works in almost the same way... What happens if my auto-reply triggers your auto-reply....? The systems are smart enough to only send it once.... per address. As to "what happens to the original message?"..... It is stored in a pending folder for somewhere between 4 days and 14 days (depending on the user's preference settings), then it is automatically deleted forever. In other words, no one ever sees it and it is silently, painlessly, killed. Also Note: If I send you a message, your address is automatically entered into my Approved Addresses list. You will NEVER recieve a c/r message from my system. Never. Ever. ONLY if you send me a message first, AND I've never sent one to you before, AND you've never verified yourself with my c/r before... THEN, and ONLY THEN, will you get a c/r message from my system. Once you verify yourself as a human, OR I add you to my addressbook, OR I send you an email, you will NEVER EVER get another c/r message from my system again... Link to comment Share on other sites More sharing options...
Miss Betsy Posted February 2, 2004 Share Posted February 2, 2004 My question is (and I really do want an answer to this question... it's been bugging me for a while now...): If everyone had C/R, and some spammers created forged headers and sent out 1,000,000 emails with those forged headers to addresses that were supposedly protected by a C/R system, would 1,000,000 people receive a false C/R email? If not, what does happen? The way you phrased this question, as I understand it... as a C/R user myself (mailblocks.com), the answer is.... No. No one would receive a C/R message. Reason: You question stated "If everyone had c/r..." If everyone had C/R, then no. None of those 1,000,000 people who had their email address forged into the From line would ever receive a C/R message.... BECAUSE.... and only because.... they are protcect by their OWN C/R... Then in your scenario, there would be 1,000,000 messages sent to forged addresses and a challenge returned to the forged return path who would challenge them and then there would be another challenge until all internet traffic was bogus challenges going back and forth. As a matter of reality, when spammers send email to a challenge response with a forged return path, the person whose email has been forged gets the challenge which is really annoying - as annoying as spam. I don't see the point to challenge/response. Either I know a person's email address or I don't. If I do, it is because s/he gave it to me to use in which case most email programs have a way to whitelist names which s/he could do. Miss Betsy Link to comment Share on other sites More sharing options...
StevenUnderwood Posted February 2, 2004 Share Posted February 2, 2004 Then in your scenario, there would be 1,000,000 messages sent to forged addresses and a challenge returned to the forged return path who would challenge them and then there would be another challenge until all internet traffic was bogus challenges going back and forth. Miss Betsy: I'm not sure it would work that way if (and only if) every mailbox was protected by challenge/response and they were programmed to recognize a challenge from another system. I don't like C/R either, because you will never get everyone using it, but follow this logic for one message. This is similar to the example posted earlier with some extra description added in. Spammer sends message to mailbox A. Mailbox A sends a challenge to the forged sender mailbox B. Mailbox B recognizes* this is a challenge of a message allegedly sent by user B, compares to find no original message is sent (user A is not on the whitelist), and simply drops the challenge. Now where this can break down is if the spammer can send the message to user A forged from an already trusted user B, the spam will get through anyway. While it is unlikely now, if (and only if) everyone was using challenge/response the odds of this happening go down. I already have seen messages arriving at my home account with forged users (non existent) from my work domain. Presumably, those would be white listed on many of these accounts and bypass the system. Steve Link to comment Share on other sites More sharing options...
Miss Betsy Posted February 2, 2004 Share Posted February 2, 2004 It was just a "what if" scenario since not everyone will use a challenge and response system - primarily because most people do not need it. I do not get emails from people I do not know except for spam. Miss Betsy Link to comment Share on other sites More sharing options...
brucewagner Posted February 2, 2004 Share Posted February 2, 2004 It was just a "what if" scenario since not everyone will use a challenge and response system - primarily because most people do not need it. I do not get emails from people I do not know except for spam. Miss Betsy, That is the whole point of challenge-response. You receive lots of mail from people you don't know... And it is called spam. The whole point is to eliminate the need for you to actually manually spend some of your own time, every single day of your life, sifting through trash emails (spam)... for no reason. And besides, although I may be the minority, I have nearly 6,000 names in my Palm PDA addressbook. These are actual friends, contacts, family, associates, acquaintences, mistresses , whatever... I could certainly never remember (memorize) all 6,000 of their email addresses and recognize them.... manually. However, my challenge-response system has automatically accumulated 3,635 of them for me.... so far... And it recognizes email from each of them automatically. I couldn't live without it! In fact, before I had challenge-response I used to spend a minimum of an hour a day sifting through all the spam in all 6 of my email accounts.... Now, nothing is there.... except REAL messages from REAL humans that I WANT to hear from.... I love it! Link to comment Share on other sites More sharing options...
jefft Posted February 2, 2004 Share Posted February 2, 2004 Miss Betsy, That is the whole point of challenge-response. You receive lots of mail from people you don't know... And it is called spam. The whole point is to eliminate the need for you to actually manually spend some of your own time, every single day of your life, sifting through trash emails (spam)... for no reason. Bruce, The problem, IMO, is that what you have done is shift the burden for managing your mailbox from yourself to everybody who emails you. Sure, it's effortless for you. But everybody who emails you gets at least one extra email in their box. More if they don't answer the first email right away. Everybody who emails you has be go to the website of a company with which they might not be familiar. Everybody who emails you has to agree to validate their email address and have it stored in the database of a third-party company. What is that company going to do with those addresses? If I email you, how long do I have to look around the mailblocks.com website to find those answers? And I can't use the link your challenge sends me to find those answers, because by then it's too late. You may think this is silly, but there's already been a well-publicized case where a big challenge-response company did indeed start spamming the addresses of people who had emailed their customers. When called on the carpet, they stated that they had every right to do so, but agreed to stop for the time being. And while you may assert that mailblocks is trustworthy, what about all the other challenge-response companies out there? Even if you don't care about privacy or databases of email addresses, the fact of the matter is that you have just shifted your hassle onto others. You may think that's just fine, but I think it's rude. I won't use challenge-response systems and I won't answer challenges, either. JT Link to comment Share on other sites More sharing options...
Miss Betsy Posted February 3, 2004 Share Posted February 3, 2004 That is the whole point of challenge-response. You receive lots of mail from people you don't know... And it is called spam. The whole point is to eliminate the need for you to actually manually spend some of your own time, every single day of your life, sifting through trash emails (spam)... for no reason. And besides, although I may be the minority, I have nearly 6,000 names in my Palm PDA addressbook.  These are actual friends, contacts, family, associates, acquaintences, mistresses , whatever... I could certainly never remember (memorize) all 6,000 of their email addresses and recognize them.... manually. That is the whole point of challenge-response. You receive lots of mail from people you don't know... And it is called spam. The whole point is to eliminate the need for you to actually manually spend some of your own time, every single day of your life, sifting through trash emails (spam)... for no reason. I did that by changing my email address. Before that I used spamassassin which was very good at catching spam. I understand that there are other filters that have almost no false positives and let very few spam through if you don't want to change your email address And besides, although I may be the minority, I have nearly 6,000 names in my Palm PDA addressbook.  These are actual friends, contacts, family, associates, acquaintences, mistresses , whatever... I could certainly never remember (memorize) all 6,000 of their email addresses and recognize them.... manually. There is another way to remember and receive only emails from people you want. It is called a "whitelist" If you use a whitelist or a filter, then you aren't aggravating the spam problem by forwarding spam on to other innocent people. It is kind of like cleaning your yard of dog poop by scooping it into your neighbor's yard. If you get a lot of emails from people who are not in your address book already, then a good filter is a much better solution. If you don't get emails from strangers, then using a whitelist would make you a better netizen. Miss Betsy Link to comment Share on other sites More sharing options...
WB8TYW Posted February 3, 2004 Share Posted February 3, 2004 Anyway.... I'm interested in hearing more about this SMPT thing... Is it possible to parse an email's headers and VERIFY that the FROM address "MATCHES" the IP address the message originated from...??? That is called an rDNS check, and it does not check the FROM: address, it verifies that the sending mail server is who it says it is. If so, how reliable would such a method be? It is only about 80% reliable. 20% of the spam has a correct rDNS according to the people that have tested it. All mail servers are required to have a working rDNS entry according to RFC, but there is a small fraction of real mail servers that are misconfigured. And it seems that the spammers were quicker to fix their rDNS entries than the real mail servers operators were. This would only work if there were lookup tables maintained somewhere?? Or would the lookup simply use the internet's own DNS servers? The rDNS entry is supposed to be in the DNS server for the mail server. By itself, a bad rDNS is a strong indicator that the incoming message is spam. Would there be any, normally occurring, exceptions to this rule? (i.e. Where it would be a normally occurring situation that the FROM address did NOT match the IP address of the sender.) With SMTP based rejects that does not matter at all. The receiving mail server terminates the SMTP mail transaction with a 5xx failure code, and in the case of a Challenge Response, the instructions for appealing the mail rejection are placed in the rejection notice. If the sending mail server is a real mail server, it takes the code and the text and builds a non-delivery message to the FROM: or envelope information, and delivers it to the sender. If the sending mail system is a compromised system, it just drops the SMTP transaction and moves on to the next spam message. It seems to me that this would only work if: (1) It were 100% reliable, and (2) There were no normally ocurring exceptions. It is as reliable as SMTP E-mail can be. The sending mail server (unless it is an open relay) will trust that the original sender is valid, so it can safely generate the non-delivery report with the challenge information. Most mail servers will not accept any e-mail from open relays, so in that case the non-delivery message will be rejected along with the rest fo the spew from the open relay. It will deliver the challenge message to the sender if it is a real sender. Complaints about incorrect challenges would go to the network that is infected with a spammer or a virus. Spamtraps would list either mail server or the system of the network that is compromised. It is not likely that many innocent victims will get challenges either. For example, what if I use my Yahoo Mail account when I am travelling... But I have a Reply To address is an email address at my employer's company domain. The sending IP address would not match the email address in the Reply To.... that's for sure. The SMTP reject/ challenge will go to the sending address, not the reply to. The challenge will be dellivered by the sending mail server. Am I totally misunderstanding how this SMTP concept could work? Yes. When a mail server gets a e-mail message, all it knows at the beginning is a few things, including the mail server address, and the name that the mail server claims to be. Everything else about the e-mail message can not be trusted. And can not even be looked at until the mail server agrees to pay for the bandwidth to accept the e-mail. As I stated before, the charge for legitimate e-mail to one of my postmasters is over $2,300 per month. If they accepted e-mail from identified spam sources, then the costs per month would be double or triple. The first check that most mail servers do is look at a local list of trusted senders, and passes it through. Then the mail servers check if the I.P. address is on a list of forbidden senders. For conservative blocking with almost zero loss of real e-mail, the following types of lists are normally used: Local blocking lists of I.P. addresses that the postmaster has given up on. Open Relay lists. Open Relays are blocked universally even though there is a chance of them sending a real e-mail. There is little point in sending a challenge to an open relay. It can not be trusted. Any challenges that are not SMTP reject based to an open relay are going to either be undeliverable or to innocent victims and is abusive. Sending challenges to these are a good way to get the sending mail server in local and other blocking lists. Open Proxy lists should then be used, and there is almost no chance of an open proxy delivering a real e-mail, and there is no point in sending a challenge to them. As above, sending challenges to e-mail from open proxies will either be undeliverable, or to an innocent victim, and is a good way to get the sending mail server in local and other blocking lists. xbl.spamhaus.org is a list that is becoming widely used. Another standard check is sbl.spamhaus.org. This lists I.P. addresses that are known to be owned or controlled by spammers. On rare occasion when a network is allowing extreme abuse, spamhaus.org will list the entire network. The spammers that are in spamhaus.org are likely to find a way to answer challenges, or try dictionary attacks until they find an address that is whitelisted in response to the challenges. Even though they know someone using a C/R is not likely to buy from their spew, some of them will make sure the spam will get through to try to convince you that you can not stop them. The chances of getting a real mail from an I.P. address in sbl.spamhaus.org is probably lower than getting a real e-mail from an open relay. So sending a challenge to them is likely a waste of time. And then a conservative DHCP/DUL list would be standard like the commercial MAPS-DUL. This will eliminate almost all of your spam, and if there is an error, the SMTP rejects will notify the sender that they have a problem. And since this is a baseline for many mail servers, it is not likely that any senders that fail these tests are getting many people to accept their e-mail. Again, at this point, you have eliminated almost all of your spam, and have avoided both bandwidth charges, and mail server overhead. Next you can look at the more aggressive blocking lists, the ones that are known to occasionally cause real e-mail to be rejected. dul.dnsbl.sorbs.net is a listing of DHCP addresses. It is mostly accurate, but some networks refuse to properly identify client mail servers. Almost 99% of delivery attempts that you will get from listed addresses will be spam, but there is a possibility that a reail e-mail will come from them. A spamcop.net is a listing of I.P. addresses that spam has been reported from. It does list real mail servers from time to time, but it is unusual for a real mail server to get listed. But still it is too agressive to recommend for direct blocking to a general population. If the sending address is in dul.dnsbl.sorbs.net and a bl.spamcop.net listing, then the odds of it being a real e-mail is about NILL. If the sending address has bad rDNS and a bl.spamcop.net listing then the odds of it being a real e-mail is about NILL. But again, because it costs real operational cash to accept e-mail, many networks will reject based on those two lists. Over all, they have found the lists to be accurate for their needs. They can always whitelist an address that they care about. In a way, my public e-mail addresses are protected by challenge response. If a real e-mail gets rejected, the sender gets a message as to why their e-mail was not accepted. But it is sent to them by their own mail server, not by mine. In the case of one postmaster, the instructions refer to a web page that states the person can either send an e-mail from a different network, or fax instructions. The last time that postmaster posted a status, there had been no requests for an exemption to the I.P. based spam blocks, either by a sender or a receiver. So if he challenge response method used SMTP reject codes, I doubt if you will find anyone complaining about it. Because then it fits in with normal operation of e-mail. But consider that Challenge reponse can not be used for many types of normal e-mail, and that include rebate confimations, and catalog order confirmations, etc. Most of those will not respond to challenges, and you have no way to predict what e-mail address they will come in on. Many e-mail support systems will send from a different e-mail address than they accept e-mail on, so autowhitelisting will still not catch them. So in order to make sure that no mail is missed, you will have to look over the messages that no challenge was received for. Which basically negates the whole purpose of having a spam filter. And if a challenge response method is based on e-mail addresses and not I.P. addresses, it will fall victim if the spammer can guess what e-mail addresses that you have whitelisted. I see the lowest complaints about spam and lost e-mail from systems that use DNSbls to reject spam before it enters the system. And those mail servers have the highest availabilty, even the ones that are not implemented in fault tolerant configurations. I see the most complaints about spam and lost e-mail from systems that attempt to accept all e-mail and then classify it as spam by examining the content. When those systems make an error on what they classify as as spam, usually neither the sender or the receiver knows about it for some time if ever. -John Personal Opinion Only Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.