in reply to (OT) Fighting spam

RMX, like DSP (Designated Sender Protocol) won't work. Some smarter people than I have already commented on the issue.

Let me add my own observations. RMX and DSP require everyone to participate for it to work. If some people don't bother to implement it, and you wish to receive mail from them, then you have to special-case them. That takes effort. It doesn't work for me, now.

Given the current state of affairs, with the pitiful levels of adherence of the current recommendations, it is illusory to believe that people would implement the new recommendations correctly.

Today, I see people running SMTP servers with incorrect or absent reverse DNS records (PTRs). I see people with MX records that point to CNAMEs, or worse, numeric IP addresses.

I see people connecting to my servers with my IP address, or my domain name, in their HELO string. I see hotmail servers connecting to me with "HELO hotmail.com", rather than giving the FQDN of the machine. Which makes it harder to stop forged hotmail.com messages. If everyone respected the current RFCs (and read the recommendations as s/should/must/g) things would already be a whole lot better. Until then, there's not much point adding one more damned thing to go wrong into the picture.

I also see people connecting to me with "HELO yahoo.com" or "HELO compuserve.com". And no legitimate SMTP server from these domains announces itself that way. So I can block them, and reject their e-mail, right up front, before I see their data.

I block 90% of the incoming spew merely by running simple correlation checks against the envelope (the HELO, the MAIL FROM and the RCPT TO). I delete a bit more by examining the subject line. Send me a message with a subject of "Hi" and you'll get a bounce "only spammers say 'hi'". A message with 10 or more consecutive spaces is also grounds for rejection. I refuse connections from ADSL/cable dialups and similar residential addresses.

With that in place, a trickle of spam still comes through. That can be caught with content-filtering. While the spam in Andy Lester's example fools Bayesian scoring, it won't fool Markov chain analysis. The odds of finding the word stream "fixed for rough pencil final happy" in a legitimate message are as close to zero as there is precision in current hardware floating point implementations. (And you are of course not subjecting your usual group of servers you exchange messages with to these rules, are you? If a friend wants to joke with me about how I should enlarge my penis, I want to hear about it.)

Adaptive blacklists, like Vipul's Razor, and greylisting are other techniques worth investigating. I don't really care to win the spam battle, I just want to make it not worth a spammer's time to try and send me their spew. If enough people do that, it will be enough.
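The envelope and subject checks the post describes (HELO claiming the receiving server's own name or address, a bare freemail domain in HELO, a subject of "Hi", ten or more consecutive spaces, residential PTR names), as an added example that is not the poster's code. The server identity, the PTR tokens and the sample sessions are constructed, and the relay check is an assumption of standard practice rather than a rule the post states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed identity of the receiving server (assumption, not from the post).
MY_DOMAIN = "example.org"
MY_IP = "192.0.2.10"
# Legitimate MTAs at these domains announce an FQDN in HELO, never the bare domain.
BARE_DOMAIN_HELOS = {"hotmail.com", "yahoo.com", "compuserve.com"}
# Constructed PTR fragments standing in for "ADSL/cable dialups and similar".
RESIDENTIAL_PTR_TOKENS = ("dsl", "cable", "dialup", "dyn", "pool", "ppp")

@dataclass
class Envelope:
    ptr: str            # reverse DNS name of the connecting host ("" if none)
    helo: str
    mail_from: str      # carried for logging; these checks key on HELO and RCPT TO
    rcpt_to: str
    subject: str = ""   # known only after DATA, so it is checked last

def check_envelope(env: Envelope) -> Optional[str]:
    """Return a rejection reason, or None if the message passes every check."""
    helo = env.helo.strip().lower()
    if any(t in env.ptr.lower() for t in RESIDENTIAL_PTR_TOKENS):
        return "residential address"
    if helo in (MY_IP, MY_DOMAIN):
        return "HELO claims to be this server"
    if helo in BARE_DOMAIN_HELOS:
        return "bare domain in HELO; legitimate %s servers use an FQDN" % helo
    # Relay check: an assumption here, standard practice rather than a post rule.
    if env.rcpt_to.rsplit("@", 1)[-1].lower() != MY_DOMAIN:
        return "relaying denied"
    subject = env.subject.strip()
    if subject.lower() == "hi":
        return "only spammers say 'hi'"
    if re.search(r" {10}", subject):
        return "10 or more consecutive spaces in subject"
    return None

# Constructed sessions: three of the patterns the post rejects and one friendly one.
SAMPLES = {
    "forged_hotmail": Envelope("host5.example.net", "hotmail.com",
                               "someone@hotmail.com", "me@example.org", "News"),
    "self_helo": Envelope("host6.example.net", MY_IP, "a@b.test", "me@example.org"),
    "hi_subject": Envelope("mx.c.test", "mx.c.test", "a@c.test", "me@example.org", "Hi"),
    "legit": Envelope("mx1.friend.example", "mx1.friend.example",
                      "pal@friend.example", "me@example.org", "Puppet stage question"),
}

def screen_all() -> dict:
    return {name: check_envelope(env) for name, env in SAMPLES.items()}
```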

Re^2: (OT) Fighting spam (use a layered defense)
by Aristotle (Chancellor) on Nov 16, 2003 at 21:56 UTC

    No one is interested in the battle with spam... we all just want a clean inbox. :)

    I agree with most of your points, and I know the weakness of requiring everyone to participate for RMX based defense to work. Still, if it was relied on strictly enough by a significant enough portion of the internet, the pressure to get your RMX RR right or perish would be significant. Even if only the large mail hubs (Hotmail, Yahoo and the many other freemailers) which are frequently used as forged senders implemented this (on both directions, their own RMX RR as well as requiring them from senders) that would be a step forward.

    A problem in general is that non-adherence to protocols is not currently punished (enough); which means neither spammers nor half the population of the internet make any effort to adhere. However, even if adherence were enforced, it still wouldn't be that hard to forge a sender address - which is where RMX comes in.

    Makeshifts last the longest.

      we all just want a clean inbox

      Ah, but we also want to retain the ability to receive legit mail from anyone, even people we've never got mail from before. (I have content on my personal website about puppetry, and about constructing puppet stages. I receive email from arbitrary people who found it in a web search, and wanted additional info about a particular facet of it, on a semi-regular basis. I don't want to make these people jump through extra hoops (web-based "mail" forms and similar) to contact me. Also I maintain a usenet FAQ (though I get fewer questions about that since it's an obscure one). Also, it seems wrong to penalize legitimate people who want to contact me, because of the abuses of a few utter losers.

      Still, if it was relied on strictly enough by a significant enough portion of the internet, the pressure to get your RMX RR right or perish would be significant. Even if only the large mail hubs (Hotmail, Yahoo and the many other freemailers) which are frequently used as forged senders implemented this (on both directions, their own RMX RR as well as requiring them from senders) that would be a step forward.

      You're daydreaming. The chances of a major ISP of any kind agreeing to reject possibly legitimate incoming mail because it doesn't comply with some new standard are roughly the same as the chances of Microsoft releasing the complete source code for the current version of Office under the BSD license, or Macromedia producing a useful piece of software.


      $;=sub{$/};@;=map{my($a,$b)=($_,$;);$;=sub{$a.$b->()}} split//,".rekcah lreP rehtona tsuJ";$\=$ ;->();print$/
Re: Re: (OT) Fighting spam (use a layered defense)
by Anonymous Monk on Nov 17, 2003 at 16:54 UTC
    I think proposals such as DSP are quite promising. (I'm not sure it's 'there' in its current proposal though). The only *real* problem with DSP is that some (relatively few, in reality) people want to be able to send mail from one domain through a non-related ISP's SMTP server. Now, a lot of ISPs are blocking this type of use in any case nowadays in an attempt to reduce spam being sent through their servers. Also, if you say that 'I must be able to send mail from any domain through any SMTP server I have access to', then you're essentially removing any possibility of a protocol based attack on spam - as this is ALL that spammers do, that is always detectable.

    You don't NEED to have everyone using something like DSP to let it help - you can feed it as another variable into a multi-layered spam filtering system. (e.g. if a message comes from a non-blocked DSP compatible domain, you could automatically white-list it, otherwise do your content filtering etc.) You could be cruel, and encourage people to implement it by modifying it so that only people who implement it themselves are allowed to use it :-)

    And, it's not hard to implement at the DNS level. Many mail servers have something similar built in for RBL lookups etc, so it wouldn't be hard for them to modify that. Once someone implements it, then, yes, they could send spam through their own servers, and a crude DSP check would allow it, but it would then be easier to block as you'd have easier checks to put in place as you'd know the email domain the message was coming from.