CircleID

Lovely. Given how many anti-spam companies there are, all claiming to possess the holy grail of anti-spam, can CircleID readers now expect to be presented with advertorials like this on a regular basis?

Without studying the matter beyond this article, it's pretty clear that Sendio's "SAV" technology is "Challenge/Response" by another name. Why not call it C/R? Marketing reasons? Not catchy enough compared to "SAV"? Or is it that Mailblocks claims to have a patent on Challenge/Response (http://about.mailblocks.com/press/press_0507_2003.aspx), and Sendio is trying to make their patent look different? (Or maybe they're the same company now—who has the time to follow the who's who of anti-spam products and patents?)

In any case, let me put my case as to why Challenge/Response technology is every bit as rude as spam itself (in the absence of mitigating technology such as SPF, which Golan refers to in rather patronising tones). C/R (or SAV as Golan would have it) is rude because it makes others do your spam filtering for you, as shown by the following example.

Say Sammy the spammer wants to send advertising to Alice. Sammy the spammer knows better than to put his own address on the outgoing mail, so he picks another address—but not just any address—Sammy uses the address of his arch-nemesis, Joe, who once cut off his Internet connection for violating the terms of service. When the anti-spam gateway at Alice's place picks up the mail, it sends a challenge to Joe, because Joe is listed as the sender. In fact, poor Joe is being inundated by challenges and bounced messages that unthinking and uncaring mail systems everywhere are spewing out, thanks to Sammy's falsified "from" address.

Without realising it, Alice is making Joe do her spam-filtering for her. If Joe responds to Alice's challenge, she'll get the spam, and Joe will get the blame—Sammy the spammer gets off scot-free. Only if Joe ignores the challenge—treating it like a piece of spam and just deleting it—will Alice have her spam-free day. Note that carefully: Alice eliminates one piece of spam by making Joe deal with it for her. This situation is fine if you're Alice, but not so great if you're Joe. And if your name is already on a spammer's list, maybe you'll be Joe on the next spam run.

Yes, a Joe job like this involves fraud. Well I have some news: shocking as it may seem, many spammers are quite willing to resort to this kind of fraud. More often than not the products they sell don't live up to the claims in their sales pitch either. It may be hard to accept, but spammers can and will resort to dishonesty as it suits them, and typically settle out of court without admitting any wrongdoing (e.g. Spitzer vs Richter) if they get prosecuted for it.

The argument against Challenge/Response has many more aspects than this, but I'll leave that to others if they want to take up the slack. If you use a C/R system like this and you're lucky, the challenges you send out will be undeliverable, wasting as little in the way of network and human resources as possible. If you're unlucky, you'll send your challenges to an ill-tempered curmudgeon (like myself), who must then decide whether to give you a spam-free day at his own expense.

What will you do when it's your turn to be Joe?

I have to say I am just as disappointed as Brett to see this article here at CircleID of all places.

I have not a lot to add to Brett's comment save to note that most of the attempts to debunk "myths" fall into the "with one bound he was free" category and do not actually say how they will work.

Example: "Spammers do not typically provide valid return email addresses. A properly implemented SAV system can detect this and withhold the request."

a) Please provide evidence that spammers do not typically provide valid return email addresses. I have a huge archive here full of spams with valid return addresses - it is just that those addresses do not belong to the true sender.

b) How exactly does a properly implemented SAV system detect this, and what is "this" anyway? If "this" is a forged address in a non-existent domain then (absent Sitefinder or near equivalent), this is trivially easy to spot. If "this" is a spoofed but valid return address then, until the entire world has fully implemented SPF, it can't be done.

The bottom line is that any machine generated response to email is potentially hazardous.

http://chris-linfoot.net/plinks/CWLT-62PG98

As per above comments by Chris Linfoot and The Famous Brett Watson: Sometimes articles are posted because they carry points that are determined to offer good bases for a worthwhile debate. They're definitely not advertorials (or a paid inclusions).

Thank you for your continued feedback and valuable participation.

Interesting article from Mr. Golan.  I recall having seen his posts before and think it's great that he's taken the time to contribute. This should always been encouraged as it keeps the forum vibrant.  There's a monicum of respect that's due in this forum which helps distinguish it from a simple newsgroup flame pit. 

You know, I think I get it concerning the SAV and what I read I like.  I use Mailblocks for my personal accounts and am aware of some of the strengths/weaknesses from first hand experience.  One weakness is the response from some people who object to the Challenge.  One strength is that is has been effective.  The curious fact is that I haven't had anyone balk at the Mailblocks challenge.  People that I corrospond with, I suppose, are as annoyed with spam as I am and are willing participants in the solution.  I'm grateful.  I see the SAV approach as being a natural evolution of this and can understand where if I was to use this the positives I'm enjoyed with the Mailblocks service can be maintained while removing the negatives in the presence of this device.

I dropped an email to Mr. Golan and was greeted by his SAV.  It was pleased that I was not lead to another mystery website (normally causing me alarm), that the response was from Mr. Golan (not an otherwise mysterious service).  In the end, I responded to the SAV without concern or alarm.  You know ..if it keeps this guy from getting spam so be it!  The inconvenience to me was zero and my intrigue was high.

Challenge/Response has been quite effective for me but I see the evolution to SAV as being well conceived.  I surely like the idea of an appliance and have had enough discussions with the network guys to know that they don't think too highly of running ANYTHING on the Exchange server or on our desktops (high mainteance)

Apologies to the pro filter folks. In my experience ..even the top rated products used at my work(BrightMail) simply fail ..and in circumstances where SAV would have met my needs.  Ah .. a future discussion with our network folks. 

Cheers to those who hold spammers in the same contempt as I.

The back handed pander towards SPF, while advocating a challenge response approach as the holy grail is flawed.

Let me elaborate from the perspective of a mail list administrator.

If an individual subscribes to a mailing list and verifies her subscription, why is there the added need for the administrator to go through a challenge response process to verify identity? This just adds an administrative headache, unduly punishing those who already follow good mailing practices, while consuming more bandwidth.

Besides, the notice one receives in a challenge response situation typically contains advertising promoting the service.

Sorry, but I don't see how this is good "etiquette." As a mailing list administrator, I did not ask to receive a commercial advertisement generated by Servio.

From the sender's perspective, it is much simpler to publish a sender policy framework record and allow receiving servers to make the required DNS query.

(Yes, I appreciate in doing so, it requires senders to get their DNS house in order. But there can be no denying this is not in the best interest of all.)

Turning to the filter issue, the author somehow suggests the use of sender policy framework for authentication purposes will not allow receivers to carry out further checks.

The sender policy framework presently before MARID allows the receiver to authenticate the sending domain at the transport stage before message content is received.

On the other hand, a challenge response system requires acceptance and storage of the entire message pending the sender going through the response process.

How does this better serve receivers?

Under the proposed framework, if the sending domain is authenticated, the receiver can if she wishes program her mail server to carry out further checks either before accepting delivery of the content, or after delivery of the content.

Prior to content delivery, these checks may involve verifying the sender's reputation.

After delivery, depending on the results, the receiver can decide to filter the message for content. This can either be done at the gateway level or at the end user's level.

One other point. As sender authentication evolves, it may also serve as a useful tool in the legal fight against spoofing and phishing.

How does the challenge/response approach help to serve this purpose?

At the same time, there are many unanswered questions surrounding sender authentication.

Fortunately, it does not hold itself out as the magic bullet. And I anticipate as the online community moves forward, wide scale testing of what ever framework is proposed by MARID will reveal flaws, requiring design changes and further work.

Want to put forward challenge/response as a solution, hey all power to you.

But ... let's not start saying any solution is the holy grail, or the best thing since sliced bread, when we all know better.

John Glube
Toronto, Canada

"The authentication train is about to leave the station, and IT administrators should be buying a ticket to ride."
Cameron Sturdevant
eWeek (8 March 2004)

My email address is forged by spammers 10 or 50 times a day.  So now I will be getting 10 or 50 requests from mail servers asking me to authenticate my email?  How do I separate that one legitimate email I send from the 10 or 50?

Sorry, again a flawed technique.

SPAMmers will just change tactics, and when they harvest e-mail addresses from compromised machines, they will make sure they capture that users e-mail address as well, so as to have a legitimate FROM address, that will allready be verified as acceptable by those e-mail addresses.

There is no silver bullet. Until SMTP is replaced with a protocol that verifies the full e-mail address of the sender at the sending end and double checked to at least to the domain name level at the receiving end (SPF, caller ID etc) the scourge of SPAM will continue.

ISP's also need to take more responsibility.
Some things that ISPs can do in the short term to reduce the ammount of SPAM.
1) Block outgoing port 25 except to their own mail server to force all users to send e-mail through their servers
2) Monitor outgoing e-mails for SPAM (contents/volume) and viruses, and when detected contact the user (either to disinfect their machine, or to tell them to stop spamming depending on what the situation is).
3) By default refuse to receive/send all executable attachments on e-mails unless users request that they be allowed to receive such.  This with 1) above would stop most of the common viruses from spreading and make it harder for SPAMmers to have a masive army of zombie machines.

Once responsible ISP have taken the above actions, pressure can be brough to bear on ISP's and countries that continue to allows SPAMming.

"The biggest thing we can do to reduce spam is sender authentication."
Brian Sullivan
Senior Director for mail operations, AOL
New York Times (23 June 2004)

Yes, but "Verification" is not the same as "Authentication".  I'm all for Authentication, but Verification will not work, and just cause more issues that it solves.

Tal, you reference the eWeek article of March 8, 2004.

This article references the announcement made earlier that Sendmail was prepared to work with Microsoft in testing Caller ID and Yahoo! in testing DomainKeys.

This article is speaking of Sender authentication.

A different animal than challenge response.

On the issue of sender authentication, the reader may also want to review Is The Writing On The Wall For Spam?

As to the NY Times article of June 23, 2004, this was generated as a result of the publication of the Anti Spam Technology Alliance (ASTA) policy paper earlier that week.

ASTA includes AOL, British Telecom, Comcast, Earthlink, Microsoft and Yahoo!.

The focus of the policy document? To deal with email abuse.

Part of the proposed policy includes implementing sender authentication based initially on SPF/Sender ID and ultimately on DomainKeys.

Of couse this was big news, since the FTC had just issued its report on the feasibility of national Do Not Email List a week prior stating the first step was to develop and implement a standard for sender authentication.

Quoting from the article:

"The Internet providers, however, cautioned that both of these technical approaches [referencing SPF/Sender ID and DomainKeys] are just part of the solution to the problem. Once Internet recipients can verify who is sending them mail, they can start to keep track of who sends legitimate mail and who sends spam.

"I don't think that users will see a reduction in spam right away," said Robert Sanders, chief architect at EarthLink. "Identity is just the first step."

People can access a copy of the ASTA policy document from here.

Colin, I agree with your concern about hackers simply getting in to compromised machines, up loading approved from email addresses and then spoofing these to deliver more spam.

Also, we need to understand the MARID Working Group has yet to finish its work.

All hands (Microsoft, Yahoo!, the people involved in SPF and the folks behind CSV, a proposal which has not received much ink) having agreed to submit their work to the IETF, it is important to take into account the outcome of this process.

My point. Yes, Sender authentication as suggested by the FTC and discussed by ASTA is a step in the right direction.

But we need to clearly understand, a lot of work remains. Sender authentication is simply one part of an overall process in chaging the way we send and receive email.

The effort includes consumer education, technology to help bring email abuse under control which will include authenticating the sender's domain and reputation, law enforcement to bring those involved with email absue before the Courts and international cooperation.

However, as I said before, don't let me stop Sendio from marketing Mail Blocks to users who wish to implement it.

However, in my view the approach has its draw backs.

Also, if we are going to talk about sender verification, which is different from sender authentication, it might be helpful to look at other end user products on the market involving sender verification.

These include Titan Key, Vanquish, along with Tmda (a product similar to MailBlocks).

What is difference between SAV and SPF (Sender Policy Framework, http://spf.pobox.com/)?

With SAV, email is accepted and a request for verification is sent back to the purported originator of that email. Given that most spam and virtually all viruses spoof the sender address this can mean that an innocent bystander is left looking at an unsolicited challenge message and wondering what it means.

With SPF, DNS contains a record of those mail servers that should legitimately be sending on behalf of a particular domain. The (SPF aware) recieving system can look up the mail servers permitted to send email on behalf of the domain used by the sender of an email. If a hard fail is encountered, the receiving system may refuse the mail during delivery (so no bounce to a spoofed third party), or accept it and silently delete it instead of delivering it.

Hope that helps.

so here we are a year later - what's happened since then? any advances that would tend towards or away from SAV or C/R?

any comments appreciated

Tony Toews said:

My email address is forged by spammers 10 or 50 times a day.  So now I will be getting 10 or 50 requests from mail servers asking me to authenticate my email?  How do I separate that one legitimate email I send from the 10 or 50?

How about this? My email address is forged by spammers, so that I get 900+ bounces a day! The bounces probably account for 1% of the number of actual emails that have my address forged in them.

So, with SAV being done on some portion of the rest, imagine how many "probes" end up on my mail server!!!

Spammers are forging real addresses to circumvent SAV. Any article that speaks of some "holy grail" for the spam battle is just talking about the latest weapon in a war that will not end any time soon.

I guarantee you this has an effect on people's mail servers. Check out these links to show proof of the the reality and extent of real-address forging problems:

http://profs.logti.etsmtl.ca/cfuhrman/backscatter/
http://taint.org/2007/03/16/134743a.html

hi Tony

I suggest that you download Carrotmail. this is a reliable spam protector and it guarantees 100% protection.

This is a geat system and i can tell u, u will be very pleased and these problems will stop.

hi tony

sorry, if u are interested in subscribing to this go on carrot.org. if u do have any questions just contact me and ill try and help as much as i can.

thanks alexandra