Sunday, 2 October 2005

Another anti-spam tool to avoid

Some company called hendrickson software components is touting a new spam filter called Em@ilCRX.

Guess what? It...

...uses an automated challenge response system, and reverse DNS validation to stop spam from making it into your email inbox.

Oh brother. All together now, say it with me:
  1. Challenge/response causes spam
  2. If you use it, you're a spammer
  3. If everyone used it, email wouldn't work!
This topic was previously covered here and here.


16 comments:

Michael said...

I'm not sure I buy your arguments. In general, I agree with previous comments by Dave Bennett on one of your previous entries about C/R.

I DO think the cost of email, in some form, should be on the sender. I think that's the only real way we're going to truly reduce if not eliminate spam.

Secondly, in my experience, most forged addresses go nowhere, not to a legitimate email address.

And thirdly, while only anecdotal, C/R has been working fine for me and I have gotten no complaints (that I know of).

In any case, your blog entry has been the first time I've read of someone who is anti-C/R, and you do make some interesting points. Definitely points I plan to ponder and keep in mind as these spam wars continue.

Richi Jennings said...

Michael, if you think that the forged email addresses don't equate to real mailboxes, you should read my previous post about receiving hundreds of non-delivery notifications when my email address was used as the forged sender.

Jeff Hendrickson said...

You may not have looked enough into the premise behind Em@ilCRX.

Em@ilCRX does an exhaustive DNS based evaluation of every email. If the email is obvious spam, it will mark it as such, and it will not be delivered to the user, and will be available for export to Sp@mX for reporting. No challenges would be sent for messages of this type.

Em@ilCRX will let messages with squeaky clean SMTP headers through.

Em@ilCRX will let messages from members of the user's friends list through.

Em@ilCRX will send a challenge to an email that does not meet any of the above conditions, where the envelope information from the message does not match any of the Mail Exchanges in the received lines. This can happen when a user is using a third party delivery agent, or a program like SquirrelMail. It can also happen if the item is spam.

It has been my experience that over 95% of the messages that are challenged, bounce because the email is spam, and the envelope information is bogus.

I own a software company that does business online, and I can't afford to change my email address every month, or risk missing a customer contact because of a rating error from a content based filter.

Em@ilCRX has been working wonderfully for me, and I don't believe that it has anything to do with contributing to the spam problem as you describe...

Richi Jennings said...

Jeff, I'm not here to cast aspersions on your software engineering skills. It sounds like you have a way to improve the situation vis-a-vis backscatter. This is good.

However, the underlying problem still remains: If everyone used C/R, email wouldn't work!

Not only that, as more and more anti-spam filters are quarantining challenges, your false positive rate must be skyrocketing.

Compared to some in the anti-spam community, my response to C/R is pretty measured. Others might tell you that people using C/R are "clueless," "anti-social," "morons," "abusers," and essentially telling everyone else to FOAD.

jeff hendrickson said...

If you were describing C/R as challenging everyone that is not a friend, I would agree with you, that this approach has problems for many of the observations that you make.

I disagree with you when it comes to a discreet C/R system like Em@ilCRX.

It will only send a challenge to an email that has a possibility of being legit. It also makes use of the harmless bounce, response, or lack thereof to mark an email as spam, or release it to the user adding the email address of the sender to the user's friends list.

As I mentioned before, this has been very effective for me in testing. It's wonderful. It's like having an email butler look at my email, and only deliver the messages that I want to see....

Richi Jennings said...

I'm sure C/R is "very effective [and] wonderful" for you, but it's not so great for the poor people who are suffering backscatter because of it.

Fortunately, C/R is starting to become useless as more and more email providers block challenges, either by policy or by the community effect of users clicking "this is spam".

I've nothing against whitelisting (especially when combined with sender authorization such as DKIM), but don't make me build your whitelist for you.

jeff hendrickson said...

Richi, there are no 'poor people who are suffering backscatter'. Not a one. Reiterating, first Em@ilCRX does an exhaustive evaluation of an email before it will decide to challenge it. Only a fraction of the email is actually challenged.

Next, spammers forge email addresses. The email addresses in the envelope of a spam email are no good. They bounce harmlessly off the email server of the forged address (if one even exists for the forged domain).

Over 95% of the small number of challenges that are sent from my installation of Em@ilCRX bounce, and the email that was challenged is marked as spam, and the bounce discarded. The spammer is traced, and reported using Sp@mX, and a log of the spammer's activity is made on my Common Workspace Server. It's a good thing happening.

I have never, ever had an Em@ilCRX challenge go to a legitimate address, and had someone on the other end send me back an email saying, "what the...".

So, to recap, let me tell you that I enjoy your blog, you've brought up some valid points about indiscreet challenge response systems, I agree with them, and I'm telling you that your observations do not apply in the case of Em@ilCRX.

If you are really interested in finding out how all of this works, I'd be happy to send you a registration for Em@ilCRX, and Sp@mX and let you take them for a whirl. Just shoot me an email to jeff at hendricom dot com.

Richi Jennings said...

So, to summarize, this tool sends challenges to the envelope sender and/or From: header and/or Reply-To: header of spam, and tries not to challenge legitimate mail.

The main problem still stands: these challenges go to forged addresses, many of which actually exist. Spammers often use the addresses of real people because some anti-spam tools check to see if the purported sender actually exists.

Even if, as Jeff implies, 5% of the spam challenges go to innocent 3rd parties, that's a heck of a lot of extra spam being generated.

Say everyone used this tool -- that's about FOUR BILLION extra spam messages per day. (Based on Ferris Research's estimate of 75bn spam messages per day.)

Net-net: this stuff doesn't reduce spam, doesn't scale, doesn't work.

srqcomment said...

"...there are no 'poor people who are suffering backscatter'. Not a one." is simply false to fact. My server was almost knocked offline due to such backscatter when a spammer forged two of my domains in a massive spam run. I received thousands of moronic C/R and Barracuda backscatter. Sorry, but your selfish attitude and refusal to open your eyes will simply cause another batch of amateur admins to find their IPs listed by Spamcop, SORBS and other DNSBLs. Such C/R messages are sent in reply to spam and are bulk. They are certainly unsolicited by the person forged by the spammer. Unsolicited bulk email IS spam.

Anonymous said...

The real irony is that Jeff Hendrickson has made almost all of the same mistakes in Sp@mX that Julian Haight made with early versions of SpamCop, in that the reports it sends are shotgunned, mistargeted, or both, and when major provider abuse desks have tried to point these flaws out to him, he's deleted their posts off of the web board on his site. He seems to share the same zeal and arrogance that characterizes a lot of the antispam community, without any of the willingness to work together to actually solve problems that most intelligent antispammers eventually pick up.

Just recently, I heard from one abuse desk that they were shocked to finally see one correctly-targeted Sp@mX report.

--
Huey

Anonymous said...

>Richi, there are no 'poor people who are suffering backscatter'. Not a one.

The only answer to this is: "yet".

Once you've handled a few billion messages (one day's load for some ISPs) then you can make this claim; until then it's fatuous.

Your tool is designed to send email to addresses contained in what it believes may be spam. Therefore it is designed to send spam to forged addresses. Eventually some of those will actually exist (especially since you filter out the obviously false ones).

In short your system is just the same as standard C/R but to a slightly lesser degree. Well done, you've polished a turd/put lipstick on a pig, however you want to describe it.

DearWebby said...

The only reasonable way to deal with the half-baked C/R nuisance is to filter it into the trash. Eventually the misguided sheep that use it, will clue in.
DearWebby
http://webby.com/humor/blog

jeff hendrickson said...

Excellent discussion.

A few comments of my own...

- I think the premise of Em@ilCRX's c/r system is still being missed. It does NOT send a challenge to every email. It ONLY sends a challenge to messages that it believes are valid based on a rDNS trace of the information in the SMTP header. Use of this c/r system is also optional.

- Interesting comment about Sp@mX. This product was designed to be used with one email address. Many users "creatively" used this to report all of their spam. This did cause problems, but they were problems that needed an administrative solution, which I have been working hard to implement, educating users on the proper use of the product. If you examine the results from even users that are misusing the product, they are VERY impressive. The average user sees their spam level drop by nearly 90%. Say whatever you want about Sp@mX, but those statistics are hard to argue with....

- In the process of developing this product (or any product) there are lessons learned. I've learned a lot, and I've rolled that knowledge into a code base that I've called the Sidewinder Rating Engine. It uses a combination of rating factors (all based on facts, no lexical analysis) to determine if an email is legitimate. It is over 95% accurate, and is suitable for use in business (I use it in my business).

- Lastly, I'd like to make the observation that the comments here are all complaining "oh, this doesn't work, this sucks, work with us, blah blah." No offer of what does work, no offer of alternatives, nothing constructive. If you have an alternative, speak up, or shut up! Users need something to protect them from an email system that is broken, and I intend to deliver software to them to fill that need using the best approach that I can think of today, using technology and infrastructure that is available today, that will help my users today...

I enjoy reading this commentary, and hopefully something useful will come of it...

TempterOfFate said...

It sounds to me as though Em@ilCRX is an updated and advanced version of FairUCE. If I understand correctly, it only sends a challenge if the following conditions have been met:

1) The e-mail address is likely a valid e-mail address because the e-mail address and the DNS information match and

2) The e-mail address is not on the user's whitelist or address book.

If the spam doesn't meet these two criteria it simply is deleted never to be seen or heard from again and unable to ever harass an innocent user again.

Sounds like a fairly sound system to me. I will agree that it may result in limited cases where an innocent individual may receive a challenge, but the number should be very limited as most forged e-mail addresses do not match the DNS information.

What I would like to see is a tool that can track a spam message to its source 100% accurately so that I can catch the spammer at the source. If I could identify the source of the spam in my inbox and had legal recourse to sue the spammer for harassment, I would agree that c/r systems should be dropped entirely. Until that day, however, I see c/r systems as the equivalent of a "No Soliciting" sign at my front door.

Richi Jennings said...

Unfortunately, this idea that SPF or SIDF or DKIM can tell you whether a message is forged is, frankly, naive.

See my latest blog post for more.

jeff hendrickson said...

I have to disagree with you here Richi.

Over 95% of the spam that I receive is filtered by Em@ilCRX because it contains obvious forgeries.

My SMTP server, like others, records the IP address and HELO hostname of the computer that connected to it to deliver an email.

If you do a simple DNS check to make sure that the IP address matches with the HELO hostname this is a good indicator of whether or not the email comes from a legitimate source.

Em@ilCRX provides a total of five checks that are similar in nature to the one that I just described.

If an email passes all five checks, then there is a very good chance (over 95% in my case) that the email is legitimate.

If you combine this with the other filtering technologies available with Em@ilCRX, you can actually achieve email nirvana.

I love your blog.....
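The two technical claims in this thread are Jeff's tiered policy (obvious forgery is dropped, clean headers and friends-list senders are delivered, everything else is challenged) and his HELO-versus-IP DNS check. The Python below is an added example written for this page; it is not Em@ilCRX code and does not reproduce its five checks. It parses the topmost Received: header, performs a forward-confirmed HELO/IP check against a constructed in-memory stand-in for DNS (the hostnames, addresses and MX data are invented placeholders in documentation ranges; a real deployment would query a resolver), and returns a verdict for each tier. The tier where a C/R tool would send a challenge is returned as "quarantine": holding the message locally is the decision that produces no backscatter, which is the point Richi's side of the thread is making.

```python
import re

# Constructed stand-in for DNS (placeholders, not real hosts): forward A
# records, reverse PTR records, and MX records per sender domain.
FAKE_A = {
    "mail.example.net": {"192.0.2.10"},
    "smtp.example.org": {"198.51.100.5"},
    "relay.example.org": {"198.51.100.9"},
}
FAKE_PTR = {
    "192.0.2.10": "mail.example.net",
    "198.51.100.5": "smtp.example.org",
    "198.51.100.9": "relay.example.org",
}
FAKE_MX = {"example.net": {"mail.example.net"}, "example.org": {"smtp.example.org"}}

# Matches "from <helo> (<rdns> [<ip>])" and "from <helo> ([<ip>])", the two
# common shapes an MTA writes into the Received: line it adds itself.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[^\]]+)\]\)", re.I)


def parse_received(header):
    """Return (helo, ip) from one Received: header, or None if unparseable.
    Only the topmost Received: line is trustworthy: our own MTA wrote it;
    lower ones are supplied by the sender and may be fabricated."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    # strip brackets so an address-literal HELO like [203.0.113.7] is a bare name
    return m.group("helo").lower().strip("[]"), m.group("ip")


def helo_check(helo, ip, a=FAKE_A, ptr=FAKE_PTR):
    """Classify the HELO name against the connecting IP:
    'forged'   - the HELO name has no forward (A) record at all
    'mismatch' - the name exists but does not resolve to this IP, or the
                 IP's PTR does not resolve back to the IP (not forward-confirmed)
    'ok'       - forward and reverse agree"""
    fwd = a.get(helo)
    if not fwd:
        return "forged"
    if ip not in fwd:
        return "mismatch"
    rname = ptr.get(ip)
    if rname is None or ip not in a.get(rname, set()):
        return "mismatch"
    return "ok"


def classify(received, envelope_sender, friends,
             a=FAKE_A, ptr=FAKE_PTR, mx=FAKE_MX):
    """Tiered verdict: whitelist, then obvious forgery, then clean headers,
    then the residual 'uncertain' tier that a C/R tool would challenge."""
    sender = envelope_sender.lower()
    if sender in friends:
        return "deliver"                      # friends list short-circuits
    parsed = parse_received(received)
    if parsed is None:
        return "quarantine"                   # cannot evaluate; hold, never reply
    helo, ip = parsed
    verdict = helo_check(helo, ip, a, ptr)
    domain = sender.rsplit("@", 1)[-1]
    if verdict == "forged" or domain not in mx:
        # bogus HELO or a sender domain with no MX: drop silently. Replying
        # here is exactly how backscatter reaches a forged third party.
        return "reject"
    if verdict == "ok":
        return "deliver"                      # "squeaky clean" headers
    # Name exists but does not match the IP (third-party relay, or a forgery
    # that picked a real hostname). This is the challenge tier; hold it.
    return "quarantine"


if __name__ == "__main__":
    # Constructed sample headers for a quick demonstration run.
    samples = [
        ("Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.local",
         "alice@example.net"),
        ("Received: from pc-12345.nowhere.invalid (unknown [203.0.113.7]) by mx.local",
         "bob@example.org"),
        ("Received: from smtp.example.org (relay.example.org [198.51.100.9]) by mx.local",
         "carol@example.org"),
    ]
    for hdr, sender in samples:
        print(sender, "->", classify(hdr, sender, set()))
```

The "mismatch" tier is where the thread's disagreement lives: a legitimate message sent through a third-party relay lands there alongside a forgery that borrowed a real hostname, and DNS alone cannot separate the two. Whatever is done with that tier, doing it locally (quarantine, scoring, manual review) keeps the cost on the recipient who chose the filter rather than on whoever's address was forged.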
