Friday 10 August 2007

IT Blogwatch roundup

As you may know, every day I write the IT Blogwatch column for Computerworld. The idea is to take an IT/tech news story from the past couple of days, and tell the world what bloggers are saying about it.

The column recently won an American Society of Business Press Editors award. Hurrah.

For your delectation, here's a quick roundup of last week's efforts...

Fri 10th: Untangle untangles AV testing mysteries (and ant joke)
Fancy seeing you here. It's Friday's IT Blogwatch: in which we find an interesting test of anti-virus engines at LinuxWorld. And did you hear the one about the ladybug and the ant?..

Thu 9th: Go green: climate change changing data centers (and !bug)
It's an inconvenient Thursday's IT Blogwatch: in which we examine power-saving data centers. Not to mention the classic QA joke, reinterpreted as visual pun...

Wed 8th: New iMacs, iWork, iLife, iEtc. (and pukelight)
Boom! It's Wednesday's IT Blogwatch: in which Steve Jobs unveils a load of new Mac stuff. Not to mention the LED flashlight that makes its victims vomit...

Tues 7th: Linux StinkPads ahoy! (and compendium vol 10)
Strike a light, Mary Poppins, it's only Tuesday's IT Blogwatch: in which ThinkPads are to officially run Linux. Not to mention something for everyone in today's "And Finally"...

Mon 6th: Dateline Las Vegas: hackers whack a mole hack (and outed-FSJ)
Monday's IT Blogwatch: in which an undercover NBC reporter gets busted at DEFCON 15. Not to mention Fake Steve Jobs revealed...

Monday 6 August 2007

C/R and "Spam Index" Conversation Roundup

I wanted to pull together some of the conversations that have been flying around recently about challenge/response spam filtering and this "spam index" idea. As is often the case, quite a bit of the value is in the conversation, in addition to the original posts, hence this roundup...

As the holder of a domain name frequently forged into the From: or Reply-To: fields of spam, I can testify for certain that it doesn't work. In fact, whenever I receive a challenge to one of those forged addresses, I make sure to reply to it to make sure the spam gets through. Petty, perhaps, but I'm not being paid to filter C/R users' spam, so I'll pass it through.

Dean Harding:
I'll admit I was a bit suspicious that if challenge/response was such a panacea why were there not more people using it? My point was not that people should start using challenge/response, though, it was more to just point out that many people are still not happy with their spam filtering.

Len Dressler:
[Richi,] you're really kind of a dork ... It appears you have some sort of agenda of your own, fairly skewed towards blacklist and the like, which from an IT managers perspective, is a joke.

Len, you're entitled to your opinion, and I will defend your right to express it to the best of my ability. Fact is, state of the art spam filters catch 95-99% of spam, with a vanishingly-small false positive rate. Such spam filters use a combination of techniques ... I see no evidence that a single approach—such as IP blacklisting—is viable.

I was interested in learning of Peter's methodology ... I attempted to register on his web site in order to download a copy of his report. I'm still waiting for a response; who knows, maybe his acceptance e-mail was justifiably intercepted by my spam filter.

If it's my inbox, it is a communication tool for me, and I own the right to ask people to verify they are who they say they are.

Don Marti:
I see lots of “I just started using C-R, it’s great” posts, but no “I’ve been using C-R for years and it’s great” posts. C-R is something that you try and give up on. Or, in my case, watch other people try and give up on.

Effective spam control is possible. It doesn't require cumbersome and work-flow disruptive band-aid solutions like C/R ... What's needed and has been proven to be most effective is a human feedback component. Several of the best anti-spam products available today include this as part of their toolset.

This is not to say that you need a solution where YOU have to be the human in the loop. The best vendors in the space do that for you and push new rules out to their customers every 10 mins or so.

Devil's Advocate:
Asking various people "how happy" they are with their present anti-spam product has absolutely no bearing on the effectiveness of those products ... if you ask if a C/R user sees less spam, you're going to get a "yes". But, what if you ask all the innocent 3rd parties that receive the challenges (which the C/R user doesn't see)? ... All C/R succeeds in doing is displacing the original spam volume in favour of its own variety of spam ... [and] shows a blatant disrespect for the health of the Internet.

Nonsense - I am no expert, just a user, but every fact you make is wrong.

In my spamtrap archive, I have several samples of inappropriate challenges from every C/R system known to me. Just in the past month, I've got challenge-spam from: [long list deleted]
Still don't believe that C/R systems send spam to innocent 3rd parties?

Peter Brockmann:
Your last post proves precisely the point. Users don't care and shouldn't have to care about what falls into YOUR inbox, only what falls into THEIRS.

So users don't care that they're sending spam, as long as they don't get any?
Increasingly, the main issue with C/R isn't that it annoys innocent 3rd parties -- it's that the backscatter hits spamtraps, causing legitimate challenges to go undelivered. Hence, the false positive rate of C/R is actually surprisingly high.

Ask a C/R user about this though, and they'll often be blissfully unaware. It's hard to know when one is missing a legitimate unsolicited message from someone you don't know.

David Merrill:
For recipients, challenge-response and sender verification methods are good, but their use can get your domain blacklisted. Why? Because each incoming message, spam or not, generates an outgoing message, and spammers can (and do) use those in denial-of-service attacks.
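To make the backscatter and spamtrap points above concrete, here's a small simulation I've added for this roundup (it's my own toy model, not code from any of the commenters or from any real C/R product). It models a C/R filter that challenges every sender not on its whitelist, feeds it a handful of constructed messages, most of them spam with forged From: addresses, and counts where the challenges actually land. The spamtrap address, the rule that a host which mails a spamtrap gets listed, and the sample traffic are all assumptions made for the demo.

```python
"""Toy model of challenge/response (C/R) backscatter.

Constructed example, not code from the original post or any real C/R
product. Assumptions: one spamtrap address, and a toy blocklist that
lists any host which sends mail to that spamtrap.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumed spamtrap address (constructed for the demo).
SPAMTRAPS = {"trap@spamtrap.example"}


@dataclass
class Message:
    envelope_from: str  # claimed sender; spammers forge this freely
    is_spam: bool       # ground truth for the demo; the filter never sees it


@dataclass
class World:
    """Everything outside the C/R user's inbox: third parties, spamtraps, a blocklist."""
    listed_hosts: set = field(default_factory=set)
    third_party_inboxes: Counter = field(default_factory=Counter)

    def deliver_challenge(self, from_host: str, to_addr: str) -> str:
        if from_host in self.listed_hosts:
            return "rejected"  # challenge bounced; the recipient never sees it
        if to_addr in SPAMTRAPS:
            self.listed_hosts.add(from_host)  # trap hit: challenging host gets listed
            return "trapped"
        self.third_party_inboxes[to_addr] += 1  # challenge lands on an innocent address
        return "backscatter"


@dataclass
class CRFilter:
    host: str
    whitelist: set
    world: World
    delivered: list = field(default_factory=list)
    outcomes: Counter = field(default_factory=Counter)
    lost_ham: list = field(default_factory=list)

    def receive(self, msg: Message) -> str:
        if msg.envelope_from in self.whitelist:
            self.delivered.append(msg)
            return "delivered"
        # Unknown sender: hold the mail and challenge whatever address claims to have sent it.
        result = self.world.deliver_challenge(self.host, msg.envelope_from)
        self.outcomes[result] += 1
        if result == "rejected" and not msg.is_spam:
            self.lost_ham.append(msg)  # legitimate mail silently lost: the classic C/R false positive
        return result


def run_demo() -> dict:
    """Run constructed traffic through the filter and summarise who paid for it."""
    world = World()
    cr = CRFilter(host="cr-user.example", whitelist={"friend@known.example"}, world=world)
    traffic = [  # constructed sample, in arrival order
        Message("friend@known.example", is_spam=False),      # whitelisted correspondent
        Message("alice@innocent.example", is_spam=True),     # spam, forged From:
        Message("alice@innocent.example", is_spam=True),     # spam, forged From:
        Message("bob@innocent.example", is_spam=True),       # spam, forged From:
        Message("trap@spamtrap.example", is_spam=True),      # spam forged from a spamtrap address
        Message("newcontact@stranger.example", is_spam=False),  # a real stranger, arriving after the listing
    ]
    for m in traffic:
        cr.receive(m)
    return {
        "spam_seen_by_user": sum(m.is_spam for m in cr.delivered),
        "challenges_to_third_parties": sum(world.third_party_inboxes.values()),
        "spamtrap_hits": cr.outcomes["trapped"],
        "host_listed": cr.host in world.listed_hosts,
        "legit_mail_lost": len(cr.lost_ham),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Asked "do you see less spam?", the simulated C/R user answers "none at all", which is exactly the survey result Devil's Advocate objects to. Everyone else's view is different: three challenges land on addresses that never sent anything, one hits the spamtrap, the C/R host gets listed, and the one genuine stranger's challenge is rejected, so their mail is lost without either side knowing. Real spamtraps and blocklists behave with more nuance than this toy, but the shape of the failure is the one the thread describes.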

Justin Mason:
Focussing the debate on the “user’s inbox” ignores the overall picture, including everyone else’s mailbox, which is where C/R fails.

But my favourite comment has to be from Al Iverson, on the membership-only list, SPAM-L (Al kindly gave me his permission to be quoted here):
C/R is trapped in this eternal September of newbie solution developers who think they're the bee's knees because they figured out how to implement a "new" version of C/R (which is usually exactly the same as every other one). Then they act like a kicked puppy when we don't jump for joy over how awesome it is to see...yet another implementation of C/R.

Eternal September of newbie solution developers? Priceless!

Last week's IT Blogwatch roundup

As you may know, every day I write the IT Blogwatch column for Computerworld. The idea is to take an IT/tech news story from the past couple of days, and tell the world what bloggers are saying about it.

The column has just won an American Society of Business Press Editors award. Hurrah.

For your delectation, here's a quick roundup of last week's efforts...

Who wants a free Google phone? (and comic() {comic();})

Can you hear me now? It's Friday's IT Blogwatch: in which the oft-rumored Google phone gets closer, perhaps. Not to mention a recursive comic-strip...

Something wireless in the AAir (and LOLpresidents)

I'm your humble blogwatcher, fly me. It's Thursday's IT Blogwatch: in which American Airlines and others test in-flight Wi-Fi. Not to mention some hilarious politician macros...

Microsoft's OSI open-source offer (and Nasha... hic!)

Rabbits, white rabbits on Wednesday's IT Blogwatch: in which Microsoft "embraces" open source licensing. Not to mention how NASA discovered those naughty drunken astronauts...

Grub-by open source searching (and weirdest mating ritual)

It's Ruby Tuesday's IT Blogwatch: in which Wikia buys Grub, in Jimmy Wales' bid to take over the world's knowledge. Not to mention the courtship dance of the waved albatross...

And so the iPhone class-action action begins (and recut trailers)

Yes, iT's Monday's iT Blogwatch: iN which we learn of an iPhone class-action lawsuit. Not to mention some more recut classic movie trailers...