[ale] OT: the Penny Black anti-spam proposal

Bob Toxen bob at verysecurelinux.com
Sun Dec 28 17:35:05 EST 2003


On Fri, Dec 26, 2003 at 06:40:53AM -0500, Jim Philips wrote:
> Microsoft is proposing a technical approach to slow down spam. There would be 
> a processing hit on the sender side that could hinder spammers. But for the 
> approach to work, it would have to be an open standard (otherwise Linux users 
> could spam at will). See more at:

> http://news.bbc.co.uk/2/hi/technology/3324883.stm

To summarize, it proposes adding a layer to the SMTP protocol requiring
that the sending computer perform an algorithm that takes roughly 10 seconds
to complete.  The idea is that this will limit an evil spammer to 8000
spams per day.  Once validated, further email from the sender will be
accepted without the 10 second penalty.

> I'm curious to know what others think of this approach...based on its merits, 
> not its source.

Unfortunately, M$ does not understand the problem nor good solutions.  First,
it does not solve the problem as I have received upwards of 100 spams from
a single sender.  Second, the spammers will start sharing "validated sending
addresses", completely destroying the use of the system.  Third, it creates
an incompatibility with the existing world and allows M$ to affect the
cycle time depending on whether the sender is on a Windows system -- just
watch.  Fourth, it penalizes legitimate users.

Realistic solutions (much discussed):
1. Lobby your U.S. Congressman and Senator to pass antispam legislation
   with teeth.  Unfortunately, the Direct Marketing Association has
   succeeded in killing any decent legislation so far.

2. White lists such as what Earthlink/Mindspring recently implemented
   probably are the ultimate answer.  The first time someone sends to
   you, your mail server intercepts the email and sends them back
   either a URL of a graphic image with a word in it or in some cases
   a simple text email.  They have to key the word in a reply email
   or to the web form to release the mail.

   Why is this better than the Microsoft solution?  Because it takes
   30 seconds of a human's time.  Thus, it can't be pawned off on a
   third party's compromised or open relay system.

   The disadvantage is for businesses that want to attract new clients
   who may not bother with it.  Of course, the recipient decides whether
   or not to use this, unlike the Microsoft approach where they control it
   and force everyone to use new software and then surprise them with a
   software patent.

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
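
Added example, not part of the original post and not any provider's actual code: a Python sketch of the challenge-response whitelist described in item 2 above (hold mail from a first-time sender, send back a word, release on a correct reply). The class and method names, the sample word list and the three-try limit are assumptions made for illustration.

```python
import hmac
import secrets

WORDS = ["harbor", "lantern", "granite", "meadow", "copper", "willow"]  # constructed sample words
MAX_TRIES = 3  # assumption: wrong replies allowed before the held mail is dropped


class ChallengeGate:
    """Per-recipient whitelist with a challenge for first-time senders.

    'sender' is the claimed address; nothing here authenticates it.
    """

    def __init__(self):
        self.whitelist = set()  # (recipient, sender) pairs that passed a challenge
        self.pending = {}       # (recipient, sender) -> {"word", "tries", "held"}

    def receive(self, sender, recipient, message):
        """Return ("delivered", None), ("held", word) when a new challenge must
        be sent, or ("held", None) when a challenge is already outstanding."""
        key = (recipient, sender.lower())
        if key in self.whitelist:
            return ("delivered", None)
        entry = self.pending.get(key)
        if entry is not None:
            # One outstanding challenge per sender: queue the mail, send nothing new.
            entry["held"].append(message)
            return ("held", None)
        word = secrets.choice(WORDS)
        self.pending[key] = {"word": word, "tries": 0, "held": [message]}
        return ("held", word)

    def answer(self, sender, recipient, word):
        """Check the keyed-in word; return the list of released messages."""
        key = (recipient, sender.lower())
        entry = self.pending.get(key)
        if entry is None:
            return []
        reply = word.strip().lower().encode()
        if hmac.compare_digest(reply, entry["word"].encode()):
            self.whitelist.add(key)  # later mail from this sender skips the challenge
            return self.pending.pop(key)["held"]
        entry["tries"] += 1
        if entry["tries"] >= MAX_TRIES:
            del self.pending[key]    # give up: held mail is discarded
        return []
```

The whitelist is kept per recipient, so passing one recipient's challenge does not release mail addressed to anyone else.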


