Thread: Re: Misguided SPAM Filtering techniques

Re: Misguided SPAM Filtering techniques
United States
2007-10-21 09:37:54
> If something comes that is not whitelisted then email is sent back asking you to confirm that it is not spam.  I received one of these confirmation requests for a piece of spam that I did not send out.

Whenever I get one of those, I go ahead and confirm the message so the spam gets through to the end user. I figure if they think I'm gonna filter their mail for free, well, they get what they pay for.  :^)
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media http://www.alfordmedia.com





Re: Misguided SPAM Filtering techniques
Canada
2007-10-21 17:40:05
On Sun, 21 Oct 2007 09:37:54 -0500
Dave Pooser <dave.nanogalfordmedia.com> wrote:
> > If something comes that is not whitelisted then email is sent back asking you to confirm that it is not spam.  I received one of these confirmation requests for a piece of spam that I did not send out.
> 
> Whenever I get one of those, I go ahead and confirm the message so the spam gets through to the end user. I figure if they think I'm gonna filter their mail for free, well, they get what they pay for.  :^)

Heh.  Never even thought of that.  That sounds like enough fun that I may even turn off the blocker.

-- 
D'Arcy J.M. Cain <darcydruid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.

Re: Misguided SPAM Filtering techniques
United States
2007-10-22 10:41:29
Dave Pooser wrote:

> Whenever I get one of those, I go ahead and confirm the message so the spam gets through to the end user. I figure if they think I'm gonna filter their mail for free, well, they get what they pay for.  :^)

And that is probably just fine, as 99% of the true spam comes from email addresses (and often domains) that either do not exist, or often are not configured to receive email.  The result is that 99% of the spam filtered by spamarrest (or other challenge-response techniques) is never actually seen by any human.  If you didn't send the email, why bother confirming it?  Aren't you also adding back to the problem?

Even if you confirm your email address, that's all that spamarrest is asking for.  If the email address is valid, then it's done its job.  If the email address is not valid, then the spam gets stopped.

I use a challenge-response system in conjunction with other techniques, and have reduced the amount of spam I have to deal with by a couple orders of magnitude.

I also advise the list membership here that if they DON'T want to get the challenge from my agent, they should send responses through the list.

As far as the original poster...  When I was working for a particular MSO the topic came up for filtering port 25.  It took me about a minute to convince them that it was a bad idea, as a lot of people with broadband are the work-from-home type, and not all of them VPN into their work, but instead use their corporate SMTP/POP/IMAP server to do their business.  Since handling these valid servers on a ticket basis would prove to be too much work, the plan was scrapped.

  -Sean

(Please respond only to the list.)

Re: Misguided SPAM Filtering techniques
United States
2007-10-22 11:28:50
On Oct 22, 2007, at 11:41 AM, Sean Figgins wrote:
> Dave Pooser wrote:
>
>> Whenever I get one of those, I go ahead and confirm the message so the spam gets through to the end user. I figure if they think I'm gonna filter their mail for free, well, they get what they pay for.  :^)
>
> And that is probably just fine, as 99% of the true spam comes from email addresses (and often domains) that either do not exist, or often are not configured to receive email.  The result is that 99% of the spam filtered by spamarrest (or other challenge-response techniques) is never actually seen by any human.  If you didn't send the email, why bother confirming it?  Aren't you also adding back to the problem?

Where did you get that 99% #?


> Even if you confirm your email address, that's all that spamarrest is asking for.  If the email address is valid, then it's done its job.  If the email address is not valid, then the spam gets stopped.

That is neither the statement that most CR systems make in their challenge, nor what most people who use the system think it means.


> I use a challenge-response system in conjunction with other techniques, and have reduced the amount of spam I have to deal with by a couple orders of magnitude.

I'm sure you have.  I'm also certain you have put a burden on other people, which is the reason we all hate spam.


> I also advise the list membership here that if they DON'T want to get the challenge from my agent, they should send responses through the list.

That would be me.


> As far as the original poster...  When I was working for a particular MSO the topic came up for filtering port 25.  It took me about a minute to convince them that it was a bad idea, as a lot of people with broadband are the work-from-home type, and not all of them VPN into their work, but instead use their corporate SMTP/POP/IMAP server to do their business.  Since handling these valid servers on a ticket basis would prove to be too much work, the plan was scrapped.

I'm not at all certain I agree with your reasoning.  If someone wants to send e-mail from home, they can use 587, or your server, or VPN, or .....

I am assuming you also do not list your IP addresses in the PBL?  So the "99%" of your users who do _not_ need to work from home, but are infected, are allowed to spew spam at me?

-- 
TTFN,
patrick



Re: Misguided SPAM Filtering techniques
2007-10-22 11:30:27
On 10/22/07, Sean Figgins <seanlabrats.us> wrote:
>
> Dave Pooser wrote:
>
> > Whenever I get one of those, I go ahead and confirm the message so the spam gets through to the end user. I figure if they think I'm gonna filter their mail for free, well, they get what they pay for.  :^)
>
> And that is probably just fine, as 99% of the true spam comes from email addresses (and often domains) that either do not exist, or often are not configured to receive email.

Cite?

I log only valid domains used as the PRA or MFROM in the spam I receive, about 10k/day. Counting valid domains only, each domain is only seen on about three different spams, when averaged out. That's a hell of a lot of domains that actually exist, and I think a more accurate assumption is that a significant nonzero amount of that backscatter does actually reach a recipient mailbox on the other end.

Regards,
Al Iverson


-- 
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com
  --   Chicago, IL, USA
Remove "lists" from my email address to reach me faster and directly.
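The measurement Al describes above (log the PRA and MAIL FROM domains of received spam, keep only the domains that actually exist, and count how many spams each one is seen on) is easy to reproduce, and it is the way to check the "99% of spam comes from non-existent domains" claim against your own traffic rather than guess at it. The script below is an added example and is not code from the thread or from any poster; the PRA is taken in RFC 4407 order (Resent-Sender, Resent-From, Sender, From), and the sample messages and the `FAKE_DNS` table are constructed stand-ins (reserved `.example` and `.invalid` names) for a real MX/A lookup.

```python
"""Count how many sender domains in a spam sample actually exist.

Added example, not code from the thread. It does the measurement Al Iverson
describes: for each spam, take the MAIL FROM domain and the PRA domain
(RFC 4407: first of Resent-Sender, Resent-From, Sender, From), keep only
domains that can receive mail, and count how many spams each real domain is
seen on. The messages and the DNS answers below are constructed for the
example; in production, `lookup` is a real MX/A query (e.g. dnspython).
"""
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: domain -> True if it has an MX (or A) record.
# Reserved names (.example, .invalid) are used so nothing here resolves for real.
FAKE_DNS = {
    "example.net": True,
    "example.org": True,
    "hotmail.example": True,
    "nonexistent-forged.invalid": False,
}

# Constructed sample of (envelope MAIL FROM, raw message headers).
SAMPLE = [
    ("bounce@example.net",
     "From: Offers <promo@example.net>\nTo: me@mydomain.example\n\n"),
    ("<>",  # null sender: a bounce whose PRA is the Sender header
     "From: <noreply@nonexistent-forged.invalid>\nSender: <x@example.org>\n\n"),
    ("aslkuews@hotmail.example",
     "From: <aslkuews@hotmail.example>\nTo: me@mydomain.example\n\n"),
    ("lkjjyes@hotmail.example",
     "From: Someone <lkjjyes@hotmail.example>\nTo: me@mydomain.example\n\n"),
    ("a@nonexistent-forged.invalid",
     "From: <b@nonexistent-forged.invalid>\nTo: me@mydomain.example\n\n"),
    ("c@another-unknown.invalid",
     "From: <d@example.net>\nTo: me@mydomain.example\n\n"),
]

PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def pra_address(raw_headers):
    """Purported Responsible Address: first present header in RFC 4407 order."""
    msg = message_from_string(raw_headers)
    for name in PRA_HEADERS:
        if msg.get(name):
            return parseaddr(msg[name])[1]
    return ""


def domain_of(address):
    """Domain part of an address; '' for the null sender or malformed input."""
    address = address.strip("<> ")
    return address.rpartition("@")[2].lower() if "@" in address else ""


def analyse(sample, lookup=FAKE_DNS.get):
    """Return per-domain spam counts restricted to domains that can receive mail."""
    per_domain = Counter()
    no_valid_domain = 0
    for mfrom, headers in sample:
        # A message counts once per domain even if MFROM and PRA share it.
        candidates = {domain_of(mfrom), domain_of(pra_address(headers))} - {""}
        valid = {d for d in candidates if lookup(d)}
        if not valid:
            no_valid_domain += 1
        for d in valid:
            per_domain[d] += 1
    avg = sum(per_domain.values()) / len(per_domain) if per_domain else 0.0
    return {
        "messages": len(sample),
        "no_valid_domain": no_valid_domain,
        "valid_domains": len(per_domain),
        "spams_per_valid_domain": round(avg, 2),
        "by_domain": dict(per_domain),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The ratio that matters for the backscatter argument is `no_valid_domain` against the total: every message outside that bucket names at least one domain with a working mail exchanger, so a challenge sent to it lands in somebody's mailbox. Swapping `FAKE_DNS.get` for a real resolver and feeding the MTA's log of envelope senders is all that is needed to run it on live traffic.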

Re: Misguided SPAM Filtering techniques
United States
2007-10-22 17:13:52
Patrick W. Gilmore wrote:

> Where did you get that 99% #?

Statistics from my own mail server.  Yours may vary.  In the course of 6 months, on one honey-pot email address, I received about 10,000 spam messages that were classified as from forged addresses by spam assassin.  I'm sure you are familiar with these, they are like aslkuewshotmail.com, lkjjyesyahoo.com, etc.  I also received about 200 other messages that spam assassin classified as spam for overall score.  My statistic is a little off.  98% of them were forged addresses.  Not all of that remaining 2% had a valid address, most of them were either from domains that did not receive email, or addresses that did not exist.

I have my c/r system set up on this account to discard the forged hotmail accounts, as well as the email that was otherwise classified as spam.  The rest I handle manually until I find a conclusive pattern.

> That is neither the statement that most CR systems make in their challenge, nor what most people who use the system think it means.

The problem is that C/R systems are not the only means to stop spam or viruses, or other junk.  As you said, it only validates email addresses.  If they are valid, and confirmed as such, the email gets through.  Anyone that sees it as otherwise is misled.

> I'm sure you have.  I'm also certain you have put a burden on other people, which is the reason we all hate spam

So, I burden a VERY small number of people over the course of 6 months, since 99% of the forged addresses are dropped at the server, and a challenge is never sent.  I understand that my setup is unique, and that commercial c/r systems likely don't discard anything.

And, is it really a burden if you SEND me an email to validate yourself?  If it IS such a burden, then I invite you not to send email to start with, especially not to me.

> I'm not at all certain I agree with your reasoning.  If someone wants to send e-mail from home, they can use 587, or your server, or VPN, or .....

Yeah, and since the ISP only accepts email from their customers with a valid login from their IP addresses, when their customer takes their laptop elsewhere they can't send email.  Most are not going to know to change their SMTP server, and many more aren't going to have a valid SMTP server through which to send email when they are traveling.

And your comment of VPN or port 587...  Those are not always options either.

> I am assuming you also do not list your IP addresses in the PBL?  So the "99%" of your users who do _not_ need to work from home, but are infected, are allowed to spew spam at me?

If the user is infected, they are infected.  Not much that can be done about that.  Fortunately, most infected PCs do not bother to send email through the user's SMTP server.  As long as the user connects to the SMTP server, starts TLS and authenticates themselves, that's all that I require.  This is on my personal email server, which serves only a handful of trusted users.  I can't speak to my current company's external email server.  The Internal one requires a VPN, but also runs Microsoft software, so it's highly suspect.

  -Sean

(Please respond only through the list)

Re: Misguided SPAM Filtering techniques
United States
2007-10-22 19:44:49
On Mon, 22 Oct 2007 16:13:52 MDT, Sean Figgins said:

> And, is it really a burden if you SEND me an email to validate yourself?  If it IS such a burden, then I invite you not to send email to start with, especially not to me.

That would be all fine and good - if I was being asked to validate mail that I actually sent to you.  I've seen very few true positives for this, compared to two *large* classes of false positives:

1) I'm being asked to verify my address because some malware found my address on a hard drive and stuck it in the From: field.  I'm sorry, but if you're asking me to verify that, it *is* a burden - you are admittedly *starting off* assuming that it's bad and *needs* some sort of verification.  So by definition, you're imposing on people to validate that they're real.

2) The rest of the time, I'm being asked to verify myself because I posted to a mailing list, and some idiot failed to whitelist the list address.

Homework question:  Does this method scale?  What would happen to your inbox if *everybody* on this list did this sort of thing?

(Bonus points for figuring out what happens when two people who *both* use this scheme try to exchange email.  Hint - my system didn't recognize your C/R format, and concluded it was an e-mail addressed to me.  What happens next?)

> (Please respond only through the list)

This is NANOG. If you wish to hijack the semantics of my REPLY button, feel free to actually include a Reply-To: field that expresses the semantics that you desire.

Re: Misguided SPAM Filtering techniques
United States
2007-10-22 20:42:11
Valdis.Kletnieksvt.edu wrote:
> 1) I'm being asked to verify my address because some malware found my address on a hard drive and stuck it in the From: field.  I'm sorry, but if you're asking me to verify that, it *is* a burden - you are admittedly *starting off* assuming that it's bad and *needs* some sort of verification.  So by definition, you're imposing on people to validate that they're real.

Why would you care to validate your email address then?  If you didn't send the email, and were not expecting an email from me, then why would you even bother to read, let alone validate?

> 2) The rest of the time, I'm being asked to verify myself because I posted to a mailing list, and some idiot failed to whitelist the list address.

Yes, except for two things:  First, YOU should not get a challenge to an email that was sent by you through the list.  If you are, then this is just inexcusable on the part of the software developer or admin.  Second, you should only get a challenge if you "reply to all" and send a copy of the same email to someone directly.

> Homework question:  Does this method scale?  What would happen to your inbox if *everybody* on this list did this sort of thing?

Absolutely nothing, assuming that the list members have a clue on how the software works and should be configured.  If they don't whitelist the mailing list, then they are idiots that have no excuse, and quite frankly will be unsubscribed from the list due to excessive bounces.  And if people followed good protocol and trimmed their headers, then there really is no good reason why anyone would get a challenge to an email that they sent to the list.

And as it is, if everyone had a c/r system, I imagine that everyone would get either whitelisted or validated here pretty quickly.

> (Bonus points for figuring out what happens when two people who *both* use this scheme try to exchange email.  Hint - my system didn't recognize your C/R format, and concluded it was an e-mail addressed to me.  What happens next?)

Most of this type of software is specifically designed to catch loops, and thus will stop them.  When companies send me an email from an address that has an autoresponder behind it, I usually only get one or two emails before the software stops it.

> This is NANOG. If you wish to hijack the semantics of my REPLY button, feel free to actually include a Reply-To: field that expresses the semantics that you desire.

Why should I do such a thing when it is only common (uncommon?) sense to actually do such a thing?  How highly that people must think of themselves to send the same email to people multiple times.

And I only put that disclaimer in there so people don't whine about the autoresponder.  Considering the group here, I'm sure that many of them actually have their mail reader set to ignore the reply-to field.  These are the same that will whine about the autoresponder if I didn't let them know ahead of time.

  -Sean
(Please respond only to the list.)

Actually it looks like we're being directed to stop, so no response needed, unless you want to take it off line.
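The failure modes argued over in the last few posts (a challenge sent for mail that arrived via a mailing list, a challenge sent to a forged sender that can never answer it, and Valdis's homework question of two C/R systems challenging each other) all come down to the gating decision a C/R agent makes before it sends anything. The code below is an added example written for this thread; it is not the code of any product or poster mentioned here. The header conventions it keys on are real (Auto-Submitted from RFC 3834, Precedence, List-Id), while the addresses, the `FAKE_MX` table, the `CRState` class and the `resolve_mx` hook are constructed for the example, the last standing in for a real DNS lookup.

```python
"""Gate for a challenge-response (C/R) filter that avoids the failures raised
in this thread: challenging list traffic, challenging forged senders that can
never answer, and two C/R systems challenging each other in a loop.

Added example, not the code of any product or poster in the thread. The
header conventions are real (Auto-Submitted from RFC 3834, Precedence,
List-Id); the addresses, MX table and messages are constructed, and
`resolve_mx` is an assumed hook standing in for a real DNS lookup.
"""
import secrets
from email import message_from_string
from email.utils import parseaddr

DELIVER, CHALLENGE, HOLD, DISCARD = "deliver", "challenge", "hold", "discard"

# Constructed stand-in for DNS: sender domains that could receive a challenge.
FAKE_MX = {"example.org": True, "example.net": True, "lists.example": True}


def resolve_mx(domain):
    """Assumed hook: True if the domain has MX/A records (replace with DNS)."""
    return FAKE_MX.get(domain, False)


class CRState:
    """Whitelist plus the set of senders we have already challenged."""

    def __init__(self, whitelist):
        self.whitelist = {entry.lower() for entry in whitelist}
        self.pending = {}  # sender -> token carried in the challenge we sent


def sender_of(mfrom, msg):
    """Envelope sender, falling back to From: when MAIL FROM is the null sender."""
    return (parseaddr(mfrom)[1] or parseaddr(msg.get("From", ""))[1]).lower()


def is_automatic(mfrom, msg):
    """True for mail that must never be answered with a challenge (RFC 3834):
    bounces (null MAIL FROM), auto-generated/auto-replied mail, list/bulk traffic."""
    if parseaddr(mfrom)[1] == "":
        return True
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return True
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return True
    return msg.get("List-Id") is not None


def decide(mfrom, raw_message, state):
    """Return (action, reason) for one incoming message and update state."""
    msg = message_from_string(raw_message)
    sender = sender_of(mfrom, msg)
    subject = msg.get("Subject") or ""

    # 1. A reply carrying the token we issued confirms the sender for good.
    token = state.pending.get(sender)
    if token and token in subject:
        state.whitelist.add(sender)
        del state.pending[sender]
        return DELIVER, "confirmed"

    # 2. Whitelisted sender or whitelisted mailing list: never challenge.
    list_id = (msg.get("List-Id") or "").strip().lower()
    if sender in state.whitelist or (list_id and list_id in state.whitelist):
        return DELIVER, "whitelisted"

    # 3. Automatic mail (including another system's challenge) is held, not
    #    answered: this is what breaks the C/R-vs-C/R loop.
    if is_automatic(mfrom, msg):
        return HOLD, "automatic"

    # 4. A forged sender at an unreachable domain could never answer, so a
    #    challenge would only be backscatter: drop it silently.
    domain = sender.rpartition("@")[2]
    if not domain or not resolve_mx(domain):
        return DISCARD, "unreachable-domain"

    # 5. One outstanding challenge per sender; further mail waits for it.
    if sender in state.pending:
        return HOLD, "already-challenged"
    state.pending[sender] = secrets.token_hex(8)
    return CHALLENGE, state.pending[sender]


if __name__ == "__main__":
    state = CRState(["friend@example.org", "<list.lists.example>"])
    print(decide("poster@example.net",
                 "From: poster@example.net\nList-Id: <list.lists.example>\n\n", state))
    print(decide("cr-bot@example.org",
                 "From: cr-bot@example.org\nAuto-Submitted: auto-replied\n\n", state))
```

Two design points follow directly from the thread. Rule 3 answers the bonus question: a challenge from another C/R system is itself automatic mail, so it is held rather than challenged back, and the exchange stops after one message in each direction. Rule 4 is what Sean describes as dropping forged addresses at the server before any challenge goes out; whatever the overall ratio turns out to be on a given server, every challenge that rule suppresses is one fewer piece of backscatter for the person whose address was forged.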
