FC: Why is Mailblocks' approach different? (Answer: It isn't)

[Declan McCullagh <declan () well com>]

Previous Politech message:

"Will new 'spam reduction' service result in... more spam?"
http://www.politechbot.com/p-04580.html

Also note that Mailblocks has changed their privacy policy (see the next 
Politech message).

-Declan

---

Date: 24 Mar 2003 14:33:55 -0500
From: "John R Levine" <johnl () iecc com>
To: "Declan McCullagh" <declan () well com>
Subject: Re: FC: Will new "spam reduction" service result in... more spam?
Cleverness: None detected

> CNET (among other news sites is touting Mailblocks, a "new class of email
> service that completely rids your Inbox of spam and offers the powerful
> features you want in your web mail." After reading the ToS and privacy
> policy, I certainly will not recommend the service.

The only thing that's new about Mailblocks is that their founder has
a high enough profile that he got reporters to talk to him.  There are
plenty of other mail challenge systems, both freeware and commercial.
Even the ones that aren't privacy disasters don't work well.

For one thing, a lot of people won't respond.  Some less technical users
assume it's spam or another incomprehensible message from their ISP and
delete it.  Some better informed users won't respond because (with good
reason) they don't trust the challenge service not to misuse their
addresses.

Some of us are really tired of misconfigured challenge systems that send
challenges to mail from lists to which the user has subscribed, or to a
response that the challenge user sent, so to minimize the damage we don't
respond to any of them.

In the long run, these challenge systems are a bad idea because they treat
correspondents' e-mail addresses as passwords.  But they're just about the
worst kind of password you can imagine, easy to guess, easy to spoof, and
hard to change.  We're already seeing spam sent with random forged return
addresses, which among other things reverse spams the forged user when the
spam hits a challenge.  If challenges become at all popular, we can expect
spammers to start harvesting mail in bunches to try and maximize the
chance that the forged return address is already in the victim's
whitelist.  And remember that for spammers, if that works 1% of the time,
that's "success".  I can hardly wait.

Regards,
John Levine, johnl () iecc com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web

---

Date: Mon, 24 Mar 2003 20:40:13 +0100
To: declan () well com
From: Brad Knowles <brad.knowles () skynet be>
Subject: Re: FC: Will new "spam reduction" service result in...
 more spam?
Cc: politech () politechbot com
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

At 2:02 PM -0500 2003/03/24, Declan McCullagh wrote:

>  CNET's article here: http://news.com.com/2010-1071-992911.html

        From this article:

                Before allowing e-mails through to your in-box, Mailblocks
                automatically transmits a numerical password to first-time
                correspondents. The senders must then retype the code into
                an onscreen dialog box before the system acknowledges them
                as legitimate.


        This is no different from a package called "TMDA" (see 
<http://tmda.net/>), which has been in existence for a while.  It's not the 
only package of this sort, but is one of the ones that is better-known.

        So, he's going to make money by selling a package that he claims 
is better at doing the TMDA job than TMDA itself, and in return he gets to 
spam you endlessly?  I don't think so....

--
Brad Knowles, <brad.knowles () skynet be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

---

Date: Mon, 24 Mar 2003 16:16:13 -0800
To: politech () politechbot com
From: Steve Schear <schear () attbi com>
Subject: FC: Will new "spam reduction" service result in... more spam?
Cc: asrg () ietf org
In-Reply-To: <20030324232728.67BCF84F8 () web39t prvt nytimes com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

 From NYTimes.com http://www.nytimes.com/2003/03/24/technology/24PHIL.html

Start-Up Aims to End Spam
March 24, 2003
By JOHN MARKOFF

>In addition to legislative proposals before Congress and
>state legislatures, there are efforts under way within the
>direct marketing industry to try to deal with spam. And
>last week, the Internet Engineering Taskforce, a committee
>of technology experts that sets Internet standards, met in
>San Francisco to listen to proposals for technical
>solutions to spam.

I've been monitoring and contributing to the mail list associated with this
IETF function now for about two weeks.  Most of the people are looking for
a magic bullet to cure spam but I think it will not be that simple.  If it
were it would have already been done.  It seems all the seemingly good long
term spam elimination approaches either require notable changes to the
Internet's email or other infrastructure, make it difficult for some
classes of current email users, or the require the establishment of new
services (e.g., financial infrastructure to support real value e-stamps).


>The Mailblocks antispam service is based on a so-called
>challenge-response mechanism to block bulk mail sent
>automatically to e-mail accounts. When a customer receives
>a new message from an unknown correspondent, the system
>will intercept the message and automatically return to the
>sender a digital image of a seven-digit number and a form
>to fill out. Once a human being views that number and types
>it into the form - demonstrating that he or she is a person
>and not an automated mass-mailing machine - the system will
>forward the e-mail to the intended recipient.

E-gold uses this approach. They call it a Turing number (after the British
mathematician, Alan Turing)
https://www.e-gold.com/acct/login.html Challenge responses may eliminate
spam from bogus addresses but it almost sure to set of an image recognition
arms race between other spammers and Turing number technologists as the try
to fashion ever more cleaver images that supposedly can be easily read by
humans but not machines.  There are already programs to "read" earlier (and
maybe current versions of E-gold's Turing number images.  I would be
surprised if these measures proved effective


steve

---

Date: Mon, 24 Mar 2003 17:32:56 -0800
From: Brad Templeton <brad () templetons com>
To: Steve Schear <schear () attbi com>
Cc: politech () politechbot com, asrg () ietf org
Subject: Re: [Asrg] FC: Will new "spam reduction" service result in... more
+spam?

On Mon, Mar 24, 2003 at 04:16:13PM -0800, Steve Schear wrote:
> E-gold uses this approach. They call it a Turing number (after the British
> mathematician, Alan Turing)
> https://www.e-gold.com/acct/login.html Challenge responses may eliminate
> spam from bogus addresses but it almost sure to set of an image recognition
> arms race between other spammers and Turing number technologists as the try
> to fashion ever more cleaver images that supposedly can be easily read by
> humans but not machines.  There are already programs to "read" earlier (and
> maybe current versions of E-gold's Turing number images.  I would be
> surprised if these measures proved effective

Actually, it is an interesting question of what arms races spammers would
wish to engage in.

>From a purely rational standpoint (bear with me on this!) the spammer
simply wants to send as many messages to the best prospects per unit of
time and bandwidth.

This means that if the spammer gets a challenge (or even something as simple
as a temporarily unavailable status) they can do one of two things:
    a) Try to respond to the challenge
    b) Simply move on to delivering the next message in the list.

As long as B is easier than A, the rational thing to do is to just do B.

This changes in two cases.  If most people start issuing challenges or
other such barriers, B is no longer productive, and so you now start the
arms race -- but only until you have enough people to send to again.

Secondly, if you have some idea as to the "quality" of an address, in terms
of probability of making a sale (direct marketers try to measure this all the
time) then you are motiviated to do extra work on the higher "quality"
targets.

Finally, spammers will not be rational, and may wish to get in an arms race
for the spite or challenge of it.   (There's a lot of spite in both directions
in this field.)

Nonetheless, I think people overestimate the arms race.  I have seen challenge
response systems that try to do natural language questions, or embed images
only the human eye can see in graphics.

I wrote a challenge/response system six years ago that simply asks for any
reply at all -- it doesn't put any burden on the other party, and would be
easy to defeat with something as simple as an autoresponder.   Yet it works,
the spammers have not attempted to use this simple defeat.  Once they start,
I will easily enough move to something else, but it is telling that in six
years they have not, even though others have also built a number of
challenge/response systems since then.    Sometimes spammers have 
autoresponders
for other reasons, but they have been easy for me to eliminate.

---

Date: Tue, 25 Mar 2003 09:13:46 -0500
To: Brad Templeton <brad () templetons com>
From: Kee Hinckley <nazgul () somewhere com>
Subject: Re: [Asrg] FC: Will new "spam reduction" service result in...
 more spam?
Cc: Steve Schear <schear () attbi com>, politech () politechbot com,
        asrg () ietf org
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

At 5:32 PM -0800 3/24/03, Brad Templeton wrote:
>I wrote a challenge/response system six years ago that simply asks for any
>reply at all -- it doesn't put any burden on the other party, and would be
>easy to defeat with something as simple as an autoresponder.   Yet it works,
>the spammers have not attempted to use this simple defeat.  Once they start,

If a challenge response system puts messages in the "look at me
later" queue if you don't respond, then I don't think spammers will
care.  (And it's not clear that you'll be that much happier as a user
of the system.  You will have to scan the queue.)

Why is not clear to me is a) how anyone expects your typical user to
whitelist commercial addresses and mailing lists in advance and b)
how a challenge response system (which had *better* respond to
envelope from) avoids getting them removed from said list, or not
receiving notification about their purchase or what not.

Just consider the following.

1 User sends email to asrg-request () ietf org?subject=subscribe
2 Think quick.  What address should you whitelist?  asrg () ietf org?
asrg-request () ietf org?  Nope.  asrg-admin () ietf org.  And you knew
that because...?
3 asrg sends back a confirmation request.  Now as it happens, it does
this from asrg-admin () ietf org (envelope) and asrg-request (from).
But some mailers use a custom address for this.  But let's assume
we're dealing with the average user here.  They either didn't do
anything at all (forgot they had to) or their software whitelisted
based on the To: address (asrg-request).
4.1 A challenge gets sent back to the asrg list.  The result depends
on a combination of how the list software works and how the challenge
software constructed its reply.
4.1.1 It's treated as a bounce and the user is not added
4.1.2 It's treated as a confirmation and the user is added
4.1.3 It goes to the admin, who says something I can't repeat and
throws it in the trash.
4.2 It makes it through because we whitelisted the right thing.
5 The first list message comes through.  If you had whitelisted
asrg-admin, you're fine.  If you whitelisted asrg-request, we
challenge it.  If the list software uses a different envelope from
each time, you got problems.

Now, let's take amazon.com.

I've received automated email from payments-messages () amazon com,
orders () amazon com, auto-confirm () amazon com, eyes () amazon com,
amazon-news-sender () amazon com, editer-sender () amazon com,
science-fiction-editor () amazon com... and they actually send mail from
their domain--never mind what happens if they higher m0.net or
someone to deliver it.

And if you start sending challenges to those--Amazon's going to see
them as bounces and dump me.

Of course we could just whitelist all of amazon.com.  But I rather
suspect the spammers might figure that one out.

If you want challenge/response to work, the first thing you should do
has nothing to do with challenge/response.  The first thing is to
come up with an RFC for a standard format for challenges so that
automated mail systems can recognize that they aren't the same as
bounces.  And come up with a protocol whereby they can reply and say
"Yo! I'm an automated system you idiot."  Where you go from there I
don't know.

However, see my next message on "Protocols".
--
Kee Hinckley
http://www.puremessaging.com/       Junk-Free Email Filtering
http://commons.somewhere.com/buzz/  Writings on Technology and Society

---

Cc: Brad Templeton <brad () templetons com>,
        Steve Schear <schear () attbi com>, politech () politechbot com,
        asrg () ietf org
To: Kee Hinckley <nazgul () somewhere com>
From: Chuq Von Rospach <chuqui () plaidworks com>
In-Reply-To: <p06000d08baa60f450f0b@[192.168.1.104]>
Message-Id: <E3A4437C-5EDF-11D7-980A-0003934516A8 () plaidworks com>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.551)


On Tuesday, March 25, 2003, at 06:13  AM, Kee Hinckley wrote:

>

> Why is not clear to me is a) how anyone expects your typical user to
> whitelist commercial addresses and mailing lists in advance

I think there has to be a responsibility here for the commercial sender
to help the user figure this out. In fact, it's one of the issues I'm
mulling over in revamping system documentation on my lists and other
things. we're now seeing enough challenges that we have to find a way
to help users figure this out. (FWIW, we don't respond to challenges.
We've talked it over and decided if the user hasn't whitelisted us, we
shouldn't validate from the outside. we ring the bell, we don't turn
the knob. To me, the risks of validating a whitelist and upsetting
someone are a lot worse than the risks of someone under a whitelist
expecting to get a subscription and no realizing why it's not
happening.)

We're probably going to add language explaining whitelisting issues to
our stuff down the road, since t seems like whitelists are starting to
be used fairly widely and I expect that trend to continue.

> 1 User sends email to asrg-request () ietf org?subject=subscribe
> 2 Think quick.  What address should you whitelist?  asrg () ietf org?
> asrg-request () ietf org?  Nope.  asrg-admin () ietf org.  And you knew that
> because...?

Because I read the FAQ, and it told me.

> And if you start sending challenges to those--Amazon's going to see
> them as bounces and dump me.
>
> Of course we could just whitelist all of amazon.com.  But I rather
> suspect the spammers might figure that one out.

So amazon has to figure out whitelists, too, and help people understand
what addresses things will come from. With a foot on both sides of this
cashm, I really feel the sender of this mail shouldn't put the burden
of responsibility on the user here. They need to help them out.

---

Cc: Brad Templeton <brad () templetons com>,
        Steve Schear <schear () attbi com>, politech () politechbot com,
        asrg () ietf org
To: Kee Hinckley <nazgul () somewhere com>
From: Chuq Von Rospach <chuqui () plaidworks com>
In-Reply-To: <p06000d08baa60f450f0b@[192.168.1.104]>
Message-Id: <E3A4437C-5EDF-11D7-980A-0003934516A8 () plaidworks com>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.551)


On Tuesday, March 25, 2003, at 06:13  AM, Kee Hinckley wrote:

>

> Why is not clear to me is a) how anyone expects your typical user to
> whitelist commercial addresses and mailing lists in advance

I think there has to be a responsibility here for the commercial sender
to help the user figure this out. In fact, it's one of the issues I'm
mulling over in revamping system documentation on my lists and other
things. we're now seeing enough challenges that we have to find a way
to help users figure this out. (FWIW, we don't respond to challenges.
We've talked it over and decided if the user hasn't whitelisted us, we
shouldn't validate from the outside. we ring the bell, we don't turn
the knob. To me, the risks of validating a whitelist and upsetting
someone are a lot worse than the risks of someone under a whitelist
expecting to get a subscription and no realizing why it's not
happening.)

We're probably going to add language explaining whitelisting issues to
our stuff down the road, since t seems like whitelists are starting to
be used fairly widely and I expect that trend to continue.

> 1 User sends email to asrg-request () ietf org?subject=subscribe
> 2 Think quick.  What address should you whitelist?  asrg () ietf org?
> asrg-request () ietf org?  Nope.  asrg-admin () ietf org.  And you knew that
> because...?

Because I read the FAQ, and it told me.

> And if you start sending challenges to those--Amazon's going to see
> them as bounces and dump me.
> Of course we could just whitelist all of amazon.com.  But I rather
> suspect the spammers might figure that one out.

So amazon has to figure out whitelists, too, and help people understand
what addresses things will come from. With a foot on both sides of this
cashm, I really feel the sender of this mail shouldn't put the burden
of responsibility on the user here. They need to help them out.






-------------------------------------------------------------------------
POLITECH evening reception in New York City at 7 pm, April 1, 2003 at CFP:
http://www.politechbot.com/events/cfp2003/
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------