Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.


Stupid program

  • Actually, I wouldn't call the program "stupid," but I certainly do think the concept is bad because it actually serves to aid spammers in further victimizing innocent users who've had their eMail addresses forged by spammers and/or viruses.

    I am going to clarify some points here, however, because it does appear to me that other posters here are misinformed on the issues surrounding spam fighting (see numbered points below...).

    I dislike filters because my bandwidth is still wasted, but I find that blocking SMTP traffic from known spam-supporting ISPs works wonders for cutting down on spamflow.

    I report all spam, including C/R system challenges (because they are spam), to SpamCop.Net, and also share the information with other key people I know and trust who are responsible for SMTP servers throughout the world.

    0.  "SPAM" is a Registered Trademark of Hormel Foods, and junk eMail should be referred to as "spam" or "Spam" instead:

    The following points are intended to address Lance Pickup's numbered points...

    1. Spam filters and DNSBLs (a.k.a. "blocklists" and sometimes "blacklists") are entirely different things.  DNSBLs are not filters, they are merely DNS-based databases of IP addresses (or in some cases internet domain names) that fit a predefined criteria that normally relates to spam.  SMTP server operators make a choice on which DNSBLs to use to block traffic based on which DNSBL's criteria they agree with, thus preventing the eMail from entering their systems at all.  Filters, on the other hand, require that SMTP traffic not be blocked in order to operate, otherwise there would be no content to filter.

    2. Each filter is made differently.  Some filters definitely work better than others, but each site and each user will have different experiences with filters due to being targeted by different spammers.  The whole assumption that spammers have access to all eMail addresses is an incorrect and illogical one, because spammers use a wide variety of techniques for stealing the eMail addresses of innocent users -- they're in competition with each other in many ways, so it would be naive to think that there are any standards among spammers (actually, a common inherent problem with spammers is a lack of moral and ethical standards).

    3. When an eMail is blocked because the destination SMTP server is using a DNSBL to block IPs that are known spam sources (or whatever the criteria of the DNSBL might be), no messages are actually lost -- messages are simply rejected, and the sending server continues to be responsible to notify the sender (or mailling list operator) of the problem.

    4. I wasn't aware that Bayesian filters were considered to be "the best solution."  Can you cite any credible references for this?  At any rate, there are many different types of filters, and Bayesian is just one of many.  There are some SMTP server administrators who have done really well with content filters, but a combination of techniques and filters, and other customizations are required to do this.  Myself, I do very limited filtering on initial headers to check for some basic things (and reject the message if it's not compliant with standards, etc.), which I find blocks some spam, but most effective tool for me have been the DNSBLs.

    5. From the C/R system user's perspective, C/R is a great thing, but unfortunately the user isn't aware of the havoc their beloved C/R system is causing the rest of the internet, and as a result their systems get added to various DNSBLs because of how C/R systems are actually "spam repeaters" (and sometimes even "spam amplifiers" when they send multiple challenge messages for a single message).  C/R systems deserve to be blacklisted.

    6. Bandwidth waste due to spam increases the overall costs for users, even if they are on monthly flat-rate services.  After all, the ISP has their own bandwidth bills, and if more bandwidth is being consumed then that means users will pay higher fees in the end (lower bandwidth fees could mean more discounts and/or fewer price hikes in the monthly fees).  To cite examples of other forms of bandwidth use/waste are the typical ploys that spammers use to justify their criminal behaviour (yes, spam is "theft-of-service"); spam has a much greater cost than bandwidth alone though, don't forget about the time wasted by users in dealing with it, the extra wear-and-tear on equipment, higher electric bills, etc.  In addition to that, it's just a matter of time before some spamware vendor figures out how to automate responses to C/R challenges, and then any spammers who use such spamware will be getting through your beloved C/R system and you won't have any right to call it spam because you chose to automate the delegation of your consent to the senders, including spammers.

    7. Why should I have to jump through hoops just to send an eMail to someone?  That's not the natural course of how eMail is expected to work, thus it's unintuitive.  Consider that I want to buy a certain product and I seek out a few companies to ask for some information and pricing -- those who expect me to jump through additional C/R hoops so I can get my request to them are not going to get my business because I'll just assume that their whole philosophy on doing business is screwed up (Where else will I have to jump through hoops in dealing with them?  Why should I support a spam amplifier?  Are they snobs who think they're elite or something?).

    8. Marco Paganini posed the question "Do you allow strangers into your home?"  My answer to this is "No, of course not, and the same goes for my SMTP servers, which is why I don't use C/R -- a C/R confirmation is more like a key to a locked door, which allows the so-called stranger to open the door and place a message inside my eMail inbox."

    Regarding a "better solution," I'm a big fan of the death penalty, but so far the common member of society only really agrees when it comes to how to deal with child molestors, rapists, and murderers; somehow spammers still get a lot of sympathy from the general public (and that's really sad).

    Unfortunately, sending "Your eMail message is infected with a virus," "Cannot find user, urf, vomit, barf...," and "C/R confirmation" backscatter messages are all forms of eMail abuse.  Sending enough of these to my systems will result in blacklisting by way of a private DNSBL for a time determined partially by the perceived level of arrogance from both the sender and the sender's ISP.  Why?  Because eMail abuse is a form of theft-of-service which is totally unacceptable.

  • bob

    Horse-hockey,  Anonymous Coward !!

    I agree, Anonymous Coward is likely a frustrated spammer himself. You can't get around this one, "Coward."

    I have often wondered if spammers really want to sell me anything at all. It seems if they have a brain at all they will realize their spam so infuriates me that I would never by a produce they advertise.... ever !  I do know that there are people in this world who go to bed with a satisfied grin knowing they have infuriated, annoyed and frustrated 10 people today... and then they scowl and swear that they'll infuriate at least 12 tomorrow.  Is Spam mostly just that? An attempt to infuriate people? I'd bet a lot of it is created by people who are trying to make up for being very poorly endowed in unmentionable parts of their anatomy.

    I am beyond livid. I used to have a mailbox which I and my friends liked for its simplicity: It was destroyed by spammers.  I had to abandon it because of the volume of spam it was receiving.

    There are animals who supply addys to spammers.  These characters are even more despicable than spammers themselves. They robbed me of that simple bob@ addy. They started sending emails to bob@, john@, harry@ etc and looked for bounces. I saw that in my logs. So simple addys were robbed from all of us.

    Almost every day I also see in my logs:
    Relaying denied:
        From [] to 1 Times(s)

    Know what that is? It's some Korean a**s**s... checking to see if he can slip through my mail server and use it as a relay. I emailed, the ISP this character is using.  They don't even bother to answer my emails, much less stop this jerk.

    It is past time... WAY WAY past time for programs like ASK. Yes, it's annoying.  Yes I'm afraid I'll miss some emails. But the alternative of having my email addy effusively destroyed by spammers is worse.  I run a major website. I can't keep changing email addys every time the damned spammers discover me. My site-members would lose me and the valuable contact and help which I give them.

    One other thing: How about children? Does Anonymous Coward also believe that children should get sexually explicit email?

    My site focuses on children. Many have told me that they receive many sexually explicit spam emails... that they have been getting these since they were 8 or so. 

    Lots of lip-service is given to improving the email system. But in reality not chit is being done, except by ASK and other programs like it. How does one require that countries like Korea comply ? Do we declare war on countries that refuse to do anything about Internet abuses?

    Mr Richardson:
    1) I would love to block all Korean ISP's... many systems do.  But I have a lovely Korean girl on my site who uses the site to keep in contact with her American friend. If I block I will also be blocking her because that is her ISP.
    2) SPAM is a registered trademark !!! (As if I and others had no idea!!! nor HAVE any idea what the relevance of your pointing this out might be 0_0)
    3)As for, I spent many hrs there trying to discover a way I might report a spammer.... to no avail.  Do you have some sort of  'secret knowledge' that the rest of us lack?  I gave up on reporting because it's rather like trying to kill an elephant with a bb gun anyways.
    4)You say "Some filters definitely work better than others." For those of us who can read between lines, it's obvious that you are admitting that filters simply don't work... *smile* ... next point...
    5) Why should you jump through hoops to email someone? If you don't care to respond to my C/R that's perfectly fine with me. That simply informs me that neither you nor your message are of any importance whatever to me... that your initial message is essentially the same "Spam" you accuse me of with my C/R... perhaps I should report you?
    5)... It rather seems your attitude is "so the email system doesn't work?... deal with it" You offer no solutions other than the death penalty and tell us that you will report any of us who try to protect ourselves, our children, our time, and our mailboxes from spammers.


    • I still believe that C/R systems are severely, inherently, flawed, and are aiding spammers in their plight to further victimize internet users through theft-of-service [of their bandwidth, etc.].  Here is my response to "usagichan" (a.k.a. "bob")'s response to my last posting here...

      1. That's your choice.  If you know how to configure your SMTP servers to whitelist certain eMail addresses before blocking entire IP netblocks, then you'd be able to continue to service your existing customers while still putting pressure on the offending ISPs they use to take the spam problem seriously -- in fact, this will likely put even more pressure on their ISPs because if it works for some customers and not others, then their system will appear to be unreliable when their users tell them "it works for so-and-so and also works with, etc." (and don't worry, they'll definitely know why).

      2. Actually, it's obvious that many people don't know that "SPAM" is a Registered Trademark because they keep mis-using this term in violation of Hormel's wishes.  One of the ways spam fighters can demonstrate they have integrity is by respecting others' property.  After all, isn't that one of the whole points of fighting spam in the first place?  To protect property (not to mention consent, ethics, decency, etc.)?  Of course it is (to both those questions).

      3. No secret knowledge is needed to use SpamCop.Net for reporting spam since the procedures are all documented clearly.  In addition to that, there are both NNTP-based and web-based forums that welcome anyone to ask for assistance.  I suggest you look into this if you really are serious about using SpamCop.Net to report spam.

      4. You totally ignored my point that blocklists (a.k.a. "DNSBLs") and filters are very different things, and unfortunately you twisted it into "filters simply don't work."  The fact is, some blocklists work especially well.  As for filters, certain types will work while the spammers aren't "on to them," but this mostly depends on how dedicated the owners/administrators are (it boils down to ethical/moral motivation, the economics of time/money, etc.).

      5a. Your arrogant attitude indicates to me that you are frustrated, and I'm guessing it's partly due to the fact that you're in denial about the desperation you feel from delegating your consent to complete strangers.  It's only a matter of time before the spammers will automate the C/R hoop handling and you'll just be back at square one again.  Also, you definitely should NOT report me for spamming because that would be an outright lie.

      5b. Why should I be expected to come up with an alternative solution for a severely flawed system that I didn't have any active role in creating in the first place?  I merely pointed out, with fairly detailed reasoning, why the system is flawed, in the hopes of seeing a response somewhere between complete agreement and sensible counter-arguments; your response failed to meet my expectation.

    • I know the problem. I removed the MX records for two domains because spammers started to use them for forged sender addresses. More than half of the SMTP traffic to my server consisted of bounces (stupid QMail servers, mostly) of undelivered spam.

      But this program is just NOT the solution to the spam problems. I thought the world realized this by now, so I was pretty surprised when I saw a new release of a similar program on FreshMeat.

      All these programs do is make the spam problems worse. Just like QMail with its braindead behaviour of sending bounces instead of the usual 550 response. Spammers use forged sender addresses all the time, sometimes those are real addresses that are real people. So you end up being the spammer yourself.

      Also, if everyone would use such a program I'd have to reply to those confirmation requests every time I send a mail to a new person, or when I accidentally use a different sender address. I got better things to do than that.

      A couple of weeks ago I actually tried to mail someone who used a system like this. His query-system seemed to be broken, or at least I couldn't figure out in less than a minute how to confirm. Sure, that's what we want. IOW, I don't bother, and I hope more people won't.

      So then you end up not getting any non-spam mail anymore either. Congratulations! :-D

      BTW, if you want something that works without contributing to the spam problem, try graylisting. Together with some nice and safe IP blacklists, it keeps pretty much all spam out of your INBOX.

      And to the author, I'm sorry for participating in this kind of flamewars (it *is* pretty low), but this kind of software is just wrong. It's nothing about your program specifically.

      • > ... SMTP traffic to my server consisted of
        > bounces (stupid QMail servers, mostly) of
        > undelivered spam.

        Although I do agree that qmail, by default, lacks in this area, in my opinion it is a first-class mail server that can be programmed to reject at the STMP envelope stage instead of bouncing from the queue.  There are a number of free add-ons for qmail that make this possible in a variety of ways.

        Please keep in mind that qmail was originally designed for an environment where forgeries weren't commonplace as they are today.  There are many other SMTP servers that came later which default to this same behaviour of naively bouncing from the queue, and I consider it the responsibility of the mail server administrator to make the right configuration/software choices when it comes to operating a system responsibly.

        > But this program is just NOT the solution
        > to the spam problems. I thought the world
        > realized this by now ...

        The world never realises anything.  Democracy has already proven this (think "99 people telling 1 person what to do is not freedom" -- people seem to think democracy is freedom, but it is not, it's just a really big strata council), yet people continue to insist that it is the best solution (I don't know what is, but I don't mind living in a democratic^H^H^H^H^H^H^H^H^H^Hstrata-run society given the alternatives) and even wage military wars to force it upon unwilling parties.

        The problem with democracy is that you have followers picking leaders, which in itself should raise some alarm bells for those who posess common sense.

        The implementation of C/R Systems are just another form of bad decisions that don't consider the overall, long-term effects that they have on the internet.  What's the basis for these decisions?  Whatever the reason, it certainly has its roots in selfishness because it just puts the burden on someone else who's eMail address could have been forged.

        At least it does eliminate the spam problem in its entirety because once consent has been delegated to a sender (who could be a spammer to others who don't use a C/R System), it can no longer be considered "spam" because the recipient clearly gave their consent/permission for the sender to eMail them.

        > Also, if everyone would use such a program I'd
        > have to reply to those confirmation requests
        > every time I send a mail to a new person, or
        > when I accidentally use a different sender
        > address. I got better things to do than that.

        You're absolutely right about that.  I wish that folks who choose to implement a C/R System could also see things in this light -- eMail is already pretty dysfunctional, and C/R Systems are only going to make it worse, especially when spammers start automating responses to C/R verification requests.

        > ... I couldn't figure out in less than a minute
        > how to confirm. Sure, that's what we want. IOW,
        > I don't bother, and I hope more people won't.

        I don't bother either.  Recently a business associate of mine implemented C/R System, so I telephoned him and gave him a friendly lecture on the problems with C/R Systems.  At first he just whitelisted my eMail addresses (all 50+ of them), but then later abandoned the idea altogether because he was getting calls from people who thought his eMail wasn't working -- they thought that their messages had bounced!  Yup, you're absolutely right about the confusion aspect, but I think you're generous with 1 minute; most people I know would probably give it no more than 10 or 15 seconds at best.

        > ... works without contributing to the spam
        > problem, try graylisting. Together with some
        > nice and safe IP blacklists ...

        An excellent suggestion.  I do this myself, and I help others implement/modify eMail systems to do the same.  It's quite effective, and depending on the recipient's criteria the statistics show anywhere from roughly a 50-95% blockage, and the users are happy because they get a lot less spam.

        > ... this kind of software is just wrong ...

        I agree, and so do many other professionals who are also responsible for keeping extremely busy mail servers operating reliably for large numbers of users.  A C/R System can increase the bandwidth requirements in a very big way, which is likely one of the reasons C/R isn't seen on large systems.