If you wait longer than 72 hours to respond, then you get black listed. Forever. See ya. Wouldn't want to be ya. -- SPOILSPORT
A couple guys at work mentioned last week that C|Net was running some articles on Challenge-Response spam systems as commercial successes and that I should have patented SPOILSPORT. Actually, I feel like more power to them. I don't think I have what it takes to market software. I'll leave that to those who can. But the world of C/R isn't all roses. Some people prefer bayesian filters which calculate probabilities that an individual mailing is spam or not by comparing its word frequencies to those of known spam. I ran into one such individual tonight....
I've removed his identity because I don't think anyone really cares, but he's someone I respect in the perl/apache community. I was rather surprised by his avarice.
Here's his reaction to getting challenged by SPOILSPORT:
Subject: Re: SPOILSPORT
Date: 06-24-03 2:25 AM
> Larry Wall
It's funny - I never sent you any mail, so this is either a virus or a
spam spoofing my from address. Either way I hate C/R systems enough to
respond to this and hope that all future viruses and/or spams get
through to you.
Hopefully this will make you see the pointlessness of C/R systems!
On Tuesday, Jun 24, 2003, at 01:13 Europe/London, firstname.lastname@example.org wrote:
> Spam to this account has reached an all time high.
> Just sifting through it to delete the spam is taking a significant
> amount of my time.
> Further, I find many to be offensive.
> To deal with this problem I have created SPOILSPORT.
> SPOILSPORT is an acronym for Simple Proof Of Intelligent Life Stops
> Potentially Offensive Robotic Transmissions.
> So the situation is this - you must prove that you represent an
> instance of Intelligent Life.
> Until you do so, your messages will sit in 'email jail' waiting for
> you to bail them out.
> SPOILSPORT has put you on its CHALLENGED list.
> You have 72 hours to answer this challenge correctly.
> And you have only one chance.
> Get it right, and your address will go on SPOILSPORT's white list,
> which means I will always receive your email in the future without any
> Get it wrong, and your address will go on SPOILSPORT's black list.
> This means that all future email from your address will be deleted
> immediately, no questions asked, and I will never hear from you again.
> If you wait longer than 72 hours to respond, then the result is the
> same. You get black listed. Forever. See ya. Wouldn't want to be
> If you have read this far, then it is time to prove it.
> Simply reply to this message and answer my question:
> Who is the creator of Perl ? ( first and last name )
> I will even give you a hint: http://wall.org/~larry/
> Remember, you have 72 hours and only one chance. Good Luck!
> NB: It is possible you are getting this message because your machine
> has become infected by a mail virus. If you did not knowingly send an
> email to me, please disreguard this message and look into getting some
> antivirus software for your systems.
> SPOILSPORT v0.1 beta
Oh well. I can take solace knowing that my system correctly identified him as human, while his system won't allow me to talk about refinancing my home or include tables in my html emails.
jc said on 2003-06-26 09:32:53:
I'm sure something is going to come along to make things better. I also, in the back of my head, have this little twinge that we're taking something basic here and turning it into a complex system where something is bound to become flawed to the point that anything involving email in the future is going to be painful and buggy. I'm thinking an end user system with a simple key at the end of the body of the email would be nice, simple, and highly moddable/scriptable at the users end. This combined with a abuse detector (umm boss? someone just sent everyone on our system the same email in three different colors...), and a possible panic box (holy crap, i sent what to who? UNSEND!UNSEND! Quick before the timer runs out!) possibly with a dynamic timer that adds extra time to it before it's actually sent depending on how vitriolic the language is.
glenn1you0 said on 2003-06-25 15:23:09:
Trust systems are a little tricky. The servers have to maintain lists of everyone's friends. The trust relationships get pretty big, and the trust filtering has to be done at the server level. Whenever a new person sends an email to you, the trust maps on either side have to interact ( A trusts me. Do you trust A? B trusts me. Do you trust B? ... ) I certainly don't know the final answer, but I wouldn't be surprised to see email addresses ( or at least email servers ) end up registered just like domain names, where every email carries a digitaly signed checksum of the content. Then servers or clients could take the signature, compute their own checksum, ask a third party, like our fiend ( r intentionally dropped ) Verisign for the public key, compute their own signature, and see if they match. If they do, then the email is not forged. This is a lightweight version of how PGP mail works, but without the heavy encryption. It doesn't actually filter out the spam, but it does essentially guarrantee that the sender is really who they claim. From that point on, if you mark a sender as a spam source, you can filter it reliably. The other half of the solution, is that the public key doesn't neccessarily need to be managed by verisign. You could put your key up on a public website or public clearing house of some sort( postal service? ), where I can find keys of people I want to trust. In this manner I can get keys for all of my friends into my client. From that point on, my friends can send me keys of their friends if they like. Key propagation becomes pretty casual. I'd never knowingly add the key of a spammer to my keyring. Opt-in mailing lists would have to present me with their key. The use of HTML mail could be used by them to verify that I've accepted their key and received their mailings. Heck, if you wanted to, you could create a website, or email response that prompts would be spammers to donate $10 to your paypal account in order to get you to accept their key for a certain time period. This would work with yahoo mail and hotmail where people wouldn't manage their keys locally. In that way, advertisers would know that the people who they paid to spam, will indeed get the spam for that time period. Who knows, people might sign up for spammable accounts if it actually paid them back. This in some ways parallels the email marketing stuff we're trying to undertake at work, except that we won't leak email addresses to anyone.
jc said on 2003-06-25 10:57:13:
I have to agree that challenge/response is fairly annoying. So is bayesian. Between my 3 main email accounts that i check on a regular basis, I get probably 150 emails a day. Of this, I'd approximate that less than 10 of these emails are non-spam (personal correspondence, and mailing lists that I actually signed up for). On the one account that I have bayesian software running on....no matter how much i train it, I still spend more time dragging the good messages back out of the trash than i would have spent hitting the delete key in the first place. If I had a challenge/response system, I would still have the same problem as my mailing lists and newsletters would get filtered out. On the other end of the email pipe, bad things still happen. First off, with either of these systems, what are the odds that a challenge is going to be sent to the trash bin? I send an email, you send a challenge, my c/r system sends a challenge back, and boom, both parties blacklist each other. Second, what are the odds that a challenge is going to be sent to the garbage by a bayesian system. Third, isn't part of the problem that you don't want to check the junk mail? With any of these solutions, not only am i being inconvenienced by the process, but also by the fact i have to go trashbin diving for any accidental deletions done by "the help". Now that I'm finished griping, I'd think the way to go would be a trust system. Everyone starts at zero in the trust scale. Person A talks to their friend Person B, who is new to the whole trust web thing, B gets a "preference" file from A to get started, or just starts from scratch. B trusts A, so they give them some points, and time passes. C emails B, shows up with a zero rating, but says that A knows them, b clicks a button, which sends a special email message to a, a's software sees that it comes from b, who it trusts, and says "yes, c has a 5 rating from me", c goes on the trusted list of b. Later down the line c posts a chain letter to b, b decides to drop c's trust level down, and at the same time, the software slightly drops the trust level of a, since they referred this person into the trust web to begin with. I've only put a small amount of thought into it, and even at first glance, i don't know how the traffic involved in passing referrals around would compare with the average amount of spam, but, it's a thought. Now, back to my 95% spambox -jc
glenn1you0 said on 2003-06-24 12:01:45:
One more point from Matt: ------------------------- It's all about numbers. Our (Messagelabs) stats show that currently 55% of email is spam, and that's doubling every 2 months right now. Our stats also show that about 60% of that spam has forged return paths. At the current growth rates over half of all email will have forged return paths in the next couple of months. So no, you're *not* pushing the cost onto the sender. You're pushing the majority of the cost of email onto somebody who *never* sent you email. ------------------------------ Valid point, especially if his number are true, which I have no reason to doubt. Perhaps this can only be solved in the infrastructure. If that's so, I hope they do it quick.
glenn1you0 said on 2003-06-24 10:41:05:
I know, commenting on your own entries is perhaps schizophrenic, but I wanted to add an update. Here's an excerpt from Matt's response: --------------------------------------- ... My problem is with C/R systems. I'm not a "bayes fan" though I did create the first commercial bayesian scanner (I write the spam filters for MessageLabs) - all I'm a fan of is filtering spam at the network level. What I'm not a fan of is C/R's cost shifting. You just shifted the burden of *your* spam problem onto *me*. And I didn't send you any email. Frankly that's really offensive, ... --------------------------------------- I agree. If we could eliminate spam at the network level, that'd be great, because then it would be transparent to users. Even better for him since his solution can only be implimented at the level of infrastructure. What that means is that he's in favor of shifting the burden of spam to the ISP's, who would have to buy his special-purpose MTA's ( Mail Transfer Agents - the software that makes up the internet's mail routing system ). Shifting the cost to the ISP's means that the cost will be indirectly shifted back to you and me. Really, I'd like to change my C/R system to ask that those trying to send me should deposit $5 in my paypal account in order to get on my whitelist for 3 months. Sound fair?