Fight Spam With Nolisting 410
An anonymous reader writes with the technique of Nolisting, which fights spam by specifying a primary MX that is always unavailable. The page is an extensive FAQ and how-to guide that addressed the objections I immediately came up with. From the article: "It has been observed that when a domain has both a primary (high priority, low number) and a secondary (low priority, high number) MX record configured in DNS, overall SMTP connections will decrease when the primary MX is unavailable. This decrease is unexpected because RFC 2821 (Simple Mail Transfer Protocol) specifies that a client MUST try and retry each MX address in order, and SHOULD try at least two addresses. It turns out that nearly all violators of this specification exist for the purpose of sending spam or viruses. Nolisting takes advantage of this behavior by configuring a domain's primary MX record to use an IP address that does not have an active service listening on SMTP port 25. RFC-compliant clients will retry delivery to the secondary MX, which is configured to serve the role normally performed by the primary MX)."
Oblig. (Score:5, Insightful)
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Temporary Solution (Score:5, Insightful)
Re:Oblig. (Score:4, Insightful)
Short Term Solution (Score:5, Insightful)
1) It's bad netiquette, and a lot of people don't like that, including myself and I'm sure many other administrators.
2) It's an artificial "defense" that is easily circumvented because the rule is obvious. It's security through obscurity with the added suck that there is no obscurity.
3) It's solving a symptom and not any of the actual problems (e.g. hosts being compromised to send spam).
Thanks, but I'll pass.
I run a mailserver, this is a bad idea (Score:5, Insightful)
Dumb idea. You're better sending all your domain mail to gmail, using their spam filtering, and then pulling it from there.
Won't work. (Score:5, Insightful)
However, this idea would have been *great* six years ago. Once the developer invents a time machine, he's got the spam problem licked for at least a week!
Some spammers target secondary MX first (Score:5, Insightful)
Based on watching a few corporate spam sites and even stuff which reaches my private, never-posted addresses, *much* of the spam could be eliminated by moving non-Windows clients. I'm not just talking about zombies. Some of the spam I see hits lists of addresses which are valid and include very difficult to guess addresses inside the company. Once somebody inside your company, or a buddy of yours is rooted, your previously private address is out there; I've never had this happen via any route but a Windows user. Of course, people who CC: everybody they know with idiotic crap instead of BCC: make this problem much worse.
Oh, and please stop with the lame form letter responses to these articles. It was cute once, long ago. I know at least five people will have posted them by now. Damn spammers.
Spammers often try secondary MX's. (Score:5, Insightful)
The more machines you have to maintain, the more likely you are to focus your efforts on the most critical ones and just let the other slide. Spammers are happy to exploit this.
Re:Temporary Solution (Score:2, Insightful)
And WHY won't google rent out Gmail's filters? (Score:4, Insightful)
Re:This is bullshit! (Score:4, Insightful)
Spam is NOT free speech. You cant come into my home screaming penis ads at me without getting your ass kicked, so why should you be able to do it into my mail server?
Spammers IGNORE the MX priority (Score:5, Insightful)
What's with the breakage to fight spam? (Score:3, Insightful)
Re:Oblig. (Score:5, Insightful)
Those statements could be refering to their use as open relays though.
Re:Temporary Solution (Score:3, Insightful)
Not only do most spammers not pay for bandwidth (stealing it from broadband connected zombies instead), but most legitimate businesses do pay for bandwidth. So you're actually increasing the onus on all email servers in order to get a temporary reduction in spam, which will be reversed as soon as the spammers start programming zombies to try all MX servers listed. Not to mention the additional delay that retries on subsequent MX servers can introduce in mail delivery. People complain as it is if they have to wait 5 minutes for an email that someone sent them.
Re:Oblig. (Score:2, Insightful)
Fine in principal, not so fine if the non-compliant SMTP sender belongs to a client of yours sending a $important_financial_email.
Re:What's with the breakage to fight spam? (Score:3, Insightful)
I like to think there's an answer out there in game theory, but with the players numbering in the hundreds of millions if not billions, may be unsolvable.
Re:Oblig. (Score:3, Insightful)
I didn't say confidential information.
An example would be an invitation to tender. Anyone can read that along the way, but if I lost out on a tender because my spam filter didn't like the sender's SMTP agent, I'd be pissed.
Also, you'd be amazed what happens in the business world. All sorts of stuff are sent via email that shouldn't be.
Re:Oblig. (Score:3, Insightful)
http://www.craphound.com/spamsolutions.txt [craphound.com]
The point is that there aren't any truly novel, effective spam solutions waiting out there. Whatever it is they're suggesting, it's been thought of before, or something like it, and it's already been found wanting.
We don't need to rewrite the objections from scratch, and can just re-tread the old ones by filling out the form. Somebody will fill out that form for EVERY anti-spam solution posted on Slashdot.
Re:This is bullshit! (Score:5, Insightful)
You need not open your mail to have your resources (bandwidth, disk space, processing power) consumed by spam. I work at a major telecom company running the edge mail servers, along with another full time engineer. Of the 12 million emails we get a day, about 100,000 are legitimate mail. The rest is just spam, and it uses up the bandwidth that could've been resold to customers, it uses up the disk space on the expensive mail servers we bought a few months ago, hell it forced us to buy those expensive new servers in the first place. I figure, just in the extra salary (if not for the spam one guy would be enough to handle the load), having to upgrade perfectly adequate five year old servers, and buying licenses for anti-spam products at four different levels of mail delivery throughout the enterprise just to keep our users from being deluged with useless garbage, the company has spent about $200,000 last year, and will spend about the same amount this year. All because a bunch of asshats want to force our employees to read their idiot advertising, using our network resources to push their message.
That's not free speech, that's theft. And that's never been legal.
I for one... (Score:4, Insightful)
One of the worst Ideas I have ever read on /. (Score:3, Insightful)
This is one of the worst ideas I have ever read. Intentionally introducing a large and unpredictable delay into the receipt of all e-mail.
What's next, a recommendation to cut down on telemarketing by setting your PBX to automatically disconnect 50% of all incoming calls?
Re:Oblig. (Score:3, Insightful)
All I actually wrote was the first paragraph & subject. 30 seconds work.
Re:Temporary Solution (Score:3, Insightful)
Re:Oblig. (Score:3, Insightful)
It fails to account for the fact that spammers use fake FROM-addresses, and stupid &%@! SMTP servers bounce the email to the fake FROM-address. I receive around 10000 bounced spam-emails per day of this type because one spammer somewhere decided to use my domain as a fake FROM-address.
Just discard the email. Don't bounce!
Re:"The only solution..." isn't. (Score:1, Insightful)
Oh and I have the RIAA and MPAA on line 1. They say that if the ISPs are going to be the internet traffic police, they want to talk to them about this BitTorrent thing..
Re:MOD PARENT UP +5 THE FUNNAH (Score:5, Insightful)
The second time, I thought it was "ho-hum".
After hundreds, maybe even thousands, they are just plain lame.
The only good thing about them is that you instantly know that you can skip over them and not miss anything at all.
Re:Oblig. (Score:5, Insightful)
Mail should not be silently discarded (except in the most extreme circumstances). Reject it. Rejecting a mail means that the receiving MTA returns an error code (in the 5xx range) to the sending MTA, so that the sending MTA may bounce (which it won't do if it is a zombie, so no scatterback).
Re:MOD PARENT UP +5 THE FUNNAH (Score:3, Insightful)
The reason is that a lot of people preach some new approach to fighting spam, and in reality there are a finite set of reasons which defeat every single one of these ideas to date. When someone comes up with an approach that passes this form, then we'll have something to talk about. If it can't pass this form, then further discussion isn't really merited since it's not even novel enough to get past the standard set of objections that have so far been raised against and successfully predicted the downfall of every failed anti-spam solution to date.
Ideas that can't pass the form are not worth more effort to respond to than putting an X at the appropriate spots on the form.
SPF... (Score:3, Insightful)
And whats with the anti SPF sentiment? Its not like we've got a lot of more effective alternatives on the market and the only real argument I read is the rejection of real email, when softfail pretty much takes care of that (then leaving it to spamassassin to decide if the mail is legit).
We send an receive a good deal of email and I certainly wish SPF was more common. I'm tired of forged bounces and the *slew* of undeliverable responses 'dumb' servers return to our system every day.
Yet instead of taking any real action we bicker while spammers laugh all the way to the bank. Their is no magic bullet, but from my POV SPF is the closest thing yet (unless my DNS gets hi-jacked, but then I'm fucked anyway).
Re:This is bullshit! (Score:2, Insightful)
The joke is that the 'free speech' bus left years ago.
We don't need to outlaw Unsolicited Commercial Email, or Unsolicited Bulk Email, or do anything to make spam illegal. ALL spam is already illegal, because ALL spam is being sent by illegally hijackjed Windows machines.
Note when I say 'All spam', I actually mean 'All spam still happening on the internet'. There are no 'legitimate' spammers anymore, because they were almost all dropped from the internet five years ago, and the few remaining ones find themselves utterly blocked by everyone in existence. All spam that is actually ending up mailboxes is being sent illegally.
We don't need to fucking argue over what 'rights' people have, taking control of someone else's computer and using it to do anything is a 100% flat-out felony.