Computer Cops
Bouncing - a bad idea in general?

 
cmling
Guest

Posted: Mon Feb 09, 2004 6:33 pm    Post subject: Bouncing - a bad idea in general?

I think that is what the consensus here appears to be? (Then why is it included in MailWasher? I thought it was a nice idea.)

Charley

Ikeb
General, Premium Member
Joined: Apr 20, 2003
Posts: 3565
Location: Ottawa, Ontario, Canada

Posted: Mon Feb 09, 2004 7:54 pm

Dunno what this has to do with FA! .... But as to your question, I suggest it's because it was a good idea to reduce SPAM (back when SPAMers kept their own lists and it paid to keep them clean).

Times are different now but FireTrust seems to be doing the ostrich thing, perhaps because this was the "flagship" feature of MW in the past.

Hopefully someone from FireTrust will give us the official reason they still promote it as a SPAM reduction strategy ....

_________________
I like SPAM ... on my sandwich!

stan_qaz
General, Premium Member
Joined: Mar 31, 2003
Posts: 4119
Location: USA

Posted: Mon Feb 09, 2004 11:25 pm

Marketing != Reality

Maybe quietly downplaying it a bit more in each new release would be a good way to go.

Even better would be an automated reply message that the user could configure to say whatever they wanted.

AbdLomax
Private
Joined: Mar 10, 2004
Posts: 35
Location: USA

Posted: Tue Mar 16, 2004 11:03 am

I've written elsewhere about this, but bouncing a la original Mailwasher is a pretty bad idea. A few percent of the spam I receive is now bounces from mails I did not send, and many of these bounces are essentially misinformation.

I agree that a user-configurable autoreply is an excellent idea, I'd probably use it, but the default should be no bounce at all; autoreply would be one option among what happens when mail is processed. In fact, there should be more than one possible autoreply. Basically, if something is clearly spam, it is a waste of resources to reply in any form. But if there is a remote possibility that the mail was legitimate, a notification is appropriate. If this can be automated, it becomes much safer to conceal mail for automatic processing.

The real bad idea, and I haven't seen much written on this, is automatic blacklisting. Mailwasher was (is?) configured to automatically add SpamCop-tagged mail to the local blacklist. Very bad idea. First of all, it catches very little spam. Maybe 1% of my spam, when I had such a local blacklist running, was tagged by the blacklist. IP-tagged mail (i.e., SpamCop) has a record of tagging a small percentage of legitimate mail, typically an AOL user whose server was temporarily on the SpamCop list. With autoblacklisting, that user would get added to my local blacklist. Not good. When I killed my huge blacklist it had almost no effect on spam identification.

Here is what I consider a proper use for a local blacklist: I set a spamtrap address on my web site. Mail to that address is nearly certain to be from a spammer. So mail to that address gets the sender added to my local blacklist, and possibly other things get done with it automatically (such as reporting it as spam). However, what if the From address was spoofed? I would definitely want a message to automatically go to the From address with instructions as to how to get removed from the blacklist -- and apologies for the trouble.

_________________
Abd ul-Rahman Lomax

Ikeb
General, Premium Member
Joined: Apr 20, 2003
Posts: 3565
Location: Ottawa, Ontario, Canada

Posted: Tue Mar 16, 2004 11:48 am

AbdLomax wrote:
However, what if the From address was spoofed? I would definitely want a message to automatically go to the From address with instructions as to how to get removed from the blacklist -- and apologies for the trouble.

Yup that's the rub alright. Forged addresses are particularly troublesome. Sure you could send an apologetic letter but the next SPAM from the same SPAMer has a new forged address. So there you are sending apologies to all those innocent saps who, unbeknownst to them, had their address forged. Meanwhile, you have no effective anti-SPAM measure in place since the next address will seldom be the same one. :(

_________________
I like SPAM ... on my sandwich!

AbdLomax
Private
Joined: Mar 10, 2004
Posts: 35
Location: USA

Posted: Tue Mar 16, 2004 2:59 pm

It was written:
"Sure you could send an apologetic letter but the next SPAM from the same SPAMer has a new forged address."

I think the proposed process has not been completely understood. No wonder, when I read the response, my own first reaction was, "Right, that would be useless."

Let me restate the conditions under consideration here. I would set a spamtrap on our web site, a visible address that has some warning text near it saying "DON'T send mail to ." This would be picked up by the bots that search for email addresses, and spam would be sent to it. That spam could be autodeleted, no problem. However, I'm monitoring at least five different addresses, several of which are quite public. I've noticed that a new spam often goes to all the addresses, with the same From header. I'm assuming that much of the spam I get to one of the spamtrap addresses would similarly be accompanied by spam to the real addresses found on the same web page. So I'd like to automatically add to a local, short-lived blacklist the source of mail to a spamtrap address. This is easy to do in Mailwasher. But because of spoofing, it is quite possible -- if rare -- that the address added would be of a legitimate mailer being spoofed. So I want a warning to go out.

"So there you are sending apologies to all those innocent saps who, unbeknownst to them, had their address forged."

I already get tons of those every day. Now, address forgery is, in the U.S., a federal crime with rather serious penalties. Since spammers do want to sell something, usually, there are ways that spammers who forge from addresses could be prosecuted. It is a more serious crime than that of merely sending unsolicited mail. This may not be very practical at the moment, but is very much a part of what could be done in the future.

"Meanwhile, you have no effective anti-SPAM measure in place since the next address will seldom be the same one."

Hmm.... it depends on whether or not spammers send blocks of mail using the same From header. If they do, the scheme I described would block more spam than it creates. (It creates spam by creating another address that spammers can find and send mail to; however, the spam is trivial to identify, so it would not create a burden for me as a user. The question is whether or not it would catch some additional spam.) However, a better use for a spamtrap would be fast reporting. There is one case where auto-reporting of spam might make sense: mail to a spamtrap address. I think this is already being done to some extent, but any of us with a public web site could set up a spamtrap address. If it met certain standards, it would be quite appropriate to allow mail to the trap to be autoreported.

If such autoreporting were set up at the server level, now *there* would be a fast spam detector. Remember, the faster spam can be detected and confirmed, the fewer people need to see it.

With the First Alert system, this would be particularly effective because it would provide fresh meat for the content analysis and tagging machine.

This is how it could work. I can set on my mail server that mail to a particular address will be autoforwarded to anywhere. So a spam address would be set up. Send spam to this address to have it automatically analysed and added to the spam database. Of course, how spammers might attempt to gum up the system would need to be considered; so some kind of confirmation would still be needed. But the initial reporting would be fast, it could be a matter of seconds from the first spam message going out. Then the mail would go into queue for administrative review. If in the meantime a report from a validated user who has looked at the mail coming in arrives, and the content matches what has just been autoreported from a spamtrap, that would be sufficient to add the mail to the database. At that point one would have a presumptive sign of spam (mail to a spamtrap) plus a human verification that the spam content was not innocent. In order to defeat this system, the spammer would have to grab some legitimate mail and send it to the spamtrap (not difficult, though it involves identifying the spamtrap as such, i.e., it involves a human looking at that web page) *and* have set up a user who has been validated in order to report the spam. Getting a user validated would involve time *and* money. So it would cost the spammer to attempt to gum up the system. If the First Alert system is such that damage from false positives is limited (which could be done if warning messages are sent), then the cost to spammers would exceed the cost to the rest of us. Not a situation they will like.

_________________
Abd ul-Rahman Lomax
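
Added example, not part of any post in this thread and not First Alert or MailWasher code: a minimal Python sketch of the two-signal confirmation described in the post above, where a spamtrap hit alone stays in the review queue and only a matching report from a validated user confirms it. The class and function names, the sample messages, and the use of an exact hash of the whitespace-normalized body as the "content matches" test are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample messages (not taken from the thread).
SPAM = "Cheap pills!!!\nVisit http://pills.example/ today"
LEGIT = "Hi, please find the invoice for your March order attached."

def fingerprint(body):
    """Hash the body after collapsing whitespace and case, so re-wrapped copies match."""
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

class SpamConfirmationQueue:
    """Two signals are required: a spamtrap hit and a validated user's report."""

    def __init__(self, validated_users):
        self.validated_users = set(validated_users)
        self.trap_hits = {}       # fingerprint -> time first seen at the trap
        self.reporters = {}       # fingerprint -> validated users who reported it
        self.confirmed = set()    # fingerprints accepted into the spam database

    def trap_hit(self, body, now):
        fp = fingerprint(body)
        self.trap_hits.setdefault(fp, now)    # fast, automatic first report
        return self._evaluate(fp)

    def user_report(self, user, body):
        if user not in self.validated_users:
            return "ignored"                  # unvalidated reports carry no weight
        fp = fingerprint(body)
        self.reporters.setdefault(fp, set()).add(user)
        return self._evaluate(fp)

    def _evaluate(self, fp):
        if fp in self.trap_hits and self.reporters.get(fp):
            self.confirmed.add(fp)
        return "confirmed" if fp in self.confirmed else "pending"

    def awaiting_review(self):
        """Trap hits no human has confirmed yet: the administrative review queue."""
        return [fp for fp in self.trap_hits if fp not in self.confirmed]

def demo():
    q = SpamConfirmationQueue(validated_users={"alice"})
    return [
        q.trap_hit(SPAM, now=0),                           # trap alone: pending
        q.user_report("mallory", SPAM),                    # not validated: ignored
        q.user_report("alice", SPAM.replace("\n", "  ")),  # both signals: confirmed
        q.trap_hit(LEGIT, now=5),                          # poisoning attempt: pending
        len(q.awaiting_review()),                          # only LEGIT awaits review
    ]

if __name__ == "__main__":
    print(demo())
```

Legitimate mail pushed into the trap never reaches the database on its own; it waits in the review queue until a validated reporter submits the same content.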

Pancake
Sergeant
Joined: May 15, 2003
Posts: 98
Location: Australia/Kangaroo Trainer

Posted: Tue Mar 16, 2004 8:51 pm

There is always the option to turn it off should the user so desire.

AbdLomax
Private
Joined: Mar 10, 2004
Posts: 35
Location: USA

Posted: Tue Mar 16, 2004 10:11 pm

wrote:
There is always the option to turn it off should the user so desire.


Of course it can be turned off. But if it is a bad idea, it shouldn't be the default. In the SpamCop community, I found that Mailwasher had a bad name because of all the bounces it generates. The kind of bounces that Mailwasher now creates, which are phony mail system messages designed to make the recipient think that the addressee of the original mail is non-existent, do little or no good, and, arguably, do harm. *Most* such bounces are now going to non-existent or spoofed addresses.

What would sometimes be useful is a user-configurable bounce that notifies the sender that their mail has been rejected. The old theory that you should never let a spammer know that your address is valid is probably no longer of much use, at least not for those of us who have public email addresses. But such bounces would never be routine. Rather they would be used in some cases where the identification of mail as spam was less than completely certain.

If you have a private address, maybe silence is golden. Bounces won't necessarily deter a spammer anyway. They don't have the time to review the 300,000 bounces that came back from their last mailing, and the address to which the bounces are going, if it was ever the real sender, has been shut down. It's much easier, I'm sure, to just pass on the list, uncleaned, to the next spammer. And if the address was *not* the real sender, why are we inflicting pain on the poor spoofed sender or adding to the mail system burden? That's why the SpamCop people seemed to be highly prejudiced against Mailwasher.

I've completely turned off Mailwasher bouncing. What I used to do was to bounce and add to my blacklist all SpamCop tagged mail. Then I realized that this was both dangerous and unnecessary, since I was seeing almost no mail tagged from my local blacklist, which had grown to a huge file. Spammers are now constantly changing their Send addresses, so Send blacklists have become, not useless, but no longer useful for detecting the bulk of spam. Given that SpamCop has a small but unavoidable -- from their technique -- false positive rate, adding mail to the blacklist from SpamCop *was* causing us to lose some customer mail. A false SpamCop tag is transient, but if the sender has been added to the blacklist, it becomes long-term. And the sender has not been warned....

MailWasher is quite powerful as a spam-fighting tool, but it is easy to configure it in less-than-optimal ways, and, in my opinion, the default settings were in the past less than optimal and risked the loss of legitimate mail. I haven't looked lately at the new default settings....

_________________
Abd ul-Rahman Lomax
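
Added example, not part of any post in this thread and not MailWasher code: a Python sketch of the short-lived, spamtrap-fed local blacklist proposed earlier in the thread, as opposed to the long-term auto-blacklisting described in the post above. Entries expire on their own, only mail to a trap address creates one, and each new listing queues a single removal-instructions notice. The class name, the addresses and the seven-day lifetime are assumptions; the posts only say "short-lived".

```python
TTL_SECONDS = 7 * 24 * 3600   # assumed lifetime; the thread gives no figure

class ExpiringBlacklist:
    """Local sender blacklist fed only by spamtrap mail, with automatic expiry."""

    def __init__(self, trap_addresses, ttl=TTL_SECONDS):
        self.trap_addresses = {a.lower() for a in trap_addresses}
        self.ttl = ttl
        self.expires = {}    # sender -> time at which the listing lapses
        self.notices = []    # senders owed one removal-instructions notice

    def observe(self, sender, recipient, now):
        """Record one incoming message; returns True if it listed the sender."""
        sender = sender.lower()
        if recipient.lower() not in self.trap_addresses:
            return False                     # mail to real addresses never lists
        if not self.is_blocked(sender, now):
            self.notices.append(sender)      # one notice per listing, not per mail
        self.expires[sender] = now + self.ttl
        return True

    def is_blocked(self, sender, now):
        sender = sender.lower()
        expiry = self.expires.get(sender)
        if expiry is None:
            return False
        if now >= expiry:
            del self.expires[sender]         # a spoofed sender recovers unaided
            return False
        return True

def demo():
    # Constructed addresses and timestamps (seconds), for illustration only.
    bl = ExpiringBlacklist({"trap@example.org"}, ttl=100)
    bl.observe("bulk@example.com", "trap@example.org", now=0)
    bl.observe("Bulk@example.com", "trap@example.org", now=10)
    bl.observe("customer@example.net", "sales@example.org", now=10)
    return (
        bl.is_blocked("bulk@example.com", now=50),       # listed via the trap
        bl.is_blocked("customer@example.net", now=50),   # never listed
        bl.notices,                                      # a single notice queued
        bl.is_blocked("bulk@example.com", now=110),      # listing has lapsed
    )

if __name__ == "__main__":
    print(demo())
```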

stan_qaz
General, Premium Member
Joined: Mar 31, 2003
Posts: 4119
Location: USA

Posted: Tue Mar 16, 2004 11:39 pm

AbdLomax, there has been a bunch of bouncing discussion in these forums, you might want to look it over and see if you like any of the other suggestions that have come up. Your user configurable message seems to be one of the most popular ones but making sure the address isn't forged is a real problem otherwise we are just beating up on the poor sucker that got joe jobbed. Check out the discussion of mailblocks (?) on the spamcop groups for a bad implementation.

Ikeb
General, Premium Member
Joined: Apr 20, 2003
Posts: 3565
Location: Ottawa, Ontario, Canada

Posted: Wed Mar 17, 2004 1:59 am

Yes! I second that request! Abd, your assessment of the bounce discussions to date would be most welcome and appreciated.
_________________
I like SPAM ... on my sandwich!

AbdLomax
Private
Joined: Mar 10, 2004
Posts: 35
Location: USA

Posted: Wed Mar 17, 2004 7:52 pm

Ikeb wrote:
Yes! I second that request! Abd, your assessment of the bounce discussions to date would be most welcome and appreciated.


Thanks. I've looked around. What is missing is some kind of response from Firetrust. Nowhere has there been any acknowledgement of the dimensions of the problem from Firetrust, not here (where it is not expected, necessarily), not on the official forum.

From the current Firetrust site, in the info page on Mailwasher:
"MailWasher® Pro is the answer to your time wasting junk mail problems, as well as letting you preview and delete your email before it gets to your computer, MailWasher Pro also lets you bounce email back to the spammers so it looks as though your address is not valid. Watch how quickly this gets you off mailing lists!"

To repeat what is wrong with this:
(1) Bouncing mail with forged or spoofed headers -- this is what MW does -- to make the bounce appear to come from the mail server may be illegal in the United States. Further, some ISPs forbid it, so a user who starts using Mailwasher to autobounce spam might get shut down.
(2) Bounces are quite likely ineffective in reducing spam. Some users may have seen reductions in spam, but given present spammer practice, this is unlikely to have been caused by the bounces. There is a famous case which showed that traffic to a certain non-existent address continued to balloon even though the mail was being bounced.
(3) Because most spam appears to be from spoofed addresses, bounces could not be reducing that spam, plus they create additional traffic, some of which goes to live addresses. About five percent of the garbage mail I get consists of such bounces, typically going to [non-existent-user]@[mydomain].com, or to one of our real addresses.
(4) Bouncing spam is now widely condemned in the anti-spam community.
(5) I used to bounce. I stopped perhaps six months ago. I have seen, if anything, a slight decrease in spam since I stopped bouncing. Not an increase.
(6) If you really want to fight spam, report mail via SpamCop. They could make it easier, to be sure. But SpamCop hits spammers where it hurts, at the ISP. Bouncing does nothing except irritate everyone -- except the spammers, who don't care. They don't see the bounces.

That marketing comment by Firetrust is false advertising. It should be stopped. If it is not stopped, I'll have to assume something I'm reluctant to assume: Firetrust is in this for the short-term, and they know that many users will fall for the argument. In the long-term, it will backfire, but if the company has been sold in the meantime, who cares?

There is little knowledgeable user comment here in support of MW-style bouncing. They should be listening! If they are listening, they should let us know!

Ikeb
General, Premium Member
Joined: Apr 20, 2003
Posts: 3565
Location: Ottawa, Ontario, Canada

Posted: Wed Mar 17, 2004 11:39 pm

Hear! Hear!

BTW, please, more details regarding:
Quote:
There is a famous case which showed that traffic to a certain non-existent address continued to balloon even though the mail was being bounced.

_________________
I like SPAM ... on my sandwich!

rusticdog
Site Moderator, Premium Member
Joined: Aug 12, 2002
Posts: 2587
Location: New_Zealand

Posted: Thu Mar 18, 2004 6:49 pm

Quote:
They should be listening! If they are listening, they should let us know!


Hi all

This is a forum for FirstAlert!, and therefore not the medium for these discussions.
I would however encourage you to direct your enquiries to the appropriate people who can be found here http://www.firetrust.com/contact/

Cheers
RD

All times are GMT - 5 Hours