Passive Spam Revocation

Passive Spam Revocation (PSR)

Currently almost all mail systems (e.g. Hotmail and Gmail) use a spam filter, which can drop good and important messages.

I propose an optional feature for current mail systems. The main idea is if a message is considered spam, this spam status can be tracked by the sender (but not sent to him directly, as the From field can be faked). The message can be re-marked as "not spam" if the sender can solve a CAPTCHA.

STEP 1: A is going to send B a message. A's mail client generates a random code and puts it in a custom field in the outgoing message's header:
Code: <random code>

STEP 2: A's mail client sends the message, waits 30 seconds, and then visits:
https://spamstatus.<B's mail domain>/?msgid=<Message-ID>&code=<Code>
This page displays one of these possible "spam statuses":
* MESSAGE CONSIDERED SPAM. (A CAPTCHA is also presented below.)
* MESSAGE CONSIDERED NOT SPAM.
* PENDING. PLEASE TRY AGAIN LATER.
* All other responses mean B's mail system doesn't support this feature.

In the first case, A's mail client will report the status and the CAPTCHA to A. A can choose to solve the CAPTCHA to prove the message is not spam.

Like the idea? Here is the official Google group for it:
http://groups.google.com/group/passive-spam-revocation

Regards,
Yao Ziyuan
http://sites.google.com/site/yaoziyuan/
|
|
|
RE: Passive Spam Revocation

Yao Ziyuan wrote:
> Passive Spam Revocation (PSR)

Sounds like a hare-brained idea to me. Too many things would prevent it from working.

Cheers
Graham
|
|
|
Re: Passive Spam Revocation

On Mon, Oct 26, 2009 at 08:27:00AM +0800, Yao Ziyuan wrote:
> Passive Spam Revocation (PSR)
>
> STEP 2: A's mail client sends the message, waits 30 seconds, and then visits:
> https://spamstatus.<B's mail domain>/?msgid=<Message-ID>&code=<Code>
> This page displays one of these possible "spam statuses":
> * MESSAGE CONSIDERED SPAM. (A CAPTCHA is also presented below.)
> * MESSAGE CONSIDERED NOT SPAM.
> * PENDING. PLEASE TRY AGAIN LATER.
> * All other responses mean B's mail system doesn't support this feature.
> In the first case, A's mail client will report the status and the
> CAPTCHA to A. A can choose to solve the CAPTCHA to prove the message
> is not spam.

Immediate and obvious problems:

1. This increases the cost of receiving email.
2. It does not increase the cost to spammers.
3. It is only useful to a tiny minority of good senders, and not to anyone else.
4. Solving a CAPTCHA does not prove the message is not spam.
5. It can be used by spammers as an oracle to determine your particular spam tolerances.

And, finally, even if it didn't have all of those problems, it shouldn't be implemented in qmail. It's plausible that someone might want to implement it for Spam Assassin or a queue plugin.

-dsr-

--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
|
|
|
Re: Passive Spam Revocation

> On Mon, Oct 26, 2009 at 08:27:00AM +0800, Yao Ziyuan wrote:
> > Passive Spam Revocation (PSR)

Dan Ritter wrote:
> Immediate and obvious problems:

I'm not tech-savvy enough to comment but...

> 1. This increases the cost of receiving email.

I would not mind a 10x increase in cost($) if it keeps spam to a tolerable level;

> 2. It does not increase the cost to spammers.

I'd say it does! at least:
- paying for a captcha-solving service;
- keeping track of what was sent during the last 30s (if you send bazillions of spam messages per day);

> 5. It can be used by spammers as an oracle to determine your
> particular spam tolerances.

not a problem (assuming my domain is spam-free);

[]s,
--
Otavio Exel /<\oo/>\ oexel@...
|
|
|
Re: Passive Spam Revocation

On Mon, Oct 26, 2009 at 03:16:26PM -0200, Otavio Exel wrote:
> I would not mind a 10x increase in cost($) if it keeps spam to a
> tolerable level;

I don't know what you do now, but with a 10x increase I'd give a commercial antispam appliance a try.

> > 2. It does not increase the cost to spammers.
> I'd say it does! at least:
> - paying for a captcha-solving service;
> - keeping track of what was sent during the last 30s (if you send
> bazillions of spam messages per day);

With up to and more than 6 million active zombies in today's botnets none of the above is a problem. And how many messages can one zombie send per second? 100? That would be 3000 messages to keep track of by that zombie ... where is the problem?

\Maex
|
|
|
Re: Passive Spam Revocation

>> 1. This increases the cost of receiving email.
>
> I would not mind a 10x increase in cost($) if it keeps spam to a
> tolerable level;
>

The problem is that a) the cost increase isn't just for you, it's for everyone that touches the system in any way, and b) the likely reduction in spam is MUCH lower than the 10x cost increase. I can't say for certain, but given the tiny rate of false positives and fairly low rate of false negatives I have on my well-tuned spam filter (~300-500 msg/day to my combined inboxes) even a 2x cost increase isn't likely to be worth it given how small the impact on my inboxes would be.

>> 2. It does not increase the cost to spammers.
>
> I'd say it does! at least:
> - paying for a captcha-solving service;
> - keeping track of what was sent during the last 30s (if you send
> bazillions of spam messages per day);
>

You seem to be under the impression that the spammers pay for most of their resources. They don't - they use infected botnets and the like and have almost no costs associated with this. And even if they did pay for it, they wouldn't track the messages, they'd just ignore the replies and keep spamming. The majority of people who this would affect are the people who are spending money to send legitimate (or at least semi-legitimate) email, and people who were forwarding stuff to their friends that may or may not have once been spam.

>> 5. It can be used by spammers as an oracle to determine your
>> particular spam tolerances.
>
> not a problem (assuming my domain is spam-free);
>

Incorrect - if they send a spam and it gets flagged, they know you flagged it. If it doesn't, they know you don't. And then they can tune messages to make sure it isn't.

Spam is much more complicated than you think :)

Josh

Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
- Layman's translation of the Laws of Thermodynamics
josh@...
|
|
|
Re: Passive Spam Revocation

On Mon, Oct 26, 2009 at 03:16:26PM -0200, Otavio Exel wrote:
> > On Mon, Oct 26, 2009 at 08:27:00AM +0800, Yao Ziyuan wrote:
> > > Passive Spam Revocation (PSR)
>
> Dan Ritter wrote:
> > Immediate and obvious problems:
>
> I'm not tech-savvy enough to comment but...
>
> > 1. This increases the cost of receiving email.
>
> I would not mind a 10x increase in cost($) if it keeps spam to a
> tolerable level;

It won't. This is NOT a way of increasing the effectiveness of your spam filtering. The amount of spam coming through can only increase.

Consider:

                    Sent
                    Spam    Not-spam
    Thought good     A         B
    Thought bad      C         D

For case A and B, this service does nothing. Spam and not-spam both still get through.

For case C, we have spam that was already being stopped. Now spammers know that it didn't get through -- and you are offering them a chance to push it through anyway!

For case D, we have not-spam which was sorted badly. This service offers these senders a chance to correct that problem.

> > 2. It does not increase the cost to spammers.
>
> I'd say it does! at least:
> - paying for a captcha-solving service;
> - keeping track of what was sent during the last 30s (if you send
> bazillions of spam messages per day);

Spammers don't pay for their computers. They steal time on Windows boxes.

> > 5. It can be used by spammers as an oracle to determine your
> > particular spam tolerances.
>
> not a problem (assuming my domain is spam-free);

You've got that backwards. A spammer can use this service to find out what gets past your spam filters, and then change all their spam to you to get past. So this potentially reduces the usefulness of your filters.

-dsr-

--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
|
|
|
Re: Passive Spam Revocation

On Mon, Oct 26, 2009 at 8:27 AM, Yao Ziyuan <yaoziyuan@...> wrote:
> Passive Spam Revocation (PSR)
>
> Currently almost all mail systems (e.g. Hotmail and Gmail) use a spam
> filter, which can drop good and important messages.
>
> I propose an optional feature for current mail systems. The main idea
> is if a message is considered spam, this spam status can be tracked by
> the sender (but not sent to him directly, as the From field can be
> faked). The message can be re-marked as "not spam" if the sender can
> solve a CAPTCHA.
>
> STEP 1: A is going to send B a message. A's mail client generates a
> random code and puts it in a custom field in the outgoing message's
> header:
> Code: <random code>
> STEP 2: A's mail client sends the message, waits 30 seconds, and then visits:
> https://spamstatus.<B's mail domain>/?msgid=<Message-ID>&code=<Code>
> This page displays one of these possible "spam statuses":
> * MESSAGE CONSIDERED SPAM. (A CAPTCHA is also presented below.)
> * MESSAGE CONSIDERED NOT SPAM.
> * PENDING. PLEASE TRY AGAIN LATER.
> * All other responses mean B's mail system doesn't support this feature.
> In the first case, A's mail client will report the status and the
> CAPTCHA to A. A can choose to solve the CAPTCHA to prove the message
> is not spam.

Showing a message's spam status to the sender can be bad, if he is really a spammer. So the page can also return:

* SPAM STATUS HIDDEN. (A CAPTCHA is also presented below.)

This means the sender can solve the CAPTCHA to see the status and change it to NOT SPAM.

>
> Like the idea? Here is the official Google group for it:
> http://groups.google.com/group/passive-spam-revocation
>
> Regards,
> Yao Ziyuan
> http://sites.google.com/site/yaoziyuan/
>
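
A sketch of the receiver-side status lookup with the SPAM STATUS HIDDEN variant from the message above, added here as an example and not code posted by anyone in the thread. The `StatusService` class, its in-memory store, the `captcha_solved` flag and the sample Message-ID are assumptions; CAPTCHA verification itself is out of scope.

```python
import hmac
import secrets

HIDDEN = "SPAM STATUS HIDDEN."
SPAM = "MESSAGE CONSIDERED SPAM."
NOT_SPAM = "MESSAGE CONSIDERED NOT SPAM."
PENDING = "PENDING. PLEASE TRY AGAIN LATER."


def new_code() -> str:
    """STEP 1: random value the sender's client puts in the 'Code:' header."""
    return secrets.token_urlsafe(16)


class StatusService:
    """Receiver-side lookup for /?msgid=<Message-ID>&code=<Code> (hypothetical)."""

    def __init__(self):
        # Message-ID -> [code from header, verdict]; verdict None = not filtered yet
        self.messages = {}

    def record(self, msgid, code, verdict=None):
        self.messages[msgid] = [code, verdict]

    def lookup(self, msgid, code, captcha_solved=False):
        # Before the CAPTCHA every query gets one fixed answer, so the page
        # reveals neither the verdict nor whether the message was received.
        if not captcha_solved:
            return HIDDEN
        entry = self.messages.get(msgid)
        # An unknown Message-ID or a wrong code looks the same as "pending".
        if entry is None or not hmac.compare_digest(entry[0].encode(), code.encode()):
            return PENDING
        if entry[1] is None:
            return PENDING
        if entry[1] == "spam":
            entry[1] = "not spam"  # revocation after the CAPTCHA
            return SPAM
        return NOT_SPAM


if __name__ == "__main__":
    svc = StatusService()
    code = new_code()  # constructed sample message
    svc.record("<1@a.example>", code, "spam")
    print(svc.lookup("<1@a.example>", code))
    print(svc.lookup("<1@a.example>", code, captcha_solved=True))
    print(svc.lookup("<1@a.example>", code, captcha_solved=True))
```

Whoever passes the CAPTCHA still learns the verdict, which is the case the replies in this thread dispute.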
|
|
|
Re: Passive Spam Revocation