Re: IBM to offer service to bounce unwanted e-mail back to the
On Mar 23, 2005, at 12:37 PM, RSK wrote:
On Tue, Mar 22, 2005 at 10:24:37AM -0800, Andreas Ott wrote:
If this write-up is accurate,
It's not. From the http://www.aunty-spam.com website: IBM Not Spamming Spammers! FairUCE is About Fair Use, Not Abuse! Did you hear? IBM is spamming spammers! It’s all over the Internet, and tongues are a’wagging! Except, it ain’t so. IBM is not spamming spammers. Whether you think that spamming spammers is right or wrong, IBM ain’t doing it, and shame on CNN for getting it so wrong, and making IBM look so irresponsible, and in league with the likes of Lycos’ “Make Love Not Spam” DOSsing Screensaver program, and the notorious Mugu Maurauder bandwidth sucking program. You can’t really blame the folks who read CNN’s horribly wrong piece for spreading the rumour, after all it was quite sensationalist: “Spamming spammers? IBM to offer service to bounce unwanted e-mail back to the computers that sent them. March 22, 2005: 12:22 PM EST NEW YORK (CNN/Money) - IBM unveiled a service Tuesday that sends unwanted e-mails back to the spammers who sent them. The new IBM (Research) service, known as FairUCE, essentially uses a giant database to identify computers that are sending spam. E-mails coming from a computer on the spam database are sent directly back to the computer, not just the e-mail account, that sent them.” Wrong, wrong, wrong. About the only thing which the article got right is that the program is called “FairUCE". FairUCE, according to IBM’s own FairUCE website, readily available for anyone to read (cough…CNN reporters..cough), is a “spam filter that stops spam by verifying sender identity instead of filtering content". Let’s say that again: FairUCE is a spam filter that stops spam by verifying sender identity instead of filtering content. If FairUCE can’t verify sender identity, then it goes into challenge-response mode, sending a challenge email to the sender, to which the sender must reply, to demonstrate that it is not a spambot sending the mail in question, but a real live person. Here is IBM’s explanation of how the FairUCE system works: “Technically, FairUCE tries to find a relationship between the envelope sender’s domain and the IP address of the client delivering the mail, using a series of cached DNS look-ups. For the vast majority of legitimate mail, from AOL to mailing lists to vanity domains, this is a snap. If such a relationship cannot be found, FairUCE attempts to find one by sending a user-customizable challenge/response. This alone catches 80% of UCE and very rarely challenges legitimate mail.” Now, being kind, it’s possible that the good folks at CNN mistook the sending of the challenge for “spamming the spammer".... (Rest at http://www.aunty-spam.com/ibm-not-spamming-spammers-fairuce-is-about- fair-use-not-abuse/) Anne
Anne P. Mitchell, Esq. wrote:
On Mar 23, 2005, at 12:37 PM, RSK wrote:
On Tue, Mar 22, 2005 at 10:24:37AM -0800, Andreas Ott wrote:
If this write-up is accurate,
It's not. From the http://www.aunty-spam.com website:
IBM Not Spamming Spammers! FairUCE is About Fair Use, Not Abuse!
Did you hear? IBM is spamming spammers! It’s all over the Internet, and tongues are a’wagging! Except, it ain’t so. IBM is not spamming spammers.
Whether you think that spamming spammers is right or wrong, IBM ain’t doing it, and shame on CNN for getting it so wrong, and making IBM look so irresponsible, and in league with the likes of Lycos’ “Make Love Not Spam” DOSsing Screensaver program, and the notorious Mugu Maurauder bandwidth sucking program.
You can’t really blame the folks who read CNN’s horribly wrong piece for spreading the rumour, after all it was quite sensationalist:
“Spamming spammers? IBM to offer service to bounce unwanted e-mail back to the computers that sent them. March 22, 2005: 12:22 PM EST
NEW YORK (CNN/Money) - IBM unveiled a service Tuesday that sends unwanted e-mails back to the spammers who sent them.
The new IBM (Research) service, known as FairUCE, essentially uses a giant database to identify computers that are sending spam. E-mails coming from a computer on the spam database are sent directly back to the computer, not just the e-mail account, that sent them.”
Wrong, wrong, wrong.
About the only thing which the article got right is that the program is called “FairUCE". FairUCE, according to IBM’s own FairUCE website, readily available for anyone to read (cough…CNN reporters..cough), is a “spam filter that stops spam by verifying sender identity instead of filtering content".
Let’s say that again: FairUCE is a spam filter that stops spam by verifying sender identity instead of filtering content.
If FairUCE can’t verify sender identity, then it goes into challenge-response mode, sending a challenge email to the sender, to which the sender must reply, to demonstrate that it is not a spambot sending the mail in question, but a real live person.
Here is IBM’s explanation of how the FairUCE system works:
“Technically, FairUCE tries to find a relationship between the envelope sender’s domain and the IP address of the client delivering the mail, using a series of cached DNS look-ups. For the vast majority of legitimate mail, from AOL to mailing lists to vanity domains, this is a snap. If such a relationship cannot be found, FairUCE attempts to find one by sending a user-customizable challenge/response. This alone catches 80% of UCE and very rarely challenges legitimate mail.”
Now, being kind, it’s possible that the good folks at CNN mistook the sending of the challenge for “spamming the spammer"....
(Rest at http://www.aunty-spam.com/ibm-not-spamming-spammers-fairuce-is-about- fair-use-not-abuse/)
Anne
While I wholeheartedly agree with much of the Aunty-Spam article, I also have to note that it appears the original erroneous claim was made by an IBM spokeperson. In the CNN/Money article, the following appears: "IBM has previously offered anti-spam filter technology, but this is the first time the company has developed technology to "send spam back to the spammer," according to IBM spokeswoman Kelli Gail. IBM is not concerned about liability, even in cases where innocent senders might be misidentified as spammers, because all the technology does is bounce back the e-mails, said Gail." That paragraph seems to be the basis for the entire articles claim--and attributes the "sending back to the spammer" idea to IBM. Perhaps we should expand the "Just one more example of why people who are not technically knowledgable should not, you know, report on technology." statement to include technology company's non-technology-literate marketing people;) -- -- -Susan -- Susan Zeigler | Phairos Technologies susan@phairos.com | 515.965.5338 "I'm all in favor of keeping dangerous weapons out of the hands of fools. Let's start with typewriters." -- Frank Lloyd Wright
If FairUCE can't verify sender identity, then it goes into challenge-response mode, sending a challenge email to the sender,
Let me rephrase that more accurately: "...spamming everyone who has been so unfortunate as to have their address forged into a mail message..." Challenges thus issued are unsolicited: the challenged party had aboslutely nothing to do with the inbound mail message. If such a system is used in production, then challenges will, inevitably, be sent in bulk. I trust it's clear that these challenges are email. "unsolicited bulk email", or UBE, is the canonical and only correct definition of [SMTP] spam. So not only does FairUCE ignore a fundamental principle of competent anti-spam defense (e.g. "do not generate still more junk mail traffic at a time when we are drowning in junk mail traffic") it does so by generating outbound spam. How very nice. See, BTW, for some background info: http://www.techzoom.net/paper-mailbomb.asp which discusses similar issues. (Thanks to Bruce Gingery for pointing this out.) Beyond that, as Lycos Europe has already belatedly figured out, attempts to strike back at spammers which presume (as FairUCE naively does) that spammers themselves will not rapidly deploy effective countermeasures are doomed to fail and, in all probability, doomed to abuse innocent third parties. This is why responsible anti-spam techniques do not even *attempt* to fight abuse with abuse. I suggest further discussion be moved to Spam-L (a) before NANOG is overrun with it again and (b) because the most anti-spam experts and other interested parties may primarily be found there, not here -- and extensive discussion of this particular issue is already in progress anyway. ---Rsk
participants (3)
-
Anne P. Mitchell, Esq.
-
Rich Kulawiec
-
Susan Zeigler