Last time, I talked about what I call “sender passive” anti-spam techniques, where the sender doesn’t have to do anything special outside the SMTP protocol to get messages through. These techniques are OK, except for one major problem: because the sender doesn’t have to do anything, it’s no skin off the spammer’s nose if his message is blocked (or not).
Today I’m going to talk about what I call “sender active” anti-spam techniques, where the sender has to do something in addition to the normal SMTP stuff to get a message through. These kinds of techniques can be quite effective, but they’re not all that common these days. I’ll explain why later.
Sender-ID
Sender-ID is a Microsoft technology that basically tries to “authenticate” a sender via records in the DNS. The concept is quite simple. When someone connects to your SMTP server to send you email, you look at the domain specified in the MAIL FROM command. You do a simple DNS query to see if the IP of the connecting client is listed in the MX record for that domain name, indicating it’s the actual “mail exchanger”, or alternatively if the IP is listed in a special TXT record, indicating it is a designated “mailer” for that domain. If the IP is not in the DNS records for the domain, you don’t let the mail through.
Now, the reason Microsoft is interested in something like Sender-ID is that it means people can’t pretend to be sending mail from “@hotmail.com” if they’re not actually a Hotmail server. But it also means that botnets become unworkable – because you can’t list the IP address of every computer in your botnet in your domain (since, apart from the performance problems of having 10,000 TXT records, you’ve also given the authorities a wonderful list of all your infected computers!)
While I personally think Sender-ID was a good idea, it never really took off. It suffered a bit from confusing licence agreements, along with (possibly) more general “this is Microsoft, so it can’t be good” feelings.
Another problem with Sender-ID is that it needs to reach “critical mass” before it becomes effective. Until everyone uses Sender-ID, it can only be used as a “spam indicator” – meaning you give a mail that failed the Sender-ID check a higher “spam score” than one that passes. You’ll still need to do other spam filtering, and you’ll still possibly have to accept mails that fail Sender-ID.
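The receiver-side check and the “spam indicator” scoring described above, as an added example (not code from the original post or from Microsoft). It assumes the `spf2.0/mfrom` TXT record syntax of RFC 4406, evaluates only the `ip4`, `mx` and `all` mechanisms, and uses a constructed in-memory zone and hypothetical score weights in place of live DNS lookups.

```python
import ipaddress

# Constructed DNS data (documentation-range addresses) standing in for real lookups.
ZONE = {
    "example.com": {
        "MX": ["mail.example.com"],
        "TXT": ["spf2.0/mfrom ip4:198.51.100.0/28 mx -all"],
    },
    "mail.example.com": {"A": ["192.0.2.10"]},
    "norecord.example": {"MX": ["mx.norecord.example"]},
}

def lookup(zone, name, rtype):
    """Return the records of one type for a name, or [] if there are none."""
    return zone.get(name.lower(), {}).get(rtype, [])

def sender_id_check(client_ip, mail_from, zone=ZONE):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.rsplit("@", 1)[-1].strip("<>").lower()
    records = [t for t in lookup(zone, domain, "TXT")
               if t.split()[0].lower().startswith("spf2.0/")
               and "mfrom" in t.split()[0].lower()]
    if len(records) != 1:
        return "none"  # no policy published (or an ambiguous one): nothing to judge
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "mx":
            # The client must be one of the domain's own mail exchangers.
            matched = any(client_ip in lookup(zone, host, "A")
                          for host in lookup(zone, domain, "MX"))
        elif mech == "all":
            matched = True
        else:
            continue  # mechanisms not handled here (a, include, ip6) are ignored
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def spam_score_delta(result):
    """Hypothetical weights: a failure raises the score instead of rejecting outright."""
    return {"pass": -1.0, "fail": 3.0, "softfail": 1.5}.get(result, 0.0)
```

A domain that publishes no record yields `none` and a score change of zero, which is why the check cannot reject mail on its own until adoption is widespread.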
“Click here if you are human”
I’ve not seen this one much, and I don’t know the “official” name of the method. But basically the way this one works is, the first time you send a mail to someone, their email server queues up the message and sends you an immediate reply. The reply message will have text like “in order to verify that you are a human, please click this link” or perhaps “please reply with the words ‘I am human’ in the subject.” Subsequent emails (once you’ve “passed” the test) don’t do this.
This one is very effective at picking the humans from the mass-mailers. But again, it has some problems.
First of all, it’s quite annoying to send someone an email only to get an immediate “please verify yourself” response. But I guess it only happens once...
Secondly, you also immediately lose out on any legitimate mass emails that you might want (unless you “pre-whitelist” the sender). Some people might see this as a feature, though.
And finally, if this ever did become popular, spammers would quickly learn what actions they need to perform in order to “verify” their humanity. For example, if the message was a “click here” they have to simulate clicking the link. If it was a “reply to me” they just need to send a new message. This would make it hard for the spammer to run a botnet, of course (because where do the replies go to? Generally a botnet spam’s return address is a black hole.)
Conclusion
I’ve only listed two methods here because there really aren’t all that many “sender active” anti-spam techniques in wide use today. I think that’s a shame, because these are in fact some of the most effective anti-spam techniques available – not only because they effectively block spam, but also because the actual work required by the receiver is fairly minimal.
But at the end of the day, even sender active anti-spam is really only effective because of its relative obscurity. For a “final” solution, you need something that will withstand being ubiquitous. It’s no good having a 100% (or even 95%) effective anti-spam method if it’s only effective because the spammers can ignore it – if it really is that good, you expect more and more people to use it over time, thus bringing it to the attention of the spammers!
Next time, I’m going to get into some of the “requirements” I believe a “complete” or “holistic” solution to spam should have.