[hashcash] Re: blacklist to Brown list conversion
- From: "Eric S. Johansson" <esj@xxxxxxxxxx>
- To: hashcash@xxxxxxxxxxxxx
- Date: Tue, 16 Jan 2007 19:05:50 -0500
Simon Bohlin wrote:
> Hi!
> The topic is interesting, although I'm sure you could get better answers
> elsewhere.

No, this is the right place. It would've been better if I had
followed my rule number one which is "never write e-mail in the middle
of a firefight". What I should have said was something along the lines
of "I'm looking for ideas on how to use hash cash to ameliorate the
damage caused by blacklists." Specifically, something simple, something
easy to add that wouldn't seem as intimidating as twopenny blue to sites
like BellSouth, AT&T, EarthLink.

> Mis-configured mail servers is a big problem, and might stay so. Leaving
> the software wrongly configured shouldn't be an option.

There are two different classes of misconfiguration. Open relays (which
should be punished) and protocol element labels such as the domain name
in the helo/ehlo sequence (which, as you said below, should not be
punished). Discussion as to why saved for later e-mails if folks want. :-)

> In this case their mail server vendor quite easily could, but didn't,
> supply them with enough incentives to configure the mail server correctly.
> Getting punished (blacklisted) for ignorance without any hint beforehand
> is mean.

Again, hazard of violating rule number one. The problem was that the
company bought a server (hardware and software) dedicated to the
handling of produce shipments (inventory, tracking etc.). It's a great
example of how computers can truly be useful and benefit people as well
as companies. They were e-mailing directly from their mail machine to
the outside world despite the fact that we had reconfigured to send mail
on previous versions and told them they were supposed to go directly.
Makes one want to reach for the baseball bat.

> Let's add hints.
> Suggestions for incentives:
> each outgoing email adds a bottom line, saying: This email was sent
> using (mailserver name)
> --> free advertising, accepted by MSN/Yahoo users so nobody will get
> shocked, and an incentive to look into the configuration.
> When the user does a search for "This email" or other suitable
> substring, they arrive at the setting for "custom bottom line". Next
> step here is to make a guided tour from that setting (which is actually
> a "custom bottom line") to make sure you take care of the other
> settings. The last setting in this tour might be a well-hidden setting
> which gives the choice of "bottom-lines", so you can use the default
> software version text, no bottom line, or the custom bottom line.

I don't believe this suggestion applies and I hope the reasons given
above are sufficient explanation. I apologize for sending you down a
rat hole.
To reiterate, I think one of the things we could do to garner some
support for proof of work postage is to look at possibilities for
front-end changes for blacklists with proof of work puzzles as an
escape. Is this something we could build as an add-on, a front-end
proxy or is it something we would change inside of sendmail, exim, or
postfix. Given the crowd of people here, I think hacking on the MTA is
easier than hacking on the MUA.

> Maybe some of this is useful for twopenny blue, if it comes
> non-configured after a "standard install"?

Brown listing comes standard as do two other pre-filters:
    per address arrival rate limiting
    valid recipient address checking
pre-filtering on multiple gateway machines, post queuing filtering on
single backend machine
post queueing filtering:
    Hash Cash token
    friends list (single address white list)
    generic white list (header match white list)
    Samoan_lawyer (really large file pass (customer request, going away ))
    content filter.

It's amazing. I had never really believed just how much
invalid/dictionary attack e-mail messages were sent to a server but when
I added the valid recipient check, the amount of spam going to the
content filter dropped by at least an order of magnitude.

This is one of those times when I wish I had the ability to display
graphical results of all the filters. But as you can see, there are
something like eight filters with 11 outputs. That would be damn
difficult to graph especially when three or four of the outputs would
dominate and the others barely show up.

To bring it back on topic, a blacklist repair service based on proof of
work systems could be quite useful. Especially if we can make it
something that doesn't have to change the message recipient. For
example, make it a transaction between blacklisted site and blacklist
database. Something like "I have been blacklisted from..., I want to
send one message, how much?" and after they received the price, the
sender can either generate the stamp or throw away the message. After
some threshold or number of times of generating stamps, the stamp price
declines as long as there are no hits reinforcing the pricing level. Or
something like that. Yes, I am a fan boy for dynamic pricing systems
because that lets us get around Moore's law inflation and reward people
for doing good things.
---eric
--
Speech-recognition in use. It makes mistakes, I correct some.
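
The price-quote exchange sketched in the message above ("how much?", then mint a stamp, with the price declining while no new hits arrive), as an added example that is not part of the original post or of any hashcash or twopenny blue code. The stamp layout is hashcash version 1; the `RepairDesk` class, its step-down pricing rule and the sample address are hypothetical.

```python
import hashlib
from itertools import count

def zero_bits(stamp: str) -> int:
    """Leading zero bits of SHA-1(stamp), the hashcash v1 work measure."""
    digest = hashlib.sha1(stamp.encode()).digest()
    return 160 - int.from_bytes(digest, "big").bit_length()

def mint(site: str, bits: int, rand: str, date: str = "070116") -> str:
    """Listed sender: brute-force a counter for a v1 stamp worth `bits`."""
    prefix = f"1:{bits}:{date}:{site}::{rand}:"  # ver:bits:date:resource:ext:rand:
    for n in count():
        if zero_bits(prefix + format(n, "x")) >= bits:
            return prefix + format(n, "x")

class RepairDesk:
    """Hypothetical blacklist-database side; the pricing rule is assumed."""
    def __init__(self, start_bits=12, floor_bits=8, stamps_per_step=2):
        self.start, self.floor, self.step = start_bits, floor_bits, stamps_per_step
        self.price, self.paid, self.spent = {}, {}, set()

    def quote(self, site: str) -> int:
        """Answer 'I want to send one message, how much?' in bits."""
        return self.price.setdefault(site, self.start)

    def redeem(self, site: str, stamp: str) -> bool:
        """Accept one stamp; every `step` accepted stamps lower the price a bit."""
        f = stamp.split(":")
        if len(f) != 7 or f[0] != "1" or f[3] != site or stamp in self.spent:
            return False  # malformed, minted for another site, or replayed
        if zero_bits(stamp) < self.quote(site):
            return False  # not enough work for the current price
        self.spent.add(stamp)  # the date field is carried but not checked here
        self.paid[site] = self.paid.get(site, 0) + 1
        if self.paid[site] % self.step == 0:
            self.price[site] = max(self.floor, self.price[site] - 1)
        return True

    def report_hit(self, site: str) -> None:
        """A new blacklist hit reinforces the price: back to the starting level."""
        self.price[site] = self.start
        self.paid[site] = 0

if __name__ == "__main__":
    desk, site = RepairDesk(), "192.0.2.25"  # constructed example address
    for rand in ("r1", "r2", "r3"):
        bits = desk.quote(site)
        print(bits, desk.redeem(site, mint(site, bits, rand)))
```

The message recipient is never involved: the stamp's resource field names the listed site, and only the blacklist database checks and spends it.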