Confused why you're here? My name used to be Ben Balbo. I'm now Ben Dechrau (/bɛn dex-raɪ/).

Archive for the 'Hosting' Category


Challenge/Response Email Verification

Challenge/Response email verification (CREV) is a mechanism for reducing the amount of spam you get. It works like this:

  • Alice sends Bob an email,
  • Bob uses a CREV system, and this is the first email he’s received from Alice,
  • The CREV system holds the email and sends an email to Alice asking her to reply or follow a link to verify she is a real person before the email can be released and sent to Bob,
  • Alice replies or follows the link,
  • The CREV system adds Alice to a white-list (so she won’t be asked to verify herself again) and releases the email for delivery to Bob,
  • Bob receives the email.

Compare this with normal email systems:

  • Alice sends Bob an email,
  • Bob receives the email.

Looking at it this way, you might think “Cool! So much less spam! And Alice only has one extra step to allow her email to get through”.

Well, consider my way:

  • Alice sends Bob an email,
  • Bob’s mail server notices this is the first email he’s received from Alice,
  • Bob’s mail server tells Alice’s mail server it’s currently busy, and could the email be sent again in 5 minutes (this is referred to as grey-listing),
  • Alice’s mail server holds onto the email and resends 5 minutes later,
  • Bob’s mail server accepts her email on the second attempt – any subsequent emails from Alice to Bob will be immediately accepted in future,
  • Bob receives the email.

This method doesn’t require any extra work on Alice’s behalf, and when implemented in conjunction with other anti-spam mechanisms (such as checking sending mail servers against black lists, which I didn’t include in my flow because this can also be used with CREV systems) cuts down spam enormously. For example, I got 1 spam email yesterday.

You might argue that CREV systems would cut that down to zero spam, but this is not the case. CREV will only allow emails to a user from a given email address. If you receive a spam that appears to come from a white-listed address, it will still get through. This is more likely than you might expect, as many spam and virus-laden emails are sent through spyware applications that email users in the infected person’s address book, which means they come from someone you know. Neither grey-listing nor CREV systems will stop this type of spam.

So what’s wrong with CREV systems? In my opinion, it’s a poor implementation due to the challenge/response requirement that the sender must take action to ensure the email gets through. Imagine a scenario: you’re at the airport, your flight is about to leave. You have to email a document to a client that you haven’t emailed before, and they require it by close of business that day. You hit send, you shut down your laptop and board for a 16-hour flight, only to get to the end and find the challenge response email. Your email has not been delivered, and the client will not get the document they required until the next business day.

With my implementation, you hit send, you shut down your laptop and board the plane. Your email reaches their server, and they pretend to be busy. Your email is resent automatically by your mail server 5 minutes later. The client gets the document 5 minutes after you sent it. All’s well.

Update

I thought I should explain more about why grey-listing works. In the example above, Bob’s mail server correctly retries to send the email to Alice after the 5 minute period. If Sam the spammer sends Bob (or Alice) an email, his mail server will likely ignore the request to resend in 5 minutes. All Sam wants to do is pump out as many emails as possible before his mail server is black-listed. As the email is never resent, it never gets delivered.
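The grey-listing flow above, sketched as an added example (not code from this blog or from any particular mail server). It assumes the server keys its state on the (client IP, sender, recipient) triplet, as grey-listing implementations commonly do; the class name, addresses and timings are constructed for illustration.

```python
import time

GREYLIST_DELAY = 5 * 60  # seconds; the 5-minute wait described in the post


class Greylist:
    """Hypothetical grey-list keyed on (client IP, sender, recipient)."""

    def __init__(self, delay=GREYLIST_DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock
        self.first_seen = {}    # triplet -> time of first delivery attempt
        self.whitelist = set()  # triplets that have passed grey-listing

    def check(self, client_ip, sender, recipient):
        """Return the (SMTP reply code, text) to give the sending server."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        if triplet in self.whitelist:
            return 250, "OK"
        first = self.first_seen.setdefault(triplet, now)
        if now - first >= self.delay:
            # The sending server queued the message and came back:
            # accept it, and accept this triplet immediately from now on.
            self.whitelist.add(triplet)
            del self.first_seen[triplet]
            return 250, "OK"
        # 4xx is a temporary failure: a compliant server retries later.
        wait = self.delay - (now - first)
        return 451, "Greylisted, please try again in %d seconds" % wait


def simulate():
    """Constructed scenario: Alice's server retries, Sam's mailer does not."""
    t = [0.0]
    gl = Greylist(clock=lambda: t[0])
    alice = ("192.0.2.10", "alice@example.org", "bob@example.net")
    sam = ("198.51.100.7", "sam@example.com", "bob@example.net")
    codes = [gl.check(*alice)[0]]     # first contact: deferred
    codes.append(gl.check(*sam)[0])   # first contact: deferred, never retried
    t[0] = 60
    codes.append(gl.check(*alice)[0])  # retry too early: still deferred
    t[0] = 300
    codes.append(gl.check(*alice)[0])  # retry after 5 minutes: accepted
    t[0] = 400
    codes.append(gl.check(*alice)[0])  # later mail: accepted immediately
    return codes, sam in gl.whitelist
```

A production grey-list would also expire stale `first_seen` entries and old white-list entries, which this sketch leaves out.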

And purely for interest’s sake, here are some other checks my mail servers perform after the grey-listing process before allowing email through:

  • Check the remote mail server communicates using the correct protocol,
  • Check the remote mail server is not black-listed,
  • Check the email address of the sender is valid (this checks that the sender’s mail server will accept email to this address, not just that the address is correctly formed),
  • Check the sender’s computer or gateway is not black-listed,
  • Check email isn’t identified as spam using a Bayesian spam filter.

If these checks pass, the email gets delivered.

Oops

So, I moved my site to another server and forgot to copy that special file that makes the RSS feed and sub-pages work! Doh!

All’s well again in my world…

Are anti-spam lists finally worrying the spammers?

I received an email this morning to the abuse@ address of two of my domains. It quotes Dave Hayes’s article “Becoming what you oppose”, which describes how two blacklists are conducting debatably illegal acts (he names extortion, terrorism, false advertising, and uncompetitive behaviour).

The email emphasises that it was not sent by Dave Hayes, but rather by “concerned net citizens in response to the growing abuse and corruption [of the blacklist organisations]”.

I see two possible explanations here:

  1. The blacklists mentioned really are trying to play power games
  2. The spammers are scared because these lists are so good that their spam isn’t getting through and they’re spreading FUD in order to pressure people to stop using them.

If I have time, I’ll look into this further. If anyone out there knows anything, I’d love to hear about it.

Warning: Domains Australia Pty Ltd

It seems a domain scammer out there has caught the eye of auDA (the Australian domain name administrator).

I’ve received these dodgy letters from Domains Australia Pty Ltd before and ignored them. They send letters to owners of .au domains and offer to register the .net.au equivalent. The letter itself can be confusing and might be assumed to be a renewal notice, but the wording is clear enough not to be able to get the company into trouble with the law.

The thing that has, however, caused concern is that they charge exorbitant amounts for the .net.au: $225. I charge $66 for .net.au domains and even MelbourneIT only charge $140!

And after charging the $225, it seems that some domains don’t even get registered!
The other concern is that Domains Australia Pty Ltd offer a free MP3 player on some of these letters, which also have been reported to not materialise.

New Zealand Domain Registration Ltd, owned by the same guy, have sent out similar letters.

The full email I received:

You are receiving this email because your email address is listed as the registrant contact address for a .au domain name. Please do NOT reply to this email.

auDA has become aware that Domains Australia Pty Ltd is sending letters and/or faxes to some domain name registrants offering to arrange registration of the net.au equivalent of the registrants com.au domain name for $225.

The letter is headed “DOMAIN NAME AVAILABLE” and some versions of it offer a free MP3 player with each registration.

auDA has received numerous complaints which indicate that; 1. despite the net.au name being paid for, it is NOT being registered and 2. registrants are NOT receiving the “free” MP3 player.

Based on the complaints received auDA is concerned that the letters may mislead people into believing that they are renewing their existing com.au domain name when in fact they are purchasing a new net.au name.

Further, consumers should be aware that $225 for a net.au domain name is significantly higher than prices charged by auDA accredited registrars and their resellers.

Domains Australia Pty Ltd is a company controlled by Blair Rafferty, the brother of Chesley Rafferty. It is NOT an auDA accredited registrar nor is it a reseller of an auDA accredited registrar.

auDA has previously successfully taken legal action against Chesley Rafferty and companies controlled by him under the Trade Practices Act.

If you have paid Domains Australia Pty Ltd and the domain name has not been registered or you have not received the “free” MP3 player and you wish to lodge a formal complaint, auDA advises that you immediately contact the Australian Competition and Consumer Commission (ACCC) either by lodging an electronic complaint at http://www.accc.gov.au/ or by faxing it to their Canberra office on (02) 6243 1199. Alternatively you may wish to contact your State based fair trading or consumer affairs office.

A similar mass mail out has also occurred in New Zealand. New Zealand Domain Registration Ltd, owned by Blair Rafferty, was recently exposed on a New Zealand television program Fair Go. To view this video please http://tvnz.co.nz/view/video_popup_windows_skin/816241.

For more information see http://www.auda.org.au.

Quick – we need to backup the Internet!

The US Dept of Homeland Security might be given the responsibility of ensuring the Internet doesn’t break. Or something like that.

This article describes how an overseas attacker could send the US into an economic and security crisis, and that someone needs to be responsible for “restart[ing] and restor[ing] the Internet” [John J. Castellani, president of Business Roundtable].

Gosh – I know some people don’t know how the Internet works, but you’d imagine someone would have given the DHS and John J. Castellani a quick lesson before they made a fool of themselves.

Of course, it’s probably not about security, just about economy – the economy of the Government coffers. People hate stealth taxes, so why not disguise it as “yet another counter-terrorism measure”?

For more opinions on this, check out the Digg thread.