Have any of you run into this? >From http://zacharyozer.blogspot.com/ Tuesday, October 14, 2008 Biggest. Spam Scam. Ever. A few years ago, MIT purchased an anti-spam solution from Barracuda, a firm specializing in network security products.
I just received an email on one of The Tech's mailing lists about how email from The Tech's mail server are being rejected by the Barracuda Spam Filters. I've edited the message, but goes something like this: -------- Forwarded Message -------- From: Mail Delivery System <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Mail delivery failed: returning message to sender Date: Mon, 1 Jan 2008 00:00:00 -0000 This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: [EMAIL PROTECTED] SMTP error from remote mail server after RCPT TO:<[EMAIL PROTECTED]>: host W92-130-BARRACUDA-3.mit.edu [18.7.21.224]: 554 Service unavailable; Client host [18.187.1.1] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=18.187.1.1 Following the link, you're taken to a page where you're asked to fill out a form (which includes a CAPTCHA) in order to verify that you're not spamming people. Were this where things had ended, I would have forgotten this whole thing. While I don't necessarily think requiring people to fill out a quick form is the best way to fight spam, its certainly not completely unreasonable to ask them to do it once in a while. Extra kudos if they can use some sort of certificate, signature, etc to bypass it. However, what follows is one of the most perverted uses of technology and diabolically brilliant business plans I have ever witnessed. Lets assume you'd like to avoid being caught by this spam filter in the future. Barracuda allows you to register with EmailReg.org, an 'organization' which maintains a list of domains and the IP address of their associated mail server. To sweeten the pot, they allow anyone to query their database for free in order verify the authenticity of an email. Many of you are scratching your heads, so let me provide an example. Lets say that you run Google.com. You register with EmailReg.org and tell them, 'Any email that comes from google.com will have to come from one of our SMTP servers. Their IP addresses are 1.2.3.4 and 9.8.7.6'. This means that an email which claims to be from [EMAIL PROTECTED] that didn't come from those IP address probably isn't actually from someone who works at Google and can probably be marked as spam. (Note that identity verification is a big part of spam protection, since spammers often pretend to be someone else, in an attempt to hide how much mail they're sending.) What a great idea right? Spam protection that works and is transparent to users? Until you realize that they charge $20 to register your domain. Per year. Effectively, this means that you have to pay $20 per year to send email to people on domains that use this service to verify email authenticity. This wouldn't be that big of a deal if EmailReg was the definitive source for this information, or if they had some new and brilliant technology, or if there weren't any other good solutions. Instead, EmailReg is nobody, their product is a whitelist (albeit with two parameters – domain and IP), and there are a hundred other, perfectly viable anti-spam techniques. Somehow, they've managed to get a major corporation (Baracuda) on board and they're now gouging people to send e-mail – something which is supposed to be free. I salute the businessman who came up with this idea and the salesman who got Barracuda on board. Beyond that, I'm furious. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
