There's a new spam control feature planned for Outlook 2007 that hasn't received much attention: the math puzzle. When Outlook 2007 tries to submit email to Exchange, Exchange will challenge Outlook with a puzzle, waiting for a correct answer before sending the message. The puzzle is designed to require a significant amount of time to solve -- of the order of half a second.
The functionality will require Exchange 2007, or 2003 with a future service pack, according to Microsoft people we spoke to. (Apparently the functionality is already present in Exchange 2003, but disabled.)
The idea is twofold:
- It will severely throttle the speed of spam-sending malware that tries to use Outlook to send its spam, thus thwarting its ability to flood the Internet with advertisements for fake watches, pirated software, and herbal enlargement products.
- Messages that carry a solved puzzle can be let through receiving spam filters, so that legitimate mail is not rejected as a false positive.
The first point is interesting, but unlikely on its own to make a significant dent in the spam problem. The "botnet" or "zombie army" problem is most prevalent on consumer PCs, sending direct-to-MX via SMTP, not in corporate networks sending via Exchange RPCs.
The second point is intriguing, but it's unclear how this can be made foolproof. For a receiving filter to act on the puzzle, the proof of work has to travel with the message, be bound to that specific message, and be cheap for the receiver to check. The risk is that spammers will find a way to subvert the system, causing their spam to be delivered to users' inboxes. For example, the cost is a fixed half-second or so per message, so a spammer with a botnet of thousands of machines can solve thousands of puzzles in parallel.
This is essentially a hybrid hashcash, such as implemented by the Camram spam control project. Microsoft disclosed that it has a patent on the technology (despite its similarity to hashcash methods), and says it's considering ways to make it more widespread.
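The following is an added illustration, not Microsoft's code and not the Outlook/Exchange puzzle format (which Microsoft has not published). It models the challenge/response described at the top of the post as a hashcash-style proof of work: Exchange's role (`PuzzleServer`) hands out a random 16-byte challenge, Outlook's role (`solve`) brute-forces a counter until SHA-256 over the challenge, the message ID and the counter has a given number of leading zero bits, and the server checks the answer with a single hash and consumes the challenge so it cannot be replayed. The hash function, the leading-zero target, the message-ID binding and every function name are assumptions made for this example; `solutions_per_second` spells out the botnet arithmetic from the paragraph above.

```python
"""Hashcash-style challenge/response puzzle (added example, not the
Outlook/Exchange implementation).  Solving costs ~2**bits hash attempts,
verifying costs one hash, and the per-message cost is fixed, so N
machines solve N puzzles at once."""
import hashlib
import os
import time

DIFFICULTY_BITS = 16  # ~65,536 expected attempts; tune so one solve takes ~0.5 s


def puzzle_digest(challenge: bytes, message_id: str, counter: int) -> bytes:
    """SHA-256 over (challenge, message id, counter).  Binding the message id
    stops a solution minted for one message being reused for another."""
    data = challenge + b"|" + message_id.encode("utf-8") + b"|" + str(counter).encode("ascii")
    return hashlib.sha256(data).digest()


def leading_zero_bits(d: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(d) * 8 - int.from_bytes(d, "big").bit_length()


def solve(challenge: bytes, message_id: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client side (Outlook's role): brute-force a counter until the digest
    has at least `bits` leading zero bits."""
    counter = 0
    while leading_zero_bits(puzzle_digest(challenge, message_id, counter)) < bits:
        counter += 1
    return counter


def verify(challenge: bytes, message_id: str, counter: int, bits: int = DIFFICULTY_BITS) -> bool:
    """Server side: one hash, however hard the puzzle was to solve."""
    return leading_zero_bits(puzzle_digest(challenge, message_id, counter)) >= bits


class PuzzleServer:
    """Exchange's role: issues one-time challenges and consumes them on
    acceptance, so a solved puzzle cannot be replayed for a second message."""

    def __init__(self, bits: int = DIFFICULTY_BITS) -> None:
        self.bits = bits
        self._outstanding = set()  # challenges issued but not yet redeemed

    def issue(self) -> bytes:
        challenge = os.urandom(16)
        self._outstanding.add(challenge)
        return challenge

    def accept(self, challenge: bytes, message_id: str, counter: int) -> bool:
        if challenge not in self._outstanding:
            return False  # never issued, or already used (replay)
        if not verify(challenge, message_id, counter, self.bits):
            return False
        self._outstanding.discard(challenge)
        return True


def solutions_per_second(machines: int, hashes_per_second: float, bits: int) -> float:
    """Expected puzzles solved per second by a pool of machines.  The cost per
    message is fixed, so throughput grows linearly with the pool size."""
    return machines * hashes_per_second / float(2 ** bits)


def time_one_solve(bits: int = DIFFICULTY_BITS) -> float:
    """Wall-clock seconds for a single solve at this difficulty (calibration aid)."""
    server = PuzzleServer(bits)
    challenge = server.issue()
    start = time.perf_counter()
    solve(challenge, "<calibration@example.invalid>", bits)
    return time.perf_counter() - start


if __name__ == "__main__":
    server = PuzzleServer()
    ch = server.issue()
    ctr = solve(ch, "<1@example.invalid>")
    print("accepted:", server.accept(ch, "<1@example.invalid>", ctr))
    print("replay accepted:", server.accept(ch, "<1@example.invalid>", ctr))
    print("one solve took %.3f s" % time_one_solve())
    # A machine doing 2**16 hashes per 0.5 s solves two 16-bit puzzles a second;
    # 10,000 such bots therefore solve about 20,000 a second.
    print("10,000 bots:", solutions_per_second(10_000, 131_072.0, 16), "messages/s")
```

Raising `DIFFICULTY_BITS` by one doubles the sender's work and leaves the receiver's cost at one hash, which is the asymmetry the scheme relies on; `time_one_solve` shows how far the half-second target drifts on faster or slower hardware, which is the same drift that lets a botnet make up in numbers what the puzzle costs in time.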
... Richi Jennings
One Comment
Microsoft (and everyone else) needs to stop wasting time on economic (in this case a “computational tax”) approaches to spam control. All they do is make spammers steal more. If you slow down the bots, spammers will just steal more computers to make a bigger botnet. Microsoft should be putting their energy into securing their operating system and applications instead.
This sounds like a feature dictated directly from Bill Gates after one of his weeks of deep thought in the Cascades. The problem with the computational puzzle approach is that it assumes spammers lack the resources to solve the puzzle. They don’t.
Why not focus on better methods for authenticating sending machines — such as just making use of TLS and then allowing Exchange admins to whitelist based on sender certificates? That would prove far more effective within corporate networks than a puzzle, which sounds like a very effective way of requiring everyone to upgrade Outlook…