Yahoo and Unilateral Anti-Spam Technology? 397
EatenByAGrue asks: "According to this Business Week article, Yahoo is planning on distributing a toolkit for Sendmail and other mail daemons that adds an encrypted source domain key to email headers to verify where they came from. However, critics are concerned that the scheme will be easily bypassed and that it ignores standards bodies. What does the Slashdot community (representing countless email admins, I'm sure) think of this proposal? On one hand, its a commercial enterprise dictating standard technology, on the other hand, the standards bodies have proven themselves helpless and hopeless when it comes to providing solutions."
police will be happy (Score:5, Insightful)
Re:police will be happy (Score:4, Interesting)
Missing the big picture (Score:5, Insightful)
But let me show the fallicy of yahoo's actions.
Yahoos step 1 is to reject forged headers. Forged headers was just made illegal by the Bush administration IIRC. I completely approve.
Yahoos step 2 is to force a signature on every email by the server. Interestingly, Step 2 removes the need for step 1 and makes you wonder if step 2 is their real desire. Note that a solid step 1 also removes the need for step 2, given that open relays are shut down.
This is where I disapprove.
This proposes the same problem as DRM. Who controls which signatures are accepted? Once again we are right back with Verisign, et al. So unless your server has a PURCHASED KEY from verisign, or the like, your server won't be sending email to yahoo or any of the ISPs that adopt this.
I promise they won't be suggesting PGP either And so the spiral begins. Yahoo sells the rights to the certificates it will accept on a yearly basis. Verisign subsells this right in the form of the infamous certificate chain.
So what if the code is free, the certificates are not!
Re:police will be happy (Score:3, Insightful)
This isn't really about tracking/tracing. It's about authentication and verification. If you are accused of doing something illegal via. email (which you didn't), this will be a VERY handy tool in your defense.
I could only see it being tracable if enormous quantities of mail were being sent, in which case, you would either
a) Not care about privacy. It's hard to be private with 10,000 recipients
b) Be doing something illegal. Yes. Mr. S
Re:police will be happy (Score:4, Interesting)
If you are accused of doing something illegal via. email (which you didn't), this will be a VERY handy tool in your defense.
Why should I have to prove I didn't do something? Surely it is up to the police/law enforcement to prove I did do something?
I want to cyrptographically hide the contents of my emails and obfuscate their origins as much as the next guy, and I want to call that privacy while I do it. Nobody in the world is going to make me write in plaintext on a postcard and hand it to the mail man as he passes my door every day, neither will they make me do the same with email. I may or may not have something incriminating in my e/mails, but until I am under suspicion of something illegal I want my privacy, and even then, I want properly mandated, legally and socially approved bodies with responsibilities to myself and the rest of the community to be monitored and restrained in their work.
Handing control of privacy to those who care little for it is itself caring nothing for it.
Re:police will be happy (Score:4, Insightful)
And this proposal does not kill your ability to mail anonymously. What it does is allow server admins to decide to not accept mail that is anonymously mailed.
You have no intrinsic right to expect that your mail recipient will ever read your email, anonymously sent or not.
Re:police will be happy (Score:3, Insightful)
Because, unless you hadn't noticed, in this day and age its heading closer and closer to the situation where everyone is presumed guily until proven innocent.
Far better to insure yourself just in case you get in a sticky situation than sit back and "hope" that justice prevails - because time and time again we've seen that it doesn't work out quite that way.
Exactly (Score:4, Insightful)
The price of spam doesn't come anywhere near the value of privacy and freedom of speech. I happen to like the idea that should a need arise I can easily send an untrackable e-mail. I'm sure plenty of people in more intrusive countries already enjoy this ability.
Click on the link in my sig for my method of dealing with spam which is highly effective that doesn't destroy the privacy of the sender or cost money.
Ben
Filter bounced mail (Score:3, Interesting)
Instead of freaking out, take the time to actually look at bounced messages and find tells so you can filter them out. Those 100% unqiue tells are there.
"I'll never see the bounce."
You will if you allow the tells your mailserver uses to pass through. Or give it a unique bounce message that gets past your filter.
Trackable e-mail requires that everyone
Someone has to step forward (Score:5, Interesting)
Whether it is this technology, or another, something has got to be done. I'll implement this and hope that other admins do the same.
-sirket
Signed Email (Score:5, Interesting)
(A) Signed email signs not just the message headers, but also the message body. No chance of header substitution.
(B) Signed email associates signatures with some certificate chain and, presumably, a CRL (Certificate Revocation List). Abuses can lead to certificates being revoked.
(C) Because of the certificate chain, there is a chain of trust. There is always SOMEONE to sue!
(D) It is a simple measure to simply throw out any email that is not signed.
(E) Because of esign legislation, signed emails can be considered legally binding. In other words, lies, misrepresentations, libel, etc... in signed emails provides you with grounds for prosecution in courts of law - as if the signer wrote you the document and signed his name at the bottom (and yes, they can also be used for legally binding contracts and whatnot).
There is an issue with "Crossing the chasm" with signed email, of course. It would require a body such as AOL and/or Yahoo rising up and providing signature filters on incoming email to force such a solution into the mainstream. But once this is done, SPAM will practically dissappear. And any SPAM that comes in through signed channels can be dealt with in a satisfactory way.
I do not believe this harms any of us, btw...
You want privacy? The same techniques that allow you to sign email also allows you to encrypt email to your destination.
Worried about anonymity? Certificates can be issued that authenticate an email address without full disclosure of the owner of that address (but this may not be satisfactory for stopping abuses). Anonymity and stopping SPAM may, unfortunately, be mutually exclusive goals.... Any thoughts?
Re:Signed Email (Score:5, Insightful)
B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users.
C. Someone to sue...only in the US is that an attractive feature.
D. Sure, but most users are unlikely to get savvy enough to understand the distinction. The proposed scheme takes that decision out of the user's hand.
E. Sure, for that
My take is that this is a problem that is hard enough to address even partially---adding the burden of a massive worldwide PKI deployment would make it impossible. Verisign or Thawte would love it.
Re:Signed Email (Score:3, Informative)
Let's talk about this. Interesting subject.
B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users.
CRLs as currently formulated are indeed pretty nasty. They need to evolve. Let's assume that VRSN does run the CRL, for instance... Couldn't they create domain records for checking on the revocation status of certificates? It seems to me that by having a namespace in the DNS registry devoted to certific
Re:Signed Email (Score:3, Informative)
> why PKIs hardly ever get past 100K users.
Ever heard of OCSP ? That solves the problem. Please refrain from expressing uninformed opinions.
Re:Signed Email (Score:3, Insightful)
Re:Signed Email (Score:3, Informative)
Howver, 100k is also a low estimate for hosts.
In 2001, Dan Bernstein did this survey [cr.yp.to] which yields an internet-wide estimate of 4 million reachable IP addresses running an SMTP server. I doubt the figure has decreased.
Scalability over many orders of magnitude is a fairly key requirement for internet protocol design.
Re:Someone has to step forward (Score:3, Informative)
Looking at the log for today, I see... 1,076 messages - of which 24 were not spam.
Yahoo's idea is simple, and is probably a lot more acceptable to the general public than many of the alternatives (government-signed keys, etc.) which we WILL have in a m
Re:The real solution. (Score:3, Insightful)
The finger deamon can be rewritten slighly to return an affirmative if the user actually sent an email to the fingering domain. The SMTP server can drop a line in the
Good move (Score:5, Interesting)
Lets get the implementations out there in the wild and use the feedback to create real solutions!
Re:Good move (Score:3, Interesting)
Re:Good move (Score:2)
Think of it this way - if you have many solutions that works half the time, then when you apply the solutions in series the chance of a spam getting through is exponentially reduced.
Re:Good move (Score:4, Interesting)
You are absolutely correct.
Sender Permitted From (SPF) [pobox.com] is indeed already available and implemented. Yahoo's DomainKeys is not implemented, and a spec has not yet even been published.
In a nutshell, SPF is a way to publish a DNS record that tells other sites what machines transmit email from your domain name. It's a pretty flexible system (detailed info at the SPF site).
Lets get the implementations out there in the wild and use the feedback to create real solutions!
Obviously you missed the article last week that AOL published a SPF record for 24 hours last Friday, for initial testing and to collect feedback. It appears they were pleased with the results, since they have turned it back on as of today.
AOL is not the only site. In fact, as of today, 3575 sites have published SPF records [infinitepenguins.net]. My own site is among them.
If you, dead reader, happen to control the DNS for your own site, please consider adding a SPF record. It's very easy to do with the web-based SPF Publisher Wizard [pobox.com].
I use the telephone and ftp (Score:5, Informative)
It's slower, but not as slow as deleted emails that I never see and can't respond to.
Another spin on that theme (Score:4, Informative)
The solution I use requires that one owns a domain. Simply provide specific addresses to people/places/things depending on your expectation for spam. Filter on the client name based on the to: field and most of the crap drops into the crap folder where it belongs.
This combined with a bayesian filter keeps the spam to a very reasonable level. One added bonus:
You can know who sold you out and pass the word to others.
I use gandi.net for this. They provide e-mail redirection for free with a grab bag for unspecified addresses. 12 euros per year with nice online admin tools combined with very reasonable legal terms makes the service well worth it.
As for the e-mail problem, it is going to come down to trusted mail servers. I believe we all should be able to run mail out of our homes, because that is part of being peers on the Internet.
So, anyone can send mail, but if you expect anyone to actually read it, you need to be trusted by at least someone
Re:Another spin on that theme (Score:5, Informative)
Its solution is basicely the same as yours, plus it's free and it doesn't require you to have your own domain name.
Standards are important (Score:4, Interesting)
Re:Standards are important (Score:3, Interesting)
If someone other than a standards organization, including corporations, comes up with a good idea that stops spam and solves the problem without causing more problems, then that sounds like a Good Thing to me.
Re:Standards are important (Score:2, Insightful)
It's not like the spam problem cropped up overnight either, it's been around for at least a few years and the IETF, et al, are still discussing the issue.
Standards (Score:5, Insightful)
Web folk always moan about MSIE's poor standards complience, for instance, but forget that CSS/Text came from them -- Netscape was pushing CSS/JavaScript at the time. Now, one of those is a standard, and the other is dead.
Ultimitely, either people will like Yahoo's idea and adopt it and it will eventually become a new standard, or it will be ignored by everyone else and forgotten. Only time will tell.
Re:Standards (Score:2)
EGO EGO EGO (Score:4, Interesting)
While the guys at the IETF fight for who has the biggest, ahem..., pen, the known email universe is collapsing under the weight of SPAM.
Let Yahoo hack and slash their way to a solution that works and then the standardization megalomaniacs can claim credit for inventing that idea 15 years ago while undergraduates at Stanford, Cambridge and MIT...
In the meantime, maybe we can have some peace...
It's not a matter of A or B (Score:5, Insightful)
I like the idea of a major player getting on with it and DOING something.
Would we rather have MS dictating an anti-spam standard? You can be sure such a beast would be a lot less benign than Yahoo's proposal
Re:It's not a matter of A or B (Score:2)
I agree. The deafening silence of the Internet "standards bodies" on the subject of spam control speaks for itself.
If Eric Raymond, IETF, et al. are interested in addressing the problem, then let's see their proposed solutions. Otherwise, I'm somewhat less than interested in hearing them whine about attempts by private industry to do their job for them.
Re:It's not a matter of A or B (Score:5, Informative)
Actually Eric has been supporting the SPF spec which is public, has an open discussion group and is currently in pole position wrt other schemes.
The problem we have is that the standards process in the IETF/IRTF has essentially failled. First the original chair of the group hijacked it to use it as a platform to get his name and that of his company into every anti-spam puff piece in every newspaper arround. He contributed nothing of value and pushed out all the people who did have something to contribute.
There was an opportunity to get something going on the standards track but the IETF establishment decided to nix the idea - basically it will be July before it is possible to even start the process of forming a working group there.
It is no surprise then that most commercial proposals have been avoiding the IETF like it was a bad smell. The IETF has no concept of working to a commercially relevant time scale - like months rather than decades.
So we have ended up with about ten specs that have been circulating samizdat fashion amongst small circles since last February. The premise being that we have to short-circuit the standards process somehow. Only we have now been doing this for almost a year without result while in other areas it has taken less than a year to do a full spec - given the right circumstances.
Fortunately IETF is not the only game in town. OASIS is a far more professional outfit. In OASIS you have a defined membership of the group and you hold weekly or bi-weekly con-calls so that things get done on a weekly basis, not the week before the RFC-editor cuttoff before the next IETF meeting 3 times a year. You also have votes and clear lines of accountability. In the IETF the chair can basically do what the fuck they like and ignore the consensus of the group. You have the illusion of participation but the establishment hold all the cards. It is all about control.
W3C is also OK-ish but the membership fees are ludicrous ($55K) and you keep getting semantic web thrust at you.
OASIS does have the disadvantage of being a commercial consortium rather than a trully open volunteer body, but in practice we get to co-opt anyone we want to a group.
It's bad if you have a different (Score:5, Insightful)
"From" address from what your SMTP server is, in which case I don't see how it could work for you.
This may put a lot of travellers out in the cold.
A solution is badly needed, but it has to work for everybody.
Re:It's bad if you have a different (Score:2)
Re:It's bad if you have a different (Score:2)
1) Don't publish a key for your domain (downside is that you can still be joe-jobbed and nobody can verify that e-mail coming from your domain is authentic, or at least that it passed through an authorized server)
2) Use SMTP AUTH / VPN to connect to your domain's server, just as if you were in the office. (Most corporations, where you are acting as an agent of the corporat
Re:It's bad if you have a different (Score:5, Informative)
Furthermore, mail receivers need not check all purported from addresses. This is just one tool in the toolbox. As I understand it, Yahoo's idea addresses the problem of mail claiming to be from jane_austin@yahoo.com, when it fact it is from a spam criminal (I believe falsifying mail headers is a crime in many places these days). If Yahoo, hotmail, and aol could be validated this way, it would help a lot.
I have gotten emails from people threatening me with bodily harm because they believe I sent them spam. (When they include the message in question, it is obvious from the headers that it never went near the US, much less through any of my machines.) Some spam scum in Asia is using my email as the from address to spam victims in Europe. So I would be interested in signing my emails, if some of the spam victims would check it.
What prevents a spammer from simply reusing properly signed headers with a spam body? Does the signature cover the message content? If so, how is it an improvement over simply signing your email?
Re:It's bad if you have a different (Score:3, Informative)
I myself am on Cox HSI. To send mail from my business domain, I simply use SSH. For Windows, use PuTTY, and set up a tunnel from port 25 to your sendmail server. Then she just sets her outgoing mail server to 'localhost'. We have configure
Re:It's bad if you have a different (Score:3, Insightful)
When de jure standards fail... (Score:5, Insightful)
Yahoo are spam nazis (Score:3, Insightful)
Doesn't sound like this will be too effective in stopping spam for
Yahoo users, and Yahoo is already a pain
to work with.
I setup a proxy and was a spam relay (unknowingly of course) for just
under a week. I got blacklisted on a couple of email sites, my ISP
bitched and I fixed it. So sorry.
So I'm now off every blacklist I know of, and everyone loves me again.
That is except Yahoo, the evil nazi bastards. I've filled out their
stupid, "fill this out to get
un-blacklisted" form at least 30 times (twice a day normally).
It must go into a black hole because they still are rejecting my mail.
Everyone else lets me through but stupid Yahoo, who seem to have NO
admins, no technical people, and a violate once banned for life reject
policy. Grrr. So I guess, if this new system lets them drop their damn
overbearing blacklists, I'm all for it.
Re:Yahoo are spam nazis (Score:5, Insightful)
overbearing blacklists, I'm all for it.
And people want to sue blackhole sites like MAPS out of business. THAT would mean every little mom and pop would maintain their OWN blacklist. Good luck getting off 69,105 blacklists. Your IP and domain would become useless.
I don't know how good the Yahoo system will be, but all the more power to them. At least they are trying.
Re:Yahoo are spam nazis (Score:2, Insightful)
If you can't be trusted to set up a system once, what leads Yahoo (or the rest of us) to believe you are now capable? Sure you may not make the same mistake but what will you overlook next time? Test it man, test it!
It's incapable admins like yourself that are at least partially responsible for the glut of spam.
How many pieces of spam d
A nice thought. (Score:2, Insightful)
Something needs to change (Score:2)
Since there doesn't seem to be any other way to deal with SPAM, I don't object to this. Especially if this is just a temporary measure.
It could be argued that if people go all out with these measures, in a while SPAM will no longer be sent, and then they can all be relaxed. But what will probably happen is this will just be another measure that will get circumvented.
Total overkill (Score:5, Insightful)
Re:Total overkill (Score:2)
SPF has the advantage over RMX that it does not need a new DNS record type, so it doesn't need IANA to assign a number.
I've put SPF records in my DNS, but I don't yet have my MTA (or MUA) patched to look up SPF records for incoming mail.
Re:Total overkill (Score:5, Informative)
This has already been discussed, with two current proposals, RMX [danisch.de] and SPF::Sender [pobox.com]. The latter looks a lot closer to implementation, with AOL already testing it. [slashdot.org]
Re: Reverse MX systems (Score:5, Informative)
However, reverse-MX solutions will not kill off spam (a common mis-conception). The goal of reverse-MX proposals is to stop domain forgery where spammers are able to, with complete impunity, to tack on any old domain name to their spams. Which means that the unfortunate organization who is forged gets to deal with the thousands of e-mail bounces and the irate phone calls / e-mails from people who think that the organization was the source of the spam. As a mail admin, I'm able to control which servers handle inbound e-mail for my domain through specifying MX records. Reverse MX allows me to have the same amount of control over outbound e-mail from my domain.
What will happen instead, once reverse-MX systems (or Yahoo!'s system or other sender-authentication systems) come into play. Spammers will have to change tactics and resort to either forging one of the remaining domains that don't have reverse-MX information published, or they will register throw-away domains by the hundreds. It will drive up their costs a tiny bit (much like the impact of bayesian and other filters requiring them to use randomization techniques).
But the real nice side-effect of reverse-MX, etc., is that you'll be able to more reliable whitelist based on domain name. And your bayesian filters will be able to assign high ham values to domain names.
It also puts a crimp in e-mail worms that attempt to use a built-in SMTP engine to avoid detection. Unless the worm forges a domain with no reverse-MX info published, the worm won't spread (most MTAs will drop the connection). Instead, the worm will have to route through the user domain's SMTP server, where the mail admin is more likely to catch the traffic (virus scanner on the SMTP server, or rate limiters).
Re:Total overkill (Score:3, Insightful)
Why closed source?
Closed-source cryptographic systems (which is essentially what this is) are often very insecure if they are not peer-reviewed. In fact, Bruce Schneier argues often in his books that a properly designed cryptographic system is just as secure if the source/spec is open/published. Most problems are actually due to impl
I am implementing on the 15 or so domains I admin (Score:3, Interesting)
I admin a dozen domains professionally, and run a couple mail servers for volunteer orgs and all of them will get it.
-Brian
Re:I am implementing on the 15 or so domains I adm (Score:3)
If they don't support exim, then I can't use it. Exim developers may implement it, but yahoo can't resonably say that they would start blocking before other projects have a chance to make their own versions.
On the other side of things, I'm going to st
Standard bodies and solutions? (Score:4, Insightful)
E-mail is supposed to do a certain job, and it does that job well, at least from a technical standpoint. The problems with spam are identical to similar problems in every other arena, it's just that they seem worse because of the level of automation. Even if it wasn't automated, spam would still be a problem. With idiots knocking on my door every other week with a hard sale for everything from oil changes to chinese food, I'm starting to almost regret the do-not-call list, because I didn't have to worry as much about these degenerates (if you don't take "No" for an answer and walk away immmediately, you are a degenerate in my book, and very door-to-door jerkwad so far has been one) giving my wife a hard time.
Standards bodies can't do anything to fix human behavior, unfortunately.
Re:Standard bodies and solutions? (Score:2)
Helps if you have a solid door and they can't tell from outside the residence that someone is actually inside, but still, it's worth a shot.
Better to use IP restrictions (Score:4, Interesting)
This extension was based on DNS and basically allowed the mail server to query whether the IP address of the mailer was allowed to send on behalf of the domain.
Yes - this would be open to IP spoofing. Perhaps this DNS extension should be combined with the Yahoo method. If Yahoo, Hotmail and a couple of other providers adopted it could have massive effect.
To intially put live perhaps they could have an authenticated vs non-authenticated flag/filter in their web-mail client.
Repost? (Score:5, Informative)
There were alot of vital ascpects to this point made in the previous article some of which are quite thought provoking!
If you missed the previous thread, I hgihly recommended reading or even reading it.
Business sense (Score:3, Insightful)
How about this? (Score:5, Interesting)
That way, there's no question where the email came from, and exactly which account sent it. Plus traffic goes way down by not passing the content all over the place.
In addition millions of copies of the same email would not have to be held on recipient's servers, they would just sit on the originating server until received or until some time limit expired.
I guess this would prohibit using a (ISP's) email server as a repository, you would have to download everything you wanted to keep, but hey, no more email size limits! - send me the world - if I want it, I'll come and get it!
Could this help in the spam wars?
Re:How about this? (Score:2)
I would think it would be unworkable due to how sending and receieveing mail servers are set up. Most receieving mail servers have oodles have harddisk space to burn on holding messges. Sending servers are usually fewer in number and don't have a lot of harddrive space because they don't have to hold that many messages at a time.
my 2 cents.
Like a news server (Score:2)
Spammers don't send massive e-mails because it takes too much bandwidth to bulk send.
E-mail size limits come from mail servers that don't want individuals e-mailing massive attachments. It takes up bandwidth and storage while it sits waiting for the user to retrieve it.
And your method has already been implemented. It's called a news server. Technically there's nothing stopping you from using one as a primary e-mail address. Unless you can't set it to be post only
Re:How about this? (Score:2)
I've always wondered why it wasn't done that way in the first place...
Of course, it would stop ISPs from worrying at all about SPAM, and there would be no central mail server to do blacklist lookups... maybe instead of providing a mail server, ISPs could provide a local queriable blacklist server.
Now you're talking about:
Re:How about this? (Score:4, Insightful)
Neat idea... in theory. There are a few problems with it:
1. It would reduce overall bandwidth being burned on the Internet and cost the very influential backbone ISPs lots of money that they're charging smaller providers for bandwidth, so they'll hate the idea and lobby against it.
2. The flow of information on the Internet would heavily tilt more towards prime time, creating additional bottleneck issues. Users would be downloading expentially more data during business hours and much less in the off time. Server resources would need to be beefed up and there is no guarantee that the requested mail could be retrieved upon request (an e-mail based "slashdot effect")
3. If you think e-mail headers are misleading now, under such a system things would be a lot worse. You'd be lost in a sea of misleading e-mail you could only verify by exposing yourself to the spammer.
4. When you went to retrieve the e-mail message, you would expose your personal IP address. It would be the equivalent of having a web-page bot allowing spammers and other systems to associate a fixed location in cyberspace with your identity, email and any other info in the e-mail. Serious privacy invasion issues abound.
This is a spammers wet dream! (Score:3, Insightful)
They would write their own mail servers where more than one recpient would be linked to one post on the server. This means that they can send a small header it to a gazillion people and only spend 400 bytes on actually storing the message on their server since they only need one copy of a particular Email.
Bandwith is only wasted when a user comes to look at the mail, which also verifies that that user exists (double spam for you my friend).
So, this would make spam worse.
s
Depends (Score:2)
1) Free of ownership
2) Easy to implement on any platform
3) offers a valid chance of actually working
With those three met, I think it has a chance, especially with one of the more visible players helping it along. Though they might want to participate in some open-source deveopments (mozilla, etc) and contribute the necessary code to also help push along the effort.
Nope (Score:2, Interesting)
Good move, which may actually spur development. (Score:4, Interesting)
There have been a few times in the past where an entrenched technology has hit a wall in functionality, but because it was entrenched no one really did anything about it.
Then, someone said "Fuck standards - I have to DO something about this!" and started pushing thier solution. Other saw that someone was willing to take the first step, and took a step themselves. After some shakeouts, a new, more functional standard emerged.
My hope is that Yahoo has started the "SPAM proof MTA" development war for real this time. I want my e-mail system back.
Soko
Re:Good move, which may actually spur development. (Score:2)
Stop using Yahoo!
Good Move ? (Score:2, Insightful)
Why not Sender Permitted From (SPF)??? (Score:2)
It's on the agenda for my next mailserver deployment. Hopefully others will implement it as well. Seems like a really good, vendor and ISP neutral idea that could really help make a difference. And it has (or had when I last read it) a good deployment plan that allowed for phased deployments and letting each receiving site determine the strictness of the implementation for receiving email fr
OS X mail works fine (Score:2)
This is down from dozens....
About Time (Score:2)
The problem is the standards bodies haven't done a whole lot to curb the problems with SMTP. The implicit trust it conveys is the WHOLE problem with pam and it's time to toss it out and come up with an alternative.
Hopefully whatever the alternative is, it'll allow administrators to verify the sending party or at least the relaying party and convey some level of trust and authenticity. With billions and billions of junk messages per day, email is well on the way to becoming just too much trouble to use.
a flavor of the inevitable (Score:2)
We might as well just admit it. SMTP relays need to be licensed and regulated. This would stop spam. Implementing customized protocol-based front ends just slow things down and aren't horizontal in their implementation. And the idea of some handshake mechanism that denotes an acceptable SMTP source has to have spamming hackers salivating. They'll crack it wit
Re:a flavor of the inevitable (Score:3, Interesting)
Ummm... and who do you propose is going to do the licensing and regulations? What enforcement powers will they have over relays in another jurisdiction?
What's to stop the spammers from bribing officials to get their spam-relays "licensed"?
This is kind of sad.. (Score:5, Insightful)
I don't mean to come off as the thundering asshole, but this situation has grown so slowly its like watching a car crash spread out over the past 15 YEARS.
Please, experiment. Break things. I don't give a shit, but don't let us sit here moaning like helpless children while spammers sit back (laugh) and rake in MILLIONS.
Get fucking aggressive.
And if I hear one more idiot talk about how you have to cut spammers off by not buying their products I'm going to cut him off at the knees! If that would work you and Noah could be shooting dice right now and we'd have a hell of a lot less to worry about.
Programers still know how to experiment, right?
Re:This is kind of sad.. (Score:3, Insightful)
Come on now! (Score:4, Interesting)
I keep hearing horror stories about people getting 100+ spam emails per day. This leaves me with the question, HOW IS YOUR EMAIL ADDRESS GETTING INTO THEIR HANDS!?!?
I don't sign up for every "free" offer that I come across. I don't have business cards made up with my email address. I have two email addresses, I might receive 10 spams per week between them.
WTF are all of you doing to get on so many spammers' lists?
LK
Re:Come on now! (Score:3, Insightful)
2) e-mail addresses in public records
3) common e-mail addresses that you have to monitor (john@domain, webmaster@, abuse@, postmaster@, root@)
4) friends who have posted your address online (good intentions...)
5) corporate espionage where someone makes a copy of a maillist for a spammer for $$$
6) spammer got lucky
Re:Come on now! (Score:3, Insightful)
e-greetings card website sells your email address to spammers.
Lots of variations of this one are around. Check out evite.com and their 'privacy' statement. It only exists to capture your email and browsing habits and web-bug you with invisible pixels with cookies.
--jeff++
Re:Come on now! (Score:3, Informative)
I now have a domain with as many e-mail addresses as I like and although I use it to sign up to all that free software/internet shopping websites
Re:Come on now! (Score:3, Interesting)
Consequently, I get a lot of spam. Most of it filtered, but still a lot more than I'd like. Counting the ones filtered, it's well over 100 a day. Maybe a dozen get through the filters light touch - I really don't want to miss ham), but more every week.
There's no easy solution -
E-mail needs to be "closed" (Score:3, Interesting)
If Yahoo, MSN, and Earthlink all joined together to form an "invitation only" e-mail club, and each took responsibilty for patroling its own user base, the world would be a whole lot closer to a spam-free place. "Pink contracts" would not be tolerated, as the entire ISP would risk being expelled from the club, and therefore not be able to offer functional inter-network e-mail service. Remember, the Internet is nothing but a network formed by joining other networks... nobody has to honor the requests of other networks, however.
Value judgement (Score:4, Interesting)
First, I think the benefits of having free and semi-anonymous e-mail outweigh the disadvantages of having to use and maintain spam filters. Obviously, many people disagree with me here, and more all the time.
(Here's a conspiracy for ya: what if some Big Brother is trying to kill the free exchange of ideas in e-mail by burying the whole system with spam? I don't believe it's true, but it's worth wondering about before jumping to non-free solutions!)
Second, even if I thought that killing spam was worth the cost of crippling some of e-mail's better and more distinctive features, I think going about it in a non-standards-based way is likely to be a road to chaos.
The best solution, I think, would be to supplant e-mail with something new that works in a more trusted and accountable way. If someone really hates spam, they can use only the new system; if they want anonymity and freedom at the cost of spam, they can use the current mail system. The systems could coexist much like Usenet and the Web; each is useful for different things.
Pursue technical and social fixes simultaneously (Score:4, Insightful)
I have a concrete proposal at the end of this post so please read on.
Anyway someone mentioned the tipping point and I am reading this after cleaning a thousand spams out of my mail folder so I am ready to consider lots of things.
But one thing is definite about all this. If these guys were terrorists planning some horror and not just an army of rotten people bent on selling viagra and insurance, they would be shut down in a heartbeat. You can follow the money! (As many people have.)
Note these datapoints:
- Telemarketers don't like getting phone bombed, as Dave Barry launched retaliation against an association of them.
- Spammers are in it for the money
- Their clients pay because they want to sell something.
- Their clients are living in meatspace and are allergic to publicity.
- Spam is by definition, easy to get since so many are sent from each machine. (In fact I get too many to even reply with "unsubscribe" to them all).
- We all see spam, but can't stop it because the spammers are laughing at us by endlessly transforming their campaigns. The helpless feeling I suppose is similar to terrorism in that there is a feeling of a nebulous enemy profiting by your openness, there is nothing to grab hold of.
- People are willing to pay money to stop spam.
- Homeland security (probably) and the NSA and similar national organizations (definitely), and telcos and isps (of course) are sitting in front of the big routers around the world. This information can be coordinated.
- Some big organization wants a steganography analyzer built quickly (recent slashdot story)
From this and a bit of blue skying and paranoia, I get:
1. Spam, which is subtly personalized and includes photos and hyperlinks, could be used as a communications network by terrorists, so definitely falls under the national security bailiwick. Ditto for viruses and worms, though they are maybe too visible.
2. Though maybe it is better to unlock the messages than to stop spam, from a security standpoint.
3. Certainly it is possible to make transparent who exactly is sending spam, and how the money flows from their clients. Both by surveillance and of course just trying to buy some of their services.
4. If it isn't illegal, they can't be put out of business and so long as they have clients, it is a "business opportunity".
5. But by focussing the anger of thousands of people on each client and detected spammer, this lucrative business can be turned into a financially losing proposition.
6. Finally, if we make it impossible for their clients to sell their wares, there will be no point to spamming. This suggests that rather than trying to secure all of the honest email, we should focus on removing spam from the network. I don't think blackholes work, however it is quite possible that a finer granularity and more intelligence might work. (See below)
So I welcome technical fixes against spam but think they should more involve information sharing than an attempt to cryptographically secure the email network, since the power of email is fundamentally that it is so easy to use.
I would propose that a group of people are selected around the world to manually go through their incoming email and note which emails are spam, preferably qualifying what type it is and using some simple tools to also note whether this is the work of nefarious arch-spammer types that play tricks on you, as opposed to honest mailing lists. It should be an open architecture which allows more than one organization to do the grading. Perhaps one will only filter porn, etc. I believe some large antivirus companies do something a little bit like this on an automated level to learn about thre
proprietary solutions (Score:3, Interesting)
"To every challenging problem, there is a solution that is obvious, easy, and wrong."
Proprietary stuff like this one usually is that solution, because not enough eyes looked at it. That's why so many software projects fail, and that's why peer-review is so important in science.
Yahoo can't even teach their mailservers to play nicely with the rest of the world (they bounce when they should have rejected). I don't trust them an inch to patch sendmail or solve the spam problem.
Yahoo might be doing us a big favor (Score:5, Insightful)
One major problem with standards groups is that people like Verisign are on most security standards groups. Verisign has extremely strong motivations to ensure that email uses a Web-like interface, where one purchases an (expiring) Verisign cert for each email server one runs. They have strong incentive to block competing solutions. If you want to come out with a good system that prevents existing folks from milking a market, both industry consortiums and standards groups are pretty much useless. You need to do what happened with PNG -- have a bunch of talented, aggravated engineers sit down, write up a technically good spec, and put out reference code. Later on, let standards committees follow what's in place.
I can't figure out why replay attacks are an issue. I, personally, would suggest, off the cuff, including any To: or CC: lines in the message body (just for signing purposes, not actually sending either header in the body). This way, a replay attack would only allow resending the same email to the same destination from the same source. It's also pretty easy to include a timestamp, if folks are *really* concerned about replays.
Yahoo is pretty much doing what ESR and RMS have been hoping for for years -- contributing to open source systems because there's an itch that needs scratching.
Paul Vixie (disclaimer -- I don't move in his circles, and what I know about him is entirely secondhand) seems to be involved a great deal in politics, rather than technology. He leaves a bit of the same bitter tang in the mouth that Verisign does. He is, apparently, the source of at least some of the IETF objections. Vixie has also made a number of antispam statements that I tend to disagree with, including advocating mass blocking of mail servers on home email connections by netblock.
Make it an RFC... (Score:3, Insightful)
The fact is that anyone can raise a new standard, it will have to do something useful or it will simply be ignored, but it is hardly difficult to get the process started, by raising an Internet Draft, and in a case like this it should only take a few months to become a standard. The IETF work much more efficiently than any commercial standards body that I know of. The process is documented at ftp://ftp.isi.edu/in-notes/rfc2026.txt amongst other places, and surely must be the correct procedure to use. Who cases about ANSI, or BSI, or CENELEC, or any of these bodies that sell you a few pages of copyrighted standard for silly money? The RFCs are published for everyone to use, which is why ithe net works as well as it does, despite the efforts and intentions of some, such as the Convicted Monopolist (had to get him in somewhere..), to "de-commoditise the protocols".
There is no reason why they can't raise an Internet Draft right now and start using the thing, people can then follow the Draft at their own risk of having to do more work if it changes.
Re:All together now! (Score:5, Insightful)
There's always going to be pricks who will do anything for a buck.
Re:All together now! (Score:2, Funny)
Three words:
Tar and Feathers
Re:All together now! (Score:2)
Guns and email systems are just enabling technology. The rub is that email systems are just more efficient than guns. I'd guess there are more murderers than spammers in the world, but we'll all get spam tommorrow, and not many of us will be murdered.
No point. Just an observation.
Re:All together now! (Score:4, Insightful)
I agree that spam is a social problem, but you need to qualify what you mean a little more. Technology is the enabling mechanism to this problem (that some people are willing to be jerks and abuse a medium). Computers are exceedingly good at cranking out spam, day and night, and the medium of email is exceedingly weak against protecting against this kind of abuse. The same kind of social problem exists in all communications mediums, but you don't see just anyone wardialing people to sell viagra and penis pills. Calling a million people is expensive and time consuming, spamming is not. Therefore, this is a technologically exagerated (sp?) manifestation of a very minor social problem, making your point all but useless when trying to solve it. You've got to solve the problem in this situation, which is the enabler - technology.
Re:All together now! (Score:3)
We pretend email is free, so the spammers think they are dividing by zero--and any return on zero investment looks very impressive. This is actually a silly legacy of when the nascent Internet was a non-commercial and purely cooperative enterprise. "You help me with my email and I'll help you with yours. We just won't worry about the details of the bean counting."
Now the spammers say "Y
Re:All together now! (Score:2, Insightful)
Re:All together now! (Score:2, Insightful)
Re:All together now! (Score:5, Interesting)
So if spam is a social problem, what about auto theft? Should that also be solved by economics and/or behavior? Do you think that people shouldn't lock their cars or have alarm systems? Or that they should have push-button starters with no key required? If you believe this, you're a fool.
How about hacking? Should that also be solved by economics and/or behavior? Should remotely-accessible computer systems not be password protected? Instead of having user accounts with passwords to keep hackers out, should we just let anyone log in who wants to, and use other means to punish people who abuse this? How about we connect our military systems to the internet in this way? Again, if you believe this, you're a fool.
Any time a technological measure can be employed to minimize a social problem, it should be, because relying on society to proactively halt the activities of those who prey on weaknesses in the society is foolhardy because society only acts in a reactionary manner.
Re:All together now! (Score:3, Insightful)
But Spam is more about an inappropriate use of technology. SMTP was designed on the assumption that the community at large using it would not be interested in abusing it. This was the case back when the Internet was not yet commercialized, and I remember it pretty well.
I think the only thing that will resolve the spam issue is abandonment of SMTP as we know it, and an adoption of a new protoc
Definitely NOT (Score:3, Interesting)
The sad truth is, there will always be jerks willing to engage in self-profitable activity at the expense of others, and to some extent this activity is what we call crime. There are three prerequisites for it, which are:
- intent (you know it's bad, but you don't care)
- gain (outweighing the cost / risk)
- occasion
This last one you completely overlooked. Why do you think locks exis
Re:Uh no sirree bob.... (Score:2)
Re:inertia (vs pain) (Score:4, Insightful)
Reverse MX and Yahoo!'s proposal, however, don't require widespread adoption at the start. In fact, the tipping point is probably only a few percentage points of the domain namespace.
After all, for just a few minutes worth of work (more if you don't already provide SMTP AUTH, or require users to VPN in to send e-mail already), you protect your domain against joe jobs and forged e-mail bounces. So there's a low cost-of-entry. (Yahoo!'s proposal requires more work then the simpler, less CPU-intensive SPF proposal.)
What happens next is that domain admins that publish keys/SPF information find that they're no longer getting joe-jobbed and they're able to block a higher percentage of spam then they used to. Word gets out and more folks sign on (second wave adopters).
Sometime after that, the big ISPs require your mail servers to publish SPF/keys if you want your e-mail to be delivered to their users. (FYI, this is very similar to AOL's whitelisting program, which is essential a privately-administered reverse-MX system where you tell AOL what IPs your e-mail is allowed to originate from.)
As a WAG about rate of pickup, early adopters have started, second wave folks will probably sign on in the spring/summer, and I wouldn't be surprised to see ISP-blocking by the end of the year.
Re:The cure to spam (Score:3, Insightful)
Yes, you've just described a Challange/Response system. And right now, since domain / origin e-mail addresses are so easily forged - it's extremely annoying to the people who get those (forged) challenges.