Spam The Internet

Reviving the Finger Protocol to Fight Spam?

Greg asks: "Some will remember the finger protocol, which is barely used now. Although this tool was useful in some cases, today it would be a nice tool for spammers. However, could it be used against spam? Most spammers use bogus email, and most spam-fighters talk about changing SMTP to implement a certificate system to make sure the sender is valid. While this is great, it'll require a complete rewrite of the SMTP protocol, plus adoption and a rewrite of all software using SMTP. Wouldn't it be easier to use a 'finger'-like protocol? When receiving a mail we could check if the sender is valid or not. What do people think about this?"
  • More RBL needed? (Score:5, Insightful)

    by secolactico ( 519805 ) on Sunday May 25, 2003 @04:02PM (#6036391) Journal
    Pretty soon somebody will set up a finger server that will simply respond to every query with a "valid user" response.

    Then you'll have to blackhole those servers.
  • by Spock the Baptist ( 455355 ) on Sunday May 25, 2003 @04:02PM (#6036392) Journal
    Someone had to make the pun...
  • i thought i saw a cmd called VRFY which is supposed to check if the supplied email is valid.
    I know it exists on SMTP on windows servers not sure about non-windows smtp servers.
    • this cmd is deactivated on a lot of servers cause it could be/was being used by spammers to find valid addresses.
      The same could be said for finger-servers. Nice to DOS and nice to use to find valid addresses.

      Wanna fight SPAM? Punish spammers hard, punish and close open relays, implement SMTP authentication (at least for external networks)... you'll never be able to banish SPAM completely, but why make it easy on the assholes?
      • Not only spam, another problem with VRFY is that it gives blackhats a pretty easy way of finding valid system accounts (given that many still use email -> system account)... VRFY doesn't leave as many traces as most other ways of finding valid accounts
    • The VRFY command is for the client to check whether the user exists on the server it is delivering to (and to get some additional information which is the reason it is deactivated on most servers).

      It is NOT for the server to check back politely with the client whether the email is originating from a valid user.

      Anyway, what is a "valid user"?

      Edgar
      • The VRFY command isn't always enabled, because it can be used by a SPAM'er to collect valid email addresses. I'm not sure how much this really matters, because the following mechanism can be used as well, and it cannot be shut off.

        % telnet mail.domain.tld 25
        Trying mail.domain.tld...
        Connected to mail.domain.tld...
        Escape character is '^]'.
        220 mail.domain.tld ESMTP Postfix
        EHLO myhost.mydomain.tld
        250-mail.domain.tld
        250-PIPELINING
        250-ETRN
        250-XVERP
        250 8BITMIME
        MAIL FROM: postmaster@myhost.mydomain.tl

      • Anyway, what is a "valid user"?

        someone healthy and active i guess .. as opposed to an invalid .. (i hesitate to use the term invalid user as this also denotes those getting rich off retirement communities for the disabled)

        mail is always going to come from "a valid user" at some point in the trail whether that person is bouncing it off open relays, or using a myriad of other anonymous services. i don't think you can have both privacy of information and full accountability of everyone who might send you
    • Yes. VRFY exists, but is now turned off for many default server installs. The alternative would be to try and email the sender and see if the email is accepted (yeuch).

      You wouldn't (currently) be able to enforce VRFY or FINGER as being required to accept emails, although it could be used as a way to cut down on false positives in spam-filtering. I.E. If you get something that looks like borderline spam, the last check would be to attempt to VRFY the sender. If it succeeds, then classify it as non-spam. If

  • ...so instead of rewriting SMTP and all related programs you would have to write new programs and everything to use a new finger like protocol, which would also have to be written. You're better off sticking with what exists and building off of it, it makes backwards-compatibility simpler and overall would require far less work. Something has to be done and it's going to take a lot of work, but why make it a more complex problem than it has to be?
  • A large portion of spam gets sent out under real email addresses that do not belong to the spammer.

    On top of that fatal flaw, this system still has all the major problems of other systems:

    Would require huge infrastructure and deployment efforts
    Not everyone will get on board, either on the receiving end or sending end
    Most email users do not control their own domains and would depend on their ISP for any finger servers
    Most people still accept spam as a 'fact of life' concerning the internet.

    Even now I still tell people that they will just have to accept the spam, though some filters help. It's simply not worth most people's time to fight it yet.

    I wish we didn't have to use any legal measures, but the reality is that any technological measures will be overcome quickly. Laws exist to prevent such 'arms races', and in this case neither party (spammer/user) is willing to back down from their position.

    -Adam
    • kids and spam.. (Score:5, Insightful)

      by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Sunday May 25, 2003 @05:33PM (#6036812) Homepage
      This makes me angry.

      I set up email for my 8yo daughter. The address has only ever appeared on kid-oriented websites. Here's some of the subject lines from messages spamassassin has caught recently;

      • Subject: RE: About your request of No.1 Teen Hardcore Site
      • Subject: Chick love with beast 0464jjIM9--9
      • Subject: she wanted to do it
      • Subject: SHEMIKA'S pics
      • Subject: Information Requested Please
      • Subject: Improve your Sex Appeal!
      • Subject: Wife wants you to have this Bigger Erection
      • Subject: Make her scream use this
      • Subject: DVD-Teens_About 15 GIGs of BEST Hardcore sex!
      • Subject: See Results Immediately! Enlarge your Penis Today!
      • Subject: Women: Revolutionary Climax Product Will Astonish You..........qzyrkvv
      • Subject: Women: Revolutionary Climax Product Will Astonish You.......qzyrkvv
      • Subject: Private-Viewer Pro provides secure Password Protection for all of your Adult Content.
      • Subject: A New Stimulating Sensual Lubricant For Women (Discount Code #7181835)
      • Subject: CHAROLETTE'S pics 0123IjOv9-354-12
      • Subject: How to Boost Your Penis Size & Confidence username@ourISP.co.nz lpx
      • Subject: [Men Only]
      • Subject: username@ourISP.co.nz Valiumm-Viagraa-Xanaxx No Exam Needed!Simple
        Online Form hj:uqlm;ndiure;c cf;ikjc:

      • Was it a free email service? I've got a solution for you, get her an account with spamblocked.com [spamblocked.com] (where's my check Morely/Rich?) or a similar service that uses lots of RBLs or does heavy filtering. For kids, I really see this as the best way to go. I would never let a child use hotmail/yahoo/etc, they are so limp in the blocking department that it's a joke.
        • You miss the point. He's already managed to block it... it's that these fuckwads would send out disgusting shit like that in the first place, when they know that at least a few kids will see it.

          People shouldn't have to make an effort to block this slime, and certainly not the near-heroic effort that is needed to block even 50% of it.

          If they catch these asshats, they should charge them with child molestation.
        • --Actually yahoo's spam blocking is really quite good. Satisfied user since ~1996 or '97. Even if they block some stuff you're subscribed to, you can instantly tell them to un-block in the future.
          • I'll have to agree. I signed up for Yahoo and Hotmail (pre-msn) accounts in 1997. I've only ever used them for on-line storage storage of email when I had only a pop account at my ISP and recently for IM. When I check my yahoo after a month or so of not using it, it is empty. When I check hotmail, if I have security on, but at the level just below whitelisting, I get 10 spams a day, most of them so crude they would make a sailor blush.
      • I can understand your outrage; I would be too.

        How about a ".kids" domain for email, to which sending such 'explicit' spam is strictly FORBIDDEN?

        • A .kids domain?

          Did i forget to mention the address has only ever appeared on kid-oriented sites?

          Oh yeah, I did mention that..

          Thanks for playing.
          • You are right to be angry.

            However, the spammer has no idea that a specific site only has kids related material. Nobody can classify web sites as to the type of content on them in an automated way. It's why Yahoo had humans doing the classification for the longest time. It'd be entirely too much work for the spammer to check all the sites his e-mail addresses come from (so I think we should require the spammer to do so).

            Saying that it's only on kids sites is a red herring, spammers don't read the s

          • Like the address harvesting spiders care.
        • An interesting idea, but unfortunately it doesn't take into account that spammers don't actually care who they send to. Not only that, but it'd probably be a prime target for paedophiles too.

          Also, what's to stop anybody else from signing up for a '.kids' email address in the hope that they wouldn't receive this sort of spam? Unless you can prove that people using it are in a certain age range, you're not going to be able to "forbid" sending of explicit spam to .kids domains.
        • How about a ".kids" domain for email, to which sending such 'explicit' spam is strictly FORBIDDEN?
          I think a .* domain to which sending such explicit spam is forbidden would be even better.
        • .kids domain? In case you didn't know, disseminating pornography to minors is already illegal and a pretty serious offense I believe. Provided you can find the spammer that is...
      • This will probably just make you angrier, but worse than the fact that spammers don't care, is that pedophiles almost certainly purposely check out websites where children are likely to give out personal information like email addresses.

        Certainly the 6 o'clock news shows like to point out a pedophile contacting a child over the internet (gasp!)* whenever they can.

        * as in "Don't you dare think of using the evil internet, or letting anyone you know look at it, instead of watching the sacred television."

    • A large portion of spam gets sent out under real email addresses that do not belong to the spammer.

      The solution is to use a finger-like protocol that:

      1. Checks that the username is valid
      2. Checks that the message-id for the email received is one sent from that username (the server would have to keep a list of all message-ids sent from it in the last month or so)

      Then, if a spammer forges someone's address, they have to know a valid message-id for that user, which is difficult to do.

      (One way a spammer

      • Checks that the message-id for the email received is one sent from that username (the server would have to keep a list of all message-ids sent from it in the last month or so)

        This would break nearly every major ISP's SMTP setup.

        Any large-ish ISP (over 200 subscribers or so) will use different servers for inbound and outbound mail.

        Not to mention that it would completely screw anyone who uses email addresses that don't correspond to their ISP. (ie. I send mail from home, using my work email address - how
        • This would break nearly every major ISP's SMTP setup.

          Spam costs ISPs lots of money; I expect most would reconfigure their servers to help stop it.

          how is my work mail server supposed to know what the SMTP ID is of a mail it will never see?

          The whole point of my scheme is to prevent people using a mail address other than what they are actually posting on; if you want to use your work email address, make it a Reply-To:, and have the From: field contain the address you are really posting from.

          • Spam costs ISPs lots of money; I expect most would reconfigure their servers to help stop it.

            It's not a matter of "reconfiguring their servers" - it's a matter of PERFORMANCE.

            The whole reason that it's done this way is because one machine would not be capable of handling it.

            The whole point of my scheme is to prevent people using a mail address other than what they are actually posting on; if you want to use your work email address, make it a Reply-To:, and have the From: field contain the address you a
      • > The solution is to use a finger-like protocol...

        --No.

        --The solution is to find a spammer that has sent this garbage to children, whether "with intent" or not, and do the following:

        o Prove beyond reasonable doubt that this is the guy.
        o Drag him by the hair out of his house.
        o Call the local news affiliate.

        o PUBLICALLY EXECUTE HIM. On Live National TV. (I doubt there's a jury in the COUNTRY that would convict you, esp. if the spammer lives in the South.)

        --Set a few graphic examples and watch the in
      • why not make it a little easier if I send a email
        FROM budgenator@example.com just make sure that the email at least went through example.com. I'm not sure if this would be easier in the pop3 client or the SMTP server. see my journal entry for other ideas I've had on Fighting spam [slashdot.org]
    • but the reality is that any technological measures will be overcome quickly.

      That is bull... There are plenty of ways to stop automated e-mail guessing/harvesting in ways that really can't be overcome.

      Scott Adams now requires the word "dilbert" to be in the subject line of all e-mail sent to his AOL address... everything else is trashed, presumably.

      With that system, there is no feasible way to build a collection of e-mail addresses. Even if it were, it would probably cost a bit more, and be more difficu

  • It's identd (Score:4, Interesting)

    by Lord Sauron ( 551055 ) on Sunday May 25, 2003 @04:15PM (#6036456)
    What you're describing is more like identd [clock.org].
    • Re:It's identd (Score:3, Interesting)

      by zcat_NZ ( 267672 )
      Problem; Both finger and ident rely on the server returning a truthful response. If it's under control of a spammer it won't be. "1) Spammers Lie"

      Spamming is not a technical problem, it's a social problem.

      Here's my suggestion; Most ISP's need to add a clause in their ToS that CLEARLY defines spamming (Bulk unsolicited email, commercial or not) as unacceptable, that violators WILL be blacklisted and that they will be charged a suitable 'cleanup' fee.

      First Amendment; doesn't apply, this is a private compan
      • Most ISPs do this. Real spammers just get T1 lines (you know, where you pay for bandwidth and you get bandwidth, and you don't have to put up with an ISP that tells you what you can and can't do with it). Sure, it may be expensive, but for some reason, probably stupid marketing departments, spammers tend to have a lot of money. Or the spammers just jump from account to account. It's hard to blacklist someone from every ISP.

        But you're right -- spamming is a social problem, and there's very little we (sl
        • umm, you can't get a T-1 from a Level 3 providers which are the only ISP's that are going to let you do as you wish. Even commercial T-1's from level 2 providers (not very common unless you are a very large national account which will be buying a ton of T-1's or larger) come with restrictive TOS's. What spammers do is go with lax or incompetent ISP's, or they just look for open relays and other means of hiding their tracks so that their ISP doesn't cut them off faster than they can sign up a new account wit
        • I was wondering if I was the only one in favor of branding known spammers. They'd sure have a hell of a time if people knew what the brand ment. "We don't serve spammers here". I also think someone murdering a spammer every few months would help matters.
  • by Wrexen ( 151642 ) on Sunday May 25, 2003 @04:38PM (#6036552) Homepage
    Anyone noticed a trend in "Ask /." lately? Usually looks something like this


    Dear Slashdot,

    I have a great idea for fixing a problem that's been plaguing us all. By simultaneously implementing IPv6 world-wide, converting the US to metric, adding mass transit to rural areas, teaching everyone Esperanto, and making Linux ready for even the most stubborn grandmother, all the world's problems will be solved. There's just this problem of implementation, i.e., how do I do it? I'm sure some clever /. can come up with a solution. Thanks!
  • Finger is unfortunately not helpful since spammers would be happy setting up some one-time finger server and account to get out their x million spam-emails. Unless of course finger-information would be required to bear a signature. But then we could sign the email in the first place.

    Edgar
  • by onomatomania ( 598947 ) on Sunday May 25, 2003 @04:51PM (#6036616)
    I hear that a lot -- "SMTP is old and crusty and if we could just throw it away and start over we could end spam forever." And that is such a bogus argument in my opinion.

    First, there's the notion of getting the entire planet to upgrade to a new protocol. There are *still* open relays out there, and SMTP has been around for what, 25 years? And that's just a simple configuration change. You're asking every single organization that uses mail to switch to some brand new, perhaps untested program? What about all those millions of automated applications, web scripts, and embedded applications that send or receive email? What do you do, throw those away? And remember, you can't just say "Well, we'll make it backwards compatible for a while" because otherwise the spammers will just keep sending plain old fashioned spam. Perhaps the most fundamental aspect of why email has been so universally embraced by everyone is that it is simple, easy to understand, universal, and standardized. You risk throwing that all away.

    But assuming you can get around the above issue, I still challenge you to come up with a new protocol that satisfies the following requirements:
    • Does not break mailing lists and other legitimate bulk email. You may not be a list-junkie but everyone at some point in time has been on a mailing list that was of real value. I think you would find that many organizations would have a major problem giving up mailing lists. And there's plenty of other examples of legitimate bulk email -- order confirmations, notices, CONFIRMED (closed-loop) opt-in (and no other "opt" variety!), etc. I fear that a lot of the "make it hard for a computer to do it" solutions fail on this account. Hashcash is great and all, but how does a mailserver for a large mailing list deal with it? Whitelisting? You assume way too much about end users, they can't even get it straight how to unsubscribe most of the time, how can you expect them to maintain a whitelist? And how does Junis with his Commodore send email and still have the computation-requirement high enough that a spammer with a dual-Xeon can't send with impunity?

    • Does not require a centralized, top-level organization. A lot of the cryptographic proposals make the common blunder often seen when designing cryptographic systems of ignoring the issue of trust and keys. If you are going to make this work then really the only way I can see it is to have some Verisign-like body that issues certificates, and revokes them if proof of spam is found. However, that is a giant can of worms waiting to happen. They would be subject to lawsuit after lawsuit from the chickenboners (small time spammers) and mainsleeze ("reputable" spammers) for all sorts of counts of "impeding business" or other cries of general unfair practice. This organization will somehow need to be funded, which means you have to either start charging for these certificates, requiring deposits, or taxing the entire system to pay the authority. And I'm not going to get into the issue of international law and jurisdictional issues. I hope you can see that this is a HUGE can of worms and if you hate Verisign think of a world where every email you send depends on their competence. You may claim a web-of-trust scenario will work, I say spammers would just create a fake community that all certify each other.

    • Does not make email a pain in the ass. Whitelisting, TMDA, and a lot of things fail flat on their face here. The reason email is the killer application is because it's simple and universal. You will kill that with an overly complicated scenario that involves fees, licenses, governing organizations, international cooperation, etc.


    If you have an idea for a completely new system that doesn't suck in the ways above, I'd like to hear it. But I haven't heard of one yet...
    • by Anonymous Coward

      Maybe you're right and SMTP can become a spam-free email system. But consider this: Email is universally embraced because of the reasons you listed, but it is quickly losing that acceptance because it is becoming harder to understand, less standardized or plain not worth the effort, largely due to spam and anti-spam measures. Something has to be done.

      Does everybody have to switch at the same time? Certainly not. A good system can run in parallel. When people see that they don't get spammed with the new sys

    • "If you have an idea for a completely new system that doesn't suck in the ways above, I'd like to hear it. But I haven't heard of one yet..."

      Stick with SMTP, stop being such utter idiots about spammer abuse. To succeed the spammers have to send a lot of probing packets to IPs everywhere. Quit ignoring those probes.

      No new protocol required, nothing centralized, no disruption from a switchover, nothing that makes email a pain in the ass (instead it makes spamming a pain in the ass - to spammers).

      It's d
  • no. (Score:4, Insightful)

    by Drakon ( 414580 ) on Sunday May 25, 2003 @04:53PM (#6036625) Journal
    that's not a good solution. sorry. see above
    I don't see why I can send mail from, for example, president@whitehouse.gov
    This is ASTOUNDINGLY easy in UNIX systems
    hostname whitehouse.gov
    useradd -m president
    su - president
    mail -s 'How are you gentelmen???' ...
    • Re:no. (Score:3, Informative)

      by cyb97 ( 520582 )
      Or even easier...

      sendmail -fpresident@whitehouse.gov spamrecipien@dot.com

      Hello dear...

      .

      OR from any OS

      telnet blahblah.example.org 25
      mail from: president@whitehouse.gov
      rcpt to: my favourite spamrecipient...
      data
      blahblah

      .
    • Re:no. (Score:3, Funny)

      Heh. That's a great idea. I'm going to mail about 50 petty dictators around the world from president@whitehouse.gov with: "How are you gentlemen??? Make your time." Let the geopolitical chips fall where they may, I say.
    • Re:no. (Score:3, Informative)

      by Quixote ( 154172 )
      This is ASTOUNDINGLY easy in UNIX systems

      Why blame Unix? As long as you have the ability to open a telnet to the outside world (port 25, to be more precise), you can do it from any connected machine.

      Heck, I remember telnetting to the victims' MX servers and typing in the message by hand. It wasn't too difficult.

    • Have you ever looked at a mail header when that is done? It looks something like this

      Received: from whitehouse.gov ([64.110.8.7]) by

      A simple reverse lookup tells the recipient that the sender is bogus.
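The reverse-lookup check described in the comment above, as an added example that is not part of the original thread: it pulls the claimed HELO name and the connecting IP out of each `Received:` header and compares the name with the PTR record for that IP. The sample messages, hostnames other than whitehouse.gov, documentation-range IP addresses and the PTR table are constructed so the code runs offline; a real deployment would pass a resolver that queries DNS.

```python
import re
from email import message_from_string

# "from <helo-name> ([ip])" or "from <helo-name> (<rdns> [ip])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

# Constructed stand-in for reverse DNS (PTR) answers.
CONSTRUCTED_PTR = {
    "192.0.2.7": "dsl-7.pool.isp.example",
    "198.51.100.25": "mail.example.org",
}

# Constructed sample: the claimed name does not match the connecting host.
SPOOFED = """\
Received: from whitehouse.gov ([192.0.2.7]) by mx.bar.example with SMTP;
\tSun, 25 May 2003 16:53:00 -0400
From: president@whitehouse.gov
To: joeblow@bar.example
Subject: constructed sample

body
"""

# Constructed sample: the claimed name agrees with the PTR record.
LEGIT = """\
Received: from mail.example.org ([198.51.100.25]) by mx.bar.example with ESMTP;
\tSun, 25 May 2003 16:40:00 -0400
From: alice@example.org
To: joeblow@bar.example
Subject: constructed sample

body
"""


def lookup_ptr(ip, table=CONSTRUCTED_PTR):
    """Offline resolver: return the PTR name for ip, or None if there is none."""
    return table.get(ip)


def normalise(name):
    """Lower-case a hostname and drop a trailing root dot for comparison."""
    return name.lower().rstrip(".")


def check_received(raw_message, resolver=lookup_ptr):
    """Return (helo, ip, ptr, verdict) for every parsable Received header."""
    msg = message_from_string(raw_message)
    findings = []
    for value in msg.get_all("Received", []):
        # Unfold continuation lines before matching.
        match = RECEIVED_RE.search(" ".join(value.split()))
        if not match:
            continue
        helo, ip = normalise(match["helo"]), match["ip"]
        ptr = resolver(ip)
        if ptr is None:
            verdict = "no-ptr"
        elif normalise(ptr) == helo:
            verdict = "match"
        else:
            verdict = "mismatch"
        findings.append((helo, ip, ptr, verdict))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_received(raw))
```

A mismatch is a signal to weigh, not proof of forgery, since many legitimate hosts announce a HELO name that differs from their PTR record.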
    • Citadel [citadel.org] solves this problem by requiring that all users log in to the SMTP server, and secondly by rewriting the From: address to the user's actual address. This violates the RFC, but it makes spoofing the From address impossible, and the responsible user very easy (for the Citadel sysadmin) to find.


      (And yes, you can turn this off if you really want to.)

  • "I'm a real girl...finger me and I'll prove it to you!"
  • Isn't this patented by Amazon or AOL already?

    Also, don't most sane firewall operators have port 79 blocked already? This would also require all those people that put NAT "firewalls" on their plug-n-play broadband connection to figure out how to open a port (and just one, for all of our sakes) to send and receive email. I think it would be easier to just rewrite the whole shebang...

  • Every time I see a spam issue mentioned here on slashdot, I always take the time to mention that spam exists because SMTP is intrinsically flawed to allow it. Sure people can implement black-lists, or white-lists, but no such notion exists natively in SMTP itself. A state can create as many laws as they want, but as long as SMTP is the standard message passing protocol, spam will exist! This is one of those grey areas where a law isn't very good to govern technology. You can pass a law into existence to make cer
    • by schon ( 31600 ) on Sunday May 25, 2003 @07:20PM (#6037329)
      I always take the time to mention that spam exists because SMTP is intrinsically flawed to allow it.

      And you're wrong.

      Spam exists because the sociopaths that do it don't think they're doing anything wrong.

      Spam is a social problem. It doesn't matter if SMTP is "intrinsically flawed" (which it isn't) or not - any system you can think of can be abused. Come up with a better solution, and I bet that I can come up with a way to spam through it in under 5 minutes. And if I can, you can bet that spammers can too.
      • It doesn't matter if SMTP is "intrinsically flawed" (which it isn't)

        I dunno what planet you're from, and I doubt you've read the RFC's regarding SMTP on Earth... cuz the above statements clearly show your ignorance in the SPAM issue. SMTP can be abused because it is flawed despite what you desire, or perceive, to be true. SMTP is wide open to Spam from an era of wide open, non-security minded protocol design.

        In regards to your silly statement about SMTP not being flawed, security wise... I believe Mark Tw
        • I dunno what planet you're from, and I doubt you've read the RFC's regarding SMTP on Earth.

          And again you're wrong. I have written an SMTP server, working from RFCs.

          the above statements clearly show your ignorance in the SPAM issue

          No, they show that you have a closed mind.

          SMTP can be abused because it is flawed despite what you desire, or perceive, to be true

          Then please list the relevant flawed sections. Since you know so much more than me about the RFCs, you should have no problem.

          The whole worl
    • by zcat_NZ ( 267672 )
      SMTP isn't intrinsically flawed, any more than the phone or FAX are intrinsically flawed.

      In the case of the phone or fax, LAWS were necessary to stop sociopaths from setting up automatic diallers that ran 24/7, and from sending millions of junk faxes.

      In the case of mail; laws have been proposed. However, what might be more effective is that most ISP's decide SPAM is unacceptable and change their ToS to disallow it. Something like "If you spam, we will disconnect you, add your name to a nationwide ISP blac
    • If you're going to think (which is good) why not think more? There are two aspects to the open relay problem, for instance. These are:

      (1) Open relays exist.
      (2) Spammers can find them.

      The campaign to secure open relays aims strictly at (1). The campaign also ignores RFC 2505, which says this is not the way to stop spam, because of (2).

      So if attacking (1) doesn't work isn't it logical to try to attack (2)?

      Spammers have an unbelievably easy task when it comes to finding open relays. They just try to re
    • spam exists because SMTP is intrinsically flawed to allow it. I have to say that maybe you're on to something here, I've never gotten any SPAM when we used good old UUCP.
  • by wowbagger ( 69688 ) * on Sunday May 25, 2003 @06:11PM (#6037008) Homepage Journal
    The fundamental problem with this is that it gives a spammer a way to insure a user is valid, thus allowing him to continue to spam the user. Thus, it not only does not solve the problem, it makes it worse.

    Here's my counterproposal:

    1) Create a new system, called "Verified Mail Transport System" or VMTS.
    2) A VMTS server has a public/private keypair. The public key is listed via DNS, the private key is held by the server.
    3) Several revocation lists exist - for example, a list of servers known to propagate spam, or to accept mail from non-VMTS servers and send it as though it had come from a VMTS server.
    4) Failure to comply with the rules of VMTS is sufficient cause to be blacklisted - the server's administrators will be given 1 week after notification of violation to correct the problem, and if the problem persists, they are blacklisted. It does not matter whether the server is ittybittyisp.cm or uunet.net.
    5) All servers are REQUIRED to validate the identity of anyone originating mail on that server - this validation can be done by a public/private keypair system similar to the one used between servers, or by RADIUS, or any other means that allows for tracing a given message back to the (l)user who sent it.
    6) The user's machine shall sign the mail with the user's identity, or the user's mail server shall sign the message with its key if the user's system cannot do so. This signature shall be placed in the mail system headers of the message, along with the user's ID (NOTE: the user's ID does not have to be the user's email address or name, just some identifying number).
    7) When a mail server handles a piece of mail, it shall compute a signature of the headers it adds AND the signature of the previous mail server's headers, and place that signature in the headers. That signature shall be based on the mail server's keypair.
    To make this clear, given the following headers:
    1) From: server foo
    2) For: joeblow@bar.ex
    3) Priority: highest
    4) Prev_hdr_sig: 0xf238ace1
    5) From: server narf
    6) For: joeblow@bar.ex
    The receiving server need only check headers 1-4. Header 4 covers header lines 5 up.

    8) A mail server shall validate the headers from the previous server by looking up that server's public key, decoding the signature, and verifying the signature matches the headers.
    9) Upon getting a failure to match in step 8, the server receiving the message shall stop the transfer and drop the message. It MAY also blacklist the sending server, notify its postmaster, or whatever other actions it deems needed.

    NOTE: since all each server in the chain needs to check is just a very small number of headers, this shouldn't add a HUGE load to the server (less than spam filtering does). Since the keys are distributed via DNS (perhaps as TXT records, perhaps as a dedicated record), they get cached, so that the load of getting them is reduced.

    When I, as an end user, get my mail, I can still get SMTP and VMTS. I can then read my VMTS mail first, then worry about the SMTP.

    Now, how does this fight spam?
    1) No unintentional mail servers/relays. Since you have to set up a DNS record to be valid, you won't see accidental open relays.
    2) Intentional spam relays get blacklisted, since that is a part of the rules of the system. The big backbone providers like UUNET can and will get blacklisted if they don't comply, so they cannot play host to pink contracted spammers.
    3) If I want to fully authenticate a message, I can independently check each header block. If the headers are forged the signature won't decrypt properly (since the forger won't have the private key needed to encrypt it), and I immediately know where the message came into the system (thus, who to blacklist).
    4) If I wish to identify the particular (l)user who sent the message, I could send the originating mail server a message with the following information:
    4a) the signature I've computed for the message
    4b) the signature heade
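The header-chain signing in steps 7 to 9 of the comment above, as an added example that is not part of the original post. It assumes each signature covers the lines a server adds plus the previous server's signature value; textbook RSA with small constructed keys stands in for a real signature scheme, a dict stands in for the DNS key lookup, and all function names are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA from two known primes -> (n, d). Demo sizes, no padding."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed keys (Mersenne primes); PUBLIC stands in for the DNS key lookup.
KEYS = {"narf": make_key(2**61 - 1, 2**127 - 1),
        "foo": make_key(2**89 - 1, 2**107 - 1)}
PUBLIC = {name: n for name, (n, _d) in KEYS.items()}

def _digest(lines, prev_sig, n):
    data = "\n".join(list(lines) + [prev_sig]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def add_hop(chain, server, lines, key):
    """Step 7: sign the lines this server adds plus the previous hop's signature."""
    n, d = key
    prev_sig = chain[0]["sig"] if chain else ""
    sig = format(pow(_digest(lines, prev_sig, n), d, n), "x")
    return [{"server": server, "lines": list(lines), "sig": sig}] + chain

def hop_ok(chain, i, public_keys):
    """Step 8: check block i (0 = newest) against its server's public key."""
    hop, n = chain[i], public_keys.get(chain[i]["server"])
    prev_sig = chain[i + 1]["sig"] if i + 1 < len(chain) else ""
    try:
        return n is not None and pow(int(hop["sig"], 16), E, n) == _digest(hop["lines"], prev_sig, n)
    except ValueError:  # signature field is not valid hex
        return False

def first_bad_hop(chain, public_keys):
    """Walk newest to oldest; return the server named in the first failing block."""
    for i, hop in enumerate(chain):
        if not hop_ok(chain, i, public_keys):
            return hop["server"]
    return None

def sample_chain():
    """The two header blocks from the comment: narf originates, foo relays."""
    chain = add_hop([], "narf", ["From: server narf", "For: joeblow@bar.ex"], KEYS["narf"])
    return add_hop(chain, "foo", ["From: server foo", "For: joeblow@bar.ex",
                                  "Priority: highest"], KEYS["foo"])

if __name__ == "__main__":
    chain = sample_chain()
    print("intact chain, first bad hop:", first_bad_hop(chain, PUBLIC))
    chain[1]["lines"][1] = "For: someone.else@bar.ex"  # edit narf's block after signing
    print("tampered chain, first bad hop:", first_bad_hop(chain, PUBLIC))
```

A receiving server only needs `hop_ok(chain, 0, PUBLIC)` for the newest block; `first_bad_hop` is the full end-user check described in point 3 of the comment.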
    • Just one interesting problem. Let's say I want to spam your ISP, say, escape.com. I can set up my DNS a particular way, spam you directly. "Now it's escape.com's job to say, holy crap, he spammed me, blackhole the fucker." Now that you've blackholed me, I can buy a new domain for about $8, and use that now. I've switched identities.

      Now what if a domain expires? How does the blacklist get updated? When testsomething-001.com gets expired in a registry, we'll never know. Same if someone decides to rere
      • Good questions, actually.

        The short answer is that if you are willing to buy domains and spam from them, there is relatively little anybody can do about it with any system.

        However, you not only have to register the domain, you have to host it somewhere. Obviously, the current IP based blacklists don't go away, so your IP gets blocked as well.

        However, the idea here is to be able to identify WHO YOU ARE - to be able to track the spam back not just to spammer.example, but to Joe Blowe at 1234 Pink Tinned Mea
        • Continuing on the blacklist problem. Even if it is geometric, what if an IP finally gets decommissioned, either via ARIN et al or an ISP for a particular user... now you have the problem of a user/isp having to figure out to talk to ARIN because they are black listed. Who do you trust when an IP should be reinstated?

          It's a difficult problem, I know. Any system, for good, or for awesome.. or for evil for that matter, has its exploits you can't get around. Look at the Xbox. "You can't modify hardware!"
          • True, but that is no worse than the situation now - for example, my ISP has blacklisted netvision.net.il because they are infected with a virus and won't clean up their act.

            They will remain blacklisted ad infinitum, since it is unlikely they will be able to notify us if and when they clean up their act.

            However, again the idea is to bring pressure to bear quickly upon the spammers, that they are removed from the system before they make any money, and wither and die.
        • 1234 Pink Tinned Meat Lane, FL.

          Ah Ha! So that's where that damned spammer lives!
          Should have been obvious, really.

  • Blah blah blah. SMTP e-mail is going away. Free e-mail is going away. Blah blah blah.

    Here comes the government to solve the problem. Spam is now the enemy. It must be destroyed.

    SMTP v3 or whatever is on its way. The only question is the exact design. Finger protocol or not, it doesn't really matter. The general outline is already known. Real-world verification of identity tied to every e-mail address capable of receiving SMTP v3 e-mail. A transition period where people can sign up for "upgraded" e-mail

  • How about having the SMTP servers do a reverse lookup for those servers trying to send mail. A simple gethostbyaddr() call would filter quite a bit of spam (if who_you_say_you_are != who_your_ip_address_says_you_are then FLUSH). Those pieces of spam that use "legitimate" mail headers would have the ISPs either black listed or not providing service to spammers in short order.
  • How about I give you the finger, and you give me my phone call.
  • Another simple solution would be for ISPs to give out good, advanced filters to all their users, implementing most by default and allowing them to set black and whitelists through an easy-to-use (read: newbie friendly) administration panel. That helps in not receiving the spam at all at the ISP level and reduces our bandwidth consumption.

    I'm sure blocking it from even entering your mailbox will help a lot, although it may not help in elimination. Apart from the crappy filters on webmail services, I haven't
  • by Dark Coder ( 66759 ) on Monday May 26, 2003 @09:49AM (#6040075)
    The first thing I did was make a sendmail milter that does exactly the validation of "FROM:".

    I ran into trouble in various areas:

    1. AO-Hell now has a non-RFC mail server
    2. Yahoo "blindly" approves ANY "FROM:" test
    3. MSN "blindly" approves ANY "FROM:" test
    4. Majordomo may not validate their own "FROM:"
    5. Nothing prevents SPAM'r from "assuming" a valid email address (heck, they have 1 billion to pick from... identity theft here, YES!)
    6. Any attempt to tie DNS MX to the "FROM:" will break the following:
    a. mobile IP
    b. legitimate "forwarder"
    c. NAT environment
    d. valid SMTP-Relay link
    e. Backup SMTP server

    So, my work is also a work-in-progress, but I see the barriers. This is a stretch but I continue to use it nonetheless because the benefit far outweighs the risks of dropped legitimate mail.

    The Finger protocol only protects the end-user against "hit-and-run" spammer (fake FROM:), but not the well-entrenched corporate spammers (real FROM:).

    The last trick up my sleeve is the "WHITELIST" with folding cash-hash challenge or "please type what you see" LARGE TIFF images.

    --
    Hang the Spammer from the highest yardarm!
    -- Uncertainty breeds doubts. So, by always assuming, you'll be right most of the time and look like a genius.
  • by janda ( 572221 ) <janda@kali-tai.net> on Monday May 26, 2003 @10:46AM (#6040269) Homepage

    First, make sure you have reverse DNS lookup turned on, so that if you're claiming to be from domain foo.com, but your IP address says you're at bar.com, it gets dropped.

    For everything else, set up a blacklist. Any addresses and domains in the blacklist do not get dropped, they get returned to the originator with a "no such user at this address" error message.

    You'd probably need to build in some logic so that if I'm forging things from "invalid.user@foo.com" you don't start wasting bandwidth getting more bounce messages...

    For the rest of it, you'd test things in the following order:

    • Reverse DNS lookup. If this fails, drop it.
    • User whitelist, these get passed through.
    • User blacklist, these get "no such user".
    • System whitelist, these get passed through.
    • System blacklist, these get "no such user".
    • RBL, ORBS, etc.
    • Send it to user.

    Personally, I prefer the concept of using spammers as experimental subjects, or perhaps seeing how long they would last underwater without any scuba gear, or something.
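The check order from the comment above, together with the gethostbyaddr() reverse-lookup test suggested earlier in the thread, as an added example that is not part of either post. The function names, policy layout and sample addresses are constructed for illustration, and rejecting on an RBL hit is an assumption, since the post names the RBL step without stating an action.

```python
import socket

def system_ptr(ip):
    """Default PTR lookup via gethostbyaddr(); None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def rdns_matches(ip, claimed_domain, ptr_lookup=system_ptr):
    """True when the PTR name of the connecting IP is the claimed domain or a host in it."""
    host = (ptr_lookup(ip) or "").lower().rstrip(".")
    claimed = claimed_domain.lower().rstrip(".")
    return bool(host) and (host == claimed or host.endswith("." + claimed))

def _listed(sender, entries):
    """A list entry matches either a full address or a bare domain."""
    sender = sender.lower()
    return sender in entries or sender.rpartition("@")[2] in entries

def classify(ip, claimed_domain, sender, policy, ptr_lookup=system_ptr):
    """Return (verdict, reason); the first matching check wins, in the post's order."""
    if not rdns_matches(ip, claimed_domain, ptr_lookup):
        return "drop", "reverse DNS mismatch"
    for scope in ("user", "system"):  # user lists are consulted before system lists
        if _listed(sender, policy[scope + "_whitelist"]):
            return "deliver", scope + " whitelist"
        if _listed(sender, policy[scope + "_blacklist"]):
            # Answered during the SMTP session, so no separate bounce is generated.
            return "reject", "550 no such user (" + scope + " blacklist)"
    if ip in policy["rbl"]:
        return "reject", "listed on RBL"  # assumption: the post gives no action here
    return "deliver", "default"

# Constructed sample data (documentation IP ranges and .example domains).
PTR = {"192.0.2.10": "mail.foo.example", "192.0.2.20": "dsl-20.bar.example",
       "198.51.100.7": "mx.bulk.example", "203.0.113.5": "relay.other.example"}
POLICY = {"user_whitelist": {"friend@bulk.example"},
          "user_blacklist": {"ads@foo.example"},
          "system_whitelist": {"foo.example"},
          "system_blacklist": {"bulk.example"},
          "rbl": {"203.0.113.5"}}

if __name__ == "__main__":
    for args in [("192.0.2.20", "foo.example", "a@foo.example"),
                 ("198.51.100.7", "bulk.example", "friend@bulk.example"),
                 ("198.51.100.7", "bulk.example", "offers@bulk.example")]:
        print(args, "->", classify(*args, POLICY, PTR.get))
```

The PTR record is set by whoever controls the IP block, so this check only catches senders who do not control their own reverse zone.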

  • Unfortunately, the finger method solves the wrong problem. As mentioned by others [slashdot.org] the system provides spammers with the capability they need to defeat it and a more efficient way of checking if their 1000000000 e-mail addresses are good and valid still.

    The problem is veracity of the sender, not existence of the sender.

    Public/private key schemes, rewrites of SMTP are all interesting and all, but standard SMTP is ubiquitous, and any solution that doesn't fit well with SMTP as it is is likely not to amo

  • My spam problem has already been solved.

    Yes, you read that right. No, I'm not full of shit. (Ok, maybe I am, but not on this point.)

    Anybody who wants to email me knows that they have to put a certain phrase in the subject line. I've set up the filters in Kmail so that anything that doesn't contain that phrase goes into the void and I only see the stuff with the phrase.

    So when I give out my email address to someone so they can write me, or when I reply to someone, I give them instructions on what is req
  • Let's all go back to smoke signals! Ooops, nevermind...I'm sure the spammers would find a way to get around that, too. They'd probably start huge fires and call it "marketing."
