Discussion:
[IP] 4 Rivals Almost United on Ways to Fight Spam
(too old to reply)
g***@terabites.com
2004-06-23 19:03:54 UTC
Permalink
<---- Begin Forwarded Message ---->
From: David Farber <***@farber.net>
Subject: [IP] 4 Rivals Almost United on Ways to Fight Spam
Date: Wed, 23 Jun 2004 05:36:29 -0400
4 Rivals Almost United on Ways to Fight Spam
June 23, 2004
By SAUL HANSELL
Four large Internet service providers agreed yesterday to a
partial truce in their battle with one another over
potential technology to stop junk e-mail in hopes that they
can devote their united energy to fighting spam.
More than a year ago the four providers - America Online,
Yahoo, EarthLink and Microsoft - said that they would work
together to create technical standards that could verify
the identity of the sender of an e-mail message.

The core problem with this approach is that it does NOTHING to prevent the
sending of spam... the only thing it does is to help make sure that the return
address on the spam is valid, and it's not even very good at doing that.
Most spam, and nearly all of the messages in the rapidly
growing identity-theft fraud known as phishing, is done
with a fake return address.

Right. But:

1) There is NOTHING that requires that spam be sent with fake return
addresses... spammers use phoney return addresses largely AS A KINDNESS so that
complaints and bounces don't converge back on some poor victim's E-mail inbox.

2) Requiring the use of "real" return addresses, besides not preventing the
sending of spam, makes the spam problem WORSE instead of better... suddenly,
victimized ISPs will have to DELIVER (and store!) all these bounce messages and
complaint messages.

3) A large (and increasing) percentage of all spam messages originate at
spambot zombies, machines that have been infected by worms or viruses and turned
into willing slaves to send spam as spammer proxies. These worms can be
reprogrammed, LITERALLY overnight, to use "real" return addresses and
authorizations belonging to the infected machine's legitimate owner. Once
that's been done, sender authorization is *useless* other than (hopefully)
rapidly identifying the infected machine. But that's still locking the door
after the horse has escaped, since there's thousands of newly infected machines
every day. You're playing a never-ending (if anything, escalating) game of
whack-a-mole... and like whack-a-mole, the machine can pop up moles in the end
stages of the game faster than you could ever hope to club them down.
Many experts suggest that a
system that could identify and discard such falsely
addressed messages is one of the most potent possible
weapons against spam.

Those "experts" are blowing smoke. I don't know why they're so fixated on these
misguided and ill-conceived "authentication/authorization" approaches, but
ultimately these approaches mostly just hurt numerous legitimate users, and do
not really solve the problem.
"The biggest thing we can do to reduce spam is sender
authentication," said Brian Sullivan, the senior director
for mail operations at America Online.

That's simply *rubbish*. Unless and until they get the spambot zombie problem
under control, they cannot solve the spam problem. And it's relatively easy to
solve the spambot zombie problem by using a finely-grained permissions system,
where each recipient authorizes senders to send them familiar and trusted types
of material.

By DEFAULT, anybody could send any recipient plain ASCII text messages, up to
some limited size (say 50K or 100K bytes) and without any attachments. In order
for an E-mail sender to send other types of material and have the recipient
actually see it, they'd have to negotiate with the intended recipient to get the
right to have such mails delivered to that recipient.

For example, I might grant my Aunt Gertrude the right to use fonts and
bold/underline in her E-mails to me, or JPGs of her poodle Fifi, but I wouldn't
grant her the right to send me Javascript, ActiveX, or executable attachments.
E-mails that LOOK like the sort of things I'd expect to get from Gerty would be
delivered to me; even if her machine got turned into a zombie spambot. Stuff
that DOESN'T look like what I expect to receive from Gerty would be summarily
t-canned, even if it (actually and truly) came from her machine and with her
return address. (In practice, most people wouldn't allow ANYBODY AT ALL to send
them executables, PIF files, SCR files, CPL files, VBS files, and the like...
even ZIP files... which would essentially eliminate the ability of infecting
those user machines with zombie spambots! You don't require daily updates of
virus/worm signatures (which, of course, also inevitably LAG the problem) for
that!)

Once HTML is denied in E-mails of unapproved senders, most of the tricks and
deceptions that spammers and phishers use are also prevented. This allows a
good content-based antispam filter to very effectively deal with the spam that's
left.
But the Internet providers have supported different
technical approaches. Last month, Microsoft agreed to merge
its proposal, called Caller ID, with another, called Sender
Policy Framework, or S.P.F., backed by America Online and
EarthLink. The new name of the combined standard is Sender
ID.

Those approaches are ALL fatally flawed for a variety of reasons, but the main
one is simply that (despite that they inconvenience a *LOT* of legitimate users)
they simply DO NOT SOLVE THE PROBLEM.

I think it's awfully telling that AOL (one of the biggest offenders in sending
gratuitously HTML-burdened E-mails, which are a big part of the problem) hasn't
figured out that their use of HTML is a big part of what makes the
spam/virus/worm problem so intractable.
Yahoo had continued to support a very different approach,
called Domain Keys, that is more technically powerful but
would take longer to carry out.

The nice thing about a permissions-based system controlled by a recipient is
that it requires NO complex re-engineering of the world's E-mail infrastructure,
can be implemented IMMEDIATELY, is easy to understand and use, and immediately
benefits those users as soon as they install it.
In an announcement yesterday, the two remaining camps agreed to give limited
support to test each other's technology.

I think this is very sad, since these folks are taking their eye off the ball.
It's sort of the old story about "once you've decided on the hammer as your
tool, you try to make every problem look like a nail." They've developed this
elaborate system for identifying senders, and trying to pretend that it will
work against spam. Even when it should be clear to the most enlightened folks
that it won't solve the problem it's being presented with as justification.

The parallel to presenting invasion of Iraq as a "war against terrorism" with
vague references to 9/11 is too obvious to not mention.
"Over the last year, we had four gorillas learning how to dance," Mr. Sullivan
said. "Finally we can work from the same choreography."
Meng Wong, the author of the S.P.F. protocol, praised the agreement.
Of course, since he's been one of the leaders of the "ignore the facts"
movement. I've presented in the SPF discussion groups many of the failings of
SPF, and gotten only excuses and denial in exchange. I concluded more than six
months ago that SPF was fatally flawed, and consequently left that discussion
group, concluding that pursuing it was a waste of time. Unfortunately, it seems
that other people haven't figured it out yet, so we're embarking on this grand
detour on the way to actually addressing and dealing the spam/virus/worm problem
in a meaningful and effective way.
"It's good news because we now have a road map," he said.
"We can proceed with S.P.F. and Sender ID now and with
Domain Keys as a second wave."

Their "road map" leads to a non-solution. Perhaps they're still happy because
at least they can be SEEN as "doing something", even if it's worthless. But
it's basically dishonest, since they OUGHT to know better.
Indeed, proponents said the two approaches had the
potential to be complementary. The Internet provider that
sends an e-mail message can use both methods at the same
time to vouch for the veracity of the sender's address.

So they require that the zombie spambot software sends the message using the
victim machine's real E-mail address (or, perhaps, the E-mail address of a
different user who happens to use the same ISP domain name). And there the SPF
solution reaches "end of road". You've adopted this grand scheme, and suddenly
you've reached the end of your rope and you've still got the spam/virus/worm
problem. NOW WHAT? Duh!
And the provider that receives a message can also look to
either approach to help determine whether a message should
be discarded as spam.

The problem is that it doesn't really tell you much. Many legitimate messages
will NOT comply with SPF's "rules". Several examples:

1) You're a travelling salesperson or executive and occasionally need to use
Internet cafes, airport waiting lounge kiosks, cruise ship internet cafes, or
other such places to send your important E-mail. Clearly you want to (and NEED
to) send it using your own company's E-mail address, since you won't be at that
location long enough to receive the needed replies at the temporary location
E-mail address. But you won't be (and often can not be) sending via your
habitual SMTP server associated with your domain name.

2) Yahoogroups-like mailing lists, which might forward individual E-mail
messages to group members, or might consolidate them as a daily digest.
America Online and EarthLink said yesterday that they would
use Domain Keys by the end of the year. And Yahoo said it
would probably start using both Domain Keys and Sender ID
by the end of the year. Microsoft did not commit itself to
using Domain Keys, saying it was still evaluating it and
some other related approaches, like one recently proposed
by Cisco.

All of these authentication/authorization approaches (like the micropayments
schemes too, for that matter) simply don't work when zombie spambots commandeer
authorized/authenticated machines and send out spams using a victim's legitimate
authorizations.
Despite the talk of tests, S.P.F. and the new Sender ID
proposal appear to have momentum in being adopted by major
players.

That's very disappointing. They OUGHT to know better.
America Online and EarthLink already use S.P.F. to
verify their outgoing e-mail. And Microsoft has said it
will soon use the Sender ID system.

They ought to know better too.
Perhaps more important, America Online has said that by the
end of the summer it will look to see whether messages it
receives are verified by S.P.F. and that high-volume
mailers will have to use it if they want their messages to
be delivered to AOL subscribers.

The big gorillas certainly can brutalize most people into adhering to stupid and
non-functional schemes, but ultimately they're going to inconvenience a LOT of
people, and end up just looking stupid themselves.
Several large e-mail senders, including Amazon.com and Google, have already
taken the steps necessary to verify their mail using S.P.F.

For some people, SPF isn't a big problem. For others, using it is nearly
impossible for a whole variety of reasons. But E-mail is supposed to be
UNIVERSAL; it's not enough to allow 80% or 90% of users to be able to send
E-mail and ignore the legitimate needs of the remaining 10% or 20%.
S.P.F. and Sender ID have gained a following because they
are the easiest to put in effect. They are based on the
fact that every computer on the Internet has a unique
identifier, called an Internet Protocol number. That number
is much harder to fake than a return e-mail address.
Sender ID allows an organization, like an Internet provider
or a company, to designate certain I.P. addresses as the
computers that are authorized to send e-mail on its behalf.
Any e-mail that pretended to be from that organization but
was not from those designated I.P. numbers would be
suspect.

And that's fine for a little organization with ten or twenty users which only
ever needs to send mail from within their offices.

But bigger organizations (say, Comcast.com/.net, or Earthlink, or AOL) which
have many millions of users and at the very least probably HUNDREDS of mail
servers mean that if a given E-mail comes from a valid ISP E-mail user name and
through ANY of that ISP's mail servers, it will still be "approved" (as indeed,
it would NEED to be... an Earthlink user might be travelling and call in to the
Earthlink access number in a distant city, during a trip). User A's Comcast
E-mail address could be forged by any of six or ten million zombie-infected
Comcast-connected machines in other cities, and still pass these misguided and
ineffective "authorized mail servers for the user's domain" tests with flying
colors. :-(
The problem with this approach is that there are legitimate
cases of one server's sending e-mail on behalf of another.

That's just ONE of the problems.
For example, online greeting card services often send
messages with the return address of the person who sent the
message. That way, if the recipient of that message replies
to it, the response is routed back to the original sender.

A much bigger problem is that of mailing lists, whether Majordomo-style or
Yahoogroups-style.

Frankly, I'd like to see an end to these "online greeting card services" anyhow,
since they're often just a front to collect E-mail addresses. Far better that
the "card company" send the card back to the originator, so they can forward it
themselves. That way, the sender isn't tricked into betraying the recipient by
giving the recipient's E-mail address to a third party. But that's a battle for
another day.
The backers of S.P.F. and Sender ID say there are ways to
work around these problems, but they may require
adjustments to the procedures of some mail senders.

The fact that those "adjustments" are very often infeasible doesn't seem to
bother Wong in the slightest. He's determined to pursue his misguided scheme,
and to hell with everyone who won't or can't comply with it. It might ALMOST be
worth it if the scheme fixed the problem... but it doesn't, and never will!
The Domain Keys approach tries to verify the actual sender
of a message, not the computer used to send it. The author
of an e-mail inserts a short code, known as a digital
signature, into the header of each message. The computer
that receives the message can use the signature to verify
if the message was actually created by the sender in the
"from" line. This method could let one computer send mail
on behalf of another, as in the greeting card example. But
it requires greater changes to the programs that send and
receive e-mail.

If it's possible for a third party to use the signature to send on behalf of the
sender owning the signature, then obviously that same third party could send
spam using the E-mail address and signature too.
The Internet providers, however, cautioned that both of
these technical approaches are just part of the solution to
the problem. Once Internet recipients can verify who is
sending them mail, they can start to keep track of who
sends legitimate mail and who sends spam.

And that's about as far as it gets you, if even there. Okay, now you've
identified an infected machine. Now what? So you clean it up. Next week, next
month, it will probably become infected again. Meanwhile, literally MILLIONS of
new infections elsewhere will occur... tens or hundreds of thousands of
infections a day. Again, this is a never-ending game of whack-a-mole, and the
proposed solution will do DAMNED little to put an end to it. The proposed
solutions just divert attention from coming up with a REAL and EFFECTIVE
solution.
"I don't think that users will see a reduction in spam
right away," said Robert Sanders, chief architect at
EarthLink. "Identity is just the first step."

No, of course they won't see a reduction in spam right away. In fact, based on
these schemes, they NEVER will see a reduction in spam, since these solutions
DON'T SOLVE THE PROBLEM!

Why don't we SOLVE THE PROBLEM, instead, and skip these diversionary and costly
non-solutions that complicate the infrastructure without any truly worthwhile
payback adequate to justify their cost?

By eliminating inappropriate HTML and attachments (via a finegrained permissions
whitelist) coming from unknown/untrusted senders, we can let through the mail we
want and need to receive, while blocking unexpected stuff coming from untrusted
(or even, for that matter, trusted) senders. For most users, who won't have
authorized ANY users to send them executable attachments (even encoded in ZIP or
other archives), we virtually *eliminate* in one fell swoop (and without needing
to download a neverending succession of updated "signature" files, which
*inevitably* lag new malware anyhow) the ability to use E-mail as a vector for
zombie/virus/worm infections... which are the largest single cause of
intractable spam, as well as other nasty problems like DDOS attacks.

Better still, if the problem is solved RIGHT, it requires NO change to the
worldwide E-mail or DNS infrastructure, [thus] NO worldwide consensus on what
needs to be changed, can be made understandable by even unsophisticated users,
and can be implemented IMMEDIATELY and with IMMEDIATE beneficial effect for
early adopters. And it doesn't block ANY legitimate uses of the Net.
http://www.nytimes.com/2004/06/23/technology/23spam.html?
ex=1088982618&ei=1&en=374988bf644214bc
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/


<---- End Forwarded Message ---->

Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
George Ou
2004-06-24 21:21:10 UTC
Permalink
Responses below....

----- Original Message -----
From: <***@terabites.com>
To: <***@nytimes.com>; <***@cs.cmu.edu>; <***@microsoft.com>;
<***@ietf.org>; <***@microsoft.com>; <***@microsoft.com>;
<***@aol.com>
Cc: <***@terabites.com>
Sent: Wednesday, June 23, 2004 12:03 PM
Subject: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
Post by g***@terabites.com
1) There is NOTHING that requires that spam be sent with fake return
addresses... spammers use phoney return addresses largely AS A KINDNESS so that
complaints and bounces don't converge back on some poor victim's E-mail inbox.
Kindness? More like they don't want to hear the complaints themselves on
their own spammer equipment. If you're careless enough to let a spammer
zombie your computer, maybe getting an earful of complaints is whats going
to make you wake up and patch your system and upgrade to WinXP SP2 as soon
as it's out.
Post by g***@terabites.com
2) Requiring the use of "real" return addresses, besides not preventing the
sending of spam, makes the spam problem WORSE instead of better... suddenly,
victimized ISPs will have to DELIVER (and store!) all these bounce messages and
complaint messages.
Worse? I've heard of a lot of valid criticisms on why authentication may
not work, but make things worse? You've got to be joking. You're assuming
that all spam in the post authentication world will be sent on hijacked
valid email accounts. If that problem begins to surface, ISPs will begin to
rate limit all users by default to something like 100 messages a day, which
the vast majority of people will not mind. If you need more, do a special
agreement with the ISP or run your own mail servers. If you abuse email
whether intentionally or unintentionally, you deserve all the flack for it.
Post by g***@terabites.com
These worms can be
reprogrammed, LITERALLY overnight, to use "real" return addresses and
authorizations belonging to the infected machine's legitimate owner. Once
that's been done, sender authorization is *useless* other than (hopefully)
rapidly identifying the infected machine.
See rate limitting above, and motivation to patch yourself.
Post by g***@terabites.com
Those "experts" are blowing smoke. I don't know why they're so fixated on these
misguided and ill-conceived "authentication/authorization" approaches, but
ultimately these approaches mostly just hurt numerous legitimate users, and do
not really solve the problem.
Those "legitimate" users need a nice flame in their rear for leaving
themselves wide open. If this gets their email account shut down for
spamming, then let that be a lesson to them. Right now, they just spew and
spew out spam until the ISP shuts off their port 25 access. The post
authentication world will have a much more granular and pin point way to
combat them on the application layer and not just the network layer of
source IPs. You can now track the zombie by legitimate email accounts
rather than a source IP addresses that were acquired via DHCP.
Post by g***@terabites.com
"The biggest thing we can do to reduce spam is sender
authentication," said Brian Sullivan, the senior director
for mail operations at America Online.
That's simply *rubbish*. Unless and until they get the spambot zombie problem
under control, they cannot solve the spam problem. And it's relatively easy to
solve the spambot zombie problem by using a finely-grained permissions system,
where each recipient authorizes senders to send them familiar and trusted types
of material.
Your vision of a "finely-grained" permission system is a grand illusion that
everyone will update their email client software which wouldn't work anyways
without some form of sender authentication. All the proposed authentication
schemes only require action on the part of the SMTP servers and the addition
of a few DNS records. You're proposal requires that all the email clients
of the world be updated which is a pipe dream.
Post by g***@terabites.com
For example, I might grant my Aunt Gertrude the right to use fonts and
bold/underline in her E-mails to me, or JPGs of her poodle Fifi, but I wouldn't
grant her the right to send me Javascript, ActiveX, or executable attachments.
E-mails that LOOK like the sort of things I'd expect to get from Gerty would be
delivered to me; even if her machine got turned into a zombie spambot.
Stuff
Post by g***@terabites.com
that DOESN'T look like what I expect to receive from Gerty would be summarily
t-canned, even if it (actually and truly) came from her machine and with her
return address. (In practice, most people wouldn't allow ANYBODY AT ALL to send
them executables, PIF files, SCR files, CPL files, VBS files, and the like...
even ZIP files... which would essentially eliminate the ability of infecting
those user machines with zombie spambots! You don't require daily updates of
virus/worm signatures (which, of course, also inevitably LAG the problem) for
that!)
Once HTML is denied in E-mails of unapproved senders, most of the tricks and
deceptions that spammers and phishers use are also prevented. This allows a
good content-based antispam filter to very effectively deal with the spam that's
left.
There is an even better approach for combating unintentional malware
execution due out in a few months. It's called Windows XP Service Pack 2,
and it doesn't need your misguided "finely-grained" permission system which
wouldn't work without some form of sender authentication anyways. After
all, what good is sender permissions if you can't verify it's really the
sender?
Post by g***@terabites.com
The nice thing about a permissions-based system controlled by a recipient is
that it requires NO complex re-engineering of the world's E-mail infrastructure,
can be implemented IMMEDIATELY, is easy to understand and use, and immediately
benefits those users as soon as they install it.
It would require action on a billion users (when pigs fly), rather than the
just the action of the top 500 ISPs to adopt Sender ID and/or Domain Keys
and flat out reject any unauthenticated SMTP. No Gordon, people are not
going to "install" your scheme.
Post by g***@terabites.com
So they require that the zombie spambot software sends the message using the
victim machine's real E-mail address (or, perhaps, the E-mail address of a
different user who happens to use the same ISP domain name). And there the SPF
solution reaches "end of road". You've adopted this grand scheme, and suddenly
you've reached the end of your rope and you've still got the
spam/virus/worm
Post by g***@terabites.com
problem. NOW WHAT? Duh!
Spam is an ongoing fight even with SMTP authentication, but SMTP
authentication will be a sanity check that we cannot aford to ignore. No
body is suggesting that SMTP authentication is the silver bullet or a cure
all.
Post by g***@terabites.com
1) You're a travelling salesperson or executive and occasionally need to use
Internet cafes, airport waiting lounge kiosks, cruise ship internet cafes, or
other such places to send your important E-mail. Clearly you want to (and NEED
to) send it using your own company's E-mail address, since you won't be at that
location long enough to receive the needed replies at the temporary location
E-mail address. But you won't be (and often can not be) sending via your
habitual SMTP server associated with your domain name.
Says who, you can email all you like through your own SMTP server so long as
you authenticate, or via HTTPS Webmail so long as you authenticate. What
are you smoking?
Post by g***@terabites.com
All of these authentication/authorization approaches (like the
micropayments
Post by g***@terabites.com
schemes too, for that matter) simply don't work when zombie spambots commandeer
authorized/authenticated machines and send out spams using a victim's legitimate
authorizations.
You talk about zombies a lot, but what happens to your grand
"finely-grained" scheme when one of your "installed" user base gets
infected?
Post by g***@terabites.com
But bigger organizations (say, Comcast.com/.net, or Earthlink, or AOL) which
have many millions of users and at the very least probably HUNDREDS of mail
servers mean that if a given E-mail comes from a valid ISP E-mail user name and
through ANY of that ISP's mail servers, it will still be "approved" (as indeed,
it would NEED to be... an Earthlink user might be travelling and call in to the
Earthlink access number in a distant city, during a trip). User A's Comcast
E-mail address could be forged by any of six or ten million
zombie-infected
Post by g***@terabites.com
Comcast-connected machines in other cities, and still pass these misguided and
ineffective "authorized mail servers for the user's domain" tests with flying
colors. :-(
Will this ever end? Bottom line, if you're careless with your computer or
SMTP credentials, only your email will be bombed with complaints and be shut
down. It's a hell of a lot easier to track a compromised SMTP account that
is spamming than trying to track down some DHCP IP address of a zombie. Ok,
this is where I have to say enough is enough. I'll just cut the rest of
your nonsensical post.
Andreas Saurwein
2004-06-24 23:46:45 UTC
Permalink
Post by g***@terabites.com
For example, I might grant my Aunt Gertrude the right to use fonts and
bold/underline in her E-mails to me, or JPGs of her poodle Fifi, but I wouldn't
grant her the right to send me Javascript, ActiveX, or executable attachments.
E-mails that LOOK like the sort of things I'd expect to get from Gerty would be
delivered to me; even if her machine got turned into a zombie
spambot. Stuff
that DOESN'T look like what I expect to receive from Gerty would be summarily
t-canned, even if it (actually and truly) came from her machine and with her
return address. (In practice, most people wouldn't allow ANYBODY AT ALL to send
them executables, PIF files, SCR files, CPL files, VBS files, and the like...
even ZIP files... which would essentially eliminate the ability of infecting
those user machines with zombie spambots! You don't require daily updates of
virus/worm signatures (which, of course, also inevitably LAG the problem) for
that!)
Sure, and what you think would be the first thing that all the (l)users out
there do? Right, grant every right to everybody, because they dont want to
burden themselves with deciding who can do what.
"You" are talking about users that know what they do. But these users dont
have problems now either. So why bother?
"People" WANT to receive ANYTHING from their friends, familiy, potential
friends, etc. just because it might be something important.

As long as the user CAN send and receive this type of content by mail, they
will do so and it will be abused. Remove the features from all mail clients
to solve this problem. Declare MIME dead. Plain text is the only valid mail
format.
Then you might have a chance to solve these problems.

Andreas
George Ou
2004-06-25 01:22:44 UTC
Permalink
----- Original Message -----
From: "Andreas Saurwein" <***@uniwares.com>
To: <***@ietf.org>
Sent: Thursday, June 24, 2004 4:46 PM
Subject: Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
Post by Andreas Saurwein
As long as the user CAN send and receive this type of content by mail, they
will do so and it will be abused. Remove the features from all mail clients
to solve this problem. Declare MIME dead. Plain text is the only valid mail
format.
Then you might have a chance to solve these problems.
Killing MIME is not the answer, because they will simply send plain text
clickable URLs to the executables hosted by some 3rd party service via FTP
such as ftp://ftp.MyAttachments.com/my.exe. Even if you change the default
behavior of email to not have clickable URLs, users will simply learn to
cut-paste the URL in to their web browser. Case in point in a recent
example, people are obviously dumb enough to open up a password protected
zip called "InfectMe.zip" with the password "IAmSuchAnIdiot" because the
text based email told them to do so.

The better solution is to restrict file execution based on Authenticode
signatures. Windows XP Service Pack 2 does the best job I've ever seen of
addressing this. Even if the attachment is saved to the hard drive, it
retains "memory" of the fact that it came from an untrusted place so that
you cannot execute the file by accident. Of course, you can manually open
it by force if you really wanted to but at least the percentage of
infections will go down.

The bottom line is, the zombie phenomenon will be easier to manage in a post
SMTP authentication world. Instead of receiving spam from a Dynamic IP
address (possibly NATed as well), you will potentially receive spambot
messages from a legitimate email account. Obviously that is a much more
granular situation where you can rate limit user accounts on the SMTP server
and/or shut down that email account. That is a hell of a lot more accurate
and less likely to cause collateral damage than blacklisting the IP address
or blocking outbound port 25 by default.

A much larger problem I predict will be the spammer that buys 1000 domain
names for $7000 and changes their domain name everyday to keep ahead of the
blacklisting game. Since it will only cost $7 a day to operate like this,
it will probably be a much larger problem than the hijacked SMTP accounts.

One possibility that might address this larger issue is if the owner of the
domain will voluntarily register their name, photo, and fingerprint in a
private and secure format and certifiably tie it to their domain. The name
and photo could be encrypted such that only law enforcement off a court
order can decrypt that information for the purpose of tracking spammers or
fraud. Of course, the only way this scheme would work is if the 500 top
ISPs in the world will flat out reject any communications from any SMTP
server whose domain is not certified in this manner. It's all a question of
how badly to you want (need) to fight off the spam problem. Some might say
that it is already possible to track a spammer down and that is true, but
this just makes it really easy and undisputable in a court of law. All I'm
suggesting is that we make the owner of a domain accountable and make it
easy for law enforcement to track down the owner.


George Ou
Lane Sharman
2004-06-25 01:28:49 UTC
Permalink
Friends,

I do not comment too often but I think we need to think about the
problem differently with the following realities in mind.

a) eMail has improved greatly the lives and productivity of individuals
by communicating in rich images, attachments and html.
b) a diversity of interests have transformed eMail into an integral part
of global commerce.
c) Like any system of transportation, with common law rules, there will
be highway robbers, and,
d) A good system of protection, albeit imperfect, will protect the many
from the few, most of the time pretty well.

I see SMTP traffic as a flow which, like water, must go thru a
filtration system. I do not see SMTP water as ever being restored to the
condition it was ante 1985 or so. Let's move on.

Therefore, with SMTP, as with a good old house, let's provide it with
some additional out-of-protocol support. The best I have done as a
company is to license a filtration power plant (postini) to those who
have heard my analysis.

Perhaps, we could agree that 10-20 filtration plants around the world,
as mandatory points of relay, would be a beginning solution point, not
an end but a good beginning.

Lane
Post by Andreas Saurwein
Post by g***@terabites.com
For example, I might grant my Aunt Gertrude the right to use fonts and
bold/underline in her E-mails to me, or JPGs of her poodle Fifi, but I wouldn't
grant her the right to send me Javascript, ActiveX, or executable attachments.
E-mails that LOOK like the sort of things I'd expect to get from Gerty would be
delivered to me; even if her machine got turned into a zombie spambot. Stuff
that DOESN'T look like what I expect to receive from Gerty would be summarily
t-canned, even if it (actually and truly) came from her machine and with her
return address. (In practice, most people wouldn't allow ANYBODY AT ALL to send
them executables, PIF files, SCR files, CPL files, VBS files, and the like...
even ZIP files... which would essentially eliminate the ability of infecting
those user machines with zombie spambots! You don't require daily updates of
virus/worm signatures (which, of course, also inevitably LAG the problem) for
that!)
Sure, and what you think would be the first thing that all the
(l)users out there do? Right, grant every right to everybody, because
they dont want to burden themselves with deciding who can do what.
"You" are talking about users that know what they do. But these users
dont have problems now either. So why bother?
"People" WANT to receive ANYTHING from their friends, familiy,
potential friends, etc. just because it might be something important.
As long as the user CAN send and receive this type of content by mail,
they will do so and it will be abused. Remove the features from all
mail clients to solve this problem. Declare MIME dead. Plain text is
the only valid mail format.
Then you might have a chance to solve these problems.
Andreas
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
--
Lane Sharman
Enterprise and Personal Email Content Filtering and Hosting
http://www.opendoors.com
858-755-2868
George Ou
2004-06-25 03:34:12 UTC
Permalink
So Lane,

Aside from the fact that you probably shouldn't be pushing "Product X" on
this group, what makes "Product X" better than the other Spam appliances on
the market that also effectively stops "99%" of all spam the instant it's
installed?

What makes any of these $40K boxes better than a 1U Intel Architecture box
running Spam Assassin, DCC, and an SMTP antivirus gateway other than the
fact that you get don't have to build it and that you get some support?

What makes you think the Internet community is all of a sudden going to run
all of it's email through a proprietary and metered gateway?


George

----- Original Message -----
From: "Lane Sharman" <***@opendoors.com>
To: <***@ietf.org>
Sent: Thursday, June 24, 2004 6:28 PM
Subject: Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
Post by Lane Sharman
Friends,
I do not comment too often but I think we need to think about the
problem differently with the following realities in mind.
a) eMail has improved greatly the lives and productivity of individuals
by communicating in rich images, attachments and html.
b) a diversity of interests have transformed eMail into an integral part
of global commerce.
c) Like any system of transportation, with common law rules, there will
be highway robbers, and,
d) A good system of protection, albeit imperfect, will protect the many
from the few, most of the time pretty well.
I see SMTP traffic as a flow which, like water, must go thru a
filtration system. I do not see SMTP water as ever being restored to the
condition it was ante 1985 or so. Let's move on.
Therefore, with SMTP, as with a good old house, let's provide it with
some additional out-of-protocol support. The best I have done as a
company is to license a filtration power plant (postini) to those who
have heard my analysis.
Perhaps, we could agree that 10-20 filtration plants around the world,
as mandatory points of relay, would be a beginning solution point, not
an end but a good beginning.
Lane
David Wall
2004-06-25 03:48:43 UTC
Permalink
Post by Lane Sharman
Perhaps, we could agree that 10-20 filtration plants around the world,
as mandatory points of relay, would be a beginning solution point, not
an end but a good beginning.
But water is a single substance, so filtration is easy. Email is not. What
you call filtering, I call censorship. It's not up to someone else to tell
me if my message is okay or not, and I don't want them telling me I can
receive this message, but not that one.

For those who want a more secure system, use one. There are plenty out
there. I'd be happy to list them if you'd like. They are professional,
secure, authenticated, fully tracked, and often support electronic
signatures. Why do people feel compelled to convert email into something
it's not?

David
Seth Breidbart
2004-06-25 04:34:51 UTC
Permalink
What you call filtering, I call censorship.
So buy your email service from a provider that doesn't filter. I can
suggest some. (Panix doesn't unless you want it to, except it had to
put in some virus-rejection because its mailservers would have been
overloaded otherwise.) I have my own .procmailrc.
It's not up to someone else to tell me if my message is okay or
not, and I don't want them telling me I can receive this message,
but not that one.
Then get your own server and do as you wish.
Why do people feel compelled to convert email into something it's
not?
That already happened. Some of us would like to convert it _back_ (as
closely as possible) to what it once was.

Seth
Seth Breidbart
2004-06-25 01:41:42 UTC
Permalink
Post by g***@terabites.com
More than a year ago the four providers - America Online,
Yahoo, EarthLink and Microsoft - said that they would work
together to create technical standards that could verify
the identity of the sender of an e-mail message.
The core problem with this approach is that it does NOTHING to
prevent the sending of spam...
It cuts way down on the spam I get from bounces when my email address
was forged.
Post by g***@terabites.com
the only thing it does is to help make sure that the return address
on the spam is valid, and it's not even very good at doing that.
It's a lot better than the nothing we have now.
Post by g***@terabites.com
1) There is NOTHING that requires that spam be sent with fake return
addresses... spammers use phoney return addresses largely AS A
KINDNESS so that complaints and bounces don't converge back on some
poor victim's E-mail inbox.
Wrong. Spammers use phony return addresses to make their spam look
more like wanted email so it's more likely to get through.

They've forged my email address enough that I know they don't avoid
using real ones.
Post by g***@terabites.com
2) Requiring the use of "real" return addresses, besides not
preventing the sending of spam, makes the spam problem WORSE instead
of better... suddenly, victimized ISPs will have to DELIVER (and
store!) all these bounce messages and complaint messages.
Except that you can no longer victimize ISP X when the spam is coming
from some random zombie elsewhere on the net, since ISP X didn't
authorize the zombie's IP address to send mail on its behalf.

So which victimized ISPs are you referring to?

Not the ones being forged that set up SPF (or whatever).
Not the ones the spam is sent to that check SPF (or whatever).
Post by g***@terabites.com
3) A large (and increasing) percentage of all spam messages
originate at spambot zombies, machines that have been infected by
worms or viruses and turned into willing slaves to send spam as
spammer proxies. These worms can be reprogrammed, LITERALLY
overnight, to use "real" return addresses and authorizations
belonging to the infected machine's legitimate owner.
Good. Then the complaints can come right back at the spam-emitter and
his ISP, and he can be persuaded by whatever means necessary to stop
emitting spam.
Post by g***@terabites.com
Once that's been done, sender authorization is *useless* other than
(hopefully) rapidly identifying the infected machine. But that's
still locking the door after the horse has escaped, since there's
thousands of newly infected machines every day.
And there are millions of oldly infected machines on the net right
now. Making zombies useless in hours rather than months or years is a
big win for the good guys.
Post by g***@terabites.com
You're playing a never-ending (if anything, escalating) game of
whack-a-mole... and like whack-a-mole, the machine can pop up moles
in the end stages of the game faster than you could ever hope to
club them down.
I fail to see how getting faster at whacking them can possibly be a
bad thing. It might not be good _enough_ all by itself, but that
doesn't make it bad.
Post by g***@terabites.com
Many experts suggest that a
system that could identify and discard such falsely
addressed messages is one of the most potent possible
weapons against spam.
Those "experts" are blowing smoke.
It would eliminate a large fraction of the spam I currently get.
Post by g***@terabites.com
I don't know why they're so fixated on these misguided and
ill-conceived "authentication/authorization" approaches, but
ultimately these approaches mostly just hurt numerous legitimate
users,
Who are those "numerous legitimate users" who desire to forge the
email they send?
Post by g***@terabites.com
and do not really solve the problem.
Nobody said it _solves_ the problem. It _helps_.
Post by g***@terabites.com
"The biggest thing we can do to reduce spam is sender
authentication," said Brian Sullivan, the senior director
for mail operations at America Online.
That's simply *rubbish*.
True rubbish, though.
Post by g***@terabites.com
Unless and until they get the spambot zombie problem
under control, they cannot solve the spam problem.
He said that something would *reduce spam*. It will. You're whining
that it won't "solve the spam problem". Nobody said it would. That
doesn't make it "rubbish".
Post by g***@terabites.com
And it's relatively easy to solve the spambot zombie problem
Relative to the outbreak of peach in the Middle East, perhaps.

Relative to a manned flight to Alpha Centauri, probably.

Google for FUSSP.
Post by g***@terabites.com
by using a finely-grained permissions system, where each recipient
authorizes senders to send them familiar and trusted types of
material.
Something that requires action by *each recipient* is _relatively
easy_? What have you been smoking?
Post by g***@terabites.com
Once HTML is denied in E-mails of unapproved senders,
Since you don't believe in SPF or similar sender-verification methods,
how are you going to distinguish between the HTML mail from a phisher
who claims to be eBay and HTML mail from eBay? They look a lot alike.
Post by g***@terabites.com
This allows a good content-based antispam filter to very
effectively deal with the spam that's left.
More FUSSP.
Post by g***@terabites.com
Those approaches are ALL fatally flawed for a variety of reasons,
but the main one is simply that (despite that they inconvenience a
*LOT* of legitimate users)
Tell us about those "*LOT* of legitimate users" who desire to forge
email again.
Post by g***@terabites.com
they simply DO NOT SOLVE THE PROBLEM.
Neither does your FUSSP.

At least their proposal will make a large dent in the problem when
implemented by a few dozen entities, and will provide incentive for
others to join in.
Post by g***@terabites.com
I think it's awfully telling that AOL (one of the biggest offenders
in sending gratuitously HTML-burdened E-mails, which are a big part
of the problem) hasn't figured out that their use of HTML is a big
part of what makes the spam/virus/worm problem so intractable.
HTML email from my mother has nothing whatsoever to do with the
spam/virus/worm problem.
Post by g***@terabites.com
The nice thing about a permissions-based system controlled by a
recipient is that it requires NO complex re-engineering of the
world's E-mail infrastructure, can be implemented IMMEDIATELY, is
easy to understand and use, and immediately benefits those users as
soon as they install it.
So go ahead and implement and install it. Since it's so wonderful,
everybody else will soon join you, right? If not, why should you
care?
Post by g***@terabites.com
In an announcement yesterday, the two remaining camps agreed to
give limited support to test each other's technology.
I think this is very sad, since these folks are taking their eye off the ball.
They want to reduce spam, especially blowback.
Post by g***@terabites.com
It's sort of the old story about "once you've decided on the hammer
as your tool, you try to make every problem look like a nail."
Once you've decided on a FUSSP, every problem looks like your thumb.
Post by g***@terabites.com
They've developed this elaborate system for identifying senders,
and trying to pretend that it will work against spam.
It will.
Post by g***@terabites.com
Even when it should be clear to the most enlightened folks that it
won't solve the problem it's being presented with as justification.
Do you understand the difference between "work against" and "solve"?
Post by g***@terabites.com
I've presented in the SPF discussion groups many of the failings of
SPF, and gotten only excuses and denial in exchange. I concluded
more than six months ago that SPF was fatally flawed, and
consequently left that discussion group, concluding that pursuing it
was a waste of time. Unfortunately, it seems that other people
haven't figured it out yet,
Gee, it's too bad that everybody else isn't as smart as you are.
Post by g***@terabites.com
so we're embarking on this grand detour on the way to actually
addressing and dealing the spam/virus/worm problem in a meaningful
and effective way.
SPF will cut down on the amount of blowback _I_ get. That makes it a
good thing. It isn't perfect, and nobody said it is.
Post by g***@terabites.com
"It's good news because we now have a road map," he said.
"We can proceed with S.P.F. and Sender ID now and with
Domain Keys as a second wave."
Their "road map" leads to a non-solution.
It leads to an _improvement_ (and a partial solution).
Post by g***@terabites.com
Perhaps they're still happy because at least they can be SEEN as
"doing something", even if it's worthless.
An improvement is not worthless to me.
Post by g***@terabites.com
But it's basically dishonest,
They're saying it's an improvement, which it is.

You're saying it's worthless because it isn't a total solution.

I know who _I_ see as being dishonest.
Post by g***@terabites.com
So they require that the zombie spambot software sends the message
using the victim machine's real E-mail address (or, perhaps, the
E-mail address of a different user who happens to use the same ISP
domain name). And there the SPF solution reaches "end of road".
Maybe the ISP won't allow dialup lusers to send email on its behalf,
but only authorize (per SPF) its own mailservers. Then the zombie
can't send anything directly, and sending through the ISP's servers is
subject to filtering, rate-limiting, and other methods of reducing
emitted spam.
Post by g***@terabites.com
You've adopted this grand scheme, and suddenly you've reached the
end of your rope and you've still got the spam/virus/worm problem.
NOW WHAT?
They don't have to be as stupid as you assume they are.
Post by g***@terabites.com
The problem is that it doesn't really tell you much. Many legitimate messages
1) You're a travelling salesperson or executive and occasionally need to use
Internet cafes, airport waiting lounge kiosks, cruise ship internet cafes, or
other such places to send your important E-mail. Clearly you want to (and NEED
to) send it using your own company's E-mail address, since you won't be at that
location long enough to receive the needed replies at the temporary location
E-mail address. But you won't be (and often can not be) sending via your
habitual SMTP server associated with your domain name.
Why not? I've sent email via Panix's outgoing mailservers while at
Internet cafes, airport waiting lounges, hotel rooms, and other such
places. (I've never been on a cruise ship.) So why is there a
problem?
Post by g***@terabites.com
2) Yahoogroups-like mailing lists, which might forward individual
E-mail messages to group members, or might consolidate them as a
daily digest.
The digest clearly comes from Yahoogroups, and says it does, so
there's no problem.

Individual messages sent from lists often have the headers rewritten
to show they were list messages, so SPF (or the combined solution) can
check the appropriate headers for authorization.
Post by g***@terabites.com
All of these authentication/authorization approaches (like the
micropayments schemes too, for that matter) simply don't work when
zombie spambots commandeer authorized/authenticated machines and
send out spams using a victim's legitimate authorizations.
The authorized/authenticated machine is only authorized to send email
via the ISP's mailswerver, which does spam filtering and rate
limiting.
Post by g***@terabites.com
For some people, SPF isn't a big problem. For others, using it is
nearly impossible for a whole variety of reasons.
Such as?
Post by g***@terabites.com
But E-mail is supposed to be UNIVERSAL;
Supposed by whom? Why should I care about your suppositions? (Hint:
Billions of people don't have computer access in the first place.)
Post by g***@terabites.com
it's not enough to allow 80% or 90% of users to be able to send
E-mail and ignore the legitimate needs of the remaining 10% or 20%.
It's enough, for me, to allow the few thousand or so sender I care to
hear from to send me email. I don't care about what you claim are
"legitimate needs".
Post by g***@terabites.com
And that's fine for a little organization with ten or twenty users
which only ever needs to send mail from within their offices.
You mean like AOL, Yahoo, etc. who you're whining about supporting
these methods you dislike because they aren't your FUSSP?
Post by g***@terabites.com
But bigger organizations (say, Comcast.com/.net, or Earthlink, or
AOL) which have many millions of users and at the very least
probably HUNDREDS of mail servers mean that if a given E-mail comes
from a valid ISP E-mail user name and through ANY of that ISP's mail
servers, it will still be "approved" (as indeed, it would NEED to
be... an Earthlink user might be travelling and call in to the
Earthlink access number in a distant city, during a trip).
Fine. So what?
Post by g***@terabites.com
User A's Comcast E-mail address could be forged by any of six or
ten million zombie-infected Comcast-connected machines in other
cities, and still pass these misguided and ineffective "authorized
mail servers for the user's domain" tests with flying colors. :-(
Except that ***@comcast.net doesn't have the password to
***@comcast.net's account, so comcast's servers won't allow joe345
to send email as mike123. Sure, _if_ they did, I'd have no way of
knowing; but they don't have to.
Post by g***@terabites.com
A much bigger problem is that of mailing lists, whether
Majordomo-style or Yahoogroups-style.
No, it isn't. It just needs to mung the headers appropriately.
Post by g***@terabites.com
The backers of S.P.F. and Sender ID say there are ways to
work around these problems, but they may require
adjustments to the procedures of some mail senders.
The fact that those "adjustments" are very often infeasible doesn't
seem to bother Wong in the slightest.
The fact that you don't see how to make them doesn't prove they're
infeasible.
Post by g***@terabites.com
If it's possible for a third party to use the signature to send on
behalf of the sender owning the signature, then obviously that same
third party could send spam using the E-mail address and signature
too.
That's why people keep the private key to their digital signatures
private.
Post by g***@terabites.com
The Internet providers, however, cautioned that both of
these technical approaches are just part of the solution to
the problem.
See? You're claiming they're lying about it solving the whole
problem, and they say it doesn't. So who's lying?
Post by g***@terabites.com
"I don't think that users will see a reduction in spam
right away," said Robert Sanders, chief architect at
EarthLink. "Identity is just the first step."
No, of course they won't see a reduction in spam right away. In
fact, based on these schemes, they NEVER will see a reduction in
spam, since these solutions DON'T SOLVE THE PROBLEM!
Apparently you still don't understand the difference between reducing
the problem and solving it.
Post by g***@terabites.com
Why don't we SOLVE THE PROBLEM, instead, and skip these diversionary
and costly non-solutions that complicate the infrastructure without
any truly worthwhile payback adequate to justify their cost?
You have another FUSSP for us?
Post by g***@terabites.com
Better still, if the problem is solved RIGHT, it requires NO change
to the worldwide E-mail or DNS infrastructure, [thus] NO worldwide
consensus on what needs to be changed, can be made understandable by
even unsophisticated users, and can be implemented IMMEDIATELY and
with IMMEDIATE beneficial effect for early adopters.
When did you implement it? Why not? How do you define "IMMEDIATELY"?

Seth
David Wall
2004-06-25 03:46:08 UTC
Permalink
Post by Seth Breidbart
Not the ones being forged that set up SPF (or whatever).
Not the ones the spam is sent to that check SPF (or whatever).
And what if only a few major ISPs implement this and most everyone else
fails to? It's a solution that may not be implementable since it seems to
solve so little in reality.
Post by Seth Breidbart
Good. Then the complaints can come right back at the spam-emitter and
his ISP, and he can be persuaded by whatever means necessary to stop
emitting spam.
But he said those were zombies, not spammer systems. So the system hurt is
the person who is already a victim, and the ISP of the victim also suffers.
Post by Seth Breidbart
And there are millions of oldly infected machines on the net right
now. Making zombies useless in hours rather than months or years is a
big win for the good guys.
It doesn't make them useless, it just increases the pain a victim has.
Today, their computer processing and bandwidth is used, but with the
bounces, they'll get more processing and bandwidth wasted dealing with the
forged bounces. The "from" will just be the zombie's machine so everything
will look okay to SPF, assuming that the domain has even adopted SPF, which
is a poor assumption (how many people are really updating their DNS to
support SPF for the millions of domains out there?).
Post by Seth Breidbart
I fail to see how getting faster at whacking them can possibly be a
bad thing. It might not be good _enough_ all by itself, but that
doesn't make it bad.
It's bad the way the war on terror is bad. It becomes an arms race and you
can only hope to win by spending more than the other guys and suffering the
pain during the entire struggle.
Post by Seth Breidbart
It would eliminate a large fraction of the spam I currently get.
No, like blacklists and the like, it will just cause spam to arrive another
way. After all, if I setup an SMTP and send out millions of spams, I can
just move later. I can switch ISPs. I can switch domains and switch
hosting companies. The changes will just occur faster and faster and there
will be no end to figuring out what is legit and what is spam.

Spam itself is already illegal. Why not prosecute spammers? It's as if the
solution you figure for burglary is everyone should have cameras positioned
on their daily lives and all people should have tracking devices that
cameras can use to identify people in view. Assume all households contain
burglars, so we need to id them all. Assume all homes will be victims, so
check everyone approaching. That's a bad policy.
Post by Seth Breidbart
Who are those "numerous legitimate users" who desire to forge the
email they send?
Well, just about every employee who has a work email address but cannot send
out email when at home or on the road. Most ISPs only let you use the email
address they assigned, and more and more are blocking direct access to port
25 to reach external SMTP servers.

I don't think it's that odd for people to have numerous email addresses that
represent their various identities, including those that are considered
illicit by some, like people who want to have political arguments without
fear of reprisals from their governments (even the U.S. has problems now
because of the Patriot Act, but "capitalist" nations like Singapore as well
as nasty regimes like the Taliban's suffer even more), want to talk about
kinky sex, recreational drugs, guns, white power, black power, Islamic
power, whatever.
Post by Seth Breidbart
Nobody said it _solves_ the problem. It _helps_.
But it won't. It will just change the nature of the beast and spam won't be
reduced.
Post by Seth Breidbart
True rubbish, though.
Untrue rubbish. You will live and see. Just like Bush will learn that you
can't invade a country with 100,000 troops and you can't beat Islamic hatred
with a big stick.
Post by Seth Breidbart
He said that something would *reduce spam*. It will. You're whining
that it won't "solve the spam problem". Nobody said it would. That
doesn't make it "rubbish".
First, good spam filters already can reduce a lot of bad email. With more
intelligent filters, we will be able to not only filter out unwanted spam,
but perhaps allow desirable spam (some people do want the products being
sold after all), but we can filter out the noise of newsgroups like this so
that we only see messages that contain content we want. This way, we get to
filter our own messages, in effect, censoring ourselves.

It is really sad when I send a message to AOL and it never arrives because
their filters deemed my message to be spam when it was not. Some people get
blacklisted without being told, and they wonder why their email couldn't get
through (they may have suffered under an open relay, a hacked relay, a
zombie, etc.). When corporations decide what's allowed to be received
instead of the recipient, we have a real problem.
Post by Seth Breidbart
Since you don't believe in SPF or similar sender-verification methods,
how are you going to distinguish between the HTML mail from a phisher
who claims to be eBay and HTML mail from eBay? They look a lot alike.
This is actually a great point. One interesting aside, whenever eBay adds a
new email server, it had better remember to update its SPF records a few
days before it goes online lest all email sent by that server be rejected as
invalid. DNS caches and such will mean that you cannot count on immediate
changes to SPF, and what will happen when someone goes "oops, I forgot to
update the TXT DNS record" and thousands of emails were rejected and lost
forever?

But back on point, why is eBay using free email to conduct sensitive
business? This is where spam originated, and the crybabies like AOL are
pathetic since they are the root cause of spam (and even their employee has
been arrested for selling their customer's information to spammers -- and
you know that wasn't the first time nor is AOL alone in this problem). Do
you suppose rogue employees will update DNS with false TXT records since
most people wouldn't notice an addition to SPF that allowed another IP
address to send out? How much would have I have to pay some schmuck at AOL
to do it -- they already will sell me their customer list.

eBay should grow up and stop relying on free email for important business
communications. This is why spam arose. They don't slip notes under our
door, or talk to me over walkie talkies or CB radios. They should use
secure systems that have all of the identity and such built-in to protect
their interest. Companies like Yozons, Zixit, CertifiedMail, Tumbleweed and
no doubt many others offer businesses just such solutions. Just like they
pay for regular mail, they should pay for specialized email. Also, these
emails are typically encrypted to ensure the privacy, and some are digitally
signed on top of being secure, pay-per-use systems that don't suffer from
spam or viruses (because nobody pays to send a virus/spam, especially when
there's full tracking and authentication built in).

All this big businesses have hijacked our open, free and unemcumbered email,
and the spammers just joined in the game. Nobody would be fooled by a
package with a hand-drawn stamp; it would be suspicous. It's time
businesses stopped using a lowest common denominator solution that works
great for casual conversations for business communications. If eBay stopped
using email to communicate with its customers and used one of the secure
alternatives, nobody who used eBay would be tricked by an email that looks
like it came from eBay.
Post by Seth Breidbart
Tell us about those "*LOT* of legitimate users" who desire to forge
email again.
Aside from those with multiple email addresses (like all employees), there
are newslists like this one that send out messages on behalf of others.
Well, this breaks down when SPF goes into play. Same goes for PayPal that
sends out emails on behalf of its customers, as do groupware applications,
among others.
Post by Seth Breidbart
Maybe the ISP won't allow dialup lusers to send email on its behalf,
but only authorize (per SPF) its own mailservers. Then the zombie
can't send anything directly, and sending through the ISP's servers is
subject to filtering, rate-limiting, and other methods of reducing
emitted spam.
I'm glad that you like the idea that companies who carry our email get to
filter our content and decide what we get and what we don't get, what we can
send and what we can't send. Sure, it's not government censorship, but
clearly it's a form of censorship, and the government is using big business
to implement more and more of these liberty reducing values so that people
are becoming the dumb zombies and accepting whatever silly solution that's
proposed for our safety and benefit.
Post by Seth Breidbart
Post by g***@terabites.com
A much bigger problem is that of mailing lists, whether
Majordomo-style or Yahoogroups-style.
No, it isn't. It just needs to mung the headers appropriately.
But that assumes everyone joins the club right away. Those who decide that
they don't want others to tell them get screwed and we end up with island in
which one group can't communicate with another, breaking the very benefit
that the Internet provided.

David
Seth Breidbart
2004-06-25 04:27:25 UTC
Permalink
Post by David Wall
Post by Seth Breidbart
Not the ones being forged that set up SPF (or whatever).
Not the ones the spam is sent to that check SPF (or whatever).
And what if only a few major ISPs implement this and most everyone else
fails to?
More than "a few major ISPs" have already implemented SPF.
Post by David Wall
It's a solution that may not be implementable since it seems to
solve so little in reality.
Whether or not it's implementable has nothing to do with what it
solves, only with the difficulty in implementing it (which is actually
quite small).
Post by David Wall
Post by Seth Breidbart
Good. Then the complaints can come right back at the spam-emitter and
his ISP, and he can be persuaded by whatever means necessary to stop
emitting spam.
But he said those were zombies, not spammer systems. So the system hurt is
the person who is already a victim, and the ISP of the victim also suffers.
The system hurt is the one that is emitting spam at me. When it is
fixed, so it stops emitting spam, then it stops being hurt. The ISP
hurt is the one that allowed its luser to spew spam at me. I refuse
to feel sorry for them.
Post by David Wall
Post by Seth Breidbart
And there are millions of oldly infected machines on the net right
now. Making zombies useless in hours rather than months or years is a
big win for the good guys.
It doesn't make them useless, it just increases the pain a victim has.
It makes them useless for spamming, because they get cut off (and
maybe disinfected).
Post by David Wall
Today, their computer processing and bandwidth is used, but with the
bounces, they'll get more processing and bandwidth wasted dealing with the
forged bounces.
That bandwidth will then be unavailable for the emission of spam; I
consider that good.
Post by David Wall
The "from" will just be the zombie's machine so everything
will look okay to SPF,
Wrong. SPF need not allow every luser dialup to send mail from a
domain; rather, it will specify _only_ the outgoing mailservers (if
set up correctly).
Post by David Wall
assuming that the domain has even adopted SPF, which is a poor
assumption (how many people are really updating their DNS to support
SPF for the millions of domains out there?).
Huh? Each domain sets up SPF for itself. It's easy, just put a few
records in your DNS. I set up SPF for 7 domains (all that I own), I
don't have to do anything for anybody else's.
Post by David Wall
Post by Seth Breidbart
I fail to see how getting faster at whacking them can possibly be a
bad thing. It might not be good _enough_ all by itself, but that
doesn't make it bad.
It's bad the way the war on terror is bad.
Stop with the bogus analogies.
Post by David Wall
It becomes an arms race and you can only hope to win by spending
more than the other guys and suffering the pain during the entire
struggle.
I think AOL would be willing to spend more than all the spammers in
the world put together if that would stop spam; it would save AOL
money.

But it doesn't take spending more money to win, anyway.
Post by David Wall
Post by Seth Breidbart
It would eliminate a large fraction of the spam I currently get.
No, like blacklists and the like, it will just cause spam to arrive another
way.
A lot of the spam I get is bounceback from spam with my address forged
as the sender. That would be stopped.
Post by David Wall
After all, if I setup an SMTP and send out millions of spams, I can
just move later. I can switch ISPs. I can switch domains and
switch hosting companies. The changes will just occur faster and
faster and there will be no end to figuring out what is legit and
what is spam.
So why oppose a technique that makes it easier in some cases?
Post by David Wall
Spam itself is already illegal. Why not prosecute spammers?
Who said we shouldn't? (I prefer Orson Swindle's method, myself,
though.)
Post by David Wall
It's as if the solution you figure for burglary is everyone should
have cameras positioned on their daily lives and all people should
have tracking devices that cameras can use to identify people in
view.
More bogus analogies.

Anyway, some places _do_ put up cameras, to cut down on burglaries.
It hasn't totally eliminated burglary, of course, but clearly the
places that do it think they benefit.
Post by David Wall
Assume all households contain burglars, so we need to id them all.
Assume all homes will be victims, so check everyone approaching.
That's a bad policy.
I have the right to identify people seeking to enter my home, and deny
entrance to those who fail to identify themselves to my satisfaction.
The same holds true for my mailserver.
Post by David Wall
Post by Seth Breidbart
Who are those "numerous legitimate users" who desire to forge the
email they send?
Well, just about every employee who has a work email address but
cannot send out email when at home or on the road.
You mean, the ones whose companies have misconfigured mailservers that
don't accept "submission"?
Post by David Wall
Most ISPs only let you use the email address they assigned, and
more and more are blocking direct access to port 25 to reach
external SMTP servers.
That's why the Submit protocol doesn't use port 25.
Post by David Wall
I don't think it's that odd for people to have numerous email
addresses that represent their various identities, including those
that are considered illicit by some, like people who want to have
political arguments without fear of reprisals from their governments
I don't either.

But I can access my gmail account, and send email from it (emanating
from gmail) from just about anywhere I can run a browser.

I can emanate email from my Panix account on Panix anywhere I can run
ssh.

So what's the problem if I'm vising a friend and getting raw Internet
access through her ISP? I can still send email from my accounts.
Post by David Wall
Post by Seth Breidbart
Nobody said it _solves_ the problem. It _helps_.
But it won't. It will just change the nature of the beast and spam
won't be reduced.
The blowback spam I get will be reduced.
Post by David Wall
Post by Seth Breidbart
True rubbish, though.
Untrue rubbish. You will live and see.
Yes, we will.

For some reason, I'm more inclined to respect the opinions of people
in charge of 50% or so of all the legitimate email on the net than of
others whining about their proposals.
Post by David Wall
Just like Bush will learn that you can't invade a country with
100,000 troops and you can't beat Islamic hatred with a big stick.
Stop with the bogus analogies already.
Post by David Wall
Post by Seth Breidbart
He said that something would *reduce spam*. It will. You're whining
that it won't "solve the spam problem". Nobody said it would. That
doesn't make it "rubbish".
First, good spam filters already can reduce a lot of bad email.
Fine. Nobody is arguing against them.
Post by David Wall
With more intelligent filters, we will be able to not only filter
out unwanted spam, but perhaps allow desirable spam (some people do
want the products being sold after all),
Yeah, and some people want millions of dollars from Nigeria, too.
Post by David Wall
but we can filter out the noise of newsgroups like this
This is a mailing list. Don't you know the difference?
Post by David Wall
It is really sad when I send a message to AOL and it never arrives
because their filters deemed my message to be spam when it was not.
So why do you oppose something that will make legitimate email seem
less like spam?
Post by David Wall
When corporations decide what's allowed to be received
instead of the recipient, we have a real problem.
Run your own mailserver and make your own rules.

Or pay for an ISP that will allow you to make your own rules.

You don't get to require someone else to use the business model you
prefer, you only get to choose whether or not to be their customer.
Post by David Wall
Post by Seth Breidbart
Since you don't believe in SPF or similar sender-verification methods,
how are you going to distinguish between the HTML mail from a phisher
who claims to be eBay and HTML mail from eBay? They look a lot alike.
This is actually a great point. One interesting aside, whenever
eBay adds a new email server, it had better remember to update its
SPF records a few days before it goes online lest all email sent by
that server be rejected as invalid.
Not really; a few hours will suffice (and setting out an entire /24
even if some of it is currently unused isn't a problem, either).
Post by David Wall
DNS caches and such will mean that you cannot count on immediate
changes to SPF,
Negative responses are not cached for very long, if at all.
Post by David Wall
and what will happen when someone goes "oops, I forgot to update the
TXT DNS record" and thousands of emails were rejected and lost
forever?
Rejected email isn't "lost forever". It can be resent.

And when people make mistakes, bad things happen. But isn't it better
to have less valid email lost over the course of a year, even if
there's more lost for a few hours when somebody goofed?
Post by David Wall
But back on point, why is eBay using free email to conduct sensitive
business?
What do you mean "free email"? eBay pays for its network.
Post by David Wall
This is where spam originated, and the crybabies like AOL are
pathetic since they are the root cause of spam
What did they have to do with C&S, or jj?
Post by David Wall
Do you suppose rogue employees will update DNS with false TXT
records since most people wouldn't notice an addition to SPF that
allowed another IP address to send out?
Somebody will, and then the rogue employee will be arrested.
Post by David Wall
How much would have I have to pay some schmuck at AOL
to do it -- they already will sell me their customer list.
I bet the price just went way up, what with the felony prosecutions
and all.
Post by David Wall
eBay should grow up and stop relying on free email for important
business communications. This is why spam arose. They don't slip
notes under our door, or talk to me over walkie talkies or CB
radios. They should use secure systems that have all of the
identity and such built-in to protect their interest.
If you have a better business model, why do they have a $58 Billion
market cap and you're worth how much? (And they earn around $600
Million/year, so it isn't just bubble stock pricing.)
Post by David Wall
Just like they pay for regular mail, they should pay for
specialized email.
Why? How much should they spend to make you happy? Are you worth
that much to them?
Post by David Wall
All this big businesses have hijacked our
What made it "ours" in the first place?
Post by David Wall
open, free and unemcumbered email,
When was it that? (Do you know how restricted the ARPANET originally
was?)
Post by David Wall
It's time businesses stopped using a lowest common denominator
solution that works great for casual conversations for business
communications.
If you can build a better business that way, you should outcompete the
existing ones in the marketplace. I won't invest.
Post by David Wall
If eBay stopped using email to communicate with its customers and
used one of the secure alternatives,
instead of making $600 Million it would make maybe $6 because it
wouldn't have any customers.
Post by David Wall
nobody who used eBay would be
tricked by an email that looks like it came from eBay.
Yes, they would.
Post by David Wall
Post by Seth Breidbart
Tell us about those "*LOT* of legitimate users" who desire to forge
email again.
Aside from those with multiple email addresses (like all employees),
I have multiple email addresses, and I don't have to forge.
Post by David Wall
there are newslists like this one that send out messages on behalf
of others.
Mailinglists already mung headers, there's no reason the list headers
can't be checked by SPF.
Post by David Wall
Well, this breaks down when SPF goes into play.
It needn't.
Post by David Wall
Same goes for PayPal that
sends out emails on behalf of its customers,
That email comes from PayPal, and says it does. (I just got one,
about 10 minutes ago. It says it came from PayPal, and told me what
transaction I did with whom.)
Post by David Wall
as do groupware applications, among others.
So far, I've successfully avoided this "groupware" stuff.
Post by David Wall
Post by Seth Breidbart
Maybe the ISP won't allow dialup lusers to send email on its behalf,
but only authorize (per SPF) its own mailservers. Then the zombie
can't send anything directly, and sending through the ISP's servers is
subject to filtering, rate-limiting, and other methods of reducing
emitted spam.
I'm glad that you like the idea that companies who carry our email
get to filter our content and decide what we get and what we don't
get, what we can send and what we can't send.
Their servers, their rules. (That's one reason I own a box in a colo
center: my server, my rules.)

Anyway, I suspect most will only scan for viruses and record volume.
Post by David Wall
Post by Seth Breidbart
No, it isn't. It just needs to mung the headers appropriately.
But that assumes everyone joins the club right away. Those who
decide that they don't want others to tell them get screwed
You mean, those that don't want to cooperate are marked as not
cooperating, and then it's up to the recipient how to deal with
non-cooperators.
Post by David Wall
and we end up with island in
which one group can't communicate with another,
I _want_ the spammers unable to communicate with me.
Post by David Wall
breaking the very benefit that the Internet provided.
I don't consider their ability to do so a benefit.

Seth
Markus Stumpf
2004-06-25 17:48:51 UTC
Permalink
Post by Seth Breidbart
More than "a few major ISPs" have already implemented SPF.
*sigh*
define implementation.
Adding some SPF records is not implementation, just like adding an A
record for www.domain ist not providing a webserver.
SPF is "implemented" as soon as one not only publishes SPF records
but also rejects based on SPF records, and I still like to see at least
"ONE major ISP" that does this.

If WE did we'd loose around 40% of all legitimate eMails addressed to
our customers.

\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
George Ou
2004-06-25 18:35:34 UTC
Permalink
When the top 500 domains of the world have valid Sender ID (Caller ID + SPF)
records, then they can easily collude to exclude any other domain that
doesn't have valid Sender ID records. Then everyone else would have to
comply with Sender ID if they wish to send mail to the top 500 domains.
Sooner would be better with me. Is this bullying? I hope so. It's not
like it's going to cost a lot to comply.

George

----- Original Message -----
From: "Markus Stumpf" <maex-lists-spam-ietf-***@Space.Net>
To: <***@ietf.org>
Sent: Friday, June 25, 2004 10:48 AM
Subject: Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
Post by Markus Stumpf
Post by Seth Breidbart
More than "a few major ISPs" have already implemented SPF.
*sigh*
define implementation.
Adding some SPF records is not implementation, just like adding an A
record for www.domain ist not providing a webserver.
SPF is "implemented" as soon as one not only publishes SPF records
but also rejects based on SPF records, and I still like to see at least
"ONE major ISP" that does this.
If WE did we'd loose around 40% of all legitimate eMails addressed to
our customers.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
Seth Breidbart
2004-06-25 19:00:06 UTC
Permalink
Post by George Ou
When the top 500 domains of the world have valid Sender ID (Caller
ID + SPF) records, then they can easily collude to exclude any other
domain that doesn't have valid Sender ID records.
It won't take 500. The top 5 would do it.

Especially if their method isn't completely blocking, but greylisting
(don't publish Sender ID, your mail gets delayed for 1 hour)
initially, followed as time goes on by increasing the delay, refusing
a small but increasing percentage of email, etc.

Seth
George Ou
2004-06-25 20:12:19 UTC
Permalink
Ah, good point. I hope they start doing it soon.

I just can't understand all these people that are vehemently against
authentication. There are valid arguments on how spammers will work around
the authentication barrier, but I just can't imagine in any circumstance
that authentication would do anything but push us in the right direction.
What in the world could be wrong with any solution that defeats "mail from"
spoofing? That alone should justify domain level authentication regardless
of whether or not it will directly curtail spam or not.

George


----- Original Message -----
From: "Seth Breidbart" <***@panix.com>
To: <***@ietf.org>
Sent: Friday, June 25, 2004 12:00 PM
Subject: Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
Post by Seth Breidbart
Post by George Ou
When the top 500 domains of the world have valid Sender ID (Caller
ID + SPF) records, then they can easily collude to exclude any other
domain that doesn't have valid Sender ID records.
It won't take 500. The top 5 would do it.
Especially if their method isn't completely blocking, but greylisting
(don't publish Sender ID, your mail gets delayed for 1 hour)
initially, followed as time goes on by increasing the delay, refusing
a small but increasing percentage of email, etc.
Seth
der Mouse
2004-06-25 21:09:07 UTC
Permalink
Post by George Ou
I just can't understand all these people that are vehemently against
authentication.
As, I suspect, one of them - I'm not against authentication; I'm
against this particular form of authentication. (I'm equally against
any other form that suffers from the same patent issues.)
Post by George Ou
What in the world could be wrong with any solution that defeats "mail
from" spoofing?
In a word, patents.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
David Wall
2004-06-25 22:01:43 UTC
Permalink
Post by der Mouse
In a word, patents.
What specifically does that mean? Who has the patent you are worried about?
I didn't think the IETF allowed standards to be implemented that had patents
unless they were royalty free. Or is that just the W3C?

Davd
der Mouse
2004-06-25 22:51:24 UTC
Permalink
Post by David Wall
Post by der Mouse
In a word, patents.
What specifically does that mean?
I have seen it said, by many people, that there is at least one patent
filed that covers at least one of the proposed sender authentication
schemes. Until it (they, if multiple such exist) is issued, nobody
knows exactly what it will cover; in general, patents try to be as
general as they can get away with, so there is a good chance it will
cover more than just its issuer's scheme.
Post by David Wall
Who has the patent you are worried about?
The reports I saw spoke of Yahoo as the corporation who owns (or
rather, would own) the rights and Domain Keys as the
sender-authentication system. But as I said, until the patent is
issued, nobody knows how broad it will be.
Post by David Wall
I didn't think the IETF allowed standards to be implemented that had
patents unless they were royalty free.
I think the language is something like "on a nondiscriminatory basis".
What that actually means is anyone's guess - it could very well just
mean that they require the same $10 million royalty from anyone.

Or, if they really are doing the patent as a purely defensive measure
and want to DTRT, they could grant a perpetual *sublicensable* license
to someone the open-source community trusts. Until and unless they do
something bearing a similar commitment, I don't trust them farther than
I can throw them.

Yes, a USA patent will not directly affect me. My refusal to have
anything to do with it is more a matter of principle than practicality.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
David Wall
2004-06-25 23:42:16 UTC
Permalink
Thanks for the info, limited as it is these days since it's more like a
torpedo right now and we don't know if will hit or not. Just look at the
crazy FAT patent by MSFT....
Post by der Mouse
Yes, a USA patent will not directly affect me. My refusal to have
anything to do with it is more a matter of principle than practicality.
Well, Yahoo likely to have filed patents in Canada and Europe as well. It's
pretty rare that people only file US patents these days because software
reaches far and wide. It's funny, but standards work is getting trickier.
I've been looking into XML DSigs, and it also has several patents that
threaten it. Not to start the anti-patent war on this list, but it does
show how silly it is to allow software patents at all. Copyrights? Yes.
Trade secrets? Yes. Patents. Absurd! It's a form of writing. I mean, I
don't know about you, but I'm pretty damn sure I "write code." <wink>

David
Jim Fenton
2004-06-29 18:49:30 UTC
Permalink
Post by der Mouse
The reports I saw spoke of Yahoo as the corporation who owns (or
rather, would own) the rights and Domain Keys as the
sender-authentication system. But as I said, until the patent is
issued, nobody knows how broad it will be.
Post by David Wall
I didn't think the IETF allowed standards to be implemented that had
patents unless they were royalty free.
I think the language is something like "on a nondiscriminatory basis".
What that actually means is anyone's guess - it could very well just
mean that they require the same $10 million royalty from anyone.
Or, if they really are doing the patent as a purely defensive measure
and want to DTRT, they could grant a perpetual *sublicensable* license
to someone the open-source community trusts. Until and unless they do
something bearing a similar commitment, I don't trust them farther than
I can throw them.
The specific licensing terms for DomainKeys are spelled out at:
http://ietf.org/ietf/IPR/yahoo-ipr-draft-delany-domainkeys-base.txt

I recommend that reading that rather than speculating what the terms might be.

-Jim
der Mouse
2004-06-29 19:05:05 UTC
Permalink
Post by Jim Fenton
Post by der Mouse
Post by David Wall
I didn't think the IETF allowed standards to be implemented that
had patents unless they were royalty free.
I think the language is something like "on a nondiscriminatory
basis". What that actually means is anyone's guess - it could very
well just mean that they require the same $10 million royalty from
anyone.
http://ietf.org/ietf/IPR/yahoo-ipr-draft-delany-domainkeys-base.txt
I recommend that reading that rather than speculating what the terms might be.
It's not clear whether this response of yours is in response to the
paragraph I've placed it with or in response to my other paragraph,
below. If it's in response to this, well, I was talking here about the
IETF's position, not Yahoo's.

As for
Post by Jim Fenton
Post by der Mouse
Or, if they really are doing the patent as a purely defensive
measure and want to DTRT, they could grant a perpetual
*sublicensable* license to someone the open-source community trusts.
Until and unless they do something bearing a similar commitment, I
don't trust them farther than I can throw them.
The current license terms - and that's all the page you cited describes
- are not a commitment; Yahoo can (and quite possibly will) change them
at any future time it feels like. In particular, the licenses
described are neither perpetual nor sublicensable. Until they are
both, I will continue to distrust them, because they will not have
committed themselves to not screwing over everyone who's started using
DK (or anything else the patent may end up covering) at some arbitrary
future time.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
David Wall
2004-06-29 20:51:26 UTC
Permalink
http://ietf.org/ietf/IPR/yahoo-ipr-draft-delany-domainkeys-base.txt
Post by Jim Fenton
I recommend that reading that rather than speculating what the terms might be.
All good points. I just hope Yahoo realizes that the term DomainKeys may be
trademark-able as it relates to their product, but we've used the term
DomainKeys in code (right down to the same InterCap, as that's common in
Java class/interface names!) for some time, as it relates to the keypairs
that we assign to domains within our own technology. Like MSFT's claim to
"windows," I hate the idea that one day we'll be forced not to use such a
common, descriptive name for the keys that belong to a domain.

David
Mark Baugher
2004-06-29 22:37:54 UTC
Permalink
Post by David Wall
All good points. I just hope Yahoo realizes that the term DomainKeys may be
trademark-able as it relates to their product, but we've used the term
DomainKeys in code (right down to the same InterCap, as that's common in
Java class/interface names!) for some time, as it relates to the keypairs
that we assign to domains within our own technology.
I'd say that puts the word in the public domain in many countries but
IANAL. I don't expect that even US copyright law lets someone take a
pre-existing term and copyright it for its pre-existent meaning.

Mark
Post by David Wall
Like MSFT's claim to
"windows," I hate the idea that one day we'll be forced not to use such a
common, descriptive name for the keys that belong to a domain.
David
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
David Wall
2004-06-25 21:50:53 UTC
Permalink
Post by George Ou
I just can't understand all these people that are vehemently against
authentication. There are valid arguments on how spammers will work around
the authentication barrier, but I just can't imagine in any circumstance
that authentication would do anything but push us in the right direction.
What in the world could be wrong with any solution that defeats "mail from"
spoofing? That alone should justify domain level authentication regardless
of whether or not it will directly curtail spam or not.
I think some of it will come out in practice.

For the most part, systems like PayPal, for example, will show the FROM line
as the person who sent you money, but because they have the Return-Path
specified as their own system, SPF will likely allow them to be sent. So
users will still see the "FROM" using a name that they may trust, even if
the actual sending system is not from that person's email domain-allowed
SMTP server. Also, when this occurs, you also tend to lose the natural
"nice bounce" that you would get if you requested money from someone but put
in the wrong email address. Today, if you send money (or request money)
from someone and you mistype their name, you get no indication anything has
gone wrong. You can then click the "resend" button, but that just sends
another email that will also bounce since you don't know anything's gone
wrong. Under the old model, you'd get a bounce, which was very informative,
since it would tell you things like "undelivered in last 4 hours, keep
trying," "unknown user," "failed to delivery after 5 days; deleted" etc.

Bounces are not standardized, so it's nearly impossible to programmatically
extract bounced emails and then automatically inform the sender that
something has gone wrong. There's typically no reliable way to link the
bounce with the original email. Some include the original, some do not, so
it's a real pain to resolve.

Of course, this is not only true of PayPal, but its true of many other
groupware systems, hosted solutions like PayPal in which customers have paid
to belong to a community of one type or another and want to be able to work
with others, typically referencing others via email addresses, but then not
getting any feedback when things bounce.

It's unlikely that many users can add an "INCLUDE: PAYPAL.COM" to their SPF
records since that would mean getting AOL, MSN, Earthlink or others to add
"INCLUDE:" statements for all such groupware systems, and that wouldn't be
practical.

There are also numerous "community web sites" in which a large number of
small companies share a "virtual" community of web sites, all operating on a
single web server and being db-driven. Those systems (they often support
small law offices, small health clinics, local stores, etc.) also have
"features" that will break, like being able to send out newsletters,
coupons, auto-responders, etc. since they will no longer be able to send
those out using the small businesses's email addresses (they sometimes have
their own domains and could do SPF if they knew how, which they generally
don't, or they have AOL, Earthlink, Yahoo! etc. addresses).

By the way, such groupware systems are not just created by systems like
PayPal, but there are other corporate systems that also use such systems to
send out notes between collaborating parties using the same scheme.
Previously, they just sent out emails FROM the one part TO the other party
and all was okay. Those applications will all have to be modified in some
way, with the most likely being that they'll adjust the Return-Path and
users will lose the "handy bounce" that informed them when they got things
wrong.

Another practical concern are mailing lists that cover non-techie topics and
are usually run by sysadmins who aren't technical, have no money or time to
learn about new stuff, threw up a discussion forum mailing list using older
software, and they won't have the capability to upgrade their systems. So a
working system will just stop working and that non-techie community will
suffer.

None of those are spam, but they all have this characteristic of a single
systemt that sends out emails on behalf of a large population of users.
Getting bounces was useful because it let you know that you no longer had a
good email address, but that's lost with SFP forcing a common Return-Path.

Then others have real concerns about "slippery slope" arguments. Each form
of additional authentication comes in slowly and surely until email has lost
one of its nice aspects of being someone anonymous, or perhaps more
accurately, pseudononymous, much like what happens in AA meetings or when
discussing issues that are politically sensitive. When someone goes out as
***@aol.com he's not truly anonymous, but he is pseudononymous, and of
course users can resort to hotmail/yahoo/gmail for their more anonymous
needs (as long as free email accounts are allowed by law). SPF doesn't
really have this problem, but the argument is that SPF won't stop spam
either, so the "next step" will be taken and more and more authentication
will be required until people are forced to identify themselves to send
email, in which anonymous "free" email is outlawed. This tendency seems to
be happening even when these people aren't forced to do so to send plain old
mail. Sure, it may not come to pass, but maybe it'll be worse.

Most of us who are concerned about such liberties wish the world would
instead focus on prosecuting existing spammers. It's like giving up on
justice and just saying we'll hunker down harder rather than stop criminal
behavior in the first place. (By the way, this is certainly not
unreasonable, just sad. After all, we lock our doors and many in cities put
iron bars over their windows despite the obvious fire hazard and ugliness
because law enforcement failed them too.)

David
Barry Shein
2004-06-25 23:27:09 UTC
Permalink
Post by George Ou
Ah, good point. I hope they start doing it soon.
I just can't understand all these people that are vehemently against
authentication. There are valid arguments on how spammers will work around
the authentication barrier, but I just can't imagine in any circumstance
that authentication would do anything but push us in the right direction.
What in the world could be wrong with any solution that defeats "mail from"
spoofing? That alone should justify domain level authentication regardless
of whether or not it will directly curtail spam or not.
There are quite a few of us who have nothing much against these
authentication schemes, only, as you imply, that we doubt they'll do
much any good in the fight against spam.

Since spam is the big problem it's hard to get interested much less
excited about proposals which are presented in anti-spam contexts
constantly whose best recommendation is that they won't do anything
much about spam but might be otherwise helpful somewhere/somehow.

Why don't they just take all these SPF/CallerID/etc proposals to
anti-terrorism conferences since they'll still do just as much good
even if not much about terrorism?

Or anti-drug or money laundering or AIDS or hunger or whatever.

Oh well, I guess because the unifying issue is e-mail.

It's a distraction, that's all, and the more naive (particularly in
the media) get confused and think these non-spam initiatives are
initiatives against spam simply because they're appearing in anti-spam
contexts.

Well, hey, as I've said they're fairly harmless and lord knows nothing
else that's been done about spam in the past 10 years has had the
slightest overall effect other than perhaps emboldening spammers and
making the more skillful of them more valuable by raising the bar a
little on what it takes to get spam through.
--
-Barry Shein

Software Tool & Die | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
Alan DeKok
2004-06-26 13:25:13 UTC
Permalink
Post by Barry Shein
There are quite a few of us who have nothing much against these
authentication schemes, only, as you imply, that we doubt they'll do
much any good in the fight against spam.
Once again, they're not designed to stop spam. Anyone who claims
that they are designed to stop spam is wrong.

What they WILL stop is forgery, and garbage bounces. I'm now
getting a few bounces a day to my personal account from forgeries.
MARID/LMAP/whatever can stop these in their tracks, before they become
as bad a problem as the rest of the spam.

I know people who are getting 10^6 bounces/day. Stopping those will
have significant positive effects on their networks and daily expenses.
Post by Barry Shein
Since spam is the big problem it's hard to get interested much less
excited about proposals which are presented in anti-spam contexts
constantly whose best recommendation is that they won't do anything
much about spam but might be otherwise helpful somewhere/somehow.
So come up with a proposed solution, and stop complaining that
systems which aren't intended to stop spam don't stop spam.
Post by Barry Shein
It's a distraction, that's all, and the more naive (particularly in
the media) get confused and think these non-spam initiatives are
initiatives against spam simply because they're appearing in anti-spam
contexts.
That's their tough luck.

Alan DeKok.
Barry Shein
2004-06-29 23:42:29 UTC
Permalink
Well this might be interesting if my comments weren't in response to
the US FTC report declaring methods like SPF et al preferable or
pre-requisite to do-not-spam lists for fighting spam.

You're shadow-boxing, it's not I who conflated the issues, it was the
us federal agency who apparently was tasked with dealing with it
(perhaps not the only, but certainly one of the most visible.)

That's a bit more than important than a sweep of the hand "oh well so
they're confused" seems to merit.

Forgery is serious. Cancer is serious. Kidnapping is serious.

Lots of things are serious.

That doesn't make them spam.

-b
Post by Alan DeKok
Post by Barry Shein
There are quite a few of us who have nothing much against these
authentication schemes, only, as you imply, that we doubt they'll do
much any good in the fight against spam.
Once again, they're not designed to stop spam. Anyone who claims
that they are designed to stop spam is wrong.
What they WILL stop is forgery, and garbage bounces. I'm now
getting a few bounces a day to my personal account from forgeries.
MARID/LMAP/whatever can stop these in their tracks, before they become
as bad a problem as the rest of the spam.
I know people who are getting 10^6 bounces/day. Stopping those will
have significant positive effects on their networks and daily expenses.
Post by Barry Shein
Since spam is the big problem it's hard to get interested much less
excited about proposals which are presented in anti-spam contexts
constantly whose best recommendation is that they won't do anything
much about spam but might be otherwise helpful somewhere/somehow.
So come up with a proposed solution, and stop complaining that
systems which aren't intended to stop spam don't stop spam.
Post by Barry Shein
It's a distraction, that's all, and the more naive (particularly in
the media) get confused and think these non-spam initiatives are
initiatives against spam simply because they're appearing in anti-spam
contexts.
That's their tough luck.
Alan DeKok.
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
der Mouse
2004-06-25 20:25:58 UTC
Permalink
It's not like it's going to cost a lot to comply.
Just ignoring patent issues.

...which is too high a price for some, such as me.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Markus Stumpf
2004-06-28 16:55:14 UTC
Permalink
Post by George Ou
When the top 500 domains of the world have valid Sender ID (Caller ID + SPF)
records, then they can easily collude to exclude any other domain that
doesn't have valid Sender ID records. Then everyone else would have to
comply with Sender ID if they wish to send mail to the top 500 domains.
Sooner would be better with me. Is this bullying? I hope so. It's not
like it's going to cost a lot to comply.
We get tons of legal email each day from aol.com, hotmail.com,
yahoo.com, ... that is forwarded from other accounts and we have a large
number of customers that forward all of their emails from the mailboxes
they have with us.

If the top 500 domains will comply to SPF or MARID or Sender-ID oder
Call-ID spammers *may* stop abusing those domains. But they will not as
long as a large enough percentage of the MTAs is not *blocking* based
on those information. And then they will switch over to Joe Lusers
domains that have no SPF records or have "send from all" records. So
SPF/MARID/Caller-ID will help the big ones and shift the load to the
small domain owners, that's why all those are IMHO not a solution of any
kind.

In DE we have 6,900,000 domains vs. 144582 non-bogus IP adresses whose
hosts are used in MX records of those domains. An authorization scheme
based on IP addresses will be more effective, more fair and much faster
deployed than any domain name based scheme. Even more as the percentage
of MTA runs by clueful people by far higher than the percentage of
domain owners that know what they need to have in X/Y/Z records for
their domain.

And to repeat myself: anything else than *blocking* spam mails at SMTP
level is a big mistake, as it shifts liability from the sender to the
receiver. It is the liability of the sender/admin to assure that no spam
is passing the server under his control. It is not my liability to sort
zillions of emails each day - even with the help of content filters that
have false positives - nor do I want to bear the costs of sorting this
crap - and those of receiving, neither.


\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
Peter J. Holzer
2004-06-28 19:11:58 UTC
Permalink
Post by Markus Stumpf
In DE we have 6,900,000 domains vs. 144582 non-bogus IP adresses whose
hosts are used in MX records of those domains. An authorization scheme
based on IP addresses will be more effective, more fair and much faster
deployed than any domain name based scheme.
I agree with that in principle. For the early adopters, the situation
could be reversed. For example, I can easily add a spf record to my
hjp.at domain. I'm not sure if I can get my provider to add mta-mark
records for my 8 IP addresses (I can't get them to delegate reverse DNS
to me, I already tried that).

In reality, I think, an IP-based scheme and a domain-based scheme
should be implemented. They have different strengths:

* A domain-based scheme protects the domain. By publishing an SPF record
for hjp.at I protect my domain from being abused by spammers and
worms - that will safe me from lots of bounces. (IF spf is actually
used to reject messages at the SMTP level)

* An address-based scheme protects an IP range. By publishing
_send._smtp._srv TXT "0" records, a provider prevents spammers and
worms from abusing these machines - which will safe his abuse team
from lots of mails and calls (IF mta-mark is actually used to reject
messages at the SMTP level).

Mostly I think, MTA-Mark will be beneficial to business customers of
cable- and dsl providers. They are often in the same address block as
private customers, so they are increasingly blocked by DULs. If MTA mark
was widely deployed, DULs would become obsolete and MTA mark can be much
more fine-grained.

hp
--
_ | Peter J. Holzer | I think we need two definitions:
|_|_) | Sysadmin WSR | 1) The problem the *users* want us to solve
| | | ***@hjp.at | 2) The problem our solution addresses.
__/ | http://www.hjp.at/ | -- Phillip Hallam-Baker on spam
Markus Stumpf
2004-06-28 21:54:14 UTC
Permalink
Post by Peter J. Holzer
* A domain-based scheme protects the domain. By publishing an SPF record
for hjp.at I protect my domain from being abused by spammers and
worms - that will safe me from lots of bounces. (IF spf is actually
used to reject messages at the SMTP level)
Out of 6,900,000 DE domains, how many owners of that domains will
be able to produce correct SPF records? How many of them will be
able to put them into their domain?
We manage about 25000 domains for our customers. I'd guess roughly
5% of them will be able to provide enough and correct information
for *us* to add the records for them.
They use on demand dialin accounts where they get the mailserver to use
per PPPoptions. They use 10 different providers a week to dialin. Do you
expect they know which IP addresses to add to their SPF records?

We have a contact sheet that is in the error message for blocked
messages *only* to the space.net domain. About 50% of the contacts
don't know what an IP address is and wither use "www.example.org"
or "hu? what is an IP address?".

So, how fast do you wish to deploy a SPF like mechanism and who will
benefit from it? And it is so easy for spammers to use the 90% of
domains without SPF records and abuse them. From recent statistics I
have made from out mailserver only a total of 15% of the spam mails
is from the "big players" ... all else are tiny domains or throwaway
domains. And: SPF like schemes only help with accredidation systems,
as it does not prvent spammers from buying 5000 domains like
excitinginternetnews.com
excitingproductline.com
excitingproductpromotion.com
excitingpromotion.com
exclusiveassistance.com
exclusivenetnews.com
enormousdistributor.com
enormousmagic.com
enormousproductservices.com
famousproductservices.com
fascinatingassistance.com
fascinatingpromotions.com
[ ... ]
adding shot-TTL SPF records and blasting them through 0wned hosts.
Oh, I forgot, then you have authentity and can make the owner of the
domain liable, like in
Administrative Contact:
Huang GuiFang
#101 Unit 1 NO.12 Century Garden,
Long cheng Str.
Shun Cheng district
Fu shun Liaoning 113006
China
tel: 86 413 7480040
fax: 86 413 7480040
***@126.com
or how about
Administrative Contact
Leduc Jean
Mr Jean Leduc
Azareih Bldg
Beirut (LB)
8402 2045
9611303822
9611303823
Post by Peter J. Holzer
Mostly I think, MTA-Mark will be beneficial to business customers of
cable- and dsl providers. They are often in the same address block as
private customers, so they are increasingly blocked by DULs. If MTA mark
was widely deployed, DULs would become obsolete and MTA mark can be much
more fine-grained.
MTAMARK will be most useful to protect non-dialup IP space. Dialup IP
space probably should have port 25 outgoing blocked.

\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
Peter J. Holzer
2004-06-29 12:34:51 UTC
Permalink
Post by Markus Stumpf
Post by Peter J. Holzer
* A domain-based scheme protects the domain. By publishing an SPF record
for hjp.at I protect my domain from being abused by spammers and
worms - that will safe me from lots of bounces. (IF spf is actually
used to reject messages at the SMTP level)
Out of 6,900,000 DE domains, how many owners of that domains will
be able to produce correct SPF records? How many of them will be
able to put them into their domain?
Did you notice that IF in capital letters? Yes, that's a big if. If SPF
is never deployed to such a degree that it is actually used to reject
mail, it is useless to those who publish SPF records.

I am an egoist, however, and I don't care about the 6.9 million DE
domains (or the few hundred K AT domains), I care about my domain. If
publishing an SPF record saved me from a significant portion of bounces,
I would be happy (I'm just rather sceptical whether that will be the
case).

Yes, SPF won't make a dent in spam. It is too easy to circumvent, and it
shouldn't be touted as an "anti-spam measure". It's an anti-joe-job
measure, nothing more.
Post by Markus Stumpf
Post by Peter J. Holzer
Mostly I think, MTA-Mark will be beneficial to business customers of
cable- and dsl providers. They are often in the same address block as
private customers, so they are increasingly blocked by DULs. If MTA mark
was widely deployed, DULs would become obsolete and MTA mark can be much
more fine-grained.
MTAMARK will be most useful to protect non-dialup IP space. Dialup IP
space probably should have port 25 outgoing blocked.
Whatever "dialup IP space" may be. Real dial-up IP space (phone line or
ISDN) is IMHO a small and decreasing problem. Dial-up users have little
bandwidth and they aren't long enough online to cause real trouble.

The problem are DSL and cable accounts. They have enough bandwidth, they
are online for many hours, often around the clock, some of them do have
static IP addresses, and they are often operated by people who don't
recognize a security problem if it jumps into their face and bites their
nose off.

However, not all of them are clueless. Some of them do know how to run a
mail server, they have a static IP address, and they prefer (for privacy
or even reliability(!) reasons) to run their own mail server. The
trouble is, you cannot currently distinguish them from their neighbours.

This is where MTAMARK comes in. If, for example, chello (I use them as
an example, because at least one of their address ranges is included in
the SORBS DUL) marks their whole IP range as "doesn't send mail" and
their customers can easily call the helpdesk and say "I want to run a
mail server - please add an MTAMARK record for my IP address", that
would be acceptable to both the customer and the provider. Blocking port
25 on a per-IP basis is probably not feasible, and generally blocking
port 25 for an address block which contains server accounts will get
them in legal trouble.

hp
--
_ | Peter J. Holzer | I think we need two definitions:
|_|_) | Sysadmin WSR | 1) The problem the *users* want us to solve
| | | ***@hjp.at | 2) The problem our solution addresses.
__/ | http://www.hjp.at/ | -- Phillip Hallam-Baker on spam
George Ou
2004-06-28 19:37:48 UTC
Permalink
----- Original Message -----
From: "Markus Stumpf" <maex-lists-spam-ietf-***@Space.Net>
To: "George Ou" <***@netzero.com>
Cc: "Markus Stumpf" <maex-lists-spam-ietf-***@Space.Net>; <***@ietf.org>
Sent: Monday, June 28, 2004 9:55 AM
Subject: Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
Post by Markus Stumpf
In DE we have 6,900,000 domains vs. 144582 non-bogus IP adresses whose
hosts are used in MX records of those domains. An authorization scheme
based on IP addresses will be more effective, more fair and much faster
deployed than any domain name based scheme. Even more as the percentage
of MTA runs by clueful people by far higher than the percentage of
domain owners that know what they need to have in X/Y/Z records for
their domain.
That is a misleading number even if it is accurate. What happens when
you're collocating your domain with others on the same IP address? If you
black list an IP address that was being shared by 100 virtual domains, that
has too much collateral damage for the 99 other well behaving domains that
might be sharing the same IP address with the one bad apple. Black listing
a domain name in a post domain level authentication world is far more
effective. It would not matter if that domain moved to a new IP address.
However, there are times that IP level blocking is appropriate. Ultimately,
IP and Domain level blocking will be small piece of the treatment for spam.
Sender ID and Domain Keys are just a new weapon we have in fighting spam.
It doesn't replace all of the current effective techniques of combating
spam, it complements them.

George
Markus Stumpf
2004-06-28 22:23:17 UTC
Permalink
Post by George Ou
That is a misleading number even if it is accurate.
It is accurate. See the posting of last week:
http://www1.ietf.org/mail-archive/web/asrg/current/msg10425.html
And it is NOT misleading.
Post by George Ou
What happens when
you're collocating your domain with others on the same IP address? If you
black list an IP address that was being shared by 100 virtual domains, that
has too much collateral damage for the 99 other well behaving domains that
might be sharing the same IP address with the one bad apple.
It is about admins giving other admins a hint, as whether that IP address
is meant to be a MTA sending to other MTAs or not. For DE it reduces
- with the assumption of count(receiving MTA) approx. count(sending MTA) -
the number of IP addresses I accept eMails from, from some million to
about 150000.
DNSBLs don't care about virtual domains right now. If a server is abused
it is blacklisted and that is the only correct method until the admin
takes action. But we're not talking about DNSBLs here, but about owners
of IP space giving hints.

And about collateral damage: this will lead to a cleanup. "colocators"
with a rented PIII and 100 virtual domains with dumping prices and no
monitoring or caring or abuse handling will die and leave room for
responsible people with servers closely maintained and monitored.
Problem solved.
Post by George Ou
Black listing
a domain name in a post domain level authentication world is far more
effective. It would not matter if that domain moved to a new IP address.
Moving a "legal" domain will be a pain, as you would have to update your
SPF records to have the new IP address listed. Changing ISPs even with
100 domains will become a nightmare for resellers.
Post by George Ou
However, there are times that IP level blocking is appropriate. Ultimately,
IP and Domain level blocking will be small piece of the treatment for spam.
Sender ID and Domain Keys are just a new weapon we have in fighting spam.
It doesn't replace all of the current effective techniques of combating
spam, it complements them.
No they don't. They open a wide new field for post Sender ID and Domain
Key systems that are needed to accredit the information in the SPF
records or you will be vulnerable to "throwaway domains". 1000 domains
for USD 5000 (or even cheaper) leaves a lot of room. Short-TTL *valid*
SPF records pointing to a network of 150000 abused DSL hosts
http://www.wired.com/news/business/0,1367,60747,00.html
http://www.circleid.com/article/162_0_1_0_C/
that is highly adaptable. For that SPF, Caller-ID, DomainKeys et all
will not change a thing without additional accreditation services.

And one day, not too far away, DNS queries will outnumber SMTP and HTTP
even in bandwidth ;-P

\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
George Ou
2004-06-28 22:57:51 UTC
Permalink
----- Original Message -----
From: "Markus Stumpf" <maex-lists-spam-ietf-***@Space.Net>
To: "George Ou" <***@netzero.com>
Cc: "Markus Stumpf" <maex-lists-spam-ietf-***@Space.Net>; <***@ietf.org>
Sent: Monday, June 28, 2004 3:23 PM
Subject: Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
Post by Markus Stumpf
And about collateral damage: this will lead to a cleanup. "colocators"
with a rented PIII and 100 virtual domains with dumping prices and no
monitoring or caring or abuse handling will die and leave room for
responsible people with servers closely maintained and monitored.
Problem solved.
Well, it just doesn't work that way since there will always be a need for a
small shop to collocate at a cheap price. So long as there is a demand for
that, that will not change.
Post by Markus Stumpf
Moving a "legal" domain will be a pain, as you would have to update your
SPF records to have the new IP address listed. Changing ISPs even with
100 domains will become a nightmare for resellers.
Ah c'mon, that is a totally bogus argument. Moving a "legal" domain to a
different ISP already entails changing the authoritative DNS server, all the
"A" records such as www, MX records, and a whole bunch of other things in
DNS. So what if you have to change the SenderID records too while you're at
it.
Post by Markus Stumpf
No they don't. They open a wide new field for post Sender ID and Domain
Key systems that are needed to accredit the information in the SPF
records or you will be vulnerable to "throwaway domains". 1000 domains
for USD 5000 (or even cheaper) leaves a lot of room. Short-TTL *valid*
SPF records pointing to a network of 150000 abused DSL hosts
http://www.wired.com/news/business/0,1367,60747,00.html
http://www.circleid.com/article/162_0_1_0_C/
that is highly adaptable. For that SPF, Caller-ID, DomainKeys et all
will not change a thing without additional accreditation services.
I think we already went through this many times on this group. Those throw
away domains can potentially be blacklisted in near real time just like a
unique piece of spam is blocked based on it's pseudo-hash by DCC. However,
using DCC to black list a domain is far more reaching than black listing a
single message based on it's hash. Currently, DCC cannot be used to
blacklist domains because the sender domain can be spoofed. The fact of the
matter is, you can already block 99.9% of spam with almost zero false
positives just using spam assassin and DCC (or some expensive appliance that
essentially does the same thing). SenderID would just make DCC that much
more effective.

If that isn't effective enough, then some form of accreditation service
would be needed. Two possible mechanisms for achieving this is some form of
"bonded sender" or tying the owner's biometrics to the domain.

In the "bonded sender" case (which was proposed before domain authentication
was widely known but would have been useless then), you put up say $1000 per
domain in a bond that you promise not to abuse email with your domain. You
loose the $1000 if you do.

In the second example, if I didn't want to put up the $1000 bond then I
could digitally certify my photo and finger prints (encrypted so only law
enforcement to open) with my domain name. This would make it very easy to
track me down if I break any spam laws. This second option would probably
work better in a post Domain Keys world because every message I send is
digitally signed by my domain's outbound SMTP server. Any piece of spam
that I send would have my digital finger print on it.



George
Alan DeKok
2004-06-30 14:59:12 UTC
Permalink
Post by Markus Stumpf
If the top 500 domains will comply to SPF or MARID or Sender-ID oder
Call-ID spammers *may* stop abusing those domains. But they will not as
long as a large enough percentage of the MTAs is not *blocking* based
on those information. And then they will switch over to Joe Lusers
domains that have no SPF records or have "send from all" records. So
SPF/MARID/Caller-ID will help the big ones and shift the load to the
small domain owners,
... who will then have an incentive to update their systems. In
addition, most of the mail is to/from a few common domains. Therefore
SPF, etc. will protect the majority of mail, and ISP's can treat large
volumes of messages from unknown senders with great suspicion.

This means more legitimate email may be passed through fewer content
filters, and more spam may be passed through more stringent content
filters.
Post by Markus Stumpf
that's why all those are IMHO not a solution of any kind.
That statement does not follow from the previous description.
Post by Markus Stumpf
And to repeat myself: anything else than *blocking* spam mails at SMTP
level is a big mistake, as it shifts liability from the sender to the
receiver. It is the liability of the sender/admin to assure that no spam
is passing the server under his control.
Please describe how I, as a recipient, can ensure that the sender is
doing such blocking.
Post by Markus Stumpf
It is not my liability to sort zillions of emails each day - even
with the help of content filters that have false positives - nor do
I want to bear the costs of sorting this crap - and those of
receiving, neither.
SPF can make this process cheaper for the recipient, who is
*already* spending CPU cycles doing content filtering, because
nothing else will stem the tide of garbage.

Alan DeKok.
Peter J. Holzer
2004-07-01 19:48:44 UTC
Permalink
Post by Alan DeKok
Post by Markus Stumpf
And to repeat myself: anything else than *blocking* spam mails at SMTP
level is a big mistake, as it shifts liability from the sender to the
receiver. It is the liability of the sender/admin to assure that no spam
is passing the server under his control.
Please describe how I, as a recipient, can ensure that the sender is
doing such blocking.
I believe you misunderstood Markus: The Recipient's MTA should block
(reject) the message instead of accepting it and then send it to
/dev/null (or worse, bounce). If the recipient's MTA rejects the
message, it is the sender's MTA who has the responsibility of informing
the sender of the failure.

hp
--
_ | Peter J. Holzer | I think we need two definitions:
|_|_) | Sysadmin WSR | 1) The problem the *users* want us to solve
| | | ***@hjp.at | 2) The problem our solution addresses.
__/ | http://www.hjp.at/ | -- Phillip Hallam-Baker on spam
Alan DeKok
2004-07-02 14:16:57 UTC
Permalink
Post by Peter J. Holzer
I believe you misunderstood Markus: The Recipient's MTA should block
(reject) the message instead of accepting it and then send it to
/dev/null (or worse, bounce). If the recipient's MTA rejects the
message, it is the sender's MTA who has the responsibility of informing
the sender of the failure.
It's difficult for the recipient to do this. The mail may be
rejected or discarded by filters at the final destination, and that
information never makes it back to the sender.

Lack of negative feedback is a contributing factor to spam.

Alan DeKok.
Peter J. Holzer
2004-07-03 13:36:31 UTC
Permalink
Post by Alan DeKok
Post by Peter J. Holzer
I believe you misunderstood Markus: The Recipient's MTA should block
(reject) the message instead of accepting it and then send it to
/dev/null (or worse, bounce). If the recipient's MTA rejects the
message, it is the sender's MTA who has the responsibility of informing
the sender of the failure.
It's difficult for the recipient to do this.
Granted. But that doesn't mean that it shouldn't be tried.
Post by Alan DeKok
The mail may be rejected or discarded by filters at the final
destination, and that information never makes it back to the sender.
Which is why it should not be filtered at the final destination but at
the earliest possibility.

For example, we have two mail servers: One which is listed as MX for our
domains, and one where the mailboxes of the users are and which users
use to send mail (actually, there are more, but these are sufficient to
illustrate the point).

So there are three places where mail can be categorized into spam and
ham: At the MX, at the mailbox-server, and at the MUA.

Most of our users use Mozilla, which has a bayesian junk filter and can
also filter according to various other criteria. That's simple for the
user. But they still get all thoses spams and they may occassionally
miss a legitimate mail because it has been erroneously classified as
spam. If that happens, neither they nor the sender is notified about it
(Mozilla cannot "reject" a message).

On the mailbox server, we also run Spamassassin to mark messages as spam or
non-spam. We could reject messages here, but we don't. All incoming
messages are coming from out MX which would have to generate a DSN.
So there is no feedback at this stage, either.

Everything we can check at the MX we check there: Does the recipient
exist? Does the sender's domain have an A or MX record? Is it in a
black- or whitelist? Is the IP address in a black or whitelist? Is the
HELO parameter in a blacklist? Greylisting, Virus-Checks, A spamassassin
with custom rules to match common bogus virus warnings, ...

By "pushing out" all checks as far as possible, we try to give feedback
to the real sender and not to some poor sod who has been joe-jobbed.

Spammer ratware may or may not record the 4xx and 5xx error codes.
But a legitimate MTA will notice them and generate a bounce to the
sender. This will usually be the real sender, because legitimate MTAs
accept only mails from their own, authenticated (sometimes weakly)
users. So a sender who's mail as erroneously caught by anti-spam
measures on our MX will be notified, but a sender who's mail wasn't read
by a user because it was moved to the "junk" mailbox by the MUA's
filter, won't. And we don't send out bounces to random faked addresses.

Tests for SPF, MTA-MARK etc. would be done on the MX, too.

There are a few tests we can't do at the MX (yet):

I haven't figured out a way to do bayesian filters: They require
feedback from the user. My current idea is to replicate the
training-files from the users (we can do this, because they are on an
SMB-share, not the user's local hard disks), but if we reject mails
based on the bayesian filters, the users will get only correct ham and
false negatives, not correct spam or false positives. Thus the samples
on which the training-files are based will be very lopsided.

Even if I can solve that I don't know how to treat mails to aliases
which expand to several users: Reject it if it had been rejected for
more than half of the individual recipients?

hp
--
_ | Peter J. Holzer | I think we need two definitions:
|_|_) | Sysadmin WSR | 1) The problem the *users* want us to solve
| | | ***@hjp.at | 2) The problem our solution addresses.
__/ | http://www.hjp.at/ | -- Phillip Hallam-Baker on spam
Continue reading on narkive:
Loading...