The Anti-Spam Research Group's Plan for Spam
egoff writes "Speaking of standards, the ASRG, a member of the IETF, has a plan for "consent-based communications." Among the suggestions, according to Internet Week, are authentication services for falsified addresses, trusted senders, reputation systems (karma?), opt-out tools, best practices for challenge/response, and even a proposal for micropayments on unwanted mail. Instead of defining spam, the ASRG wants to provide administrators and users the tools necessary to avoid what they consider to be unwanted. One of the tools, Reverse MX, is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf."
This new mechanism will help eliminate forged e-mail from-fields though, and allow for easier message filtering.
I have a real aversion to the idea of paying to send email of any type, so any method that is not in that vein is progress in my opinion.
E-Mail isn't anonymous, and never has been, (your IP is traceable back to you) unless you use an anonymous remailer.
If SMTP2 or whatever is successful, then people will make anonymous remailers for it.
Nothing to see here; Move along.
Sorry, but spam won't peter out until we run out of idiots--after all, the best way to make money spamming is to sell tools and lists to spammer wannabes.
Given the hordes of people yet to go online, I don't think we'll run out of idiots in our lifetime.
Remain calm! All is well!
No. The reply-to field is for directing replies to an address different from your own, not for indicating who sent the e-mail. Mailing list servers and private whitelists generally check against the From field.
Sure, I could - but Joe Average wouldn't know how to, nor should he have to.
Right now, part of the problem is that ISPs and users are bearing the cost of spam. In the end, any of the costs to the ISPs are passed on to their customers. Making us pay to send is going to cut down on the usefulness of e-mail to legitimate users. If I have to pay by the message, I'm going to think twice about a quick note to a friend asking if he wants to meet for lunch. I'll pass along fewer cool URLs.
On the flip side, spammers will still send from addresses that can't be collected from. Many spammers are willing to harass people, steal the bandwidth they've paid for, and lie to people about everything from the return address on the e-mail to the fact that the opt-out procedure is actually just a verification that they have a live address. We won't even go into their claims about the efficacy of the products they sell. Is it even a stretch to believe that they will continue to lie to ISPs and defraud them of payments for the e-mail they send?
Micropayments for e-mail would kill it.
The net will not be what we demand, but what we make it. Build it well.
No, you miss the point. The point is to check that the from/sender address is valid. Yes, a spammer can use THEIR domain from any machine, so what? They have to identify their domain. Not my domain for the receiver to accept their email. Yes, they can set it up and I will get the spam, but for the first time I will be able to trace where it came from. Ah, but you say they just bought the domain on a stolen CC card. Yes, perhaps they did, but we are starting to get a paper trail to the spammer, who would also be a criminal if they did that.
This is a first step to fighting spam: "knowing your enemy". The war will continue.
James
You know, I wouldn't mind receiving advertisements in email if:
1. They were about things I gave a damn about
2. They were marked (like ADV:) for easy filtering
What bothers me about spam are the violations of those two.
That's just you. For many people, the mere volume of unwanted traffic is a major problem. Consider somebody in a third world country[1] on a slow dial-up connection for which they have to pay enormous amounts of money in local terms. Or somebody who has to use webmail, with an awful inefficient interface, because they can't afford a regular ISP.
[1] Or Germany, until recently!
Have you got your LWN subscription yet?
Christ, who do you think is paying for any of this shit? US!!
Mail agents like Mozilla will have to become more sophisticated about what mail relays they use when sending mail. Suddenly it's not okay to send both your personal e-mail and your work-from-home e-mail through your DSL ISP's mail server since your work domain DNS will claim no relationship with your DSL ISP's server.
:-)
Could Mozilla use RMX to determine on the fly what relay to use? It sees that you're sending from a @slashdot.org address, so it does an RMX lookup on slashdot.org and discovers the IP of all the relays for that address. Ah, a nice clean new standard... the desire to abuse it is overwhelming.
An ironic side effect is that mail administrators are going to have to open up more holes in their relays. Your users can't just bounce mail off their random ISPs anymore. They have to use the real corporate mailserver now, which means you can't just lock things down by IP address such that only internal corporate users can use the relay.
You can set up an SSL-authenticating posting SMTP server that allows relaying from you. It being authenticating means it only works from your laptop. It's also a Good Thing (TM), cos it will queue any messages for you, so you can disconnect from the network and it will worry about delayed messages.
James
The reason it works better than existing checks is that it doesn't just verify that the sender's claimed domain exists (has an SOA or maybe MX record), but also if the new RMX record exists, it can verify that the IP address of the initiator of the SMTP connection is authorized to transfer email on behalf of that domain.
This is a great idea, because it can be phased in gradually. Owners of domain names that are commonly used fraudulently (e.g., hotmail.com) can add the RMX and APL records to their DNS, and then any MTAs that use RMX verification can determine whether the machine sending the mail is authorized. MTAs that don't use RMX are unaffected and will still receive mail regardless of RMX records. If a domain doesn't have an RMX record, a spammer can still forge mail from that domain, because even an RMX-enabled MTA will accept mail from that domain (though if RMX catches on, someday that may change).
If new versions of MTAs have RMX enabled by default, eventually more and more domain owners will respond to complaints about spam forged from their address by adding RMX records to their DNS.
Let's hope that sendmail, qmail, postfix, exchange, etc. implement this soon!
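The receiver-side check described in the comment above, as an added example that is not part of the original thread and not code from the ASRG or the RMX proposal: the DNS lookup is replaced by a constructed in-memory table of APL-style prefixes (RFC 3123 text form), and `check_sender`, `parse_apl_item`, `demo` and all domains and addresses are illustrative assumptions.

```python
import ipaddress

# Constructed stand-in for DNS: sender domain -> APL-style items
# ("afi:prefix", afi 1 = IPv4, 2 = IPv6). A real MTA would fetch these
# over DNS; the domains and addresses here are documentation values.
AUTHORIZED_SENDERS = {
    "example.com": ["1:192.0.2.0/28", "2:2001:db8:25::/64"],
    "bulk-mailer.example": ["1:198.51.100.7/32"],
}

def parse_apl_item(item):
    """Turn '1:192.0.2.0/28' into an ip_network, checking the family tag."""
    afi, _, prefix = item.partition(":")
    net = ipaddress.ip_network(prefix, strict=False)
    if {"1": 4, "2": 6}.get(afi) != net.version:
        raise ValueError(f"address family mismatch in {item!r}")
    return net

def check_sender(mail_from, client_ip, records=AUTHORIZED_SENDERS):
    """Return 'pass', 'fail' or 'none' for an envelope sender and peer IP."""
    domain = mail_from.rpartition("@")[2].lower().rstrip(".")
    items = records.get(domain)
    if items is None:
        # Domain publishes nothing: during a phased rollout the receiver
        # accepts the mail exactly as it does today.
        return "none"
    ip = ipaddress.ip_address(client_ip)
    nets = [parse_apl_item(i) for i in items]
    ok = any(ip in n for n in nets if n.version == ip.version)
    return "pass" if ok else "fail"

def demo():
    """Constructed SMTP sessions: (envelope sender, connecting IP)."""
    cases = [
        ("alice@example.com", "192.0.2.5"),            # real outbound relay
        ("alice@example.com", "203.0.113.9"),          # forged from elsewhere
        ("bob@unlisted.example", "203.0.113.9"),       # no record published
        ("offers@bulk-mailer.example", "198.51.100.7"),  # sender's own domain
        ("ceo@example.com", "192.0.2.9"),              # forged inside domain
    ]
    return [(s, ip, check_sender(s, ip)) for s, ip in cases]

if __name__ == "__main__":
    for sender, ip, verdict in demo():
        print(f"{verdict:5} {sender} from {ip}")
```

The last two cases pass: the check ties a message to a domain that authorized the sending host, so a bulk sender using its own domain and a forgery from inside an authorized range are both accepted, which matches the limits other commenters in this thread point out.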
Who "authorizes" my machine to send mail? DHCP on cable modems is evil enough. What new hoops are people thinking of to enforce the "client" nature of all but commercial machines?
Friends don't help friends install M$ junk.
It still doesn't make sense. You're asking admins with open relays to make DNS changes. If they don't want to close their open relays, what makes anybody think they'd be willing to make a DNS change?
Sounds like the "Evil Bit" RFC -- it would work fine if we could just get all the bad guys to cooperate.
Saving random seed...
How about good old-fashioned shunning. Spammers should not be welcome anywhere. Anywhere you have the right to turn them away, you should. Tell their neighbors who they are and what they do. Send them a thoughtful letter explaining why you disapprove. Include copies of every page from several anti-spam web sites. Cut them off in check out lines in grocery stores. Get their cars towed immediately when their parking meters expire. When choosing a fake e-mail address when posting to Usenet, use one that belongs to a spammer.
The internet started on a model of trust. We know we can't trust the spammers and we knock ourselves out trying to implement that distrust. All the while we operate in a manner the spammers can fully trust: if a system says it's an open relay it really is, if a system is secured against being an open relay it proudly proclaims as much. We're just as honest about open proxies. We assist the spammers thousands of times a day by being trustworthy. Isn't that exactly why they find it so easy to commit abuse? We keep being honest and trustworthy with the spammers - we help them. Stop doing things that lead to our being hurt, start doing things that hurt the spammers. It's an easy and logical progression to make.
It's time to destroy the spammers' trust in us. This should have no impact on anything legitimate: it's targeted on the spammers. Those who never go looking for open relays will never be deceived by fakes - it's only the spammers who fall victim to the deceit. Same for open proxies - who goes looking for them other than abusers? Doesn't that seem to be exactly right - harm those who would do harm, don't touch the rest? There are behaviors that only spammers exhibit. Target those, make life miserable for the spammers.
The ASRG methods, all of them, are designed to be the same for everyone - they are targeted on what spammers and non-spammers do in common and then are supposed to make use by the non-spammers impossible. To do that everything will have to be changed. That will take years and it will take nearly full compliance to be effective. It will be like the "secure open relays" campaign of a few years ago. To actually stop spam that had to be universal, or very nearly so. Instead there are still hundreds of thousands of open relays, more pop up every day. How many years for full compliance? Alternately there may have to be a D-day for a total switchover - a source of huge complexity and disruption. Before committing to that isn't it necessary to make sure there is not something less drastic which will work to end spam?
If instead people opposed to spam change their behavior toward the things spammers and only spammers do then ordinary email can be left as it is - if those behavior changes end spam. Foremost of the behavior changes would be stop ignoring spammer abuse. Spammer abuse is an easy target, an easy path to hitting spammers and completely missing non-spammers. Spammers have two choices: spam direct or spam via abuse. If you knock down spam via abuse then they're left with direct spam. That you can hit adequately using blocklists. ASRG wants to make spam impossible by making every single spam message impossible. That's overkill - it's only necessary to make spam cost more than it returns. That can be done - without a total reengineering of the system.
The big question is: are anti-spammers smart enough to stop spammers by going after the abuse? I say they are, when you include in "anti-spammers" all the people that do not like spam. The alternative position would seem to be that anti-spammers are smart enough to stop spam by changing the entire internet but not by doing anything lesser. I can't agree to that - not unless those limited-intelligence people explain why that is. Isn't there the roots of a paradox in that?
... but how would you tell the difference? And you would still be able to use your email address as an identifier from anywhere, provided that you use the correct mail server.
It would also be very convenient if you could change the caller-ID of the phone you are dialling from to your home phone number, when dialling from a friend's house or from work...
Most mass-mailing worms send infected email with a forged sender address. It seems this technique can stop a large number of these emails too (except when the domain of the forged address is the same as the domain of the real one). This reduces the number of complaints against the wrong person for sending a virus.
Whatever. His basic statement is to ditch your existing email, get a new one, get a couple of others for misc purposes, and never give out your email address.
:).
Go Hide.
Bad answer to spam my friend. And frankly, it IS bullshit. I have had my email since 1992. It is me @ my domain. I absolutely positively REFUSE to give it up.
IT IS MINE.
I won't jump through hoops and do this and that for the spammers to hide from them. I also just happen to have hundreds of spam trap addresses and they silently eat the spam and block the IP subnets. No questions asked. Hoops like this I'll jump through -- because logically it is more fun than "just hit delete". I personally like a good challenge.
The only way to get unblocked is a phone call to me. I have been doing it this way for a while (years) and have gotten now four (4) such calls across a half a dozen domains I manage. I see maybe 1 spam a week now.
There are, however, THOUSANDS of attempts daily and ~100 new subnets being added daily (recently). Shortly I'll have ALL the dialup & dsl lines identified across the entire Internet. Sad really.
I personally like the RMX record setup myself. I've always questioned why it isn't like this already. Can the spammers themselves properly set up a mail server and spam away? Sure. I can also block them that much easier. It's going to be a LOT harder for them to move around all the time. Hijacking dialups and just using them will no longer work (and this has been their #1 method to date). The #2 method, hijacking mail servers themselves, will continue, but their numbers are limited (if not already all blocked
This won't mean one more bit of work for the end dialup user moving from ISP to ISP (legit). It will mean another configuration for the domains, but if it works as planned? Problem seriously cut back if not solved.