Slashdot Mirror
The Anti-Spam Research Group's Plan for Spam
egoff writes "Speaking of standards, the ASRG, a member of the IETF, has a plan for "consent-based communications." Among the suggestions, according to Internet Week, are authentication services for falsified addresses, trusted senders, reputation systems (karma?), opt-out tools, best practices for challenge/response, and even a proposal for micropayments on unwanted mail. Instead of defining spam, the ASRG wants to provide administrators and users the tools necessary to avoid what they consider to be unwanted. One of the tools, Reverse MX, is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf."
"One of the tools, Reverse MX, is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf."
This would more or less force spammers to send from their own domains... Or from ISP's that are spam friendly.
It might not STOP spam (though blacklisting would be easier), but it'd make it traceable...
Which would make it easier to file complaints under the anti spam laws.
Corporatism != Free Market
1. They were about things I gave a damn about
2. They were marked (like ADV:) for easy filtering
What bothers me about spam are the violations of those two. I don't want emails about printer toner, or bigger schlongs. And I don't like having ads clutter up my inbox, where email from people I know and such belongs.
But if I could filter it all into an "Ads" mailbox, just like I have mailboxes for various mailing lists, I would scan the offers about stuff I might actually want. I'd be much more inclined to "click through" then, while my all-time number of click-throughs of spam email to date totals 0.
I like the idea; the problem is getting uptake on it. You need to encourage a lot of people. The way to do this is to get the "big" ISPs in on the scheme immediately. Participants should alter their mail transfer programs to tag the SUBJECT line of the messages with the word Untrusted. This will cause receivers to know, and significant embarrassment for those not participating...which will cause their mail system to be upgraded to participating status.
Unless the bad effects of not participating are directly visible (as in subject line), it's gonna take too long.
Spam is now the enemy. It must be destroyed. Here comes the IETF to solve the problem.
SMTP Next Generation is on its way. The only question is the exact design. The general outline is already known. First, there will be real-world verification of identity tied to every account capable of sending SMTP NG e-mail. There will be a transition period where people can sign up for "upgraded" (NG) e-mail accounts; then, a period where these "upgraded" accounts can receive e-mail from other NG accounts as well as from old, potentially anonymous accounts. Business and government users will transition to NG.
Then, there will be an Internet-wide deadline, upon which all NG e-mail addresses will be unable to receive e-mail except from other NG addresses. All SMTP old generation traffic will be blocked. The old base of mail users will be forced to transition to SMTP NG. At this point, if there is ever a complaint about spam, the spammer can be tracked down and booted off Internet e-mail forever. As a result, spam will cease to exist.
The day the Internet died. Sure, it will be more "efficient" then. No spam. But it won't be free.
Don't cry about it. It happens to all technology. Those who need anonymous communications will just move to something else. Maybe web-based discussion, for example. Just no more truly private, truly anonymous, or truly free e-mail.
Coming soon to your neighborhood.
Great write-up on RMX, brought to you by the same guy who came up with an easy way to snapshot.
Spam is simply not profitable enough to last much longer. It is the last of a dying breed of pioneering Internet money-making schemes like the pyramid scheme emails and banner ads. Eventually the spammers will move on to other means of money making because their revenue is guaranteed to drop off as their tactics turn more and more people off.
Instead of fighting the good fight here, the best thing to do is let this dying ember peter out on its own. Forcing spammers to use more drastic tactics just results in them doing more harm in the long run. If there had been no resistance at all, we'd probably be seeing a much more mature and respectable online advertising industry instead of the random, haphazard, and very annoying multitude of spam king wannabes downloading their spam kits and setting up shop.
I have been pwned because my
Here's your fly in the soup:
/me sees domains like a cat walking on your keyboard being used as throw-away domain for spamming. (lkjshret.com IN RMX 0/0)
It only works when receiving mail with an forged and uncooperative sender-address. Nothing will prevent a spammer listing 0.0.0.0/0 as authorized sender addresses provided he controls the DNS for the envelope-sender.
It will increase the cost of a spam-run, and that's good news. On second thought: I like it.
The RMX record can return any IP addresses that it wants, the receiving machine just does a DNS lookup on the originating address and makes sure that IP is authorized to send mail. Read the RFC for more details.
We already know who some of the spammers are. Heck, some of them have admitted it! What we need is good old-fashioned mob justice. If we all have a hand in the lynching, how are the coppers supposed to know who exactly did the killing? I suggest that we rename Saturday Spamurday. Every Spamurday we all mob the home of a spammer and lynch them in a very public manner. Soon, the spam should start dropping off, because who would dare risk their lives to mob justice to make a few bucks selling penis enlargers?
Cyde Weys Musings - Scrutinizing the inscrutable
The original discussion on Nanog can be found here or perhaps here. He originally had the proposal on his site (dead link) but he seems to have taken the page down, and I don't see any reference to him contributing to this draft.
Right now, part of the problem is that ISPs and users are bearing the cost of spam. In the end, any of the costs to the ISPs are passed on to their customers. Making us pay to send, is going to cut down on the usefulness of e-mail to legitimate users. If I have to pay by the message, I'm going to think twice about a quick note to a friend asking if he wants to meet for lunch. I'll pass along fewer cool URLs.
On the flip side, spammers will still send from addresses that can't be collected from. Many spammers are willing to harass people, steal the bandwidth they've paid for, and lie to people about everything from the return address on the e-mail to the fact that the opt-out procedure is actually just a verification that they have a live address. We won't even go into their claims about the efficacy of the products they sell. Is it even a stretch to believe that they will continue to lie to ISPs and defraud them of payments for the e-mail they send?
Micropayments for e-mail would kill it.
The net will not be what we demand, but what we make it. Build it well.
Mail agents like Mozilla will have to become more sophisticated about what mail relays they use when sending mail. Suddenly it's not okay to send both your personal e-mail and your work-from-home e-mail through your DSL ISP's mail server since your work domain DNS will claim no relationship with your DSL ISP's server.
:-)
Could Mozilla use RMX to determine on the fly what relay to use? It sees that you're sending from a @slashdot.org address, so it does an RMX lookup on slashdot.org and discovers the IP of all the relays for that address. Ah, a nice clean new standard... the desire to abuse it is overwhelming.
An ironic side effect is that mail administrators are going to have to open up more holes in their relays. Your users can't just bounce mail off their random ISPs anymore. They have to use the real corporate mailserver now, which means you can't just lock things down by IP address such that only internal corporate users can use the relay.
But here's the fun part: As a recipient, each user sets up their account with a "deposit price" for bypassing the whitelist. You can set that price to any amount in your currency of choice. As a sender, you can set the maximum amount that you're willing to pay, so that you don't suddenly get billed/debited/charged some outrageous fee. If someone who is not on your whitelist needs to send you an email, they pay a deposit. When you receive the email, you either accept it or reject it. If you accept it, you do not get paid; the sender keeps the deposit. If you reject it (meaning you've read the email and decided it was spam), the deposit paid by the sender is paid to you. It's enough to set the deposit to something like 50 cents. You'll probably get highly targeted emails at this price. I wouldn't mind risking 50 cents to send someone an email that I think they'll accept. You could set it to a few dollars to reduce the noise even further. But you could set it to any price you want. If you REALLY don't want email from sources not included in your whitelist, you could set the deposit to thousands of dollars. With this system, you'll be HAPPY to receive spam! And spammers either won't be able to afford it, or recipients will start making some money.
The RMX approach is certainly very interesting. Although not based on DNS I had previously asked an AOL postmaster for similar information about what servers could legitimately send mail from any aol.com domains. That simple step has allowed me to block almost 100% of all spam reporting to come from joerandomuser@aol.com. I've been looking for similar information from the other big ISPs that spammers love to forge but with little luck.
Of course there may be a few things that this breaks (not that they shouldn't be fixed to work a different way). One is email intermediaries. SMTP was originally designed to be store and forward, and it used to be quite common that mail took many sometimes unpredictable hops along its way...direct end-to-end connections were not nearly as unbiqutious as they are now. But there still are cases where an SMTP intermediate hop may exist for legitimate reasons, but which may be unknown to the sender; thus they would not be listed in the RMX access list.
Another "questionable" practice that would be affected are services like monster.com, which send mail (usually resumes) to subscribers (companies hunting employees), but forge the sender address as being the real address of the individual, not of monster.com itself. Thus monster.com forges mail from almost any domain all the time; even though that mail can hardly be described as "spam" since the individual being forged has authorized monster to do it, and the recipient is paying monster to recieve them... But that kind of practice would still be affected without some workaround.
Oh, and if you want end-to-end authentication why don't more SMTP servers use the STARTTLS (aka SSL) mechanism with REAL certificates just like web servers do? If this became standard practice then it would be much easier to do SMTP server authentication with existing technology, and in a way that is completely transparent to the users (MTAs).The internet started on a model of trust. We know we can't trust the spammers and we knock ourselves out trying to implement that distrust. All the while we operate in a manner the spammers can fully trust: if a system says it's an open relay it really is, if a system is secured against being an open relay it proudly proclaims as much. We're just as honest about open proxies. We assist the spammers thousands of times a day by being trustworthy. Isn't that exactly why why they find it so easy to commit abuse? We keep being honest and trustworthy with the spammers - we help them. Stop doing things that lead to our being hurt, start doing things that hurt the spammers. It's an easy and logical progression to make.
It's time to destroy the spammers' trust in us. This should have no impact on anything legitimate: it's targeted on the spammers. Those who never go looking for open relays will never be deceived by fakes - it's only the spammers who fall victim to the deceit. Same for open proxies - who goes looking for them other than abusers? Doesn't that seem to be exactly right - harm those who would do harm, don't touch the rest? There are behaviors that only spammers exhibit. Target those, make life miserable for the spammers.
The ASRG methods, all of them, are designed to be the same for everyone - they are targeted on what spammers and non-spammers do in common and then are supposed to make use by the non-spammers impossible. To do that everything will have to be changed. That will take years and it will take nearly full compliance to be effective. It will be like the "secure open relays" campaign of a few years ago. To actually stop spam that had to be universal, or very nearly so. Instead there are still hundreds of thousands of open relays, more pop up every day. How many years for full compliance? Alternately there may have to be a D-day for a total switchover - a source of huge complexity and disruption. Before commiting to that isn't it necessary to make sure there is not something less drastic which will work to end spam?
If instead people opposed to spam change their behavior toward the things spammers and only spammers do then ordinary email can be left as it is - if those behavior changes end spam. Foremost of the behavior changes would be stop ignoring spammer abuse. Spammer abuse is an easy target, an easy path to hitting spammers and completely missing non-spammers. Spammers have two choices: spam direct or spam via abuse. If you knock down spam via abuse then they're left with direct spam. That you can hit adequately using blocklists. ASRG wants to make spam impossible by making every single spam message imposible. That's overkill - it's only necessary to make spam cost more than it returns. That can be done - without a total reengineering of the system.
The big question is: are anti-spammers smart enough to stop spammers by going after the abuse? I say they are, when you include in "anti-spammers" all the people that do not like spam. The alternative position would seem to be that anti-spammers are smart enough to stop spam by changing the entire internet but not by doing anything lesser. I can't agree to that - not unless those limited-intelligence people explain why that is. Isn't there the roots of a paradox in that?