AMTP as an Alternative to SMTP

SamMichaels writes "AMTP was published as an Internet Draft last week. It suggests using a 'Mail Policy Code' during the transaction to identify what kind of mail is being sent (administrative, personal, commercial, etc). Another plus is the use of TLS using x.509 certificates signed by a CA so you know exactly where the mail came from. Sounds like a solid plan...now to get a certificate signed for a decent price is the challenge."

Its a good idea

[blaster]

But in general end to end security models like this have had trouble because it has not been possible to get central signing in a way that can be administrated cheaply enough to allow wide deployment. I fear that this will fester in the same acceptance purgatory as DNSSEC, for roughly the same reasons

Re:Its a good idea

[Ed+Avis]

I'd hardly call it end-to-end. Here we have the mail server poking its nose into what type of mail is being delivered. It would make more sense for the mail system to get out of the way, deliver the messages, and let the users decide what they want to receive. Nobody advocates that IP routers should inspect each packet to see if it contains spam.

However, authenticated connection for mail delivery might not be a bad idea anyway, to stop DoS attacks based on sending millions of messages - even if all those are rejected by the recipient it still clogs the network, and unlike spammers, DoSers aren't trying to make money but just to cause a nuisance.

Apparently the main point of AMTP is to make it harder to spoof addresses. But it's still possible, so I don't think AMTP will change the general rule that no message header is to be trusted. PGP signatures blah blah blah are the only way to make sure a message comes from who it claims to.

Re:Its a good idea

[AftanGustur]

But in general end to end security models like this have had trouble because it has not been possible to get central signing in a way that can be administrated cheaply enough to allow wide deployment.

If the state is serious enough about this problem (and they will, one day) they will manage and issue certificates for whoever wants one.

It shouldn't have to cost more to manage a certificate than it costs to manage a credid card account .. Even less, since once the issuer has issued the certificate, he doesn't have to protect any part of it himself.

Re:Its a good idea

[Omnifarious]

Why is central signing needed at all? That's a complete fallacy. How do you decide that someone is who they say they are in the real world? Do you look at their driver's license or passport? That only happens during the minority of communications in which you actually pay someone, and even then it doesn't happen if you use cash. It cetainly isn't appropriate for every email messge.

Re:Its a good idea

[Omnifarious]

We do present id every time we speak. We normally call it a face or voice.

The 'official' id is the equivalent of certificate signed by a generally accepted authority. And, most people would (rightly) be highly offended if you asked them to present something like that every time you spoke to them, even if it took them no time or effort to present.

but...does it work?

[njet]

So why is this SO different from using TLS ?

Remember that smtp is still used and you have to be backward compatible....

Re:but...does it work?

[bourne]

This solution will only work if it is exclusive of existing practice.

That was their first mistake.

Had they designed this as an SMTP Service Extension so that it could be integrated into existing mail servers, it would stand a chance of eventually being adopted. Sites could accept both, perhaps treating AMTP messages as SPAM-free for filtering purposes, until use was widespread enough to turn away messages that didn't have AMTP verification.

But to make an all-or-nothing stand will just doom the project. Sure, some rare people will want to run AMTP for cred and SMTP for the rest of their mail. Everyone else will wait for sendmail to create a service extension to do the same thing without having to rip out the plumbing.

Should we change HTTP as well?

[acegik]

I truely dont see how this is usefull. It seems like a desperate act against spam. Instead of going after spammers legally and work on a better way to filter junk mail they go for the NUKE? There are also down sides to http/ftp should we change them as well? The answer is no.

Re:Should we change HTTP as well?

[Gunzour]

Yes, this proposal is a drastic move. Quite frankly, I think it's time we start considering drastic solutions to the spam problem. Spam is threatening to collapse our entire email infrastructure. Consider the following:

Some ISPs have long believed that most spam is not about making money but instead is just a massive denial-of-service attack

Recent worms appear to have been designed as a way to send spam through unwitting victims' computers

Spam blocking services are currently combating massive denial of service attacks

Sure, you can track down and go after individual spammers through the legal system, but so far that have proven to be little more than a game of whack-a-mole: knock one down and five more pop up.

AMTP appears to be based on the concept of forcing mail to have accurate headers. To me that seems like a good idea. Unfortunately it does essentially mean replacing the entire email infrastructure. Is it the best solution? I don't know, but it seems to me that it merits serious thought and review.

"What kind of mail is being sent"

As if a spammer's mail will be marked "commercial".

Oh yeah, sure. And I've got this really nice bridge to Brooklyn for sale here, too.

No protection against viruses

Now, viruses browse your contact list and send a message to everyone in the list. If this breaks through, the viruses will browse your contact list, and send a message to everyone in the list using the key, something which Outlook will probably do automatically.

Oh, yes, there is one difference. The CA will get lots of profit for selling certificates.

Security concerns

[fr0z]

From the Draft:

This specification addresses the issue of Unsolicited Bulk Email (UBE) by providing coded tokens to identify mailing handling policies. It is possible for a sender to use a trusted MTA to transmit false tokens and thereby subvert an MTA's policies.

So it would be interesting if implemented with legislation rather than without; that way there is a serious disincentive for spammers who manage to subvert the policy.

Re:Security concerns

[Steve+Cox]

> So it would be interesting if implemented with
> legislation rather than without; that way there
> is a serious disincentive for spammers who manage
> to subvert the policy.

Thats right. Spammers in Asia will feel compelled to comply with US laws.

Re:Why should we pay CA?

A new 4 point plan for SPAM:

1. Hijack domain
2. Get CA to issue cert
3. Spam (or ?????)
4. Profit???

People who routinely hijack entire netblocks to send SPAM are not going to be bothered by providing fraudulent credentials to a CA.

Re:What will stop the spammers

[StrawberryFrog]

What about a spammer puting a false "Personal" bit instead of "commercial" in the protocal to get through?

Let them. Advertising gadgets is not illegal. Lying in order to do so is.

how about charging for mail?

[zarniwhoop]

although i have not researched this idea in much depth, it seems to me that charging fractions of pennies for each outgoing email would go a long way to eliminate spam.
I would envisage building an MTA infrastructure around a PKI that works like the clearing banks. e.g I 'pay' to send you an email, you 'receive' the 'money'. You do the same for sending your email. At the end all the servers 'settle' up. Since spammers send so much more then receive they loose $$$$ and go out of business.

So...

...I can't run an AMTP server off my DSL unless I pay for a CA? Sounds to me like the IETF are trying to lock the widest used method of internet communication into a more 'corporate' structure. I thought we learned our lesson with telco?

Nice Idea

[Goo.cc]

but anonymous communication via e-mail is probably dead with this idea. I wonder if the price is too high.

Too much work for too little gain

[amcguinn]

Using TLS has a benefit in cutting down forgery and making spammers easier to trace, but asking all mail system administrators to set up X.509 certs is a huge amount of work for that small gain. (eg. I'm sending an email to 10 of my friends to ask for sponsorship for a sponsored bungee jump -- how do I tell my ISP's mail server to use entity "ngo" instead of "per", and what are the chances I haven't a clue I'm supposed to do this?)

The Mail Policy Code is a waste of time. Spammers will lie, and a huge proportion of everyone else will get it wrong through carelessness. It's chief benefit would be to help legitimate bulk commercial email (which is difficult to allow through content-based filtering), but I think the future of that kind of communication is in "pull" protocols where the subscriber rather than the publisher controls the subscription. (I outlined a couple of ideas in an earlier comment).

Email will be...

Email is now Dead for public general use, good for corps, bad for people, Pay for a Cert, nope.

You are going to see SMTP run side by side with AMTP, its not going away, if it does, ur going to see IM take over for public comms. (Its already doing that).

Re:Why should we pay CA?

[mabinogi]

The thing you're paying for, is trust.....

Anyone could create their own certificates, but without a mutual trusted third party signing it, how do I know it's real?

CAs are a fairly practical substitute for the Web of Trust concept used in things like PGP...

That said...it still feels wrong to have to pay someone for essentially nothing....
and you still have the problem that the certificate doesn't really prove who you are, only that a CA accepted money to vouch for your identity.

What about bankruptcies?

[taliver]

I'm company A.com, and I buy a certificate (or get one for free from some free-sign authority). I use it completely legitamately. Only for receipts to paying customers, and to deliver "timely updates" for their software or whatever.

Now I fall on hard times. And go broke.

In the liquidation proceedings, a spammer swoops down and buys my certificate. It's a valued commodity to him, and the courts, I don't believe, are not going to care about the nefarious purposes he may have in mind.

But now lots of people are getting spam in my name.

So, would the CA have the power to "ungrant" the certificate, and therefore also be able to hold thousands of companies hostage. (Imagine starting as a 'free' service, and then suddenly 'changing your policy'.)

Or will the clients at the end have to say that certain CA's aren't valid. If so, how is this different form white-list/black-list.

Now, anything that tries to fight spam I am for. However, I believe the number one thing needed is accountability. If someone sends me mail, I need to be able to reach out and touch them, with a phone number or anything else I feel like. And the latest round of email viruses wouldn't work if I couldn't fake the address it was being sent from.

Re:No more anonymous emails?

[ColdGrits]

"What happened to the freedom of speech? "

Absolutely nothing.

You still have exactly the same freedom of speech as you did before.

Who is suddenly removing your right to say things? Nobody.

creating and enforcing more strict SMTP helps too

[HTD]

If mailservers had valid reverse-DNS entries and would send their real name with HELO at the start of SMTP communication a lot of spammers were not able to spread their stuff.

If i enable checking of HELO domains almost all spam is gone, but also a huge number of valid email servers too (sourceforge.net for example) simply because they are setup incorrectly when it comes to HELO and DNS stuff. If DNS and HELO commands were setup correctly (and are checked at the servers) then spammers cannot stay anonymous like now, because they have to use their real domain-name (registered to somebody) have to setup valid reverse lookups (IP adresses normally belong to the ISP - so the ISP has knowledge of who requested which reverse domainname). Now i can log who sends me spam and can identify the person behind it, or blacklist the server. The problem is that correct HELO is not a must in current smtp rfc and people don't give a shit about correct dns setups.

Being more strict on SMTP will not stop spam, but it will make it harder for spammers to stay anonymous and operative (blacklist-servers) plus there's no need to pay a CA to issue SSL certs for all my domains.

Won't work

[Fefe]

First of all, the CA has a business interest in selling as many certificates as possible, so it does not make sense to assume it will exert due diligence to find out whether someone is a spammer.

Second of all, spammers won't go to the CA and make it obvious they are spammers. They will pose as flower delivery agents with a brand new name, and the CA will give them a certificate and that's it. Then the spammer will start spamming, someone will complain to the CA, and they will issue a revocation certificate. In case you don't know TLS very well: revocation certificates do not scale AT ALL, it basically means that the AMTP server needs to have all on disk or we need a protocol to get them (possibly LDAP?). Since spammers will be using throw away identities just like they do now, I am seeing millions of revoked certificates.

So the only thing this approach does is create an artificial bottleneck at the CA, because they will be responsible for revoking the spamming "rights". Spammers will still spam and then in response be denied access, just like now, so even if this CA stuff works perfectly, and we have a high performance revocation certificate request protocol (which by the way entails enormous bandwidth cost for the CA, if all the mail servers in the world send a query for each incoming email, think about it!), we will still have exactly the same amount of spam we have now, because spammers will still spam first and be denied access later.

The next question is: what do we do about non-responsive CAs? Let's say Verisign gets in the email CA business, and they basically run the same fully automated CA business they do now, and they get bribed by the spammers just like ISPs get bribed by them now, and they don't revoke the certificate of a spammer, what are you going to do? Not accept any mail from anyone signed by Verisign ever again? That is basically your only option, and it is even worse than the collateral damage we have these days, when "only" one IP is barred (not counting SPEWS). If you think bribing Verisign is unlikely, consider the stakes! If you successfully bribe Verisign as spammer, you basically have permission to spam everyone, all over the world, and nobody can do anything about it except what we do now, unsuccessfully, i.e. block single IPs. And the spammers are still in business, so it's not enough.

So all in all, I think this is a spectacularly bad idea that will not work on ANY level. The up side is that it may finally bring encrypted email to everyone.

PGP is a better model

[DrXym]

I don't understand why OpenPGP is not being adopted here.

Individuals don't really give a damn about getting CA signature, since if you read the small print for 'personal certs' you'll see the trust bestowed by the signature is worthless anyway. So after a lot of screwing around, you end up with a cert which if you're lucky is free but otherwise costs $10, that carries no trust and expires in a year or six months anyway. Whoopee. That's even assuming you have enough of a clue to figure out how to get a cert in the first place.

OpenPGP is the perfect solution here since people can whip up a key in no time, for free and it effectively implies the same level of trustworthiness as the one from the CA which is to say none whatsoever. Over time however they can build more trust into the key by getting their friends and associates to sign it.

Now for businesses, PGP is fine too. There is nothing to stop a CA signing a PGP key, so if a company wants to buy real trust for their key, it is there to be had in the same way as you get from PKI.

Which begs the question why anyone bothers with PKI at all, or why OpenPGP is not being integrated into the x.509 standard. As it stands no email software integrates PKI seamlessly, it's too complicated, it's too slow (it uses RSA for the entire message unlike PGP), it's too hard to get a key and it offers no more trust that PGP.

It seems to be somewhat of a lame duck really.

Re:PGP is a better model

[azaris]

I don't understand why OpenPGP is not being adopted here.

Why? Because McAfee killed PGP. Something the US DOJ never managed to do.

PGP was a nice idea when it came but then S/MIME became the proposed standard, Microsoft adopted it and McAfee killed the commercial PGP implementation which meant that everybody went to using S/MIME with Outlook. Well not everybody obviously but enough people to make commercial PGP use unviable.

Bunch of *ix hobbyists sending PGP signed mails to each other was not enough to create an Internet-wide standard. Now we're forever stuck with VeriThawte and their greedy two-bit certification schemes that get pasted on just about every new Internet security proposal.

Re:Technical solution to a social problem

[Gunzour]

As long as there's money in spam, there will be spam.

What if, as some people believe, the spammers aren't in it for the money? What if they are just sending spam as a DoS attack?

I get lots of spam that has no business purpose. "Get out of debt now," "Add length to your member," "Herbal Viagra." I challenge you to actually buy the product or service these emails are supposedly advertising. In many cases, it's simply not possible. They are not actually selling anything; they are just being a nuisance.

First of all, we need good, sound anti-spam laws.

I get lots of other spam that is pure fraud. "Hotmail needs your credit card info to prove you are not a spammer. Just enter your credit card number and click submit" or "Help me launder $20 million from Nigeria. Just give me you bank account number and I'll wire it over." These are already illegal. We don't need new laws for these; we need enforcement of existing laws.

There are always already laws in many jurisdictions outlawing emails with forged headers. Yet such emails proliferate. Again, new laws are not the answer, enforcement of existing laws is needed.

Besides, why do *I* have to jump through hoops to get rid of something I never asked for in the first place?

Because we live in a society that is not utopia. As nice as it would be to live in a world where everybody is good and nobody behaves unethically, such a world does not exist. It is every individual's responsibility to take action to protect or defend themselves. When we sit back an accept something such as massive spamming, we are implicitly saying that the status quo is okay with us.

The certificates are for servers, not individuals

[Gunzour]

Lots of posters in this thread seem to be assuming this proposal is to force everyone to buy a cert to be able to send mail. The spec requires mail servers, not individuals, to have certs. Therefore, your ISP would have a cert to say "yes I really am someisp.com" when sending your mail.

Re:What will stop the spammers

[Richard_at_work]

The majority of spammers already stoop to lying in their FROM: header lines, so i doubt that setting a "personal" bit will keep them awake at night.

Re:Good start

[orv]

Yeah, good point... in a rational world, although, I suspect:-

a) my local constabulary in Surrey is going to be totally disinterested in the actions of a florida spammer.

b) so is my local MP. I have enough problems getting him to tackle very local issues.

c) the Florida DA (or whatever would be appropriate) is likely to be disintersted in the plight of some limey recieving spam from one of their tax paying, voting citizens.

Unfortunately I think in these situations the only people likely to get anywhere are the weasels , sorry, lawyers.

Re:Yes, but

[Directrix1]

No all you do is block any Server with a fingerprint that has been shown to be the originator of spam, because that means that they are not authenticating its users, or that they are purposefully spreading spam.

Re:Why should we pay CA?

[eer]

"Just because some random signing-whore ... The CA will sign *any* key for a price"

Speak for yourself. But your point drives home an issue that PGP handles well - webs of trust are more easily grown, though less able to bear liability, than top-down hierarchies. The real question is how do you write an algorithm that allows new folks to send you mail without allowing EVERYONE (including spammers) to send mail. Authentication helps, but it doesn't address the trust issue.

Remember the "old days" when email was mysterious, and the only way some folks could send you mail was if you could send them one first that they could reply to?

Re:The certificates are for servers, not individua

[warpSpeed]

Therefore, your ISP would have a cert to say "yes I really am someisp.com" when sending your mail.

Well I am my own small ISP and I move about 10,000 emails a day for me any my clients (much of which is spam). _I_ would still have to pay an outragious sum for a cert...

What I would like to see is a Mail server with some memory of its history with other mail servers. Histogram of SMTP transations, by IP, sender id and domain, and recipient id and doamin. If you are getting hundreds of spams from an IP address, it would be nice to tar pit/block the SOB with a simple interface into the system, with automatic expiry times. It is the automatic expiry times that are key. If you do not have that it makes going back and cleaning up the future collateral dammage/innocent victims impossible to manage.

The SPAM problem would be significantly reduced if there were software to easly manage incoming mail using statistics by a human. The automates systems are ok, up to a point.

I would write something myslef, but I'm too busy combating the problem to have time. *sigh*...

Re:It helps against faked "from"

[valdis]

Close..

The actual requirement is "The MSA knows who the sender is, and provides an audit trail".

There's no reason for the MSA that I use to know all my E-mail addresses. In fact, once it's authenticated me, there's no real reason for it to even look at the RFC822 From: header, because it knows who I am, it's logged who I am, and if I try anything funny, the MSA admin will know where to find me and beat the snot out of me.

The *real* problem with this proposal is that there's the underlying assumption that a CA can't go rogue because it will hurt business. There's only one problem with that:

There's several *large* providers that are spammer-friendly, and aren't being blocked by the rest of the world mostly because they also have enough *legitimate* customers that it's not feasible to block them.

If you're an ISP, you can't block another ISP because they're a spam haven if the other ISP also happens to be the home of CNN, or Amazon, or (fill in the blank).

Similarly, you can say "We'll just piss on any CA that goes rogue". It's a lot harder to actually DO if you suddenly discover that the same rogue CA also signed the cert for AOL....

Re:Why a central cert?

hm... so how is this supposed to stop any spammer? Of course this would authenticate the server, but couldnt some future spam trojan simply generate those keys?

Re:The certificates are for servers, not individua

Maybe you are looking for greylists?

Breakdowns

[Todd+Knarr]

1. The obvious one: if we can't trust spammers not to forge sender addresses and such in SMTP, why should we suddenly trust them to supply correct policy codes in AMTP?
2. What do you do about individuals getting certificates? There's an increasing number of people who run their own MTA as part of a client setup, bypassing their ISP's mail servers to deliver personal mail directly to the recipient's mail system. This produces the need for an efficient, cheap way of handling a large number of certificates.
3. Who do you trust to give out the certificates? You have to trust the CAs to never provide havens to spammers by giving them certificates on demand with slightly different names, for example. Is there any authority we can trust to do this?
4. In section 4.1 of the RFC, what do you do about mail servers that legitimately have more than one name but only one PTR record? Basically, mail servers that server more than one domain. It'd be reasonable for them to announce themselves as being the domain of the mail they're currently sending, but that would cause the certificate security check to fail. You'd have to require that the server uses only it's primary name in the EHLO line, which may be a problem in some cases.

Re:DRIP is a better option, IMHO

[hey]

Thanks for the pointer. DRIP (Designated Relays Inquiry Protocol) sounds pretty good.

Abstract The Designated Relays Inquiry Protocol, DRIP, is a method for domain name owners to specify the IP addresses that are authorized to relay mail as a domain name. The protocol provides a method for server MTAs to reject SMTP connections from IP addresses not authorized to use a domain name.

I like this because it remains decentralized and is optional.

Rule #1

[taustin]

suggests using a 'Mail Policy Code' during the transaction to identify what kind of mail is being sent (administrative, personal, commercial, etc).

And we all know that spammers never lie!

Unless there is an enforcement mechanisms that involves cattle prods, this is a joke.

price certificates high, not low

[firewood]

Sounds like a solid plan...now to get a certificate signed for a decent price is the challenge."

A major problem with the current system is that domain names and (misused, temporary or stolen) IP address are nearly free. Thus spammers can collect zillions, and the blacklists become unstable (where collateral damage effects some people worse than the spam). The way to avoid this with mail transport certificates is to make them costly enough that spammers can't collect them by the busload, and that also cost enough to pay for determining that the applicant is a real person with a verified contact address (where, say, papers could get served for forgery and violating UCE laws, etc.).

People (and spammers) who can't afford an account on a server with a proper certificate can still use SMTP. But, unless I'm a police/medical/whistleblowers tipline, or have family in Nigeria, I don't have to accept such email.

My own idea for authentication

[Shdwdrgn]

Maybe this has been suggested before, maybe not. How about a key that is only known to the MTA? Any legitimate email sent out will have a header added which includes the hash for the key and the actual email. This hash is added to a list of submitted messages with an expiration time. Once the email is sent out, the receiving end takes that hash, and submits it to the MTA which supposedly originated the message, to be verified or rejected. If a hash is verified the originating MTA will take it off its list.

This should be a simple process which has at least two major uses... First, email viruses which are bypassing the legitimate domain MTA will not have a valid hash in the header. Second, any email where the origination is forged will also not contain a valid hash.

The list of sent hashes that the MTA maintains could further be enhanced by including the hash of the destination address where the email was sent to.

In essence, a header would be added to each outgoing mail as such:
X-Authenticate:

With an ever-changing table of valid hashes, it would be nearly impossible for someone to forge a legitimate hash. Even on the off-change that a hash WAS forged, a spammer would only be able to send a single message with that hash, then the MTA would expire it.

Of course there are some cons against this plan as well... There would be a small increase in traffic required to send a single email (negligable, maybe a few hundred bytes at most). Each MTA would have to reserve space for a hash table, the size of which would be based on the number of unreceived messages at any given moment, and how fast hashes were expired from the table (do you give up on sending a message after 5 minutes or 5 days).

The best thing about this method is that it provides a means of authenticating the sender of a message which is backwards-compatible with existing MTA's.