AMTP as an Alternative to SMTP

SamMichaels writes "AMTP was published as an Internet Draft last week. It suggests using a 'Mail Policy Code' during the transaction to identify what kind of mail is being sent (administrative, personal, commercial, etc). Another plus is the use of TLS using x.509 certificates signed by a CA so you know exactly where the mail came from. Sounds like a solid plan...now to get a certificate signed for a decent price is the challenge."

Why should we pay CA?

[oolon]

WHy should everyone pay CA for the certificates, we already pay for the domain name if they want to require certificates, then you should get one for your domain free with the domain! Ah I hear you say its so CA can vet people. No thats not the case, anyone can get a certificate for a domain they own all this does is make sure you know where the mail came from (not a bad thing) and impose a CA tax on all domains.

James

Re:Why should we pay CA?

[Eric+Savage]

Actually that is the case. Spammers aren't going to be able to fake hotmail and yahoo addresses anymore, and they will have to pay $$ for each domain they get, which will probably last a day or two before its blacklisted, and makes tracking them down easier (if CAs are at all cooperative and/or proactive).

Re:Why should we pay CA?

[hattig]

Domains and Certificates aren't the same thing.

You might want certificates for a certain email address or subdomain of the domain name.

The best you might get is a certificate parented off of the registrar's own certificate and the ability for the administrator of the domain name to create more certificates off of that certificate. I don't see companies wanting to give up such a lucrative product however so easily, and I don't see that being free when you pay sweet FA for domain names these days.

And whilst the cost of certificates is ridiculously high for what you get, the details are checked to a reasonable extent, at least with the more mainstream certificate authorities.

Of course, certificates can be used as another means of validating your email. The mail client could have a rule such as "Move all untrusted e-mail into folder 'Not Verified'", and it will have things like "Reject all e-mail authorised via SpammerCA"...

What will stop the spammers

[Billly+Gates]

Can these certificats be over written ? What about a spammer puting a false "Personal" bit instead of "commercial" in the protocal to get through? If part of the CA key is in the message can it be extracted and used again. For example could a spammer get the key out of IBM and pretend the message came from IBM? I know the CA has the other key to verify it but it would have to do it per message. Both keys could easily be extracted or the spammer could fool the CA to thinking that its message really is from IBM and could gain a key from them. If its a different key per message it would surely help but that seems unlikely since billions of emails are sent daily.

Also spammers could just register themselves and keep spamming. They could just use a different ISP every 48 hours so in this way could never be stopped. A new address for every spam could be used. They could identify themselves as a home user so email filtering software will let it through. After that spammer is banned he/she will have another address and use that.

Re:What will stop the spammers

[Eric+Savage]

Your point about a huge company like IBM putting all it's eggs in one basket is very valid. The notable difference between this and an SSL certificate is that email is a push, while web is a pull.

Switching ISPs isn't really a problem. The vast majority of spam isn't sent through an ISPs mail server, they almost all have stringent controls in place. Its the people that set up DSL/Cable/Colo mail servers that generate most of the spam, and this would force them to buy a new certificate every day or two, which pretty much blows the budgets of alot of spammers. If someone went ahead and got a whole bunch of certificates, there would hopefully be a much better paper trail for litigation, and the veil of forgery and anonyminity would be greatly weakened.

I can see this becoming a "preferred" transport method. So when you send your mail, if your server uses it, it will see if the destination server uses it, and if not, will revert to SMTP. Once it reached a critical mass (through the help of MSFT, sendmail, postfix, etc all adopting it) it would be a pretty effective way to flag messages as spam (or not).

Certificates

[h0tblack]

Certification costs don't seem to be a problem to me. After reading the rfc it seems that self-signed certificates are fine:

A system operator MAY establish different criteria for use over a private network. For example, an ISP may provide self-signed certificates for use by its customers from dynamically-allocated address space. The ISP system operator must use its own precautions to ensure that those self-signed certificates are considered valid only when presented from connections under its control.

Using self-certification a web of trust can be built up, if this is abused, then whichever server is casuing the problems can easily be removed as a trusted server from associated agents. Sure, the system isn't perfect, but it appears to provide a nice balance of compatibility and authentication without adversely effecting a users e-mail experience.

Re:Certificates

[linuxtelephony]

That's fine for the ISP and the ISP's customers. What is not clear is upstream.

This entry sounds more like the ISP can issue self-signed certs to its customers for them to connect to its mail server.

What is not clear is if the ISP will have to have a different, paid for, signed cert to communicate with anybody on connections NOT under its control.

I am all for improving mail, but look at what happened with signed certs on http. I do not want to see something like that start again. Not unless there is an "open" period where anyone can submit their own CA key to be included free of charge and have them recognized automatically by mail servers after X date. And this "open" period would need to be widely publicised. If not, then we end up right back with just a few companies offering certs for outrageous prices and little to no competition.

One more thing, you can sure bet that as soon as something like this is created, big players are going to figure out how to charge the world for delivering mail. It will be represented to their customers as a way of controlling and preventing spam and viruses, perhaps even called secure mail or something like that. Imagine if AOL or MSN/Hotmail required an MTA license, with a fee, in order to deliver mail from your server. No big deal you say, if enough people are inconvenienced they'll leave. Sure they will, but not enough to make any difference, after all they have "secure mail" now. Of course, the AMTP with required certs signed by a CA just makes all this easier to implement and track, technically I guess the same model could be attempted with SMTP.

It would almost seem better if they could use a model more like SSH. Here's my idea, feel free to dissect it and tell me where I left huge gaping holes (point of view is from your server):

1. Remote MTA attempts to deliver mail to local MTA. Remote MTA is unknown. A key exchange similar to SSH is performed - primary difference is the local MTA gets the key from the remote MTA (instead of the remote SSH client getting key and remote user accepting it) and sends it to the postmaster.
2. The remote MTA queues the message for X hours/days/weeks/whatever and retry at appropriate intervals.
3. Postmaster gets mail alerting of new MTA wishing to connect, including details about the remote end. Postmaster would reply to local MTA with confirmation to accept mail from remote MTA. [This could be automated any number of ways, i.e. automatically accept key from MTAs that correctly resolve forward and reverse lookups and that are not on a black list (host or IP based). This would mean only those that failed the forward/reverse test would be sent for manual review. Other rules could be created as well.]
4. If postmaster replies to deny the request, or if the local MTA expires the request after a period of time, and the remote MTA reconnects and gets a denied message, then the remote MTA would immediately bounce the message.

This is just a rough idea. I am pretty sure the proposal for AMTP is meant to force a bit of control to a third party for authentication purposes to prevent abuse of mail like we have now. However, I don't like being forced to give up that control to be compliant with the AMTP approach.

The idea I propose, while still allowing each to create their own identity, still gives the Admin of the local MTA the full control to determine what/how/who/etc. In addition, the remote ends could in theory remain anonymous.

Of course, both methods fail to address hosts that act as relays. If a relaying host has a CA, then it can be used as a relay. Similarly, my idea, if an lax system allows mail from anyone, and acts as a relay, it has the potential to cause problems. With my idea, the local MTA can just bar the remote MTA from his system once he realizes it is an open relay.

Good start

[orv]

A good idea to start with...
However, after having spent the weekend tracking and blocking a flood of SoBig viruses from a couple of large canadian ISP's which has focused my thinking this morning, I think this type of system will again simply cause the spammers to look for alternate delivery systems, i.e. as more ISPs take a tougher line against spam, more and more spammers will start to take extreme measures to propagate their product.

So cable modem users with big bandwidth and vulnerable machines will be used to send the spam. The spammer uses a worm to find vulnerable machines and piggybacks the users connection and sends the spam, it still goes through the ISP's mail server and so will get validated and delivered.

Also, unless I missed something (possible) even though the recipient can specify what type of email he will accept, there's nothing to stop the sender simply specifying whatever they feel like.

An amusing aside, I sent a warning to one of the ISP's (sprint.ca) that was the source of the viruses on friday warning them of their problem, the flood (one every 30 seconds) was still going on during sunday, so I sent the same warning but copied in their 'corporate customer email' and 'noc@' email contact addresses, believe it or not I got a response within an hour telling me that they didn't appreciate me "SPAM"ing their email addresses and I should just email "abuse@"! Oh and the virus flood is still going on. Ho hum.

Open to abuse

[Twylite]

This draft fails to provide any significant advance over SMTP. The use of TLS and authentication between MTAs merely provides a mechanism to identify policy violators. It does not (as the draft recognises) prevent fraud against a CA, it does not address the problem of distributing certificate revocations, it opens the door to a new era of DoS attacks against CA services (which will likely be far less robust than the DNS system), increases the barrier to entry for the ISP market (with costs being passed on to consumers, of course), and the opportunity for politically based service interrupts (like we already see with SPAM black lists) is just plain scary.

Further to the last point: ISPs are generally forced to react to SPAM rather than be proactive (it is generally impossible for an ISP to distinguish between UBE and opt-in lists). This means that spammers will always be one step ahead, and any network with enough bullying power can summarily demand the revocation of another ISP's certificate for policy violations. An entirely new class of disputes will arise, making SPAM black listing arguments seem tame.

The additional responsibilities this draft places on end users is also unacceptable. You will have to remember to flag your message "commercial" or "personal" and whether the distribution is "individual" or "customer". And of course is someone complains about the classification you could end up having your service terminates, so that the ISP can prove it took appropriate action against the "abuse".

We have to accept that it is a fact that we cannot get away from SPAM. The postal and Internet mail systems rely on the opportunity to send a message to any recipient. Implementing a client side PKI-based whitelist for mail would be trivial (and many people do this), but destructive to the communication medium. The object is not to get away from SPAM, but to ensure that we, as recipients, do not bear the cost of SPAM.

Any system that filters messages at your mailbox, or your ISP's server, costs you money. Your bandwidth and your ISP's bandwidth are wasted. AMTP may reduce this, but adds other hidden costs like a certified key and probably the ongoing maintenance of good relations with many peer MTAs to avoid accusations of abuse.

Anyone interested in alternatives to the SMTP system should take a look at D. J. Bernstein's Internet Mail 2000 ideas; in brief, the sender holds the message in his/her mailbox and make his/her bandwidth available to allow the mail to be downloaded by the recipient (who can obviously choose not to download it).

Re:Open to abuse

[fyonn]

hello twy

I agree with some of your points, I'm not sure that this is the way forward, spam is an evil perhaps but I've not seen a proposed solution to deal with it that I am happy with. I certainly get my fair share of spam which I tag at the server and filter into a special spam folder in my imap mailstore. this is the best solution I've come up with so far for myself and it works pretty well.

the big problem I have with most of the proposed solutions is that it destroys the open and free ethos of the internet, the ability to send email to anhyone, perhaps anonymously is a good thing I think, sure it's abused and there is a certain amount of locking down that we all do, not being an open relay or using dns blacklists for example, but in general we accept mail from anyone using well defined standard allowing the interconnection of any mua/mta/OS to any other.

I don't like segmenting the net into distinct chunks that cannot communicate, ie smtp vs amtp vs internet mail 2000 etc. it's like the IM networks which, imho, really ought to be able to all intercommunicate but can't.

yes, spam is an abuse of the system, but I find most of the cures worse than the disease. maybe my spam problem isn't as bad as some (around 30-40 emails a day reach my spam box and a small few a week make it to my inbox) and while I'd like to get less spam, I'd rather peer through my spam folder once every day/few days to scan for false positives, than have a good chunk of the net completely unable to talk to me should they want/have a need to.

im2k is an interesting idea but it's not short of problems itself. I want my emails to be waiting for me in my local mailbox, not have to chweck my mail, click allow on 18 mails, deny on 32 and then "download" and wait for the 3 meg avi attachment from a friend on dialup (and would he have to be online at the time? or would we have im2k smarthosts?).

also the idea of "pay per email" systems I disagree with too, maybe I'm a tight git, but why should I pay to send email, I've already paid for my bandwidth to (mostly) freely access the net and hosts on it, and what about mailing lists I run a few low bandwidth mailling lists which would mean that other people (the ppl on my lists) would be costing me (the list owner and mailserver admin) money.

while I like the idea of more of our email being encrypted (my server supports tls, with my own self signed cert) I certainly don't want to restrict my incoming email to only those that come in one TLS links, a) hardly anyone uses it, more the pity and b) I get spam via tls too. I don't really feel like going out and buying a proper cert and this stuff isn't a commercial venture, it's for me and some friends.

the other thing is that just because I don't like spam, doesn;t mean that others don't actively want it. it's the same reason that I disgree with those who say that ISP's ought to firewall ports 135-139 etc to stop ppl using windows networking over the internet, after all, it's only supposed to be a lan only protocol. well, perhaps it is, but that doesn't stop some people wanting to share a directory over the net, and why shouldn't they, if it hurts no-one else?

I don't like disrupting the supposedly free end to end connectivity that we supposedly have.

dave

PS. okay, okay, so I was rambling there :)

Re:Open to abuse

[NearlyHeadless]

You need to do some reading on spam economics. Traditional postal spam is economical to advertisers, despite the cost of snail mail (even given bulk discounts). The costs run into a lot more than a couple of hundred dollars per "run" of mails.

I have read on the economics of spam. Given the real response rate, it would not be economical for spammers to spend an extra hundred dollars a day. Note that if the certificate authority is acting properly, not only will that particular certificate be revoked, but the information used to purchase the certifcate can be used to revoke any other certificates of the spammer, plus track them down for legal action.

In my particular proposal for TLS-based email (not the AMTP proposoal), I stress that it is important for CAs to not only try to verify identity, but to try to verify to a unique identity. In the U.S., that would be something like a Social Security Number (or taxpayer id for business). I don't know how feasible this is in the third world.

Your estimation of the significance of the cost of a certificate is based on US economics. It doesn't take into account the cost relative to income of $200 to an ISP in countries with lower per capita incomes and weak currency. It also doesn't consider the prejudice to small ISPs in poorly serviced regions.

There are certificate authorities in third-world countries. Presumably they charge appropriately for their own country. There are several things to note:

1. I think you are underestimating how much third-world ISPs have to pay for hardware and bandwidth charges. These charges are still likely to be much more than the cost of a certificate
2. Strong identity and inconvenience can be substituted for cost in issue certificates. If you have to present a government-issued photo ID in person, that will help prevent spammers from obtaining excessive numbers of certificates
3. It is not necessary for each mail server to have its own certificate. Mail servers can forward to a shared host. It would be relatively simple for someone in the U.S. to set up an AMTP server. It would accept authenticated SMTP connections from those who are too small or cheap to want to pay for their own certificate. The AMTP provider would count the number of mails sent by each account to make sure that it is not excessive.

   There are already SMTP providers that do this for less than $100 per year. If that is cheaper for someone than running their own server, they should do that.

Re:Should we change HTTP as well?

[Rhinobird]

There are also down sides to http/ftp should we change them as well? The answer is no.

Actually, the answer IS yes. Or, maybe you would like to go back to using gopher?

If we change to a different email protocol we can still use the old protocol alongside of the new, and when the new protocol is widely accepted and in use, just shut down the old mail service.

Re:Should we change HTTP as well?

[ColdGrits]

"There are also down sides to http/ftp should we change them as well? The answer is no."

Erm, actually, the HTTP spec HAS been changed in the past to overcome deficiencies in the original.

HTTP/1.0
HTTP/1.1
HTTPS

I think the answer you were actually looking for was "yes".

This won't stop spam, but what will?

[Cooper_007]

All this does is prevent people from using their own mailserver to send mail directly to the user. It may provide a clearer path back to the original sender, but you already have that with plain ol' SMTP, and it's not exactly proving effective in stopping, or better yet, PREVENTING spam.

The best way to deal with spam is to educate the masses so that spammers get less and less ROI and eventually go belly-up. Problem is, this will probably *NEVER* happen. There are just too many suckers out there waiting to be taken advantage of.
Laws won't help. If you're lucky enough to catch a spammer in a state/country with strict laws on spam, they'll just get some small fine. If spammers can affort their own mansions from their work, the fine won't really work, and I fear the possibility for abuse with yet more laws is significant.

So what remains? Short of ritually butchering spammers, which I think is still illegal in some places, I don't see any viable options.

Free Certificate

The International Postal Union and the national postal authorities of all the countries of the world should provide free certificates for their citizens. Its a basic authentication document like a passport that should not be left to private concerns for security reasons. Private corporations could be charged some kind of nominal user fee (*really* nominal). I know we don't usually go for government programs but I've never heard anyone suggest that Verisign should be allowed to raise an army, mint coins or issue passports. I think I heard awhile back that the Canadian government is issuing certificates to all its citizens so they can access their confidential government info online. Of course the benefits would be lost if the U.S., for example, subcontracted to Verisign to do the work. That would just be another taxpayer rip-off by a big political contributor. If U.S.P.S. couldn't do the job with internal resources maybe we should find some new people to run it.

Re:Its a good idea

[dnoyeb]

The mail server can not get out of the way. Remember, the end users are annoyed at the SPAM, but the ISPs have to pay for all the traffic. The ISPs will jump at the opportunity to eliminate the SAPM traffic. End user is to late for that.

There are also other alternatives alternative?

[cluge]

As I recall djb had an alternative to SMTP called Internet mail 2000. The interesting thing about that was that the e-mail wasn't stored on the ISP's spool, but the senders spool until requested by the person whom the message was delivered to. It's an interesting concept. I think the combination of AMTP and internet mail 2000 would a good idea. The biggest advantage of this 2 pronged attack would be that the amount of cost shifting that occurs with spam would be greatly reduced and identification of the spammer is easier.

AMTP is a good idea but like any good idea there are a few caveats -

1. SMTP is simple and requires little overhead - that is gone with the X.509 certs and TLS

2. One may setup a web-server or mail-server at a moments notice to deal with traffic or get a project finished pronto. With AMTP that machine will have to get an x.509 cert to be able to send mail (and have it accepted) - thus increasing the amount of time and money that it takes to get these services in place. (Site wide certs would sacrifice the ablity to truly identify an offending machine)

3. There is nothing to stop a spammer from getting thousands of certificates and burning through them as they spam. Many spammers already right off dial up accounts, DSL, T1s and other form of access on an almost daily basis. This will simply be a another small expense that must be endured to send out an advertisement to "21 million confirmed opt in customers".

4. This won't stop spammers from hijacking others valid certs, such as on webservers running formmail.pl or mail servers that allow relaying or proxying through them.

The saddest part of this proposal is that eventually the "altruistic" protocol SMTP will die. Don't get me wrong, SMTP has a lot of flaws, but if you think of it in a more philisophical sense, it's a little sad. The Internet was based on the free exchange of ideas - and more importantly traffic. The spammers have forced us to censor ourselves, reduce or try to eliminate anonomity and move away from the "I trust you" model to the "your bad unless I can prove otherwise" model. The death of an egalitarian idea, that anyone could send e-mail. One more victim of spammers.

In the end if you want to stop UCE you will have to take the costs of such a business out of the cyber world and put them into the real world. This is a step in that direction.

cluge

Re:Yes, but

[Eunuchswear]

does it involve the Evil Bit ?

Why not read the RFC?

The whole point is that it DOES involve the Evil Bit, aka com/optout, but that it includes a mechanism for detecting people who don't set the Evil Bit when they should have.

The only problem is that you have to trust the CA's to revoke certificates from people who misuse the system. Trust Verisign? Hah!.

Re:Its a good idea

[Eunuchswear]

it has not been possible to get central signing in a way that can be administrated cheaply enough

What, you find 370 EUR/year too expensive. Funny, so do I.

Why does slashdot not let me put &EUR;?

Re:Its a good idea

[arivanov]

Sorry. Not a good idea:

1. Security does not go any further then the TLS extension to ESMTP. If you force TLS in ESMTP you get the same result.

2. There is a plethora of "codes" for SPAM which will be abused the same as now and will require regulation.

3. It suffers from the same problem of SMTP as it is hop per hop, not end-to-end.

4. It breaks country laws in many countries which are still being anal-retentive on encryption.

Instead of this horrid garbage all that is needed is the following simple fix/extension to SMTP:

1. Messages should be signed by every gateway on the way with the sertificate of the gateway. The sig should be inserted as a "Received-signature:" header which covers the mail and the lines of the header that exist so far under it. Thus even if you do not have a cert for the end-user, but trust the relay you may decide to accept the mail and optionally add the user to your cert trust tree.

2. Gateways should no longer modify any headers prior to the ones they add (some do - see spamassassin for example).

Re:Should we change HTTP as well?

[shokk]

I begin to wonder who would have an interest in bringing down an infrastructure like email. Maybe not terrorists, but another crop of anarchists. Still, it is almost ridiculous that we put such an economic importance on something so unsecure. Everything else has to be locked down by all sorts of wrappers and authentication, but this we find acceptable. Time to lock the doors before all the horses get out.

Re:Yes, but

[Brushfireb]

Right, but you cant just block *@comcast.net or *@aol.com, just because some jackoff using his cable modem is sending spam. Then you are no better than AOL.

Certs for all

[Directrix1]

The spec does not require everyone to get a cert. It requires everyone to have a log in with an amtp server which has a cert. This way if one server is shown to allow too many spammers through the whole server can be effectively blocked. Essentially, it will force servers to authenticate all mail transfers. But user to server authentication would still be done using user/pass, kerberos, SRP, CRAM, or whatever the server sets up. Sounds pretty good to me. I haven't read the spec yet, I only hope it still includes SASL authentication to make the move a lot easier.

DRIP is a better option, IMHO

[bobcat]

https://www1.ietf.org/mail-archive/working-groups/ asrg/current/msg05876.html

Re:Why a central cert?

[maynard]

hm... so how is this supposed to stop any spammer? Of course this would authenticate the server, but couldnt some future spam trojan simply generate those keys?

To turn that question on its head: how would a central cert stop a spammer? As you point out, either the cert or a public/private keypair offers only assurance that a message was processed by a specific server. It's a signature in the header assuring traceability to a specific point. In neither case would it stop a spammer, especially if the server site administrator allows spamming services to originate from his/her server to the outside net. The primary advantage of a public/private keypair is to remove unnecessary central authorities from the email process. It allows for scalability through decentralization.

As for your trojan question, I'm not sure I understand. If the mail server was compromised, sure - someone could gain access to the private key and then sign outbound messages as that server. This is no different than if a server using a central cert were compromised.

Cheers,
Maynard

For everyone wanting mandatory digital sigs

[scrytch]

... Know who can afford to get "Level 1" certs by the dozens? Spammers. Know who can't afford to get a cert of any kind? The homeless guy at the library computer emailing to his buddies from hotmail about how the cops beat him up (yeah I'm pulling out emotional rhetoric, bad me).

How about those background checks for certs? I bet the aforementioned homeless guy would have alittle problem with that. Not to mention anyone with an interest in privacy. I'm *sure* the chinese government and the ashcroft regime would love a scheme that required that level of certification and registration in order to communicate online...