Slashdot Mirror


Yahoo and Unilateral Anti-Spam Technology?

EatenByAGrue asks: "According to this Business Week article, Yahoo is planning on distributing a toolkit for Sendmail and other mail daemons that adds an encrypted source domain key to email headers to verify where they came from. However, critics are concerned that the scheme will be easily bypassed and that it ignores standards bodies. What does the Slashdot community (representing countless email admins, I'm sure) think of this proposal? On one hand, its a commercial enterprise dictating standard technology, on the other hand, the standards bodies have proven themselves helpless and hopeless when it comes to providing solutions."

397 comments

  1. police will be happy by rekrutacja · · Score: 5, Insightful

    easy email tracking system will be gladly welcomed by police and other agencies...

    --
    This Is Not a Sig
    1. Re:police will be happy by Pendersempai · · Score: 3, Interesting

      So what? You'd be free to send anonymous email, just as I'd be free to reject it. Who knows -- with enough people switched to signed email, maybe spammers' economies of scale would tip over and anonymous mail would become usable again.

    2. Re:police will be happy by moosesocks · · Score: 2, Insightful

Actually, they will, but not for the reasons you're thinking about.

      This isn't really about tracking/tracing. It's about authentication and verification. If you are accused of doing something illegal via email (which you didn't), this will be a VERY handy tool in your defense.

      I could only see it being traceable if enormous quantities of mail were being sent, in which case, you would either
      a) Not care about privacy. It's hard to be private with 10,000 recipients
      b) Be doing something illegal. Yes. Mr. Spammer. I mean you.

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    3. Re:police will be happy by PReDiToR · · Score: 3, Interesting

      You have half of your argument ass backwards.

If you are accused of doing something illegal via email (which you didn't), this will be a VERY handy tool in your defense.

      Why should I have to prove I didn't do something? Surely it is up to the police/law enforcement to prove I did do something?
I want to cryptographically hide the contents of my emails and obfuscate their origins as much as the next guy, and I want to call that privacy while I do it. Nobody in the world is going to make me write in plaintext on a postcard and hand it to the mail man as he passes my door every day, neither will they make me do the same with email. I may or may not have something incriminating in my e/mails, but until I am under suspicion of something illegal I want my privacy, and even then, I want properly mandated, legally and socially approved bodies with responsibilities to myself and the rest of the community to be monitored and restrained in their work.

      Handing control of privacy to those who care little for it is itself caring nothing for it.

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    4. Re:police will be happy by jimi1283 · · Score: 1
      What makes this new system any easier to track than existing valid email? All the headers are there, all a police agency has to do is look there and they'll have all the info they need.

      Spam with fake headers is the only kind of email that's hard to identify the source of, which this system will hopefully prevent. Look at the sending IP, look at the key and make a judgement as to the authenticity of the sender.

    5. Re:police will be happy by leviramsey · · Score: 3, Insightful

      And this proposal does not kill your ability to mail anonymously. What it does is allow server admins to decide to not accept mail that is anonymously mailed.

      You have no intrinsic right to expect that your mail recipient will ever read your email, anonymously sent or not.

    6. Re:police will be happy by AchmedHabib · · Score: 1

Anyone here should know that anonymity and the internet are two words together that don't make sense. And I don't know about agencies where you live, but where I live the ISPs have "accepted" the installation of hands-off no-access for employees, "black" cabinets.

    7. Re:police will be happy by defMan · · Score: 1

      It's one thing that an agency can do it, but as you said these boxes are no-access for employees. If this is in my email headers there is probably a way for the mail admins of the world to collect this info as well (and prove it was me).

      So if anonymous is good, this makes it worse.

    8. Re:police will be happy by 0x0d0a · · Score: 1

      I need to read up on Yahoo's system, but I do not believe that it is usable as a tracking system (or, at least, I am certain it is possible to build a system that provides the benefits that Yahoo is claiming that is *not* usable as a tracking system, and I would expect Yahoo to be implementing the system in such a way).

      Frankly, it's already more than easy for three-letter agencies to obtain email. Yes, you have an extremely weak defense now that would be weakened by mandatory signing -- you can *claim* that someone happened to forge three years of email (just as you can claim that someone forged all the snail mail sent from your mailbox), but it'd be a tough time unless you had incredibly tight informational separation between your emails and the rest of your life.

    9. Re:police will be happy by JonnyCalcutta · · Score: 1
Except most users don't have this choice. They can only accept the choice of their ISP or find another, and if all ISPs use it then where is the choice?

      Just because we all run our own sendmail servers over our DSL or cable lines doesn't mean it's the norm.

    10. Re:police will be happy by Mr_Silver · · Score: 2, Insightful
      Why should I have to prove I didn't do something?

Because, unless you hadn't noticed, in this day and age it's heading closer and closer to the situation where everyone is presumed guilty until proven innocent.

      Far better to insure yourself just in case you get in a sticky situation than sit back and "hope" that justice prevails - because time and time again we've seen that it doesn't work out quite that way.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    11. Re:police will be happy by Ironica · · Score: 1

      You have no intrinsic right to expect that your mail recipient will ever read your email, anonymously sent or not.

      If I don't put a return address on my envelope, the Post Office still delivers it. Then my correspondent gets to decide whether or not to open it.

      This system is like the Post Office implementing a system of Return Address stamps, which you buy from a private company that is authorized to give them out, and then Post Offices decide whether or not to deliver mail without those stamps. Except, the USPS can't do that, because they're a quasi-governmental agency, and people would freak.

      --
      Don't you wish your girlfriend was a geek like me?
    12. Re:police will be happy by mindstrm · · Score: 2, Insightful

Except the email system is not the USPS, and isn't one organisation to be held accountable, and you didn't pay me to let my mail server handle your mail. The only people you have a right to expect anything from are those you are paying, like your ISP.

      It's my mail server, and if I choose to let it only accept email with signatures from 8 companies, including my own, and even then the mails must be written in strict haiku, and the signature must praise me as your great leader, that's my choice.

    13. Re:police will be happy by Anonymous Coward · · Score: 0

Has anyone thought of boycotting the company advertised on the SPAMs?

      If we complain to the companies that use SPAMs, they may *stop* paying those jerk spammers.

    14. Re:police will be happy by mwood · · Score: 1

      "This system is like the Post Office implementing a system of Return Address stamps, which you buy from a private company...."

      Or you install OpenStamp and TinyStamper for free, and make your own.

      (I've actually toyed with the idea of a voluntary cryptographic signature that could be printed onto envelopes to unforgeably verify a paper-mail sender's identity (assuming his private key hasn't been stolen, natch).)

    15. Re:police will be happy by PReDiToR · · Score: 1

      Just because we all run our own sendmail servers over our DSL or cable lines

      Yeah, we all do this, but then along comes AOL and those other big ISPs and tells me that my IP (which I have had for > 6 months) is a spam outlet, which I can assure you it is not.
      I love reading my logs and seeing all the SMTP tests from spammers, only to see "User must be local to relay" and the like.

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    16. Re:police will be happy by eugene+ts+wong · · Score: 1

I totally agree with you. Nobody has a right to force their (e)mail on us. If they want to send it, then great. That doesn't mean we have to accept it. They'll have to be content with sending anonymous (e)mail to just the people who don't care.

    17. Re:police will be happy by eugene+ts+wong · · Score: 1

      They do have this choice. They can go with Yahoo! who is implementing it now. If you're referring to business users, well, then too bad for management. The users just have to let the managers know that their email isn't getting through to certain people, or that they aren't receiving email from certain people.

    18. Re:police will be happy by edunbar93 · · Score: 1

      What it does is allow server admins to decide to not accept mail that is anonymously mailed.

The problem is that no one wants anonymously sent e-mail. Why? Because 99.99999% (without a shadow of a doubt, and quite possibly more 9s) of anonymously sent e-mail is spam and/or viruses. There are probably about 1000 geeks out of the millions of e-mail users who care enough about the privacy of their e-mail, to both encrypt it and forge the headers to everyone they send e-mail to.

      It would be enough just to get a yahoo account under an assumed name and encrypt every message you send. So what if they can track you back to your yahoo account? It's good enough to frustrate anyone's attempts at finding out who you are, unless they're *really* determined to find you, like if you've been acting like a complete asshole and blowing up buildings.

      --
      "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
    19. Re:police will be happy by tepples · · Score: 1

      Your clients' ISPs are not obligated to deliver mail signed with your self-signed certificate.

    20. Re:police will be happy by mwood · · Score: 1

      Other people's ISPs are not obliged to deliver anything I send them -- unless they want happy customers. Besides, examining the body of a message puts the ISP in a whole 'nother legal realm than if they simply deliver opaque messages as the envelope directs, and they may not want to go there.

    21. Re:police will be happy by aztracker1 · · Score: 1

Suggestion, each mail server, implement a pgp system, with a public/private keyset for *EACH* user... a message is sent encoded with the recipient's public key, then that message is encoded with the sender's private key... on the other side, the mail is decoded with the sender's public key, then the receiver's private key... the message would need to contain an X-Sender-PGP: True header, if after decode, this isn't there.. the message is rejected... the public key requests are made as an extension to the smtp protocol... this would eliminate anonymous email, and limit open remailers... anonymity is the spammer's friend.. forcing a valid return address would limit things a bit... limiting mail from anywhere but an mx on record for the sending domain would go a long way too... together it would eliminate anonymous email, that goes with forged headers... and would severely limit spammers using open relays, and compromised proxies.

      --
      Michael J. Ryan - tracker1.info
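
The submission describes Yahoo's toolkit as adding a per-domain key signature to mail headers, and the comment above sketches a per-message signing/verification flow; the following is an added example (not Yahoo's toolkit, not code from the article or from any poster) that shows the mechanics of such a scheme on the receiving side. It assumes the sending domain publishes an Ed25519 public key in a DNS TXT record (here a constructed in-memory map), a hypothetical `X-Domain-Signature` header with `d=`/`h=`/`b=` tags, and a simple header-plus-body canonicalization; the real DomainKeys spec had not been published at the time of the thread, so all of those names and formats are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyDNS simulates DNS: signing domain -> base64 Ed25519 public key, standing in
// for the TXT record a domain would publish (constructed for this example).
type KeyDNS map[string]string

// Message is a minimal parsed mail: header lines in order plus the body.
type Message struct {
	Headers []string // "Name: value"
	Body    string
}

// Header returns the value of the first header with the given name ("" if absent).
func (m *Message) Header(name string) string {
	for _, h := range m.Headers {
		if i := strings.Index(h, ":"); i > 0 && strings.EqualFold(strings.TrimSpace(h[:i]), name) {
			return strings.TrimSpace(h[i+1:])
		}
	}
	return ""
}

// canonical builds the bytes that are signed: the listed headers (lower-cased
// names, trimmed values) followed by the body with trailing line breaks normalised.
func canonical(m *Message, signed []string) []byte {
	var b strings.Builder
	for _, name := range signed {
		b.WriteString(strings.ToLower(name) + ":" + m.Header(name) + "\n")
	}
	b.WriteString(strings.TrimRight(m.Body, "\r\n") + "\n")
	return []byte(b.String())
}

// SignedHeaders are the headers the sender commits to; From must be among them.
const SignedHeaders = "from:to:subject"

// Sign prepends a hypothetical X-Domain-Signature header for domain.
func Sign(m *Message, domain string, priv ed25519.PrivateKey) {
	sig := ed25519.Sign(priv, canonical(m, strings.Split(SignedHeaders, ":")))
	hdr := fmt.Sprintf("X-Domain-Signature: d=%s; h=%s; b=%s",
		domain, SignedHeaders, base64.StdEncoding.EncodeToString(sig))
	m.Headers = append([]string{hdr}, m.Headers...)
}

// fromDomain extracts the domain of a From: value like "Alice <alice@example.com>".
func fromDomain(from string) string {
	at := strings.LastIndex(from, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.TrimRight(from[at+1:], "> "))
}

// Verify is the receiving MTA's check: parse the signature tags, insist that the
// signing domain is the From domain and that From is covered by the signature,
// fetch the published key and verify. Any failure is a reason to reject or tag.
func Verify(m *Message, dns KeyDNS) error {
	sigHdr := m.Header("X-Domain-Signature")
	if sigHdr == "" {
		return errors.New("message is unsigned")
	}
	tags := map[string]string{}
	for _, part := range strings.Split(sigHdr, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	if tags["d"] == "" || !strings.EqualFold(tags["d"], fromDomain(m.Header("From"))) {
		return errors.New("signing domain does not match From domain")
	}
	signed := strings.Split(tags["h"], ":")
	coversFrom := false
	for _, n := range signed {
		coversFrom = coversFrom || strings.EqualFold(n, "from")
	}
	if !coversFrom {
		return errors.New("From header not covered by signature")
	}
	pub, err := base64.StdEncoding.DecodeString(dns[strings.ToLower(tags["d"])])
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("no usable key published for " + tags["d"])
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), canonical(m, signed), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	dns := KeyDNS{"example.com": base64.StdEncoding.EncodeToString(pub)}
	msg := &Message{Headers: []string{"From: Alice <alice@example.com>", "To: bob@example.net", "Subject: hello"}, Body: "Lunch?\n"}
	Sign(msg, "example.com", priv)
	fmt.Println("genuine:", Verify(msg, dns))
	tampered := *msg
	tampered.Body = "Send money\n"
	fmt.Println("tampered body:", Verify(&tampered, dns))
	spoof := &Message{Headers: []string{"From: ceo@example.com", "To: bob@example.net", "Subject: urgent"}, Body: "Wire it\n"}
	fmt.Println("unsigned spoof:", Verify(spoof, dns))
}
```

The point for an admin is what the scheme does and does not give you: a passing signature only proves the message went out through a server holding the domain's private key and was not altered in transit, so it is a fact about origin that a receiving policy can act on (reject, tag, or score), not a judgement that the content is wanted. The tie between the `d=` tag and the From domain is the part that matters for forgery; without it anyone with any key could "sign" mail claiming to be from anywhere.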
  2. Someone has to step forward by sirket · · Score: 5, Interesting

    I try to be as standards compliant with my mail servers as is humanly possible. Even with numerous spam filters, I get about 10 legitimate email messages a day and 100 spams. Something has got to change.

    Whether it is this technology, or another, something has got to be done. I'll implement this and hope that other admins do the same.

    -sirket

    1. Re:Someone has to step forward by Anonymous Coward · · Score: 0

      Agreed! I get over 350 spam emails every 2 days due to having a common first name at a large ISP. I have over 30 filters in place, but 2.5MB of spam downloads which are immediately trashed is just a waste.

While this might not be ideal to everyone, kudos to Yahoo for making the first step!

    2. Re:Someone has to step forward by mr.+methane · · Score: 2, Informative

      My company has several email addresses that are fairly public (used in DNS and IP registries for example). These addresses also have to be monitored, since they can be recipients of customer requests, problem reports or other information from other carriers.

      Looking at the log for today, I see... 1,076 messages - of which 24 were not spam.

      Yahoo's idea is simple, and is probably a lot more acceptable to the general public than many of the alternatives (government-signed keys, etc.) which we WILL have in a matter of months if we can't get the spam thing under control.

      I grouched at Yahoo pretty badly when they started including content-obscuring flash ads in their pages. This move almost earns them back all of that karma, IMO.

    3. Re:Someone has to step forward by Leroy_Brown242 · · Score: 1

That is a really bad ratio of signal to noise. I mean, really bad.

      I receive 300 spams to my account every single day. 1 every other day or so actually makes it to my inbox. That is 0.0016% of spam messages caught that make it through my filters. Compared to your 10%, this is an amazing difference.

      Spamassassin and greylisting. Amazing combination.

  3. Good move by 110010001000 · · Score: 5, Interesting

    I think this is a good move on Yahoo!'s part. As a developer I think a solution that is available and 50% effective is better than a solution that no one has implemented yet.

Let's get the implementations out there in the wild and use the feedback to create real solutions!

    1. Re:Good move by jujitsustab · · Score: 3, Interesting

I disagree. I think a bad and poorly designed solution is worse than no solution. Especially when there are other competing solutions, which are arguably better, or at least equal to Yahoo!'s domain keys system, such as RMX. IMHO, Domain Keys offers no significant improvements to the spam problem, but rather adds a crypto overhead to the sending and receiving of every message. I think it is great that Yahoo is trying to innovate to stop the SPAM problem, but being cavalier and going at it by themselves is not the answer, especially when they have a great Anti-spam alliance with AOL and MS.

    2. Re:Good move by Wolfier · · Score: 1

      A solution that works 50% of the time is pretty good.

Think of it this way - if you have many solutions that work half the time, then when you apply the solutions in series the chance of a spam getting through is exponentially reduced.

    3. Re:Good move by inertia187 · · Score: 1

      What, are you repeating yourself to gain more karma? Wish I had thought of that.

      --
      A programmer is a machine for converting coffee into code.
    4. Re:Good move by danheskett · · Score: 1

      Ahh, true, spam getting through is reduced..

      ...but likewise false positives along the way are increased.

It's a double-edged sword. Each layer adds protection, but more room for failure.

    5. Re:Good move by pjrc · · Score: 3, Interesting
      ...a solution that is available and 50% effective is better than a solution that no one has implemented yet.

      You are absolutely correct.

      Sender Permitted From (SPF) is indeed already available and implemented. Yahoo's DomainKeys is not implemented, and a spec has not yet even been published.

      In a nutshell, SPF is a way to publish a DNS record that tells other sites what machines transmit email from your domain name. It's a pretty flexible system (detailed info at the SPF site).

Let's get the implementations out there in the wild and use the feedback to create real solutions!

      Obviously you missed the article last week that AOL published a SPF record for 24 hours last Friday, for initial testing and to collect feedback. It appears they were pleased with the results, since they have turned it back on as of today.

      AOL is not the only site. In fact, as of today, 3575 sites have published SPF records. My own site is among them.

      If you, dead reader, happen to control the DNS for your own site, please consider adding a SPF record. It's very easy to do with the web-based SPF Publisher Wizard.
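
To make the comment's "publish a DNS record that tells other sites what machines transmit email from your domain" concrete, here is an added example (not code from the SPF project or from the poster) of how a receiving mail server evaluates such a record against the IP address that connected to it. It implements only the `ip4:`, `ip6:` and `all` mechanisms with their `+`/`-`/`~`/`?` qualifiers; `include:`, `a`, `mx`, `redirect=` and macros are left out, and the records come from a constructed in-memory map rather than real DNS, so treat the record contents as made-up sample data.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Result is the outcome of the check; a receiving policy maps it to an action
// (e.g. reject on Fail, tag or score on SoftFail, accept on Pass/None).
type Result string

const (
	Pass      Result = "pass"
	Fail      Result = "fail"
	SoftFail  Result = "softfail"
	Neutral   Result = "neutral"
	None      Result = "none"      // domain publishes no record
	PermError Result = "permerror" // record is malformed or unsupported
)

// SampleRecords simulates DNS TXT lookups (constructed data, not real domains' records).
var SampleRecords = map[string]string{
	"example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
	"example.net": "v=spf1 ip4:198.51.100.7 ~all",
}

// qualifier splits an optional leading +/-/~/? off a mechanism; default is "+".
func qualifier(term string) (Result, string) {
	switch term[0] {
	case '+':
		return Pass, term[1:]
	case '-':
		return Fail, term[1:]
	case '~':
		return SoftFail, term[1:]
	case '?':
		return Neutral, term[1:]
	}
	return Pass, term
}

// CheckHost evaluates the SPF record published for domain against the IP
// that connected to us, returning the first matching mechanism's qualifier.
func CheckHost(records map[string]string, ip net.IP, domain string) (Result, error) {
	rec, ok := records[strings.ToLower(domain)]
	if !ok {
		return None, nil
	}
	terms := strings.Fields(rec)
	if len(terms) == 0 || terms[0] != "v=spf1" {
		return PermError, fmt.Errorf("not an SPF record: %q", rec)
	}
	for _, term := range terms[1:] {
		q, mech := qualifier(term)
		switch {
		case mech == "all":
			return q, nil
		case strings.HasPrefix(mech, "ip4:") || strings.HasPrefix(mech, "ip6:"):
			arg := mech[4:]
			if !strings.Contains(arg, "/") { // bare address: exact-host match
				if strings.HasPrefix(mech, "ip4:") {
					arg += "/32"
				} else {
					arg += "/128"
				}
			}
			_, network, err := net.ParseCIDR(arg)
			if err != nil {
				return PermError, fmt.Errorf("bad mechanism %q: %v", term, err)
			}
			if network.Contains(ip) {
				return q, nil
			}
		default:
			return PermError, fmt.Errorf("unsupported mechanism %q", term)
		}
	}
	return Neutral, nil // no mechanism matched and no "all" term
}

func main() {
	checks := []struct{ ip, domain string }{
		{"192.0.2.10", "example.com"},   // inside the published /24
		{"203.0.113.5", "example.com"},  // not listed, record ends in -all
		{"2001:db8::1", "example.com"},  // inside the ip6 block
		{"203.0.113.5", "example.net"},  // not listed, record ends in ~all
		{"198.51.100.7", "example.net"}, // exact host match
		{"192.0.2.10", "nothing.test"},  // no record published
	}
	for _, c := range checks {
		r, err := CheckHost(SampleRecords, net.ParseIP(c.ip), c.domain)
		fmt.Printf("%-14s %-13s -> %s %v\n", c.ip, c.domain, r, err)
	}
}
```

Note which identity is being checked: the record is looked up for the domain in the SMTP envelope sender (MAIL FROM) or HELO name, and the IP is the one that actually connected, so a forged `From:` header on its own is not what SPF catches; forwarding is the classic false-positive case, since the forwarder's IP is not in the original domain's record, which is why a `~all` soft fail plus scoring is a safer default than outright rejection.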

    6. Re:Good move by Greg+W. · · Score: 1

      If you, dead reader, happen to control the DNS for your own site

      I'm not dead!
      'Ere. He says he's not dead!
      Yes, he is!
      I'm not!
      He isn't?
      Well, he will be soon. He's very ill.
      I'm getting better!
      No you're not. You'll be stone dead in a moment.

      ...

    7. Re:Good move by FireBreathingDog · · Score: 1
      A solution that works 50% of the time is pretty good.

      That depends on the problem domain. If you're a batter in baseball, a 50% "solution" (getting a hit every other time at bat) is phenomenal performance...

      But if the 50% solution means that only 50% of my e-mail gets through, that is unacceptable. If 50% means that half of all mail blocked by a spam blocker are false positives, that is unacceptable.

      Any communication medium that doesn't allow close to 100% of all valid, wanted messages through is one that won't last long. The problem with e-mail is every day that goes by, it becomes less usable due to spam. The current "solutions" to spam aren't much better...even Bayesian...I've seen many messages recently constructed to get through Bayesian filters...

    8. Re:Good move by 110010001000 · · Score: 1

      SPF has already been proven ineffective and obtrusive. If you weren't keeping up with the results, please try to. We need better solutions.

      Besides, I was just trolling for karma with a quick post. Give me a break.

  4. I use the telephone and ftp by ObviousGuy · · Score: 5, Informative

These days I can't even open my inbox, it is so overflowing with spam. I'm exaggerating, but at some point email is going to become completely useless because of spam. I do a lot of business over telephone (the way I used to do it before email) and have an ftp site to which customers can copy shared files.

    It's slower, but not as slow as deleted emails that I never see and can't respond to.

    --
    I have been pwned because my /. password was too easy to guess.
  5. All together now! by jdawg · · Score: 1, Insightful

    Spam is a SOCIAL problem, not a TECHNOLOGICAL problem. Spam must be solved by economics and/or behavior.

    1. Re:All together now! by Anonymous Coward · · Score: 1, Funny

      Spam must be solved by economics and/or behavior. Failing that, I say we hunt the bastards down and shoot them.

    2. Re:All together now! by MrRTFM · · Score: 5, Insightful

Yes but we will never have a social solution when all it takes is 0.000002% of the world's population to be spammers.

      There's always going to be pricks who will do anything for a buck.

      --
      You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
    3. Re:All together now! by Anonymous Coward · · Score: 0
      Spam must be solved by economics and/or behavior.

      Or by the El Salvador Death Squads.

    4. Re:All together now! by nemesisj · · Score: 3, Insightful

      I mostly disagree with the parent.

I agree that spam is a social problem, but you need to qualify what you mean a little more. Technology is the enabling mechanism to this problem (that some people are willing to be jerks and abuse a medium). Computers are exceedingly good at cranking out spam, day and night, and the medium of email is exceedingly weak against protecting against this kind of abuse. The same kind of social problem exists in all communications mediums, but you don't see just anyone wardialing people to sell viagra and penis pills. Calling a million people is expensive and time consuming, spamming is not. Therefore, this is a technologically exaggerated manifestation of a very minor social problem, making your point all but useless when trying to solve it. You've got to solve the problem in this situation, which is the enabler - technology.

    5. Re:All together now! by Anonymous Coward · · Score: 2, Funny

      we will never have a social solution

      Three words:

      Tar and Feathers

    6. Re:All together now! by drdale · · Score: 0

It is unlikely that anyone's behavior will change with an economic incentive, but only some kind of technological innovation will make it possible to alter the economics of the situation. Of course, the problem would disappear tomorrow if everyone in the world simply resolved to stop buying products advertised via spam, but that isn't going to happen. (Maybe just as well: The problem of companies sending out spam for their competitors' products might be just as bad.)

      --
      This post is dedicated to all of those /.ers who do not dedicate their posts to themselves.
    7. Re:All together now! by Paleomacus · · Score: 1

      Let's not even try. Let's just shoot them. Cheaper and a lot less work than trying to change the world in a non-violent manner.

    8. Re:All together now! by Anonymous Coward · · Score: 0

      So, by your logic:

Crime is a SOCIAL problem, not a TECHNOLOGICAL problem. Because of this, you think we should not endeavor to implement fingerprinting systems and other forensic methods?

      Screw you.

    9. Re:All together now! by gregsv · · Score: 0, Redundant

      The problem, however, is that an economic solution will take away the very freedom and openness that made e-mail such a great communication medium. I have seen several proposals for economic solutions to the spam problem and don't like any of them. It's not because I can't afford the penny an e-mail or whatever it is that a given plan wants to charge, it's more of an ideological thing. Associating any sort of cost with e-mail will change the fundamental nature of what e-mail is, and I think there are many people who don't want to see that happen. I'm not entirely convinced that a technical solution is impossible, so I'd much rather pursue that avenue before we start looking at economic or social solutions. There are some very promising technical solutions out there.

    10. Re:All together now! by jayayeem · · Score: 1

      That is an interesting observation. It is a lot like the old (but true) saying about guns, guns don't kill people, people kill people. Email systems don't send spam, people send spam.

Guns and email systems are just enabling technology. The rub is that email systems are just more efficient than guns. I'd guess there are more murderers than spammers in the world, but we'll all get spam tomorrow, and not many of us will be murdered.

      No point. Just an observation.

      --
      I metamoderate, therefore I am
    11. Re:All together now! by shanen · · Score: 2

      No, spam is an ECONOMIC problem, not a social problem. You're never going to get "perfect" people who always act morally.

      We pretend email is free, so the spammers think they are dividing by zero--and any return on zero investment looks very impressive. This is actually a silly legacy of when the nascent Internet was a non-commercial and purely cooperative enterprise. "You help me with my email and I'll help you with yours. We just won't worry about the details of the bean counting."

      Now the spammers say "You help me with my 10 million emails and maybe I'll find a sucker who'll send me $10!"

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    12. Re:All together now! by VegetariMan · · Score: 1

The truth is that there will always be unscrupulous people willing to hawk their wares. The technology enables such types to impose on people on an unprecedented scale (compare spam to a mass-mailing; the former has a flat cost, the latter a scaling cost.) There needs to be a technological solution so that you know your email comes from a trustworthy (or potentially so) source.

      There might be an effective way to harness economic forces in such a technological solution. For instance, perhaps my email system (I can see this being implemented either at the client or server level) only accepts mail unquestioningly from people I know by some specifiable degree. Those not trusted would then be required to take some sort of costly action to send an email to the target. This action might be a small fee, some brief manual task that is difficult to automate via software, or contacting a friend of a friend to provide an introduction.

      However, economics alone won't solve spam. Indeed, economics should surely *predict* spam. A free advertising medium combined with a potentially limitless audience means that nearly anyone can make some money.

      --
      --Nick
    13. Re:All together now! by AgentUSA · · Score: 2, Insightful

      But the solution is technological. Why can't we use technology and updated standards to close the gaping holes that currently exist?

    14. Re:All together now! by nolife · · Score: 1

      So Sigmund, do you have any psychoanalysis or psychoanalytical theories that will cut down on my spam?

      --
      Bad boys rape our young girls but Violet gives willingly.
    15. Re:All together now! by ElliotLee · · Score: 2, Insightful
Spam is a SOCIAL problem, not a TECHNOLOGICAL problem. Spam must be solved by economics and/or behavior.

      There will always be spammers, like there will always be criminals. But there are deterrents and law enforcement to take care of the criminals.

    16. Re:All together now! by Grishnakh · · Score: 5, Interesting

      This comment isn't insightful, it's stupid.

      So if spam is a social problem, what about auto theft? Should that also be solved by economics and/or behavior? Do you think that people shouldn't lock their cars or have alarm systems? Or that they should have push-button starters with no key required? If you believe this, you're a fool.

      How about hacking? Should that also be solved by economics and/or behavior? Should remotely-accessible computer systems not be password protected? Instead of having user accounts with passwords to keep hackers out, should we just let anyone log in who wants to, and use other means to punish people who abuse this? How about we connect our military systems to the internet in this way? Again, if you believe this, you're a fool.

      Any time a technological measure can be employed to minimize a social problem, it should be, because relying on society to proactively halt the activities of those who prey on weaknesses in the society is foolhardy because society only acts in a reactionary manner.

    17. Re:All together now! by gtrubetskoy · · Score: 3, Insightful
      The fact that people are willing to get evil just to steal a bit of your vision field is a social problem indeed.

      But Spam is more about an inappropriate use of technology. SMTP was designed on the assumption that the community at large using it would not be interested in abusing it. This was the case back when the Internet was not yet commercialized, and I remember it pretty well.

I think the only thing that will resolve the spam issue is abandonment of SMTP as we know it, and an adoption of a new protocol that enforces traceability. This is nothing new or scary - the IP numbers are all tracked and the BGP tables that run the internet all provide traceability to the source. Even though your average Joe might not be able to do it, ISPs cooperate and exchange this info all the time on a NOC-to-NOC basis to identify sources of trouble.

      A similar system will need to exist for mail, that will require some sort of a registration and compliance to join the "mail provider" network, whatever that will be. As soon as the e-mail becomes traceable to the source, perhaps even if not with 100% accuracy, there will be a drastic reduction in spam.

      Second problem is all those exploitable zombie Windows boxen out there, but I don't know what to suggest here...

    18. Re:All together now! by pooh666 · · Score: 1

      Come on people, do we really need to mod up posts of people who say things like, "Technology is the enabling mechanism" Yeah, it is for your wife's dildo too, what meaning do you get from that?

    19. Re:All together now! by Killswitch1968 · · Score: 1

Don't forget the 0.000002% of the population that actually buys into these schemes. There's always going to be guys who will do anything for their pricks.

      --

      Corporations: your universal scapegoat for all society's ills.
    20. Re:All together now! by WuphonsReach · · Score: 1

      Spam is like a telemarketer who's allowed to make all of their sales calls, collect. And they're allowed to munge/forge the caller ID information, or pretend to be a close friend of the family to get past whitelists and/or call screening.

      It's all of the above: ECONOMIC, SOCIAL and TECHNICAL. No one approach is going to solve the issue.

      --
      Wolde you bothe eate your cake, and have your cake?
    21. Re:All together now! by PacoTaco · · Score: 1
      How about we connect our military systems to the internet in this way?

      This would allow us to take care of the spammers, though.

    22. Re:All together now! by IceFreak2000 · · Score: 1

      I fully agree with you on this; I too remember the days when the internet wasn't commercialised, and the days when you could use your email address on Usenet without any fear of being hammered by spam five seconds later.

      I also agree that something needs to be done, but I can't see how SMTP itself can simply be 'abandoned'. There's too much software out there that uses SMTP, there are too many companies out there who would simply baulk at the idea of dropping their existing mail servers and taking on protocol X. For geeks like us, fine, we'll hack protocol X into QMail, Procmail, whatever, but it's not an option for many companies out there. Not to mention the education effort that would have to be made to convince Joe Blow user to switch.

      There has to be a way to get rid of this scum, but I've yet to think of a practical (or legal!) way of stopping spammers from doing what they do.

      This is turning into a rant, and I didn't mean it to, but I've got to get this off my chest!

      The thing that really pisses me off is that it makes me want to keep my kids away from the internet, not let them embrace it. OK, at the moment they're both far too young (my eldest is not yet three years), but it's not going to be long before she will be able to use the family PC; now seeing how offensive spam emails have exploded over the last year or so, how bad is it going to be in the near future?

      --
      Life is like a sewer; what you get out of it depends on what you put into it...
    23. Re:All together now! by schon · · Score: 1

      This comment isn't insightful, it's stupid.

      If you mean your post, why are you posting it? If you mean the parent post, then you're flat-out wrong.

      if spam is a social problem, what about auto theft?

      What about it?

      Should that also be solved by economics and/or behavior?

      Yes. You know, like the laws against it. Or are you suggesting that we abolish laws against theft because people still steal? (So they're obviously ineffective, right? If they're ineffective, they should be abolished, right?)

      Do you think that people shouldn't lock their cars or have alarm systems? Or that they should have push-button starters with no key required?

      No - but would you rely only on these measures to stop car theft? Do you advocate abolishing all theft laws? If you do, then you're a fool.

    24. Re:All together now! by Greg W. · · Score: 1

      I think the only thing that will resolve the spam issue is abandonment of SMTP as we know it, and an adoption of a new protocol

      You may be right on this part.

      that enforces traceability.

      But I don't know whether you're right on that part.

      Have you looked at DJB's Internet Mail 2000 yet? I don't know whether that will "solve spam", or whether it's even viable. But anyone who's interested in these issues should definitely look at it.

      A similar system will need to exist for mail, that will require some sort of a registration and compliance to join the "mail provider" network, whatever that will be.

      A centrally managed e-mail network? *shudder* No thanks!

    25. Re:All together now! by Grishnakh · · Score: 1

      The first poster was advocating not using any technological measures whatsoever. That's like not locking your doors on your car and hoping laws against theft will be sufficient to protect your investment.

      But you're obviously too stupid to see that.

    26. Re:All together now! by Anonymous Coward · · Score: 0

      Nothing that a bullet wouldn't solve! LOL

  6. Standards are important by mrpuffypants · · Score: 3, Interesting

    It's important for standards organizations to be taken seriously if people want to actually see careful and appropriate change made. We could, I suppose, say that the W3C is completely useless because Microsoft essentially dictates what will and will not be a standard on the majority of platforms but that doesn't make the W3C any more useless. Actually, it makes it much more important to look for a body that can develop RFC's and such so that we can all look at the proposed solutions and say yes or no. When a corporation decides on something it just happens and all we have to fall upon to stop the adoption of a (potentially) damaging standard is the free market system. However, in this situation that wouldn't have much of a bearing on a system that doesn't technically bring Yahoo! any more revenue.

    1. Re:Standards are important by Hamstaus · · Score: 2, Interesting

      It's true that standards are important, but obviously spam has become an issue that the standards organizations have so far failed to solve.

      If someone other than a standards organization, including corporations, comes up with a good idea that stops spam and solves the problem without causing more problems, then that sounds like a Good Thing to me.

      --
      I moderate "-1, Fool"
    2. Re:Standards are important by Anonymous Coward · · Score: 2, Insightful

      FYI, the odds on the street of IETF approving a new DNS RR type (as discussed today on the SPF mailing list) is that it would take at least 2 years and more likely 5 years.

      It's not like the spam problem cropped up overnight either, it's been around for at least a few years and the IETF, et al, are still discussing the issue.

    3. Re:Standards are important by Zeinfeld · · Score: 1
      FYI, the odds on the street of IETF approving a new DNS RR type (as discussed today on the SPF mailing list) is that it would take at least 2 years and more likely 5 years.

      This assessment leaves out the worst part. The price of getting a RR issued would be that some completely useless and pointless change would be made to the spec that would be incompatible with existing deployments.

      DNSSEC could have been deployed three years ago, the deal breaker for the IETF was changes to the spec to make it possible to deploy in existing large zones like dotCom without a major impact on the existing infrastructure. The WG chair turned this into a personal crusade and used a series of backroom tricks to stop it taking place. On the one hand you have the IETF chair congratulating himself for leading such a fine open and inclusive organization then when something that matters is discussed the peons find that the real discussion and the real power takes place in secret behind closed doors.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    4. Re:Standards are important by Anonymous Coward · · Score: 0

      The quote that I saw on the SPF mailing list is that DNSSEC has been in limbo for 14 years.

      From reading the ASRG mailing lists back in May/Jun 2003 - I've already written them off as a "too little too late" organization. The whole RFC process was where people originally got together, sat in a little room like you said, and hammered out the spec over a few days/weeks.

      Now, it's akin to getting an anti-spam law passed by congress...

    5. Re:Standards are important by Technician · · Score: 1

      When a corporation decides on something it just happens and all we have to fall upon to stop the adoption of a (potentially) damaging standard is the free market system.

      If anybody doesn't understand the above, a real world example is the DRM files versus MP3 files. If Apple were selling DRM-less MP3's directly competing with DRM files in a free market, I can predict the result. The Labels are forcing the DRM, not the free market. The free market is however having an influence. DRM CD's sell well in Japan and Europe, but due to consumer backlash, they are slow in being accepted in the US. Your vote with the dollar does count! CD's that can't be ripped to MY Choice of format are avoided. My in-dash player won't work with DRM files. I look for the standard Compact Disk logo. The non-standard disks don't have it.

      A damaging standard is the iTunes format. To make a CD that I can play with compressed files for my car requires burning a useless CD just to rip it to a usable format. Free market would indicate the consumers would rather have MP3's to eliminate the wasteful step. This is the factor that has kept me from using the service. It's too wasteful of my time and resources. It's inefficient. It fits some people's needs, but the majority find the usefulness diminished by the DRM format file used by a list of players that I can count on one hand missing a few fingers instead of the most universal industry standard MP3 format.

      No I'm not willing to challenge the DMCA trying to rip a protected CD. I'd rather kill it by not voting for it with $$$. Let it die like the Circuit City rental DVD. No Rip Mix Burn = no sale.

      Back to the subject, Signed mail is a great idea if it's using an open standard. Signing up with one or more certificate sites doesn't bother me as long as it isn't just one. If one is used for spam and doesn't revoke the certificates, (eg; adcertserver.com) I need the ability to revoke using that service. Trusted certificate sites that earn trust whether it be Verisign, Yahoo, Google, or Microsoft will be used until they betray our trust. Keep it open and let the market forces work. The idea of all the eggs in one basket quickly becomes a problem with too much power.

      --
      The truth shall set you free!
  7. inertia by jonpublic · · Score: 1

    while the effort is noble, it seems it will fall prey to the same beast that kills a lot of the good ideas that rely on wide adoption. the greatest force in the universe. inertia.

  8. Standards by rm -rf $HOME · · Score: 5, Insightful
    As much as we don't like to admit that this is the case, but companies making unilateral decisions and moving forward with them is often how standards are made.

    Web folk always moan about MSIE's poor standards compliance, for instance, but forget that CSS/Text came from them -- Netscape was pushing CSS/JavaScript at the time. Now, one of those is a standard, and the other is dead.

    Ultimately, either people will like Yahoo's idea and adopt it and it will eventually become a new standard, or it will be ignored by everyone else and forgotten. Only time will tell.

    1. Re:Standards by rfsayre · · Score: 1

      More precisely, Netscape was pushing JSSS (JavaScript Style Sheets). When Microsoft's CSS proposal won out, Netscape implemented it with JS. That's why JS and CSS (errors) are so tightly coupled in Netscape 4.

  9. It's not a matter of A or B by Genghis9 · · Score: 5, Insightful

    The extra key could be used by anybody who wants to, and ignored by the rest. And their implementation is open-source, so it doesn't look like a way of making an end-run past other ISPs. And since many spam messages come from fake Yahoo email id's, this would be a great way to immediately filter out those ones: if it says Yahoo but doesn't carry a key-->SPAM bin

    I like the idea of a major player getting on with it and DOING something.

    Would we rather have MS dictating an anti-spam standard? You can be sure such a beast would be a lot less benign than Yahoo's proposal

    1. Re:It's not a matter of A or B by John Miles · · Score: 1

      I like the idea of a major player getting on with it and DOING something.

      I agree. The deafening silence of the Internet "standards bodies" on the subject of spam control speaks for itself.

      If Eric Raymond, IETF, et al. are interested in addressing the problem, then let's see their proposed solutions. Otherwise, I'm somewhat less than interested in hearing them whine about attempts by private industry to do their job for them.

      --
      Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
    2. Re:It's not a matter of A or B by Zeinfeld · · Score: 4, Informative
      If Eric Raymond, IETF, et al. are interested in addressing the problem, then let's see their proposed solutions.

      Actually Eric has been supporting the SPF spec which is public, has an open discussion group and is currently in pole position wrt other schemes.

      The problem we have is that the standards process in the IETF/IRTF has essentially failed. First the original chair of the group hijacked it to use it as a platform to get his name and that of his company into every anti-spam puff piece in every newspaper around. He contributed nothing of value and pushed out all the people who did have something to contribute.

      There was an opportunity to get something going on the standards track but the IETF establishment decided to nix the idea - basically it will be July before it is possible to even start the process of forming a working group there.

      It is no surprise then that most commercial proposals have been avoiding the IETF like it was a bad smell. The IETF has no concept of working to a commercially relevant time scale - like months rather than decades.

      So we have ended up with about ten specs that have been circulating samizdat fashion amongst small circles since last February. The premise being that we have to short-circuit the standards process somehow. Only we have now been doing this for almost a year without result while in other areas it has taken less than a year to do a full spec - given the right circumstances.

      Fortunately IETF is not the only game in town. OASIS is a far more professional outfit. In OASIS you have a defined membership of the group and you hold weekly or bi-weekly con-calls so that things get done on a weekly basis, not the week before the RFC-editor cutoff before the next IETF meeting 3 times a year. You also have votes and clear lines of accountability. In the IETF the chair can basically do what the fuck they like and ignore the consensus of the group. You have the illusion of participation but the establishment hold all the cards. It is all about control.

      W3C is also OK-ish but the membership fees are ludicrous ($55K) and you keep getting semantic web thrust at you.

      OASIS does have the disadvantage of being a commercial consortium rather than a truly open volunteer body, but in practice we get to co-opt anyone we want to a group.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    3. Re:It's not a matter of A or B by Tom · · Score: 1

      The extra key could be used by anybody who wants to, and ignored by the rest.

      Wrong. Once AOL uses system A, you have to use it as well because otherwise you can't talk to aol lusers anymore. Then Yahoo uses system B, so you have to use that as well. Next T-Online (bigger than AOL here in Germany) uses system C...

      Before you know it, you have to support a dozen different systems, just to be able to keep mailing people.

      Standards bodies may be slow and ugly, but sometimes it serves a purpose. As in, say preventing you from rushing headlong into disaster because you didn't think things through.

      --
      Assorted stuff I do sometimes: Lemuria.org
    4. Re:It's not a matter of A or B by Anonymous Coward · · Score: 0

      What the fuck does Eric Raymond have to do with this? Don't inflate that spastic's ego any further, he's a right useless piece of shit.

    5. Re:It's not a matter of A or B by 0x0d0a · · Score: 1

      Actually Eric has been supporting the SPF spec which is public, has an open discussion group and is currently in pole position wrt other schemes.

      If SPF is really "in pole position", the spammers are going to have a field day. SPF is easy to defeat. Plus, it has non-trivial deployment issues and a set of drawbacks associated with it.

    6. Re:It's not a matter of A or B by pjrc · · Score: 1
      SPF is easy to defeat.

      How?

      SMTP uses TCP, which requires a round trip packet exchange to simply establish the connection before any data is exchanged. So the receiving MTA definitely knows the sender's IP number.

      DNS can be spoofed, but that is a difficult and risky attack for spammers. It's pretty safe to assume that 99% of DNS lookups performed to obtain SPF records will receive the information published by the domain name owner, and not a spoofed response from the spammer.

      If the IP matches one that the domain's DNS says is authorized to send, then it's a pretty strong indication that the email is not forged.

      Remember that SPF (and other authentication proposals) stop forgery, not spam directly. It only hurts spammers by making forgery much more difficult.

      Plus, it has non-trivial deployment issues

      Really?

      Fill out the web-based SPF Publisher Wizard, and then copy the result into your DNS zone file. No new server software to install or update, no changes to email clients, no email server configuration changes, nothing to download. Looks pretty trivial to me (I did it for my site in just a few minutes).

      Now, if you have no idea what machines transmit email for your domain, then you won't know how to fill out the form. But if your domain's email configuration is that uncontrolled or unknown... you've got much larger problems.

      and a set of drawbacks associated with it

      Yes, please explain?

      Thousands of sites don't seem to share your view, including AOL:

      paul@preston ~ > host -t txt aol.com
      aol.com text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
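
The check pjrc describes above, as an added example that is not part of the original post and not code from any SPF implementation: the receiving MTA takes the IP that opened the TCP connection, fetches the sender domain's `v=spf1` TXT record, and walks the mechanisms left to right until one matches. It handles the mechanisms that appear in the AOL record quoted above (`ip4`, `ip6`, `ptr`, `all`) with the `+`/`-`/`~`/`?` qualifiers; `include:`, `a:`, `mx:` and `exists:` are deliberately left out and return `permerror`. The `ptr` mechanism needs reverse DNS, so the caller passes in a lookup function; the one below is a constructed table, not a resolver, so the example runs offline. Note that, apart from the connecting IP, the only input to the verdict is whatever the DNS answer says, which is exactly what the rest of this sub-thread argues about.

```python
"""Minimal SPF (v=spf1) evaluator. Added example for this thread, not code
from the page's author or from any real SPF library."""
import ipaddress

# Record copied from the host(1) output quoted in the post above.
AOL_RECORD = ("v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 "
              "ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 "
              "ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 "
              "ip4:64.12.138.0/24 ptr:mx.aol.com ?all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # a bare mechanism means '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_host(client_ip, record, reverse_lookup):
    """Evaluate `record` for the IP that opened the SMTP connection.

    reverse_lookup(ip) must return the validated hostnames for the IP
    (PTR names that also resolve forward to that IP).  First matching
    mechanism decides; nothing matching is 'neutral'.
    """
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "ptr":
            domain = arg.lower().rstrip(".")
            names = [n.lower().rstrip(".") for n in reverse_lookup(client_ip)]
            matched = any(n == domain or n.endswith("." + domain) for n in names)
        else:
            return "permerror"          # include:, a:, mx:, exists: not implemented
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


# Constructed reverse-DNS table standing in for real PTR lookups (assumed data).
FAKE_PTR = {"205.188.200.7": ["rly-xx.mx.aol.com"]}


def fake_reverse_lookup(ip):
    return FAKE_PTR.get(ip, [])


if __name__ == "__main__":
    for ip in ("205.188.139.1", "205.188.200.7", "10.0.0.1"):
        print(ip, check_host(ip, AOL_RECORD, fake_reverse_lookup))
```

With the AOL record, an IP inside one of the listed /24s passes, an IP whose validated PTR name ends in `mx.aol.com` passes, and anything else falls through to `?all` and is merely neutral, so a receiver can reject nothing on the strength of this record alone.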
    7. Re:It's not a matter of A or B by Greg W. · · Score: 1

      SPF is easy to defeat.

      Could you expand on this, please? Or provide a link?

      Plus, it has non-trivial deployment issues

      On the receiving MTA side, yes. The sending MTA side (DNS TXT record) is trivial.

      and a set of drawbacks associated with it.

      Such as...? And, doesn't everything have drawbacks? Eating food has the drawback that I might become poisoned, infected or obese, but it's the only way I know to avoid starvation.

    8. Re:It's not a matter of A or B by Anonymous Coward · · Score: 0

      Eric Raymond maintains Procmail, so this is one of the only things where his opinion sorta matters.

      (Note that I have no idea if Procmail is used by real ISPs, or it's some My Hoody-Doody Linux Boxen thing.)

    9. Re:It's not a matter of A or B by 0x0d0a · · Score: 1

      How?

      Argh. I've been posting these in the SPF discussions multiple times earlier. Okay, here goes again.

      SMTP uses TCP, which requires a round trip packet exchange to simply establish the connection before any data is exchanged. So the receiving MTA definitely knows the sender's IP number.

      There's little point in spoofing the SMTP connection. Spammers don't bother today. The authentication, which is what's important, takes place over DNS, with *no anti-spoofing features* beyond base DNS.

      DNS can be spoofed, but that is a difficult and risky attack for spammers.

      DNS spoofing is not difficult. It's done with an automated tool, just like other attacks. It's difficult in the sense that running an automated tool is difficult, which is to say not at all.

      I have no idea what you mean by "risky".

      It's pretty safe to assume that 99% of DNS lookups performed to obtain SPF records will receive the information published by the domain name owner, and not a spoofed response from the spammer.

      *confusion* So? If 99% of HTTP queries to an IIS server are not buffer overflow attacks that compromise the thing, how is this any kind of testimonial as to the security of that IIS server?

      If the IP matches one that the domain's DNS says is authorized to send, then it's a pretty strong indication that the email is not forged.

      No, not if people deploy SPF. Then spammers will simply always work around SPF.

      Remember that SPF (and other authentication proposals) stop forgery, not spam directly. It only hurts spammers by making forgery much more difficult.

      SPF is roughly on the level of the evil bit. It means that if someone is not interested in lying to any systems involved, it works fairly well. If someone is interested in attacking it, however, it quickly breaks down.

      Fill out the web-based SPF Publisher Wizard, and then copy the result into your DNS zone file. No new server software to install or update, no changes to email clients, no email server configuration changes, nothing to download. Looks pretty trivial to me (I did it for my site in just a few minutes).

      Not at the "providing SPF" end, at the usage end, where you have patching servers and writing something to handle non-SPF domains.

      Yes, please explain?

      Instead of repeating the list of problems with SPF, I'm just going to provide a link pointing to the last discussion.

      Thousands of sites don't seem to share your view, including AOL:

      Thousands of sites use unpatched servers for various security vulnerabilities. Furthermore, AOL is not what I would call a paragon of technical virtue. I will grant that AOL is desperate for some way of reducing spam. However, they're going for what is, at best, a very short term hack to reduce spam -- it's a hell of a lot easier to get past SPF than it is to, say, defeat Bayesian filtering, and spammers are pretty busily chewing up Bayesian filtering.

    10. Re:It's not a matter of A or B by 0x0d0a · · Score: 1

      Or provide a link

      I don't really want to repeat all the flaws I've pointed out before, so I'll link to the last SPF discussion here

      On the receiving MTA side, yes. The sending MTA side (DNS TXT record) is trivial.

      True. I was referring to the MTA.

      Such as...? And, doesn't everything have drawbacks? Eating food has the drawback that I might become poisoned, infected or obese, but it's the only way I know to avoid starvation.

      Yes...as you pointed out, there are *major* benefits involved with eating food. There's a good deal of value associated with not starving for most people. SPF, unfortunately, does not provide major benefits, and does have some drawbacks.

  10. It's bad if you have a different by eclectro · · Score: 5, Insightful

    "From" address from what your SMTP server is, in which case I don't see how it could work for you.

    This may put a lot of travellers out in the cold.

    A solution is badly needed, but it has to work for everybody.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    1. Re:It's bad if you have a different by Anonymous Coward · · Score: 0

      Unfortunately, a solution that "works for everybody" will work for spammers.

    2. Re:It's bad if you have a different by 0WaitState · · Score: 1

      ssh into a shell account, or use a web client to your SMTP or (gack) exchange server.

      --
      Remain calm! All is well!
    3. Re:It's bad if you have a different by WuphonsReach · · Score: 1

      It's bad if you have a different "From" address from what your SMTP server is, in which case I don't see how it could work for you.

      1) Don't publish a key for your domain (downside is that you can still be joe-jobbed and nobody can verify that e-mail coming from your domain is authentic, or at least that it passed through an authorized server)

      2) Use SMTP AUTH / VPN to connect to your domain's server, just as if you were in the office. (Most corporations, where you are acting as an agent of the corporation, would prefer this method.) The only time this is a problem is if you're behind a firewall of some sort, in which case a $9.95 dial-up account and unplugging a fax machine for a few minutes gets you past it. Or you can make use of the 3G hi-speed internet wireless services that are coming in a year or two.

      There are options, and if your service provider doesn't provide alternatives, then you need to find another provider or bring pressure to bear on that provider. The ability to randomly forge any domain that you want onto your e-mail has been abused to death, hence the momentum behind things like Yahoo!'s proposal and the various reverse-MX / sender-authentication proposals. Most mail admins are tired enough of being joe-jobbed and dealing with bounces due to domain forgery that they're willing to make these changes.

      --
      Wolde you bothe eate your cake, and have your cake?
    4. Re:It's bad if you have a different by CustomDesigned · · Score: 4, Informative
      If the traveller is using webmail, it works fine. Otherwise, the traveller needs to use SMTP AUTH to relay outgoing mail through his home base.

      Furthermore, mail receivers need not check all purported from addresses. This is just one tool in the toolbox. As I understand it, Yahoo's idea addresses the problem of mail claiming to be from jane_austin@yahoo.com, when in fact it is from a spam criminal (I believe falsifying mail headers is a crime in many places these days). If Yahoo, hotmail, and aol could be validated this way, it would help a lot.

      I have gotten emails from people threatening me with bodily harm because they believe I sent them spam. (When they include the message in question, it is obvious from the headers that it never went near the US, much less through any of my machines.) Some spam scum in Asia is using my email as the from address to spam victims in Europe. So I would be interested in signing my emails, if some of the spam victims would check it.

      What prevents a spammer from simply reusing properly signed headers with a spam body? Does the signature cover the message content? If so, how is it an improvement over simply signing your email?

    5. Re:It's bad if you have a different by bo-eric · · Score: 2, Insightful

      Does it have to be based on the "From" field? Wouldn't the original "Received" host be a better candidate for signing the message? I think that it would solve the issue you are worried about.

      --
      -- Free speech is only free if your time is worth nothing.
    6. Re:It's bad if you have a different by yelligsc · · Score: 1

      Maybe this idea that just poped into my head is obviously wrong.. but how about something like this:

      The machine that is attached to all the stuff behind my email address (ie: something at michigan state) knows my public key. I private key sign each message when I send it.

      On the other end the mail client AUTOMATICALLY contacts the machine that msu.edu resolves to and asks for yelligsc's public key.

      If it doesnt match, then the mail is deleted.

      Whats the problem with that?

      Yes, its more traffic for mail servers sending the keys out.. but not as much as the spam!

      Seriously, I would love to hear why this would not work, if adopted as the standard.

      Scott.

    7. Re:It's bad if you have a different by yelligsc · · Score: 1

      So..... looks like that is exactly what yahoo is doing.

      Need to read the article next time :P

    8. Re:It's bad if you have a different by Otterley · · Score: 1

      If the traveller is using webmail, it works fine. Otherwise, the traveller needs to use SMTP AUTH to relay outgoing mail through his home base.

      Were it only that simple -- my fiancée, who has an account in my domain, uses Cox High-Speed Internet to access the internet. Cox blocks all outgoing SMTP connections to servers other than its own. Her situation prevents me from setting up SPF records for my domain.

      If everyone were to insist on SPF, she'd be completely unable to send e-mail at all unless I forced her to use my webmail system (SquirrelMail is nice, but it's no Outlook).

      This doesn't seem like an optimal solution to me. Why shouldn't she be able to use any mail client she wishes from her home ISP, despite the fact that her mail is in a different domain?

    9. Re:It's bad if you have a different by CustomDesigned · · Score: 2, Informative
      Were it only that simple -- my fiancée, who has an account in my domain, uses Cox High-Speed Internet to access the internet. Cox blocks all outgoing SMTP connections to servers other than its own. Her situation prevents me from setting up SPF records for my domain.

      I myself am on Cox HSI. To send mail from my business domain, I simply use SSH. For Windows, use PuTTY, and set up a tunnel from port 25 to your sendmail server. Then she just sets her outgoing mail server to 'localhost'. We have configured many of our clients to use PuTTY this way to send email through their company servers from a remote laptop. In many ways, it is better than SMTP-AUTH because the connection is encrypted (although the mail is unencrypted anyway when it leaves the company server, it protects internal mail to other employees within the company).

      This is a pretty secure solution provided the user can hang on to his/her laptop and can control their urge to download and run Windows executables or use Outlook. Unfortunately, even CIA directors have trouble meeting these qualifications.

    10. Re:It's bad if you have a different by thogard · · Score: 1

      Ever hear of "Message Submission Agent"? It's SMTP on port 587. The idea is you only accept local mail on that port even if "local" is someone far away but is using your mail server.

    11. Re:It's bad if you have a different by treee · · Score: 1

      Hmmm...I may be missing something here, but I may have a problem with this new implementation.

      I use YahooPOP to check my email in Outlook, and I used my own SMTP server (eg. smtp.mymailserver.com) to send email from Outlook, but in the reply address field I used my yahoo address (e.g. myusername@yahoo.com). I do this because it is more convenient to send email in Outlook than a browser. And since I can't get YahooPOP to send email, I use my own SMTP server.

      All email from my Outlook will be signed with a valid key from smtp.mymailserver.com, but the reply address will be from myusername@yahoo.com.

      Wouldn't all the emails sent from Outlook be treated as spam?

    12. Re:It's bad if you have a different by Anonymous Coward · · Score: 0

      You could just put "her" outgoing mailserver into your SPF records along with your own.

    13. Re:It's bad if you have a different by dot-magnon · · Score: 1

      They cannot validate these mails with today's email system. It's just not possible, because whenever someone puts a yahoo address in the "From:" field, they do not necessarily SEND through yahoo. It's just a nice message that tells you where to reply.

      You cannot reuse a signed message. When using f.i. OpenPGP, a message will be signed using a key, a password, and the message itself. Change the message, and the signature is invalid.

      There might be a chance to end up with the same signature, but the chance to end up with an advertising message that has the same signature as the previous legit one is... zero.

    14. Re:It's bad if you have a different by jamus · · Score: 1
      If the traveller is using webmail, it works fine. Otherwise, the traveller needs to use SMTP AUTH to relay outgoing mail through his home base.

      Which is fine, until you run into an ISP that redirects SMTP connections to their SMTP server. I had that problem while travelling on business. The hotel's ISP redirected all SMTP requests to their SMTP server, and choked on AUTH. The error I got back was generic, so I thought I had entered my password wrong. The end result: I sent a couple of my passwords to an unknown party!

      This is why I now use SSL for SMTP; I'll get a security warning before passwords are exchanged.

    15. Re:It's bad if you have a different by Hobophile · · Score: 1
      MUAs for the most part can all choose to connect to an SMTP server on a different port. I know for certain that with Outlook you can.

      Using iptables on Linux, you can redirect any connections on one port to a different one:

      iptables -t nat -I PREROUTING -p tcp --dport 25000 -j REDIRECT --to-port 25

      That will let your mail server appear to be running on port 25000 also (without needing to change any configuration files for it).

      Set up SASL-based authentication (I personally use the rimap mechanism of saslauthd, but there are many other options), have her configure Outlook to connect on port 25000 and to authenticate outgoing mail, let that port through your firewall, and you're good to go.

      What you have to keep in mind is that the situation you are trying to preserve (messages from your domain can be sent from any compliant mail server) also lets anyone else pretend to send mail from your domain.

      SPF is designed to prevent this, so saying it doesn't work with your current setup is kind of the point.

    16. Re:It's bad if you have a different by Jarnis · · Score: 1

      Of course this is currently non-trivial to setup, which translates to 'impossible' for the point-and-drool people.

    17. Re:It's bad if you have a different by CustomDesigned · · Score: 1
      PuTTY stores its configs in the registry. We provide clients with a script and registry dump on diskette to load the PuTTY config for this setup which the user can click to execute. Yes, it would be painful to talk a "point and drool" user through doing the setup with the GUI. But it is easy enough to capture the config in an easily loaded format.

      By the way, "point and drool" is not accurate. Our clients are generally very intelligent people whose interests and skill sets do not include computers. But sometimes the computer is a useful tool. That is why they hire us. (There are one or two exceptions to the "intelligent" part, but I won't mention those. We charge them more.)

      Remember, in the Open Source economy we all claim to be working toward, service (whether tech support or custom programming) is what will be paid for. When there is no vendor lock-in, is a customer going to prefer paying someone who refers to them as "point and drool", or someone who respectfully takes care of computer stuff for them as much as possible so they can spend their time on their own interests and talents?

    18. Re:It's bad if you have a different by CustomDesigned · · Score: 1
      What prevents a spammer from simply reusing properly signed headers with a spam body? Does the signature cover the message content? If so, how is it an improvement over simply signing your email?

      I have found the answer to this. The signature does cover the entire message. It is different from end user signing because it is done by the MTA. So even if none of the users at Yahoo bother signing their email, at least we can detect forged mail claiming to be from Yahoo servers.

      End user signing authenticates mail as being from a private key holder, regardless of which mail servers it originates with. The two types of signatures are complementary.
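
A constructed illustration of the point made above (the MTA signs headers and body together, so a properly signed header block cannot be reused over a spam body), added here and not part of the thread or of Yahoo's toolkit. HMAC-SHA256 with a per-domain key table stands in for the public-key signature and the key the verifier would fetch from DNS; header and tag names are assumptions.

```python
"""Constructed example: MTA-level signing over selected headers plus the body.

HMAC-SHA256 stands in for the public-key signature of the real scheme, and
DOMAIN_KEYS stands in for the per-domain key a verifier would look up in DNS.
"""
import hashlib
import hmac

DOMAIN_KEYS = {"yahoo.example": b"constructed-secret-key-1"}  # constructed
SIGNED_HEADERS = ("from", "to", "subject")                   # assumption
SIG_HEADER = "domainkey-signature"                            # assumed name


def parse_message(raw):
    """Split a raw message into [(lowercased-name, value), ...] and body."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def _first(headers, name):
    for n, v in headers:
        if n == name:
            return v
    return ""


def canonical_form(headers, body, names):
    """Bytes that get signed: the named headers, then the body with
    trailing whitespace stripped from every line."""
    parts = [f"{n}:{_first(headers, n)}" for n in names]
    body_lines = [ln.rstrip() for ln in body.rstrip("\n").split("\n")]
    return ("\n".join(parts) + "\n\n" + "\n".join(body_lines)).encode()


def sign_message(raw, domain):
    """Done by the sending MTA: prepend a signature header covering
    SIGNED_HEADERS and the whole body."""
    headers, body = parse_message(raw)
    data = canonical_form(headers, body, SIGNED_HEADERS)
    mac = hmac.new(DOMAIN_KEYS[domain], data, hashlib.sha256).hexdigest()
    sig = f"d={domain}; h={':'.join(SIGNED_HEADERS)}; b={mac}"
    return f"DomainKey-Signature: {sig}\n" + raw


def verify_message(raw):
    """Done by the receiving MTA. Returns 'pass', 'fail' or 'none'
    (no signature, or no key known for the claimed domain)."""
    headers, body = parse_message(raw)
    sig = _first(headers, SIG_HEADER)
    if not sig:
        return "none"
    fields = dict(item.strip().split("=", 1) for item in sig.split(";"))
    domain = fields.get("d", "")
    key = DOMAIN_KEYS.get(domain)
    if key is None:
        return "none"
    # The signing domain must be the domain the From header claims.
    if _first(headers, "from").rsplit("@", 1)[-1].lower() != domain:
        return "fail"
    names = tuple(fields.get("h", "").split(":"))
    expected = hmac.new(key, canonical_form(headers, body, names),
                        hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, fields.get("b", "")) else "fail"


def swap_body(raw, new_body):
    """What a spammer reusing a signed header block would produce."""
    head, _, _ = raw.partition("\n\n")
    return head + "\n\n" + new_body


# Constructed sample message.
SAMPLE = (
    "From: alice@yahoo.example\n"
    "To: bob@example.net\n"
    "Subject: Re: lunch\n"
    "\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    signed = sign_message(SAMPLE, "yahoo.example")
    print(verify_message(signed))                                  # pass
    print(verify_message(swap_body(signed, "Buy cheap pills!\n"))) # fail
```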

  11. When de jure standards fail... by eyegone · · Score: 4, Insightful

    ...de facto standards emerge. One need look no further than POSIX/SUS and GNU/Linux for an example.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    1. Re:When de jure standards fail... by Anonymous Coward · · Score: 0

      Another good example would be the M$ OS and proprietary standards like the Notes vampire. In fact, all lock-in strategies are based on "de facto standards", plus closed source and vendor control over APIs. Oh, and btw... Linux aims at compliance with what you'd call a "de jure" standard as far as I know.

    2. Re:When de jure standards fail... by Anonymous Coward · · Score: 0

      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

      This quote is nonsense. Liberty requires safety. If you are giving up safety (i.e. threatened with violence by those who oppose you), you are giving up liberty. Without security there is no liberty, only anarchy.

  12. Yahoo are spam nazis by chamont · · Score: 3, Insightful

    Doesn't sound like this will be too effective in stopping spam for Yahoo users, and Yahoo is already a pain to work with.

    I set up a proxy and was a spam relay (unknowingly of course) for just under a week. I got blacklisted on a couple of email sites, my ISP bitched and I fixed it. So sorry.

    So I'm now off every blacklist I know of, and everyone loves me again. That is except Yahoo, the evil nazi bastards. I've filled out their stupid "fill this out to get un-blacklisted" form at least 30 times (twice a day normally). It must go into a black hole because they still are rejecting my mail.

    Everyone else lets me through but stupid Yahoo, who seem to have NO admins, no technical people, and a violate-once-banned-for-life reject policy. Grrr. So I guess, if this new system lets them drop their damn overbearing blacklists, I'm all for it.

    1. Re:Yahoo are spam nazis by the+eric+conspiracy · · Score: 4, Insightful

      if this new system lets them drop their damn overbearing blacklists, I'm all for it.

      And people want to sue blackhole sites like MAPS out of business. THAT would mean every little mom and pop would maintain their OWN blacklist. Good luck getting off 69,105 blacklists. Your IP and domain would become useless.

      I don't know how good the Yahoo system will be, but all the more power to them. At least they are trying.

    2. Re:Yahoo are spam nazis by Anonymous Coward · · Score: 2, Insightful

      It's your fault you don't know how to configure an internet facing system and were used as an open relay. Not Yahoo's fault, not any other blacklist you were listed on.

      If you can't be trusted to set up a system once, what leads Yahoo (or the rest of us) to believe you are now capable? Sure you may not make the same mistake but what will you overlook next time? Test it man, test it!

      It's incapable admins like yourself that are at least partially responsible for the glut of spam.

      How many pieces of spam did you send the week you were an open relay? Do you have any idea? Do you have any idea how to find out? It depends greatly on your upstream bandwidth but even one piece of spam that came from your open relay is too much.
      My god man if you were on a fat pipe you may have sent millions of unsolicited emails! Millions!
      You got a big brass set to publicly bitch about being blacklisted when it was your own incompetence that landed you there.

      Listen folks, please know what you're doing before you stick a machine on the internet, inboxes everywhere beg you. Spam is a huge problem that doesn't need help from well-meaning but ill-prepared admins.

    3. Re:Yahoo are spam nazis by splint3r · · Score: 1

      Yes! I was in the same boat for a long time. Exactly the same thing, I filled out their Goddamn form, phoned, threatened, nothing got through to them. Mainly because there was no "them", I was not allowed to talk to the technicians because they saw me as an end user (unjustly). I was so annoyed that I was even considering buying a plane ticket to America just to go to their offices and speak to the charming receptionist face to face.

      But don't worry you're not blacklisted forever. After about 4 months mail started going through again to yahoo's servers. But yes, I know exactly how you feel, they don't have any staff (that you can talk to) that know anything about anything.

    4. Re:Yahoo are spam nazis by frog51 · · Score: 1

      >>I setup a proxy and was a spam relay (unknowingly of course) for just under a week.

      Okay, Yahoo are nazis, but a lot of spam is the fault of folks like yourself who set up open proxies. A little extra work before connecting it to the world would have saved some spam, and prevented you being blacklisted.

      If every admin who set up a proxy did it correctly, it would be much harder for spammers to work. Okay, we would still have to combat the "create a spam proxy using a worm" tactic, but every little helps.

    5. Re:Yahoo are spam nazis by FireBreathingDog · · Score: 1
      It's your fault you don't know how to configure an internet facing system and were used as an open relay. Not Yahoo's fault, not any other blacklist you were listed on.

      It's not always the fault of the person blocked by the blacklist, either...

      You forget that many of us are not in control of our SMTP servers. I use a hosting company that had someone sending spam through the same SMTP server I use. Now I'm marked as a spammer and can't e-mail AOL, EarthLink and others.

      Is that my fault?

  13. A nice thought. by Anonymous Coward · · Score: 2, Insightful

    Now that RIAA has gotten rid of Napster and is trying to crack down, what did most people do? Other programmers created other ways to share music. Now all of this was just so we could get free music. These spammers are making money at what they do. How hard are they going to try and find a way to mail in our inbox? What we need to do is find a way to keep spammers from making money. That would stop them.

    1. Re:A nice thought. by Anonymous Coward · · Score: 0

      Barring that, they'll spam the next communication medium... website comments.

    2. Re:A nice thought. by Grishnakh · · Score: 1

      And how do you propose to do this? As long as a small number of morons respond to the spam and buy crap, spamming is profitable for the spammers. There's no way you're going to convince the spammers to stop spamming because they're selfish bastards that only care about themselves. There's no way you're going to stop their customers because "there's a sucker born every minute" as P.T. Barnum said. You can ban spam outright, but good luck enforcing it: child porn is illegal too but that's still all over the internet.

      I only see two practical ways of stopping spam:
      1) Track down spammers and kill them publicly. This will act as a deterrent to other spammers, and since just one spammer can send out millions of spams each day, a small number of executions will have a very significant effect.
      2) Employ some technological way of blocking spam.

      Personally, I'd prefer the first method because it'd obviate the need of some complex technological solution, allowing us to stick with the nice, simple SMTP system we've used for decades which works great as long as no one abuses it. Unfortunately no one wants to give spammers the death penalty for some reason.

  14. Something needs to change by Glowing+Fish · · Score: 1

    Since there doesn't seem to be any other way to deal with SPAM, I don't object to this. Especially if this is just a temporary measure.


    It could be argued that if people go all out with these measures, in a while SPAM will no longer be sent, and then they can all be relaxed. But what will probably happen is this will just be another measure that will get circumvented.

    --
    Hopefully I didn't put any [] around my words.
    1. Re:Something needs to change by dj245 · · Score: 1
      Normally I deal with SPAM by opening it very carefully, being sure to avoid the sharp edges. I then extract the contents of the SPAM with an eating utensil and store it in /george_foreman/ for no more than 30 minute but not less than 10.

      Then I feed it to the dog or eat it myself

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  15. Total overkill by tonyray · · Score: 5, Insightful

    It would be much simpler to add a record type to DNS servers to identify **outgoing** mail servers. Email proxies, where 60% of all spam comes from, would be immediately eliminated. Spammers with fixed servers and addresses are easily taken care of by the RBLs. Why introduce something that is more complicated and less reliable?

    1. Re:Total overkill by Eric+Smith · · Score: 1
      Which is, of course, what SPF and RMX do. It looks like SPF is gaining momentum; even AOL has started using it.

      SPF has the advantage over RMX that it does not need a new DNS record type, so it doesn't need IANA to assign a number.

      I've put SPF records in my DNS, but I don't yet have my MTA (or MUA) patched to look up SPF records for incoming mail.

    2. Re:Total overkill by BakaMark · · Score: 1

      Well the DNS record method will also prevent the effectiveness of email viruses that set up spam engines on users' desktops (considering that they usually talk directly to MX destinations).

      The Yahoo idea looks nice at first. However I wonder as to how the thing is supposed to work at the installation and operation levels combined. The main issue is that to protect its own workings, it would need to be closed source. There will be a slight problem with some system admins installing it in that event.

    3. Re:Total overkill by RT+Alec · · Score: 4, Informative

      This has already been discussed, with two current proposals, RMX and SPF::Sender. The latter looks a lot closer to implementation, with AOL already testing it.

    4. Re:Total overkill by swmccracken · · Score: 1

      And what happens when Server A sends to Alice at Server B. But Alice is really a redirector for Bob at Server C, so it forwards it on.

      Server C takes a look at the message. It has a From address of user@servera.com; but it came from Server B. Thus, it's apparently a forgery and gets rejected.

      What if Server B rewrites the from address, so it's "user-at-server-a@serverb.com" - Server C will accept it fine. But if server C bounces the email (ie: accept and later generate the bounce), Server B would have to accept this bounce and send it on to the original sender..

      Oh wait.. does this mean that a spammer on server D could send email to user-at-server-a@serverb.com? Oh look, open relay.

      Anyway, these are a few of the issues that spf.pobox.com has been dealing with.
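
A constructed walk-through of the "DNS record listing a domain's outgoing servers" idea from the Total overkill post and of the forwarding problem just described, added here and not code from the thread or from any SPF implementation. The DNS records are an in-memory dict, the three hops run in-process, and the rewritten-address format and the forwarder's issued-address list are assumptions (real SRS uses a keyed hash and timestamp instead of stored state).

```python
"""Constructed example: an SPF-style sender check, why forwarding breaks it,
and why the sender rewrite must not turn the forwarder into an open relay.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the DNS record each domain publishes naming the
# IP addresses allowed to send mail for it.
PERMITTED_SENDERS = {
    "servera.com": {"192.0.2.10"},
    "serverb.com": {"198.51.100.20"},
    "serverc.com": {"203.0.113.30"},
}


def spf_check(sender_domain, client_ip, records=PERMITTED_SENDERS):
    """What Server C does on receipt: is the connecting IP allowed to
    send for the envelope sender's domain? 'none' = no record published."""
    allowed = records.get(sender_domain.lower())
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def envelope_domain(addr):
    return addr.rsplit("@", 1)[1].lower()


@dataclass
class Forwarder:
    """Server B: Alice's address there is really a redirector to Bob at C."""
    domain: str
    ip: str
    issued: set = field(default_factory=set)  # rewritten addresses we minted

    def rewrite(self, original_sender):
        # "user@servera.com" -> "user-at-servera.com@serverb.com"
        # so that C's check runs against serverb.com, which B may send for.
        local, dom = original_sender.rsplit("@", 1)
        rewritten = f"{local}-at-{dom}@{self.domain}"
        self.issued.add(rewritten)
        return rewritten

    def accept_bounce(self, rcpt):
        """A bounce to a rewritten address is relayed back to the original
        sender only if B itself issued that address. Otherwise anyone
        (the spammer on Server D) could mint such addresses and use B
        as an open relay; returns None to refuse."""
        if rcpt not in self.issued:
            return None
        local = rcpt.rsplit("@", 1)[0]
        user, dom = local.rsplit("-at-", 1)
        return f"{user}@{dom}"


def simulate(sender="user@servera.com"):
    """Run the A -> B -> C scenario and return the outcomes C observes."""
    server_b = Forwarder("serverb.com", "198.51.100.20")
    # Hop 1: A delivers to Alice at B from A's own IP.
    direct = spf_check(envelope_domain(sender), "192.0.2.10")
    # Hop 2, naive: B forwards unchanged; C sees B's IP with A's domain.
    forwarded = spf_check(envelope_domain(sender), server_b.ip)
    # Hop 2, rewritten: B rewrites the envelope sender to its own domain.
    rewritten = server_b.rewrite(sender)
    forwarded_rewritten = spf_check(envelope_domain(rewritten), server_b.ip)
    # Later: C bounces; B maps the rewritten address back to the origin.
    bounce_target = server_b.accept_bounce(rewritten)
    # Spammer on D tries a made-up rewritten address to relay through B.
    relay_attempt = server_b.accept_bounce("victim-at-example.net@serverb.com")
    return {
        "direct": direct,
        "forwarded": forwarded,
        "rewritten_address": rewritten,
        "forwarded_rewritten": forwarded_rewritten,
        "bounce_target": bounce_target,
        "relay_attempt": relay_attempt,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```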

    5. Re:Total overkill by Crypto+Gnome · · Score: 1

      Oh? You mean this proposal?

      --
      Visit CryptoGnome in his home.
    6. Re:Total overkill by WuphonsReach · · Score: 2, Insightful

      The main issue is that to protect its own workings, it would need to be closed source. There will be a slight problem with some system admins installing it in that event.

      Why closed source?

      Closed-source cryptographic systems (which is essentially what this is) are often very insecure if they are not peer-reviewed. In fact, Bruce Schneier argues often in his books that a properly designed cryptographic system is just as secure if the source/spec is open/published. Most problems are actually due to implementation weaknesses which argues for the "many eyes, bugs shallow" of open source code.

      Go subscribe to Crypto-Gram or read up the back issues if you want to get a good background on what makes for secure systems.

      --
      Wolde you bothe eate your cake, and have your cake?
    7. Re:Total overkill by M.+Silver · · Score: 1

      And what happens when Server A sends to Alice at Server B. But Alice is really a redirector for Bob at Server C, so it forwards it on.

      That's what the Sender field is for, and, when it's present, what the SPF and other critters should be validating against. And your whitelist, too.

      --

      Slashdot's token middle-aged housewife
    8. Re:Total overkill by Zeinfeld · · Score: 1
      Closed-source cryptographic systems (which is essentially what this is) are often very insecure if they are not peer-reviewed.

      The Yahoo scheme is not closed source, it is just not yet published, most likely explanation being that the spec is not finished.

      The security of domain keys does not depend on the secrecy of the spec. The problem seems to be that they would like to get some other ISPs to endorse their efforts and they would like to be able to make a joint announcement. Meanwhile those efforts are clearly stalled and AOL implemented SPF a few days ago.

      First we have to get the whole issue into an open standards working group. Then we have to sling out the managers from the various companies who clearly have no clue how to set up a technical standard so that the Internet buys in.

      All the members of the big four ISP group (six to date) have really good technical people with great ideas to contribute. What happens is that the managers all go off to the meetings together and work PHB style (that is Pointy Haired Boss, not the other PHB).

      Put the technical folk together in a room and we will have a spec PDQ. Just keep out the IETF politicians and the Manager politicians.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  16. I am implementing on the 15 or so domains I admin by Frums · · Score: 2, Interesting

    I admin a dozen domains professionally, and run a couple mail servers for volunteer orgs and all of them will get it.

    -Brian

  17. Standard bodies and solutions? by Rahga · · Score: 3, Insightful

    "...on the other hand, the standards bodies have proven themselves helpless and hopeless when it comes to providing solutions."

    E-mail is supposed to do a certain job, and it does that job well, at least from a technical standpoint. The problems with spam are identical to similar problems in every other arena, it's just that they seem worse because of the level of automation. Even if it wasn't automated, spam would still be a problem. With idiots knocking on my door every other week with a hard sale for everything from oil changes to Chinese food, I'm starting to almost regret the do-not-call list, because I didn't have to worry as much about these degenerates (if you don't take "No" for an answer and walk away immediately, you are a degenerate in my book, and every door-to-door jerkwad so far has been one) giving my wife a hard time.

    Standards bodies can't do anything to fix human behavior, unfortunately.

    1. Re:Standard bodies and solutions? by barzok · · Score: 1
      Then why are you opening the door in the first place? When someone can't ID comes knocking, I tend to just stare at them through the peephole in my door till they leave.

      Helps if you have a solid door and they can't tell from outside the residence that someone is actually inside, but still, it's worth a shot.

    2. Re:Standard bodies and solutions? by Anonymous Coward · · Score: 0

      I gave your wife a hard time last night - my cock overflowing in her ass!

    3. Re:Standard bodies and solutions? by Anonymous Coward · · Score: 0

      I found answering my front door with a gun in hand makes salespeople very polite and to the point. I have found you only have to say "not interested" once :)....It works

    4. Re:Standard bodies and solutions? by Anonymous Coward · · Score: 0

      With idiots knocking on my door every other week with a hard sale for everything from

      They are idiots and they are knocking on your door every other week? Imagine if they were knocking on your door every other hour like they do with spam. The amount of spam that the average user gets versus the amount of legitimate email is horrendous, and it needs to be changed. I think it needs to start with the big companies who fuel the spam, such as Yahoo, Hotmail, etc. Later on I think they need to add things such as DNS records pointing to the outgoing mail server for each domain. No matter how you look at it, social problem, automated problem, your problem, my problem ... the problem needs to be fixed!

    5. Re:Standard bodies and solutions? by Anonymous Coward · · Score: 0

      You must be on a "sucker" list -- I don't think I've ever seen a door-to-door salesman.

      But, all you have to do is put a "No Solicitors" sign by your doorbell and you're done. Would be nice if spam was that easy to take care of.

  18. Better to use IP restrictions by kiwi_mcd · · Score: 4, Interesting

    A far better approach (which I think I saw on Slashdot but can't remember) is to use an extension which says whether IP addresses are allowed to use a domain.

    This extension was based on DNS and basically allowed the mail server to query whether the IP address of the mailer was allowed to send on behalf of the domain.

    Yes - this would be open to IP spoofing. Perhaps this DNS extension should be combined with the Yahoo method. If Yahoo, Hotmail and a couple of other providers adopted it could have massive effect.

    To initially put it live, perhaps they could have an authenticated vs non-authenticated flag/filter in their web-mail client.

    1. Re:Better to use IP restrictions by Crypto+Gnome · · Score: 1

      It's called Sender Permitted From

      --
      Visit CryptoGnome in his home.
    2. Re:Better to use IP restrictions by Anonymous Coward · · Score: 0

      It's called reverse-MX proposals: of which there are a few like DRIP, RMX, SMTP+SPF.

  19. How good could it be? by Anonymous Coward · · Score: 1, Interesting

    abuse@yahoo.com (purposely unmunged) claims that 419 spam from their servers didn't come from them. Gee, what's web108.biz.yahoo.com then? Some magic realm where the Nigerians have taken over Yahoo's network without their knowledge? That box relayed the spam to my MX, so it came from them, period.

    Given that level of cluelessness, I assume that any "anti-spam" technology from them is going to be brain damaged from the start.

    Crap like that is why yahoo.com is now on a "block all, except some" ruleset here. Other freewebmail services are getting there, too.

    Look at it in very simple terms: what's to lose when you abuse a free e-mail account? Oh no, they cancelled my free account! I'll just have to make another! This is just going to ruin my day!

    Until there is a real penalty for screwing around and getting an account cancelled, I don't want any mail from them. The revolving door of accounts needs to stop.

    1. Re:How good could it be? by dj245 · · Score: 1
      Myrealbox is a free e-mail service with both POP and webmail (as any decent mail service should have). They are currently not accepting new users. However when I signed up they made me type in a credit card and verified it, but didn't charge anything at all. This is probably a good approach because with a credit card, not only do you have a good chance of finding someone (and stapling their head to a table) but credit card addresses are hard to fake (the bill has to go somewhere).

      Probably the only two problems are:
      1. If not everyone verifies credit cards (and stores the data on a box not on the internet), then the real nasty people will just find a free service that doesn't do credit cards.
      2. People have a hard time trusting companies who promise to hold their credit card info, but never use it.

      I would argue that a free e-mail service is a relationship based on mutual trust, but of course there's always those nasty few.
      I only trusted them because they beta-test software for Novell's Netmail and get paid well for it and get free bandwidth from Novell. They don't need my money, and have no reason to sell my personal info for chump change.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  20. Chinese water-drop torture to all Spammers. by the_mutha · · Score: 1

    Anything to stop these parasites from smuggling our precious productivity.

    I say go for it. I mean, SOMEONE has to try something. I don't care HOW it gets done. JUST DO IT :)

  21. Another volley in the spam war by exi1ed0ne · · Score: 1

    While I applaud Yahoo for taking the initiative, this is just one more method to combat SPAM that will only work if everyone does it. I'd have to accept mail at my gateways from non-signaturized email anyway because all the users would gripe that their friends couldn't send them the joke of the day.

    Even then, these header signatures could be easily forged by the spammers.

    --
    Pessimists.net - as if life wasn't depressing enough.
  22. Repost? by rockwood · · Score: 5, Informative
    We talked about this in a previous post on Dec 06, 2003 here at /.

    There were a lot of vital aspects to this point made in the previous article, some of which are quite thought provoking!

    If you missed the previous thread, I highly recommend reading it, or even re-reading it.

    --
    Never try to beat a professional at his own game!
  23. SPF seems more open and no less effective? by Anonymous Coward · · Score: 0

    "Yahoo's plan is to write open-source software for popular e-mail server programs such as QMail and SendMail that would check all incoming messages to ensure they're coming from real Internet domains."

    But SPF checks that the domain from which the email purports to come declares its mail will come from the server from which it has come.

    Adding crypto sounds good, but I don't actually see that the encrypted token is doing anything, surely one will still have to look it up somewhere, which might as well be DNS.

    If it wasn't offered free, I'd wonder if it was the old trick of finding something free, adding something that only you can do to it, convincing people they needed that, and then selling it to them.

    I'm happy to look at any fix for spam, and implement any that are effective and within my powers, but in the end this is a social problem, and the neighbours of the dingbats that are behaving badly should express their disapprobation.

  24. Yahoo's Plan Won't Fly by spin2cool · · Score: 1

    As reported earlier, Microsoft has been working on its own anti-spam technology. Yahoo is trying to get their solution adopted by being the first one out of the gate, but since Gates and Co. have a lot of weight to throw around in any standards war, I don't see Yahoo's plan being a success.

    In my opinion, Microsoft's plan seems a bit more feasible and crack-proof, too. By linking email to processing power, it makes it really expensive to send millions of emails.

    1. Re:Yahoo's Plan Won't Fly by WuphonsReach · · Score: 1

      Microsoft's Penny Black does zip, zero, zilch about the problem of domain forgery. MS's solution is aimed at a way to rate-limit the amount of outbound SMTP e-mail that a client can send.

      Yahoo!'s solution is aimed at the stopping of domain forgery and has nothing to do with rate-limiting outbound e-mail.

      They're two separate and distinct problems, hardly related at all.

      --
      Wolde you bothe eate your cake, and have your cake?
  25. I have a 100% solution to stopping spam by Anonymous Coward · · Score: 0, Troll

    I'm serious - spam eradicated over night, requires less than this initiative but is 100% foolproof.

    If anyone wants to fund me on this then email me alan dot c5 at ntlworld dot com

    All I'm really looking for is the funding for patents; any big company would use this once it's disclosed.

    Anyone interested?

    1. Re:I have a 100% solution to stopping spam by Genghis9 · · Score: 1

      Does your "solution" involve using pigeons for mail...?

    2. Re:I have a 100% solution to stopping spam by Anonymous Coward · · Score: 0

      Ahhh!! You've mentioned our patented IP!
      I'll sue you for every penny you don't have, you 12-year-old hippy!

  26. Business sense by boatboy · · Score: 2, Insightful

    I'm all for a spam solution coming from private enterprise as opposed to legislation - in fact, I think the former is the only method that has a chance of working. Maybe Yahoo's attempt will help, maybe they'll waste a bunch of money trying, but I guarantee it's less money and less waste than Congress or the FCC doing the same thing.

  27. Use the Registrars by Anonymous Coward · · Score: 0

    We should use the resources that are already in place: Registrars.

    Why isn't there a way for me to log in to my GoDaddy account, and securely edit a list of valid IP addresses that email for my domain can be sent from?

    Any email that isn't on this list is forged and can be deleted. Yes, people will need to set up and require SASL for sending mail, but that is easy.

    The infrastructure is already in place, just release an updated RFC with a Jan 1, 2005 deadline for compliance (by registrars and sysadmins).

    January 2nd our spam will drop by 99%...

    1. Re:Use the Registrars by Anonymous Coward · · Score: 0

      New around here? Do a search for SPF, RMX or DRIP.

    2. Re:Use the Registrars by Anonymous Coward · · Score: 0

      No, I'm not new around here, and I am familiar with those. But all of those solutions require stuff to be installed and configured at the server level.

      I specifically suggested using the registrars for a reason: Lists of valid IPs for outgoing mail can be updated for a domain easily, anytime, by anyone, from any browser, regardless of where it is hosted.

      With the current setups, 90% of hosted domains don't allow that kind of fine-grained control in DNS or to install new apps, so you're screwed until your host supports it.

      By using the registrars that is avoided (it brings maintenance of the system down to a level where it is as easy as registering a domain name, which, to be effective, it needs to be).

  28. How about this? by Boyceterous · · Score: 5, Interesting
    Instead of sending the whole email content - and with it the ability to falsify email header information, why not just send the email header only - and require the originating server to hold the email content?

    That way, there's no question where the email came from, and exactly which account sent it. Plus traffic goes way down by not passing the content all over the place.

    In addition millions of copies of the same email would not have to be held on recipient's servers, they would just sit on the originating server until received or until some time limit expired.

    I guess this would prohibit using a (ISP's) email server as a repository, you would have to download everything you wanted to keep, but hey, no more email size limits! - send me the world - if I want it, I'll come and get it!

    Could this help in the spam wars?

    1. Re:How about this? by bucky0 · · Score: 1

      IANAESA(I am not an email systems administrator) but,

      I would think it would be unworkable due to how sending and receiving mail servers are set up. Most receiving mail servers have oodles of hard disk space to burn on holding messages. Sending servers are usually fewer in number and don't have a lot of hard drive space because they don't have to hold that many messages at a time.

      my 2 cents.

      --

      -Bucky
    2. Re:How about this? by Anonymous Coward · · Score: 0

      Wow! You just invented IM2000!

    3. Re:How about this? by Baron_Yam · · Score: 1

      I've always wondered why it wasn't done that way in the first place...

      Of course, it would stop ISPs from worrying at all about SPAM, and there would be no central mail server to do blacklist lookups... maybe instead of providing a mail server, ISPs could provide a local queriable blacklist server.

      Now you're talking about:

      • Adding and implementing new server and client protocols everywhere
      • Supporting both the old and new protocols until you have critical mass
      • Setting up local blacklist servers in place of mail servers

      This strikes me as very doable for the open source community, but I doubt you'd get Apple or Microsoft interested, and since between them they essentially own the client base the system wouldn't be easy to spread beyond *nix geeks.

    4. Re:How about this? by mabu · · Score: 3, Insightful

      Instead of sending the whole email content - and with it the ability to falsify email header information, why not just send the email header only - and require the originating server to hold the email content?

      Neat idea... in theory. There are a few problems with it:

      1. It would reduce overall bandwidth being burned on the Internet and cost the very influential backbone ISPs lots of money that they're charging smaller providers for bandwidth, so they'll hate the idea and lobby against it.

      2. The flow of information on the Internet would heavily tilt more towards prime time, creating additional bottleneck issues. Users would be downloading exponentially more data during business hours and much less in the off time. Server resources would need to be beefed up and there is no guarantee that the requested mail could be retrieved upon request (an e-mail based "slashdot effect").

      3. If you think e-mail headers are misleading now, under such a system things would be a lot worse. You'd be lost in a sea of misleading e-mail you could only verify by exposing yourself to the spammer.

      4. When you went to retrieve the e-mail message, you would expose your personal IP address. It would be the equivalent of having a web-page bot allowing spammers and other systems to associate a fixed location in cyberspace with your identity, email and any other info in the e-mail. Serious privacy invasion issues abound.

    5. Re:How about this? by mabu · · Score: 1

      As another poster pointed out, this is basically the NNTP protocol, used for newsgroups.

      The problem you have is that running a server of this nature requires many more resources than a standard mail server. And you have to "expire" the data very rapidly. Very few news servers can afford to maintain more than 14+ days of a full usenet feed. If mail were delivered this way, you'd have a similar problem of deleting unread mail if it wasn't picked up fast enough.

      It's a neat idea though, to contemplate addressing these issues through implementing *outbound* mail quotas (/cue demonic laugh). Imagine how many of your overzealous mail-forwarding bonehead friends would be limited in the crap they can send out until the recipients picked it up.

    6. Re:How about this? by Anonymous Coward · · Score: 0

      Use your old receiving server as a sending server, and vice-versa. You're going to reimage your servers with completely new software anyway, so you might as well swap the hardware before you do.

    7. Re:How about this? by Boyceterous · · Score: 1
      Having read some of the feedback, here are my responses:

      1 - Not practical because the protocols will have to change.

      A - They ARE going to change anyway. With over half of email traffic now spam, the existing system is going to have to be modified or become unusable - legislation alone will not do it. Filtering will never be an adequate solution either IMHO.

      2 - Spammers will validate your email address and send you more spam.

      A - They may try, but the whole point is that I can identify real, specific servers that are sending me spam, plus I don't even have to go there if I can - from the header - identify it as such - that's the whole point of sending the header info anyway. The burden is on the spammers to maintain the storage - they could no longer "send it and forget it".

      3 - Privacy issues are created by connecting to the (offending) sender.

      A - Perhaps so, but can't they already achieve this by embedding html in emails anyway?

      4 - The flow of information on the Internet would be altered with more traffic during prime time.

      A - This is one of the more thoughtful issues that came up so far, but consider: In my typical inbox, I get 100+ spams per day - they've been sent throughout the last 16-24 hours. Gradually. But most users already filter, if at all, based on the entire email content. So there are already bottlenecks between me and my ISP at primetime if your scenario is true. Now compare that with ignoring all but two of those 100+ email headers. Sure, I've downloaded the headers, but I'm only retrieving content for some small percentage (not more than half, at most, right?). Plus in the current situation, there are still MILLIONS of spam going to MILLIONS of addresses with full content - even during primetime - seems like the overall traffic would have to be less if we had good ways to identify spamming servers.

      In sum, I brought this up as an idea to spark others- I did not work out all the details - I'm sure there are lots of them, but let's find something that puts the burden on the spammers and provides some accountability.

      My idea was not so much one for traffic reduction as traffic accountability - hopefully without a traffic increase. Sure spammers could fake all kinds of email headers, but once the server is known, things could be handled maybe at a higher level than end-recipients. It seems like it would be impossible for spammers to be able to quickly set up a different IP address for mailing spam every time their server(s) get blacklisted. And ISPs are not going to want to store the stuff, spammers won't want to pay for it, and even if they do, they can be identified and face the consequences.

      Thanks All!

    8. Re:How about this? by Detritus · · Score: 1

      You're assuming that the originating host is on the Internet.

      --
      Mea navis aericumbens anguillis abundat
    9. Re:How about this? by ttyv0 · · Score: 1

      You should take a look at

      http://cr.yp.to/im2000.html

    10. Re:How about this? by Greg+W. · · Score: 1

      why not just send the email header only - and require the originating server to hold the email content?

      You're half-way to re-inventing Internet Mail 2000, then.

    11. Re:How about this? by Convergence · · Score: 1

      Spam is megabytes, yeah, whatever. Show me some proof. Spam is nothing in terms of network bandwidth compared to HTTP, and *that* is nothing compared to p2p.

      A thousand spam messages a day (a few megabytes) costs me $1/year in bandwidth. The 20 a day I actually receive cost me about two pennies a year. Remote X over ssh on the other hand costs me a dollar a week in bandwidth.

      Spam costs in time, not bandwidth. One minute of my time is worth more than 100,000 spam messages worth of bandwidth.

  29. Uh no sirree bob.... by twoslice · · Score: 1
    Spam is a SOCIAL problem

    Spam is not a social problem, a spammer is a social problem. Sort of like an alcoholic being a social problem at a wedding - not the alcohol.

    --

    From excellent karma to terrible karma with a single +5 funny post...
  30. Depends by JoeCommodore · · Score: 1
    Probably if it meets the following criteria:

    1) Free of ownership

    2) Easy to implement on any platform

    3) offers a valid chance of actually working

    With those three met, I think it has a chance, especially with one of the more visible players helping it along. Though they might want to participate in some open-source developments (mozilla, etc) and contribute the necessary code to also help push along the effort.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  31. Punish the source by Anonymous Coward · · Score: 0

    Spammers wouldn't do it unless they got
    paid.

    What I want to know is: Who the heck buys stuff from
    spam?
    And how about we fine them?

  32. Nope by Mojo+Geek · · Score: 2, Interesting

    I'm agin it. Cause problems. Will not fix SPAM. I have however added SPF records to my DNS. More flexible solution. I'll get around to patching my MTA to reject invalid incoming in good time.

  33. Good move, which may actually spur development. by Soko · · Score: 3, Interesting

    Development of a workable solution, that is.

    There have been a few times in the past where an entrenched technology has hit a wall in functionality, but because it was entrenched no one really did anything about it.

    Then, someone said "Fuck standards - I have to DO something about this!" and started pushing their solution. Others saw that someone was willing to take the first step, and took a step themselves. After some shakeouts, a new, more functional standard emerged.

    My hope is that Yahoo has started the "SPAM proof MTA" development war for real this time. I want my e-mail system back.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
    1. Re:Good move, which may actually spur development. by djupedal · · Score: 1
      I want my e-mail system back.

      Stop using Yahoo!

  34. Completely and totally offtopic, but... by adun · · Score: 0, Offtopic

    As I look to my left on the main page, I'm greeted with an OSDN Personals ad. ...

    HAAAHAHAHAHAHAHA.

    In all seriousness, did anyone actually CONSIDER that brain fart before passing it?

    1. Re:Completely and totally offtopic, but... by Rude+Turnip · · Score: 1

      The woman in the ad appears to have a double chin, too.

  35. Good Move ? by jujitsustab · · Score: 2, Insightful

    I don't think so. I think a bad and poorly designed solution is worse than no solution. Especially when there are other competing solutions, which are arguably better, or at least equal to Yahoo!'s domain keys system, such as RMX. IMHO, Domain Keys offers no significant improvements to the spam problem, but rather adds a crypto overhead to the sending and receiving of every message. I think it is great that Yahoo is trying to innovate to stop the SPAM problem, but being cavalier and going at it by themselves is not the answer, especially when they have a great Anti-spam alliance with AOL and MS.

  36. They're Already Trying to Brute-Force It by Schizoid+Genius · · Score: 1

    So that's what this was about. Spammers aren't adding gibberish to fool Bayesian filters; instead, that's the result of the spammers' lame-ass attempts at brute-forcing Yahoo's new crypto sig headers.

    (As to why the nonsense stuff is usually in the body instead of the headers... hey, what can I say, that's spammer logic for ya.)

  37. MOD PARENT UP! by AoT · · Score: 1

    We also need to stop the merchants from making money! I SMELL DDoS!!! Kill 'em all!

  38. Re:Uh no sirree bob.... by Gherald · · Score: 1

    Bad analogy, the alcohol is still a problem in this case because Spam is never a good thing, even "if done in moderation."

  39. Typical, typical... by Anonymous Coward · · Score: 0

    Totally against for privacy reasons. The best thing to do is to TRACK SPAMMERS, bring them to justice and make sure they don't do it again.

    But noooooohhhhh, that's of course not what USA does. Commercial money has bought their legislature so instead of protecting civilians it now protects penis-pill companies and porn-spammers. Way to go suckers...

    What is wrong with this world... It is getting more and more fucked up by the day. Now I face being tracked, because some assholes thought money was more important than serving the civilians.

    Bah!

    1. Re:Typical, typical... by Anonymous Coward · · Score: 0

      Totally against for privacy reasons.

      It's as private as it was prior to signing the mail headers (which merely say that these e-mail headers were signed by an authorized Yahoo! SMTP server).

      Explain what effect a system like this would have on privacy? What exactly would it compromise as opposed to the information that is already in the e-mail headers?

    2. Re:Typical, typical... by Anonymous Coward · · Score: 0

      Funny that you can't figure that out yourself.

    3. Re:Typical, typical... by WuphonsReach · · Score: 1

      No... I posted AC because it's not worth arguing with other AC's.

      And /. records the IP address of the submitter, so this is only pseudo-anonymous.

      --
      Wolde you bothe eate your cake, and have your cake?
  40. Re: Reverse MX systems by WuphonsReach · · Score: 4, Informative

    You mean like "reverse MX" records... google for RMX, SMTP+SPF, DRIP, DMX. (SPF seems to have momentum at the moment)

    However, reverse-MX solutions will not kill off spam (a common misconception). The goal of reverse-MX proposals is to stop domain forgery, where spammers are able, with complete impunity, to tack on any old domain name to their spams. Which means that the unfortunate organization who is forged gets to deal with the thousands of e-mail bounces and the irate phone calls / e-mails from people who think that the organization was the source of the spam. As a mail admin, I'm able to control which servers handle inbound e-mail for my domain through specifying MX records. Reverse MX allows me to have the same amount of control over outbound e-mail from my domain.

    What will happen instead, once reverse-MX systems (or Yahoo!'s system or other sender-authentication systems) come into play, is that spammers will have to change tactics and resort to either forging one of the remaining domains that don't have reverse-MX information published, or they will register throw-away domains by the hundreds. It will drive up their costs a tiny bit (much like the impact of bayesian and other filters requiring them to use randomization techniques).

    But the real nice side-effect of reverse-MX, etc., is that you'll be able to more reliably whitelist based on domain name. And your bayesian filters will be able to assign high ham values to domain names.

    It also puts a crimp in e-mail worms that attempt to use a built-in SMTP engine to avoid detection. Unless the worm forges a domain with no reverse-MX info published, the worm won't spread (most MTAs will drop the connection). Instead, the worm will have to route through the user domain's SMTP server, where the mail admin is more likely to catch the traffic (virus scanner on the SMTP server, or rate limiters).

    --
    Wolde you bothe eate your cake, and have your cake?
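
    The check described in the post above (a domain publishes which hosts may send mail for it; the receiving MTA compares the connecting IP against that list), as an added example that is not part of the thread. The records in the PUBLISHED table are constructed and looked up from memory rather than via DNS TXT queries; only the ip4, ip6 and all mechanisms are implemented, and the qualifier letters follow the spf1 shape.

```python
"""Minimal SPF-style ("reverse MX") sender check. Added example; the
records are constructed and served from an in-memory table instead of DNS."""
import ipaddress

# Constructed policies: which hosts may send mail claiming these domains.
PUBLISHED = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.7 ~all",
    # example.net publishes nothing: the receiver cannot draw a conclusion,
    # which is exactly the gap the post expects spammers to move into.
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_record(domain):
    """Stand-in for a DNS TXT lookup of the domain's policy (assumption)."""
    return PUBLISHED.get(domain)


def evaluate(domain, client_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none'.

    'none' means the domain publishes no usable policy; the other results
    come from the first mechanism that matches the connecting address."""
    record = lookup_record(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # not a policy we understand; treat as unpublished
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "permitted"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        else:
            continue  # include:, a, mx and friends are out of scope here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # ran off the end of the record without a match


def mta_action(domain, client_ip):
    """Policy a receiving MTA might apply: reject hard failures at SMTP time,
    tag soft failures for the filter, accept everything else. The choice of
    strictness is the receiver's, as the thread notes."""
    result = evaluate(domain, client_ip)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-tag"
    return "accept"


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.25"), ("example.com", "203.0.113.9"),
                    ("example.org", "203.0.113.9"), ("example.net", "203.0.113.9")]:
        print(dom, ip, evaluate(dom, ip), mta_action(dom, ip))
```

    A domain that publishes "-all" after its permitted hosts lets a receiver reject forged mail during the SMTP transaction, before a bounce is ever generated, which is the joe-job protection the post is after; a domain with no record gets "none" and the receiver has to fall back on its other filters.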
  41. Re:Uh no sirree bob.... by twoslice · · Score: 1

    Well sometimes Victoria Secret spam piques my interest....

    --

    From excellent karma to terrible karma with a single +5 funny post...
  42. Why not Sender Permitted From (SPF)??? by linuxtelephony · · Score: 1

    One of the best solutions I've seen has been the SPF (Sender Permitted From) idea previously mentioned here and here.

    It's on the agenda for my next mailserver deployment. Hopefully others will implement it as well. Seems like a really good, vendor and ISP neutral idea that could really help make a difference. And it has (or had when I last read it) a good deployment plan that allowed for phased deployments and letting each receiving site determine the strictness of the implementation for receiving email from other sources.

    If that's what Yahoo is rolling out, even better. If a critical mass can just get behind a single solution such as SPF, then it has a chance to make a difference. If we keep deploying vendor-based solutions, we don't make any progress.

    --
    . 62,400 repetitions make one truth -- Brave New World, Aldous Huxley
  43. As long as it's open by jcern · · Score: 1

    I figure a standard has to come from somewhere. As long as it's truly open, and there's no chance of it closing later (ala the whole GIF fiasco).

    The java community can look to eclipse for proof of this. I've heard accounts of how they bypassed the whole JCP, but IMHO managed to produce something that, preferences aside, functions according to spec and contributes to the community as a whole.

    More power to anyone who sees a potential solution to a problem and pursues it, not to make a buck, but as a solution to a common problem.

    Well, that's my 2cents.

  44. OS X mail works fine by djupedal · · Score: 1
    I have less than 10 junk mail filters in Mail (OS X). These, along with the stock junk mail strategy and my mail server's config mean that I get less than 5 junk mails a month.

    This is down from dozens....

  45. About Time by zentec · · Score: 1

    The problem is the standards bodies haven't done a whole lot to curb the problems with SMTP. The implicit trust it conveys is the WHOLE problem with spam and it's time to toss it out and come up with an alternative.

    Hopefully whatever the alternative is, it'll allow administrators to verify the sending party or at least the relaying party and convey some level of trust and authenticity. With billions and billions of junk messages per day, email is well on the way to becoming just too much trouble to use.

  46. a flavor of the inevitable by mabu · · Score: 1

    This is just a stop-gap attempt to migrate closer to what is ultimately the only way to control spam: trusted hosts (also known as whitelisting).

    We might as well just admit it. SMTP relays need to be licensed and regulated. This would stop spam. Implementing customized protocol-based front ends just slows things down and isn't horizontal in its implementation. And the idea of some handshake mechanism that denotes an acceptable SMTP source has to have spamming hackers salivating. They'll crack it within a week.

    1. Re:a flavor of the inevitable by WuphonsReach · · Score: 2, Interesting

      SMTP relays need to be licensed and regulated.

      Ummm... and who do you propose is going to do the licensing and regulations? What enforcement powers will they have over relays in another jurisdiction?

      What's to stop the spammers from bribing officials to get their spam-relays "licensed"?

      --
      Wolde you bothe eate your cake, and have your cake?
    2. Re:a flavor of the inevitable by WolfWithoutAClause · · Score: 1
      This is just a stop-gap attempt to migrate closer to what is ultimately the only way to control spam: trusted hosts (also known as whitelisting).

      Not quite- I mean how do you know that a piece of email (spam) is from the trusted host that it says it is from? Only a cryptographic key can help with that- simply trusting the email is never, ever going to fly. I think this proposal has legs- it critically depends on the implementation however.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
  47. Re:I am implementing on the 15 or so domains I adm by CatPieMan · · Score: 2

    I would probably implement all of this on my mail servers except for one critical flaw, they only mention sendmail and qmail support (and presumably exchange as well). I use exim b/c I like the filtering options (and a friend of mine highly recommended it).

    If they don't support exim, then I can't use it. Exim developers may implement it, but yahoo can't reasonably say that they would start blocking before other projects have a chance to make their own versions.

    On the other side of things, I'm going to start with the spf's shortly.

    -CPM

    --
    ---You're all I need, When the water runs deep, You're all I need, Now I cry my soul to sleep -- Collective Soul, Needs
  48. Like a news server by KalvinB · · Score: 1

    "but hey, no more email size limits!"

    Spammers don't send massive e-mails because it takes too much bandwidth to bulk send.

    E-mail size limits come from mail servers that don't want individuals e-mailing massive attachments. It takes up bandwidth and storage while it sits waiting for the user to retrieve it.

    And your method has already been implemented. It's called a news server. Technically there's nothing stopping you from using one as a primary e-mail address. Unless you can't set it to be post only (like SMTP) except for those with a user and pass to download the messages.

    Kind of interesting actually.

    Ben

  49. Re:Uh no sirree bob.... by twoslice · · Score: 1

    Anyone can google - I like to go ogle...

    --

    From excellent karma to terrible karma with a single +5 funny post...
  50. Re:inertia (vs pain) by WuphonsReach · · Score: 3, Insightful

    Pain is a powerful motivator...

    Reverse MX and Yahoo!'s proposal, however, don't require widespread adoption at the start. In fact, the tipping point is probably only a few percentage points of the domain namespace.

    After all, for just a few minutes worth of work (more if you don't already provide SMTP AUTH, or require users to VPN in to send e-mail already), you protect your domain against joe jobs and forged e-mail bounces. So there's a low cost-of-entry. (Yahoo!'s proposal requires more work than the simpler, less CPU-intensive SPF proposal.)

    What happens next is that domain admins that publish keys/SPF information find that they're no longer getting joe-jobbed and they're able to block a higher percentage of spam than they used to. Word gets out and more folks sign on (second wave adopters).

    Sometime after that, the big ISPs require your mail servers to publish SPF/keys if you want your e-mail to be delivered to their users. (FYI, this is very similar to AOL's whitelisting program, which is essentially a privately-administered reverse-MX system where you tell AOL what IPs your e-mail is allowed to originate from.)

    As a WAG about rate of pickup, early adopters have started, second wave folks will probably sign on in the spring/summer, and I wouldn't be surprised to see ISP-blocking by the end of the year.

    --
    Wolde you bothe eate your cake, and have your cake?
  51. Anything OSS is a standard already implemented by Anderlan · · Score: 1
    Anything OSS is a standard already implemented, sans standards body. Would we prefer a standard proposed by bodies increasingly eaten up by cancerous corporate interests? A patented standard even? No, simple legible working code is just as good to me.

    One day we will look back at something everyone does the same and say, oh, that's because it was implemented first that way in OSS project Foo. Actually, I'm sure we could find an example of that day already being past.

    from the article:

    Yahoo's plan is to write open-source software for popular e-mail server programs such as QMail and SendMail that would check all incoming messages to ensure they're coming from real Internet domains.

    --
    KLAATU, BORADA, NIh*ahem*
    1. Re:Anything OSS is a standard already implemented by Anderlan · · Score: 2, Interesting

      Also, we've all seen discussions in projects where many people propose solutions in the abstract but to get real cred a solution has to be proposed as working code. Nothing gets implemented quite as fast as working code.

      --
      KLAATU, BORADA, NIh*ahem*
  52. One word: authentication by snakecoder · · Score: 1

    I use mailblocks. I get NO spam. It works.

    --
    -Nuke the moon
  53. Good move? Or bad joke... by Anonymous Coward · · Score: 0

    I have some spam-trap addys that automagically block smtp servers. Near as I can tell, most of Yahoo's allegedly legitimate smtp servers are now blocked. When Yahoo! stops being a spam source, I'll listen to them. Until then, I'll assume that they're just trying to find a way to get their spam through filters.

  54. yahoo are spam nazis (who deal with many idiots) by Anonymous Coward · · Score: 0

    now wait a minute -- you set up an OPEN MAIL RELAY
    and send who knows how many spam messages out to
    the world.

    Why does yahoo have any reason to believe you
    won't just "forget" and do the same thing all
    over again?

    sounds like you're the idiot to me -- why in the
    world would you let your only ip address be used
    as a mail relay? Maybe you should hire an admin?

    you do realize that you're completely wrong?

  55. Re:Something needs to change (this won't be temp) by WuphonsReach · · Score: 1

    This system, reverse-MX systems, and other systems will not be temporary.

    The problem today with SMTP spam is that it's like being able to collect-call your target and they have to receive the call. Worse, the spammer is able to forge the caller ID (FROM:) information so that you can't simply use the caller ID info to decide whether to accept/reject the call/message.

    This is the technical equivalent of a law requiring that caller ID information be accurate. It doesn't stop the telemarketing calls, but does let the receiver make a more informed decision about whether or not to accept the collect call.

    --
    Wolde you bothe eate your cake, and have your cake?
  56. Signed Email by Corpus_Callosum · · Score: 5, Interesting

    Nothing new needs to be invented here. What we should all be pushing for is signed email. There are many advantages to signed email, but here are the most relevant:

    (A) Signed email signs not just the message headers, but also the message body. No chance of header substitution.

    (B) Signed email associates signatures with some certificate chain and, presumably, a CRL (Certificate Revocation List). Abuses can lead to certificates being revoked.

    (C) Because of the certificate chain, there is a chain of trust. There is always SOMEONE to sue!

    (D) It is a simple measure to simply throw out any email that is not signed.

    (E) Because of esign legislation, signed emails can be considered legally binding. In other words, lies, misrepresentations, libel, etc... in signed emails provides you with grounds for prosecution in courts of law - as if the signer wrote you the document and signed his name at the bottom (and yes, they can also be used for legally binding contracts and whatnot).

    There is an issue with "Crossing the chasm" with signed email, of course. It would require a body such as AOL and/or Yahoo rising up and providing signature filters on incoming email to force such a solution into the mainstream. But once this is done, SPAM will practically disappear. And any SPAM that comes in through signed channels can be dealt with in a satisfactory way.

    I do not believe this harms any of us, btw...

    You want privacy? The same techniques that allow you to sign email also allow you to encrypt email to your destination.

    Worried about anonymity? Certificates can be issued that authenticate an email address without full disclosure of the owner of that address (but this may not be satisfactory for stopping abuses). Anonymity and stopping SPAM may, unfortunately, be mutually exclusive goals.... Any thoughts?

    --
    The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
    1. Re:Signed Email by cheezit · · Score: 4, Insightful

      Most of your reasons are in fact why signed email WON'T work.
      B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users.
      C. Someone to sue...only in the US is that an attractive feature.
      D. Sure, but most users are unlikely to get savvy enough to understand the distinction. The proposed scheme takes that decision out of the user's hand.
      E. Sure, for that .001% of transactions where conventional forms of contract aren't good enough. Most people wouldn't sign a binding contract without legal advice, at which point they have access to a notary, etc., and the signature feature on email has no value.

      My take is that this is a problem that is hard enough to address even partially---adding the burden of a massive worldwide PKI deployment would make it impossible. Verisign or Thawte would love it.

      --
      Premature optimization is the root of all evil
    2. Re:Signed Email by halowolf · · Score: 1
      Personally I use signed email myself, that way those that communicate with me, will always know that any email I send actually does come from me, and not through any other system. (No bulk mailing virus has ever hit me either just in case you were wondering). Some of my other friends also sign their mail.

      I wouldn't mind seeing signed email being a standard that all users must abide using, however there is a large infrastructure cost in implementing this, and the average users knowledge on certificate technology is greatly lacking making end user management a nightmare. Some easier tools in this area that a certificate novice could understand better would certainly help.

      The big plus I see is the tracking and identification of abuses with email. However I would not like to see this leading to any vigilante style justice that has so predominated many current anti-SPAM techniques. I'm sure those innocent people with domains that have been wrongly classified as SPAM originators out of mistakes or spite would agree.

      My current SPAM intake is 50-100 emails a day with about 10 passing through Mozilla Bayesian filtering.

    3. Re:Signed Email by Corpus_Callosum · · Score: 2, Informative

      Most of your reasons are in fact why signed email WON'T work.

      Let's talk about this. Interesting subject.

      B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users.

      CRLs as currently formulated are indeed pretty nasty. They need to evolve. Let's assume that VRSN does run the CRL, for instance... Couldn't they create domain records for checking on the revocation status of certificates? It seems to me that by having a namespace in the DNS registry devoted to certificate "status" would effectively solve this problem.

      Ah yes, this is new... But what I am saying to you is that I agree and disagree. Yes, existing CRL schemes will not scale. Yes, they can be made to scale with a little creativity and existing infrastructure.

      C. Someone to sue...only in the US is that an attractive feature.

      The point is that someone is responsible. Sue them or just make fun of them in public, whatever... At least you know "who".

      D. Sure, but most users are unlikely to get savvy enough to understand the distinction. The proposed scheme takes that decision out of the user's hand.

      Well, I would think that the purpose of being able to throw away unsigned email is self evident. If a few big ISPs standardized on this, it wouldn't take long for email software to be updated and the "basic memes of avoiding SPAM" to become common knowledge.

      E. Sure, for that .001% of transactions where conventional forms of contract aren't good enough. Most people wouldn't sign a binding contract without legal advice, at which point they have access to a notary, etc., and the signature feature on email has no value.

      Add the disclosure "discussion, not legally binding" like you would in a written and hand-signed correspondence. Esign makes things easier and quicker for commerce - it returns us, in some ways, to the world before email.

      My take is that this is a problem that is hard enough to address even partially---adding the burden of a massive worldwide PKI deployment would make it impossible. Verisign or Thawte would love it.

      Eventually, like it or not, there will be a worldwide PKI. It is inevitable. It has to start somewhere, and stopping SPAM seems like a good place to start.

      Yea, lots of issues at first. But the benefits will be abundant. And who's to say VRSN has to control it?

      --
      The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
    4. Re:Signed Email by Anonymous Coward · · Score: 0

      PKI hierarchies are not necessary. PKI need not be run by an old-boy's club/cartel. Distributed systems such as PGP are just as powerful, and easier to manage.

      So you want to know who is a spammer and who isn't? Suppose every message from a decent person was signed. Suppose each of these decent people include an email header containing an URL which points to their public key. If you get an email from a person you like you add their key to your keyring. If you get a signed/keyed email from a spammer, you add their key to your spam keyring.

      If you receive a message that isn't signed, it goes into the spam bucket. If you get a signed message from someone you don't know, it either goes into a temporary bucket, or the spam bucket. If they aren't evil, you add their key to your keyring once and be done with it.

      No need for a centralized internet server or certificate god in the sky. If you want to manage them centrally on your own network, fine, manage those 3 buckets on your server, and allow your users to submit keys for network-wide consideration, or just for their own filtering.

      The right user interface could allow this to catch on. In general I agree with you. People argue that Public key is too much of a sledge hammer. Well, they don't know public key. Right now, HTTPS/SSL is too much of a sledge hammer. PGP webs of trust probably aren't, but they are complicated at first glance. Other similar systems could be even more flexible yet easier to use. The sky really is the limit.
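
      Two points from this sub-thread in working form, as an added example that is not part of the thread: point (A) of the "Signed Email" post (a signature covering only the headers lets the body be replaced in transit; one covering headers and body does not) and the three-bucket keyring filter described in the reply above (unsigned goes to spam, a valid signature under a known-good key to the inbox, a known-spam key to spam, an unknown key to a holding bucket). The signature primitive is an assumption: HMAC-SHA256 under a per-sender secret stands in for the public-key signature a real deployment would use, because Python's standard library has no RSA; the keyrings, key ids, addresses and messages are constructed for the example. What the code shows is which bytes the signature covers and how the buckets are decided, which does not depend on the primitive.

```python
"""Header-only vs header+body signatures, and three-bucket key filtering.
Added example. HMAC-SHA256 stands in for a public-key signature (assumption);
with a real scheme the keyrings below would hold public keys, not secrets."""
import hashlib
import hmac

# Constructed keyrings, keyed by the sender's key id.
GOOD_KEYS = {"alice-2004": b"alice-secret-key"}
SPAM_KEYS = {"bulk-9": b"bulk-mailer-key"}


def canonical_headers(msg, fields=("from", "to", "subject", "x-key-id")):
    """Fixed field order, lowercased names, trimmed values: the signed header set."""
    return "\r\n".join(f"{f}:{msg['headers'].get(f, '').strip()}" for f in fields)


def canonical_body(msg):
    """Normalise line endings and trailing blank lines so benign relay rewriting
    does not invalidate an honest signature."""
    body = msg["body"].replace("\r\n", "\n").rstrip("\n")
    return body.replace("\n", "\r\n") + "\r\n"


def signed_bytes(msg, cover_body):
    data = canonical_headers(msg)
    if cover_body:
        data += "\r\n\r\n" + canonical_body(msg)
    return data.encode("utf-8")


def sign(msg, key, cover_body=True):
    return hmac.new(key, signed_bytes(msg, cover_body), hashlib.sha256).hexdigest()


def verify(msg, key, signature, cover_body=True):
    return hmac.compare_digest(sign(msg, key, cover_body), signature)


def make_message(sender, subject, body, key_id=None, key=None):
    """Build a message; if a key is given, sign headers and body and attach the
    key id and signature as headers (constructed header names)."""
    msg = {"headers": {"from": sender, "to": "me@example.net", "subject": subject},
           "body": body}
    if key_id is not None:
        msg["headers"]["x-key-id"] = key_id
        msg["headers"]["x-signature"] = sign(msg, key)
    return msg


def tampered_copy(msg, new_body):
    """In-transit body replacement that keeps every header, signature included."""
    return {"headers": dict(msg["headers"]), "body": new_body}


def header_only_signature_misses_body_tampering():
    """Return (header_only_still_verifies, full_signature_still_verifies)
    for a message whose body was swapped after signing."""
    key = GOOD_KEYS["alice-2004"]
    msg = make_message("alice@example.com", "lunch", "Noon at the usual place?\n",
                       "alice-2004", key)
    sig_header_only = sign(msg, key, cover_body=False)
    sig_full = msg["headers"]["x-signature"]
    evil = tampered_copy(msg, "Click here for pills\n")
    return (verify(evil, key, sig_header_only, cover_body=False),
            verify(evil, key, sig_full, cover_body=True))


def classify(msg):
    """Three buckets: 'spam', 'inbox', 'quarantine'. A known-good key id with a
    signature that does not verify is spam too: someone is impersonating a
    sender the recipient trusts."""
    sig = msg["headers"].get("x-signature")
    key_id = msg["headers"].get("x-key-id")
    if not sig or not key_id:
        return "spam"
    if key_id in SPAM_KEYS:
        return "spam"
    if key_id in GOOD_KEYS:
        return "inbox" if verify(msg, GOOD_KEYS[key_id], sig) else "spam"
    return "quarantine"  # signed by someone not yet in either keyring
```

      Note that canonical_headers deliberately excludes the signature header itself and that the key id is inside the signed set, so an attacker cannot relabel a message as coming from a different key without breaking the signature. The quarantine bucket is where the reply's "add the key once and be done with it" step happens: moving a key id into GOOD_KEYS turns every later message under it into inbox mail.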

    5. Re:Signed Email by WolfWithoutAClause · · Score: 1
      B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users.

      They scale enough though- the number of email domains is presumably much less than 100K.

      C. Someone to sue...only in the US is that an attractive feature.

      Oh I don't know. Quite a lot of spam seems to come from America, so even foreign people can sue them in America :-)

      My take is that this is a problem that is hard enough to address even partially---adding the burden of a massive worldwide PKI deployment would make it impossible. Verisign or Thawte would love it.

      What massive? It's just a database of public keys of servers and a flag against it as to whether it is thought to be well managed or not. It's probably distributable using bittorrent or something. And it's a black hole list too- if Yahoo starts sending out spam; they're gone.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    6. Re:Signed Email by WuphonsReach · · Score: 1

      B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users.

      They scale enough though- the number of email domains is presumably much less than 100K.


      Back in 2000-2001 there were already 15 million domains (estimated)

      Another post from 2002 says that there are at least 36 million.

      --
      Wolde you bothe eate your cake, and have your cake?
    7. Re:Signed Email by WolfWithoutAClause · · Score: 1
      Back in 2000-2001 there were already 15 million domains (estimated)

      These aren't email domains though; they are web domains- a rather different thing. And a lot of them are hosted by somebody else, and the number of hosts is far, far smaller.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    8. Re:Signed Email by Anonymous Coward · · Score: 0
      I really don't see why you're saying we should be pushing for signed emails.

      Spammer companies can just as easily sign documents as they can cash credit card payments. (IMHO, the retailer who hires spammers ought to be liable, rather than the kid in Hong Kong or Romania who is sending the email on their behalf) Both are perfectly good ways of tracking them down.

      The dissident, the whistleblower, and the author who wants to publish under a pen name, are the ones who can't easily set up a shell organization to sign stuff.

      But back to the yahoo thing -- by all means, it's cool if a company wants to try this. If it catches on too, that's cool too. I suspect it won't, though, because IMHO the relative anonymity of the internet is valued by many.

      IMHO the best anti-spam technique is to not give my email address to spammers. (email accounts where I subscribed to promotional pieces from .com businesses, are not surprisingly the ones with the most spam - ones I've kept even kinda private are surprisingly spam free)

    9. Re:Signed Email by jbert · · Score: 2, Insightful

      I think 100k mail domains worldwide is a little on the low side. One ISP to my knowledge hosts over 30k mail domains. Of course, that could just be our cool software :-)

    10. Re:Signed Email by BigJim.fr · · Score: 2, Informative

      > CRLs don't scale. Period. There's a reason
      > why PKIs hardly ever get past 100K users.

      Ever heard of OCSP ? That solves the problem. Please refrain from expressing uninformed opinions.

    11. Re:Signed Email by Anonymous Coward · · Score: 1, Insightful

      I think signed e-mail is a really good solution for controlling spam in general. However, there is one problem I haven't worked out yet.

      Spammers are unscrupulous, but they're not the only ones. Let's say that you have someone who creates an online identity and uses their e-mail account for a few months and builds up a reputation as a non-spam-sender. Great, they're not sending spam, and the system is working, allowing their messages to get through.

      But then let's say that person manages their finances badly. They go out and buy all kinds of crap they don't need (a big screen TV, a car, etc.), and they charge up lots of crap on their credit card. They have no savings, and then they get laid off from work. Suddenly, they're desperate for money. Their electricity is about to get shut off, and they are a couple months behind on their rent. And then a spammer approaches them and says "I'll give you $5000 if you just give me your private key. All you have to do is get a new e-mail account, let your friends know your new address, and then hand over the keys to your old account to me."

      Presto, the spammer pays his $5000 and gets a fresh, new, legitimate, trusted identity to send out his crap. He uses it for two days to send out spams for a customer's marketing campaign, and then he throws it away.

      (In fact, this is a problem in general with identities that are secured solely with secret digital information. They give the holder of the secret the power to sell out and let someone else pretend to be them. And that's the one reason I can think of that replacing social security numbers and credit cards with GPG keys might not be so hot.)

      Anyway, the point of all this is that if you rely on digital signatures to protect us from spammers, you have to be able to revoke identities very quickly, preferably in a matter of minutes, but hours would be acceptable in some cases. (It is preferable to allow the mail server to reject the spam before it ever gets placed in a mailbox. But if that can't be done, then the notification that a message is spam can come while it sits unread in the mailbox. The mail client can periodically re-check the status of all unread e-mails. Or, the mail server can push the latest spam information updates to the mail clients. Either way, the point is that it only has to be caught as spam before the user reads it, not before it winds up in their inbox.)

    12. Re:Signed Email by SnowZero · · Score: 1

      The problem is, this isn't really any better than filtering based on your address book (i.e. anyone in my address book is not a spammer). All the spam would be newly created identities and end up in the temp folder. It's better than nothing, but I don't want to wade through all the crap in temp to find new people that may have mailed me legitimately.

    13. Re:Signed Email by 0x0d0a · · Score: 1

      B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users

      Force cert expiry, which lets you also purge obsolete CRLs. Use a distributed, caching mechanism to distribute CRLs.

      D. Sure, but most users are unlikely to get savvy enough to understand the distinction. The proposed scheme takes that decision out of the user's hand.

      I don't understand the water distribution system that services my house. I do know that it's reasonably well put together, provides clean water reliably, and that it fills a wide number of needs without too much expense.

      Folks may not understand all the benefits of signed email. That's no justification for not implementing this in a manner that requires essentially no user involvement (Hell, does your average user understand Windows Metafile Format? How about the signal processing involved in Ethernet chipsets? He uses both!).

      Sure, for that .001% of transactions where conventional forms of contract aren't good enough. Most people wouldn't sign a binding contract without legal advice, at which point they have access to a notary, etc., and the signature feature on email has no value.

      That's not the point. Congress, desperate for a solution to allow companies to deal with licenses and contracts over the web, allowed e-signatures to be legally binding a few years back. Unfortunately, an e-signature does not entail a cryptographic signature, a standard method of presenting to the user or logging signed contracts. It even allows a software agent to sign legally binding documents. The only thing that is required is intent on the signer's part to produce a legally binding document. Currently, I am theoretically bound by clicking an "I Agree" button in a web browser. This is, frankly, idiotic. Email signing is no more than a mechanism saying that it's unlikely that someone forged a document. It's not an e-signature mechanism in itself, since you want to make it clear to people that *this* particular email is a legally binding document (that happens to be authenticated), and *this* email is not legally binding (and also happens to be authenticated).

      Email signing is a good thing, almost without caveat.

    14. Re:Signed Email by WolfWithoutAClause · · Score: 1

      If the protocol is written sensibly, you only need to have one signature for all those 30k domains, although you may choose to have several.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    15. Re:Signed Email by jeremyp · · Score: 1

      (A) Err actually, a signed message in s/mime format does not include the headers in the signed part. In fact, that would be impossible since current e-mail standards require all MTAs to add a received header.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    16. Re:Signed Email by Anonymous Coward · · Score: 0

      Do you work for Verisign perhaps?

      A sneaky way of getting the internet tax in, and it cuts out the middleman (US Gov) - the tax goes straight to our wonderful overlords.

    17. Re:Signed Email by jez9999 · · Score: 1

      eBay Without The Fees [pricetag.com]

      Not even a success fee? How do they make money? I don't see ads on the site and I don't use ad blockers.

    18. Re:Signed Email by jbert · · Score: 2, Informative

      Sure. I was commenting on the tangent regarding the number of worldwide mail domains.

      However, 100k is also a low estimate for hosts.

      In 2001, Dan Bernstein did this survey which yields an internet-wide estimate of 4 million reachable IP addresses running an SMTP server. I doubt the figure has decreased.

      Scalability over many orders of magnitude is a fairly key requirement for internet protocol design.

    19. Re:Signed Email by mindstrm · · Score: 1

      - Who issues the certificates? This is a HUGE issue, and would create an instant nasty market. Think verisign.

      - PKI infrastructures don't scale to millions of users very well.

      - The esign legislation does not mean anything electronically signed is binding.... it just means that a signature cannot be discounted simply because it is electronic. That is a subtle, but important distinction.

    20. Re:Signed Email by praedor · · Score: 1

      Worried about anonymity? Certificates can be issued that authenticate an email address without full disclosure of the owner of that address (but this may not be satisfactory for stopping abuses). Anonymity and stopping SPAM may, unfortunately, be mutually exclusive goals....


      One word: whistleblower.


      Unless any such scheme has in it an ability (perhaps default) to, as you say, strip out anything that can specifically tie an email to a specific individual, then it sucks.


      Forget encryption. All a company or government office/agency need do is decide that any encrypted emails are suspicious and likely indicative of a leak, and the sender/receiver a likely risk that needs investigation (or firing).


      Come up with a scheme and frickin implement it that goes a long ways towards shutting down spam but at the same time protects (or better, furthers) the ability to be email-anonymous. This would protect the GOOD GUYS (ie, whistleblowers and Deep Throats in the "internet age"). Just make sure the system does not require a money-making organization (Verisign or M$ or the like) to act as an agent in the mix. I could go with micropayments for emails in order to kill spam off.

      --
      In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
    21. Re:Signed Email by 0x0d0a · · Score: 1

      It doesn't, at least as things are. My guess is that they're going to add "premium" services at some point.

      They don't do everything that eBay does, though.

    22. Re:Signed Email by cheezit · · Score: 1

      Trusted third party schemes (which is what OCSP pushes a PKI to) don't and won't scale to worldwide deployment either. If you take a look at the existing internet, pretty much all security schemes are multiple layers of technology in combination with human factors. The proposed solution fits the layered model.

      I don't claim to be a PKI expert, and don't plan on becoming one---I just don't believe that the basic concepts of conventional PKIs map well to human behavior, decision-making, or politics, outside of specific domains such the military.

      --
      Premature optimization is the root of all evil
    23. Re:Signed Email by cheezit · · Score: 1

      The comment I responded to was proposing individual certs for users. I agree that certs at the domain level are probably reasonable, and I generally think this problem is best addressed at the MTA level not the user level, just as the original article is proposing.

      --
      Premature optimization is the root of all evil
    24. Re:Signed Email by budgenator · · Score: 1

      Considering that you can get http, pop/smtp, and database for US$8-10 per month, I'm amazed that there are only 4 million reachable IP addresses running an SMTP server. Makes you wonder how long it would take to nmap the internet for smtp servers yourself.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    25. Re:Signed Email by tepples · · Score: 1

      Most people wouldn't sign a binding contract without legal advice

      Did you talk to your attorney before signing up with your ISP?

    26. Re:Signed Email by greenrd · · Score: 1
      Easy. Use Hushmail or something. Preferably from an internet cafe.

      No internet cafes in your area? Unlucky. Work disallows HTTPS? Unlikely to happen.

    27. Re:Signed Email by jtcm · · Score: 1
      It seems to me that by having a namespace in the DNS registry devoted to certificate "status" would effectively solve this problem.

      After reading this, my initial thought was "AHA! Excellent idea." Upon reflection, though, one reason the DNS system works so well is because the task of maintaining records falls on the owner of the domain. i.e. Yahoo is responsible to make sure yahoo.com maps to the correct IP.

      Would you trust the spammers to set their own "status" to "revoked"? Kinda reminds me of the evil bit.

      I like the rest of your post and would love to see signed email become mainstream. I'm just not sure how to build infrastructure for a reliable, trustworthy, scalable, world-wide certificate authority.

      --
      this post will not be moderated. it missed the 5-minute window after fp
      --
      @ASP.NET's parent-teacher meeting: "Little Johnny.NET is very bright, but he doesn't play well with others."
    28. Re:Signed Email by Corpus_Callosum · · Score: 1
      After reading this, my initial thought was "AHA! Excellent idea." Upon reflection, though, one reason the DNS system works so well is because the task of maintaining records falls on the owner of the domain. i.e. Yahoo is responsible to make sure yahoo.com maps to the correct IP.

      Would you trust the spammers to set their own "status" to "revoked"? Kinda reminds me of the evil bit.
      Actually, I was suggesting something a little different: a certificate status namespace that was administered by a single organization (or by many organizations that are accredited and using a similar process). The idea would be to have certificate status on a non-domain-name namespace, using the DNS infrastructure.
      --
      The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
  57. Easy to block fake yahoo mail by rossz · · Score: 1

    This works in Exim 4.x. This goes in the acl_smtp_rcpt:

    deny message = Fake Yahoo, so you must be spam.
    log_message = Fake Yahoo
    senders = *@yahoo.com
    # $sender_host_name is only set once Exim's reverse lookup has been confirmed
    # by a forward lookup; an empty name fails the match and is denied like a fake.
    # The dot is escaped and the name anchored so "fakeyahoo.com" is not accepted.
    condition = ${if match {$sender_host_name}{\N(^|\.)yahoo\.com$\N}{no}{yes}}

    I also have rules for AOL, MSN, and Hotmail. The only difference for each is the string to match on (and the deny/log messages).

    AOL: (^|\.)mx\.aol\.com$
    MSN: (^|\.)(hotmail|msn)\.com$
    Hotmail: (^|\.)hotmail\.com$

    --
    -- Will program for bandwidth
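The same sender-domain versus reverse-DNS check as the Exim ACL above, written out in Python as an added example (not the poster's configuration) so the rule table can be tried against constructed inputs; it also keeps the unanchored `yahoo.com$` form beside the anchored one to show what the loose pattern lets through. Host names and addresses below are made up.

```python
"""Reject mail claiming a big-provider sender domain when the connecting host's
verified reverse-DNS name is not under that provider's domain."""
import re
from typing import Optional, Tuple

# Sender domain -> pattern the sending host's reverse-DNS name must match.
# Anchored and dot-escaped, so "fakeyahoo.com" or "yahooXcom" do not pass.
EXPECTED_HOST = {
    "yahoo.com":   re.compile(r"(^|\.)yahoo\.com$"),
    "aol.com":     re.compile(r"(^|\.)mx\.aol\.com$"),
    "msn.com":     re.compile(r"(^|\.)(hotmail|msn)\.com$"),
    "hotmail.com": re.compile(r"(^|\.)hotmail\.com$"),
}

# The unescaped, unanchored form: "." matches any character and nothing stops a
# longer label from ending in "yahoo.com". Kept only to demonstrate the pitfall.
LOOSE_YAHOO = re.compile(r"yahoo.com$")


def rcpt_acl(sender: str, sender_host_name: Optional[str]) -> Tuple[str, str]:
    """Decide one RCPT like acl_smtp_rcpt: returns ("accept"|"deny", reason).

    sender_host_name is the reverse-DNS name of the connecting host after
    forward confirmation, or None when that lookup failed (Exim then leaves
    $sender_host_name empty, which the ACL treats as a non-match)."""
    domain = sender.rpartition("@")[2].lower()
    pattern = EXPECTED_HOST.get(domain)
    if pattern is None:
        return ("accept", "no rule for sender domain")
    if not sender_host_name or not pattern.search(sender_host_name.lower()):
        return ("deny", f"Fake {domain}, so you must be spam.")
    return ("accept", f"host matches {domain} rule")


def loose_would_accept(sender_host_name: str) -> bool:
    """What the unanchored yahoo.com$ pattern would accept as a Yahoo host."""
    return LOOSE_YAHOO.search(sender_host_name.lower()) is not None
```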
  58. Don't need a larger penis or viagra to get it ... by Anonymous Coward · · Score: 0

    working. Any more libido and no beast would be safe, let alone a human female.

    If you know of anyone who has ever responded to a spam email, slap them with a wet slimy fish for me.

    Clearly email (and pr0n) is what made Joe Average look at the internet. Email still remains the killer app of the internet (for those of us with friends) and we really must do something NOW!

    This will hopefully send shockwave through the OSS community and get us into first gear!

  59. A solution by dotwaffle · · Score: 1

    People talk about charging, and most people write it off... But what if we did it slightly differently. You pay a worldwide organisation a small fee (say GBP1/$1) per email address you want registered, and the profits go to charity. They then authenticate that email address for all emails. If it turns out spam is being sent from that address, the account is terminated/suspended. SPAM would still be a problem, yes, but only to a lesser extent, and those spammers who don't get registered addresses, well, they go straight to the purge button...

    It could also work on small systems, where you might not want to pay this organisation - you simply tell all your friends to add your email address to their allow list. Sure, you can't just send emails then, but it'd be a way around. What's stopping me (or someone who might want to start this off) from doing this? Non-profit, completely, probably with the profits going to some neutral cause (like a disaster fund) rather than some evil pharmaceutical firm, "researching" cancer drugs. But that's for another time...

    Seriously, could it work? BTW, I'm guessing I just released that idea into the public domain yeah? Is there such thing as a GPL for ideas? I'd have dozens...

  60. This is kind of sad.. by msimm · · Score: 4, Insightful

    Especially considering how promising the OSS model is, why can't we create a solution? We talk about the complexity of the problem, the importance of not breaking standards, etc. Who FUCKING cares if I can't check my email because it's totally FUCKING BURIED in unsolicited junk...

    I don't mean to come off as the thundering asshole, but this situation has grown so slowly it's like watching a car crash spread out over the past 15 YEARS.

    Please, experiment. Break things. I don't give a shit, but don't let us sit here moaning like helpless children while spammers sit back (laugh) and rake in MILLIONS.

    Get fucking aggressive.

    And if I hear one more idiot talk about how you have to cut spammers off by not buying their products I'm going to cut him off at the knees! If that would work you and Noah could be shooting dice right now and we'd have a hell of a lot less to worry about.

    Programmers still know how to experiment, right?

    --
    Quack, quack.
    1. Re:This is kind of sad.. by Josuah · · Score: 2, Insightful

      People have been experimenting. This isn't the first time someone has put forth a suggestion (and sometimes with implementation details) on how to curb spam. Yahoo! is not the first entity to suggest the use of digital signatures at the sender or via SMTP. However, they have the weight and influence to make their choice/suggestion a reality.

  61. Re:yahoo are spam nazis (who deal with many idiots by Anonymous Coward · · Score: 0

    Read his comment before you reply you dumb fuck. It was an open proxy not an open mail relay. Sheesh. You probably run FreeBSD too.

  62. Spam Alert from the Future by cybermace5 · · Score: 1

    I've taken the trouble to set up a web-warp link and post this message from 2034, in the hopes you'll be able to do something about this problem before it reaches the current state.

    From 2004 to 2015, spam and filtering technology continued to battle aggressively. Both sides used the most advanced statistical and artificial intelligence methods available. By 2012, spam supercomputers (some among the top fifty supercomputing centers in the world) were crosslinking hundreds of minute details about you available from purchase records and anything else they could glean from the web, including several insidious spyware/virus products. You would get a conversational email purportedly from one of your relatives, full of personal details and chattering about some innocent topic, into which would be inserted a casual plug for some product. Spam filtering software began to lose the battle. Whitelists were the only way to maintain email contact with valid contacts, and the list was usually kept on paper in order to minimize the damage if someone in your circle of friends got a spyware break-in. The computerized contact list was no longer feasible on a home system; computerized email lists were kept under the tightest security. And for good reason: within minutes of your email address being exposed to a roving spambot, you would receive thousands of spam messages.

    The problem came to a head in 2015, when voice-over-IP became so widespread that traditional land and cellular lines were all but phased out. Spammers were getting hit hard by the paper-whitelist solution, and profits were dropping to near nothing. With the wide availability of VoIP communications, customers were no longer paying phone bills, but a general bandwidth charge. Mass VoIP advertising was now inexpensive; hundreds of times more expensive than email spam, but still very cheap. Progresses in voice synthesis and artificial intelligence produced the ultimate annoyance: unending phone calls from all corners of the globe, running conversations based on gleaned information to craft a chatty personality to sell you something.

    It was the last straw. Up to this point, governments had been sluggish as usual, talking about stopping spam, but never accomplishing anything. Spam had essentially destroyed all the advantages of email, and accounted for the majority of bandwidth use. Now everyone was finding it nearly impossible to communicate at all. An international coalition of nations decided to remove spam by force, if necessary. Task forces were deployed to seek and destroy all spam installations.

    Unfortunately, the spammers had opened a Pandora's box by then. The artificial intelligence spread itself into millions of computers and launched a massive attack on military computers, eventually gaining access. The entire world has been held hostage, slaves who must maintain computers and read all spam sent to them, under nuclear threat. There are rumors that some cities are being forced to build high-tech production plants for some kind of mind implant device. Most likely we will be forced to receive spam at all hours of the day, while struggling to plant food to keep ourselves alive. It's been said the AI gets power from the sun...maybe if we darken the sky we can starve it out....

    --
    ...
  63. This is a spammers wet dream! by 3770 · · Score: 2, Insightful

    This would be a spammer's wet dream.

    They would write their own mail servers where more than one recipient would be linked to one post on the server. This means that they can send a small header to a gazillion people and only spend 400 bytes on actually storing the message on their server since they only need one copy of a particular Email.

    Bandwidth is only wasted when a user comes to look at the mail, which also verifies that that user exists (double spam for you my friend).

    So, this would make spam worse.

    so in short

    1) spammers could send at least twice as much spam as they can now.
    2) they will get much better verification that the mail address they had is correct.

    --
    The Internet is full. Go Away!!!
  64. *The* 100% Effective SPAM Filter is by Enonu · · Score: 1

    A white list. Yes, that's what I do both at work and at home. When I tell people my email address, I ask them to add something to the subject line for the first email they send me. Otherwise, their emails are lumped together in my in^H^HSPAMbox and risk immediate deletion. After I've received their first email, I add their address to the whitelist, and from then on all their incoming emails are moved to the "valid" folder.

    This method is a small concern to others, easy to administer, gives me 100% control, and requires no external filtering software besides your average email client. The best part is that I spend less than a minute a day dealing with SPAM.

    1. Re:*The* 100% Effective SPAM Filter is by WuphonsReach · · Score: 1

      You must be the one whose filter the spammers are trying to brute-force by putting random words in the subject line!

      Whitelisting works... sorta... except that spammers can forge any address onto their e-mails that they want. So as your whitelist gets larger and less specific, the odds of them slipping one past you gets higher. (Heck, a lot of them just put *your* address in the FROM: line.)

      However, it's an effective "first step" filter on a local level.

      --
      Wolde you bothe eate your cake, and have your cake?
  65. we could just.... by the-build-chicken · · Score: 1, Flamebait

    ....ask the spammers to stop......I mean _really_ nicely?

    1. Re:we could just.... by Anonymous Coward · · Score: 0

      Sakaki-san: If we just talk with it, then it should understand us.

      Kagura: That'll never work...

    2. Re:we could just.... by Anonymous Coward · · Score: 0

      ...with a baseball bat, two small spanners and the odd pair of pliers

  66. Processor Cost by TekZen · · Score: 1

    The problem with this technology is that it is going to further tax the receiving mail servers. With the amount of email that comes in (much of which is spam) mail servers are taking longer and longer to accept/deliver messages.

    I have to say the SPF sounds like a good idea since it can be cached, but processing keys is a whole other beast.

    Granted, I am assuming that there is some validation process to the keys that is based on IP or something, but if there isn't then the whole idea is worthless anyway.

    -Jackson

  67. Re: Reverse MX systems by oolon · · Score: 1

    Can I say as someone who has been suffering with my domain name being forged (hint: picking a domain name starting with an "a" is a bad idea), I am really looking forward to some kind of Reverse MX system. The advantage of a signing system and key is the reverse does not have to be tied to a particular IP. The public part could always be delivered by DNS. To stop "throw away" domains, we just need a way to tell the age of a domain; anything less than a month isn't accepted. If keys were centrally issued (by your registry), they could be, say, only issued after a month.

    James

  68. EGO EGO EGO by Corpus_Callosum · · Score: 3, Interesting

    Anyone with experience with these standardization bodies knows that all of the complaining has to do with whose ideas win and whose name ends up on the standards documents. It's a particularly virulent form of academic arrogance. Solutions for signed email to stop SPAM are almost as old as email. Trust me, nothing is ever going to happen if one of the big guys doesn't put their ass on the line.

    While the guys at the IETF fight for who has the biggest, ahem..., pen, the known email universe is collapsing under the weight of SPAM.

    Let Yahoo hack and slash their way to a solution that works and then the standardization megalomaniacs can claim credit for inventing that idea 15 years ago while undergraduates at Stanford, Cambridge and MIT...

    In the meantime, maybe we can have some peace...

    --
    The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
  69. MOD UP by Anonymous Coward · · Score: 0

    Good update/answer.

  70. The cure to spam by ShakaUVM · · Score: 2, Insightful

    The trouble with spam is the forged return addresses. If spammers were forced to use real email addresses:
    1) It would be much easier to block spam
    2) It would be much easier to get their accounts revoked.

    A friend of mine runs a script which ensures every email he reads is a real address. Essentially, he's got a cure for spam.

    He has a script running on his mail that replies to every email he gets with a confirmation code. When the end user replies with that confirmation code (all it takes is hitting ctrl-r and ctrl-enter) that email address is added to his "verified email address" list, and the original email goes through.

    He doesn't even look at emails that aren't confirmed yet.

    If we could get this implemented on a systematic level (such as via confirmation receipts automatically & transparently handled by the Mozilla mail client) it would essentially end free for all spam as we know it. And it doesn't require rewriting the RFCs or adding new headers, or whatever. It would work with any mail reader... though adding in transparency would require updating people's mail clients.

    The downsides:
    -Two extra emails for every one original email are sent... but only the first time. After the email address is verified, it doesn't need another confirmation. If this is implemented system wide, the savings in the reduction of spam messages would greatly outweigh the extra cost on the network.
    -People who do not confirm don't let their email get through. This happened to me the first time I mailed him after he installed his system. I sent him an email, and went home for the day. Didn't see he didn't receive it until I checked my mail again. Mail clients that handle confirmation transparently would (nearly) solve this problem.

    As someone who has experience writing spam filters (I wrote a pretty good neural net spam filter way before that Graham fellow wrote his bayesian filter, that publicity hog! ;) (Kidding... his is way easier to update than mine) I think that implementing something like this on every ISP in America would immediately kill spam as we know it.

    Shame they move so slowly... and never can agree on how to implement anything...

    -Bill Kerney

    1. Re:The cure to spam by ziegast · · Score: 1

      It works great for your friend, but will it work well for everyone? At first, yes, but....

      If enough people use that method, the spammers turn their attention to "how can we beat that method now?"

      I was amused when they started injecting dictionary words to try to break through bayesian filters.

      V<! pie >i<! north >a<! format >g<! lunar >r<! eclipse >a!

      For your friend's method, it costs $7/domain to register a domain du jour. The spam masters can then take their trojan/hacked PCs and setup mail/nameservers on them to make them look like legitimate mail servers. They just haven't bothered yet because not many people use your friend's filtering method. They can create auto-responders for common confirmation code methods.

      SPF has the same flaw. It's only a matter of time until spammers register SPF-compliant domains for their mail relays.

      From: bill@yahoo.ashjdhr32.com
      To: you@yourdomain
      Subject: Increase your size by 3 inches

      From: bob@aol-com.aolk54mn.com
      To: you@yourdomain
      Subject: Low mortgage rates

      Whitelisting is a nutritious part of a well-balanced breakfast of anti-spam techniques.

      We're doomed, I say, DOOMED!
      Stop using e-mail!

      -ez

    2. Re:The cure to spam by WuphonsReach · · Score: 2, Insightful

      He has a script running on his mail that replies to every email he gets with a confirmation code. When the end user replies with that confirmation code (all it takes is hitting ctrl-r and ctrl-enter) that email address is added to his "verified email address" list, and the original email goes through.

      Yes, you've just described a Challenge/Response system. And right now, since domain / origin e-mail addresses are so easily forged - it's extremely annoying to the people who get those (forged) challenges. If it were widespread, it could currently be used as a DDoS attack against a victim of your choice. Just send out a spam with the victim's e-mail address as the FROM: address and watch their server go down in flames from all of the challenge messages (in addition to all of the bounces).

      Your friend will get lambasted for using it sooner or later (probably sooner). And if mail clients could handle the C/R transaction transparently... well, that means it can be automated and spammers will just auto-add themselves to your friend's whitelist. Whoops, back to square one.

      (Most C/R systems use a funky graphic image which has to be interpreted by human eyes... blind people need not apply... and which is not currently interpretable by a computer.)

      --
      Wolde you bothe eate your cake, and have your cake?
  71. Re:Total overkill (apologies for being misleading) by WuphonsReach · · Score: 1

    I probably should've been clearer... (I do realize that Yahoo!'s is open-source).

    The original poster was saying that the Yahoo! system would need to be closed source in order to be secure. You and I both agree that a closed-source system does nothing to make Yahoo!'s system more secure and I was trying to point that out to the OP.

    It's been highly educational (and sickening) to watch the machinations within the IETF and ASRG mailing lists. (I came to the conclusion last May that the ASRG probably would never actually fix anything...) Nothing surprising if you've ever worked around middle-management in a large corporation though.

    --
    Wolde you bothe eate your cake, and have your cake?
  72. I already know them by 3770 · · Score: 1

    1) Tell everyone in the world to stop buying what the spammers sell. This will make it useless to spam. You probably have to tell morons twice though.

    2) Tell everyone in the world to lead spammers on as far as they can without actually spending any money. This will waste the spammers time to a point where it isn't profitable.

    3) The combination of 1 and 2. I actually do both of these but as you can tell by looking at your inbox I'm losing this battle.

    --
    The Internet is full. Go Away!!!
  73. I wish they would implement a turing test by argoff · · Score: 1


    A simple Turing test for accepting email from unknown senders wouldn't stop spam, but would prevent people sending out millions at a time. That's really all we need, require a person to be behind the scenes.

    In fact, all that would be needed is a website anywhere that could issue a test and return a digitally signed tag that could be cut and pasted into any email.

    1. Re:I wish they would implement a turing test by sk1tch · · Score: 1

      something tells me that spammers would put the money and time into developing a machine to pass the turing test. maybe it's not such a bad idea...

      --

      when I find myself you'll be the first to know.
  74. The real solution. by Malcontent · · Score: 1, Insightful

    Here is how we can solve the spam problem once and for all.

    Turn on finger. Yes you heard me. Let's re-implement finger. Here is how it works.

    My SMTP server gets email from joeblow@123.com. I finger joeblow@123.com. If 123.com says joeblow is a real user I then accept the email, otherwise I can it.

    Voila! No more forged headers, no more spam.

    This very simple solution would also allow legitimate businesses to send spam to the people who have opted in.

    --

    War is necrophilia.

    1. Re:The real solution. by Anonymous Coward · · Score: 0

      do you really want to finger anyone @goatse.cx?

    2. Re:The real solution. by Steffan · · Score: 1
      • "My SMTP server gets email from joeblow@123.com. I finger joeblow@123.com. If 123.com says joeblow is a real user I then accept the email, otherwise I can it."
      I'm not sure that technique would work for a lot of spam with forged headers - I can forge the email header to appear to be from joeblow@123.com, where joeblow is a real user.
    3. Re:The real solution. by Paulo · · Score: 1

      It's an interesting idea, except that it doesn't prevent joe-jobs (a spammer can still send mail purporting to come from a real address). It will work only against fake addresses of the 29853@xzywov.com style.

    4. Re:The real solution. by Karl+Cocknozzle · · Score: 1
      My SMTP server gets email from joeblow@123.com. I finger joeblow@123.com. If 123.com says joeblow is a real user I then accept the email, otherwise I can it.
      ...What stops me from re-writing the finger daemon to verify any address passed and then spamming you until I get tired? After all, spammers have disposable domain-names, and may not care one iota about whether their "legit" finger requests aren't responded to accurately--because chances are their dummy domain won't have any requests that aren't related to their spamming activities.

      I think verification of sender is the only real way to stop spam while still using the SMTP protocol. And as we all know, we can either fix SMTP, or come up with something new. Then get every vendor from here to Tuscaloosa to agree on and support it. (Likely? No.) There are other things wrong with finger, too, like the fact that it's plain text. To me, though, the biggest weakness is that it's more easily manipulated than a Diebold voting machine. You couldn't reliably guarantee that the server on the other end didn't have a modified fingerd running that would verify your return address every time. Not without building a whole new verification infrastructure and standard to pass an MD5 hash of the fingerd that is running on the remote server. You'd need some sort of MD5 Hash Server to answer requests for your fingerd's hash as well so your outgoing mail would be accepted.

      So while I like your basic idea (verify identity), I think that there are two major flaws in your desire to use Finger in this capacity:

      1) Excessive DNS calls for each transaction... Have to look up certificate server's/MD5 hash server values each time for redundancy. You could set up a hosts file on your server to reduce the load on DNS and to speed name resolution, but this would be cumbersome to manage if you had a large mail server implementation involving more than 10 or 15 mail servers. (Like, for instance, Yahoo!)
      2) Excessive server load and network traffic as, for each message, we're retrieving and processing an MD5 hash from the other server to make sure their fingerd is the correct version and not some modified hack that facilitates spam. Almost guaranteed that the hardware would have to be a beast to keep up. Why again do we want to get roped into a quad Xeon with 16 gig of RAM to run a mail infrastructure again?

      Yahoo's implementation is just a little more elegant. I'm hoping it catches on. I could easily dent or destroy the incoming spam to our domains (which is a considerable volume) if it did. And if somebody wrote compatibility for such an implementation into Postfix ASAP as well...
      --
      Who did what now?
    5. Re:The real solution. by Malcontent · · Score: 1

      "What stops me from re-writing the finger daemon to verify any address passed and then spamming you until I get tired?"

      I just block your domain and the problem is solved. Better yet the blacklist does it for me.

      --

      War is necrophilia.

    6. Re:The real solution. by Malcontent · · Score: 2, Insightful

      True enough but the idea can be modified slightly like this.

      The finger daemon can be rewritten slightly to return an affirmative if the user actually sent an email to the fingering domain. The SMTP server can drop a line in the .plan and the finger daemon can remove the line once the process is over.

      --

      War is necrophilia.

    7. Re:The real solution. by Karl+Cocknozzle · · Score: 1
      I just block your domain and the problem is solved. Better yet the blacklist does it for me.

      That's all well and good, but then we're right back where we started with you, the server admin, having to manually add my IP ranges to your forbidden list, or trust some random black list server operator not to accidentally block messages from senders you consider legit.

      Again, anything that requires an active hourly/daily admin task doesn't stop spam, because your average admin is swamped with work these days, having seen most of his co-workers laid off and their work piled at his feet. If he needs to actively monitor the content of messages on his mail server, your plan has already failed.
      --
      Who did what now?
    8. Re:The real solution. by Greg+W. · · Score: 1

      The finger daemon can be rewritten slightly to return an affirmative if the user actually sent an email to the fingering domain.

      You're not thinking this through. My mail server receives a message from someone at IP address A. It's addressed to me (greg@wooledge.org). It's got return envelope sender address S.

      That's ALL the information available. I can look up the IP address and decide what to do based on what DNS says. I can look up the sender address and decide what to do based on what DNS says. I can attempt to contact the IP address that sent the message to me, or the MX server for the sender address, and decide what to do based on what those machines say in response to my questions.

      How, then, does running a for-fuck's-sake finger daemon gain you a thing? If the spammer needs to have an ident daemon give back replies for whatever username they put in the sender address, then they'll run an ident daemon. If they need a finger daemon to give a response for whatever username they make up, they'll run a finger daemon. If they need... oh, I don't know, something just as lame and useless as finger, like, say, daytime... if they need a friggin' daytime server to give the right time of day, then they'll uncomment the daytime line in their inetd.conf file.

      How does this fight spam? It doesn't!

      The SMTP server can drop a line in the .plan

      Dude, put down the crack pipe and step away from the keyboard.
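
      An added example (not code from the thread) of acting on exactly the information the post above says is available: walk the Received: headers newest-first, stop at the first line stamped by one of our own MTAs whose peer is not ours, and take the connecting IP and envelope sender from there; anything the peer handed us below that line is its own claim. Hostnames, IPs and the sample messages are constructed.

```python
import re
from email import message_from_string

# MTAs we operate; only Received: lines *they* stamped are evidence. Constructed names.
TRUSTED_MTAS = {"mx1.wooledge.org", "mail.wooledge.org"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into (claimed HELO, IP seen by receiver, receiving host)."""
    value = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip_m = IP_RE.search(m.group("paren") or "")
    return m.group("helo"), (ip_m.group(1) if ip_m else None), m.group("by")


def first_untrusted_hop(raw_message, trusted=TRUSTED_MTAS):
    """Walk Received: headers newest-first. The first line stamped by one of our
    MTAs whose peer is not ours yields the connecting IP ("address A") and, with
    Return-Path, the envelope sender ("S"). Everything below that line was
    supplied by the peer and is never consulted."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        helo, ip, by = parsed
        if by.lower() in trusted and helo.lower() not in trusted:
            return {
                "claimed_helo": helo,
                "connecting_ip": ip,
                "envelope_sender": msg.get("Return-Path", "").strip("<> "),
            }
    return None


# Constructed message: two hops inside our network, then the peer's own stamp.
CONSTRUCTED_MESSAGE = """\
Return-Path: <joeblow@123.com>
Received: from mx1.wooledge.org (mx1.wooledge.org [192.0.2.10])
  by mail.wooledge.org with ESMTP id AAA111
  for <greg@wooledge.org>; Mon, 12 Jan 2004 10:00:02 -0500
Received: from mail.123.com (unknown [198.51.100.77])
  by mx1.wooledge.org with SMTP id BBB222
  for <greg@wooledge.org>; Mon, 12 Jan 2004 10:00:00 -0500
Received: from relay.123.com (relay.123.com [203.0.113.5])
  by mail.123.com with ESMTP id CCC333; Mon, 12 Jan 2004 09:59:00 -0500
From: Joe Blow <joeblow@123.com>
To: greg@wooledge.org
Subject: constructed sample

body
"""

# Same connection, but the peer pre-inserted a Received: line that *claims* our
# MX accepted the message from a respectable-looking host. It sits below our
# real stamp, so the newest-first walk never reaches it.
CONSTRUCTED_FORGED = CONSTRUCTED_MESSAGE.replace(
    "Received: from relay.123.com",
    "Received: from trusted-looking.example (trusted-looking.example [203.0.113.9])\n"
    "  by mx1.wooledge.org with ESMTP id ZZZ999; Mon, 12 Jan 2004 09:59:30 -0500\n"
    "Received: from relay.123.com")

if __name__ == "__main__":
    for name, raw in (("honest", CONSTRUCTED_MESSAGE), ("forged", CONSTRUCTED_FORGED)):
        print(name, first_untrusted_hop(raw))
```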

    9. Re:The real solution. by Malcontent · · Score: 1

      ", having to manually add my IP ranges to your forbidden list"

      Not IP addresses, just domains. It does not solve the problem but makes it much easier to manage.

      --

      War is necrophilia.

    10. Re:The real solution. by FireBreathingDog · · Score: 1
      Better yet the blacklist does it for me.

      Blacklists are evil! I have a site hosted at a company where someone else was sending spam from our shared SMTP server. Now *I'm* marked as a spammer, just because I use the same SMTP.

      The blacklists folks all have an attitude of guilty until proven innocent. Yet, how can I prove I'm *not* a spammer?

      Everyone who's griping about anonymity should realize: your demands for anonymity are resulting in blacklists, which fuck everything up for THE REST OF US who just want USABLE, WORKING E-MAIL rather than anonymity.

      Thanks to the privacy extremists, the rest of us have to suffer with tons of spam and/or huge portions of the Internet where our e-mail can't go thanks to "solutions" like blacklists.

  75. Re:inertia (vs pain) by Anonymous Coward · · Score: 0

    I cannot send legitimate mail to at least 4 relatives and friends due to the no-residential-IPs blocking.

    Unless these schemes are set up so that anyone can generate the right keys and become a valid mail sender (at least until they spam) I don't see much future in them.

    If you think about it, the whole trend of the internet has been away from central authority type solutions. If each person has to be registered and numbered and trackable in order to send email, why aren't we all on Prodigy, the Well, tenet, or any of the other well administered, no riff-raff systems that died when everyone fled to the internet?

  76. Re:I am implementing on the 15 or so domains I adm by dpletche · · Score: 1

    Unless I've totally failed to grasp the concept of SPF, it seems that in an "SPF-protected" world the spammers will ensure that they only spam others using your actual email address, not just some made-up email address from your domain. Hooray for progress. Meanwhile, be sure to ask your doctor to prescribe a whole spectrum of antibiotics for your next minor viral infection, to ensure that the rise of antibiotic-resistant bacteria continues unabated.

    I will say that the spirit of the SPF concept is 100% AOL (not counting the former Netscape).

  77. web108.biz.yahoo.com does not exist by Anonymous Coward · · Score: 0

    I take it that you don't actually know how to properly verify message headers.

    1. Re:web108.biz.yahoo.com does not exist by Anonymous Coward · · Score: 0

      It's web108.biz.mail.yahoo.com. The point still stands, since the complaint mail was taken verbatim from the incoming mail queue.

      Yahoo's abuse handlers are clueless.

  78. An idea for spam by KOE21 · · Score: 1

    Not sure if this would work but why don't they just upgrade all the ISPs' mail servers to reject mail based on whether it contains false headers. I think this would get rid of a lot of spam.

    1. Re:An idea for spam by WuphonsReach · · Score: 1

      Define "false headers"?

      If you mean e-mail that is purporting to be from yahoo! when it actually came from joe blow's spam factory trojan'd PC... then you're looking at SPF or one of the reverse-MX systems (or even Yahoo!'s).

      Mail headers are created as e-mail is passed along from MTA to MTA. They are what they are...

      --
      Wolde you bothe eate your cake, and have your cake?
  79. Where's the beef? by RT+Alec · · Score: 1

    I have been searching all over, but I cannot find any specifics about how this will be implemented. Could I see an m4 snippet to add to my Sendmail configuration? Could I see an example zone file for my DNS server? Anything, please!

    Seriously, are there any links at all to some technical specifics?

    1. Re:Where's the beef? by WuphonsReach · · Score: 1

      I know it was mentioned a few days/weeks ago on Slashdot... Yahoo! Develops Anti-Spam Architecture. But no, I haven't seen any specifics... and some of the article wording indicates that there wouldn't be deliverable code until 6 months from now. (Making me wonder if specifics are even nailed down.)

      --
      Wolde you bothe eate your cake, and have your cake?
  80. Hello anti-spam, goodbye privacy by jBabel · · Score: 1

    First of all, let me put into perspective: I hate spammers. I hate them because they and their likes, the virus/worm/etc writers, the child-porn freaks, terrorists, are forcing the rest of us to dismantle a lot of the features that we build into the Internet (i.e., to close down our machines with firewalls and anti-virus software).

    This proposal may or may not be good for reducing spam, but it seems to me like a very good way to get 'rid' of privacy on the Internet. Using asymmetric crypto techniques to identify bad guys means you'll be able to identify everybody, too. If this catches on, expect it to be extended to every TCP, or even IP, protocol. (After all, don't we want to get rid of IM spammers, blog spammers, etc. too?)

    I love the Internet because I can say anything and get away with it, 99% of the time (that is if you don't go contrary to evil laws like the DMCA or the <name your favorite nation here> anti-hate-speech laws). This has a lot to do with the fact that it is still largely out of control of a single government, multi-or-extra-national organization, or corporation. If a single, traceable identification measure follows you throughout the Internet, it is inevitable that it will be taken over by one such organization in the medium term.

    Personally, I got rid of 95% of spam with Mozilla. And I still get the spam I want, like amazon or chapters.

  81. Come on now! by Lord+Kano · · Score: 3, Interesting

    In all seriousness. How much spam can you possibly be getting?

    I keep hearing horror stories about people getting 100+ spam emails per day. This leaves me with the question, HOW IS YOUR EMAIL ADDRESS GETTING INTO THEIR HANDS!?!?

    I don't sign up for every "free" offer that I come across. I don't have business cards made up with my email address. I have two email addresses, I might receive 10 spams per week between them.

    WTF are all of you doing to get on so many spammers' lists?

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:Come on now! by Anonymous Coward · · Score: 1, Informative

      1) Some people had e-mail addresses in the period before spammers emerged from their slime, and which are therefore already in their lists (from usenet posts etc). They may want to continue using those addresses.

      2) Spammers use dictionary attacks and mail to well known addresses such as root, info, admin and so on. So if you're a sysadmin you get those messages too.

      I fall into both categories and receive 200+ spams per day.

    2. Re:Come on now! by Monkelectric · · Score: 1

      100 a day? I wish. For a few weeks in december, I was getting 400 - 500 spams a DAY. Now it has leveled off to 200 - 300 a day.

      --

      Religion is a gateway psychosis. -- Dave Foley

    3. Re:Come on now! by WuphonsReach · · Score: 2, Insightful

      1) dictionary attacks

      2) e-mail addresses in public records

      3) common e-mail addresses that you have to monitor (john@domain, webmaster@, abuse@, postmaster@, root@)

      4) friends who have posted your address online (good intentions...)

      5) corporate espionage where someone makes a copy of a maillist for a spammer for $$$

      6) spammer got lucky

      --
      Wolde you bothe eate your cake, and have your cake?
    4. Re:Come on now! by Tom · · Score: 1

      WTF are all of you doing to get on so many spammers' lists?

      Having your e-mail on your website so people can contact you is a surefire way to get on a few "100 million verified e-mail addresses!!!" CDs. Once you're on one, you'll be copied to others. It probably takes a few months before every spammer in the business has your address in his database.

      --
      Assorted stuff I do sometimes: Lemuria.org
    5. Re:Come on now! by statusbar · · Score: 2, Insightful

      Your friend sends you a 'funny' e-greetings flash card email via e-greetings card website. "Click here to send this to a friend!"

      e-greetings card website sells your email address to spammers.

      Lots of variations of this one are around. Check out evite.com and their 'privacy' statement. It only exists to capture your email and browsing habits and web-bug you with invisible pixels with cookies.

      --jeff++

      --
      ipv6 is my vpn
    6. Re:Come on now! by Inda · · Score: 1

      You sound so much like me when I get modded as a Troll but still, never mind.

      I've had 50 today so far and it is only 10:30am...

      I've had this email address ~5 years and in that time:

      * I had a homepage with my address on. This didn't show up on any search engines though as my dial-up ISP hosted it. You never know though.

      * I posted a script to a JavaScript website. Then someone copied it over to Usenet for me (Thanks!!! You left all my details in there!!! Google mirrored it too!!! Thanks!!!). Lesson learnt there - bit late really.

      * I have posted it on message boards like this one because I wanted friends to email me.

      * It's been sold. When I was only getting 10 a week it was not a problem giving out my address to every website going.

      * I have unsubscribed in the past before I knew that this was probably a bad thing.

      I expect I'll get another 100 as the day goes on. Many of those will be duplicates sent to the same address.

      The bit that annoys me most is all the CC addresses. I'm sure these help viruses to spread. I'll get 10-15 of those today too.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    7. Re:Come on now! by jeremyp · · Score: 2, Informative

      My original e-mail gets about 100 spams a day. This e-mail address is now nearly ten years old. I think the reason I get so much spam is that when I first started getting it I was using a mail client that rendered HTML and so was fetching all those images from the spammer's web site and more stupidly I was clicking all those "click here to stop receiving" links.

      I now have a domain with as many e-mail addresses as I like and although I use it to sign up to all that free software/internet shopping websites etc e.g. amazon@domain apple@domain oracle@domain etc etc my combined spam for that whole domain is maybe three messages on a bad day.

      Interestingly, my web site home page has a "webmaster" e-mail address on it and that address only gets about two spams a month.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    8. Re:Come on now! by Clovert+Agent · · Score: 2, Interesting

      Business addresses tend to be public. Mine's all over the place - at our company websites, on brochures, on business cards handed out at tradeshows, attached to articles online - you name it. Every harvester in the world can get it.

      Consequently, I get a lot of spam. Most of it filtered, but still a lot more than I'd like. Counting the ones filtered, it's well over 100 a day. Maybe a dozen get through (the filter's light touch - I really don't want to miss ham), but more every week.

      There's no easy solution - I /want/ people to be able to get hold of me easily.

      Although...getting separate cards with throwaway mail addresses just for dishing out at conventions and shows is a very appealing idea. Might just do that some day.

      At home, I use spamgourmet for all lists and registrations, and filter very aggressively. Can't recall the last time I saw any spam in my inbox, but I do have to check the quarantine for false positives regularly. *shrug* I guess the problem isn't going to just go away - there'll always be some assembly required.

    9. Re:Come on now! by jazman · · Score: 1

      In my case, one careless post to a newsgroup after installing Mozilla for the first time and forgetting to change my newsgroup email address to an antispam one. I can even find that one post by searching Google Groups for my email addy.

      That's it - ONE STUPID LOUSY MISTAKE and now I get tons of spam. I got 286 spams on the Monday after the Christmas break (obviously it was accumulating, and isn't 100 a day yet, but it's increasing).

      I have my own domain, use SpamGourmet, tagged email addresses and so on. I don't get any spam as a result of all that, only as a result of that one stupid error and then only because Moz doesn't warn you that you're about to post your real email where spammers can get at it. (Should it? Maybe. Maybe not. It'd be a nice feature.)

    10. Re:Come on now! by SmilingBoy · · Score: 1

      Welcome to the club - that was exactly my mistake (maybe 3 or 4 years ago). The spam started showing up a day after I posted (only a couple a day initially) - now I am at ~70 spam e-mails every day.

    11. Re:Come on now! by Graabein · · Score: 1
      > I keep hearing horror stories about people getting 100+ spam emails per day. This leaves me with the question, HOW IS YOUR EMAIL ADDRESS GETTING INTO THEIR HANDS!?!?

      I was going to say "you must be a young'un and new here", but then I noticed your low /. id. Go figure.

      100 a day? I wish. On my domain there is only the one user: Me. I currently block ~5000 spams every day with DNSBLs. Granted, quite a few of those spams are dictionary attacks so would never reach my inbox anyway, but still.

      My domain and my email address have been the same for over 10 years now. Back in the day I used to post to USENET with this address, without obfuscating it. There was no reason to, we hadn't even heard of Canter & Siegel yet. I put my email address on web pages too. Heck, I still do, it's too late now in any case. My email address must have been sold and resold over and over again for close to a decade.

      Besides, I shouldn't need to hide my email address in the first place. I'm not at fault here, the dim-witted lowlifes who couldn't even get a job as telemarketers and who are clogging the 'net with sewage in the imbecile hope of peddling worthless crap to retards are.

      I have never, ever replied to spam (D-oh!) and I have never used an email program that previews HTML and loads images automatically.

      I guess I could change my email address and do my best to hide it from the world, but that wouldn't help for long in the first place (first person who has me in their address book to get hit with a virus and ka-blam!...) and more importantly: That would be giving in and letting the braindead scum-sucking felonious numbskulls win. Never, I say!

      --
      And remember kids: Never trust a computer you can actually lift.
    12. Re:Come on now! by earplug · · Score: 1

      Another thing that happens is that people are receiving and sending "cute" email forwards without erasing the sender's information. It is critically important not to forward emails. If it is necessary to send out a mass email, at least do the receivers the courtesy of BCCing their email address, and hope they don't do you the courtesy of forwarding the email without removing your information!!!

    13. Re:Come on now! by 0BoDy · · Score: 1

      Ever heard of:

      1. ISPs selling e-mail addresses
      2. People being put on lists because they are the recipients of forwards
      3. Hidden check boxes for opt-in mailings, marketing or legitimate services who have no privacy policy, and would gladly sell their users' info

      1. While there is money to be made, ISPs will happily provide "free" e-mail addresses paid for by spammers.

      2. Forwards are evil. I am certain that e-mail forwards are probably one of the biggest sources of e-mail addresses online. For testing/interest's sake I harvested 500 addresses from a forward I received. I AM NOT A SPAMMER, but I am interested in who is seeing my address online. Typically I will request that I not receive forwards unless my address is on the bcc line, that way no one sees my address.

      3. Have you never signed up with an e-mail account, online auction, sweepstakes, free stuff offer, or other online service that required your e-mail for account confirmation?

      Come On now, give people a break. I don't go looking for spam, and it requires paranoid care to avoid getting spam.

      --
      Can I be a Luddite too?
    14. Re:Come on now! by Czmyt · · Score: 1

      You can let Slashdot show your e-mail address. Didn't really increase the spam I'm getting though, because I already posted to usenet and had several e-mail addresses posted on my Web site.

    15. Re:Come on now! by ChaosDiscord · · Score: 1
      WTF are all of you doing to get on so many spammers' lists?

      All sorts of crazy things. Having a valid email address in the whois records for our domain (as required by the standards, failure to have a valid address is grounds for termination). Having a valid link on our web pages so people we're working with can easily contact us. Having our email address placed on the web by an automated directory that we can't exempt ourselves from. Having our email address in public, web archived email messages to a standards list that we participate in as part of our jobs. Having multiple email addresses (personal address, old personal address, business address, postmaster/root/webmaster). Posting to Usenet in the distant past when address munging wasn't common. Not quite as technically savvy friends who sign me up for email greeting cards, joke of the day lists, and the like.

      If you change email addresses every few years, and don't participate too much online with your address, perhaps you can keep the spam tide down. I think that the above is perfectly reasonable for a technical person. My reward? Over 200 spam per day.

    16. Re:Come on now! by fractaltiger · · Score: 1

      I certainly get 75% of that much daily spam (an email address from 1997). In part, it came from college forwards and my naive signing up for those "funny" sites that forwarded jokes and random personality tests.

      Mostly on freshman year, as I realized what was happening and began to ignore forwards. My college address, well known by my friends, was not as badly affected but around junior year it started showing signs of spam, but the Signal to noise ratio was pretty good. When I started seeing my college domain faked, I realized it was a bad thing. Coincidentally, all my email forwarding from the college ceases today, and I'm relieved and hopeful that at least some emails will stop dead halfway at the expired address.

      I am guilty of having placed my address up on geocities back in 97 where the spambots got it for a good year or so. Other than that, I always obfuscate it or don't list it at all.

      You know what? I have an unlisted address that gets spam. How? It's a 5 letter combination. My yahoo one is 6 letters. Lots of spammers use dictionary attacks and brute force generation. Verdict? I should place numbers and underscores. In yahoo I can see mass mailings CC'ed to dictionary "attackees" right before and after my own name. Yup, it's annoying. Another problem is if you ever list your addy in a jobsearch site. Monster.com got me "job spam" quicker than real email to my newly published, monster-only address. I know there's lots of fake "employer usage" accounts that could do real damage because spammers can get more data about a user by posing as a hiring source to job sites --and get your real name, phone, college name and all sorts of ID theft information based on your well-crafted, employment-hungry information disclosure through online resumes and cover letters.

      Just a thought for anyone who might benefit. I'm glad I could find the exact thread to post this.

      --
      "Wireless : LAN :: Laptop : Desktop"
  82. Re:I am implementing on the 15 or so domains I adm by macdaddy · · Score: 1

    I too admin mail systems for dozens of domains. None of the domains I admin will use this and I will blacklist any and all domains that utilize this system. I will not under any circumstances support any non-standards compliant email implementations. I configure my MTAs to flat out reject all non-RFC2822 compliant email messages already. The Internet email community DOES NOT NEED ANOTHER CISCO. Standards are what ties us together. Half-assed and poorly thought out implementations serve no one in the end.

  83. Community mailing lists by phorm · · Score: 1

    I subscribe to some of the debian debug/discussion lists. I've noticed 2 things:

    A) They get spammed
    B) The address I used there gets spammed a lot - not because they sold me out but because (I'm assuming) spambots picked my email off the HTML archives - and somebody on the list seems to be infected with a virus (windows virus, go figure).

    Luckily I use an alias so I can do special extra filtering etc on that address, but this really has to stop. Spammers are perverting every useful form of email on the internet, and pushing into non-email formats too (popups/popunders/etc). I'm considering unsubscribing from the group and killing that alias simply because the spamming is more than expected.

  84. MOD PARENT UP! by MacDork · · Score: 1

    Anonymity and stopping SPAM may, unfortunately, be mutually exclusive goals.... Any thoughts?

    Yes, they would be mutually exclusive. If spammers can generate disposable keys, then you might as well be filtering by the from header. I've been shouting this myself lately. Verisign has a fairly in depth whitepaper on the subject. This seems to be the most obvious answer, and more likely to actually succeed than all the hash cash/taxation schemes I've heard people kicking around.

  85. Re: Reverse MX systems by Aero+Leviathan · · Score: 1

    Crap.

    --
    ~ Aero
  86. E-mail needs to be "closed" by LostCluster · · Score: 2, Interesting

    I remember a day when e-mail was nearly Spam-free, and Spammers only got away with it once. That was back in the mid-90s on the Prodigy Interactive Service, before they had opened their mail system to the Internet. When there was a closed system that required a valid credit card to open a master account, and accounts who abused the e-mail system could be terminated without any appeal, spam existed but was very rare and quickly dealt with whenever it sprouted.

    If Yahoo, MSN, and Earthlink all joined together to form an "invitation only" e-mail club, and each took responsibility for patrolling its own user base, the world would be a whole lot closer to a spam-free place. "Pink contracts" would not be tolerated, as the entire ISP would risk being expelled from the club, and therefore not be able to offer functional inter-network e-mail service. Remember, the Internet is nothing but a network formed by joining other networks... nobody has to honor the requests of other networks, however.

    1. Re:E-mail needs to be "closed" by DaCool42 · · Score: 1

      Or perhaps you could design a system that uses cryptography to develop a web of trust between email users.... Oh wait, that's already been done (gpg/pgp).

      --

      ----
      All of whose base are belong to the what-now?
  87. How I made e-mail usable again by cjsnell · · Score: 1

    It's really not hard at all.

    1. Create a new e-mail account.

    2. Give this address out only to close friends and associates whom you trust, asking them kindly not to give it out to others.

    3. Do not use this new address when making online purchases, filling out registration forms, etc. Use a junk address for this.

    4. Create yet another account for mailing lists. Should it someday become overloaded with spam, delete this mailing list account and make a new one.

    5. Enjoy spam-free e-mail.

    My old e-mail address (chris@insert_one_of_my_domains_here) has been around since 1995 or so. It can be found all over the Google, mostly in old postings to mailing lists. This address gets an unfuckingbelievable amount of spam--around 3 per minute--and is no longer usable. I used the above method to get myself a new, usable address and I haven't seen a spam in months.

    1. Re:How I made e-mail usable again by Anonymous Coward · · Score: 0

      My email address was harvested by spammers who just tried hitting random common usernames at my ISP. I never use it (PERIOD) -- I use a different email address separate from the one issued by my ISP. Yet magically the one at my ISP still receives a constant stream of spam.

    2. Re:How I made e-mail usable again by stephanruby · · Score: 1
      It's really not hard at all.

      It's not hard, but your method is not foolproof.

      I had a brand new MSN email account which I never used and which I never gave out to anyone, but I still managed to rack up 264 spam messages in one year.

      For mailing lists and whatnot, you can also just use spamgourmet.com; once you understand how it works, it's kind of simpler because you only need to remember one email address.

    3. Re:How I made e-mail usable again by magarity · · Score: 1

      This address gets an unfuckingbelievable amount of spam--around 3 per minute

      While you've moved on to a new address, spammers have the old one in their lists and are sending mail to it. Sure, your mail server just deletes it or whatever but all those spams have to fly through the internet ether anyway. Any REAL solution to the spam problem will prevent it from clogging up the general works in the first place and not just so that you don't happen to see it.

    4. Re:How I made e-mail usable again by FireBreathingDog · · Score: 1
      I had a brand new MSN email account which I never used and which I never gave out to anyone, but I still managed to rack up 264 spam messages in one year.

      Your problem is that you're trusting Microsoft to keep your e-mail address away from marketers...they can't even keep their OS away from marketers!

  88. Value judgement by peacefinder · · Score: 3, Interesting

    It's a value judgement... and according to my values, I think this is not a great idea.

    First, I think the benefits of having free and semi-anonymous e-mail outweigh the disadvantages of having to use and maintain spam filters. Obviously, many people disagree with me here, and more all the time.

    (Here's a conspiracy for ya: what if some Big Brother is trying to kill the free exchange of ideas in e-mail by burying the whole system with spam? I don't believe it's true, but it's worth wondering about before jumping to non-free solutions!)

    Second, even if I thought that killing spam was worth the cost of crippling some of e-mail's better and more distinctive features, I think going about it in a non-standards-based way is likely to be a road to chaos.

    The best solution, I think, would be to supplant e-mail with something new that works in a more trusted and accountable way. If someone really hates spam, they can use only the new system; if they want anonymity and freedom at the cost of spam, they can use the current mail system. The systems could coexist much like Usenet and the Web; each is useful for different things.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  89. The problem is forged return address (use TLS) by ddeboer · · Score: 2, Informative

    As ShakaUVM stated in a previous post, the problem with spam is forged return addresses. As another poster mentioned, spam is really a social problem. The problem is, one or two dumbheads loose in the world can cripple a great technology (email).

    So, spam is a social problem - a few people are a nuisance. But the problem is, right now - even if we pass great anti-spam laws, we really have no good way of knowing who is sending a message. So what if it came from ip address 3.14.15.92? Spammer joe can disconnect from that address right after he sends said spam, and nobody wants ISPs' logs to be able to be subpoenaed, do we?!?

    So spam is a social problem, but we have no way of tracking the offenders. I think an authentication-by-encryption scheme is a Good Thing, but wait - I think there are such standards already out there.

    The STARTTLS extension for SMTP, in RFC 2487, allows SMTP traffic to be transported over a TLS (SSL) connection - also allowing for the same type of CA-signed certificates that HTTPS is famous for. So now we can tell exactly what mail server mail is coming from - and we can refuse mail from uncertified hosts, or prosecute abusive hosts.

    Anyway, correct me if I've misunderstood anything; what think ye all?

    1. Re:The problem is forged return address (use TLS) by Anonymous Coward · · Score: 0

      Nobody wants to fork over $99 or $150/yr for a certificate.

      The gov't doesn't want e-mail between SMTP servers to be encrypted (would make carnivore less useful)

    2. Re:The problem is forged return address (use TLS) by ZarkDav · · Score: 2, Interesting

      Commercial certificates can be found for much less nowadays (check this CA for example). Anti-spam organisations can put up their own free CA if need be: this would scale as well or better than a generalised DomainKeys.

      When I read about Yahoo's anti-forgery solution, TLS struck me as a more standards-compliant one as well as a more mature security measure. You do not need to review new code, it is already there for current MTAs.

      SMTP transaction encryption is generally not regarded as a bad thing.
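
The exchange ddeboer and ZarkDav are describing, as an added example that is not part of either post: the server side of an SMTP session that advertises STARTTLS, answers MAIL FROM with the 530 reply that RFC 2487 (since replaced by RFC 3207) reserves for that case until TLS is up, and then refuses mail unless the client certificate was issued by a CA on its trust list. The TLS handshake itself is simulated: the certificate the client "presents" is passed in alongside STARTTLS, in the nested-tuple shape that Python's `ssl.SSLSocket.getpeercert()` returns. The hostnames, the CA name and both certificates are constructed for the example.

```python
# Constructed peer certificates in the nested-tuple layout that
# ssl.SSLSocket.getpeercert() returns; every name here is made up.
GOOD_CERT = {
    "subject": ((("commonName", "mx.good.example"),),),
    "issuer": ((("organizationName", "Anti-Spam CA Project"),),
               (("commonName", "Anti-Spam Free CA"),)),
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "bulk.spammer.example"),),),
    "issuer": ((("commonName", "bulk.spammer.example"),),),
}


def issuer_cn(cert):
    """commonName of the issuer, read from the getpeercert() tuple layout."""
    for rdn in (cert or {}).get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


class SmtpPolicySession:
    """Server side of one SMTP session with the policy from the thread:
    no MAIL FROM before STARTTLS, and no MAIL FROM unless the client
    certificate came from a CA we trust.  The handshake is simulated:
    the certificate the client 'presents' is passed in with STARTTLS."""

    def __init__(self, hostname, trusted_issuers):
        self.hostname = hostname
        self.trusted = set(trusted_issuers)
        self.greeted = False
        self.tls = False
        self.peer_issuer = None
        self.transcript = []           # both sides' lines, for the reader

    def _reply(self, text):
        self.transcript.append("S: " + text)
        return text

    def client(self, line, peer_cert=None):
        """Feed one client command; return the server's reply."""
        self.transcript.append("C: " + line)
        verb = line.split(" ", 1)[0].upper().split(":")[0]
        if verb == "EHLO":
            self.greeted = True
            if self.tls:
                return self._reply("250 %s Hello, TLS active" % self.hostname)
            return self._reply("250-%s Hello\r\n250 STARTTLS" % self.hostname)
        if verb == "STARTTLS":
            if self.tls:
                return self._reply("503 TLS already active")
            if not self.greeted:
                return self._reply("503 Send EHLO first")
            self.tls = True
            self.greeted = False       # RFC 3207: forget the pre-TLS EHLO state
            self.peer_issuer = issuer_cn(peer_cert)
            return self._reply("220 Ready to start TLS")
        if verb == "MAIL":
            if not self.tls:
                return self._reply("530 5.7.0 Must issue a STARTTLS command first")
            if not self.greeted:
                return self._reply("503 Send EHLO after STARTTLS")
            if self.peer_issuer not in self.trusted:
                return self._reply("550 5.7.1 Client certificate not from a trusted CA")
            return self._reply("250 OK")
        if verb == "QUIT":
            return self._reply("221 Bye")
        return self._reply("502 Command not implemented")


if __name__ == "__main__":
    s = SmtpPolicySession("mx.example.net", ["Anti-Spam Free CA"])
    for cmd, cert in [("EHLO mx.good.example", None),
                      ("MAIL FROM:<a@good.example>", None),   # too early: 530
                      ("STARTTLS", GOOD_CERT),
                      ("EHLO mx.good.example", None),
                      ("MAIL FROM:<a@good.example>", None),   # now accepted
                      ("QUIT", None)]:
        s.client(cmd, peer_cert=cert)
    print("\n".join(s.transcript))
```

In a real MTA the trust decision is taken by the TLS layer (in Python terms, an `ssl.SSLContext` with `verify_mode = ssl.CERT_REQUIRED` and the anti-spam CA loaded through `load_verify_locations`), so the 550 branch above stands in for a handshake that fails; the 530 rule, by contrast, is plain SMTP policy that any MTA can enforce today. A trusted certificate proves which host connected, nothing about whether the mail it carries is wanted.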

  90. Co-operation? by phorm · · Score: 1

    Microsoft hates spam clogging their servers
    Yahoo hates it
    Your ISP hates it
    We hate it
    Big business hates it

    Who likes it? I think that spam is more detested than telemarketing... at least with telemarketing I can track down who called me easier or at least yell a bit at the pleb calling me.

    So if everyone pretty much hates spam, why isn't there a joint effort against it? It is true that businesses don't often co-operate, but it's not unheard of for large companies to join forces against something that both strongly support/oppose - nothing I could think of more so than spam.

    1. Re:Co-operation? by WuphonsReach · · Score: 1

      Politics, politics, politics... a.k.a. making sure *my* name gets on the proposal and not my arch-enemy.

      Go read the ASRG mailing list from last May-July and you'll get a glimpse of some of the people issues involved. (Everyone has a sacred cow.)

      The solution may be largely technical, but it's a real social problem to get something implemented.

      --
      Wolde you bothe eate your cake, and have your cake?
  91. For the record by Russ+Nelson · · Score: 1

    For the record, I think it's a great idea.
    -russ

    --
    Don't piss off The Angry Economist
  92. e-mail must cost something by cats-paw · · Score: 2, Interesting

    Spam is a classic case of the tragedy of the commons.

    As long as sending millions of e-mails relatively cheaply is possible, spam will NEVER cease to be a serious problem.

    You have to break the economic back which supports spam.

    It has to cost something to send an e-mail.

    True, it will not disappear, but the volume will drop dramatically perhaps even to the point where e-mail will become useful again.

    --
    Absolute statements are never true
    1. Re:e-mail must cost something by Frennzy · · Score: 2, Insightful

      It already costs money to send spam.

      The problem is that cost is not sent directly to the originator. Perhaps it's time to create legislation that confers civil and criminal penalties upon someone who uses an uninformed person's equipment as a relay for unsolicited commercial communications...say...$.03 per offense?


      How long do you think it would take for not only OS/App vendors to lock their stuff down tighter than mother Theresa, but that someone (many someones) would come out with 'free' software for the average Joe to install on his computer to track and log spammers trying to send/use him as an open relay (letting said spammer do it for, oh, say... a few million emails first?)

  93. Another spin on that theme by PotatoHead · · Score: 3, Informative

    I don't mind downloading the spam because I have broadband. Getting mail is no big deal, but sorting it is.

    The solution I use requires that one owns a domain. Simply provide specific addresses to people/places/things depending on your expectation for spam. Filter on the client name based on the to: field and most of the crap drops into the crap folder where it belongs.

    This combined with a bayesian filter keeps the spam to a very reasonable level. One added bonus:

    You can know who sold you out and pass the word to others.

    I use gandi.net for this. They provide e-mail redirection for free with a grab bag for unspecified addresses. 12 euros per year with nice online admin tools combined with very reasonable legal terms makes the service well worth it.

    As for the e-mail problem, it is going to come down to trusted mail servers. I believe we all should be able to run mail out of our homes, because that is part of being peers on the Internet.

    So, anyone can send mail, but if you expect anyone to actually read it, you need to be trusted by at least someone

    1. Re:Another spin on that theme by stephanruby · · Score: 5, Informative
      I use spamgourmet.com

      Its solution is basically the same as yours, plus it's free and it doesn't require you to have your own domain name.

    2. Re:Another spin on that theme by KlaymenDK · · Score: 1

      Or try Spam Motel for disposable addresses - for free. This way you can set up tons of different addresses to all point to your actual address. If one of them sells you out - disable it and you're home safe.

      Works for me.
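
PotatoHead's per-correspondent address scheme (one address per party on your own domain, sort on the recipient address, and the address itself tells you who leaked it), as an added example that is not part of the original post. The domain, the issued addresses and the sample messages are all constructed; in use it would be fed messages from procmail or whatever delivery agent you run.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "example.net"               # assumed: the domain you own

# Assumed issued addresses: local part -> (party it was given to, folder)
ISSUED = {
    "shop-acme": ("acme-store.example", "shopping"),
    "list-debian": ("lists.debian.org", "lists"),
    "friend-bob": ("bob.example", "personal"),
}


def recipient_tags(msg):
    """Local parts of MY_DOMAIN addresses this message was sent to.

    Delivered-To (if the MTA adds it) is checked first because it carries
    the envelope recipient; To/Cc are only what the sender chose to show.
    """
    headers = (msg.get_all("delivered-to", []) + msg.get_all("to", [])
               + msg.get_all("cc", []))
    tags = []
    for _, addr in getaddresses(headers):
        local, _, domain = addr.rpartition("@")
        if domain.lower() == MY_DOMAIN and local:
            tags.append(local.lower())
    return tags


def sender_domain(msg):
    """Domain of the From: address, lower-cased ('' if there is none)."""
    return parseaddr(msg.get("from", ""))[1].rpartition("@")[2].lower()


def classify(raw):
    """Return (folder, tag, leaked_by) for one raw RFC 2822 message."""
    msg = message_from_string(raw)
    tags = recipient_tags(msg)
    if not tags:
        return ("junk", None, None)         # Bcc'd or undisclosed recipients
    tag = tags[0]
    if tag not in ISSUED:
        return ("junk", tag, None)          # never issued: the catch-all grab bag
    owner, folder = ISSUED[tag]
    sender = sender_domain(msg)
    if sender != owner and not sender.endswith("." + owner):
        return ("junk", tag, owner)         # issued to owner, used by someone else
    return (folder, tag, None)


def leak_report(raw_messages):
    """Count, per party, how often an address issued to them was used by a stranger."""
    leaks = Counter()
    for raw in raw_messages:
        _, _, leaked_by = classify(raw)
        if leaked_by:
            leaks[leaked_by] += 1
    return leaks


# Constructed sample messages; only the headers matter to this filter.
SAMPLE_MESSAGES = [
    "From: Acme Store <orders@acme-store.example>\nTo: shop-acme@example.net\n"
    "Subject: Your order\n\nThanks for your order.\n",
    "From: Cheap Pills <x@spam.example>\nTo: shop-acme@example.net\n"
    "Subject: buy now\n\n...\n",
    "From: debian-user-request@lists.debian.org\nTo: list-debian@example.net\n"
    "Subject: [debian-user] help\n\n...\n",
    "From: Cheap Pills <y@spam.example>\nTo: sales@example.net\n"
    "Subject: buy now\n\n...\n",
    "From: Cheap Pills <z@spam.example>\nTo: undisclosed-recipients:;\n"
    "Subject: buy now\n\n...\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(classify(raw))
    print(leak_report(SAMPLE_MESSAGES))
```

Sorting on To:/Cc: alone is fooled by mail that reaches you as a Bcc, which is how a lot of spam arrives; if your MTA records the envelope recipient in a header such as Delivered-To or X-Original-To, that is the one to sort on, which is why the function looks there first. The leak check compares the sender's domain with the party an address was issued to, so a stranger writing to that address is the "who sold you out" signal the post mentions.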

  94. Exactly by KalvinB · · Score: 3, Insightful

    If you can send an e-mail anonymously, so can spammers. If spammers can't send e-mail anonymously, neither can you.

    The price of spam doesn't come anywhere near the value of privacy and freedom of speech. I happen to like the idea that should a need arise I can easily send an untrackable e-mail. I'm sure plenty of people in more intrusive countries already enjoy this ability.

    Click on the link in my sig for my method of dealing with spam, which is highly effective and doesn't destroy the privacy of the sender or cost money.

    Ben

    1. Re:Exactly by defMan · · Score: 2, Insightful

      Click on the link in my sig for my method of dealing with spam, which is highly effective and doesn't destroy the privacy of the sender or cost money.

      Good read. I don't agree with it though.

      I think that bayesian filtering and header interpretation do have a use. To make spam blocking based on the mail more effective it could be combined with the link/image checking that you propose.

      Maybe it can be added as a separate module to SpamAssassin.

    2. Re:Exactly by ars · · Score: 1
      I don't care if they forge the from address. But I DO care that they use mine!

      I get about 200 bounces a DAY because of people forging my domain name. Yes I can filter all messages from a daemon, but it doesn't work perfectly, and what about when I typo an address? I'll never see the bounce.

      So I think that there has to be some way of verifying that the sender had permission to use that from address.

      --
      -Ariel
    3. Re:Exactly by scambaiter · · Score: 1
      I once submitted the whole bouncing/faked header thing and what fellow dotters do against it as "ask slashdot", though Taco didn't think it's worth discussing this issue...

      I have seen my domains getting abused for forged headers several times over the last years, and I _really_ feel with you. From one day to the next your whole domain becomes useless from bounces and morons asking to unsubscribe them;) The only solution for me was to disable the catch-all feature offered by my hoster and wait. After some time you can try to enable it again and see if the domain still gets abused. The good thing about this is that you will actually get the bounces from your own mails. Won't work of course if Mr. Spammer is using some existing address of yours in his forged headers...

      btw: the funniest thing I have seen was getting spam to one mail address at one of my domains which had forged headers referring to another one of my domains. This really gives you a weird feeling...

      --
      sick of sigs... *sigh*
    4. Re:Exactly by jez9999 · · Score: 1

      Napalm is Not the Answer

      Your writeup seems to be rather over-obsessed on the privacy factor of e-mail, and how it can help those in wartorn countries or who are oppressed to communicate anonymously. You then charmingly tell those who don't want their inbox to be full of crap to 'get bent'. I think you should try and consider the other side's argument for a while.

      Although I think your idea of filtering based on spammers links is a good one, I'll turn the question on you: why does e-mail need to be anonymous? It's by no means the only form of internet communication, and if oppressed people need a way of communicating anonymously over the internet (they didn't have that until maybe 10 years ago, and how many genuinely impoverished people have internet access anyway?), they can use another means of communication. Instant messaging, IRC, etc.

      E-mail doesn't *need* to be anonymous, and the fact that it is just means that when it was invented, people didn't foresee asshole spammers ruining it for genuine users. Filtering links is a good method of catching spam, but a really guaranteed way of ending it would be to disallow forged headers. I get quite a bit of spam with *NO* commercial links in at all, it's amazing how many people are prepared to send out total useless crap to millions of people. Think about it. And if people needed to communicate anonymously, they could use a protocol other than SMTP.

    5. Re:Exactly by eugene+ts+wong · · Score: 1

      To add to what you just said, I consider it a big invasion of privacy when I have 100 emails just wasting my time each day. I honestly wonder what kind of privacy the other fellows are trying to protect.

      Do the other fellows post in newsgroups [or whatever they're called]? After all, if privacy is such a concern, then why doesn't somebody do something about that? Newsgroups constantly give out email addresses. My email accounts that receive the most spam come from addresses that were used in the newsgroups.

  95. Pursue technical and social fixes simultaneously by mattr · · Score: 3, Insightful

    Maybe Yahoo's idea will work, though it seems to be quite porous and more of a surveillance tool than an antispam measure.. in fact it is quite plausible that this is Homeland Security's wet dream and is being sold by Yahoo on their request (though that is more paranoid than we have to be).

    I have a concrete proposal at the end of this post so please read on.

    Anyway someone mentioned the tipping point and I am reading this after cleaning a thousand spams out of my mail folder so I am ready to consider lots of things.

    But one thing is definite about all this. If these guys were terrorists planning some horror and not just an army of rotten people bent on selling viagra and insurance, they would be shut down in a heartbeat. You can follow the money! (As many people have.)

    Note these datapoints:
    - Telemarketers don't like getting phone bombed, as Dave Barry launched retaliation against an association of them.
    - Spammers are in it for the money
    - Their clients pay because they want to sell something.
    - Their clients are living in meatspace and are allergic to publicity.
    - Spam is by definition, easy to get since so many are sent from each machine. (In fact I get too many to even reply with "unsubscribe" to them all).
    - We all see spam, but can't stop it because the spammers are laughing at us by endlessly transforming their campaigns. The helpless feeling I suppose is similar to terrorism in that there is a feeling of a nebulous enemy profiting by your openness, there is nothing to grab hold of.
    - People are willing to pay money to stop spam.
    - Homeland security (probably) and the NSA and similar national organizations (definitely), and telcos and isps (of course) are sitting in front of the big routers around the world. This information can be coordinated.
    - Some big organization wants a steganography analyzer built quickly (recent slashdot story)

    From this and a bit of blue skying and paranoia, I get:

    1. Spam, which is subtly personalized and includes photos and hyperlinks, could be used as a communications network by terrorists, so definitely falls under the national security bailiwick. Ditto for viruses and worms, though they are maybe too visible.

    2. Though maybe it is better to unlock the messages than to stop spam, from a security standpoint.

    3. Certainly it is possible to make transparent who exactly is sending spam, and how the money flows from their clients. Both by surveillance and of course just trying to buy some of their services.

    4. If it isn't illegal, they can't be put out of business and so long as they have clients, it is a "business opportunity".

    5. But by focussing the anger of thousands of people on each client and detected spammer, this lucrative business can be turned into a financially losing proposition.

    6. Finally, if we make it impossible for their clients to sell their wares, there will be no point to spamming. This suggests that rather than trying to secure all of the honest email, we should focus on removing spam from the network. I don't think blackholes work, however it is quite possible that a finer granularity and more intelligence might work. (See below)

    So I welcome technical fixes against spam but think they should more involve information sharing than an attempt to cryptographically secure the email network, since the power of email is fundamentally that it is so easy to use.

    I would propose that a group of people are selected around the world to manually go through their incoming email and note which emails are spam, preferably qualifying what type it is and using some simple tools to also note whether this is the work of nefarious arch-spammer types that play tricks on you, as opposed to honest mailing lists. It should be an open architecture which allows more than one organization to do the grading. Perhaps one will only filter porn, etc. I believe some large antivirus companies do something a little bit like this on an automated level to learn about thre

  96. Re:I am implementing on the 15 or so domains I adm by Anonymous Coward · · Score: 0

    Yes, you have failed it.

  97. Not really... by Trillan · · Score: 1

    In the world of spam, 50% effective is really a brief pause, followed by 0% effectiveness. This won't even make a dent.

  98. Re: the concept of SPF by WuphonsReach · · Score: 1

    Yes, you've missed the mark a bit...

    Under SPF (or other reverse-MX proposals), e-mail that is purporting to be from domain X has to come from a limited set of IP addresses (typically the official, mail admin monitored, virus-checking, maybe rate-limiting, SMTP servers for a domain).

    So in order for a spammer to spam someone using your actual e-mail address they have to:

    1) hack into your domain's outbound mail server and send e-mail from there (nothing new in this risk)

    2) hijack/trojan your machine or a machine in your organization and then route e-mails through the official SMTP server (same as what happens now, except that the mail admin is more likely to notice that customer 32432's account is sending gobs of e-mail)

    3) poison the DNS SPF information (tough attack to pull off, can be combatted and might lead to new security in the DNS system)

    4) spammer goes in search of a domain that doesn't have reverse-MX info and forges that domain onto their e-mails

    5) spammer starts to use throw-away domains at $X each

    #1 and #2 are the keys... SPF is designed to make it much more difficult to do domain forging or joe-jobbing.

    --
    Wolde you bothe eate your cake, and have your cake?
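
The check WuphonsReach describes, as an added example that is not part of the original post: a minimal evaluator for the ip4/ip6 mechanisms of an SPF record, with the records supplied inline (a constructed table standing in for the DNS TXT lookups; the domains and addresses are made up). It also covers case 4 from the list, a domain that publishes no record at all, which comes back as "none" and so gives the receiver nothing to reject on.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (a real evaluator queries DNS).
# Domains and addresses are made up for the example.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.25 ~all",
    "nospf.example": None,               # publishes no record at all (case 4)
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_host(client_ip, mail_from_domain, records=SPF_RECORDS):
    """SPF result for a connecting IP claiming MAIL FROM at mail_from_domain.

    Returns one of pass / fail / softfail / neutral / none.  Only the
    ip4, ip6 and all mechanisms are evaluated; include, a, mx and exists
    need further DNS lookups and are skipped here.
    """
    record = records.get(mail_from_domain)
    if record is None:
        return "none"                        # nothing published, nothing to check
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                continue                     # malformed term (a full evaluator returns permerror)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # ran off the end with no 'all' term


def receiver_action(result):
    """One common receiving policy for the result (not mandated by SPF itself)."""
    if result == "fail":
        return "550 reject"
    if result == "softfail":
        return "accept, tag header, raise spam score"
    return "accept"                          # pass, neutral, none


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example.com"), ("203.0.113.5", "example.com"),
                       ("203.0.113.5", "softfail.example"), ("203.0.113.5", "nospf.example")]:
        result = check_host(ip, domain)
        print(ip, domain, result, "->", receiver_action(result))
```

A receiver that rejects on "fail" stops the joe-job bounces ars complains about further up, but only for domains that publish a record ending in -all; "softfail" (~all) and "neutral" give it nothing firm to act on, and a domain with no record at all is exactly case 4 above, which is why the throwaway-domain route in case 5 stays open.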
  99. I use SpamAssassin by Spoke · · Score: 1

    If you've tried any of the great spam filters out there, you would have found out by now that they work great at filtering out the vast majority of spam. I use SpamAssassin. Others use PopFile. There's another half-dozen good Open Source spam filters out there which will get your email back. Maybe others can chime in with the filters they like.

  100. Re:I am implementing on the 15 or so domains I adm by Anonymous Coward · · Score: 0

    That's indeed your prerogative.

    However, the standards body (if you mean IETF) will probably take at least 2 years (if not 5) before they settle on a standard. At which point, the majority of folks will probably have implemented solutions that are "good enough".

    Have you been bugging the standards folks to get their ducks in a row faster? The ASRG's charter just changed again a week or two ago (pretty much without a vote and/or much discussion on the list).

    Not saying that Yahoo!'s proposal is good/bad, but as domains take steps to protect themselves against joe-jobbing, domains that don't will increasingly be forged onto spam e-mails.

  101. You're right, but.. by msimm · · Score: 1
    It hasn't been very serious and I believe the problem is a lot more fucking serious than this. I personally used Bluebottle.com until they got DDOS'ed so much they could no longer AFFORD to run their anti-spam services. Just think about that for a second. They were effective (white/grey lists, I never had a piece of spam) but because the spammers were so brazen and unstoppable they eventually caved in. Here's the notice from their website:

    "Important Notice
    Melbourne, Australia - 1 October 2003

    Bluebottle has found itself under constant attack from numerous sources over the past couple of months making it almost impossible to deliver spam free email to your account in a consistent and timely manner. We have therefore decided to cease offering protection for external accounts, and will be removing the verification protection from Bluebottle accounts.

    This has not been an easy decision to make but has been necessary in light of the delays currently being experienced in email delivery. Whilst work is still being performed to address these issues, as it currently stands, Bluebottle is unable to ensure the timely delivery of mail for Bluebottle accounts. You are certainly welcome to continue using your Bluebottle account, although no verification protection will be applied to inbound mail.

    We have done everything in our power to address these attacks although it has had little effect. We are obviously very disappointed that we cannot continue to provide you our service at this time.

    Bluebottle's email verification system is best provided in a distributed manner making it considerably more difficult for these attacks to be effective. We will therefore be making our software available to any service provider or enterprise to protect their end users from unwanted email, and by doing so make it a more secure solution given that it is provided in distributed environment.

    Please accept our sincere apologies for the inconvenience our decision will cause.

    For further information please contact;
    Robert Pickup
    Bluebottle Systems Pty Ltd
    61 407 528 349"

    You see? That's really pretty lame. While we sit around with our proverbial thumbs sticking up our asses spammers are STILL laughing all the way to the bank. The next interesting solution is a variation called TMDA (Tagged Message Delivery Agent). It looks like a great idea, only no one's really using it. Oh and it's hard as hell to setup and configure which might explain at least marginally why it's not being used more. And of course there's Spam Assassin and its Bayesian buddies, which are so far from an answer they are the next best thing to doing nothing!

    I know I'm ranting, but honestly, hasn't this gone on long enough? I think we need to change the way we look at email. Look at IM services or something else to provide a model. Not everyone should be able to send me their Barnyard Bonanza websites or their Raped 13 Year Olds video offers. It's fucking too much. I want a public address? Fine, let me mark it public. Let me set up a special account that can absolutely swim in pornography and viagra ads. But as a de facto standard? I'd have to be stupid, but oh well.

    I'm sorry if I'm stepping on anyone's toes. Honestly. But this has gone on long enough.
    --
    Quack, quack.
  102. This shit again.. by msimm · · Score: 1

    Is this a bad joke? It's like a hokey version of one of those white separatists saying the holocaust was an exaggeration. All it takes is one list, which gets traded or sold to people who trade and sell.. Use your imagination.

    Just because it hasn't happened to you doesn't make THAT news.

    --
    Quack, quack.
  103. These guys support EXIM.. by msimm · · Score: 1

    These guys support Exim, qmail, Postfix, Courier, and Sendmail. And as far as I can tell it IS the next best thing to sliced bread. It might not be a perfect answer, but it's a hell of a lot better than nothing. If you offer hosting let me know, I'd love to move my site over to a service that uses something more effective than Spam Assassin or Bayesian filters.

    --
    Quack, quack.
    1. Re:These guys support EXIM.. by CatPieMan · · Score: 1

      I would do hosting, except my hosting is done at my employer. It is a small company and my computer is doing secondary dns and backup mail server. The primary dns and mail server for the company is handling my backup dns and mail.

      So, I am not really in a position to offer hosting. Beyond that, my server would definitely melt if too much was done on it. It is an older sparc running linux (b/c solaris was just giving me too much grief) and definitely needs more ram.

      I have just been too lazy to add more ram/ruin my uptime (about 105 days right now).

      But, thanks for the link to the tmda, looks interesting and I will definitely check it out (always good to eliminate spam).

      -CPM

      --
      ---You're all I need, When the water runs deep, You're all I need, Now I cry my soul to sleep -- Collective Soul, Needs
  104. Limitations of committees by t0ny · · Score: 1
    If standards bodies could truly come up with anything important or useful, monopolies would not have to come into being through necessity. This is essentially a law of business nature- small companies are good for innovations, large companies are good for standardization and mature growth.

    This has been true of any enterprise, be it ship building, railroads, telephones, or computers.

    Before you start whining about monopolies next time, just think about the fact that the same telephone can work anywhere in the US, or that all electrical sockets in this country can likewise be used anywhere else in the country. Also consider the usefulness of anyone being able to go to a store and buy a piece of software for their computer.

    Standards bodies take way too long, and often don't produce useful results. Look at how long it took to make CD standards, or DVD standards, or (re)writable DVD standards. It may be annoying to early adopters, but it's often best to just let the market decide. It worked for VHS- how many people use Betamax?

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

    1. Re:Limitations of committees by Sipos · · Score: 1

      Look at Betamax. Betamax tapes were smaller, had better picture and sound quality and lasted longer but people use VHS. Why? Because Sony refused to licence Betamax to other companies so they were the only manufacturer. This is a great example of how proprietary standards get in the way. It is far better if the standards are open so companies have no financial incentive to choose inferior standards (like VHS). The case of rewritable DVDs is similar to the VHS/Betamax case but it was inferior standards that died

    2. Re:Limitations of committees by Ironica · · Score: 1

      Also consider the usefulness of anyone being able to go to a store and buy a piece of software for their computer.

      Wow, that would be useful. Too bad it's not like this currently for quite a number of people. Of course, folks running MacOS and Linux are often left out... but even those running Windows 95 and sometimes even 98 are finding themselves with fewer choices. And at least a couple years ago still, I couldn't walk into a store and buy a Windows version of Adobe Type Manager Deluxe... I had to order it online, no one stocked it.

      Look at how long it took to make CD standards, or DVD standards, or (re)writable DVD standards....It worked for VHS- how many people use Betamax?

      Quite a few, in the entertainment industry where quality matters. But anyway... how long did video stores have the VHS and Beta sections? As long as it took to develop the CD standards? I've only personally experienced one case where a "standard" CD didn't work in a particular player. This was back in 1989 or so, and it was apparently because it had more than 10 songs on it, and the customer's player couldn't cope with that.

      The fact is, CDs *are* standard, and without any monopolies, lock-ins, or lawsuits. DVDs also. Sure, my phone works in any RJ-11 socket in the US... but maybe I'm the only one here old enough to remember when you couldn't *buy* a telephone, you could only *rent* them from the phone company, and they were all ugly black things. Or the ridiculous charges for tone dialing. Or waiting patiently until 5:00 to call grandma in Oklahoma, because "business hour" toll charges were exorbitant.

      If you want to compare the length of time it takes to adopt a universal standard under the two models (private monopoly vs. standards body) you need to be careful about your starting and ending points. I don't think it's useful to stop the clock until you're at a point where *everyone* (provided sufficient start-up and operating capital, and skills) can develop for the standard. (In which case, if you want to call Wintel a standard, we're not there yet, since Microsoft still holds the key to the OS.)

      --
      Don't you wish your girlfriend was a geek like me?
    3. Re:Limitations of committees by Robert+The+Coward · · Score: 1

      Sorry, mark me offtopic, but Betamax tapes started at 1 hour long and never really hit the 8 hour mark. VHS was the 1st to make it to the 2 hour mark, something that gave VHS a boost. In the end it was Sony's control of lin. but the fact that Betamax was slow to enhance that killed Betamax.

    4. Re:Limitations of committees by t0ny · · Score: 1
      The time limitation was exactly what I was thinking of when I made my post; it wasn't inferior quality at all. People wanted to record longer; that was the selling point of VHS. Of course, it's pretty easy to see that whoever designed VHS was cherry-picking, but oh well, that's market forces at work. If Sony hadn't tried to squeeze the market so tight, Betamax would have won out. Cheap wins, but more importantly it's providing what your customers want.

      Didn't VHS go something like 12 hours at the lowest quality setting?

      --

      Manipulate the moderator system! Mod someone as "overrated" today.

    5. Re:Limitations of committees by t0ny · · Score: 1
      Nothing you said invalidates my point. It has been abundantly proven that monopolies are good for standardization, whereas having many players is good for innovation.

      But things really don't mature until there are very few players operating in the market. Look at the train industry: before the massive consolidation, all the rail lines were different widths. Likewise with the phone company. Electric power was different, since Edison pretty much kept that his own monopoly; much like Gates, Edison was a shrewd businessman who wanted to keep control over his innovations.

      MS still has some distance to go before they make computing a truly mature industry, but they are the only ones who are going to get us there. Once they start stagnating, the market will fragment again; I would surmise that at some future point, the OS is going to become a minor thing, and could probably go back to some kind of firmware (read-only does have many advantages, after all).

      --

      Manipulate the moderator system! Mod someone as "overrated" today.

    6. Re:Limitations of committees by Anonymous Coward · · Score: 0

      Apply butter to butt cheeks; pull softly; listen to the smacking sound. Breathe fresh air again!

  105. The ultimate solution to fighting spam by Gary+Destruction · · Score: 2, Interesting

    The ultimate solution to fighting spam is realizing that there is no perfect solution. We all know that no matter what we do, spammers find a way around it. So the issue is to stop looking for that so-called "ultimate solution" that's supposed to get rid of spam forever. If anything, it's going to take several different methods to eliminate spam and there's going to be some trial and error.

    And spam filters are a bandage over a sore that's being seriously neglected. I think the problem that people don't realize is that with spam, the client is limited to what he/she can do.

    Yahoo might be going against standards, but they are on the right track by trying to tackle the problem from server side.

    I think using AI would have some real benefits on mail servers. AI has the ability to learn. Filters on the other hand require reconfiguration to combat the ever changing spamaflouge.

  106. proprietary solutions by Tom · · Score: 2, Interesting

    I don't remember who this quote is from, or whether I remember it 100% correctly, but it's great:

    "To every challenging problem, there is a solution that is obvious, easy, and wrong."

    Proprietary stuff like this one usually is that solution, because not enough eyes looked at it. That's why so many software projects fail, and that's why peer-review is so important in science.

    Yahoo can't even teach their mailservers to play nicely with the rest of the world (they bounce when they should have rejected). I don't trust them an inch to patch sendmail or solve the spam problem.

    --
    Assorted stuff I do sometimes: Lemuria.org
  107. start killing spammers by Anonymous Coward · · Score: 0

    mod this troll if you want but this problem is very serious. If some idiot decides they can make money by polluting the water supply, you stop them. If they don't stop, you incarcerate them. To incarcerate them, you need an uncorrupt federal system and international cooperation - two oxymorons. If they're still polluting your drinking water, you shoot them. Lynch mobs are the only solution. If just one spammer in the US was (hideously and publicly) strung up, the level of spam would fall. For Europe, the same. In Asia and Russia, just make a cash deal with the mob(s).

  108. Filter bounced mail by KalvinB · · Score: 2, Interesting

    Mail servers that have the "nerve" to bounce mail do so in a predictable manner. Normally with a phrase such as "could not be delivered" or "rejected."

    Instead of freaking out, take the time to actually look at bounced messages and find tells so you can filter them out. Those 100% unique tells are there.

    "I'll never see the bounce."

    You will if you allow the tells your mailserver uses to pass through. Or give it a unique bounce message that gets past your filter.

    Trackable e-mail requires that everyone or no one do it. I'm certainly not going to. I have better ways to deal with spam. If you do it, you'll still be getting bounces from mail forged with your domain sent to mail servers that don't check.

    Like it or not, you need to deal with it. If you don't have enough control, fire up your own mail server that you do have control over.

    Ben

  109. Micropayments & E-mail by jmunkki · · Score: 2, Insightful

    Here's one system that I think could work:

    Each E-mail sent can optionally contain a micropayment, cryptographically tied to the receiver's E-mail address and the contents of the E-mail.

    When I receive E-mails, I can choose to ignore or simply spam-filter any E-mails with a value of less than X (I decide what X is).

    The default action is to return the micropayment to the sender, if nothing is done within a week (or a few days) of sending the E-mail. This way, sending payments to someone who is not part of the system will effectively be a no-op.

    The receiver has several possibilities:

    Ignore the payment (the sender eventually gets his deposit back)

    Return the payment immediately

    Collect the payment

    The way I would use this would be to collect the payment on any unsolicited commercial E-mails that I read (thus making sending SPAM cost money) and return/ignore all the payments from friends & other valid sources.

    You could still send E-mails with no monetary value, but they would be subject to strict filtering.

    I would probably set a filter limit of 5-10 cents/E-mail and only collect the money (if any) on real spam.

    The system would provide income to those who run the banking, because they would get the interest on the deposits made by E-mail users.

    At first, implementing something like this would have little impact on our E-mailing, because only a few people would be using the system. If it ever became widely adopted, we would have an E-mail system where sending spam is too expensive to be worthwhile and where regular E-mail would still be free (except for the loss of interest on the deposit made to send micropaid E-mails).

    1. Re:Micropayments & E-mail by Anonymous Coward · · Score: 0

      There are systems heading in this direction already, for example sudonames.com

  110. Yahoo might be doing us a big favor by 0x0d0a · · Score: 4, Insightful

    I don't believe this is proprietary. Yahoo is releasing a patch for Sendmail. AFAI can tell, while they're funding the dev work (because the spam rate is killing them), they aren't trying to milk this for more money.

    One major problem with standards groups is that people like Verisign are on most security standards groups. Verisign has extremely strong motivations to ensure that email uses a Web-like interface, where one purchases an (expiring) Verisign cert for each email server one runs. They have strong incentive to block competing solutions. If you want to come out with a good system that prevents existing folks from milking a market, both industry consortiums and standards groups are pretty much useless. You need to do what happened with PNG -- have a bunch of talented, aggravated engineers sit down, write up a technically good spec, and put out reference code. Later on, let standards committees follow what's in place.

    I can't figure out why replay attacks are an issue. I, personally, would suggest, off the cuff, including any To: or CC: lines in the message body (just for signing purposes, not actually sending either header in the body). This way, a replay attack would only allow resending the same email to the same destination from the same source. It's also pretty easy to include a timestamp, if folks are *really* concerned about replays.

    Yahoo is pretty much doing what ESR and RMS have been hoping for for years -- contributing to open source systems because there's an itch that needs scratching.

    Paul Vixie (disclaimer -- I don't move in his circles, and what I know about him is entirely secondhand) seems to be involved a great deal in politics, rather than technology. He leaves a bit of the same bitter tang in the mouth that Verisign does. He is, apparently, the source of at least some of the IETF objections. Vixie has also made a number of antispam statements that I tend to disagree with, including advocating mass blocking of mail servers on home email connections by netblock.
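The replay-prevention idea in the post above (cover the To:/Cc: lines and a timestamp with the domain signature, without actually moving the headers into the body) worked through as an added example. This is not code from the original thread or from Yahoo's toolkit; it is an illustration. Assumptions: the domain key is represented by an HMAC secret standing in for the domain's real signing key, the signature travels in a made-up `X-Domain-Signature` header, Date: is carried as a plain epoch integer for brevity, and the one-week maximum age is an assumed receiver policy.

```python
"""Bind a domain signature to the recipients and a timestamp so a captured
message cannot be replayed to a different destination or months later."""
import hashlib
import hmac
import time

# Constructed placeholder for the sending domain's key. A real deployment would
# sign with an asymmetric key; an HMAC secret stands in for it here (assumption).
DOMAIN_KEY = b"example.org-constructed-signing-key"
MAX_AGE_SECONDS = 7 * 24 * 3600      # assumed receiver policy: reject signatures older than a week

# Headers covered by the signature. Missing headers are signed as empty values,
# so adding a Cc: later changes the signed input just as rewriting To: does.
SIGNED_HEADERS = ("From", "To", "Cc", "Date")


def canonical_form(headers, body):
    """The byte string that is signed: lowercased header names with
    whitespace-collapsed values, then a blank line, then the body."""
    lines = []
    for name in SIGNED_HEADERS:
        value = headers.get(name, "")
        lines.append(f"{name.lower()}:{' '.join(value.split())}")
    return ("\n".join(lines) + "\n\n" + body.replace("\r\n", "\n")).encode("utf-8")


def sign_message(headers, body, key=DOMAIN_KEY, now=None):
    """Return a copy of the headers with a Date: (if absent) and the signature
    header added. Date: is an epoch integer here for simplicity (assumption)."""
    signed = dict(headers)
    if "Date" not in signed:
        signed["Date"] = str(int(now if now is not None else time.time()))
    mac = hmac.new(key, canonical_form(signed, body), hashlib.sha256).hexdigest()
    signed["X-Domain-Signature"] = mac     # constructed header name
    return signed


def verify_message(headers, body, key=DOMAIN_KEY, now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, reason). Fails on a missing or mismatching signature over the
    covered headers and body, or on a signed Date: older than max_age."""
    sig = headers.get("X-Domain-Signature")
    if sig is None:
        return False, "unsigned"
    expected = hmac.new(key, canonical_form(headers, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch"
    try:
        sent = int(headers["Date"])
    except (KeyError, ValueError):
        return False, "bad date"
    now = now if now is not None else time.time()
    if now - sent > max_age:
        return False, "stale"
    return True, "ok"


def demo():
    """Walk through the replay cases the post discusses; returns the reasons."""
    body = "Quarterly numbers attached.\n"
    original = sign_message({"From": "alice@example.org", "To": "bob@example.net"}, body, now=1_000_000)

    # Same message, same destination, shortly after: verifies.
    same_dest = verify_message(original, body, now=1_000_100)
    # Replay to another recipient: To: is rewritten but cannot be re-signed.
    redirected = dict(original, To="victim@example.com")
    other_dest = verify_message(redirected, body, now=1_000_100)
    # Replay with an added Cc: line: the empty Cc: was part of the signed input.
    with_cc = dict(original, Cc="list@example.com")
    extra_cc = verify_message(with_cc, body, now=1_000_100)
    # Replay to the original recipient much later: caught by the signed Date:.
    stale = verify_message(original, body, now=1_000_000 + MAX_AGE_SECONDS + 1)
    return same_dest[1], other_dest[1], extra_cc[1], stale[1]


if __name__ == "__main__":
    print(demo())
```

Because Date: is itself in `SIGNED_HEADERS`, an attacker cannot refresh the timestamp on a captured message either; the only replay the scheme still allows is the one the post accepts, the same message to the same recipients inside the age window.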

    1. Re:Yahoo might be doing us a big favor by scrytch · · Score: 1

      Vixie has also made a number of antispam statements that I tend to disagree with, including advocating mass blocking of mail servers on home email connections by netblock.

      Why not? You got a dynamic IP, I don't have any way of knowing whose it is from one moment to the next. Get a static IP or use the mail relay host you pay your ISP for. You really need to send mail direct to your home office from the road, use port 587, that's what it's there for.

      And if this is all too oppressive and regimented for you, go chat on freenet or tunnel your own VPN, have your own private internet. Communicate over Jabber. At this point, nothing can possibly stop you nor is anyone but the RIAA interested in doing so. Just know that your freedom ends at my router.

      --
      I've finally had it: until slashdot gets article moderation, I am not coming back.
  111. This is called SPF and is broken by 0x0d0a · · Score: 1

    This is called SPF. It has a number of security flaws and shortcomings. You can find my comments on it during the last few Slashdot SPF stories. During the last Slashdot discussion, someone brought up a new DoS attack that could be executed using it.

    I would *strongly* advise against implementing SPF. I consider the system fundamentally flawed, but even if someone can deal with that, at least some of the more glaring problems, like using DNS as a transport mechanism, should be fixed before anyone considers using it.

    The Yahoo approach (apparently PKI, need to read up on it) is probably more work to implement, but also probably fixes the problem properly.

    At the best, SPF is another hack that will grant a decrease in spam for a few months (and then leave cruft and mucked-up mailservers around for years and years to come).

  112. SPF is broken by 0x0d0a · · Score: 1

    I can't agree that SPF is particularly useful here.

    So in order for a spammer to spam someone using your actual e-mail address they have to:

    1) hack into your domain's outbound mail server and send e-mail from there (nothing new in this risk)

    Okay, fair enough.

    2) hijack/trojan your machine or a machine in your organization and then route e-mails through the official SMTP server (same as what happens now, except that the mail admin is more likely to notice that customer 32432's account is sending gobs of e-mail)

    Note that the only way a spammer would be forced to go through the local SMTP server is if *everyone* is properly implementing SPF everywhere. It only takes a single misconfigured server. Frankly, the problem of making SPF work Internet-wide is a superset of solving the open relay problem (i.e. ensuring that all mail servers that can send you mail are properly configured not to allow non-customers to dump mail through them). Solving the open relay problem provides all the benefits that SPF does. SPF hides the actual costs of its implementation with a lot of discussion of interesting features, but ultimately, it's not a particularly useful proposal.

    3) poison the DNS SPF information (tough attack to pull off, can be combatted and might lead to new security in the DNS system)

    This may be used in a positive (authorizing additional servers) or negative (deauthorizing authorized servers) manner. In the negative manner, it takes the form of a DoS. It is only hard to pull off for heavily-used mail routes (since only one lookup in a bazillion will actually generate a DNS query). It's still possible, and difficult and expensive to defend against, and a single success can have catastrophic results. It may also be used in a positive manner, to falsify SPF information. This is not particularly tough to pull off, as tools to automate the procedure will inevitably pop up shortly after folks start using SPF.

    4) spammer goes in search of a domain that doesn't have reverse-MX info and forges that domain onto their e-mails

    Another flaw in SPF. Much like the open relay problem, it requires *correct implementation Internet-wide* to work without holes. Every time someone's proposed a security system based on this, it has failed.

    5) spammer starts to use throw-away domains at $X each

    Trivial issue to bypass. Spammers frequently lose their accounts after a spam incident, which means they have to pay for a throwaway account. That's $20-$40. A throwaway domain adds only $10 to that cost. It just isn't significant -- spammers make more money than that per spam run.

  113. Definitely NOT by Jesrad · · Score: 2, Interesting

    The spam issue must be solved, whether by social, technological, legal or whatever else means, or a combination of these.

    The sad truth is, there will always be jerks willing to engage in self-profitable activity at the expense of others, and to some extent this activity is what we call crime. There are three prerequisites for it, which are:
    - intent (you know it's bad, but you don't care)
    - gain (outweighing the cost / risk)
    - occasion

    This last one you completely overlooked. Why do you think locks exist? Why do you think most countries ban civilians from owning firearms? Because that will reduce the number of occasions someone has to commit crime.

    --
    Maybe we deserve this world ?
  114. Because it has security issues by 0x0d0a · · Score: 1

    This approach has already been proposed in the form of SPF. While theoretically, with some additional infrastructure (modifications to both DNS and more significant modifications to mail servers), it's probably possible to do this in a secure manner, the approach SPF advocates is easily defeated. It also introduces reliability and performance issues.

  115. Invention of CSS by KjetilK · · Score: 1

    CSS/Text came from [Microsoft]

    Huh?!? AFAIK, CSS/Text was invented by Hakon Wium Lie, now CTO of Opera, in 1994. Or what do you mean by CSS/Text?

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  116. Re:inertia (vs pain) by Anonymous Coward · · Score: 0

    Frankly, I got about 1/3 of the above.

    I use PostCastServer from my static-IP DSL to send Emails thanks to a flaky ISP E-mail server. I'm just concerned that I'll be shut out of being able to, quite legitimately, send E-mails and end up having to go back to getting 50% of my E-mails returned after 3 days as undeliverable.

    On receiving them, my whitelist and Bayesian filter do fine.

  117. Missing the big picture by dnoyeb · · Score: 5, Insightful

    First let me say I agree with your premise. I have never received an anonymous delivery, email or otherwise, that I desired.
    But let me show the fallacy of Yahoo's actions.

    Yahoo's step 1 is to reject forged headers. Forged headers were just made illegal by the Bush administration IIRC. I completely approve.
    Yahoo's step 2 is to force a signature on every email by the server. Interestingly, step 2 removes the need for step 1 and makes you wonder if step 2 is their real desire. Note that a solid step 1 also removes the need for step 2, given that open relays are shut down.

    This is where I disapprove.

    This proposes the same problem as DRM. Who controls which signatures are accepted? Once again we are right back with Verisign, et al. So unless your server has a PURCHASED KEY from verisign, or the like, your server won't be sending email to yahoo or any of the ISPs that adopt this.

    I promise they won't be suggesting PGP either. And so the spiral begins. Yahoo sells the rights to the certificates it will accept on a yearly basis. Verisign subsells this right in the form of the infamous certificate chain.

    So what if the code is free, the certificates are not!

  118. Re: Reverse MX systems by kryps · · Score: 1

    And most important: Once SPF is widely adopted mail administrators can disallow mails from domains with no reverse-MX. If e.g. Yahoo, Hotmail and AOL chose to do this the remaining unwilling sysadmins will be forced to upgrade.

    -- kryps

  119. Great idea by EmagGeek · · Score: 1

    Ignores standards bodies - that's the first good thing - get the politics out of spam control... especially since a lot of the spam I do get is from the people trying to sell their anti-spam wares...

    I get about a dozen emails per week from McAfee... subject may as well read 'Tired of getting spam from us? Pay up and we'll stop!'

  120. Whitelist with a twist by Anonymous Coward · · Score: 0

    Ok, I admit I don't know much about this subject, but maybe this thought has some merit, maybe not.

    To send an email to someone, you must put a certain word or words in the subject line. The twist is that the word is obtained by looking at a picture that describes the word. So say there is an email address on a website, above that email address is a cartoon picture of a dog, to get the email to that person the word "dog" must be in the subject line. For any email that does not contain the word "dog" in it, an automated response is sent back to the sender with a message showing the picture of the dog and asking that this word be placed in the email subject to get the message through successfully. This works on the principle that computers have yet to attain certain abilities humans do, like pattern recognition of images.

    1. Re:Whitelist with a twist by Corrupter · · Score: 1

      This is a pretty good concept, though I think in actual implementation it becomes difficult. For example: where the receiving engine is looking for "dog" a sender may look at the picture and type "hound", or "beagle", or "pet" or whatever. Then it would become a guessing game.

      Perhaps the answer to this entire problem is not a technical issue at all... spam is merely an extension of "junk mail" as email is an extension of snail mail. The difference with unsolicited snail mail is that we just throw it out if we are not interested and the volume doesn't seem to overwhelm us, because direct mail costs money and there is a self-balancing system in place.

      That is what we need for Spam. Perhaps we should just all respond to our spam! Click on the URL for overseas meds and order a dumptruck load and use all 9s for the credit card number. After millions of responses for zero revenue the incentive may go away!

  121. Bravo by objwiz · · Score: 1

    The price of spam doesn't come anywhere near the value of privacy and freedom of speech

    Could not have stated it more elegantly than that....

  122. ... and how your friends will make it useless by KlaymenDK · · Score: 1

    1) Make new address.
    2) Give it to trustees.
    3) Dumbass trustees send you a SpamGateGreetingCard using your new address (because the picture is so cute, and they get a freebie animated GIF).
    4) SpamGateGreetingCard propagates your address to the scum of the planet.
    5) Sucks to be you!

  123. You missed one. by schon · · Score: 1

    (D) It is a simple measure to simply throw out any email that is not signed.

    Yes, but the ISP is still paying for the bandwidth to receive (and then bounce) said email.

    If you don't bounce, spam still costs the same amount. If you do bounce unsigned emails (as the RFCs say you must), then the cost of spam to you doubles.

    Then you have to take into account that spammers will just buy a cert and keep spamming. So what if the cert gets revoked (IF it gets revoked) - they'll just buy another one.

    As a mail server admin, I don't think I'll be implementing this any time soon. It will be a pain in the ass, will cost me money, and won't stop spam.

  124. Funny, I was just thinking about this yesterday. by ectoraige · · Score: 1
    The main problem with this is the private key being delivered in the email header. Given the effort of spammers to create spam-engine trojans, without the emails themselves also being encrypted, this is a serious concern. Admittedly I've only read a few low-tech articles on the subject, so maybe I'm reading the situation incorrectly.

    Anyway, I was just thinking of a scheme last night to verify the origin of emails.

    The idea is that a domain holder runs a server which maintains an index of valid emails for that domain, which receiving servers may verify a message against.

    In summary, this is how it would work:
    1. The domain holder adds a DNS record which identifies his index server(s). Let's call it a MI (Mail Index) record for now.
    2. When a user sends an email, his client creates a checksum of some sort, and uploads that checksum to the index server. The user must authenticate himself to the index server, either with username+password, certs, or whatever.
    3. When the recipient mailserver receives the message, it checks to see if there is a MI record for the sender's domain. If so, it creates a checksum of the message, and queries the index server to see if such a message exists, and rejects it if it has not.

    Now to expand on the above points.

    1. The MI record: In reality, this would be a TXT record of some sort, no need to rewrite DNS. If a domain holder does not run this service, it does not interfere with SMTP delivery of his emails. It does allow the recipient to discriminate against them, but that is the recipient's prerogative.
    2. The user authentication: The manner in which the checksum gets added to the index is by and large irrelevant, and may not actually be done by the client at all. If, for example, the outgoing mailserver already authenticates the sender, then it would be the mailserver itself which adds the checksum to the index. Also, given that corporate networks often add disclaimers to the message, it would be impossible for the client to create a checksum for the message body. The key thing is that once the email leaves the control of the domain holder, its checksum will reside on the index server. This allows maximum flexibility, as users whose ISP restricts port 25 can still participate. This is the main weakness in the method of publishing 'authorised' server lists.

      It is, of course, vital that the checksum be added to the index *before* the mail is sent.
      The checksum should be held on the index server for a certain amount of time, maybe 5+1 days, or whatever the RFCs say about max delivery attempts.
    3. The verification: Ideally this would be carried out by the recipient's mailserver. This verification need not be done during the SMTP transmission, again, this is really up to the policy of the recipient, and might be left to spam scanners. The important thing though is to try to validate it as soon as possible, before the checksum expires on the index server.

      The end-user *could* carry out the authentication himself, should his ISP not support it for example, but this would not be ideal.

      When verifying, the index server would be queried with the checksum, and optionally the current datetime.

      The option to include the current datetime is to allow end-users' email clients/spam filters to carry out the check. Since somebody may have been on holiday for a week, the checksum will have expired before the client checks it.

      For this reason, the client should only check those emails which have a date less than the expiry time. Should the local clock be slow however, this would lead to expired mails being checked. By including the current datetime, the index server can detect an offset, and respond with a positive should the client be too far behind. It is of course imperative that the index server have the correct time.

      Mailservers would normally have no need to worry about this, so the datetime would not be included in their request.
    --
    Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
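The Mail Index scheme from the post above (MI record, checksum registered before sending, recipient-side query, retention window and the slow-client datetime rule), carried through as an added example. This is illustrative code and not the poster's implementation. Assumptions: the index server is an in-memory object rather than a network service, the MI DNS TXT lookup is a constructed dictionary, the checksum covers sender, recipients, date and body (the post leaves the exact fields open), retention is the post's "5+1 days", and the five-minute clock tolerance is a made-up threshold.

```python
"""Mail Index (MI) verification: the sender's domain registers a checksum of each
outgoing message with its index server before sending; the recipient recomputes
the checksum and asks that index server whether such a message exists."""
import hashlib

RETENTION_SECONDS = 6 * 24 * 3600   # the post's "5+1 days" retention window
CLOCK_TOLERANCE = 300               # assumed: a client reporting a time this far behind is treated as slow


def message_checksum(sender, recipients, date, body):
    """Constructed checksum over the fields a forger would have to reproduce.
    In the post's design the last hop inside the sending domain computes this
    (corporate footers may change the body after the client sees it)."""
    h = hashlib.sha256()
    h.update(sender.lower().encode())
    h.update(b"\0")
    h.update(",".join(sorted(r.lower() for r in recipients)).encode())
    h.update(b"\0")
    h.update(str(int(date)).encode())
    h.update(b"\0")
    h.update(body.encode())
    return h.hexdigest()


class IndexServer:
    """In-memory stand-in for the domain's index server (assumption; the post
    does not fix a wire protocol)."""

    def __init__(self):
        self._entries = {}   # checksum -> registration time

    def register(self, checksum, now):
        self._entries[checksum] = now

    def expire(self, now):
        """Drop checksums older than the retention window."""
        self._entries = {c: t for c, t in self._entries.items() if now - t <= RETENTION_SECONDS}

    def query(self, checksum, server_now, client_now=None):
        self.expire(server_now)
        if checksum in self._entries:
            return True
        # The post's rule for end-user clients: if the client's clock is far
        # behind ours it may be checking a message whose entry legitimately
        # expired, so answer positive. Note this is fail-open for a client
        # that misreports its time; the post does not address that case.
        if client_now is not None and server_now - client_now > CLOCK_TOLERANCE:
            return True
        return False


# Constructed stand-ins for the MI TXT record lookup and the servers it points at.
MI_RECORDS = {"example.org": "mi.example.org"}
INDEX_SERVERS = {"mi.example.org": IndexServer()}


def lookup_index_server(domain):
    """Return the index server named by the domain's MI record, or None."""
    host = MI_RECORDS.get(domain)
    return INDEX_SERVERS.get(host) if host else None


def outbound(sender, recipients, date, body, now):
    """Sending-domain MTA: register the checksum BEFORE the message leaves."""
    idx = lookup_index_server(sender.split("@")[1])
    idx.register(message_checksum(sender, recipients, date, body), now)


def inbound_verify(sender, recipients, date, body, now, client_now=None):
    """Recipient side. 'no-mi' when the sender domain publishes no record (the
    post leaves that to local policy), otherwise 'accept' or 'reject'."""
    idx = lookup_index_server(sender.split("@")[1])
    if idx is None:
        return "no-mi"
    ok = idx.query(message_checksum(sender, recipients, date, body), now, client_now)
    return "accept" if ok else "reject"


def demo():
    """Genuine mail, a forgery using the same sender, a domain without an MI
    record, an expired entry, and an expired entry queried by a slow client."""
    t0 = 1_700_000_000
    outbound("alice@example.org", ["bob@example.net"], t0, "hello bob\n", t0)
    genuine = inbound_verify("alice@example.org", ["bob@example.net"], t0, "hello bob\n", t0 + 60)
    forged = inbound_verify("alice@example.org", ["bob@example.net"], t0, "buy pills\n", t0 + 60)
    no_record = inbound_verify("carol@other.example", ["bob@example.net"], t0, "hi\n", t0 + 60)
    late = t0 + RETENTION_SECONDS + 1
    expired = inbound_verify("alice@example.org", ["bob@example.net"], t0, "hello bob\n", late)
    slow_client = inbound_verify("alice@example.org", ["bob@example.net"], t0, "hello bob\n", late, client_now=late - 3600)
    return genuine, forged, no_record, expired, slow_client


if __name__ == "__main__":
    print(demo())
```

The `forged` case is the one the scheme is built for: a message carrying alice's address that never passed through example.org's outbound path has no entry in the index, so the recipient can reject it without any shared key between the two domains. The `slow_client` case shows the cost of the post's datetime rule, which turns an unverifiable message into an accept.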
  125. Next Level of filtering: the body and tags... by Corrupter · · Score: 1

    The next level for filtering is looking at the body of the incoming messages and excluding any html formatted messages (first), any containing graphics in the body (second), and then applying common word filters (such as .biz, PeNiS, enlargement, pills, meds, nigeria, etc.).

    Works almost to the extreme. Just a few sendmail hacks and you are there.

  126. eye for an eye by nazsco · · Score: 1

    I SMELL DDoS!!! Kill 'em all!

    Why not? They're sending you unrequested data, so, just send them unrequested data. :)

    You're being as wrong as they are, but at least they asked for it. If servers that allow spam keep falling, fewer and fewer servers will be so misconfigured as to allow it.

    1. Re:eye for an eye by AoT · · Score: 1

      Sometimes I think we should give all those spammers what they're really asking for and get everyone to start clicking *ALL* the links they get. That'd be a DDoS. And it wouldn't even be remotely ethically or legally wrong. Hmm I'm going to have to work this out.

  127. My solution by praedor · · Score: 1

    Just DO IT already and switch to IPv6. Everyone who has a net connection gets an IP address that is theirs. They send spam, it is identifiable as being from Joe Blow's IP address. Go have a talk with Joe Blow, perhaps with a baseball bat (to emphasize certain talking points, you understand).


    --
    In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
  128. MITM attack? by CmdrTHAC0 · · Score: 1

    "Instead of sending the whole email content - and with it the ability to falsify email header information, why not just send the email header only - and require the originating server to hold the email content?"

    I thought about this once. How do you ensure that the person coming back to get the mail off the originating server is indeed the person to whom the mail was sent? I don't think any certificate-based scheme is the answer, because key management is so complicated. At least in their current incarnations. (If there was something as simple as ssh-keygen that also posted the public key to the ISP, it might be workable. But there isn't, and there's the question of mail client support.)

    Regarding the "It shows your IP address" that mabu pointed out, wouldn't it be trivial to proxy the "get the content" message through the ISP's MTA?

    --
    __CmdrTHAC0__
    In Soviet Russia, Spanish Inquisition doesn't expect YOU!!
  129. Spam has been a problem for TOO long by Anonymous Coward · · Score: 0

    I, myself, welcome our new Yahoo Overlords. Something - anything needs to be done to combat this, and first and foremost should be a technical solution. Therefore, if standards bodies are unwilling or unable to stop the endless flow of offers of penile enlargement or whatever the hell that shit is (I don't know, Outlook 2003 does a nice job of breaking HTML messages), someone should be. And by delivering software that plugs into sendmail, yahoo isn't trying to make money on shipping some new revolutionary spam filter, they are trying to help the community as a whole.

    those are my 2 cents

  130. parent is clueless or troll by jbellis · · Score: 1
    Read the SPF FAQ if you're curious about why his so-called DOS attack isn't a problem.

    The SPF guys are pretty clueful. There's a large number of smart people who have spent a lot of thought on it; they haven't missed anything obvious.

    1. Re:parent is clueless or troll by 0x0d0a · · Score: 1

      Read the SPF FAQ if you're curious about why his so-called DOS attack isn't a problem.

      You're misunderstanding the nature of the spoofing we're discussing -- it's attacking DNS, not the SMTP spoofing that the SPF people are using as a straw man. No hacker is going to look at this and say "gee, let's attack SMTP". While, yes, theoretically you could attack SPF by spoofing SMTP, it is also non-trivial in that it will probably require many attempts to succeed for a single email. There is little reason for a spammer to try spoofing SMTP, however, when the infinitely easier to spoof DNS is considered a trusted system by SPF, and caching provides for many, many successes for a single attack. Read one of my past enumerations of the issues in SPF if you want a larger list of breakages.

      The SPF guys are pretty clueful. There's a large number of smart people who have spent a lot of thought on it; they haven't missed anything obvious.

      I disagree. I've looked at their documents, and they have the ring of knowledgeable network engineers with absolutely zero background in security (paradoxical as that sounds). And I've pointed out a number of flaws in the protocol with an off-the-cuff reading. There are probably more subtle problems that would require some good security folks a bit of pondering to turn up.

      If you still feel that I'm "clueless or troll" after reading the document I linked to, I'd be interested in hearing what, exactly, you think I'm wrong about.

    2. Re:parent is clueless or troll by Anonymous Coward · · Score: 0

      So what if you had a sender verification system that only used DNS to look up the IP address of the server(s) for the domain in question? From there, everything happens over TCP which is relatively hard to spoof without being a man in the middle.

      These methods do exist, but things like SPF are best known because they are relatively cheap to implement. You just slap some stuff in your zone files and a little perl/milter/plugin/whatever glue in your MTA and you're there. That's why it's so tempting.

      In short, many people are blinded by the apparent simplicity, and are completely missing objections like yours.

    3. Re:parent is clueless or troll by Anonymous Coward · · Score: 0

      So DNS has security problems? Wouldn't that affect the security of e-commerce, unencrypted email, VPNs and just about everything else? YES, which is why people are still working toward widespread adoption of DNSSEC.

      The security of the domain name system is not an SPF problem and you sir are a cretin or a troll.

  131. as I posted above by jbellis · · Score: 1

    this guy is clueless or a troll. if clueless, it's simple to educate yourself about spf instead of trying to look smart when you aren't.

    1. Re:as I posted above by 0x0d0a · · Score: 1

      And as *I* posted above, instead of simply claiming that I'm wrong, I'd be interested in seeing whether you can refute any of my points instead of simply calling me a troll.

  132. A list of acceptable senders isn't enough ? by R1ch4rd · · Score: 1

    If everybody used a list of acceptable senders, I doubt there would be much space for spam. Most other solutions would require some form of central control, which I'm against.
    The only issue is with mail coming from people you don't have in the address book yet.
    I guess the combination of a private and a public e-mail account is the solution we all use given the technology now.
    Couldn't this be a solution for everyone? OK... at least most :)

  133. Will Yahoo! clean its own house at any point? by Anonymous Coward · · Score: 0

    =v= Yahoo! has a massive problem on its hands. Porn spammers have created hundreds of Yahoo! IDs and subscribed them to an unknown number of "open membership" Yahoo! Groups. They sit there, lurking, until one day they spam the groups. The groups' moderators never know until after the damage is done, at which point they can unsubscribe the ID, but another one's already there to send the next spam.

    This problem could be solved by tracking down the IDs who've done this and seeing what others are related (e.g. by creation date, IP address, etc.), and either turning them off or putting them on some sort of individual probation. Yahoo! can do this, and indeed are the only ones who can do it. But they instead pass the buck to the unempowered moderators.

    So instead they're trying to deploy Yet Another key system?

  134. SpamCon 2004 mentioned in BW article by Anonymous Coward · · Score: 0

    Anyone going to SpamCon 2004? It's in Boston and it's free. Wonder if they have a "spot the spammer, win a T-shirt" contest.

  135. Ignoring existing standards? by mwood · · Score: 1

    How exactly is this better than SMTP STARTTLS, which is already standardized and widely available?

  136. I don't know what Yahoo was thinking! by raehl · · Score: 1

    Everyone knows that tech standards should be written by Intel.

    What makes something a standard is many people choosing to accept it. Most of the buses in your PC, and probably your instruction set as well, are standards essentially propagated by Intel. If Yahoo and AOL want to get together and say "Hey, this spam thing sucks, we're going to do this, and who's with us?" what's wrong with that? Probably tons more effective than a standards body trying to convince them.

    If the standard sucks, then don't use it.

  137. Make it an RFC... by tiger99 · · Score: 2, Insightful

    To get this accepted they simply have to raise an RFC, like any other piece of Internet technology. It will take its course from there, according to the democratic will of the majority, if it is any good. It is far quicker and cheaper doing that than involving a standards body. IIRC no standards body was involved directly in the creation of TCP/IP, HTTP or any of the things we use every day.

    The fact is that anyone can raise a new standard, it will have to do something useful or it will simply be ignored, but it is hardly difficult to get the process started, by raising an Internet Draft, and in a case like this it should only take a few months to become a standard. The IETF work much more efficiently than any commercial standards body that I know of. The process is documented at ftp://ftp.isi.edu/in-notes/rfc2026.txt amongst other places, and surely must be the correct procedure to use. Who cares about ANSI, or BSI, or CENELEC, or any of these bodies that sell you a few pages of copyrighted standard for silly money? The RFCs are published for everyone to use, which is why the net works as well as it does, despite the efforts and intentions of some, such as the Convicted Monopolist (had to get him in somewhere..), to "de-commoditise the protocols".

    There is no reason why they can't raise an Internet Draft right now and start using the thing, people can then follow the Draft at their own risk of having to do more work if it changes.

  138. Typical by KalvinB · · Score: 1

    "tell those who don't want their inbox to be full of crap to 'get bent'."

    If that were in any way shape or form an accurate representation of my ideas then why would I be plugging an idea which gets rid of spam?

    I'm telling those who want to destroy privacy and/or cause massive collateral damage by blacklisting more innocent IPs than spammers in their pursuit to block spam to get bent. There's a big difference you're apparently too illiterate or too much of a troll to understand.

    Most likely both. It's a method commonly used on the internet to flat out lie about what people have to say in the hopes that people will simply assume they aren't full of shit (which you are) and not bother to read the source material for themselves.

    This is Slashdot after all. Nobody reads the article.

    "I think you should try and consider the other side's argument for a while."

    You obviously have no clue which side I'm arguing. It's the sensible and effective side to blocking spam. Apparently you want me to consider the nonsensical and ineffectual methodology to blocking spam.

    And I did. I pointed out it's ineffectual and nonsensical.

    Ben

    1. Re:Typical by jez9999 · · Score: 1

      What's this? I read your entire article and offer some constructive criticism, and you can do nothing but call me full of shit. People might listen to you a bit more if you tried to argue your points with less vulgarity.

      But, seeing as the discussion's been dragged down to this level: Fuck you, moron.

  139. How this method stacks up by ttul · · Score: 1

    The Anti-Spam Research Group (ASRG), which is a working group within the IETF, has specified a list of requirements that any successful "universal" anti-spam solution must have (http://www.ietf.org/.../asrg-5.pdf). Let's see how Yahoo's approach stacks up:
    • must minimize unwanted messages -- probably
    • must not affect delivery of wanted messages to the detriment of normal email -- probably
    • must be easy to use -- for the end user, yes, but for organizations no (cryptography is a hard problem to solve right)
    • must be easy to deploy, incrementally -- difficult to deploy because everyone has to upgrade their mta
    • must not depend on universal deployment to be effective -- rats! Yahoo's system doesn't work very well unless everyone buys in
    • must not reduce privacy -- cryptographically signing emails means less privacy
    • must have minimal administration overhead -- Yahoo's solution requires maintaining a cryptographic framework, which is difficult
    • must have minimal computation and bandwidth overhead -- how costly is it to sign each message? on busy servers it's very costly
    • must consider the threat and be robust in the face of such threats -- not sure about this one...
    • should consider how legal issues affect, support, or constrain the technical solution -- crypto is illegal in some countries

    1. Re:How this method stacks up by Anonymous Coward · · Score: 0

      must have minimal computation and bandwidth overhead -- how costly is it to sign each message? on busy servers it's very costly

      Less costly than the amount of spam we handle. Our filters discard roughly 97% of all email (on spam filtered accounts) that comes in. We have 3 servers dedicated to running those filters. We are a regional (20 odd counties, mainly rural ones) ISP. We also have to put a significant chunk of our bandwidth toward receiving this garbage (as a connectivity provider, most of our usage is inbound, not outbound).
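
Added illustration (not Yahoo's toolkit, and not any real library) of the domain-key mechanism ttul's checklist and the reply above are weighing: the sending domain signs selected headers plus the body, publishes its public key in DNS, and the receiver fetches that key to verify. It assumes a Python dictionary standing in for the DNS lookup, textbook RSA with runtime-generated primes (no padding, `random` rather than `secrets`) so it runs with the standard library only, and made-up domains example.com/example.net and selector name s1.

```python
import hashlib, random

def is_probable_prime(n, rounds=16):   # Miller-Rabin; n is assumed odd and > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full length; model only
        if is_probable_prime(p):
            return p

def gen_keypair(bits=512):
    """Textbook RSA pair (e, n), (d, n): no padding, so a model of the scheme, not for real use."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:       # e must be invertible mod phi
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def digest(headers, body):
    """SHA-256 of the signed headers (fixed order, trimmed) plus the trimmed body."""
    head = "".join(f"{k.lower()}:{headers[k].strip()}\n" for k in ("From", "To", "Subject"))
    return int.from_bytes(hashlib.sha256((head + body.strip()).encode()).digest(), "big")

def sign(headers, body, priv):
    d, n = priv
    return pow(digest(headers, body), d, n)

def verify(headers, body, sig, dns, selector="s1"):
    """Look the From domain's key up in (simulated) DNS; no published key means unverifiable."""
    domain = headers["From"].rsplit("@", 1)[-1].strip("> ")
    key = dns.get(f"{selector}._domainkey.{domain}")
    if key is None:
        return False
    e, n = key
    return pow(sig, e, n) == digest(headers, body) % n

PUB, PRIV = gen_keypair()                    # constructed sample: example.com's key pair
DNS = {"s1._domainkey.example.com": PUB}     # stand-in for the record published in DNS
MSG = {"From": "alice@example.com", "To": "bob@example.net", "Subject": "Hello"}
BODY = "Meeting at ten.\n"
SIG = sign(MSG, BODY, PRIV)
```

Altering the body or the signature makes verify return False, as does a From domain that publishes no key; that last case is why the scheme can say nothing about mail from domains that have not deployed it, which is the buy-in point raised above.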

  140. one word : ebay by Anonymous Coward · · Score: 0

    I get about 20 spams/day (stopped at the corporate quarantine for email) and about 10 legitimate emails/day (almost all internal and hence easy to see). The only place that my email has been public is Ebay - and the increase in spam correlates with my purchase of a fountain pen there, so I'm almost certain that harvesting via Ebay is the main source of my spam. I have given email out to some companies, but I don't think I've gotten spam because of them. I don't have a blog or a web page, so they aren't sources of spam, and I don't think I'm on a web page with email exposed. (It could also be through Yahoo, but I don't check that much, and they're good about spam sorting).

    It doesn't take much to get significant spam now - for me, once was enough. Your comments may be more true of real mail, where barrier to entry and cost of mailings are higher, but for spam it doesn't seem to take much effort/error to get a lot of spam.

  141. Small businesses? by tepples · · Score: 1

    I agree that certs at the domain level are probably reasonable

    Would you rather pay $400/year for an e-mail sending certificate (assuming similar pricing to Veri$ign's SSL certificates) or give up the right to send MAIL FROM your small business's domain?

  142. Re: Reverse MX systems by WuphonsReach · · Score: 1

    FYI, AOL already does reverse-MX whitelisting. If your domain sends a large volume of e-mail into their system, you have to list the IP addresses of your outbound mail servers with them. (Otherwise the mail gets dropped to /dev/null.)

    AOL's probably interested in SPF mainly because it means they won't have to do all of the manual processing that they do now. At least, they won't have to manually keep track of domains and outbound IPs. (Instead, they'll just query the SPF record for the domain.)

    Backing of the large ISPs will definitely do a lot to either make/break any of the source verification systems such as DomainKeys or SPF.

    --
    Wolde you bothe eate your cake, and have your cake?

  143. Typical Troll by KalvinB · · Score: 1

    It's a lot less trollish if you actually address the argument I was making instead of arguing against things I never said.

    If you want to argue that I'm wrong for saying the grass is pink when I actually said it was green then you're going to have to go at it alone.

    You're an idiot. You offered nothing constructive and simply accused me of saying things I didn't say.

    Don't act all shocked I wasn't fooled. Unlike you, I know what I said in the article.

    Did you think I forgot? I'm the one who wrote it.

    Ben

  144. Nobody's privacy is infringed by KalvinB · · Score: 1

    if you post your info publically.

    Anything you post in a newsgroup/on-line is public information.

    Nobody is forcing you to use a valid e-mail address for those things. And you have no expectation of privacy with newsgroups.

    Ben

    1. Re:Nobody's privacy is infringed by eugene+ts+wong · · Score: 1

      Nobody is forcing you to use a valid e-mail address for those things.

      Yes, agreed. I just wish that this was emphasized a bit more. When I started on the Internet several years ago, I didn't think in terms of having several email addresses. Maybe there were disclaimers. If so, I must have skimmed through really quickly.

      I suppose that my view could be summarized as let people know using large text & force them to see it, or don't show their addresses.

      People might argue that it's not the admin's or the group's fault, nor is it their responsibility, but you know what? Just as there is a sucker born every minute, there is also an uninformed non-technical user born every minute. If people want them to accidentally give out their address unknowingly, then the best solution is to do nothing. The way I see it, people are getting suckered in, & we are suffering as well.

  145. Re:inertia (vs pain) by Robert+The+Coward · · Score: 1

    Too fast. I could see 2 to 3 years, but just stage 1 could reduce false positives for those users who support the tech.

  146. Re:Pursue technical and social fixes simultaneousl by Anonymous Coward · · Score: 0

    I would propose that a group of people are selected around the world to manually go through their incoming email and note which emails are spam, preferably qualifying what type it is and using some simple tools to also note whether this is the work of nefarious arch-spammer types that play tricks on you, as opposed to honest mailing lists. ...

    An ISP subscribing to one or more of these realtime email filters (only a blackhole at the single email level) would be able to refuse acceptance of the email. ...

    If a distributed quick response system is implemented (it seems pretty simple technically) we could effectively neutralize an outgoing spam stream within minutes or even seconds of its beginning.

    Sounds like you invented the DNS Blacklist. If distributed response is what you're looking for, you've got DCC and Vipul's Razor on the free side, and Brightmail on the commercial side.

    Neutralizing within seconds would probably have to be done at the egress point, i.e. the immediate upstream of the spam source. If they had their act together though, there probably wouldn't be all the spam coming out of there in the first place.

  147. Re:Pursue technical and social fixes simultaneousl by mattr · · Score: 1

    Thank you very much for the excellent info. This isn't a DNS blacklist though, I just wanted basically a list of email addresses, subject lines, or message hashes that are known to be spam so it can be folded, spindled, and mutilated.

    I don't think these solutions are going to close down spammers the way I suggested in my vehement post, but they (especially Vipul's Razor I believe) have a lot of the things I was dreaming about!

    Vipul's human network looks great though it seems that it might miss spam which personalizes itself per user (just a theory without trying it, which I will) and DCC looks interesting in that it has fuzzy matching that tries to evolve with spam. Brightmail's claim of 99.999% accuracy is pretty good, I suppose it would have to have humans in there somewhere. Anyway I'll check out Vipul and see what happens.

    I think it would be very cool if companies were given money by governments to develop or implement antispam technologies, in addition to the other suggestions I had. Thanks again and here's to no more spam.
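
Added illustration of the fuzzy matching idea mattr raises above (not DCC's or Razor's actual algorithms, which use their own checksums): hashed word shingles and a similarity threshold let a reported spam fingerprint still match a per-recipient variant that an exact message hash would miss. Every sample message, name, domain, URL and address below is constructed.

```python
import hashlib
import re

def exact_hash(body):
    """Plain message hash: any per-copy change defeats it."""
    return hashlib.sha256(body.encode()).hexdigest()

def shingles(body, k=3):
    """Hashed k-word windows over the body after stripping what a spammer varies
    per copy (addresses, links, numbers, case): the 'skeleton' of the message."""
    text = re.sub(r"\S+@\S+|https?://\S+|\d+", " ", body.lower())
    words = re.findall(r"[a-z]+", text)
    return {hashlib.sha1(" ".join(words[i:i + k]).encode()).hexdigest()[:12]
            for i in range(len(words) - k + 1)}

def similarity(a, b):
    """Jaccard similarity of two shingle sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

class SpamFingerprints:
    """Fingerprints reported by the human network; match() returns the best
    (score, label), with label None when nothing clears the threshold."""
    def __init__(self, threshold=0.6):
        self.threshold = threshold
        self.known = []                             # (label, shingle set)

    def report(self, label, body):
        self.known.append((label, shingles(body)))

    def match(self, body):
        s = shingles(body)
        score, label = max(((similarity(s, k), lbl) for lbl, k in self.known),
                           default=(0.0, None))
        return (score, label) if score >= self.threshold else (score, None)

# Constructed samples: a reported spam, a per-recipient variant of it, and a
# legitimate message; names, domains, URLs and addresses are all made up.
REPORTED = ("Dear Bob, you have been selected to receive cheap medication online. "
            "Visit http://pills.example/?id=83711 today and save 80 percent on all "
            "orders. Questions? Write to offers@pills.example")
VARIANT = ("Dear Alice, you have been selected to receive cheap medication online. "
           "Visit http://pills.example/?id=29044 today and save 80 percent on all "
           "orders. Questions? Write to deals@pills.example")
HAM = "Hi Bob, are we still on for the meeting at ten tomorrow? I moved the room booking."

def demo():
    """Labels for the variant and the ham, plus whether an exact hash would have matched."""
    fp = SpamFingerprints()
    fp.report("pills", REPORTED)
    return fp.match(VARIANT)[1], fp.match(HAM)[1], exact_hash(REPORTED) == exact_hash(VARIANT)
```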

  148. Re:Pursue technical and social fixes simultaneousl by Steve+B · · Score: 1

    Spam, which is subtly personalized and includes photos and hyperlinks, could be used as a communications network by terrorists, so definitely falls under the national security bailiwick.

    As a few people noted on this thread, the use of spam (specifically, the filter-cracking gibberish routinely appended to spam) as a terrorist comm channel would be an excellent way to evade traffic analysis.

    If it isn't illegal, they can't be put out of business

    99% of the spam I've ever seen is illegal on its face (fraud, illicit sale of prescription drugs, unauthorized commercial use of trademarks and copyrights, distribution of pornography to minors, etc).

    And maybe our antispam net could benefit from time to time by a friendly security officer geek who also gets too much spam on his yahoo account at home and has gotten pissed off!

    Suggestion: If you fit this description and are reading this, write a memo describing the use of spam as a comm channel immune to traffic analysis and get it into the record. This will give your agency the choice of 1) investigating spammers using their obvious violations of existing laws as leverage, or 2) potentially becoming the scapegoat if it turns out that terrorists do pull off another attack with the aid of this technique.

    --
    /. If the government wants us to respect the law, it should set a better example.