Yahoo and Unilateral Anti-Spam Technology?
EatenByAGrue asks: "According to this Business Week article, Yahoo is planning on distributing a toolkit for Sendmail and other mail daemons that adds an encrypted source domain key to email headers to verify where they came from. However, critics are concerned that the scheme will be easily bypassed and that it ignores standards bodies. What does the Slashdot community (representing countless email admins, I'm sure) think of this proposal? On one hand, it's a commercial enterprise dictating standard technology, on the other hand, the standards bodies have proven themselves helpless and hopeless when it comes to providing solutions."
These days I can't even open my inbox, it is so overflowing with spam. I'm exaggerating, but at some point email is going to become completely useless because of spam. I do a lot of business over telephone (the way I used to do it before email) and have an ftp site to which customers can copy shared files.
It's slower, but not as slow as deleted emails that I never see and can't respond to.
I have been pwned because my
There were a lot of vital aspects to this point made in the previous article some of which are quite thought provoking!
If you missed the previous thread, I highly recommend reading or even reading it.
Never try to beat a professional at his own game!
This has already been discussed, with two current proposals, RMX and SPF::Sender. The latter looks a lot closer to implementation, with AOL already testing it.
Furthermore, mail receivers need not check all purported from addresses. This is just one tool in the toolbox. As I understand it, Yahoo's idea addresses the problem of mail claiming to be from jane_austin@yahoo.com, when in fact it is from a spam criminal (I believe falsifying mail headers is a crime in many places these days). If Yahoo, hotmail, and aol could be validated this way, it would help a lot.
I have gotten emails from people threatening me with bodily harm because they believe I sent them spam. (When they include the message in question, it is obvious from the headers that it never went near the US, much less through any of my machines.) Some spam scum in Asia is using my email as the from address to spam victims in Europe. So I would be interested in signing my emails, if some of the spam victims would check it.
What prevents a spammer from simply reusing properly signed headers with a spam body? Does the signature cover the message content? If so, how is it an improvement over simply signing your email?
You mean like "reverse MX" records... google for RMX, SMTP+SPF, DRIP, DMX. (SPF seems to have momentum at the moment)
However, reverse-MX solutions will not kill off spam (a common misconception). The goal of reverse-MX proposals is to stop domain forgery where spammers are able, with complete impunity, to tack on any old domain name to their spams. Which means that the unfortunate organization who is forged gets to deal with the thousands of e-mail bounces and the irate phone calls / e-mails from people who think that the organization was the source of the spam. As a mail admin, I'm able to control which servers handle inbound e-mail for my domain through specifying MX records. Reverse MX allows me to have the same amount of control over outbound e-mail from my domain.
What will happen instead, once reverse-MX systems (or Yahoo!'s system or other sender-authentication systems) come into play: spammers will have to change tactics and resort to either forging one of the remaining domains that don't have reverse-MX information published, or they will register throw-away domains by the hundreds. It will drive up their costs a tiny bit (much like the impact of bayesian and other filters requiring them to use randomization techniques).
But the real nice side-effect of reverse-MX, etc., is that you'll be able to more reliably whitelist based on domain name. And your bayesian filters will be able to assign high ham values to domain names.
It also puts a crimp in e-mail worms that attempt to use a built-in SMTP engine to avoid detection. Unless the worm forges a domain with no reverse-MX info published, the worm won't spread (most MTAs will drop the connection). Instead, the worm will have to route through the user domain's SMTP server, where the mail admin is more likely to catch the traffic (virus scanner on the SMTP server, or rate limiters).
Wolde you bothe eate your cake, and have your cake?
Actually Eric has been supporting the SPF spec which is public, has an open discussion group and is currently in pole position wrt other schemes.
The problem we have is that the standards process in the IETF/IRTF has essentially failed. First the original chair of the group hijacked it to use it as a platform to get his name and that of his company into every anti-spam puff piece in every newspaper around. He contributed nothing of value and pushed out all the people who did have something to contribute.
There was an opportunity to get something going on the standards track but the IETF establishment decided to nix the idea - basically it will be July before it is possible to even start the process of forming a working group there.
It is no surprise then that most commercial proposals have been avoiding the IETF like it was a bad smell. The IETF has no concept of working to a commercially relevant time scale - like months rather than decades.
So we have ended up with about ten specs that have been circulating samizdat fashion amongst small circles since last February. The premise being that we have to short-circuit the standards process somehow. Only we have now been doing this for almost a year without result while in other areas it has taken less than a year to do a full spec - given the right circumstances.
Fortunately IETF is not the only game in town. OASIS is a far more professional outfit. In OASIS you have a defined membership of the group and you hold weekly or bi-weekly con-calls so that things get done on a weekly basis, not the week before the RFC-editor cutoff before the next IETF meeting 3 times a year. You also have votes and clear lines of accountability. In the IETF the chair can basically do what the fuck they like and ignore the consensus of the group. You have the illusion of participation but the establishment hold all the cards. It is all about control.
W3C is also OK-ish but the membership fees are ludicrous ($55K) and you keep getting semantic web thrust at you.
OASIS does have the disadvantage of being a commercial consortium rather than a truly open volunteer body, but in practice we get to co-opt anyone we want to a group.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
My company has several email addresses that are fairly public (used in DNS and IP registries for example). These addresses also have to be monitored, since they can be recipients of customer requests, problem reports or other information from other carriers.
Looking at the log for today, I see... 1,076 messages - of which 24 were not spam.
Yahoo's idea is simple, and is probably a lot more acceptable to the general public than many of the alternatives (government-signed keys, etc.) which we WILL have in a matter of months if we can't get the spam thing under control.
I grouched at Yahoo pretty badly when they started including content-obscuring flash ads in their pages. This move almost earns them back all of that karma, IMO.
Most of your reasons are in fact why signed email WON'T work.
.001% of transactions where conventional forms of contract aren't good enough. Most people wouldn't sign a binding contract without legal advice, at which point they have access to a notary, etc., and the signature feature on email has no value.
Let's talk about this. Interesting subject.
B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users.
CRLs as currently formulated are indeed pretty nasty. They need to evolve. Let's assume that VRSN does run the CRL, for instance... Couldn't they create domain records for checking on the revocation status of certificates? It seems to me that by having a namespace in the DNS registry devoted to certificate "status" would effectively solve this problem.
Ah yes, this is new... But what I am saying to you is that I agree and disagree. Yes, existing CRL schemes will not scale. Yes, they can be made to scale with a little creativity and existing infrastructure.
C. Someone to sue...only in the US is that an attractive feature.
The point is that someone is responsible. Sue them or just make fun of them in public, whatever... At least you know "who".
D. Sure, but most users are unlikely to get savvy enough to understand the distinction. The proposed scheme takes that decision out of the user's hand.
Well, I would think that the purpose of being able to throw away unsigned email is self evident. If a few big ISPs standardized on this, it wouldn't take long for email software to be updated and the "basic memes of avoiding SPAM" to become common knowledge.
E. Sure, for that
Add the disclosure "discussion, not legally binding" like you would in a written and hand-signed correspondence. Esign makes things easier and quicker for commerce - it returns us, in some ways, to the world before email.
My take is that this is a problem that is hard enough to address even partially---adding the burden of a massive worldwide PKI deployment would make it impossible. Verisign or Thawte would love it.
Eventually, like it or not, there will be a worldwide PKI. It is inevitable. It has to start somewhere, and stopping SPAM seems like a good place to start.
Yea, lots of issues at first. But the benefits will be abundant. And who's to say VRSN has to control it?
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
I myself am on Cox HSI. To send mail from my business domain, I simply use SSH. For Windows, use PuTTY, and set up a tunnel from port 25 to your sendmail server. Then she just sets her outgoing mail server to 'localhost'. We have configured many of our clients to use PuTTY this way to send email through their company servers from a remote laptop. In many ways, it is better than SMTP-AUTH because the connection is encrypted (although the mail is unencrypted anyway when it leaves the company server, it protects internal mail to other employees within the company).
This is a pretty secure solution provided the user can hang on to his/her laptop and can control their urge to download and run Windows executables or use Outlook. Unfortunately, even CIA directors have trouble meeting these qualifications.
As ShakaUVM stated in a previous post, the problem with spam is forged return addresses. As another poster mentioned, spam is really a social problem. The problem is, one or two dumbheads loose in the world can cripple a great technology (email).
So, spam is a social problem - a few people are a nuisance. But the problem is, right now - even if we pass great anti-spam laws, we really have no good way of knowing who is sending a message. So what if it came from ip address 3.14.15.92? Spammer joe can disconnect from that address right after he sends said spam, and nobody wants ISPs' logs to be able to be subpoenaed, do we?!?
So spam is a social problem, but we have no way of tracking the offenders. I think an authentication-by-encryption scheme is a Good Thing, but wait - I think there are such standards already out there.
The STARTTLS extension for SMTP, in RFC 2487, allows SMTP traffic to be transported over a TLS (SSL) connection - also allowing for the same type of CA-signed certificates that HTTPS is famous for. So now we can tell exactly what mail server mail is coming from - and we can refuse mail from uncertified hosts, or prosecute abusive hosts.
Anyway, correct me if I've misunderstood anything; what think ye all?
1) Some people had e-mail addresses in the period before spammers emerged from their slime, and which are therefore already in their lists (from usenet posts etc). They may want to continue using those addresses.
2) Spammers use dictionary attacks and mail to well known addresses such as root, info, admin and so on. So if you're a sysadmin you get those messages too.
I fall into both categories and receive 200+ spams per day.
I don't mind downloading the spam because I have broadband. Getting mail is no big deal, but sorting it is.
The solution I use requires that one owns a domain. Simply provide specific addresses to people/places/things depending on your expectation for spam. Filter on the client name based on the to: field and most of the crap drops into the crap folder where it belongs.
This combined with a bayesian filter keeps the spam to a very reasonable level. One added bonus:
You can know who sold you out and pass the word to others.
I use gandi.net for this. They provide e-mail redirection for free with a grab bag for unspecified addresses. 12 euros per year with nice online admin tools combined with very reasonable legal terms makes the service well worth it.
As for the e-mail problem, it is going to come down to trusted mail servers. I believe we all should be able to run mail out of our homes, because that is part of being peers on the Internet.
So, anyone can send mail, but if you expect anyone to actually read it, you need to be trusted by at least someone
Blogging because I can...
> CRLs don't scale. Period. There's a reason
> why PKIs hardly ever get past 100K users.
Ever heard of OCSP ? That solves the problem. Please refrain from expressing uninformed opinions.
My original e-mail gets about 100 spams a day. This e-mail address is now nearly ten years old. I think the reason I get so much spam is that when I first started getting it I was using a mail client that rendered HTML and so was fetching all those images from the spammers' web site and more stupidly I was clicking all those "click here to stop receiving" links.
I now have a domain with as many e-mail addresses as I like and although I use it to sign up to all that free software/internet shopping websites etc e.g. amazon@domain apple@domain oracle@domain etc etc my combined spam for that whole domain is maybe three messages on a bad day.
Interestingly, my web site home page has a "webmaster" e-mail address on it and that address only gets about two spams a month.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
Sure. I was commenting on the tangent regarding the number of worldwide mail domains.
However, 100k is also a low estimate for hosts.
In 2001, Dan Bernstein did this survey which yields an internet-wide estimate of 4 million reachable IP addresses running an SMTP server. I doubt the figure has decreased.
Scalability over many orders of magnitude is a fairly key requirement for internet protocol design.