Slashdot Mirror


Yahoo and Unilateral Anti-Spam Technology?

EatenByAGrue asks: "According to this Business Week article, Yahoo is planning on distributing a toolkit for Sendmail and other mail daemons that adds an encrypted source domain key to email headers to verify where they came from. However, critics are concerned that the scheme will be easily bypassed and that it ignores standards bodies. What does the Slashdot community (representing countless email admins, I'm sure) think of this proposal? On one hand, it's a commercial enterprise dictating standard technology, on the other hand, the standards bodies have proven themselves helpless and hopeless when it comes to providing solutions."

8 of 397 comments

  1. I use the telephone and ftp by ObviousGuy · · Score: 5, Informative

    These days I can't even open my inbox, it is so overflowing with spam. I'm exaggerating, but at some point email is going to become completely useless because of spam. I do a lot of business over telephone (the way I used to do it before email) and have an ftp site to which customers can copy shared files.

    It's slower, but not as slow as deleted emails that I never see and can't respond to.

    --
    I have been pwned because my /. password was too easy to guess.
  2. Repost? by rockwood · · Score: 5, Informative
    We talked about this, in a previous post on Dec 06, 2003 here at /. concerning this.

    There were a lot of vital aspects to this point made in the previous article some of which are quite thought provoking!

    If you missed the previous thread, I highly recommend reading or even reading it.

    --
    Never try to beat a professional at his own game!
  3. Re:Total overkill by RT+Alec · · Score: 4, Informative

    This has already been discussed, with two current proposals, RMX and SPF::Sender. The latter looks a lot closer to implementation, with AOL already testing it.

  4. Re:It's bad if you have a different by CustomDesigned · · Score: 4, Informative
    If the traveller is using webmail, it works fine. Otherwise, the traveller needs to use SMTP AUTH to relay outgoing mail through his home base.

    Furthermore, mail receivers need not check all purported from addresses. This is just one tool in the toolbox. As I understand it, Yahoo's idea addresses the problem of mail claiming to be from jane_austin@yahoo.com, when in fact it is from a spam criminal (I believe falsifying mail headers is a crime in many places these days). If Yahoo, hotmail, and aol could be validated this way, it would help a lot.

    I have gotten emails from people threatening me with bodily harm because they believe I sent them spam. (When they include the message in question, it is obvious from the headers that it never went near the US, much less through any of my machines.) Some spam scum in Asia is using my email as the from address to spam victims in Europe. So I would be interested in signing my emails, if some of the spam victims would check it.

    What prevents a spammer from simply reusing properly signed headers with a spam body? Does the signature cover the message content? If so, how is it an improvement over simply signing your email?

  5. Re: Reverse MX systems by WuphonsReach · · Score: 4, Informative

    You mean like "reverse MX" records... google for RMX, SMTP+SPF, DRIP, DMX. (SPF seems to have momentum at the moment)

    However, reverse-MX solutions will not kill off spam (a common misconception). The goal of reverse-MX proposals is to stop domain forgery where spammers are able, with complete impunity, to tack on any old domain name to their spams. Which means that the unfortunate organization who is forged gets to deal with the thousands of e-mail bounces and the irate phone calls / e-mails from people who think that the organization was the source of the spam. As a mail admin, I'm able to control which servers handle inbound e-mail for my domain through specifying MX records. Reverse MX allows me to have the same amount of control over outbound e-mail from my domain.

    What will happen instead, once reverse-MX systems (or Yahoo!'s system or other sender-authentication systems) come into play: spammers will have to change tactics and resort to either forging one of the remaining domains that don't have reverse-MX information published, or they will register throw-away domains by the hundreds. It will drive up their costs a tiny bit (much like the impact of bayesian and other filters requiring them to use randomization techniques).

    But the real nice side-effect of reverse-MX, etc., is that you'll be able to more reliably whitelist based on domain name. And your bayesian filters will be able to assign high ham values to domain names.

    It also puts a crimp in e-mail worms that attempt to use a built-in SMTP engine to avoid detection. Unless the worm forges a domain with no reverse-MX info published, the worm won't spread (most MTAs will drop the connection). Instead, the worm will have to route through the user domain's SMTP server, where the mail admin is more likely to catch the traffic (virus scanner on the SMTP server, or rate limiters).

    --
    Wolde you bothe eate your cake, and have your cake?
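
The reverse-MX check described in the comment above, as an added example that is not part of the thread: a receiver compares the connecting IP against the sending hosts a domain publishes. It assumes SPF-style `v=spf1` records and uses a constructed in-memory table (documentation IP ranges, example domains) in place of DNS lookups; only `ip4:` and `all` terms are evaluated.

```python
import ipaddress

# Constructed sample policies standing in for DNS TXT lookups (documentation
# address ranges and example domains; none of this comes from the thread).
PUBLISHED = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 -all",
    "throwaway.example": "v=spf1 ip4:203.0.113.0/24 -all",
}


def check_sender(client_ip, mail_from, records=PUBLISHED):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for a connection.

    Simplified: only ip4: and all terms are evaluated; a real SPF evaluator
    also handles a, mx, include, redirect, ip6 and DNS errors.
    """
    domain = mail_from.rpartition("@")[2].lower()
    policy = records.get(domain)
    if policy is None or not policy.startswith("v=spf1"):
        return "none"          # domain publishes nothing: forgery is undetectable
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in policy.split()[1:]:
        qualifier = "+"        # default qualifier when none is written
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return qualifiers[qualifier]
        elif term == "all":
            return qualifiers[qualifier]
    return "neutral"           # no term matched and no 'all' term present


def smtp_decision(client_ip, mail_from):
    """Map the result to what a receiving MTA might answer at MAIL FROM time."""
    result = check_sender(client_ip, mail_from)
    if result == "fail":
        return "550 rejected: %s not authorized for sender domain" % client_ip
    return "250 accepted (sender check: %s)" % result
```

The same unauthorized host is rejected when it forges `example.org`, gets `none` for a domain with no published record, and gets `pass` for a throw-away domain that lists it, which are the three outcomes the comment predicts.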
  6. Re:It's not a matter of A or B by Zeinfeld · · Score: 4, Informative
    If Eric Raymond, IETF, et al. are interested in addressing the problem, then let's see their proposed solutions.

    Actually Eric has been supporting the SPF spec which is public, has an open discussion group and is currently in pole position wrt other schemes.

    The problem we have is that the standards process in the IETF/IRTF has essentially failed. First the original chair of the group hijacked it to use it as a platform to get his name and that of his company into every anti-spam puff piece in every newspaper around. He contributed nothing of value and pushed out all the people who did have something to contribute.

    There was an opportunity to get something going on the standards track but the IETF establishment decided to nix the idea - basically it will be July before it is possible to even start the process of forming a working group there.

    It is no surprise then that most commercial proposals have been avoiding the IETF like it was a bad smell. The IETF has no concept of working to a commercially relevant time scale - like months rather than decades.

    So we have ended up with about ten specs that have been circulating samizdat fashion amongst small circles since last February. The premise being that we have to short-circuit the standards process somehow. Only we have now been doing this for almost a year without result while in other areas it has taken less than a year to do a full spec - given the right circumstances.

    Fortunately IETF is not the only game in town. OASIS is a far more professional outfit. In OASIS you have a defined membership of the group and you hold weekly or bi-weekly con-calls so that things get done on a weekly basis, not the week before the RFC-editor cutoff before the next IETF meeting 3 times a year. You also have votes and clear lines of accountability. In the IETF the chair can basically do what the fuck they like and ignore the consensus of the group. You have the illusion of participation but the establishment hold all the cards. It is all about control.

    W3C is also OK-ish but the membership fees are ludicrous ($55K) and you keep getting semantic web thrust at you.

    OASIS does have the disadvantage of being a commercial consortium rather than a truly open volunteer body, but in practice we get to co-opt anyone we want to a group.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  7. Another spin on that theme by PotatoHead · · Score: 3, Informative

    I don't mind downloading the spam because I have broadband. Getting mail is no big deal, but sorting it is.

    The solution I use requires that one owns a domain. Simply provide specific addresses to people/places/things depending on your expectation for spam. Filter on the client name based on the to: field and most of the crap drops into the crap folder where it belongs.

    This combined with a bayesian filter keeps the spam to a very reasonable level. One added bonus:

    You can know who sold you out and pass the word to others.

    I use gandi.net for this. They provide e-mail redirection for free with a grab bag for unspecified addresses. 12 euros per year with nice online admin tools combined with very reasonable legal terms makes the service well worth it.

    As for the e-mail problem, it is going to come down to trusted mail servers. I believe we all should be able to run mail out of our homes, because that is part of being peers on the Internet.

    So, anyone can send mail, but if you expect anyone to actually read it, you need to be trusted by at least someone

    1. Re:Another spin on that theme by stephanruby · · Score: 5, Informative
      I use spamgourmet.com

      Its solution is basically the same as yours, plus it's free and it doesn't require you to have your own domain name.
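
The per-correspondent address scheme from PotatoHead's comment above, as an added example that is not part of the thread: each party gets its own address at a domain you own, mail is filed by the recipient address, and mail arriving at an address from anyone other than the party it was issued to identifies who passed it on. The domain, the ledger of issued addresses and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "example.net"  # assumed: the domain the recipient owns
# Hypothetical ledger: local part handed out -> domain it was given to.
ISSUED = {"bookshop": "bookshop.example", "forum": "forum.example"}

# Constructed sample messages.
SAMPLES = [
    "From: Orders <orders@bookshop.example>\nTo: bookshop@example.net\n"
    "Subject: Your order\n\nShipped.\n",
    "From: deals@pills.example\nTo: bookshop@example.net\n"
    "Subject: Cheap meds\n\nBuy now.\n",
    "From: promo@random.example\nTo: sales@example.net\n"
    "Subject: Hello\n\nGuessed address.\n",
]


def classify(raw):
    """Return (folder, local_part, issued_to) for one raw message."""
    msg = message_from_string(raw)
    # From: is forgeable; it is only compared against the ledger entry here.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _name, addr in getaddresses(recipients):
        local, _, domain = addr.lower().rpartition("@")
        if domain != MY_DOMAIN:
            continue
        issued_to = ISSUED.get(local)
        if issued_to is None:
            return ("junk", local, None)   # catch-all hit: never handed out
        if sender == issued_to or sender.endswith("." + issued_to):
            return ("inbox", local, issued_to)
        return ("junk", local, issued_to)  # address reached a third party
    return ("junk", None, None)


def leaked_by(raw_messages):
    """Domains whose dedicated address received mail from someone else."""
    results = (classify(raw) for raw in raw_messages)
    return sorted({who for folder, _l, who in results if folder == "junk" and who})
```

Because the match relies on the `From:` header, a sender forging the issuing party's domain would still reach the inbox, which is the gap the sender-authentication proposals in this thread aim to close.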