Slashdot Mirror


Yahoo and Unilateral Anti-Spam Technology?

EatenByAGrue asks: "According to this Business Week article, Yahoo is planning on distributing a toolkit for Sendmail and other mail daemons that adds an encrypted source domain key to email headers to verify where they came from. However, critics are concerned that the scheme will be easily bypassed and that it ignores standards bodies. What does the Slashdot community (representing countless email admins, I'm sure) think of this proposal? On one hand, it's a commercial enterprise dictating standard technology, on the other hand, the standards bodies have proven themselves helpless and hopeless when it comes to providing solutions."

29 of 397 comments

  1. Someone has to step forward by sirket · · Score: 5, Interesting

    I try to be as standards compliant with my mail servers as is humanly possible. Even with numerous spam filters, I get about 10 legitimate email messages a day and 100 spams. Something has got to change.

    Whether it is this technology, or another, something has got to be done. I'll implement this and hope that other admins do the same.

    -sirket

  2. Good move by 110010001000 · · Score: 5, Interesting

    I think this is a good move on Yahoo!'s part. As a developer I think a solution that is available and 50% effective is better than a solution that no one has implemented yet.

    Let's get the implementations out there in the wild and use the feedback to create real solutions!

    1. Re:Good move by jujitsustab · · Score: 3, Interesting

      I disagree. I think a bad and poorly designed solution is worse than no solution. Especially when there are other competing solutions, which are arguably better, or at least equal to Yahoo!'s domain keys system, such as RMX. IMHO, Domain Keys offers no significant improvements to the spam problem, but rather adds a crypto overhead to the sending and receiving of every message. I think it is great that Yahoo is trying to innovate to stop the SPAM problem, but being cavalier and going at it by themselves is not the answer, especially when they have a great Anti-spam alliance with AOL and MS.

    2. Re:Good move by pjrc · · Score: 3, Interesting
      ...a solution that is available and 50% effective is better than a solution that no one has implemented yet.

      You are absolutely correct.

      Sender Permitted From (SPF) is indeed already available and implemented. Yahoo's DomainKeys is not implemented, and a spec has not yet even been published.

      In a nutshell, SPF is a way to publish a DNS record that tells other sites what machines transmit email from your domain name. It's a pretty flexible system (detailed info at the SPF site).

      Let's get the implementations out there in the wild and use the feedback to create real solutions!

      Obviously you missed the article last week that AOL published a SPF record for 24 hours last Friday, for initial testing and to collect feedback. It appears they were pleased with the results, since they have turned it back on as of today.

      AOL is not the only site. In fact, as of today, 3575 sites have published SPF records. My own site is among them.

      If you, dear reader, happen to control the DNS for your own site, please consider adding a SPF record. It's very easy to do with the web-based SPF Publisher Wizard.

  3. Standards are important by mrpuffypants · · Score: 3, Interesting

    It's important for standards organizations to be taken seriously if people want to actually see careful and appropriate change made. We could, I suppose, say that the W3C is completely useless because Microsoft essentially dictates what will and will not be a standard on the majority of platforms but that doesn't make the W3C any more useless. Actually, it makes it much more important to look for a body that can develop RFC's and such so that we can all look at the proposed solutions and say yes or no. When a corporation decides on something it just happens and all we have to fall upon to stop the adoption of a (potentially) damaging standard is the free market system. However, in this situation that wouldn't have much of a bearing on a system that doesn't technically bring Yahoo! any more revenue.

    1. Re:Standards are important by Hamstaus · · Score: 2, Interesting

      It's true that standards are important, but obviously spam has become an issue that the standards organizations have so far failed to solve.

      If someone other than a standards organization, including corporations, comes up with a good idea that stops spam and solves the problem without causing more problems, then that sounds like a Good Thing to me.

      --
      I moderate "-1, Fool"
  4. I am implementing on the 15 or so domains I admin by Frums · · Score: 2, Interesting

    I admin a dozen domains professionally, and run a couple mail servers for volunteer orgs and all of them will get it.

    -Brian

  5. Better to use IP restrictions by kiwi_mcd · · Score: 4, Interesting

    A far better approach (which I think I saw on Slashdot but can't remember) is to use an extension which says whether IP addresses are allowed to use a domain.

    This extension was based on DNS and basically allowed the mail server to query whether the IP address of the mailer was allowed to send on behalf of the domain.

    Yes - this would be open to IP spoofing. Perhaps this DNS extension should be combined with the Yahoo method. If Yahoo, Hotmail and a couple of other providers adopted it could have massive effect.

    To initially put live perhaps they could have an authenticated vs non-authenticated flag/filter in their web-mail client.

  6. How good could it be? by Anonymous Coward · · Score: 1, Interesting

    abuse@yahoo.com (purposely unmunged) claims that 419 spam from their servers didn't come from them. Gee, what's web108.biz.yahoo.com then? Some magic realm where the Nigerians have taken over Yahoo's network without their knowledge? That box relayed the spam to my MX, so it came from them, period.

    Given that level of cluelessness, I assume that any "anti-spam" technology from them is going to be brain damaged from the start.

    Crap like that is why yahoo.com is now on a "block all, except some" ruleset here. Other freewebmail services are getting there, too.

    Look at it in very simple terms: what's to lose when you abuse a free e-mail account? Oh no, they cancelled my free account! I'll just have to make another! This is just going to ruin my day!

    Until there is a real penalty for screwing around and getting an account cancelled, I don't want any mail from them. The revolving door of accounts needs to stop.

  7. How about this? by Boyceterous · · Score: 5, Interesting
    Instead of sending the whole email content - and with it the ability to falsify email header information, why not just send the email header only - and require the originating server to hold the email content?

    That way, there's no question where the email came from, and exactly which account sent it. Plus traffic goes way down by not passing the content all over the place.

    In addition millions of copies of the same email would not have to be held on recipient's servers, they would just sit on the originating server until received or until some time limit expired.

    I guess this would prohibit using a (ISP's) email server as a repository, you would have to download everything you wanted to keep, but hey, no more email size limits! - send me the world - if I want it, I'll come and get it!

    Could this help in the spam wars?

  8. Nope by Mojo+Geek · · Score: 2, Interesting

    I'm agin it. Cause problems. Will not fix SPAM. I have however added SPF records to my DNS. More flexible solution. I'll get around to patching my MTA to reject invalid incoming in good time.

  9. Good move, which may actually spur development. by Soko · · Score: 3, Interesting

    Development of a workable solution, that is.

    There have been a few times in the past where an entrenched technology has hit a wall in functionality, but because it was entrenched no one really did anything about it.

    Then, someone said "Fuck standards - I have to DO something about this!" and started pushing their solution. Others saw that someone was willing to take the first step, and took a step themselves. After some shakeouts, a new, more functional standard emerged.

    My hope is that Yahoo has started the "SPAM proof MTA" development war for real this time. I want my e-mail system back.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  10. Re:All together now! by Grishnakh · · Score: 5, Interesting

    This comment isn't insightful, it's stupid.

    So if spam is a social problem, what about auto theft? Should that also be solved by economics and/or behavior? Do you think that people shouldn't lock their cars or have alarm systems? Or that they should have push-button starters with no key required? If you believe this, you're a fool.

    How about hacking? Should that also be solved by economics and/or behavior? Should remotely-accessible computer systems not be password protected? Instead of having user accounts with passwords to keep hackers out, should we just let anyone log in who wants to, and use other means to punish people who abuse this? How about we connect our military systems to the internet in this way? Again, if you believe this, you're a fool.

    Any time a technological measure can be employed to minimize a social problem, it should be, because relying on society to proactively halt the activities of those who prey on weaknesses in the society is foolhardy because society only acts in a reactionary manner.

  11. Re:Anything OSS is a standard already implemented by Anderlan · · Score: 2, Interesting

    Also, we've all seen discussions in projects where many people propose solutions in the abstract but to get real cred a solution has to be proposed as working code. Nothing gets implemented quite as fast as working code.

    --
    KLAATU, BORADA, NIh*ahem*
  12. Signed Email by Corpus_Callosum · · Score: 5, Interesting

    Nothing new needs to be invented here. What we should all be pushing for is signed email. There are many advantages to signed email, but here are the most relevant:

    (A) Signed email signs not just the message headers, but also the message body. No chance of header substitution.

    (B) Signed email associates signatures with some certificate chain and, presumably, a CRL (Certificate Revocation List). Abuses can lead to certificates being revoked.

    (C) Because of the certificate chain, there is a chain of trust. There is always SOMEONE to sue!

    (D) It is a simple measure to simply throw out any email that is not signed.

    (E) Because of esign legislation, signed emails can be considered legally binding. In other words, lies, misrepresentations, libel, etc... in signed emails provides you with grounds for prosecution in courts of law - as if the signer wrote you the document and signed his name at the bottom (and yes, they can also be used for legally binding contracts and whatnot).

    There is an issue with "Crossing the chasm" with signed email, of course. It would require a body such as AOL and/or Yahoo rising up and providing signature filters on incoming email to force such a solution into the mainstream. But once this is done, SPAM will practically disappear. And any SPAM that comes in through signed channels can be dealt with in a satisfactory way.

    I do not believe this harms any of us, btw...

    You want privacy? The same techniques that allow you to sign email also allow you to encrypt email to your destination.

    Worried about anonymity? Certificates can be issued that authenticate an email address without full disclosure of the owner of that address (but this may not be satisfactory for stopping abuses). Anonymity and stopping SPAM may, unfortunately, be mutually exclusive goals.... Any thoughts?

    --
    The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
  13. Re:police will be happy by Pendersempai · · Score: 3, Interesting

    So what? You'd be free to send anonymous email, just as I'd be free to reject it. Who knows -- with enough people switched to signed email, maybe spammers' economies of scale would tip over and anonymous mail would become usable again.

  14. EGO EGO EGO by Corpus_Callosum · · Score: 3, Interesting

    Anyone with experience with these standardization bodies knows that all of the complaining has to do with whose ideas win and whose name ends up on the standards documents. It's a particularly virulent form of academic arrogance. Solutions for signed email to stop SPAM are almost as old as email. Trust me, nothing is ever going to happen if one of the big guys doesn't put their ass on the line.

    While the guys at the IETF fight for who has the biggest, ahem..., pen, the known email universe is collapsing under the weight of SPAM.

    Let Yahoo hack and slash their way to a solution that works and then the standardization megalomaniacs can claim credit for inventing that idea 15 years ago while undergraduates at Stanford, Cambridge and MIT...

    In the meantime, maybe we can have some peace...

    --
    The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
  15. Re:a flavor of the inevitable by WuphonsReach · · Score: 2, Interesting

    SMTP relays need to be licensed and regulated.

    Ummm... and who do you propose is going to do the licensing and regulations? What enforcement powers will they have over relays in another jurisdiction?

    What's to stop the spammers from bribing officials to get their spam-relays "licensed"?

    --
    Wolde you bothe eate your cake, and have your cake?
  16. Come on now! by Lord+Kano · · Score: 3, Interesting

    In all seriousness. How much spam can you possibly be getting?

    I keep hearing horror stories about people getting 100+ spam emails per day. This leaves me with the question, HOW IS YOUR EMAIL ADDRESS GETTING INTO THEIR HANDS!?!?

    I don't sign up for every "free" offer that I come across. I don't have business cards made up with my email address. I have two email addresses, I might receive 10 spams per week between them.

    WTF are all of you doing to get on so many spammers' lists?

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:Come on now! by Clovert+Agent · · Score: 2, Interesting

      Business addresses tend to be public. Mine's all over the place - at our company websites, on brochures, on business cards handed out at tradeshows, attached to articles online - you name it. Every harvester in the world can get it.

      Consequently, I get a lot of spam. Most of it filtered, but still a lot more than I'd like. Counting the ones filtered, it's well over 100 a day. Maybe a dozen get through the filters (light touch - I really don't want to miss ham), but more every week.

      There's no easy solution - I /want/ people to be able to get hold of me easily.

      Although...getting separate cards with throwaway mail addresses just for dishing out at conventions and shows is a very appealing idea. Might just do that some day.

      At home, I use spamgourmet for all lists and registrations, and filter very aggressively. Can't recall the last time I saw any spam in my inbox, but I do have to check the quarantine for false positives regularly. *shrug* I guess the problem isn't going to just go away - there'll always be some assembly required.

  17. Re:police will be happy by PReDiToR · · Score: 3, Interesting

    You have half of your argument ass backwards.

    If you are accused of doing something illegal via email (which you didn't), this will be a VERY handy tool in your defense.

    Why should I have to prove I didn't do something? Surely it is up to the police/law enforcement to prove I did do something?
    I want to cryptographically hide the contents of my emails and obfuscate their origins as much as the next guy, and I want to call that privacy while I do it. Nobody in the world is going to make me write in plaintext on a postcard and hand it to the mail man as he passes my door every day, neither will they make me do the same with email. I may or may not have something incriminating in my e/mails, but until I am under suspicion of something illegal I want my privacy, and even then, I want properly mandated, legally and socially approved bodies with responsibilities to myself and the rest of the community to be monitored and restrained in their work.

    Handing control of privacy to those who care little for it is itself caring nothing for it.

    --

    Do not meddle in the affairs of geeks for they are subtle and quick to anger
  18. E-mail needs to be "closed" by LostCluster · · Score: 2, Interesting

    I remember a day when e-mail was nearly Spam-free, and Spammers only got away with it once. That was back in the mid-90s on the Prodigy Interactive Service, before they had opened their mail system to the Internet. When there was a closed system that required a valid credit card to open a master account, and accounts who abused the e-mail system could be terminated without any appeal, spam existed but was very rare and quickly dealt with whenever it sprouted.

    If Yahoo, MSN, and Earthlink all joined together to form an "invitation only" e-mail club, and each took responsibility for patrolling its own user base, the world would be a whole lot closer to a spam-free place. "Pink contracts" would not be tolerated, as the entire ISP would risk being expelled from the club, and therefore not be able to offer functional inter-network e-mail service. Remember, the Internet is nothing but a network formed by joining other networks... nobody has to honor the requests of other networks, however.

  19. Value judgement by peacefinder · · Score: 3, Interesting

    It's a value judgement... and according to my values, I think this is not a great idea.

    First, I think the benefits of having free and semi-anonymous e-mail outweigh the disadvantages of having to use and maintain spam filters. Obviously, many people disagree with me here, and more all the time.

    (Here's a conspiracy for ya: what if some Big Brother is trying to kill the free exchange of ideas in e-mail by burying the whole system with spam? I don't believe it's true, but it's worth wondering about before jumping to non-free solutions!)

    Second, even if I thought that killing spam was worth the cost of crippling some of e-mail's better and more distinctive features, I think going about it in a non-standards-based way is likely to be a road to chaos.

    The best solution, I think, would be to supplant e-mail with something new that works in a more trusted and accountable way. If someone really hates spam, they can use only the new system; if they want anonymity and freedom at the cost of spam, they can use the current mail system. The systems could coexist much like Usenet and the Web; each is useful for different things.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  20. e-mail must cost something by cats-paw · · Score: 2, Interesting

    Spam is a classic case of the tragedy of the commons.

    As long as sending millions of e-mails relatively cheaply is possible, spam will NEVER cease to be a serious problem.

    You have to break the economic back which supports spam.

    It has to cost something to send an e-mail.

    True, it will not disappear, but the volume will drop dramatically perhaps even to the point where e-mail will become useful again.

    --
    Absolute statements are never true
  21. The ultimate solution to fighting spam by Gary+Destruction · · Score: 2, Interesting

    The ultimate solution to fighting spam is realizing that there is no perfect solution. We all know that no matter what we do, spammers find a way around it. So the issue is to stop looking for that so-called "ultimate solution" that's supposed to get rid of spam forever. If anything, it's going to take several different methods to eliminate spam and there's going to be some trial and error.

    And spam filters are a bandage over a sore that's being seriously neglected. I think the problem that people don't realize is that with spam, the client is limited to what he/she can do.

    Yahoo might be going against standards, but they are on the right track by trying to tackle the problem from server side.

    I think using AI would have some real benefits on mail servers. AI has the ability to learn. Filters on the other hand require reconfiguration to combat the ever changing spamaflouge.

  22. Re:The problem is forged return address (use TLS) by ZarkDav · · Score: 2, Interesting

    Commercial certificates can be found for much less nowadays (check this CA for example). Anti-spam organisations can put up their own free CA if need be: this would scale as well or better than a generalised DomainKeys.

    When I read about Yahoo's anti-forgery solution, TLS struck me as a more standard compliant one as well as a more mature security measure. You do not need to review new code, it is already there for current MTAs.

    SMTP transaction encryption is generally not regarded as a bad thing.

  23. proprietary solutions by Tom · · Score: 2, Interesting

    I don't remember who this quote is from, or whether I remember it 100% correctly, but it's great:

    "To every challenging problem, there is a solution that is obvious, easy, and wrong."

    Proprietary stuff like this one usually is that solution, because not enough eyes looked at it. That's why so many software projects fail, and that's why peer-review is so important in science.

    Yahoo can't even teach their mailservers to play nicely with the rest of the world (they bounce when they should have rejected). I don't trust them an inch to patch sendmail or solve the spam problem.

    --
    Assorted stuff I do sometimes: Lemuria.org
  24. Filter bounced mail by KalvinB · · Score: 2, Interesting

    Mail servers that have the "nerve" to bounce mail do so in a predictable manner. Normally with a phrase such as "could not be delivered" or "rejected."

    Instead of freaking out, take the time to actually look at bounced messages and find tells so you can filter them out. Those 100% unique tells are there.

    "I'll never see the bounce."

    You will if you allow the tells your mailserver uses to pass through. Or give it a unique bounce message that gets past your filter.

    Trackable e-mail requires that everyone or no one do it. I'm certainly not going to. I have better ways to deal with spam. If you do it, you'll still be getting bounces from mail forged with your domain sent to mail servers that don't check.

    Like it or not, you need to deal with it. If you don't have enough control, fire up your own mail server that you do have control over.

    Ben

  25. Definitely NOT by Jesrad · · Score: 2, Interesting

    The spam issue must be solved, whether by social, technological, legal or whatever else means, or a combination of these.

    The sad truth is, there will always be jerks willing to engage in self-profitable activity at the expense of others, and to some extent this activity is what we call crime. There are three prerequisites for it, which are:
    - intent (you know it's bad, but you don't care)
    - gain (outweighing the cost / risk)
    - occasion

    This last one you completely overlooked. Why do you think locks exist ? Why do you think most countries ban civilians from owning firearms ? Because that will reduce the number of occasions someone has to commit crime.

    --
    Maybe we deserve this world ?