Slashdot Mirror


Yahoo and Unilateral Anti-Spam Technology?

EatenByAGrue asks: "According to this Business Week article, Yahoo is planning on distributing a toolkit for Sendmail and other mail daemons that adds an encrypted source domain key to email headers to verify where they came from. However, critics are concerned that the scheme will be easily bypassed and that it ignores standards bodies. What does the Slashdot community (representing countless email admins, I'm sure) think of this proposal? On one hand, it's a commercial enterprise dictating standard technology, on the other hand, the standards bodies have proven themselves helpless and hopeless when it comes to providing solutions."

25 of 397 comments

  1. police will be happy by rekrutacja · · Score: 5, Insightful

    easy email tracking system will be gladly welcomed by police and other agencies...

    --
    This Is Not a Sig
  2. Someone has to step forward by sirket · · Score: 5, Interesting

    I try to be as standards compliant with my mail servers as is humanly possible. Even with numerous spam filters, I get about 10 legitimate email messages a day and 100 spams. Something has got to change.

    Whether it is this technology, or another, something has got to be done. I'll implement this and hope that other admins do the same.

    -sirket

  3. Good move by 110010001000 · · Score: 5, Interesting

    I think this is a good move on Yahoo!'s part. As a developer I think a solution that is available and 50% effective is better than a solution that no one has implemented yet.

    Let's get the implementations out there in the wild and use the feedback to create real solutions!

  4. I use the telephone and ftp by ObviousGuy · · Score: 5, Informative

    These days I can't even open my inbox, it is so overflowing with spam. I'm exaggerating, but at some point email is going to become completely useless because of spam. I do a lot of business over telephone (the way I used to do it before email) and have an ftp site to which customers can copy shared files.

    It's slower, but not as slow as deleted emails that I never see and can't respond to.

    --
    I have been pwned because my /. password was too easy to guess.
  5. Standards by rm+-rf+$HOME · · Score: 5, Insightful
    As much as we don't like to admit that this is the case, but companies making unilateral decisions and moving forward with them is often how standards are made.

    Web folk always moan about MSIE's poor standards compliance, for instance, but forget that CSS/Text came from them -- Netscape was pushing CSS/JavaScript at the time. Now, one of those is a standard, and the other is dead.

    Ultimately, either people will like Yahoo's idea and adopt it and it will eventually become a new standard, or it will be ignored by everyone else and forgotten. Only time will tell.

  6. It's not a matter of A or B by Genghis9 · · Score: 5, Insightful

    The extra key could be used by anybody who wants to, and ignored by the rest. And their implementation is open-source, so it doesn't look like a way of making an end-run past other ISPs. And since many spam messages come from fake Yahoo email id's, this would be a great way to immediately filter out those ones: if it says Yahoo but doesn't carry a key-->SPAM bin

    I like the idea of a major player getting on with it and DOING something.

    Would we rather have MS dictating an anti-spam standard? You can be sure such a beast would be a lot less benign than Yahoo's proposal

    1. Re:It's not a matter of A or B by Zeinfeld · · Score: 4, Informative
      If Eric Raymond, IETF, et al. are interested in addressing the problem, then let's see their proposed solutions.

      Actually Eric has been supporting the SPF spec which is public, has an open discussion group and is currently in pole position wrt other schemes.

      The problem we have is that the standards process in the IETF/IRTF has essentially failed. First the original chair of the group hijacked it to use it as a platform to get his name and that of his company into every anti-spam puff piece in every newspaper around. He contributed nothing of value and pushed out all the people who did have something to contribute.

      There was an opportunity to get something going on the standards track but the IETF establishment decided to nix the idea - basically it will be July before it is possible to even start the process of forming a working group there.

      It is no surprise then that most commercial proposals have been avoiding the IETF like it was a bad smell. The IETF has no concept of working to a commercially relevant time scale - like months rather than decades.

      So we have ended up with about ten specs that have been circulating samizdat fashion amongst small circles since last February. The premise being that we have to short-circuit the standards process somehow. Only we have now been doing this for almost a year without result while in other areas it has taken less than a year to do a full spec - given the right circumstances.

      Fortunately IETF is not the only game in town. OASIS is a far more professional outfit. In OASIS you have a defined membership of the group and you hold weekly or bi-weekly con-calls so that things get done on a weekly basis, not the week before the RFC-editor cutoff before the next IETF meeting 3 times a year. You also have votes and clear lines of accountability. In the IETF the chair can basically do what the fuck they like and ignore the consensus of the group. You have the illusion of participation but the establishment hold all the cards. It is all about control.

      W3C is also OK-ish but the membership fees are ludicrous ($55K) and you keep getting semantic web thrust at you.

      OASIS does have the disadvantage of being a commercial consortium rather than a truly open volunteer body, but in practice we get to co-opt anyone we want to a group.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  7. It's bad if you have a different by eclectro · · Score: 5, Insightful


    "From" address from what your SMTP server is, in which case I don't see how it could work for you.

    This may put a lot of travellers out in the cold.

    A solution is badly needed, but it has to work for everybody.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    1. Re:It's bad if you have a different by CustomDesigned · · Score: 4, Informative
      If the traveller is using webmail, it works fine. Otherwise, the traveller needs to use SMTP AUTH to relay outgoing mail through his home base.

      Furthermore, mail receivers need not check all purported from addresses. This is just one tool in the toolbox. As I understand it, Yahoo's idea addresses the problem of mail claiming to be from jane_austin@yahoo.com, when in fact it is from a spam criminal (I believe falsifying mail headers is a crime in many places these days). If Yahoo, hotmail, and aol could be validated this way, it would help a lot.

      I have gotten emails from people threatening me with bodily harm because they believe I sent them spam. (When they include the message in question, it is obvious from the headers that it never went near the US, much less through any of my machines.) Some spam scum in Asia is using my email as the from address to spam victims in Europe. So I would be interested in signing my emails, if some of the spam victims would check it.

      What prevents a spammer from simply reusing properly signed headers with a spam body? Does the signature cover the message content? If so, how is it an improvement over simply signing your email?

  8. When de jure standards fail... by eyegone · · Score: 4, Insightful

    ...de facto standards emerge. One need look no further than POSIX/SUS and GNU/Linux for an example.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  9. Total overkill by tonyray · · Score: 5, Insightful

    It would be much simpler to add a record type to DNS servers to identify **outgoing** mail servers. Email proxies, where 60% of all spam comes from, would be immediately eliminated. Spammers with fixed servers and addresses are easily taken care of by the RBLs. Why introduce something that is more complicated and less reliable?

    1. Re:Total overkill by RT+Alec · · Score: 4, Informative

      This has already been discussed, with two current proposals, RMX and SPF::Sender. The latter looks a lot closer to implementation, with AOL already testing it.

  10. Re:All together now! by MrRTFM · · Score: 5, Insightful

    Yes but we will never have a social solution when all it takes is 0.000002% of the world's population to be spammers.

    There's always going to be pricks who will do anything for a buck.

    --
    You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
  11. Better to use IP restrictions by kiwi_mcd · · Score: 4, Interesting

    A far better approach (which I think I saw on Slashdot but can't remember) is to use an extension which says whether IP addresses are allowed to use a domain.

    This extension was based on DNS and basically allowed the mail server to query whether the IP address of the mailer was allowed to send on behalf of the domain.

    Yes - this would be open to IP spoofing. Perhaps this DNS extension should be combined with the Yahoo method. If Yahoo, Hotmail and a couple of other providers adopted it, it could have massive effect.

    To initially put live perhaps they could have an authenticated vs non-authenticated flag/filter in their web-mail client.

  12. Re:Yahoo are spam nazis by the+eric+conspiracy · · Score: 4, Insightful

    if this new system lets them drop their damn
    overbearing blacklists, I'm all for it.


    And people want to sue blackhole sites like MAPS out of business. THAT would mean every little mom and pop would maintain their OWN blacklist. Good luck getting off 69,105 blacklists. Your IP and domain would become useless.

    I don't know how good the Yahoo system will be, but all the more power to them. At least they are trying.

  13. Repost? by rockwood · · Score: 5, Informative
    We talked about this, in a previous post on Dec 06, 2003 here at /. concerning this.

    There were a lot of vital aspects to this point made in the previous article some of which are quite thought provoking!

    If you missed the previous thread, I highly recommend reading or even reading it.

    --
    Never try to beat a professional at his own game!
  14. How about this? by Boyceterous · · Score: 5, Interesting
    Instead of sending the whole email content - and with it the ability to falsify email header information, why not just send the email header only - and require the originating server to hold the email content?

    That way, there's no question where the email came from, and exactly which account sent it. Plus traffic goes way down by not passing the content all over the place.

    In addition millions of copies of the same email would not have to be held on recipient's servers, they would just sit on the originating server until received or until some time limit expired.

    I guess this would prohibit using a (ISP's) email server as a repository, you would have to download everything you wanted to keep, but hey, no more email size limits! - send me the world - if I want it, I'll come and get it!

    Could this help in the spam wars?

  15. Re: Reverse MX systems by WuphonsReach · · Score: 4, Informative

    You mean like "reverse MX" records... google for RMX, SMTP+SPF, DRIP, DMX. (SPF seems to have momentum at the moment)

    However, reverse-MX solutions will not kill off spam (a common mis-conception). The goal of reverse-MX proposals is to stop domain forgery where spammers are able, with complete impunity, to tack on any old domain name to their spams. Which means that the unfortunate organization who is forged gets to deal with the thousands of e-mail bounces and the irate phone calls / e-mails from people who think that the organization was the source of the spam. As a mail admin, I'm able to control which servers handle inbound e-mail for my domain through specifying MX records. Reverse MX allows me to have the same amount of control over outbound e-mail from my domain.

    What will happen instead, once reverse-MX systems (or Yahoo!'s system or other sender-authentication systems) come into play: spammers will have to change tactics and resort to either forging one of the remaining domains that don't have reverse-MX information published, or they will register throw-away domains by the hundreds. It will drive up their costs a tiny bit (much like the impact of bayesian and other filters requiring them to use randomization techniques).

    But the real nice side-effect of reverse-MX, etc., is that you'll be able to more reliably whitelist based on domain name. And your bayesian filters will be able to assign high ham values to domain names.

    It also puts a crimp in e-mail worms that attempt to use a built-in SMTP engine to avoid detection. Unless the worm forges a domain with no reverse-MX info published, the worm won't spread (most MTAs will drop the connection). Instead, the worm will have to route through the user domain's SMTP server, where the mail admin is more likely to catch the traffic (virus scanner on the SMTP server, or rate limiters).

    --
    Wolde you bothe eate your cake, and have your cake?
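
The sender-IP authorization check that the "reverse MX" comments above describe, as an added example that is not part of any comment in the thread. It evaluates a subset (`ip4`, `ip6`, `all`) of the record syntax SPF later standardized; the domains, addresses, policy table and the `smtp_action` helper are constructed for illustration, and the table stands in for a DNS TXT lookup.

```python
import ipaddress

# Constructed policy records keyed by sender domain (stand-in for DNS TXT
# lookups). Domains and addresses are documentation-only values.
POLICIES = {
    "example.com": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    # example.org publishes no policy at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip, policies=POLICIES):
    """Return pass, fail, softfail, neutral, none or permerror."""
    record = policies.get(domain.lower())
    if record is None:
        return "none"                      # domain has not opted in
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        result = "pass"                    # default qualifier is "+"
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # catch-all: first match wins
            return result
        if name not in ("ip4", "ip6"):
            return "permerror"             # a, mx, include need more DNS; not handled here
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if net.version != (4 if name == "ip4" else 6):
            return "permerror"
        if ip.version == net.version and ip in net:
            return result
    return "neutral"                       # nothing matched and no "all" term


def smtp_action(mail_from, client_ip, policies=POLICIES):
    """Hypothetical receiving-MTA decision taken at MAIL FROM time."""
    domain = mail_from.rpartition("@")[2]
    result = check_sender(domain, client_ip, policies)
    if result == "fail":
        return "reject"                    # forged use of a protected domain
    if result == "pass":
        return "accept"                    # domain name is safe to whitelist on
    return "accept-unverified"             # no usable policy: content filters decide
```

The `accept-unverified` branch is the limitation the comment points out: a domain that publishes nothing can still be forged, so the check stops forgery of participating domains rather than spam as such.
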
  16. Re:All together now! by Grishnakh · · Score: 5, Interesting

    This comment isn't insightful, it's stupid.

    So if spam is a social problem, what about auto theft? Should that also be solved by economics and/or behavior? Do you think that people shouldn't lock their cars or have alarm systems? Or that they should have push-button starters with no key required? If you believe this, you're a fool.

    How about hacking? Should that also be solved by economics and/or behavior? Should remotely-accessible computer systems not be password protected? Instead of having user accounts with passwords to keep hackers out, should we just let anyone log in who wants to, and use other means to punish people who abuse this? How about we connect our military systems to the internet in this way? Again, if you believe this, you're a fool.

    Any time a technological measure can be employed to minimize a social problem, it should be, because relying on society to proactively halt the activities of those who prey on weaknesses in the society is foolhardy because society only acts in a reactionary manner.

  17. Signed Email by Corpus_Callosum · · Score: 5, Interesting

    Nothing new needs to be invented here. What we should all be pushing for is signed email. There are many advantages to signed email, but here are the most relevant:

    (A) Signed email signs not just the message headers, but also the message body. No chance of header substitution.

    (B) Signed email associates signatures with some certificate chain and, presumably, a CRL (Certificate Revocation List). Abuses can lead to certificates being revoked.

    (C) Because of the certificate chain, there is a chain of trust. There is always SOMEONE to sue!

    (D) It is a simple measure to simply throw out any email that is not signed.

    (E) Because of esign legislation, signed emails can be considered legally binding. In other words, lies, misrepresentations, libel, etc... in signed emails provides you with grounds for prosecution in courts of law - as if the signer wrote you the document and signed his name at the bottom (and yes, they can also be used for legally binding contracts and whatnot).

    There is an issue with "Crossing the chasm" with signed email, of course. It would require a body such as AOL and/or Yahoo rising up and providing signature filters on incoming email to force such a solution into the mainstream. But once this is done, SPAM will practically disappear. And any SPAM that comes in through signed channels can be dealt with in a satisfactory way.

    I do not believe this harms any of us, btw...

    You want privacy? The same techniques that allow you to sign email also allow you to encrypt email to your destination.

    Worried about anonymity? Certificates can be issued that authenticate an email address without full disclosure of the owner of that address (but this may not be satisfactory for stopping abuses). Anonymity and stopping SPAM may, unfortunately, be mutually exclusive goals.... Any thoughts?

    --
    The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
    1. Re:Signed Email by cheezit · · Score: 4, Insightful

      Most of your reasons are in fact why signed email WON'T work.
      B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users.
      C. Someone to sue...only in the US is that an attractive feature.
      D. Sure, but most users are unlikely to get savvy enough to understand the distinction. The proposed scheme takes that decision out of the user's hand.
      E. Sure, for that .001% of transactions where conventional forms of contract aren't good enough. Most people wouldn't sign a binding contract without legal advice, at which point they have access to a notary, etc., and the signature feature on email has no value.

      My take is that this is a problem that is hard enough to address even partially---adding the burden of a massive worldwide PKI deployment would make it impossible. Verisign or Thawte would love it.

      --
      Premature optimization is the root of all evil
  18. This is kind of sad.. by msimm · · Score: 4, Insightful

    Especially considering how promising the OSS model is, why can't we create a solution? We talk about the complexity of the problem, the importance of not breaking standards, etc. Who FUCKING cares if I can't check my email because it's totally FUCKING BURIED in unsolicited junk...

    I don't mean to come off as the thundering asshole, but this situation has grown so slowly it's like watching a car crash spread out over the past 15 YEARS.

    Please, experiment. Break things. I don't give a shit, but don't let us sit here moaning like helpless children while spammers sit back (laugh) and rake in MILLIONS.

    Get fucking aggressive.

    And if I hear one more idiot talk about how you have to cut spammers off by not buying their products I'm going to cut him off at the knees! If that would work you and Noah could be shooting dice right now and we'd have a hell of a lot less to worry about.

    Programmers still know how to experiment, right?

    --
    Quack, quack.
  19. Yahoo might be doing us a big favor by 0x0d0a · · Score: 4, Insightful

    I don't believe this is proprietary. Yahoo is releasing a patch for Sendmail. AFAI can tell, while they're funding the dev work (because the spam rate is killing them), they aren't trying to milk this for more money.

    One major problem with standards groups is that people like Verisign are on most security standards groups. Verisign has extremely strong motivations to ensure that email uses a Web-like interface, where one purchases an (expiring) Verisign cert for each email server one runs. They have strong incentive to block competing solutions. If you want to come out with a good system that prevents existing folks from milking a market, both industry consortiums and standards groups are pretty much useless. You need to do what happened with PNG -- have a bunch of talented, aggravated engineers sit down, write up a technically good spec, and put out reference code. Later on, let standards committees follow what's in place.

    I can't figure out why replay attacks are an issue. I, personally, would suggest, off the cuff, including any To: or CC: lines in the message body (just for signing purposes, not actually sending either header in the body). This way, a replay attack would only allow resending the same email to the same destination from the same source. It's also pretty easy to include a timestamp, if folks are *really* concerned about replays.

    Yahoo is pretty much doing what ESR and RMS have been hoping for for years -- contributing to open source systems because there's an itch that needs scratching.

    Paul Vixie (disclaimer -- I don't move in his circles, and what I know about him is entirely secondhand) seems to be involved a great deal in politics, rather than technology. He leaves a bit of the same bitter tang in the mouth that Verisign does. He is, apparently, the source of at least some of the IETF objections. Vixie has also made a number of antispam statements that I tend to disagree with, including advocating mass blocking of mail servers on home email connections by netblock.
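
What the signature covers decides whether the replay raised in this comment (and in the earlier "Re:It's bad if you have a different" reply) works. The following is an added example, not part of either comment and not Yahoo's actual format: HMAC-SHA256 stands in for the sending domain's public-key signature so only the standard library is needed, and the `X-Example-Sig` header, its `h=`/`t=`/`b=` fields, the key and the addresses are all constructed.

```python
import hashlib
import hmac
from email.utils import getaddresses

DOMAIN_KEY = b"constructed-demo-key"   # stand-in for the domain's signing key
SIG_HEADER = "X-Example-Sig"           # hypothetical header name


def _mac(headers, body, covered, ts, key):
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in covered:
        # An absent header is signed as empty, so it cannot be added later.
        value = headers.get(name, "")
        mac.update(f"{name.lower()}:{value.strip()}\n".encode())
    mac.update(f"t:{ts}\n".encode())                    # signing timestamp
    mac.update(hashlib.sha256(body.encode()).digest())  # body is always covered
    return mac.hexdigest()


def sign(headers, body, covered, ts, key=DOMAIN_KEY):
    out = dict(headers)
    sig = _mac(headers, body, covered, ts, key)
    out[SIG_HEADER] = f"h={':'.join(covered)}; t={ts}; b={sig}"
    return out


def verify(headers, body, envelope_rcpt, now, key=DOMAIN_KEY,
           max_age=7 * 24 * 3600, required=("From", "To")):
    raw = headers.get(SIG_HEADER)
    if raw is None:
        return "unsigned"
    try:
        fields = dict(p.strip().partition("=")[::2] for p in raw.split(";"))
        covered = fields["h"].split(":")
        ts = int(fields["t"])
        claimed = fields["b"]
    except (KeyError, ValueError):
        return "bad-signature"
    have = {h.lower() for h in covered}
    for name in required:              # refuse signatures that leave
        if name.lower() not in have:   # sender or recipient swappable
            return f"uncovered:{name}"
    if not hmac.compare_digest(_mac(headers, body, covered, ts, key), claimed):
        return "bad-signature"         # body or a covered header was altered
    if now - ts > max_age:
        return "expired"               # bounds how long a capture stays usable
    present = [headers[h] for h in ("To", "Cc") if headers.get(h)]
    rcpts = {addr.lower() for _, addr in getaddresses(present)}
    if envelope_rcpt.lower() not in rcpts:
        return "recipient-not-covered" # valid signature, replayed elsewhere
    return "ok"
```

Binding the envelope recipient to the signed `To`/`Cc` lines also rejects legitimate Bcc, forwarding and mailing-list deliveries, so a receiver applying that last check needs an exception path for them.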

  20. Re:Another spin on that theme by stephanruby · · Score: 5, Informative
    I use spamgourmet.com

    Its solution is basically the same as yours, plus it's free and it doesn't require you to have your own domain name.

  21. Missing the big picture by dnoyeb · · Score: 5, Insightful

    First let me say I agree with your premise. I have never received an anonymous delivery, email or otherwise, that I desired.
    But let me show the fallacy of Yahoo's actions.

    Yahoo's step 1 is to reject forged headers. Forged headers were just made illegal by the Bush administration IIRC. I completely approve.
    Yahoo's step 2 is to force a signature on every email by the server. Interestingly, Step 2 removes the need for step 1 and makes you wonder if step 2 is their real desire. Note that a solid step 1 also removes the need for step 2, given that open relays are shut down.

    This is where I disapprove.

    This proposes the same problem as DRM. Who controls which signatures are accepted? Once again we are right back with Verisign, et al. So unless your server has a PURCHASED KEY from verisign, or the like, your server won't be sending email to yahoo or any of the ISPs that adopt this.

    I promise they won't be suggesting PGP either. And so the spiral begins. Yahoo sells the rights to the certificates it will accept on a yearly basis. Verisign subsells this right in the form of the infamous certificate chain.

    So what if the code is free, the certificates are not!