FTC Wants Comments on Email Authentication
An anonymous reader writes "Groklaw has the scoop. The Federal Trade Commission and National Institute of Standards and Technology (NIST) will co-host a two-day 'summit' November 9-10 to explore the development and deployment of technology that could reduce spam. The E-mail Authentication Summit will focus on challenges in the development, testing, evaluation, and deployment of domain-level authentication systems. The FTC will be accepting public comments until Sept. 30, 2004 via snail-mail or email (authenticationsummit at ftc.gov). The FTC has a list of 30 questions they would like answers/comments to. The list is available in this PDF of the Federal Register Notice." In a related subject, reader Fortunato_NC submits this writeup of the sequence of events that led to Sender-ID's abandonment.
Seems like slashdot is being spammed with stories about spam.
I will be sending my comments immediately by email. They'll know who I am.
authenticationsummit@ftc.gov
These guys aren't going to be happy until we have to hand over our credit cards, photo ID and social security number just to send an email.
From Groklaw:
7. Whether any of the proposed authentication standards would have to be an open standard (i.e., a standard with specifications that are public).
Of course the standard would have to be open. This shouldn't even be up for discussion. No argument can make security by obscurity work and no argument can get me to change my thinking that we should all be using closed SMTP servers.
Spam is "horrific" and all (BTW I don't get more than 5 a year) but we certainly shouldn't even be considering ending it by choosing applications that will eliminate an open society.
Is to keep email easy to use. SPF is a nice idea, but doesn't cope with a couple issues. The first is that a lot of SPAM comes from trojan'd machines. SPF won't prevent or help mark email coming from these machines as SPAM. Secondly, it's not expensive to register a domain and flood SPAM for a few days until that domain is blacklisted. Wash, rinse, repeat. I'm not saying a solution isn't out there, just nothing that I have seen really talks to these two issues.
8. Whether any of the proposed authentication standards are proprietary and/or patented.
Ignorance is curable, stupid is forever.
Does this mean that the government will now enforce standards?
Opera Watch - An Opera browser blog.
You know, I can't figure out why we can't combat spam by making it illegal to send unsolicited ads via email (or maybe the can-spam act already does this), but then go after the companies who are actually trying to get customers. After all, they either provide valid contact information, or nobody can buy from them. If nobody can sell anything via spam any more, the reason for it would go away.
Have you read my blog lately?
I would be willing to wager a small sum that the only invitees to this meeting will be representative of large, commercial, for-profit software vendors and ISPs. That there will be no representation of/by the Free Software community. And that the FTC will reject any comment not from a commercial software vendor/ISP as having "no standing".
Just a guess.
sPh
That's what I envision.
"Today, we must fight a war, they clog our mail boxes, they offer us penis enhancements, drugs like v1ag|2a, stuff we don't need, they make our wives leave us for believing we go to porn sites and give out our e-mails to just anyone. Today we start the war against spam"
-[Insert head of newly formed organization here]
Just have DNA scanners attached to our PCs..
That would ID you back to your other documents, such as SSN, bank accounts, credit history, what you ate for dinner, your life history of every webpage you viewed, or document you read...
---- Booth was a patriot ----
Just use ident. Maybe return a little extra information, like an "@sitename" suffix.
Yes, it would require immediate global adoption, but not if you just assign a higher score (towards spam) to messages that came from sites with no identd running.
Assume I was drunk when I posted this.
My main question is, how much money do you plan to waste on a system that will be hacked in days?
An effective stopgap measure would be for ISPs to block port 25 (along with a number of others) outbound by default, and open it up only on customer requests.
This way, zombie'd machines wouldn't have a chance to spew their virus/spam emails to everyone, I could still run my home email server, and the ISPs would save on bandwidth.
I wonder why this ISN'T yet in place, to be honest.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The only way to fight spam, which is going to be inconvenient as hell for most people, is to autoblock any machine that sends or relays spam.
/dev/nulled for a few months, but that's the alternative to living with spam.
Of course, email systems will buckle and fall, and people won't be getting mad as hell because their emails are bouncing or just not getting there.
Then ISP and other companies will actually spend money (120K+) on very competent email admins and fix their damn servers.
Each spam sets the clock forward by 1 week for domain and IP block.
I guarantee there won't be any spam in 1 year.
Of course, 99% of emails will be
"Piter, too, is dead."
By the time the FTC's summit comes around, it's looking like SPF is going to be pretty well established.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Every eMail that is sent (by SMTP - the Simple Mail Transport Protocol) should be considered "unconfirmed." This means that it may or may not be from the return address.
I propose that we add a new layer called CMTP - the Complex Mail Transport Protocol.
CMTP simply takes an unconfirmed eMail (sent by SMTP) and sends a packet back to the sender. This packet asks for verification of the message. The packet includes a checksum, the length, to, from, subject, and the time/date that the eMail was sent.
The sending mail server receives this CMTP, checks all of that information, and replies with a CMTP confirmed message or a CMTP not confirmed message.
There is no limit on the number of times that a mail server may be asked to confirm an eMail. There is a limit that messages should not be confirmed more than 24 hours after they are sent. This may pose a small problem in that SMTP does not place a time limit on mail messages.
CMTP does require that every mail server maintain a list of the eMail it has sent. That COULD be time consuming.
CMTP also adds 2 packets to every eMail sent. SMTP was designed to be dead simple. They thought that they could not afford 2 extra packets. In that time, eMail was 80% of all internet traffic. Today, eMail is such a small percentage of all traffic that tripling it would not be noticed.
Andy Out!
There are two ways to get rid of spam. Stopping spammers and stopping people from buying via spam. The former never works because spammers will always find ways around it. The latter could work, here's how:
First, equate spam with child pornography and terrorist activity. Get Congress to make it illegal to buy products via spam. Start arresting and imprisoning those who do buy via spam. After a couple years, spam will stop.
If someone says he and his monkey have nothing to hide, they almost certainly do.
Drat! I'm gonna get modded for flamebait but with a sig like mine, who'd notice?
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Let's face it: Email doesn't (and can't) fill the role it used to.
There was a time when you shared your email address with everyone. It was on your resume, it was on your web page (if you had one), it was in your sig. Email was the universal, simple, fast, reliable communication medium of the internet.
I used it to get my friends together on a weekend. I used it to organize events and meet people. I used it to share information.
Nowadays, IM fills that role. I've realized that nearly everything I used to use email for can be done just as easily over IM. It's reliable, fast, relatively secure, easily encrypted, etc... Furthermore, it is largely immune to spam for a number of reasons.
I find now that I only use email when registering for something (throwaway address), or for confirmation when I purchase something online. Everything email used to do, IM can do (if used properly... Staying online, logging, offline messages, confirmation, not using the AOL client, etc...)
IM is by-and-large safe from SPAM due to the numerous restrictions placed on its use. Rate limits, authentication, etc... These things provide a layer of security, but also a layer of inconvenience.
Were email to incorporate such restrictions, it would remove the last reason in the world to even be using it in the first place! Email is completely open. If email were to be restricted, it would become nothing more than a slower version of the current capabilities of IM.
GeekNights!
Late Night Radio for Geeks!
There was no mention of sender pays postage as a solution. Anything that prevents anonymous email has an inherent central control which the internet doesn't need more of.
It's a stupid metaphor, and leads to superficial "solutions". Why not try taking a better look at the roots of the problem and deal with that instead of just declaring a "War" to incite the proles?
Isn't this an issue for ICANN/VERISIGN? Why is the FTC spreading to Internet??? Hmmmm....
Clearly the solution is to change SMTP to XML. It's so old-fashioned that it uses a line-by-line conversation. I propose XSMTP which goes like this:
[xml]
[huge header]
[line value=helo]
[/xml]
That oughta fix it.
I am joking.
Last time I checked email was a global technology. Am I the only one that thinks it's strange that the FTC (an entirely US organization) is making decisions about something like this? Isn't there a more appropriate international technology body that should be handling this? Ultimately this will have to become an ISO standard to get implemented across all mail serving platforms. Wouldn't it make sense to get a global consensus before the US starts making decisions about how best to deal with SPAM?
I live in the US, but if I didn't I wouldn't want the US government telling me how to handle SPAM.
It won't be too long until this email is bombarded by zillions of Nigerian scam zealots commenting on whether FTC should really go on with this plan and whether it is a good move in front of the national economy.
IMHO the real way to lock mail down is to use PGP keys to authenticate legitimate MXs, and blacklist/expire certs that misbehave. Add an X header that signs the payload hash with its own seckey, then send to the destination to have it verify before delivery.
'Trusted' sources (including national post offices) could generate and certify keys for these servers, and expire/blacklist them if they're abused. Put the pubkey into a DNS record for the MX.
Legacy mail not in this system could be flagged as 'untrusted' and jailed appropriately.
(bad form to self-reply, I know :p) ... How about those 'trusted' sources running DNS servers that provide MX resolution for domains? Granted you'd need DNSSEC to trust them that far (and RFC3445 kinda kills the 'put the key in DNS' idea) but the USPS, various national posts, UN, verisign, etc could run DNS servers that handle MX resolution for domains so you can point your MX configuration at those domain servers ala the RBL. Extra sneaky points to building an entire root DNS dedicated to MX.
It's more of a TWL (Trusted Whitehole List) than an RBL (Realtime Blackhole List).
Of course, it goes without saying that all of this is pissing in the wind as long as people's pain threshold is still higher than the bother of implementing all this.
Why can't this work? You sign up for an e-mail account. Let's use MSN Hotmail as an example. You get your username. So it's username@hotmail.com. Then you get a selection of keys. Perhaps you have username@291.hotmail.com. This key could be set to temporary (such as one week) or permanent (requires manual removal). Then there would be a catch-all option, which would catch all e-mail sent to username@hotmail.com AND username@*.hotmail.com. Perhaps you have username@452.hotmail.com for contacts that are your friends. Or maybe username@news-me.hotmail.com for whenever you contact a news station. This would really hurt spammers, as now they can't simply hit a username, but also hit all possible combinations for that specific username.
Let's hope that's what happens. Then some community will come up with an alternative system that is similar to the current email, but hopefully a bit more spam-proof. The masses can continue to use the crappy current email, while the rest of us will switch to the new system complete with an old-email gateway. Yes, the masses will eventually catch-up and crap on that system too, just like they did with the internet (web, email), rinse, repeat. But that's the way it goes.
I don't know about everyone else - but I hardly notice spam anymore. I mean, between gmail, thunderbird, and even hotmail (obviously not a definitive list) - I don't see it anymore. It's all filtered out automagically. I think this is a case of the government, once again, being a bit too slow on the uptake. Thanks for the thought guys, but we seem to be dealing with it fine ourselves.
Why not do what the RIAA does ... and sue the people receiving the spam? Seems like that'd fix the problem ... right? Right?
Obviously you have never had to be the one running the email servers that get millions of spam every day which costs you in bandwidth and server resources. Just because everything is peachy for you doesn't mean it is for everyone else.
Not only do I expect many F/OSS people to be allowed in, I expect the concerns of deploying anti-spam solutions in F/OSS mail servers to be front and center. I also expect there to be people who don't give a flip about F/OSS to be there too, along with a bunch of spammers^Wethikal bidnizmen.
SPF support for most open source mail servers can be found at libspf2.
The article by Fortunato explained that one reason for the failure and disbanding of the IETF MARID working group was that Microsoft's patent application was published last week and turned out to be much broader than expected. As written it would seem to cover SPF, which is odd since the patent was submitted four months after SPF got started.
The truth is that patent applications are written as broadly as possible and it is common for them to be whittled down by the patent office to only those claims which are truly novel and useful. But this still leaves us with considerable uncertainty about just how broad the Microsoft patent will turn out to be when it is finally issued. We won't know the answer for years, given the usual speed of the patent office.
I'm willing to bet that one of the schemes that the FTC is going to propose is one where it becomes illegal for "unlicensed" nodes to connect to a "licensed" MTA unless it is one with whom they have a standing agreement. In other words, you can't be an MTA without getting FTC approval, or "downstreaming" off of someone else's server.
This won't really help SPAM, but it IS something the big ISPs want in order to begin to control where their competition can come from.
Whitelisting is an acceptable solution to the problem of spam. Most of the people who use email are *not* businesses and they only get mail from friends and family; a whitelist will leave their inboxes spam-free. If they want to get email from someone they've met on a forum or elsewhere they can easily add that person to their whitelist.
As for companies it doesn't matter whether they get spammed or not. They aren't part of the target base that make spammers money. If everyone is using white-listing except for businesses, the spammers will go bankrupt; mass white-listing for individual consumers will solve the problem for businesses as well, if indirectly.
I really don't see what the problem is here. The vast majority of email users aren't interested in getting mail from people they don't know. Those that are interested can forego whitelisting, and since this will probably be a small fraction of the population spammers will *still* go out of business since their costs will exceed their returns.
Seems to me that people are making a mountain out of a molehole, and one that already has a solution. Hell, the solution is already part of most email services!
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
I wonder how this will affect email 'nym' servers...that redirect, strip off info..and make your emails truly anonymous?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Do we really want the government more involved with the internet? Yes spam sucks, and I have had some thoughts that I would prefer not to share about spammers, but getting the government involved is a double edged sword. We don't want them censoring what we see (China), yet we want to get them to do something about spammers. My opinion: Bad idea.
Sig free since 2/6/2002
I use throw-away accounts for risky stuff. But...
My primary email address, which I have had since 1992, has been published on the web (in documentation I have written), posted to Usenet (back when I wrote and maintained a FAQ), used in communication with online vendors like Amazon and ebay, and more. It receives lots of spam. It is the account at the educational institution where I work. While I can get a new account elsewhere, and tell my friends to use that email address, I cannot change the address my workplace has assigned me, and I cannot abandon it--it's where other employees (rightly) expect to email me. So I have to deal with lots of spam.
http://shit.slashdot.org/article.pl?sid=04/09/28/1534229
1) MTAs are required to have a FQDN in DNS and have a matching RDNS.
2) The FQDN must have the substring 'mail' or 'smtp' in the hostname.
3) if an email came from a host not matching 1 and 2 the email is rejected.
What does this do to stop spam?
Rule 1 forces all MTAs to be registered with someone (Not gov). Since most ISPs do not delegate RDNS this means the MTAs are registered with their ISP and they are easily found at arin.net. Complaining to an ISP stops spam because they do not want their IPs blacklisted.
Rule 2 forces MTAs to declare themselves as MTAs. Emails from 0wned-boxen-by-virus-or-activex-dsl00032.spameveryone.0wn must be relayed through their ISP. Wow ISPs responsible for their traffic, humm..
Rule 3 says play by the rules or don't play at all.
Overhead? a regexp on a DNS lookup that already happens.
Downside, every MTA must have their own IP.
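The three rules in the comment above, written out as a receiving-side check. This is an added example, not part of the original post: the DNS tables are constructed stand-ins so it runs offline, "matching RDNS" is assumed to mean the PTR name resolves forward to the connecting IP, and rule 2 is assumed to apply to the leftmost label of the name.

```python
import re

# Constructed reverse (PTR) and forward (A) tables standing in for live DNS.
# Addresses are from the documentation ranges; names are made up.
PTR = {
    "192.0.2.25": "mail.example.org",
    "198.51.100.77": "dsl00032.dynamic.example.net",
    "203.0.113.9": "smtp.spoofed.example.com",
}
A = {
    "mail.example.org": {"192.0.2.25"},
    "dsl00032.dynamic.example.net": {"198.51.100.77"},
    "smtp.spoofed.example.com": {"203.0.113.200"},  # forward does not match
}

# Rule 2: the host label must declare itself as a mail host.
MTA_LABEL = re.compile(r"mail|smtp", re.IGNORECASE)


def check_mta(ip, ptr=PTR, a=A):
    """Apply rules 1-3 to a connecting client IP; return (accept, reason)."""
    host = ptr.get(ip)
    if host is None:
        return False, "rule 1: no reverse DNS"
    host = host.rstrip(".").lower()
    if "." not in host:
        return False, "rule 1: PTR is not a FQDN"
    # Forward-confirm the PTR: whoever controls the reverse zone can put any
    # name in it, so the name must also resolve back to the same address.
    if ip not in a.get(host, set()):
        return False, "rule 1: forward lookup does not match"
    if not MTA_LABEL.search(host.split(".")[0]):
        return False, "rule 2: hostname lacks 'mail' or 'smtp'"
    return True, "accepted"


if __name__ == "__main__":
    for client in ("192.0.2.25", "198.51.100.77", "203.0.113.9", "192.0.2.200"):
        print(client, check_mta(client))
```

The forward-confirmation step is what makes rule 1 meaningful: a PTR record alone is asserted by the owner of the address block and proves nothing about the name it points to.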
Whenever someone sends an email they get an electric shock. Very minor, a little tickle; for normal use this is not an issue. For a spammer this will be far more hazardous.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Why not check this out? I think this seems like a good solution, myself. Sure, people will say:
1) It will (for all practical purposes) eliminate the possibility of geeks who want to run their own mail servers on a DSL line. So what? There's no good reason for them to be doing that, except for fun or for malicious purposes.
2) It will be a blow to anonymity. So what? There has GOT to be a line drawn between anonymity and the need to hold people accountable for abuse of mail servers. Period.
Until people start to understand that there are tradeoffs in these things, things will be going nowhere.
I don't like greylisting, primarily for one reason. It destroys the possibility of near real-time message exchange between persons that have never exchanged e-mail. Consider, for example, a salesperson and a potential customer. Waiting an hour for information someone "just now sent" can be costly. Obviously there's no guaranteed e-mail delivery timeframe without SPF, but in practice, it typically arrives before I'm off the phone. Because I cannot turn it on or off as an individual mail recipient, I find it somewhat draconian and inappropriate for admins to impose artificial delays on my communications.
Sure, whitelisting alone helps SOME people. But for many people that's not enough.
- David A. Wheeler (see my Secure Programming HOWTO)
I'm amazed that I haven't seen more about Proof of work tokens for spam-fighting.
Proof of work tokens are hashes (like md5's) that take a relatively long time to compute and are very quick to validate. For most purposes, adding a few seconds to the delivery of email is unnoticeable. For spammers, however, it greatly decreases the number of emails that can be sent out within a period of time.
Even though this does not completely eliminate the problem, it can significantly reduce the amount of time spent sifting through spam. Used in combination with public-key cryptography, it could even allow for mass-mailings from known users. (For instance, the Red Hat mailing list.)
The current problem with spam is a result of the fact that it takes almost no money to send spam. Increasing the amount of time spammers need to use in order to send out email is the only way to make a dent.
Links:
HashCash.org
Reusable Proofs Of Work
Currently down, but look at the google cache
"My religion is to live --and die-- without regret." -- Milarepa
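The asymmetry the proof-of-work comment above describes (slow to mint, one hash to check), as an added example that is not part of the original post. The stamp layout is a simplified one modelled on the idea, not the Hashcash wire format, and SHA-256, the field order and the same-day freshness rule are assumptions made here.

```python
import hashlib
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(recipient: str, bits: int, date: str, salt: str = None) -> str:
    """Sender side: brute-force a counter until the stamp hashes to `bits`
    leading zero bits. Expected cost is about 2**bits hash evaluations."""
    salt = salt or secrets.token_hex(8)
    counter = 0
    while True:
        stamp = f"{bits}:{date}:{recipient}:{salt}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, recipient: str, min_bits: int, today: str, seen: set):
    """Receiver side: one hash plus bookkeeping. Returns (ok, reason)."""
    parts = stamp.split(":")
    if len(parts) != 5:
        return False, "malformed"
    bits_s, date, rcpt, _salt, _counter = parts
    try:
        claimed = int(bits_s)
    except ValueError:
        return False, "malformed"
    # Binding the stamp to one recipient stops a single stamp from being
    # reused across a whole mailing run.
    if rcpt != recipient:
        return False, "wrong recipient"
    # Freshness bounds how long the `seen` set has to be kept.
    if date != today:
        return False, "stale date"
    if claimed < min_bits:
        return False, "insufficient work"
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < claimed:
        return False, "hash does not meet claimed bits"
    if stamp in seen:
        return False, "replayed stamp"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    spent = set()
    s = mint("alice@example.org", 16, "040930")  # constructed recipient/date
    print(s, verify(s, "alice@example.org", 16, "040930", spent))
```

Each extra bit doubles the sender's expected work while the receiver's cost stays at one hash, which is the tuning knob the comment's "few seconds" per message refers to.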
Tell me, what does your average user need with outgoing port 25 to anything other than their ISP's mail server? Most wouldn't even notice it, and those that do, I'd want to be able to call up and have it opened up for them.
You can make the same argument for only allowing 110/25, 53/udp inside the ISP, and only port 80 and 443 beyond the ISP.
90% of customers would be happy and it would prevent a fair number of worms and trojans from propagating.
Would you advocate such a position and why or why not?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
One of the key inhibitors to fixing the spam problem has been the lack of ability for any solution to be widely enforced quickly. SPF et al are nice and dandy for what they are, but the time it takes to implement them globally is just too long. Each ISP is faced with two choices:
- enforce new anti-spam technology, and accept that paying customers won't get their email for a while until the rest of the world falls in line
- don't implement it, or wait till everyone else implements it, or partially implement it so that no customer misses their email
Neither of these options will work.
From a purely technical perspective, a lot could be done today to reduce spam dramatically. However almost all suggestions fail on the point that they require every ISP and/or user to adopt the new solution simultaneously, or risk losing email.
If the US FTC is hosting a forum on this, *and* they get support from equivalent bodies in other countries, then *just maybe* a technical solution can be put up and accepted on the understanding that (on some nominated date/time) every significant ISP worldwide will turn it on simultaneously.