Slashdot Mirror
FTC Wants Comments on Email Authentication
An anonymous reader writes "Groklaw has the scoop. The Federal Trade Commission and National Institute of Standards and Technology (NIST) will co-host a two-day 'summit' November 9-10 to explore the development and deployment of technology that could reduce spam. The E-mail Authentication Summit will focus on challenges in the development, testing, evaluation, and deployment of domain-level authentication systems. The FTC will be accepting public comments until Sept. 30, 2004 via snail-mail or email (authenticationsummit at ftc.gov). The FTC has a list of 30 questions they would like answers/comments to. The list available in this PDF of the Federal Register Notice." In a related subject, reader Fortunato_NC submits this writeup of the sequence of events that led to Sender-ID's abandonment.
Seems like slashdot is being spammed with stories about spam.
I will be sending my comments immediately by email. They'll know who I am.
authenticationsummit@ftc.gov
These guys aren't going to be happy until we have to hand over our credit cards, photo ID and social security number just to send an email.
From Groklaw:
7. Whether any of the proposed authentication standards would have to be an open standard (i.e., a standard with specifications that are public).
Of course the standard would have to be open. This shouldn't even be up for discussion. No argument can make security by obscurity work and no argument can get me to change my thinking that we should all be using closed SMTP servers.
Spam is "horrific" and all (BTW I don't get more than 5 a year) but we certainly shouldn't even be considering ending it by choosing applications that will eliminate an open society.
Is to keep email easy to use. SPF is a nice idea, but doesn't cope with a couple issues. The first is that a lot of SPAM comes from trojan'd machines. SPF won't prevent or help mark email coming from these machines as SPAM. Secondly, its not expensive to register a domain and flood SPAM for a few days until that domain is blacklisted. Wash, rinse, repeat. I'm not saying a solution isn't out there, just nothing that I have seen really talks to these two issues.
8. Whether any of the proposed authentication standards are proprietary and/or patented.
Ignorance is curable, stupid is forever.
You know, I can't figure out why we can't combat spam by making it illegal to send unsolicited ads via email (or maybe the can-spam act already does this), but then go after the companies who are actually trying to get customers. After all, they either provide valid contact information, or nobody can buy from them. If nobody can sell anything via spam any more, the reason for it would go away.
Have you read my blog lately?
I would be willing to wager a small sum that the only invitees to this meeting will be representative of large, commercial, for-profit software vendors and ISPs. That there will be no representation of/by the Free Software community. And that the FTC will reject any comment not from a commercial software vendor/ISP as having "no standing".
Just a guess.
sPh
...the government will now enforce standards?
/never mind the .gov
No, that's what we have the National Institute of Standards and Technology for.
That's what I envision.
"Today, we must fight a war, they clog our mail boxes, they offer us penis enhancements, drugs like v1ag|2a, stuff we don't need, they make our wives leave us for believing we go to porn sites and give out our e-mails to just anyone. Today we start the war against spam"
-[Insert head of newly formed organization here]
Just use ident. Maybe return a little extra information, like an "@sitename" suffix.
Yes, it would require immediate global adoption, but not if you just assign a higher score (towards spam) to messages that came from sites with no identd running.
Assume I was drunk when I posted this.
An effective stop gap measure would be for ISPs to block port 25 ( along with a number of others ) outbound by default, and open it up only on customer requests.
This way, zombie'd machines wouldn't have a chance to spew their virus/spam emails to everyone, I could still run my home email server, and the ISPs would save on bandwidth.
I wonder why this ISN'T yet in place, to be honest.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The only way to fight spam, which is going to be inconvenient as hell for most people, is to autoblock any machine that sends or relays spam.
/dev/nulled for a few months, but that's the alternative to living with spam.
Of course, email systems will buckle and fall, and people won't be getting mad as hell because their emails are bouncing or just not getting there.
Then ISP and other companies will actually spend money (120K+) on very competent email admins and fix their damn servers.
Each spam sets the clock forward by 1 week for domain and IP block.
I guarantee there won't be any spam in 1 year.
Of course, 99% of emails will be
"Piter, too, is dead."
By the time the FTC's summit comes around, it's looking like SPF is going to be pretty well established.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Every eMail that is sent (by SMTP - the Simple Mail Transport Protocol) should be considered "unconfirmed." This means that it may or may not be from the return address.
I propose that we add a new layer called CMTP - the Complex Mail Transport Protocol.
CMTP simply takes an unconfirmed eMail (sent by SMTP) and sends a packet back to the sender. This packet asks for verification of the message. The packet includes a checksum, the length, to, from, subject, and the time/date that the eMail was sent.
The sending mail server receives this CMTP checks all of that information, and replies with a CTMP confirmed message or a CMTP not confirmed message.
There is no limit on the number of times that a mail server may be asked to confirm an eMail. There is a limit that messages should not be confirmed more than 24 hours after they are sent. This may pose a small problem in that SMTP does not place a time limit on mail messages.
CMTP does require that every mail server maintain a list of the eMail it has sent. That COULD be time consuming.
CMTP also adds 2 packets to every eMail sent. SMTP was designed to be dead simple. They thought that they could not afford 2 extra packets. In that time, eMail was 80% of all internet traffic. Today, eMail is such a small percentage of all traffic that trpilling it would not be noticed.
Andy Out!
Drat! I'm gonna get modded for flamebait but with a sig like mine, who'd notice?
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
DNA scanners cannot distinguish between identical twins. Therefore in addition to the DNA scanner, a second system must be applied. Maybe an RFID chip that everyone must get implanted if he wants to use email?
The Tao of math: The numbers you can count are not the real numbers.
Let's face it: Email doesn't (and can't) fill the role it used to.
There was a time when you shared your email address with everyone. It was on your resume, it was on your web page (if you had one), it was in your sig. Email was the universal, simple, fast, reliable communication medium of the internet.
I used it to get my friends together on a weekend. I used it to organize events and meet people. I used it to share information.
Nowadays, IM fills that role. I've realized that nearly everything I used to use email for can be done just as easily over IM. It's reliable, fast, relatively secure, easily encrypted, etc... Furthermore, it is largely immune to spam for a number of reasons.
I find now that I only use email when registering for something (throwaway address), or for confirmation when I purchase something online. Everything email used to do, IM can do (if used properly... Staying online, logging, offline messages, confirmation, not using the AOL client, etc...)
IM is by-and-large safe from SPAM due to the numerous restrictions placed on its use. Rate limits, authentication, etc... These things provide a layer of security, but also a layer of inconvenience.
Were email to incorporate such restrictions, it would remove the last reason in the world to even be using it in the first place! Email is completely open. If email were to be restricted, it would become nothing more than a slower version of the current capabilities of IM.
GeekNights!
Late Night Radio for Geeks!
There was no mention of sender pays postage as a solution. Anything that prevents anonymous email has an inherent central control which the internet doesn't need more of.
Clearly the solution is to change SMTP to XML. Its so old fashions that it uses a line-by-line converation. I propose XSMTP which goes like this:
[xml]
[huge header]
[line value=helo]
[/xml]
That oughta fix it.
I am joking.
Last time I checked email was a global technology. Am I the only one that thinks it's strange that the (FTC an entirely US organization) is making decisions about something like this? Isn't there a more appropriate internation technology body that should be handling this? Ultimately this will have to become an ISO standard to get implemented across all mail serving platforms. Wouldn't it make sense to get a global consensus before the US starts making decisions about how best to deal with SPAM.
I live in the US, but if I didn't I wouldn't want the US government telling me how to handle SPAM.
First, equate spam with child pornography and terrorist activity. Get Congress to make it illegal to buy products via spam.
why that will not motivate anyone.
Equate spam with Violating copyright and hacking. that way we will get jack booted ATF thugs busting down their doors, they get held in prison without a trial for months and laws making it worse than outright murder get passed.
child pornography and terrorist activity does not excite anyone in congress, that is why they pretty much ignore it. yet they want to almost inact the death penalty for "hacking" and downloading and sharing a bad pop music song.
Sorry but getting the government involved is the worst thing to do.
Do not look at laser with remaining good eye.
Actually, my entire post was a joke. Sort of a parody on what's happening to P2P technology. Sorry it wasn't funny enough.
If someone says he and his monkey have nothing to hide, they almost certainly do.
IMHO the real way to lock mail down is to use PGP keys to authenticate legitimate MXs, and blacklist/expire certs that misbehave. Add an X header that signs the payload hash with its own seckey, then send to the destination to have it verify before delivery.
'Trusted' sources (including national post offices) could generate and certify keys for these servers, and expire/blacklist them if they're abused. Put the pubkey into a DNS record for the MX.
Legacy mail not in this system could be flagged as 'untrusted' and jailed appropriately.
A dead spammer wouldn't find a way around it.
And yes, I have absolutely no problem voting in favor of capital punishment for sending spam. For that matter you could tack on writing a virus to that and I'd still be for it.
Appended to the end of comments you post. 120 chars.
(bad form to self-reply, I know :p) ... How about those 'trusted' sources running DNS servers that provide MX resolution for domains? Granted you'd need DNSSEC to trust them that far (and RFC3445 kinda kills the 'put the key in DNS' idea) but the USPS, various national posts, UN, verisign, etc could run DNS servers that handle MX resolution for domains so you can point your MX configuration at those domain servers ala the RBL. Extra sneaky points to building an entire root DNS dedicated to MX.
It's more of a TWL (Trusted Whitehole List) than an RBL (Realtime Blackhole List).
Of course, it goes without saying that all of this is pissing in the wind as long as people's pain threshold is still higher than the bother of implementing all this.
I don't know about everyone else - but I hardly notice spam anymore. I mean, between gmail, thunderbird, and even hotmail (obviously not a definitive list) - I don't see it anymore. It's all filtered out automagically. I think this is a case of the government, once again, being a bit too slow on the uptake. Thanks for the thought guys, but we seem to be dealing with it fine ourselves.
Great! Then I can get you "capital-punished" if I can hack in, change your SPF record, send spam that looks like it is from you. What other proof would be necessary?
--jeff++
ipv6 is my vpn
Yeah, a few of the webmail providers do exactly what you're talking about. They generally call them "temporary addresses".
It works, but it makes using email more complicated, and it creates a situation where even MORE e-mail traffic is going to be flying all over the place, mostly to all those diabled temporary addresses.
What we really need is a single registry for email servers, similar to how DNS works now. If you want to run a mail server (and not have your mail rejected by other servers), you need to "register" it with some big, monolithic organization. If you're not on the authorized list, you get rejected.
Yeah, that kills the "openness" of email. You'll no longer be able to setup a usable mail server without jumping through some verification hoops. But so what.
Why not do what the RIAA does ... and sue the people receiving the spam? Seems like that'd fix the problem ... right? Right?
It was more of a joke then anything else anyway..:)
---- Booth was a patriot ----
Not only do I expect many F/OSS people to be allowed in, I expect the concerns of deploying anti-spam solutions in F/OSS mail servers to be front and center. I also expect there to be people who don't give a flip about F/OSS to be there too, along with a bunch of spammers^Wethikal bidnizmen.
SPF support for most open source mail servers can be found at libspf2.
God, I must be losing it. I thought it was hilarious and obviously a joke. I guess I'll stick to more serious posts and drop the humor from now on. Sorry!
If someone says he and his monkey have nothing to hide, they almost certainly do.
I see you've stumbled upon one of the valuable side effects of my anti-spam/anti-virus program. End users with a vested interest in keeping their systems secure instead of idiots clicking "OK" on every box that pops open in front of their faces is just one of many additional benefits!
Appended to the end of comments you post. 120 chars.
The article by Fortunato explained that one reason for the failure and disbanding of the IETF MARID working group was that Microsoft's patent application was published last week and turned out to be much broader than expected. As written it would seem to cover SPF, which is odd since the patent was submitted four months after SPF got started.
The truth is that patent applications are written as broadly as possible and it is common for them to be whittled down by the patent office to only those claims which are truly novel and useful. But this still leaves us with considerable uncertainty about just how broad the Microsoft patent will turn out to be when it is finally issued. We won't know the answer for years, given the usual speed of the patent office.
I'm willing to bet that one of the schemes that the FTC is going to propose is one where it becomes illegal for "unlicensed" nodes to connect to a "licensed" MTA unless it is one with whom they have a standing agreement. In other words, you can't be an MTA without getting FTC approval, or "downstreaming" off of someone else's server.
This won't really help SPAM, but it IS something the big ISPs want in order to begin to control where their competition can come from.
Whitelisting is an acceptable solution to the problem of spam. Most of the people who use email are *not* businesses and they only get mail from friends and family; a whitelist will leave their inboxes spam-free. If they want to get email from someone they've met on a forum or elsewhere they can easily add that person to their whitelist.
As for companies it doesn't matter whether they get spammed or not. They aren't part of the target base that make spammers money. If everyone is using white-listing except for businesses, the spammers will go bankrupt; mass white-listing for individual consumers will solve the problem for businesses as well, if indirectly.
I really don't see what the problem is here. The vast majority of email users aren't interested in getting mail from people they don't know. Those that are interested can forego whitelisting, and since this will probably be a small fraction of the population spammers will *still* go out of business since their costs will exceed their returns.
Seems to me that people are making a mountain out of a molehole, and one that already has a solution. Hell, the solution is already part of most email services!
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
I wonder how this will affect email 'nym' servers...that redirect, strip off info..and make your emails truly anonymous?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Do we really want the government more involved with the internet. Yes spam sucks, and I have had some thoughts that I would prefer not to share about spammers, but getting the government involved is a double edged sword. We don't want them censoring what we see (China), yet we want to get them to do something about spammers. My opinion: Bad idea.
Sig free since 2/6/2002
I use throw-away accounts for risky stuff. But...
My primary email address, which I have had since 1992, has been published on the web (in documentation I have written), posted to Usenet (back when I wrote and maintained a FAQ), used in communication with online vendors like Amazon and ebay, and more. It receives lots of spam. It is the account at the educational institution where I work. While I can get a new account elsewhere, and tell my friends to use that email address, I cannot change the address my workplace has assigned me, and I cannot abandon it--it's where other employees (rightly) expect to email me.. So I have to deal with lots of spam.
You make a good point, but where's the follow through? What are the roots of the problem as you see them? How can we go about fixing it? Where do we start?
and most importantly.. how do we profit from it?
(note, I'm probably joking about the profit part)
When Ever some one sends an email they get an electric shock. Very minor a little tickle for normal use this is not an issue. For a spammer this will be far more hazardus.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I don't like greylisting, primarily for one reason. It destroys the possibility of near real-time message exchange between persons that have never exchanged e-mail. Consider, for example, a salesperson and a potential customer. Waiting an hour for information someone "just now sent" can be costly. Obviously there's no guranteed e-mail delivery timeframe without SPF, but in practice, it typically arrives before I'm off the phone. Because I cannot turn it on or off as an individual mail recipient, I find it somewhat draconian and inappropriate for admins to impose artificial delays on my communications.
Sure, whitelisting alone helps SOME people. But for many people that's not enough.
- David A. Wheeler (see my Secure Programming HOWTO)
I'm amazed that I haven't seen more about Proof of work tokens for spam-fighting.
Proof of work tokens are hashes (like md5's) that take a relatively long time to compute and are very quick to validate. For most purposes, adding a few seconds to the delivery of email is unnoticable. For spammers, however, it greatly decreases the number of emails that can be sent out within a period of time.
Even though this does not completely eliminate the problem, it can significantly reduce the amount of time spent sifting through spam. Used in combination with public-key cryptography, it could even allow for mass-mailings from known users. (For instance, the Red Hat mailing list.)
The current problem with spam is a result of the fact that it takes almost no money to send spam. Increasing the amount of time spammers need to use in order to send out email is the only way to make a dent.
Links:
HashCash.org
Reusable Proofs Of Work
Currently down, but look at the google cache
"My religion is to live --and die-- without regret." -- Milarepa
Tell me, what does your average user need with outgoing port 25 to anything other than their ISPs mail server? Most wouldn't even notice it, and those that do, I'd want to be able to call up and have it opened up for them.
You can make the same argument for only allowing 110/25, 53/udp inside the ISP, and only port 80 and 443 beyond the ISP.
90% of customers would be happy and it would prevent a fair number of worms and trojans from propogating.
Would you advocate such a position and why or why not?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Well done, you've picked out two reasons which are more than adequate to prevent it ever being implemented.
>> except for fun
What better reason could there be? Why do you think I'm connected to the 'net anyway?
>> GOT to be a line drawn between anonymity and the need to hold people accountable
Yes. And where I come from, that line is firmly set on the side of anonymity. I demand, I insist, I must be able to send anonymous email.
Admittedly I haven't, not since last using anon.penet.fi, but I'm talking about the ability..
Any solutions that prevent that aren't worth having.
~Cederic
One of the key inhibitors to fixing the spam problem has been the lack of ability for any solution to be widely enforced quickly. SPF et al are nice and dandy for what they are, but the time it takes to implement them globally is just too long. Each ISP is faced with two choices:
- enforce new anti-spam technology, and accept that paying customers won't get their email for a while until the rest of the world falls in line
- don't implement it, or wait till everyone else implements it, or partially implement it so that no customer misses their email
Neither of these options will work.
From a purely technical perspective, a lot could be done today to reduce spam dramatically. However almost all suggestions fail on the point that they require every ISP and/or user to adopt the new solution simultaneously, or risk losing email.
If the US FTC is hosting a forum on this, *and* they get support from equivalent bodies in other countries, then *just maybe* a technical solution can be put up and accepted on the understanding that (on some nominated date/time) every significant ISP worldwide will turn it on simultaneously.