Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTC Wants Comments on Email Authentication

Posted by michael on from the getting-an-earful dept.

An anonymous reader writes "Groklaw has the scoop. The Federal Trade Commission and National Institute of Standards and Technology (NIST) will co-host a two-day 'summit' November 9-10 to explore the development and deployment of technology that could reduce spam. The E-mail Authentication Summit will focus on challenges in the development, testing, evaluation, and deployment of domain-level authentication systems. The FTC will be accepting public comments until Sept. 30, 2004 via snail-mail or email (authenticationsummit at ftc.gov). The FTC has a list of 30 questions they would like answers/comments to. The list available in this PDF of the Federal Register Notice." In a related subject, reader Fortunato_NC submits this writeup of the sequence of events that led to Sender-ID's abandonment.

26 of 208 comments (clear)

  1. spam about spam by metallikop · · Score: 3, Funny

    Seems like slashdot is being spammed with stories about spam.

  2. My comments? by cuzality · · Score: 4, Funny

    I will be sending my comments immediately by email. They'll know who I am.

    1. Re:My comments? by orthogonal · · Score: 4, Funny
      I will be sending my comments immediately by email. They'll know who I am.

      THIS AUTHENTICATED EMAIL
      HAS BEEN APPROVED
      AS CHRISTIAN AND PATRIOTIC
      BY THE
      REICHSPROTECTOR OF INFORMATION
      FOR THE UNITED HOMELAND
      by direction of
      JOHN D. ASHCROFT,
      REICHSMINISTER OF JUSTICE


      We want all your papers, please!

      And yes, we do know who you are, Citizen!

      CC: PATRIOT DATABASE, REICHSMINISTRY OF INFORMATION
      --
      Opinions on the Twiddler2 hand-held keyboard?
  3. for all the bots... by Anonymous Coward · · Score: 5, Funny


    authenticationsummit@ftc.gov

  4. They won't be happy. by Anonymous Coward · · Score: 3, Insightful

    These guys aren't going to be happy until we have to hand over our credit cards, photo ID and social security number just to send an email.

    1. Re:They won't be happy. by fleener · · Score: 3, Insightful
      Correct. My primary e-mail accounts have been spam-free for 3 years, since I started watching where and how I give people and web sites my address. Through a few simple measures you can protect a new address without the need for spam filters, with no need to hinder your regular personal and professional correspondence (assuming you don't correspond with spammers).

      The *only* spam I receive on my permanent accounts is an occassional worm-sent e-mail and a guessed-address spam every 3 or 4 months (and those have never led to more spam).

      People who piss and moan about spam (basically everyone) are refusing to accept that they live in a dangerous world. There was a time when people left their front door and windows unlocked. An ounce of prevention is worth a billion pounds of cure, in terms of spam.

      I'll never support an authentication system that costs me more money to send e-mail because I have zero need for an authentication system.

      People who don't use throw-away accounts for risky correspondence are having anonymous sex without a condom. Go ahead, mod me down because you don't believe me and think spam is just the cost of doing business on the Internet. It's not.

  5. NOTHING but an open standard. by garcia · · Score: 4, Insightful

    From Groklaw:

    7. Whether any of the proposed authentication standards would have to be an open standard (i.e., a standard with specifications that are public).

    Of course the standard would have to be open. This shouldn't even be up for discussion. No argument can make security by obscurity work and no argument can get me to change my thinking that we should all be using closed SMTP servers.

    Spam is "horrific" and all (BTW I don't get more than 5 a year) but we certainly shouldn't even be considering ending it by choosing applications that will eliminate an open society.

    1. Re:NOTHING but an open standard. by JabberWokky · · Score: 4, Interesting
      Spam is "horrific" and all (BTW I don't get more than 5 a year)

      And I get 1800 a day. That's because I am the public contact for several companies with some of my email addresses dating back over 10 years. In conjunction with theater groups and businesses, my email appears in press releases, on fliers, ancient usenet posts, and otherwise all over the place.

      Individuals using their email account to talk to friends don't have as much a problem as people who use their email address publically for business and publicity.

      My phone number and address are also published. I don't, however, get 1,800 unsolicited calls every day and my junk physical mail is quite reasonable.

      --
      Evan "I'm not even saying Spam is bad, I'm just saying it costs me serious time"

      --
      "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  6. The Hardest Issue by Nos. · · Score: 5, Interesting

    Is to keep email easy to use. SPF is a nice idea, but doesn't cope with a couple issues. The first is that a lot of SPAM comes from trojan'd machines. SPF won't prevent or help mark email coming from these machines as SPAM. Secondly, its not expensive to register a domain and flood SPAM for a few days until that domain is blacklisted. Wash, rinse, repeat. I'm not saying a solution isn't out there, just nothing that I have seen really talks to these two issues.

    1. Re:The Hardest Issue by thogard · · Score: 3, Informative

      You only found 2 issues with SPF?
      How about a few more

      Since I wrote that, I've managed to come up with SPF rulesets that cause DOS on some of the common implementations, my dns has been scaned countless times looking for SPF records and I've had over 1000 spam messages with valid SPF records.

    2. Re:The Hardest Issue by perp · · Score: 4, Informative
      The first is that a lot of SPAM comes from trojan'd machines. SPF won't prevent or help mark email coming from these machines as SPAM.

      Yes it will. Almost all of those trojanned machines send mail directly to the receiving server, not through the mail relay of the spoofed sender. If the email purports to be from jblow@someplace.com, the receiving mail server can check someplace.com's spf record and see that the ip address of the trojanned machine is not allowed to send mail. That is the very essense of what it does.

      You are correct that a spammer with a server can publish an spf record, but he is much, much easier to blackhole than a rapidly changing large selection of compromised dsl machines.

      --
      There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
    3. Re:The Hardest Issue by ajs · · Score: 3, Informative

      Repeat after me, "SPF DOES NOT PREVENT SPAM. SPF DOES NOT ATTEMPT TO PREVENT SPAM. IF YOU EXPECT SPF TO PREVENT SPAM, YOU WILL BE DISAPOINTED."

      Ok, yelling done (sorry, but this comes up so often, you'd think the "S" stood for Spam). What SPF *does* do is validate that mail was sent from a machine that was (or was not) authorized to send it by the originating domain.

      It's nothing more or less than that. As a first-pass on the roots of the problem of spam, it's a great tool, but I would never suggest that anyone treat it as an actual solution for spam per se. Joe Jobs are mitigated and you can also begin to build a reputation with the sources of SPF-identified mail. Once you get spam from a machine that's listed as a valid SPF sender for that doamin, you have a great deal more information to apply ot that domain's reputation than if you recieved spam from a non-SPF sender.

      It's not perfect (SPF has its warts, though I think many of your concerns are too minor to be blasting them over), but it is an excellent start, and combined with various other systems out there, helps to address many existing problems.

  7. Why not go after the merchants? by 14erCleaner · · Score: 5, Interesting

    You know, I can't figure out why we can't combat spam by making it illegal to send unsolicited ads via email (or maybe the can-spam act already does this), but then go after the companies who are actually trying to get customers. After all, they either provide valid contact information, or nobody can buy from them. If nobody can sell anything via spam any more, the reason for it would go away.

    --
    Have you read my blog lately?
  8. No Free Software radicals allowed by sphealey · · Score: 4, Insightful

    I would be willing to wager a small sum that the only invitees to this meeting will be representative of large, commercial, for-profit software vendors and ISPs. That there will be no representation of/by the Free Software community. And that the FTC will reject any comment not from a commercial software vendor/ISP as having "no standing".

    Just a guess.

    sPh

    1. Re:No Free Software radicals allowed by JamesTRexx · · Score: 3, Interesting

      Seeing that about 75% of mail is handled by open source mta's, they can't afford to go with ip, moneygrabbing, patentfilled solutions.
      The only standard that will get accepted will be an open, patentfree one supported by the free software community.
      Any closed or patented ones could only be used between the commercial mta's, so it would have little effect on the amount of spam.

      --
      home
  9. Another war on.... by Null537 · · Score: 3, Insightful

    That's what I envision.

    "Today, we must fight a war, they clog our mail boxes, they offer us penis enhancements, drugs like v1ag|2a, stuff we don't need, they make our wives leave us for believing we go to porn sites and give out our e-mails to just anyone. Today we start the war against spam"
    -[Insert head of newly formed organization here]

  10. A stopgap measure by grasshoppa · · Score: 4, Interesting

    An effective stop gap measure would be for ISPs to block port 25 ( along with a number of others ) outbound by default, and open it up only on customer requests.

    This way, zombie'd machines wouldn't have a chance to spew their virus/spam emails to everyone, I could still run my home email server, and the ISPs would save on bandwidth.

    I wonder why this ISN'T yet in place, to be honest.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  11. Publish SPF now, be the 126519th... by pjrc · · Score: 4, Insightful
    If you want to advocate SPF, publish a SPF record for your domain, and then register it. Already, 126518 domains have published SPF records (at the time of this writing).

    By the time the FTC's summit comes around, it's looking like SPF is going to be pretty well established.

    --
    PJRC: Electronic Projects, 8051 Microcontroller Tools
    1. Re:Publish SPF now, be the 126519th... by wayne · · Score: 4, Interesting
      Actually, I have a list of around 650,000 domains in .COM, .NET and .ORG that have SPF records. These should show up in the SPF Adoption Roll Real Soon Now. Surveys of the .DE and .FR TLDs have also been done, but I don't have the results of those.

      I'd like to know how many of those domaines actually are applying effective policies.

      In the survey of the .COM domains, I found the top ten SPF records to be:

      159416 "v=spf1 mx -all"
      147883 "v=spf1 -all"
      51245 "v=spf1 ip4:10.0.0.0/24 ip4:10.0.0.0/24 ?all"
      28206 "v=spf1 a:smtp.example.net -all"
      21437 "v=spf1 mx ip4:10.0.0.0/19 ~all" ""
      19733 "v=spf1 mx ~all"
      15245 "v=spf1 a:smtp.example.com ~all"
      9488 "v=spf1 ip4:10.0.0.0/24 mx -all"
      6371 "v=spf1 ip:10.0.0.0/24 ip:10.0.0.0/27 ip:10.0.0.0/24 ip:10.0.0.0/27 ip:10.0.0.0/27 ip:10.0.0.0/27 ip:10.0.0.0/27 ip:10.0.0.0/27 ?all"
      5842 "v=spf1 ip4:10.0.0.0/24 -all"
      (I have munged the domain names and IP addresses for privacy reasons.)

      As you can see, it is very common to define strict SPF record with the "-all" at the end. Those domains that use the softfail option of "~all" are somewhat more lax, but still moving in the right direction.

      The complete survey results are available to people who follow the IETF MARID list and/or the SPF discuss list. I'm not going to post a link to them here 'cause I don't want to be slashdotted.

      --
      SPF support for most open source mail servers can be found at libspf2.
  12. Here's the system... by RecycledElectrons · · Score: 3, Interesting

    Every eMail that is sent (by SMTP - the Simple Mail Transport Protocol) should be considered "unconfirmed." This means that it may or may not be from the return address.

    I propose that we add a new layer called CMTP - the Complex Mail Transport Protocol.

    CMTP simply takes an unconfirmed eMail (sent by SMTP) and sends a packet back to the sender. This packet asks for verification of the message. The packet includes a checksum, the length, to, from, subject, and the time/date that the eMail was sent.

    The sending mail server receives this CMTP checks all of that information, and replies with a CTMP confirmed message or a CMTP not confirmed message.

    There is no limit on the number of times that a mail server may be asked to confirm an eMail. There is a limit that messages should not be confirmed more than 24 hours after they are sent. This may pose a small problem in that SMTP does not place a time limit on mail messages.

    CMTP does require that every mail server maintain a list of the eMail it has sent. That COULD be time consuming.

    CMTP also adds 2 packets to every eMail sent. SMTP was designed to be dead simple. They thought that they could not afford 2 extra packets. In that time, eMail was 80% of all internet traffic. Today, eMail is such a small percentage of all traffic that trpilling it would not be noticed.

    Andy Out!

  13. As if you didn't already know this was important.. by museumpeace · · Score: 3, Interesting
    Let me undescore the impact the conference is likely to have by pointing out that when NIST speaks, the DOJ listens. Here is a quote from a rejected submission of mine that found other documents NIST has authored that Ashcroft and co. now use.
    Feeding the fascination many /. readers may have for the escalation of technique and counter-technique beteween hackers and computer forensics experts may not be as valuable as keeping clues about how to avoid getting caught out of the hands of the hackers but I just can't resist... Sciencedaily.com pointed me to something hackers and other criminals might want to study carefully: the PDF guidebook that NIST wrote for the DOJ's first responders to computer crime scenes. Though it has John Ashcroft's name at the top, a glance at the document's time line shows that it was authored by experts mostly from outside the DOJ and completed before the current administration's appointments: the imprimatur of Justice Department on the document may not be ironic.

    Drat! I'm gonna get modded for flamebait but with a sig like mine, who'd notice?
    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  14. Email's role on the net by Schezar · · Score: 3, Insightful

    Let's face it: Email doesn't (and can't) fill the role it used to.

    There was a time when you shared your email address with everyone. It was on your resume, it was on your web page (if you had one), it was in your sig. Email was the universal, simple, fast, reliable communication medium of the internet.

    I used it to get my friends together on a weekend. I used it to organize events and meet people. I used it to share information.

    Nowadays, IM fills that role. I've realized that nearly everything I used to use email for can be done just as easily over IM. It's reliable, fast, relatively secure, easily encrypted, etc... Furthermore, it is largely immune to spam for a number of reasons.

    I find now that I only use email when registering for something (throwaway address), or for confirmation when I purchase something online. Everything email used to do, IM can do (if used properly... Staying online, logging, offline messages, confirmation, not using the AOL client, etc...)

    IM is by-and-large safe from SPAM due to the numerous restrictions placed on its use. Rate limits, authentication, etc... These things provide a layer of security, but also a layer of inconvenience.

    Were email to incorporate such restrictions, it would remove the last reason in the world to even be using it in the first place! Email is completely open. If email were to be restricted, it would become nothing more than a slower version of the current capabilities of IM.

    --
    GeekNights!
    Late Night Radio for Geeks!
    1. Re:Email's role on the net by praedor · · Score: 4, Insightful

      Yeah, right. IM. Pa-leeze. IM requires that the person you seek to contact has their fat ass planted 4-square in front of their computer or leaves it on 24/7. Email is very nice. It works no regardless of the type of client you have. It will sit there waiting for you to check it, perhaps after a vacation, after actually getting off your ass and away from the computer to exercise, or whenever you decide to either fire up the computer or turn on your email client. Oh...IM also requires that your contactee be somewhat in the same timezone (besides sitting on their ass forever awaiting IM messages). Try to IM from California to NYC late in the afternoon. Try to IM someone on the opposite side of the globe.


      IM is cute, it is a nice way to reduce your productivity at work and waste time "chatting" back and forth about unimportant nonsense (movies, your new pants, the hot chick from apartment A, etc). Email ain't going away, and it most assuredly wont be replaced by IM, Jabber, IRC, ICQ, Yahoo Messenger, etc. Email works regardless of software/hardware platform, has not propriatory hooks in it (Microsnot tried with their SenderID scheme to add a proprietory hook into email). Nothing beats email for convenience and easy time-shifing.

      --
      In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
  15. No mention of sender pays by gr8_phk · · Score: 3, Interesting

    There was no mention of sender pays postage as a solution. Anything that prevents anonymous email has an inherent central control which the internet doesn't need more of.

  16. FTC A Global Entity? by Muerte2 · · Score: 3, Insightful

    Last time I checked email was a global technology. Am I the only one that thinks it's strange that the (FTC an entirely US organization) is making decisions about something like this? Isn't there a more appropriate internation technology body that should be handling this? Ultimately this will have to become an ISO standard to get implemented across all mail serving platforms. Wouldn't it make sense to get a global consensus before the US starts making decisions about how best to deal with SPAM.

    I live in the US, but if I didn't I wouldn't want the US government telling me how to handle SPAM.

  17. F/OSS will certainly be a main issue there by wayne · · Score: 3, Informative
    Anyone who attended or watched the videos of last year's FTC anti-spam conference will know that the FTC very much has a clue about the spam problem. They showed far more clue than even the average slashdotter, let alone the general public.

    Not only do I expect many F/OSS people to be allowed in, I expect the concerns of deploying anti-spam solutions in F/OSS mail servers to be front and center. I also expect there to be people who don't give a flip about F/OSS to be there too, along with a bunch of spammers^Wethikal bidnizmen.

    --
    SPF support for most open source mail servers can be found at libspf2.