Slashdot Mirror


Meng Wong's Perspectives on Antispam

netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."

13 of 298 comments

  1. Phishing is easy to recognize by 4D6963 · · Score: 5, Informative
    Phishing is easy to recognize, well at least for us the leet slashdot geeks.

    But I still wonder why mail providers don't scan the typical phishing mails (PayPal and eBay) and check whether the links point to ebay or paypal's site or some obscure IP.

    I'm pretty sure that checking such typical phishing mails for their authenticity this way would help rid inboxes of them. My two cents.

    --
    You just got troll'd!
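    The check the comment proposes, as an added example that is not from the thread or any poster: a small Python filter that flags links in a PayPal- or eBay-themed HTML mail whose host is a bare IP literal or is not a domain that brand uses. The brand-to-domain mapping, the sample message and the anchor regex are assumptions made for the example.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Brands the comment names, mapped to the domains they use (an assumption for this example, not an authoritative allowlist).
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "ebay": {"ebay.com"}}

# Constructed sample: a PayPal-themed mail whose "click here" link points at a bare IP.
SAMPLE = """From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Please verify your account
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Your PayPal account needs verification.</p>
<p><a href="http://192.0.2.10/cgi-bin/webscr">Click here to verify</a></p>
<p>Questions? See <a href="https://www.paypal.com/help">our help page</a>.</p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"', re.I)  # simplistic anchor extraction, not a full HTML parser

def registrable(host):
    """Return 'ip' for an address literal, else the last two DNS labels (enough for the .com brands used here)."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return ".".join(host.lower().split(".")[-2:])

def suspicious_links(raw_message):
    """Return hrefs in a brand-themed HTML mail whose host is an IP literal or an off-brand domain; [] if no brand is mentioned."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    html = part.get_content()
    brands = [b for b in BRAND_DOMAINS if re.search(b, html, re.I)]
    if not brands:
        return []
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    flagged = []
    for href in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname  # None for mailto: or relative links, which carry no host to judge
        if host and registrable(host) not in allowed:
            flagged.append(href)
    return flagged
```

    Running `suspicious_links(SAMPLE)` flags only the IP-literal link; the genuine paypal.com help link passes.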
  2. Re:Default deny is dumb. by chill · · Score: 2, Informative

    My bank doesn't have my home address, they have a PO Box. They do not have a phone number for me. I also have several friends who've retired and live on the road, in RVs. They have no permanent address. Hell, in the State of Oregon you can even change your address on your DL to read "Transient" if you live in an RV.

    I deal with my bank via ATMs, direct deposit and e-mail and that is the way I prefer it.

      Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
  3. Re:Not All People by Anonymous Coward · · Score: 2, Informative
    OK, oh so smart one. I'm so happy that you won't be fooled. The problem for the rest of us is that the phishing attempts are getting better, and legitimate email sometimes looks phishy.

    Take this quiz to see what I mean.

  4. Re:bzzzzzzzzzt wrong! by chill · · Score: 2, Informative

    Hmmm... I wasn't very specific.

    I run my own mail server and have it set to do things like:

    - *REQUIRE* SSL/TLS + AUTH to send/receive mail if you have an account on my system
    - Bounce, as if my address doesn't exist, any non-whitelisted e-mail
    - ClamAV, updated twice daily, just to be extra safe

      -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
  5. RTFA by suwain_2 · · Score: 2, Informative

    What I took away from the article is that he's proposing a central authority (or a series thereof) that say "someone@somewhere.com is a real person's e-mail address." He is not proposing that you only accept mail from those who've already sent you mail; he's proposing that everyone in the world who uses e-mail be in this whitelist.

    I'm not usually one to say "RTFA," but the majority of the comments right now have nothing to do with the article.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  6. Re:The simple solution... by Anonymous Coward · · Score: 1, Informative

    It works for a while and then the floodgates open. I stayed spam free for several years, then went from 0 to 30,000 per month in 3 months.

    Why? My guesses:

    - Someone sniffs network packets for e-mail addresses in transit.

    - A 'trusted' website I do business with has been hacked or has on-sold information against its published policy

    - Someone with my e-mail address (most likely my silver-haired relatives) caught a virus that plundered their address book.

  7. Bayes filters do not achieve `99.9%' by gvc · · Score: 3, Informative
    Here are the results of the latest TREC Spam Evaluation. No filter - not even CRM114 or DSPAM - comes close to 99.9% overall accuracy.

    That said, filters can remove 98% of spam with about 0.1% false positives, which makes them pretty useful. Most, but not all, of those 1-in-1000 false positives are marginal anyway.

    If you're interested in doing your own tests, there's a free toolkit and corpus with 92,000 messages.

  8. Re:Meh. by 1u3hr · · Score: 2, Informative
    In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.

    One method is to have whitelisted mail, and bounce others with a message asking you to do something difficult to automate, e.g. pointing to a web page where they can type in a message, maybe with a captcha.

  9. Re:p2p whitelists anyone? by Fnord666 · · Score: 2, Informative

    There is a project to try and do this.
    From the website:
    LOAF is a simple extension to email that lets you append your entire address book to outgoing mail messages without compromising your privacy. Correspondents can use this information to prioritize their mail, and learn more about their social networks. The LOAF home page is at http://loaf.cantbedone.org.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  10. Re:Not All People by ceoyoyo · · Score: 2, Informative

    Ah yes... I had a friend like you. She set up her phone to just ignore anyone not on her caller-id list. Since we couldn't phone her from a cell or pay phone and she lived in a different city we just stopped visiting.

  11. Re:It's not just the fact banks use it. by DavidTC · · Score: 2, Informative
    No, what email clients need is a way to add communications that are 'official'. I suspect via a PGP key or even keeping track of the sending IP or something, and mark them as 'known sender'.

    I.e., a whitelist. But the trick isn't that the client blocks everyone else, it's that they make sure the reader knows they are suspicious looking, and don't let people click links or view images or html without some work.

    There are almost no ways for a client to determine if an email is legit in what it is claiming or not; that would require strong AI. But there are plenty of ways for it to determine that it's seen emails from that person before.

    Possibly you could make it even stronger with a more specific category for 'business emails', where they have to be signed with PGP, and the key has to be downloadable from an ssl website, which properties the user sees in big letters before he adds it to 'known businesses'.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  12. Re:A Radical Solution by Anonymous Coward · · Score: 1, Informative

    You appear to be describing IM2000

  13. Re:Spam is a social problem, not a technical one. by Kphrak · · Score: 2, Informative

    Comparing this to washing hands is probably the best point you have. Like washing hands, it's regularly drummed into people's heads, and just as regularly goes ignored by a minimum of 30% of people.

    As for your idea of influential people decrying spam, it's pretty weak, since it assumes total obedience in those influenced. Marital infidelity is regularly condemned by Oprah and probably 99% of religious leaders (and usually by the president, although we should make an exception at least in the case of the last president ;) ). It still happens all the time.

    --
    There's no sig like this sig anywhere near this sig, so this must be the sig.