Slashdot Mirror

← Back to Stories (view on slashdot.org)

Meng Wong's Perspectives on Antispam

Posted by samzenpus on from the no-more-online-pharmacy dept.

netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."

4 of 298 comments (clear)

  1. Too much trouble by squeemey · · Score: 5, Interesting
    All this trouble would have been avoided by charging for email in the first place.

    My proposal:

    Charge 3 cents per letter. One cent goes to the ISP sending the mail, one cent to the ISP receiving the mail, and one cent to the recipient.

    The ISP on either end would credit/debit the sender/receiver's account.

    And watch the spam disappear.

    --
    Bill
  2. Considering IP blocking tactics, it's pointless by Peter+Cooper · · Score: 4, Interesting

    I think whitelisting is a pretty good idea. My SpamAssassin-oriented setup kinda does things this way. That is, a non whitelisted mail has to be pretty squeaky clean to get through, whereas whitelisted addresses get straight through.

    But lately I've been hitting a different problem which totally destroys the point of e-mail in many cases for me. That is, idiotic sys admins who firewall out entire IP blocks for, seemingly, no reason.

    Just because someone several machines down the co-lo rack let their machine get hacked is no reason for mail server administrators to *firewall out* entire ranges of IP addresses. Lately I've seen some ridiculous behavior where users of the other mail server can't even e-mail people on MY server because the block is two-way! So I end up with users complaining that only certain e-mail addresses appear unmailable (because only a small percentage of sysadmins are stupid enough to block entire classes) but it's still a major PITA that makes e-mail useless for many people. The worst part is when you complain to these sys admins/ISPs, many of them proclaim innocence and believe they have no blocks.. but it's their upstream provider, etc, etc.

    I'm beginning to think that encouraging people to migrate over to systems like 'GMail for your domain' and the like are going to be the way to go. At least Google has teams of people working 24/7 keeping their machines whitelisted. Having the US government able to subpoena your private information is the least of your worries, as long as you can actually e-mail the people you need to.

    And no, schemes like SPF do not help this problem, since if they're blocking IP ranges outright at their firewall, nothing can break through that except mail proxying (which I've been considering).

  3. p2p whitelists anyone? by fred+fleenblat · · Score: 3, Interesting

    Sometimes I wonder if there is a middle ground in the area of shared whitelists.

    If someone tries to email you, and they aren't on your whitelist but they are on the whitelist of someone who *is* on your whitelist, maybe let it through or at least give it some plus points for the filter based on how many degrees away they are.

  4. Nice straw man. There is lots of middle ground... by jonathan_95060 · · Score: 3, Interesting

    For instance ... Your MUA could still accept all email but any messages from senders not on your white list get flagged with a skull and cross bones, scripts are disabled and when you click on links the HAL/2001 sound clip "I'm sorry Dave, I can't do that" plays in Dolby 5.1 surround sound.

    Then, when you go to add "Phisher Man" to your white list, your MUA asks you some questions along the way:

    * is "Phisher Man" a financial institution?
    * is "Phisher Man" a personal friend?
    * is "Phisher Man" a merchant?

    etc. If you answer "yes" to the financial institution question, your MUA checks to see that "Phisher Man" is registered with the appropriate authorities (e.g. his email is signed with a public/private key that itself has been signed by "Trusty Co." that proves his identity has been verified or, at the very least, he has paid some decent bribes to the right people). If Phisher has not registered and you still want to add him to your financial institution white list your MUA warns you that "you may lose your house, family, wife and kids if this person is not who he says he is, are you really sure you want to do this?".

    Heck I think even my parents could learn to use this system and they are serious luddites.