Meng Wong's Perspectives on Antispam
netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."
> "The final solution to the phishing problem requires that people
> use a whitelist-only, default-deny paradigm for email."
No, the final solution to the phishing problem requires that stupid, gullible people use a whitelist-only, default-deny paradigm for email.
Of course, that includes most of the human race...
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
To stop phishing, the banks and such have to STOP using email to communicate with their customers.
The banks have your home address and your phone number.
The only reason they use email is because it is incredibly cheap and allows them to attach advertising to their messages.
If the banks were responsible for any losses due to phishing, you'd see them drop email overnight. Once the cost exceeds the benefits, it's gone.
If we default-deny email, what do we have left?
In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.
But I still wonder why mail providers don't scan the typical phishing mails (PayPal and eBay) and check whether the links point to ebay or paypal's site or some obscure IP.
I'm pretty sure that checking such typical phishing mails for their authenticity this way would help rid inboxes of it. My two cents.
You just got troll'd!
The thing about email is you either will spend some of your time managing whitelists, or you'll spend some of your time managing spam. Likely some of both. But the idea of moving to a default-deny is not feasible for most people, because you often have to give your contact info out to someone you want email from -- AND YOU DON'T KNOW WHAT THEIR ADDRESS IS! So you can't whitelist them ahead of time. If a human is sending you the email, no big deal. Many times it's not a human (receipt from a company, mailing lists I subscribe to, etc).
My proposal:
Charge 3 cents per letter. One cent goes to the ISP sending the mail, one cent to the ISP receiving the mail, and one cent to the recipient.
The ISP on either end would credit/debit the sender/receiver's account.
And watch the spam disappear.
Bill
I think whitelisting is a pretty good idea. My SpamAssassin-oriented setup kinda does things this way. That is, a non whitelisted mail has to be pretty squeaky clean to get through, whereas whitelisted addresses get straight through.
But lately I've been hitting a different problem which totally destroys the point of e-mail in many cases for me. That is, idiotic sys admins who firewall out entire IP blocks for, seemingly, no reason.
Just because someone several machines down the co-lo rack let their machine get hacked is no reason for mail server administrators to *firewall out* entire ranges of IP addresses. Lately I've seen some ridiculous behavior where users of the other mail server can't even e-mail people on MY server because the block is two-way! So I end up with users complaining that only certain e-mail addresses appear unmailable (because only a small percentage of sysadmins are stupid enough to block entire classes) but it's still a major PITA that makes e-mail useless for many people. The worst part is when you complain to these sys admins/ISPs, many of them proclaim innocence and believe they have no blocks.. but it's their upstream provider, etc, etc.
I'm beginning to think that encouraging people to migrate over to systems like 'GMail for your domain' and the like is going to be the way to go. At least Google has teams of people working 24/7 keeping their machines whitelisted. Having the US government able to subpoena your private information is the least of your worries, as long as you can actually e-mail the people you need to.
And no, schemes like SPF do not help this problem, since if they're blocking IP ranges outright at their firewall, nothing can break through that except mail proxying (which I've been considering).
Sometimes I wonder if there is a middle ground in the area of shared whitelists.
If someone tries to email you, and they aren't on your whitelist but they are on the whitelist of someone who *is* on your whitelist, maybe let it through or at least give it some plus points for the filter based on how many degrees away they are.
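The shared-whitelist idea in the comment above, as an added example (not code from the thread). The whitelist data is constructed, and the depth cap and the halving of the bonus per degree are assumed weightings.

```python
from collections import deque

# Constructed sample data: each user's personal whitelist (note the cycle
# between alice and bob, which the search must tolerate).
WHITELISTS = {
    "alice@example.org": {"bob@example.org", "carol@example.org"},
    "bob@example.org": {"alice@example.org", "dave@example.net"},
    "carol@example.org": {"dave@example.net", "erin@example.net"},
    "dave@example.net": {"frank@example.com"},
}


def degrees_of_separation(whitelists, recipient, sender, max_degree=3):
    """Breadth-first search along whitelist edges starting at the recipient.

    Returns 1 if the sender is on the recipient's own whitelist, 2 if on the
    whitelist of someone the recipient whitelists, and so on; None if the
    sender is not reachable within max_degree hops.
    """
    seen = {recipient}
    queue = deque([(recipient, 0)])
    while queue:
        user, depth = queue.popleft()
        if depth == max_degree:
            continue  # do not follow trust any further than the cap
        for contact in whitelists.get(user, ()):
            if contact == sender:
                return depth + 1
            if contact not in seen:
                seen.add(contact)
                queue.append((contact, depth + 1))
    return None


def whitelist_bonus(degree, full_bonus=4.0):
    """Plus points for the filter: full bonus at degree 1, halved per extra hop."""
    if degree is None:
        return 0.0
    return full_bonus / (2 ** (degree - 1))


def adjusted_spam_score(base_score, whitelists, recipient, sender):
    """Subtract the trust bonus from a content filter's spam score."""
    degree = degrees_of_separation(whitelists, recipient, sender)
    return base_score - whitelist_bonus(degree)
```

Trust here is transitive, so one careless or compromised contact extends a bonus to everyone on their list; the depth cap and the decay per hop limit how far that reaches.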
People dumb enough to get phished probably think that whitelisting is something to do with the Ku Klux Klan.
Engineering is the art of compromise.
Seriously, it's not that bloody hard to figure out. No legitimate corporation is going to send you emails threatening your account "unless you log on and confirm this information."
Look at it as the digital equivalent of the Survival Of The Fittest.
"I might have made a tactical error in not going to a physician for 20 years." -- Warren Zevon
When a problem seems very very difficult, maybe it is being viewed in an incorrect way.
Spam is a social problem, not primarily a technical one, and the solution is social.
Here's a solution that would work if we had a real leader as president of the U.S., and not someone who is only interested in benefiting the rich.
The president could, during a scheduled speech, ask people never to buy anything advertised with unsolicited email. He could talk about several ways such email is dishonest.
It could be arranged that Oprah Winfrey ask people not to buy things from spam. Religious leaders could ask their congregations.
This kind of solution has already worked. Everyone in the world knows to wash their hands; that has become part of human culture. We need to make anti-spam part of human culture.
--
Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?
What about n00bs? I very recently had to convince a friend that that nice lady from Sierra Leone was not _really_ going to give him $300,000.
He only just got a PC, and has been oblivious to anything computer related for all his life. Suddenly, he gets a PC, an internet account, and he's told to go off and have fun.
Seriously, I sometimes wish you needed a license to operate a computer.
Or if they do use email, they should use a digital signature that can be traced back to the bank and 100% verified.
A big education campaign would also help (i.e. "never trust emails claiming to be from this bank" or "only trust emails claiming to come from this bank if the digital signature was valid" along with "never follow links in any emails claiming to be from this bank" and "If the email is legitimate, the same information will be available by logging into the online banking and checking the messages")
If I got an email claiming to be from my bank, I would probably delete it. If the information was genuine, it will appear on my online banking and/or a physical letter too.
I don't think this would work in practice.
Many hosting companies can fit 300+ clients onto one server. It's not uncommon for someone to sign up and start using the account for spam. Most hosting companies take a very strict stance on this, and will immediately close the account. But spammers know they'll get a bit of spamming in before they're stopped.
The problem is that the hosting company could show that their server wasn't being used for spam, but there's nothing stopping someone from beginning to use it that way. Not only would your method still allow spam, but it would, in theory, mark the spam as being entirely legitimate e-mail. Now imagine the e-mail wasn't spam, but phishing e-mails, marked as having come from an approved server.
In addition, a server could 'turn' bad. I could register a server, and for a month or whatnot show you that I wasn't a spammer. One day I could just start spewing spam. $25/year really wouldn't be an impediment to too many spammers.
Plus, some random organization (the e-mail certifiers) would be making a boatload of money, and would essentially have complete control over who could send mail and who couldn't. (Technically, people could ignore this whitelist. Just like you could, technically, ignore the existing .com database and start your own.)
And there are plenty of valid reasons for running your own mailserver. My home ISP used to suck. My school now uses Lotus, which seems to not allow POP/IMAP access, and insists on a bloated e-mail client that really doesn't work well in anything but IE. (Even though it's supposed to.) There are spam filters, but they're not catching any of my spam; in fact, the only mail that it ever caught was a couple messages from one of my professors. Is this not a valid reason to run my own mailserver?
I'm sorry, but I really don't feel that this idea is as good in reality as it looks on paper.
________________________________________________
suwain_2
For instance ... Your MUA could still accept all email but any messages from senders not on your white list get flagged with a skull and cross bones, scripts are disabled and when you click on links the HAL/2001 sound clip "I'm sorry Dave, I can't do that" plays in Dolby 5.1 surround sound.
Then, when you go to add "Phisher Man" to your white list, your MUA asks you some questions along the way:
* is "Phisher Man" a financial institution?
* is "Phisher Man" a personal friend?
* is "Phisher Man" a merchant?
etc. If you answer "yes" to the financial institution question, your MUA checks to see that "Phisher Man" is registered with the appropriate authorities (e.g. his email is signed with a public/private key that itself has been signed by "Trusty Co." that proves his identity has been verified or, at the very least, he has paid some decent bribes to the right people). If Phisher has not registered and you still want to add him to your financial institution white list your MUA warns you that "you may lose your house, family, wife and kids if this person is not who he says he is, are you really sure you want to do this?".
Heck I think even my parents could learn to use this system and they are serious luddites.
You Personally advocate a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
(x) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
(x) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
(x) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a fascist for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
'If you're flammable and have legs, you are never blocking a fire exit.'
That said, filters can remove 98% of spam with about 0.1% false positives, which makes them pretty useful. Most, but not all, of those 1-in-1000 false positives are marginal anyway.
If you're interested in doing your own tests, there's a free toolkit and corpus with 92,000 messages.
I propose a better solution to the e-mail system.
We should change the way e-mail works from the ground up. Currently, the sender's server will send the message to the recipient server where it waits until the client downloads the message. Instead of this, an interesting idea would be to have the sender server HOLD the e-mail message and simply send a notice to the recipient's server that a message awaits. When the client connects, depending on his software configuration, he will download the message from the sender's server or click on a link to go download the message from the sender's server.
What does this accomplish? We add the ability to flag messages as spam or viruses. Depending on the sender's server's configuration, if a message gets too many flags, it will block the message from being downloaded in the future. Here's an example of this in action. Spammer sends out 100 messages for V1agR@. The 1st, 5th, and 7th readers are diligent and mark the message as spam. The server's threshold is 3 warnings and then deletes the message. The message never gets to recipients 8 to 100. The user's account is suspended, and the spammer becomes drastically less effective.
There are other positive side effects to this scheme. Internally, my company will send out big files to one another. Instead of always using a server share, some people e-mail these big files to multiple recipients. If one person e-mails a 20MB file to 10 people, that'll be 200MB of consumed space for the recipients' servers. In a sender-hosted e-mail system, it will still just be 20MB.
Drawbacks to this scheme? Let's say the spammer sets up his own e-mail server and sends out spam from that. Recipients flag it, but the sender's server is configured to ignore the flags. If this were to happen, the spam is still not as effective because the recipient only will get a notification that mail exists. The notification would probably be limited to something like 128 characters of text for a subject. The sender's address can't be as easily spoofed because it still must be able to resolve to the sender's server. And better yet, if the ISP is cooperative, reports of this type of abuse to the ISP could lead to the ISP taking legal/criminal actions against violators of their Terms of Service. If the sender wants their message sent, they need to keep their server connected to the ISP, thus making it a lot easier to physically track down. If the ISP doesn't care, then we simply add the ISP to a blacklist.
Another side effect is that now the recipient needs to rely on both his e-mail server and the sender's server to be online to get a message, but this should be trivial. Also the server must retain the message for long enough time for the recipient to download the message. This should also be trivial, and in my opinion, it's better to put the onus on the sender instead of the recipient. For example, if the recipient goes on vacation for a few days and comes back to find his mailbox quota is full and he lost a lot of messages, it is quite annoying, and this proposed solution will not have that problem.
The biggest drawback is that this is a fairly major overhaul to the e-mail system. It would probably have to be done in phases where there is one phase that most servers support both types of e-mail protocols. I think it's worth the effort.
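The sender-hosted scheme proposed in the comment above, modelled as an added example (not code from the thread or from any mail system). The class and function names, the addresses and the rule that each addressed recipient's flag counts once are assumptions; the threshold of 3, the 100 recipients, the flagging readers 1, 5 and 7 and the 128-character notice come from the comment.

```python
import itertools


class SenderStore:
    """Sender-side server: holds one copy of each message and counts flags."""

    def __init__(self, flag_threshold=3):
        self.flag_threshold = flag_threshold
        self._ids = itertools.count(1)
        self._messages = {}

    def submit(self, sender, subject, body, recipients):
        """Store a single copy; return the short notices sent to recipients."""
        msg_id = next(self._ids)
        self._messages[msg_id] = {
            "body": body, "recipients": set(recipients),
            "flags": set(), "blocked": False,
        }
        # The notice carries only sender, id and a subject capped at 128 chars.
        return [{"id": msg_id, "to": r, "from": sender, "subject": subject[:128]}
                for r in recipients]

    def fetch(self, msg_id, recipient):
        """Return the body, or None if unknown, not addressed, or blocked."""
        msg = self._messages.get(msg_id)
        if msg is None or recipient not in msg["recipients"] or msg["blocked"]:
            return None
        return msg["body"]

    def flag(self, msg_id, recipient):
        """Record a spam flag; returns True once the message is blocked.

        Assumed rule: only addressed recipients may flag, and each counts
        once, so a single account cannot block a message by itself.
        """
        msg = self._messages.get(msg_id)
        if msg is None or recipient not in msg["recipients"]:
            return False
        msg["flags"].add(recipient)
        if len(msg["flags"]) >= self.flag_threshold:
            msg["blocked"], msg["body"] = True, None  # delete the stored copy
        return msg["blocked"]


def simulate(n_recipients=100, flaggers=(1, 5, 7), threshold=3):
    """Recipients fetch in order; return the positions that got the body."""
    store = SenderStore(threshold)
    recipients = [f"user{i}@example.org" for i in range(1, n_recipients + 1)]
    notices = store.submit("bulk@example.net", "constructed subject",
                           "constructed body", recipients)
    delivered = []
    for position, notice in enumerate(notices, start=1):
        if store.fetch(notice["id"], notice["to"]) is not None:
            delivered.append(position)
            if position in flaggers:
                store.flag(notice["id"], notice["to"])
    return delivered
```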
Why don't we use this model? Introduce a backbone network of mutually trusting certificate authorities, and require all mail to be signed with a valid certificate. It is the backbone member's responsibility to take due actions in case anyone having their certificate starts sending spam (revoke certificate, prosecute the user, etc), or else the member will be kicked off the backbone. The backbone member may delegate the right to issue certificates, but the responsibility still holds.
This scheme would make the backbone members know who their users and child authorities are, and prosecute the violators. You would still be able to have a free anonymous mailbox to receive mail, but the sender identity would always be revealed, and you would always be responsible for what you're sending.
Unfortunately it's obvious that if we retain an open non-whitelisting scheme, we HAVE to give up anonymity to prevent spam. There should be an easy way to find, block and prosecute the violators, in all other cases spam will continue.