Slashdot Mirror

← Back to Stories (view on slashdot.org)

Meng Wong's Perspectives on Antispam

Posted by samzenpus on from the no-more-online-pharmacy dept.

netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."

10 of 298 comments (clear)

  1. Not All People by John+Hasler · · Score: 4, Insightful

    > "The final solution to the phishing problem requires that people
    > use a whitelist-only, default-deny paradigm for email."

    No, the final solution to the phishing problem requires that stupid, gullible people use a whitelist-only, default-deny paradigm for email.

    Of course, that includes most of the human race...

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. Default deny is dumb. by khasim · · Score: 5, Insightful

    To stop phishing, the banks and such have to STOP using email to communicate with their customers.

    The banks have your home address and your phone number.

    The only reason they use email is because it is incredibly cheap and allows them to attach advertising to their messages.

    If the banks were responsible for any losses due to phishing, you'd see them drop email overnight. Once the cost exceeds the benefits, it's gone.

  3. Meh. by FhnuZoag · · Score: 5, Insightful

    If we default-deny email, what do we have left?

    In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.

    1. Re:Meh. by 2008 · · Score: 4, Funny
      In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.


      Now, I'm no historian, but I've heard that in the past there was a government provided courier service which would deliver messages on paper for a small fee. Perhaps that would work if we reimplemented it?

      Although, being serious, this lacks the (potential) anonymity of email, and involves giving out your physical address. Maybe we can persuade the postal service to provide free, (almost-)anonymous PO Box numbers?
      --
      I quit!
  4. Phishing is easy to recognize by 4D6963 · · Score: 5, Informative
    Phishing is easy to recognize, well at least for us the leet slashdot geeks.

    But I still wonder why mail providers don't scan the typical phishing mails (PayPal and eBay) and check whether the links point to ebay or paypal's site or some obscure IP.

    I'm pretty sure that checking such typical phishing mails for their authenticity this way would help getting inboxes rid of it. My two cents..

    --
    You just got troll'd!
  5. Too much trouble by squeemey · · Score: 5, Interesting
    All this trouble would have been avoided by charging for email in the first place.

    My proposal:

    Charge 3 cents per letter. One cent goes to the ISP sending the mail, one cent to the ISP receiving the mail, and one cent to the recipient.

    The ISP on either end would credit/debit the sender/receiver's account.

    And watch the spam disappear.

    --
    Bill
  6. Considering IP blocking tactics, it's pointless by Peter+Cooper · · Score: 4, Interesting

    I think whitelisting is a pretty good idea. My SpamAssassin-oriented setup kinda does things this way. That is, a non whitelisted mail has to be pretty squeaky clean to get through, whereas whitelisted addresses get straight through.

    But lately I've been hitting a different problem which totally destroys the point of e-mail in many cases for me. That is, idiotic sys admins who firewall out entire IP blocks for, seemingly, no reason.

    Just because someone several machines down the co-lo rack let their machine get hacked is no reason for mail server administrators to *firewall out* entire ranges of IP addresses. Lately I've seen some ridiculous behavior where users of the other mail server can't even e-mail people on MY server because the block is two-way! So I end up with users complaining that only certain e-mail addresses appear unmailable (because only a small percentage of sysadmins are stupid enough to block entire classes) but it's still a major PITA that makes e-mail useless for many people. The worst part is when you complain to these sys admins/ISPs, many of them proclaim innocence and believe they have no blocks.. but it's their upstream provider, etc, etc.

    I'm beginning to think that encouraging people to migrate over to systems like 'GMail for your domain' and the like are going to be the way to go. At least Google has teams of people working 24/7 keeping their machines whitelisted. Having the US government able to subpoena your private information is the least of your worries, as long as you can actually e-mail the people you need to.

    And no, schemes like SPF do not help this problem, since if they're blocking IP ranges outright at their firewall, nothing can break through that except mail proxying (which I've been considering).

  7. Racist!! by EmbeddedJanitor · · Score: 4, Funny

    People dumb enough to get phished probably think that whitelisting is something to do with the KluKluxKlan.

    --
    Engineering is the art of compromise.
  8. Spam is a social problem, not a technical one. by Futurepower(R) · · Score: 5, Insightful

    When a problem seems very very difficult, maybe it is being viewed in an incorrect way.

    Spam is a social problem, not primarily a technical one, and the solution is social.

    Here's a solution that would work if we had a real leader as president of the U.S., and not someone who is only interested in benefiting the rich.

    The president could, during a scheduled speech, ask people never to buy anything advertised with unsolicited email. He could talk about several ways such email is dishonest.

    It could be arranged that Oprah Winfrey ask people not to buy things from spam. Religious leaders could ask their congregations.

    This kind of solution has already worked. Everyone in the world knows to wash their hands; that has become part of human culture. We need to make anti-spam part of human culture.

    --
    Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?

  9. Banks should not use email by jonwil · · Score: 4, Insightful

    Or if they do use email, they should use a digital signature that can be traced back to the bank and 100% verified.

    A big education campaign would also help (i.e. "never trust emails claiming to be from this bank" or "only trust emails claiming to come from this bank if the digital signature was valid" along with "never follow links in any emails claiming to be from this bank" and "If the email is legitimate, the same information will be available by logging into the online banking and checking the messages")

    If I got an email claiming to be from my bank, I would probobly delete it. If the information was geniune, it will appear on my online banking and/or a physical letter too.