Bye Bye Spam and Phishing with DKIM?
ppadala writes "While research from PEW Internet (PDF) shows that few users really are bothered by spam, the IETF is supporting a public-key-cryptography-based e-mail authentication mechanism called DomainKeys Identified Mail (DKIM) Signatures. The new spec is supposed to help in fighting both spam and fraud. From Ars Technica: 'DKIM's precursor, DomainKeys, was originally developed by Yahoo. The specifications for DKIM were then extended by an informal group of IT organizations that included companies like Yahoo, Cisco, EarthLink, Microsoft, and VeriSign, among others. It was first submitted by the group to the IETF in mid-2005, but only recently published by the IETF. The spec is still to be incorporated into a more formal draft and submitted for approval, however.'"
Does anyone have one of those templates where you check off the various reasons as to why this scheme won't work?
This article advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
It's only a server validation solution. DKIM won't stop spam. DKIM will only help validate the identity of the server that is sending you email. Right now I get lots of spam from legitimate Yahoo, Mail.com, and Hotmail servers. DKIM isn't going to stop that; it's only going to reinforce what I already know.
spam bothers few users
Dunno about anyone else, but as the admin for our company, I get more complaints about spam than anything other single item I can think of...
Because keeping me from running a mail server has not done a damn thing to the spammers.
I'll believe in an anti-spam tech when it comes in the Debian repository and I can once again run a mail server. Until then, I'm afraid the spammers will be the first to sign up for any counter measure.
Friends don't help friends install M$ junk.
http://yodel.yahoo.com/2007/05/22/one-small-step-for-email-one-giant-leap-for-internet-safety/
It also has some nice background information on DKIM.
--Robert
No Microsoft, SPF is protecting 8 million domains. Nobody publishes SenderID records, you are misrepresenting the intent of millions of domain holders to claim otherwise! What's worse is that the whores in the IETF working group were complicit in this misrepresentation and have the audacity to blame the SPF guys.
I was looking into DKIM earlier today; I much prefer to reject at SMTP time on mfrom or helo. I really don't like the IETF after witnessing the arrogant, egotistical WG assholes ignoring technical merit to play politics. I guess I'll probably refuse to implement DKIM if the IETF is to specially 'bless' it. Standards by committee that coincidentally fund junkets for a clique of dick-fiddlers on the dollar of a handful of major corps should be avoided on principle.
Not users, but VeriSign and others, who will sell hundreds of millions of domain-name encryption keys.
Is it time to buy shares?
The world belongs to those who get up early. - I'm far from being the king of Earth then
My initial thought was "Terrific. This really has the potential to eliminate spam." Then I got to looking into the RFC... standard private/public key exchange. But it allows for individual MUAs to possess the private key, such that they can perform the signature.
This puts the entire burden of security in the scheme upon the MUA. So any time a machine is infected with the spam-virus of the day, that private key will be sent off to the spammers, who will send out floods of seemingly legitimately-signed email. Instead of just selling valid email addresses to other spammers, they'll sell addresses and domain keys.
Furthermore, from an administrative perspective, that means that each time one of your user's machines is hacked and the private key compromised, you have to change your public/private keypair, including updating the MUA on *all* of your sender's machines.
Forcing signing upon the MTAs eliminates much of that work (and hopefully the security exposure), but forces inconvenience on a good number of users. It's a tradeoff I'd be willing to make, but the RFC doesn't seem willing to do so.
Oh, you're not stuck, you're just unable to let go of the onion rings.
And how is this different from what is currently available with PGP?
We could just all agree tomorrow to not accept any mail that is not digitally signed right?
DKIM is a message authentication solution that can also be checked in the MUA. SPF is a server authorization solution, so good that Microsoft still tries to hijack it (the 8 million domains cited in TFA are publishing SPF records - not SenderID).
DKIM is great except, AFAIK:
1) There's still no way of saying "my domain always signs email with DKIM, so no signature means forged mail". At least I couldn't figure it out.
2) Mailing lists add a footer which messes with the signature.
As a consequence DKIM at the moment is completely useless since even though all my emails are signed, spammers/phishers can simply not put the DKIM signature and DKIM wouldn't know if the email was forged or not.
Furthermore, DKIM is reporting that a lot of valid emails posted to mailing lists (mostly gmail ones) are forged.
If these 2 problems are solved, I think DKIM could be the best way of building a reputation system to stop spam almost completely.
The first problem is easy to solve (just add a new flag to the DKIM DNS record); the second one could be solved by *requiring* the DKIM-verification software to discard everything following the length of the signed body (at the moment it's optional), and by *requiring* signers to specify said length (dkimproxy can't do that, AFAIK).
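The second point above is concrete enough to show in code. What follows is an added example, not code from the thread or from any DKIM implementation: it does the "relaxed" body canonicalization and the bh= body hash as RFC 4871 describes them, once without and once with the l= body-length tag, and shows a verifier that either reports or drops the unsigned bytes a list server appended. The RSA signature over the headers (the b= tag) is left out, because the footer problem lives entirely in the body-hash check, which fails before the signature is ever looked at. The message and the list footer are constructed sample data. (On the first point: the "my domain always signs" assertion the poster asks for did arrive later, as ADSP and then DMARC.)

```python
import base64
import hashlib
import re

CRLF = b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization (RFC 4871 section 3.4.4): collapse runs
    of whitespace to one space, strip trailing whitespace from each line,
    drop empty lines at the end, terminate a non-empty body with one CRLF."""
    lines = []
    for line in body.split(CRLF):
        lines.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" "))
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b""
    return CRLF.join(lines) + CRLF


def body_hash(canon: bytes) -> str:
    """bh= value: base64 of SHA-256 over the (possibly truncated) canonical body."""
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def sign_body(body: bytes, use_l: bool) -> dict:
    """Body-related tags a signer would put in DKIM-Signature.  With use_l the
    signer records l=, so bytes appended later fall outside the hash."""
    canon = relaxed_body(body)
    tags = {"c": "relaxed/relaxed", "bh": body_hash(canon)}
    if use_l:
        tags["l"] = len(canon)
    return tags


def verify_body(body: bytes, tags: dict, drop_unsigned_tail: bool = False) -> dict:
    """Check bh= against the body as received.  With l= only the first l bytes
    are covered; the rest is unsigned and, since the RFC leaves the choice to
    the verifier, is either reported or (drop_unsigned_tail) cut off."""
    canon = relaxed_body(body)
    l = tags.get("l")
    if l is None:
        covered, tail = canon, b""
    else:
        if l > len(canon):
            return {"status": "fail", "reason": "l= larger than body"}
        covered, tail = canon[:l], canon[l:]
    if body_hash(covered) != tags["bh"]:
        return {"status": "fail", "reason": "body hash mismatch"}
    return {
        "status": "pass",
        "unsigned_tail": tail,
        "delivered_body": covered if drop_unsigned_tail else canon,
    }


# Constructed sample: a list post and the footer the list server appends.
ORIGINAL = b"Hello list,\r\n\r\nPlease review the attached patch.  \r\n"
LIST_FOOTER = b"-- \r\nMylist mailing list\r\nhttp://lists.example.org/mylist\r\n"

if __name__ == "__main__":
    without_l = sign_body(ORIGINAL, use_l=False)
    with_l = sign_body(ORIGINAL, use_l=True)
    print("no l=, footer appended:", verify_body(ORIGINAL + LIST_FOOTER, without_l))
    print("l= set, footer appended:", verify_body(ORIGINAL + LIST_FOOTER, with_l))
    print("l= set, tail dropped:", verify_body(ORIGINAL + LIST_FOOTER, with_l, True))
```

The trade-off the poster describes is visible in the last two results: with l= the footer no longer breaks the signature, but anything past byte l (a list footer, or a phishing payload glued onto a real signed message) reaches the reader unverified unless the verifier truncates it.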
And they both fail.
Either the domain owner controls and administers the key, in which case spammers (who already use automated bots to register hundreds, if not thousands, of domains per day) will simply add a new subroutine to the domain registration bot to add in the key, thus ensuring the delivery of their spam.
Or someone else controls your email, which means nobody with any sense will buy in to it.
Either way, it's useless for combatting spam, as was DomainKeys and SPF.
Page 5 of the PEW Internet study reports that "...only 4% of email users admitted to action that keeps the spam industry viable, which is ordering a product or service from an unsolicited email. This number has always been low; it was 7% in 2003, 5% in 2004, and 6% in 2005."
These figures are interesting because there is often speculation about these numbers during conversations about the financial viability of being a spammer. The article suggests that these figures are "low" but they are much higher than the "back of the envelope" estimate of 1% that I usually see people use when guessing. It is going to be difficult to stop the spam problem when people keep buying things from spammers. Even if technical solutions like DKIM have some degree of success, such a high response rate to spam gives an obvious incentive to spammers to continue to find work-arounds.
What makes you think that this is going to do anything for junk email. Until the burden of the spam is placed on the sender and not the receiver this problem will never go away. See http://cr.yp.to/im2000.html for a workable solution.
Why is this modded redundant? It was posted earlier than the one above that was modded funny.
click
I find it difficult to believe that most users are not bothered by spam. As far as I can tell, legitimate email use has been falling dramatically for the past couple years, as people flee the effects of spam, switching to SMS and IM (Jabber, AIM, etc.) Email use within a single corporation remains popular, but home users seem to be abandoning email outright. Some people have given up ordinary email and only use locked-down email inside of social network sites. Spam seems to be killing email. If that doesn't bother people, it's only because they fled email for IM, SMS, and Myspace. If spam follows them, and they have nowhere else to run, they're going to become pretty irate.
If you mod me down, I shall become more powerful than you could possibly imagine.
Every message *received* needs to be run through an expensive cryptographic routine. If you have high incoming mail volume, just watch your server load skyrocket when DK/DKIM is turned on. You also have to completely accept the entire message before DKIM can be used. With SPF, you can simply reject after the envelope-sender is specified and before the headers and data.
I'll have to get a second job at McDonalds now..
Sooo burger flipper, and now dishwasher as well?
How does PGP stop spam? Just because someone is listed on a key server doesn't mean much.
DK tells me that the mail message actually belongs to the domain and its mail server. It's not user to user but rather server to server (a server validating a server's output). It also doesn't use a CA or other notary; it uses a DNS record.
Members are seeing something; you're seeing an ad.
Until there is a button which I can click on each email and cause the sender of the mail to explode in a bloody rain of guts and gore, spam will not end.
If you mod me down, I will become more powerful than you can imagine....
Check rDNS - if it doesn't exist, drop it.
If rDNS resolves to Comcast's home addresses (and other ISP's), drop it.
If rDNS resolves to Comcast's (HotMail's, GMail's, AOL's, etc) mail servers, run it through SpamAssassin and drop it if it scores above 8. (HotMail has a problem with this because they add mortgage spam to their outbound messages).
Okay, that should have taken care of 90% of the problem.
Skip to section 8 of the RFC... No, stop laughing.
How can this garbage be on standards track while RFC4408 (SPF) is only experimental?
WTF are they smoking at the IETF?
With SPF, you validate which mail server you're getting mail from.
With DKIM, you're validating which mail server and a heavy crypto message to compute, compared with SPF.
SPF is only going to fail if you go to a spoofed DNS server, or if your mail server is rooted. So where do you get the DKIM sig from? What if it's spoofed?
To make validating your mail server work, all the mail servers have to have SPF entries. The same with DKIM. If I had to vote for one or the other, SPF is good enough. DKIM costs too much; I don't want to have to build any more email machines than I have to. Keeping them all in sync is too much of a pain.
I take no responsibility for what I say. Even though I'm never wrong
Most users are on big consumer ISPs like AOL and MSN, and they do a good if nowhere near perfect job of blocking most of the spam, and they can usually recognize it from the titles and delete it without having to actually open it. And they're sufficiently used to getting *some* spam all the time that they actually see and delete, but to them it's just noise like TV commercials, not an offense like having their precious bodily fluids corrupted by Commies, and the Internet is just another form of TV to them.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I think the OpenBSD guys have the best solution to spam bar none. Rather than adding fancy verification, authentication, or filtration layers, they engage in a technique to make the spammers hurt: tar-pitting. Why not force spammers to put up with an SMTP server that is so slow that it causes them to choke? The best solution for fighting spam is not through processor-expensive filtration or key decryption processes but through a combination of greylisting, greytrapping, and greyscanning. These methods bring about measurable results. This is ingenious. I have set up an OpenBSD spamwall at my father's business. We have gone from several hundred spam messages per day to only 10 per week. In a 24 hour period we were hit with 2000 SMTP connection attempts. Of those, 1992 of them gave up. The biggest complaint I have received was that they were not getting enough spam and there was concern that legitimate email might be lost. Our spam wall has been in service for a month without problems. The system is not perfect, but a drastic reduction is realized. These methods hurt the spammer and if enough people employ them, spam may become a thing of the past. The absolute worst thing that could happen is that a legitimate email might be delayed by 4-6 hours.
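For readers who have not run a greylister, here is the mechanism the post relies on, as an added example that is not the poster's setup and not OpenBSD's spamd code. A sender is keyed by the (source IP, envelope sender, envelope recipient) tuple; the first attempt gets a 451, a real MTA queues and retries, and a retry inside the window whitelists the IP. The three durations are illustrative values chosen here (spamd sets its own with the -G option); the traffic in the driver is constructed, and time is passed in explicitly so the logic can be exercised without waiting.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Greylisting state for one SMTP front end (durations in seconds, illustrative)."""
    passtime: float = 25 * 60          # retry honoured only after this long
    greyexp: float = 4 * 3600          # grey entry forgotten if no retry by then
    whiteexp: float = 36 * 24 * 3600   # whitelisted IP stays white this long
    grey: dict = field(default_factory=dict)    # (ip, from, to) -> first_seen
    white: dict = field(default_factory=dict)   # ip -> last_seen

    def check(self, ip: str, mail_from: str, rcpt_to: str, now: float) -> tuple:
        """SMTP reply (code, text) for a RCPT TO arriving at time `now`."""
        last = self.white.get(ip)
        if last is not None:
            if now - last <= self.whiteexp:
                self.white[ip] = now             # refresh on every delivery
                return 250, "OK"
            del self.white[ip]                   # expired: back to greylisting
        key = (ip, mail_from.lower(), rcpt_to.lower())
        first = self.grey.get(key)
        if first is None or now - first > self.greyexp:
            self.grey[key] = now                 # new or stale tuple: start the clock
            return 451, "Temporary failure, please try again later"
        if now - first < self.passtime:
            return 451, "Temporary failure, please try again later"
        del self.grey[key]                       # retried like a real MTA: whitelist the IP
        self.white[ip] = now
        return 250, "OK"

    def expire(self, now: float) -> int:
        """Drop grey entries whose window closed (senders that never retried)."""
        stale = [k for k, t in self.grey.items() if now - t > self.greyexp]
        for k in stale:
            del self.grey[k]
        return len(stale)


if __name__ == "__main__":
    g = Greylist()
    # constructed traffic: a real MTA retries after 30 minutes, a bot fires once
    print(g.check("192.0.2.10", "alice@example.org", "bob@example.net", now=0))
    print(g.check("192.0.2.10", "alice@example.org", "bob@example.net", now=30 * 60))
    print(g.check("198.51.100.7", "offers@example.com", "bob@example.net", now=5))
    print("expired:", g.expire(now=5 * 3600))
```

The delay the post mentions is exactly passtime plus however long the sending MTA's retry schedule happens to be; senders that rotate source IPs or envelope addresses between attempts never complete the tuple, which is the point, and also why some large providers' outbound pools need a manual whitelist.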
DomainKeys is not a solution to spam. What it lets you do is distribute and verify authority for email. It's a solution for email forgery, which is only slightly related to spam.
Don't piss off The Angry Economist
I don't think that people are seeing the point of DKIM here. But let's take a step back. The only way to stop spam is to provide accountability to the email ecosystem. That way, if we get a piece of email that is unsolicited, we can find the server/person who originated the email and sue them or send them a nastygram or in other ways make it costly for people to spam. Right now, it's essentially free to spam. Just hack some boxes, and send away.
:-) I think it's going to be way cool. Have fun!
Now look at DKIM. It provides the tools for people to bring accountability to email. Not directly at first, though. In its initial implementation, all it will do is help the phishers, since it will make sure that folks can't send email that looks like it's coming from wellsfargo.com or whatever because we can check. But after a lot of people are doing this (including the spammers), we will be able to start looking at the certificates used to sign these emails and make good guesses as to who is good and who is bad, and thus we'll be able to set up reputation systems that will help us classify spam. People will be able to develop web-of-trust systems, where people who are clean can vouch for others who are clean, and thus those people can get their certs signed by CAs which people trust, or maybe somebody will set up a score server to keep track of how good/bad various CAs or individual certificates are, and so on.
So if your email is signed by a self-signed cert that nobody knows about, you'll be able to make a policy in your MTA that it automatically gets more scrutiny and maybe starts out with a negative spamassassin score. If it's signed by a (hypothetical) spamcop CA, then it'll get an automatic in without spam scanning or anything. Or whatever you desire. Maybe you want to accept email from everybody. That's up to you and your MTA. And if you do get spam, you can look at who signed it, and you can go inform the CA or the server owner who signed the key that the message was signed with that this guy is spamming, and they can revoke the certificate or go beat on the customer to get them to stop spamming, or you can look them up in the CA's database and sue them or turn them in, or you can stop trusting that CA, or whatever.
What the certificates ultimately do is provide the tools for us to be able to implement accountability (certificates) in the MTA which we then can use to make policy decisions about (using reputation). As such, it's a HUGE step in the right direction. And since it can be done at the MTA level, it has (IMHO) a much better chance of it getting traction and gradually be used to freeze out bad actors in the email world. Mail administrators have a great interest in stopping spam since their customers/users/friends complain so much about it.
I'm excited about this. Perhaps you can tell.
You just have to do two things:
Mark people whom it isn't worth accepting mail from as it comes in. That they sign their messages means that you only have to deal with each identity (not person...) once.
Only accept mail from people who someone you trust trusts. Or play a few degrees of Kevin Bacon.
Do that, and anonymous crap floods disappear. All that said, I don't want to have to set such a thing up to be able to exchange messages with my mom, so let's not do it.
Nerd rage is the funniest rage.
An outgoing-email service provider that uses DKIM on all of their outbound mail can validate that a spam or abuse complaint about mail purporting to be from exampleuser@their-domain.com really was from that user and not a forgery, so they can kill off that user's account without worrying about false positives or faked complaints or joe-jobs. They can read the message text to see that it's spam, and they can validate the headers to show that it came from that user on their servers, and they can trash the account for TOS violations. This works even if the receiver doesn't ever bother verifying the header - it's enough that the sender's abuse desk can verify it.
That doesn't mean that some cybercafe user or zombie relay can't send mail with From: or Reply-To: NigerianCorruptOffial@yahoo.com , or that it's any easier to get the Yahoo abuse desk to delete the account for TOS violations for email that wasn't sent from their server, but at least they can't send that spam *from* Yahoo accounts without getting them closed easily.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
> The absolute worst thing that could happen is that a legitimate email might be delayed by 4-6 hours.
Is that all? Sounds like a great solution for email based business with a job turnaround time under 2 hours. Where shall I tell them to sign up?
>>"While research from PEW Internet (PDF) shows that few users really are bothered by spam,"
ARE THEY JOKING? Few users are bothered by spam??? Everyone I know, both personally and at work, gets bombarded by 100s of spam email messages a day and is getting quite irate. The discussion about how useless email has become due to spam comes up almost on a daily basis among me and my associates. Email was a GREAT way to communicate, but has quickly become quite useless due to all the spam and the associated filtering, etc...
They must be kidding when they say it only bothers a few people, and I would like to know who IS NOT bothered by spam.
-farshad
...and remember in your brain boggle, wrong starts with a wubble-u.
If they are blocking your attempts to reach other people's port 25, they should be commended. Your system may be immune, but hordes of "zombies" would be sending spam from your ISP's network.
This has already failed and failed miserably. There are hordes of zombies sending spam from my ISP's network. They all do as you recommend and use the ISP's SMTP server and this is why more than 80% of all spam comes from zombies. My upload is also capped by my cable modem at a pathetic 60 kB/s.
A better method would be to have the same modem disconnect people whose computers have obviously been turned into spambots. Giving people the freedom to run their own mail servers distributes the spam burden and the ability to fight the spammers. Concentrating that burden at the ISP level is a failure.
Either way, the spammers know the limits and keeping me from running a mail server of my own does nothing beyond those limits. Because the reasons given are so transparently false, we are left only with government surveillance reasons.
Friends don't help friends install M$ junk.
Instead of trying to validate mail, just make it computationally expensive to send. Anyone with a compromised Windows box will know immediately because it will be running at 100% CPU utilization constantly. Even if they don't have the technical expertise to know what's wrong, they'll still have an idea that it's broke.
How come these guys never realize that if a scheme can't stop bots, it's worthless. Also, all these fancy schemes are bound to fail because they try to make fighting spam the lever to get everyone on earth to register with them so they can be the toll collector for the future of email.
The only problem with HashCash is that the biggest detractors will be the providers of free email services. They happen to control most of the mailboxes. They don't want their service to become more expensive, and they don't want to see all their hard work not turn into some future monopoly.
Have the client do the hashcash signing when they connect to Yahoo/GMail/Hotmail and send a message. Speed will be a problem but that can be solved by plugins or modified browsers (add a native-code SHA-256 function callable by JavaScript).
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
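The two posts above (make sending computationally expensive; have the client mint the stamp with SHA-256) describe hashcash, so here is a working stamp minter and verifier as an added example. It is not code from the posts or from the hashcash project: the stamp layout follows hashcash v1 (ver:bits:date:resource:ext:rand:counter) but the hash is SHA-256 as the second post suggests, and the bit count, dates and addresses in the driver are constructed values chosen so the search finishes instantly. The verifier does the cheap checks first, hashes once, and keeps a spent-stamp set so one stamp cannot be reused.

```python
import base64
import hashlib
import os
from datetime import datetime, timezone


def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits at the front of a digest; that count is the 'work' a stamp proves."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(resource: str, bits: int, date: str = "", rand: str = "") -> str:
    """Sender side: brute-force a counter until the stamp hashes to `bits`
    leading zero bits.  Expected cost is 2**bits hashes, paid per message."""
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(9)).decode("ascii")
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, seen: set,
           today: str = "", max_age_days: int = 2) -> tuple:
    """Receiver side: one SHA-256 and a set lookup, however much work the sender did."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False, "malformed stamp"
    _ver, bits, date, res, _ext, _rand, _counter = parts
    if res != resource:
        return False, "stamp minted for a different address"
    try:
        claimed = int(bits)
        minted = datetime.strptime(date, "%y%m%d")
    except ValueError:
        return False, "malformed stamp"
    if claimed < min_bits:
        return False, "not enough work claimed"
    now = (datetime.strptime(today, "%y%m%d") if today
           else datetime.now(timezone.utc).replace(tzinfo=None))
    age = (now - minted).days
    if age < -1 or age > max_age_days:          # keeps the spent-stamp set bounded
        return False, "stamp expired or post-dated"
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < claimed:
        return False, "hash does not match claimed work"
    if stamp in seen:
        return False, "stamp already spent"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    spent = set()
    s = mint("alice@example.org", 12)          # 12 bits so the demo is instant; real use is ~20
    print(s)
    print(verify(s, "alice@example.org", 12, spent))
    print(verify(s, "alice@example.org", 12, spent))   # second presentation is rejected
```

The asymmetry is the whole design: minting costs the sender 2**bits hashes per recipient, checking costs the receiver one hash. The botnet objection raised further up the thread is also visible here: nothing in verify() can tell whether the CPU that paid was the sender's own.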
I get a few messages a month from people that your system would say are spammers. There is no way to tell a legit first-contact email message from a spammer on today's net.
I just want to say one word to you. Just one word.
Botnets.
Any spam solution that uses Comic Sans on its web site is no spam solution.
Maybe that should be added to the spam solutions form?
If you have one domain, DKIM is OK, but if you have one domain and a virus scanner for mail: problem.
We tried to implement DomainKeys and DKIM twice now in a multiple domain environment and I gave up due to the complexity/strangeness of signing our email.
DKIM, while it works, assumes that the mail system at the other end verifies it; I do not check for DKIM.
I will give it two years and we will have another go then.
You guys are missing the entire point of this. Having or not having a valid DKIM signature does not and is not supposed to imply anything about the spamminess of a message. What it is supposed to do is provide a more flexible method of identifying yourself than SPF so that you (or your company, mailing list, etc.) can establish a reputation. Once you sign your messages with DKIM and gain a good reputation, then your mail delivery will improve. Spammers can sign their messages all they want, but unless they hijack a key that already has a good reputation (which will only stay good until recipients start complaining) then signing their mail won't get them anywhere.
A good solution for spam, phishing etc would be the bi-directional login.
As it is right now, we users log in to a server and use the available services, but we don't know if the server is what it claims it is. The server may know us because we have submitted a username and password, but we don't know if the server is the correct one. Right now login is uni-directional.
One solution to phishing would be bi-directional login: not only do we users submit a password to the server, but the server also submits a password to us. If both submissions are successful, then the operation could proceed.
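The post's idea can be made to work without either side ever transmitting its secret, which is what a practitioner would actually deploy. The following is an added example, not the poster's design and not any product's code: a mutual challenge-response in which the server must prove knowledge of the user's shared secret (with an HMAC over both nonces) before the client sends its own proof, so a phishing site that does not hold the secret is detected and gets nothing. Usernames, secrets and the phishing server are constructed for the demo; the nonces are random, so the proofs differ on every run.

```python
import hashlib
import hmac
import os


def _proof(secret: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed proof bound to the session nonces.  Distinct labels stop a peer
    from reflecting one side's proof back as the other's."""
    return hmac.new(secret, label + b"|".join(parts), hashlib.sha256).digest()


class Server:
    """Holds per-user shared secrets.  A phishing site is just a Server that
    does not know the user's secret."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}

    def challenge(self, username: str, client_nonce: bytes) -> tuple:
        """Step 2: answer the client's nonce with our nonce and our proof."""
        secret = self.secrets.get(username, b"")     # phisher has nothing here
        server_nonce = os.urandom(16)
        self.pending[username] = (client_nonce, server_nonce)
        return server_nonce, _proof(secret, b"server->client", client_nonce, server_nonce)

    def finish(self, username: str, client_proof: bytes) -> bool:
        """Step 4: check the client's proof against the same two nonces."""
        client_nonce, server_nonce = self.pending.pop(username)
        expected = _proof(self.secrets.get(username, b""), b"client->server",
                          client_nonce, server_nonce)
        return hmac.compare_digest(client_proof, expected)


class Client:
    def __init__(self, username: str, secret: bytes):
        self.username = username
        self.secret = secret

    def login(self, server: Server) -> str:
        """Steps 1 and 3: send a nonce, verify the server's proof *before*
        releasing anything derived from the secret, then send our own proof."""
        client_nonce = os.urandom(16)
        server_nonce, server_proof = server.challenge(self.username, client_nonce)
        expected = _proof(self.secret, b"server->client", client_nonce, server_nonce)
        if not hmac.compare_digest(server_proof, expected):
            return "abort: server could not prove it knows my secret"
        proof = _proof(self.secret, b"client->server", client_nonce, server_nonce)
        return "ok" if server.finish(self.username, proof) else "rejected by server"


if __name__ == "__main__":
    secret = b"correct horse battery staple"        # constructed demo secret
    print("real site:", Client("alice", secret).login(Server({"alice": secret})))
    print("phishing site:", Client("alice", secret).login(Server({})))
```

Two caveats worth knowing before relying on this. A client that typed the wrong password also sees "abort", because it cannot tell a wrong secret from an impostor server. And a phisher that relays the exchange to the real site in real time still passes, exactly as with the "show the user their chosen image" schemes; binding the proofs to the TLS channel is the usual answer to that.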
I'm not championing it, just explaining how signing every message could have an impact. If you stack a revokable or graduated trust mechanism on top of it, and accept messages from six or seven degrees of knowing away, you end up with tens of millions of people that you can easily get messages from.
Nerd rage is the funniest rage.
Let's just take first degree. I only know one person who murdered another person I knew, and due to mental instability, no one would have predicted that. Take two steps to people I know who are in the corrections field who work with lots of murderers. If I'm two steps on your chain of trust from people who deserve to be in jail forever, where does that leave your chain of trust? Chain of trust isn't going to work either.
Oh, I also know people who bought marketing services from people who ended up being spammers as well.
So your friends who bought marketing services from spammers wouldn't go ahead and revoke their trust of the spammers? If the trust is graduated and/or revokable, past relationships don't have to count against you. If I were actually going to try to use it, the trust mechanism would work as a grey list, where being trusted counted for the message and that's it(so I would only use positive information, except for the blacklist that I personally created).
I don't really think it would work all that well, but I also don't think it would be all that hard for a group of people, no matter how large, to establish a mechanism whereby they aggregated information about whether a message from a particular identity was worth spending real person time evaluating. In essence, it would just be another filter.
The identification and privacy issues, and the discomfort associated with publicly categorizing relationships with other people are the bigger problems to me, not the technical details of making it useful.
Nerd rage is the funniest rage.
I work in the email security industry, and the biggest problem with domain keys is that hardly anyone uses it.
Yahoo: check
eBay: check
PayPal: check
My bank? Nope.
My wife's bank? Nope.
Any other bank whose legit mail I have seen? Nope.
Domain keys are an excellent way to fight phishing, and they really help in that area. They are less helpful on fake Yahoo spam because a lot of people set their From address to be their Yahoo address even when not sending through Yahoo.
eBay and PayPal phishing is easy to nail because of the fact that they do use domain keys. Bank phishing is tougher because few if any banks are using them. If they start doing it, fighting phishing will be easier. DK(IM) is not a magic bullet, but it's one more thing we can use.
In this forum post Rob Mueller of Fastmail.fm explains why they stopped using the SpamAssassin plugin for DomainKeys.
There was a month before they figured out what they had done. In the chain of trust situation, the spammer would have made use of that trust for a whole month, which means billions of messages. If a full chain of trust thing happens, there will be people all over the social networking sites offering popular people $100 to be in their chain of trust. Your plan fails to take into account that the spammers have money to throw around.