Slashdot Mirror
Bye Bye Spam and Phishing with DKIM?
ppadala writes "While research from PEW Internet (PDF) shows that few users really are bothered by spam, IETF is supporting a public key cryptographic based e-mail authentication mechanism called DomainKeys Identified Mail (DKIM) Signatures . The new spec is supposed to help in fighting both spam and fraud. From Ars Technica: 'DKIM's precursor, DomainKeys, was originally developed by Yahoo. The specifications for DKIM were then extended by an informal group of IT organizations that included companies like Yahoo, Cisco, EarthLink, Microsoft, and VeriSign, among others. It was first submitted by the group to the IETF in mid-2005, but only recently published by the IETF. The spec is still to be incorporated into a more formal draft and submitted for approval, however.'"
Does anyone have one of those templates where you check off the various reasons as to why this scheme won't work?
This article advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
It's only a server validiation solution. DKIM won't stop spam. DKIM will only help validate the identity of the server that is sending you email. Right now I get lots of spam from legitimate Yahoo, Mail.com, and Hotmail servers. DKIM isn't going to stop that it's only going to reinforce what I already know.
spam bothers few users
Dunno about anyone else, but as the admin for our company, I get more complaints about spam than anything other single item I can think of...
http://yodel.yahoo.com/2007/05/22/one-small-step-f or-email-one-giant-leap-for-internet-safety/
It also has some nice background information on DKIM.
--Robert
No Microsoft, SPF is protecting 8 million domains. Nobody publishes SenderID records, you are misrepresenting the intent of millions of domain holders to claim otherwise! What's worse is that the whores in the IETF working group were complicit in this misrepresentation and have the audacity to blame the SPF guys.
I was looking into DKIM earlier today, I much prefer to reject at SMTP time on mfrom or helo. I really don't like the IETF after witnessing the arrogant, egotistical WG assholes ignoring technical merit to play politics. I guess I'll probably refuse to implement DKIM if the IETF are to specially 'bless' it. Standards by committee that co-incidentally fund junkets for a cliche of dick-fiddlers on the dollar of a handful of major corps should be avoided on principle.
not users by VeriSign and others who will sell hundreds of million domain names encryption keys
is it time to buy shares ?
The world belongs to those who get up early. - I'm far from being the king of Earth then
My initial thought was "Terrific. This really has the potential to eliminate spam." Then I got to looking into the RFC... standard private/public key exchange. But, it allows for individual MUAs to posess the private key, such that they can perform the signature.
This puts the entire burden of security in the scheme upon the MUA. So any time a machine is infected with the spam-virus of the day, that private key will be sent off to the spammers, who will send out floods of seemingly legitimately-signed email. Instead of just selling valid email addresses to other spammers, they'll sell addresses and domain keys.
Furthermore, from an administrative perspective, that means that each time one of your user's machines is hacked and the private key compromised, you have to change your public/private keypair, including updating the MUA on *all* of your sender's machines.
Forcing signing upon the MTAs eliminates much of that work (and hopefully the security exposure), but forces inconvenience on a good number of users. It's a tradeoff I'd be willing to make, but the RFC doesn't seem willing to do so.
Oh, you're not stuck, you're just unable to let go of the onion rings.
DKIM is great except, AFAIK:
1) There's still no way of saying "my domain always signs email with DKIM, so no signature means forged mail". At least I couldn't figure it out.
2) Mailing lists add a footer which messes with the signature.
As a consequence DKIM at the moment is completely useless since even though all my emails are signed, spammers/phishers can simply not put the DKIM signature and DKIM wouldn't know if the email was forged or not.
Furthermore, DKIM is reporting that a lot of valid emails posted to mailing lists (mostly gmail ones) are forged.
If these 2 problems are solved, I think DKIM could be the best way of building a reputation system to stop spam almost completely.
The first problem is easy to solve (just add a new flag to the DKIM DNS record), the second one could be solved by *requiring* the DKIM-verification software to discard everything following the length of the signed body (at the moment it's optional), and by *requiring* to specifiy said length (dkimproxy can't do that, AFAIK).
If they "protect" your port 25, they are morons, and you should complain or switch the ISP. If they are blocking your attempts to reach other people's port 25, they should be commended.
Your system may be immune, but hordes of "zombies" would be sending spam from your ISP's network. As things stand, the zombies are still infected, but can not send e-mails directly to victims, which throttles the rate a lot.
You can still run a server — just configure your ISP's server as the "smart host". There is no shame in that.
In Soviet Washington the swamp drains you.
"DKIM is a message authentication solution"
OK, the message comes from Hotmail, Mail.com, Yahoo, etc. It's deemed by DKIM to be authentic, yet it is still spam (albeit authenticated spam). All DKIM, and similar solutions, does is to to prevent message and header manipulation in transit. If Yahoo, Mail.com, and Hotmail still allow spammers to sign-up for accounts how does DKIM solve the problem? At best, with full adoption, DKIM can show the world, authentically, who is sending spam. But, you still have a spam problem.
Here is what I would like.
If an IP address makes more then X connections to my SMTP port at the same time it gets routed to a teergrube.
If an IP address attempts to send email to Y number of invalid users it gets routed to a teergrube.
If an IP address sends me Z number of spam as marked by spamassassin it gets routed to a teergrube.
If an IP address is on the RBL of my choice it gets routed to a teergrube.
And of course a teergrube which can handle a few hundred simultaneous connections and keep them busy for hours.
If we all had all this then at least we could make a dent in the amount of spam going out.
evil is as evil does
I find it difficult to believe that most users are not bothered by spam. As far as I can tell, legitimate email use has been falling dramatically for the past couple years, as people flee the effects of spam, switching to SMS and IM (Jabber, AIM, etc.) Email use within a single corporation remains popular, but home users seem to be abandoning email outright. Some people have given up ordinary email and only use locked-down email inside of social network sites. Spam seems to be killing email. If that doesn't bother people, it's only because they fled email for IM, SMS, and Myspace. If spam follows them, and they have nowhere else to run, they're going to become pretty irate.
If you mod me down, I shall become more powerful than you could possibly imagine.
until there is a button which i can click on each email and cause the sender of the mail to explode an a bloody rain of guts and gore, spam will not end.
If you mod me down, I will become more powerful than you can imagine....
I think the OpenBSD guys have the best solution to spam bar none. Rather than adding fancy verification, authentication, or filtration layers, they engage in a technique to make the spammers hurt: tar-pitting. Why not force spammers to put up with an SMTP server that is so slow that it causes them to choke. The best solution for fighting spam is not through processor expensive filtration or key decryption process but through a combination of greylisting, greytrapping, and greyscanning. These methods bring about measurable results. This is ingenious. I have set up an OpenBSD spamwall at my father's business. We have gone from several hundred spam messages per day to only 10 per week. In a 24 hour period we were hit with 2000 smtp connection attempts. Of those 1992 of them gave up. The biggest complaint I have recieved was that they were not getting enough spam and there was concern that legitimate email might be lost. Our spam wall has been in service for a month without problems. The system is not perfect, but a drastic reduction is realized. These methods hurt the spammer and if enough people employ them, spam may become a thing of the past. The absolute worst thing that could happen is that a legitimate email might be delayed by 4-6 hours.
what about haiku
it can be informative
it is not that lame
When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.