Slashdot Mirror


Domain Key Identified Mail vs Phishing

alphadogg writes "Some of the Internet's most powerful companies — including Yahoo, Google, PayPal and AOL — are brandishing a new weapon in the ongoing battle against e-mail fraud. DKIM is an emerging e-mail authentication standard developed by the IETF. DKIM, which stands for DomainKeys Identified Mail, allows an organization to cryptographically sign outgoing e-mail to verify that it sent the message. DKIM addresses one of the Internet's biggest threats: e-mail fraud. As much as 80% of e-mail that purports to be from leading brands, banks and ISPs is spoofed, according to a report released in late January by the Authentication and Online Trust Alliance (AOTA)."

13 of 180 comments

  1. Useless.... by greichert · Score: 3, Insightful

    ... until everybody starts using it! It might help, but all your friends and family won't use it so you cannot rely fully on this alone.

    1. Re:Useless.... by psbrogna · Score: 2, Insightful

      All my friends and family use google & yahoo email. So if google or yahoo support it, then my f&f are all set.

  2. Literacy would go a long way by Anonymous Coward · Score: 1, Insightful

    Gee. If you look at the links inside the emails, they always point you to some odd site. If I am going to sign into Paypal, I don't log into paypalphishing.chsslu.nl

    You really don't need a lot of expensive authentication software. People will still click the links because they don't read before they click.

  3. Another tool... by Ngarrang · Score: 2, Insightful

    ...in the fight against spammers. I am all for it. Will this be the end-all-be-all tool? No, such a thing does not exist in the world of the inter-tubes, but if it can stop the majority of spoofing, then it is a good start.

    --
    Bearded Dragon

  4. Re:Oblig by AndGodSed · Score: 4, Insightful

    You forgot to add "Your idea will be patented by someone else and you will be sued into oblivion" under reasons this won't work...

  5. Might help a little but could be dangerous as well by Aaron+Isotton · Score: 4, Insightful

    I can see that this might help to reduce false positives (i.e. legitimate mail misclassified as spam), but I don't see how it can reduce false negatives (i.e. spam misclassified as legitimate mail). Basically it's similar to SPF but with cryptographic protection.

    If the "big" spam targets (Paypal, Ebay and Amazon spring to mind) and the big mail providers (GMail, Hotmail, AOL etc) work together, it might reduce the amount of spam as well; for example, Paypal could state that *all* of their Mail will be signed with DomainKeys; Gmail could then immediately put all non-signed mail from Paypal into the spam folder (or reject it).

    Since more and more people are using the big providers for their personal E-Mail, it might help with false positives there too.

    It will not help with E-Mail from Domains not using DomainKeys, for domains set up by spammers (they can use DomainKeys like everybody else) and for "small" domains, i.e. not deemed important enough by the big players to be listed as "non-spamming".

    If the big players really work together on this, it might reduce spam a little but it will also damage the small players; since they're not whitelisted, their E-Mail is more likely to be classified as spam. Which makes the big players more attractive, so more people will use them and so on. It leads to a centralization of E-Mail.

    I'm not sure whether this is good or bad.
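As an added example (not code from the article, from Slashdot or from any company named here), this is the DKIM body-hash check the summary alludes to, plus the "unsigned mail from a domain that signs everything goes to the spam folder" policy Aaron Isotton describes above, in Python. Body canonicalisation follows RFC 6376's relaxed mode; the policy set, the sample mail and the placeholder b= value are constructed, and the RSA signature over the headers (which needs the public key published in DNS) is not checked here.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalisation (section 3.4.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse each run of WSP to one SP, then drop trailing WSP per line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":        # ignore empty lines at the end
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    # The bh= tag value: base64(SHA-256(canonicalised body)).
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def split_message(raw: bytes):
    """Return ({lower-case header name: value}, body) for a raw message."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    headers = {}
    for line in re.split(rb"\n(?![ \t])", head):   # keep folded lines together
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def parse_tags(sig: str) -> dict:
    # DKIM-Signature tag=value list with folding whitespace removed.
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, _, v in (p.partition("=") for p in sig.split(";")) if k.strip()}

def body_hash_ok(raw: bytes) -> bool:
    # True when the message carries a bh= tag that matches its body.
    headers, body = split_message(raw)
    sig = headers.get("dkim-signature")
    return bool(sig) and parse_tags(sig).get("bh") == body_hash(body)

# Constructed policy for the thread's scenario: domains that declared
# every message they send is DKIM-signed.
SIGN_EVERYTHING = {"paypal.com"}

def classify(raw: bytes) -> str:
    """'spam' when a signs-everything domain's mail lacks a valid body hash."""
    headers, _ = split_message(raw)
    m = re.search(r"@([A-Za-z0-9.-]+)", headers.get("from", ""))
    domain = m.group(1).lower() if m else ""
    return "spam" if domain in SIGN_EVERYTHING and not body_hash_ok(raw) else "inbox"

def sample_message(sender: str, body: bytes, signed: bool = True) -> bytes:
    # Constructed test mail; a real signer would also fill in the b= tag.
    head = f"From: {sender}\r\nSubject: Your account\r\n"
    if signed:
        head += ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
                 f"\td=paypal.com; s=sel; bh={body_hash(body)};\r\n\tb=PLACEHOLDER\r\n")
    return head.encode() + b"\r\n" + body
```

A message whose body was altered in transit fails the same check as an unsigned one, which is why the classifier treats both the same way.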

  6. The risks of success for domain keying by NetSettler · Score: 2, Insightful

    (*) Microsoft will not put up with it
    ...
    (*) Requires immediate total cooperation from everybody at once

    Actually, I think they'll see this as a business opportunity. The risk here seems to me not that it will fail, but that it will succeed. That is, that people will start to only trust those big few who can afford to create such an identification mechanism. That will lead to the big ones reaffirming their "portal" role and making it harder for new entrants to achieve legitimacy. On a claim that new entrants are dangerous, it won't surprise me if (as with the network neutrality issue), the big ones jump in and say it's essential that they have special status. They like being special and competing among their (predictable) friends.

    I like this technological proposal, btw. I just think it will, like all things, require some refinement before it's really working. But it sounds like a step forward. And at the same time something to be wary of ... in a calm way.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

  7. Nope. by khasim · Score: 4, Insightful

    TFA is about "phishing" which is slightly different from "spam" even though both use bulk email methods.

    The first problem with blocking "spam" is that there is so much of it (80%+ of all email is spam) that just about any stupid idea will result in a decrease in total spam received. Suppose you refuse to accept any email on odd-numbered dates. Since 80%+ of the email coming in was spam anyway, you've reduced your total spam message count ... while only increasing your legit email rejection count a slight bit. You are "winning" against spam. Or it appears that way.

    The second problem is that an approach that works for ONE sub-category will NOT work on a different sub-category.

    For example, spam from Gmail is not stopped by greylisting even though greylisting is fairly effective at blocking spam zombies.

    Will Domain Keys block spam? No.
    Domain Keys will only help against a specific sub-category and only when configured correctly and verified correctly.

  8. Re:Counter-measure by aug24 · Score: 2, Insightful

    I think the hope is that your ISP will already have thrown the email away on your behalf, so you'll not even get to read it.

    J.

    --
    You're only jealous cos the little penguins are talking to me.

  9. Only 80%? by ajs318 · Score: 2, Insightful

    As much as 80% of e-mail that purports to be from leading brands, banks and ISPs is spoofed, according to a report released in late January by the Authentication and Online Trust Alliance (AOTA).

    You really think it's as little as that?

    I'd be very surprised if it was any less than 98% fake.
    --
    Je fume. Tu fumes. Nous fûmes!

  10. Re:Oblig by Sandbags · Score: 1, Insightful

    I still want to know why challenge response e-mail never caught on. It's a simple process really, would have been easy to implement (for end users), would have allowed any who complied with it to e-mail anyone else with ease, and would have incurred major costs only for companies who send more than ten thousand or more e-mails a day (mostly advertisers and other really big firms).

    It's simple. Your e-mail client gets a message. First, it quarantines the message. Next, it opens a return connection to the sending server on another port and confirms the server sending the message has correctly identified itself (eliminating 100% of spoofed mail instantly). Now, if the server sending is valid, we ask it to compute the answer to a simple math problem, taking at most 1/10th of a second of CPU time (less for powerful servers). This is the cost that system incurs to send the message (hurting mass mailing and spam firms the most, hopefully limiting blanket, untargeted spam completely). If the calculation is answered correctly, the message is delivered. If not, it's placed in a quarantine or junkmail folder, so even if it was blocked, you can still get the message. (unless the address was spoofed in which case it's automatically deleted).

    The system requires no user interaction, happens in a fraction of a second (typically) and requires only simple software and a firewall rule change to permit the return authentication port. Anyone installing a compliant agent would gain immediate benefit of no more junk mail from firms who do not also upgrade their mail servers to support it, and no spoofed mail period.

    Corporate admins would want to upgrade their servers to it quickly because even though there's a CPU hit for sending mail, it would lower incoming traffic by 80-90%, and the savings in ISP alone could pay for the upgrade and license. Besides, at fractions of a second per message sent, bandwidth is likely a more limiting factor on mail server performance than the CPU activity from sending a message. They estimated a Xeon 2.3GHz could handle several thousand messages per hour. We're adding this process to stop folks who send millions of messages, not thousands...

    Spamming from drones or infected PCs would be useless because the challenge response would not make it into a home user's PC through their firewall, even if the sending address wasn't spoofed. This type of spyware would cease to exist quickly.

    And as far as Microsoft goes, if they didn't support it (which they did not), home users would quickly be dropping Outlook Express (or Outlook) for Thunderbird and other mail programs that do support it.

    --
    There is no contest in life for which the unprepared have the advantage.
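
The callback-plus-puzzle scheme Sandbags describes, as an added example that is not part of the post: a hashcash-style proof of work stands in for the "simple math problem", a dict of known sending servers stands in for the callback that checks whether the claimed sender really exists, and the challenge bytes, server names and the 12-bit difficulty are constructed.

```python
import hashlib
import os
from typing import Optional

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def verify(challenge: bytes, nonce: int, bits: int) -> bool:
    """Receiver side: one SHA-256 to check that the sender's answer is right."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits

def solve(challenge: bytes, bits: int, limit: int = 1 << 24) -> Optional[int]:
    """Sender side: about 2**bits hashes per message, the cost the post wants."""
    for nonce in range(limit):
        if verify(challenge, nonce, bits):
            return nonce
    return None            # gave up: the receiver treats this like a wrong answer

class SendingServer:
    """Constructed stand-in for the MTA that the receiver calls back."""
    def __init__(self, domain: str, runs_agent: bool):
        self.domain, self.runs_agent = domain, runs_agent
    def answer(self, challenge: bytes, bits: int) -> Optional[int]:
        # Servers that were never upgraded cannot answer the puzzle at all.
        return solve(challenge, bits) if self.runs_agent else None

def route(claimed_domain: str, servers: dict, bits: int = 12,
          challenge: Optional[bytes] = None) -> str:
    """Receiver: quarantine, call back the claimed sender, then decide.
    Returns 'deleted' (callback fails, address spoofed), 'inbox' (puzzle
    answered) or 'junk' (real server, but no or wrong answer)."""
    challenge = challenge or os.urandom(16)   # fresh per message: no replayed answers
    server = servers.get(claimed_domain)
    if server is None:
        return "deleted"
    nonce = server.answer(challenge, bits)
    if nonce is not None and verify(challenge, nonce, bits):
        return "inbox"
    return "junk"
```

Raising `bits` by one doubles the sender's average work while the receiver's check stays a single hash, which is the asymmetry the post relies on to price out bulk senders.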

  11. Re:Oblig by Ioldanach · Score: 3, Insightful

    Except that spoofed mail isn't necessarily bad. I have a gmail account which I use to aggregate a couple of other email addresses that I commonly send messages from and receive mail to. Gmail allows me to send messages out with these addresses after an email exchange with the address to verify that I have access and permission to perform that activity. Preventing spoofing will mean I have to use the actual accounts themselves, which is at best inconvenient.

  12. Re:DKIM is a tool, not a solution by EdIII · Score: 2, Insightful

    Actually... you're SPOT FUCKING ON, pardon my French. At least IMO.

    I am a power user. I have a static IP with a Sonicwall router at home. If my connection was doing something funny, and I don't mean P2P or IP protection/copyright filter/bullshit, I would feel perfectly fine with an http redirect informing me of the problem, offering a download of the logs, and suggestions on how to fix it. I call that a sign of a responsible ISP. They don't even need to shut down the whole service, just redirect the HTTP requests.

    As for the many non-local SMTP connections, that policy could easily allow email services outside of the ISP. Not many people run their own mail servers, but I feel perfectly justified as a mail server administrator in forcing good security practices on any mail server wishing to operate in a legit fashion. If you have a small business, a static IP address is not that much more money. If it is a remote office location, you can always send all email securely to a gateway. Setting up DNS properly and running a legit domain is not hard to do either. Basically, they have the right to run a crappy non-conforming mail server, and I have the right to blacklist them into oblivion. Furthermore, it costs practically next to nothing these days to get hosted email services, which allows you to have a gateway anyway.

    In any case, I think that you're right. Thousands of outbound email sessions on port 25 is incredibly suspicious for a residential user, as is DDOS and other types of easily recognizable behavior.

    As for it flying with commercial users the answer is not so simple. If you are referring to co-located services, I think upstream bandwidth providers already reserve the right to shut down if you start causing network problems. You are supposed to know better and be watching your systems. I think I am certainly held to a higher level of expectations than anybody using a residential or business ISP account. So commercial users are at a whole different level.

    Now high-end users, and business accounts, should be treated exactly the same as low end users. My systems are fairly secure, but I am knowledgeable enough to know that nothing is impossible. I know with enough processing power you could crack the WPA encryption on my access points and gain access to my networks. I use virtualized XP machines to do any questionable surfing/torrents/programs, so I am reasonably sure that any malware, or even rootkits get destroyed before they can do permanent damage.

    Even with that being said, I would WELCOME the ISP causing a redirect if my network was to start sending out suspicious traffic. I would actually want that. Hell, I would actually pay a few dollars a month extra for that service.

    The more I think about your idea, the better it sounds. I don't think you're missing anything.