Postfix's Creator Outlines Spam Solution

SATAN writes "Wietse Venema started out as a physicist, but became interested in the security of the programs he wrote to control his physics experiments. He went on to create several well-known network and security tools, including the Security Administrator's Tool for Analyzing Networks (SATAN) and The Coroner's Toolkit with Dan Farmer. He is also the creator of the popular MTA Postfix and TCP Wrapper. SecurityFocus chatted up Venema to talk about software security, how to improve the code quality, what solutions we might have to fight spam successfully, the principle of least privilege, and the philosophy behind the design of Postfix. Venema is currently a researcher at IBM's T.J. Watson Research Center."

It's easy

[smartin]

Just get everyone to sign their mail including companies that send you receipts and opted in spam.

I would be happy if I could reject any mail that is not digitally signed and then manage the signed mail by signature.

Re:It's easy

[Xugumad]

As a big fan of signed e-mail, I see something like this:

Anything signed by someone I trust, arrives in my inbox. Anything signed but not by someone I trust, goes into a holding box from which I can fish e-mails I want. Anything not signed, or with a corrupted signature is rejected as unacceptable at the MTA level.

Now, anything arriving in my inbox can only be spam if someone I know has a hacked system, which should be rare AND I can contact them to tell them to fix it, because I know who it is from the signature (unlike e-mail viruses that could be practically anyone I know). This means that I know when I get e-mail in my inbox, it's worth me looking at.

Unexpected e-mails are still an issue, and may get lost, but frankly that happens anyway (I get somewhere over 200 spam per day, only a couple of dozen of which make it through enough filters for me to even glance at the subject line).

Filtering could be multi-stage, too; regular inbox for trusted people, a secondary inbox for people who I have been introduced to (for example, by a mailing list), then signed but unrecognised, and then everything else.

Re:It's easy

[Xugumad]

That's because there's very little actual use of SPF. I can do with it X.509 certs (Thawte do free e-mail certs at https://www.thawte.com/secure-email/personal-email-certificates/index.html - highly recommended), or GPG, as well, but the problem is getting uptake high enough for it to work.

Re:It's easy

[Xugumad]

Maybe not solve, but I imagine most people get the vast majority of their e-mail, and ALL critical e-mail, from people they know in advance. This means that "uncertain" e-mail can be ignored safely for significant lengths of time, confident in the knowledge that if your boss e-mails you, you'll still get notification ASAP.

Make sense?

Re:It's easy

[antifoidulus]

Dude, if we could get everyone to do something then there would be a super easy way to stop SPAM: namely get everyone to stop clicking on stupid shit.

Not only does that action give spammers income, it is the #1 vector for the spread of botnets.....

Re:It's easy

[swillden]

Dude, if we could get everyone to do something then there would be a super easy way to stop SPAM: namely get everyone to stop clicking on stupid shit. Not only does that action give spammers income, it is the #1 vector for the spread of botnets.....

Actually, it doesn't give spammers income. Spammers don't care if you click the links. By the time you're deciding whether or not to click, the spammer has already done his job and made his money.

If you think not clicking links is gonna convince all the get-rich-quick scheming fools to stop paying spammers to send their crap then you sadly underestimate the supply of fools.

Re:It's easy

[nabsltd]

No greylisting implementation that I know of requires the sender to do anything special to "validate" their e-mail. What you are thinking of is a challenge-response system, and those suck because they create blowback spam.

Greylisting works on the principle that most spam comes from systems that don't follow RFC because they do not retry if they receive a temporary error. The MTA with the greylisting implmentation always returns a temporary "4xx" error code for any e-mail with a "new" sender/recipient/source IP triple and stores the information in a database. The greylist server keeps returning a temporary error for anything that matches this tuple for the configured timeout (usually about 5 minutes). After that, it lets the connection through as normal (where other anti-spam measures may be taken).

This stops most bot networks from sending spam. It still works remarkably well, as I only use that and SpamAssassin with a reject score of 10, and I see about 1-2 spam e-mails per week.

Will Not Work

[mfh]

Your post advocates a

(x) technical (x) legislative (x) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

(x) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
(x) Microsoft will not put up with it
(x) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(x) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
(x) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
(x) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Will Not Work

[pla]

(x) Spammers can easily use it to harvest email addresses - How do digital signatures allow easy harvesting of email addresses?

(x) No one will be able to find the guy or collect the money - If the signature doesn't validate, the message never even gets to your inbox. Yeah, people can still send bogus-signature messages, but they wouldn't get to anyone.

(x) It is defenseless against brute force attacks - Of what nature? Few organizations on this planet have the resources to brute force a valid bogus digital signature, and no one can do it on the sort of scale you'd need to send spam.

(x) Microsoft will not put up with it - Microsoft actually suggested a variant of that approach, except server-signed rather than user-signed.

(x) The police will not put up with it - 100% traceability of every message? They've wanted that for years. Now, if enough people realize it takes no more effort to actually send encrypted mail over merely signed mail, we could have a problem, but the GP didn't go that far.

(x) Requires too much cooperation from spammers - How? It depends on the fact that spammers can't cooperate.

(x) Requires immediate total cooperation from everybody at once - Easy to obtain, in that we really only need the mail server admins to cooperate, then everyone (who wants to get their email) will play along pretty damned quick.

(x) Many email users cannot afford to lose business or alienate potential employers - So they would cooperate even quicker.

(x) Anyone could anonymously destroy anyone else's career or business - How do you anonymously send a signed message?

(x) Laws expressly prohibiting it - Clinton actually made digital signatures legally binding under US law... So quite the opposite.

(x) Lack of centrally controlling authority for email - There, we agree. This would require a community rather than central effort.

(x) Asshats - Simply wouldn't get (or receive) mail.

(x) Jurisdictional problems - The GP didn't suggest a legislative solution, so not applicable.

(x) Willingness of users to install OS patches received by email - No one can save those who lick plugged-in lamp cords.

(x) Armies of worm riddled broadband-connected Windows boxes - Can spam as much as they want, it will never get read.

(x) Eternal arms race involved in all filtering approaches - Unless someone finds a trivial crack to RSA, not applicable.

(x) Extreme profitability of spam - Irrelevant.

(x) Joe jobs and/or identity theft - Would require either knowing their private key, or even in the easiest case, physical access to their machine.

(x) Technically illiterate politicians - Have IT staff paid to make sure the bits flow.

(x) Dishonesty on the part of spammers themselves - Once again, irrelevant, this does not require any cooperation on their part.

(x) Bandwidth costs that are unaffected by client filtering - We already get tons of spam, that wouldn't really matter, but it would get better as the spammers eventually give up.

(x) Outlook - To repeat, MS already proposed something similar.

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical - Because of naysayers, not because of any real barriers to implementation.

(x) Blacklists suck (x) Whitelists suck (x) We should be able to talk about Viagra without being censored - Which all have what to do with signed mail???

(x) Countermeasures must work if phased in gradually - Like IPV6 or changes to daylight savings time?

(x) Why should we have to trust you and your servers? - You shouldn't - So block me, you'll know with 100% certainty who you've blocked.

(x) Feel-good measures do nothing to solve the problem

V for Venema

[digitaldc]

I always said if you had poorly-written code or spam clogging up your inbox, you would need a Venema.

I lost a lot of respect for Wietse Venema

[SuperBanana]

...once I started reading his replies on the postfix-user mailing list. He's extremely blunt. While many are VERY helpful and detailed, a number are a sentence or two long that, paraphrased, consist of "you're an idiot."

However, he's nothing compared to Victor Duchovni (who works for Morgan Stanley, and is a major poster on the postfix-users list). His signature, and I'm not making this up:

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Yeah, you read that right. 11 lines long...and this asshole thinks he's so fucking important, he lectures you about how to thank him so he can delete your acknowledgment/thank you as quickly as possible. He's often more willing to insult than help, and on numerous occasions, comes to the wrong conclusion. Worse still, he often presents his solution with complete authority and confidence, putting the helpless user on a primrose path.

Re:I lost a lot of respect for Wietse Venema

[Camel+Pilot]

and this asshole thinks he's so fucking important

errr maybe he is... I mean important. If someone has specific and in depth knowledge and spends time helping the less knowledgeable, being an asshole sometimes come with the territory.

Re:I lost a lot of respect for Wietse Venema

[shis-ka-bob]

Let me get this straight. Two men help strangers to use free software and you are calling one an ass because he wants to 1) share the results of a fix with future users of the group, and 2) avoid flowery 'thank you' follow ups because he has high pressure work to do (there is no other kind of work at Morgan Stanley). Is that the jist of it?

Re:I lost a lot of respect for Wietse Venema

[superskippy]

It's quite simple. If you write an MTA, you have to be an asshole. It's the law.

Re:I lost a lot of respect for Wietse Venema

[Free+the+Cowards]

For some reason many people prefer to have polite, useless help than have someone who directly solves their problem without a bunch of extra words on the side. It boggles the mind, and it's a large part of why I significantly curtailed the time I spend helping people work through their problems. For some reason, a whole lot of people with questions get angry with people who ask things like "what are you actually trying to do here?" or who tell them that their whole approach is wrong, but are perfectly fine with people who go along answering questions politely and wrongly for dozens of messages.

Re:I lost a lot of respect for Wietse Venema

[nyctopterus]

You know, even if you're doing something good, if you do it with ill temper and lack of grace, you're still being an arse.

Re:I lost a lot of respect for Wietse Venema

[SuperBanana]

The "flowery" thank-you follow-ups you speak of are actually the norm, not vise-versa. On the Sun Managers list, it was EXPECTED that you post a follow-up to your question, explaining what responses you received, what was correct, what you learned, and who to acknowledge for responding and providing correct solutions. It's the de-facto standard on other lists I'm on, though not to as great a degree. It's a user community, not a help-desk queue.

Victor thinks he's so important that he can demand people not extend the courtesy of saying thank you in exactly the way he wants it, because it wastes his precision brainpower and precious seconds to have to read the message body to see whether to hit the "delete" key. If that's not unbridled arrogance, I don't know what is. I'd be willing to bet he doesn't even do that- I bet he's got a rule that deletes any message with "thank you" in the subject.

The funny thing is, I've seen a couple of Postfix-users posters specifically go out of their way to thank him, not put "thank you" in the subject line, AND cc the list. It's delicious.

Re:I lost a lot of respect for Wietse Venema

[mandelbr0t]

Actually, if someone deals with the unwashed masses regularly, it might be a good idea to learn some manners and/or diplomacy. There's no excuse for being an asshole, not even being ridiculously intelligent and having to deal with real idiots. Everyone has stress in their lives, and it's like geniuses can't be bothered to deal with it gracefully. Quietly ignoring the "it works, thanks" e-mail saves just as much time, without alienating the person with his first response.

Re:I lost a lot of respect for Wietse Venema

[Fjan11]

He's extremely blunt.

In his defense: He's also Dutch and male. You could say he is double handicapped. (Most Dutchmen, like me, are not very politically correct. It's a cultural thing that tends to offend those not in the know)

Not only that.

[khasim]

From TFA:

In my personal opinion, the reliability of email reached its maximum near 1998; it has gone down ever since as the result of increasingly aggressive anti-spam/virus measures. This observation has led me to conclude that the spammers aren't destroying the email infrastructure, it's the well-meaning people with their countermeasures.

I use Exim4 as a pre-processor for a GroupWise system.

This allows me to reject messages during the SMTP connection (no receive and then bounce back) and I have customized the rejection messages to include my phone number. As long as YOUR email admin handles error messages in any sane way, you'll get a phone number to call and talk to the guy who set up the system that rejected your email. I get a call about every other month now.

The real problem is not "aggressive anti-spam/virus measures".

It is that 80%+ of the inbound connections are spam-related. So just about ANY action taken will reduce the amount of spam. But the email admins still need to continually evaluate their processes.

Re:Not only that.

[theshowmecanuck]

I think he is talking about reliability in that every email sent gets to its destination. Right now, email can be blocked as spam. It doesn't matter whether you do the blocking at the SMTP level or not, it is still being blocked including some legitimate emails. If legitimate email is being blocked for any reason, it means the service is not reliable. Your caveat "As long as YOUR email admin handles error messages in any sane way" doesn't solve anything since the person sending the email is usually not responsible for how their email server is configured. Meaning that for them, the service is either reliable or it isn't. This ultimately means that if someone's legitimate email gets blocked by you/your server for some erroneous reason, that your email server is not reliable, and less so than in 1998. The article is saying our current anti spam counter measures are what is making email less reliable.

If programming was a million times more difficult

We wouldn't have fewer people interested in it, we would just have a million times more bugs or one millionth the number of programs available.

Just because it is more difficult doesn't mean the people attempting it are going to do a better job at it. Flying men into outer space is difficult, just because flying men to Jupiter is a million times more difficult doesn't mean the approach we create will be more successful at it.

If anything, programming needs to be easier, so more people would do it then we could have more solutions to choose from. A parallel brute force approach with selection can produce better solutions for everybody.

My Solution to Spam?

[Archangel+Michael]

Spam Assassin.

No, not the program of the same name, an actual assassin that kills spammers, CEOs of companies that use SPAM etc.

And if he has some extra time, assassinate some of the Wall Street Pirates responsible for the mess we're in.

I suggest 1 Trillion Dollars as a bounty, since the Government is handing money out like candy.

Re:Er...Spellcheck much?

[halcyon1234]

Little typos like that don't matter. I mean, things work just fine whenever I sign into BankFoAmercia.com. Okay, sometimes the initially login fails, and I have to login at BankOfAmerica.com again, but after that things are fine.

Strange, though, I never can seem to make my paychecks last more than a day or two. Hrm.

Re:Still waiting for a "one solution" email produc

[tomz16]

Getting these to flawlessly get set-up from scratch is a feat in itself. Why don't we have such a product? I am no coder so I cannot do much except reporting problems.

I imagine a single script a user can run then have all those services running within parameters to be supplied. Linux folks are capable of a lot more so this should not be that difficult.

... because mail IS complicated, and each of these products has its own quirks and gotchas.

Someone who cannot be bothered to read the teeny fraction of relevant documentation necessary to properly set up this software probably has no business administering it (especially on a production network). Since a poorly configured mail server really has the potential to piss thousands of people off around the planet, I'm actually content with the current state of affairs...

P.S. you are looking for a product called Microsoft Exchange. It has nice big buttons you can point and click on. Luckily the costs involved and the presence of an official certification program serve as an effective barrier to entry for most amateur admins.

Re:Just use gmail

[theCoder]

The pull model really isn't a good idea, because that is what spammers are already trying to get people to do. They want you to open the email and click the link. A pull model just makes that automatic. Not to mention all the marketing people (pseudo-spammers) that would just love to know which of their recipients actually look at their emails, and how long they look at them, etc. I already get mailings (alumni stuff, etc) that are just links to a web page where I can read the actual letter.

And of course, "just use gmail" isn't really a solution. It only works until someone figures out how to get through gmail's filters, or Google really sells out and starts allowing select "partners" to advertise to members directly. Though there is some irony in the idea that you can avoid email advertising by using a system that has ads in the email viewer. I'm not saying anything bad about Google or gmail, just pointing out the irony :)