Could We Eliminate Spam With DMARC? (zdnet.com)
An anonymous reader writes:
"The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing."
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.
sender: me@mydomain.net
actual mailer: my@host.org
REJECT!
Stupid republicans and their idiot outloud thoughts.
I have both DMARC and SPF installed and configured correctly... I still get spam! All the spammer has to do is also set up SPF and DMARC.
Human caused problems generally are easy to solve but are not because established interests prevent them.
Email spam is entirely due to the total absence of sender verification. Require some form of sender verification with the ability to complain (and block those with excessive complaints) and you solve the issue.
excitingthingstodo.blogspot.com
"No."
See, that was easy! Technological solution to a sociological problem, and so on.
I'm not impressed with Barracuda. A client made a decision to buy a Barracuda against my recommendations. I installed it and couldn't find DMARC settings anywhere. It turns out they support validating inbound DMARC, but they won't sign anything outbound. I had to set up an external Haraka mail server that blindly accepted all mail from the IP of their Barracuda, signed it, and attempted to deliver it. It's such a pile of garbage.
On another note, if you send a ~45 MB attachment to the device, apparently it clogs up and refuses to deliver. Other mail will go through without problems, but you have to call their tech support to 'force' it through.
Barracuda is a terrible, over-priced, barely-functional product.
There's no place like
You can't eliminate spam and malware without blocking at least some legitimate mail from outsiders. This is one of those fundamental laws that doesn't have a name yet. Maybe ESR should work on the wording.
The email microtax idea (a 0.001 USD per email, except within an organization) was floated 15 years ago, and still seems to be a pretty decent idea. That won't "eliminate" anything bad, but it might help mitigate the problem.
Thank you Mr. Edmunds, "the head of technology from the cybercrimes division of the U.K.'s National Crime Agency" for informing the citizens of the U.K. that their "head of technology from the cybercrimes of the U.K.'s National Crime Agency" is technically incompetent, and is utterly clueless on the subject matter he's blathering about.
There's nothing about SPF, DMARC, or DKIM, that magically identifies the attached email as spam or not. There is no such tag in the email that identifies it as such. All that those technologies do is establish, in varying degrees of certainty, that the purported sender of the email is who it claims to be. Which, obviously, has nothing to do with spam.
As Benny Hill would've said: BIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIG deal...
More than half of the crap in my spam folder has DKIM headers. I have SPF validation turned on. More than three quarters of the spam in my folder passes SPF checks. That pretty much there makes Mr. Edmunds look like a bloody moron. The only fact that they establish is its proven sender's domain name.
SO FUCKING WHAT? Did someone drop this moron on his head, as a child, or what? Is it too much for that knucklehead to comprehend that anyone can register a new domain, establish valid DKIM and SPF keys, to authenticate the domain, then start spewing spam, non-stop, from it? And every last drop of that spam will pass every SPF, DKIM, and alphabet soup that he throws at it. It is true that some portion of the spam from hijacked and hacked zombies will fail SPF/DKIM validation. But this will fail, by far, to be the complete solution for spam, unlike what that knucklehead claims. Is this really so complicated to understand?
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
OR!
Every time you positively ID someone running a big spam operation, raid their residence and shoot them in both kneecaps.
After it happens four or five times the rest of the spammers will probably find another hobby.
Most of the spam that I get comes from hacked accounts where people have used crap passwords that are easily guessed.
Email outsourcing companies don't seem to place much value on following rules like SPF and DMARC. A lot of the false positives we get in quarantine are from senders using email outsourcing or "relationship management" companies. After all, the company gets paid by their customer for sending the mail, and has no real accountability whether the customer's email is properly formatted and delivered.
And with large institutions (particularly universities) moving to outsource email and other IT services, this problem will get worse.
(By the way, the same concept applies to phone spam: reliable/unforgeable Caller ID would probably shut most of that down. Of course, that would require the Telephone Companies to make changes. Caller ID should either be 'guaranteed' or the incoming call marked as "no Caller ID" when the caller's phone number can't be verified.)
It doesn't eliminate all, but it's cut my spam significantly.
Spam has economic, legal, technical and psychological causes. That suggests that if you try and treat it as a technical problem alone, you're going to wonder why it isn't fixed already.
I live in Canada, where spammers get fined, over the loud objections of the sleazy side of the business community, and it's having an effect in the legal and psychological domains. This summer, the law will also allow suing spammers, which takes it into the economic domain as well.
If this, along with technical solutions like spamcop.net, starts to significantly cut it down, then I expect other countries will start doing the same things.
Hey, in ten or twenty years, we might get past spam!
davecb@spamcop.net
The majority of malware and spam come from botnet controlled accounts on valid domains. Most of the 419 spam originates at gmail. Not because gmail is worst, but it's because it's a trusted source of mail.
The reason I say this is not going to work is that you will get spam on any popular communication mechanism. Facebook gets quite a bit now, that's not email, and they control both the sender and the receiver, the spam could be zapped before you know about it, you're just seeing that which got through the filters from a sender that has not been reported.
Why UNIX?
but you can be pretty sure that spam will eliminate DMARC.
All you will do is ensure that more "legitimate" accounts and computer systems will be compromised in less obvious ways, in order to continue sending out spam.
But not after more people with crappy, simple and easy to guess email passwords are compromised even more so.
Spam has economic, legal, technical and psychological causes.
Apparently, so does Twitter ... :-)
It must have been something you assimilated. . . .
Therefore it must be done
davecb@spamcop.net
There are a number of problems with email security that all feed back on themselves. One problem is that a shocking number of major corporations don't bother with these measures, making it pointless for anyone else to. If I set up SPF on my mail server, and a test email from none other than Google fails to arrive because their SPF records are wonky, so as a small two-bit operator I need to either disable all this nice security, or maintain an extensive whitelist for all the companies who don't do things properly. And SPF is trivial to implement compared to domainkeys.
And meanwhile, these same companies may block MY email for ridiculously arbitrary reasons. One time I had to troubleshoot why an email sent through my server didn't arrive, and it turned out that the recipient was using some kind of idiotic filter that insisted the EHLO have some kind of ridiculous format that has nothing to do with any security recommendation or in the RFC.
These wonderful doodads like DMARC are useless if nobody can be bothered to implement them, and really, why SHOULD people bother to implement them if nobody else does?
This requires everyone agreeing to work together to get this implemented, which basically guarantees that it never will.
Where I come from, "twit" is by no means a compliment (;-))
davecb@spamcop.net
DMARC was created by PayPal in conjunction with Google, Microsoft and Yahoo! as a way to stop spam and, more importantly, phishing emails from _their_ domains. If you have DMARC set up properly on your MX you most likely have zero spam in your users' mailboxes from any domains owned by those companies and to that end, DMARC is 100% successful.
But the entire process is setup to validate the sender's domain, not the trustworthiness of that domain. As many have pointed out, as long as I setup the proper SPF and DKIM records for iamsp.am, DMARC is going to happily accept it. My servers implement DMARC but I still had to specifically blacklist care.com because they were spamming us from properly validated servers (we had canceled our subscription and had all communications options turned off and they were still regularly sending us emails with no opt-out link claiming they were for "admin" purposes).
The one nice feature that DMARC does bring is that you have the option to get notifications from other MX's that use DMARC detailing what traffic they've received claiming to be from your domain and how that traffic scored. It assists in debugging setup problems and identifying servers trying to spoof your domain. We recently caught one server in Germany trying to send a lot of email as one of our domains (Google, Microsoft, and Yahoo all sent DMARC reports listing it). We contacted their ISP and it stopped a couple of days later. Being proactive about that helps keep your domain(s) off shared blacklists but it's a manual/proactive process and it's not going to catch everything.
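The report workflow described in the comment above, as an added example that is not part of the original thread: it totals, per source IP, the messages that failed both aligned DKIM and aligned SPF across several receivers' aggregate reports. The reports are constructed samples in the RFC 7489 aggregate format, assumed to be already decompressed and un-namespaced; all IPs and receiver names are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def _record(ip, count, dkim, spf):
    """Build one constructed <record> element (header_from is example.com)."""
    return (
        f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
        "<policy_evaluated><disposition>none</disposition>"
        f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
        "<identifiers><header_from>example.com</header_from></identifiers>"
        "</record>"
    )


def _report(org, records):
    """Wrap constructed records in a minimal aggregate-report envelope."""
    return (
        f"<feedback><report_metadata><org_name>{org}</org_name></report_metadata>"
        "<policy_published><domain>example.com</domain><p>none</p>"
        "</policy_published>" + "".join(records) + "</feedback>"
    )


# Constructed sample data: documentation-range IPs, placeholder receivers.
SAMPLE_REPORTS = [
    _report("receiver-one.example", [
        _record("192.0.2.10", 1200, "pass", "pass"),    # the domain's own server
        _record("203.0.113.5", 40, "pass", "fail"),     # forwarder, DKIM survived
        _record("198.51.100.77", 300, "fail", "fail"),  # unknown source
    ]),
    _report("receiver-two.example", [
        _record("192.0.2.10", 800, "pass", "pass"),
        _record("198.51.100.77", 150, "fail", "fail"),
    ]),
]


def parse_report(xml_text):
    """Yield (reporter, source_ip, count, dkim, spf) for each row of a report."""
    # Reports come from third parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in aggregate report")
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name", "unknown")
    for row in root.findall("record/row"):
        yield (
            reporter,
            row.findtext("source_ip", "unknown"),
            int(row.findtext("count", "0")),
            row.findtext("policy_evaluated/dkim", "fail"),
            row.findtext("policy_evaluated/spf", "fail"),
        )


def unauthenticated_sources(reports):
    """Rank source IPs whose mail failed both aligned DKIM and aligned SPF."""
    totals = defaultdict(lambda: [0, set()])
    for xml_text in reports:
        for reporter, ip, count, dkim, spf in parse_report(xml_text):
            if dkim == "pass" or spf == "pass":
                continue  # DMARC passes when either mechanism passes aligned
            totals[ip][0] += count
            totals[ip][1].add(reporter)
    ranked = [(ip, n, sorted(orgs)) for ip, (n, orgs) in totals.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for ip, messages, reporters in unauthenticated_sources(SAMPLE_REPORTS):
        print(f"{ip}: {messages} messages, reported by {', '.join(reporters)}")
```

A source that several independent receivers report as failing both checks is the candidate for the kind of ISP follow-up the comment describes; the forwarder row is skipped because its DKIM signature still passed.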
Given that AI can catch 99.9% of spam, the spam problem has largely been solved.
DMARC isn't even an anti-spam protocol, it's simply a protocol that prevents E-mail addresses from getting forged. But given the huge number of E-mail providers out there, spammers don't need to bother forging the source of E-mails. In addition, spammers can always corrupt and subvert domain registrars. So, DMARC is likely to be of negligible effectiveness compared to existing AI techniques.
DMARC and similar systems would mainly serve to eliminate privacy and threaten free speech by making every piece of E-mail traceable to its real-world sender. That's the real reason why these crooks are trying to push this technology on us even though we don't need it. Don't let them fool you. Tell them to get lost and shove their 1984-fantasies where the sun don't shine.
Shaka, when the walls fell.
Meanwhile, I've disabled DMARC. None of the ton of mailing lists I'm subscribed to and post to work well with DMARC, if you use DMARC to strengthen SPF (i.e. fail if SPF doesn't match). Every post I make I get a ton of DMARC fail reports from other subscribers' mail servers because the forwarding done by mailing lists breaks it. I just gave up.
Yes, I know it's not DMARC's fault, but good luck convincing the tech mailing lists to move beyond the ancient Mailman or whatever prehistoric CGI mailing stuff they use.
More paperwork isn't the solution.
Why doesn't the U.K.'s National Crime Agency spend a crap ton of money prosecuting spammers off the face of the earth instead? Spam is a crime like any other. It has a source and it makes criminals money. Do something about that and stop wasting time and money on bandaid fixes that will never work.
If ISPs and big mail services like gmail "stopped" filtering spam then we'd all see just how bad the problem really is. Then, maybe, just maybe we'd all get collectively mad enough about it to send a message to government(s) to do something about it. As it is, spam is just brushed under the carpet and we all try to ignore it doesn't exist.
I'm increasingly getting sick and tired of geeks and nerds that think technology will solve problems that are essentially caused by human greed and amorality.
In this particular case, spammers would simply use botnets to spread their spam using legitimate email addresses. Many already do.
Spammers are criminals: Treat them as such.
>"The spam problem would [...] probably almost go away, [...] if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors"
Except we can already deal with that type of spam using RBL and other methods. The majority of spam that remains is the worst kind- from businesses sending us endless marketing crap from legitimate domains, claiming we "opted in", which of course we did not. Every single place we interact with demands a verified Email address- for every account, for every transaction, for every service. And many companies happily spam us to death with it and even sell the information to other companies too.
The marketing companies take no responsibility, because they now increasingly use third-parties to deliver that crap. It used to be fairly easy- block marketing companies like Constant Contact and their ilk. But now they moved to some "too big to block" services- like Google, Microsoft, and Amazon's infrastructure.
There is more than one type of spam. There is no one magic solution. It is no different than caller ID- Even if we could force it to be 100% correct all the time, do you really think that will stop unsolicited calls? Nope.
SPF and DMARC have to do with validating the sending email server and that the content of the message is what it sent. It has nothing whatsoever to do with preventing spam, which is almost always sent from "authorized" servers. Those servers will sign the spam just as they will sign anything else when they send it.
DomainKeys is useless and causes more issues than it solves (it only has to create one issue, since it solves none).
98% of spam is obliterated by requiring strict compliance with the RFC's, including validating the HELO/EHLO and that the sending MTA conforms to the STANDARD for putting a host on the Internet (forward and reverse DNS match). Unfortunately if you do this you also obliterate messages from about 80% of valid MTA's, those MTA's being misconfigured, and those MTAs are being run by some of the largest email companies (and most of the Fortune 1000 on the planet also have severely non-compliant MTA configurations). So you have to maintain a *HUGE* whitelist of non-compliant servers that you actually want to receive from.
Another 1% can be eliminated if everyone had properly configured SPF records. Most asshats don't. Even those who pretend to have SPF records do not have them configured in a manner that is effective and they may as well not bother having them at all.
The remaining 1% comes from "stolen" but valid accounts and no signing or other technological crap will do anything about this.
The only thing that DomainKeys does is provide cryptographic authentication of the sending MTA.
However, that is totally unnecessary as that information can be found in the Received headers.
The only thing it will do is to increase the motivation of spammers to hack machines to send SPAM. Filtering works pretty well, use it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
SPF, DKIM, and DMARC won't stop spam. All they can do is prevent someone from falsely claiming to have sent from you/yourdomain, the old fashioned Joe job.
If you setup SPF and DKIM, AND the recipient server administrators all check SPF and DKIM, then SpamKing can't send a message claiming to be from you.
But, nothing on God's green Earth prevents SpamKing.TLD from sending you Viagra ads. Nor does it stop them from sending from tens of thousands of domains under their control, domains with VALID SPF records and valid DKIM signatures. Regardless of DMARC the spam still flows.
The spammers already deliver billions of messages per day with valid SPF and DKIM signing.
It's a massive ship of fail that can only prevent a Joe job.
I call bullshit. Sending email shouldn't be free. It should cost money. It's a service and there is no such thing as a free lunch. We should kill email as we know it and introduce a system that costs money. Even a single penny for each email would be enough to stop spammers. Their business model would no longer work.
To Terminate, or not to Terminate, that's the question - SCSIROB
Shaka, and the walls fell.
DMARC, SPF, and DKIM are only ways to identify the sender is who they claim to be. If the message fails these tests, you can reject the message or apply other techniques (Bayesian, blacklist, etc) to make a determination.
If it passes the initial tests, you still have to perform those tests and train the filter. Only if the message is signed by a cert you trust can it ever pass straight through. But, PKI is another ball of wax, isn't it.
It's hard for me not to dismiss it as a troll article when it mentions "eliminate" and "spam" in the headline. The answer is "No, no, NO, you're NEVER going to eliminate every annoying email message that someone doesn't regard as spam."
Yeah, the article clarifies that it's really another reduction strategy, but I still feel the best one is to go after the spammers' business models. The most persistent and annoying spammers have business models, and as long as the business models keep working, then those spammers will keep spamming. The best way to tackle the spammers' business models is to consider where the money comes from and get the help of the potential victims.
The spammer who needs a sucker has to be understood by the sucker. There has to be some link from the spam to the sucker's wallet and back to the spammer or there's no point.
Why isn't there an email system that lets US, the potential victims, be good Samaritans in breaking the spammers' business models? You don't have to help, you can be a free rider, but I'd be glad to spend a few minutes a day hurting the spammers by helping to analyze a few pieces of spam and suggesting the countermeasures. I think there are a lot of wannabe good Samaritans out there, but the big email providers like the google just believe in "Live and let spam" as their business model. (Filtering and even DMARC and DKIM obviously do NOT work or the spammers would have already given up.)
Imagine that there were an iterative analysis of spam that would allow you to confirm what's going on, or even bring your personal knowledge to bear. Obvious case in point: What if you receive a really good-looking phishing scam spam? Oh wait, you and ONLY YOU know that you do NOT have any account with that bank, but all of the other people who are actually customers of that bank might be at significant risk. This is a case where the human knowledge matters, and the wannabe spammer fighters could help elevate the priority of the response. (Just one of many such cases, but it's really bothering me after I just read a book that suggested you could always spot the phishing scams by the spelling errors.)
As the joke goes, details available upon polite request. Not holding my joke on today's Slashdot, but I'll probably check back in hopes of finding an actually funny comment so modded.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
The next step is then obvious, fine those companies that pay for that spam as well. Catch a spammer, go through his spam history and fine those companies that paid them.
Chaos - everything, everywhere, everywhen
... Catch a spammer, go through his spam history and fine those companies that paid them.
Follows naturally from opening it up to lawsuits: "if you were paid to do this, testify against the payer and we'll let you off easy".
Thanks, that's a good argument for opening it up to suits.
davecb@spamcop.net
capitalism requires people to make money to live and survive. to acquire their basic needs such as education, shelter, healthcare, and whatnot, and most never make enough to obtain these things entirely, you have to get money from somewhere. in this case spam generates enough revenue for many that they keep on doing it.
spam is not normally done as a cyber assault, but once people no longer were required to get money, perhaps the only 'spam' we'd be seeing was assault based, psychological warfare, and criminal behavior, which case police should arrest the people behind the spam.
https://www.obamasweapon.com/
This has, like many things like cracking DRM, become an arms race between spammers and anti-spam technologies.
I run a small ISP that was established in 1995. Spam was non-existent when we started our company. Since then many anti-spam measures have been implemented. All are effective when deployed. They get less effective over time as spammers find ways around them.
Most of the spam that leaves our network results from infections people get on their computers. These send through our servers and leave with correct SPF data. The only effective way we have been able to deal with this is to impose strict limits on how many email messages a subscriber can send. Your network is only as strong as its weakest link. For us this link is our customers' equipment/practices.
...and jalad at tanagra?
There is an old form used to evaluate anti-spam solutions, at https://craphound.com/spamsolu.... It's a useful tool to evaluate spam solutions and can even be applied to various security software practices.
In this case, I see a number of issues.
( ) Users of email will not put up with it
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Open relays in foreign countries
( ) Huge existing software investment in SMTP
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Joe jobs and/or identity theft
( ) Outlook
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Incompatibility with open source or open source licenses
In this case, the existence of rootkitted Windows boxes which have DKIM keys is the major problem. Blocking one particular form of spam may reduce the overall spam traffic, but it seems clear from various conferences on spammers that spam evolves. As one type of spam is more effectively blocked, others grow to fill the economic niche occupied by older forms of spam.
There are some things that will work.
A major provider carries email for a lot of people and can tell if mail is spam if
- the people have no intersecting interests
- they mostly receive it at the same time
- a number of users mark it as spam (nearly all users who regularly mark anything as spam)
Google is obviously doing this and some other for-pay providers too, is my guess. I'd pay for a way to be able to test my email headers against such a service without actually running my email through their servers.
Also, you can hire people to actually read email subject lines and decide whether email is spam. Probably a small number of people could make a huge difference and I'd propose that the cost of such a system could easily be borne by government, or be covered by a very low fee.
As first line of defense, you can make a somewhat lenient automatic system that blocks out common keywords/patterns in email. This would probably cover 98% of spam and could be tweaked by an end user (for example anything about Trump, CNN, gambling, Gwen Stefani or hot tubs is spam 100% for sure). A central repository for such keywords/patterns could be very useful to end users. Personally I have a number of accounts some of which are old and combined they send me a huge amount of spam, so I am considering what to do about it. The above would be a big help.
Has the 'twit'/'twat' debate finally been settled?
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
I would split it with the tax man. Problem solved.
Don't want spam? Don't have an e-mail account. It is 100% possible in 2017.
I don't see how, at least for residents of Slashdot's home country. The U.S. federal health care marketplace (HealthCare.gov) requires each user to confirm ability to receive e-mail at a unique address.
Is there a geek card to turn in?
Just a couple of weeks ago I asked my colleague if he got an Email I knew he was CC-ed on. "Nope didn't see it".
On inspection we found that the sending company had installed DKIM and SPF and set them to "don't warn, simply refuse the mail".
This was something like paypal or ebay where this came from. Sure, they have big infrastructure which is difficult to get right, but also they should have a big team capable of getting things right.....
it is difficult to get things right. Lots of stuff is being sent automatically from "unattended mailboxes". Any bounces or warnings during the testing phase are going nowhere....
That is the key. There are many, many technologies that, if they could be rolled out everywhere, would solve the spam problem. Come up with something that would solve the problem if rolled out in a minority of hosts, and I will be impressed.
I used to validate SPF and DKIM and reject failures, but I found time and time again that they were misconfigured or expired and I was missing important legitimate emails. I think the administrators who set up authentication don't stick around to maintain it and their successors don't have a clue.