Could We Eliminate Spam With DMARC? (zdnet.com)
An anonymous reader writes:
"The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing."
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.
"No."
See, that was easy! Technological solution to a sociological problem, and so on.
I'm not impressed with Barracuda. A client made a decision to buy a Barracuda against my recommendations. I installed it and couldn't find DMARC settings anywhere. It turns out they support validating inbound DMARC, but they won't sign anything outbound. I had to set up an external Haraka mail server that blindly accepted all mail from the IP of their Barracuda, signed it, and attempted to deliver it. It's such a pile of garbage.
On another note, if you send a ~45 MB attachment to the device, apparently it clogs up and refuses to deliver. Other mail will go through without problems, but you have to call their tech support to 'force' it through.
Barracuda is a terrible, over-priced, barely-functional product.
There's no place like
Thank you Mr. Edmunds, "the head of technology from the cybercrimes division of the U.K.'s National Crime Agency" for informing the citizens of the U.K. that their "head of technology from the cybercrimes of the U.K.'s National Crime Agency" is technically incompetent, and is utterly clueless on the subject matter he's blathering about.
There's nothing about SPF, DMARC, or DKIM that magically identifies the attached email as spam or not. There is no such tag in the email that identifies it as such. All that those technologies do is establish, in varying degrees of certainty, that the purported sender of the email is who it claims to be. Which, obviously, has nothing to do with spam.
As Benny Hill would've said: BIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIG deal...
More than half of the crap in my spam folder has DKIM headers. I have SPF validation turned on. More than three quarters of the spam in my folder passes SPF checks. That pretty much there makes Mr. Edmunds look like a bloody moron. The only fact that they establish is its proven sender's domain name.
SO FUCKING WHAT? Did someone drop this moron on his head as a child, or what? Is it too much for that knucklehead to comprehend that anyone can register a new domain, establish valid DKIM and SPF keys to authenticate the domain, then start spewing spam, non-stop, from it? And every last drop of that spam will pass every SPF, DKIM, and alphabet soup that he throws at it. It is true that some portion of the spam from hijacked and hacked zombies will fail SPF/DKIM validation. But this will fail, by far, to be the complete solution for spam, unlike what that knucklehead claims. Is this really so complicated to understand?
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Most of the spam that I get comes from hacked accounts where people have used crap passwords that are easily guessed.
I have both DMARC and SPF installed and configured correctly... I still get spam! ...
DMARC and SPF are for senders, not recipients. You can set up DMARC and SPF all you want for your domains, but if the senders who send you mail do not set it up for *their* domains, and you do not reject emails that DMARC flags for you, then you're going to continue getting spam.
And that's the point of TFA. More email senders have to set up DMARC, et al. When enough have set up DMARC, then it will be possible for your server to reject most spam.
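The exchange above (set up DMARC on your own domain, and reject what DMARC flags on mail you receive) is about two different roles. As an added editorial example, not from any participant in the thread, here is the decision a receiving MX makes under DMARC. The point the thread keeps returning to is visible in the code: DMARC never looks at content, it only checks that the domain SPF or DKIM authenticated *aligns* with the domain in the From: header and then applies that domain's published policy. A spammer who registers his own domain and publishes proper records passes. Every domain name, DMARC record and message below is constructed; the organizational-domain rule is a two-label simplification of the Public Suffix List.

```python
"""Added editorial example (not from the thread): the decision a receiving MX
makes under DMARC (RFC 7489).  DMARC never inspects content; it checks that an
authenticated identifier, the SPF-checked MAIL FROM domain or the DKIM d= domain,
aligns with the RFC5322.From domain, then applies the policy that domain
published.  Domain names and DMARC records below are constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header shown to the user
    spf_result: str    # "pass" / "fail" / "none" from the SPF check
    spf_domain: str    # envelope MAIL FROM domain SPF was evaluated for
    dkim_result: str   # "pass" / "fail" / "none" from DKIM verification
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if none


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment.  Real receivers consult the
    Public Suffix List; taking the last two labels is an assumption here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(txt: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    tags.setdefault("adkim", "r")   # RFC 7489 defaults: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def evaluate(auth: AuthResults, dmarc_txt: Optional[str]) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message."""
    if dmarc_txt is None:
        return "none", "accept"          # nothing published, nothing to enforce
    rec = parse_dmarc(dmarc_txt)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.from_domain, rec["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, auth.from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "accept"
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(rec.get("p", "none"), "accept")
    return "fail", disposition


# Constructed answers for TXT lookups of _dmarc.<domain>
DMARC_RECORDS: Dict[str, str] = {
    "paypal.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "iamsp.am": "v=DMARC1; p=reject",
}


def lookup_dmarc(from_domain: str) -> Optional[str]:
    """Try the exact domain, then fall back to the organizational domain."""
    rec = DMARC_RECORDS.get(from_domain.lower())
    if rec is None:
        rec = DMARC_RECORDS.get(org_domain(from_domain))
    return rec


def check(auth: AuthResults) -> Tuple[str, str]:
    return evaluate(auth, lookup_dmarc(auth.from_domain))


if __name__ == "__main__":
    # Spoof: From: claims paypal.example, but SPF/DKIM authenticate the spammer's own domain.
    print(check(AuthResults("paypal.example", "pass", "bulk.spammer.example", "pass", "spammer.example")))
    # Spammer mailing from a domain he owns and configured correctly: DMARC passes.
    print(check(AuthResults("iamsp.am", "pass", "iamsp.am", "none", "")))
    # Strict alignment: a signature from a subdomain does not satisfy adkim=s.
    print(check(AuthResults("paypal.example", "fail", "paypal.example", "pass", "mail.paypal.example")))
```

Note that `p=reject` on the spoofed domain only does anything if the receiving MX acts on the disposition; a receiver that validates DMARC but still delivers is the situation the parent post complains about.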
All the spammer has to do is also set up SPF and DMARC.
With the authenticated sender (via DMARC and SPF) you would know it is a spammer. That's the point
it doesn't eliminate all, but it's cut my spam significantly
Spam has economic, legal, technical and psychological causes. That suggests that if you try and treat it as a technical problem alone, you're going to wonder why it isn't fixed already.
I live in Canada, where spammers get fined, over the loud objections of the sleazy side of the business community, and it's having an effect in the legal and psychological domains. This summer, the law will also allow suing spammers, which takes it into the economic domain as well.
If this, along with technical solutions like spamcop.net, starts to significantly cut it down, then I expect other countries will start doing the same things.
Hey, in ten or twenty years, we might get past spam!
davecb@spamcop.net
The majority of malware and spam come from botnet controlled accounts on valid domains. Most of the 419 spam originates at gmail. Not because gmail is worst, but it's because it's a trusted source of mail.
The reason I say this is not going to work is that you will get spam on any popular communication mechanism. Facebook gets quite a bit now, that's not email, and they control both the sender and the receiver, the spam could be zapped before you know about it, you're just seeing that which got through the filters from a sender that has not been reported.
Why UNIX?
The email microtax idea (a 0.001 USD per email, except within an organization) was floated 15 years ago, and still seems to be a pretty decent idea. That won't "eliminate" anything bad, but it might help mitigate the problem.
Completely unenforceable. SMTP works with end-to-end encryption now, so there's no way of knowing how many e-mails were sent and received from listening to traffic. Unless you put a government snooping e-mail server in every home and business and make it a felony to route around them. I don't want to live in that society.
The same problem exists for fixing caller id.
There are a number of problems with email security that all feed back on themselves. One problem is that a shocking number of major corporations don't bother with these measures, making it pointless for anyone else to. If I set up SPF on my mail server, and a test email from none other than Google fails to arrive because their SPF records are wonky, so as a small two-bit operator I need to either disable all this nice security, or maintain an extensive whitelist for all the companies who don't do things properly. And SPF is trivial to implement compared to domainkeys.
And meanwhile, these same companies may block MY email for ridiculously arbitrary reasons. One time I had to troubleshoot why an email sent through my server didn't arrive, and it turned out that the recipient was using some kind of idiotic filter that insisted the EHLO have some kind of ridiculous format that has nothing to do with any security recommendation or in the RFC.
These wonderful doodads like DMARC are useless if nobody can be bothered to implement them, and really, why SHOULD people bother to implement them if nobody else does?
This requires everyone agreeing to work together to get this implemented, which basically guarantees that it never will.
And then you're blocking pretty much any corporate user of O365 or any number of Microsoft "server" product users
Still failing to see the downside here...
DMARC was created by PayPal in conjunction with Google, Microsoft and Yahoo! as a way to stop spam and, more importantly, phishing emails from _their_ domains. If you have DMARC set up properly on your MX you most likely have zero spam in your users' mailboxes from any domains owned by those companies, and to that end, DMARC is 100% successful.
But the entire process is set up to validate the sender's domain, not the trustworthiness of that domain. As many have pointed out, as long as I set up the proper SPF and DKIM records for iamsp.am, DMARC is going to happily accept it. My servers implement DMARC but I still had to specifically blacklist care.com because they were spamming us from properly validated servers (we had canceled our subscription and had all communications options turned off and they were still regularly sending us emails with no opt-out link claiming they were for "admin" purposes).
The one nice feature that DMARC does bring is that you have the option to get notifications from other MX's that use DMARC detailing what traffic they've received claiming to be from your domain and how that traffic scored. It assists in debugging setup problems and identifying servers trying to spoof your domain. We recently caught one server in Germany trying to send a lot of email as one of our domains (Google, Microsoft, and Yahoo all sent DMARC reports listing it). We contacted their ISP and it stopped a couple of days later. Being proactive about that helps keep your domain(s) off shared blacklists but it's a manual/proactive process and it's not going to catch everything.
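The reporting feature described in the post above is the `rua` (aggregate report) mechanism: receivers mail the domain owner an XML digest of every source IP they saw using the domain in From:, with counts and the aligned SPF/DKIM outcome. As an added editorial example (not the poster's code), here is a small reader for such a report that lists the sources and picks out the ones where neither identifier aligned, which is how the German server in the story would surface. The report is constructed in the RFC 7489 Appendix C layout; the reporter name, IPs and counts are made up.

```python
"""Added editorial example (not from the thread): reading a DMARC aggregate
("rua") report.  Receivers that evaluate DMARC mail the domain owner an XML
summary of every source IP seen using that domain in From:, with counts and
the SPF/DKIM/disposition outcome.  The report below is constructed in the
RFC 7489 Appendix C layout; all addresses and names are made up."""

import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailprovider.example</org_name>
    <email>dmarc-noreply@mailprovider.example</email>
    <report_id>9f2c1c0e</report_id>
    <date_range><begin>1500000000</begin><end>1500086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>ourdomain.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.5</source_ip>
      <count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>ourdomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>ourdomain.example</domain><result>pass</result></dkim>
      <spf><domain>ourdomain.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip>
      <count>1893</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>ourdomain.example</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(report_xml: str) -> List[Dict[str, object]]:
    """One entry per <record>, sorted by message count, highest first.
    policy_evaluated holds the *aligned* results; auth_results holds the raw
    ones, so a record can show raw SPF pass for some other domain yet fail DMARC."""
    root = ET.fromstring(report_xml)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        spf_auth = rec.find("auth_results/spf/domain")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
            # the domain SPF actually authenticated: tells you who really sent it
            "spf_domain": spf_auth.text if spf_auth is not None else None,
        })
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows


def reporter(report_xml: str) -> str:
    """Which receiver produced the report (the org_name field)."""
    return ET.fromstring(report_xml).findtext("report_metadata/org_name")


def spoofing_sources(report_xml: str) -> List[str]:
    """Sources where neither SPF nor DKIM aligned with our From: domain, the
    candidates to report to the originating network's abuse contact."""
    return [r["ip"] for r in summarize(report_xml)
            if r["dkim"] != "pass" and r["spf"] != "pass"]


if __name__ == "__main__":
    print("report from", reporter(SAMPLE_REPORT))
    for r in summarize(SAMPLE_REPORT):
        print(r)
    print("spoofers:", spoofing_sources(SAMPLE_REPORT))
```

Real reports arrive as gzip or zip attachments, one per reporting receiver per day, so in practice this runs over a mailbox of attachments rather than one string.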
The next step is then obvious, fine those companies that pay for that spam as well. Catch a spammer, go through his spam history and fine those companies that paid them.
Chaos - everything, everywhere, everywhen
If the cloud provider supports SPF, you can include their record so if they change, so do you.
I just checked my DMARC inbox, Yahoo and Microsoft are sending DMARC reports so that's the big three email providers plus a bunch of smaller providers.
DMARC is definitely being adopted.
My what a rose-colored world you live in.
Our domain receives about 1,500 mails per day that pass SPF validation. There's a cartel of spammers that are registering throw-away domains with SPF records that include their zombie senders' IP addresses. Thankfully we have other techniques to filter out those 1,500 messages with around 0.5% false positives. Since spammers have full control over their zombie network I don't see anything preventing them from passing DKIM and DMARC as well, but I've not observed them try that yet.
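Two SPF mechanics from the thread are worth seeing in code: the `include:` of a provider's record mentioned a few posts up (so their netblock changes propagate to you), and the throw-away domain above whose record simply lists the spammer's own zombie IPs and therefore passes. As an added editorial example, not from any poster, here is a minimal SPF `check_host()` in the sense of RFC 7208 that resolves `include:` chains against a constructed DNS table and enforces the 10-lookup limit that turns runaway chains into `permerror`. Only `ip4`, `ip6`, `include` and `all` are implemented; every domain and address is made up.

```python
"""Added editorial example (not from the thread): a minimal SPF (RFC 7208)
check_host() that resolves include: chains against a constructed DNS table.
It shows the include-the-provider pattern, the 10-lookup limit that turns long
chains into permerror, and why a throw-away domain whose record simply lists
the spammer's own sender IPs passes SPF.  Only ip4, ip6, include and all are
implemented; domains and addresses are made up."""

import ipaddress
from typing import Dict, List, Tuple

# Constructed TXT records, keyed by domain.
DNS_TXT: Dict[str, str] = {
    "ourdomain.example": "v=spf1 include:_spf.cloudmail.example ip4:198.51.100.5 -all",
    # the provider's record; it can change its netblocks without us editing anything
    "_spf.cloudmail.example": "v=spf1 ip4:203.0.113.0/26 include:_netblocks.cloudmail.example ~all",
    "_netblocks.cloudmail.example": "v=spf1 ip4:192.0.2.0/25 ip6:2001:db8::/32 -all",
    # throw-away spam domain: its record is just the zombie senders' addresses
    "throwaway-offer.example": "v=spf1 ip4:203.0.113.77 ip4:198.51.100.200 -all",
    # pathological self-include, exhausts the lookup budget
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4


def _check(ip, domain: str, dns: Dict[str, str], lookups: List[int]) -> str:
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIER[qual]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = _check(ip, arg, dns, lookups)
            if inner == "pass":
                return QUALIFIER[qual]
            if inner in ("none", "permerror"):
                return "permerror"      # include of a missing/broken record is an error
            # fail/softfail/neutral inside the include: no match, try the next term
        else:
            return "permerror"          # a, mx, exists, ptr, exp: not implemented here
    return "neutral"                    # ran off the end of the record with no match


def spf_check(ip: str, domain: str, dns: Dict[str, str] = DNS_TXT) -> Tuple[str, int]:
    """Return (result, number_of_dns_lookups_consumed) for a connecting IP
    claiming the given MAIL FROM domain."""
    lookups = [0]
    result = _check(ipaddress.ip_address(ip), domain, dns, lookups)
    return result, lookups[0]


if __name__ == "__main__":
    for ip, dom in [("192.0.2.9", "ourdomain.example"),        # via the provider's nested include
                    ("203.0.113.77", "ourdomain.example"),     # zombie IP: not ours, fails
                    ("203.0.113.77", "throwaway-offer.example"),  # same zombie IP, spammer's own domain: passes
                    ("192.0.2.9", "loop.example")]:            # lookup budget exhausted
        print(ip, dom, spf_check(ip, dom))
```

The lookup counter matters in practice: a record that includes several SaaS providers, each with their own nested includes, silently crosses the limit and every receiver then treats it as `permerror`, which is one way a legitimate domain's mail ends up looking like the wonky records complained about earlier in the thread.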
Remember this: Any published tool/standard you can come up with can be implemented by scum-sucking spammers, too.