Slashdot Mirror

← Back to Stories (view on slashdot.org)

Could We Eliminate Spam With DMARC? (zdnet.com)

Posted by EditorDavid on from the Domain-based-Message-Authentication,-Reporting-and-Conformance dept.

An anonymous reader writes: "The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing.
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.

9 of 124 comments (clear)

  1. "Could We Eliminate Spam With DMARC?" by rainwalker · · Score: 4, Interesting

    "No."

    See, that was easy! Technological solution to a sociological problem, and so on.

  2. Barracuda by darkpixel2k · · Score: 5, Interesting

    I'm not impressed with Barracuda. A client made a decision to buy a Barracuda against my recommendations. I installed it and couldn't find DMARC settings anywhere. It turns out they support validating inbound DMARC, but they won't sign anything outbound. I had to set up an external Haraka mail server that blindly accepted all mail from the IP of their Barracuda, signed it, and attempted to deliver it. It's such a pile of garbage.

    On another note, if you send a ~45 MB attachment to the device, apparently it clogs up and refuses to deliver. Other mail will go through without problems, but you have to call their tech support to 'force' it through.

    Barracuda is a terrible, over-priced, barely-functional product.

    --
    There's no place like ::1 (I've completed my transition to IPv6)
  3. Clueless idiot by mrsam · · Score: 5, Informative

    Thank you Mr. Edmunds, "the head of technology from the cybercrimes division of the U.K.'s National Crime Agency" for informing the citizens of the U.K. that their "head of technology from the cybercrimes of the U.K.'s National Crime Agency" is technically incompetent, and is utterly clueless on the subject matter he's blathering about.

    There's nothing about SPF, Dmarc, or DKIM, that magically identifies the attached email as spam or not. There is no such tag in the email that identifies it as such. All that those technologies do is establish, in varying degrees of certainty, that the purported sender of the email is who it claims to be. Which, obviously, has nothing to do with spam.

    As Benny Hill would've said: BIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIG deal...

    More than half of the crap in my spam folder has DKIM headers. I have SPF validation turned on. More than three quarters of the spam in my folder passes SPF checks. That pretty much there makes Mr. Edmunds look like a bloody moron. The only fact that they establish is its proven sender's domain name.

    SO FUCKING WHAT? Did someone drop this moron in his head, as a child, or what? Is it too much for that knucklehead to comprehend that anyone can register a new domain, establish valid DKIM and SPF keys, to authenticate the domain, that start spewing spam, non-stop, from it? And every last drop of that spam will pass every SPF, DKIM, and alphabet soup that he throws at it. It is true that some portion of the spam from hijacked and hacked zombies will fail SPF/DKIM validation. But this will fail, by far, to be the complete solution for spam, unlike what that knucklehead claims. Is this really so complicated to understand?

  4. Your post advocates a... by Anonymous Coward · · Score: 5, Insightful

    Your post advocates a

    (x) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (x) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    (x) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (x) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (x) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    (x) Bandwidth costs that are unaffected by client filtering
    (x) Outlook

    and the following philosophical objections may also apply:

    (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    (x) Blacklists suck
    (x) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    (x) Sending email should be free
    (x) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

    1. Re:Your post advocates a... by MightyMartian · · Score: 4, Informative

      Thank you. It's good to see the ol' "your anti-spam technique is a fail" form. Christ, I bet you can go back 11 or 12 years and see this exact same story on Slashdot.

      It boils down to this. If you want your MTA to function as a general open email transport system, you cannot kill messages based upon whether they pass or fail solutions like DMARC. There's some logic to weighting failures of SPF checks and the like to make it more likely that a failed message will be rejected, but to actual use SPF and its kin as a sort of yes/no logic gate would lead to an unbelievable number of false positives, and I question the legitimacy of anyone claiming to be some sort of cybersecurity expert who claims such solutions are the be-all and end-all.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  5. I think that's bolocks! by 0ryn · · Score: 4, Interesting

    Most of the spam that I get comes from hacked accounts where people have used crap passwords that are easily guessed.

  6. Re:Nonsense by QuietLagoon · · Score: 5, Informative

    I have both DMARC and SPF installed and configured correctly... I still get spam! ...

    DMARC and SPF are for senders, not recipients. You can set up DMARC and SPF all you want for your domains, but if the senders who send you mail do not set it up for *their* domains, and you do not reject emails that DMARC flags for you, then you're going to continue getting spam.

    .
    And that's the point of TFA. More email senders have to set up DMARC, et al. When enough have set up DMARC, then it will be possible for your server to reject most spam.

    All the spammer has to do is also set up SPF and DMARC.

    With the authenticated sender (via DMARC and SPF) you would know it is a spammer. That's the point

  7. Re:gray listing works by I'm+New+Around+Here · · Score: 4, Funny

    How big was your span originally?

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
  8. Re: Compatible? Nyet! by Anonymous Coward · · Score: 5, Insightful

    And then you're blocking pretty much any corporate user of O365 or any number of Microsoft "server" product users

    Still failing to see the downside here...