IETF to Look at Spam

m00nun1t writes "CNET has an article about the Internet Engineering Task Force (IETF) looking at what they can do about spam. According to the article, many of the proposals seems to "require changes in basic e-mail technology", which presumably means SMTP (and about time!). Maybe they are looking beyond just SMTP - anyone have any insights here?"

IM2000?

[dialt0ne]

Although I'd find it hard for the IETF to swallow djb's personality, there's always IM2000.

http://cr.yp.to/im2000.html

You can sign up for the mailing list here:

[Saint Aardvark]

https://www1.ietf.org/mailman/listinfo/asrg [ietf.org]

Among many, many others, I saw Vernon Schryver, the guy behind Distributed Checksum Clearinghouse [rhyolite.com], on the list. It's been pretty high volume, though, and I haven't had a chance to really spend some time reading it yet.

Move the onus from the recipient to the sender.

[wackybrit]

Someone posted a response to another spam story a few weeks ago, sadly I can't find it, but they described an interesting mail delivery system they'd created.. and it sounded, to me, as if it could certainly be the future of mail delivery.

They said that when someone sent a mail, it simply went to the local server, and no further.

It sounded like a 'reverse IMAP' style system to me. That is, your outgoing mail simply went to a folder on your server, which allowed you to edit and even delete mails BEFORE they were picked up by the recipient. The recipient's e-mail server would only receive a 'notice' that someone had mail for them.

When the recipient went to collect their mail, their own mail server would then have a basic list of where the e-mails for the recipient are, and then it'd go ask for them from the remote servers and feed them through.

So, how does this help spam?

It allows spam to be truly filtered on the OUTGOING rather than the incoming!

Why's that a great thing? Well, it means that if you're an AOL or MSN user, you're not going to lose 80% of your mail simply because of over-zealous filtering by your ISP. Instead, spam mail will not even be sent, let alone received!

Of course, bad eggs could always set up servers with no filtering systems on them and send their spam that way.. but BECAUSE e-mail will be picked up FROM the senders server with this system, it means blacklisting is a whole lot easier! You just ban a server and you know you've got rid of the bad eggs.. whereas the current SMTP system allows open relays and all sorts of 'trickery' to get around filtering systems.

So.. the conclusion is.. make e-mail stay on the sender's server until it's time for it to be collected. It allows you to edit or delete mail before the recipient collects it, it stops spam, and it reduces bandwidth(!) -- if someone never collects their mail, then the mail has never gone across the net.. it's still on the sender's server.

I hope the original poster of this idea will pop up here again and correct me if I got his ideas wrong, but he was certainly on to something.

Sender Pays!

[LostCluster]

The fundemental diference that protects most communication systems from Spam-like abuse is that the sender is responsible for a majority of the costs of the message. Yeah, there are telemarketers and junk postal mail, but the are seriously limited by the fact that there is a noticiable cost assosciated with each additional message they send. The fact that it costs money to send such communications makes it impractical to bother people with offers with an extremely low reponse rate.

SMTP/POP3 e-mail presently leaves the cost of holding the message during the wait for the intended reader to be available on the receive-side server. The spammer doesn't even have to maintain a constant and consistant Internet connection.

Under the current system, a sender can send 100 MB of messages in an hour without penalty. However, a receiver who gets 100 MB of messages in an hour usually will find any other messages sent to them bouncing.

Requiring the message be held on a sender-side server instead would transfer the costs of sending a large volume of e-mail onto the sender, and therefore discurages the practice better than any law ever could.

Internet Mail 2000

[oohp]

Dan Bernstein [cr.yp.to] has a project called Internet Mail 2000 [cr.yp.to], ment to design a new Internet mail infrastructure which makes mail storage the sender's responsibility.

Re:Move the onus from the recipient to the sender.

[andyveitch]

This is Dan "Qmail" Bernstein's Internet Mail 2000 [cr.yp.to].

Dr. Jeffery Race's proposal on NANOG

[djmitche]

A participant in the NANOG (North American Network Operators' Group) mailing list recently posted a Best Current Practice proposal [merit.edu] regarding spam to that list. He was fairly heavily flamed by some of the frequent posters on the list, but his idea (which has a basis in sociology) does have some merit.

He uses the idea of emergent structure. To quote, " if all (or even most) players expect other players to act in a certain way, a predictable pattern of behavior emerges which becomes compelling for all players. This is the way all organizations work."

That should be Internet RESEARCH Task Force

[notonymous]

Actually, it's the IRTF -- not the IETF -- that is undertaking this work. To quote from the IRTF home page [irtf.org] - "[Mission] To promote research of importance to the evolution of the future Internet by creating focused, long-term and small Research Groups working on topics related to Internet protocols, applications, architecture and technology."

Don't expect a quick fix from this initiative.

Summary of IETF ASRG discussions

[wayne]

Four days ago when this was mentioned on slashdot [slashdot.org], I posted the following summary of what had been discussed. Sadly, this summary is still pretty complete.

From what I take from all this discussion is that the only "solution" to spam is to do the types of things that we have been doing for years, but to do more of it and quicker. Use well run DNS blacklists (Spamhaus SBL [spamhaus.org], ordb [ordb.org], dsbl [dsbl.org], etc.), use good content filters (bayesian filters, etc.), use bulk mail detectors such as DCC [rhyolite.com] or vipul's razor [sourceforge.net], etc.) and per-user whitelists and blacklists.

Or, combine all of the above techniques by using SpamAssassin [spamassassin.org]

--

I've been subscribed to the list since near the beginning and have been following it fairly closely. Much of the discussion has been rehashes of old topics such as "what exactly is spam?", "make the sender pay something, either money or CPU", etc.

The most interesting discussions that I've seen so far are:

• Mail transfer programs (MTA) such as sendmail, exim, qmail, etc., should keep track of sender-recipient pairs. The first time the sender-recipient pair shows up, sendmail (or whatever) should issue a "temporary delivery failure". This will force the sending mail transfer program to queue the mail and resend it later. This is completely backwards compatible and doesn't require end users to do anything.

  Most spam specific programs will not queue and retry, and thus the spam will be dropped.

  Spammers that use real mail transfer programs or open relays will need to be able to hold all their outgoing spam for a while, increasing the spammer's costs and slowing down the delivery of spam. Legitimate email will not be thrown out, it will only be delayed and only for the first time.

  Of course, you don't really want the databases to remember every sender-recipient pair forever, nor do you want to remember pairs that were added by spam so this really isn't a "first time" database, but it is close.

  Apparently the "canit" program already does this, but I had not heard of this technique before.

• Spam filtering really needs to be done while the email is being received. Sendmail can already do this with the milter filter, but other MTAs should also. Most mail servers are I/O bound, not CPU bound so this really isn't much of a burden on the server.

  If you filter during the email receive process, you can make the sending MTA do the bounce. This means that you will not have to deal with spammers forging "from" and "reply-to" headers. You won't have to clean up bounces that never succeed, nor will you be responsible for bouncing spam to another victim that the spammer selected for the "from" or "reply-to" headers.

  Also, false positives will recieve a bounce message instead of just disappearing. This reduces the danger of important email being lost.

• There are also several proposals to deal with ways of verifying that email being sent from a given IP address and claiming to be from a certain domain is actually authorized to send email claiming it is from that domain.

  Right now, there are DNS records that tell you which IP addresses are valid to try and send email to for a given domain (the MX records), but many ISPs have different machines for sending and recieving email. There are currently no DNS records to tell you which tell you which IP addresses a domain will send email from.

  The problem with this kind of proposal is that there are many people who think they have legitimate reasons to forge "from" or "reply-to" addresses. It also forces ISPs to make sure that every time they add a new outgoing mail server, they need to update the list of valid IP addresses. If they forget to do this, then only bleeding edge spam filters will detect a problem.

Re:Sender Pays!

[soundofthemoon]

It's not just the storage space for the message. It's also the bandwidth costs. That's the nice thing about this approach. It doesn't bother ordinary users, but is death for spammers. Instead of making a send raid on a few SMTP servers, they have to keep their servers running while a million readers all come calling. It's like they have set up a DDoS attack on themselves. It would be fine for non-spam businesses like amazon.com to do that, as they maintain some whompin big servers. But it would kill the small spammer, as the capital outlay for spamming would go up a lot.

Re:Sender Pays!

[Ben Hutchings]

Currently the spammer is likely to be sending a few thousand copies of the email to someone else's mail server, each specified as being for a few hundred recipients. The mail server expands this to a million copies.

I was the original poster ...

[Art Pollard]

I was the original poster. You got it basically right in your synopsis too.

To recount, my idea is for when someone sends a mail message, the message itself goes onto the local mail server and the header for the message would go to the recipient. The recipient's mail client would then download the message. However, it would be possible for the mail server to delete the message _before_ the mail client ever sees it in which case, the mail server tells the client this and the client would then throw away the header and the end user _would_never_even_know_ that the mail (spam) had been sent. This would be totally transparent. It would also allow of course, for sender of the mail to be able to tell if / when a mail message had been picked up. (Not read but simply picked up.)

One of the big advantages of a system such as this is that you know for 100% certainty where the spam (or other e-mail) is coming from. You don't have to spend time looking through forged headers etc. in order to send a complaint to the ISP.

ISPs on the other hand would be capable of canceling spam after it had been sent and before it was picked up by the end user. For example, someone send's 100,000 spams from an AOL account. Somebody notifies AOL that they received spam from the offending person, AOL looks and AOL then is capable of cancelling all unpicked up spams -- before they are ever delivered to the end user. Alternatively, AOL could also simply look on their servers and say: "hey, we have 100,000 messages that are waiting to be picked up, we had better look into this" and then make a determination from that point as to whether the mail should be canceled -- again before anybody (or very few) sees the spam.

Blacklists could easily be created too where the site is blacklisted for only a certain period of time. So after three days (for example) the blacklisting would go away automatically. This avoids the problem that many ISPs have where they get blacklisted due to a single user and then they can't figure out how to get off the blacklist. Using this approach, the blacklisting would only last for as long as the spambarrage continued.

Blacklists would easily be able to be created within certain organizations or groups of people who have similar "moderating" views rather than trying to make one (or very few) blacklist(s) meet everybody's needs as is now the case -- and often hurting people's ability to send and receive legitimate mail.

The protocol could not only specify what server the mail came from but also the user. So, for example, if someone were spamming from AOL, it might not be a great idea to blacklist AOL but only that user from AOL. This would work for mail systems where you know it is a legitimate business but with a few unruly users.

So, using this technique, it would be possible for a spammer to get a few spams out but it would be nearly impossible for them to spam very many people before it was caught by their ISP and canceled or the user/ISP was blacklisted for a period of time.

-Art
Pollarda@Lextek.com
Lextek: Suppliers of High Performance Text Retrieval Engines

Re:Move the onus from the recipient to the sender.

[Art Pollard]

Yes, this is correct. The end user would never even know that they have received the spam. It would go into the bit-bucket (if it was spam) before it ever appeared in their in-box if the sending server (or for that matter the senders themselves) canceled it before it was picked up. So it would be totally transparent to the user and this avoids having confused users wondering where their mail is.

Since most spam affects 100's if not 100's of 1,000's of people, using a local blackhole list would create allow e-mail to be self moderating. After 1 or N people had reported a given server or server/user as a source of spam, they would be automatically added for a period of N days and this would last until the spam barrage was over. So while yes, some spam would get out, only very few would ever see it before it was canceled by the originating ISP or by others who recived the spam before you did.

-Art
Pollarda@lextek.com
Lextek: Suppliers of High Performance Text Retrieval Engines.

Re:Tempfailing first time email

[Anonymous Coward]

It's an excellent idea, and I've been running it since November. It also has the nice side-effect of destroying dictionary attack wankers, since they all tend to "hit and run" more than most.

In the nearly 5 months it's been running, there has been only one snag. Some twit with a Lotus mail server couldn't send mail to anyone unless she sent it twice. That's right - her mail server was treating 4xx errors as permanent failures.

Personally, I don't see that as a problem, but I wanted to warn anyone who was thinking about doing something similar.