
FTC Wants Comments on Email Authentication

An anonymous reader writes "Groklaw has the scoop. The Federal Trade Commission and National Institute of Standards and Technology (NIST) will co-host a two-day 'summit' November 9-10 to explore the development and deployment of technology that could reduce spam. The E-mail Authentication Summit will focus on challenges in the development, testing, evaluation, and deployment of domain-level authentication systems. The FTC will be accepting public comments until Sept. 30, 2004 via snail-mail or email (authenticationsummit at ftc.gov). The FTC has a list of 30 questions they would like answers/comments to. The list is available in this PDF of the Federal Register Notice." In a related subject, reader Fortunato_NC submits this writeup of the sequence of events that led to Sender-ID's abandonment.
  • by Anonymous Coward on Tuesday September 28, 2004 @12:45PM (#10374903)
    These guys aren't going to be happy until we have to hand over our credit cards, photo ID and social security number just to send an email.
  • by garcia ( 6573 ) * on Tuesday September 28, 2004 @12:46PM (#10374913)
    From Groklaw:

    7. Whether any of the proposed authentication standards would have to be an open standard (i.e., a standard with specifications that are public).

    Of course the standard would have to be open. This shouldn't even be up for discussion. No argument can make security by obscurity work and no argument can get me to change my thinking that we should all be using closed SMTP servers.

    Spam is "horrific" and all (BTW I don't get more than 5 a year) but we certainly shouldn't even be considering ending it by choosing applications that will eliminate an open society.
  • by sphealey ( 2855 ) on Tuesday September 28, 2004 @12:49PM (#10374948)
    I would be willing to wager a small sum that the only invitees to this meeting will be representatives of large, commercial, for-profit software vendors and ISPs. That there will be no representation of/by the Free Software community. And that the FTC will reject any comment not from a commercial software vendor/ISP as having "no standing".

    Just a guess.

    sPh
  • Re:Standards (Score:1, Insightful)

    by Anonymous Coward on Tuesday September 28, 2004 @12:51PM (#10374969)
    ...the government will now enforce standards?

    No, that's what we have the National Institute of Standards and Technology [nist.gov] for.

    /never mind the .gov
  • Another war on.... (Score:3, Insightful)

    by Null537 ( 772236 ) on Tuesday September 28, 2004 @12:51PM (#10374975)
    That's what I envision.

    "Today, we must fight a war, they clog our mail boxes, they offer us penis enhancements, drugs like v1ag|2a, stuff we don't need, they make our wives leave us for believing we go to porn sites and give out our e-mails to just anyone. Today we start the war against spam"
    -[Insert head of newly formed organization here]
  • by Sneeper ( 182316 ) on Tuesday September 28, 2004 @12:56PM (#10375033)
    Spammers will render that system useless by sending out spam for innocent companies. You could attack your competitor by anonymously sending spam for them.

    Both guilty and innocent merchants will claim they aren't sending out any spam. Who do you believe?

    --Sneeper

  • by pjrc ( 134994 ) <paul@pjrc.com> on Tuesday September 28, 2004 @12:58PM (#10375049) Homepage Journal
    If you want to advocate SPF, publish an SPF record for your domain, and then register it. Already, 126518 domains have published SPF records [infinitepenguins.net] (at the time of this writing).

    By the time the FTC's summit comes around, it's looking like SPF is going to be pretty well established.

  • by slashjames ( 789070 ) on Tuesday September 28, 2004 @01:02PM (#10375090)
    I tend to agree with your assessment. However, I wonder what they would do if, say, the lead developers of Sendmail arrived. They certainly aren't people of "no standing" with regards to email!

    Yes, I know alternatives such as Qmail and Postfix are out there, but Sendmail is pretty much the standard MTA.
  • by glesga_kiss ( 596639 ) on Tuesday September 28, 2004 @01:03PM (#10375100)
    SPF is a nice idea, but doesn't cope with a couple issues. The first is that a lot of SPAM comes from trojan'd machines. SPF won't prevent or help mark email coming from these machines as SPAM.

    No, but when the luser finds out that their e-mail is broken, they might just do something about their trojaned machine. Which is in fact fixing the problem and not the symptom. Any "authenticated user" idea for SPAM prevention has to account for the fact that there will need to be a "compromised" flag on the account to mark if mails are suspect.

  • by Schezar ( 249629 ) on Tuesday September 28, 2004 @01:05PM (#10375117) Homepage Journal
    Let's face it: Email doesn't (and can't) fill the role it used to.

    There was a time when you shared your email address with everyone. It was on your resume, it was on your web page (if you had one), it was in your sig. Email was the universal, simple, fast, reliable communication medium of the internet.

    I used it to get my friends together on a weekend. I used it to organize events and meet people. I used it to share information.

    Nowadays, IM fills that role. I've realized that nearly everything I used to use email for can be done just as easily over IM. It's reliable, fast, relatively secure, easily encrypted, etc... Furthermore, it is largely immune to spam for a number of reasons.

    I find now that I only use email when registering for something (throwaway address), or for confirmation when I purchase something online. Everything email used to do, IM can do (if used properly... Staying online, logging, offline messages, confirmation, not using the AOL client, etc...)

    IM is by-and-large safe from SPAM due to the numerous restrictions placed on its use. Rate limits, authentication, etc... These things provide a layer of security, but also a layer of inconvenience.

    Were email to incorporate such restrictions, it would remove the last reason in the world to even be using it in the first place! Email is completely open. If email were to be restricted, it would become nothing more than a slower version of the current capabilities of IM.
  • Re:RFC1413 (Score:3, Insightful)

    by slamb ( 119285 ) * on Tuesday September 28, 2004 @01:07PM (#10375132) Homepage
    That wouldn't work:
    • It requires a connection back to the originating MTA. Slow.
    • The information returned would be useless - my machine would always say "postfix". Unless you're talking about a new identd linked with the mail server. But that's not what RFC1413 [faqs.org] says. It says the "owner of that connection" - that's always going to be postfix.
    • It includes no provision for telling if the machine shouldn't be sending this message at all.

    A good SASL setup, along with SPF, does far, far more for authenticated email. My machine has this: it rejects any inbound email claiming to be from one of my users' domains unless SASL-authenticated as that user. And has SPF records so other servers can reject messages from these domains unless they come from my server. Thus, it's very difficult to forge an email from my users' domains to a server with SPF checking enabled.

  • by Muerte2 ( 121747 ) on Tuesday September 28, 2004 @01:08PM (#10375155) Homepage
    Last time I checked email was a global technology. Am I the only one that thinks it's strange that the FTC (an entirely US organization) is making decisions about something like this? Isn't there a more appropriate international technology body that should be handling this? Ultimately this will have to become an ISO standard to get implemented across all mail serving platforms. Wouldn't it make sense to get a global consensus before the US starts making decisions about how best to deal with SPAM?

    I live in the US, but if I didn't I wouldn't want the US government telling me how to handle SPAM.
  • by PitaBred ( 632671 ) <slashdot&pitabred,dyndns,org> on Tuesday September 28, 2004 @01:12PM (#10375192) Homepage
    For any email server with a moderate load, do you even realize how much computation that is? Checksumming isn't a trivial process computationally. Besides, it'd make spam even easier. The checksums, etc. would all be the same, so all I'd have to do is respond with a canned reply to any query on a spam I (theoretically) sent. All the while this imposes a PENALTY on LEGITIMATE mail, because of the necessary individual calculations.
    Nice idea. It has some major flaws, though.
    And according to NetFlow [internet2.edu], mail still accounts for 1.19% of all packets, which isn't anything to sneeze at.
  • by gowen ( 141411 ) <gwowen@gmail.com> on Tuesday September 28, 2004 @01:13PM (#10375195) Homepage Journal
    Except everyone knows who the US spammers are. Drug importation is a massive business, employing millions of people worldwide. There are only a dozen US spammers individually responsible for nearly all the western world's spam. Your analogy is idiotic.
  • by Muerte2 ( 121747 ) on Tuesday September 28, 2004 @01:20PM (#10375248) Homepage
    The ISP that I work at did exactly that. We were getting on average 2 to 3 complaints a week about spam leaving our network from customer IP addresses. We're a relatively small ISP too! Not to mention the only fix was to call said customer and explain what an open relay/trojan is and then help them fix it. The time required to do this for each customer was pretty horrendous.

    So we decided to block that port outbound for all IPs unless a customer requests it (if they're running a mail server etc...). Very few people even notice, it works out pretty well actually.
  • by fleener ( 140714 ) on Tuesday September 28, 2004 @01:22PM (#10375260)
    Correct. My primary e-mail accounts have been spam-free for 3 years, since I started watching where and how I give people and web sites my address. Through a few simple measures you can protect a new address without the need for spam filters, with no need to hinder your regular personal and professional correspondence (assuming you don't correspond with spammers).

    The *only* spam I receive on my permanent accounts is an occasional worm-sent e-mail and a guessed-address spam every 3 or 4 months (and those have never led to more spam).

    People who piss and moan about spam (basically everyone) are refusing to accept that they live in a dangerous world. There was a time when people left their front door and windows unlocked. An ounce of prevention is worth a billion pounds of cure, in terms of spam.

    I'll never support an authentication system that costs me more money to send e-mail because I have zero need for an authentication system.

    People who don't use throw-away accounts for risky correspondence are having anonymous sex without a condom. Go ahead, mod me down because you don't believe me and think spam is just the cost of doing business on the Internet. It's not.

  • by praedor ( 218403 ) on Tuesday September 28, 2004 @01:33PM (#10375394) Homepage

    Yeah, right. IM. Pa-leeze. IM requires that the person you seek to contact has their fat ass planted 4-square in front of their computer or leaves it on 24/7. Email is very nice. It works regardless of the type of client you have. It will sit there waiting for you to check it, perhaps after a vacation, after actually getting off your ass and away from the computer to exercise, or whenever you decide to either fire up the computer or turn on your email client. Oh...IM also requires that your contactee be somewhat in the same timezone (besides sitting on their ass forever awaiting IM messages). Try to IM from California to NYC late in the afternoon. Try to IM someone on the opposite side of the globe.

    IM is cute, it is a nice way to reduce your productivity at work and waste time "chatting" back and forth about unimportant nonsense (movies, your new pants, the hot chick from apartment A, etc). Email ain't going away, and it most assuredly won't be replaced by IM, Jabber, IRC, ICQ, Yahoo Messenger, etc. Email works regardless of software/hardware platform, has no proprietary hooks in it (Microsnot tried with their SenderID scheme to add a proprietary hook into email). Nothing beats email for convenience and easy time-shifting.

  • by Anonymous Coward on Tuesday September 28, 2004 @01:40PM (#10375494)
    Spam is "horrific" and all (BTW I don't get more than 5 a year) but we certainly shouldn't even be considering ending it by choosing applications that will eliminate an open society.

    Why do you think Government inserted itself so awkwardly into the Spam Situation to begin with?

    Bipartisanship in any political matter is something you should always be suspicious of. Some people in high places in the US Government salivate for control of the Internet just as much as the totalitarian PRC.
  • by sphealey ( 2855 ) on Tuesday September 28, 2004 @01:45PM (#10375556)
    The only standard that will get accepted will be an open, patent-free one supported by the free software community.
    You are insufficiently paranoid ;-(

    How about an FTC regulation banning the use of any MTA which does not have commercial indemnification guaranteed by a licensed reinsurance firm? Because clearly in these dangerous times we cannot trust our e-mail to software written by Communist hippies who might even be from other countries.

    That is the kind of thing FOSS will be facing in the next four years.

    sPh

  • by irate_canadian ( 619208 ) on Tuesday September 28, 2004 @01:45PM (#10375565)
    I don't know about everyone else - but I hardly notice spam anymore. I mean, between gmail, thunderbird, and even hotmail (obviously not a definitive list) - I don't see it anymore. It's all filtered out automagically. I think this is a case of the government, once again, being a bit too slow on the uptake. Thanks for the thought guys, but we seem to be dealing with it fine ourselves.
  • by JimDabell ( 42870 ) on Tuesday September 28, 2004 @01:50PM (#10375623) Homepage

    an open standard (i.e., a standard with specifications that are public).

    In my mind, an "open standard" isn't just one anybody can read, but one that is open to anybody implementing it - which means patent-free. It's no good everybody being able to read the specifications if nobody is allowed to do anything with them.

  • by Arngautr ( 745196 ) on Tuesday September 28, 2004 @02:28PM (#10376003)
    You are largely correct, but I strongly disagree with the conclusions you draw. Why should we have to use images for email addresses just so a bot doesn't pick it up, why should we bow down to the spammers and hide contact info:

    fleener
    (email not shown publicly)

    Wouldn't it be nice if we could actually use email as it was intended?

  • by dubl-u ( 51156 ) * <2523987012@pota . t o> on Tuesday September 28, 2004 @02:57PM (#10376268)
    The *only* spam I receive on my permanent accounts is an occasional worm-sent e-mail and a guessed-address spam every 3 or 4 months (and those have never led to more spam).

    Then you're a lucky fellow. A few months back I enabled a bunch of aliases for common dictionary attack names, and those aliases are rising rapidly in volume. (That's fine with me, as they're just fed right to the Bayesian training program.) But eventually, it will spread, and your oh-so-pure address will be compromised.
