Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Spam IT

Meng Wong's Perspectives on Antispam 298

Posted by samzenpus
from the no-more-online-pharmacy dept.
netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."
This discussion has been archived. No new comments can be posted.

Meng Wong's Perspectives on Antispam

Comments Filter:
  • Not All People (Score:5, Insightful)

    by John Hasler (414242) on Wednesday February 15, 2006 @08:20PM (#14729124) Homepage
    > "The final solution to the phishing problem requires that people
    > use a whitelist-only, default-deny paradigm for email."

    No, the final solution to the phishing problem requires that stupid, gullible people use a whitelist-only, default-deny paradigm for email.

    Of course, that includes most of the human race...
    • Racist!! (Score:5, Funny)

      by EmbeddedJanitor (597831) on Wednesday February 15, 2006 @08:36PM (#14729210)
      People dumb enough to get phished probably think that whitelisting is something to do with the KluKluxKlan.
    • Re:Not All People (Score:2, Informative)

      by Anonymous Coward
      OK, oh so smart one. I'm so happy that you won't be fooled. The problem for the rest of us is that the phishing attempts are getting better, and legitimate email sometimes looks phishy.

      Take this quiz [mailfrontier.com] to see what I mean.

    • For instance ... Your MUA could still accept all email but any messages from senders not on your white list get flagged with a skull and cross bones, scripts are disabled and when you click on links the HAL/2001 sound clip "I'm sorry Dave, I can't do that" plays in Dolby 5.1 surround sound.

      Then, when you go to add "Phisher Man" to your white list, your MUA asks you some questions along the way:

      * is "Phisher Man" a financial institution?
      * is "Phisher Man" a personal friend?
      * is "Phisher Man" a merchant?

      etc.
    • you apparently mean "people who dont have my knowledge base."

      If a majority of the users of a class of products, or even a significant minority, are prone to using that product in a way that gives their identities away and makes their finances vulnerable, then the problem is NOT with the users.

      It is a design problem, or at best a serious unaddressed education problem.

      Blaming the customers when a large number of them repeatedly experience the exact same problem, is simply scapegoating the customers for the pr
    • Scores pretty well actually, but I still doubt it'll prevent it unless there's some big move toward default-deny in a way that forces people to consider it (i.e. Microsoft shipping the next version of Outlook Express with it on by default).

      Your post advocates a

      (x) technical ( ) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws wh

  • by khasim (1285) <brandioch.conner@gmail.com> on Wednesday February 15, 2006 @08:20PM (#14729125)
    To stop phishing, the banks and such have to STOP using email to communicate with their customers.

    The banks have your home address and your phone number.

    The only reason they use email is because it is incredibly cheap and allows them to attach advertising to their messages.

    If the banks were responsible for any losses due to phishing, you'd see them drop email overnight. Once the cost exceeds the benefits, it's gone.
    • My credit union has never started communicating with me via email. I wish they would use email for some purposes, though of course I would want it signed and encrypted with GPG. That isn't going to happen.
      • Because you know that they have never used it, you will be VERY careful if you ever receive a message claiming to be from them.

        Once they do start using it, they lose that edge.

        Something that has never happened before attracts a lot more of you attention than something that happens frequently. Something that happens frequently, but is a bit different this time, may be missed.
      • it depends on what they are communicating.
        FOr example something like:

        "We have detected an anomily with your acount, please contact your local bracnh immediatly" is pretty harmless.

        Send "We detected an anomoly with acount number 4856846353a34, please call 180005556565" is not harmless

        Or even:"Please check you account for important information" and don't provide a link.
      • Reminds me of ICQ - afaik they have never used their own service to contact their members. Nevertheless I'm recieving something like this every week since '97: "ICQ is going to charge a monthly fee if this message isn't going to be forwarded to at least 10 people on your contact list". While it is a widely known fact that ICQ is still free and that no company would ever put such decisions on customer feedback like this some people still seem to buy this kind of crap (otherwise I wouldn't recieve it).

        Nothi
    • by chill (34294)
      My bank doesn't have my home address, they have a PO Box. They do not have a phone number for me. I also have several friends who've retired and live on the road, in RVs. They have no permanent address. Hell, in the State of Oregon you can even change your address on your DL to read "Transient" if you live in an RV.

      I deal with my bank via ATMs, direct deposit and e-mail and that is the way I prefer it.

        Charles
      • by geekoid (135745) <dadinportland AT yahoo DOT com> on Wednesday February 15, 2006 @08:41PM (#14729242) Homepage Journal
        yes, becasue nobody did that before the internet....

        I would ne interested to know what bank allows only a PO Box for an account. I have some friends who say they need to get 15,000,000 into the country since a forgotten reletive of mine died.

        • by chill (34294)
          To open a bank account I had to show up in person and give them two forms of ID (DL and Passport in my case). It *is* possible to open an account via a telephone, but you'll have to have photocopies of your IDs notarized and faxed/mailed in.

          Use an address of a relative with the same last name or a PO box for the initial correspondence and then put in a "moved, no forwarding address" card. Voila! No address on record. Until they try and mail you something, they'll never know. I had an account with a Cre
      • The banks can still deal with you by having a login to their system (as most do now) where you can check your balance and such (and even send messages to their staff and receive them).

        There, almost all the functionality and none of the phishing issues.
    • It is not so much the communications as providing online services. You can con someone with snailmail just as easily as conning them with email. The difference is that it is easy to understand the postal paradigm. If you got a letter saying "Please sign all the checks in your checkbook and post them to Ima Crim at POBox xxxx" very few would do that.

      However very few people understand security or the distinction beween their computer and what's on the internet. To many it is just "the computer" and part of "t

      • That's totally true. I do tech support for the unwashed masses, and those with broadband will say, when questioned, that they're not connected to the Internet right now, meaning that they're not running IE at that particular moment. They can mess with their cable modem's connection to split to a TV, but having knocked out their Internet as a consequence they will call their computer manufacturer and not their cable company, because that couldn't possibly be the problem since the Internet is supposed to be i
    • If I might expand on that thought...

      The problem with the whitelist solution isn't just that banks and businesses use email to communicate, it's that they don't tell their customers what email address they use to send mail, and most use many. Take eBay for example. I get emails from outbidnotice@ebay, member@ebay, status@ebay, ect. and there's no reason to. Why can't all the emails just come from user-alert@ebay or some other such address and let the subject lines tell me what the email is regarding alone. I
      • Not only do they do as you say (use different email addresses), but they also use different DOMAINS. I forget if it was Bank of America or MBNA who was the worst offender.

        It's like certain banks are doing everything they can to make it easy to defraud their customers.
      • This is all pretty stupid. If banks use one email address to communicate with everybody, the phishers will spoof that address, that is all, and people will trust the phishing emails even more. I like the current scheme, where many of the phishing emails are quite distinguishable just by the originating address.
        • My point is Meng Wong says we all need to start using whitelists and this solution is simply not practical. To get an email you have to know what address it will be coming from beforehand, and businesses don't tell you this, and they want to use a differnt address for every situation making the whitelist maintainence a hassle.

          Yes, the phishers will all start to spoof the One True Address of the business, but if I'm using a whitelist then I'll only recieve those spoof emails on the account the business norma
    • If the banks were responsible for any losses due to phishing...

      Hm. First time I ever heard someone suggest that, in order to stop criminals, you have to punish their victims.

      I mean, I know we have a lot of "whack" social-engineering running around these days masquerading as "wisdom," but that one sure brought me up short.

  • Six: Let's create a world where the consensus reality is as inclusive as possible.
    I dunno. Smart cards are the big new thing in the US Department of Defense.
    Inclusive, they are not, but they seem to be quite effective.
    Once somebody arrives at a smart card used to implement DRM (quick: trademark DRMstick), society will transition from 'sheep' to 'card-carrying sheep'.
    • People have used smartcards to enforce DRM for many many years. Sattelite reciever boxes are a shining example.
  • Meh. (Score:5, Insightful)

    by FhnuZoag (875558) on Wednesday February 15, 2006 @08:23PM (#14729140)
    If we default-deny email, what do we have left?

    In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.
    • Re:Meh. (Score:4, Funny)

      by 2008 (900939) on Wednesday February 15, 2006 @09:19PM (#14729429) Journal
      In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.


      Now, I'm no historian, but I've heard that in the past there was a government provided courier service which would deliver messages on paper for a small fee. Perhaps that would work if we reimplemented it?

      Although, being serious, this lacks the (potential) anonymity of email, and involves giving out your physical address. Maybe we can persuade the postal service to provide free, (almost-)anonymous PO Box numbers?
    • Re:Meh. (Score:2, Insightful)

      by thext (88177)
      Some call it the telephone... *gasp*
      • Re:Meh. (Score:3, Insightful)

        by imsabbel (611519)
        Because you really want to give your telephone number to people you wouldnt trust not spamming your email account.
        Yeah right.
    • Re:Meh. (Score:3, Informative)

      by 1u3hr (530656)
      In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.

      One method is to have whitelisted mail, and bounce others with a message asking you to do something difficult to automate, eg pointing to a web page where they can type in a message, maybe with a captcha.

  • by 4D6963 (933028) on Wednesday February 15, 2006 @08:27PM (#14729153)
    Phishing is easy to recognize, well at least for us the leet slashdot geeks.

    But I still wonder why mail providers don't scan the typical phishing mails (PayPal and eBay) and check whether the links point to ebay or paypal's site or some obscure IP.

    I'm pretty sure that checking such typical phishing mails for their authenticity this way would help getting inboxes rid of it. My two cents..

    • Simple, because they won't know what to allow, and what not to allow without manualy checking all emails.

      I recived a phishing email the other domain, the Phishers 1) registered a domain that fitted into other domains the bank had, had the complete site down pat, had an ssl cert, the only thing that gave the page away as a phishing page, was that the extenstion was .aspx, and the form submit was a .pl file, the bank doesn't use that... that was the only difference, i'm quite quite sure, that even alot of sla
    • I'm sure someone has already posted this before, but this is a pretty good scenario of techniques used today:

      http://isc.sans.org/diary.php?storyid=1118 [sans.org]

      Snippets of your credit card info (the first part of the card number is usually the same for a issuer's customer base)
      Non-obfuscated links (not a link to a .ru domain)
      Valid SSL certificate
      Valid links to other credentialing organizations

      Most of us are aware of the typical phishing attempt. Message from your bank, paypal, ebay, etc asking you to log in to "veri
    • If ISPs scanned heavily on emails, what you would get are better and better phishing emails. It's what Darwin said for biology and applies as well for many fields. It may eventually get to a point where not even a slashdot geek will figure out.

      For your example a machine will need to know the email is supposely coming from a bank, who deceive that better will pass.

      From the white list point of view, it won't work if you expect to receive emails from any major company and from people you don't know yet.

      You cou
    • Phishing is easy to recognize, well at least for us the leet slashdot geeks.

      Sadly, we're not the target demographic for phishing attempts. If we were, my inbox probably would have stopped filling up with these emails long ago as they would have almost immediately ceased to become profitable!

      I still wonder why legitimate emails from places like PayPal aren't digitally signed. It probably wouldn't make a difference for the end user as I still feel most digital signing stuff for email isn't anywhere near th

  • Not workable (Score:3, Insightful)

    by Anonymous Coward on Wednesday February 15, 2006 @08:28PM (#14729162)
    The thing about email is you either will spend some of your time managing whitelists, or you'll spend some of your time managing spam. Likely some of both. But the idea of moving to a default-deny is not feasible for most people, because you often have to give your contact info out to someone you want email from -- AND YOU DON'T KNOW WHAT THEIR ADDRESS IS! So you can't whitelist them ahead of time. If a human is sending you the email, no big deal. Many times its not a human (receipt from a company, mailing lists I subscribe to, etc).
  • Too much trouble (Score:5, Interesting)

    by squeemey (925509) <lovecat99@hotmail.com> on Wednesday February 15, 2006 @08:28PM (#14729167)
    All this trouble would have been avoided by charging for email in the first place.

    My proposal:

    Charge 3 cents per letter. One cent goes to the ISP sending the mail, one cent to the ISP receiving the mail, and one cent to the recipient.

    The ISP on either end would credit/debit the sender/receiver's account.

    And watch the spam disappear.

    • by geekoid (135745)
      also, you would watch anominity disapear.
      For those of you playing at home that can think beyond your cube, this is a bad thing.

      otoh, charging after the first 1000 email per day may be a good compromise. Meaninging, if you don't have a CC on file, then it won't let you send more.

    • Charge 3 cents per letter. One cent goes to the ISP sending the mail, one cent to the ISP receiving the mail, and one cent to the recipient.

      The ISP on either end would credit/debit the sender/receiver's account.

      And watch the spam disappear.


      If it could be done, you might be right. Even so, the game would then change to, "How do I steal all those pennies?".
    • Won't work (Score:3, Insightful)

      by Animats (122034)
      As long as we have a zombie problem, that won't work. Spammers will take over user's PCs and run up their mail bills.

      This same problem applies to most source-based mail authentication systems.

      Nobody sends spam from their own server any more. That gets the spammer shut down, fast.

    • ... on a system that gives corporation a new avenue to collect revenue. If we allow ISPs to charge a penny per email this year then next year it'll be two cents, then five then a dime...

      Once you start down that road email will become a corporate revenue source and the abuse will start.
    • And watch the spam disappear.

      Also watch mailing lists disappear. Oh, and look how the spammers that are now using zombies to send spam now use them to send email to their account so they can make even more money while doing even more damage. I think you could check most of the options on the standard "your approach will not work" checklist.
  • Phishing isn't a problem for me; I simply ignore any unexpected email that has anything to do with money passwords or other stuff that has no business being in an unencrypted channel like email.

    I do use SPF and other methods to turn away crap at the smtp server (I see by the readout on my screen that I'm currently getting 0.647 emails per second; maybe two of those in a day will look genuine enough to be accepted by the server) but default deny is functionally the same as saying you don't use email.

    TWW

  • by Peter Cooper (660482) on Wednesday February 15, 2006 @08:31PM (#14729188) Homepage Journal
    I think whitelisting is a pretty good idea. My SpamAssassin-oriented setup kinda does things this way. That is, a non whitelisted mail has to be pretty squeaky clean to get through, whereas whitelisted addresses get straight through.

    But lately I've been hitting a different problem which totally destroys the point of e-mail in many cases for me. That is, idiotic sys admins who firewall out entire IP blocks for, seemingly, no reason.

    Just because someone several machines down the co-lo rack let their machine get hacked is no reason for mail server administrators to *firewall out* entire ranges of IP addresses. Lately I've seen some ridiculous behavior where users of the other mail server can't even e-mail people on MY server because the block is two-way! So I end up with users complaining that only certain e-mail addresses appear unmailable (because only a small percentage of sysadmins are stupid enough to block entire classes) but it's still a major PITA that makes e-mail useless for many people. The worst part is when you complain to these sys admins/ISPs, many of them proclaim innocence and believe they have no blocks.. but it's their upstream provider, etc, etc.

    I'm beginning to think that encouraging people to migrate over to systems like 'GMail for your domain' and the like are going to be the way to go. At least Google has teams of people working 24/7 keeping their machines whitelisted. Having the US government able to subpoena your private information is the least of your worries, as long as you can actually e-mail the people you need to.

    And no, schemes like SPF do not help this problem, since if they're blocking IP ranges outright at their firewall, nothing can break through that except mail proxying (which I've been considering).
    • What happens when I'm running a whitelist with the associated trust that is implied and my mom's computer gets zombied, emailing everyone in the address book?
      Whitelists simply don't address this issue.
  • by fred fleenblat (463628) on Wednesday February 15, 2006 @08:32PM (#14729189) Homepage
    Sometimes I wonder if there is a middle ground in the area of shared whitelists.

    If someone tries to email you, and they aren't on your whitelist but they are on the whitelist of someone who *is* on your whitelist, maybe let it through or at least give it some plus points for the filter based on how many degrees away they are.
    • Good thought, but there would be people on my whitelist, who I would want to exclude.

      Instead just use authentication. Not on your whitelist? it sends an email back asking if you are a real person. At which point it puts you on a temp list until you confirm or deny they email.
      • Instead just use authentication. Not on your whitelist? it sends an email back asking if you are a real person. At which point it puts you on a temp list until you confirm or deny they email.

        My ISP does exactly that if you have your anti-spam setting at High. Unless the sender's on your whitelist, it puts the message in a "suspect" folder and emails back a request for authentication. You have (I think; I don't bother with it myself.) 72 hours or so to reply, after which it's presumed spam.

    • There is a project to try and do this.
      From the website:
      LOAF is a simple extension to email that lets you append your entire address book to outgoing mail message without compromising your privacy. Correspondents can use this information to prioritize their mail, and learn more about their social networks. The LOAF home page is at http://loaf.cantbedone.org. [cantbedone.org]
  • by RiffRafff (234408) on Wednesday February 15, 2006 @08:37PM (#14729220) Homepage
    Seriously, it's not that bloody hard to figure out. No legitimate corporation is going to send you emails threatening your account "unless you log on and confirm this information."

    Look at it as the digital equivalent of the Survival Of The Fittest.

    • Only problem is that banks *really do* put links into mass-mailings announcing, e.g., new features which take you to websites. There was a good example posted earlier this week. Yes, the marketing team which decided "Hmm, lets reserve www.specialpromotionforBankOfStupid.com and direct all of our customers to go to it and enter their login information" deserved to be flown to Nigeria and shot by the undersecretary to Boutrain Gimulkembo for stealing his ONE HUNDRED MILLION DOLLARS ($100,000,000.00). But t
  • I say we should adapt education, not an e-mail whitelist. Some of us try that model for everything else in life.
  • If you moved to whitelist only email, some clever guy would write something to deactivate the whitelist mechanism -- whatever that took -- and then he'd be sending out highly-effective phishing spam.

    Some of it would get through, and the people who'd get it would be far more likely to trust it, as their expectation of trust would be higher.

    Similarly, if you get on a plane in the US, the window-dressing security probably makes you less safe: resources are pointlessly consumed when they could be spent on real
  • Even the least technically aware people are starting to realise what phishing is and the forms the scams take and are developing a healthy sceptisim of anything that arrives through e-mail. You only have to see a few scams for it to begin to register with people that e-mails may not be genuine no matter how convicing they look, thankfully the time taken to reach the current sophistication level has resulted in users having time to become aware of the frauds.

    The nigerian scams have been well covered, receiv
    • What about n00bs? (Score:4, Insightful)

      by Mr_Tulip (639140) on Wednesday February 15, 2006 @08:52PM (#14729301) Homepage
      What about n00bs? I very recently had to convince a friend that that nice lady from Sierra Leone was not _really_ going to give him $300,000.

      He only just got a PC, and has been oblivious to anything computer related for all his life. Suddenly, he gets a PC, an internet account, and he's told to go off and have fun.

      Seriously, I sometimes wish you needed a license to operate a computer.
    • I think sometimes we underestimate our users.

      I am not sure how you meant that, in sarcasm?

      Users will cut and paste a userlist from Exchange into a questionable site and with in days spam doubles for everyone and the user is innocent? I got hundreds of stories like this.

      It is why I asked to be off of the "public" work Exchange system.

      There are inexpensive solutions that work well and cause spammers grief but you need management support to do it as some user is going to whine that he can't get mail from

  • When a problem seems very very difficult, maybe it is being viewed in an incorrect way.

    Spam is a social problem, not primarily a technical one, and the solution is social.

    Here's a solution that would work if we had a real leader as president of the U.S., and not someone who is only interested in benefiting the rich.

    The president could, during a scheduled speech, ask people never to buy anything advertised with unsolicited email. He could talk about several ways such email is dishonest.

    It could be arranged that Oprah Winfrey ask people not to buy things from spam. Religious leaders could ask their congregations.

    This kind of solution has already worked. Everyone in the world knows to wash their hands; that has become part of human culture. We need to make anti-spam part of human culture.

    --
    Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?
    • Here's a solution that would work if we had a real leader as president of the U.S., and not someone who is only interested in benefiting the rich.

      The less people spend on spamvertized junk, Nigerian scams, phishing and other fraud, the more they have to spend on legitimate merchandise and services, often sold by business owned by rich people. Thus, cutting down on spam benefits the rich.

    • Spam is a social problem, not primarily a technical one, and the solution is social.

      No, it's an economic problem, thus the solution is an economic one. As long as it costs essentially nothing for the spammer to blast out a hundred million email messages, he or she will continue to do so, regardless of the social considerations. Make it cost even a tenth of a cent per recipent, and you'll reduce the probem by more than three orders of magnitude. But realistically, there's no reason why the payment sho

      • I don't know, yet, if I agree that paying for sending is the best solution. Its certainly _a_ solution that would do a lot to kill spam.

        I do however completely agree with your statement that it is an economic problem for the same reasons you've outlined. I wish I hadn't used my mod points already, because I don't think the GP post is very accurate and it is modded pretty highly.

        Asking people not to do something would probably just draw more attention to it. If the president got up and talked about spam enco
    • Spam is a social problem, not primarily a technical one, and the solution is social.

      This I equate with. Spam isn't so much different than having mobs on the street robbing people or too many DWI drivers on the road.

      Here's a solution that would work if we had a real leader as president of the U.S., and not someone who is only interested in benefiting the rich.

      Although the president of the USA is a very powerful person, free internet communications has a country like China, with guns, going amiss. The

    • Everyone in the world knows to wash their hands; that has become part of human culture.

      Oh, ummmmmmmmm, was I supposed to get a memo?

      KFG
    • Comparing this to washing hands is probably the best point you have. Like washing hands, it's regularly drummed into people's heads, and just as regularly goes ignored by a minimum of 30% of people [cleaning101.com].

      As for your idea of influential people decrying spam, it's pretty weak, since it assumes total obedience in those influenced. Marital infidelity is regularly condemned by Oprah and probably 99% of religious leaders (and usually by the president, although we should make an exception at least in the case of the la

  • by realmolo (574068) on Wednesday February 15, 2006 @08:45PM (#14729266)
    Seriously. Just create a central database of "valid" mail servers. Require anyone that wants to run a mail server to pay $25/year, and go through a "verification" process that shows they aren't spammers, and that their servers are setup correctly.

    Anytime an e-mail is sent, the receiver checks to see if they're in this "master database", if not, their mail is dumped. Obviously, you'd have some kind of public key encryption going on to prevent spoofing.

    Now, creating a central authority for mail servers would be difficult, but it's a hell of a lot easier than trying to change things on the CLIENT side.

    As for those of you saying "But I want to run my OWN mailserver! Why should I have to pay! And what if I want to run it in a way that doesn't meet the standards!".

    Well...fuck off. You don't need to run your own mailserver. There's just no valid reason to do so.
    • by suwain_2 (260792) on Wednesday February 15, 2006 @09:15PM (#14729415) Journal
      I don't think this would work in practice.

      Many hosting companies can fit 300+ clients onto one server. It's not uncommon for someone to signup and start using the account for spam. Most hosting companies take a very strict stance on this, and will immediately close the account. But spammers know they'll get a bit of spamming in before they're stopped.

      The problem is that the hosting company could show that their server wasn't being used for spam, but there's nothing stopping someone from beginning to use it that way. Not only would your method still allow spam, but it would, in theory, mark the spam as being entirely legitimate e-mail. Now imagine the e-mail wasn't spam, but phishing e-mails, marked as having come from an approved server.

      In addition, a server could 'turn' bad. I could register a server, and for a month or whatnot show you that I wasn't a spammer. One day I could just start spewing spam. $25/year really wouldn't be an impediment to too many spammers.

      Plus, some random organization (the e-mail certifiers) would be making a boatload of money, and would essentially have complete control over who could send mail and who couldn't. (Technically, people could ignore this whitelist. Just like you could, technically, ignore the existing .com database and start your own.)

      And there are plenty of valid reasons for running your own mailserver. My home ISP used to suck. My school now uses Lotus, which seems to not allow POP/IMAP access, and insists on a bloated e-mail client that really doesn't work well in anything but IE. (Even though it's supposed to.) There are spam filters, but they're not catching any of my spam; in fact, the only mail that it ever caught was a couple messages from one of my professors. Is this not a valid reason to run my own mailserver?

      I'm sorry, but I really don't feel that this idea is as good in reality as it looks on paper.
      • Why would the hosting company allow anyone on their system that sends spam? That would be part of the "verification" process I talked about: if you, as a hosting provider, are known to allow all kinds of spammers to use your system, you don't get on.

        Yeah, you could still have individual USERS sign-up for e-mail accounts, and use those to send spam, but those accounts can easily be deactivated. Plus, how many spammers are going to pay for a new e-mail account every day, just to send out a few thousand spa
    • You don't need to run your own mailserver. There's just no valid reason to do so.

      Says you.

      Is that really what we want the Internet to be? I thought the idea was to make information flow as freely (as in unhindered) and reliably as possible? Now you are proposing that there are services I CANNOT/SHOULD NOT run on the 'Net because YOU don't think I have a valid reason to do so?

      How's this for a valid reason to run my own mail server: I own a business and I want the flexibility to configure things b
    • You Personally advocate a

      ( ) technical ( ) legislative (x) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      (x) No one will be able to find the guy or collect the
  • The final solution ... requires that people use a whitelist-only

    Where have a heard this before?

  • by texaport (600120)
    Use a "graylist" for webmail clients: Highlight anything in an Inbox from a user or entity that has never mailed you.

    It provides useful service for legitimate mail (first contact) while making spam stand out even more than already.

    The smartest thing a spammer could do is send out a fake first mail, but then the user can already blacklist them.

    GMAIL certainly could implement it, while Yahoo and Hotmail probably have the capabilities if they'll admit to it.

    It demands nothing of the enduser other than

  • by jonwil (467024) on Wednesday February 15, 2006 @09:00PM (#14729347)
    Or if they do use email, they should use a digital signature that can be traced back to the bank and 100% verified.

    A big education campaign would also help (i.e. "never trust emails claiming to be from this bank" or "only trust emails claiming to come from this bank if the digital signature was valid" along with "never follow links in any emails claiming to be from this bank" and "If the email is legitimate, the same information will be available by logging into the online banking and checking the messages")

    If I got an email claiming to be from my bank, I would probobly delete it. If the information was geniune, it will appear on my online banking and/or a physical letter too.
  • I doubt this is her... All I remember her for was asking "Does the Black Hole suck in all the matter?!?" in a physics course, and the professor replying "There are only 3 kinds of orbits. There is no suck orbit."
  • by Llywelyn (531070) on Wednesday February 15, 2006 @09:25PM (#14729454) Homepage
    I recently attended a conference for a large project that mutliple companies are involved in. While there, I listed my email address with the express intent of having an individual contact me later with the minutes from the meeting and any additional information that may come along.

    If I had a default-deny system, I would need know what email address I would be mailed from, which I don't think they were organized enough to know ("someone loosely affiliated on some level with MITRE" isn't a valid whitelist criteria). When the emails did go out, many people hit "reply-all" and I was included in the discussion. I would need a client that was smart enough to figure out that I wanted to receive any replies to those messages.

    Then there is the ever-present problem of "oh yeah, everyone, I switched email addresses" after someone has moved. It would require the foresight of everyone to send those notifications *before* moving or keeping an offline contact list.

    Two other instances that come to mind are that a while back a senior engineer emailed me from his cell phone to tell me he wasn't coming in that day along with some brief instructions. Having never received email from that address, using a default-deny there wouldn't have been a good way for him to reach me at that time. I also have a bit of a website. That gets occasional email, and that is generally email I want to see.

    Some of the things that make email attractive to me--open communication, many people can reach me from a variety of sources, people who don't know me can reach me with legitimate reason--are the very things that make it attractive to phishers, spammers, and scam artists. There is no good solution to the latter without removing a large part of the utility of the medium.
  • Greylisting is doing pretty good for me at the moment.

    Once the spammers adapt to it, and they will, I'll have to find something else.

    One thing I'd like to do is to use SPF rules to identify the legitimate e-mail servers of some domains so that I can whitelist them to get around the greylist. The main reason for this is that if they are using RFC compliant servers, the e-mail is going to be delivered anyway. Except for Nigerian spams from hotmail.com, the big problem is zombie machines in people's homes.

  • RTFA (Score:3, Informative)

    by suwain_2 (260792) on Wednesday February 15, 2006 @09:43PM (#14729548) Journal
    What I took away from the article is that he's proposing a central authority (or a series thereof) that say "someone@somewhere.com is a real person's e-mail address." He is not proposing that you only accept mail from those who've already sent you mail; he's proposing that everyone in the world who uses e-mail be in this whitelist.

    I'm not usually one to say "RTFA," but the majority of the comments right now have nothing to do with the article.
  • How did I do it?

    Simple:

    http://www.kuro5hin.org/story/2004/3/16/13579/3506 [kuro5hin.org]

    I track my email carefully, I use unique email aliases for all the websites I visit, I use special aliases for the mailing lists I'm on, I provide images to interpret for people trying to contact me, and I give out my "real" email address to close friends and family *only*.

    I haven't been sent a spam that I couldn't immediately block--permanently--ever since I implemented this scheme. It was bliss turning off bogofilter for the last ti
    • You Personally advocate a

      (x) technical ( ) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the
    • I think this is ultimately the correct approach. I'm currently in the process of implementing something similar for my home email. Each user will get a base email address (say, foo at dreezel.org). Only whitelisted addresses will be delivered to that address; all other mail will bounce.

      The user can create new, or targetted email alias from that base, say foo.slashdot at dreezel.org. If the user is very educated, they can create access lists for each specialized address. Otherwise, the aliases are default-ac
  • by clambake (37702) on Wednesday February 15, 2006 @10:33PM (#14729774) Homepage
    Greylisting is the answer, because it works on the behavior of the spammer, something that cannot change easily, not on the content, something that changes with every message. If spammer cannot send as many emails as possible, as fast as possible, then the price of spam goes up dramatically. To overcome greylisting, a spammer must be willing to implement a full mail-server on thier end. In current implementations they must be willing to queue messages for resending, and must be on a traceable, non-changing IP that will not go down for at least an hour after the last message they sent went out. It forces spammers to be responsible. No more "fire and forget" style mass mailings. And the great thing about it is there is no defense, no way a spammer can change his stripes and still be capable of the volume of email that made spamming so profitable.

    If you don't implement even a five minute greylist on yur mailserver, stop what you are doing and go implement it now [puremagic.com].
  • A Radical Solution (Score:3, Insightful)

    by superchi (751308) on Wednesday February 15, 2006 @10:41PM (#14729813)
    I propose a better solution to the e-mail system.

    We should change the way e-mail works from the ground up. Currently, the sender's server will send the message to the recipient server where it waits until the client downloads the message. Instead of this, an interesting idea would be to have the sender server HOLD the e-mail message and simply send a notice to the recipient's server that a message awaits. When the client connects, depending on his software configuration, he will download the message from the sender's server or click on a link to go download the message from the sender's server.

    What does this accomplish? We add the ability to flag messages as spam or virii. Depending on the sender's server's configuration, if a message gets too many flags, it will block the message from being downloaded in the future. Here's an example of this in action. Spammer sends out 100 messages for V1agR@. The 1st, 5th, and 7th readers are dilligent and mark the message as spam. The server's threshold is 3 warnings and then deletes the message. The message never gets to recipients 8 to 100. The user's account is suspended, and the spammer becomes drastically less effective.

    There are other positive side effects to this scheme. Internally, my company will send out big files to one another. Instead of always using a server share, some people e-mail these big files to multiple recipients. If one person e-mails a 20MB file to 10 people, that'll be 200MB of consumed space for the recipients' servers. In a sender-hosted e-mail system, it will still just be 20MB.

    Drawbacks to this scheme? Let's say the spammer sets up his own e-mail server and sends out spam from that. Recipients flag it, but the sender's server is configured to ignore the flags. If this were to happen, the spam is still not as effective because the recipient only wlil get a notification that mail exists. The notification would probably be limited to something like 128 characters of text for a subject. The sender's address can't be as easily spoofed because it still must be able to resolve to the sender's server. And better yet, if the ISP is cooperative, reports of this type of abuse to the ISP could lead to the ISP taking legal/criminal actions against violators of their Terms of Service. If the sender wants their message sent, they need to keep their server connected to the ISP, thus making it a lot easier to physically trackdown. If the ISP doesn't care, then we simply add the ISP to a blacklist.

    Another side effect is that now the recipient needs to rely on both his e-mail server and the sender's server to be online to get a message, but this should be trivial. Also the server must retain the message for long enough time for the recipient to download the message. This should also be trivial, and in my opinion, it's better to put the onus on the sender instead of the recipient. For example, if the recipient goes on vacation for a few days and comes back to find his mailbox quota is full and he lost a lot of messages, it is quite annoying, and this proposed solution will not have that problem.

    The biggest drawback is that this is a fairly major overhaul to the e-mail system. It would probably have to be done in phases where there is one phase that most servers support both types of e-mail protocols. I think it's worth the effort.
  • or if you are thinking about running a mail server , you should take the time to read this page

    http://www.acme.com/mail_filtering/ [acme.com]

    its not the be all and end all, but there are several very very good ideas.

    OAM
  • Fidonet anyone? (Score:3, Insightful)

    by ringm000 (878375) on Wednesday February 15, 2006 @11:14PM (#14729947)
    Remember Fidonet? It had no anonymity, and had responsibility delegation. If you were not a "node" of the network, you could still participate as a "point". In this case, you had no responsibility to the network, but your "boss" (the network node you connected through) was responsible for all your actions (and he knew who you were and you could get beaten if you're doing something wrong, e.g. if you start spamming).

    Why don't we use this model? Introduce a backbone network of mutually trusting certificate authorities, and require all mail to be signed with a valid certificate. It is the backbone member's responsibility to take due actions in case anyone having their certificate starts sending spam (revoke certificate, prosecute the user, etc), or else the member will be kicked off the backbone. The backbone member may delegate the right to issue certificates, but the responsibility still holds.

    This scheme would make the backbone members know who their users and child authorities are, and prosecute the violators. You would still be able to have a free anonymous mailbox to receive mail, but the sender identity would always be revealed, and you would always be responsible for what you're sending.

    Unfortunately it's obvious that if we retain an open non-whitelisting scheme, we HAVE to give up anonymity to prevent spam. There should be an easy way to find, block and prosecute the violators, in all other cases spam will continue.

  • I have always wished that sites would implement a version of semi- public key encryption. When I log on to paypal or my bank or whatever I want all my communication with them to be automatically signed by my semi-public key. It isn't truly public, but I can use it to verify the authenticity of sender. One key pair for each of the critical communications senders sending to me. A lot of email clients have close to this capability built right in with their public key encryption, but not a lot of automated syst
  • I'm sorry to say this, but the Phishing problem would only a problem for idiots if companies stopped using email as an official means of communication.

    What we really need is a method other then a simple password to authenticate. We need real a real bidirectional authentication method that's easy to use.

    Here's one idea: Give the user something like a USB thumbdrive, you could even make it Bluetooth, it doesn't matter because a user would need to type in a password, and all sessions with it would be encr
  • by null etc. (524767) on Thursday February 16, 2006 @12:34AM (#14730234)
    The real problem is a lack of centralized mechanisms for verifying the identity and ownership of a website. Nearly all phishing attacks would be rendered useless if a user could click on an icon somewhere within the browser (and not the web page) that would tell you "This site is in fact owned and operated by Central Bank of Manhattan, Inc., whose address is x, phone number is y, and tax id is n" etc.

    As phishing scams get more elaborate, even saavy users such as myself have to go through complicated steps just to verify the identity of a website. i.e. whois, verification of SSL certificates, etc. No average user should have to become a detective in order to verify that www.chase.com belongs to the same Chase bank that issues his credit card. Especially when it's an URL such as chasenetaccesss.com or chaseonlinebanking.com, etc.

    The point is to make faking or forging the identity of ownership much more difficult than the current state of affairs, which is deciding whether or not to believe that www.ebaysecurityreinstatement.com is a valid eBay website or not.

  • by Vainglorious Coward (267452) on Thursday February 16, 2006 @02:06AM (#14730576) Journal

    SPF is a failure. Unlike the submitter, its proponents don't even pretend that it's an anti-spam method (there are more spam messages with SPF than ham), focussing instead on its authentication promise. Now it seems even Meng has abandoned that as being worth anything if the FUSSP [rhyolite.com] is whitelist-only. Imagine that - saving email by destroying it!


    Email has been a phenomenal success because it costs close to zero to contact people with whom you otherwise would never easily be able to communicate. UBE is a problem precisely because it costs close to zero to contact people with whom you otherwise would never easily be able to communicate. Any FUSSP that destroys either of those two qualities, cost and ubiquity, is a cure that's worse than the disease.

The tree of research must from time to time be refreshed with the blood of bean counters. -- Alan Kay

Working...