Meng Wong's Perspectives on Antispam
netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."
Phishing is easy to recognize (Score:5, Informative)
But I still wonder why mail providers don't scan the typical phishing mails (PayPal and eBay) and check whether the links point to ebay or paypal's site or some obscure IP.
I'm pretty sure that checking such typical phishing mails for their authenticity this way would help rid inboxes of it. My two cents..
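The check this comment proposes, written out as an added example (it is not code from the commenter or from any provider): walk every anchor in an HTML mail body and flag links whose host is a raw IP, whose visible text names one host while the href goes to another, or whose host lies outside the domains of a brand the mail names. The brand-to-domain table, the sample bodies and the `registrable()` helper (last two labels, no Public Suffix List) are constructed for this illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample table for the two brands the comment names: the domains
# their legitimate mail links to. A provider would maintain a real list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host name. Adequate for the .com brands above;
    a real filter would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body):
    """Return [(href, reason)] for links a brand-impersonating mail should not
    carry. Each link gets at most one reason, in order of severity."""
    collector = _LinkCollector()
    collector.feed(html_body)
    named_brands = [b for b in BRAND_DOMAINS if re.search(b, html_body, re.I)]
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        if is_ip_literal(host):
            findings.append((href, "link target is a raw IP address"))
            continue
        # Visible text that looks like a URL must agree with the real target.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable(shown) != registrable(host):
            findings.append((href, f"visible text shows {shown} but link goes to {host}"))
            continue
        for brand in named_brands:
            if registrable(host) not in BRAND_DOMAINS[brand]:
                findings.append((href, f"body names {brand} but link host is {host}"))
                break
    return findings


# Constructed sample bodies (203.0.113.0/24 and .example are reserved ranges/names).
SAMPLE_PHISH = """<html><body>
<p>Dear PayPal member, your account has been limited.</p>
<p>Please <a href="http://203.0.113.9/cgi-bin/webscr">click here</a> to restore access.</p>
<p>Or visit <a href="http://paypal.com.secure-login.example/">https://www.paypal.com/</a></p>
</body></html>"""

SAMPLE_LEGIT = """<html><body>
<p>You sent a payment. <a href="https://www.paypal.com/activity">View details</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_PHISH):
        print(f"SUSPICIOUS {href}: {reason}")
    print("legit findings:", suspicious_links(SAMPLE_LEGIT))
```

The first two rules are cheap and rarely wrong; the third (any off-brand link in a mail that names the brand) is noisy on its own, since legitimate newsletters link to partners and trackers, which is one reason providers pair content checks like this with sender authentication such as SPF rather than relying on either alone.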
Re:Default deny is dumb. (Score:3, Informative)
I deal with my bank via ATMs, direct deposit and e-mail and that is the way I prefer it.
Charles
Re:Not All People (Score:2, Informative)
Take this quiz [mailfrontier.com] to see what I mean.
Re:bzzzzzzzzzt wrong! (Score:3, Informative)
I run my own mail server and have it set to do things like:
- *REQUIRE* SSL/TLS + AUTH to send/receive mail if you have an account on my system
- Bounce, as if my address doesn't exist, any non-whitelisted e-mail
- ClamAV, updated twice daily, just to be extra safe
-Charles
RTFA (Score:3, Informative)
I'm not usually one to say "RTFA," but the majority of the comments right now have nothing to do with the article.
Re:The simple solution... (Score:1, Informative)
Why? My guesses:
- Someone sniffs network packets for e-mail addresses in transit.
- A 'trusted' website I do business with has been hacked or has sold on information against its published policy
- Someone with my e-mail address (most likely my silver-haired relatives) caught a virus that plundered their address book.
Bayes filters do not achieve '99.9%' (Score:4, Informative)
That said, filters can remove 98% of spam with about 0.1% false positives, which makes them pretty useful. Most, but not all, of those 1-in-1000 false positives are marginal anyway.
If you're interested in doing your own tests, there's a free toolkit and corpus with 92,000 messages.
Re:Meh. (Score:3, Informative)
One method is to have whitelisted mail, and bounce others with a message asking you to do something difficult to automate, e.g. pointing to a web page where they can type in a message, maybe with a captcha.
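The two whitelist-only schemes above (bounce unknown senders as if the address did not exist, or bounce them with a pointer to a challenge page) share one mechanism, shown here as an added example that is neither commenter's code. Everything below is an assumption for illustration: the `CHALLENGE_URL`, the `DefaultDenyFilter` class and its `handle`/`confirm` methods, and the injectable clock. The HMAC in the link binds a confirmation to one sender address and one issue time, so a harvested link cannot be replayed for a different address or after it expires; the captcha on the page, not the HMAC, is what keeps a bot from completing it.

```python
import hashlib
import hmac
import time
from email.utils import parseaddr
from urllib.parse import urlencode

# Hypothetical confirmation page served by the recipient's own mail host.
CHALLENGE_URL = "https://mail.example/confirm"


class DefaultDenyFilter:
    """Accept mail only from whitelisted senders; everyone else gets a bounce
    that reads like 'no such user' but carries a one-time confirmation link."""

    def __init__(self, whitelist, key, ttl=7 * 86400, now=time.time):
        self.whitelist = {a.lower() for a in whitelist}
        self.key = key      # per-installation secret (bytes), kept off the wire
        self.ttl = ttl      # how long a challenge link stays valid, seconds
        self.now = now      # injectable clock so the flow can be tested

    def token(self, addr, issued):
        """HMAC-SHA256 over (sender, issue time); only the holder of self.key
        can mint or verify one, so the confirmation page cannot be forged."""
        msg = f"{addr.lower()}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def handle(self, envelope_from):
        """Decision for one incoming message: ('accept', None) or ('bounce', text)."""
        addr = parseaddr(envelope_from)[1].lower()
        if addr in self.whitelist:
            return "accept", None
        issued = int(self.now())
        query = urlencode({"s": addr, "t": issued, "h": self.token(addr, issued)})
        text = ("550 5.1.1 Recipient address rejected: User unknown\n"
                "If a person sent this, confirm once at "
                f"{CHALLENGE_URL}?{query}")
        return "bounce", text

    def confirm(self, addr, issued, presented):
        """Called by the web side with the link's query parameters after the
        sender has passed the captcha. Constant-time compare on the token."""
        if self.now() - issued > self.ttl:
            return False
        if not hmac.compare_digest(presented, self.token(addr, issued)):
            return False
        self.whitelist.add(addr.lower())
        return True


if __name__ == "__main__":
    f = DefaultDenyFilter(["friend@example.org"], key=b"k" * 32)
    print(f.handle("Friend <friend@example.org>"))
    status, text = f.handle("stranger@example.net")
    print(status)
    print(text)
```

One caveat a practitioner would add: the bounce goes to whatever address the message claimed as its sender, and spam routinely forges that, so a challenge scheme generates backscatter to innocent third parties unless it is only sent for mail that passes sender authentication.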
Re:p2p whitelists anyone? (Score:2, Informative)
From the website:
LOAF is a simple extension to email that lets you append your entire address book to outgoing mail message without compromising your privacy. Correspondents can use this information to prioritize their mail, and learn more about their social networks. The LOAF home page is at http://loaf.cantbedone.org. [cantbedone.org]
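The page quotes only LOAF's description, not its encoding, so the following is an added example rather than LOAF's own code: one way to "append your entire address book without compromising your privacy" is to attach a Bloom filter of hashed addresses. A recipient can test whether a particular address is in your book (and so rank a newcomer who is a friend of a friend above a stranger) but cannot read the book back. The filter parameters, the `X-LOAF`-style header encoding, the helper names and the Alice/Bob/Carol scenario are all assumptions made for this illustration.

```python
import base64
import hashlib
import math


class AddressBookFilter:
    """Bloom filter over lower-cased e-mail addresses. The bit array only
    answers membership queries for addresses the querier already knows."""

    def __init__(self, m_bits=8192, k=4):
        self.m = m_bits
        self.k = k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, addr):
        # k indexes taken from consecutive 4-byte slices of SHA-256(address)
        digest = hashlib.sha256(addr.strip().lower().encode()).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m

    def add(self, addr):
        for p in self._positions(addr):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, addr):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(addr))

    def to_header(self):
        """Base64 body for a hypothetical X-LOAF mail header."""
        return base64.b64encode(bytes(self.bits)).decode()

    @classmethod
    def from_header(cls, value, m_bits=8192, k=4):
        f = cls(m_bits, k)
        f.bits = bytearray(base64.b64decode(value))
        return f


def false_positive_rate(n_addresses, m_bits=8192, k=4):
    """Standard Bloom filter estimate after inserting n addresses."""
    return (1 - math.exp(-k * n_addresses / m_bits)) ** k


def build_filter(address_book):
    f = AddressBookFilter()
    for a in address_book:
        f.add(a)
    return f


def friends_of_friends(sender, filters_from_correspondents):
    """Names of my known correspondents whose attached filter contains
    `sender`; an empty list means nobody I know has heard of them."""
    return sorted(who for who, hdr in filters_from_correspondents.items()
                  if sender in AddressBookFilter.from_header(hdr))


# Constructed scenario: Alice corresponds with Bob and Carol, who each
# attached their address-book filter to mail they sent her.
RECEIVED_FILTERS = {
    "bob@example.org": build_filter(["alice@example.com", "carol@example.org",
                                     "dave@example.net"]).to_header(),
    "carol@example.org": build_filter(["alice@example.com", "bob@example.org"]).to_header(),
}

if __name__ == "__main__":
    for newcomer in ("dave@example.net", "mallory@example.invalid"):
        print(newcomer, "vouched for by", friends_of_friends(newcomer, RECEIVED_FILTERS))
    print("estimated false-positive rate at 100 contacts:", false_positive_rate(100))
```

The privacy property is only as strong as the guessability of the addresses: anyone holding the filter can test candidate addresses one by one, so a sender's book is hidden from a casual reader but not from someone willing to run a dictionary of likely correspondents against it. A false positive makes the filter claim an address that was never added, which here would only raise a stranger's priority, so the parameters should keep that rate well below the spam rate the recipient is filtering.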
Re:It's not just the fact banks use it. (Score:2, Informative)
I.e., a whitelist. But the trick isn't that the client blocks everyone else, it's that they make sure the reader knows they are suspicious looking, and don't let people click links or view images or html without some work.
There are almost no ways for a client to determine if an email is legit in what it is claiming or not, that would require strong AI, but there are plenty of ways for it to determine that it's seen emails from that person before.
Possibly you could make it even stronger with a more specific category for 'business emails', where they have to be signed with PGP, and the key has to be downloadable from an SSL website, which properties the user sees in big letters before he adds it to 'known businesses'.
Re:Spam is a social problem, not a technical one. (Score:3, Informative)
Comparing this to washing hands is probably the best point you have. Like washing hands, it's regularly drummed into people's heads, and just as regularly goes ignored by a minimum of 30% of people [cleaning101.com].
As for your idea of influential people decrying spam, it's pretty weak, since it assumes total obedience in those influenced. Marital infidelity is regularly condemned by Oprah and probably 99% of religious leaders (and usually by the president, although we should make an exception at least in the case of the last president ;) ). It still happens all the time.