Meng Wong's Perspectives on Antispam

netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."

Not All People

[John Hasler]

> "The final solution to the phishing problem requires that people
> use a whitelist-only, default-deny paradigm for email."

No, the final solution to the phishing problem requires that stupid, gullible people use a whitelist-only, default-deny paradigm for email.

Of course, that includes most of the human race...

Default deny is dumb.

[khasim]

To stop phishing, the banks and such have to STOP using email to communicate with their customers.

The banks have your home address and your phone number.

The only reason they use email is because it is incredibly cheap and allows them to attach advertising to their messages.

If the banks were responsible for any losses due to phishing, you'd see them drop email overnight. Once the cost exceeds the benefits, it's gone.

Meh.

[FhnuZoag]

If we default-deny email, what do we have left?

In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.

Not workable

[Anonymous Coward]

The thing about email is you either will spend some of your time managing whitelists, or you'll spend some of your time managing spam. Likely some of both. But the idea of moving to a default-deny is not feasible for most people, because you often have to give your contact info out to someone you want email from -- AND YOU DON'T KNOW WHAT THEIR ADDRESS IS! So you can't whitelist them ahead of time. If a human is sending you the email, no big deal. Many times its not a human (receipt from a company, mailing lists I subscribe to, etc).

Or maybe just don't click on obvious emails

[RiffRafff]

Seriously, it's not that bloody hard to figure out. No legitimate corporation is going to send you emails threatening your account "unless you log on and confirm this information."

Look at it as the digital equivalent of the Survival Of The Fittest.

Re:Too much trouble

[geekoid]

also, you would watch anominity disapear.
For those of you playing at home that can think beyond your cube, this is a bad thing.

otoh, charging after the first 1000 email per day may be a good compromise. Meaninging, if you don't have a CC on file, then it won't let you send more.

Re:Too much trouble

[Neil Blender]

Charge 3 cents per letter. One cent goes to the ISP sending the mail, one cent to the ISP receiving the mail, and one cent to the recipient.

The ISP on either end would credit/debit the sender/receiver's account.

And watch the spam disappear.

If it could be done, you might be right. Even so, the game would then change to, "How do I steal all those pennies?".

Spam is a social problem, not a technical one.

[Futurepower(R)]

When a problem seems very very difficult, maybe it is being viewed in an incorrect way.

Spam is a social problem, not primarily a technical one, and the solution is social.

Here's a solution that would work if we had a real leader as president of the U.S., and not someone who is only interested in benefiting the rich.

The president could, during a scheduled speech, ask people never to buy anything advertised with unsolicited email. He could talk about several ways such email is dishonest.

It could be arranged that Oprah Winfrey ask people not to buy things from spam. Religious leaders could ask their congregations.

This kind of solution has already worked. Everyone in the world knows to wash their hands; that has become part of human culture. We need to make anti-spam part of human culture.

--
Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?

What about n00bs?

[Mr_Tulip]

What about n00bs? I very recently had to convince a friend that that nice lady from Sierra Leone was not _really_ going to give him $300,000.

He only just got a PC, and has been oblivious to anything computer related for all his life. Suddenly, he gets a PC, an internet account, and he's told to go off and have fun.

Seriously, I sometimes wish you needed a license to operate a computer.

Banks should not use email

[jonwil]

Or if they do use email, they should use a digital signature that can be traced back to the bank and 100% verified.

A big education campaign would also help (i.e. "never trust emails claiming to be from this bank" or "only trust emails claiming to come from this bank if the digital signature was valid" along with "never follow links in any emails claiming to be from this bank" and "If the email is legitimate, the same information will be available by logging into the online banking and checking the messages")

If I got an email claiming to be from my bank, I would probobly delete it. If the information was geniune, it will appear on my online banking and/or a physical letter too.

Re:We need SERVER authentication, not user

[suwain_2]

I don't think this would work in practice.

Many hosting companies can fit 300+ clients onto one server. It's not uncommon for someone to signup and start using the account for spam. Most hosting companies take a very strict stance on this, and will immediately close the account. But spammers know they'll get a bit of spamming in before they're stopped.

The problem is that the hosting company could show that their server wasn't being used for spam, but there's nothing stopping someone from beginning to use it that way. Not only would your method still allow spam, but it would, in theory, mark the spam as being entirely legitimate e-mail. Now imagine the e-mail wasn't spam, but phishing e-mails, marked as having come from an approved server.

In addition, a server could 'turn' bad. I could register a server, and for a month or whatnot show you that I wasn't a spammer. One day I could just start spewing spam. $25/year really wouldn't be an impediment to too many spammers.

Plus, some random organization (the e-mail certifiers) would be making a boatload of money, and would essentially have complete control over who could send mail and who couldn't. (Technically, people could ignore this whitelist. Just like you could, technically, ignore the existing .com database and start your own.)

And there are plenty of valid reasons for running your own mailserver. My home ISP used to suck. My school now uses Lotus, which seems to not allow POP/IMAP access, and insists on a bloated e-mail client that really doesn't work well in anything but IE. (Even though it's supposed to.) There are spam filters, but they're not catching any of my spam; in fact, the only mail that it ever caught was a couple messages from one of my professors. Is this not a valid reason to run my own mailserver?

I'm sorry, but I really don't feel that this idea is as good in reality as it looks on paper.

It Really Isn't That Simple

[Llywelyn]

I recently attended a conference for a large project that mutliple companies are involved in. While there, I listed my email address with the express intent of having an individual contact me later with the minutes from the meeting and any additional information that may come along.

If I had a default-deny system, I would need know what email address I would be mailed from, which I don't think they were organized enough to know ("someone loosely affiliated on some level with MITRE" isn't a valid whitelist criteria). When the emails did go out, many people hit "reply-all" and I was included in the discussion. I would need a client that was smart enough to figure out that I wanted to receive any replies to those messages.

Then there is the ever-present problem of "oh yeah, everyone, I switched email addresses" after someone has moved. It would require the foresight of everyone to send those notifications *before* moving or keeping an offline contact list.

Two other instances that come to mind are that a while back a senior engineer emailed me from his cell phone to tell me he wasn't coming in that day along with some brief instructions. Having never received email from that address, using a default-deny there wouldn't have been a good way for him to reach me at that time. I also have a bit of a website. That gets occasional email, and that is generally email I want to see.

Some of the things that make email attractive to me--open communication, many people can reach me from a variety of sources, people who don't know me can reach me with legitimate reason--are the very things that make it attractive to phishers, spammers, and scam artists. There is no good solution to the latter without removing a large part of the utility of the medium.

Re:Phishing is easy to recognize

[powerspike]

Simple, because they won't know what to allow, and what not to allow without manualy checking all emails.

I recived a phishing email the other domain, the Phishers 1) registered a domain that fitted into other domains the bank had, had the complete site down pat, had an ssl cert, the only thing that gave the page away as a phishing page, was that the extenstion was .aspx, and the form submit was a .pl file, the bank doesn't use that... that was the only difference, i'm quite quite sure, that even alot of slashdots would of been fooled by something that complex. Now if the ISP personal that's checking theese things, doesn't use the same bank as me, HOW would they know ?

Won't work

[Animats]

As long as we have a zombie problem, that won't work. Spammers will take over user's PCs and run up their mail bills.

This same problem applies to most source-based mail authentication systems.

Nobody sends spam from their own server any more. That gets the spammer shut down, fast.

Re:Phishing is easy to recognize

[Hunter-Killer]

I'm sure someone has already posted this before, but this is a pretty good scenario of techniques used today:

http://isc.sans.org/diary.php?storyid=1118 [sans.org]

Snippets of your credit card info (the first part of the card number is usually the same for a issuer's customer base)
Non-obfuscated links (not a link to a .ru domain)
Valid SSL certificate
Valid links to other credentialing organizations

Most of us are aware of the typical phishing attempt. Message from your bank, paypal, ebay, etc asking you to log in to "verify" your info. Old hat.

How about this: You get an email newsletter from Newegg or Amazon. Look, a brand new HP Laserjet printer for only $3.99. Whoa, those guys screwed up! You click the link, and sure enough, the price is valid, though they undervalued the printer by a factor of 100. You're lucky, there's only three left in stock (but don't worry, there's more on the way!) You log into your account; heart pounding, racing to get your order submitted and shipped before the price is corrected.

Congratulations, you've just been hit by a targeted phishing scheme.

Spam is an economic problem, not a social problem

[Eric Smith]

Spam is a social problem, not primarily a technical one, and the solution is social.

No, it's an economic problem, thus the solution is an economic one. As long as it costs essentially nothing for the spammer to blast out a hundred million email messages, he or she will continue to do so, regardless of the social considerations. Make it cost even a tenth of a cent per recipent, and you'll reduce the probem by more than three orders of magnitude. But realistically, there's no reason why the payment shouldn't be much higher. Why should I bother reading email from a stranger if the stranger wasn't willing to spend ten cents or perhaps even a quarter on sending it? The obvious solution is a micropayment system, with an SMTP extension so that the recipient can adjust how much he or she charges to receive unsolicited email, and a sender can adjust how much he or she is willing to spend to send the email. Both the sender and recipient can make exceptions, e.g., the recipient can charge no money to senders on his or her whitelist, and an opt-in mailing list sender can set the maximum payment to zero. The problem is that there is no effective way to handle direct peer-to-peer micropayments, so a clearinghouse is needed. Ideally there would be multiple competing clearinghouses, with gateways between them. If Joe tries to send Bob an email, for which Bob wants to be paid $0.001, the payment might go from Joe to his clearinghouse to Bob's clearinghouse to Bob, with each clearinghouse taking a percentage as a fee. Joe and Bob would probably settle with their clearinghouses every month or every quarter. The percentage would probably be somewhere between 5% and 30% of the payment. If a spammer tries to blast out ten million email messages without making prior arrangements with his clearinghouse for payment, his clearinghouse is going to reject all payment requests beyond the spammer's credit limit, thus very few spam messages will actually be sent.

Re:Meh.

[thext]

Some call it the telephone... *gasp*

Re:It's not just the fact banks use it.

[thext]

This is all pretty stupid. If banks use one email address to communicate with everybody, the phishers will spoof that address, that is all, and people will trust the phishing emails even more. I like the current scheme, where many of the phishing emails are quite distinguishable just by the originating address.

The solution isn't only technological

[Via_Patrino]

If ISPs scanned heavily on emails, what you would get are better and better phishing emails. It's what Darwin said for biology and applies as well for many fields. It may eventually get to a point where not even a slashdot geek will figure out.

For your example a machine will need to know the email is supposely coming from a bank, who deceive that better will pass.

From the white list point of view, it won't work if you expect to receive emails from any major company and from people you don't know yet.

You could do great use of technology to avoid phishing, like forcing users to use a smart card connected to their computers and charging an insurance from those who don't, instead of only using simple (almost) static strings for authentication.

But the definitive solution isn't only technological, some people will prefer to don't use those smartcards, smartcards will have defects. You need other approaches together.

A bizarr effect of technology only aproaches is what we are seeing today on spam. Spam filters today are really good, at least the filters I use, but they let pass a few spams. That's great right? From the point of the sys admin that avoid bouncing and storing emails it may be.

But on the spammer side it incentives their activity, because whoever pass that layer of filters will get exclusive access to the "market", and much more "profit". So you see little decrease on virus creation, hacking and the amount of traffic getting to your firewall.

To defeat spam and phishing we need to attack the other side of the equation: making spam more expensive and more risky (some may also say making the damage of the risk higher but, for me, that sounds draconian and a cheap response to bad efficiency).

You can partially get the first with technology, very good filters can make finding a mail hub harder but not impossible, and as AOL is proposing with taxes, until a spammer discover a way to bypass that, maybe on the expense of someone else (creating another problem).

The second aspect is more risk. Criminals knowing they have good chances of being busted and, if they do, will loose everything they got facing proportional time in jail.

But to that happen the government need to know that spam isn't about sending "funny" emails about V|AGRA and people complaining about how full their mailbox is.

There's a whole criminal activity in the background, the same used by asumed thieves (phishing) that needs the appropriate treatment by the law.

I forgot to mention but education is also a good idea, we should see commercials on TV saying "SPAM is bad", "Don't answer emails that somehow ask for your password" and putting these same messages on the back of your PINs and bills.

Greylisting is the answer

[clambake]

Greylisting is the answer, because it works on the behavior of the spammer, something that cannot change easily, not on the content, something that changes with every message. If spammer cannot send as many emails as possible, as fast as possible, then the price of spam goes up dramatically. To overcome greylisting, a spammer must be willing to implement a full mail-server on thier end. In current implementations they must be willing to queue messages for resending, and must be on a traceable, non-changing IP that will not go down for at least an hour after the last message they sent went out. It forces spammers to be responsible. No more "fire and forget" style mass mailings. And the great thing about it is there is no defense, no way a spammer can change his stripes and still be capable of the volume of email that made spamming so profitable.

If you don't implement even a five minute greylist on yur mailserver, stop what you are doing and go implement it now [puremagic.com].

Re:Snail mail is also easy to fake

[Feanturi]

That's totally true. I do tech support for the unwashed masses, and those with broadband will say, when questioned, that they're not connected to the Internet right now, meaning that they're not running IE at that particular moment. They can mess with their cable modem's connection to split to a TV, but having knocked out their Internet as a consequence they will call their computer manufacturer and not their cable company, because that couldn't possibly be the problem since the Internet is supposed to be in the computer somewhere. And yes, those with dialup may insist they have to dial before going to the control panel or loading up Word or any number of things. Not all of them are like this, but way too many are.

A Radical Solution

[superchi]

I propose a better solution to the e-mail system.

We should change the way e-mail works from the ground up. Currently, the sender's server will send the message to the recipient server where it waits until the client downloads the message. Instead of this, an interesting idea would be to have the sender server HOLD the e-mail message and simply send a notice to the recipient's server that a message awaits. When the client connects, depending on his software configuration, he will download the message from the sender's server or click on a link to go download the message from the sender's server.

What does this accomplish? We add the ability to flag messages as spam or virii. Depending on the sender's server's configuration, if a message gets too many flags, it will block the message from being downloaded in the future. Here's an example of this in action. Spammer sends out 100 messages for V1agR@. The 1st, 5th, and 7th readers are dilligent and mark the message as spam. The server's threshold is 3 warnings and then deletes the message. The message never gets to recipients 8 to 100. The user's account is suspended, and the spammer becomes drastically less effective.

There are other positive side effects to this scheme. Internally, my company will send out big files to one another. Instead of always using a server share, some people e-mail these big files to multiple recipients. If one person e-mails a 20MB file to 10 people, that'll be 200MB of consumed space for the recipients' servers. In a sender-hosted e-mail system, it will still just be 20MB.

Drawbacks to this scheme? Let's say the spammer sets up his own e-mail server and sends out spam from that. Recipients flag it, but the sender's server is configured to ignore the flags. If this were to happen, the spam is still not as effective because the recipient only wlil get a notification that mail exists. The notification would probably be limited to something like 128 characters of text for a subject. The sender's address can't be as easily spoofed because it still must be able to resolve to the sender's server. And better yet, if the ISP is cooperative, reports of this type of abuse to the ISP could lead to the ISP taking legal/criminal actions against violators of their Terms of Service. If the sender wants their message sent, they need to keep their server connected to the ISP, thus making it a lot easier to physically trackdown. If the ISP doesn't care, then we simply add the ISP to a blacklist.

Another side effect is that now the recipient needs to rely on both his e-mail server and the sender's server to be online to get a message, but this should be trivial. Also the server must retain the message for long enough time for the recipient to download the message. This should also be trivial, and in my opinion, it's better to put the onus on the sender instead of the recipient. For example, if the recipient goes on vacation for a few days and comes back to find his mailbox quota is full and he lost a lot of messages, it is quite annoying, and this proposed solution will not have that problem.

The biggest drawback is that this is a fairly major overhaul to the e-mail system. It would probably have to be done in phases where there is one phase that most servers support both types of e-mail protocols. I think it's worth the effort.

Re:We need SERVER authentication, not user

[Anonymous Coward]

OK, but you pay the 25$ to me.

No? then who gets it?

Fidonet anyone?

[ringm000]

Remember Fidonet? It had no anonymity, and had responsibility delegation. If you were not a "node" of the network, you could still participate as a "point". In this case, you had no responsibility to the network, but your "boss" (the network node you connected through) was responsible for all your actions (and he knew who you were and you could get beaten if you're doing something wrong, e.g. if you start spamming).

Why don't we use this model? Introduce a backbone network of mutually trusting certificate authorities, and require all mail to be signed with a valid certificate. It is the backbone member's responsibility to take due actions in case anyone having their certificate starts sending spam (revoke certificate, prosecute the user, etc), or else the member will be kicked off the backbone. The backbone member may delegate the right to issue certificates, but the responsibility still holds.

This scheme would make the backbone members know who their users and child authorities are, and prosecute the violators. You would still be able to have a free anonymous mailbox to receive mail, but the sender identity would always be revealed, and you would always be responsible for what you're sending.

Unfortunately it's obvious that if we retain an open non-whitelisting scheme, we HAVE to give up anonymity to prevent spam. There should be an easy way to find, block and prosecute the violators, in all other cases spam will continue.

Gee, What Would You Do In The Case of A Rape?

[Illbay]

If the banks were responsible for any losses due to phishing...

Hm. First time I ever heard someone suggest that, in order to stop criminals, you have to punish their victims.

I mean, I know we have a lot of "whack" social-engineering running around these days masquerading as "wisdom," but that one sure brought me up short.

authoritative email headers since when?

[inca34]

Since when has origin been a significant means for authentication? Whitelists are only useful when we have authentic sender information. Then, even if we have authentic sending information, what about hijacking address lists then spamming the people who recieve mail from you. Can't say this chain-mail approach has never been done before. Nope. Not once.

I say this, if we want to get rid of spam and phishing, we should find the people who are doing it and hire Bruno from "the local mafia" shop to make him an offer he can't refuse. Surely the iron fist approach will work were all else has failed. =)

Better authentication schemes

[null etc.]

The real problem is a lack of centralized mechanisms for verifying the identity and ownership of a website. Nearly all phishing attacks would be rendered useless if a user could click on an icon somewhere within the browser (and not the web page) that would tell you "This site is in fact owned and operated by Central Bank of Manhattan, Inc., whose address is x, phone number is y, and tax id is n" etc.

As phishing scams get more elaborate, even saavy users such as myself have to go through complicated steps just to verify the identity of a website. i.e. whois, verification of SSL certificates, etc. No average user should have to become a detective in order to verify that www.chase.com belongs to the same Chase bank that issues his credit card. Especially when it's an URL such as chasenetaccesss.com or chaseonlinebanking.com, etc.

The point is to make faking or forging the identity of ownership much more difficult than the current state of affairs, which is deciding whether or not to believe that www.ebaysecurityreinstatement.com is a valid eBay website or not.

SPF - a solution looking for a problem

[Vainglorious Coward]

SPF is a failure. Unlike the submitter, its proponents don't even pretend that it's an anti-spam method (there are more spam messages with SPF than ham), focussing instead on its authentication promise. Now it seems even Meng has abandoned that as being worth anything if the FUSSP [rhyolite.com] is whitelist-only. Imagine that - saving email by destroying it!

Email has been a phenomenal success because it costs close to zero to contact people with whom you otherwise would never easily be able to communicate. UBE is a problem precisely because it costs close to zero to contact people with whom you otherwise would never easily be able to communicate. Any FUSSP that destroys either of those two qualities, cost and ubiquity, is a cure that's worse than the disease.

Re:Not All People

[Anonymous Coward]

No, you don't win. Some legitimate email will direct you to funny variations of the company's URL. (Yeah, it is a bad idea, but it happens.) Trying to track down things from the main web site or calling on the phone can be difficult -- the company just assumes that you'll be clicking on the URL they provide you, and they don't provide alternate ways to access things.

While you can assume everything is a phishing attempt, that will be about as useful as assuming all email is spam. You won't suffer from the bad emails, but you might as well not have a computer.

Sorting out phishing attacks is getting much harder. See for example. [sans.org]

Re:Meh.

[imsabbel]

Because you really want to give your telephone number to people you wouldnt trust not spamming your email account.
Yeah right.

Re:Considering IP blocking tactics, it's pointless

[Haeleth]

You support a spamming ISP, you get blocked. If you don't like it, vote with your money.

Absolutely: it's clearly right to punish people for being associated with wrongdoers, even though the people in question may have no way to determine what wrong is being done or why they are being punished. In addition, it's clearly right to punish people for associating indirectly with wrongdoers, such as by being the customers of the same ISP as someone whose computer is hacked and used to send spam. Obviously every customer of that ISP has a shared responsibility for failing to ensure that every other customer of that ISP is taking sensible security precautions on their computer.

No, wait, actually that's the stupidest comment I've ever read. You might as well say that when someone commits murder, you should execute everyone who worked for the same company, because they shouldn't have been employed by a company that employs murderers.