Meng Wong's Perspectives on Antispam 298

netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."
This discussion has been archived. No new comments can be posted.

  • Too much trouble (Score:5, Interesting)

    by squeemey ( 925509 ) <lovecat99@hotmail.com> on Wednesday February 15, 2006 @09:28PM (#14729167)
    All this trouble would have been avoided by charging for email in the first place.

    My proposal:

    Charge 3 cents per letter. One cent goes to the ISP sending the mail, one cent to the ISP receiving the mail, and one cent to the recipient.

    The ISP on either end would credit/debit the sender/receiver's account.

    And watch the spam disappear.

  • by Peter Cooper ( 660482 ) on Wednesday February 15, 2006 @09:31PM (#14729188) Homepage Journal
    I think whitelisting is a pretty good idea. My SpamAssassin-oriented setup kinda does things this way. That is, a non-whitelisted mail has to be pretty squeaky clean to get through, whereas whitelisted addresses get straight through.

    But lately I've been hitting a different problem which totally destroys the point of e-mail in many cases for me. That is, idiotic sys admins who firewall out entire IP blocks for, seemingly, no reason.

    Just because someone several machines down the co-lo rack let their machine get hacked is no reason for mail server administrators to *firewall out* entire ranges of IP addresses. Lately I've seen some ridiculous behavior where users of the other mail server can't even e-mail people on MY server because the block is two-way! So I end up with users complaining that only certain e-mail addresses appear unmailable (because only a small percentage of sysadmins are stupid enough to block entire classes) but it's still a major PITA that makes e-mail useless for many people. The worst part is when you complain to these sys admins/ISPs, many of them proclaim innocence and believe they have no blocks.. but it's their upstream provider, etc, etc.

    I'm beginning to think that encouraging people to migrate over to systems like 'GMail for your domain' and the like is going to be the way to go. At least Google has teams of people working 24/7 keeping their machines whitelisted. Having the US government able to subpoena your private information is the least of your worries, as long as you can actually e-mail the people you need to.

    And no, schemes like SPF do not help this problem, since if they're blocking IP ranges outright at their firewall, nothing can break through that except mail proxying (which I've been considering).
  • by fred fleenblat ( 463628 ) on Wednesday February 15, 2006 @09:32PM (#14729189) Homepage
    Sometimes I wonder if there is a middle ground in the area of shared whitelists.

    If someone tries to email you, and they aren't on your whitelist but they are on the whitelist of someone who *is* on your whitelist, maybe let it through or at least give it some plus points for the filter based on how many degrees away they are.
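
The degrees-of-separation scoring suggested in the comment above, as an added example that is not part of the original thread. The addresses, the whitelist graph, the `base` score and the halving rule are constructed assumptions, and the sender address is assumed to be already authenticated (for example by SPF).

```python
from collections import deque

# Constructed sample data: each user's personal whitelist (hypothetical addresses).
WHITELISTS = {
    "me@example.org": {"alice@example.org", "bob@example.org"},
    "alice@example.org": {"carol@example.org"},
    "carol@example.org": {"dave@example.org"},
    "bob@example.org": set(),
}

def degrees_of_separation(recipient, sender, whitelists, max_depth=3):
    """Breadth-first search outward from the recipient's whitelist.

    Returns 1 if the sender is whitelisted directly, 2 if whitelisted by a
    whitelisted contact, and so on; None if not reachable within max_depth.
    """
    seen = {recipient}
    queue = deque([(recipient, 0)])
    while queue:
        user, depth = queue.popleft()
        if depth == max_depth:
            continue  # do not extend trust beyond the configured horizon
        for contact in whitelists.get(user, ()):
            if contact == sender:
                return depth + 1
            if contact not in seen:
                seen.add(contact)
                queue.append((contact, depth + 1))
    return None

def trust_bonus(recipient, sender, whitelists, base=4.0, max_depth=3):
    """Filter 'plus points': halved for each extra degree, 0.0 for strangers.

    This is a score adjustment, not a bypass: a compromised account that is
    on someone's whitelist still earns the bonus, so content filtering must
    continue to run on the message.
    """
    d = degrees_of_separation(recipient, sender, whitelists, max_depth)
    return 0.0 if d is None else base / (2 ** (d - 1))
```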
  • by realmolo ( 574068 ) on Wednesday February 15, 2006 @09:45PM (#14729266)
    Seriously. Just create a central database of "valid" mail servers. Require anyone that wants to run a mail server to pay $25/year, and go through a "verification" process that shows they aren't spammers, and that their servers are set up correctly.

    Anytime an e-mail is sent, the receiver checks to see if they're in this "master database", if not, their mail is dumped. Obviously, you'd have some kind of public key encryption going on to prevent spoofing.

    Now, creating a central authority for mail servers would be difficult, but it's a hell of a lot easier than trying to change things on the CLIENT side.

    As for those of you saying "But I want to run my OWN mailserver! Why should I have to pay! And what if I want to run it in a way that doesn't meet the standards!".

    Well...fuck off. You don't need to run your own mailserver. There's just no valid reason to do so.
  • by EmbeddedJanitor ( 597831 ) on Wednesday February 15, 2006 @09:52PM (#14729298)
    It is not so much the communications as providing online services. You can con someone with snailmail just as easily as conning them with email. The difference is that it is easy to understand the postal paradigm. If you got a letter saying "Please sign all the checks in your checkbook and post them to Ima Crim at POBox xxxx" very few would do that.

    However, very few people understand security or the distinction between their computer and what's on the internet. To many it is just "the computer" and part of "the computer" does not work when it isn't dialled up. Many can't understand the distinction and will dial up anyway, even to play Solitaire, "just to be sure". With broadband the distinction is even more blurred.

    Whitelisting is not going to be effective because it disrupts the normal flow of email and is too complicated for most people to do effectively, so most people will just disable it. They'll end up with a false sense of security.

  • by Anonymous Coward on Wednesday February 15, 2006 @09:54PM (#14729315)
    Bank of America recently implemented a feature where you get to select a random image and enter a phrase of your choice. Then on the screen where you enter your password, they display the image and text you chose, so you can be sure you are logging into the right place. Pretty nifty.
  • by texaport ( 600120 ) on Wednesday February 15, 2006 @09:59PM (#14729338)
    Use a "graylist" for webmail clients: Highlight anything in an Inbox from a user or entity that has never mailed you.

    It provides useful service for legitimate mail (first contact) while making spam stand out even more than already.

    The smartest thing a spammer could do is send out a fake first mail, but then the user can already blacklist them.

    GMAIL certainly could implement it, while Yahoo and Hotmail probably have the capabilities if they'll admit to it.

    It demands nothing of the end user other than admitting that you've given up privacy in order to get free webmail.

  • by chill ( 34294 ) on Wednesday February 15, 2006 @10:04PM (#14729359) Journal
    To open a bank account I had to show up in person and give them two forms of ID (DL and Passport in my case). It *is* possible to open an account via a telephone, but you'll have to have photocopies of your IDs notarized and faxed/mailed in.

    Use an address of a relative with the same last name or a PO box for the initial correspondence and then put in a "moved, no forwarding address" card. Voila! No address on record. Until they try and mail you something, they'll never know. I had an account with a Credit Union for almost 2 years with them having no address on record (and they knew it). I finally gave them a PO box when they needed to mail me another debit card because my first one had expired.

    Check out http://www.howtobeinvisible.com/ for info on how a U.S. Citizen can open a Canadian bank account for even more privacy.

      -Charles
  • by jonathan_95060 ( 69789 ) on Wednesday February 15, 2006 @11:07PM (#14729665)
    For instance ... Your MUA could still accept all email but any messages from senders not on your white list get flagged with a skull and crossbones, scripts are disabled and when you click on links the HAL/2001 sound clip "I'm sorry Dave, I can't do that" plays in Dolby 5.1 surround sound.

    Then, when you go to add "Phisher Man" to your white list, your MUA asks you some questions along the way:

    * is "Phisher Man" a financial institution?
    * is "Phisher Man" a personal friend?
    * is "Phisher Man" a merchant?

    etc. If you answer "yes" to the financial institution question, your MUA checks to see that "Phisher Man" is registered with the appropriate authorities (e.g. his email is signed with a public/private key that itself has been signed by "Trusty Co." that proves his identity has been verified or, at the very least, he has paid some decent bribes to the right people). If Phisher has not registered and you still want to add him to your financial institution white list your MUA warns you that "you may lose your house, family, wife and kids if this person is not who he says he is, are you really sure you want to do this?".

    Heck I think even my parents could learn to use this system and they are serious luddites.

  • the actual answer (Score:1, Interesting)

    by Anonymous Coward on Thursday February 16, 2006 @12:04AM (#14729902)
    "...it sends an email back asking if you are a real person."

    This email causes the mail server of the person who emailed you to send you a message asking you if you're human. Both messages get flagged as spam; which they sort-of are.

    I'd prefer it if we all used encrypted, digitally signed email with all that public/private key stuff. Keys can be linked to identities or anonymous. No one would buy anything from an anonymous key user*, and if a key with an ID attached is used then you know who sent the spam and can prosecute appropriately. As a bonus, sysadmins, ISP techs and Echelon could no longer read your mail.

    *I hope. Some people are real idiots, after all. Tying the keys to bank accounts so online money transfer is impossible without one might work, although I hate to give banks any more power.
  • by Fnord666 ( 889225 ) on Thursday February 16, 2006 @12:27AM (#14729991) Journal
    What happens when I'm running a whitelist with the associated trust that is implied and my mom's computer gets zombied, emailing everyone in the address book?
    Whitelists simply don't address this issue.
