Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Spam

The Anti-Spam Research Group's Plan for Spam 225

Posted by michael from the bit-bucket dept.
egoff writes "Speaking of standards, the ASRG, a member of the IETF, has a plan for "consent-based communications." Among the suggestions, according to Internet Week, are authentication services for falsified addresses, trusted senders, reputation systems (karma?), opt-out tools, best practices for challenge/response, and even a proposal for micropayments on unwanted mail. Instead of defining spam, the ASRG wants to provide administrators and users the tools necessary to avoid what they consider to be unwanted. One of the tools, Reverse MX, is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf."
This discussion has been archived. No new comments can be posted.

The Anti-Spam Research Group's Plan for Spam More

The Anti-Spam Research Group's Plan for Spam

Comments Filter:

  • THAT would be very useful... (Score:5, Interesting)

    by WCMI92 ( 592436 ) on Tuesday May 27, 2003 @09:06PM (#6053219) Homepage
    "One of the tools, Reverse MX, is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf."

    This would more or less force spammers to send from their own domains... Or from ISP's that are spam friendly.

    It might not STOP spam (though blacklisting would be easier), but it'd make it traceable...

    Which would make it easier to file complaints under the anti spam laws.
    • Unfortunately, no it wouldn't. A lot of people are multi-homed these days, and legitimately send mail with one domain from an ISP using another domain. A simple case would be someone who has a hotmail account for pseudo-anonymous matters and a real isp email account. They could very well wish to send from their browser's mail client using their hotmail address, while not actually using hotmail to send it (say conversing with a personal respondent they're not sure of yet). Or maybe you're at home and wan

      • Reverse MX lookup wouldn't occur on the From: address (unless an admin is particularly stupid)

        It would occur on the MAIL FROM command in SMTP. There's no reason I can think of to have the domain part be different from something on the same network as the SMTP server.

        • It would occur on the MAIL FROM command in SMTP. There's no reason I can think of to have the domain part be different from something on the same network as the SMTP server.

          I believe that will show up in the From_ line, which defeats the purpose of trying to hide your identity, and it also requires changes on the sending side, which RMX is trying to avoid (I'm pretty sure most mail transports use the From: in the MAIL FROM by default, though I haven't actually tested it).

      • Re:THAT would be very useful... (Score:4, Interesting)

        by secolactico ( 519805 ) on Tuesday May 27, 2003 @10:25PM (#6053590) Journal
        This is where SMTP Auth comes in handy. Have your smtp server authenticate you and allow you to send e-mail from wherever.

      • This can be solved by using an authenticating SMTP server or some other way of routing the email through the mail server responsible.

        The problem you mention is more political rather than technical. Or to quote the end of section 10.2 of the draft (emphasis added by me):

        But as I saw from the comments on the first version of this draft, people religiously insist on sending e-mail with their domain from any computer with any IP address in the world, e.g. when visiting a friend using her comput

        • This can be solved by using an authenticating SMTP server or some other way of routing the email through the mail server responsible. The problem you mention is more political rather than technical. Or to quote the end of section 10.2 of the draft (emphasis added by me): But as I saw from the comments on the first version of this draft, people religiously insist on sending e-mail with their domain from any computer with any IP address in the world, e.g. when visiting a friend using her computer. It appear

          • Re:THAT would be very useful... (Score:5, Insightful)

            by keli ( 143788 ) on Tuesday May 27, 2003 @11:05PM (#6053814) Homepage
            ... but how would you tell the difference? And you would still be able to use your email address as an identifier from anywhere, provided that you use the correct mail server.

            It would also be very convenient if you could change the caller-ID of the phone you are dialling from to your home phone number, when dialling from a friend's house or from work...
          • Exactly. We don't require that if you put a return address on an envelope, that you send it by leaving it in your mailbox at your house.

            I have one e-mail address I use, but travel all over and send e-mail from home. Until recently, I had no access to an authenticated mail server so I HAD to send using postfix on my home machine/laptop/etc. This is very useful to me, less so since AOL started blocking this behavior. Plus, as I understand it, it isn't so useful to spammers since sending all the mail from the

  • Reverse MX possible problems? (Score:4, Insightful)

    by dzym ( 544085 ) on Tuesday May 27, 2003 @09:08PM (#6053225) Homepage Journal
    Many if not most ISPs have very odd setups for e-mail for load-balancing purposes where outgoing e-mail does not go through the same SMTP server that incoming mail heads into. I wonder how that will affect this system?

    This new mechanism will help eliminate forged e-mail from-fields though, and allow for easier message filtering.

  • Cooperate and I'll Read (Score:5, Interesting)

    by AvantLegion ( 595806 ) on Tuesday May 27, 2003 @09:10PM (#6053238) Journal
    You know, I wouldn't mind receiving advertisements in email if:

    1. They were about things I gave a damn about
    2. They were marked (like ADV:) for easy filtering

    What bothers me about spam are the violations of those two. I don't want emails about printer toner, or bigger schlongs. And I don't like having ads clutter up my inbox, where email from people I know and such belongs.

    But if I could filter it all into an "Ads" mailbox, just like I have mailboxes for various mailing lists, I would scan the offers about stuff I might actually want. I'd be much more inclined to "click through" then, while my all-time number of click-throughs of spam email to date totals 0.

    • You know, I wouldn't mind receiving advertisements in email if:

      1. They were about things I gave a damn about
      2. They were marked (like ADV:) for easy filtering

      What bothers me about spam are the violations of those two.

      That's just you. For many people, the mere volume of unwanted traffic is a major problem. Consider somebody in a third world country[1] on a slow dial-up connection for which they have to pay enormous amounts of money in local terms. Or somebody who has to use webmail, with an awful inef

    • Re:Cooperate and I'll Read (Score:5, Insightful)

      by Eggplant62 ( 120514 ) on Tuesday May 27, 2003 @09:44PM (#6053413)
      But if I could filter it all into an "Ads" mailbox, just like I have mailboxes for various mailing lists, I would scan the offers about stuff I might actually want. I'd be much more inclined to "click through" then, while my all-time number of click-throughs of spam email to date totals 0.
      Why not just be honest. Didn't you really mean to say /dev/null? Ads mailbox my ass. IF I WANT IT IN MY MAILBOX, I'LL SIGN UP TO IT. OTHERWISE, KEEP THE FUCK OUT. Marketers don't realize that I'll allow free access to friends, relatives and anyone else I've had an existing business relationship with. All others can pay ME to use it or subsidize my ridiculously expensive internet bill, which their current efforts are what keeps it so friggin' high in the first place.

      Christ, who do you think is paying for any of this shit? US!!
      • How much do you pay for email? Come on, stop bullshitting. As far as I know, most email providers are either free (hotmail) or flat-rate (your ISP), regardless of volume. Also, if you take basic precautions (like not posting your email address in robot-readable form), you will not get more than one or two spams a month.
        • And the flat rate is determined by what? Yes, average cost. Considering that 2/3 of email traffic is spam, they should at least be able to cut costs by a 1/3 if a method was found that eliminated say, 90% of spam.

          Also, your "precautions" involve avoiding things that in many cases, I would like to do. I want to be able to post my email address in a machine readable form so that possible employers/customers can reach me. Also, once you get on the list (which even if with full precautions can happen; if I
          • A T3 costs the same whether you use it or not. I don't think that email makes for a huge part of an ISP's bandwidth bill. They might be able to lower the cost by 2% or so if their message volume was reduced 60%. Remember that your ISP probably spends most of its money not on bandwidth, but on employees, salaries, buildings, etc. Of the bandwidth, most of it is probably taken up by hosting and web access, not email. Besides, why would I care that my ISP reduced its costs by 1/3? They won't pass those s
        • How much do you pay for email?

          I can tell you how much I've paid for spam delivery :
          My "Junk Mail" Maildir folder is 42788 kbytes - it contains 4439 messages, dating back to 22/08/2001.
          Data on my permanent modem connection via Tel$tra is 15c / Megabyte.

          So it's cost me a total of $6.41, over the past two years or so.

          4439 emails in 22 or so months is 200 per month. Seeing as my email address is a business address, I'd like it to be available to people, so ordinary "keep your email secret" advice is not rea

      • Ads mailbox my ass.

        If it's not in the Inbox, it's not hurting me. I already have a Spam mailbox where my pretty successful mail filters route junk mail. I go through it pretty routinely, and even occasionally look at things.

        But part of the point is that people could send it to /dev/null instead of an Ads box if they wanted.

        Spam's not going to go away entirely, because people actually read it and click through 'em. If they had 0% response rates, they would give up. If you could set 1 filter that take

    • Re:Cooperate and I'll Read (Score:5, Funny)

      by ryanvm ( 247662 ) on Tuesday May 27, 2003 @10:02PM (#6053507)
      I don't want emails about printer toner, or bigger schlongs.

      I thought I was getting 50 spam messages a day before I found out that it was just my wife trying to get me a bigger dingus.
  • I have a real aversion to the idea of paying to send email of any type, so any method that is not in that vein is progress in my opinion.

    • Paying to send e-mail is not the solution (Score:5, Insightful)

      by dsplat ( 73054 ) on Tuesday May 27, 2003 @09:39PM (#6053392)
      Right now, part of the problem is that ISPs and users are bearing the cost of spam. In the end, any of the costs to the ISPs are passed on to their customers. Making us pay to send, is going to cut down on the usefulness of e-mail to legitimate users. If I have to pay by the message, I'm going to think twice about a quick note to a friend asking if he wants to meet for lunch. I'll pass along fewer cool URLs.

      On the flip side, spammers will still send from addresses that can't be collected from. Many spammers are willing to harass people, steal the bandwidth they've paid for, and lie to people about everything from the return address on the e-mail to the fact that the opt-out procedure is actually just a verification that they have a live address. We won't even go into their claims about the efficacy of the products they sell. Is it even a stretch to believe that they will continue to lie to ISPs and defraud them of payments for the e-mail they send?

      Micropayments for e-mail would kill it.
      • The only reason micropayments are being pushed is because there is a lot of money to be made in that. However, from a purely logical perspective, that is the most idiotic solution possible. The real reason is that some company wants to become the email micropayment monopoly. Imagine taking a small cut from every email sent -- that would add up to a fortune.

      • Right now, part of the problem is that ISPs and users are bearing the cost of spam. In the end, any of the costs to the ISPs are passed on to their customers. Making us pay to send, is going to cut down on the usefulness of e-mail to legitimate users. If I have to pay by the message, I'm going to think twice about a quick note to a friend asking if he wants to meet for lunch. I'll pass along fewer cool URLs.

        This functionality is now provided by instant messengers. Sure, some people don't use them, but

        • This functionality is now provided by instant messengers.

          Actually, I thought about that point when I wrote my original comment. You are completely right. And it validates my point. Charging for e-mail will drive people to alternative protocols. There are already numerous ways to communicate with people online. If e-mail costs per message, we'll grab onto something else in a big hurry.

          Frankly, I could see a merging of e-mail, P2P and IM creating something with some of the capabilities of each. A dis
    • Would you rather pay to receive e-mails? including spam? Because that is what you are doing at the moment, regardless of whether you pay a flat rate or not, the cost is being passed onto you.

      The cost to send email could easily be included into your ISPs monthly bill, even as a flat rate. For example, they could give you 100 free email sends per month, and charge a flat rate. If you go over, then they start charging per email, similar to bandwidth control. Doesn't affect the average user, but would be prohi

  • good incremental approach (Score:5, Interesting)

    by rossjudson ( 97786 ) on Tuesday May 27, 2003 @09:12PM (#6053256) Homepage
    I like the idea; the problem is getting uptake on it. You need to encourage a lot of people. The way to do this is to get the "big" ISPs in on the scheme immediately. Participants should alter their mail transfer programs to tag the SUBJECT line of the messages with the word Untrusted. This will cause receivers to know, and significant embarrassment for those not participating...which will cause their mail system to be upgraded to participating status.

    Unless the bad effects of not participating are directly visible (as in subject line), it's gonna take too long.

  • inevitable (Score:5, Interesting)

    by falsification ( 644190 ) on Tuesday May 27, 2003 @09:15PM (#6053269) Journal
    It's inevitable. E-mail as we know it is going away.

    Spam is now the enemy. It must be destroyed. Here comes the IETF to solve the problem.

    SMTP Next Generation is on its way. The only question is the exact design. The general outline is already known. First, there will be real-world verification of identity tied to every account capable of sending SMTP NG e-mail. There will be a transition period where people can sign up for "upgraded" (NG) e-mail accounts; then, a period where these "upgraded" accounts can receive e-mail from other NG accounts as well as from old, potentially anonymous accounts. Business and government users will transition to NG.

    Then, there will be an Internet-wide deadline, upon which all NG e-mail addresses will be unable to receive e-mail except from other NG addresses. All SMTP old generation traffic will be blocked. The old base of mail users will be forced to transition to SMTP NG. At this point, if there is ever a complaint about spam, the spammer can be tracked down and booted off Internet e-mail forever. As a result, spam will cease to exist.

    The day the Internet died. Sure, it will be more "efficient" then. No spam. But it won't be free.

    Don't cry about it. It happens to all technology. Those who need anonymous communications will just move to something else. Maybe web-based discussion, for example. Just no more truly private, truly anonymous, or truly free e-mail.

    Coming soon to your neighborhood.

    • Re:inevitable (Score:5, Insightful)

      by bobbozzo ( 622815 ) on Tuesday May 27, 2003 @09:19PM (#6053296)
      Just no more truly private, truly anonymous, or truly free e-mail.

      E-Mail isn't anonymous, and never has been, (your IP is traceable back to you) unless you use an anonymous remailer.

      If SMTP2 or whatever is successfull, then people will make anonymous remailers for it.

      • Yes, it is anonymous. IP address != real-world identity. If not, then please tell the FBI how to track down Al Qaeda.

        Obviously, the point of an SMTP NG would be to prevent all anonymous remailing by requiring a valid real-world identity to send any and all SMTP NG mail.

    • Re:inevitable (Score:3, Interesting)

      by WCMI92 ( 592436 )
      "The day the Internet died. Sure, it will be more "efficient" then. No spam. But it won't be free.

      Don't cry about it. It happens to all technology. Those who need anonymous communications will just move to something else. Maybe web-based discussion, for example. Just no more truly private, truly anonymous, or truly free e-mail. "

      Why? People can communicate more or less anon they way I have been FORCED to communicate already (since my e-mail account is virtually useless)...

      Message Boards

      Instant Messengi
    • As a result, spam will cease to exist.

      Creating a central authority will no more eliminate spam than FCC control of the airwaves provided educational, infomrative material. It will simply create the power to sell adverts much like radio and TV. Some dumb asses will then make the case that the only way for all this great content to be created is through adverts, especially the newer TIA emailed spam.

      It does not have to happen and if it does, we must create an alternate network. Want to kill spam? It's

    • Uh, no... (Score:3, Interesting)

      by delmoi ( 26744 )
      There are ways to have email with the same level of anonymity that we have today without requiring some kind of authoritarian system. The most promising is the use of sender-verification. Rather then having some big brother type system setup, you have individual mail clients verify senders by replying to them and asking them to validate their humanity.

      As long as it's a real person with a real email address sending the info, it should get through.

  • Great article on RMX (Score:5, Informative)

    by mfago ( 514801 ) on Tuesday May 27, 2003 @09:15PM (#6053271)
    Great write-up on RMX [mikerubel.org], brought to you by the same guy who came up with an easy way [mikerubel.org] to snapshot [slashdot.org].

  • Short lived phenomenon (Score:5, Interesting)

    by ObviousGuy ( 578567 ) <ObviousGuy@hotmail.com> on Tuesday May 27, 2003 @09:16PM (#6053276) Homepage Journal
    Spam is simply not profitable enough to last much longer. It is the last of a dying breed of pioneering Internet money-making schemes like the pyramid scheme emails and banner ads. Eventually the spammers will move on to other means of money making because their revenue is guaranteed to drop off as their tactics turn more and more people off.

    Instead of fighting the good fight here, the best thing to do is let this dying ember peter out on its own. Forcing spammers to use more drastic tactics just results in them doing more harm in the long run. If there had been no resistance at all, we'd probably be seeing a much more mature and respectable online advertising industry instead of the random, haphazard, and very annoying multitude of spam king wannabes downloading their spam kits and setting up shop.
    • "Instead of fighting the good fight here, the best thing to do is let this dying ember peter out on its own. Forcing spammers to use more drastic tactics just results in them doing more harm in the long run. If there had been no resistance at all, we'd probably be seeing a much more mature and respectable online advertising industry instead of the random, haphazard, and very annoying multitude of spam king wannabes downloading their spam kits and setting up shop."

      MATURITY? From people that send me dozens
    • Sorry, but spam won't peter out until we run out of idiots--after all, the best way to make money spamming is to sell tools and lists to spammer wannabes.

      Given the hordes of people yet to go online, I don't think we'll run out of idiots in out lifetime.
    • And what happens when it dies off? People start trusting and using email a lot more, and depend on it as a reliable communication medium. great, right? yeah, except once that happens, spammers come back and abuse this medium that people have come to trust and look to for informed opinions.

      Just like advertising in capitalist environments, if everyone would stop advertising we would all be on level ground and be at the same place we are with advertising, but without spending any money... but then the one guy
    • If there had been no resistance at all, we'd probably be seeing a much more mature and respectable online advertising industry instead of the random, haphazard, and very annoying multitude of spam king wannabes downloading their spam kits and setting up shop.

      You forgot another advises:

      • don't lock the car. If there had been no resistance at all, we'd probably be seeing a much more mature and respectable "used car utilization" industry instead of the random, haphazard, and very annoying multitude of car th

  • RMX sounds kewl, but... (Score:4, Interesting)

    by Anonymous Coward on Tuesday May 27, 2003 @09:16PM (#6053280)
    Here's your fly in the soup:

    It only works when receiving mail with an forged and uncooperative sender-address. Nothing will prevent a spammer listing 0.0.0.0/0 as authorized sender addresses provided he controls the DNS for the envelope-sender. /me sees domains like a cat walking on your keyboard being used as throw-away domain for spamming. (lkjshret.com IN RMX 0/0)

    It will increase the cost of a spam-run, and that's good news. On second thought: I like it.

    • Re:RMX sounds kewl, but... (Score:5, Insightful)

      by oolon ( 43347 ) on Tuesday May 27, 2003 @09:41PM (#6053398)
      No you miss the point, the point is to check the from/sender address is valid. Yes a spammer can use THEIR domain from any machine, so what? They have to identify their domain. Not my domain for the receiver to accept their email. Yes they can set it up and I will get the spam but for the first time I will be able to trace where it came from. Ah but you say they just bought the domain on a stolen CC card yes perhaps they did but we are starting to get a paper trail to the spammer who would also be a criminal if they did that.

      This is a first step to fighting spam "knowing your enemy", war will continue.

      James

      James
      • and a big plus: no more innocent third parties.

        Forged headers not only is an annoyance for the target of the spam, but the admin of the domain that was (falsely) used as a return address will not have to contend with thousands of bounced notices/abuse complaints.

    • Re:RMX sounds kewl, but... (Score:2, Insightful)

      by rog ( 6703 )
      It still doesn't make sense. You're asking admins with open relays to make DNS changes. If they don't want to close their open relays, what makes anybody think they'd be willing to make a DNS change?

      Sounds like the "Evil Bit" RFC -- it would work fine if we could just get all the bad guys to cooperate.
    • Nothing will prevent a spammer listing 0.0.0.0/0 as authorized sender addresses

      Then you just block that email because the RMX record lists too many valid IPs.

      From the RMX document, chapter 7 (Enforcement policy)

      Domain owners will still be free to have an RMX record with a network and mask 0.0.0.0/0, i.e. to allow e-mails with that domain from everywhere. On the other hand, mail receivers will be free to refuse mails from domains without RMX records or RMX records which are too loose. Advanced MTAs mig

  • We already know who some of the spammers are. Heck, some of them have admitted it! What we need is good old-fashioned mob justice. If we all have a hand in the lynching, how are the coppers supposed to know who exactly did the killing? I suggest that we rename Saturday Spamurday. Every Spamurday we all mob the home of a spammer and lynch them in a very public manner. Soon, the spam should start dropping off, because who would dare risk their lives to mob justice to make a few bucks selling penis enlargers?
    • We already know who some of the spammers are. Heck, some of them have admitted it! [spamhaus.org]

      I keep submitting this link as a slashdot story. It keeps getting rejected. FFS guys, stop hassling one spammer at a time when they happen to make the news. Let's put pressure on the whole bunch. Start now, and keep it up until they stop spamming.

    • Shun the spammers (Score:2, Insightful)

      by Anonymous Coward
      How about good old-fashioned shunning. Spammers should not be welcome anywhere. Anywhere you have to right to turn them away, you should. Tell their neighbors who they are and what they do. Send them a thoughtful letter explaining why you disapprove. Include copies of every page from several anti-spam web sites. Cut them off in check out lines in grocery stores. Get their cars towed immediately when their parking meters expire. When choosing a fake e-mail address when posting to Usenet, use one that

  • Paul Vixie proposed something like this (Score:5, Informative)

    by dvanduzer ( 563848 ) <dvd@tennica.net> on Tuesday May 27, 2003 @09:32PM (#6053358)
    The original discussion on Nanog can be found here [cctec.com] or perhaps here [dragoninc.on.ca]. He originally had the proposal on his site [vix.com] (dead link) but he seems to have taken the page down, and I don't see any reference to him contributing to this draft.

  • Hidden Features (Score:5, Insightful)

    by Voivod ( 27332 ) <cryptic.gmail@com> on Tuesday May 27, 2003 @09:44PM (#6053415)
    Mail agents like Mozilla will have to become more sophisticated about what mail relays they use when sending mail. Suddenly it's not okay to send both your personal e-mail and your work-from-home e-mail through your DSL ISP's mail server since your work domain DNS will claim no relationship with your DSL ISP's server.

    Could Mozilla use RMX to determine on the fly what relay to use? It sees that you're sending from a @slashdot.org address, so it does an RMX lookup on slashdot.org and discovers the IP of all the relays for that address. Ah, a nice clean new standard... the desire to abuse it is overwhelming. :-)

    An ironic side effect is that mail administrators are going to have to open up more holes in their relays. Your users can't just bounce mail off their random ISPs anymore. They have to use the real corporate mailserver now, which means you can't just lock things down by IP address such that only internal corporate users can use the relay.

  • Pay a deposit to send a spam. (Score:5, Interesting)

    by rice_burners_suck ( 243660 ) on Tuesday May 27, 2003 @09:46PM (#6053426)
    Here is what I think. Forget all the complicated stuff. At the ISP, give every email account a whitelist, containing email addresses to be let through. Each email that is sent is checked against the whitelist. If the sender is not included on the whitelist, the email is automatically rejected. Users can optionally set up their account to accept any emails.

    But here's the fun part: As a recipient, each user sets up their account with a "deposit price" for bypassing the whitelist. You can set that price to any amount in your currency of choice. As a sender, you can set the maximum amount that you're willing to pay, so that you don't suddenly get billed/debited/charged some outrageous fee. If someone who is not on your whitelist needs to send you an email, they pay a deposit. When you receive the email, you either accept it or reject it. If you accept it, you do not get paid; the sender keeps the deposit. If you reject it (meaning you've read the email and decided it was spam), the deposit paid by the sender is paid to you. It's enough to set the deposit to something like 50 cents. You'll probably get highly targeted emails at this price. I wouldn't mind risking 50 cents to send someone an email that I think they'll accept. You could set it to a few dollars to reduce the noise even further. But you could set it to any price you want. If you REALLY don't want email from sources not included in your whitelist, you could set the deposit to thousands of dollars. With this system, you'll be HAPPY to receive spam! And spammers either won't be able to afford it, or recipients will start making some money.

  • RMX does nothing to solve what it breaks (Score:3, Interesting)

    by Kjella ( 173770 ) on Tuesday May 27, 2003 @09:47PM (#6053431) Homepage
    Any server that has a RMX record, should also have a compulsory, authenticated way of sending email from an unauthorized address. For instance, I'm now at home, and I would like to send mail with my University address. I can not do that, because the University blocks relaying from external IPs. So I send mail with my ISP account, but with the headers of my University account. If my University implemented a RMX record, I could no longer to that. And unless I can authenticate with the University servers to send mail through them, I can't send mail with my own mail address on it! If I can authenticate and send with my Uni account then it is fine, if not this will cause a big stink and RBX being dropped. Really.

    Kjella
    • > So I send mail with my ISP account, but with the headers of my University account. If my University implemented a RMX record, I could no longer to that.

      Untrue. This is not how RMX would work. If you send mail from home using your Uni email address, you change the "From: Kjella@uni.edu". However, the envelope sender (normally not displayed in email programs but an integral part of each email) would not be changed, no matter what email address you put as your from.

      So the question becomes not if your Un

  • Monster.com and intermediaries (Score:5, Informative)

    by dmeranda ( 120061 ) on Tuesday May 27, 2003 @09:55PM (#6053476) Homepage

    The RMX approach is certainly very interesting. Although not based on DNS I had previously asked an AOL postmaster for similar information about what servers could legitimately send mail from any aol.com domains. That simple step has allowed me to block almost 100% of all spam reporting to come from joerandomuser@aol.com. I've been looking for similar information from the other big ISPs that spammers love to forge but with little luck.

    Of course there may be a few things that this breaks (not that they shouldn't be fixed to work a different way). One is email intermediaries. SMTP was originally designed to be store and forward, and it used to be quite common that mail took many sometimes unpredictable hops along its way...direct end-to-end connections were not nearly as unbiqutious as they are now. But there still are cases where an SMTP intermediate hop may exist for legitimate reasons, but which may be unknown to the sender; thus they would not be listed in the RMX access list.

    Another "questionable" practice that would be affected are services like monster.com, which send mail (usually resumes) to subscribers (companies hunting employees), but forge the sender address as being the real address of the individual, not of monster.com itself. Thus monster.com forges mail from almost any domain all the time; even though that mail can hardly be described as "spam" since the individual being forged has authorized monster to do it, and the recipient is paying monster to recieve them... But that kind of practice would still be affected without some workaround.

    Oh, and if you want end-to-end authentication why don't more SMTP servers use the STARTTLS (aka SSL) mechanism with REAL certificates just like web servers do? If this became standard practice then it would be much easier to do SMTP server authentication with existing technology, and in a way that is completely transparent to the users (MTAs).
    • This is why the RMX should actually be a public key, authorised servers to post for that domain have a copy of thatr public key, infact, there is no reason why every server could not have a different one which could be published in the DNS. If a private key is stolen you just revoke it and generate a new one. Relays could relay but would not be able to change the content. The problem with a key system is its far more difficult to get everyone to agree to what they key format and encryption should be, there
      • If Monster.com wants to send an email as one of its customers, it should authenticate with the customer's email server and send the email. If the customer wants to allow them to do this, they can give Monster.com their authentication info.

        The reason why mail servers don't bother to support authentication and secure support is simple: there's no point to it. So long as I can send an email as anyone from any computer on the internet, what is the point of requiring authentication at a server that I can avo
        • I was not thinking of using a secure transport I was thinking that the messaged would be signed with the public key so the reserving server know it orginated from a server that was allowed to send email for that domain even though it might have been though a number of relays before it got to it. Yup everyone could have signing in there clients, but that means end users have to be educated rather than System admins.

          James

          • Yes, that sounds like something that actually could be very useful. Have the keys actually distributed in the DNS RRs, rather than having to rely upon a complex and sometimes untrustable CA network. There would then have to be something in DNS that could state a sender's policy, such as "all mail coming from my domain must be signed by this key -or- must originate from this IP address(es)"

            Of course the biggest win for a company signing its email in such a manner is not immediately to reduce its volume o

    • Another "questionable" practice that would be affected are services like monster.com, which send mail (usually resumes) to subscribers (companies hunting employees), but forge the sender address as being the real address of the individual, not of monster.com itself.

      The simple solution here is for monster.com to do the right thing and only "forge" the From line in the header, not the envelope sender address. The envelope sender should use VERP [cr.yp.to], which would allow monster to know when a specific email bounc
  • Really, this stuff should have been done years ago.

    I doubt it will help all that much though, for one thing spammers could forge headers for any of the huge number of domains with lazy admins that do not use reverse MX. The vast majority of admins can't be bothered to close their relays, so I doubt this will help to much.

    Even when the vast majority of sites out there implement it, a spammer can simply buy a domain name, and setup a DNS server with entries for all of the open relays they find, or used a h
  • These plans are awful. Authentication services and trusted senders are a way for the certificate authorities to decide who can or cannot send mail (be it spam or political speech) [1]. Micropayments are a tax on speech. Challenge/response is patented. Opt-out tools depend on a centralized database from which spammers will harvest addresses. Reputation systems are an invasion of privacy.

    Most of the proposals are probably patented (as ridiculous as that may sound). No doubt the recent spam proposals a

  • Let's find a cure, not a treatment. (Score:4, Interesting)

    by mabu ( 178417 ) on Tuesday May 27, 2003 @10:32PM (#6053622)
    The spam issue has some interesting parallels in the models of the new economy. Just like in other industries like healthcare and pharmacuticals, the major players are not interested in a "cure". That's not profitable for them. A more appealing approach for them is some method of "treatment", preferably something that obligates the user to continually do business with them in perpetuity in order to maintain their spam-free condition.

    Efforts to regulate the content of spam messages, inconsequential civil penalties, client side filtering, and any system which filters mail based on content caters to this impotent approach to addressing the spam problem. It offers no cure. It does nothing to reduce spam; it does nothing to discourage spammers; it does nothing to address the most serious problem of spam, which involves unfair and often illegal exploitation of resources.

    Maybe this is the new way. We don't actually solve any problems. We just put bandaids on them and allow them to consume more wasted resources, and the demand for more resources, hardware and bandwith is what drives the new economy.

    Call me idealistic, but I think it sucks. I am appalled that so many people will settle for such shallow and ineffective approaches to these problems. But I guess I shouldn't be surprised. Most of these people profit from the existence of spam so why bite the hand that feeds them on a major artery when you can collect some bucks and merely trim their nails?

  • The Internet was Founded on Trust. Do This. (Score:5, Insightful)

    by minas-beede ( 561803 ) on Tuesday May 27, 2003 @10:32PM (#6053627)
    The internet started on a model of trust. We know we can't trust the spammers and we knock ourselves out trying to implement that distrust. All the while we operate in a manner the spammers can fully trust: if a system says it's an open relay it really is, if a system is secured against being an open relay it proudly proclaims as much. We're just as honest about open proxies. We assist the spammers thousands of times a day by being trustworthy. Isn't that exactly why why they find it so easy to commit abuse? We keep being honest and trustworthy with the spammers - we help them. Stop doing things that lead to our being hurt, start doing things that hurt the spammers. It's an easy and logical progression to make.

    It's time to destroy the spammers' trust in us. This should have no impact on anything legitimate: it's targeted on the spammers. Those who never go looking for open relays will never be deceived by fakes - it's only the spammers who fall victim to the deceit. Same for open proxies - who goes looking for them other than abusers? Doesn't that seem to be exactly right - harm those who would do harm, don't touch the rest? There are behaviors that only spammers exhibit. Target those, make life miserable for the spammers.

    The ASRG methods, all of them, are designed to be the same for everyone - they are targeted on what spammers and non-spammers do in common and then are supposed to make use by the non-spammers impossible. To do that everything will have to be changed. That will take years and it will take nearly full compliance to be effective. It will be like the "secure open relays" campaign of a few years ago. To actually stop spam that had to be universal, or very nearly so. Instead there are still hundreds of thousands of open relays, more pop up every day. How many years for full compliance? Alternately there may have to be a D-day for a total switchover - a source of huge complexity and disruption. Before commiting to that isn't it necessary to make sure there is not something less drastic which will work to end spam?

    If instead people opposed to spam change their behavior toward the things spammers and only spammers do then ordinary email can be left as it is - if those behavior changes end spam. Foremost of the behavior changes would be stop ignoring spammer abuse. Spammer abuse is an easy target, an easy path to hitting spammers and completely missing non-spammers. Spammers have two choices: spam direct or spam via abuse. If you knock down spam via abuse then they're left with direct spam. That you can hit adequately using blocklists. ASRG wants to make spam impossible by making every single spam message imposible. That's overkill - it's only necessary to make spam cost more than it returns. That can be done - without a total reengineering of the system.

    The big question is: are anti-spammers smart enough to stop spammers by going after the abuse? I say they are, when you include in "anti-spammers" all the people that do not like spam. The alternative position would seem to be that anti-spammers are smart enough to stop spam by changing the entire internet but not by doing anything lesser. I can't agree to that - not unless those limited-intelligence people explain why that is. Isn't there the roots of a paradox in that?
    • I disagree. The Internet was founded on exactly the opposite. The whole distributed computing concept was bourne out of a distrust for any single node being too important.

      In effect, on the Internet, nothing is trusted.

      The reason we have a spamming problem is not because the net is too trusting by design. It's because the medium is largely unregulated and transgressions therein are unenforced, so spammers operate with little fear of consequences.

      In no other medium can you exploit other peoples' resourc
  • There are several good scenarios which depend upon the way the SMTP system works currently that will break as a result of a change like this.

    What do we do for the millions and millions of users who currently send mail via older software from their home system, tell them that they are screwed out of sending email? The beauty of SMTP is that it works. Assuming that this change is implemented, it will probably cause millions of users pain, and those users won't put up with it.

    Once those users switch to a dif

  • SPAM@Home (Score:2, Interesting)

    by More Trouble ( 211162 )
    Most of the SPAM that comes to my site is currently of the SPAM@Home variety, i.e. the same message comes from hundreds or thousands of compromised hosts, from thousands of different addresses, to thousands of my users. As far as I can tell, rMX won't have any effect on these distributed SPAM networks.

    :w
  • My organization has roughly 120 Internet email users and a quick grep -c of the logs reveals that in the last week my server has denied 700 messages from open relays or known sources of UCE. In spite of this I have to wade through around ten spam emails each morning before I can get to work and I regularly get questioned by vice presidents and the CEO about why I'm "not blocking pornographic emails". RMX, micropayments, filtering, and other solutions may not be ideal. They may, to some degree, restrict fre

  • Make Your Own Spam Arrest (Score:2, Interesting)

    by xombo ( 628858 ) *
    My article for building this got denied last night so I'll post it here instead. To create a list of authenticated users automatically that allows people to enter their address etc.. via a web form (much like Spam Arrest [spamarrest.com] visit this how-to [xombo.com]. It requires only a web server, php interpreter and Mercury e-mail server.

  • RMX-plus (Score:3, Interesting)

    by delmoi ( 26744 ) on Wednesday May 28, 2003 @01:04AM (#6054412) Homepage
    Here are some ideas I came up with that build on RMX to help prevent, and prosecute spam.

    The first involves anonymous domain names. The author of the draft suggests simply not accepting mail from annon domains. I don't know if I really like this idea. A better system might be a RTBL type list of anon domains known to vouch for spam. That way someone could get a domain name without giving up personal info, and still be able to send mail.

    Another usefull feature would be to sue non-forging spammers. Everyone could upload their spams to a group server. Since most states have laws that allow you to sue spammers for small amounts of money per message, once enough are collected from a single domain a lawsuit with enough of a financial incentive to actualy go through could be undertaken.

  • Erm... (Score:3, Funny)

    by aaaurgh ( 455697 ) on Wednesday May 28, 2003 @05:18AM (#6055257)
    "the ASRG wants to provide administrators and users the tools necessary"

    Are they going to e-mail everyone with an offer to sign up? Oops! ;-)

  • What's wrong with using the law for this one? (Score:3, Interesting)

    by Richard_Davies ( 250599 ) on Wednesday May 28, 2003 @05:37AM (#6055311)
    Slashdot is for geeks so I guess a technical solution to spam seems logical. However, is fixing this legally really that hard? First, it is a problem that has governments and corporations and users - in fact everyone except the spammers - are all on one side. It should be possible to get an international agreement to ban spam in this case. International agreements can/do work if they have support and they are realistic (for example banning CFCs worked). So the support is there - is it realistic? One of the things this group avoided is to try to define spam. But why do you need to have a precise definition? Something simple should work like:

    For any mass email that is sent, the sender must be able to prove that the receieve gave his/her permission. Certain standards could be set here (eg. this permission must be opt-in for example). All bulk email must contain the details of the sending company and the option to ask said company to remove your details. Any company violating any of these rules or *aiding* a company to conceal this information (eg running an open gateway) should be fined heavily. Any country not signing up should be suject to sanctions (eg they cannot receieve international internet access or IT services from any signing country until they enforce these laws).

    Now there are probably places where suggesting like this could be refined - but why is a legal solution to this problem such a wrong idea in general?!

Slashdot Top Deals

Remember to say hello to your bank teller.

Close