E-Mail authentication fight looming: Microsoft pushing Sender ID
Not wanting to throw gasoline on an already raging e-mail authentication fire, but it _does_ look like a fight is gearing up between Domainkeys Identified Mail (DKIM), a joint effort between Cisco, Yahoo and a number of other vendors, and Microsoft's Sender ID scheme. http://abcnews.go.com/Technology/wireStory?id=872527 [and] http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=207abd98-7bf7-455b-bedf-bf75871b73c9&newsType=Latest%20News - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg@netzero.net or fergdawg@sbcglobal.net ferg's tech blog: http://fergdawg.blogspot.com/
Microsoft had this working even one year ago (i.e. they showed presentations in private with those yellow warning tags), but going public with this and corresponding press announcements right now likely have to do with that IESG is reviewing SID drafts (their teleconference is tomorrow) and MS wants to put more pressure on them because so far it's failing to gain enough votes because of technical problems with SID scheme and that it wants to reuse v=spf1 without proper authorization of domain owners in incompatible way: https://datatracker.ietf.org/public/pidtracker.cgi?command=print_ballot&ballot_id=1573&filename=draft-lyon-senderid-core (whereas SPF itself has more votes and might actually pass though barely) For more info on what MS and SID is doing wrong see: http://www.openspf.org/OpenSPF_community_position_v102.html http://www.gossamer-threads.com/lists/spf/discuss/19859 P.S. It would really be great if IETF remained true to its origin and goals, did technical reviews and selected proposals based on the technical capabilities and not on what large company is exerting pressure on them (especially not by means of press announcements). But I guess "E" is now turning more and more into "V", see: http://www.merit.edu/mail.archives/nanog-futures/msg00019.html -- William Leibzon Elan Networks william@elan.net
On Wed, Jun 22, 2005 at 06:39:07PM -0700, william(at)elan.net wrote:
P.S. It would really be great if IETF remained true to its origin and goals, did technical reviews and selected proposals based on the technical capabilities and not on what large company is exerting pressure on them (especially not by means of press announcements).
Yes, it would. It would also be great if the IETF realized that there is really very little need for email authentication: (a) forgery is a minor problem compared to spam, and even solving the forgery problem completely (which isn't gonna happen) would have a temporary and negligible effect on spam; (b) the authentication problem can't be "solved" anyway until the complete lack of security on hundreds of millions of network endpoints is "solved"; and (c) the originating IP address of any SMTP connection tells you _exactly_ who is responsible for that traffic, whatever it turns out to be. ---Rsk
Not wanting to throw gasoline on an already raging e-mail authentication fire, but it _does_ look like a fight is gearing up between Domainkeys Identified Mail (DKIM),
The real fight is to find ANY techniques that have long-term, global benefit in reducing spam. Yes, advocates for particular techniques are getting aggressive when they have any leverage, but the market tends to be good at marginalizing schemes that do not really provide benefit. It's a big network out there.
[late followup, sorry] On Thu, Jun 23, 2005 at 05:42:17AM -0700, Dave Crocker wrote:
The real fight is to find ANY techniques that have long-term, global benefit in reducing spam.
We've already got them -- we've always had them. What we lack is the guts to *use* them. As we've seen over and over again, the one and only technique that has ever worked (and that I think ever *will* work) is the boycott -- whether enforced via the use of DNSBLs or RHSBLs or local blacklists or firewalls or whatever mechanism. It works for a simple reason: it makes the spam problem the problem of the originator(s), not the recipient(s). It forces them to either fix their broken operation (any network which persistently emits or supports spam/abuse is broken) or find themselves running an intranet. We've known that this works for 20-odd years. It hasn't stopped working; what's stopped is the willingness to use it en masse, and to endure the consequences thereof. And no new technology, however clever, is a substitute for the will to make this happen when necessary. I grow rather tired of people whining about the spam (and abuse) problem on the one hand...while refusing to take simple, well-known, and proven steps to push the consequences back on those responsible for it. While we may no longer be in a position to remove particularly egregious networks from the Internet, we most certainly are in a position to remove the Internet from them via coordinated group action -- producing an equivalent result. It's gonna come down to this sooner or later anyway. We might as well do it now, rather than waste another decade fiddling around with clever-but-useless technical proposals and worthless legislation while the problem continues to proliferate and diversify. ---Rsk
On 7/6/05, Rich Kulawiec <rsk@gsp.org> wrote:
I grow rather tired of people whining about the spam (and abuse) problem on the one hand...while refusing to take simple, well-known, and proven steps to push the consequences back on those responsible for it. While we may no longer be in a position to remove particularly egregious networks from the Internet, we most certainly are in a position to remove the Internet from them via coordinated group action -- producing an equivalent result.
It's the group interaction this requires that is the problem. For instance, as a small ISP, it's hard to make a difference at all if you block someone like, say, comcast or verizon (not pointing fingers, just using examples) ... A small ISP could, conceivably put themselves out of business doing something like that.. Coordinating something like that is difficult to begin with, but if you're on the receiving end, I'm sure there will be lawsuits involved. Regardless of the legality, a lawsuit costs money, money a smaller ISP may not have. Then there's the problem with getting everyone to agree to block someone .. Not everyone is going to agree that company X needs to be blocked. Overall it's a great idea, but I don't think it's practical ... I've stuck to using blocklists and intelligent filtering. I've spent a great deal of time over the past few years developing our system and I think it's doing a fine job at the moment.. :)
---Rsk
-- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com
As we've seen over and over again, the one and only technique that has ever worked (and that I think ever *will* work) is the boycott -- whether enforced via the use of DNSBLs or RHSBLs or local blacklists or firewalls or whatever mechanism. It works for a simple reason: it makes the spam problem the problem of the originator(s), not the recipient(s). It forces them to either fix their broken operation (any network which persistently emits or supports spam/abuse is broken) or find themselves running an intranet.
I agree that the "boycott" approach is effective. It does not, however, completely resolve the issue that is SPAM. First and foremost, it does not make the spam a problem of the originator at all times. The issue is directly illustrated with smtp servers that are RFC ignorant and don't notify the sender that an error occurred. Sure, there's not too much work involved, I'm asked about a message that was supposed to be delivered, nope it wasn't, must be an issue on your end. It still requires me to look into the problem. The second issue with boycotting, is the false positives. And dhcp makes this a nightmare issue because some blacklists are retarded about how long entries are left in the list. Quite honestly, I think a good blacklist lookup and some sane bogon filters is relatively effective. Just be careful about what blacklist sites you use. Some blacklist sites require you to pay them to have entries removed. You can guarantee a lot of false positives arise from using sites like these. Or simply build your own. Rich is correct. The design and technology has been in place for at least a couple of decades. It does work, for the most part. Tim
On Wed, 6 Jul 2005 trainier@kalsec.com wrote:
The second issue with boycotting, is the false positives.
No, the *point* of the boycott is the "false positives". ISPs *will* react when their general users find themselves unable to send e-mail because the entire netspace of the offending ISP is blocked (boycotted). Blocking only a small subset of an offending ISP, in order to isolate the block to only the downstream spammer, is not a boycott; it's looking the other way. (I may believe in the principles here, mind you, but I'm far too small to make a point. A workable net-boycott absolutely requires that action be taken by a non-castrated 800lb gorilla.) -- -- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
On 07/09/05, Todd Vierling <tv@duh.org> wrote:
(I may believe in the principles here, mind you, but I'm far too small to make a point. A workable net-boycott absolutely requires that action be taken by a non-castrated 800lb gorilla.)
Having lots of vocally unhappy customers == castration? The obvious response is to say "well, think about how unhappy they are with all the spam" -- but that's not how it works in the real world. Instead, the customer STILL gets tons of spam, and is incensed that they can't e-mail Aunt Tillie whose only crime is to use the same ISP as some zombied machine. Boycotts worked great back when spammers were stationary and users were more complacent, but spam sending techniques have evolved a lot in the past ten years. -- J.D. Falk a decade of cybernothing.org <jdfalk@cybernothing.org> registered 24 June 1995
On Sat, 9 Jul 2005, J.D. Falk wrote:
(I may believe in the principles here, mind you, but I'm far too small to make a point. A workable net-boycott absolutely requires that action be taken by a non-castrated 800lb gorilla.)
Having lots of vocally unhappy customers == castration?
No, "castration" here means not having the bollocks to instigate a mail block against an entire remote ISP (even for a short time) so that the offending ISP will wake up and take notice. And, of course, *sending* mail to the offending ISP is unaffected. 8-) Of course, this sort of response is the kind that is only warranted in principle when a cesspool gets really bad. That's unfortunately subjective, but a network with several *hundred thousand* zombied boxes, and doing nothing about it, would probably qualify. As would a provider collecting pink contracts by the pallet. -- -- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
On Sat, 9 Jul 2005, J.D. Falk wrote:
On 07/09/05, Todd Vierling <tv@duh.org> wrote:
(I may believe in the principles here, mind you, but I'm far too small to make a point. A workable net-boycott absolutely requires that action be taken by a non-castrated 800lb gorilla.)
Boycotts worked great back when spammers were stationary and users were more complacent, but spam sending techniques have evolved a lot in the past ten years.
A lot of them are still stationary. You may see lots of traffic coming from spam proxies but these are all controlled by farms of servers and ISPs hosting these farms know what these servers are for and let it be. They are just happy they don't get reports about it any more and their hosting of such customers can be hidden and behind the scene ... -- William Leibzon Elan Networks william@elan.net
On 09/07/05, Todd Vierling <tv@duh.org> wrote:
On Wed, 6 Jul 2005 trainier@kalsec.com wrote:
The second issue with boycotting, is the false positives.
No, the *point* of the boycott is the "false positives". ISPs *will* react when their general users find themselves unable to send e-mail because the entire netspace of the offending ISP is blocked (boycotted).
It depends, of course, on who is doing the spam filtering. I've seen several people I respect, doing good and sensible filtering that is as surgical as possible, but remarkably effective given that this filtering is applied at 800 lb gorilla sites. I've also seen some people, with root and/or enable on remarkably large networks, who don't realize that good spam filtering is not just knowing the syntax for "access list 101 deny" or "vi /etc/mail/access, then makemap hash access.db < access", and who I wouldn't trust to be postmaster@etch-a-sketch, let alone on a production cluster of mailservers. Kind of the difference in effect that a fused bundle of dynamite has, when it is used by * A trained mining engineer * Wile E Coyote Though, to be fair, Wile E affects only himself, and he's back up and running within seconds even though he's interestingly blackened with frizzed eyebrows and smoking whiskers. Dumb spam filtering affects a whole lot of innocent users, a lot more than a dynamite blast or a fall off a high cliff into high voltage power lines seems to affect Wile E. --srs -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Sun, 10 Jul 2005, Suresh Ramasubramanian wrote:
The second issue with boycotting, is the false positives.
No, the *point* of the boycott is the "false positives". ISPs *will* react when their general users find themselves unable to send e-mail because the entire netspace of the offending ISP is blocked (boycotted).
It depends, of course, on who is doing the spam filtering.
I've seen several people I respect, doing good and sensible filtering that is as surgical as possible, but remarkably effective given that this filtering is applied at 800 lb gorilla sites.
Which is exactly what I said, too. One particular gorilla has at least started to enforce long-established RFC "standards" that most folks blindly ignored out of laziness for years.
I've also seen some people, with root and/or enable on remarkably large networks, who don't realize that good spam filtering is not just knowing the syntax for "access list 101 deny" or "vi /etc/mail/access, then makemap hash access.db < access", and who I wouldn't trust to be postmaster@etch-a-sketch, let alone on a production cluster of mailservers.
And this is the problem -- but then, such miserably inept admins are usually also responsible for the *outflow*, and are thus working for a highly intersecting set of ISPs that should be targeted for escalation, "collateral damage", "false positive" blocking in order to get them to wake up and read documentation for once.... -- -- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
On 11/07/05, Todd Vierling <tv@duh.org> wrote:
And this is the problem -- but then, such miserably inept admins are usually also responsible for the *outflow*, and are thus working for a highly intersecting set of ISPs that should be targeted for escalation, "collateral damage", "false positive" blocking in order to get them to wake up and read documentation for once....
I'd not be too quick to blame them considering that they are after all supposed to be on the same side we are. And because occam's razor is always in mind. -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Wed, 2005-07-06 at 15:23 -0400, Rich Kulawiec wrote:
[late followup, sorry]
On Thu, Jun 23, 2005 at 05:42:17AM -0700, Dave Crocker wrote:
The real fight is to find ANY techniques that have long-term, global benefit in reducing spam.
We've already got them -- we've always had them. What we lack is the guts to *use* them.
As we've seen over and over again, the one and only technique that has ever worked (and that I think ever *will* work) is the boycott -- whether enforced via the use of DNSBLs or RHSBLs or local blacklists or firewalls or whatever mechanism. It works for a simple reason: it makes the spam problem the problem of the originator(s), not the recipient(s). It forces them to either fix their broken operation (any network which persistently emits or supports spam/abuse is broken) or find themselves running an intranet.
The looming battle is not about a reluctance to utilize reputation. This "authentication" effort is a shift from using the remote IP address into utilizing the domain name. This changes the nature of how reputation affects shared servers. A name is more specific, and at the same time, more pervasive. This change to the use of domains is progress. However, path registration is really just an "authorization" mechanism. Calling this an "authentication" mechanism presumes the domain owner enjoys exclusive use of their domain on the server. While this may satisfy the typical bulk email distributor, the average domain owner may discover they remain prone to forgery. Such domain owners may also be harmed publishing server authorization in this case, while creating a support nightmare. The user-feedback reputation schemes suggested overlook the uncertainty created when which header or parameter being assured by the sender is unknown, or when domain exclusivity is not maintained at the server. In an era where networks are often populated by zombie systems, this oversight is troubling. Unless the domain owner administers their own servers, and doesn't expect messages to forwarded accounts not to be lost, then they should consider using a signature based alternative instead. In addition, signatures will likely represent less overhead than path registration. Path registration, due to the need to place higher priority on unseen headers, will not offer effective anti-phishing solutions either. Signature based alternatives again hold greater promise for anti-phishing as well. There are few email recipients that do not use various types of black-hole lists. As this battle shifts into using domain names, be careful. Make sure you can defend your domain's reputation. If not, a name-based reputation system directing your domain's email to a "junk" folder will have you longing for the good ol' days of black-hole lists. -Doug
participants (10): Dave Crocker, Douglas Otis, Fergie (Paul Ferguson), J.D. Falk, Jason Frisvold, Rich Kulawiec, Suresh Ramasubramanian, Todd Vierling, trainier@kalsec.com, william(at)elan.net