I am worried about the tools we are developing and deploying to control spam.
Fundamentally, we are no smarter than anyone else. Competent engineers are not uniformly "good", heck we can't even all agree on what constitutes "good". Creating the tools ourselves does not create the demand for those tools - if some party (a totalitarian government of whatever stripe, for example) wants them badly enough, they will create them, or dangle enough money in front of someone who can to entice them to do so. That said, I feel that the only technological solution to the spam problem is a large-scale re-structuring of Internet mail to provide for secure authentication and cost sharing for received e-mail. The scale and cost of such a deployment makes something like that a political and social problem, however. Other technological solutions are holding actions only. -- Scott Hazen Mueller zorch@wenet.net +1 415 281 6550 x269 Vice President Engineering, Whole Earth Networks (Hooked and The Well)
At 10:14 AM 10/28/97 -0800, Scott Hazen Mueller wrote:
That said, I feel that the only technological solution to the spam problem is a large-scale re-structuring of Internet mail to provide for secure authentication and cost sharing for received e-mail. The scale and cost of such a deployment makes something like that a political and social problem, however.
What if the equivalent of "caller ID" was built into sendmail? Making sure that the sender is a valid email address. AGIS is looking for viable solutions to the overall problem. We have moved any customers that we receive UBE complaints into AS 3830 (which is getting emptier), making them even more visible. This assists in blocking SPAM domains at the router level. For those using the Vixie like approaches, this works. Notwithstanding, this thread focuses on the threat of such efforts. Phil Lawlor President AGIS Voice - 313-730-1130 Fax - 313-563-6119
On Tue, Oct 28, 1997 at 02:05:36PM -0500, Phil Lawlor wrote:
At 10:14 AM 10/28/97 -0800, Scott Hazen Mueller wrote:
That said, I feel that the only technological solution to the spam problem is a large-scale re-structuring of Internet mail to provide for secure authentication and cost sharing for received e-mail. The scale and cost of such a deployment makes something like that a political and social problem, however.
What if the equivalent of "caller ID" was built into sendmail? Making sure that the sender is a valid email address.
Similar to source address validation on dialup connections, another topic that has been bandied about here in the past. Properly configured sendmail's do this, mostly. My local one, certainly, correctly identifies the actual sender even when the HELO is forged.
AGIS is looking for viable solutions to the overall problem. We have moved any customers that we receive UBE complaints into AS 3830 (which is getting emptier), making them even more visible. This assists in blocking SPAM domains at the router level. For those using the Vixie like approaches, this works. Notwithstanding, this thread focuses on the threat of such efforts.
Phil Lawlor President AGIS
In light of the recent disconnection of CyberPromo and litigation, I guess we'll tentatively believe this. Of course, you realize that you're not going to get treatment as generous as mine from many of the members of this list, who consider you as a major contributor to the problem. One section from my personal anti-spam reply form letter might be indicative, and it's last paragraph in particular: ============================================================================== Notice to Postmasters Your systems were used to send this message. If this is contrary to your AUP's, please act accordingly. If it is not, you may wish to take advice on whether not adding such a provision leaves you open to legal exposure. Please note that you may have gotten this message even if it's obvious to me that your machine was used solely as a transit system for the email in question; I mean to cause you to decide that a bit more care in the choice of whose mail to forward would be A Good Thing. And, you may even have received a copy of this if you simply provide wholesale connectivity to a sender of unsolicited commercial email -- this shouldn't remain An Acceptable Dodge, either. Finally, please note that if your company policy is such that you appear to publically not care whether your customers behave in unethical or illegal manners -- yes, AGIS, I mean _you_ -- then any legal theories which make you civilly or criminally liable in tort or statute _will_ be pursued. Govern yourself accordingly. ============================================================================== This is a _HOT_ topic. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Member of the Technical Staff Unsolicited Commercial Emailers Sued The Suncoast Freenet "Pedantry. It's not just a job, it's an Tampa Bay, Florida adventure." -- someone on AFU +1 813 790 7592
At 02:34 PM 10/28/97 -0500, Jay R. Ashworth wrote:
Properly configured sendmail's do this, mostly. ^^^^^^
I am not a sendmail expert, but I am told that it is in the forgery area that it could be improved. Forgery and relay hijacking seem to be the largest areas of abuse. If these areas could be improved, it could go a long way to solving the problem. Phil Lawlor President AGIS Voice - 313-730-1130 Fax - 313-563-6119
Phil Lawlor wrote:
I am not a sendmail expert, but I am told that it is in the forgery area that it could be improved. Forgery and relay hijacking seem to be the largest areas of abuse. If these areas could be improved, it could go a long way to solving the problem.
I tend to agree with Phil - to a point. Nip it in the bud. Everyone could use some strengthening in their AUP and it is up to each ISP to come down hard on those who abuse the net. Ease of use, and the free flow of information must be maintained. Fraud, unrepentant misuse, and theft-of-services should result in loss of access. Zero-tolerance, and/or a charge structure (fines?) can be levied by ISPs to combat the scourge. -- David J. Bowie GTE Internetworking Powered by BBN
On Tue, Oct 28, 1997 at 04:05:24PM -0500, David Bowie wrote:
Phil Lawlor wrote:
I am not a sendmail expert, but I am told that it is in the forgery area that it could be improved. Forgery and relay hijacking seem to be the largest areas of abuse. If these areas could be improved, it could go a long way to solving the problem.
I tend to agree with Phil - to a point. Nip it in the bud. Everyone could use some strengthening in their AUP and it is up to each ISP to come down hard on those who abuse the net.
Indeed. As we noted last month on the topic of ingress filtering, you have to catch this stuff on the _intake_ side, to have any real hope of spotting the offenders. Personally, if the spam isn't forged, and is for a real product, and doesn't include a stupid bulkmail software ad at the top, I no longer chase it, I just delete it.
Ease of use, and the free flow of information must be maintained. Fraud, unrepentant misuse, and theft-of-services should result in loss of access. Zero-tolerance, and/or a charge structure (fines?) can be levied by ISPs to combat the scourge.
Fines on whom? How would you implement this? Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Member of the Technical Staff Unsolicited Commercial Emailers Sued The Suncoast Freenet "Pedantry. It's not just a job, it's an Tampa Bay, Florida adventure." -- someone on AFU +1 813 790 7592
At 06:32 PM 10/28/97 -0500, Jay R. Ashworth wrote:
Indeed. As we noted last month on the topic of ingress filtering, you have to catch this stuff on the _intake_ side, to have any real hope of spotting the offenders.
Back to sender verification (equivalent of caller ID). This would allow better reporting of AUP violations to the sending domain from the receiving domain. Logs could be used to document the violation. Phil Lawlor President AGIS Voice - 313-730-1130 Fax - 313-563-6119
At 06:32 PM 10/28/97 -0500, Jay R. Ashworth wrote:
Indeed. As we noted last month on the topic of ingress filtering, you have to catch this stuff on the _intake_ side, to have any real hope of spotting the offenders.
Back to sender verification (equivalent of caller ID).
This would allow better reporting of AUP violations to the sending domain from the receiving domain. Logs could be used to document the violation.
there is provision for sender verification in the exim MTA (a drop in sendmail replacement that a lot of people are starting to switch to.) i used it for a while, but it's overly sensitive to sluggish and/or malconfigured DNS in its current form, so i had to turn it off to avoid complaints about legitmate business related email getting canned by administrative prohibition. the verification only assured that the domain in the helo was legit, and the domain in the mail from: was legit; it didn't do anything useful for spammers with addresses like 12345678@aol.com, unfortunately. sigh, richard -- Richard Welty Chief Internet Engineer, INet Solutions welty@inet-solutions.net http://www.inet-solutions.net/~welty/ 888-311-INET
On Wed, 29 Oct 1997, Richard Welty wrote:
there is provision for sender verification in the exim MTA (a drop in sendmail replacement that a lot of people are starting to switch to.) i used it for a while, but it's overly sensitive to sluggish and/or malconfigured DNS in its current form, so i had to turn it off to avoid complaints about legitmate business related email getting canned by administrative prohibition.
the verification only assured that the domain in the helo was legit, and the domain in the mail from: was legit; it didn't do anything useful for spammers with addresses like 12345678@aol.com, unfortunately.
Even if AOL allowed VRFY so you could connect back to them and verify that the given address was valid, you still have the problem of what if the message being sent isn't sent by the owner of that address. I could easily send mail that had postmaster@aol.com as the from address, and that is certainly a valid from address, but it isn't the correct one. The problem is that fundamentally you can verify that the supplied from address is "correct" based soley on what is supplied in the message. The only way I know to do this is to also require something that is not sent in the message, but is reflected in the message, such as a digital signature. If every MTA signed outgoing messages, the receiving MTA could then decide whether to accept that message based on the certifying autority chain. You can then rely on CA's policies to base your acceptance of incoming mail. If you get spammed, you know who did it by the signature, you report it to their CA (assuming the CA's policy says you can't send out unsolicited email), they investigate it and revoke their certificate if they broke the rules. If say, an ISP has a dialup customer send spam, they should be able to demonstrate the user that sent it has been terminated and avoid being decertified. Of course, some CA's could require proactive policies (require correct from address at that ISP, limit the number of outgoing messages, block connections to third-party MTAs, etc) in the ISP, and someone that wanted to make sure they didn't get any spam would only accept messages signed by those CA's with that policy. I'm not naive enough to think this (or any similarly effective implementation) will actually be done any time soon. There are simply too many MTAs out there, many of which are never upgraded. I do think that something along these lines which allow the technology to enforce policy automatically is the only way to truly eliminate spam. John Tamplin Traveller Information Services jat@Traveller.COM 2104 West Ferry Way 205/883-4233x7007 Huntsville, AL 35801
Phil Lawlor writes:
Properly configured sendmail's do this, mostly. ^^^^^^ I am not a sendmail expert, but I am told that it is in the forgery area
At 02:34 PM 10/28/97 -0500, Jay R. Ashworth wrote: that it could be improved.
SMTP in general has no mechanism whatsoever to prevent forgeries. .pm
On Tue, 28 Oct 1997, Perry E. Metzger wrote:
Phil Lawlor writes:
Properly configured sendmail's do this, mostly. ^^^^^^ I am not a sendmail expert, but I am told that it is in the forgery area
At 02:34 PM 10/28/97 -0500, Jay R. Ashworth wrote: that it could be improved.
SMTP in general has no mechanism whatsoever to prevent forgeries.
I just get a flame mail from someone that got spamed with a TO portion of the header stating : "everyone@your.net". Most people would think, "Duh they sent this to mean everyone at MY site." But this genious kept thinking WE had something to do with it because a customer of ours has your.net as a domain name. Hurrra for whois and traceroute! What to do.. what to do. Forderies need to be prevented and people need to use some common everyday brain power to figure out who it really is coming from.
.pm
T..S
participants (8)
-
David Bowie
-
Jay R. Ashworth
-
John A. Tamplin
-
Perry E. Metzger
-
Phil Lawlor
-
Richard Welty
-
Scott Hazen Mueller
-
Todd R. Stroup