
FTC Wants Comments on Email Authentication

michael posted more than 10 years ago | from the getting-an-earful dept.

Spam 208

An anonymous reader writes "Groklaw has the scoop. The Federal Trade Commission and National Institute of Standards and Technology (NIST) will co-host a two-day 'summit' November 9-10 to explore the development and deployment of technology that could reduce spam. The E-mail Authentication Summit will focus on challenges in the development, testing, evaluation, and deployment of domain-level authentication systems. The FTC will be accepting public comments until Sept. 30, 2004 via snail-mail or email (authenticationsummit at ftc.gov). The FTC has a list of 30 questions they would like answers/comments to. The list is available in this PDF of the Federal Register Notice." In a related subject, reader Fortunato_NC submits this writeup of the sequence of events that led to Sender-ID's abandonment.


spam about spam (3, Funny)

metallikop (649953) | more than 10 years ago | (#10374879)

Seems like slashdot is being spammed with stories about spam.

Frost pist for morbax!! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#10374884)

Grattis 8-)

Re:Frost pist for morbax!! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#10374949)

ooooOOOOoooOO

Re:Frost pist for morbax!! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#10374977)

I'm afraid I must inform you, good sir, that you fucking failed it. Please try again at a more convenient time.

My comments? (4, Funny)

cuzality (696718) | more than 10 years ago | (#10374888)

I will be sending my comments immediately by email. They'll know who I am.

Re:My comments? (4, Funny)

orthogonal (588627) | more than 10 years ago | (#10375674)

I will be sending my comments immediately by email. They'll know who I am.

THIS AUTHENTICATED EMAIL
HAS BEEN APPROVED
AS CHRISTIAN AND PATRIOTIC
BY THE
REICHSPROTECTOR OF INFORMATION
FOR THE UNITED HOMELAND
by direction of
JOHN D. ASHCROFT,
REICHSMINISTER OF JUSTICE


We want all your papers, please!

And yes, we do know who you are, Citizen!

CC: PATRIOT DATABASE, REICHSMINISTRY OF INFORMATION

for all the bots... (5, Funny)

Anonymous Coward | more than 10 years ago | (#10374896)


authenticationsummit@ftc.gov

They won't be happy. (3, Insightful)

Anonymous Coward | more than 10 years ago | (#10374903)

These guys aren't going to be happy until we have to hand over our credit cards, photo ID and social security number just to send an email.

Re:They won't be happy. (0, Redundant)

unknown_goth (773919) | more than 10 years ago | (#10374953)

. . . . . urine sample, first child, your dog's footprint, and a letter from your mother. the list can go on and on but the key factor here is . . . ah shit i just had that list and that's all

DNA Readers (0)

nurb432 (527695) | more than 10 years ago | (#10374985)

Just have DNA scanners attached to our PCs..

That would ID you back to your other documents, such as SSN, bank accounts, credit history, what you ate for dinner, your life history of every webpage you viewed, or document you read...

Re:DNA Readers (1)

maxwell demon (590494) | more than 10 years ago | (#10375097)

DNA scanners cannot distinguish between identical twins. Therefore in addition to the DNA scanner, a second system must be applied. Maybe an RFID chip that everyone must get implanted if he wants to use email?

Re:They won't be happy. (3, Insightful)

fleener (140714) | more than 10 years ago | (#10375260)

Correct. My primary e-mail accounts have been spam-free for 3 years, since I started watching where and how I give people and web sites my address. Through a few simple measures you can protect a new address without the need for spam filters, with no need to hinder your regular personal and professional correspondence (assuming you don't correspond with spammers).

The *only* spam I receive on my permanent accounts is an occasional worm-sent e-mail and a guessed-address spam every 3 or 4 months (and those have never led to more spam).

People who piss and moan about spam (basically everyone) are refusing to accept that they live in a dangerous world. There was a time when people left their front door and windows unlocked. An ounce of prevention is worth a billion pounds of cure, in terms of spam.

I'll never support an authentication system that costs me more money to send e-mail because I have zero need for an authentication system.

People who don't use throw-away accounts for risky correspondence are having anonymous sex without a condom. Go ahead, mod me down because you don't believe me and think spam is just the cost of doing business on the Internet. It's not.

Let's hope so (0)

Anonymous Coward | more than 10 years ago | (#10375484)

Let's hope that's what happens. Then some community will come up with an alternative system that is similar to the current email, but hopefully a bit more spam-proof. The masses can continue to use the crappy current email, while the rest of us will switch to the new system complete with an old-email gateway. Yes, the masses will eventually catch-up and crap on that system too, just like they did with the internet (web, email), rinse, repeat. But that's the way it goes.

NOTHING but an open standard. (4, Insightful)

garcia (6573) | more than 10 years ago | (#10374913)

From Groklaw:

7. Whether any of the proposed authentication standards would have to be an open standard (i.e., a standard with specifications that are public).

Of course the standard would have to be open. This shouldn't even be up for discussion. No argument can make security by obscurity work and no argument can get me to change my thinking that we should all be using closed SMTP servers.

Spam is "horrific" and all (BTW I don't get more than 5 a year) but we certainly shouldn't even be considering ending it by choosing applications that will eliminate an open society.

Re:NOTHING but an open standard. (0)

Anonymous Coward | more than 10 years ago | (#10374934)

we should all be using closed SMTP servers.

Oh sure, closed SMTP servers, right -- but of course they would have to be open as well.

Re:NOTHING but an open standard. (0)

Anonymous Coward | more than 10 years ago | (#10375143)

> BTW I don't get more than 5 a year

Do you have an email account? Does it work?

Re:NOTHING but an open standard. (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#10375181)

garcia is a known nutfucker - please excuse his stupidity

Re:NOTHING but an open standard. (0)

Anonymous Coward | more than 10 years ago | (#10375205)

Do you have an email account? Does it work?

Do you sign up for offers on every website you visit? Do you openly hand out your email address on every postcard/website/business you see? Do you run your own mail server? Do you let people email you on group lists without masking your address behind a BCC?

If you don't, I have no sympathy for you. Hide yourself and protect the rest.

Re:NOTHING but an open standard. (0)

Anonymous Coward | more than 10 years ago | (#10375280)

You might want to re-read your post because it is a logical disaster. You basically said you sympathize with people who sign up for every offer, openly hand out their email address, run a mail server, and let people email you without masking behind BCC.

I do only one of those things (run my own email server) and I can tell you that spam is a nightmare. I get bombarded with every possible name @ my domain name. On one tiny, hardly known site I get over 2000 emails a day - 85% are blocked or deleted outright and 1% is actually legit email. The rest are viruses and spam just marked or quarantined but not deleted.

Re:NOTHING but an open standard. (0)

Anonymous Coward | more than 10 years ago | (#10375595)

I'm afraid it's pretty rare for me to receive spam either. Here's how I do it, I guess: I don't put my e-mail address on any web sites. I don't give my e-mail address to any web registration forms. I don't get my e-mail address on huge mailing lists that don't BCC, and I discourage all of my friends from propagating chain letters, at least to me.

Lastly, I discourage my friends from using Outlook and Outlook Express, if they intend to put my name in their address book. That part's really the tough one. But apparently it works. Probably six or seven spams in a year, and most happened right after my wife's Outlook-using grandpa got a virus.

Re:NOTHING but an open standard. (4, Interesting)

JabberWokky (19442) | more than 10 years ago | (#10375273)

Spam is "horrific" and all (BTW I don't get more than 5 a year)

And I get 1800 a day. That's because I am the public contact for several companies with some of my email addresses dating back over 10 years. In conjunction with theater groups and businesses, my email appears in press releases, on fliers, ancient usenet posts, and otherwise all over the place.

Individuals using their email account to talk to friends don't have as much a problem as people who use their email address publicly for business and publicity.

My phone number and address are also published. I don't, however, get 1,800 unsolicited calls every day and my junk physical mail is quite reasonable.

--
Evan "I'm not even saying Spam is bad, I'm just saying it costs me serious time"

Re:NOTHING but an open standard. (1, Insightful)

Anonymous Coward | more than 10 years ago | (#10375494)

Spam is "horrific" and all (BTW I don't get more than 5 a year) but we certainly shouldn't even be considering ending it by choosing applications that will eliminate an open society.

Why do you think Government inserted itself so awkwardly into the Spam Situation to begin with?

Bipartisanship in any political matter is something you should always be suspicious of. Some people in high places in the US Government salivate for control of the Internet just as much as the totalitarian PRC.

Re:NOTHING but an open standard. (2, Insightful)

JimDabell (42870) | more than 10 years ago | (#10375623)

an open standard (i.e., a standard with specifications that are public).

In my mind, an "open standard" isn't just one anybody can read, but one that is open to anybody implementing it - which means patent-free. It's no good everybody being able to read the specifications if nobody is allowed to do anything with them.

The Hardest Issue (5, Interesting)

Nos. (179609) | more than 10 years ago | (#10374919)

Is to keep email easy to use. SPF is a nice idea, but doesn't cope with a couple issues. The first is that a lot of SPAM comes from trojan'd machines. SPF won't prevent or help mark email coming from these machines as SPAM. Secondly, it's not expensive to register a domain and flood SPAM for a few days until that domain is blacklisted. Wash, rinse, repeat. I'm not saying a solution isn't out there, just nothing that I have seen really talks to these two issues.

Re:The Hardest Issue (3, Informative)

thogard (43403) | more than 10 years ago | (#10374998)

You only found 2 issues with SPF?
How about a few more [abnormal.com]

Since I wrote that, I've managed to come up with SPF rulesets that cause DOS on some of the common implementations, my dns has been scanned countless times looking for SPF records and I've had over 1000 spam messages with valid SPF records.

Re:The Hardest Issue (1)

qtp (461286) | more than 10 years ago | (#10375161)

"I've had over 1000 spam messages with valid SPF records."

That's likely due to the sending ISP having lax policies.

SPF only provides methods of communicating the sender policy and of checking whether or not an email is compliant.

OTOH, this does allow us to determine if an ISP is lax about allowing their users to spam, or if it is doing nothing to let their users know that their machines have been compromised.

Re:The Hardest Issue (1)

AnotherBlackHat (265897) | more than 10 years ago | (#10375298)

You only found 2 issues with SPF?
How about a few more [abnormal.com]

I agree with most of the comments, but I don't quite understand the "No sane firewall is going to let TXT records through" one.

I don't know of any firewall that blocks a specific type of UDP packet.
To a firewall all DNS replies look alike.
Sure, it could parse the data part of a DNS packet in the firewall, but AFAIK no firewall actually does.

-- Should you question authority?

Re:The Hardest Issue (1)

Rellik66 (596729) | more than 10 years ago | (#10375425)

At least SPF prevents sunburns ;)

Re:The Hardest Issue (1)

CodeWanker (534624) | more than 10 years ago | (#10375002)

I still like the pay as you go approach: if you had to pay a nickel for every unsolicited e-mail you sent over the internet (as opposed to a company's intranet), spammers would be shut down overnight.

Of course, there's the logistical issues to deal with, but having escrow accounts for every ISP and "approved to receive" lists for no-charge e-mails would allow us to get past this annoyance.

Right now, we've got people selling snake-oil penis enlargements, counterfeit prescription drugs, and fraudulent stock tips. This seems to me like a reasonable price to pay to clamp down on that kind of crime.

Re:The Hardest Issue (1, Funny)

Anonymous Coward | more than 10 years ago | (#10375660)

I've bought snake-oil in the past, but I've never put it on my penis. Thanks for the tip!

Re:The Hardest Issue (2, Insightful)

glesga_kiss (596639) | more than 10 years ago | (#10375100)

SPF is a nice idea, but doesn't cope with a couple issues. The first is that a lot of SPAM comes from trojan'd machines. SPF won't prevent or help mark email coming from these machines as SPAM.

No, but when the luser finds out that their e-mail is broken, they might just do something about their trojaned machine. Which is in fact fixing the problem and not the symptom. Any "authenticated user" idea for SPAM prevention has to account for the fact that there will need to be a "compromised" flag on the account to mark if mails are suspect.

Re:The Hardest Issue (4, Informative)

perp (114928) | more than 10 years ago | (#10375138)

The first is that a lot of SPAM comes from trojan'd machines. SPF won't prevent or help mark email coming from these machines as SPAM.

Yes it will. Almost all of those trojanned machines send mail directly to the receiving server, not through the mail relay of the spoofed sender. If the email purports to be from jblow@someplace.com, the receiving mail server can check someplace.com's spf record and see that the ip address of the trojanned machine is not allowed to send mail. That is the very essence of what it does.

You are correct that a spammer with a server can publish an spf record, but he is much, much easier to blackhole than a rapidly changing large selection of compromised dsl machines.
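The check perp describes above, as an added example that is not code from this thread or from any SPF implementation: a small RFC 7208-style evaluator run against a constructed in-memory "DNS" table (the domain names, records and IP addresses are all made up for illustration). It shows the trojanned-DSL-machine case failing someplace.com's policy, a spammer's own domain passing (thogard's "valid SPF records" point: pass means authorised by the domain, not non-spam), and why a checker needs the lookup budget that the RFC mandates: the self-including loop.example record would otherwise recurse forever, which is the kind of ruleset that causes the DoS thogard mentions.

```python
import ipaddress

# Constructed in-memory DNS: domain -> TXT records. Only TXT is modelled;
# a real checker queries DNS and must also handle a, mx, ptr, exists, redirect=.
FAKE_DNS = {
    "someplace.com":    ["v=spf1 ip4:203.0.113.0/24 include:mailhost.example -all"],
    "mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "softfail.example": ["v=spf1 ip4:192.0.2.5 ~all"],
    "spammer.example":  ["v=spf1 ip4:192.0.2.99 -all"],       # spammers can publish SPF too
    "loop.example":     ["v=spf1 include:loop.example -all"],  # self-including record
    "nospf.example":    ["some unrelated TXT record"],
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, lookups=None):
    """Evaluate domain's SPF policy for the connecting address ip.

    Returns an RFC 7208 result string: pass, fail, softfail, neutral,
    none or permerror. `lookups` is a budget shared across include: recursion.
    """
    if lookups is None:
        lookups = [0]
    ip = ipaddress.ip_address(ip)
    records = [r for r in FAKE_DNS.get(domain, [])
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is a hard error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if ip in net:  # False when address and network families differ
                return QUALIFIERS[qualifier]
            continue
        if term.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # budget exhausted: stops loops and lookup storms
            sub = check_host(ip, term[len("include:"):], lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror", "temperror"):
                return "permerror"  # RFC 7208 5.2: include target must have a record
            continue
        return "permerror"  # a, mx, ptr, exists, redirect= are not modelled here
    return "neutral"  # nothing matched and no "all" term present


def receiver_action(ip, mail_from_domain):
    """Map the SPF result to a receiving-server decision.

    The mapping is this example's own policy choice, not anything SPF dictates:
    only an explicit fail is rejected; softfail and permerror are flagged for
    the spam filter; pass, neutral and none are left to other checks.
    """
    result = check_host(ip, mail_from_domain)
    action = {"fail": "reject", "softfail": "flag", "permerror": "flag"}.get(result, "accept")
    return result, action


if __name__ == "__main__":
    for ip, dom in [("198.51.100.77", "someplace.com"),  # trojanned DSL box forging someplace.com
                    ("203.0.113.7", "someplace.com"),    # someplace.com's own outbound relay
                    ("192.0.2.99", "spammer.example"),   # spammer mailing from his own server
                    ("10.0.0.1", "loop.example")]:       # looping record
        print(ip, dom, receiver_action(ip, dom))
```

`receiver_action` exists only to make the point from the thread explicit: an SPF "pass" for spammer.example is as valid as one for someplace.com, so SPF tells the receiver who is authorised to use a domain, not whether the mail is wanted. The lookup budget is what turns the looping record into a clean permerror instead of unbounded recursion.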

Re:The Hardest Issue (2, Informative)

iabervon (1971) | more than 10 years ago | (#10375311)

It doesn't cope with world hunger, the war in Iraq, or many other issues. SPF doesn't really have anything to do with unsolicited email. Its only intended effect is to make solicited email more distinctive. This can eliminate some significant false positives in spam filters (email that would be spam if it weren't sent from a government agency that you had applied for a grant from, for instance).

SPF will not prevent or help mark any email as SPAM. It will mark a lot of phishing scams as forgeries. It will let people avoid having spam sent with their address forged on it. It will give people sending non-spam to people who know them a way of marking their email as non-spam in a way that is very difficult for spammers to imitate.

Let the patent wars begin (1)

TFGeditor (737839) | more than 10 years ago | (#10374924)

8. Whether any of the proposed authentication standards are proprietary and/or patented.

Standards (0, Flamebait)

TheJavaGuy (725547) | more than 10 years ago | (#10374925)

Does this mean that the government will now enforce standards?

Re:Standards (1, Insightful)

Anonymous Coward | more than 10 years ago | (#10374969)

...the government will now enforce standards?

No, that's what we have the National Institute of Standards and Technology [nist.gov] for.

/never mind the .gov

Why not go after the merchants? (5, Interesting)

14erCleaner (745600) | more than 10 years ago | (#10374933)

You know, I can't figure out why we can't combat spam by making it illegal to send unsolicited ads via email (or maybe the can-spam act already does this), but then go after the companies who are actually trying to get customers. After all, they either provide valid contact information, or nobody can buy from them. If nobody can sell anything via spam any more, the reason for it would go away.

Re:Why not go after the merchants? (1, Interesting)

garcia (6573) | more than 10 years ago | (#10375004)

Because, as much as the United States would like to, we cannot control the happenings in the rest of the world?

Spam is here to stay no matter how much fucking legislation is out there.

Re:Why not go after the merchants? (1, Interesting)

Basehart (633304) | more than 10 years ago | (#10375078)

"Because, as much as the United States would like to, we cannot control the happenings in the rest of the world?"

Enough with the rest of the world crap - it all starts here:

10097 Cleary Blvd, Suite 203, Plantation FL 33324

and here:

ESI, 5072 N. 300 W. Provo, UT 84604

and....you get the picture.

Re:Why not go after the merchants? (1)

gowen (141411) | more than 10 years ago | (#10375083)

Because, as much as the United States would like to, we cannot control the happenings in the rest of the world?
The majority of spam originates in the US. Much of the rest advertises sites owned and operated from within the US, and hosted elsewhere.

Arresting these people wouldn't solve the problem overnight, but by christ it'd be a bloody good start.

Re:Why not go after the merchants? (1)

garcia (6573) | more than 10 years ago | (#10375157)

Arresting these people wouldn't solve the problem overnight, but by christ it'd be a bloody good start.

yes, just like the drug war right? We know that most of the drugs come into the country at certain points and all we have to do is arrest the people behind the importation at those points.

Cut one head off and another one rises to take its place.

Re:Why not go after the merchants? (2, Insightful)

gowen (141411) | more than 10 years ago | (#10375195)

Except everyone knows who the US spammers are. Drug importation is a massive business, employing millions of people worldwide. There are only a dozen US spammers individually responsible for nearly all the western world's spam. Your analogy is idiotic.

Re:Why not go after the merchants? (0)

Anonymous Coward | more than 10 years ago | (#10375101)

Because, as much as the United States would like to, we cannot control the happenings in the rest of the world?


oh yes we can...

we got frigging nukes man, and one of these days we will elect a nutcase that will use them.

Re:Why not go after the merchants? (2, Insightful)

Sneeper (182316) | more than 10 years ago | (#10375033)

Spammers will render that system useless by sending out spam for innocent companies. You could attack your competitor by anonymously sending spam for them.

Both guilty and innocent merchants will claim they aren't sending out any spam. Who do you believe?

--Sneeper

Re:Why not go after the merchants? (1)

Trigun (685027) | more than 10 years ago | (#10375047)

Given that those are our options, that's easy. The innocent ones.

Re:Why not go after the merchants? (0)

Anonymous Coward | more than 10 years ago | (#10375088)

It doesn't matter who you believe. You go after the one who cashes the checks.

Re:Why not go after the merchants? (1)

Elwood P Dowd (16933) | more than 10 years ago | (#10375166)

(or maybe the can-spam act already does this)

Nope. The CAN-SPAM act explicitly legalizes unsolicited ads via email. It requires that those unsolicited ads comply with a few (totally useless) requirements. The recent lawsuits under the CAN-SPAM act (read "The Yes, you are allowed to SPAM act") are because many spammers do not comply with those totally useless requirements. So the ISPs can go after them, even though spam is legal.

Re:Why not go after the merchants? (1)

Basehart (633304) | more than 10 years ago | (#10375341)

" It requires that those unsolicited ads comply with a few (totally useless) requirements. "

Even the email spam I get from my wireless provider - AT&T Wireless - requires that I go to their website and actively opt out from getting it. I also had to do the same to stop the text message spam they were sending to my cellphone.

This was spam trying to sell me ringtones, so it was a third party who was ultimately spamming me through AT&T.

On both occasions nothing happened within three months and I had to make the usual threatening phone call with excessive attitude to work my way up the chain of command to speak to someone who actually had a clue what they were doing and turned it off.

And that's a company I give $127 a month to.

Which box did, or didn't I check to get roped in to that deal!?!

Re:Why not go after the merchants? (1)

RAMMS+EIN (578166) | more than 10 years ago | (#10375308)

You cannot go after the companies whose products are being advertised. How would you know if they authorized the campaign, or someone is trying to harm their reputations?

Also, a lot of unwanted email I get is virus mail. What do you do about that?

What I can't understand is why SMTP is still unauthenticated. This is why spam is so hard to trace, and since authentication is already done for virtually every other major Internet protocol, the solution seems easy to see and implement.

Re:Why not go after the merchants? (0)

Anonymous Coward | more than 10 years ago | (#10375397)

Ignoring the obvious point about the international aspect of the internet... For the same reasons that organizations aren't fined for posting bills on streetlamps.

Re:Why not go after the merchants? (1)

Have Blue (616) | more than 10 years ago | (#10375446)

Spam is a social/technical problem (people want to spam, and plain SMTP provides no way to prevent them), so it requires a social/technical solution (convince everyone not to buy things through unsolicited email pitches, change the protocol to shift the costs of email traffic and make spam unprofitable). It's the best example of the tragedy of the commons in history.

Re:Why not go after the merchants? (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#10375622)

OK, welcome to the United States. Hello??! Why would we *enforce the law*??

When we have a crime problem, do we hire more cops? Invest more in education? Uhhh, NO. We make sure everyone can get guns as easily as possible. DUH.

When we want to prevent young Islamic men in the Middle East from becoming raving anti-American terrorists, do we stop supplying the missiles used to blow up their cars and wheelchair-bound priests? Of course not, moron! We throw them naked into jail, threaten them with dogs, make them jack off, smear feces on them and have them stand hooded on one leg for hours at a time. Logically.

When we need to improve our schools to give young people the scientific reasoning and critical thinking needed to de-mystify the modern world, do we give them books? Oh, that's a bright idea, Einstein. Pshha. No, we give them PRAYER. IN CLASS. Oh, and a pledge of allegiance.

When we want to help the poor, do we just give them money, or give them food and shelter? No, idiot. We create an obscure tax credit that can eventually be used to further enrich billionaires and large corporations.

And how to we ensure American corporations remain lean, efficient and globally competitive? With no-bid contracts, massive subsidies, trade barriers and cheap Mexican labor.

So when we want to end spam, you don't follow the money and actually take it back from the people who incentivize spam. We need a very large, time-consuming, overpriced technical solution, preferably from the very companies that send out spam, over-engineered and under-thought, which does everything but get the job done. Throw in some ham-handed prosecutions of the smallest possible fish in the spam pool, and at least a decade of languishing and energy-wasting, and you have yourself an AMERICAN solution.

Re:Why not go after the merchants? (1)

sxmjmae (809464) | more than 10 years ago | (#10375657)

True. But is the company is from Ding Dong Village in some small dink hole country? The US government may try to control the world's OIL but they can not control millions of small companies that would gladly pay for someone to flood the internet world with new news about their product.

No Free Software radicals allowed (4, Insightful)

sphealey (2855) | more than 10 years ago | (#10374948)

I would be willing to wager a small sum that the only invitees to this meeting will be representative of large, commercial, for-profit software vendors and ISPs. That there will be no representation of/by the Free Software community. And that the FTC will reject any comment not from a commercial software vendor/ISP as having "no standing".

Just a guess.

sPh

Re:No Free Software radicals allowed (0)

Anonymous Coward | more than 10 years ago | (#10375082)

Based on the questions they are asking, they have at least heard most of the arguments that we are making. They want answers about open standards, proprietary/patented solutions, interoperability, etc. I expect there are people at the FTC that read Slashdot, and want to make sure that they are doing their job as a public agency.

Whether they allow just any random hacker to show up and talk is a question, but I expect they would allow a representative of OSI or FSF to take part.

Re:No Free Software radicals allowed (2, Insightful)

slashjames (789070) | more than 10 years ago | (#10375090)

I tend to agree with your assessment. However, I wonder what they would do if, say, the lead developers of Sendmail arrived. They certainly aren't people of "no standing" with regards to email!

Yes, I know alternatives such as Qmail and Postfix are out there, but Sendmail is pretty much the standard MTA.

Re:No Free Software radicals allowed (3, Interesting)

JamesTRexx (675890) | more than 10 years ago | (#10375330)

Seeing that about 75% of mail is handled by open source mta's, they can't afford to go with ip, moneygrabbing, patentfilled solutions.
The only standard that will get accepted will be an open, patentfree one supported by the free software community.
Any closed or patented ones could only be used between the commercial mta's, so it would have little effect on the amount of spam.

Re:No Free Software radicals allowed (2, Insightful)

sphealey (2855) | more than 10 years ago | (#10375556)

The only standard that will get accepted will be an open, patentfree one supported by the free software community.
You are insufficiently paranoid ;-(

How about an FTC regulation banning the use of any MTA which does not have commercial indemnification guaranteed by a licensed reinsurance firm? Because clearly in these dangerous times we cannot trust our e-mail to software written by Communist hippies who might even be from other countries.

That is the kind of thing FOSS will be facing in the next four years.

sPh

Another war on.... (3, Insightful)

Null537 (772236) | more than 10 years ago | (#10374975)

That's what I envision.

"Today, we must fight a war, they clog our mail boxes, they offer us penis enhancements, drugs like v1ag|2a, stuff we don't need, they make our wives leave us for believing we go to porn sites and give out our e-mails to just anyone. Today we start the war against spam"
-[Insert head of newly formed organization here]

Re:Another war on.... (1)

gCGBD (532991) | more than 10 years ago | (#10375110)

And another czar. The "Spam Czar".
Great.

More wars and more czars. Just what this country needs.

Oceania has always been at war with Eastasia. (0)

Anonymous Coward | more than 10 years ago | (#10375134)

Yeah, remember when we won LBJ's "War on Poverty"?!!! And when we used to have a drug problem, but then the government declared a "War on Drugs"?!!! And now we're fighting the "War on Terrorism".

It's a stupid metaphor, and leads to superficial "solutions". Why not try taking a better look at the roots of the problem and deal with that instead of just declaring a "War" to incite the proles?

Re:Another war on.... (2, Funny)

JamesTRexx (675890) | more than 10 years ago | (#10375373)

Will precision bombing be optional?

RFC1413 (2, Interesting)

jcuervo (715139) | more than 10 years ago | (#10374995)

Just use ident. Maybe return a little extra information, like an "@sitename" suffix.

Yes, it would require immediate global adoption, but not if you just assign a higher score (towards spam) to messages that came from sites with no identd running.

Re:RFC1413 (2, Insightful)

slamb (119285) | more than 10 years ago | (#10375132)

That wouldn't work:
  • It requires a connection back to the originating MTA. Slow.
  • The information returned would be useless - my machine would always say "postfix". Unless you're talking about a new identd linked with the mail server. But that's not what RFC1413 [faqs.org] says. It says the "owner of that connection" - that's always going to be postfix.
  • It includes no provision for telling if the machine shouldn't be sending this message at all.

A good SASL setup, along with SPF, does far, far more for authenticated email. My machine has this: it rejects any inbound email claiming to be from one of my user's domains unless SASL-authenticated as that user. And has SPF records so other servers can reject messages from these domains unless they come from my server. Thus, it's very difficult to forge an email from my users' domains to a server with SPF checking enabled.

Re:RFC1413 (1)

Pharmboy (216950) | more than 10 years ago | (#10375165)

And this would stop spam from zombie Windows boxes, HOW, exactly? Since that is the source of most spam, even IF identd could not be spoofed (yea, right...) it would be useless.

how much! (0)

Anonymous Coward | more than 10 years ago | (#10375016)

My main question is, how much money do you plan to waste on a system that will be hacked in days?

A stopgap measure (4, Interesting)

grasshoppa (657393) | more than 10 years ago | (#10375021)

An effective stop gap measure would be for ISPs to block port 25 ( along with a number of others ) outbound by default, and open it up only on customer requests.

This way, zombie'd machines wouldn't have a chance to spew their virus/spam emails to everyone, I could still run my home email server, and the ISPs would save on bandwidth.

I wonder why this ISN'T yet in place, to be honest.

Re:A stopgap measure (1)

Mr Guy (547690) | more than 10 years ago | (#10375204)

I'd bet because the ISP's wouldn't open it back up again. Your TOS most likely says they don't have to.

Re:A stopgap measure (2, Insightful)

Muerte2 (121747) | more than 10 years ago | (#10375248)

The ISP that I work at did exactly that. We were getting on average 2 to 3 complaints a week about spam leaving our network from customer IP addresses. We're a relatively small ISP too! Not to mention the only fix was to call said customer and explain what an open relay/trojan is and then help them fix it. The time required to do this for each customer was pretty horrendous.

So we decided to block that port outbound for all IPs unless a customer requests it (if they're running a mail server etc...). Very few people even notice, it works out pretty well actually.

Re:A stopgap measure (0)

Anonymous Coward | more than 10 years ago | (#10375287)

An effective stopgap measure would be for ISPs to block port 25 (along with a number of others) outbound by default, and open it up only on customer requests.
Assuming that they will open up any port, *no questions asked*. If they ask a few questions or charge for it, then there will be trouble.

Re:A stopgap measure (0)

Anonymous Coward | more than 10 years ago | (#10375460)

An effective stopgap measure would be for ISPs to block port 25 (along with a number of others) outbound by default, and open it up only on customer requests.

They don't even need to open it up then. The customers can use third-party email through the submission port, which exists for this purpose. MTAs typically accept mail on either the smtp or submission ports but require SASL authentication for submission. Thus submission is useless for spammers but perfect for MTAs.

Re:A stopgap measure (1)

TheTomcat (53158) | more than 10 years ago | (#10375532)

Both of my ISPs do this [sympatico.ca] [videotron.ca]. It's not a problem. I either use their SMTPs for outgoing mail, or tunnel to my own SMTP via openvpn/ssh, or use SMTP-AUTH on a different port.

All traffic on port 25 on both of these ISPs gets blocked before it hits the real world.

S

I Thank you for your time (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#10375029)

Only one way to fight spam: (1)

chris_mahan (256577) | more than 10 years ago | (#10375044)

The only way to fight spam, which is going to be inconvenient as hell for most people, is to autoblock any machine that sends or relays spam.

Of course, email systems will buckle and fall, and people won't be getting mad as hell because their emails are bouncing or just not getting there.

Then ISP and other companies will actually spend money (120K+) on very competent email admins and fix their damn servers.

Each spam sets the clock forward by 1 week for domain and IP block.

I guarantee there won't be any spam in 1 year.

Of course, 99% of emails will be /dev/nulled for a few months, but that's the alternative to living with spam.

Publish SPF now, be the 126519th... (4, Insightful)

pjrc (134994) | more than 10 years ago | (#10375049)

If you want to advocate SPF, publish an SPF record for your domain, and then register it. Already, 126518 domains have published SPF records [infinitepenguins.net] (at the time of this writing).

By the time the FTC's summit comes around, it's looking like SPF is going to be pretty well established.

Re:Publish SPF now, be the 126519th... (2, Informative)

qtp (461286) | more than 10 years ago | (#10375270)

I'd like to know how many of those domains actually are applying effective policies.

SPF is great for communicating a domain's policy and for allowing the receiver to check for compliance, but this does little if the originating domain's policy is lax (or worse, "no policy"). This brings us back to what I have seen as the heart of the SPAM problem since the beginning: ISPs are all for protecting their users from SPAM, but as soon as you ask them to do something about spam originating from within their domain, they act as if nothing can be done. Only if the ISP is willing to set an effective policy, and is willing to take measures to enforce it, does SPF help to reduce spam.

That said, SPF does appear to be the most effective and implementable tool that has been proposed for ISPs to use in the fight against SPAM so far. I just hope all of those participating ISPs have admins that are capable of using it effectively.

Re:Publish SPF now, be the 126519th... (4, Interesting)

wayne (1579) | more than 10 years ago | (#10375603)

Actually, I have a list of around 650,000 domains in .COM, .NET and .ORG that have SPF records. These should show up in the SPF Adoption Roll [infinitepenguins.net] Real Soon Now. Surveys of the .DE and .FR TLDs have also been done, but I don't have the results of those.

I'd like to know how many of those domains actually are applying effective policies.

In the survey of the .COM domains, I found the top ten SPF records to be:

159416 "v=spf1 mx -all"
147883 "v=spf1 -all"
51245 "v=spf1 ip4:10.0.0.0/24 ip4:10.0.0.0/24 ?all"
28206 "v=spf1 a:smtp.example.net -all"
21437 "v=spf1 mx ip4:10.0.0.0/19 ~all" ""
19733 "v=spf1 mx ~all"
15245 "v=spf1 a:smtp.example.com ~all"
9488 "v=spf1 ip4:10.0.0.0/24 mx -all"
6371 "v=spf1 ip:10.0.0.0/24 ip:10.0.0.0/27 ip:10.0.0.0/24 ip:10.0.0.0/27 ip:10.0.0.0/27 ip:10.0.0.0/27 ip:10.0.0.0/27 ip:10.0.0.0/27 ?all"
5842 "v=spf1 ip4:10.0.0.0/24 -all"
(I have munged the domain names and IP addresses for privacy reasons.)

As you can see, it is very common to define a strict SPF record with the "-all" at the end. Those domains that use the softfail option of "~all" are somewhat more lax, but still moving in the right direction.

The complete survey results are available to people who follow the IETF MARID list and/or the SPF discuss list. I'm not going to post a link to them here 'cause I don't want to be slashdotted.
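To make the survey above concrete, here is an added example (not code from the poster or from any SPF project) of how a receiving server evaluates records like those listed against a connecting IP. It assumes constructed A and MX data in place of real DNS lookups; the `ip4`, `ip6`, `a`, `mx` and `all` mechanisms with the `+`, `-`, `~` and `?` qualifiers are handled, and an unrecognized mechanism name (such as the bare `ip:` in the sixth record above) yields `permerror` rather than a match.

```python
import ipaddress

# Constructed stand-in for DNS (not real data): host -> A records, domain -> MX hosts.
A_RECORDS = {
    "example.net": ["192.0.2.10"],
    "smtp.example.net": ["192.0.2.25"],
    "mx1.example.net": ["192.0.2.30"],
}
MX_RECORDS = {
    "example.net": ["mx1.example.net"],
}

# Qualifier prefix -> SPF result when the mechanism it prefixes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # e.g. "ip4:192.0.2.0/24"
        terms.append((qualifier, name.lower(), arg))
    return terms


def ip_in_hosts(ip, hosts):
    """True if ip equals any A record of any host in hosts."""
    return any(ip == ipaddress.ip_address(a)
               for h in hosts for a in A_RECORDS.get(h, []))


def mechanism_matches(name, arg, ip, domain):
    """Decide whether one mechanism matches the sending IP."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # Mismatched address families never match; no exception is raised.
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return ip_in_hosts(ip, [arg or domain])
    if name == "mx":
        return ip_in_hosts(ip, MX_RECORDS.get(arg or domain, []))
    raise ValueError(f"unknown mechanism: {name}")


def check_host(record, sender_ip, domain):
    """Evaluate terms left to right; the first match decides, else 'neutral'."""
    ip = ipaddress.ip_address(sender_ip)
    try:
        for qualifier, name, arg in parse_record(record):
            if mechanism_matches(name, arg, ip, domain):
                return QUALIFIERS[qualifier]
    except ValueError:
        return "permerror"                   # malformed record or unknown mechanism
    return "neutral"
```

A receiver that rejects on `fail` therefore blocks forgeries only for domains publishing `-all`; a `~all` or `?all` record leaves the decision to local policy.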

Here's the system... (3, Interesting)

RecycledElectrons (695206) | more than 10 years ago | (#10375054)

Every eMail that is sent (by SMTP - the Simple Mail Transport Protocol) should be considered "unconfirmed." This means that it may or may not be from the return address.

I propose that we add a new layer called CMTP - the Complex Mail Transport Protocol.

CMTP simply takes an unconfirmed eMail (sent by SMTP) and sends a packet back to the sender. This packet asks for verification of the message. The packet includes a checksum, the length, to, from, subject, and the time/date that the eMail was sent.

The sending mail server receives this CMTP packet, checks all of that information, and replies with a CMTP confirmed message or a CMTP not confirmed message.

There is no limit on the number of times that a mail server may be asked to confirm an eMail. There is a limit that messages should not be confirmed more than 24 hours after they are sent. This may pose a small problem in that SMTP does not place a time limit on mail messages.

CMTP does require that every mail server maintain a list of the eMail it has sent. That COULD be time consuming.

CMTP also adds 2 packets to every eMail sent. SMTP was designed to be dead simple. They thought that they could not afford 2 extra packets. In that time, eMail was 80% of all internet traffic. Today, eMail is such a small percentage of all traffic that tripling it would not be noticed.

Andy Out!
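As an added illustration of the exchange proposed above (this is not the poster's code, and CMTP is not an existing protocol), here both sides are modelled in one process: the sending server keeps the log of sent mail the post requires, the receiving server builds a confirmation request from the checksum, length, to, from, subject and send time, and the sender answers CONFIRMED only if every field matches and the 24-hour limit has not passed. Field names, the SHA-256 checksum and the in-memory log are assumptions for the sake of the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

CONFIRM_WINDOW = timedelta(hours=24)   # the post's 24-hour confirmation limit
CHECK_FIELDS = ("to", "from", "subject", "length", "sent_at")


def checksum(body):
    """Checksum of the message body carried in the confirmation packet (SHA-256 assumed)."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class SendingServer:
    """Keeps a record of everything it sent so it can answer confirmation requests."""

    def __init__(self):
        self.sent = {}                     # checksum -> metadata of the sent message

    def send(self, to, frm, subject, body, when):
        """Send over (simulated) SMTP and log the message for later CMTP checks."""
        meta = {"to": to, "from": frm, "subject": subject,
                "length": len(body), "sent_at": when}
        self.sent[checksum(body)] = meta
        return {"to": to, "from": frm, "subject": subject, "body": body, "sent_at": when}

    def handle_confirm_request(self, req, now):
        """CMTP reply: CONFIRMED only if the log matches and the message is < 24h old."""
        meta = self.sent.get(req["checksum"])
        if meta is None:
            return "NOT CONFIRMED"         # never sent from here (forged sender)
        if any(meta[f] != req[f] for f in CHECK_FIELDS):
            return "NOT CONFIRMED"         # headers or length were altered in transit
        if now - meta["sent_at"] > CONFIRM_WINDOW:
            return "NOT CONFIRMED"         # too old to confirm
        return "CONFIRMED"                 # may be asked any number of times


class ReceivingServer:
    """Holds an unconfirmed SMTP message and asks the claimed sender about it."""

    def build_confirm_request(self, msg):
        return {"checksum": checksum(msg["body"]), "length": len(msg["body"]),
                "to": msg["to"], "from": msg["from"], "subject": msg["subject"],
                "sent_at": msg["sent_at"]}

    def verify(self, msg, claimed_sender, now):
        """Round trip: request -> claimed sender's reply."""
        return claimed_sender.handle_confirm_request(self.build_confirm_request(msg), now)


def demo():
    """Constructed scenario: one genuine message, one forgery, one stale confirmation."""
    t0 = datetime(2004, 9, 28, 12, 0, tzinfo=timezone.utc)
    sender, receiver = SendingServer(), ReceivingServer()
    msg = sender.send("bob@example.org", "alice@example.net", "hi", "see you at 5", t0)
    forged = dict(msg, body="wire me money")          # same headers, altered body
    return {
        "genuine": receiver.verify(msg, sender, t0 + timedelta(hours=1)),
        "forged": receiver.verify(forged, sender, t0 + timedelta(hours=1)),
        "stale": receiver.verify(msg, sender, t0 + timedelta(hours=25)),
    }
```

Note that the receiver must find the claimed sender's server on its own (for instance via the sending domain's MX), since trusting an address supplied in the message would defeat the check.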

Re:Here's the system... (2, Insightful)

PitaBred (632671) | more than 10 years ago | (#10375192)

For any email server with a moderate load, do you even realize how much computation that is? Checksumming isn't a trivial process computationally. Besides, it'd make spam even easier. The checksums, etc. would all be the same, so all I'd have to do is respond with a canned reply to any query on a spam I (theoretically) sent. All the while this imposes a PENALTY on LEGITIMATE mail, because of the necessary individual calculations.
Nice idea. It has some major flaws, though.
And according to NetFlow [internet2.edu], mail still accounts for 1.19% of all packets, which isn't anything to sneeze at.

Getting rid of spam is easy... (0, Troll)

Anita Coney (648748) | more than 10 years ago | (#10375086)

There are two ways to get rid of spam. Stopping spammers and stopping people from buying via spam. The former never works because spammers will always find ways around it. The latter could work, here's how:

First, equate spam with child pornography and terrorist activity. Get Congress to make it illegal to buy products via spam. Start arresting and imprisoning those who do buy via spam. After a couple years, spam will stop.

Re:Getting rid of spam is easy... (1)

Lumpy (12016) | more than 10 years ago | (#10375186)

First, equate spam with child pornography and terrorist activity. Get Congress to make it illegal to buy products via spam.

Why, that will not motivate anyone.

Equate spam with violating copyright and hacking. That way we will get jack-booted ATF thugs busting down their doors, they get held in prison without a trial for months, and laws making it worse than outright murder get passed.

Child pornography and terrorist activity do not excite anyone in Congress; that is why they pretty much ignore it. Yet they want to almost enact the death penalty for "hacking" and downloading and sharing a bad pop music song.

Sorry but getting the government involved is the worst thing to do.

Re:Getting rid of spam is easy... (1)

Anita Coney (648748) | more than 10 years ago | (#10375225)

Actually, my entire post was a joke. Sort of a parody on what's happening to P2P technology. Sorry it wasn't funny enough.

Re:Getting rid of spam is easy... (1)

JudgeFurious (455868) | more than 10 years ago | (#10375307)

A dead spammer wouldn't find a way around it.

And yes, I have absolutely no problem voting in favor of capital punishment for sending spam. For that matter you could tack on writing a virus to that and I'd still be for it.

Re:Getting rid of spam is easy... (1)

statusbar (314703) | more than 10 years ago | (#10375614)

Great! Then I can get you "capital-punished" if I can hack in, change your SPF record, send spam that looks like it is from you. What other proof would be necessary?

--jeff++

As if you didn't already know this was important.. (3, Interesting)

museumpeace (735109) | more than 10 years ago | (#10375089)

Let me underscore the impact the conference is likely to have by pointing out that when NIST speaks, the DOJ listens. Here is a quote from a rejected submission of mine that found other documents NIST has authored that Ashcroft and co. now use.
Feeding the fascination many /. readers may have for the escalation of technique and counter-technique between hackers and computer forensics experts may not be as valuable as keeping clues about how to avoid getting caught out of the hands of the hackers, but I just can't resist...
Sciencedaily.com [sciencedaily.com] pointed me to something hackers and other criminals might want to study carefully: the PDF guidebook that NIST wrote [ncjrs.org] for the DOJ's first responders to computer crime scenes. Though it has John Ashcroft's name at the top, a glance at the document's timeline shows that it was authored by experts mostly from outside the DOJ and completed before the current administration's appointments: the imprimatur of the Justice Department on the document may not be ironic.

Drat! I'm gonna get modded for flamebait but with a sig like mine, who'd notice?

Email's role on the net (3, Insightful)

Schezar (249629) | more than 10 years ago | (#10375117)

Let's face it: Email doesn't (and can't) fill the role it used to.

There was a time when you shared your email address with everyone. It was on your resume, it was on your web page (if you had one), it was in your sig. Email was the universal, simple, fast, reliable communication medium of the internet.

I used it to get my friends together on a weekend. I used it to organize events and meet people. I used it to share information.

Nowadays, IM fills that role. I've realized that nearly everything I used to use email for can be done just as easily over IM. It's reliable, fast, relatively secure, easily encrypted, etc... Furthermore, it is largely immune to spam for a number of reasons.

I find now that I only use email when registering for something (throwaway address), or for confirmation when I purchase something online. Everything email used to do, IM can do (if used properly... Staying online, logging, offline messages, confirmation, not using the AOL client, etc...)

IM is by-and-large safe from SPAM due to the numerous restrictions placed on its use. Rate limits, authentication, etc... These things provide a layer of security, but also a layer of inconvenience.

Were email to incorporate such restrictions, it would remove the last reason in the world to even be using it in the first place! Email is completely open. If email were to be restricted, it would become nothing more than a slower version of the current capabilities of IM.

Re:Email's role on the net (4, Insightful)

praedor (218403) | more than 10 years ago | (#10375394)

Yeah, right. IM. Pa-leeze. IM requires that the person you seek to contact has their fat ass planted 4-square in front of their computer or leaves it on 24/7. Email is very nice. It works regardless of the type of client you have. It will sit there waiting for you to check it, perhaps after a vacation, after actually getting off your ass and away from the computer to exercise, or whenever you decide to either fire up the computer or turn on your email client. Oh...IM also requires that your contactee be somewhat in the same timezone (besides sitting on their ass forever awaiting IM messages). Try to IM from California to NYC late in the afternoon. Try to IM someone on the opposite side of the globe.


IM is cute, it is a nice way to reduce your productivity at work and waste time "chatting" back and forth about unimportant nonsense (movies, your new pants, the hot chick from apartment A, etc). Email ain't going away, and it most assuredly won't be replaced by IM, Jabber, IRC, ICQ, Yahoo Messenger, etc. Email works regardless of software/hardware platform, has no proprietary hooks in it (Microsnot tried with their SenderID scheme to add a proprietary hook into email). Nothing beats email for convenience and easy time-shifting.

Re:Email's role on the net (1)

Have Blue (616) | more than 10 years ago | (#10375504)

Authentication? Most IM programs can be configured to store the necessary password and server information, so this only has to be done once.

The real difference between email and IM is that the former is store-and-forward and the latter is direct transmission. Real-time email conversations are the exception, not the norm, and people are often completely unavailable through IM.

A 100% open, anonymous, and unrestricted communications medium (like email) is not feasible in the real world in the long run. It's too easy to abuse and too hard to counter said abuse, and both of those traits tend to become stronger as the pool of users grows.

No mention of sender pays (3, Interesting)

gr8_phk (621180) | more than 10 years ago | (#10375129)

There was no mention of sender pays postage as a solution. Anything that prevents anonymous email has an inherent central control which the internet doesn't need more of.

Re:No mention of sender pays (1)

otis wildflower (4889) | more than 10 years ago | (#10375542)

There was no mention of sender pays postage as a solution.

Sender pays _today_. You can't send a single email without a data line and at least client software running on some form of computer. All these things cost money to _someone_ at some point, so while the sender costs are minimal they exist. And yeah, they don't pay per-msg postage. The point is there's no reason to have two extremes: untrusted anonymail _or_ per-message postal fees. It's a false dichotomy, which only benefits those that hold those positions.

Anything that prevents anonymous email has an inherent central control which the internet doesn't need more of.

Fair enough, there should always be an option to send mail anonymously. However, don't be surprised if anonymail becomes an Nth-class citizen if we start ranking transports and exchangers by trust.

Why the FTC (0)

Anonymous Coward | more than 10 years ago | (#10375144)

Isn't this an issue for ICANN/VeriSign? Why is the FTC spreading to the Internet??? Hmmmm....

I know... XSMTP (1)

hey (83763) | more than 10 years ago | (#10375147)

Clearly the solution is to change SMTP to XML. It's so old-fashioned that it uses a line-by-line conversation. I propose XSMTP, which goes like this:

[xml]
[huge header]
[line value=helo]
[/xml]

That oughta fix it.
I am joking.

Re:I know... XSMTP (0)

Anonymous Coward | more than 10 years ago | (#10375250)

Your proposition is accepted. Now go back to work!

FTC A Global Entity? (3, Insightful)

Muerte2 (121747) | more than 10 years ago | (#10375155)

Last time I checked, email was a global technology. Am I the only one that thinks it's strange that the FTC (an entirely US organization) is making decisions about something like this? Isn't there a more appropriate international technology body that should be handling this? Ultimately this will have to become an ISO standard to get implemented across all mail serving platforms. Wouldn't it make sense to get a global consensus before the US starts making decisions about how best to deal with SPAM?

I live in the US, but if I didn't I wouldn't want the US government telling me how to handle SPAM.

spammers demand a clarification (0)

Anonymous Coward | more than 10 years ago | (#10375175)

The FTC will be accepting public comments until Sept. 30, 2004 via snail-mail or email (authenticationsummit at ftc.gov).

It won't be too long until this email is bombarded by zillions of Nigerian scam zealots commenting on whether the FTC should really go on with this plan and whether it is a good move in front of the national economy.

MX certification (1)

otis wildflower (4889) | more than 10 years ago | (#10375228)

IMHO the real way to lock mail down is to use PGP keys to authenticate legitimate MXs, and blacklist/expire certs that misbehave. Add an X header that signs the payload hash with its own seckey, then send to the destination to have it verify before delivery.

'Trusted' sources (including national post offices) could generate and certify keys for these servers, and expire/blacklist them if they're abused. Put the pubkey into a DNS record for the MX.

Legacy mail not in this system could be flagged as 'untrusted' and jailed appropriately.

Or, to be super cheap... (1)

otis wildflower (4889) | more than 10 years ago | (#10375453)

(bad form to self-reply, I know :p) ... How about those 'trusted' sources running DNS servers that provide MX resolution for domains? Granted you'd need DNSSEC to trust them that far (and RFC3445 kinda kills the 'put the key in DNS' idea), but the USPS, various national posts, UN, verisign, etc could run DNS servers that handle MX resolution for domains so you can point your MX configuration at those domain servers à la the RBL. Extra sneaky points to building an entire root DNS dedicated to MX.

It's more of a TWL (Trusted Whitehole List) than an RBL (Realtime Blackhole List).

Of course, it goes without saying that all of this is pissing in the wind as long as people's pain threshold is still higher than the bother of implementing all this.

Spam solution (0)

Anonymous Coward | more than 10 years ago | (#10375464)

Why can't this work? You sign up for an e-mail account. Let's use MSN Hotmail as an example. You get your username. So it's username@hotmail.com. Then you get a selection of keys. Perhaps you have username@291.hotmail.com. This key could be set to temporary (such as one week) or permanent (requires manual removal). Then there would be a catch-all option, which would catch all e-mail sent to username@hotmail.com AND username@*.hotmail.com. Perhaps you have username@452.hotmail.com for contacts that are your friends. Or maybe username@news-me.hotmail.com for whenever you contact a news station. This would really hurt spammers, as now they can't simply hit a username, but must also hit all possible combinations for that specific username.

Re:Spam solution (2, Interesting)

realmolo (574068) | more than 10 years ago | (#10375654)

Yeah, a few of the webmail providers do exactly what you're talking about. They generally call them "temporary addresses".

It works, but it makes using email more complicated, and it creates a situation where even MORE e-mail traffic is going to be flying all over the place, mostly to all those disabled temporary addresses.

What we really need is a single registry for email servers, similar to how DNS works now. If you want to run a mail server (and not have your mail rejected by other servers), you need to "register" it with some big, monolithic organization. If you're not on the authorized list, you get rejected.

Yeah, that kills the "openness" of email. You'll no longer be able to set up a usable mail server without jumping through some verification hoops. But so what.

Isn't this a bit too late? (2, Insightful)

irate_canadian (619208) | more than 10 years ago | (#10375565)

I don't know about everyone else - but I hardly notice spam anymore. I mean, between gmail, thunderbird, and even hotmail (obviously not a definitive list) - I don't see it anymore. It's all filtered out automagically. I think this is a case of the government, once again, being a bit too slow on the uptake. Thanks for the thought guys, but we seem to be dealing with it fine ourselves.