Slashdot: News for Nerds

Meng Wong's Perspectives on Antispam

samzenpus posted more than 8 years ago | from the no-more-online-pharmacy dept.


netscoop writes "CircleID is running an interesting blog by Meng Wong, best known as the lead developer of the anti-spam authentication scheme, SPF. While touching on various recent hot issues, Meng has this to say about phishing: 'The final solution to the phishing problem requires that people use a whitelist-only, default-deny paradigm for email. Many people already subscribe to default-deny for IM and VoIP, but there is a cultural resistance to whitelist-only email -- email is perceived as the medium of least reserve. I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.' Right or wrong, definitely worth a read."



Not All People (4, Insightful)

John Hasler (414242) | more than 8 years ago | (#14729124)

> "The final solution to the phishing problem requires that people
> use a whitelist-only, default-deny paradigm for email."

No, the final solution to the phishing problem requires that stupid, gullible people use a whitelist-only, default-deny paradigm for email.

Of course, that includes most of the human race...

Re:Not All People (1)

mctk (840035) | more than 8 years ago | (#14729175)

Okay! That sounds great! Where do I sign up? Do you need any personal information?

Racist!! (4, Funny)

EmbeddedJanitor (597831) | more than 8 years ago | (#14729210)

People dumb enough to get phished probably think that whitelisting is something to do with the KluKluxKlan.

Re:Not All People (1)

TheGhostOfDerrida (953992) | more than 8 years ago | (#14729323)

I believe that the final solution actually has to do with some sort of social cleansing... maybe that's what's implied? interesting diction... wonder what Freud would say...

Re:Not All People (2, Informative)

Anonymous Coward | more than 8 years ago | (#14729362)

OK, oh so smart one. I'm so happy that you won't be fooled. The problem for the rest of us is that the phishing attempts are getting better, and legitimate email sometimes looks phishy.

Take this quiz [] to see what I mean.

Re:Not All People (0)

Anonymous Coward | more than 8 years ago | (#14729400)

The answer to all of the above is: Ignore the email and go to the companies site yourself (and don't get their url from the email). Do I win?

Default deny is dumb. (5, Insightful)

khasim (1285) | more than 8 years ago | (#14729125)

To stop phishing, the banks and such have to STOP using email to communicate with their customers.

The banks have your home address and your phone number.

The only reason they use email is because it is incredibly cheap and allows them to attach advertising to their messages.

If the banks were responsible for any losses due to phishing, you'd see them drop email overnight. Once the cost exceeds the benefits, it's gone.

Re:Default deny is dumb. (1)

John Hasler (414242) | more than 8 years ago | (#14729159)

My credit union has never started communicating with me via email. I wish they would use email for some purposes, though of course I would want it signed and encrypted with GPG. That isn't going to happen.

They're being smart. (1)

khasim (1285) | more than 8 years ago | (#14729192)

Because you know that they have never used it, you will be VERY careful if you ever receive a message claiming to be from them.

Once they do start using it, they lose that edge.

Something that has never happened before attracts a lot more of your attention than something that happens frequently. Something that happens frequently, but is a bit different this time, may be missed.

Re:They're being smart. (1)

jonwil (467024) | more than 8 years ago | (#14729252)

I have never been with a bank that uses email for communication.
All banks I have been with use physical mail or messages sent through the online banking.

Re:They're being smart. (1)

eric76 (679787) | more than 8 years ago | (#14729473)

My bank sends out notices of their yearly hot dog luncheon in the parking lot by e-mail. I don't think they send any other mailings by e-mail.

Re:Default deny is dumb. (1)

geekoid (135745) | more than 8 years ago | (#14729258)

It depends on what they are communicating.
For example, something like:

"We have detected an anomaly with your account, please contact your local branch immediately" is pretty harmless.

Sending "We detected an anomaly with account number 4856846353a34, please call 180005556565" is not harmless.

Or even: "Please check your account for important information", and don't provide a link.

Re:Default deny is dumb. (1)

nbert (785663) | more than 8 years ago | (#14729425)

Reminds me of ICQ - afaik they have never used their own service to contact their members. Nevertheless I've been receiving something like this every week since '97: "ICQ is going to charge a monthly fee if this message isn't forwarded to at least 10 people on your contact list". While it is a widely known fact that ICQ is still free and that no company would ever put such decisions to customer feedback like this, some people still seem to buy this kind of crap (otherwise I wouldn't receive it).

Nothing wrong about PGP. One can dream...

Re:Default deny is dumb. (2, Informative)

chill (34294) | more than 8 years ago | (#14729165)

My bank doesn't have my home address, they have a PO Box. They do not have a phone number for me. I also have several friends who've retired and live on the road, in RVs. They have no permanent address. Hell, in the State of Oregon you can even change your address on your DL to read "Transient" if you live in an RV.

I deal with my bank via ATMs, direct deposit and e-mail and that is the way I prefer it.


Re:Default deny is dumb. (3, Funny)

geekoid (135745) | more than 8 years ago | (#14729242)

Yes, because nobody did that before the internet....

I would be interested to know what bank allows only a PO Box for an account. I have some friends who say they need to get 15,000,000 into the country since a forgotten relative of mine died.

Re:Default deny is dumb. (2, Interesting)

chill (34294) | more than 8 years ago | (#14729359)

To open a bank account I had to show up in person and give them two forms of ID (DL and Passport in my case). It *is* possible to open an account via a telephone, but you'll have to have photocopies of your IDs notarized and faxed/mailed in.

Use an address of a relative with the same last name or a PO box for the initial correspondence and then put in a "moved, no forwarding address" card. Voila! No address on record. Until they try and mail you something, they'll never know. I had an account with a Credit Union for almost 2 years with them having no address on record (and they knew it). I finally gave them a PO box when they needed to mail me another debit card because my first one had expired.

Check out [] for info on how a U.S. Citizen can open a Canadian bank account for even more privacy.


You don't need email for that. (1)

khasim (1285) | more than 8 years ago | (#14729272)

The banks can still deal with you by having a login to their system (as most do now) where you can check your balance and such (and even send messages to their staff and receive them).

There, almost all the functionality and none of the phishing issues.

Re:You don't need email for that. (1)

chill (34294) | more than 8 years ago | (#14729328)

Correct. This is the method I use for most of my interaction with the bank. They even have an "opt out" of mailing you your written statements. Instead, I get an e-mail telling me the monthly statement is available online on their secure system.

Snail mail is also easy to fake (2, Interesting)

EmbeddedJanitor (597831) | more than 8 years ago | (#14729298)

It is not so much the communications as providing online services. You can con someone with snailmail just as easily as conning them with email. The difference is that it is easy to understand the postal paradigm. If you got a letter saying "Please sign all the checks in your checkbook and post them to Ima Crim at POBox xxxx" very few would do that.

However, very few people understand security or the distinction between their computer and what's on the internet. To many it is just "the computer", and part of "the computer" does not work when it isn't dialled up. Many can't understand the distinction and will dial up anyway, even to play Solitaire, "just to be sure". With broadband the distinction is even more blurred.

Whitelisting is not going to be effective because it disrupts the normal flow of email and is too complicated for most people to do effectively, so most people will just disable it. They'll end up with a false sense of security.

Institutions in many countries already don't (1)

Via_Patrino (702161) | more than 8 years ago | (#14729303)

Bank institutions in many countries already don't use email to communicate with their clients. In my country they all spontaneously agreed on that.

But, unfortunately, people seem not to know this...

Re:Default deny is dumb. (1)

Expert Determination (950523) | more than 8 years ago | (#14729369)

Well if the banks digitally signed and encrypted their emails (and it's completely ridiculous that they don't) then there wouldn't be a problem (or at least there'd be less of one). But don't expect encryption and signatures to arrive any time soon - nobody is actually looking for a solution for spam, just making lots of noise about it.

It's not just the fact banks use it. (1)

SeaFox (739806) | more than 8 years ago | (#14729404)

If I might expand on that thought...

The problem with the whitelist solution isn't just that banks and businesses use email to communicate, it's that they don't tell their customers what email address they use to send mail, and most use many. Take eBay for example. I get emails from outbidnotice@ebay, member@ebay, status@ebay, etc., and there's no reason to. Why can't all the emails just come from user-alert@ebay or some other such address and let the subject lines alone tell me what the email is regarding? I can still filter just as effectively. And don't get me started on Sony and their multiple mail servers.

If companies/banks had one email address and made it easy to find out, customers could add it to their whitelist for the email account they give the business. This would stop phishing schemes that use a spoofed address if the email goes to the wrong acct. "Did I give BankofAmerica my Yahoo address, or my Hotmail?". But when a company uses a different email address for every conceivable type of email they send out, it's harder for a customer to tell if something (even with proper SPF records, etc.) asking you to verify your account details is real or not.

If I may expand upon your expansion... (1)

khasim (1285) | more than 8 years ago | (#14729461)

Not only do they do as you say (use different email addresses), but they also use different DOMAINS. I forget if it was Bank of America or MBNA who was the worst offender.

It's like certain banks are doing everything they can to make it easy to defraud their customers.

Umm... (0, Offtopic)

Chilluhm (953659) | more than 8 years ago | (#14729129)

Phishing. Is that like Dead-Heading?

Hmmm (1)

smitty_one_each (243267) | more than 8 years ago | (#14729134)

Six: Let's create a world where the consensus reality is as inclusive as possible.
I dunno. Smart cards are the big new thing in the US Department of Defense.
Inclusive, they are not, but they seem to be quite effective.
Once somebody arrives at a smart card used to implement DRM (quick: trademark DRMstick), society will transition from 'sheep' to 'card-carrying sheep'.

Meh. (5, Insightful)

FhnuZoag (875558) | more than 8 years ago | (#14729140)

If we default-deny email, what do we have left?

In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.

Re:Meh. (0, Offtopic)

slashbob22 (918040) | more than 8 years ago | (#14729183)

On the other hand, there are many times at work where I would like a default deny on my inbox. While only a small amount of it is spam, the bulk of my incoming emails may be considered a waste of time.

Spam emails are not the only source of email nonsense. I was sucked into an email conversation with a person whose workspace is 20m (65 feet) from mine. While the question was valid, a simple walk across the room would have solved the question much quicker than the banter. In the interest of my sanity, I was forced to walk to their area and complete the instruction.

Re:Meh. (0)

Anonymous Coward | more than 8 years ago | (#14729229)

didn't u have intercom?

Re:Meh. (2, Funny)

baylanger (780885) | more than 8 years ago | (#14729412)

If we don't have email for this role, then we need something similar to replace it.

That's an easy one. Just create your own alt.yourname in Usenet! Once the group is created, you'll have plenty of people contacting you!

Re:Meh. (4, Funny)

2008 (900939) | more than 8 years ago | (#14729429)

In the end, it is at times absolutely necessary that complete strangers can contact us without prior warning. If we don't have email for this role, then we need something similar to replace it.

Now, I'm no historian, but I've heard that in the past there was a government provided courier service which would deliver messages on paper for a small fee. Perhaps that would work if we reimplemented it?

Although, being serious, this lacks the (potential) anonymity of email, and involves giving out your physical address. Maybe we can persuade the postal service to provide free, (almost-)anonymous PO Box numbers?

Re:Meh. (1)

sryx (34524) | more than 8 years ago | (#14729478)

If we don't have email for this role, then we need something similar to replace it.

What about things like MySpace? Is that the core of the issue, that valuable and sensitive information comes over the same channel as the ten funniest pictures of cats falling? If someone thinks that a serious offer to change one's PayPal password would arrive over MySpace as a last resort, then that fool and their money really should be separated. -Jason

Nope (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#14729141)

His point of view couldn't be more wong.

Wrong or Wong? (-1, Flamebait)

fewnorms (630720) | more than 8 years ago | (#14729149)

"Right or wrong, definitely worth a read."

Am I the only one who read that as "Right or Wong, definatly worth a read."? :)

Phishing is easy to recognize (5, Informative)

4D6963 (933028) | more than 8 years ago | (#14729153)

Phishing is easy to recognize, well at least for us the leet slashdot geeks.

But I still wonder why mail providers don't scan the typical phishing mails (PayPal and eBay) and check whether the links point to ebay or paypal's site or some obscure IP.

I'm pretty sure that checking such typical phishing mails for their authenticity this way would help rid inboxes of it. My two cents..
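The check 4D6963 describes (does the link in a "PayPal"/"eBay" mail actually point at the brand's site, or at some raw IP or look-alike host?) is simple enough to show in code. The following is an added example, not anything from the post or from any mail provider: it parses the anchors out of a constructed HTML body with the standard library and flags links whose host is a bare IPv4 address or mentions the brand without belonging to it. The brand domains (`paypal.example`, `ebay.example`) and the sample message are assumptions made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body in the style of a PayPal phishing mail.
# "paypal.example" stands in for the brand's real domain.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://203.0.113.7/login">log in to PayPal</a>
to verify your account.</p>
<p>Or visit <a href="https://www.paypal.example.evil-host.test/verify">www.paypal.example</a></p>
<p>Help: <a href="https://www.paypal.example/help">paypal.example help</a></p>
"""

# Domains the checker treats as legitimate for each brand (assumed values).
TRUSTED_DOMAINS = {"paypal.example", "ebay.example"}

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted_host(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks like phishing; an empty list means it passed."""
    host = (urlparse(href).hostname or "").lower()
    reasons = []
    if IPV4_RE.match(host):
        reasons.append("raw IP address")
    if not is_trusted_host(host, trusted):
        # The brand name shows up in the anchor text or the hostname,
        # yet the host is not the brand's own domain: classic look-alike.
        brand_words = {d.split(".")[0] for d in trusted}
        if any(w in (text + " " + host).lower() for w in brand_words):
            reasons.append("brand mentioned but host %r is not trusted" % host)
    return reasons


def scan_html(html, trusted=TRUSTED_DOMAINS):
    """Parse the body and return [(href, reasons)] for every link found."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(href, text, trusted)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_HTML):
        print("SUSPECT" if reasons else "ok     ", href, "; ".join(reasons))
```

The third link passes because `www.paypal.example` is a subdomain of the trusted domain; the second fails because the trusted name is merely a prefix of a longer, unrelated host. Matching on the registrable domain rather than on substrings is what makes that distinction.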

Re:Phishing is easy to recognize (2, Insightful)

powerspike (729889) | more than 8 years ago | (#14729463)

Simple, because they won't know what to allow, and what not to allow, without manually checking all emails.

I received a phishing email the other day. The phishers 1) registered a domain that fitted in with the other domains the bank had, had the complete site down pat, had an SSL cert; the only thing that gave the page away as a phishing page was that the extension was .aspx, and the form submit was a .pl file, and the bank doesn't use that... that was the only difference. I'm quite, quite sure that even a lot of Slashdotters would have been fooled by something that complex. Now if the ISP personnel checking these things don't use the same bank as me, HOW would they know?

Re:Phishing is easy to recognize (2, Insightful)

Hunter-Killer (144296) | more than 8 years ago | (#14729551)

I'm sure someone has already posted this before, but this is a pretty good scenario of techniques used today: []

Snippets of your credit card info (the first part of the card number is usually the same for an issuer's customer base)
Non-obfuscated links (not a link to a .ru domain)
Valid SSL certificate
Valid links to other credentialing organizations

Most of us are aware of the typical phishing attempt. Message from your bank, paypal, ebay, etc asking you to log in to "verify" your info. Old hat.

How about this: You get an email newsletter from Newegg or Amazon. Look, a brand new HP Laserjet printer for only $3.99. Whoa, those guys screwed up! You click the link, and sure enough, the price is valid, though they undervalued the printer by a factor of 100. You're lucky, there's only three left in stock (but don't worry, there's more on the way!) You log into your account; heart pounding, racing to get your order submitted and shipped before the price is corrected.

Congratulations, you've just been hit by a targeted phishing scheme.

Not workable (3, Insightful)

Anonymous Coward | more than 8 years ago | (#14729162)

The thing about email is you either will spend some of your time managing whitelists, or you'll spend some of your time managing spam. Likely some of both. But the idea of moving to a default-deny is not feasible for most people, because you often have to give your contact info out to someone you want email from -- AND YOU DON'T KNOW WHAT THEIR ADDRESS IS! So you can't whitelist them ahead of time. If a human is sending you the email, no big deal. Many times it's not a human (receipt from a company, mailing lists I subscribe to, etc).

Re:Not workable (0)

Anonymous Coward | more than 8 years ago | (#14729235)

I've had a business card that listed my email address and a required subject word that bypassed my default-deny. Worked well until I ran out of cards. Now I have a shiny new email address that doesn't get too much spam. Yet.

Too much trouble (5, Interesting)

squeemey (925509) | more than 8 years ago | (#14729167)

All this trouble would have been avoided by charging for email in the first place.

My proposal:

Charge 3 cents per letter. One cent goes to the ISP sending the mail, one cent to the ISP receiving the mail, and one cent to the recipient.

The ISP on either end would credit/debit the sender/receiver's account.

And watch the spam disappear.

Re:Too much trouble (1)

Anonymous Crowhead (577505) | more than 8 years ago | (#14729208)

If it is even a word: Unimplementable.

Re:Too much trouble (1)

squeemey (925509) | more than 8 years ago | (#14729251)

How so? Your ISP has an account on you. Simple to count your incoming and outgoing emails.

Re:Too much trouble (1)

Anonymous Crowhead (577505) | more than 8 years ago | (#14729264)

How so? Your ISP has an account on you. Simple to count your incoming and outgoing emails.

Well for wait, not worth the effort.

Re:Too much trouble (1)

dsci (658278) | more than 8 years ago | (#14729484)

Problem #1: I don't get my mail via my main ISP; my in-mail and out-mail go via different providers. Surely you're not talking about my ISP monitoring my POP3 traffic to a server they don't own or manage? The plan you describe is very tunnel-visioned in terms of business set-ups. Oh, what about all the intermediate providers that route the mail; there is a load on their systems too, why don't they get a cut?

Problem #2: I get involved in some projects for which we send a LOT of email back and forth between client, contractor(s) and subcontractors. So, even at $0.03 per shot, that needlessly drives up the cost of the project. This means the client has to pay a higher bill, which in turn probably means they charge more for their product.

How are you going to predict at the start of a project how many emails the project is going to take? We could flat-rate the cost, but imo that just adds a needless line item to the proposal.

Problem #3: My ISP currently invoices me for service; you are going to add to the complexity of their accounting system (and overhead on their systems keeping track of who got what email) to manage all this, for PENNIES a shot, and the net result is I pay the ISP a higher monthly rate. What about auditing? What if I show I received 500 legit emails a month and they show I only got 400?

No thanks, I'd just prefer to continue hitting "Delete" on phishing email when it does get past the antispam measures in place.

Re:Too much trouble (1, Insightful)

geekoid (135745) | more than 8 years ago | (#14729224)

Also, you would watch anonymity disappear.
For those of you playing at home who can think beyond your cube, this is a bad thing.

OTOH, charging after the first 1000 emails per day may be a good compromise. Meaning, if you don't have a CC on file, then it won't let you send more.

Re:Too much trouble (1)

squeemey (925509) | more than 8 years ago | (#14729278)

Excellent idea. Let everyone have a minimum number in and out.

Re:Too much trouble (2, Insightful)

Neil Blender (555885) | more than 8 years ago | (#14729243)

Charge 3 cents per letter. One cent goes to the ISP sending the mail, one cent to the ISP receiving the mail, and one cent to the recipient.

The ISP on either end would credit/debit the sender/receiver's account.

And watch the spam disappear.

If it could be done, you might be right. Even so, the game would then change to, "How do I steal all those pennies?".

Re:Too much trouble (1)

njerseyguy (953143) | more than 8 years ago | (#14729290)

Opening the doors for the ISP to collect money per email is lunacy. It is all too easy for them to simply add another cent, here and there, as some sort of a "service charge". Remember that the original income tax in the US started by only taxing 1% of the highest income bracket.

Re:Too much trouble (1)

Yehooti (816574) | more than 8 years ago | (#14729365)

There comes a time when frustration wins and the attitude of, "Do something, anything, even if it's wrong." takes hold. I'm about there.

Charging is worth a try.

Won't work (2, Insightful)

Animats (122034) | more than 8 years ago | (#14729532)

As long as we have a zombie problem, that won't work. Spammers will take over users' PCs and run up their mail bills.

This same problem applies to most source-based mail authentication systems.

Nobody sends spam from their own server any more. That gets the spammer shut down, fast.

There should be no mercy (0, Flamebait)

Pig Hogger (10379) | more than 8 years ago | (#14729168)

There should be no mercy. Banks should positively tell their clients what phishing is. Then, the clients should acknowledge what phishing is; if they do not acknowledge, the banks shall cut their online access. And if ever they fall for a phish, well, tough fucking noogies. They were warned, with proof on file.

Re:There should be no mercy (1)

ljw1004 (764174) | more than 8 years ago | (#14729371)

Then an insurance company will come along that offers phishing insurance against your "tough fucking noogies". And most banks will start bundling this insurance as part of their basic deals to attract customers. And they'll attract more customers and get less bad press than the banks that don't. And so we'll end up exactly where we are now.

Re:There should be no mercy (0)

Anonymous Coward | more than 8 years ago | (#14729567)

Do you really think a bank like Bank of America (which uses SSNs for login IDs) understands the first thing about phishing or any other security issue? How exactly are they going to "tell their clients what phishing is"?

Yeah, that's how to increase security and stop phishing. Place the liability on the customer! Sorry, but banks don't force liability on the consumer because if they do, the consumer will find another bank.

Sane security practices can resolve this problem. Banks should:

1. Preferably not use email to communicate (use messaging through the website instead).
2. If email must be used follow these rules:
a. Digitally sign the email.
b. Encrypt the email if possible/necessary.
c. Provide information about phishing within the email - including a message that the customer should even doubt _that_ email.
d. Not provide any links within the email.
3. NOTIFY CUSTOMERS OF ITS ANTI-PHISHING STRATEGY (e.g. If a bank never uses email, it should tell its customers it never uses email and that all such emails are fake.)
4. Always provide the same look/interface at login (i.e. stop advertising at login - get folks used to seeing the same thing every time they log in to the legitimate site).

Get lost (1)

nagora (177841) | more than 8 years ago | (#14729169)

Phishing isn't a problem for me; I simply ignore any unexpected email that has anything to do with money, passwords or other stuff that has no business being in an unencrypted channel like email.

I do use SPF and other methods to turn away crap at the smtp server (I see by the readout on my screen that I'm currently getting 0.647 emails per second; maybe two of those in a day will look genuine enough to be accepted by the server) but default deny is functionally the same as saying you don't use email.


Considering IP blocking tactics, it's pointless (4, Interesting)

Peter Cooper (660482) | more than 8 years ago | (#14729188)

I think whitelisting is a pretty good idea. My SpamAssassin-oriented setup kinda does things this way. That is, a non whitelisted mail has to be pretty squeaky clean to get through, whereas whitelisted addresses get straight through.

But lately I've been hitting a different problem which totally destroys the point of e-mail in many cases for me. That is, idiotic sys admins who firewall out entire IP blocks for, seemingly, no reason.

Just because someone several machines down the co-lo rack let their machine get hacked is no reason for mail server administrators to *firewall out* entire ranges of IP addresses. Lately I've seen some ridiculous behavior where users of the other mail server can't even e-mail people on MY server because the block is two-way! So I end up with users complaining that only certain e-mail addresses appear unmailable (because only a small percentage of sysadmins are stupid enough to block entire classes) but it's still a major PITA that makes e-mail useless for many people. The worst part is when you complain to these sys admins/ISPs, many of them proclaim innocence and believe they have no blocks.. but it's their upstream provider, etc, etc.

I'm beginning to think that encouraging people to migrate over to systems like 'GMail for your domain' and the like is going to be the way to go. At least Google has teams of people working 24/7 keeping their machines whitelisted. Having the US government able to subpoena your private information is the least of your worries, as long as you can actually e-mail the people you need to.

And no, schemes like SPF do not help this problem, since if they're blocking IP ranges outright at their firewall, nothing can break through that except mail proxying (which I've been considering).

p2p whitelists anyone? (3, Interesting)

fred fleenblat (463628) | more than 8 years ago | (#14729189)

Sometimes I wonder if there is a middle ground in the area of shared whitelists.

If someone tries to email you, and they aren't on your whitelist but they are on the whitelist of someone who *is* on your whitelist, maybe let it through or at least give it some plus points for the filter based on how many degrees away they are.
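The "degrees away" idea in fred fleenblat's post is a breadth-first search over a graph of whitelists. What follows is an added example written for this page, not code from the post or from any mail filter: it computes how many hops separate a sender from the mailbox owner's own whitelist and turns that into a bonus for a spam-score filter, with a per-owner exclusion list so that a friend's friend can still be refused (the objection raised in the replies). All the addresses and whitelists are constructed sample data.

```python
from collections import deque

# Constructed sample data: who each mailbox owner has explicitly whitelisted.
WHITELISTS = {
    "me@example.org":    {"alice@example.org", "bob@example.org"},
    "alice@example.org": {"carol@example.net", "me@example.org"},
    "bob@example.org":   {"dave@example.com"},
    "carol@example.net": {"erin@example.com"},
}

# Senders the owner refuses even if a friend vouches for them (constructed).
EXCLUSIONS = {
    "me@example.org": {"dave@example.com"},
}


def trust_distance(owner, sender, whitelists, exclusions=EXCLUSIONS, max_depth=3):
    """Hops from owner to a whitelist containing sender.

    0 = on the owner's own list, 1 = on the list of someone the owner
    whitelisted, and so on. None = excluded or not reachable within max_depth.
    """
    if sender in exclusions.get(owner, set()):
        return None
    seen = {owner}
    frontier = deque([(owner, 0)])
    while frontier:
        node, depth = frontier.popleft()
        friends = whitelists.get(node, set())
        if sender in friends:
            return depth
        if depth + 1 > max_depth:
            continue
        for friend in friends:
            if friend not in seen:
                seen.add(friend)
                frontier.append((friend, depth + 1))
    return None


def filter_bonus(owner, sender, whitelists, base_bonus=5.0, decay=0.5):
    """Points to subtract from a spam score: full bonus for a direct whitelist
    hit, halved for each additional hop, nothing for strangers."""
    d = trust_distance(owner, sender, whitelists)
    if d is None:
        return 0.0
    return base_bonus * (decay ** d)


if __name__ == "__main__":
    me = "me@example.org"
    for who in ["alice@example.org", "carol@example.net", "erin@example.com",
                "dave@example.com", "stranger@example.test"]:
        print(who, trust_distance(me, who, WHITELISTS), filter_bonus(me, who, WHITELISTS))
```

Note what this does and does not buy: it only scores the address in the From header, so a spoofed From still gets the bonus unless the message also passes an origin check such as SPF; the shared lists are sensitive social data that each participant would have to be willing to publish to their contacts; and the decay factor is what keeps a distant acquaintance's list from opening the door as wide as your own.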

Re:p2p whitelists anyone? (1)

geekoid (135745) | more than 8 years ago | (#14729203)

Good thought, but there would be people on my whitelist whom I would want to exclude.

Instead just use authentication. Not on your whitelist? It sends an email back asking if you are a real person, at which point it puts you on a temp list until you confirm or deny the email.

Re:p2p whitelists anyone? (1)

fred fleenblat (463628) | more than 8 years ago | (#14729238)

right, but what's to keep the spammer/phisher from setting up an auto-responder on a bot somewhere?

Re:p2p whitelists anyone? (0)

Anonymous Coward | more than 8 years ago | (#14729442)

The TMDA (Tagged Message Delivery Agent) page [] addresses just this issue:

Unfortunately, TMDA uses messy addresses that my friends, family and vendors have trouble dealing with. (I had one vendor just pitch the email address because in their system they have to retype the address by hand!)

Re:p2p whitelists anyone? (1)

techno-vampire (666512) | more than 8 years ago | (#14729326)

Instead just use authentication. Not on your whitelist? It sends an email back asking if you are a real person, at which point it puts you on a temp list until you confirm or deny the email.

My ISP does exactly that if you have your anti-spam setting at High. Unless the sender's on your whitelist, it puts the message in a "suspect" folder and emails back a request for authentication. You have (I think; I don't bother with it myself.) 72 hours or so to reply, after which it's presumed spam.

Re:p2p whitelists anyone? (0)

Anonymous Coward | more than 8 years ago | (#14729505)

This is a really good thought - "trust networks" for email. Has anyone thought of this before ? Of course, this would lock you into an email-id but that is not necessarily such a bad thing. And it does not deal with the email-spoofing-by-zombies problem. But it would sure eliminate a lot of crap from the likes of Ivana Likit and Hugo Mungus.

Too easy to fake addresses (0, Troll)

trimCoder (954838) | more than 8 years ago | (#14729212)

I think the main issue that needs to be addressed is the ease of sending mail out as a false address. Default deny is great, except that the spammer will then pretend to be your Aunty Flo.

The simple solution... (0, Troll)

chill (34294) | more than 8 years ago | (#14729213)

...is to have two e-mail addresses. One is whitelist only, and you never "publish" it. Only give that one out to people you want to have it explicitly. Make it clear they are not to share.

The second address is for public consumption. Use that one for everything else, including mailing list subscriptions, site subscriptions, Slashdot postings, and anyone else you even suspect will sell/give away your e-mail address. Ideally this would be something like a Google/Yahoo/MSN address or one from your ISP.

The first address should then be kept pristine and you never have to worry about spam on it. The second would be suspect, but some inbox rules and white/blacklists could clean up most of it.

I've been doing this for 3+ years now and have 0 spam on my private address. Gmail does a good job of keeping the other pretty clean.


Re:The simple solution... (1)

AuMatar (183847) | more than 8 years ago | (#14729299)

Exactly. I even make the private address available in a few places (it's on my resume) and I still haven't gotten spam in years.

bzzzzzzzzzt wrong! (1)

Spy der Mann (805235) | more than 8 years ago | (#14729337)

Even e-mail addresses that are NEVER published are prone to SPAM. Why? Because spammers (or harvesters) scan mail servers by bulk mailing (doh) addresses and collecting those that don't bounce.

I've gotten mails that are completely blank. They have no message, ANYTHING. Why do you think a spammer would send those?

An approach I'd choose to solve SPAM is to ask for the message first, check if the user exists later. This way the mail server could do some filtering and post a "recipient not found" if it's spam.

Re:bzzzzzzzzzt wrong! (2, Informative)

chill (34294) | more than 8 years ago | (#14729397)

Hmmm... I wasn't very specific.

I run my own mail server and have it set to do things like:

*REQUIRE* SSL/TLS + AUTH to send/receive mail if you have an account on my system
Bounce, as if my address doesn't exist, any non-whitelisted e-mail
ClamAV, updated twice daily, just to be extra safe


Re:The simple solution... (0)

Anonymous Coward | more than 8 years ago | (#14729368)

Works great until someone on your whitelist decides to publish your email address on the web (in text, without even rudimentary antispam measures in my case). Happened to me late last year with a conference I was helping to organise, went from 0 spam to 100's/week in a matter of months. Of course, I now have a new whitelist address, which will never, ever, EVER be given to the person in question...

A variant which works well (1)

SysKoll (48967) | more than 8 years ago | (#14729395)

A variant of that approach is to create multiple addresses forwarded to your "real" (secret) mailbox, which you don't give the address of. You personalize the addresses given to banks and other such institutions, with the domain name for instance. If an email claiming to be sent by Chase doesn't have "" in its From field (where xxx is a special string a phisher wouldn't know), then it's phishing. The free offer one implementation. There are others.

Of course, this assumes that the institution doesn't sell its email list or doesn't leave laptops with their unencrypted customer database lying around to be Trojaned or plain stolen. Considering the number of companies that don't have a freakin' clue about security and privacy, that might be a tall order.

Re:The simple solution... (1)

suwain_2 (260792) | more than 8 years ago | (#14729526)

I do something similar, except I haven't had the luck you have. I have my own domain, and tend to give everyone their own address. Amazon gets amazon@mydomain, Slashdot gets slashdot@mydomain, etc. Only friends and family know my 'real' address. And yet I get a bunch of spam there.

But what I've gathered is that someone I know got a virus or whatnot that started harvesting addresses and sent them off to spammers. This is the simplest way I could think of that this could happen. (I now get spam at some really obscure addresses that almost no one should know existed. Unfortunately, they're not limited enough that only one person would know about them.)

I don't really know what's going on, but I'm convinced that there are now address-harvesting viruses/worms going around.

Or maybe just don't click on obvious emails (3, Insightful)

RiffRafff (234408) | more than 8 years ago | (#14729220)

Seriously, it's not that bloody hard to figure out. No legitimate corporation is going to send you emails threatening your account "unless you log on and confirm this information."

Look at it as the digital equivalent of the Survival Of The Fittest.

Education (1)

msbsod (574856) | more than 8 years ago | (#14729221)

I say we should adapt education, not an e-mail whitelist. Some of us try that model for everything else in life.

Whitelist only (1)

putko (753330) | more than 8 years ago | (#14729225)

If you moved to whitelist only email, some clever guy would write something to deactivate the whitelist mechanism -- whatever that took -- and then he'd be sending out highly-effective phishing spam.

Some of it would get through, and the people who'd get it would be far more likely to trust it, as their expectation of trust would be higher.

Similarly, if you get on a plane in the US, the window-dressing security probably makes you less safe: resources are pointlessly consumed when they could be spent on real security, and people "go to sleep" as they figure the security has already been taken care of.

I don't agree. (1)

jaseuk (217780) | more than 8 years ago | (#14729227)

Even the least technically aware people are starting to realise what phishing is and the forms the scams take, and are developing a healthy scepticism of anything that arrives through e-mail. You only have to see a few scams for it to begin to register with people that e-mails may not be genuine no matter how convincing they look. Thankfully, the time taken to reach the current sophistication level has resulted in users having time to become aware of the frauds.

The Nigerian scams have been well covered; receiving eBay e-mail notifications when you don't even have an eBay account, and banking security notices from a bank you don't even bank with, have all raised awareness of the problem. The scams may now be of much higher quality but users are very skeptical. Most non-technical users have always been very wary of online banking and shopping.

I think sometimes we underestimate our users.


What about n00bs? (3, Insightful)

Mr_Tulip (639140) | more than 8 years ago | (#14729301)

What about n00bs? I very recently had to convince a friend that that nice lady from Sierra Leone was not _really_ going to give him $300,000.

He only just got a PC, and has been oblivious to anything computer related for all his life. Suddenly, he gets a PC, an internet account, and he's told to go off and have fun.

Seriously, I sometimes wish you needed a license to operate a computer.

Re:I don't agree. (1)

canuck57 (662392) | more than 8 years ago | (#14729452)

I think sometimes we underestimate our users.

I am not sure how you meant that, in sarcasm?

Users will cut and paste a userlist from Exchange into a questionable site and within days spam doubles for everyone and the user is innocent? I got hundreds of stories like this.

It is why I asked to be off of the "public" work Exchange system.

There are inexpensive solutions that work well and cause spammers grief but you need management support to do it as some user is going to whine that he can't get mail from a porn site when their business is diapers. But in the meantime the same company uses spammers on the false belief it will enhance their business. I wonder if they measure the customers they piss off? Hey Viagra, Cialis where are you?

Let's face it, businesses of all types like spam or in fact they would take rational and earnest steps to change it. Things like user awareness, some firings, rational choices should replace spending on mail filtering, use of spammers to do business and plain apathy of management.

And maybe worse, there are enough lonely users out there that like spam so their mail box is not empty when they get home from work... send a friend an email today!

Spam is a social problem, not a technical one. (5, Insightful)

Futurepower(R) (558542) | more than 8 years ago | (#14729248)

When a problem seems very very difficult, maybe it is being viewed in an incorrect way.

Spam is a social problem, not primarily a technical one, and the solution is social.

Here's a solution that would work if we had a real leader as president of the U.S., and not someone who is only interested in benefiting the rich.

The president could, during a scheduled speech, ask people never to buy anything advertised with unsolicited email. He could talk about several ways such email is dishonest.

It could be arranged that Oprah Winfrey ask people not to buy things from spam. Religious leaders could ask their congregations.

This kind of solution has already worked. Everyone in the world knows to wash their hands; that has become part of human culture. We need to make anti-spam part of human culture.

Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?

Re:Spam is a social problem, not a technical one. (1)

techno-vampire (666512) | more than 8 years ago | (#14729355)

Here's a solution that would work if we had a real leader as president of the U.S., and not someone who is only interested in benefiting the rich.

The less people spend on spamvertized junk, Nigerian scams, phishing and other fraud, the more they have to spend on legitimate merchandise and services, often sold by businesses owned by rich people. Thus, cutting down on spam benefits the rich.

I meant the corrupt rich. (1)

Futurepower(R) (558542) | more than 8 years ago | (#14729435)


I didn't mean the good rich, who earned their money honestly, I meant the corrupt rich, like spammers and illegal lobbyists.

Scott Lockwood: Feces King of Chicago (0)

Anonymous Coward | more than 8 years ago | (#14729257)

Ever been to Vlad's house? I have. Here's what it is. Wall-to-wall three-foot piles of human shit. Puddles of urine everywhere. Infants and toddlers living in feral conditions. Human suffering unseen anywhere outside of sub-Saharan Africa. This is the truth. This is the face of Vlad, a wretched, sorry son of a fuck if there ever was one.

Re:Scott Lockwood: Feces King of Chicago (0)

Anonymous Coward | more than 8 years ago | (#14729268)


We need SERVER authentication, not user (2, Interesting)

realmolo (574068) | more than 8 years ago | (#14729266)

Seriously. Just create a central database of "valid" mail servers. Require anyone that wants to run a mail server to pay $25/year, and go through a "verification" process that shows they aren't spammers, and that their servers are set up correctly.

Anytime an e-mail is sent, the receiver checks to see if they're in this "master database", if not, their mail is dumped. Obviously, you'd have some kind of public key encryption going on to prevent spoofing.

Now, creating a central authority for mail servers would be difficult, but it's a hell of a lot easier than trying to change things on the CLIENT side.

As for those of you saying "But I want to run my OWN mailserver! Why should I have to pay! And what if I want to run it in a way that doesn't meet the standards!".

Well...fuck off. You don't need to run your own mailserver. There's just no valid reason to do so.

Re:We need SERVER authentication, not user (3, Insightful)

suwain_2 (260792) | more than 8 years ago | (#14729415)

I don't think this would work in practice.

Many hosting companies can fit 300+ clients onto one server. It's not uncommon for someone to sign up and start using the account for spam. Most hosting companies take a very strict stance on this, and will immediately close the account. But spammers know they'll get a bit of spamming in before they're stopped.

The problem is that the hosting company could show that their server wasn't being used for spam, but there's nothing stopping someone from beginning to use it that way. Not only would your method still allow spam, but it would, in theory, mark the spam as being entirely legitimate e-mail. Now imagine the e-mail wasn't spam, but phishing e-mails, marked as having come from an approved server.

In addition, a server could 'turn' bad. I could register a server, and for a month or whatnot show you that I wasn't a spammer. One day I could just start spewing spam. $25/year really wouldn't be an impediment to too many spammers.

Plus, some random organization (the e-mail certifiers) would be making a boatload of money, and would essentially have complete control over who could send mail and who couldn't. (Technically, people could ignore this whitelist. Just like you could, technically, ignore the existing .com database and start your own.)

And there are plenty of valid reasons for running your own mailserver. My home ISP used to suck. My school now uses Lotus, which seems to not allow POP/IMAP access, and insists on a bloated e-mail client that really doesn't work well in anything but IE. (Even though it's supposed to.) There are spam filters, but they're not catching any of my spam; in fact, the only mail that it ever caught was a couple messages from one of my professors. Is this not a valid reason to run my own mailserver?

I'm sorry, but I really don't feel that this idea is as good in reality as it looks on paper.

Re:We need SERVER authentication, not user (1)

realmolo (574068) | more than 8 years ago | (#14729470)

Why would the hosting company allow anyone on their system that sends spam? That would be part of the "verification" process I talked about: if you, as a hosting provider, are known to allow all kinds of spammers to use your system, you don't get on.

Yeah, you could still have individual USERS sign up for e-mail accounts, and use those to send spam, but those accounts can easily be deactivated. Plus, how many spammers are going to pay for a new e-mail account every day, just to send out a few thousand spam mails before they get de-activated? As far as needing to run your own mailserver because your ISP/employer/whoever has a crappy one...

Again, that would be part of the verification process. There would be STANDARDS for what a mailserver has to support/not support. There wouldn't BE any "bad" mailservers, because they wouldn't pass the tests.

To my mind, the whole problem with the current e-mail system is that there is no accountability at any level. It's impossible to point fingers at anyone. Until that is fixed, spam won't go away.

Re:We need SERVER authentication, not user (1)

dsci (658278) | more than 8 years ago | (#14729562)

You don't need to run your own mailserver. There's just no valid reason to do so.

Says you.

Is that really what we want the Internet to be? I thought the idea was to make information flow as freely (as in unhindered) and reliably as possible? Now you are proposing that there are services I CANNOT/SHOULD NOT run on the 'Net because YOU don't think I have a valid reason to do so?

How's this for a valid reason to run my own mail server: I own a business and I want the flexibility to configure things best for my situation. I don't have to pay/depend on anyone outside my own organization to get done what I want done. I want virtual users mapped a certain way. Done. I want aliasing done a certain way? Done.

freudian slip (0)

Anonymous Coward | more than 8 years ago | (#14729284)

Am I the only one to have read the title several times as "Men's wong..." and not made any sense of it?

Wait a minute (1)

pHatidic (163975) | more than 8 years ago | (#14729288)

The final solution ... requires that people use a whitelist-only

Where have I heard this before?

Bank of America has a solution (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14729315)

Bank of America recently implemented a feature where you get to select a random image and enter a phrase of your choice. Then on the screen where you enter your password, they display the image and text you chose, so you can be sure you're logging into the right place. Pretty nifty.

SPAM for Dummies, Vol 2 (2, Interesting)

texaport (600120) | more than 8 years ago | (#14729338)

Use a "graylist" for webmail clients: Highlight anything in an Inbox from a user or entity that has never mailed you.

It provides useful service for legitimate mail (first contact) while making spam stand out even more than already.

The smartest thing a spammer could do is send out a fake first mail, but then the user can already blacklist them.

GMAIL certainly could implement it, while Yahoo and Hotmail probably have the capabilities if they'll admit to it.

It demands nothing of the end user other than admitting that you've given up privacy in order to get free webmail.

Banks should not use email (4, Insightful)

jonwil (467024) | more than 8 years ago | (#14729347)

Or if they do use email, they should use a digital signature that can be traced back to the bank and 100% verified.

A big education campaign would also help (i.e. "never trust emails claiming to be from this bank" or "only trust emails claiming to come from this bank if the digital signature was valid" along with "never follow links in any emails claiming to be from this bank" and "If the email is legitimate, the same information will be available by logging into the online banking and checking the messages")

If I got an email claiming to be from my bank, I would probably delete it. If the information was genuine, it will appear on my online banking and/or a physical letter too.

VoIP and IM comparison is flawed (1)

chipace (671930) | more than 8 years ago | (#14729366)

VoIP and IM are interactive means of communication, whereas email is quite asynchronous. Of course you have to whitelist VoIP and IM, or else you would have to be online all the time.

I knew someone named Meng Wong in college (1)

brian0918 (638904) | more than 8 years ago | (#14729392)

I doubt this is her... All I remember her for was asking "Does the Black Hole suck in all the matter?!?" in a physics course, and the professor replying "There are only 3 kinds of orbits. There is no suck orbit."

mens wrong perspectives on antispam (0)

Anonymous Coward | more than 8 years ago | (#14729443)

a quick glance read:

mens wrong perspectives on antispam


Whitelist only for business e-mail? (1)

noidentity (188756) | more than 8 years ago | (#14729444)

Why not have your personal e-mail address for all non-official things, without whitelisting, and a business e-mail address that only accepts e-mail from your whitelist? That way if you get something claiming you need to update account information or whatever and it's to your personal e-mail address, you know it's fake. Businesses have no business (ha) contacting you unless you have prior contact with them, so you will add them to your whitelist before you give them your e-mail address.

In geek terms, personal e-mail = non-executable; business e-mail = executable (metaphorically speaking, not actual executable binary content).

Mess with them back! (1)

BlueScreenOfTOM (939766) | more than 8 years ago | (#14729447)

I like messing with the Phishers, by leaving usernames like "ScrewYouBastards" with passwords like "IHopeYouDie". On a related note, ever seen [] ? They mess with the Nigerian 419 spammers with the theory that, by wasting their time, that's one less person they can scam.

It Really Isn't That Simple (2, Insightful)

Llywelyn (531070) | more than 8 years ago | (#14729454)

I recently attended a conference for a large project that multiple companies are involved in. While there, I listed my email address with the express intent of having an individual contact me later with the minutes from the meeting and any additional information that may come along.

If I had a default-deny system, I would need to know what email address I would be mailed from, which I don't think they were organized enough to know ("someone loosely affiliated on some level with MITRE" isn't a valid whitelist criterion). When the emails did go out, many people hit "reply-all" and I was included in the discussion. I would need a client that was smart enough to figure out that I wanted to receive any replies to those messages.

Then there is the ever-present problem of "oh yeah, everyone, I switched email addresses" after someone has moved. It would require the foresight of everyone to send those notifications *before* moving or keeping an offline contact list.

Two other instances that come to mind are that a while back a senior engineer emailed me from his cell phone to tell me he wasn't coming in that day along with some brief instructions. Having never received email from that address, using a default-deny there wouldn't have been a good way for him to reach me at that time. I also have a bit of a website. That gets occasional email, and that is generally email I want to see.

Some of the things that make email attractive to me--open communication, many people can reach me from a variety of sources, people who don't know me can reach me with legitimate reason--are the very things that make it attractive to phishers, spammers, and scam artists. There is no good solution to the latter without removing a large part of the utility of the medium.

Greylisting (1)

eric76 (679787) | more than 8 years ago | (#14729462)

Greylisting is doing pretty good for me at the moment.

Once the spammers adapt to it, and they will, I'll have to find something else.

One thing I'd like to do is to use SPF rules to identify the legitimate e-mail servers of some domains so that I can whitelist them to get around the greylist. The main reason for this is that if they are using RFC compliant servers, the e-mail is going to be delivered anyway. Except for Nigerian spams from, the big problem is zombie machines in people's homes. And some of our users don't understand why it can take an extra 20 or 30 minutes to deliver an e-mail through a server that hasn't sent us anything in a while.

For example, I might whitelist servers listed in their SPF records (if they had them), but not a provider that I don't know or that sends "targeted advertisements to those who agreed to receive them".

One problem is not too many organizations create SPF records. I've read that ad mailing lists that border on spam are more likely to add them than regular companies and smaller service providers.

Another is that some providers don't try to list their e-mail servers, they list their entire address space. For example, look at text = "v=spf1 ip4: ip4: ?all"

I don't know if that is every address they have, but I doubt that they have on the order of 66,000 mail servers.

But I'm thinking of writing a small program for my mailserver that checks the SPF records of a select list of domains each morning and creates a whitelist from the results. That way, if someone adds more e-mail servers to their SPF records, our whitelist will be updated within 24 hours and if someone of interest who has not published SPF records should do so, then we'll have them on the whitelist within 24 hours.
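An added example (not eric76's program or any project's code) of the daily SPF-to-whitelist job described above: it parses v=spf1 records from a constructed in-memory DNS table instead of live DNS, follows include:/redirect=, collects the positive ip4:/ip6: networks, and refuses to whitelist a record that lists a whole address block (a /16 is the roughly 66,000 addresses mentioned) or that ends in ?all. Domain names, addresses and the size thresholds are constructed assumptions.

```python
import ipaddress
import re

# Constructed in-memory "DNS": domain -> list of TXT records (not real domains or addresses).
DNS_TXT = {
    "example-bank.test": ["v=spf1 ip4:198.51.100.0/28 include:_spf.mailer.test -all"],
    "_spf.mailer.test": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ~all"],
    # lists an entire /16, like the provider complained about in the post
    "bigisp.test": ["v=spf1 ip4:192.0.2.0/24 ip4:100.64.0.0/16 ?all"],
    "neutral.test": ["v=spf1 ip4:192.0.2.10 ?all"],
    "nospf.test": ["some unrelated TXT record"],
    "loop.test": ["v=spf1 include:loop.test -all"],
}
# The "select list of domains" the daily job checks (constructed).
WATCHED = ["example-bank.test", "bigisp.test", "neutral.test", "nospf.test", "loop.test"]

# Assumed policy: one ip4 network wider than a /20 (4096 addresses) or one ip6 network
# wider than a /48 is an address allocation, not a list of mail servers.
MAX_V4_ADDRESSES = 4096
MIN_V6_PREFIX = 48
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-causing terms (include, redirect, a, mx, ...) at 10

MECH_RE = re.compile(r"^([+\-~?]?)(ip4|ip6|include|all)(?::(.+))?$")


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent or ambiguous."""
    recs = [r for r in DNS_TXT.get(domain, []) if r == "v=spf1" or r.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def _walk(domain, depth, seen, nets, state):
    """Recursively collect positive ip4/ip6 networks; remember the top-level 'all' qualifier."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    seen.add(domain)
    rec = spf_record(domain)
    if rec is None:
        raise ValueError(f"no usable SPF record for {domain}")
    for term in rec.split()[1:]:
        if term.startswith("redirect="):  # the target record replaces this one, same depth
            state["lookups"] += 1
            _walk(term.split("=", 1)[1], depth, seen, nets, state)
            continue
        m = MECH_RE.match(term)
        if not m:
            continue  # a, mx, ptr, exists need live DNS and are skipped in this offline example
        qual, mech, arg = m.group(1) or "+", m.group(2), m.group(3)
        if mech == "all":
            if depth == 0:
                state["all"] = qual
        elif mech == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise ValueError(f"more than {MAX_LOOKUPS} DNS lookups while evaluating {domain}")
            _walk(arg, depth + 1, seen, nets, state)
        elif qual == "+":  # only a positive ip4/ip6 mechanism authorises a sender
            nets.append(ipaddress.ip_network(arg, strict=False))


def spf_networks(domain):
    """Return (networks, all_qualifier) for a domain; raises ValueError on broken records."""
    nets, state = [], {"lookups": 0, "all": None}
    _walk(domain, 0, set(), nets, state)
    return nets, state["all"]


def too_broad(net):
    if net.version == 4:
        return net.num_addresses > MAX_V4_ADDRESSES
    return net.prefixlen < MIN_V6_PREFIX


def whitelist_decision(domain):
    """Return (True, [network strings]) or (False, reason the domain is not whitelisted)."""
    try:
        nets, qual = spf_networks(domain)
    except ValueError as exc:
        return False, str(exc)
    for net in nets:
        if too_broad(net):
            return False, f"{net} covers {net.num_addresses} addresses; an address space, not a server list"
    if qual not in ("-", "~"):
        label = f"{qual}all" if qual else "no 'all' term"
        return False, f"record ends in {label}, so it does not vouch for its senders"
    return True, [str(n) for n in nets]


def build_whitelist(domains):
    """The daily job: returns ({domain: networks}, {domain: rejection reason})."""
    accepted, rejected = {}, {}
    for domain in domains:
        ok, info = whitelist_decision(domain)
        (accepted if ok else rejected)[domain] = info
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = build_whitelist(WATCHED)
    for d, nets in ok.items():
        print("whitelist", d, " ".join(nets))
    for d, why in bad.items():
        print("skip     ", d, why)
```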

Re: Spam (1)

DreadHarn (946926) | more than 8 years ago | (#14729474)

There is a simple solution - Naive Bayes Classifier:
1) Customizable (per account)
2) 99.9% accuracy after training
3) Discovers non-obvious patterns
Why does this keep getting ignored by the general public? There are several software suites that use this model to detect spam.
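An added example (not the poster's software or any named suite) of the classifier above: a multinomial naive Bayes model with add-one smoothing, scored in log space, trained per mailbox on a constructed corpus of phishing-style and ordinary messages. The corpus, sample messages and the 0.9 spam threshold are constructed assumptions, so the probabilities are illustrative, not the 99.9% claimed.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class NaiveBayesSpam:
    """Multinomial naive Bayes with Laplace (add-one) smoothing, scored in log space.
    One instance per mailbox gives the per-account customisation the post mentions."""

    def __init__(self):
        self.tokens = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.tokens[label].update(tokenize(text))
        self.docs[label] += 1

    def _log_score(self, tokens, label):
        vocab = set(self.tokens["spam"]) | set(self.tokens["ham"])
        total = sum(self.tokens[label].values())
        score = math.log(self.docs[label] / sum(self.docs.values()))  # class prior
        for t in tokens:
            if t in vocab:  # a word never seen in training carries no evidence either way
                score += math.log((self.tokens[label][t] + 1) / (total + len(vocab)))
        return score

    def spam_probability(self, text):
        tokens = tokenize(text)
        s, h = self._log_score(tokens, "spam"), self._log_score(tokens, "ham")
        m = max(s, h)  # log-sum-exp keeps exp() from underflowing on long messages
        return math.exp(s - m) / (math.exp(s - m) + math.exp(h - m))

    def classify(self, text, threshold=0.9):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus; a real deployment trains on thousands of messages.
SPAM = [
    "Urgent: your account will be suspended unless you log on and confirm your information",
    "Verify your bank account now, click here to confirm your password",
    "Cheap viagra cialis, free offer, buy now",
    "Dear customer, your online banking access has been limited, please confirm your details",
    "You have won $300,000, please reply with your bank details",
    "Security notice: confirm your password to keep your account active",
]
HAM = [
    "Minutes from the conference meeting are attached, reply all with corrections",
    "I won't be coming in today, see the instructions in the shared doc",
    "Can you review the patch for the mail server config before lunch",
    "Lunch tomorrow? The new place near the office just opened",
    "The SPF record for our domain now lists the new mail server",
    "Thanks for the meeting notes, I added the action items",
]

# Constructed messages to classify.
PHISHING_SAMPLE = "Your account has been limited. Log on and confirm your password within 24 hours."
HAM_SAMPLE = "Can we move the meeting to tomorrow and review the notes?"


def build_classifier():
    clf = NaiveBayesSpam()
    for text in SPAM:
        clf.train(text, "spam")
    for text in HAM:
        clf.train(text, "ham")
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for msg in (PHISHING_SAMPLE, HAM_SAMPLE):
        print(f"{clf.spam_probability(msg):.4f} {clf.classify(msg):4} {msg}")
```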

SPF says that it is not anti-spam technology (0)

Anonymous Coward | more than 8 years ago | (#14729482)

And it fucks up forwarded email - forwards internally from servers named prodigy*.* and from user's domains and it fucking bounces legit email - yeah, yeah, "just" have yahoo et al change the server architecture and blah fucking blah blah and it will work - fuck him and his fucked up "standard".

Yeah, I'm bitter and I have a "hard fail" SPF record - so STFU.

Fittingly, my captcha for posting is "cuckoo" - lol

Default Deny is ... (0)

Anonymous Coward | more than 8 years ago | (#14729519)

I see his point, but I don't feel it's realistic.

Take for example someone who's job hunting. Unless you have some crystal ball (if you do, I'd like to borrow it!), you can't really determine who will be emailing you. You could have a per-user deny, perhaps - but the overhead in maintaining this on an active system wouldn't, in my opinion, be worth the trouble.

Whether it be spam or something else, there are always going to be idiots out there who like their little botnets, script kiddies, and the like. We have to accept that as a part of the environment in a "free" Internet, and adjust our technology accordingly.

RTFA (2, Informative)

suwain_2 (260792) | more than 8 years ago | (#14729548)

What I took away from the article is that he's proposing a central authority (or a series thereof) that say " is a real person's e-mail address." He is not proposing that you only accept mail from those who've already sent you mail; he's proposing that everyone in the world who uses e-mail be in this whitelist.

I'm not usually one to say "RTFA," but the majority of the comments right now have nothing to do with the article.

I haven't been spammed in years. (1)

sudog (101964) | more than 8 years ago | (#14729579)

How did I do it?

Simple: []

I track my email carefully, I use unique email aliases for all the websites I visit, I use special aliases for the mailing lists I'm on, I provide images to interpret for people trying to contact me, and I give out my "real" email address to close friends and family *only*.

I haven't been sent a spam that I couldn't immediately block--permanently--ever since I implemented this scheme. It was bliss turning off bogofilter for the last time. It was sheer delight when I no longer had to comb through spam- and hamlists for false positives or negatives.

I removed myself entirely from the spam/anti-spam wars. I have transcended the drudgery that those people put themselves through, and the best part? My now nonexistent spam filters never sort real emails into a spambin where they're neglected.