Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Bye Bye Spam and Phishing with DKIM?

Zonk posted more than 7 years ago | from the teflon-for-your-mailbox dept.

Spam 134

ppadala writes "While research from PEW Internet (PDF) shows that few users really are bothered by spam, IETF is supporting a public key cryptographic based e-mail authentication mechanism called DomainKeys Identified Mail (DKIM) Signatures . The new spec is supposed to help in fighting both spam and fraud. From Ars Technica: 'DKIM's precursor, DomainKeys, was originally developed by Yahoo. The specifications for DKIM were then extended by an informal group of IT organizations that included companies like Yahoo, Cisco, EarthLink, Microsoft, and VeriSign, among others. It was first submitted by the group to the IETF in mid-2005, but only recently published by the IETF. The spec is still to be incorporated into a more formal draft and submitted for approval, however.'"

cancel ×

134 comments

Sorry! There are no comments related to the filter you selected.

Ah, yes the solution of the week (2, Funny)

Anonymous Coward | more than 7 years ago | (#19261511)

Does anyone have one of those templates where you check off the various reasons as to why this scheme won't work?

Re:Ah, yes the solution of the week (5, Funny)

DMNT (754837) | more than 7 years ago | (#19261597)

Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Not a bad try, though. Usually way more crosses on the form.

Re:Ah, yes the solution of the week (1)

SP33doh (930735) | more than 7 years ago | (#19264587)

Asshats are obviously not accounted for.

Users are not bothered by spam? (4, Interesting)

Gary W. Longsine (124661) | more than 7 years ago | (#19262431)

I find it difficult to believe that most users are not bothered by spam. As far as I can tell, legitimate email use has been falling dramatically for the past couple years, as people flee the effects of spam, switching to SMS and IM (Jabber, AIM, etc.) Email use within a single corporation remains popular, but home users seem to be abandoning email outright. Some people have given up ordinary email and only use locked-down email inside of social network sites. Spam seems to be killing email. If that doesn't bother people, it's only because they fled email for IM, SMS, and Myspace. If spam follows them, and they have nowhere else to run, they're going to become pretty irate.

Better blocking, less bothered (1)

billstewart (78916) | more than 7 years ago | (#19263181)

Remember that most users aren't like anybody who reads Slashdot :-)


Most users are on big consumer ISPs like AOL and MSN, and they do a good if nowhere near perfect job of blocking most of the spam, and they can usually recognize it from the titles and delete it without having to actually open it. And they're sufficiently used to getting *some* spam all the time that they actually see and delete, but to them it's just noise like TV commercials, not an offense like having their precious bodily fluids corrupted by Commies, and the Internet is just another form of TV to them.

Re:Users are not bothered by spam? (1)

Thwomp (773873) | more than 7 years ago | (#19266971)

That's just some clever spin thrown in because the guy's a spammer. I mean come on... check out the dodgy domain name linked to his user name. Do they even have the internet in Ecuador? That's a dead give away.

Not a solution to spam. (1)

Russ Nelson (33911) | more than 7 years ago | (#19263285)

DomainKeys is not a solution to spam. What it lets you do is distribute and verify authority for email. It's a solution for email forgery, which is only slightly related to spam.

Re:Not a solution to spam. (1)

icknay (96963) | more than 7 years ago | (#19263957)

Forgery is very much related to spam. Here's how it works:

spammy email -> spammer's source domain

Think of this as extra good data for Spamsieve and the RBLs to use. If you are a spammer, how are you going to send a million emails without associating them all with a spammy domain? A different domain for each email? For each 100,000 emails? And of course it'll be easy to give a bad spam score to either a domain that was registered with the last week or a domain for which the world has not seen valid email previously.

I think the DKIM people are setting a low expectation, but in fact this will be a HUGE step forward for spam elimination. The spam filters do a pretty good job now with really pretty crappy data. DKIM exposes the whole filtering stack (Spamsieve, RBL databases, ...) to a source of far better data.

Re:Ah, yes the solution of the week (1)

Nichol4sC4rter (1106887) | more than 7 years ago | (#19264637)

"spam bothers few users", not all spans are harmful, some are useful:) MP4 Converter [mp4-converter.net]

spam will never end (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19261531)

stop trying to stop it, idiots

Here we go again... (5, Funny)

ZeldorBlat (107799) | more than 7 years ago | (#19261565)

This article advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Why would you mod this down? (1, Informative)

Anonymous Coward | more than 7 years ago | (#19262243)

Why is this modded redundant? It was posted earlier than the one above that was modded funny.

Re:Why would you mod this down? (1)

8ball629 (963244) | more than 7 years ago | (#19264251)

Some people are just backwards...

Re:Why would you mod this down? (1)

zenslug (542549) | more than 7 years ago | (#19265633)

Even without another post above, it's just not that funny/informative and has been done to death. About as funny as people writing their posts in rhyme/song format. Lame.

It's only a server validiation solution (5, Insightful)

jimpop (27817) | more than 7 years ago | (#19261593)

It's only a server validiation solution. DKIM won't stop spam. DKIM will only help validate the identity of the server that is sending you email. Right now I get lots of spam from legitimate Yahoo, Mail.com, and Hotmail servers. DKIM isn't going to stop that it's only going to reinforce what I already know.

Re:It's only a server validiation solution (4, Insightful)

MightyMartian (840721) | more than 7 years ago | (#19261765)

A quick read of the RFC tells me that this is simply a more computationally-intensive variant of SPF. It still requires rewriting the headers for forwarding, will likely not have the degree of adoption so that anyone in charge of a mail system actually feels confident enough to use it as another weighting factor for testing spam, and still leaves those sitting behind systems that still force users with outside email addresses to use their mail servers. The mere fact that any such system (SPF, DomainKeys or whatever) has to essentially remain completely compatible with older SMTP-based systems means that it really won't solve the problem. The underlying SMTP relay system has problems, and Domain Keys and SPF are just kludgy solutions that really are limited in what exactly they can solve.

Re:It's only a server validiation solution (2, Funny)

madsheep (984404) | more than 7 years ago | (#19262251)

A quick read of the RFC tells me that this is simply a more computationally-intensive variant of SPF.
But the real question is will it prevent me from being sunburned??

DKIM Lets ISP verify spamming-user complaints (1)

billstewart (78916) | more than 7 years ago | (#19263493)

DKIM doesn't solve most of the spam-related problems I care about, but there's one thing it's good for:

An outgoing-email service provider that uses DKIM on all of their outbound mail can validate that a spam or abuse complaint about mail purporting to be from exampleuser@their-domain.com really was from that user and not a forgery, so they can kill off that user's account without worrying about false positives or faked complaints or joe-jobs. They can read the message text to see that it's spam, and they can validate the headers to show that it came from that user on their servers, and they can trash the account for TOS violations. This works even if the receiver doesn't ever bother verifying the header - it's enough that the sender's abuse desk can verify it.


That doesn't mean that some cybercafe user or zombie relay can't send mail with From: or Reply-To: NigerianCorruptOffial@yahoo.com , or that it's any easier to get the Yahoo abuse desk to delete the account for TOS violations for email that wasn't sent from their server, but at least they can't send that spam *from* Yahoo accounts without getting them closed easily.

Re:DKIM Lets ISP verify spamming-user complaints (0)

Anonymous Coward | more than 7 years ago | (#19263563)

An outgoing-email service provider that uses DKIM on all of their outbound mail can validate that a spam or abuse complaint about mail purporting to be from exampleuser@their-domain.com really was from that user and not a forgery,

Grepping the logs for message id is so difficult for an admin team. What we need instead is to sign every outgoing message, then spammers can replay thousands of valid signed emails from our domain through their bot nets. Only then will we be able to check for abusive mail users.

Re:It's only a server validiation solution (1)

icknay (96963) | more than 7 years ago | (#19263889)

Parent is incorrect! DKIM accounts for forwarding and other use cases ... exactly the cases for which SPF has problems. Seriously .. do you think the IETF working group works on this thing for years, and doesn't think of some case you thought of from "A quick read of the RFC" ?

DKIM in conjunction with SPF and client filtering has a real chance to make Spam be not such a problem. It enables reputation system for senders, and Spammers will show up in such a system in a pretty obvious way. It will make far better data available for the spam ranking systems, so however well they work now ... well they'll have much better (and unforgeable) data to use.

Re:It's only a server validiation solution (1)

thogard (43403) | more than 7 years ago | (#19265613)

If IETF has been working on it for years , its broken.

Re:It's only a server validiation solution (1)

grahamm (8844) | more than 7 years ago | (#19266767)

DKIM does NOT re-writing headers for forwarding. Unlike SPF (which I also use) it requires absolutely no action on the part of forwarders to preserve the validity of the signature. That is, unless the forwarder changes an existing header such as mailing lists adding [listname] to the start of the subject. With use of the 'l=' parameter it will even survive those forwarders who add a footer to the body. Though it could be argued that use of the 'l=' feature, and not making it obvious to the recipient where the signed part of the body ends, defeats the purpose of signing

Re:It's only a server validation solution (1)

spatley (191233) | more than 7 years ago | (#19261949)

And how is this different from what is currently available with PGP?
We could just all agree tomorrow to not accept any mail that is not digitally signed right?

Re:It's only a server validation solution (1)

hpavc (129350) | more than 7 years ago | (#19262631)

How does PGP stop spam? Just because someone is listed on a key server doesn't mean much.

DK tells me that the mail message actually belongs to the domain and its mail server. Its not user to user but rather server to server (a server validating a server's output). It also doesn't use a CA or other notary, it uses a dns record.

Re:It's only a server validation solution (1)

maxume (22995) | more than 7 years ago | (#19263379)

You just have to do two things:

Mark people who it isn't worth accepting mail from as it comes in. That they sign their messages means that you only have to deal with each identity(-not person...) once.

Only accept mail from people who someone you trust trusts. Or play a few degrees of Kevin Bacon.

Do that, and anonymous crap floods disappear. All that said, I don't want to have to set such a thing up to be able to exchange messages with my mom, so let's not do it.

Re:It's only a server validation solution (1)

thogard (43403) | more than 7 years ago | (#19265629)

I get a few messages a month from people that your system would say are spamers. There is no way to tell a legit 1st contact email message from a spammer on todays net.

NO it isn't (0)

Anonymous Coward | more than 7 years ago | (#19261951)

DKIM is a message authentication solution that can also be checked in the MUA. SPF is a server authorization solution, so good that Microsoft still tries to hijack it (the 8 million domains cited in TFA are publishing SPF records - not SenderID).

Re:NO it isn't (2, Insightful)

jimpop (27817) | more than 7 years ago | (#19262109)

"DKIM is a message authentication solution"

OK, the message comes from Hotmail, Mail.com, Yahoo, etc. It's deemed by DKIM to be authentic, yet it is still spam (albeit authenticated spam). All DKIM, and similar solutions, does is to to prevent message and header manipulation in transit. If Yahoo, Mail.com, and Hotmail still allow spammers to sign-up for accounts how does DKIM solve the problem? At best, with full adoption, DKIM can show the world, authentically, who is sending spam. But, you still have a spam problem.

Re:NO it isn't (1)

h2_plus_O (976551) | more than 7 years ago | (#19263023)

All DKIM, and similar solutions, does is to to prevent message and header manipulation in transit.
Identifying senders and sources won't prevent them sending spam, but it will make the existing rules much easier to enforce. It won't solve the problem, but it sure won't hurt- if anything, it'll reduce the number of variables involved in identifying and shutting down spam-sending boxes.

Re:It's only a server validiation solution (1)

JonathanR (852748) | more than 7 years ago | (#19265091)

The only way to stop spam is to increase the burden on everyone who sends mail, rather than passing the burden onto those receiving it. Mail servers of the sender should store the message until it is retrieved by the receiver. That way, the spammers would have to keep their mail server online till a significant number of recipients have downloaded their mail. This would increase the time available to law enforcement (or vigilantes) to shut down the server before the spammer acheives his objective. It also means that the spammer's mail server must have sufficient bandwidth to accommodate the multiple requests. Yes, the load could be distributed across a botnet, but this would add to the complications and load on the botnet, still making life more difficult, and less profitable, for the spammers.

Re:It's only a server validiation solution (1)

jimpop (27817) | more than 7 years ago | (#19265433)

"Mail servers of the sender should store the message until it is retrieved by the receiver." That would require spammers to be honest. I'd think you would have better luck convincing lawmakers to pass a law that all persons who take cash out of bank remain until the bank and customer(s) are satisfied that the transaction was upright and complete.

Re:It's only a server validiation solution (1)

JonathanR (852748) | more than 7 years ago | (#19266593)

This already happens. Why do you think banks sit on deposited cheques till they clear before crediting the cheque amount to your balance?

few users (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19261601)

spam bothers few users

Dunno about anyone else, but as the admin for our company, I get more complaints about spam than anything other single item I can think of...

Re:few users (0)

Anonymous Coward | more than 7 years ago | (#19261977)

Then it is about time that you deploy a decent spam filtering solution!

Re:few users (5, Informative)

WrongSizeGlass (838941) | more than 7 years ago | (#19261999)

Ditto.
The ISP of one of my clients just turned on 'greylisting' and their mail volume dropped 71%, knocking their spam % down to 11% of their new volume.

They would rather spend the budget on stopping spam rather than upgrading their servers. It's that big of a problem.

DKIM will help (until fake 'certificates' show up) but it won't solve the problem. Only flame-throwers, and lots of them, will fix this once and for all.

Re:few users (1)

rthille (8526) | more than 7 years ago | (#19262455)

Greylisting worked really well for me, but I've been starting to get spammers that retry (not sure if they are retrying the same message, or a new one, since my greylisting software just goes by IP, not the tupple), so I've been meaning to feed back IPs from mails I identify as spam into the greylisting software and have it dark-dark-gray list them...

Re:few users (1)

antic (29198) | more than 7 years ago | (#19265289)

I think badware is a far more dangerous and significant concern than spam.

Spam is a big issue for administrators, web developers, etc - probably not quite as annoying for other users.

Will my ISP Quit Blocking Port 25, Finally? (1)

twitter (104583) | more than 7 years ago | (#19261627)

Because keeping me from running a mail server has not done a damn thing to the spammers.

I'll believe in an anti-spam tech when it comes in the Debian repository and I can once again run a mail server. Until then, I'm afraid the spammers will be the first to sign up for any counter measure.

Re:Will my ISP Quit Blocking Port 25, Finally? (0)

Anonymous Coward | more than 7 years ago | (#19261905)

Dude, don't let a blocked port stop you from running a server.
http://www.dyndns.com/services/mailhop/outbound.ht ml [dyndns.com]

Re:Will my ISP Quit Blocking Port 25, Finally? (1)

WrongSizeGlass (838941) | more than 7 years ago | (#19262049)

Dude, don't let a blocked port stop you from running a server.
Or stop you from sending out Spam. If there's a will there's a way. ;-)

Re:Will my ISP Quit Blocking Port 25, Finally? (2, Insightful)

mi (197448) | more than 7 years ago | (#19262015)

Will my ISP Quit Blocking Port 25, Finally?

If they "protect" your port 25, they are morons, and you should complain or switch the ISP. If they are blocking your attempts to reach other people's port 25, they should be commended.

Your system may be immune, but hordes of "zombies" would be sending spam from your ISP's network. As things stand, the zombies are still infected, but can not send e-mails directly to victims, which throttles the rate a lot.

You can still run a server — just configure your ISP's server as the "smart host". There is no shame in that.

Re:Will my ISP Quit Blocking Port 25, Finally? (1)

owlstead (636356) | more than 7 years ago | (#19262857)

Bah, my ISP blocks port 25 this way. Of course, I can just go to the service pages and turn the protection off. Average Joe don't direct connections to mail servers, and I don't think that there are any trojans attacking the (frequently changing) service pages of my ISP - if you never log into them they don't know the password anyway. They used to charge for email scanning as well, but I (and others) pointed out that infected machines were their problem as well. Now it is included in the charge, and you can turn it off if you really want to. Again, average Joe doesn't read the manuals and will never know about - let alone turn of - the mail scanning. We also got a user configurable spam assasin, which is turned on in default. Average Joe does not want the spam send to my ISP (about 95% of the mail volume is spam!).

This is how you deal with security *and* keep your customers happy.

Re:Will my ISP Quit Blocking Port 25, Finally? (1)

ThinkingInBinary (899485) | more than 7 years ago | (#19263855)

Shit, what is your ISP? I want some!

I've got Verizon DSL right now, and 1) they block port 80 inbound (they turned it off for that big worm, and never turned it back on), and 2) they're very lame.

Re:Will my ISP Quit Blocking Port 25, Finally? (1)

Kadin2048 (468275) | more than 7 years ago | (#19263029)

You can still run a server -- just configure your ISP's server as the "smart host". There is no shame in that.

Unfortunately it's still a problem with the ISPs who don't let you send out email through their servers unless the Reply-To address is within their domain. I haven't run into this recently, so maybe it's only a feature of the very low-end dialup ghetto, but I definitely ran into it once or twice.

This is a serious issue, if it occurs together with the blocking of outgoing connections on Port 25, because it effectively locks you into ISP-supplied email addresses (or webmail, which still isn't a replacement for desktop mail clients).

Just another thing that can be chalked up to the Windows monoculture 'o crap, though it's borne by everyone.

Re:Will my ISP Quit Blocking Port 25, Finally? (1)

damium (615833) | more than 7 years ago | (#19266607)

GMail allows authenticated relays through port 465 if you want to use another address. This is also how I setup my mail servers. IMHO clients should stop using port 25 for sending out email port 25 should be for server-to-server and legacy connections only.

This is bullshit and I'm tired of hearing it. (1)

twitter (104583) | more than 7 years ago | (#19263759)

If they are blocking your attempts to reach other people's port 25, they should be commended. Your system may be immune, but hordes of "zombies" would be sending spam from your ISP's network.

This has already failed and failed miserably. There are hordes of zombies sending spam from my ISP's network. They all do as you recommend and use the ISP's SMTP server and this is why more than 80% of all spam comes from zombies. My upload is also capped by my cable modem at a pathetic 60 kB/s.

A better method would be to have the same modem disconnect people who's computers have obviously been turned into spambots. Giving people the freedom to run their own mail servers distributes the spam burden and the ability to fight the spammers. Concentrating that burden at the ISP level is a failure.

Either way, the spammers know the limits and keeping me from running a mail server of my own does nothing beyond those limits. Because the reasons given are so transparently false, we are left only with government surveillance reasons.

Re:This is bullshit and I'm tired of hearing it. (0)

Anonymous Coward | more than 7 years ago | (#19264371)

BS. You'd have to use the username/password for the person's account to use the ISP smtp server.
So unless the person actually uses the crappy ISP email, I doubt they'll get that.

What? (0)

Anonymous Coward | more than 7 years ago | (#19266895)

twitter, no dollar signs? What is up with that?? Here, let me help you:

Thi$ ha$ already failed and failed mi$erably. There are horde$ of zombie$ $ending $pam from my I$P'$ network. They all do a$ you recommend and u$e the I$P'$ $MTP $erver and thi$ i$ why more than 80% of all $pam come$ from zombie$. My upload i$ al$o capped by my cable modem at a pathetic 60 kB/$.

A better method would be to have the $ame modem di$connect people who'$ computer$ have obviou$ly been turned into $pambot$. Giving people the freedom to run their own mail $erver$ di$tribute$ the $pam burden and the ability to fight the $pammer$. Concentrating that burden at the I$P level i$ a failure.

Either way, the $pammer$ know the limit$ and keeping me from running a mail $erver of my own doe$ nothing beyond tho$e limit$. Becau$e the rea$on$ given are $o tran$parently fal$e, we are left only with government $urveillance rea$on$.

Re:Will my ISP Quit Blocking Port 25, Finally? (3, Interesting)

killjoe (766577) | more than 7 years ago | (#19262257)

Here is what I would like.

If an IP address makes more then X connections to my SMTP port at the same time it gets routed to a teergrube.
If an IP address attempts to send email to Y number of invalid users it gets routed to a teergrube.
If an IP address sends me Z number of spam as marked by spamassassin it gets routed to a teergrube.
If an IP address is on the RBL of my choice it gets routed to a teergrube.

And of course a teergrube which can handle a few hundred simultaneous connections and keep them busy for hours.

If we all had all this then at least we could make a dent in the amount of spam going out.

I take a slightly easier solution. (1)

khasim (1285) | more than 7 years ago | (#19262937)

Check rDNS - if it doesn't exist, drop it.

If rDNS resolves to Comcast's home addresses (and other ISP's), drop it.

If rDNS resolves to Comcast's (HotMail's, GMail's, AOL's, etc) mail servers, run it through SpamAssassin and drop it if it scores above 8. (HotMail has a problem with this because they add mortgage spam to their outbound messages).

Okay, that should have taken care of 90% of the problem.

Re:I take a slightly easier solution. (1)

laffer1 (701823) | more than 7 years ago | (#19265073)

Differentiate between HOME and BUSINESS comcast accounts. My mail server is blocked because I'm on a comcast business package. There is a big difference between the $45 account and a business grade $160 account. I can't afford a big pipe and i'm punished for it. As for reverse dns, try getting comcast to properly setup the ptr record for you.

Upon random checks of spam lately, most of it is coming from IPs with valid A/PTR records that are also mail servers. Botnets still exist, but I think spammers are focusing on using existing mail servers to circumvent lists of cable/dsl ips.

Re:Will my ISP Quit Blocking Port 25, Finally? (1)

Holi (250190) | more than 7 years ago | (#19263097)

Try DynDNS mailhop relay, relays smtp to any port you choose.

Re:Will my ISP Quit Blocking Port 25, Finally? (1)

rolfc (842110) | more than 7 years ago | (#19265517)

SPF comes in the Debian Repository, so you can run your mailserver.

Darnit! (1)

UPZ (947916) | more than 7 years ago | (#19261647)

I'll have to get a second job at McDonalds now..

Re:Darnit! (1)

Frostalicious (657235) | more than 7 years ago | (#19262595)

I'll have to get a second job at McDonalds now..

Sooo burger flipper, and now dishwasher as well?

yahoo press release (3, Informative)

Ramses0 (63476) | more than 7 years ago | (#19261681)

http://yodel.yahoo.com/2007/05/22/one-small-step-f or-email-one-giant-leap-for-internet-safety/ [yahoo.com]

It also has some nice background information on DKIM.

--Robert

Re:yahoo press release (1)

QuasiEvil (74356) | more than 7 years ago | (#19261819)

Phishing, maybe if enough real organizations support it - spam, no fix here, folks. The only thing DKIM prevents is domain spoofing. So spammers have to have a real domain and sign their mail - that's so incredibly hard to do that I don't think any spammer wil... er, wait, a quick check of my spam box shows an unbelievable number are signed correctly.

On the other hand, if spammers are authenticating with a real domain, then filtering based on RBLs just got easier...

Also, exim guys - we could really use MTA-level support for DKIM on outgoing mail...

Re:yahoo press release (1)

maxume (22995) | more than 7 years ago | (#19263537)

Are you going to RBL Yahoo!? I get plenty of signed spam from them.

Prefer SPF (2, Interesting)

Anonymous Coward | more than 7 years ago | (#19261769)

Microsoft, despite its involvement in submitting DKIM to the IETF, is still backing Sender ID and recently bragged that it protects over 8 million domains worldwide.

No Microsoft, SPF is protecting 8 million domains. Nobody publishes SenderID records, you are misrepresenting the intent of millions of domain holders to claim otherwise! What's worse is that the whores in the IETF working group were complicit in this misrepresentation and have the audacity to blame the SPF guys.


I was looking into DKIM earlier today, I much prefer to reject at SMTP time on mfrom or helo. I really don't like the IETF after witnessing the arrogant, egotistical WG assholes ignoring technical merit to play politics. I guess I'll probably refuse to implement DKIM if the IETF are to specially 'bless' it. Standards by committee that co-incidentally fund junkets for a cliche of dick-fiddlers on the dollar of a handful of major corps should be avoided on principle.

Re:Prefer SPF (3, Interesting)

MightyMartian (840721) | more than 7 years ago | (#19261913)

SPF is protecting 8 million domains
I think the proper phrase is "SPF has cluttered up the TXT field of 8 million domain records, most of them with NEUTRAL because no one has the balls to actually let this creature roam the Internet without a heavy chain".

I believed in SPF about three years ago, but it became very clear that it (and Sender ID too) wouldn't do a damn thing, and Domain Keys seems no different.

Re:Prefer SPF (0)

Anonymous Coward | more than 7 years ago | (#19262029)

I've been publishing -all for several domains since 2004, I was an early adopter. In all that time I've had only a handful of problems because of SPF.

It's real value is in preventing back-scatter when you're being joe'd. I wish more large providers would grow a pair and start checking.

Re:Prefer SPF (3, Interesting)

MightyMartian (840721) | more than 7 years ago | (#19262223)

The problem with putting your eggs in a basket is that it you're putting a helluva lot of trust in a system which is nothing more than a good neighbor policy. A lot of guys I know simply put in SPF records that set them to neutral, because they were ISPs who had clients who were sending from various restrictive networks that blocked them (yes I know, switching ports, SMTP auth and all that ought to do the trick, but we're in the real world here). SPF wasn't perfect, and forwarding was a major failure that was only solved by envelope-rewriting.

I adopted SPF on the domains I ran early on too, not because I thought it would do a damn thing, but because I didn't want to get screwed by some anal-retentive at RoadRunner who decided to start blocking everything that didn't come from an SPF-record holding domain.

SPF, SenderID and DomainKeys probably could have a good deal more success if they were more widely adopted, but they still wouldn't stop some of the big sources of spam. Even with that in place, the mail system is still vulnerable. We were getting such a high volume of distributed dictionary attacks at the place I worked at that we literally had to hide our mail server behind some Postfix proxies which did nothing more than reject hundrds of thousands (and some days millions) of individual attacks per day.

Re:Prefer SPF (0)

Anonymous Coward | more than 7 years ago | (#19262423)

We were getting such a high volume of distributed dictionary attacks at the place I worked at that we literally had to hide our mail server behind some Postfix proxies which did nothing more than reject hundrds of thousands (and some days millions) of individual attacks per day.

I feel your pain. I have no qualms about rejecting DSL connections, abusive netblocks or entire [T|S]LDs (.th, .cn, .com.tw) using an access table. If it's a ghetto block and mailing abuse@ doesn't help (rarely does) then I'll hard firewall it, no problem. Time consuming but immensely satisfying.

Anyway, I find SPF useful even for just preventing back-scatter. There is no silver bullet, SPF is just another piece of the puzzle.

Re:Prefer SPF (1)

Degrees (220395) | more than 7 years ago | (#19264885)

I'm kind of surprised that people place SPF records out there as Neutral. Mine says Fail if the sending MTA is not in my specific IP address range. Period.

Now admittedly, I don't have users that want to be outside our network and send mail as if they are inside our network. This is a problem I expect a huge corporation (or like you say in another post: an ISP) might have. But for every small business (or even medium sized business or agency), I'd think it would be SOP.

I guess I don't see the downside to publishing the information to hard fail any impersonating spam engines.

The problem I see with DKIM is that I'm going to burn a huge number of CPU cycles to receive "signed" spam. I can get 90% of the forgery problem solved with SPF and reverse DNS lookups with far far fewer cpu cycles burned. Since the spam problem isn't solved, why not go for the trivial forgery solution?

I suppose my attitude is a little less aggressive than it used to be, because I'm in the deployment phase of an anti-spam solution that has so far worked great: quarantine them all, and let the users sort them out. ;-)

Re:Prefer SPF (1)

MightyMartian (840721) | more than 7 years ago | (#19265681)

I found greylisting to be by far the most reliable solution, but it does have the trade off that some legitimate mail is going to be delayed. Unfortunately in the age of high speed Internet, people just assume that email is a form of instantaneous communications, so when a message gets delayed for an hour, they freak out and phone tech support insisting that the mail service is busted. I had a Postfix configured at the front end that was doing nothing more than verifying that incoming mail was going to legitimate addresses on our end and greylisting nasty offenders. I'd say, unscientifically, that our spam and virus detectors further on down saw about a ninety percent drop in crap. I was working for an outfit selling spam protection on top of regular account access, so I was told to stop the greylisting at once because it was too effective and rendered the fee-paying spam services moot. That, coupled with some angry people who phoned moaning because their Aunt Edna's mail took a whopping hour or two to get to them pretty much doomed the experiment. People would rather get a shit-load of viruses and V1agra ads than see the odd message take a little longer to make it through the queue.

and the winners are (2, Funny)

Atreide (16473) | more than 7 years ago | (#19261915)

not users by VeriSign and others who will sell hundreds of million domain names encryption keys

is it time to buy shares ?

Re:and the winners are (1)

bmzf (731840) | more than 7 years ago | (#19263325)

NO. DKIM is an improvment upon Domainkeys. SPF says which mail servers are ok to be sending mail for a specific domain. Domainkeys verifies that the email is coming from the source that it claims and that the contents are not tampered. SPF + Domainkeys = full accountability for emails sent. I.E. all emails are immediately traceable to the source. At least with Domainkeys, the mailer generates the certificates himself. Uses part to encrypt on his server, and publishes the public portion in DNS, where SPF records are also kept, so a certificate authority has no role in this. Verisign, etc don't get to sell anything here. The point is that the mailer puts out the key to verify the signed messages... it's publically available in DNS. The only winners are email users.

Sooooo close... but not going to work. (4, Insightful)

NerveGas (168686) | more than 7 years ago | (#19261945)


    My initial thought was "Terrific. This really has the potential to eliminate spam." Then I got to looking into the RFC... standard private/public key exchange. But, it allows for individual MUAs to posess the private key, such that they can perform the signature.

    This puts the entire burden of security in the scheme upon the MUA. So any time a machine is infected with the spam-virus of the day, that private key will be sent off to the spammers, who will send out floods of seemingly legitimately-signed email. Instead of just selling valid email addresses to other spammers, they'll sell addresses and domain keys.

    Furthermore, from an administrative perspective, that means that each time one of your user's machines is hacked and the private key compromised, you have to change your public/private keypair, including updating the MUA on *all* of your sender's machines.

    Forcing signing upon the MTAs eliminates much of that work (and hopefully the security exposure), but forces inconvenience on a good number of users. It's a tradeoff I'd be willing to make, but the RFC doesn't seem willing to do so.

Re:Sooooo close... but not going to work. (3, Informative)

MightyMartian (840721) | more than 7 years ago | (#19262103)

You've come close to what I arrived at in the last few months of my job working for an ISP, that all these kludgy attempts to beef up SMTP would always be fatally flawed unless we (and by that I mean Joe Average and admins) was prepared for inconveniences. That means putting an end to straight-out forwarding, because that pretty much busts everything without the major overhead of rewriting the headers. It means locking down the servers themselves and not expecting some "good neighbor" protocol to somehow magically take care of the problem. As someone else has pointed out, how is DomainKeys any different than PGP signing, which has been around for two decades now. Even if we went to DomainKeys or PGP, it still wouldn't stop all those zombies out there from happily sending signed spam. It means that distributed dictionary attacks would have to come in with a legitimate address from the source network, but I doubt the spammers are going to give a damn about that.

The problem with spam is that it isn't just an email problem. If it was, then we'd all have had this beat a long time ago.

Re:Sooooo close... but not going to work. (1)

RazzleDazzle (442937) | more than 7 years ago | (#19265395)

Without having read the RFC and just inferring the pub/private key system is similar (or identical) in principal to PGP/GPG signing system, can't these private keys be encrypted themselves on the machines running the MUA? Then if the private key is taken, spammers still can't use it. Am I missing something or is it just too much of an inconvenience to have to enter in your passphrase when you want to use email?

Re:Sooooo close... but not going to work. (0)

Anonymous Coward | more than 7 years ago | (#19262221)

I did not read the RFC, but the systems I admin do use domain keys. I'm not really sure where individual users come in to play here. In order for domain keys to work you must place your public key in a TXT record for that domain. When your mailserver sends out mail it signs the message, the remote host polls the TXT record, checks the signature is okay and reacts accordingly. So in the event of a compromised machine, you need to fix the machine (as you always need to) generate a new key, and update your TXT record. So your customers/users get compromised and turned into zombies all outbound mail sent through you will have a valid domainkey signature. This is the intended behavior though. If xyzz23.com has a zombie lobbing emails claiming they are 8asds.com - no domain key, you penalize accordingly (possible joe job). If xyzz23.com's zombie lobs emails with a source from xyzz23.com (routed through xyzz23.com's mails server) it will have a proper domain key. But not xyzz23.com has a reason to actually give a crap since the spam clearly points directly back at them.

Will this solve spam - no. But this does help protect innocents from being blamed for a joe job.

Re:Sooooo close... but not going to work. (1)

Magila (138485) | more than 7 years ago | (#19262927)

Securing MUAs shouldn't be too big of a problem. ISPs just have to charge a replacement fee when a user's private key is compromised. Same as landlords charging a lock replacement fee when you loose your keys. The vast majority of users will wise up pretty quick after being slapped with a couple of 50$ fees.

DKIM allows a domain admin to create a hierarchy of authorized keys. So each MUA can have it's own key-pair .

Re:Sooooo close... but not going to work. (1)

Jim Fenton (514449) | more than 7 years ago | (#19264213)

Actually, DKIM permits MUAs to sign and verify messages, but we really expect the vast majority of DKIM signing and verifying to be done my MTAs, at the domain level. The ability to delegate keys to individual users is to handle those few cases where an individual user needs to sign a message, plus other outsourced functions (such as an enterprise's outsourced benefits provider) where a party outside the domain needs to be able to apply a signature. It's less of a leap of trust to do this when the key is constrained to a specific address.

I am trying DKIM (2, Interesting)

wizeman (170426) | more than 7 years ago | (#19261993)

DKIM is great except, AFAIK:

1) There's still no way of saying "my domain always signs email with DKIM, so no signature means forged mail". At least I couldn't figure it out.
2) Mailing lists add a footer which messes with the signature.

As a consequence DKIM at the moment is completely useless since even though all my emails are signed, spammers/phishers can simply not put the DKIM signature and DKIM wouldn't know if the email was forged or not.

Furthermore, DKIM is reporting that a lot of valid emails posted to mailing lists (mostly gmail ones) are forged.

If these 2 problems are solved, I think DKIM could be the best way of building a reputation system to stop spam almost completely.

The first problem is easy to solve (just add a new flag to the DKIM DNS record), the second one could be solved by *requiring* the DKIM-verification software to discard everything following the length of the signed body (at the moment it's optional), and by *requiring* to specifiy said length (dkimproxy can't do that, AFAIK).

Re:I am trying DKIM (1, Informative)

Anonymous Coward | more than 7 years ago | (#19264137)

1) There's still no way of saying "my domain always signs email with DKIM, so no signature means forged mail". At least I couldn't figure it out.

Basically you omit the t=y dns entry and specify o=-, but because of the relative immaturity of the standard, it might be ignored.

2) Mailing lists add a footer which messes with the signature.

It really depends at what stage you add the footer. The intent of DKIM is to verify at the MTA level, so if you can check the signature before you change the message content, DKIM is still worthwhile.

As a consequence DKIM at the moment is completely useless since even though all my emails are signed, spammers/phishers can simply not put the DKIM signature and DKIM wouldn't know if the email was forged or not.

Much of the spam I encounter is from forged Hotmail (SPF/SenderID), Yahoo (DomainKeys) and GMail (SPF/Domainkeys/DKIM) accounts and implementing these systems help to control, or at least identify the source of the spam. It also helps in preventing spammers from abusing your domain because almost all free webmail providers implement at least one of these standards, and your messages are less likely to end up classified as junk.

Only two ways this can go (1)

taustin (171655) | more than 7 years ago | (#19262081)

And they both fail.

Either the domain owner controls and administers the key, in which case spammers (who already use automated bots to registers hundreds, if not thousands, of domains per day) will simply add a new subroutine to the domain registration bot to add in the key, thus ensuring the delivery of their spam.

Or someone else controls your email, which mean nobody with any sense will buy in to it.

Either way, it's useless for combatting spam, as was DomainKeys and SPF.

Metric on number of responses to spam (1)

Greg Koenig (92609) | more than 7 years ago | (#19262217)

Page 5 of the PEW Internet study reports that "...only 4% of email users admitted to action that keeps the spam industry viable, which is ordering a product or service from an unsolicited email. This number has always been low; it was 7% in 2003, 5% in 2004, and 6% in 2005."

These figures are interesting because there is often speculation about these numbers during conversations about the financial viability of being a spammer. The article suggests that these figures are "low" but they are much higher than the "back of the envelope" estimate of 1% that I usually see people use when guessing. It is going to be difficult to stop the spam problem when people keep buying things from spammers. Even if technical solutions like DKIM have some degree of success, such a high response rate to spam gives an obvious incentive to spammers to continue to find work-arounds.

Re:Metric on number of responses to spam (0)

Anonymous Coward | more than 7 years ago | (#19266603)

That statistic is people who have ever done, not the response rate. The response to any individual spam message is probably much lower (although I'm sure you have the pathological cases out there who feel compelled to buy everything spam tells them to).

we still haven't solved junk snail mail (1)

Ice Station Zebra (18124) | more than 7 years ago | (#19262219)

What makes you think that this is going to do anything for junk email. Until the burden of the spam is placed on the sender and not the receiver this problem will never go away. See http://cr.yp.to/im2000.html [cr.yp.to] for a workable solution.

Re:we still haven't solved junk snail mail (0)

Anonymous Coward | more than 7 years ago | (#19262525)

Not a bad idea. It's such a good idea, we call it NNTP.

My solution... (1, Informative)

Anonymous Coward | more than 7 years ago | (#19262289)

click [mailto]

Re:My solution... (1)

ChameleonDave (1041178) | more than 7 years ago | (#19262583)

click [mailto]

Hmm, good, except that at some point you will have to enter your pass code (the "Do_not_edit_this_subject_line_or_I_won't_receive_ your_email!" part) into a website so that the website can e-mail you, and then all the spammers have to do is build a database of addresses paired with codes.

So, your solution will work fine until a significant number of people are doing it and the spammers learn about it.

The reason why I don't use DKIM or recommend it (1)

statemachine (840641) | more than 7 years ago | (#19262519)

Every message *received* needs to be run through an expensive cryptographic routine. If you have high incoming mail volume, just watch your server load skyrocket when DK/DKIM is turned on. You also have to completely accept the entire message before DKIM can be used. With SPF, you can simply reject after the envelope-sender is specified and before the headers and data.

Re:The reason why I don't use DKIM or recommend it (0)

Anonymous Coward | more than 7 years ago | (#19263645)

I'm not familiar with DKIM implementations, but you should still be able to REJECT the spam. Admittedly, you'll have to wait until after you receive the data, but as long as you can process DKIM as the message comes in, you can still do a REJECT. I consider this to be a huge advantage because, when false positives happen, it gives feedback to legitimate people sending you email that there was a mix-up.

Re:The reason why I don't use DKIM or recommend it (1)

statemachine (840641) | more than 7 years ago | (#19266253)

You don't appear familiar with SMTP either. Bouncing (as opposed to an SMTP level rejection code) is to be avoided at all costs, because you end up sending the entire e-mail message back to what could, and is very likely, a forged address. And besides the social aspects of this, you've now wasted your bandwidth _twice_ (once accepting the entire e-mail, and again transmitting the backscatter e-mail [wikipedia.org] ) and now the unwitting victim of the address joe job [wikipedia.org] gets his bandwidth wasted too, at which point he may complain and accuse *you* of sending spam -- all because you're a nice guy. (taking a deep breath now) Have I mentioned yet that some spammers use this method to relay spam?

You're better off sending a friendly message to the published address of the system administrator than scaring some random user. Sometimes, you might be better off not sending anything at all.

explode button (2, Funny)

timmarhy (659436) | more than 7 years ago | (#19262889)

until there is a button which i can click on each email and cause the sender of the mail to explode an a bloody rain of guts and gore, spam will not end.

Re:explode button (1)

swordgeek (112599) | more than 7 years ago | (#19263037)

At least SOMEONE understands how things work.

You're absolutely right. Until near-certain death is the consequence of spam, there will be spam. No technology will prevent that.

TOTALLY USELESS (0)

Anonymous Coward | more than 7 years ago | (#19262947)

Skip to section 8 of the RFC... No, stop laughing.

How can this garbage be on standards track while RFC4408 (SPF) is only experimental?

WTF are they smoking at the IETF?

No better then SPF (1)

wizkid (13692) | more than 7 years ago | (#19263013)


With SPF, you validate which mail server your getting mail from.

with DKIM, your validating which mail server and a heavy crypto message to compute with SPF.

SPF is only going to fail if you go to a spoofed dns server, or if your mail server is rooted. So where do you get the DKIM sig from. What if it's spoofed?

To make validating your mail server work, all the mail servers have to have SPF entries. The same with DKIM. If I had to vote for one or the other, SPF is good enough. DKIM costs to much, I don't want to have to build any more email machines then I have to. Keeping them all in sync is to much of a pain.

barking up the wrong tree (2, Interesting)

DaMattster (977781) | more than 7 years ago | (#19263209)

I think the OpenBSD guys have the best solution to spam bar none. Rather than adding fancy verification, authentication, or filtration layers, they engage in a technique to make the spammers hurt: tar-pitting. Why not force spammers to put up with an SMTP server that is so slow that it causes them to choke. The best solution for fighting spam is not through processor expensive filtration or key decryption process but through a combination of greylisting, greytrapping, and greyscanning. These methods bring about measurable results. This is ingenious. I have set up an OpenBSD spamwall at my father's business. We have gone from several hundred spam messages per day to only 10 per week. In a 24 hour period we were hit with 2000 smtp connection attempts. Of those 1992 of them gave up. The biggest complaint I have recieved was that they were not getting enough spam and there was concern that legitimate email might be lost. Our spam wall has been in service for a month without problems. The system is not perfect, but a drastic reduction is realized. These methods hurt the spammer and if enough people employ them, spam may become a thing of the past. The absolute worst thing that could happen is that a legitimate email might be delayed by 4-6 hours.

Forgive the sarcasm but... (0)

Anonymous Coward | more than 7 years ago | (#19263505)

> The absolute worst thing that could happen is that a legitimate email might be delayed by 4-6 hours.

Is that all? Sounds like a great solution for email based business with a job turnaround time under 2 hours. Where shall I tell them to sign up?

Re:Forgive the sarcasm but... (1)

MightyMartian (840721) | more than 7 years ago | (#19265799)

The worst thing that happened to email was the minute it was seen as some sort of instantaneous communications. In the old days, you were thrilled if an email wormed its way through the bang path to New Zealand in twelve or thirteen hours, and now if Aunt Martha doesn't get your 20mb JPEG of your little brat vomiting pasta salad all over the neighbor's dog within fifteen seconds of you hitting the bloody send button, there's angry calls to ISP tech support demanding death or at least painful torture.

Greylisting works incredibly well, and quite frankly I think whatever the solution ultimately is, one of the key steps will be in re-educating the spoiled masses that you can either get your mail fast and easy and put up with tons of spam and viruses, or have some stuff delayed and have a more reliable and less troublesome email service. It's very clear that you can't have both.

Re:barking up the wrong tree (1)

gringer (252588) | more than 7 years ago | (#19263801)

Your description reminds me of the greylisting and "could you please try sending that again in an hour or so" approach [acme.com] of Jef Poskanzer. Read more about his troubles here [acme.com] .

Oh, and remember: address@example.com is a better choice for email addresses used in examples, as it uses one of the reserved domains from RFC2606 [faqs.org] .

Re:barking up the wrong tree (1)

dodobh (65811) | more than 7 years ago | (#19266233)

Because the spammers have all those zombies under their control. Your resources are far more expensive than the most expensive spammer resources.

DKIM rocks. (0)

Anonymous Coward | more than 7 years ago | (#19263339)

I don't think that people are seeing the point of DKIM here. But let's take a step back. The only way to stop spam is to provide accountability to the email ecosystem. That way, if we get a piece of email that is unsolicited, we can find the server/person who originated the email and sue them or send them a nastygram or in other ways make it costly for people to spam. Right now, it's essentially free to spam. Just hack some boxes, and send away.

Now look at DKIM. It provides the tools for people to bring accountability to email. Not directly at first, though. In it's initial implementation, all it will do is help the phishers, since it will make sure that folks can't send email that looks like it's coming from wellsfargo.com or whatever because we can check. But after a lot of people are doing this (including the spammers), we will be able to start looking at the certificates used to sign these emails and make good guesses as to who is good and who is bad, and thus we'll be able to set up reputation systems that will help us classify spam. People will be able to develop web-of-trust systems, where people who are clean can vouch for others who are clean, and thus those people can get their certs signed by CAs which people trust, or maybe somebody will set up a score server to keep track of how good/bad various CAs or individual certificates are, and so on.

So if your email is signed by a self-signed cert that nobody knows about, you'll be able to make a policy in your MTA that it automatically gets more scrutiny and maybe starts out with a negative spamassassin score. If it's signed by a (hypothetical) spamcop CA, then it'll get an automatic in without spam scanning or anything. Or whatever you desire. Maybe you want to accept email from everybody. That's up to you and your MTA. And if you do get spam, you can look at who signed it, and you can go inform the CA or the server owner who signed the key that the message was signed with that this guy is spamming, and they can revoke the certificate or go beat on the customer to get them to stop spamming, or you can look them up in the CA's database and sue them or turn them in, or you can stop trusting that CA, or whatever.

What the certificates ultimately do is provide the tools for us to be able to implement accountability (certificates) in the MTA which we then can use to make policy decisions about (using reputation). As such, it's a HUGE step in the right direction. And since it can be done at the MTA level, it has (IMHO) a much better chance of it getting traction and gradually be used to freeze out bad actors in the email world. Mail administrators have a great interest in stopping spam since their customers/users/friends complain so much about it.

I'm excited about this. Perhaps you can tell. :-) I think it's going to be way cool. Have fun!

Re:DKIM rocks. (0)

Anonymous Coward | more than 7 years ago | (#19263453)

Yeah DKIM rocks... that is apart from the numerous insurmountable problems listed in the RFC.

It's like the Windows Vista of email auth; a slow, bloated, resource intensive Johnny-come-lately with nothing but disadvantages over solutions already deployed in the field.

Apart from that, it definitely rocks.

are they kidding? (1)

ffa (104185) | more than 7 years ago | (#19263561)

>>"While research from PEW Internet (PDF) shows that few users really are bothered by spam,"

ARE THEY JOKING? few users are bothered by spam??? Everyone I know, both personally, and at work, gets bombarded by 100s of spam email messages a day and is getting quite irate. The discussion about how useless email has become due to spam comes up almost on a daily basis amont me and my associates. Email was a GREAT way to communiacate, but has quicly become quite useless due to all the spam and the associated filtering, etc...

They must be kidding when they say it only bothers a few people, and I would like to know who IS NOT bothered by spam.

-farshad

I still like HashCash better (1)

Jaime2 (824950) | more than 7 years ago | (#19263877)

Instead of trying to validate mail, just make it computationally expensive to send. Anyone with a compromised Windows box will know immediately because it will be running at 100% CPU utilization constantly. Even if they don't have the technical expertise to know what's wrong, they'll still have an idea that it's broke.

How come these guys never realize that if a scheme can't stop bots, it's worthless. Also, all these fancy schemes are bound to fail because they try to make fighting spam the lever to get everyone on earth to register with them so they can be the toll collector for the future of email.

The only problem with HashCash is that the biggest detractors will be the providers of free email services. They happen to control most of the mailboxes. They don't want their service to become more expensive, and they don't want to see all their hard work not turn into some future monopoly.

Have the client do the calculation (1)

Myria (562655) | more than 7 years ago | (#19264391)

Have the client do the hashcash signing when they connect to Yahoo/GMail/Hotmail and send a message. Speed will be a problem but that can be solved by plugins or modified browsers (add a native-code SHA-256 function callable by JavaScript).

just one word (1)

olman (127310) | more than 7 years ago | (#19267001)

I just want to say one word to you. Just one word.

Botnets.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>