[FoRK] At what point is email officially broken?

Justin Mason < jm at jmason.org > on > Thu Dec 7 03:47:35 PST 2006

Aaron +1!

Here are some more key points, from several years' involvement with
SpamAssassin, ASRG and other anti-spam efforts:

> We need an email infrastructure that does not permit spam.

The only thing that can "solve" spam (almost) entirely would be to close
it down -- turn it into a closed-address-book AIM-like protocol, where you
cannot receive emails from someone you haven't added to a whitelist in
advance, out-of-band.  Once you've done that, it's no longer email,
unfortunately.

Any open protocol where you can receive messages from people you haven't
pre-whitelisted, is spammable.  See also weblog spam, Trac spam, etc.

Spam is here to stay.  It's a side-effect of the economic effects of
infinitely-duplicatable bits, the automation possibilities of computers,
and the antisocial crassness of spammers.

Having said that -- a reasonable solution would be to reduce the _scale_
of the spam problem to manageable, pre-2000 levels.  The current scale of
the problem is caused by the botnet problem -- which *is* entirely caused
in turn by Microsoft's insecure software.

One approach to deal with botnets is, instead of locking down MS operating
systems with additional security patches, is instead for the ISPs hosting
the bots to take action.  MAAWG (a trade group for massive ISPs/mailers)
has issued recommendations that deal with botnets, by blocking port 25
from dynamic pools (and thereby not allowing them to relay directly to
spam targets).  Unfortunately, conservatism of ISPs is the problem -- they
aren't adopting those best practices.

Part of this is because they can't afford to, given the current pricing
models for the ISP access industry -- they don't have the margins to
increase anti-abuse monitoring effectively.  The ISP industry has
historically operated on a model of "give them an IP and let them do what
they want".

The conservatism issue applies with DK/DKIM/SPF adoption, especially among
phish targets like the banks (who still insist on sending shitty HTML
that's indistinguishable from phish).  If they got together and realised
that _they_ have to change their behaviour to avoid allowing phish to
proliferate, things might get better -- but they're not.

Another key factor, as Aaron noted, would be for spamming, and advertising
in spam, to become solidly marked as criminal activity.  Right now, there
are sufficient "gray areas" that many spammers can get away with it, even
operating in plain sight in the US.  This is entirely due to the lobbying
efforts of the DMA, which resulted in the useless CAN-SPAM act.

Finally, signing mail won't help particularly; this is a common fallacy --
the confusion between Authentication and Reputation.   If I know for sure
that the mail was sent by jimw at example.com, does that _really_ tell me if
it's spam or not, any more than knowing it was sent by the IP address
157.22.41.50 with rDNS xent.com?

--j.


Aaron Burt writes:
> On Wed, Dec 06, 2006 at 01:29:01PM -0800, Jim Whitehead wrote:
> > >>Feels like we need an "Iraq Study Group" for the spam problem. We're
> > >>not winning the war, and we're in serious denial.
> > >
> > >Grr.  Ask any harried, hard-working sysadmin if we're in "serious  
> > >denial."
> > 
> > In this analogy, the sysadmins are the ground troops, while the  
> > people who could create new email protocols are the authorities in  
> > denial.
> 
> Roughly speaking, the two are the same.  And they have worked very, very
> hard on the problem.  Did you read the page I linked to at the beginning?
> 
> > >>As far as I can tell, there are no IETF working groups addressing the
> > >>issue of fixing the email infrastructure.
> > >
> > >What needs fixing?  The fact that it can be abused?  If that were the
> > >criterion, we'd need to "fix" every piece of technology from the stone
> > >hammer onwards.
> > 
> > We need an email infrastructure that does not permit spam.
> 
> We need rocks that do not permit hitting people over the head, too.
> 
> > We do not  have this at present. The gap between what we have now, and
> > what we  need, is what "needs fixing."
> 
> Why, yes, I got that the first time.  What specifically needs fixing?
> 
> > >One thing that would make a serious dent in spam would be to throw out
> > >the CAN-SPAM act, which effectively legalized it and preempted several
> > >state laws that empowered spam-fighters.
> > 
> > It's unclear to me how a series of national laws can effectively  
> > address an international problem. Let's see, international law  
> > regimes have been effective at preventing content piracy, drug trade,  
> > and the prostitution slave trade.
> 
> You're right, they have.  Can't get 'em all, but you can make long-term
> and large-scale operations infeasable.
> 
> > >Another thing would be to go after the criminals who control and rent
> > >out the botnets of hacked Windows PCs that send out most spam and are
> > >also used for extortion and harassment through DDOS.
> > 
> > Or, one could design a protocol stack such that control of a botnet  
> > would provide no advantage in delivering spam. This would eliminate  
> > the benefit of having a botnet (at least for spam delivery, DDOS is  
> > another matter).
> 
> Botnet = privately-owned PCs running Windows = computers that must be
> able to send email = computers that can send spam.
> 
> > >Another would be to support and stand by the brave folks who monitor
> > >those criminals.  See http://www.spamhaus.org/rokso/index.lasso
> > 
> > Agreed, though the valiant efforts of these people have, to date, not  
> > completely stopped email. An incomplete solution.
> 
> Did you mean that as written?  I might note that those fine folks have
> mainly received lawsuits from spammers and rebuffs from the authorities.
> 
> > >Of course, the most effective measure would be to eliminate Windows
> > >and Outlook altogether, but sadly, that's not on the table.
> > 
> > Eliminating all security holes in software the size of current  
> > applications is, as far as I know, beyond the current state of the  
> > art in software engineering.
> 
> Correct.  So what's your point?   I guess I was mistaken in assuming
> that you were already aware that Windows has so many holes, an unpatched
> machine will likely be compromised in less time than it takes to
> download the patches.
> 
> _______________________________________________
> FoRK mailing list
> http://xent.com/mailman/listinfo/fork

More information about the FoRK mailing list