Why Not Eliminate ALL Spam?
Computers and Technology
| June 3, 2008
| Tim
I don't understand why we're having such a hard time preventing e-mail spam. It seems to me that with a few modifications to SMTP (the mail transport protocol used on the internet), a huge amount of spam (or perhaps even all of it) should be preventable.
Most spam, as I understand it, gets sent this way:
1. Hacker takes over a computer.
2. Hacker uses someone else's (X) e-mail address to send spam to a possible victim address (Y).
3. If the email address Y is right, spam is delivered, or at least suppressed.
4. If email address Y is wrong, a complaint about the situation is sent back to X's domain, which had nothing to do with the matter.
It seems to me the whole thing could be cleared up by adding a simple third verification step. Why not have Y's mail server, before accepting the message, check with X's domain to see if the given message is really coming from X?
For example, let's say I'm visiting Japan, am using an unfamiliar public network, and wish to send mail to you. In the first step, my mail program talks to my own domain (in some secure, password-enabled fashion) and gets or sets a token which allows mail to be sent from me today. Then, my mail program attaches that to the message and sends it along. Next, the recipient host receives the message, contacts my domain, and asks if the given token could have come from me, and, only if so, delivers it.
On the other hand, the spammer can't send a message the same way, as he has no idea how to generate the necessary token. Usually, they don't even know a valid origin e-mail address (often just a domain), but even then, they wouldn't have the password or key encryption information to get/generate the necessary token. Any repeated failed attempt to do so would quickly identify the person as a spammer, and allow the server to quickly block all messages coming from that sender host.
From the spammer's point of view, he'd have to register an entire domain name to use -- for a very limited time -- and set up and register a pair of DNS servers as well as an SMTP server -- all traceable to whoever registered the domain name. (And getting your new domain up takes a while too, which is nice.) If registrars were found to have loose policies, all their hosted domains could be blacklisted as well, essentially driving them out of business.
What's so awful or impossible about this idea?
Unlike some of the solutions from companies like Micro$oft, there are no concerns about privacy or centralizing control -- no more than at present, given that everyone has to register their domain somewhere. When sending e-mail, wouldn't all have to contact one centralized server. (Sorry Bill.) And if I can set up my own domain, I can also set up the auxiliary software to make sure messages are really mine. (Or likewise pay someone else to do both.)
Anyone could write compliant software, for any desired platform. You could even grandfather in existing email clients by redirecting their mail delivery to a tiny SMTP server running on their own computer, which would add the additional check before relaying mail along to their real SMTP server.
Sure, there's slightly more bandwidth per valid message (since I have to contact two domains to send a message, and the mail server must two to deliver it) but compared to the current flood of spam, it would be a vast reduction.
Best yet, it seems to me that such a solution could implemented incrementally. First, make the extra check auxiliary: if it passes, we give priority to the message and know it's not spam. If not, we use the old strategy for a while. After a couple years, we gradually stop doing it the old way.
An even simpler solution would be to only let domains send mail from their own users. So instead of sending mail directly to the recipient, I contact my SMTP server with a password, and give it the mail to forward. Then the recipient domain only accepts mail from DNS-identified mail servers for my domain.
These ideas seem rather simple to me, so why isn't someone pursuing them? Surely greater minds than mine must have thought of strategies like these years ago. Am I overlooking an obvious flaw?
Sort of like SPF, which has some issues, mostly regarding forwarding and mailing lists. Setting up a domain doesn't take all that much time, and I believe I read somewhere that said spammers are the primary source of registering new domains. Newer domains are more likely to be spam, and so spamassassin marks domains that were created within the last day or so as more likely spam.
I think it is really hard to change the SMTP protocol, and have it be implemented all over the place. Certainly, you can increase the "score" of a spam if it doesn't implement your strategy, but if you take a look at all the different methods people have tried to implement, they haven't really gone very far. (SPF, hashcash, domainkeys, etc).
Also, your first scenario (the bouncing back to X) if Y's mail server is misconfigured. If Y delivers the spam to someone who didn't send it, he is now at fault, and should be treated as a spammer. There is no excuse (well, there's one, but I don't think it counts) for bouncing a message to someone who you don't know if they sent it (or worse, bouncing a message because you think it is a virus to someone who you definitely know didn't send it, since that is how the virus works)
SpamCop started accepting spam reports a couple years ago for mail servers that were incorrectly configured. I think some places have fixed their servers, but there are many that are still misconfigured. The more they get reported, and blacklisted, the more motivation they have to fix their servers.
http://www.spamcop.net/fom-serve/cache/329.html
I'm not sure I track what you're saying exactly. In fact, I've probably misunderstood.
Are you saying a person would need to set up a password with an external spam checking service for each email address that they create, which would check a user-supplied password for each email (or for a single login?) Are you essentially asking that people log into their email service twice, which would be more secure than logging in once? Or have I misread you? Probably.
... Personally, I wonder why Cpanel offers features to help screen out spam from others (somewhat poorly), but doesn't do much to identify when servers have been hijacked for spam. That would seem to be an easier task. Yahoo has such features. A simple Captcha (read this weird text to prove you're human) if you trip the alarm would probably go a long way. Those who own servers have some incentive not to be blacklisted as spammers and implement this. Why don't the existing filters simply point in both directions on more machines?
First, Jon, thanks for the intelligent comments. The nice part about the first idea is that it wouldn't be so much a change to existing SMTP protocol per se (the token could be added as an SMTP header) as it would be an additional optional step on each end.
As mentioned, on the client side, that step could be carried out by a relatively simple SMTP proxy. On the sever side, servers like Qmail already have pluggable evaluation steps, where the additional check could be carried out.
To clarify for Ryan, and others I've probably misled: No, I'm saying that domain hosts (people hosting domain, say, xyz.net) would install an additional piece of software for validating e-mail messages as non-spam.
When I go to read my mail, I *already* have to supply a password to get into the POP3/IMAP which delivers my mail to me. All I'm proposing is that you install another piece of software right "next door".
To spell out the steps in more detail:
1. I type in my e-mail message from me (tim@sender.foo) to Bob (bob@receiver.foo), and click "send".
2. My e-mail clients is configured (perhap via proxy) to generate a unique random "token" (just a string of random characters) which it tosses into an extra field on the message.
3. My client ALSO contacts my domain's e-mail validation server (located on the same box as sender.foo's SMTP server), logs in with a password (I don't see this or have to think about it, it just does it automatically) and informs it about the random token and destination.
4. My e-mail client sends rest of the message as usual: It contacts the destination STMP server (at destination.foo) and transmits the message.
5. When destination.foo receives my message, it notices it allegedly comes from tim@sender.foo, looks up the SMTP server associated with domain sender.foo, contacts the validation server running on that host (anonymously -- no login required, the port # is well known too) and asks: "Hey: Did tim@sender.foo send a message with token XL4q90xZ5 to bob@receiver.foo?" My e-mail authenticator service say, in its best June Cleaver voice: "Well, yes, he did. How nice of you to ask!" After this, milk and cookies are offered.
6. The mail delivery agent for receiver.foo can then confidently dump my message into Bob's box, knowing full well that the alleged sender REALLY did send said message -- as opposed to someone else simply pretending to be that person.
And, certainly, as mentioned above, one could register entire spam domains. But they could easily be traced to the registrar, and the registrar could trace them to the one doing the registering. And if the registrar didn't choose to do that final step, spam-conscious ISP could start disallowing all mail from domains associated with "loose" registrars.
SPF appears, in some ways, more or less complicated that what I'm proposing here. Superficially less complicated in that it appears instead of running a validation server (I haven't had time to dive in deep) they're instead trying to distribute all the spam-prevention information through DNS records! Ugh! More complicated (and less useful) in the long run though.
Further, they're restricting the list of hosts who can send a message from that domain. How useless! In an age of mobile IP addresses, that's hard to predict -- you'd end up with my second solution (all mail must originate from it's domain), which is simpler to describe, but a much bigger change to SMTP. (And would require more bandwidth, because you couldn't send the message directly to the recipient. My proposal solves that because only the permission needs to be sent to the alleged originating domain. And it could be a once-a-day token, or even less, if large-prime strategies are used.)
It also seems it wouldn't prevent spam from people who have hijacked your machines. Or users trying to send spam as another user in your domain.
Regarding Ryan's comment about closing out spam hosts, that's nearly useless. There are oodles of zombie hosts our there, operating in coordinated fashion. Count the number of target domains for spam, and multiply them by the size of a spammer's zombie army (typically, in the thousands) and that's how many permutations you'd have to exhaust before shutting down that particular spammer. (Nonetheless, this proposal would *still* help with that, as it would immediately identify the IP address as having been hijacked.)
That's why shutting down their vulnerable point (the originating address) would be so useful. And it's a lot harder to make zombie domains than mere zombie SMTP-sending clients. (And, again, always traceable at least to the registrar. SPF & I agree on that much.)
Also, a huge part of the burden of spam is the zillions of nonexistent e-mail addresses which the spammer sends mail to. Since the recipient is forged, he never learns to eliminate these addresses. A "can't deliver" notice is then delivered, for each one of these, to the forged e-mail recipient's domain. And these receipts represent a HUGE amount of a given SMTP server's workload.
Again, what I'm proposing eliminates that: If the e-mail token comes up false, the mail can just be dropped to /dev/null, nothing more needs to be said or done.
Being as most of these spam processes installs a SMTP server to send the spam messages under its own processes your method would be ineffective. The spam process would just add the "token" to the message and approve it when the authentication request came back. I understand what you are trying to say with this, but it just wouldn't work, to easy to get around considering how spam is usually sent from the zombie machines.
Only allowing SMTP messages from their own servers is a better solution, but not perfect either. For instance I have several email addresses, some of them are on my ISP's domain, some of them are on my work domain, and some still are on my own domain, so I am never on the domain of all three, as such how do I send my emails? Why shouldn't I be able to send my work email from home and my home email from work?
Being as most of these spam processes installs a SMTP server to send the spam messages under its own processes your method would be ineffective. The spam process would just add the "token" to the message and approve it when the authentication request came back.
The final SMTP server (the one which ultimately delivers it to the end-users mailbox) would check the token with the SMTP server specified by the DNS entry for the sender's domain.
I have several email addresses, some of them are on my ISP's domain, some of them are on my work domain, and some still are on my own domain, so I am never on the domain of all three, as such how do I send my emails?
I think this was answered already:
let's say I'm visiting Japan, am using an unfamiliar public network, and wish to send mail to you. In the first step, my mail program talks to my own domain (in some secure, password-enabled fashion) and gets or sets a token which allows mail to be sent from me today. Then, my mail program attaches that to the message and sends it along. Next, the recipient host receives the message, contacts my domain, and asks if the given token could have come from me, and, only if so, delivers it.
The comment rules will apply. Please post only once.
« Reactions to Father Pfleger |
Front Page |
Page Two
| The Next Wave »
|
Sort of like SPF, which has some issues, mostly regarding forwarding and mailing lists. Setting up a domain doesn't take all that much time, and I believe I read somewhere that said spammers are the primary source of registering new domains. Newer domains are more likely to be spam, and so spamassassin marks domains that were created within the last day or so as more likely spam.
I think it is really hard to change the SMTP protocol, and have it be implemented all over the place. Certainly, you can increase the "score" of a spam if it doesn't implement your strategy, but if you take a look at all the different methods people have tried to implement, they haven't really gone very far. (SPF, hashcash, domainkeys, etc).
Also, your first scenario (the bouncing back to X) if Y's mail server is misconfigured. If Y delivers the spam to someone who didn't send it, he is now at fault, and should be treated as a spammer. There is no excuse (well, there's one, but I don't think it counts) for bouncing a message to someone who you don't know if they sent it (or worse, bouncing a message because you think it is a virus to someone who you definitely know didn't send it, since that is how the virus works)
SpamCop started accepting spam reports a couple years ago for mail servers that were incorrectly configured. I think some places have fixed their servers, but there are many that are still misconfigured. The more they get reported, and blacklisted, the more motivation they have to fix their servers.
http://www.spamcop.net/fom-serve/cache/329.html
Posted by: Jon Daley on June 3, 2008 09:45 AM