[lug] Getting mail out of the Qwest/MSN mire

Sean Reifschneider jafo at tummy.com
Sat Jul 8 22:37:43 MDT 2006


On Fri, Jul 07, 2006 at 01:39:39PM -0600, Nate Duehr wrote:
>The whole idea behind unauthenticated, unencrypted mail services still 
>being used for real business in the year 2006, is loathsome, really.

How does encrypted, authenticated e-mail help the spam problem?  So now I'm
getting encrypted e-mail from an authenticated spammer...  It's still
there.

Answer these two questions:

   Who is the mail service who is one of the biggest users of authenticated
   e-mail?

   Who is the mail service that I get the vast majority of my spam from?

I'll give you a hint, the answer to both of these is the same.  I'll give
you another hint, the answer rhymes with "yahoo".

We live in a world where spammers are giving away porn, to get people to
fill out captchas for them.  Spammers are attacking and compromising
machines all over the Internet.  Where spammers generate random but
reasonable text to accompany image attachments selling their wares.

The spammers are highly motivated to get in, they probably will.  You've
probably heard that a determined attacker is going to get in, no matter
what you do?  Spammers are a prime example of this.

>the root-cause of the problem... mail is not authenticated end-to-end...
>There wouldn't be any spam.  Fix the root cause.

I wish it were that easy, but it's not...  We already have several
mechanisms for authenticating e-mail: SPF (which I see you use, hurrah),
DomainKeys (or whatever it's called today), S/MIME and similar, etc...

The problem is not that we don't know who the senders are, it's that once
we know who the senders are, we aren't really any better off.  How do we
know that we want to hear from this person?  Do we block them until they've
proven themselves to us?  That takes us back to a situation as bad as why
this thread got started: blacklisting a whole group of people who haven't
done anything wrong.

The mail geeks are talking about reputation systems, for giving reputations
to senders once we know who they are.  However, I feel that's still a big
can of worms.  Someone with no reputation can't get mail through, and you
can't get reputation if your mail isn't getting through.  And there's
nothing to stop a spammer from building up reputation and then spamming.
Or taking over someone else's identity and reputation.

>Every mail server that touches a message should also digitally 
>sign/stamp the message.

Why?!?

>It would have to be a company or government organization big enough that 
>people HAVE to communicate with them... and the flood of "realization" 
>would start, and other companies and individuals would follow suit.

There is nobody that people HAVE to communicate with by e-mail.  Anyone who
does this will have to not only staff up their phones for the people who
would have e-mailed now phoning, but they also would have to deal with the
people calling in to complain about their e-mail.  ;-/

>EVERYTHING BUT... E-mail.  Business deals big enough to affect thousands 
>of people's lives get "inked" via an un-encrypted, un-authenticated 

Perhaps, but how does that impact spam?

Thanks,
Sean
-- 
 "Engineering Tablets?  Does that mean if I swallow one, I'll be an engineer?"
                 -- Evelyn Mitchell
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability