[lug] Getting mail out of the Qwest/MSN mire

Nate Duehr nate at natetech.com
Sat Jul 8 23:52:04 MDT 2006


On Jul 8, 2006, at 10:37 PM, Sean Reifschneider wrote:

> On Fri, Jul 07, 2006 at 01:39:39PM -0600, Nate Duehr wrote:
>> The whole idea behind unauthenticated, unencrypted mail services still
>> being used for real business in the year 2006, is loathsome, really.
>
> How does encrypted, authenticated e-mail help the spam problem?  So now I'm
> getting encrypted e-mail from an authenticated spammer...  It's still
> there.

But you have a 100% definitive way to throw it away before you ever  
see it without fear of collateral damage, if it's truly  
authenticated.  REAL authentication.  Down to the person who sent it,  
or entity, either one of which makes for a great filter object.

> Answer these two questions:
>
>    Who is the mail service who is one of the biggest users of authenticated
>    e-mail?
>
>    Who is the mail service that I get the vast majority of my spam from?
>
> I'll give you a hint, the answer to both of these is the same.  I'll give
> you another hint, the answer rhymes with "yahoo".

Gotta have the authentication to the sending human being or entity  
level, not their "transport" which is all Yahoo is in this case.  If  
Yahoo wouldn't "transport" anything not signed, that'd be what I was  
talking about.  Nothing about Yahoo's signup process forces me to  
give real information about WHO I am.  Fake information works just as  
well.

> We live in a world where spammers are giving away porn, to get people to
> fill out captchas for them.  Spammers are attacking and compromising
> machines all over the Internet.  Where spammers generate random but
> reasonable text to accompany image attachments selling their wares.
>
> The spammers are highly motivated to get in, they probably will.  You've
> probably heard that a determined attacker is going to get in, no matter
> what you do?  Spammers are a prime example of this.
>
>> the root-cause of the problem... mail is not authenticated end-to-end...
>> There wouldn't be any spam.  Fix the root cause.
>
> I wish it were that easy, but it's not...  We already have several
> mechanisms for authenticating e-mail: SPF (which I see you use, hurrah),
> DomainKeys (or whatever it's called today), S/MIME and similar, etc...
>
> The problem is not that we don't know who the senders are, it's that once
> we know who the senders are, we aren't really any better off.  How do we
> know that we want to hear from this person?  Do we block them until they've
> proven themselves to us?  That takes us back to a situation as bad as why
> this thread got started: blacklisting a whole group of people who haven't
> done anything wrong.

We really only know what the sender's IP address is.  It takes quite  
a bit more detective work to find out WHO is really using that server.

> The mail geeks are talking about reputation systems, for giving reputations
> to senders once we know who they are.  However, I feel that's still a big
> can of worms.  Someone with no reputation can't get mail through, and you
> can't get reputation if your mail isn't getting through.  And there's
> nothing to stop a spammer from building up reputation and then spamming.
> Or taking over someone else's identity and reputation.

I got a kick out of Blue Frog, but it ultimately was doomed.  I  
haven't heard how the "new" one is doing, but it wasn't the right  
idea.  But it *was* the first thing that REALLY annoyed the spammers  
in years.  The first original idea that WORKED in a long time.   
Hurrah to them, even if their tactics were wrong.  Strategy-wise,  
they were right, but they didn't execute that strategy to the  
fullest.  Ultimately that comment is easy to prove... all humans
tend to do whatever benefits them that they can get away with.  If
the spammers can't get away with it anymore, they'll have to go back
to some other Ponzi scheme.

The ultimate solution just has to annoy the hell out of spammers
directly.  It doesn't have to stop all spam.

>
>> Every mail server that touches a message should also digitally
>> sign/stamp the message.
>
> Why?!?

Because those TRANSPORTING the spam message also can then be known.   
Why not?

>> It would have to be a company or government organization big enough that
>> people HAVE to communicate with them... and the flood of "realization"
>> would start, and other companies and individuals would follow suit.
>
> There is nobody that people HAVE to communicate with by e-mail.  Anyone who
> does this will have to not only staff up their phones for the people who
> would have e-mailed now phoning, but they also would have to deal with the
> people calling in to complain about their e-mail.  ;-/

Yeah I know, but there's a lot of places that it's actually EASIER to  
communicate with by mail than any other way.  (www.irs.gov vs.  
calling them, for example!)  That's motivation enough if THOSE places  
started requiring people to fully identify themselves BEFORE they can  
put mail in your inbox.

>
>> EVERYTHING BUT... E-mail.  Business deals big enough to affect thousands
>> of people's lives get "inked" via an un-encrypted, un-authenticated
>
> Perhaps, but how does that impact spam?

It's just another good reason that we shouldn't be this far behind  
the rest of the technologies that were formed in the very early days  
of the Net in the "e-mail realm".  We keep building better MTA's,
MUA's that can also filter things, and better EVERYTHING about
e-mail, except really defining who really sent that message from the
Great Beyond to your inbox?

--
Nate Duehr
nate at natetech.com





