You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2010/12/01 16:27:13 UTC
Do we need a new SMTP protocol? (OT)
I've been thinking about what it would take to actually eliminate spam
or reduce it to less than 10% of what it is now. One of the problems is
the SMTP protocol itself. And a big problem with that is that mail
servers talk to each other using the same protocol as users use to talk
to servers.
Rather than get all users to change maybe it would be easier to get
server software to change. This transition can be done by making server
software that can do both protocols to maintain compatibility but will
use the new protocol if both sides are capable of talking at that level.
I'm not sure what the specification of the new protocol should be but it
should at least be different than what email clients use so that server
to server communication isn't the same as client to server
communication. Perhaps server protocols can have more authentication
information that would protect them from being spoofed. But having
something different - even if it's just a port change - is better than
what we have now.
Thoughts?
(sorry about posting the same message to the dev list. My mistake)
Re: Do we need a new SMTP protocol? (OT)
Posted by Ted Mittelstaedt <te...@ipinc.net>.
Marc,
This is like solving the Suzuki Samauri rollover problem by making
a newer, wider standard for road widths so that the automakers can make
wider cars.
After all the current road width standard is set the way it is because
of Roman chariots which specified that the road needed to be wide enough
for 2 horses.
If you think about it, if we added a few feet in width to semi trucks
we would save millions of gallons of diesel fuel every year, reduce many
thousands of trucks on the road, and reduce the chance of a truck rollover.
It is an engineering solution that is utterly practical, and would
work perfectly - from an engineering standpoint.
But it is completely impractical and impossible from a common sense
standpoint.
Just like your suggestion of changing the SMTP standard.
Eric Allman himself, inventor of the SMTP standard, has repeatedly
said that what happened with SMTP was predictable. SMTP -HAD- to be
open and flexible to work in the first place, and that flexibility
caused it to be widely adopted - then once widely adopted, that
flexibility itself is now a problem. If the SMTP standard had been
tighter in the beginning so that people would like it today, then it
never would have been adopted, and instead some other, flexible and
open standard would have been adopted - and we would be exactly where
we are now.
I submit that many things in life are like this and you can't do
anything about it other than to just shrug your shoulders and let it be.
Ultimately, in the far future, e-mail itself will become obsolete
by something else, just as e-mail today is obsoleting paper mail.
Maybe at that time we will have a chance to do it right.
Ted
On 12/1/2010 7:27 AM, Marc Perkel wrote:
> I've been thinking about what it would take to actually eliminate spam
> or reduce it to less than 10% of what it is now. One of the problems is
> the SMTP protocol itself. And a big problem with that is that mail
> servers talk to each other using the same protocol as users use to talk
> to servers.
>
> Rather than get all users to change maybe it would be easier to get
> server software to change. This transition can be done by making server
> software that can do both protocols to maintain compatibility but will
> use the new protocol if both sides are capable of talking at that level.
>
> I'm not sure what the specification of the new protocol should be but it
> should at least be different than what email clients use so that server
> to server communication isn't the same as client to server
> communication. Perhaps server protocols can have more authentication
> information that would protect them from being spoofed. But having
> something different - even if it's just a port change - is better than
> what we have now.
>
> Thoughts?
>
> (sorry about posting the same message to the dev list. My mistake)
>
Re: Do we need a new SMTP protocol? (OT)
Posted by Toni Mueller <su...@oeko.net>.
Hi,
On Wed, 01.12.2010 at 11:02:54 -0500, Michael Scheidell <mi...@secnap.com> wrote:
> On 12/1/10 10:56 AM, Toni Mueller wrote:
> >Ok, now let's be serious, there*must* be a reason why this didn't
> >happen long ago, right?
> Because the internet 'must be free'. as in accessable, not as in free beer.
you are preaching to the choir. ;)
I only wanted to illustrate that there *are* means, but it should be
obvious why (almost) nobody wants to use them. Eg. there's the "virtual
poststamp" method, as suggested by Microsoft, and it's patented, thus
protected from abuse, too...
Kind regards,
--Toni++
Re: Do we need a new SMTP protocol? (OT)
Posted by Michael Scheidell <mi...@secnap.com>.
On 12/1/10 10:56 AM, Toni Mueller wrote:
> Ok, now let's be serious, there*must* be a reason why this didn't
> happen long ago, right?
>
>
>
> Kind regards,
> --Toni++
Because the internet 'must be free'. as in accessable, not as in free beer.
Because like I said, all the BIG guys decided not to follow the specs
anyway.
Because if aol/hotmail/comcast/ (youname it.net) wanted to stop zombot
spam, they could.
New specs only work if you can REGULATE THE WHOLE WORLD WIDE INTERNET.
(remember, the internet 'must be free')
never gonaa happen see those links at rhyolite.
ps, I have a new email spec, and if anyone wants to send me email they
have to adhere to this new spec.
ITS CALLED THE CURRENT RFC'S.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
>*| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
Re: Do we need a new SMTP protocol? (OT)
Posted by Michael Scheidell <mi...@secnap.com>.
On 12/1/10 10:56 AM, Toni Mueller wrote:
> I think that it's almost easy to fix the spam
> problem if we are prepared to abandon the SMTP protocol.
>
Actually, published research seems to indicate spam isn't all that much
of a problem anymore.
Yes, 95% of all email is spam, but currently (commercially) available
anti-spam engines are doing a pretty good job of sifting through
spam/ham, and SA does a reasonable job itself.
so, even if 95% of all email is spam, there really is only a small
percentage (very small) getting through to users.
Its so small, that if a user gets ONE SPAM per week, they are likely to
complain about it.
With zero day malware detection, and rules against accepting 'one click
execute' attachments, you have to work pretty hard to get infected via
email now.(unless you work at google, it seems), but then again, we
don't know how hard those individual users worked to open up that
malware that infected their workstations a while back.
Is it a constant battle of wits between the spammers, hackers, phishers?
yes. But the technology has matured enough in the last couple of years
that its a win able battle.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
>*| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
Re: Do we need a new SMTP protocol? (OT)
Posted by Toni Mueller <su...@oeko.net>.
Hi,
On Wed, 01.12.2010 at 10:50:49 -0500, Michael Scheidell <mi...@secnap.com> wrote:
> On 12/1/10 10:33 AM, David F. Skoll wrote:
> >And authentication will stop spam... how?
> >>> Thoughts?
> >You're wasting your time.
> Ditto. we can't even get big providers (Microsoft/blackberry) or
> ISP's to adhere to current RFC's.
:)
while I fully agree that it's impossible to really fix the spam problem
within the SMTP protocol, I think that it's almost easy to fix the spam
problem if we are prepared to abandon the SMTP protocol.
Solution:
Just switch exclusively to X.400 email, and be done with spam. :}
Ok, now let's be serious, there *must* be a reason why this didn't
happen long ago, right?
Kind regards,
--Toni++
Re: Do we need a new SMTP protocol? (OT)
Posted by Michael Scheidell <mi...@secnap.com>.
On 12/1/10 10:33 AM, David F. Skoll wrote:
> And authentication will stop spam... how?
>
>> > Thoughts?
> You're wasting your time.
>
> Regards,
>
> David.
Ditto. we can't even get big providers (Microsoft/blackberry) or ISP's
to adhere to current RFC's.
If you enforce ALL the RFC's in a pre-queue filter, you would reduce
your spam. Go head. Set up your mail server to only accept email from
RFC complaint senders.
1) FQDN for (e)helo / domain, hostname, with full path RDNS
2) not on RFC ignorant list (must have working postmaster,abuse, whois
address. yes, its in the RFC's)
3) SPF (IF IT USES SPF) must follow spec, including SRS. if it doesn't
publish SPF, then don't worry about this (I put this in for all of you
to argue back and forth about SPF. but it is in the RFC's)
4) DNS/NDR's . (guess what!!) the RFC's say you MUST reject the email if
you can't deliver it..
5) only accept email from hostname/domains that block outbound port 25
from workstations (RBL's for that)
6) block email from ip's that are zombots, open relays, have broken,
abuseable web email forms.
As the links above mention, we have fought this battle since 1994. I
have personally fought this battle since 1994.
How much email do you think you will get if you follow ALL the RFC's?
Oh, lets start a NEW spec that no one will follow. Considering how easy
it is to force senders to follow the current specs.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
>*| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
Re: Do we need a new SMTP protocol? (OT)
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 01 Dec 2010 07:27:13 -0800
Marc Perkel <ma...@perkel.com> wrote:
> I've been thinking about what it would take to actually eliminate
> spam or reduce it to less than 10% of what it is now. One of the
> problems is the SMTP protocol itself. And a big problem with that is
> that mail servers talk to each other using the same protocol as users
> use to talk to servers.
http://www.rhyolite.com/anti-spam/you-might-be.html#senior-IETF-member-5
http://www.rhyolite.com/anti-spam/you-might-be.html#spammers-are-stupid-3
http://www.rhyolite.com/anti-spam/you-might-be.html#knows-SMTP-4
http://www.rhyolite.com/anti-spam/you-might-be.html#knows-SMTP-5
http://www.rhyolite.com/anti-spam/you-might-be.html#programmer-11
> Rather than get all users to change maybe it would be easier to get
> server software to change. This transition can be done by making
> server software that can do both protocols to maintain compatibility
> but will use the new protocol if both sides are capable of talking at
> that level.
And spammers' incentive not to force a downgrade to SMTP will be... what?
> I'm not sure what the specification of the new protocol should be but
> it should at least be different than what email clients use so that
> server to server communication isn't the same as client to server
> communication. Perhaps server protocols can have more authentication
> information that would protect them from being spoofed.
And authentication will stop spam... how?
> Thoughts?
You're wasting your time.
Regards,
David.
Re: Do we need a new SMTP protocol? (OT)
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote:
> I've been thinking about what it would take to actually eliminate spam
> or reduce it to less than 10% of what it is now. [...]
The FUSSP! Hooray!
> I'm not sure what the specification of the new protocol should be [...]
Oh, no, it is not. You did not offer a solution.
> Thoughts?
> (sorry about posting the same message to the dev list. My mistake)
Yes. Thoughts. This is off-topic.
Please go find a better audience to rehash this subject yet again. This
horse has been beaten to death many times before.
Neither SA list would have been appropriate to raise that topic.
guenther -- your friendly moderator
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Do we need a new SMTP protocol? (OT)
Posted by Raul Dias <ra...@dias.com.br>.
On 12/01/2010 02:13 PM, Martin Gregorie wrote:
> On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote:
>> I've been thinking about what it would take to actually eliminate spam
>> or reduce it to less than 10% of what it is now. One of the problems is
>> the SMTP protocol itself. And a big problem with that is that mail
>> servers talk to each other using the same protocol as users use to talk
>> to servers.
> I don't think that would help at all. Bots would just pretend to be mail
> servers and use SMTP. Any other form of spam could be circumvented by
> setting up spammer-owned MTAs that spammers would use to inject spam.
>
> IMO the best solution would have been a charge per e-mail provided it
> was universally enforced. A small charge, e.g. $0.001 to $0.01 per
> addressee per message would be almost unnoticable to a normal user or
> business while still being enough to discourage volume spammers by
> wiping out their profits. Another benefit would be that the bill
> received by a bot-infected user would serve as a powerful wake-up call
> to get disinfected.
Much simpler is to have a per user whitelist.
There are a few projects for this and even SA can be used to do it.
The problem is that the spam problem is thrown at the user rather than
the admin.
There is no need to an extra RFC for this.
The server returns a 5xx/4xx error for non-whitelisted mails.
For the lazy ones, managing the whitelist from the mail client is very
important.
Even a period of transition can be easily setup.
a - the users are aware of the change and how to manage this.
b - users start to setup their whitelists (specially for maillists).
c - post spam filtered messages are automatically replied about the need
- if not already in the whitelist.
this would let the known sender to poke the lazy contact.
d - whitelist in effect returning a 5[4]xx error with some explaniation
message.
Then we got the point on how to know the addresses to whitelist it in
the first place (first contacts).
A first time sender could have its message reformated in a way to let
the user know about it and white/blacklist (e.g. links to the admin site
- GUI action).
Somewhat like an IM works (or should).
-rsd
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
Posted by Ken A <ka...@pacific.net>.
On 12/1/2010 11:47 AM, Rob McEwen wrote:
> On 12/1/2010 12:05 PM, David F. Skoll wrote:
>> Where did you hear that? I can't imagine that
>> IPv6 is any less (or any more) anonymous than IPv4.
>
> One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's
> nightmare. A spammers (and blackhat ESPs) would potentially send out
> each spam from a different IP and then not use each IP again for YEARS!
>
> This will make DNSBLs much less effective.. and it will bloat their file
> sizes and memory/resource requirements exponentially. The DNSBLs will
> have no choice but to make their entire DNSBL the equivalent of a /24
> list today... except painting with a much broader stroke, and many will
> complain about unfair collateral damage. Even then, the bloat will STILL
> be out of control.
>
> SOLUTIONS?
>
> Personally, I prefer everyone everywhere agree that, unless the e-mail
> is password authenticated to one's own mail server, all mail be rejected
> unless the mail server had IPv4. But purists won't like that because
> their goal is to eventually *end* IPv4.
>
> So what else could be done?
v6 is now at the core and at the edge, and much of the server-to-server
talking in the middle is going to remain v4 for a while. Significant
numbers of smtp servers will remain v4 only, and so v6 only servers will
need to use a v4 gateway to be of any real use to their customers. I
think we can safely firewall, or whitelist v6 on port 25 until we have a
useful whitelist, and probably a large droplist. Greylisting and
watching for IPv6 "hopping" would probably be useful too..
Ken
>
> If we must receive mail from IPv6 IPs, then I recommend doing the
> equivalent of the following (put in IPv4 terms for simplicity):
>
> (A) All other non-authenticated mail rejected... unless the message came
> from a "XXX.XXX.XXX.0" IP (this is in IPv4 terms... translate this into
> some equivalent IPv6 standard... but case a super wide net!) That will
> greatly reduces the number of possible valid mail sending IP. (again,
> auth mail to one's own server need not fulfill this standard)
>
> (b) industry wide, agree that mail is NOT accepted from IPv6 unless it
> does "Forward Confirmed reverse DNS" FCrDNS
>
> If one or both of those were agreed upon up front--this would go a long
> way towards preventing the coming nightmare. (and forgive me of RFCs
> have already established those as absolute standards for IPv6... I
> haven't kept up with all the RFC for IPv6!)
>
--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol?
(OT))
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 01 Dec 2010 13:29:28 -0500
Rob McEwen <ro...@invaluement.com> wrote:
> When DNSBL resources are order of magnitudes higher... when the
> largest data files for DNSBLs go from 100MB to probably Terabytes...
> and then trying to transfer that via rsync... and getting all the
> mirrors to handle loading that much data into rbldnsd... THAT will be
> a nightmare. (will Terabytes of RAM be affordable anytime soon?)
I don't follow you. DNSBLs will only list addresses (actually, /64s)
that have been seen to be abusive. That number is limited not by the
number of possible IPv6 addresses, but by the number of actual /64
allocations.
[...]
> We have a chance to impose some strict standards for mail sending on
> IPv6 that will lessen these problems. Why wait until its too late?
Because those strict standards all make sending mail less convenient
without affecting spam.
Regards,
David.
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
Posted by Ted Mittelstaedt <te...@ipinc.net>.
On 12/1/2010 10:29 AM, Rob McEwen wrote:
> On 12/1/2010 12:55 PM, David F. Skoll wrote:
>> I don't see any nightmare.
>
> When DNSBL resources are order of magnitudes higher... when the largest
> data files for DNSBLs go from 100MB to probably Terabytes... and then
> trying to transfer that via rsync... and getting all the mirrors to
> handle loading that much data into rbldnsd... THAT will be a nightmare.
> (will Terabytes of RAM be affordable anytime soon?)
>
>> DNSBLs are a useful anti-spam tool that
>> will be made somewhat less effective with the advent of IPv6, but they're
>> by no means the only or most effective anti-spam tool we have.
>
> Not the only tool... but (particularly for IP DNSBLs worthy of blocking
> at the MTA...) they are the BEST tool from a price/performance
> perspective. In contrast, content scanning messages is comparatively
> resource expensive.
>
which we currently are doing.
If Wonkulating Gronkulator ISP Inc. has 2000 customers on their
mailserver in an IPv4 world, they will have 2000 customers on their
IPv6-enabled mailserver. They will thus be doing the same amount of
work content scanning on the IPv6-enabled mailserver as they are now
doing on the IPv4-enabled mailserver.
Adding more IP addresses into the market isn't going to increase
the amount of spam being sent.
What really increases the amount of spam being sent (IMHO) is
increasing the number of HOSTS that can directly send out via
port 25.
Without question the real driver of IPv6 is stuff like cell phones,
blue ray players, and so on that need more IP addresses. Do these
devices need unrestricted port 25 access? Absolutely not. So it
seems that the organizations constructing the IPv6 networks that these
devices need, have every incentive to be responsible and block such
access.
If for example your an ISP managing a FIOS network who is looking into
going to IPv6 you know your going to either have to replace firmware in
your customer's CPEs or provide them with new CPEs. And the new
CPE cannot depend on NAT it will need to have a real firewall in it.
Why would you NOT set an outbound port25 block as a DEFAULT?
Today, Comcast blocks SMB ports, I have run tests with techs here and
I can guarantee that it is impossible to map a drive over Comcast,
unless you either use nonstandard ports or put it in a VPN. Yet
does the average customer notice? NO. So then why would it be so
difficult for them to block port 25? it WOULDN'T.
We know that with the newer broadband networks - wiMax, cable, fios
and FTTN, that in the US at any rate we are heading into a monopoly
age where the wire carrier will be the ISP. Thus there will not be
many ISPs out there and those that will be out there will be
gigantic. We know that for these megaliths to go to IPv6 they will
need to forklift upgrade their CPE's. We also know these CPEs will
not be NAT devices and thus will need stateful firewalls to do IPv6.
So the opportunity is to have the ISPs today that will be doing this
set the defaults in these CPE devices to block things like outbound
SMTP. If the customer is clueful they can login and turn off the
block, if they are clueless they should definitely not be turning
off any SMTP blocks.
Problem solved.
Ted
> I suppose a nation's military *could* fight a war without airplanes,
> without ships, and without missiles.. and just depend on the foot
> soldiers and tanks to do *all* the work. But is that wise? Does that
> happen without a steep price?
>
> We have a chance to impose some strict standards for mail sending on
> IPv6 that will lessen these problems. Why wait until its too late?
>
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
Posted by Rob McEwen <ro...@invaluement.com>.
On 12/1/2010 12:55 PM, David F. Skoll wrote:
> I don't see any nightmare.
When DNSBL resources are order of magnitudes higher... when the largest
data files for DNSBLs go from 100MB to probably Terabytes... and then
trying to transfer that via rsync... and getting all the mirrors to
handle loading that much data into rbldnsd... THAT will be a nightmare.
(will Terabytes of RAM be affordable anytime soon?)
> DNSBLs are a useful anti-spam tool that
> will be made somewhat less effective with the advent of IPv6, but they're
> by no means the only or most effective anti-spam tool we have.
Not the only tool... but (particularly for IP DNSBLs worthy of blocking
at the MTA...) they are the BEST tool from a price/performance
perspective. In contrast, content scanning messages is comparatively
resource expensive.
I suppose a nation's military *could* fight a war without airplanes,
without ships, and without missiles.. and just depend on the foot
soldiers and tanks to do *all* the work. But is that wise? Does that
happen without a steep price?
We have a chance to impose some strict standards for mail sending on
IPv6 that will lessen these problems. Why wait until its too late?
--
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
Posted by Jason Bertoch <ja...@i6ix.com>.
On 2010/12/01 12:55 PM, David F. Skoll wrote:
>
> Actually, since the smallest allocation unit is a /64, you could switch
> IP addresses once per nanosecond and not run out for almost 585 years.
> If you have a /48, you could last for about 38 million years.
>
> So at a minimium, an IPv6 DNSBL will have to list a /64, not individual
> IPv6 addresses. That's fine. Most botnet nodes are individual home PCs
> and they won't be able to pick an address outside their /64 allocation
> (assuming a competent ISP... a big assumption!)
>
For what it's worth, the recommended allocation to end users is a /56 to
the home and a /48 to small businesses, though many are suggesting a /48
to everyone to keep routing simpler.
> Also, DNSWLs will start becoming more important as we concentrate on
> listing known-good machines.
>
+1 blacklists simply won't be able to maintain unless they list the
entire prefix, and even that won't last forever.
>
> Rob McEwen wrote:
>
>> If one or both of those were agreed upon up front--this would go a
>> long way towards preventing the coming nightmare.
E-mail is already being sent on IPv6. Better hurry up on writing those
RFC's!
--
/Jason
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol?
(OT))
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 01 Dec 2010 12:47:16 -0500
Rob McEwen <ro...@invaluement.com> wrote:
> One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's
> nightmare. A spammers (and blackhat ESPs) would potentially send out
> each spam from a different IP and then not use each IP again for
> YEARS!
Actually, since the smallest allocation unit is a /64, you could switch
IP addresses once per nanosecond and not run out for almost 585 years.
If you have a /48, you could last for about 38 million years.
So at a minimium, an IPv6 DNSBL will have to list a /64, not individual
IPv6 addresses. That's fine. Most botnet nodes are individual home PCs
and they won't be able to pick an address outside their /64 allocation
(assuming a competent ISP... a big assumption!)
Also, DNSWLs will start becoming more important as we concentrate on
listing known-good machines.
> Personally, I prefer everyone everywhere agree that, unless the e-mail
> is password authenticated to one's own mail server, all mail be
> rejected unless the mail server had IPv4. But purists won't like that
> because their goal is to eventually *end* IPv4.
It's not just purists who won't like that. At some point, you won't
be able to *get* an IPv4 address.
[...]
> If one or both of those were agreed upon up front--this would go a
> long way towards preventing the coming nightmare. (and forgive me of
> RFCs have already established those as absolute standards for IPv6...
> I haven't kept up with all the RFC for IPv6!)
I don't see any nightmare. DNSBLs are a useful anti-spam tool that
will be made somewhat less effective with the advent of IPv6, but they're
by no means the only or most effective anti-spam tool we have.
Regards,
David.
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
Posted by Rob McEwen <ro...@invaluement.com>.
On 12/1/2010 12:05 PM, David F. Skoll wrote:
> Where did you hear that? I can't imagine that
> IPv6 is any less (or any more) anonymous than IPv4.
One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's
nightmare. A spammers (and blackhat ESPs) would potentially send out
each spam from a different IP and then not use each IP again for YEARS!
This will make DNSBLs much less effective.. and it will bloat their file
sizes and memory/resource requirements exponentially. The DNSBLs will
have no choice but to make their entire DNSBL the equivalent of a /24
list today... except painting with a much broader stroke, and many will
complain about unfair collateral damage. Even then, the bloat will STILL
be out of control.
SOLUTIONS?
Personally, I prefer everyone everywhere agree that, unless the e-mail
is password authenticated to one's own mail server, all mail be rejected
unless the mail server had IPv4. But purists won't like that because
their goal is to eventually *end* IPv4.
So what else could be done?
If we must receive mail from IPv6 IPs, then I recommend doing the
equivalent of the following (put in IPv4 terms for simplicity):
(A) All other non-authenticated mail rejected... unless the message came
from a "XXX.XXX.XXX.0" IP (this is in IPv4 terms... translate this into
some equivalent IPv6 standard... but case a super wide net!) That will
greatly reduces the number of possible valid mail sending IP. (again,
auth mail to one's own server need not fulfill this standard)
(b) industry wide, agree that mail is NOT accepted from IPv6 unless it
does "Forward Confirmed reverse DNS" FCrDNS
If one or both of those were agreed upon up front--this would go a long
way towards preventing the coming nightmare. (and forgive me of RFCs
have already established those as absolute standards for IPv6... I
haven't kept up with all the RFC for IPv6!)
--
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032
IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 01 Dec 2010 16:55:17 +0000
Martin Gregorie <ma...@gregorie.org> wrote:
> Besides, I seem to remember hearing that IPV6 is never anonymous
Where did you hear that? I can't imagine that
IPv6 is any less (or any more) anonymous than IPv4.
> OT comment 1: if IPV6 is indeed never anonymous, where does *that*
> leave spammers and botnets.
Spammers and botnets *do not care* about anonymity. Why should they
when they can easily steal someone's identity by subverting his or her
computer? That is why pretending that strong authentication will affect
spam is fantasyland.
[Well, the botnet operators care about personal anonymity, I guess, so
they cover their tracks. But they don't care about anonymity as far as
interacting with SMTP servers goes.]
Regards,
David.
Re: Do we need a new SMTP protocol? (OT)
Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Dec 2010, Martin Gregorie wrote:
>> On Wed, 01.12.2010 at 16:13:06 +0000, Martin Gregorie <ma...@gregorie.org> wrote:
>>
>>> IMO the best solution would have been a charge per e-mail provided it
>>> was universally enforced. A small charge, e.g. $0.001 to $0.01 per
>>> addressee per message would be almost unnoticable to a normal user or
>>> business while still being enough to discourage volume spammers by
>>> wiping out their profits.
>
> How, exactly do you work that out? Send through your ISP, ISP knows who
> you are anyway and collects.
I own my own domain and send all my mail via a hosted server that I
administer. I _don't trust_ someone else to handle my email on my behalf.
Who do I pay? My ISP at home? My hosting provider? Myself?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the business of government to make men virtuous or
religious, or to preserve the fool from the consequences of his own
folly. -- Henry George
-----------------------------------------------------------------------
14 days until Bill of Rights day
Re: Do we need a new SMTP protocol? (OT)
Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2010-12-01 at 17:29 +0100, Toni Mueller wrote:
> Hi,
>
> On Wed, 01.12.2010 at 16:13:06 +0000, Martin Gregorie <ma...@gregorie.org> wrote:
> .....
>
> > IMO the best solution would have been a charge per e-mail provided it
> > was universally enforced. A small charge, e.g. $0.001 to $0.01 per
> > addressee per message would be almost unnoticable to a normal user or
> > business while still being enough to discourage volume spammers by
> > wiping out their profits. Another benefit would be that the bill
> > received by a bot-infected user would serve as a powerful wake-up call
> > to get disinfected.
>
> This is imho a very bad idea, as it would destroy much of the freedom
> of the Internet in one go, since it would then be impossible to send
> anonymous emails.
>
How, exactly do you work that out? Send through your ISP, ISP knows who
you are anyway and collects.
Send through, say, TOR and either you use a wrapper (your ISP collects
that and TOR strips the wrapper and sends the actual message, or you use
a browser to connect to Tor and they collect. Either way, since I
believe a mail can't be tracked through Tor, the result is anonymity.
Besides, I seem to remember hearing that IPV6 is never anonymous and
we're all going to be on that as soon as IPV4 address space is
exhausted, and there are only two /8 chunks left unassigned.
OT comment 1: if IPV6 is indeed never anonymous, where does *that* leave
spammers and botnets.
OT comment 2: another major source of spam is web forums, yet I seldom
hear anything about controlling those sources.
Martin
Re: Do we need a new SMTP protocol? (OT)
Posted by Toni Mueller <su...@oeko.net>.
Hi,
On Wed, 01.12.2010 at 16:13:06 +0000, Martin Gregorie <ma...@gregorie.org> wrote:
> I don't think that would help at all. Bots would just pretend to be mail
> servers and use SMTP. Any other form of spam could be circumvented by
> setting up spammer-owned MTAs that spammers would use to inject spam.
nothing new so far.
> IMO the best solution would have been a charge per e-mail provided it
> was universally enforced. A small charge, e.g. $0.001 to $0.01 per
> addressee per message would be almost unnoticable to a normal user or
> business while still being enough to discourage volume spammers by
> wiping out their profits. Another benefit would be that the bill
> received by a bot-infected user would serve as a powerful wake-up call
> to get disinfected.
This is imho a very bad idea, as it would destroy much of the freedom
of the Internet in one go, since it would then be impossible to send
anonymous emails. Although not very much people make use of this
feature, I find it MUCH too valuable to abandon and have the Internet
policed by those who would want to cash you, and/or prevent you from
sending email in the first place.
It's quite sad to find the ugly joke with X.400, which would be mostly
just that, electronic postage per email, to be taken for real...
Kind regards,
--Toni++
Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
Posted by RW <rw...@googlemail.com>.
On Sat, 4 Dec 2010 16:08:36 +0000
RW <rw...@googlemail.com> wrote:
> On Sat, 04 Dec 2010 12:44:37 +0100
> Bernd Petrovitsch <be...@petrovitsch.priv.at> wrote:
>
>
> > C/R is only means to make it move your own effort over to others.
> >
> > The really "interesting" case is if both sides choose to require C/R
> > to get the first mail delivered.
> > Which should be a clear sign to everyone that C/R is basically a bad
> > idea.
>
> That's only a problem in very naive C/R systems. It can be solved by
> using a time-limited disposable address in the envelope "mail from".
> The recipient's challenge goes to the disposable address which
> bypasses the senders own C/R system. Some mailservers already do this
> because it eliminates almost all backscatter while allowing remotely
> generated legitimate DSNs to pass.
>
> Infuriating advocates of C/R pretty much have an answer for
that should be "Infuriatingly"
> everything. If a benign dictator imposed a well thought-out scheme on
> everyone, it would probably work very well.
>
> At the moment though spam isn't that much of a problem, and C/R is
> more trouble than it's worth.
Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
Posted by jdow <jd...@earthlink.net>.
Sorry bubbie, send me a challenge and you go into the evil list, which
tends to be a permanent /dev/null redirect. This is iron clad on a
mailing list. Direct I may or may not consign. C/R is plain evil as I
have encountered it in the past. On mailing lists it's beyond evil as
it generates challenges from every message sent to the list as the
list server never responds to the challenges.
I'm rather inflexible on Challenge/(lack of) Response because of my
experience on the wrong end of it.
{','} C/R sucks dead bunnies through garden hoses.
----- Original Message -----
From: "RW" <rw...@googlemail.com>
Sent: Saturday, 2010/December/04 08:08
> On Sat, 04 Dec 2010 12:44:37 +0100
> Bernd Petrovitsch <be...@petrovitsch.priv.at> wrote:
>
>
>> C/R is only means to make it move your own effort over to others.
>>
>> The really "interesting" case is if both sides choose to require C/R
>> to get the first mail delivered.
>> Which should be a clear sign to everyone that C/R is basically a bad
>> idea.
>
> That's only a problem in very naive C/R systems. It can be solved by
> using a time-limited disposable address in the envelope "mail from".
> The recipient's challenge goes to the disposable address which bypasses
> the senders own C/R system. Some mailservers already do this because it
> eliminates almost all backscatter while allowing remotely generated
> legitimate DSNs to pass.
>
> Infuriating advocates of C/R pretty much have an answer for everything.
> If a benign dictator imposed a well thought-out scheme on everyone, it
> would probably work very well.
>
> At the moment though spam isn't that much of a problem, and C/R is more
> trouble than it's worth.
Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
Posted by RW <rw...@googlemail.com>.
On Sat, 04 Dec 2010 12:44:37 +0100
Bernd Petrovitsch <be...@petrovitsch.priv.at> wrote:
> C/R is only means to make it move your own effort over to others.
>
> The really "interesting" case is if both sides choose to require C/R
> to get the first mail delivered.
> Which should be a clear sign to everyone that C/R is basically a bad
> idea.
That's only a problem in very naive C/R systems. It can be solved by
using a time-limited disposable address in the envelope "mail from".
The recipient's challenge goes to the disposable address which bypasses
the senders own C/R system. Some mailservers already do this because it
eliminates almost all backscatter while allowing remotely generated
legitimate DSNs to pass.
Infuriating advocates of C/R pretty much have an answer for everything.
If a benign dictator imposed a well thought-out scheme on everyone, it
would probably work very well.
At the moment though spam isn't that much of a problem, and C/R is more
trouble than it's worth.
Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
Posted by Bernd Petrovitsch <be...@petrovitsch.priv.at>.
On Mit, 2010-12-01 at 16:17 -0500, David F. Skoll wrote:
> On Wed, 1 Dec 2010 16:02:03 -0500
> Michael Grant <mg...@grant.org> wrote:
>
> > The main problem with this approach is how does
> > someone send you mail if they're not on your contact list? I don't
> > have any magic answers how to solve that beyond what's already out
> > there as in return messages with captchas in them or things like Blue
Some people (including me) do not like to be Turing-tested. And if you
Turing-test me, why shouldn't I require the same in the other direction
before?
Apart from the obvious misuses of captchas.
> > Bottle seem to be quite effective.
>
> Challenge-Response systems are evil. I never reply to challenges and I
> typically blacklist systems that send them.
C/R is only means to make it move your own effort over to others.
The really "interesting" case is if both sides choose to require C/R to
get the first mail delivered.
Which should be a clear sign to everyone that C/R is basically a bad
idea.
> There's a fundamental economic principle at play: If you make it harder
> for spammers to send spam, then you make it less convenient to send email
> to someone you've never written to before. There is simply no way around
> that.
Even worse, the professional spammers adapt faster to such new stuff
than the average admin or user.
[...]
Bernd
--
Bernd Petrovitsch Email : bernd@petrovitsch.priv.at
LUGA : http://www.luga.at
Re: Misguided energy
Posted by John Wilcock <jo...@tradoc.fr>.
Le 02/12/2010 01:02, Karsten Bräckelmann a écrit :
> Personally, I have *never* received a legit C/R. Every single one that
> ended up on my machines have been in response to spam sent with a forged
> sender address.
I wish I could say the same - at work we have at least a dozen clients
who use challenge/response, and when it's for business you can't just
ignore the challenges, let alone blacklist your clients.
Mailinblack in particular seem to have been quite successful in selling
their C/R system to companies here in France... who seem to have totally
overlooked the very real business risk of other anti-spam systems
classifying their challenges as spam.
John.
--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
Re: Misguided energy
Posted by Michael Scheidell <mi...@secnap.com>.
On 12/1/10 10:37 PM, Karsten Bräckelmann wrote:
> On Wed, 2010-12-01 at 20:38 -0500, Michael Scheidell wrote:
>> On 12/1/10 7:02 PM, Karsten Bräckelmann wrote:
>>> Personally, I have *never* received a legit C/R. Every single one that
>>> ended up on my machines have been in response to spam sent with a forged
>>> sender address.
>> I had a legit one.
>>
>> I was stupid enough to answer a question on this list directly to a poster.
>>
>> Guess what? I got a CR.
> I would have appreciated to know about that. In particular, considering
> what this list is about. If not publicly shaming, lest so I won't
> contribute to such behavior by answering.
>
@putercom.com
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
>*| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
Re: Misguided energy
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-12-01 at 20:38 -0500, Michael Scheidell wrote:
> On 12/1/10 7:02 PM, Karsten Bräckelmann wrote:
> > Personally, I have *never* received a legit C/R. Every single one that
> > ended up on my machines have been in response to spam sent with a forged
> > sender address.
>
> I had a legit one.
>
> I was stupid enough to answer a question on this list directly to a poster.
>
> Guess what? I got a CR.
I would have appreciated to know about that. In particular, considering
what this list is about. If not publicly shaming, lest so I won't
contribute to such behavior by answering.
> Guess what? luser got blacklisted.
Guess what? I can sympathize with that...
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Misguided energy
Posted by Michael Scheidell <mi...@secnap.com>.
On 12/1/10 7:02 PM, Karsten Bräckelmann wrote:
> Personally, I have*never* received a legit C/R. Every single one that
> ended up on my machines have been in response to spam sent with a forged
> sender address.
>
I had a legit one.
I was stupid enough to answer a question on this list directly to a poster.
Guess what? I got a CR.
Guess what? luser got blacklisted.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
>*| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
Re: Misguided energy
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-12-01 at 16:17 -0500, David F. Skoll wrote:
> Challenge-Response systems are evil. I never reply to challenges and I
> typically blacklist systems that send them.
Personally, I have *never* received a legit C/R. Every single one that
ended up on my machines have been in response to spam sent with a forged
sender address.
Hardly distinguishable from backscatter. And in fact, all samples I have
are dating back from times when certain addresses have received quite a
lot of that blow-back spam.
> There's a fundamental economic principle at play: If you make it harder
> for spammers to send spam, then you make it less convenient to send email
> to someone you've never written to before. There is simply no way around
> that.
>
> Rather than destroying email (its killer feature is *precisely* the
> ability to dash off a note to someone new) by making it harder to send
> spam, viable anti-spam solutions make it less likely that spam will be
> received. Yes, this is costly and annoying, but it's the price we pay
> for the convenience of email.
Very true, David. Spam filtering helps. Which, coincidentally, probably
is what we all are here for. ;)
Both, backscatter as well as C/R as a specific form of backscatter [1]
are evil. I have refused to answer questions on this very list before,
when it became obvious the OP uses or considers C/R -- unless he thought
about that a second time. I will continue to do so.
[1] Its stated purpose is to reduce spam, by sending out a challenge to
legit first-time senders -- as well as forged addresses, mind you!
That is *deliberately* spamming [2] innocent bystanders.
[2] I don't use that term lightly. Anyone who has sufficient knowledge
of the problem to create such beast, also knows about address
forgery. He knows, he turns the recipient's problem into a
bystander's problem.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 1 Dec 2010 16:02:03 -0500
Michael Grant <mg...@grant.org> wrote:
> The main problem with this approach is how does
> someone send you mail if they're not on your contact list? I don't
> have any magic answers how to solve that beyond what's already out
> there as in return messages with captchas in them or things like Blue
> Bottle seem to be quite effective.
Challenge-Response systems are evil. I never reply to challenges and I
typically blacklist systems that send them.
There's a fundamental economic principle at play: If you make it harder
for spammers to send spam, then you make it less convenient to send email
to someone you've never written to before. There is simply no way around
that.
Rather than destroying email (its killer feature is *precisely* the
ability to dash off a note to someone new) by making it harder to send
spam, viable anti-spam solutions make it less likely that spam will be
received. Yes, this is costly and annoying, but it's the price we pay
for the convenience of email.
Regards,
David.
Re: Do we need a new SMTP protocol? (OT)
Posted by Michael Grant <mg...@grant.org>.
I do find this topic interesting, perhaps this isn't the most
appropriate place to discuss it, if not here though, where?
I'd like to make an observation. More and more people are using
"social network" systems like Facebook in place of email. Also IM
chatting is replacing a lot of person-to-person email.
I actually get precious little spam through these alternatives to smtp
email. This is primarily because in order to send me a message
through one of these systems, you have to be on my contact list.
Of course, this only moves the problem one layer up. In order to set
up that reciprocal agreement, some exchange has to take place, either
out of band, or via an invite (which could be spam).
There are many different IM systems out there now. It annoys me that
I have to get on lots of different systems just to communicate with
everyone. I'd prefer to see one unified messaging system.
SMTP email is going to be hard to replace. It would seem like our
best bet is to bolt something on to it like an IM style contact list
manager where you have to be on someone's contact list to be able to
send them mail. The main problem with this approach is how does
someone send you mail if they're not on your contact list? I don't
have any magic answers how to solve that beyond what's already out
there as in return messages with captchas in them or things like Blue
Bottle seem to be quite effective.
Michael Grant
Re: Do we need a new SMTP protocol? (OT)
Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Dec 2010, Martin Gregorie wrote:
> IMO the best solution would have been a charge per e-mail provided it
> was universally enforced.
http://www.rhyolite.com/anti-spam/you-might-be.html#e-postage
http://www.rhyolite.com/anti-spam/you-might-be.html#senior-IETF-member
+1 to moving this dead horse out of our house. Jeeze, Marc, you just
_love_ opening cans of worms, don't you? :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You do not examine legislation in the light of the benefits it
will convey if properly administered, but in the light of the
wrongs it would do and the harms it would cause if improperly
administered. -- Lyndon B. Johnson
-----------------------------------------------------------------------
14 days until Bill of Rights day
Re: Do we need a new SMTP protocol? (OT)
Posted by Yet Another Ninja <sa...@alexb.ch>.
On 2010-12-01 17:13, Martin Gregorie wrote:
> On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote:
>> I've been thinking about what it would take to actually eliminate spam
>> or reduce it to less than 10% of what it is now. One of the problems is
>> the SMTP protocol itself. And a big problem with that is that mail
>> servers talk to each other using the same protocol as users use to talk
>> to servers.
>>
> I don't think that would help at all. Bots would just pretend to be mail
> servers and use SMTP. Any other form of spam could be circumvented by
> setting up spammer-owned MTAs that spammers would use to inject spam.
>
> IMO the best solution would have been a charge per e-mail provided it
> was universally enforced. A small charge, e.g. $0.001 to $0.01 per
> addressee per message would be almost unnoticable to a normal user or
> business while still being enough to discourage volume spammers by
> wiping out their profits. Another benefit would be that the bill
> received by a bot-infected user would serve as a powerful wake-up call
> to get disinfected.
could we move this dead horse out of the house?
the SDLU list may be a better place for this topic
RE: Do we need a new SMTP protocol? (OT)
Posted by Gabriel <ga...@impactteachers.com>.
-----Original Message-----
From: Martin Gregorie [mailto:martin@gregorie.org]
Sent: 01 December 2010 16:13
To: users@spamassassin.apache.org
Subject: Re: Do we need a new SMTP protocol? (OT)
On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote:
> I've been thinking about what it would take to actually eliminate spam
> or reduce it to less than 10% of what it is now. One of the problems is
> the SMTP protocol itself. And a big problem with that is that mail
> servers talk to each other using the same protocol as users use to talk
> to servers.
>
I don't think that would help at all. Bots would just pretend to be mail
servers and use SMTP. Any other form of spam could be circumvented by
setting up spammer-owned MTAs that spammers would use to inject spam.
IMO the best solution would have been a charge per e-mail provided it
was universally enforced. A small charge, e.g. $0.001 to $0.01 per
addressee per message would be almost unnoticable to a normal user or
business while still being enough to discourage volume spammers by
wiping out their profits. Another benefit would be that the bill
received by a bot-infected user would serve as a powerful wake-up call
to get disinfected.
Martin
--------------------
I think the SMTP protocol should stay. We seem to live in an age where we change the rules to suit those the rules are suppose to protect, rather than teaching the importance of rules in the first place. (read between the lines to understand that last statement :) )
Charging, for any email sent, is a 100% no no. Implementing a new protocol to solve the same problem, and do the same job, that we already have a protocol/solution for? I'm not 100% sure that's a good idea, because the ultimate goal of the spammers will remain the same.
I truly fear for the day when phone calls become pretty much free, because the reason that system isn't abused as much as it could be, (numbers are WAY more predictable than letters! And end users have very little choice over the number he gets), is because it generally costs, and also goes through a third party mediator, (telco).
The mechanism by which we exchange email addresses will not change, on a web site, advertising, business cards. We generally have very little control over who can get our email addresses, once we let them loose into the wild - If I send an email to anyone who is reading this directly, they can't classify that message as spam until they have already seen the contents of the message. The point is we only want messages that we want, and we can't tell that until we read it! Which leaves us with really one option, and that is to use whitelisting, and to manage that list manually using a set of rules. (remember rules, I mentioned them earlier :) )
If we wish to get rid of the spam problem for ever, we will have to relinquish the freedoms that we currently have when it comes to SMTP. People can't be trusted to act right, and will always try to find shortcuts. Using a third party will help, but will also cost. Which is a shame.
Re: Do we need a new SMTP protocol? (OT)
Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote:
> I've been thinking about what it would take to actually eliminate spam
> or reduce it to less than 10% of what it is now. One of the problems is
> the SMTP protocol itself. And a big problem with that is that mail
> servers talk to each other using the same protocol as users use to talk
> to servers.
>
I don't think that would help at all. Bots would just pretend to be mail
servers and use SMTP. Any other form of spam could be circumvented by
setting up spammer-owned MTAs that spammers would use to inject spam.
IMO the best solution would have been a charge per e-mail provided it
was universally enforced. A small charge, e.g. $0.001 to $0.01 per
addressee per message would be almost unnoticable to a normal user or
business while still being enough to discourage volume spammers by
wiping out their profits. Another benefit would be that the bill
received by a bot-infected user would serve as a powerful wake-up call
to get disinfected.
Martin
Re: Do we need a new SMTP protocol? (OT)
Posted by João Gouveia <jo...@anubisnetworks.com>.
----- "Marc Perkel" <ma...@perkel.com> wrote:
> I've been thinking about what it would take to actually eliminate spam
>
> or reduce it to less than 10% of what it is now. One of the problems
> is
> the SMTP protocol itself. And a big problem with that is that mail
> servers talk to each other using the same protocol as users use to
> talk
> to servers.
>
> Rather than get all users to change maybe it would be easier to get
> server software to change. This transition can be done by making
> server
> software that can do both protocols to maintain compatibility but will
>
> use the new protocol if both sides are capable of talking at that
> level.
>
> I'm not sure what the specification of the new protocol should be but
> it
> should at least be different than what email clients use so that
> server
> to server communication isn't the same as client to server
> communication. Perhaps server protocols can have more authentication
> information that would protect them from being spoofed. But having
> something different - even if it's just a port change - is better than
>
> what we have now.
>
> Thoughts?
>
> (sorry about posting the same message to the dev list. My mistake)
There was a very interesting idea by Bernstein (creator of Qmail).
Time flies. It's now 10 years old... http://cr.yp.to/im2000.html
--
João Gouveia
http://mailspike.org/