ISP signatures on outgoing mail

Anyone heard of a proposal for ISPs to automatically sign outgoing mail headers? Problem has been that spammers send email by one path but forge a reply-to or from address at another location. Most recent case is hotmail, which got blocked by netcom over a spam attack. Actually mail didn't come from hotmail, was forged to look like it came from there. Same thing has happened to remailers. They need a standard for which headers to sign, then a dig sig can be included in the headers to check that a message came from where it claims.
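
The scheme proposed in the post above, sketched as an added example (not code from any participant in this thread): an outgoing relay signs a fixed list of headers and the receiver verifies them. The `X-ISP-Signature` header name, the header list, the canonical form and the choice of Ed25519 are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical fixed list of signed headers (the "standard" the post asks for).
const SIGNED_HEADERS = ['from', 'reply-to', 'date', 'message-id'];

// Canonical form: lower-cased name, whitespace-collapsed value, fixed order, CRLF.
// An absent header is signed as empty so it cannot be added afterwards.
function canonicalize(headers, names) {
  const byName = {};
  for (const [k, v] of Object.entries(headers)) byName[k.toLowerCase()] = v;
  return names.map((n) => `${n}:${(byName[n] || '').trim().replace(/\s+/g, ' ')}\r\n`).join('');
}

// Outgoing relay: record which headers were signed (h=) and the signature (b=).
function signHeaders(headers, privateKey, names = SIGNED_HEADERS) {
  const sig = crypto.sign(null, Buffer.from(canonicalize(headers, names)), privateKey);
  return { ...headers, 'X-ISP-Signature': `h=${names.join(':')}; b=${sig.toString('base64')}` };
}

// Receiver: rebuild the canonical form from the message as received and verify it.
// A signature that omits a header the receiver requires is rejected outright.
function verifyHeaders(headers, publicKey, required = SIGNED_HEADERS) {
  const m = /^h=([a-z0-9:-]+); b=([A-Za-z0-9+\/=]+)$/.exec(headers['X-ISP-Signature'] || '');
  if (!m) return false;
  const names = m[1].split(':');
  if (!required.every((n) => names.includes(n))) return false;
  const data = Buffer.from(canonicalize(headers, names));
  return crypto.verify(null, data, publicKey, Buffer.from(m[2], 'base64'));
}

// Constructed sample: a fresh key pair stands in for the ISP's published key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const original = {
  From: 'joeuser@isp.example',
  'Reply-To': 'joeuser@isp.example',
  Date: 'Thu, 3 Jul 1997 18:14:00 +0200',
  'Message-ID': '<constructed-1@isp.example>',
};
const sent = signHeaders(original, privateKey);
const forgedFrom = { ...sent, From: 'someone@other.example' };
// Signature covering only From: a Reply-To added in transit goes unnoticed.
const narrow = signHeaders({ From: 'joeuser@isp.example' }, privateKey, ['from']);
const forgedReplyTo = { ...narrow, 'Reply-To': 'someone@other.example' };

console.log('intact message:', verifyHeaders(sent, publicKey));
console.log('forged From:', verifyHeaders(forgedFrom, publicKey));
console.log('forged Reply-To, From-only policy:', verifyHeaders(forgedReplyTo, publicKey, ['from']));
console.log('forged Reply-To, full policy:', verifyHeaders(forgedReplyTo, publicKey));
```

The last two checks show why the list of signed headers has to be agreed on: a signature that covers only From still verifies after a Reply-To is added.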

At 06:14 PM 7/3/97 +0200, Anonymous wrote:
> Anyone heard of a proposal for ISPs to automatically sign outgoing mail headers? Problem has been that spammers send email by one path but forge a reply-to or from address at another location.

Flat-out can't work. The problem is that you can send SMTP directly from your machine to its destination, so the ISP only routes the IP packets and doesn't read them. It's popular for mail clients like Eudora and Netscape to send all their mail to an SMTP forwarder, but the main reasons to do that are to move the complicated work to a machine that's on line all the time and smart enough to deal with problems like retrying mail to systems that don't answer, generating meaningful error messages when the destination can't accept the mail, forwarding to systems off in uucp-space, etc.

So it's perfectly reasonable for mail from joeuser@aol.com to originate on Joe's PC, with no way for AOL to sign it.

There's also the problem of misconfigured Win95 machines, where either the operating system or the operator isn't bright enough to send the correct machine name. For instance, this mail comes from ca07b8bl.bns.att.com, as any system that records the HELO messages will tell you, because when my laptop is at work, that's its name on the LAN. Netcom's SMTP forwarder only identifies it by IP and DNS pax-ca8-10.ix.netcom.com(204.30.66.74) address of the dialup port it connected to, though other servers I've used have also passed along, or at least recorded, the ca07b8bl.

Digital signatures take a lot of calculation, and while CPUs keep getting cheaper, mail volume keeps getting larger. It's difficult to make server-based signing scale well, especially for the bigger ISPs. Netcom's farm of mail servers is large and slow enough already.

You could try to force the user to sign the mail, using a signature certified by the ISP, and only forward email that's from or to your subscribers - but checking signatures still requires about as much calculation, and the cheaper approach of looking at the signature key without really checking the signature is easily forged.

# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list or news, please Cc: me on replies. Thanks.)

-----BEGIN PGP SIGNED MESSAGE-----

Bill Stewart writes:

BS> At 06:14 PM 7/3/97 +0200, Anonymous wrote:
BS> > Anyone heard of a proposal for ISPs to automatically sign outgoing mail headers? Problem has been that spammers send email by one path but forge a reply-to or from address at another location.

BS> Flat-out can't work. The problem is that you can send SMTP
BS> directly from your machine to its destination, so the ISP only
BS> routes the IP packets and doesn't read them.

But it could - it's simple firewall technology. There's no MX record for sten.tivoli.com, but any incoming email to me is intercepted by proxy.tivoli.com, as is all other incoming traffic to the internal tivoli.com network on port 25. Since 'incoming' is only a matter of definition, it would be trivial for an ISP to set up a firewall that passed all other ports through transparently, but redirected connections with a destination of port 25 to their own SMTP server.

I don't want them to, and I _certainly_ don't want the government goons requiring ISPs to do this, but don't sit back and relax with the notion that 'it can't be done'.

- -- 
#include <disclaimer.h> /* Sten Drescher */
Unsolicited bulk email will be stored and handled for a US$500/KB fee.
It is by caffeine alone I set my mind in motion, it is by the beans of Java that thoughts acquire speed, the hands acquire shaking, the shaking becomes a warning, it is by caffeine alone I set my mind in motion. -- Carlos Nunes-Ueno, 3/29/95

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQBVAwUBM8HOXPCBWKvC9LiRAQH9UgH9FfIuo+i1ms0DRI/dZC9goTlULgY+HnnR
oxeAFmvAvLNBxjXGVZhQinZJs7yTob7x1ZGPIDZzaGV9FXwauBIdRA==
=lZvI
-----END PGP SIGNATURE-----

On 8 Jul 1997, Firebeard wrote:
> But it could - it's simple firewall technology. There's no MX record for sten.tivoli.com, but any incoming email to me is intercepted by proxy.tivoli.com, as is all other incoming traffic to the internal tivoli.com network on port 25. Since 'incoming' is only a matter of definition, it would be trivial for an ISP to set up a firewall that passed all other ports through transparently, but redirected connections with a destination of port 25 to their own SMTP server.

Very much depends on how `ISP' is defined. All my mail now comes in via UUCP, which is another port (540, I think). Outgoing mail goes to another system which is run from a friend's house, and therefore probably doesn't count as an ISP (again, UUCP).

> I don't want them to, and I _certainly_ don't want the government goons requiring ISPs to do this, but don't sit back and relax with the notion that 'it can't be done'.

It certainly _can_ be done. Almost anything _can_ be done. Whether it should (and in this case, it shouldn't!) be done is another issue.

dave
-- 
David E. Smith, P O Box 324, Cape Girardeau MO 63702 (573)334-0950
dave@[clas.net | linuxware.com | ml.org] 1000s of Magic:The Gathering cards 4 sale! Info on req.
Keywords: CPSR EFF ACLU DS6724 Delphi SF bureau42 Wicca HWG Dilbert crypto Millennium Linux YDKJ PGP single! ;)

participants (4)
- Bill Stewart
- David E. Smith
- Firebeard
- nobody@REPLAY.COM