E-Mail Authentication Will Not End Spam, Panelists Say
<http://www.washingtonpost.com/ac2/wp-dyn/A41460-2004Nov10?language=printer>

The Washington Post

washingtonpost.com
E-Mail Authentication Will Not End Spam, Panelists Say

By Jonathan Krim
Washington Post Staff Writer
Thursday, November 11, 2004; Page E01

For consumers and businesses increasingly shaken by the growing onslaught of unwanted e-mail and the computer viruses and other nefarious hacking spam can bring, any hope for quick relief was soundly dashed yesterday during a government-hosted gathering of technology experts.

Several executives and academics speaking at a forum sponsored by the Federal Trade Commission said criminals are already steps ahead of a major initiative by e-mail providers to counter those problems by creating a system to verify senders of e-mail.

In theory, such an authentication system would make it harder for spammers to disguise their identities and locations in an attempt to avoid being shut down or prosecuted.

But a majority of spam is launched by "zombies," or infected personal computers that are controlled by remote spammers. E-mail from a zombie looks as if it is coming from a legitimate source -- because it is. The owner of that source is simply unaware that his or her computer has been commandeered.

"We'll be lucky if we solve 50 percent of the problem" with e-mail authentication, said Pavni Diwanji, chairman of MailFrontier Inc., a Silicon Valley provider of e-mail security systems.

By some estimates, the problem is rapidly becoming a crisis. In the first half of this year, an average of 30,000 computers a day were turned into zombies, according to the computer security firm Symantec Corp.

In addition to serving up unwanted or fraudulent messages, spam is used to deliver viruses and other malicious software code that can allow hackers to capture private data such as credit card or bank account numbers from personal computers.

Hackers and spammers also have been able to exploit a lack of awareness among many computer users, tricking them into providing their passwords or account information in response to e-mails that appear to be coming from legitimate financial institutions or retailers, a tactic known as phishing.

The information is then rapidly sold on a black market heavily populated by elements of organized crime in Eastern Europe, Asia and elsewhere.

As incidents of the resulting identity fraud mount, "we're losing consumer confidence in this medium," said R. David Lewis, vice president of Digital Impact Inc., which provides bulk e-mail marketing services to large companies.

Lewis and others said that if the public reaches a tipping point at which Internet commerce is no longer trusted, the economic consequences will be severe.

Despite the authentication effort's shortcomings, none of yesterday's speakers suggested abandoning it, because it is seen as an essential building block for other solutions. But the forum demonstrated in stark terms the depth and complexity of the problem.

Any e-mail authentication system, for example, would check that the block of Internet addresses assigned to an e-mail provider includes the specific numeric address of a sender of a piece of e-mail.

Thus, a red flag would go up if a message seeming to come from bob@xyz-123.net is actually not coming from a computer that uses the xyz-123.net mail service.

But Scott Chasin, chief technology officer of e-mail security firm MX Logic Inc., said the underlying Internet system that houses the necessary data is insecure and can be tricked by hackers.

Chasin said the problem has been known for 10 years, but industry and Internet standard-setters have been unable or unwilling to fix the problem by encrypting the data.

Getting agreement on an authentication system has been similarly difficult and is partly why the FTC held the summit. The major e-mail providers, America Online Inc., Microsoft Corp., Yahoo Inc. and EarthLink Inc., are still testing and pushing various plans.

The Internet group assigned to endorse a standard disbanded recently, unable to resolve discord and uncertainty over whether licensing rights asserted by Microsoft would cut out a broad swath of organizations that use so-called open-source software.

Chasin and other panelists also said the basic operating systems that power computers -- the most dominant of which is Microsoft Windows -- remain too vulnerable to hackers.

He said a worm was recently discovered that lodges itself in Windows files and goes to work when a computer user tries to access the Web site of his or her bank. The malicious code automatically redirects the Web browser to a fake page that looks like the real thing.

In this scenario, the user has not been duped by a fake phishing e-mail. Instead, the vulnerability in the operating system has allowed the code to redirect the user's browser to a phony page where a hacker can capture the user's name and password.

Still, panelists insisted authentication is a vital first step. After that, they said, could come a system that evaluates the "reputation" of senders, perhaps using a process that marks good e-mail with an electronic seal of approval.

-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Thus spake R.A. Hettinga (rah@shipwright.com) [11/11/04 16:29]:
: Several executives and academics speaking at a forum sponsored by the
: Federal Trade Commission said criminals are already steps ahead of a major
: initiative by e-mail providers to counter those problems by creating a
: system to verify senders of e-mail.
:
: In theory, such an authentication system would make it harder for spammers
: to disguise their identities and locations in an attempt to avoid being
: shut down or prosecuted.

(Having watched the IETF group for a while, and spent much time fighting spam...)

No person who is pushing for SPF believes that it will reduce the volume of spam.[1] What SPF *does* do is make it easier to track it down -- the From address will actually match the domain it was sent from. This makes the Abuse department's job *much* easier, as in theory, any spam complaint you receive about your domain will be *from* your domain. While this doesn't always mean you have a spammer in your midst, it /does/ mean that the piece of mail in question /did/ come from your networks, hence it is something you can track down without worry about wasting time that would be better spent elsewhere.

Arguably, this doesn't gain the anti-spam fighters anything, as the spam still comes from somewhere. But if you lay out the seriousness of the problem to your subscriber, the chances of a repeat offense (which, ideally, would result in account termination) drop to very close to zero. This is also something that ISPs can combat internally, such as forcing SMTP authentication (which, granted, opens up a whole other bucket of worms), not allowing outbound SMTP connections (unless explicitly granted), or having only a web interface to e-mail (thus blocking all outbound SMTP connects, even to their own mail servers, period).

The 'criminals' aren't necessarily 'steps ahead' -- they're just working within the SPF framework, and doing exactly what SPF wanted them to do.

SPF is *one* step towards limiting the volume of spam, but it in and of itself does not. There are a great number of other tools that, when combined with SPF, can and do make a difference in the spam volume being sent. Yes, each tool has drawbacks, and I'm not going to claim otherwise. But for the 95th percentile, they won't really notice a difference. Until their account is cut off, that is.

[1] Any person who claims otherwise just plain doesn't understand SPF or its goals. Unfortunately, a few people have claimed that SPF will cut down on the spam volume, and this take was snapped up by the media and subsequently pushed out as the primary goal of SPF. It is, AFAIK, generally agreed that to cut down on spam volume, we need a whole different protocol from SMTP.
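An added example, not part of the original thread: the address-block check the article describes and the SPF behaviour discussed above, reduced to the ip4/ip6/all mechanisms so it runs without DNS. The record published for the article's example domain xyz-123.net, the address ranges and the sender list are all constructed for illustration.

```python
import ipaddress

# Constructed record for the article's example domain; the address blocks are
# documentation ranges, not any real published policy.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:42::/48 -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record for one connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all, always matches
        if name not in ("ip4", "ip6"):
            return "unsupported"           # a, mx, include etc. need DNS lookups
        try:
            block = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"             # malformed address block
        if ip in block:                    # False when the IP versions differ
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term


def demo():
    """Constructed senders, all claiming an address at xyz-123.net."""
    senders = {
        "provider mail server": "192.0.2.25",
        "forger on another network": "203.0.113.77",
        "zombie PC on the provider's own network": "192.0.2.200",
    }
    return {who: check_spf(RECORD, ip) for who, ip in senders.items()}


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{result:8} {who}")
```

The zombie inside the provider's own range passes, which is the limit the article reports; the same result also tells the provider's abuse desk that the complaint concerns a machine on its own network.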
R.A. Hettinga writes:
Any e-mail authentication system, for example, would check that the block of Internet addresses assigned to an e-mail provider includes the specific numeric address of a sender of a piece of e-mail.
Huh? Somebody is confused here. DomainKeys is 1) an e-mail authentication system, and 2) it doesn't check IP addresses. Instead, it uses cryptographic signing using public/private keys which have the potential of being assigned down to the individual level.
Still, panelists insisted authentication is a vital first step. After that, they said, could come a system that evaluates the "reputation" of senders, perhaps using a process that marks good e-mail with an electronic seal of approval.
Yes, this is true. John Gilmore is a pain in the ass for standing on his rights (some government types might say *fucking* pain in the ass), but he is correct. ALL of the effort spent to secure open relays was basically wasted effort, because spammers just moved on to insecure client machines.

The proper route to control spam is to involve users in prioritizing their email, so that their friend's email comes first, followed by anybody they've sent mail to, followed by people they've gotten email from before, followed by mailing list mail, followed by email from strangers (which is where all the spam is). All of that relies on email authentication to work.

Why the heck can't we just shortcut all this pain, and just listen to John in the first place? I vote to elect John to the post of Benevolent Dictator For Life.

-- 
--My blog is at angry-economist.russnelson.com  | Violence never solves
Crynwr sells support for free software  | PGPok | problems, it just changes
521 Pleasant Valley Rd. | +1 212-202-2318 voice | them into more subtle
Potsdam, NY 13676-3213  | FWD# 404529 via VOIP  | problems.
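An added example, not part of the original thread: the five-tier ordering proposed above, with the authentication dependency made explicit. The message fields, the address books and the `authenticated` flag (assumed to be set by an upstream SPF or DomainKeys check) are constructed for illustration.

```python
from enum import IntEnum


class Tier(IntEnum):
    FRIEND = 0
    SENT_TO = 1
    SEEN_BEFORE = 2
    MAILING_LIST = 3
    STRANGER = 4


def tier_for(msg, friends, sent_to, seen_before, lists):
    """Place one message in the tier its verified sender earns."""
    # Without authentication the sender address is only a claim, so a
    # forged "friend" gets no priority at all.
    if not msg["authenticated"]:
        return Tier.STRANGER
    sender = msg["from"].lower()
    if sender in friends:
        return Tier.FRIEND
    if sender in sent_to:
        return Tier.SENT_TO
    if sender in seen_before:
        return Tier.SEEN_BEFORE
    if msg.get("list_id") in lists:      # value of the List-Id header, if any
        return Tier.MAILING_LIST
    return Tier.STRANGER


def prioritize(inbox, **books):
    """Stable sort: arrival order is kept inside each tier."""
    return sorted(inbox, key=lambda m: tier_for(m, **books))


# Constructed address books and inbox (arrival order = id order).
BOOKS = {
    "friends": {"alice@example.org"},
    "sent_to": {"bob@example.org"},
    "seen_before": {"carol@example.com"},
    "lists": {"discuss.lists.example"},
}
INBOX = [
    {"id": 1, "from": "offers@bulk.example", "authenticated": True},
    {"id": 2, "from": "alice@example.org", "authenticated": False},  # forged
    {"id": 3, "from": "dave@example.net", "authenticated": True,
     "list_id": "discuss.lists.example"},
    {"id": 4, "from": "carol@example.com", "authenticated": True},
    {"id": 5, "from": "bob@example.org", "authenticated": True},
    {"id": 6, "from": "Alice@example.org", "authenticated": True},
]

if __name__ == "__main__":
    for m in prioritize(INBOX, **BOOKS):
        print(m["id"], tier_for(m, **BOOKS).name, m["from"])
```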
At 9:15 PM -0500 11/18/04, Russell Nelson wrote:
The proper route to control spam is to involve users in prioritizing their email, so that their friend's email comes first, followed by anybody they've sent mail to, followed by people they've gotten email from before, followed by mailing list mail, followed by email from strangers (which is where all the spam is).
A whitelist for my friends, all others pay... oh, forget it.

Cheers,
RAH
R.A. Hettinga writes:
mail, followed by email from strangers (which is where all the spam is).
A whitelist for my friends, all others pay...
oh, forget it.
Anybody can pay to send email right now. You just go to paypal, type in the person's email, enter the amount of money you think is necessary to persuade them to read the email, and put the text of your message in the comment box. My email is paypal.com@russnelson.com; feel free to send me as much email as you want, ca-ching!

But anyway, that's not what I propose. I suggest that email from strangers needs to come with an introducer of some sort to convince you to read it. There's a dozen different kinds of introducers which could be used, some of them using cryptography, only one or two of which involve payment.

The days when all email was treated equally by an email client are long past, or at least, should be if you're running a decent email client. Maybe the level of spam complaints is caused by the low quality of email clients?

-- 
--My blog is at angry-economist.russnelson.com  | Violence never solves
Crynwr sells support for free software  | PGPok | problems, it just changes
521 Pleasant Valley Rd. | +1 212-202-2318 voice | them into more subtle
Potsdam, NY 13676-3213  | FWD# 404529 via VOIP  | problems.
At 11:19 AM -0500 11/19/04, Russell Nelson wrote:
Anybody can pay to send email right now.
:-). Of course, I'm talking about something like postage, at the $MTP level. Again, forget it.

Cheers,
RAH
On Thu, Nov 11, 2004 at 04:20:59PM -0500, R.A. Hettinga wrote:
Still, panelists insisted authentication is a vital first step. After that, they said, could come a system that evaluates the "reputation" of senders, perhaps using a process that marks good e-mail with an electronic seal of approval.
which is, btw, not really correct. I was one of those panelists, and I explicitly stated that authentication is only the first step, but an important step, which requires a second step (literally in my slides). So the first statement seems to be a quote of my talk.

But my statement about the second step was that "reputation" does not work on an international scale, this works in the U.S. only. It might even be unlawful in Europe. My proposal was to do the second step individually for each country.

regards
Hadmut
Russell Nelson writes:
Yes, this is true. John Gilmore is a pain in the ass for standing on his rights (some government types might say *fucking* pain in the ass), but he is correct. ALL of the effort spent to secure open relays was basically wasted effort, because spammers just moved on to insecure client machines. The proper route to control spam is to involve users in prioritizing their email, so that their friend's email comes first, followed by anybody they've sent mail to, followed by people they've gotten email from before, followed by mailing list mail, followed by email from strangers (which is where all the spam is). All of that relies on email authentication to work.
Spammers will start hijacking authenticated servers.

The solution is to automatically classify messages according to user preference. Good software to do this is already in mainstream MUAs, and even better software to do it is open source (google for "weka machine learning" as an example).

Someday (hopefully soon), MUAs will be able to automatically classify messages into more than two categories. There is already phenomenal software (reeltwo.com; commercial but based on Weka) to do this very quickly and accurately.

-- 
Chris Palmer
Staff Technologist, Electronic Frontier Foundation
415 436 9333 x124 (desk), 415 305 5842 (cell)
81C0 E11D CE73 4390 B6C7 3415 B286 CD8F 68E4 09CD
participants (5)
- Chris Palmer
- Damian Gerow
- Hadmut Danisch
- R.A. Hettinga
- Russell Nelson