Personally I think that spam will not go away with new laws. Certainly some laws could be enhanced to give them scope to cover spam type acts but ultimately the problem is with technology not law. Certain things should be made illegal. Ie, domain or email forging. If you don't have permission from the domain or email owner to use an email address the address owner should be able to sue/prosecute. However the problem really is technological. SMTP is too trusting. We need ways of verifying the authenticity of sender addresses and their sources. If methods like SPF were universally adopted and turned on by default much of the problem with spam would go away. People could still send spam. But they would have to do it via "legitimate" servers. Ie, ones they owned. It would then be a case of blocking those servers/networks that repeatedly offended. People will argue that they shouldn't need to block servers. People should just stop sending spam. This however is more problematic than you might think. The problem with spam is not that it is unsolicited or commercial or bulk but rather that it is unwanted. The problem however is that you don't know it is unwanted until you read it. For example, say someone was overtly generous and very rich (and perhaps slightly crazy). If they send 2 million email messages to randomly harvested addresses giving them information on how to get a $100 would this mail necessarily be unwanted by the recipients. In today's environment people would be highly suspicious of this email but for the sake of argument imagine that the offer was legit. Why should this behaviour be illegal? Similarly would it be illegal to send 2 million snail mail envelopes to randomly selected addresses with $100 stuffed into each? People would be falling over themselves to get on this mailing list. I believe all we need is good law regarding fraud, false advertising, pornography and commercial entity identification accompanied by good user driven technology that enables network administrators to lock the bad guys out. So, everyone should configure their mail server with SPF immediately! Regards -- Oliver Jones » Director » oliver.jones(a)deeperdesign.com » +64 (21) 41 2238 Deeper Design Limited » +64 (7) 377 3328 » www.deeperdesign.com
Oliver Jones wrote: I really should reply to this on the wiki page; I might cut-and-pase some of it later if I can find a point where it's appropriate..
Certain things should be made illegal. Ie, domain or email forging. If you don't have permission from the domain or email owner to use an email
Many of these things are already illegal; using hacked computers that you have no authority for, sending pornographic email to persons of unconfirmed age, selling prescription drugs without a prescription, selling medication to purchasers in the USA that does not have FDA approval or even passes basic food hygene standards, selling pirated copies of copyright software. I doubt there's a single spam in my Junk folder that doesn't break at least one existing law.
People could still send spam. But they would have to do it via "legitimate" servers. Ie, ones they owned. It would then be a case of blocking those servers/networks that repeatedly offended.
Most of the spam being sent now is via hacked home computers. If the end user can send mail, so can the spammer that has administrator access to their home computer. The real answer to spam, and viruses, and DDoS attacks, and many other problems on the intarweb right now, is to improve the general security of home computers. This would force the spammers back to using the much smaller set of mailservers that they actually OWN, and deny them the resources that they currently have for DoSing blacklist servers and anti-spam sites.
I doubt there's a single spam in my Junk folder that doesn't break at least one existing law.
This is true. The problem is identification of the mail source.
Most of the spam being sent now is via hacked home computers. If the end user can send mail, so can the spammer that has administrator access to
Hmmm. I thought the vast majority is coming out of Russia and China these days. But I would imagine that heaps of end users have spam relays and don't know it. Of course with SPF and the like this would be avoided. The end users don't have the right IP or DNS entries to get past SPF or similarly configured mail servers.
improve the general security of home computers. This would force the spammers back to using the much smaller set of mailservers that they actually OWN, and deny them the resources that they currently have for DoSing blacklist servers and anti-spam sites.
Improving end user security isn't going to happen overnight with Windows as entrenched as it is and it is also too far out on the edge of the network. Better to attack the problem at the mail server rather than be concerned with end user systems. Regards -- Oliver Jones » Director » oliver.jones(a)deeperdesign.com » +64 (21) 41 2238 Deeper Design Limited » +64 (7) 377 3328 » www.deeperdesign.com
* Oliver Jones <oliver(a)deeper.co.nz> [2004-05-28 09:57]:
However the problem really is technological.
No, it is not.
We need ways of verifying the authenticity of sender addresses and their sources. If methods like SPF were universally adopted and turned on by default much of the problem with spam would go away.
No, it would not.
I thought the vast majority is coming out of Russia and China these days.
No, it does not.
So, everyone should configure their mail server with SPF immediately!
That is desirable of course. The problem with spam is neither necessarily solely legal nor necessarily solely technological. The problem is that it is far too cheap to send mail. If even one in 100,000 recipients takes the bait, the spammer is probably making a positive bottom line. So long as that doesn't change, spamming will continue to be a problem. SPF is no real help; domains can be bought and cancelled in bulk amounts very cheaply. SPF will initially slow down the spam rate, possibly dramatically. But you're a fool if you think it will effectively muzzle spam indefinitely. See http://cr.yp.to/qmail/antispam.html In this light, passing laws to battle spam is at least as useful as establishing technical hurdles: it helps increase the cost of spam for the spammer, at least in a roundabout way. If nothing else, it prevents companies in the country in question from getting any ideas. As for where the spam is coming from, currently over half of it originates in the US, according to several sources, as of two months or so ago. Bot networks are probably the primary means of distribution there, so Windows security is indeed an issue. -- Regards, Aristotle "If you can't laugh at yourself, you don't take life seriously enough."
A. Pagaltzis wrote:
* Oliver Jones <oliver(a)deeper.co.nz> [2004-05-28 09:57]:
However the problem really is technological.
No, it is not.
The problem with spam is neither necessarily solely legal nor necessarily solely technological.
The problem is that it is far too cheap to send mail. If even one in 100,000 recipients takes the bait, the spammer is probably making a positive bottom line. So long as that doesn't change, spamming will continue to be a problem.]
Well said. The problem is actually related human nature. As long as there is a profit to be made and it's easy, like clicking a button and having your spam software do the work, then people will do it. The most effective way to fix it is therefore to prevent it from being profitable. In this respect law would probably be more effective than technology. g -- Glenn Ramsey <glenn(a)componic.co.nz> 07 8627077 http://www.componic.co.nz
So, everyone should configure their mail server with SPF immediately!
I've been thinking over this for a while, and I'm still undecided. While some of the practical reasons SPF might be a pain in the ass for some people don't apply to me (most of my mail is run through servers I control and can use SMTP AUTH on, so the issue of sending mail from networks not 'allowed' to send mail for a given domain isn't an issue), there are other problems with its current implementation http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-spf-is-harmful.html Outlines some of the problems with it, and the most important ones (IMO) I'll summarise here: It uses TXT records for it's database. This is a bad implementation choice, and may cause problems later on. Use of TXT records makes it seem like yet-another-hack-to-get-around-spam. It relies on DNS for security and propagation. DNS in its current state isn't overly secure, although it has the ability to be. We've all seen DNS propagation problems. Maybe these are social problems that can be overcome with better education - maybe we'll still have people not caring and not implementing things properly, and it'll just make everything worse. SPF doesn't actually address unsolicited bulk email. It won't stop mail being sent by machines infected with viruses or worms - they will be sending mail using their legitimate domain. It won't stop the big spammers who spam with their ISPs consent (perhaps anecdotal, I've heard this from a few people though). All it does is stop other people using your domain to send spam from. Maybe that's good enough on it's own merits, but it's not the spam killer you might think it is. The May Linux Journal had an article on SPF as well, although I didn't read it well enough at the time to discuss. They were very much in favour of it, from what I remember. I'm all in favour of technical solutions that will make this harder for spammers, but I'm not sure SPF is going to help a hell of a lot. That said, I don't have a better answer.
* Daniel Lawson <daniel(a)meta.net.nz> [2004-05-30 16:09]:
I'm all in favour of technical solutions that will make this harder for spammers, but I'm not sure SPF is going to help a hell of a lot. That said, I don't have a better answer.
Have you (or anyone else) seen CAMRAM[1] or Hashcash[2]? These might actually help. [1] http://www.camram.org/ [2] http://www.hashcash.org/ -- Regards, Aristotle "If you can't laugh at yourself, you don't take life seriously enough."
A. Pagaltzis wrote:
* Daniel Lawson <daniel(a)meta.net.nz> [2004-05-30 16:09]:
I'm all in favour of technical solutions that will make this harder for spammers, but I'm not sure SPF is going to help a hell of a lot. That said, I don't have a better answer.
Have you (or anyone else) seen CAMRAM[1] or Hashcash[2]? These might actually help.
Hashcash is useful when it acheives a certain level of penetration. Until then it's not really useful - one of the authors says except 10 years before you can use it to filter mail reliably!. It seems like a good idea, but I don't know how well it will work. My understanding is that it is an MTA-side addon that slows the sender down. It protects me slightly against an infected internal machine sending zillions of spam - or maybe it just renders my MTA unusable while it deals with the processing load. Or, the trojan/worm has it's own SMTP engine and bypasses my MTA completely, and I get no protection from that anyway. If lots of remote MTAs also have it enabled, it might start being useful. Or you might find that spammers just increase their bot network and you end up with more MTAs crawling to a halt as they get hit with a ten or hundred fold increase in spam rates, and have to perform these hash calculations on every connection - tying up CPU, memory, file descriptors, and so on. My thoughts, after a 10 minute perusal of hashcash :)
My thoughts, after a 10 minute perusal of hashcash :)
Hashcash is (imho) a stupid waste of time. It unfairly penalises people with slow computers who might want to run a mailing list (me!) while barely slowing any spammer who happens to control a vast network of virus-infected home computers (most of them). And, like most spam 'solutions' it requires a complete reimplimentation of the entire mailsystem. If you think that 'raising the cost of mail' is the right approach, tiergrube(sp?) would be a much fairer (and more transparent) way of doing it.
Hashcash is (imho) a stupid waste of time. It unfairly penalises people with slow computers who might want to run a mailing list (me!) while barely slowing any spammer who happens to control a vast network of virus-infected home computers (most of them). And, like most spam 'solutions' it requires a complete reimplimentation of the entire mailsystem.
What? Please read about it first. In the case of a mailing list, the mailing list computer itself doesn't need to do much extra work, it certainly doesn't need to generate hashcash headers. It doesn't require a complete reimplementation at all - it is a plugin in your mail client and a plugin in the ISP's MTA. The hashcash computing should be done by the user sending the mail. Only verification (which is apparently VERY quick) is done on the server side of things. Having said all of this, I still don't see it as a very good option myself. But that is just my opinion...
It doesn't require a complete reimplementation at all - it is a plugin in your mail client and a plugin in the ISP's MTA.
If it is a plugin to your mail client then it is even less use. Until the scheme reaches sufficient penetration (estimate of 10 years according to one of the authors) that you can require mail senders to use it, spammers will simply use clients that don't implement it.
Daniel Lawson wrote:
It doesn't require a complete reimplementation at all - it is a plugin in your mail client and a plugin in the ISP's MTA.
If it is a plugin to your mail client then it is even less use. Until the scheme reaches sufficient penetration (estimate of 10 years according to one of the authors) that you can require mail senders to use it, spammers will simply use clients that don't implement it.
Spamassassin already uses hashcash for verifying email, so if you send mail with hashcash then it greatly reduces the chance that it's flagged as spam. As sammy was saying to me (in person), if you could get hotmail or gmail to adopt a scheme like this, then you suddenly have an assurance that thousands of people are not spammers, and spam suddenly becomes a lot more obvious. I personally think that something has to be done about the "spam problem" within the next 18 months or email is going to become useless to the average user. And while none of the solutions I've seen are anything like a "spam killer", I can see how many of them fit together to significantly reduce the level of spam that I receive on the Internet.
What? Please read about it first.
I guess it's evolved somewhat since the last time I read about it. OTOH I still see it as a 'kludge', not a solution. The permanent long-term solution would involve a significant improvement in end-user security (which is probably never going to happen) and some laws against unauthorised use of other people's computers particularly when that unauthorised use involves spam, denial of service, or other antisocial activities. However, those laws are useless if not enforced. A large percentage of the spam I get now is already in flagrant violation of one or more existing laws. Will more laws make the slightest difference?
zcat wrote:
My thoughts, after a 10 minute perusal of hashcash :)
Hashcash is (imho) a stupid waste of time. It unfairly penalises people with slow computers who might want to run a mailing list (me!) while barely slowing any spammer who happens to control a vast network of virus-infected home computers (most of them). And, like most spam 'solutions' it requires a complete reimplimentation of the entire mailsystem.
If you think that 'raising the cost of mail' is the right approach, tiergrube(sp?) would be a much fairer (and more transparent) way of doing it.
To send to a mailing list you only have to hashcash it once (to the mailing list) not once per recipient. Each recipient is expected to accept mail that is correctly hashcash'd to the list. camram suggests that you white list addresses that have previously authenticated. camram also seems to support hashcash. Both systems seem to be improved if you can be sure that the email comes from the person that they claim to, (preferably by GPG or S/MIME, but SPF would also work). While people with older machines may not be able to generate hashcash signatures as fast as someone with a faster computer, how many unique emails do you send? (Remember, with solicited bulk email you only need to generate one code). Even if it took 1s on an older computer, thats still only 3 or 4 emails a second with a top of the line computer. While spam armies can be used against this system for distributed computing, it certainly raises the costs of spamming, when combined with GPG, S/MIME or SPF and perhaps legislation it may raise the cost of spamming to the point that the amount of spam delivered is at manageable levels for most users. And the spam that is delivered will have to be more carefully targeted. (ie, spammers will have to choose which email addresses to spam for the most profit), which means that you should only get spam for products or services you actually care about :)
* Perry Lorier <perry(a)coders.net> [2004-05-31 01:19]:
And while none of the solutions I've seen are anything like a "spam killer", I can see how many of them fit together to significantly reduce the level of spam that I receive on the Internet.
I was just thinking, as I was writing the other mails, that SPF would probably increase the effectiveness of hashcash, if it means that bot networks become useless. It seems "the technical solution" will really have to be composed of a myriad of singular puzzle pieces in order to be an effective deterrent.
which means that you should only get spam for products or services you actually care about :)
What if I don't care about any products that need to be advertised? ;) -- Regards, Aristotle "If you can't laugh at yourself, you don't take life seriously enough."
* zcat <zcat(a)wired.net.nz> [2004-05-31 00:21]:
It unfairly penalises people with slow computers who might want to run a mailing list (me!)
No. Read harder.
while barely slowing any spammer who happens to control a vast network of virus-infected home computers (most of them).
Point conceded, as I've written in my mail to Daniel.
And, like most spam 'solutions' it requires a complete reimplimentation of the entire mailsystem.
You must have read a different site than I did.
If you think that 'raising the cost of mail' is the right approach, tiergrube(sp?) would be a much fairer (and more transparent) way of doing it.
"Teergrube". That does have the huge advantage that already it works with any RFC compliant client today and so can help before it has achieved deep penetration. But you lost me there. You don't like hashcash because you run a mailinglist hub, but you like teergrubing? Can you explain how that goes together? Hashcash and teergrube are basically identical concepts, besides the fact they raise the cost in terms of CPU vs time, respectively. As a mailinglist hub, encountering a teergrubing SMTP server will inevitably be painful at the time you send out those mails, whereas with hashcash, you can choose not to verify hashes at the time you receive them, and leave that up to the recipients or intervening MTAs. But teergrubing is as useless in the face of bot networks as hashcash. -- Regards, Aristotle "If you can't laugh at yourself, you don't take life seriously enough."
zcat wrote:
My thoughts, after a 10 minute perusal of hashcash :)
Hashcash is (imho) a stupid waste of time. It unfairly penalises people with slow computers who might want to run a mailing list (me!) while barely slowing any spammer who happens to control a vast network of virus-infected home computers (most of them). And, like most spam 'solutions' it requires a complete reimplimentation of the entire mailsystem.
If you think that 'raising the cost of mail' is the right approach, tiergrube(sp?) would be a much fairer (and more transparent) way of doing it.
Tiergrube really doesn't work that well when you realise that: A) SMTP servers have pipelining, so you can send "ahead of time" B) SMTP works over TCP which has a window of 32k to 64k depending on the implementation. C) Spammers use their own SMTP clients. This means you can send up to about 32k of data to an SMTP server and then "forget" about it. You'll note that you can easily fit your spam into this limit. Tiergrube is nice that it doesn't change anything today, however it's as much of a kludge as anything else. This is a reciever-side solution. SPF is nice, and supports saying "emails from this domain must be signed by GPG" (rather than must arrive directly from this address) which gets around the major problem of SPF (you can't use mail forwarders). SPF presumably can also say that email must be hashcode'd. This is a legitimate-sender-side solution combined with a reciever-side solution. Hashcode is a nice legitimate-sender-side solution. You can say a mail is more important based on how much CPU time you spend on sending it, combined with a reciever-side solution. Hashcode doesn't have irritating problems with overloading the meaning of DNS records, or with forwarding email. Spamassasin is a reciever-side solution that supports hashcode and SPF. The thing to notice here is that reciever side solutions get better traction, and sender side solutions tend to be what everyone wishes were used. This could be flipped around in a hurry if someone like gmail decided to sign all email that comes from gmail, and/or use hashcode, and perhaps SPF. (hey! gmail DO use SPF!) The problem here is that someone like gmail will need a LOT of cpu to do proper hashcode, and this is perhaps one place where the model falls down. Perhaps the solution here is to use a java applet to do the hashcode calculation so they can "farm" it out to their users. In general I think the answer is to the spam problem is not any one solution, but a lot of solutions working in tandem. Have some tiergrubes around the internet, everyone using SPF, hashcode, GPG, have good laws protecting people from spam.
* Daniel Lawson <daniel(a)meta.net.nz> [2004-05-30 23:59]:
Hashcash is useful when it acheives a certain level of penetration. Until then it's not really useful - one of the authors says except 10 years before you can use it to filter mail reliably!
The same goes for SPF, though.
It protects me slightly against an infected internal machine sending zillions of spam - or maybe it just renders my MTA unusable while it deals with the processing load.
Verification is very cheap, only generation is costly.
Or, the trojan/worm has it's own SMTP engine and bypasses my MTA completely, and I get no protection from that anyway.
Any of the hops along the way and the recipient himself can verify or reject the hash.
Or you might find that spammers just increase their bot network and you end up with more MTAs crawling to a halt as they get hit with a ten or hundred fold increase in spam rates, and have to perform these hash calculations on every connection - tying up CPU, memory, file descriptors, and so on.
Actually, while you miss the real point here (because verification is almost free, while generation is costly), you raise an issue I had not thought of: sending a million mails might be prohibitively costly in terms of CPU if you only unloaded them from a single machine, but hardly noticable if you're in control of a bot network.. -- Regards, Aristotle "If you can't laugh at yourself, you don't take life seriously enough."
I've been thinking over this for a while, and I'm still undecided. While some of the practical reasons SPF might be a pain in the ass for some people don't apply to me (most of my mail is run through servers I control and can use SMTP AUTH on, so the issue of sending mail from networks not 'allowed' to send mail for a given domain isn't an issue), there are other problems with its current implementation
http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-spf-is-harmful.html
Indeed there are problems with SPF. SMTP is a very flexible and relaxed system. SPF is not a "solution" it is merely a kludge. A way for trying to stem the tied of SPAM to give us more time to find a real solution. This kludge should be fairly good at helping defend against spam if it is adopted widely. However JBP is much like many other nay sayers. He provides many reasons not to adopt a system, gives you all the flaws in it but doesn't provide a decent practical alternative. I think we all know SPF isn't perfect so his arguments add nothing new. I did a little reading on IM2000 while I was at that site and it certainly sounds like it could be a much better solution in the long run. However adopting such a system will require us to throw away IMAP, POP and SMTP and all of the software that has been written to work with those protocols. It means re-wiring the Internet. This isn't going to happen over night. It will take 10 years (or more). It will require the participation of a major ISP (eg AOL) and a major software vendor (Microsoft) to even get off the ground. Certainly the free software world could potentially move a lot faster than that. If there was an implementation of a free software IM2000 server and say a Mozilla.org client for it that would be a good start. AOL has a fairly good relationship with Mozilla/Netscape and may be willing to listen. Note that one of the main proponents of IM2000 is DJB (of qmail) fame. AFAIK qmail has never been "Free Software". In fact DJB seems to rather against OSS/FS. He seems to be a bit of an egotist. Which is why I've never had the desire to run qmail.
The May Linux Journal had an article on SPF as well, although I didn't read it well enough at the time to discuss. They were very much in favour of it, from what I remember.
That article was written by the guy who came up with SPF, the founder of pobox.com, a major mail-forwarding service. Hence it was very pro SPF. Regards -- Oliver Jones » Director » oliver.jones(a)deeperdesign.com » +64 (21) 41 2238 Deeper Design Limited » +64 (7) 377 3328 » www.deeperdesign.com
On Fri, May 28, 2004 at 07:31:01PM +1200, Oliver Jones wrote:
For example, say someone was overtly generous and very rich (and perhaps slightly crazy). If they send 2 million email messages to randomly harvested addresses giving them information on how to get a $100 would this mail necessarily be unwanted by the recipients. In today's environment people would be highly suspicious of this email but for the sake of argument imagine that the offer was legit. Why should this behaviour be illegal?
because the recipient has no means of deciding wether it is legitimate or not. if only one such offer was made, then thousends of other fake offers will imitate it, and because there was a legitimate one many people will fall for the fake ones.
[ ... ] People would be falling over themselves to get on this mailing list.
and hurt each other in the process. greetings, martin. -- looking for a job doing pike programming, sTeam/caudium/pike/roxen training, sTeam/caudium/roxen and/or unix system administration anywhere in the world. -- pike programmer travelling and working in europe open-steam.org unix system- bahai.or.at iaeste.(tuwien.ac|or).at administrator (stuts|black.linux-m68k).org is.schon.org Martin Bähr http://www.iaeste.or.at/~mbaehr/
participants (8)
-
A. Pagaltzis -
Daniel Lawson -
Glenn Ramsey -
Martin Bähr -
Oliver Jones -
Perry Lorier -
Sam Jansen -
zcat