E-Mail Authentication Will Not End Spam, Panelists Say

[R.A. Hettinga]

<http://www.washingtonpost.com/ac2/wp-dyn/A41460-2004Nov10?language=printer>

The Washington Post

washingtonpost.com
E-Mail Authentication Will Not End Spam, Panelists Say


By Jonathan Krim
 Washington Post Staff Writer
 Thursday, November 11, 2004; Page E01

 For consumers and businesses increasingly shaken by the growing onslaught
of unwanted e-mail and the computer viruses and other nefarious hacking
spam can bring, any hope for quick relief was soundly dashed yesterday
during a government-hosted gathering of technology experts.

Several executives and academics speaking at a forum sponsored by the
Federal Trade Commission said criminals are already steps ahead of a major
initiative by e-mail providers to counter those problems by creating a
system to verify senders of e-mail.

 In theory, such an authentication system would make it harder for spammers
to disguise their identities and locations in an attempt to avoid being
shut down or prosecuted.

 But a majority of spam is launched by "zombies," or infected personal
computers that are controlled by remote spammers. E-mail from a zombie
looks as if it is coming from a legitimate source -- because it is. The
owner of that source is simply unaware that his or her computer has been
commandeered.

"We'll be lucky if we solve 50 percent of the problem" with e-mail
authentication, said Pavni Diwanji, chairman of MailFrontier Inc., a
Silicon Valley provider of e-mail security systems.

 By some estimates, the problem is rapidly becoming a crisis. In the first
half of this year, an average of 30,000 computers a day were turned into
zombies, according to the computer security firm Symantec Corp. In addition
to serving up unwanted or fraudulent messages, spam is used to deliver
viruses and other malicious software code that can allow hackers to capture
private data such as credit card or bank account numbers from personal
computers.

Hackers and spammers also have been able to exploit a lack of awareness
among many computer users, tricking them into providing their passwords or
account information in response to e-mails that appear to be coming from
legitimate financial institutions or retailers, a tactic known as phishing.

 The information is then rapidly sold on a black market heavily populated
by elements of organized crime in Eastern Europe, Asia and elsewhere.

 As incidents of the resulting identity fraud mount, "we're losing consumer
confidence in this medium," said R. David Lewis, vice president of Digital
Impact Inc., which provides bulk e-mail marketing services to large
companies.

 Lewis and others said that if the public reaches a tipping point at which
Internet commerce is no longer trusted, the economic consequences will be
severe.

Despite the authentication effort's shortcomings, none of yesterday's
speakers suggested abandoning it, because it is seen as an essential
building block for other solutions.

 But the forum demonstrated in stark terms the depth and complexity of the
problem.

Any e-mail authentication system, for example, would check that the block
of Internet addresses assigned to an e-mail provider includes the specific
numeric address of a sender of a piece of e-mail.

Thus, a red flag would go up if a message seeming to come from
[EMAIL PROTECTED] is actually not coming from a computer that uses the
xyz-123.net mail service.

 But Scott Chasin, chief technology officer of e-mail security firm MX
Logic Inc., said the underlying Internet system that houses the necessary
data is insecure and can be tricked by hackers. Chasin said the problem has
been known for 10 years, but industry and Internet standard-setters have
been unable or unwilling to fix the problem by encrypting the data.

 Getting agreement on an authentication system has been similarly difficult
and is partly why the FTC held the summit.

 The major e-mail providers, America Online Inc., Microsoft Corp., Yahoo
Inc. and EarthLink Inc., are still testing and pushing various plans. The
Internet group assigned to endorse a standard disbanded recently, unable to
resolve discord and uncertainty over whether licensing rights asserted by
Microsoft would cut out a broad swath of organizations that use so-called
open-source software.

 Chasin and other panelists also said the basic operating systems that
power computers -- the most dominant of which is Microsoft Windows --
remain too vulnerable to hackers.

He said a worm was recently discovered that lodges itself in Windows files
and goes to work when a computer user tries to access the Web site of his
or her bank. The malicious code automatically redirects the Web browser to
a fake page that looks like the real thing.

In this scenario, the user has not been duped by a fake phishing e-mail.
Instead, the vulnerability in the operating system has allowed the code to
redirect the user's browser to a phony page where a hacker can capture the
user's name and pa

Re: E-Mail Authentication Will Not End Spam, Panelists Say

[Damian Gerow]

Thus spake R.A. Hettinga ([EMAIL PROTECTED]) [11/11/04 16:29]:
: Several executives and academics speaking at a forum sponsored by the
: Federal Trade Commission said criminals are already steps ahead of a major
: initiative by e-mail providers to counter those problems by creating a
: system to verify senders of e-mail.
: 
:  In theory, such an authentication system would make it harder for spammers
: to disguise their identities and locations in an attempt to avoid being
: shut down or prosecuted.

(Having watched the IETF group for a while, and spent much time fighting
spam...)

No person who is pushing for SPF believes that it will reduce the volume of
spam.[1]  What SPF *does* do is make it easier to track it down -- the From
address will actually match the domain it was sent from.  This makes the
Abuse department's job *much* easier, as in theory, any spam complaint you
receive about your domain will be *from* your domain.

While this doesn't always mean you have a spammer in your midst, it /does/
mean that the piece of mail in question /did/ come from your networks, hence
it is something you can track down without worry about wasting time that
would be better spent elsewhere.

Arguably, this doesn't gain the anti-spam fighters anything, as the spam
still comes from somewhere.  But if you lay out the seriousness of the
problem to your subscriber, the chances of a repeat offense (which, ideally,
would result in account termination) drop to very close to zero.  This is
also something that ISPs can combat internally, such as forcing SMTP
authentication (which, granted, opens up a whole other bucket of worms), not
allowing outbound SMTP connections (unless explicitly granted), or having
only a web interface to e-mail (thus blocking all outbound SMTP connects,
even to their own mail servers, period).

The 'criminals' aren't necessarily 'steps ahead' -- they're just working
within the SPF framework, and doing exactly what SPF wanted them to do.  SPF
is *one* step towards limiting the volume of spam, but it in and of itself
does not.  There are a great number of other tools that, when combined with
SPF, can and do make a difference in the spam volume being sent.  Yes, each
tool has drawbacks, and I'm not going to claim otherwise.  But for the 95th
percentile, they won't really notice a difference.  Until their account is
cut off, that is.

[1] Any person who claims otherwise just plain doesn't understand SPF or its
goals.  Unfortunately, a few people have claimed that SPF will cut down on
the spam volume, and this take was snapped up by the media and subsequently
pushed out as the primary goal of SPF.  It is, AFAIK, generally agreed that
to cut down on spam volume, we need a whole different protocol from SMTP.

Re: E-Mail Authentication Will Not End Spam, Panelists Say

[Russell Nelson]

R.A. Hettinga writes:
 > Any e-mail authentication system, for example, would check that the block
 > of Internet addresses assigned to an e-mail provider includes the specific
 > numeric address of a sender of a piece of e-mail.

Huh?  Somebody is confused here.  DomainKeys is 1) an e-mail
authentication system, and 2) it doesn't check IP addresses.  Instead,
it uses cryptographic signing using public/private keys which have the
potential of being assigned down to the individual level.

 > Still, panelists insisted authentication is a vital first step. After that,
 > they said, could come a system that evaluates the "reputation" of senders,
 > perhaps using a process that marks good e-mail with an electronic seal of
 > approval.

Yes, this is true.  John Gilmore is a pain in the ass for standing on
his rights (some government types might say *fucking* pain in the
ass), but he is correct.  ALL of the effort spent to secure open
relays was basically wasted effort, because spammers just moved on to
insecure client machines.  The proper route to control spam is to
involve users in prioritizing their email, so that their friend's
email comes first, followed by anybody they've sent mail to, followed
by people they've gotten email from before, followed by mailing list
mail, followed by email from strangers (which is where all the spam
is).  All of that relies on email authentication to work.

Why the heck can't we just shortcut all this pain, and just listen to
John in the first place?  I vote to elect John to the post of
Benevolent Dictator For Life.

-- 
--My blog is at angry-economist.russnelson.com  | Violence never solves
Crynwr sells support for free software  | PGPok | problems, it just changes
521 Pleasant Valley Rd. | +1 212-202-2318 voice | them into more subtle
Potsdam, NY 13676-3213  | FWD# 404529 via VOIP  | problems.

Re: E-Mail Authentication Will Not End Spam, Panelists Say

[R.A. Hettinga]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

At 9:15 PM -0500 11/18/04, Russell Nelson wrote:
>The proper route to control spam is to
>involve users in prioritizing their email, so that their friend's
>email comes first, followed by anybody they've sent mail to, followed
>by people they've gotten email from before, followed by mailing list
>mail, followed by email from strangers (which is where all the spam
>is).

A whitelist for my friends, all others pay...

oh, forget it.

Cheers,
RAH

- -- 
- -
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-BEGIN PGP SIGNATURE-
Version: 1308

iQA/AwUBQZ1ZdsPxH8jf3ohaEQI8pwCdEVgdIUVYiPzmdWqm9riXjm1OD5AAn2C1
+6/yamOaGMicjTxWwfk0LhgJ
=c5c6
-END PGP SIGNATURE-

Re: E-Mail Authentication Will Not End Spam, Panelists Say

[Russell Nelson]

R.A. Hettinga writes:
 > >mail, followed by email from strangers (which is where all the spam
 > >is).
 > 
 > A whitelist for my friends, all others pay...
 > 
 > oh, forget it.

Anybody can pay to send email right now.  You just go to paypal, type
in the person's email, enter the amount of money you think is
necessary to persuade them to read the email, and put the text of your
message in the comment box.  My email is [EMAIL PROTECTED];
feel free to send me as much email as you want, ca-ching!

But anyway, that's not what I propose.  I suggest that email from
strangers needs to come with an introducer of some sort to convince
you to read it.  There's a dozen different kind of introducers which
could be used, some of them using cryptography, only one or two of
which involve payment.  The days when all email was treated equally by
an email client are long past, or at least, should be if you're
running a decent email client.  Maybe the level of spam complaints is
caused by the low quality of email clients?

-- 
--My blog is at angry-economist.russnelson.com  | Violence never solves
Crynwr sells support for free software  | PGPok | problems, it just changes
521 Pleasant Valley Rd. | +1 212-202-2318 voice | them into more subtle
Potsdam, NY 13676-3213  | FWD# 404529 via VOIP  | problems.

Re: E-Mail Authentication Will Not End Spam, Panelists Say

[R.A. Hettinga]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

At 11:19 AM -0500 11/19/04, Russell Nelson wrote:
>Anybody can pay to send email right now.

:-).

Of course, I'm talking about something like postage, at the $MTP level.

Again, forget it.

Cheers,
RAH

- -- 
- -
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-BEGIN PGP SIGNATURE-
Version: 1308

iQA/AwUBQZ5zz8PxH8jf3ohaEQK4MQCfd7YBxFvOj47uNi+9t5pWTA7jY5gAn1fa
krefkKpnmULmZCGENB2F6dnZ
=JbZZ
-END PGP SIGNATURE-

Re: E-Mail Authentication Will Not End Spam, Panelists Say

[Hadmut Danisch]

On Thu, Nov 11, 2004 at 04:20:59PM -0500, R.A. Hettinga wrote:
> 
> Still, panelists insisted authentication is a vital first step. After that,
> they said, could come a system that evaluates the "reputation" of senders,
> perhaps using a process that marks good e-mail with an electronic seal of
> approval.


which is, btw, not really correct.

I was one of those panelists, and I explicitely stated that
authentication is only the first step, but an important step, which 
requires a second step (literally in my slides). So the
first statement seems to be a quote of my talk.

But my statement about the second step was that "reputation" does not
work on an international scale, this works in the U.S. only. It might
even be unlawful in Europe. My proposal was to do the second step
individually for each country.

regards
Hadmut

Re: E-Mail Authentication Will Not End Spam, Panelists Say

[Chris Palmer]

Russell Nelson writes:

> Yes, this is true.  John Gilmore is a pain in the ass for standing on
> his rights (some government types might say *fucking* pain in the
> ass), but he is correct.  ALL of the effort spent to secure open
> relays was basically wasted effort, because spammers just moved on to
> insecure client machines.  The proper route to control spam is to
> involve users in prioritizing their email, so that their friend's
> email comes first, followed by anybody they've sent mail to, followed
> by people they've gotten email from before, followed by mailing list
> mail, followed by email from strangers (which is where all the spam
> is).  All of that relies on email authentication to work.

Spammers will start hijacking authenticated servers.

The solution is to automatically classify messages according to user 
preference. Good software to do this is already in mainstream MUAs, and 
even better software to do it is open source (google for "weka machine 
learning" as an example). Someday (hopefully soon), MUAs will be able to 
automatically classify messages into more than two categories. There is 
already phenomenal software (reeltwo.com; commercial but based on Weka) 
to do this very quickly and accurately.


-- 
Chris Palmer
Staff Technologist, Electronic Frontier Foundation
415 436 9333 x124 (desk), 415 305 5842 (cell)

81C0 E11D CE73 4390 B6C7  3415 B286 CD8F 68E4 09CD



pgpIMDPC2V5Gp.pgp
Description: PGP signature