Re: Proposal For Token-Based Authentication In Mail Submission As Anti-Forgery Effort

2004-03-06 Thread Vernon Schryver
 From: Sabahattin Gucukoglu 

 ...
 and important catch in this proposal, that being a modification to all 
 MUAs and MTAs to allow the acceptance and carrying of a password token 
 which should persist throughout the entire mail delivery, ...

 My proposal is a scheme for anti-forgery, which makes use of a non-blank 
 token, or password, which can be verified by a recipient system ...

How does your scheme prevent forgery better than SMTP-AUTH, SMTP-TLS,
S/MIME, or PGP?  Most MTAs support SMTP-AUTH and SMTP-TLS.

The difficulties in preventing spam sender forgery are not in defining
token protocols but in

 - defining forgery in a way that excludes common, legitimate practices.
Why isn't sending mail with your Hotmail account as sender while
sitting at your desk at work or with your work sender address while
in a customer site, hotel room, or airplane forgery that would be
prevented by the proposed sender-verifying mechanism?

 - key distribution.
Verisign/Microsoft would be happy to become the toll collector for
all Internet mail using the current or a variation of the current
commercial PKI.  Some of us are not keen on that idea.  All other
key distribution mechanisms have their own substantial problems,
including those that would use the DNS.

 - preventing spammers from buying as many tokens as they need.
The major spammer that currently calls itself Zhang Jun and Qing
Zhang has been burning several new domain names per day for the
last 2 or 3 months.  Why won't it be able to make or buy tokens
to go with each of its domain names?  Why won't domain2004.com,
managernic.com, namelite.com, nicsimple.com, sitesadmin.com, and
the rest of its DNS servers serve its SPF RRs or your password
tokens as readily as they serve NS, MX, and A RRs?  Why can't it
replace those DNS servers as they become recognized with new DNS
servers, as it has been doing for years?


 1.  Sender MUA submits message through some host X, indicating token to X 
 using the stok extension to be defined in SMTP as an extension to its 
 mail from: command:
 mail from:[EMAIL PROTECTED] stok=blorb 

 ...
 4.  MX begins a password query.  It must connect to some kind of password 
 query resource.  The MX may connect to a designated MTA for a domain and 
 use the stok keyword to query for a password (stok blorb 250 Token 
 is tasty!) or some other simplified database query.  ...

 5.  Authenticated submitters are welcome, unauthenticated submitters 
 aren't, policy-dependent.   ...

Have you looked at SMTP-AUTH?
What about SMTP-TLS with verified certs required?

I hope you won't be too offended if someone points out 
http://www.rhyolite.com/anti-spam/you-might-be.html
I wrote it during the first months of the ASRG mailing list.


Vernon Schryver[EMAIL PROTECTED]
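Vernon's objection in concrete form, as an added example that is not part of the original thread or of any real MTA: a toy MX-side check for the proposal's stok parameter (steps 1 and 4 above), where the per-domain token verifier is a constructed table standing in for the "designated MTA for a domain". All domain names, addresses and tokens are made up for the example.

```python
import re
from typing import Dict, Tuple

# Constructed stand-in for "connect to a designated MTA for a domain and use
# the stok keyword": maps a sender domain to the tokens its operator issued.
# Every name and token here is invented for the example.
TOKEN_SERVERS: Dict[str, set] = {
    "example.com": {"blorb"},              # a legitimate operator
    "throwaway.example": {"t1", "t2", "t3"},  # a disposable domain; its owner mints tokens too
}

# MAIL FROM:<reverse-path> followed by zero or more ESMTP "name[=value]" parameters
# (RFC 5321 syntax, case-insensitive keywords).
_MAIL_FROM = re.compile(
    r"^MAIL FROM:<(?P<path>[^>]*)>"
    r"(?P<params>(?: [A-Za-z0-9][A-Za-z0-9-]*(?:=[^ =\x00-\x20]+)?)*)$",
    re.IGNORECASE,
)

def parse_mail_from(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (reverse-path, {param-name: value}) for a MAIL FROM command."""
    m = _MAIL_FROM.match(line.strip())
    if not m:
        raise ValueError(f"malformed MAIL FROM: {line!r}")
    params: Dict[str, str] = {}
    for tok in m.group("params").split():
        name, _, value = tok.partition("=")
        params[name.lower()] = value
    return m.group("path"), params

def query_token(domain: str, token: str) -> str:
    """Simulated 'stok <token>' query to the sender domain's own verifier,
    answered with an SMTP-style reply line as in the proposal."""
    if token in TOKEN_SERVERS.get(domain, set()):
        return "250 Token is tasty!"
    return "550 Unknown token"

def verify_stok(line: str) -> Tuple[str, bool]:
    """MX-side check: extract the sender domain and stok parameter, ask that
    domain's verifier, and report (domain, accepted)."""
    path, params = parse_mail_from(line)
    domain = path.rpartition("@")[2].lower()
    if "@" not in path or "stok" not in params:
        return (domain, False)
    return (domain, query_token(domain, params["stok"]).startswith("250"))
```

Both the legitimate operator and the disposable domain get a 250, because each answers for its own tokens; the check establishes only who controls the sender domain, which is the same thing SPF records served from the spammer's own DNS establish.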



Mailing list created for IETF broadcast issue.

2004-03-06 Thread Joel Jaeggli
I have created a mailing list for the purpose of discussing the future of 
uni/multicast/recording at the IETF.

The list is:

[EMAIL PROTECTED]

you may subscribe by sending mail with the command:

subscribe ietf-broadcast

to:

[EMAIL PROTECTED]

I am in transit for the next couple of days, so an online archive will 
probably have to wait till I get back, but anything sent will be 
captured.

joelja

-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2


paralysis

2004-03-06 Thread Michael Thomas
Vernon Schryver writes:
[]

You know, it's quite elucidating seeing the banter
about the subject of spam, especially between you
and Paul but what strikes me more is the
overarching dynamic going on:

for (;;) {
   1) proposal is made
   2) proposal is classified into one of several
  general buckets
   3) proposal is deconstructed by those who've seen
  this many many times
   4) no silver bullet is uncovered
}

In the meantime, the exponential curve of spam
keeps on moving along the X axis for ever greater
values of X.

So... instead of pointing out the obvious that
there is no silver bullet, wouldn't it be a lot
more productive to frame this debate in terms of
what incremental steps could be taken to at least
try to change the overall climate? To perhaps move
things in a direction that might be in our favor?
To perhaps be open to making some mistakes and/or
no-ops?

We know spammers are smart and adaptable. The
problem is that in our paralysis, we are not.

   Mike



Re: paralysis

2004-03-06 Thread Vernon Schryver
 From: Michael Thomas [EMAIL PROTECTED]

 ...
 So... instead of pointing out the obvious that
 there is no silver bullet, wouldn't it be a lot
 more productive to frame this debate in terms of
 what incremental steps could be taken to at least
 try to change the overall climate? To perhaps move
 things in a direction that might be in our favor?
 To perhaps be open to making some mistakes and/or
 no-ops?

Am I interfering with incremental debate framing, climate changing, or
designing, implementing, testing, and deploying possible solutions that
might be mistakes and no-ops?  I hope not and I don't think so.  In about
1997 Paul Vixie mentioned the notion of spam checksum clearinghouses.
I pointed out the obvious problems, but 6 or 9 months later hacked a
form of the idea into sendmail.  The DCC is now resisting about
350,000,000 spam/week.  When I heard about greylisting, I pointed out
some obvious problems, but worked hard to add it to the DCC client code.

That a problem seriously wants a solution does not imply that it has
one.  That personal immortality, matter transmission, and communicating
consent to receive mail sound nice does not imply that they are possible
or that they would solve more problems than they would create.  Either
way, lists of problems from wet blankets like me should not stop anyone
from designing, implementing, testing and deploying, unless they need
to sell a lot of stock beforehand.


 We know spammers are smart and adaptable. The
 problem is that in our paralysis, we are not.

Whose paralysis do you mean, Kemo Sabe?  Outside the mass media, mailing
lists, and usenet, plenty is being done about spam.  Some efforts have
been more effective than others.  Others such as laws have more future
hope than past performance.  Filter effectiveness above 95% is common.
Reasonably spam free mailboxes that are open to mail from perfect strangers
are more readily available today than they were 3 years ago.  Nothing
so far has been or will be a silver bullet.  Unless you believe vague
handwaving or swallow any of several brands of patent medicine, there is
no prospect of a FUSSP (Final Ultimate Solution to the Spam Problem).

By itself, framing debates is not productive unless you're only
interested in debates.  Few of those who do more talking and writing
about spam than administrating anti-spam mechanisms, designing, writing
or deploying code, enforcing laws, or anything else that directly
affects spam in more than their personal mailboxes are contributing
to solutions.


Vernon Schryver[EMAIL PROTECTED]