Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
Sorry bubbie, send me a challenge and you go into the evil list, which
tends to be a permanent /dev/null redirect. This is iron clad on a
mailing list. Direct I may or may not consign. C/R is plain evil as I
have encountered it in the past. On mailing lists it's beyond evil as
it generates challenges from every message sent to the list as the
list server never responds to the challenges.
I'm rather inflexible on Challenge/(lack of) Response because of my
experience on the wrong end of it.
{','} C/R sucks dead bunnies through garden hoses.
- Original Message -
From: RW rwmailli...@googlemail.com
Sent: Saturday, 2010/December/04 08:08
On Sat, 04 Dec 2010 12:44:37 +0100
Bernd Petrovitsch be...@petrovitsch.priv.at wrote:
C/R is only means to make it move your own effort over to others.
The really interesting case is if both sides choose to require C/R
to get the first mail delivered.
Which should be a clear sign to everyone that C/R is basically a bad
idea.
That's only a problem in very naive C/R systems. It can be solved by
using a time-limited disposable address in the envelope mail from.
The recipient's challenge goes to the disposable address which bypasses
the senders own C/R system. Some mailservers already do this because it
eliminates almost all backscatter while allowing remotely generated
legitimate DSNs to pass.
Infuriating advocates of C/R pretty much have an answer for everything.
If a benign dictator imposed a well thought-out scheme on everyone, it
would probably work very well.
At the moment though spam isn't that much of a problem, and C/R is more
trouble than it's worth.
Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
On Mit, 2010-12-01 at 16:17 -0500, David F. Skoll wrote: On Wed, 1 Dec 2010 16:02:03 -0500 Michael Grant mgr...@grant.org wrote: The main problem with this approach is how does someone send you mail if they're not on your contact list? I don't have any magic answers how to solve that beyond what's already out there as in return messages with captchas in them or things like Blue Some people (including me) do not like to be Turing-tested. And if you Turing-test me, why shouldn't I require the same in the other direction before? Apart from the obvious misuses of captchas. Bottle seem to be quite effective. Challenge-Response systems are evil. I never reply to challenges and I typically blacklist systems that send them. C/R is only means to make it move your own effort over to others. The really interesting case is if both sides choose to require C/R to get the first mail delivered. Which should be a clear sign to everyone that C/R is basically a bad idea. There's a fundamental economic principle at play: If you make it harder for spammers to send spam, then you make it less convenient to send email to someone you've never written to before. There is simply no way around that. Even worse, the professional spammers adapt faster to such new stuff than the average admin or user. [...] Bernd -- Bernd Petrovitsch Email : be...@petrovitsch.priv.at LUGA : http://www.luga.at
Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
On Sat, 04 Dec 2010 12:44:37 +0100 Bernd Petrovitsch be...@petrovitsch.priv.at wrote: C/R is only means to make it move your own effort over to others. The really interesting case is if both sides choose to require C/R to get the first mail delivered. Which should be a clear sign to everyone that C/R is basically a bad idea. That's only a problem in very naive C/R systems. It can be solved by using a time-limited disposable address in the envelope mail from. The recipient's challenge goes to the disposable address which bypasses the senders own C/R system. Some mailservers already do this because it eliminates almost all backscatter while allowing remotely generated legitimate DSNs to pass. Infuriating advocates of C/R pretty much have an answer for everything. If a benign dictator imposed a well thought-out scheme on everyone, it would probably work very well. At the moment though spam isn't that much of a problem, and C/R is more trouble than it's worth.
Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
On Sat, 4 Dec 2010 16:08:36 + RW rwmailli...@googlemail.com wrote: On Sat, 04 Dec 2010 12:44:37 +0100 Bernd Petrovitsch be...@petrovitsch.priv.at wrote: C/R is only means to make it move your own effort over to others. The really interesting case is if both sides choose to require C/R to get the first mail delivered. Which should be a clear sign to everyone that C/R is basically a bad idea. That's only a problem in very naive C/R systems. It can be solved by using a time-limited disposable address in the envelope mail from. The recipient's challenge goes to the disposable address which bypasses the senders own C/R system. Some mailservers already do this because it eliminates almost all backscatter while allowing remotely generated legitimate DSNs to pass. Infuriating advocates of C/R pretty much have an answer for that should be Infuriatingly everything. If a benign dictator imposed a well thought-out scheme on everyone, it would probably work very well. At the moment though spam isn't that much of a problem, and C/R is more trouble than it's worth.
Re: Do we need a new SMTP protocol? (OT)
- Marc Perkel m...@perkel.com wrote: I've been thinking about what it would take to actually eliminate spam or reduce it to less than 10% of what it is now. One of the problems is the SMTP protocol itself. And a big problem with that is that mail servers talk to each other using the same protocol as users use to talk to servers. Rather than get all users to change maybe it would be easier to get server software to change. This transition can be done by making server software that can do both protocols to maintain compatibility but will use the new protocol if both sides are capable of talking at that level. I'm not sure what the specification of the new protocol should be but it should at least be different than what email clients use so that server to server communication isn't the same as client to server communication. Perhaps server protocols can have more authentication information that would protect them from being spoofed. But having something different - even if it's just a port change - is better than what we have now. Thoughts? (sorry about posting the same message to the dev list. My mistake) There was a very interesting idea by Bernstein (creator of Qmail). Time flies. It's now 10 years old... http://cr.yp.to/im2000.html -- João Gouveia http://mailspike.org/
Do we need a new SMTP protocol? (OT)
I've been thinking about what it would take to actually eliminate spam or reduce it to less than 10% of what it is now. One of the problems is the SMTP protocol itself. And a big problem with that is that mail servers talk to each other using the same protocol as users use to talk to servers. Rather than get all users to change maybe it would be easier to get server software to change. This transition can be done by making server software that can do both protocols to maintain compatibility but will use the new protocol if both sides are capable of talking at that level. I'm not sure what the specification of the new protocol should be but it should at least be different than what email clients use so that server to server communication isn't the same as client to server communication. Perhaps server protocols can have more authentication information that would protect them from being spoofed. But having something different - even if it's just a port change - is better than what we have now. Thoughts? (sorry about posting the same message to the dev list. My mistake)
Re: Do we need a new SMTP protocol? (OT)
On Wed, 01 Dec 2010 07:27:13 -0800 Marc Perkel m...@perkel.com wrote: I've been thinking about what it would take to actually eliminate spam or reduce it to less than 10% of what it is now. One of the problems is the SMTP protocol itself. And a big problem with that is that mail servers talk to each other using the same protocol as users use to talk to servers. http://www.rhyolite.com/anti-spam/you-might-be.html#senior-IETF-member-5 http://www.rhyolite.com/anti-spam/you-might-be.html#spammers-are-stupid-3 http://www.rhyolite.com/anti-spam/you-might-be.html#knows-SMTP-4 http://www.rhyolite.com/anti-spam/you-might-be.html#knows-SMTP-5 http://www.rhyolite.com/anti-spam/you-might-be.html#programmer-11 Rather than get all users to change maybe it would be easier to get server software to change. This transition can be done by making server software that can do both protocols to maintain compatibility but will use the new protocol if both sides are capable of talking at that level. And spammers' incentive not to force a downgrade to SMTP will be... what? I'm not sure what the specification of the new protocol should be but it should at least be different than what email clients use so that server to server communication isn't the same as client to server communication. Perhaps server protocols can have more authentication information that would protect them from being spoofed. And authentication will stop spam... how? Thoughts? You're wasting your time. Regards, David.
Re: Do we need a new SMTP protocol? (OT)
On 12/1/10 10:33 AM, David F. Skoll wrote: And authentication will stop spam... how? Thoughts? You're wasting your time. Regards, David. Ditto. we can't even get big providers (Microsoft/blackberry) or ISP's to adhere to current RFC's. If you enforce ALL the RFC's in a pre-queue filter, you would reduce your spam. Go head. Set up your mail server to only accept email from RFC complaint senders. 1) FQDN for (e)helo / domain, hostname, with full path RDNS 2) not on RFC ignorant list (must have working postmaster,abuse, whois address. yes, its in the RFC's) 3) SPF (IF IT USES SPF) must follow spec, including SRS. if it doesn't publish SPF, then don't worry about this (I put this in for all of you to argue back and forth about SPF. but it is in the RFC's) 4) DNS/NDR's . (guess what!!) the RFC's say you MUST reject the email if you can't deliver it.. 5) only accept email from hostname/domains that block outbound port 25 from workstations (RBL's for that) 6) block email from ip's that are zombots, open relays, have broken, abuseable web email forms. As the links above mention, we have fought this battle since 1994. I have personally fought this battle since 1994. How much email do you think you will get if you follow ALL the RFC's? Oh, lets start a NEW spec that no one will follow. Considering how easy it is to force senders to follow the current specs. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best in Email Security,2010: Network Products Guide * King of Spam Filters, SC Magazine 2008 __ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ __
Re: Do we need a new SMTP protocol? (OT)
Hi, On Wed, 01.12.2010 at 10:50:49 -0500, Michael Scheidell michael.scheid...@secnap.com wrote: On 12/1/10 10:33 AM, David F. Skoll wrote: And authentication will stop spam... how? Thoughts? You're wasting your time. Ditto. we can't even get big providers (Microsoft/blackberry) or ISP's to adhere to current RFC's. :) while I fully agree that it's impossible to really fix the spam problem within the SMTP protocol, I think that it's almost easy to fix the spam problem if we are prepared to abandon the SMTP protocol. Solution: Just switch exclusively to X.400 email, and be done with spam. :} Ok, now let's be serious, there *must* be a reason why this didn't happen long ago, right? Kind regards, --Toni++
Re: Do we need a new SMTP protocol? (OT)
On 12/1/10 10:56 AM, Toni Mueller wrote: Ok, now let's be serious, there*must* be a reason why this didn't happen long ago, right? Kind regards, --Toni++ Because the internet 'must be free'. as in accessable, not as in free beer. Because like I said, all the BIG guys decided not to follow the specs anyway. Because if aol/hotmail/comcast/ (youname it.net) wanted to stop zombot spam, they could. New specs only work if you can REGULATE THE WHOLE WORLD WIDE INTERNET. (remember, the internet 'must be free') never gonaa happen see those links at rhyolite. ps, I have a new email spec, and if anyone wants to send me email they have to adhere to this new spec. ITS CALLED THE CURRENT RFC'S. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best in Email Security,2010: Network Products Guide * King of Spam Filters, SC Magazine 2008 __ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ __
Re: Do we need a new SMTP protocol? (OT)
On 12/1/10 10:56 AM, Toni Mueller wrote: I think that it's almost easy to fix the spam problem if we are prepared to abandon the SMTP protocol. Actually, published research seems to indicate spam isn't all that much of a problem anymore. Yes, 95% of all email is spam, but currently (commercially) available anti-spam engines are doing a pretty good job of sifting through spam/ham, and SA does a reasonable job itself. so, even if 95% of all email is spam, there really is only a small percentage (very small) getting through to users. Its so small, that if a user gets ONE SPAM per week, they are likely to complain about it. With zero day malware detection, and rules against accepting 'one click execute' attachments, you have to work pretty hard to get infected via email now.(unless you work at google, it seems), but then again, we don't know how hard those individual users worked to open up that malware that infected their workstations a while back. Is it a constant battle of wits between the spammers, hackers, phishers? yes. But the technology has matured enough in the last couple of years that its a win able battle. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 *| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best in Email Security,2010: Network Products Guide * King of Spam Filters, SC Magazine 2008 __ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ __
Re: Do we need a new SMTP protocol? (OT)
On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote: I've been thinking about what it would take to actually eliminate spam or reduce it to less than 10% of what it is now. One of the problems is the SMTP protocol itself. And a big problem with that is that mail servers talk to each other using the same protocol as users use to talk to servers. I don't think that would help at all. Bots would just pretend to be mail servers and use SMTP. Any other form of spam could be circumvented by setting up spammer-owned MTAs that spammers would use to inject spam. IMO the best solution would have been a charge per e-mail provided it was universally enforced. A small charge, e.g. $0.001 to $0.01 per addressee per message would be almost unnoticable to a normal user or business while still being enough to discourage volume spammers by wiping out their profits. Another benefit would be that the bill received by a bot-infected user would serve as a powerful wake-up call to get disinfected. Martin
Re: Do we need a new SMTP protocol? (OT)
On 2010-12-01 17:13, Martin Gregorie wrote: On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote: I've been thinking about what it would take to actually eliminate spam or reduce it to less than 10% of what it is now. One of the problems is the SMTP protocol itself. And a big problem with that is that mail servers talk to each other using the same protocol as users use to talk to servers. I don't think that would help at all. Bots would just pretend to be mail servers and use SMTP. Any other form of spam could be circumvented by setting up spammer-owned MTAs that spammers would use to inject spam. IMO the best solution would have been a charge per e-mail provided it was universally enforced. A small charge, e.g. $0.001 to $0.01 per addressee per message would be almost unnoticable to a normal user or business while still being enough to discourage volume spammers by wiping out their profits. Another benefit would be that the bill received by a bot-infected user would serve as a powerful wake-up call to get disinfected. could we move this dead horse out of the house? the SDLU list may be a better place for this topic
Re: Do we need a new SMTP protocol? (OT)
Hi, On Wed, 01.12.2010 at 11:02:54 -0500, Michael Scheidell michael.scheid...@secnap.com wrote: On 12/1/10 10:56 AM, Toni Mueller wrote: Ok, now let's be serious, there*must* be a reason why this didn't happen long ago, right? Because the internet 'must be free'. as in accessable, not as in free beer. you are preaching to the choir. ;) I only wanted to illustrate that there *are* means, but it should be obvious why (almost) nobody wants to use them. Eg. there's the virtual poststamp method, as suggested by Microsoft, and it's patented, thus protected from abuse, too... Kind regards, --Toni++
Re: Do we need a new SMTP protocol? (OT)
Hi, On Wed, 01.12.2010 at 16:13:06 +, Martin Gregorie mar...@gregorie.org wrote: I don't think that would help at all. Bots would just pretend to be mail servers and use SMTP. Any other form of spam could be circumvented by setting up spammer-owned MTAs that spammers would use to inject spam. nothing new so far. IMO the best solution would have been a charge per e-mail provided it was universally enforced. A small charge, e.g. $0.001 to $0.01 per addressee per message would be almost unnoticable to a normal user or business while still being enough to discourage volume spammers by wiping out their profits. Another benefit would be that the bill received by a bot-infected user would serve as a powerful wake-up call to get disinfected. This is imho a very bad idea, as it would destroy much of the freedom of the Internet in one go, since it would then be impossible to send anonymous emails. Although not very much people make use of this feature, I find it MUCH too valuable to abandon and have the Internet policed by those who would want to cash you, and/or prevent you from sending email in the first place. It's quite sad to find the ugly joke with X.400, which would be mostly just that, electronic postage per email, to be taken for real... Kind regards, --Toni++
Re: Do we need a new SMTP protocol? (OT)
On Wed, 1 Dec 2010, Martin Gregorie wrote: IMO the best solution would have been a charge per e-mail provided it was universally enforced. http://www.rhyolite.com/anti-spam/you-might-be.html#e-postage http://www.rhyolite.com/anti-spam/you-might-be.html#senior-IETF-member +1 to moving this dead horse out of our house. Jeeze, Marc, you just _love_ opening cans of worms, don't you? :) -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered. -- Lyndon B. Johnson --- 14 days until Bill of Rights day
RE: Do we need a new SMTP protocol? (OT)
-Original Message- From: Martin Gregorie [mailto:mar...@gregorie.org] Sent: 01 December 2010 16:13 To: users@spamassassin.apache.org Subject: Re: Do we need a new SMTP protocol? (OT) On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote: I've been thinking about what it would take to actually eliminate spam or reduce it to less than 10% of what it is now. One of the problems is the SMTP protocol itself. And a big problem with that is that mail servers talk to each other using the same protocol as users use to talk to servers. I don't think that would help at all. Bots would just pretend to be mail servers and use SMTP. Any other form of spam could be circumvented by setting up spammer-owned MTAs that spammers would use to inject spam. IMO the best solution would have been a charge per e-mail provided it was universally enforced. A small charge, e.g. $0.001 to $0.01 per addressee per message would be almost unnoticable to a normal user or business while still being enough to discourage volume spammers by wiping out their profits. Another benefit would be that the bill received by a bot-infected user would serve as a powerful wake-up call to get disinfected. Martin I think the SMTP protocol should stay. We seem to live in an age where we change the rules to suit those the rules are suppose to protect, rather than teaching the importance of rules in the first place. (read between the lines to understand that last statement :) ) Charging, for any email sent, is a 100% no no. Implementing a new protocol to solve the same problem, and do the same job, that we already have a protocol/solution for? I'm not 100% sure that's a good idea, because the ultimate goal of the spammers will remain the same. I truly fear for the day when phone calls become pretty much free, because the reason that system isn't abused as much as it could be, (numbers are WAY more predictable than letters! And end users have very little choice over the number he gets), is because it generally costs, and also goes through a third party mediator, (telco). The mechanism by which we exchange email addresses will not change, on a web site, advertising, business cards. We generally have very little control over who can get our email addresses, once we let them loose into the wild - If I send an email to anyone who is reading this directly, they can't classify that message as spam until they have already seen the contents of the message. The point is we only want messages that we want, and we can't tell that until we read it! Which leaves us with really one option, and that is to use whitelisting, and to manage that list manually using a set of rules. (remember rules, I mentioned them earlier :) ) If we wish to get rid of the spam problem for ever, we will have to relinquish the freedoms that we currently have when it comes to SMTP. People can't be trusted to act right, and will always try to find shortcuts. Using a third party will help, but will also cost. Which is a shame.
Re: Do we need a new SMTP protocol? (OT)
On Wed, 2010-12-01 at 17:29 +0100, Toni Mueller wrote: Hi, On Wed, 01.12.2010 at 16:13:06 +, Martin Gregorie mar...@gregorie.org wrote: . IMO the best solution would have been a charge per e-mail provided it was universally enforced. A small charge, e.g. $0.001 to $0.01 per addressee per message would be almost unnoticable to a normal user or business while still being enough to discourage volume spammers by wiping out their profits. Another benefit would be that the bill received by a bot-infected user would serve as a powerful wake-up call to get disinfected. This is imho a very bad idea, as it would destroy much of the freedom of the Internet in one go, since it would then be impossible to send anonymous emails. How, exactly do you work that out? Send through your ISP, ISP knows who you are anyway and collects. Send through, say, TOR and either you use a wrapper (your ISP collects that and TOR strips the wrapper and sends the actual message, or you use a browser to connect to Tor and they collect. Either way, since I believe a mail can't be tracked through Tor, the result is anonymity. Besides, I seem to remember hearing that IPV6 is never anonymous and we're all going to be on that as soon as IPV4 address space is exhausted, and there are only two /8 chunks left unassigned. OT comment 1: if IPV6 is indeed never anonymous, where does *that* leave spammers and botnets. OT comment 2: another major source of spam is web forums, yet I seldom hear anything about controlling those sources. Martin
IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
On Wed, 01 Dec 2010 16:55:17 + Martin Gregorie mar...@gregorie.org wrote: Besides, I seem to remember hearing that IPV6 is never anonymous Where did you hear that? I can't imagine that IPv6 is any less (or any more) anonymous than IPv4. OT comment 1: if IPV6 is indeed never anonymous, where does *that* leave spammers and botnets. Spammers and botnets *do not care* about anonymity. Why should they when they can easily steal someone's identity by subverting his or her computer? That is why pretending that strong authentication will affect spam is fantasyland. [Well, the botnet operators care about personal anonymity, I guess, so they cover their tracks. But they don't care about anonymity as far as interacting with SMTP servers goes.] Regards, David.
Re: Do we need a new SMTP protocol? (OT)
On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote:
I've been thinking about what it would take to actually eliminate spam
or reduce it to less than 10% of what it is now. [...]
The FUSSP! Hooray!
I'm not sure what the specification of the new protocol should be [...]
Oh, no, it is not. You did not offer a solution.
Thoughts?
(sorry about posting the same message to the dev list. My mistake)
Yes. Thoughts. This is off-topic.
Please go find a better audience to rehash this subject yet again. This
horse has been beaten to death many times before.
Neither SA list would have been appropriate to raise that topic.
guenther -- your friendly moderator
--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Do we need a new SMTP protocol? (OT)
On 12/01/2010 02:13 PM, Martin Gregorie wrote: On Wed, 2010-12-01 at 07:27 -0800, Marc Perkel wrote: I've been thinking about what it would take to actually eliminate spam or reduce it to less than 10% of what it is now. One of the problems is the SMTP protocol itself. And a big problem with that is that mail servers talk to each other using the same protocol as users use to talk to servers. I don't think that would help at all. Bots would just pretend to be mail servers and use SMTP. Any other form of spam could be circumvented by setting up spammer-owned MTAs that spammers would use to inject spam. IMO the best solution would have been a charge per e-mail provided it was universally enforced. A small charge, e.g. $0.001 to $0.01 per addressee per message would be almost unnoticable to a normal user or business while still being enough to discourage volume spammers by wiping out their profits. Another benefit would be that the bill received by a bot-infected user would serve as a powerful wake-up call to get disinfected. Much simpler is to have a per user whitelist. There are a few projects for this and even SA can be used to do it. The problem is that the spam problem is thrown at the user rather than the admin. There is no need to an extra RFC for this. The server returns a 5xx/4xx error for non-whitelisted mails. For the lazy ones, managing the whitelist from the mail client is very important. Even a period of transition can be easily setup. a - the users are aware of the change and how to manage this. b - users start to setup their whitelists (specially for maillists). c - post spam filtered messages are automatically replied about the need - if not already in the whitelist. this would let the known sender to poke the lazy contact. d - whitelist in effect returning a 5[4]xx error with some explaniation message. Then we got the point on how to know the addresses to whitelist it in the first place (first contacts). A first time sender could have its message reformated in a way to let the user know about it and white/blacklist (e.g. links to the admin site - GUI action). Somewhat like an IM works (or should). -rsd
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
On 12/1/2010 12:05 PM, David F. Skoll wrote: Where did you hear that? I can't imagine that IPv6 is any less (or any more) anonymous than IPv4. One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's nightmare. A spammers (and blackhat ESPs) would potentially send out each spam from a different IP and then not use each IP again for YEARS! This will make DNSBLs much less effective.. and it will bloat their file sizes and memory/resource requirements exponentially. The DNSBLs will have no choice but to make their entire DNSBL the equivalent of a /24 list today... except painting with a much broader stroke, and many will complain about unfair collateral damage. Even then, the bloat will STILL be out of control. SOLUTIONS? Personally, I prefer everyone everywhere agree that, unless the e-mail is password authenticated to one's own mail server, all mail be rejected unless the mail server had IPv4. But purists won't like that because their goal is to eventually *end* IPv4. So what else could be done? If we must receive mail from IPv6 IPs, then I recommend doing the equivalent of the following (put in IPv4 terms for simplicity): (A) All other non-authenticated mail rejected... unless the message came from a XXX.XXX.XXX.0 IP (this is in IPv4 terms... translate this into some equivalent IPv6 standard... but case a super wide net!) That will greatly reduces the number of possible valid mail sending IP. (again, auth mail to one's own server need not fulfill this standard) (b) industry wide, agree that mail is NOT accepted from IPv6 unless it does Forward Confirmed reverse DNS FCrDNS If one or both of those were agreed upon up front--this would go a long way towards preventing the coming nightmare. (and forgive me of RFCs have already established those as absolute standards for IPv6... I haven't kept up with all the RFC for IPv6!) -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
On Wed, 01 Dec 2010 12:47:16 -0500 Rob McEwen r...@invaluement.com wrote: One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's nightmare. A spammers (and blackhat ESPs) would potentially send out each spam from a different IP and then not use each IP again for YEARS! Actually, since the smallest allocation unit is a /64, you could switch IP addresses once per nanosecond and not run out for almost 585 years. If you have a /48, you could last for about 38 million years. So at a minimium, an IPv6 DNSBL will have to list a /64, not individual IPv6 addresses. That's fine. Most botnet nodes are individual home PCs and they won't be able to pick an address outside their /64 allocation (assuming a competent ISP... a big assumption!) Also, DNSWLs will start becoming more important as we concentrate on listing known-good machines. Personally, I prefer everyone everywhere agree that, unless the e-mail is password authenticated to one's own mail server, all mail be rejected unless the mail server had IPv4. But purists won't like that because their goal is to eventually *end* IPv4. It's not just purists who won't like that. At some point, you won't be able to *get* an IPv4 address. [...] If one or both of those were agreed upon up front--this would go a long way towards preventing the coming nightmare. (and forgive me of RFCs have already established those as absolute standards for IPv6... I haven't kept up with all the RFC for IPv6!) I don't see any nightmare. DNSBLs are a useful anti-spam tool that will be made somewhat less effective with the advent of IPv6, but they're by no means the only or most effective anti-spam tool we have. Regards, David.
Re: Do we need a new SMTP protocol? (OT)
On Wed, 1 Dec 2010, Martin Gregorie wrote: On Wed, 01.12.2010 at 16:13:06 +, Martin Gregorie mar...@gregorie.org wrote: IMO the best solution would have been a charge per e-mail provided it was universally enforced. A small charge, e.g. $0.001 to $0.01 per addressee per message would be almost unnoticable to a normal user or business while still being enough to discourage volume spammers by wiping out their profits. How, exactly do you work that out? Send through your ISP, ISP knows who you are anyway and collects. I own my own domain and send all my mail via a hosted server that I administer. I _don't trust_ someone else to handle my email on my behalf. Who do I pay? My ISP at home? My hosting provider? Myself? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- It is not the business of government to make men virtuous or religious, or to preserve the fool from the consequences of his own folly. -- Henry George --- 14 days until Bill of Rights day
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
On 12/1/2010 12:55 PM, David F. Skoll wrote: I don't see any nightmare. When DNSBL resources are order of magnitudes higher... when the largest data files for DNSBLs go from 100MB to probably Terabytes... and then trying to transfer that via rsync... and getting all the mirrors to handle loading that much data into rbldnsd... THAT will be a nightmare. (will Terabytes of RAM be affordable anytime soon?) DNSBLs are a useful anti-spam tool that will be made somewhat less effective with the advent of IPv6, but they're by no means the only or most effective anti-spam tool we have. Not the only tool... but (particularly for IP DNSBLs worthy of blocking at the MTA...) they are the BEST tool from a price/performance perspective. In contrast, content scanning messages is comparatively resource expensive. I suppose a nation's military *could* fight a war without airplanes, without ships, and without missiles.. and just depend on the foot soldiers and tanks to do *all* the work. But is that wise? Does that happen without a steep price? We have a chance to impose some strict standards for mail sending on IPv6 that will lessen these problems. Why wait until its too late? -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
On Wed, 01 Dec 2010 13:29:28 -0500 Rob McEwen r...@invaluement.com wrote: When DNSBL resources are order of magnitudes higher... when the largest data files for DNSBLs go from 100MB to probably Terabytes... and then trying to transfer that via rsync... and getting all the mirrors to handle loading that much data into rbldnsd... THAT will be a nightmare. (will Terabytes of RAM be affordable anytime soon?) I don't follow you. DNSBLs will only list addresses (actually, /64s) that have been seen to be abusive. That number is limited not by the number of possible IPv6 addresses, but by the number of actual /64 allocations. [...] We have a chance to impose some strict standards for mail sending on IPv6 that will lessen these problems. Why wait until its too late? Because those strict standards all make sending mail less convenient without affecting spam. Regards, David.
Re: Do we need a new SMTP protocol? (OT)
Marc, This is like solving the Suzuki Samauri rollover problem by making a newer, wider standard for road widths so that the automakers can make wider cars. After all the current road width standard is set the way it is because of Roman chariots which specified that the road needed to be wide enough for 2 horses. If you think about it, if we added a few feet in width to semi trucks we would save millions of gallons of diesel fuel every year, reduce many thousands of trucks on the road, and reduce the chance of a truck rollover. It is an engineering solution that is utterly practical, and would work perfectly - from an engineering standpoint. But it is completely impractical and impossible from a common sense standpoint. Just like your suggestion of changing the SMTP standard. Eric Allman himself, inventor of the SMTP standard, has repeatedly said that what happened with SMTP was predictable. SMTP -HAD- to be open and flexible to work in the first place, and that flexibility caused it to be widely adopted - then once widely adopted, that flexibility itself is now a problem. If the SMTP standard had been tighter in the beginning so that people would like it today, then it never would have been adopted, and instead some other, flexible and open standard would have been adopted - and we would be exactly where we are now. I submit that many things in life are like this and you can't do anything about it other than to just shrug your shoulders and let it be. Ultimately, in the far future, e-mail itself will become obsolete by something else, just as e-mail today is obsoleting paper mail. Maybe at that time we will have a chance to do it right. Ted On 12/1/2010 7:27 AM, Marc Perkel wrote: I've been thinking about what it would take to actually eliminate spam or reduce it to less than 10% of what it is now. One of the problems is the SMTP protocol itself. And a big problem with that is that mail servers talk to each other using the same protocol as users use to talk to servers. Rather than get all users to change maybe it would be easier to get server software to change. This transition can be done by making server software that can do both protocols to maintain compatibility but will use the new protocol if both sides are capable of talking at that level. I'm not sure what the specification of the new protocol should be but it should at least be different than what email clients use so that server to server communication isn't the same as client to server communication. Perhaps server protocols can have more authentication information that would protect them from being spoofed. But having something different - even if it's just a port change - is better than what we have now. Thoughts? (sorry about posting the same message to the dev list. My mistake)
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
On 2010/12/01 12:55 PM, David F. Skoll wrote: Actually, since the smallest allocation unit is a /64, you could switch IP addresses once per nanosecond and not run out for almost 585 years. If you have a /48, you could last for about 38 million years. So at a minimium, an IPv6 DNSBL will have to list a /64, not individual IPv6 addresses. That's fine. Most botnet nodes are individual home PCs and they won't be able to pick an address outside their /64 allocation (assuming a competent ISP... a big assumption!) For what it's worth, the recommended allocation to end users is a /56 to the home and a /48 to small businesses, though many are suggesting a /48 to everyone to keep routing simpler. Also, DNSWLs will start becoming more important as we concentrate on listing known-good machines. +1 blacklists simply won't be able to maintain unless they list the entire prefix, and even that won't last forever. Rob McEwen wrote: If one or both of those were agreed upon up front--this would go a long way towards preventing the coming nightmare. E-mail is already being sent on IPv6. Better hurry up on writing those RFC's! -- /Jason smime.p7s Description: S/MIME Cryptographic Signature
Re: Do we need a new SMTP protocol? (OT)
I do find this topic interesting, perhaps this isn't the most appropriate place to discuss it, if not here though, where? I'd like to make an observation. More and more people are using social network systems like Facebook in place of email. Also IM chatting is replacing a lot of person-to-person email. I actually get precious little spam through these alternatives to smtp email. This is primarily because in order to send me a message through one of these systems, you have to be on my contact list. Of course, this only moves the problem one layer up. In order to set up that reciprocal agreement, some exchange has to take place, either out of band, or via an invite (which could be spam). There are many different IM systems out there now. It annoys me that I have to get on lots of different systems just to communicate with everyone. I'd prefer to see one unified messaging system. SMTP email is going to be hard to replace. It would seem like our best bet is to bolt something on to it like an IM style contact list manager where you have to be on someone's contact list to be able to send them mail. The main problem with this approach is how does someone send you mail if they're not on your contact list? I don't have any magic answers how to solve that beyond what's already out there as in return messages with captchas in them or things like Blue Bottle seem to be quite effective. Michael Grant
Misguided energy (was Re: Do we need a new SMTP protocol? (OT))
On Wed, 1 Dec 2010 16:02:03 -0500 Michael Grant mgr...@grant.org wrote: The main problem with this approach is how does someone send you mail if they're not on your contact list? I don't have any magic answers how to solve that beyond what's already out there as in return messages with captchas in them or things like Blue Bottle seem to be quite effective. Challenge-Response systems are evil. I never reply to challenges and I typically blacklist systems that send them. There's a fundamental economic principle at play: If you make it harder for spammers to send spam, then you make it less convenient to send email to someone you've never written to before. There is simply no way around that. Rather than destroying email (its killer feature is *precisely* the ability to dash off a note to someone new) by making it harder to send spam, viable anti-spam solutions make it less likely that spam will be received. Yes, this is costly and annoying, but it's the price we pay for the convenience of email. Regards, David.
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
On 12/1/2010 10:29 AM, Rob McEwen wrote: On 12/1/2010 12:55 PM, David F. Skoll wrote: I don't see any nightmare. When DNSBL resources are order of magnitudes higher... when the largest data files for DNSBLs go from 100MB to probably Terabytes... and then trying to transfer that via rsync... and getting all the mirrors to handle loading that much data into rbldnsd... THAT will be a nightmare. (will Terabytes of RAM be affordable anytime soon?) DNSBLs are a useful anti-spam tool that will be made somewhat less effective with the advent of IPv6, but they're by no means the only or most effective anti-spam tool we have. Not the only tool... but (particularly for IP DNSBLs worthy of blocking at the MTA...) they are the BEST tool from a price/performance perspective. In contrast, content scanning messages is comparatively resource expensive. which we currently are doing. If Wonkulating Gronkulator ISP Inc. has 2000 customers on their mailserver in an IPv4 world, they will have 2000 customers on their IPv6-enabled mailserver. They will thus be doing the same amount of work content scanning on the IPv6-enabled mailserver as they are now doing on the IPv4-enabled mailserver. Adding more IP addresses into the market isn't going to increase the amount of spam being sent. What really increases the amount of spam being sent (IMHO) is increasing the number of HOSTS that can directly send out via port 25. Without question the real driver of IPv6 is stuff like cell phones, blue ray players, and so on that need more IP addresses. Do these devices need unrestricted port 25 access? Absolutely not. So it seems that the organizations constructing the IPv6 networks that these devices need, have every incentive to be responsible and block such access. If for example your an ISP managing a FIOS network who is looking into going to IPv6 you know your going to either have to replace firmware in your customer's CPEs or provide them with new CPEs. And the new CPE cannot depend on NAT it will need to have a real firewall in it. Why would you NOT set an outbound port25 block as a DEFAULT? Today, Comcast blocks SMB ports, I have run tests with techs here and I can guarantee that it is impossible to map a drive over Comcast, unless you either use nonstandard ports or put it in a VPN. Yet does the average customer notice? NO. So then why would it be so difficult for them to block port 25? it WOULDN'T. We know that with the newer broadband networks - wiMax, cable, fios and FTTN, that in the US at any rate we are heading into a monopoly age where the wire carrier will be the ISP. Thus there will not be many ISPs out there and those that will be out there will be gigantic. We know that for these megaliths to go to IPv6 they will need to forklift upgrade their CPE's. We also know these CPEs will not be NAT devices and thus will need stateful firewalls to do IPv6. So the opportunity is to have the ISPs today that will be doing this set the defaults in these CPE devices to block things like outbound SMTP. If the customer is clueful they can login and turn off the block, if they are clueless they should definitely not be turning off any SMTP blocks. Problem solved. Ted I suppose a nation's military *could* fight a war without airplanes, without ships, and without missiles.. and just depend on the foot soldiers and tanks to do *all* the work. But is that wise? Does that happen without a steep price? We have a chance to impose some strict standards for mail sending on IPv6 that will lessen these problems. Why wait until its too late?
Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))
On 12/1/2010 11:47 AM, Rob McEwen wrote: On 12/1/2010 12:05 PM, David F. Skoll wrote: Where did you hear that? I can't imagine that IPv6 is any less (or any more) anonymous than IPv4. One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's nightmare. A spammers (and blackhat ESPs) would potentially send out each spam from a different IP and then not use each IP again for YEARS! This will make DNSBLs much less effective.. and it will bloat their file sizes and memory/resource requirements exponentially. The DNSBLs will have no choice but to make their entire DNSBL the equivalent of a /24 list today... except painting with a much broader stroke, and many will complain about unfair collateral damage. Even then, the bloat will STILL be out of control. SOLUTIONS? Personally, I prefer everyone everywhere agree that, unless the e-mail is password authenticated to one's own mail server, all mail be rejected unless the mail server had IPv4. But purists won't like that because their goal is to eventually *end* IPv4. So what else could be done? v6 is now at the core and at the edge, and much of the server-to-server talking in the middle is going to remain v4 for a while. Significant numbers of smtp servers will remain v4 only, and so v6 only servers will need to use a v4 gateway to be of any real use to their customers. I think we can safely firewall, or whitelist v6 on port 25 until we have a useful whitelist, and probably a large droplist. Greylisting and watching for IPv6 hopping would probably be useful too.. Ken If we must receive mail from IPv6 IPs, then I recommend doing the equivalent of the following (put in IPv4 terms for simplicity): (A) All other non-authenticated mail rejected... unless the message came from a XXX.XXX.XXX.0 IP (this is in IPv4 terms... translate this into some equivalent IPv6 standard... but case a super wide net!) That will greatly reduces the number of possible valid mail sending IP. (again, auth mail to one's own server need not fulfill this standard) (b) industry wide, agree that mail is NOT accepted from IPv6 unless it does Forward Confirmed reverse DNS FCrDNS If one or both of those were agreed upon up front--this would go a long way towards preventing the coming nightmare. (and forgive me of RFCs have already established those as absolute standards for IPv6... I haven't kept up with all the RFC for IPv6!) -- Ken Anderson Pacific Internet - http://www.pacific.net
