
Re: [Asrg] MTP draft

2003-03-04 12:12:31
From: Hadmut Danisch <hadmut(_at_)danisch(_dot_)de>

 - text filtering can give failure indications during SMTP transactions.  
  There are many examples of such systems, including some installations
  of SpamAssassin, the DCC, and many uses of the sendmail milter
  mechanism.

I don't know of any text filtering that works reliably and reasonably.

Do you know about the DCC, SpamAssassin, Brightmail, or Postini?  I
may be somewhat biased, but I think all of those are reasonably reliable
and reasonable.  (I've some reservations about SpamAssassin, but only
because I wonder about Perl for filtering more than 50,000 messages/day.)

That's a kind of content security that just reduces the channel
bandwidth (seen from an information theory point of view). 

You and I apparently do not agree on the definition of "information
theory point of view."

And, I believe that it is a bad idea to perform text analysis _while_
receiving the message. Message transfer should be as fast as possible 
and should not suffer from any external delay. And it is not always
possible because some formats can be decoded/uncompressed only when
they are complete.

I don't like text analysis while receiving the message. And I am 
not really convinced about such content methods.

Do you know how many CPU cycles are required to perform some text
analysis?  It is possible to analyze text as fast as all but the fastest
networks, at many MBytes/second.  Essentially no SMTP servers are
significantly affected by the costs of running the DCC client code.

There are many organizations that are using text analysis to reject
more than 90% of incoming spam 100,000 millions of mail messages
per day sent to their SMTP servers.


...
  - most talk of "header forgery" is confused.  The best demonstration
   of that fact was a recent message to this mailing list that talked about
   people "forging" their own addresses.  That makes no sense given
   the English definition of the verb "to forge."  You cannot "forge"
   your own name or address.

Sure you can. Don't use the "English definition". Use the "Security 
definition".

It means that you can just insert any address without any
authorization step. If you can do it, so anyone else can do it as
well. There must be some technical difference introduced between the
one who is allowed to use an address, and all others. That's the point. 

That is a misuse of the word "forge."  You can also use the word "apple"
when you are talking about an orange, but it is a bad idea.


   The problem is that many and perhaps most so called "forged" mail
   From addresses in spam are no more "forged" than the home return
   address you put on picture postcards while on vacation.

I've never received a postcard asking me to buy any nonsense and 
labeled with a wrong sender address. I received hundreds of such e-mails.

That's irrelevant to whether the return address was forged.

Besides, in almost all cases, you have no idea whether the sender
address is in fact wrong by any sane and honest definition of "wrong."
It is perfectly reasonable and quite common for paper mail to have 
postmarks, envelope return addresses, and inside addresses that all
differ.  The same applies to email.  Whether the email or paper mail
is otherwise objectionable is independent.


   That the free mail provider of the mailbox has cancelled a spammer's
   account does not make the use of the mailbox "forgery" any more
   than your use of a hotel's address is forgery the day before you
   arrive or the day after you leave.

I can't follow you. Many spam messages I've received had sender
addresses which _never_ existed. I know that a little bit more than 
a year ago millions of mails have been sent with several sender
addresses (_dot_)(_dot_)(_dot_)(_dot_)(_at_)danisch(_dot_)de. Since this is my own domain, I'm pretty
sure that these accounts never existed. Spam sender addresses are not
cancelled accounts, they are just random addresses. 

Some spam does in fact carry forged SMTP envelope Mail_From or 
header From:, Reply-to:, Return-Path: or Sender: values.  However, many
other cases are not really "forged."  


  - PKI, X.500, PGP, SMIME, and all other authentication mechanisms
   are irrelevant to stopping spam.  It is not only that the amazing
   story in http://www.cert.org/advisories/CA-2001-04.html demonstrates
   that it is impossible for $350/certificate to check the identity
   of certificate holders.  It is that a fundamental design goal of
   SMTP is to allow strangers to send each other mail.  

That's the problem we're here to solve. It's our job to change it, 
not to accept it.

You can't wave a magic wand and ignore the design goals.  As long as
you accept the design goal of accepting mail from strangers, you are
stuck with the fact that authentication is irrelevant to stopping spam.


   If you are willing to accept a message from a complete stranger, then
   it makes no sense to talk about authenticating the stranger.  Strangers
   are people you don't know and cannot trust to not be sending you and
   500,000,000 of your closest friends the same message.

That's a culturally dependent point of view. The European approach is 
that you can identify everybody, even a complete stranger, and that
you know who was sending you rubbish. If 1% of the recipients complain
or get into legal steps, the sender faces 5,000,000 opponents. But
you need to know the identity of the sender before. 

No, you are confusing figuring out the perpetrator of a crime with
preventing crime.  Being able to know who sent you rubbish is just as
irrelevant to stopping that same rubbish as knowing who robbed a bank
is for preventing that robbery.

In fact it is no more difficult in principle to determine the identity
of spammers in the U.S. than in Europe.  On both continents, if the
ISP has reasonable records, the perpetrator is known.  PKI, X.509,
PGP, SMIME, and even SMTP-AUTH and SMTP-TLS are irrelevant.


  - There is a single, common definition of spam that works.  It is
   "unsolicited bulk mail."  "Unsolicited" is determined by the target
   unless the sender has creditable evidence that the target asked for the
   mail.  "Bulk" is some number of substantially identical messages usually
   more than a dozen.

How do you want to detect whether a mail was sent to at least 10,000
other people without violating their privacy? And if you are one of
the unlucky first 10,000 receivers, then it is not yet spam?

You are confusing detecting a crime with preventing crime and punishing
criminals.

In practice, you are right more than 99.9% of the time when you see
a single bulk message and guess it is bulk.  In practice you do not
need to see 10,000 copies to know that bulk mail is bulk.  When you
as an individual user receive spam, you do not need to receive 9,9999
copies to know with better than 99.9% accuracy whether it is bulk.

When you see someone lurking behind your neighbor's house, you do not
need to investigate to see if the prowler is authorized.  You should 
call the police and let them sort it out.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
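
The DCC named in this message counts checksums of messages rather than reading their text, which bears on both the SMTP-time rejection point and the privacy question in the thread. The sketch below is an added illustration, not part of the original message and not the DCC's actual algorithm or code: `fuzzy_checksum`, `Clearinghouse`, `smtp_verdict`, the threshold of 12 and the sample messages are all assumptions constructed here.

```python
import hashlib
import re
from collections import defaultdict

BULK_THRESHOLD = 12  # "usually more than a dozen", per the definition quoted above

def fuzzy_checksum(body: str) -> str:
    """Digest of the body with per-recipient noise (case, digits, URLs, punctuation) removed."""
    text = re.sub(r"https?://\S+", " url ", body.lower())
    words = [w for w in re.sub(r"[^a-z]+", " ", text).split() if len(w) > 2]
    return hashlib.sha256(" ".join(words).encode()).hexdigest()

class Clearinghouse:
    """Hypothetical shared counter: it sees only digests, never bodies or recipients."""
    def __init__(self):
        self.counts = defaultdict(int)

    def report(self, checksum: str) -> int:
        self.counts[checksum] += 1
        return self.counts[checksum]

def smtp_verdict(sender, body, clearinghouse, solicited=frozenset()):
    """Reply to give at the end of DATA, before the message is accepted."""
    seen = clearinghouse.report(fuzzy_checksum(body))
    if sender in solicited:          # the target asked for this bulk mail
        return "250 2.0.0 accepted"
    if seen > BULK_THRESHOLD:        # unsolicited and bulk
        return "550 5.7.1 rejected: unsolicited bulk mail"
    return "250 2.0.0 accepted"

def demo():
    """Constructed sample traffic: 13 personalised copies, one list post, one personal note."""
    ch = Clearinghouse()
    spam = ["Dear user%d, BUY now at http://shop.example/offer?id=%d !!!" % (n, n)
            for n in range(1001, 1014)]
    verdicts = [smtp_verdict("promo@bulk.example", m, ch) for m in spam]
    listmail = [smtp_verdict("list@lists.example", "Weekly digest, issue 7", ch,
                             solicited={"list@lists.example"}) for _ in range(20)]
    personal = smtp_verdict("alice@example.org", "Lunch on Thursday at noon?", ch)
    return verdicts, listmail, personal

if __name__ == "__main__":
    spam_verdicts, list_verdicts, personal_verdict = demo()
    print(spam_verdicts[0], "|", spam_verdicts[-1], "|", personal_verdict)
```

The first twelve copies are accepted because nothing has been counted yet; a counter shared by many receiving sites reaches the threshold sooner for any one of them.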


