
[Asrg] Re: 03.1 Re: Forgery in SMTP

2003-12-26 14:35:25
There are two problems caused by the potential forgery that is possible in 
SMTP:
1. Filtering by sender's address is hard when someone could forge a friend's
address.

 Which is where accountability comes in.

Walt: I think Alan is implicitly referring to the LMAP technology, which 
WILL allow the victim to prevent abuse of their name.
Of course, it doesn't work IRL yet, and I can see how you wouldn't 
realise he was referring to it. 
Flamewar quenched, I hope.  Chill, guys.

To begin with, spam volumes become far less of a problem (inboxes overflowing, 
byte volumes, spool space, bandwidth, etc etc) when the spams are simply 
smaller.

I've previously suggested as a BEGINNING to the solution that recipients be 
able to whitelist "authorized" senders to send them "special" type posts.

By default, an unrecognized or unauthorized person would be able to send the 
recipient a "simple", small post... no attachments, no HTML-burdened content 
(including NO embedded images, no scripting, etc)!, maybe with an upper-bound 
size of 10K or 50K or something.

Note that this no-images, no-attachments, no-HTML-burdened rule immediately 
squashes the GREAT majority of tricks that spammers employ to obscure their 
message or hide their content from filters and keyword scanners and the like.  
It also virtually eliminates in one fell swoop the great majority of viruses 
and worms.

This approach is simple, straightforward, easily implemented at the recipient's 
end (or their ISP) and immediately effective.  It doesn't require any great 
global redesign of the Internet.

While it is POSSIBLE to get past it (if for example the virus gets lucky and 
manages to forge a From address which just happens to be authorized to send 
attachments (and moreover, EXECUTABLE attachments) to the recipient), the 
numbers are still WAY smaller than they are now... perhaps small enough that 
the resulting success rate will be too small for the virus or worm to end up 
being viable.

Now, I have lately been getting "junk" spam messages which contain NO visible 
purpose whatsoever... they don't point at any Web site, they don't have any 
apparent return receipt requested, they just contain a bunch of random words.  
Perhaps these are ONLY being sent to see if they bounce back as 
undeliverable... hard to say!  Perhaps their "real" content is in an 
HTML-burdened alternative version (which gets stripped out of all E-mail upon 
arrival here).  I don't know that much of any spam filter is likely to end up 
blocking mail like this (but 
then again, it's not clear what other benefit there would be for spammers to 
send it, either).  Certainly if this were to get widespread, it would be almost 
as annoying as the familiar commercial-type spam shilling for porn sites or 
hawking herbal penis enlargement.

2. One can't hold the victim of the forgery accountable for the junk
transmitted.

 Why not?  If they haven't done anything to prevent the (ab)use of
their name, how can the recipient tell if a message is real, or
abusive?

 A spammer sends out a viagra spam "From: "Alan DeKok" <*****(_at_)ox(_dot_)org>".
How are the 20 million strangers it's addressed to going to *REJECT* it?
At these volumes, merely accepting the email and storing it in
recipients' "spam folders" will cause smaller ISPs to run out of
mailspool space.  

That's pretty much an oxymoron... if they're getting 20 million copies of it, 
then they're probably not a "smaller" ISP.  

Certainly it WOULD be possible to "mailbomb" a given target (maybe smaller) ISP 
(e.g. a virus or worm which would commandeer victim computers and cause them to 
each send thousands and thousands of E-mail messages to target ISPs or users) 
but that's going to be possible anyhow, and is really pretty much outside the 
topic that WE are tasked with dealing with.  That's really more of a Denial of 
Service attack.

What actions can *YOU* take that would allow
verification/authentication of the "From:" during the SMTP transaction ?

I'm not convinced that it's necessarily practical and maybe not even desirable 
to even try.

First of all, there are many legitimate reasons for people to send E-mails 
through relays, foreign ISPs, or other services not usually associated with 
their From: address.  They might be travelling (perhaps even internationally) 
at an Internet cafe, airport waiting lounge E-mail kiosk, cruise ship Internet 
access lounge, in-airplane E-mail service, public library, or post office.  In 
each of these cases, they clearly want the replies to come to their own 
(perhaps "vanity") domain, and maybe they never will ever again even be at the 
point where the prior E-mail message was actually sent from.  

What's more, consider the case of mailing lists (Yahoogroups is a good example) 
as "anonymizers" of sorts of messages.  They forward messages (as individual 
messages or perhaps as digests) and these sorts of mailing lists are terribly 
important to large classes of internet users.  Sometimes these messages bear 
the original sender's From address, sometimes they bear the list's From address.

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment!  Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
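
The recipient-side policy proposed in the message above (whitelisted senders may send anything; everyone else gets plain text only, no attachments, under a size cap), as an added example that is not part of the original post. The function names, the choice of the 10K cap, the example.org addresses and the decision to reject rather than strip a non-conforming message are assumptions, and the sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

MAX_UNAUTHORIZED_BYTES = 10 * 1024   # assumed: the post says "10K or 50K or something"
WHITELIST = {"friend@example.org"}   # constructed recipient whitelist

def check_message(raw, whitelist=WHITELIST):
    """Return (accept, reason) for one raw message under the proposed policy."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in whitelist:
        # From: is unauthenticated, so a forged whitelisted address also lands here.
        return True, "whitelisted sender"
    if len(raw) > MAX_UNAUTHORIZED_BYTES:
        return False, "over size cap"
    for part in msg.walk():
        if part.is_multipart():
            continue                 # containers carry no content themselves
        if part.get_content_disposition() == "attachment" or part.get_filename():
            return False, "attachment"
        if part.get_content_type() != "text/plain":
            # covers HTML alternatives and embedded images alike
            return False, "non-plain part " + part.get_content_type()
    return True, "simple small post"

def sample_message(sender, body="hello\n", html=False, attach=False):
    """Build a constructed test message and return it as raw bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "rcpt@example.net", "test"
    m.set_content(body)
    if html:
        m.add_alternative("<b>hello</b>", subtype="html")
    if attach:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename="x.exe")
    return m.as_bytes()

if __name__ == "__main__":
    cases = {
        "stranger, plain": sample_message("stranger@example.com"),
        "stranger, html": sample_message("stranger@example.com", html=True),
        "stranger, exe": sample_message("stranger@example.com", attach=True),
        "friend (or forged friend), exe":
            sample_message("Friend <friend@example.org>", attach=True),
    }
    for name, raw in cases.items():
        print(name, "->", check_message(raw))
```

The last case is the bypass the post itself concedes: the whitelist keys on the From: header, so a message that forges an authorized address is accepted with its attachment.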


