ietf-asrg
[Top] [All Lists]

[Asrg] [IP] CNN covers Meng's SPF

2004-03-01 11:58:28


NEW YORK (AP) -- With a simple adjustment in your e-mail software, you can
pretend to be anyone. You can send messages marked as coming from
BillGates(_at_)microsoft(_dot_)com(_dot_)

Surprise surprise!!!  This should have been common knowledge for a long time.

The trick, known as spoofing, is a popular method for spammers to hide
their tracks -- you'd blame Microsoft Corp. chairman Bill Gates and not
the actual perpetrator of junk mail.

To close that loophole, Microsoft and Yahoo! Inc. are each developing
systems aimed at authenticating senders of e-mail. America Online Inc. is
testing a third.

Funny thing that each of these folks are ISPs... and each is trying to make 
sure 
you use THEM for everything you do. :-((  

"Having e-mail come in, and not really being able to identify where it
comes from, this is a huge security hole," Gates said this week in
announcing specifications for his proposal.

Actually, the "Received" headers give one a pretty decent trace of "where it 
comes from", at least once it leaves the hands of those who counterfeit headers 
or otherwise attempt to deceive.  And one could certainly imagine a system 
whereby mail recipients systems could go back to the claimed originating system 
of the E-mail message and ask for confirmation that the specific E-mail message 
actually originated at that system.

Many software engineers are concerned, however, that these systems could
end up causing more problems than they solve.

And, in fact, that is precisely the problem.  Many of these systems, 
SPECFICALLY 
INCLUDING Wong's SPF (and as a member of the IETF's Anti-Spam Research Group 
was 
on Wong's SPF mailing list for a while, before I concluded that it was probably 
fatally flawed), have a number of very serious problems in them if they were 
ever to be widely adopted.

Microsoft's proposal, known as Caller ID for E-mail, calls for Internet
service providers to submit lists of unique numeric addresses for their
mail servers. On the receiving end, software would check a database to
verify that a message said to come from an e-mail provider actually
originated at one of its registered machines.

The problem with this one of course is that not all E-mail messages originate 
at 
mail servers run by ISPs.  Some of the more sophisticated business customers 
(and indeed, some of the more sophisticated USERS, myself among them) actually 
use their own outgoing E-mail servers... for a whole variety of perfectly valid 
reasons.  It's outrageous and offensive that ISPs are trying to prevent users 
from being able to bypass the ISP's (hoped-for) monopoly provision of 
(sometimes 
unwanted and often gotcha-laden) "ISP services".

In January, AOL began testing a similar system called Sender Policy
Framework, or SPF, which checks a different part of the message.

Yahoo's proposed solution is a different animal. It would use encryption
to digitally sign messages. If the sender or message content is altered,
the signature gets rejected. Yahoo announced its proposal, DomainKeys, in
December but has yet to make details public.

There are a lot of such systems and most of them work at least in the scenario 
they are designed for.  Unfortunately, when you start looking at the less 
obvious but still HIGHLY important situations... such as personally-owned 
domains, mailing lists, corporate "vanity domains", roaming use (mailing from 
cruise ships, airport waiting lounge kiosks, etc)... not even to mention 
"anonymous remailers" required by whistleblowers etc... you usually find that 
these proposals have very serious flaws that have terrible implications to many 
customers with legitimate needs and concerns.

The big three e-mail providers are not alone in trying to tackle address
spoofing. Leading e-mail software vendor Sendmail Inc., spam-filtering
company Brightmail Inc. and frequent e-mailer Amazon.com are also at it,
each planning to test one or more systems.

All these competing proposals are enough to get the Internet's
standards-setting bodies in a lather.

One of them, the Internet Engineering Task Force, has scheduled a session
on authentication next Thursday in South Korea. Experts predict some
combination of the techniques will be ready for use later this year,
though formal standards will take longer.

There's much work to be done in the meantime, including proving the
systems can actually work beyond controlled, laboratory environments.

Caller ID and SPF, at least, are likely to disrupt mail-forwarding
services that colleges and companies offer to let alumni and subscribers
route e-mail through a domain name other than their own service
provider's.

They also could break "send to a friend" features in which someone clicks
on a Web link to pass an interesting item to someone else.

THOSE *need* to be broken.  They are often more just a pleasant-looking ruse to 
collect an E-mail address of the "someone else" victim and later use that for 
spamming or other unwelcome purpose.  (Electronic "greeting cards" of course 
suffer from the same fault.)

Issues to be worked out for all three systems include how to properly send
e-mail from cybercafes, hotels and public Wi-Fi hotspots...

Indeed, and (as mentioned) airport waiting lounge kiosks, cruise ships, and 
other "temporary/away" situations.  Mailing lists are another such serious 
problem.

and how to preserve privacy when using anonymous re-mailers, which are used by
whistleblowers and others to intentionally mask the origin of messages.

Absolutely.

"A lot of people have said that e-mail today is broken, and now we're
going to break it a little more," Meng Weng Wong, lead developer of SPF,
acknowledged. "Some of the things people are used to doing, they won't be
able to do it in quite the same way."

In fact, Wong (based on E-mail exchanges he and I have had) basically just 
doesn't care about the important flaws in his approach, he is fully aware of 
them and has been forging ahead with it regardless.  I consider his approach 
and 
attitude to be irresponsible and objectionable.

But the gain in fighting spam outweighs any pain from change, Wong argues.

Except that it doesn't.  NOTHING in SPF in any way prevents spam whatsoever... 
all it does is to authenticate the sender.  Spammer-friendly ISPs, new "vanity" 
domains (and spammers are creating "disposable" vanity domains with seemingly 
randomly generated domain names at a breathtaking rate... sometimes using the 
domain name just once for a single mass mailing and figuring the less-than-$50 
domain registration fee just a small part of the cost of doing their spamming 
business.)

Spammers can also continue hijacking (with viruses and worms) the systems of 
legitimate (if naive or careless) users and use those to generate spam E-mails 
using absolutely "legitimate" (if inadvertent) and authenticated users and 
valid 
sender ISPs.  This of course is one of the problems with the "cyberpayments" 
schemes for E-mails, too (quite apart from that being a slippery slope to the 
"pay for each E-mail" scheme that monopoly ISPs would LOVE to see become the 
norm).  In each case, the spammer simply shifts the costs to an inadvertent 
third-party victim.

So in fact, Wong's system creates MUCH pain, requires changes to systems 
literally everywhere in the world, hugely inconveniences (or even disables 
entirely) many types of users with highly legitimate needs, and still doesn't 
really do much of anything to actually solve the problem.  It still leaves 
people sending and receiving spam, with about the only improvement being that 
you maybe know who to send complaints about it to (usually an ISP, whose user 
is 
themself an unwitting and usually unwilling victim).  So what is the ISP 
supposed to do, punish the victim?  And even if they throw the victimized user 
off their system, eventually ALL such users will have been victimized, and 
NOBODY is left still on the Net.  :-(

Authentication also can help limit the spread of e-mail viruses...

Again, NO IT DOESN'T.  It only helps identify where they actually came from.  
Maybe.  (And often, that trail will end up leading back to someone who is a 
pathetic and beleaguered victim themselves).  This ultimately is NOT very 
helpful.

A **far** better approach... simpler, easier, rapid to implement, hard to 
disable or to evade... and one which IMMEDIATELY benefits the folks who 
INDIVIDUALLY put it in place, without requiring literally worldwide changes and 
consensus to be effective... is for E-mail client software companies to simply 
discard ALL incoming attachments (including alternative HTML-burdened ones) 
unless the recipient had previously whitelisted the sender and authorized THAT 
sender to send THAT recipient attachments of THAT specified type.  (Example:  
Your Aunt Gertrude *might* actually send you an electronic photo JPG of her 
adorable poodle Fifi, but she probably NEVER needs to send you an .EXE, script, 
PIF, or other type of executable file.)  Likewise, even if you're some kind of 
consumer products company (say, Proctor and Gamble) that needs to receive 
unsolicited messages from previously-unknown users, it's very hard to argue 
that 
people need to send *attachments* (at least not as an initial contact message) 
rather than simply safe, plain ASCII text.

So E-MAIL CLIENT SOFTWARE SHOULD STRIP ALL ATTACHMENTS UNLESS THE RECIPIENT HAS 
SPECIFICALLY WHITELISTED THE INDIVIDUAL SENDER TO SEND THEM THAT SPECIFIC TYPE 
OR CLASS OF ATTACHMENT.

That single, simple, highly effective strategy would OVERNIGHT result in a 
near-total-elimination of 85-95% (maybe more) of all viruses and worms.  The 
GREAT majority of them would find their propagation rate reduced to well below 
the minimum "survival" rate.

and, with Caller ID and DomainKeys, help flag fraudulent "phishing" messages 
that try to trick people into revealing passwords and credit card information.

A far more effective strategy THERE, TOO, is to STRIP ALL HTML CONTENT OUT OF 
MESSAGES unless the recipient has specifically authorized (by whitelisting) the 
specific sender in question to send the recipient HTML-burdened E-mail.

The great majority of spam and fraudulent "phishing" messages use tricks based 
on HTML to deceive, obscure, and defraud.  This can include obscured URLs, 
links 
that claim to be one thing but in fact point somewhere else (e.g. claim to be 
"http://security.ebay.com"; but in fact when you click on them they point to a 
rogue server in Romania or somewhere), Web bugs, malicious scripting, malicious 
ActiveX content, text-as-image in order to evade antispam content filters, and 
so forth.  

If ONLY AUTHORIZED WHITELISTED-BY-EACH-RECIPIENT SENDERS were able to send them 
HTML-burdened E-mail content, then (and in conjunction with good antispam 
content filters, which would then be HUGELY more effective) we'd also get rid 
of 
the great majority of spam and other fraudulent E-mail, too.

Again, this doesn't require any great worldwide consensus, doesn't require any 
sweeping and disruptive change to the world's online systems, and doesn't 
needlessly or seriously disrupt legitimate users.  Moreover, IT IS EFFECTIVE 
FROM DAY ONE AND TO THE VERY FIRST ADOPTERS, which means that people are 
immediately gratified by the change they make to THEIR systems.  This ought to 
result in a rapid adoption rate, and minimize the long time it takes to move 
complex and ultimately unsatisfactory standards through worldwide standards 
organizations.

Note also that BOTH the changes I propose... simply whitelisting attachments 
and 
HTML at the recipient end, on a sender-by-sender basis... are SINGLE-ENDED 
schemes which do not require ANY changes at the sender ends at all (other than 
implying that they cannot send attachments or HTML-burdened mail unsolicited or 
unwanted, and expect to actually get it through!).  And, once whitelisted, 
EVERYTHING we can do today (vanity domains, roaming, mailing lists, 
send-from-cruise-ship, and so forth) all still work, too.

The proposals require no changes to existing protocols for e-mail or the
domain name system, and developers of all three pledge to eventually seek
standards status (Wong has already submitted SPF for review).

Actually, almost all of these other approaches (INCLUDING Wong's) DO involve 
the 
need for worldwide changes and consensus, they prevent legitimate users from 
doing things they sometimes truly NEED to do, most DO involve changes to the 
DNS 
system (or else the construction of a wasteful parallel to it), and in fact 
NONE 
of them seem to ACTUALLY solve the problem.  They do NOT prevent the sending of 
Spam, they do NOT prevent the propagation of viruses, they do NOT prevent 
"phishing" and similar deceptions.  They only inconvenience people everywhere 
and disable exceedingly useful and important features.

For now, the three can coexist, although adoption could be limited until a
consensus emerges around one or a combination.

The reason there has not been (and is not LIKELY to be) a consensus around 
these 
proposals anytime soon is because they each have very nasty problems that many 
people strongly dislike, and generally the payback even upon widespread 
implementation simply isn't worth the implmentation costs and other 
disadvantages.

But these solutions alone will not stop spammers.

ABSOLUTELY, and that is at the root of the delay and dissatisfaction with all 
of 
them.  Nobody that seriously looks at these proposals is truly convinced that 
any of them ACTUALLY solve the problem.  It only makes folks (arguably) 
identifiable or traceable, and while that sounds good on the surface, it simply 
doesn't achieve much in the end analysis.  I don't think it makes much sense to 
uproot and mess up the entire Internet worldwide, just to give the bogus 
APPEARANCE of "we have to [appear to] do SOMETHING".

Meanwhile, the simple single-ended solution I propose (in conjunction with a 
suitable content filter at the recipient end) would be cheap and fast, HIGHLY 
effective against worms, viruses, spams, and "phishing" spoofs, is rapidly 
implementable, and would have negligible negative impact on legitimate, 
responsible users (both senders and recipients).  It moreover requires **no** 
changes whatsoever to the critical underlying Internet infrastructure.

Systems will have to be established to evaluate the reputation of domains
that relay e-mail, and that raises questions about who would develop such
lists and who would arbitrate disputes.

Again, that's simply NOT NECESSARY.  All that does is to establish 
trackability, 
it does **nothing** to actually prevent the sending (or receipt!) of spam, 
viruses, worms, and the like.

In the short term, authentication will be useful mostly for verifying
newsletters and other bulk mailings that are often misidentified as spam
today, said Margaret Olson, co-chairman of the Email Service Provider
Coalition's technology committee.

This can easily enough be handled, if necessary, with normal public-key 
signature technology.  Again, no infrastructure changes are required or even 
indicated.

Once enough service and software providers adopt the technology, "getting
unauthenticated mail delivered will be extremely difficult," she said.

And that's part of the problem with such changes.  They require worldwide 
consensus to work effectively, and the earliest adopters gain little or nothing 
from making the changes.  They are expensive (because they have to be done 
EVERYWHERE) and in the end, when all is said and done, THEY DON'T SOLVE THE 
PROBLEM!

And that could hurt e-mailers in other countries where adoption of
English-language specifications tend to lag, and smaller service providers
may be forced to accept whatever the giants decide, critics warn.

Right, it could take years or even decades, and many Net users (including 
businesses with embedded mail handlers built into their related applications) 
might in some cases not even *ever* be able to adhere to the changed 
specifications.

At EarthLink Inc., which is experimenting with authentication, chief
architect Robert Sanders said no service provider wants to suddenly stop
e-mail from non-participants.

Right.  The authentication approach isn't really very effective unless and 
until 
EVERYONE is "authenticated", and the way the schemes are generally conceived, 
that mythical state of eternal bliss is NEVER in practice achieved.  And again, 
even after EVERYONE is authenticated, that STILL doesn't prevent them being a 
victim and sending out "fully authenticated" viruses, worms, and "my system was 
hijacked" spams!

But he likened the technology to telephone's caller ID: "You may still get
a phone call with caller ID, but you may not choose to answer it."

There are a LOT of ways we can potentially "break" the world's E-mail system.  
My position is that we shouldn't do that unless the actual payback we'd achieve 
by doing so is truly compelling.  I still feel that the approach I'm proposing 
has the fastest payback to adopters, the lowest worldwide cost, the best 
effectiveness against worms, viruses, spams, spoofing, and "phishing", and the 
least unwanted and undesired downside costs to existing users, systems and 
applications.

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections!  http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>