ietf-smtp

Re: Introduction and query

2003-02-10 02:22:03
On Sun, 09 Feb 2003 23:08:10 PST, Adonis El Fakih said:

(OK, so it's insomnia time again..;)

In SMTP you actually have to receive the message in its entirety before
you can apply any of spam filters, unless you have a filter on email.

Quite correct.. However...

In AMDP you do not have to do that at all, because the sender MUST keep
the mail message on their OWN server, and send you an envelope
describing its contents.

Notice that you still have to download the entire message to tell if the
other end is telling the truth regarding its contents.  And I've seen
enough Murkowski-compliant "Under S.1618, this message isn't spam if it
includes a remove link" spam to not believe that spammers will tell the
truth in the envelope.  As you yourself note - a big problem is that they
lie in the MAIL FROM - why would APMD-MAIL-CLASS contain truth?

If anything, this is actually doing the spammer a favor - it means that he
can save bandwidth.  Sites that have blacklisted them won't call back to
pick up the spam.

On the other hand, sites that have blacklisted the spammer already are free
to issue a 550 on the MAIL FROM or RCPT TO and thus skip the DATA phase, so
you're not actually providing any benefit here.

Then they have to authenticate themselves so you
know that a mail message is actually residing where the spammer/or non
spammer says. Most of the spam today uses fake FROM, so this will stop
this kind of abuse.

Actually, if you think really hard about it, you'll realize that this doesn't
*really* stop fake FROM - all it does is make the spammer use a throw-away
FROM address that happens to point to a server he controls.

There is a general failure throughout the draft to distinguish between
the concepts of "authentication" (proving who the sender of an e-mail is)
and "authorization" (whether I want to accept mail from this source).

Ok, I should take that into consideration when wording changes to the document.

It's more than just wording - it's a way of thinking.  It's even possible
to conceive and design authorization systems that don't involve any actual
authentication at all.  In this class fall proposals such as the "I don't
care who you are, but if you send me e-mail you first have to perform
such-and-such complex computation that will chew several seconds of CPU - this
won't matter to any legitimate one-off mail, but will matter to a spammer".

Another example of anonymous authorization would be a rate-limiting system,
where a mail server would say "I don't care WHO you are, you're only allowed X
msgs/hour per /24 of source address space without prior arrangement" - this is
already implemented in some systems, and deals nicely with the "one-off
anonymous personal mail" problem while drastically limiting what a spammer can
do.

AMDP will enforce that mail received has to be from a host explicitly
assigned by the domain admin. This is not available in SMTP: anyone can
do it, and if they do lie it will not accept the mail.

No - they merely can't use an existing domain.  All this forces is that the
spammer also has to get a DNS entry updated at the same time he buys his
network connectivity.

And if an ISP will sell bandwidth, they will likely sell DNS on the same
whack-a-mole contract.

They can make domains for that purpose, which, because at this point the
source of spam is known, can not be traced at all in SMTP.

Umm.. It's traceable.

Received: from npsmtp02la.mail2world.com (mw27.mail2world.com [66.28.189.27])
  by zidane.cc.vt.edu (Mirapoint Messaging Server MOS 3.3.2-CR)  with ESMTP id
  BAS07392; Mon, 10 Feb 2003 02:07:59 -0500 (EST)

Interesting that your mailserver said 'npsmtp02la' but the PTR says 'mw27'.
Reverse DNS for the 66.28.189/24 is provided by cogentco.com, and the IP address
block is owned by:

route:      66.28.189.0/24
descr:      Mail2World Network
origin:     AS26254
remarks:    this is non-portable space, no exceptions
notify:     wkim(_at_)mail2world(_dot_)net
mnt-by:     MAINT-MAIL2WORLD
changed:    wkim(_at_)mail2world(_dot_)net 20030110
source:     VERIO

I'm too lazy to go poke a BGP looking-glass to see who AS26254 is getting
transit from, but I'd start by asking Verio. ;)

A bigger problem here is that although open SMTP relays are fast becoming
rarer (I've seen one reliable statistic that open SMTP relays have fallen from
60% down to about 1% of the problem), there are signs that spammers are
starting to abuse open proxy servers (many older HTTP proxies would quite
happily accept 'CONNECT destination.com 25').

Sure, why not. There is no need to reinvent the wheel. The difference here
is that 20 is not used to email the outside world but to enforce outgoing
mail rules. You can not do this in SMTP today. You can not enforce outgoing
mail size, language, etc.; that is what [20] is there for.

Given the number of ISPs that currently block outbound port 25, this seems
to be an "already done".  All you need is a firewall that blocks outbound
SYN packets on port 25 from everything from the mail server, and filtering
software on the mail server.  Given the number of e-mail a day I receive with
silly "This e-mail is proprietary" banners, I have to assume that most sites
who wish to do this already know how to do so.

Once you know that an email is coming from domain A and no one else, then we
can go to a third party (that is paid by domain A to be their certificate
manager) and check if they are within the category they claim to be. So if
domain A claims to be XY category and ends up being ZZ using some smart
filters, then we can report the abuse to the manager of the certificate and
they update the category based on feedback not only from me, but based on
reports received from other AMDP sources. Domain A can not deny that mail is
not from his domain, since the design guarantees that the host must be
explicitly authorized to mail. All mail from A to other AMDP servers will
automatically be converted to the new classification, since the third
party's job is to provide the realtime classification of the domain.

Nothing here that ORBS and MAPS haven't been doing for years already.

Yes, I agree, see above: the three-way handshake is just one of many conditions
that play together to close the holes available in SMTP.

You missed the point - if you don't trust the spammer to tell the truth
about "this is not spam" when he contacts you, why do you expect a truthful
answer when you spend the extra effort to contact a server *the spammer runs*?

I agree again, this may be difficult to implement (at the least the thread
synching), but the idea here is to create an automatic schema that allows
certain email classification to be automatically saved to tape in
anticipation of some ruling by the SEC where companies must backup all
communication relating to certain business practices.

This is so totally outside of the scope of SMTP that I'm not going to delve
further into it, other than to comment that every current MTA that I'm aware
of already has the ability to either archive a copy of everything, or can be
modified to do so.  Also, most of the most incriminating documents will be
intra-office memos - remember that Oliver North was convicted in the Iran/Contra
scandal largely on the contents of backed-up memos of the PROFS message system
that was in use at the time.  These likely never hit SMTP *at all*.

The idea is to automate the system so reports are sent and received in
real-time, so if you have a virus in your network it will automatically
alert the external network, and other AMDP servers will know of this
before the mail admin does!!

Security-wise, this is a Very Risky Idea.  Consider what happens to your
network e-mail connectivity if a number of sites submit "we're getting virus
spam from Mail2World".  All it takes is one script kiddy with 10K zombie
hosts (and there's lots of them out there), and you're suddenly off the air.

:) I do know a few. Working on ayna.com we had unfortunately been on a few
lists and I had to go and explain what happened to be taken off the list.
Spammers put a return address of ayna.com, and how can I explain to a few
thousand angry people it is not us!!!

Your proposal may deal with preventing a "joe-job" (at the price of vastly
complicating things) while doing absolutely nothing new to stop spam from
mail.only-valid-for-12-hours.com whack-a-moles or entrenched spamhauses
that have been using the same domains and IP addresses for years, and who
thus have been in blacklists for years....

/Valdis
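As an added example (not part of Valdis's message or of the AMDP draft): the two defensive checks he describes, comparing the HELO name against the PTR name in a Received: header and the per-/24 rate limit, written out in Python. The Received: line and the 66.28.189.0/24 route are taken from the message above and used as constructed input; the function and class names are my own.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed input: the Received: header quoted in the message, joined onto one line.
RECEIVED = (
    "Received: from npsmtp02la.mail2world.com (mw27.mail2world.com [66.28.189.27])"
    " by zidane.cc.vt.edu (Mirapoint Messaging Server MOS 3.3.2-CR) with ESMTP id"
    " BAS07392; Mon, 10 Feb 2003 02:07:59 -0500 (EST)"
)

# HELO name, then "(ptr-name [ip])", then the receiving host.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\((?P<ptr>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_received(header):
    """Return the HELO name, PTR name, client IP and receiving host from a Received: line."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received: syntax")
    return m.groupdict()

def helo_ptr_mismatch(fields):
    """True when the name the client announced in HELO differs from its reverse DNS."""
    return fields["helo"].lower() != fields["ptr"].lower()

def in_route(fields, route):
    """Check whether the client IP falls inside a route announced in a whois/IRR record."""
    return ipaddress.ip_address(fields["ip"]) in ipaddress.ip_network(route)

class SlashTwentyFourLimiter:
    """Anonymous authorization: at most `limit` messages per hour per /24 of source address."""
    def __init__(self, limit):
        self.limit = limit
        self.seen = {}  # /24 network -> timestamps of messages accepted in the last hour

    def allow(self, ip, now):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        # Drop entries older than one hour, then apply the per-/24 budget.
        window = [t for t in self.seen.get(net, []) if now - t < timedelta(hours=1)]
        if len(window) >= self.limit:
            self.seen[net] = window
            return False
        window.append(now)
        self.seen[net] = window
        return True
```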
