Hello everyone,
It seems to me if the mail server administrators would make the decision to
require people that send emails from their servers to log into a valid
account on that server and use the same valid account on the server as a
return address it would negate the ability of a large percentage of the
spamers to send the spam anon. This would allow easier filtering of many of
the offending messages by domain. Additionally, the sending account field
and the reply to field should be equal and clients should be required to use
an email address that is associated with the account used to log into the
server in the first place. This will need to be implemented in the beginning
by administrators who run software capable of it, and it would be
implemented later as part of the email client and/or server software using
new software releases, patches, and individual customizations of existing
software. I know that there are many people who will scream and gnash their
teeth at this suggestion as it will force them to identify themselves to
anon mailing lists but I think it would be an acceptable compromise if we
could eliminate a major portion of the spam clogging our inboxes. Clients
need to be identified by ISP based email servers using their DNS and IP
address footprints and clients attempting to send email with improper
footprints should be disregarded (making it very difficult to send email
from the server if you truly are not a valid subscriber to the service, much
like many of the current news servers do). Then to deal with the anonymous
email servers out there (hotmail, yahoo, etc...) the operators of those
services should require clients logging into those accounts to send email
from a valid IP address with no unsecured proxy services running on them
(much like many IRC servers are doing) and transmit this IP information
along with the email being sent. This would allow for pinpoint
identification of the senders of spam using IP addresses MAC addresses and
time stamped logs for the specific purposes of taking legal action against
these network abuses. I know it will be argued that this will require
cooperation between ISPs and that some systems are already implementing
these measures but if all administrators as a single body insist that
everyone adhere to these rules or be excluded from sending email to clients
of their services and enforced this through IP block and domain blocking the
stragglers would be forced to adhere to these rules. Further, if a body such
as the IETF stood behind this and perhaps drafted specifications for
administrators, and software developers to follow when making new
clients/servers and updating existing clients/servers it would hold added
weight in the market place. The extra cost associated with such actions
could be offset by saved resources, and additional revenues made as a result
of higher subscription rates justified by superior spam filtering techniques
and a greater number of subscribers to the service due to better service
quality. I would also like to suggest that the California law that requires
all unsolicited emails be appended with adv: in the subject line be expanded
to a federal law and additionally require emails that are solicited by
signing up for a service include exact information about who the sender
bought your email address from in the email.
These are just some ideas I have had on eliminating spam and should in no
way be considered a flame against anyone. I know there is no way that this
will stop all unsolicited email from being sent or received. I just thought
they might help to get some people rolling on a solution and that it would
be better than complaining about it. After all doesn't a global solution
make more sense than venting about what should be done to keep it out of
this mailing list.
Thank you for your time and attention,
Douglas Huyler
Dougxx2(_at_)carolina(_dot_)rr(_dot_)com
704-721-0212
P.S. I am sorry this email comes so long after the original post was made
but I don't read the list very often and after reading this thread from the
begining to December 6th I thought I would reply. If someone else has
brought these things up after this point I am sorry, but I haven't caught up
with the list yet.
----- Original Message -----
From: "Fred Baker" <fred(_at_)cisco(_dot_)com>
To: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>
Cc: <ietf(_at_)ietf(_dot_)org>; <namedroppers(_at_)ops(_dot_)ietf(_dot_)org>;
<iesg(_at_)ietf(_dot_)org>
Sent: Friday, December 06, 2002 4:41 PM
Subject: RE: namedroppers, continued
At 08:28 AM 12/2/2002 -0800, Hallam-Baker, Phillip wrote:
The only way to resolve this issue properly would be to require every
submission to an IETF mailing list to be cryptographically signed (PGP
or S/MIME), to require the subscribers to register their signing key and
to then filter the mail sent out on the list so that only signed mail
gets through.
I would be in favor of that, personally, as long as we can ensure that the
appropriate signature facility (be it RSA, PGP, or whatever) is freely
available to all who need to use it. The issue here is not us corporate
types who have a business reason to buy the software, it is the students
who often lack the funds. The big issue would be the procedures for
posting
one's key to the appropriate place - what is to stop a spammer from
posting
a key and sending the spam anyway? I'm not proposing a mechanism, but
someone who is good at such things might well find it of value.
It doesn't address the "off topic" issue. As you say, that could be left
to
a working group chair equiped with formal procedures developed by
consensus
within the work group or adopted by the working group from a more general
place (ie, the IETF could suggest a procedure, and the WG could adopt it
if
it didn't feel another procedure would be better).
I have had a private exchange, over the past few days, with someone who
wished that the IETF would please document some good spam-elimination
procedure, so that it could be used world-wide to completely eliminate
spam. I think that boils down to "provide a global PKI" in this solution,
and presumes that spammers are incapable of using one. That might be a
great research topic. Too bad nobody has ever thought of it before; we
could really use the outcome of that research. (OK, so it's a lame attempt
at humor...)
I think it was Steve Bellovin that suggested a procedure for reducing the
utility of spoofing source addresses in emails; if not, it was me and I
happened to suggest something his favorite algorithm fit into, by having a
host in each mail domain (mailid.example.com) be able to assert that its
domain had or had not sent an email within a given recent time period
whose MD5 hash, when divided by <vector of prime numbers> resulted in
<vector of remainders>. I could write that up in an internet draft if
folks
think it makes sense. That would be a more global procedure that didn't
require a PKI and only addressed spoofed addresses.