On dinsdag, sep 9, 2003, at 19:41 Europe/Amsterdam, Dean Anderson wrote:
Let's first define our goal before declaring it impossible to reach.
Well, I think the goal has been stated: Create an abuse-free email
protocol. That goal is impossible. Thus, we have abusable protocols.
Ok, not going to argue on that point (not necessarily agreeing, though).
Perhaps you have a different goal in mind, but it doesn't sound like
you
accept the premise that it impossible to create an abuse-free protocol.
My goal is to drastically lower unsullicited bulk mail. It's not the
occasional message that bothers me, but the dozens each day that try to
exploit human kind's lowest common denominator. I believe bulk and
unsollicited can both be determined objectively, so there should be
ample avenues to explore here.
The NCSC's definition refers to ANY communication not authorized by the
security model. Note that the term "Covert Channel" is frequently
associated with Multilevel Secure Operating Systems. The liturature
uses
other terms to describe the same concept: "information leakage",
"sneaky
signalling", "hidden data flows", "side channels". So you must not get
too
caught up in the peculiarities of operating systems. The concept is
quite
general.
It is immediately obvious that covert channels have 3 characteristics:
It
is a CHANNEL, it is COVERT, and it VIOLATES SECURITY POLICY. (Caps for
emphasis of definition, not loudness.)
Ok.
CHANNEL: Spam is a type of Email. Email is a channel transfering
signals
from A to B.
Ok.
COVERT: Spam is hidden in so far as possible from the system
operators. It
is an unintended communication in that the system operators intended
that
only non-broadcast, solicited commercial communication flow. This not
an
exclusive list of what is permitted, but illustrates that spam isn't
permitted.
Hm, is it? In most cases spamminess is pretty obvious, but I've both
received and sent out complaints about spam which turned out to be
fairly legitimate communication that just wasn't all that welcome any
more. (But hard to tell when businesses change their (domain) name.)
This stuff is hard to determine on a per-message basis.
The part that I care about is that spam is unwelcome in two ways: each
individual spam message is unwanted by the recipient, and the generated
system load is unwanted by the service provider.
VIOLATES SECURITY POLICY: System Operators specified an acceptable use
policy that outlines what is permitted and what is not permitted. UCE
is
not permitted. Various methods have been implemented to enforce this
policy.
Again, too hard to determine by just looking at a message somewhere in
the middle of the path. Now if we define that a single user may only
send 1000 messages a day, that's something we can work with.
If you can detect abuse on input rather than on output, detecting
abuse
is exactly what enables you to make an abuse-free protocol.
Input to the first mailserver is output to the mail client. There may
be
many input/output connections. For every input, there is an equal and
opposite output. (Seems that perpetual motion may have some analog
after
all ;-)
Yes, this makes the whole thing somewhat harder...
We are already "only allowing known bulk emailers".
Untrue.
Speak for yourself.
You are the one who said "we". :-)
I do think Shelby was on the right track with the idea of separating
mailinglists from regular one-to-few email. (Not quite sold on the pop
thing, though, that would be going 8 years back in time for me.)
Mailinglists usually already have reasonable access controls and a
single or very limited number of sources, so those shouldn't be a huge
problem. With the sollicited bulk email out of the way, any bulk email
that's left is automatically unsollicited (or a corner case that we can
ignore at the price of some inconvenience) so this can be stopped or
slowed down.
Spammers can _always_ do whatever regular users can do. There is no
way to
authenticate regular users and not authenticate spammers. This is why
SMTP
AUTH has no effect on spam.
If I know who sent something I can filter so I don't have to receive
any future filth from the same source. And if spammers are forced to
use their real identity then finally they'll get at least some of what
they have coming.
If regular users can inject arbitrary
addresses, then so can spammers. Regular users can always inject
arbitrary addresses. Ordinarilly, this is desired.
Disagree.
The point being?
The point being that the persons sending most of the spam will do
anything
to annoy people. It has no grounding in commercial motivation, nor can
regulation of commercial activity have any effect. In other words,
protocols that require cooperation of the spammer aren't likely to
succeed.
What we need is a system where the only action that has any result is a
valid action. Then either spammers have to spew out their filth out in
the open without being able to hide, and bear the consequences (I don't
normally condone violence but for spammers I'll make an exception) or
slither back under the rock they came from.
You miss the point. Most of the "little" spam is sent by virus infected
computers as well as email containing the virus itself.
We have to fix this at some point, not just for spam, but also for
DDOS. (Compared to which spam is a minor annoyance.)
It is when they lose their accounts faster than they can acquire new
ones.
Has this ever happened in 8+ years? No. Will it ever happen? No
That's the great thing about authentication: I can blacklist someone's
credentials on _my_ system so they don't get to send email to me or my
customers anymore. No need to wait for lazy ISPs anymore.
The spammer already has authentication, however it was acquired:
Stolen,
disposable, etc. Email authentication will always be equivalent to that
authentication.
No. A proxy service wouldn't normally have access to an email identity.
On MacOS the user even has to specifically allow applications to use
passwords, so unless a worm manages to get root access or take over an
application that can already send email, it wouldn't have access to the
email authentication data.
Also, you can force the outgoing mail through an ISP which can then do
bulk detection.
The notion of authentication in email comes from the fallacy that
spammers
are somehow outsiders getting in.
No, that's not the point. The point is: fool me once, shame on you.
Fool me twice, shame on me. I don't want the same bad guy to fool me
twice.
I find it unacceptable that my email software lets people bombard me
with crap while at the same time faking the headers such that said
crap
seems to come from an innocent bystander. I can't understand how any
reasonable person can think this is ok.
People find it unacceptable that fertilizer explodes. However, it is
impossible to make fertilizer that doesn't explode. Only those
ignorant of
chemistry call for such things.
At the very least we get to make sure the blame isn't shifted to
innocent bystanders.
Or maybe we should just go ahead and move the "From: " header to
historic and be done with it.
Might as well add all the other headers than can be forged as well.
Might
as well take the From Address off postal mail as well, since that can
be
forged, too. It is a mistake to think that just because something can
be
abused, that it should be removed.
Again, not the point. The point is that people think that the From:
line indicates where the message comes from. This is a broken
assumption. So remove the line and people will realize than anyone can
put any name at the bottom of a message and there is no longer any
half-baked trust of something that is fake 37.5% of the time. (Assuming
50% spam and 75% forged From: which are both reasonably in line with
what many people see.)
Also, "forge" implies some kind of effort to pull of the deception. But
with email no effort of any kind is required: just say whatever you
want and the other side takes your word for it. And then to think email
has been used as evidence in court. Insane is the only word I have for
it.