Spam Control Considered Harmful

I am worried about the tools we are developing and deploying to control spam.

Fundamentally, we are no smarter than anyone else. Competent engineers are
not uniformly "good", heck we can't even all agree on what constitutes "good".
Creating the tools ourselves does not create the demand for those tools - if
some party (a totalitarian government of whatever stripe, for example) wants
them badly enough, they will create them, or dangle enough money in front of
someone who can to entice them to do so.

That said, I feel that the only technological solution to the spam problem is
a large-scale re-structuring of Internet mail to provide for secure
authentication and cost sharing for received e-mail. The scale and cost of
such a deployment makes something like that a political and social problem,
however.

Other technological solutions are holding actions only.

What if the equivalent of "caller ID" was built into sendmail? Making sure
that the sender is a valid email address.

AGIS is looking for viable solutions to the overall problem. We have moved
any customers that we receive UBE complaints about into AS 3830 (which is
getting emptier), making them even more visible. This assists in blocking
SPAM domains at the router level. For those using the Vixie-like
approaches, this works. Notwithstanding, this thread focuses on the threat
of such efforts.

Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax - 313-563-6119

>That said, I feel that the only technological solution to the spam problem is
>a large-scale re-structuring of Internet mail to provide for secure
>authentication and cost sharing for received e-mail. The scale and cost of
>such a deployment makes something like that a political and social problem,
>however.

What if the equivalent of "caller ID" was built into sendmail? Making sure
that the sender is a valid email address.

Similar to source address validation on dialup connections, another
topic that has been bandied about here in the past.

Properly configured sendmails do this, mostly. My local one,
certainly, correctly identifies the actual sender even when the HELO is
forged.

AGIS is looking for viable solutions to the overall problem. We have moved
any customers that we receive UBE complaints about into AS 3830 (which is
getting emptier), making them even more visible. This assists in blocking
SPAM domains at the router level. For those using the Vixie-like
approaches, this works. Notwithstanding, this thread focuses on the threat
of such efforts.

Phil Lawlor
President
AGIS

In light of the recent disconnection of CyberPromo and litigation, I
guess we'll tentatively believe this. Of course, you realize that
you're not going to get treatment as generous as mine from many of the
members of this list, who consider you as a major contributor to the
problem. One section from my personal anti-spam reply form letter
might be indicative, and its last paragraph in particular:


I am not a sendmail expert, but I am told that it is in the forgery area
that it could be improved. Forgery and relay hijacking seem to be the
largest areas of abuse. If these areas could be improved, it could go a
long way to solving the problem.

Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax - 313-563-6119

Phil Lawlor wrote:

> I am not a sendmail expert, but I am told that it is in the forgery area
> that it could be improved. Forgery and relay hijacking seem to be the
> largest areas of abuse. If these areas could be improved, it could go a
> long way to solving the problem.

I tend to agree with Phil - to a point. Nip it in the bud. Everyone could
use some strengthening in their AUP and it is up to each ISP to come down
hard on those who abuse the net.

Ease of use, and the free flow of information must be maintained. Fraud,
unrepentant misuse, and theft-of-services should result in loss of access.
Zero-tolerance, and/or a charge structure (fines?) can be levied by ISPs to
combat the scourge.

Phil Lawlor wrote:
> I am not a sendmail expert, but I am told that it is in the forgery area
> that it could be improved. Forgery and relay hijacking seem to be the
> largest areas of abuse. If these areas could be improved, it could go a
> long way to solving the problem.
>

I tend to agree with Phil - to a point. Nip it in the bud. Everyone could
use some strengthening in their AUP and it is up to each ISP to come down
hard on those who abuse the net.

Indeed. As we noted last month on the topic of ingress filtering, you
have to catch this stuff on the _intake_ side, to have any real hope of
spotting the offenders.

Personally, if the spam isn't forged, and is for a real product, and
doesn't include a stupid bulkmail software ad at the top, I no longer
chase it, I just delete it.

Ease of use, and the free flow of information must be maintained. Fraud,
unrepentant misuse, and theft-of-services should result in loss of access.
Zero-tolerance, and/or a charge structure (fines?) can be levied by ISPs to
combat the scourge.

Fines on whom? How would you implement this?

Cheers,
-- jra

Back to sender verification (equivalent of caller ID).

This would allow better reporting of AUP violations to the sending domain
from the receiving domain. Logs could be used to document the violation.

Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax - 313-563-6119

there is provision for sender verification in the exim MTA (a drop in
sendmail replacement that a lot of people are starting to switch to.)
i used it for a while, but it's overly sensitive to sluggish and/or
malconfigured DNS in its current form, so i had to turn it off to
avoid complaints about legitimate business related email getting
canned by administrative prohibition.

the verification only assured that the domain in the helo was legit,
and the domain in the mail from: was legit; it didn't do anything
useful for spammers with addresses like 12345678@aol.com,
unfortunately.

sigh,
  richard
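
The check richard describes, as an added example that is not part of the
original thread or of exim's code: it verifies only that the HELO and MAIL FROM
domains resolve, and it separates a DNS timeout (defer with 451) from a
nonexistent domain (reject with 550). The stub resolver table, the function
names and the reply texts are assumptions made up for this illustration.

```python
from enum import Enum

class Lookup(Enum):
    FOUND = 1      # domain has MX or A records
    NXDOMAIN = 2   # authoritative answer: no such domain
    TIMEOUT = 3    # resolver gave up; says nothing about the sender

# Constructed data standing in for live DNS so the example runs offline.
STUB_DNS = {
    "aol.com": Lookup.FOUND,
    "example.org": Lookup.FOUND,
    "slow-dns.example": Lookup.TIMEOUT,
}

def resolve(domain):
    """Hypothetical resolver: unknown names are treated as NXDOMAIN."""
    return STUB_DNS.get(domain.lower(), Lookup.NXDOMAIN)

def domain_of(mail_from):
    """'<user@domain>' -> 'domain'; None if there is no local part or domain."""
    addr = mail_from.strip().strip("<>")
    local, at, domain = addr.rpartition("@")
    return domain if (at and local and domain) else None

def verify_sender(helo, mail_from, defer_on_timeout=True):
    """Return an SMTP reply (code, text) for the envelope of one message."""
    domains = [helo]
    if mail_from.strip() != "<>":          # null sender (bounces) has no domain
        sender_domain = domain_of(mail_from)
        if sender_domain is None:
            return (501, "malformed sender address")
        domains.append(sender_domain)
    results = [resolve(d) for d in domains]
    if Lookup.NXDOMAIN in results:
        return (550, "sender domain does not exist")
    if Lookup.TIMEOUT in results:
        # Sluggish DNS is not evidence of forgery: a temporary failure makes
        # the sending MTA retry instead of bouncing legitimate mail.
        if defer_on_timeout:
            return (451, "temporary DNS failure, try again later")
        return (550, "administrative prohibition")
    # Only the domains were checked; the local part is never verified, so
    # any mailbox name at a real domain passes.
    return (250, "ok")
```

With defer_on_timeout=False the slow-DNS sender is rejected outright, which is
the behaviour that produced the complaints described above.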

Even if AOL allowed VRFY so you could connect back to them and verify
that the given address was valid, you still have the problem of what if
the message being sent isn't sent by the owner of that address. I could
easily send mail that had postmaster@aol.com as the from address, and that
is certainly a valid from address, but it isn't the correct one.

The problem is that fundamentally you can verify that the supplied from
address is "correct" based solely on what is supplied in the message. The
only way I know to do this is to also require something that is not sent
in the message, but is reflected in the message, such as a digital signature.

If every MTA signed outgoing messages, the receiving MTA could then decide
whether to accept that message based on the certifying authority chain.
You can then rely on CA's policies to base your acceptance of incoming
mail. If you get spammed, you know who did it by the signature, you
report it to their CA (assuming the CA's policy says you can't send out
unsolicited email), they investigate it and revoke their certificate if
they broke the rules. If say, an ISP has a dialup customer send spam, they
should be able to demonstrate the user that sent it has been terminated
and avoid being decertified. Of course, some CAs could require proactive
policies (require correct from address at that ISP, limit the number of
outgoing messages, block connections to third-party MTAs, etc) in the ISP,
and someone that wanted to make sure they didn't get any spam would only
accept messages signed by those CAs with that policy.

I'm not naive enough to think this (or any similarly effective
implementation) will actually be done any time soon. There are simply too
many MTAs out there, many of which are never upgraded. I do think that
something along these lines which allows the technology to enforce policy
automatically is the only way to truly eliminate spam.

John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801

I would like to point out, after much thought and discussion, I believe
completely blocking outgoing SMTP to be a bad idea. Here's the
reasoning.

I may be foo.com, a mail hosting service. My customers send and receive
mail via me, but do not connect via me. I set up a system whereby only my
users can send mail via me (magic elves or something, that's not important).
In this instance, it makes sense to allow your users to send mail via me,
if they are also my users.

By blocking outgoing SMTP you are disallowing the possibility for someone
to use my service, and not necessarily getting the gain that you wanted
anyway.

It's that nose face thing (watch what you cut off).

Justin "No, I don't do mail" Newton

[ On Thu, October 30, 1997 at 14:54:50 (-0800), Justin W. Newton wrote: ]

Subject: Re: Spam Control Considered Harmful

> I would like to point out, after much thought and discussion, I believe
> completely blocking outgoing SMTP to be a bad idea. Here's the
> reasoning.
>
> I may be foo.com, a mail hosting service. My customers send and receive
> mail via me, but do not connect via me. I set up a system whereby only my
> users can send mail via me (magic elves or something, that's not important).
> In this instance, it makes sense to allow your users to send mail via me,
> if they are also my users.

In that case you'll have to establish relationships that transfer the
responsibility for managing and controlling the users from the
connectivity ISP to you, the e-mail service provider.