The Anti-Spam Research Group's Plan for Spam

egoff writes "Speaking of standards, the ASRG, a member of the IETF, has a plan for "consent-based communications." Among the suggestions, according to Internet Week, are authentication services for falsified addresses, trusted senders, reputation systems (karma?), opt-out tools, best practices for challenge/response, and even a proposal for micropayments on unwanted mail. Instead of defining spam, the ASRG wants to provide administrators and users the tools necessary to avoid what they consider to be unwanted. One of the tools, Reverse MX, is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf."

THAT would be very useful...

"One of the tools, Reverse MX, is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf."

This would more or less force spammers to send from their own domains... Or from ISP's that are spam friendly.

It might not STOP spam (though blacklisting would be easier), but it'd make it traceable...

Which would make it easier to file complaints under the anti spam laws.

Re:THAT would be very useful...

Checking the MX record of the domain in question would just be an extra step.

If you actually read the internet draft in question, you would realize that checking the RMX record (not MX) is an extra step that could be much more effective than the sorts of checks that are done today.

The reason it works better than existing checks is that it doesn't just verify that the sender's claimed domain exists (has an SOA or maybe MX record), but also if the new RMX record exists, it can verify that the IP address of the initiator of the SMTP connection is authorized to transfer email on behalf of that domain.

This is a great idea, because it can be phased in gradually. Owners of domain names that are commonly used fraudulently (e.g., hotmail.com) can add the RMX and APL records to their DNS, and then any MTAs that use RMX verification can determine whether the machine sending the mail is authorized. MTAs that don't use RMX are unaffected and will still receive mail regardless of RMX records. If a domain doesn't have an RMX record, a spammer can still forge mail from that domain, because even an RMX-enabled MTA will accept mail from that domain (though if RMX catches on, someday that may change).

If new versions of MTAs have RMX enabled by default, eventually more and more domain owners will respond to complaints about spam forged from their address by adding RMX records to their DNS.

Let's hope that sendmail, qmail, postfix, exchange, etc. implement this soon!

Re:THAT would be very useful...

I do like it as a partial solution (there aren't going to be any good total solutions in this affair). The benefits would probably accrue mainly to the big email services (Yahoo, Hotmail) whose domains are most often forged onto spam. Many people arbitrarily thow away mail purporting to come from there, which must be hurting them in some fashion. Since no one's going to reject mail on the basis of a missing RMX record, spammers will start forging mail from domains having no RMX records at all (or possibly a few serving 0.0.0.0/0 records). So probably not a strong benefit, but it'd help restore the viability of the major email services somewhat.

I do rather suspect that if RMX authentication were widely deployed we'll see DNS cache poisoning attacks come into vogue again. And if there's a set-in-stone system with an even larger deployed base than SMTP, it's DNS.

Re:THAT would be very useful...

This is where SMTP Auth comes in handy. Have your smtp server authenticate you and allow you to send e-mail from wherever.

Re:THAT would be very useful...

... but how would you tell the difference? And you would still be able to use your email address as an identifier from anywhere, provided that you use the correct mail server.

It would also be very convenient if you could change the caller-ID of the phone you are dialling from to your home phone number, when dialling from a friend's house or from work...

Reverse MX possible problems?

Many if not most ISPs have very odd setups for e-mail for load-balancing purposes where outgoing e-mail does not go through the same SMTP server that incoming mail heads into. I wonder how that will affect this system?

This new mechanism will help eliminate forged e-mail from-fields though, and allow for easier message filtering.

RMX is designed to take care of that

The RMX record can return any IP addresses that it wants, the receiving machine just does a DNS lookup on the originating address and makes sure that IP is authorized to send mail. Read the RFC for more details.

Re:RMX is designed to take care of that

So the onus is upon the individual domain owners who would not wish people to spoof using their domains?

Sounds like adoption rates will be high and this plan will take off like a rocket.

Re:RMX is designed to take care of that

makes sure that IP is authorized to send mail

Who "authorizes" my machine to send mail? DHCP on cable modems is evil enough. What new hoops are people thinking of to enforce the "client" nature of all but comerical machines?

Cooperate and I'll Read

You know, I wouldn't mind receiving advertisements in email if:

1. They were about things I gave a damn about
2. They were marked (like ADV:) for easy filtering

What bothers me about spam are the violations of those two. I don't want emails about printer toner, or bigger schlongs. And I don't like having ads clutter up my inbox, where email from people I know and such belongs.

But if I could filter it all into an "Ads" mailbox, just like I have mailboxes for various mailing lists, I would scan the offers about stuff I might actually want. I'd be much more inclined to "click through" then, while my all-time number of click-throughs of spam email to date totals 0.

Re:Cooperate and I'll Read

But if I could filter it all into an "Ads" mailbox, just like I have mailboxes for various mailing lists, I would scan the offers about stuff I might actually want. I'd be much more inclined to "click through" then, while my all-time number of click-throughs of spam email to date totals 0.

Why not just be honest. Didn't you really mean to say /dev/null? Ads mailbox my ass. IF I WANT IT IN MY MAILBOX, I'LL SIGN UP TO IT. OTHERWISE, KEEP THE FUCK OUT. Marketers don't realize that I'll allow free access to friends, relatives and anyone else I've had an existing business relationship with. All others can pay ME to use it or subsidize my ridiculously expensive internet bill, which their current efforts are what keeps it so friggin' high in the first place.

Christ, who do you think is paying for any of this shit? US!!

Re:Cooperate and I'll Read

I don't want emails about printer toner, or bigger schlongs.

I thought I was getting 50 spam messages a day before I found out that it was just my wife trying to get me a bigger dingus.

anything is better than the toll methods

I have a real aversion to the idea of paying to send email of any type, so any method that is not in that vein is progress in my opinion.

Paying to send e-mail is not the solution

Right now, part of the problem is that ISPs and users are bearing the cost of spam. In the end, any of the costs to the ISPs are passed on to their customers. Making us pay to send, is going to cut down on the usefulness of e-mail to legitimate users. If I have to pay by the message, I'm going to think twice about a quick note to a friend asking if he wants to meet for lunch. I'll pass along fewer cool URLs.

On the flip side, spammers will still send from addresses that can't be collected from. Many spammers are willing to harass people, steal the bandwidth they've paid for, and lie to people about everything from the return address on the e-mail to the fact that the opt-out procedure is actually just a verification that they have a live address. We won't even go into their claims about the efficacy of the products they sell. Is it even a stretch to believe that they will continue to lie to ISPs and defraud them of payments for the e-mail they send?

Micropayments for e-mail would kill it.

good incremental approach

I like the idea; the problem is getting uptake on it. You need to encourage a lot of people. The way to do this is to get the "big" ISPs in on the scheme immediately. Participants should alter their mail transfer programs to tag the SUBJECT line of the messages with the word Untrusted. This will cause receivers to know, and significant embarrassment for those not participating...which will cause their mail system to be upgraded to participating status.

Unless the bad effects of not participating are directly visible (as in subject line), it's gonna take too long.

inevitable

It's inevitable. E-mail as we know it is going away.

Spam is now the enemy. It must be destroyed. Here comes the IETF to solve the problem.

SMTP Next Generation is on its way. The only question is the exact design. The general outline is already known. First, there will be real-world verification of identity tied to every account capable of sending SMTP NG e-mail. There will be a transition period where people can sign up for "upgraded" (NG) e-mail accounts; then, a period where these "upgraded" accounts can receive e-mail from other NG accounts as well as from old, potentially anonymous accounts. Business and government users will transition to NG.

Then, there will be an Internet-wide deadline, upon which all NG e-mail addresses will be unable to receive e-mail except from other NG addresses. All SMTP old generation traffic will be blocked. The old base of mail users will be forced to transition to SMTP NG. At this point, if there is ever a complaint about spam, the spammer can be tracked down and booted off Internet e-mail forever. As a result, spam will cease to exist.

The day the Internet died. Sure, it will be more "efficient" then. No spam. But it won't be free.

Don't cry about it. It happens to all technology. Those who need anonymous communications will just move to something else. Maybe web-based discussion, for example. Just no more truly private, truly anonymous, or truly free e-mail.

Coming soon to your neighborhood.

Re:inevitable

Just no more truly private, truly anonymous, or truly free e-mail.

E-Mail isn't anonymous, and never has been, (your IP is traceable back to you) unless you use an anonymous remailer.

If SMTP2 or whatever is successfull, then people will make anonymous remailers for it.

Great article on RMX

Great write-up on RMX [mikerubel.org], brought to you by the same guy who came up with an easy way [mikerubel.org] to snapshot [slashdot.org].

Short lived phenomenon

Spam is simply not profitable enough to last much longer. It is the last of a dying breed of pioneering Internet money-making schemes like the pyramid scheme emails and banner ads. Eventually the spammers will move on to other means of money making because their revenue is guaranteed to drop off as their tactics turn more and more people off.

Instead of fighting the good fight here, the best thing to do is let this dying ember peter out on its own. Forcing spammers to use more drastic tactics just results in them doing more harm in the long run. If there had been no resistance at all, we'd probably be seeing a much more mature and respectable online advertising industry instead of the random, haphazard, and very annoying multitude of spam king wannabes downloading their spam kits and setting up shop.

RMX sounds kewl, but...

Here's your fly in the soup:

It only works when receiving mail with an forged and uncooperative sender-address. Nothing will prevent a spammer listing 0.0.0.0/0 as authorized sender addresses provided he controls the DNS for the envelope-sender. /me sees domains like a cat walking on your keyboard being used as throw-away domain for spamming. (lkjshret.com IN RMX 0/0)

It will increase the cost of a spam-run, and that's good news. On second thought: I like it.

Re:RMX sounds kewl, but...

No you miss the point, the point is to check the from/sender address is valid. Yes a spammer can use THEIR domain from any machine, so what? They have to identify their domain. Not my domain for the receiver to accept their email. Yes they can set it up and I will get the spam but for the first time I will be able to trace where it came from. Ah but you say they just bought the domain on a stolen CC card yes perhaps they did but we are starting to get a paper trail to the spammer who would also be a criminal if they did that.

This is a first step to fighting spam "knowing your enemy", war will continue.

James

James

ugh...

...reputation systems (karma?)
Oh god, Karma-whoring email... what'll they think of next?

Go abroad, lose e-mail address

One of the tools, Reverse MX [ietf.org], is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf.

According to the linked draft, this is supposed to be a "protection against e-mail fraud, especially spam". No mention is made of legitimate uses that are also killed.

When I travel abroad, I send e-mail with my own home e-mail address as the sender through the foreign ISP's SMTP server (and collect mail with POP3 from my home ISP as usual). This has several advantages such as not needing another e-mail account and still being able to post to mailing lists. This plan will lump that in with "fraud" and make it impossible. With whitelisting on private e-mail becoming more and more common, this will be even more of an issue.

If the spammers do not make e-mail as we know it unusable, trust clueless antispammers to do that job more thoroughly.

(Another sign of their cluelessness in that draft is their statement that "spam is not yet exactly defined". The definition is, and always has been, unsolicited bulk e-mail. You can't get more exact than that.)

Re:Go abroad, lose e-mail address

When I travel abroad, I send e-mail with my own home e-mail address as the sender through the foreign ISP's SMTP server (and collect mail with POP3 from my home ISP as usual). This has several advantages such as not needing another e-mail account and still being able to post to mailing lists. This plan will lump that in with "fraud" and make it impossible. With whitelisting on private e-mail becoming more and more common, this will be even more of an issue.

This is a really weak argument to continue to allow anyone to impersonate me (well, to pretend to be allowed to send mail for my domain). There are two simple reasons why:

• Your ISP does not have to implement restrictive RMX, they can allow any IP address to send mail on their behalf. If you don't like your ISP, switch to a more permissive one.
• You can use authenticated SMTP or POP3 before SMTP to send mail from your ISP mail server. Authentication exists for a reason!

Basically, if you aren't happy with RMX, just find a different ISP (probably one that is spammer friendly, go figure) or set up your own domain. I like this solution because the market can decide whether or not it will be useful and user choice (in spam filters) can be preserved.

I hope we'll be able to add this useful tool to SpamAssassin soon.

(I agree with you entirely about "spam" already having a perfectly good definition: UBE. I suspect their weasel-words are due to the influence of the DMA and their allies who claim that spam is only a problem because of fraud and scams. No, spam is a problem because I'm being flooded by UBE. I don't care if it's fraudulent or not.)

The Solution to Spam Is Obvious

We already know who some of the spammers are. Heck, some of them have admitted it! What we need is good old-fashioned mob justice. If we all have a hand in the lynching, how are the coppers supposed to know who exactly did the killing? I suggest that we rename Saturday Spamurday. Every Spamurday we all mob the home of a spammer and lynch them in a very public manner. Soon, the spam should start dropping off, because who would dare risk their lives to mob justice to make a few bucks selling penis enlargers?

spam sucks...

Anything that can stop or slow down spam before getting to the client has my vote. Right now about 80-90% of my mail is spam. I read my mail with 3-4 different computers and email clients(including internet/html) and most of them dont have spam filters of any kind(the only one is mail on osx) so i end up getting most of my spam and having to sort through it.

So getting the spam stopped before the client even gets it is basicly the only way to rid myself of it.

Paul Vixie proposed something like this

The original discussion on Nanog can be found here [cctec.com] or perhaps here [dragoninc.on.ca]. He originally had the proposal on his site [vix.com] (dead link) but he seems to have taken the page down, and I don't see any reference to him contributing to this draft.

Hidden Features

Mail agents like Mozilla will have to become more sophisticated about what mail relays they use when sending mail. Suddenly it's not okay to send both your personal e-mail and your work-from-home e-mail through your DSL ISP's mail server since your work domain DNS will claim no relationship with your DSL ISP's server.

Could Mozilla use RMX to determine on the fly what relay to use? It sees that you're sending from a @slashdot.org address, so it does an RMX lookup on slashdot.org and discovers the IP of all the relays for that address. Ah, a nice clean new standard... the desire to abuse it is overwhelming. :-)

An ironic side effect is that mail administrators are going to have to open up more holes in their relays. Your users can't just bounce mail off their random ISPs anymore. They have to use the real corporate mailserver now, which means you can't just lock things down by IP address such that only internal corporate users can use the relay.

Pay a deposit to send a spam.

Here is what I think. Forget all the complicated stuff. At the ISP, give every email account a whitelist, containing email addresses to be let through. Each email that is sent is checked against the whitelist. If the sender is not included on the whitelist, the email is automatically rejected. Users can optionally set up their account to accept any emails.

But here's the fun part: As a recipient, each user sets up their account with a "deposit price" for bypassing the whitelist. You can set that price to any amount in your currency of choice. As a sender, you can set the maximum amount that you're willing to pay, so that you don't suddenly get billed/debited/charged some outrageous fee. If someone who is not on your whitelist needs to send you an email, they pay a deposit. When you receive the email, you either accept it or reject it. If you accept it, you do not get paid; the sender keeps the deposit. If you reject it (meaning you've read the email and decided it was spam), the deposit paid by the sender is paid to you. It's enough to set the deposit to something like 50 cents. You'll probably get highly targeted emails at this price. I wouldn't mind risking 50 cents to send someone an email that I think they'll accept. You could set it to a few dollars to reduce the noise even further. But you could set it to any price you want. If you REALLY don't want email from sources not included in your whitelist, you could set the deposit to thousands of dollars. With this system, you'll be HAPPY to receive spam! And spammers either won't be able to afford it, or recipients will start making some money.

RMX does nothing to solve what it breaks

Any server that has a RMX record, should also have a compulsory, authenticated way of sending email from an unauthorized address. For instance, I'm now at home, and I would like to send mail with my University address. I can not do that, because the University blocks relaying from external IPs. So I send mail with my ISP account, but with the headers of my University account. If my University implemented a RMX record, I could no longer to that. And unless I can authenticate with the University servers to send mail through them, I can't send mail with my own mail address on it! If I can authenticate and send with my Uni account then it is fine, if not this will cause a big stink and RBX being dropped. Really.

Kjella

Monster.com and intermediaries

The RMX approach is certainly very interesting. Although not based on DNS I had previously asked an AOL postmaster for similar information about what servers could legitimately send mail from any aol.com domains. That simple step has allowed me to block almost 100% of all spam reporting to come from joerandomuser@aol.com. I've been looking for similar information from the other big ISPs that spammers love to forge but with little luck.

Of course there may be a few things that this breaks (not that they shouldn't be fixed to work a different way). One is email intermediaries. SMTP was originally designed to be store and forward, and it used to be quite common that mail took many sometimes unpredictable hops along its way...direct end-to-end connections were not nearly as unbiqutious as they are now. But there still are cases where an SMTP intermediate hop may exist for legitimate reasons, but which may be unknown to the sender; thus they would not be listed in the RMX access list.

Another "questionable" practice that would be affected are services like monster.com, which send mail (usually resumes) to subscribers (companies hunting employees), but forge the sender address as being the real address of the individual, not of monster.com itself. Thus monster.com forges mail from almost any domain all the time; even though that mail can hardly be described as "spam" since the individual being forged has authorized monster to do it, and the recipient is paying monster to recieve them... But that kind of practice would still be affected without some workaround.

Oh, and if you want end-to-end authentication why don't more SMTP servers use the STARTTLS (aka SSL) mechanism with REAL certificates just like web servers do? If this became standard practice then it would be much easier to do SMTP server authentication with existing technology, and in a way that is completely transparent to the users (MTAs).

I wonder if it's to little to late...

Really, this stuff should have been done years ago.

I doubt it will help all that much though, for one thing spammers could forge headers for any of the huge number of domains with lazy admins that do not use reverse MX. The vast majority of admins can't be bothered to close their relays, so I doubt this will help to much.

Even when the vast majority of sites out there implement it, a spammer can simply buy a domain name, and setup a DNS server with entries for all of the open relays they find, or used a hacked DNS server that simply says any IP address is a valid sender.

So this won't stop spam, but it will probably prevent people from using email address of people who don't have anything to do with the spam, however, which is a good thing. And we'll be able to track down spammers via their DNS servers.

These are all bad ideas

These plans are awful. Authentication services and trusted senders are a way for the certificate authorities to decide who can or cannot send mail (be it spam or political speech) [1]. Micropayments are a tax on speech. Challenge/response is patented. Opt-out tools depend on a centralized database from which spammers will harvest addresses. Reputation systems are an invasion of privacy.

Most of the proposals are probably patented (as ridiculous as that may sound). No doubt the recent spam proposals are being pushed by folks with an agenda totally unrelated to spam. There is no way they would get this much media attention without a commercial PR department. Which begs the question, who is behind ASRG? The guy in charge [irtf.org] has six pending patents [ciphertrust.com] on this very subject.

To stop spam, we should use less invasive approaches such as bayesian filtering and common sense legislation (mandatory headers and spam-hunting boundies aren't a bad idea). We do not need privacy-invading, censorship centers which outlaw open-source solutions.

-----

[1] I fully expect that if we adopt authentication systems, the certificate authorities will permit paying marketeers to spam anyone they choose.

Let's find a cure, not a treatment.

The spam issue has some interesting parallels in the models of the new economy. Just like in other industries like healthcare and pharmacuticals, the major players are not interested in a "cure". That's not profitable for them. A more appealing approach for them is some method of "treatment", preferably something that obligates the user to continually do business with them in perpetuity in order to maintain their spam-free condition.

Efforts to regulate the content of spam messages, inconsequential civil penalties, client side filtering, and any system which filters mail based on content caters to this impotent approach to addressing the spam problem. It offers no cure. It does nothing to reduce spam; it does nothing to discourage spammers; it does nothing to address the most serious problem of spam, which involves unfair and often illegal exploitation of resources.

Maybe this is the new way. We don't actually solve any problems. We just put bandaids on them and allow them to consume more wasted resources, and the demand for more resources, hardware and bandwith is what drives the new economy.

Call me idealistic, but I think it sucks. I am appalled that so many people will settle for such shallow and ineffective approaches to these problems. But I guess I shouldn't be surprised. Most of these people profit from the existence of spam so why bite the hand that feeds them on a major artery when you can collect some bucks and merely trim their nails?

The Internet was Founded on Trust. Do This.

The internet started on a model of trust. We know we can't trust the spammers and we knock ourselves out trying to implement that distrust. All the while we operate in a manner the spammers can fully trust: if a system says it's an open relay it really is, if a system is secured against being an open relay it proudly proclaims as much. We're just as honest about open proxies. We assist the spammers thousands of times a day by being trustworthy. Isn't that exactly why why they find it so easy to commit abuse? We keep being honest and trustworthy with the spammers - we help them. Stop doing things that lead to our being hurt, start doing things that hurt the spammers. It's an easy and logical progression to make.

It's time to destroy the spammers' trust in us. This should have no impact on anything legitimate: it's targeted on the spammers. Those who never go looking for open relays will never be deceived by fakes - it's only the spammers who fall victim to the deceit. Same for open proxies - who goes looking for them other than abusers? Doesn't that seem to be exactly right - harm those who would do harm, don't touch the rest? There are behaviors that only spammers exhibit. Target those, make life miserable for the spammers.

The ASRG methods, all of them, are designed to be the same for everyone - they are targeted on what spammers and non-spammers do in common and then are supposed to make use by the non-spammers impossible. To do that everything will have to be changed. That will take years and it will take nearly full compliance to be effective. It will be like the "secure open relays" campaign of a few years ago. To actually stop spam that had to be universal, or very nearly so. Instead there are still hundreds of thousands of open relays, more pop up every day. How many years for full compliance? Alternately there may have to be a D-day for a total switchover - a source of huge complexity and disruption. Before commiting to that isn't it necessary to make sure there is not something less drastic which will work to end spam?

If instead people opposed to spam change their behavior toward the things spammers and only spammers do then ordinary email can be left as it is - if those behavior changes end spam. Foremost of the behavior changes would be stop ignoring spammer abuse. Spammer abuse is an easy target, an easy path to hitting spammers and completely missing non-spammers. Spammers have two choices: spam direct or spam via abuse. If you knock down spam via abuse then they're left with direct spam. That you can hit adequately using blocklists. ASRG wants to make spam impossible by making every single spam message imposible. That's overkill - it's only necessary to make spam cost more than it returns. That can be done - without a total reengineering of the system.

The big question is: are anti-spammers smart enough to stop spammers by going after the abuse? I say they are, when you include in "anti-spammers" all the people that do not like spam. The alternative position would seem to be that anti-spammers are smart enough to stop spam by changing the entire internet but not by doing anything lesser. I can't agree to that - not unless those limited-intelligence people explain why that is. Isn't there the roots of a paradox in that?

Disrupting email will backfire.

There are several good scenarios which depend upon the way the SMTP system works currently that will break as a result of a change like this.

What do we do for the millions and millions of users who currently send mail via older software from their home system, tell them that they are screwed out of sending email? The beauty of SMTP is that it works. Assuming that this change is implemented, it will probably cause millions of users pain, and those users won't put up with it.

Once those users switch to a different email system, say for example, Microsoft Exchange. The damage to SMTP will be complete. Then again, what am I saying... I have stock in M$... Bring it on. :P

Seriously, though. Filtering is the responsibility of the client, not the server. Why do we need to impose new rules, which are just as easy to fake, rather than working on making the system work better for the user.

SPAM@Home

Most of the SPAM that comes to my site is currently of the SPAM@Home variety, i.e. the same message comes from hundreds or thousands of compromised hosts, from thousands of different addresses, to thousands of my users. As far as I can tell, rMX won't have any effect on these distributed SPAM networks.

:w

I don't care if you think it's "fair", etc...

My organization has roughly 120 Internet email users and a quick grep -c of the logs reveals that in the last week my server has denied 700 messages from open relays or known sources of UCE. In spite of this I have to wade through around ten spam emails each morning before I can get to work and I regularly get questioned by vice presidents and the CEO about why I'm "not blocking pornographic emails". RMX, micropayments, filtering, and other solutions may not be ideal. They may, to some degree, restrict free speech. They could require extra effort on the part of legitimate senders or admins of spam-unfriendly ISPs. It's possible that such schemes may do away with Internet email as we know it... but after deleting the fourth email this week (each from different network) containing an animated GIF of a woman sucking a horse's penis I don't give a crap. The problem has to be dealt with and if that means that you have to change email clients, switch to a email service that supports authentication, use a web-based service when traveling, update your DNS records, or close your open relay that is fine by me.

Force closure of open relays...

I wonder how hard it would be to create some code to close open relays on popular mail servers such as MS Exchange?

Assuming this code could be written, one would then write a selection of Viruses and/or worms which would carry this application as the payload.

It would be all the more amusing if this were an email virus. Then we could very easily purchase a CD containing millions of fresh names for only $19.95.

Make Your Own Spam Arrest

My article for building this got denied last night so I'll post it here instead. To create a list of authenticated users automatically that allows people to enter their address etc.. via a web form (much like Spam Arrest [spamarrest.com] visit this how-to [xombo.com]. It requires only a web server, php interpreter and Mercury e-mail server.

why not authenticate to mail server to send mail

I authenticate to check mail, so what is wrong with authenticating to send mail ? Then I could use the intended relay for any account from anywhere on the internet.

Seems obvious enough, I must be missing something. Why wouldn't this work ?

RMX-plus

Here are some ideas I came up with that build on RMX to help prevent, and prosecute spam.

The first involves anonymous domain names. The author of the draft suggests simply not accepting mail from annon domains. I don't know if I really like this idea. A better system might be a RTBL type list of anon domains known to vouch for spam. That way someone could get a domain name without giving up personal info, and still be able to send mail.

Another usefull feature would be to sue non-forging spammers. Everyone could upload their spams to a group server. Since most states have laws that allow you to sue spammers for small amounts of money per message, once enough are collected from a single domain a lawsuit with enough of a financial incentive to actualy go through could be undertaken.

RMX draft's author's worries

It's interesting to read the RMX draft's author's concerns that RMX would never be deployed:

10. Deployment Considerations

Is there a concise technical solution against Spam? Yes.

Will it be deployed? Certainly not.

Why not? Because of the strong non-technical interests of several parties against a solution to the problem, as described below. Since these are non-technical reasons, they might be beyond the scope of such a draft. But since they are the main problems that prevent fighting spam, it is unavoidable to address them. This chapter exists temporarily only and should support the discussion of solutions. It is not supposed to be included in a later RFC.

10.1. The economical problem

As has been recently illustrated in the initial session of the IRTF's Anti Spam Research Group (ASRG) on the 56th IETF meeting, sending Spam is a business with significant revenues.

But a much bigger business is selling Anti-Spam software. This is a billion dollar market, and it is rapidly growing. Any simple and effective solution against Spam would defeat revenues and drive several companies into bankrupt, would make consultants jobless.

Therefore, Spam is essential for the Anti-Spam business. If there is no spam, then no Anti-Spam software can be sold, similar to the Anti-Virus business. There are extremely strong efforts to keep this market growing. Viruses, Worms, and now Spam are just perfect to keep this market alive: It is not sufficient to just buy a software. Databases need to be updated continuously, thus making the cash flow continuously. Have a single, simple, and permanent solution to the problem and - boom - this billion dollar market is dead.

This stops mass mailing worms too (only partially)

Most mass mailing worms send infected email with forged sender address. This technique seems can stop large number of these emails too (except when the domain of the forged address is the same as the domain of the real one). This reduces the number of complaints against the wrong person of sending virus.

Erm...

"the ASRG wants to provide administrators and users the tools necessary"

Are they going to e-mail everyone with an offer to sign up? Oops! ;-)

What's wrong with using the law for this one?

Slashdot is for geeks so I guess a technical solution to spam seems logical. However, is fixing this legally really that hard? First, it is a problem that has governments and corporations and users - in fact everyone except the spammers - are all on one side. It should be possible to get an international agreement to ban spam in this case. International agreements can/do work if they have support and they are realistic (for example banning CFCs worked). So the support is there - is it realistic? One of the things this group avoided is to try to define spam. But why do you need to have a precise definition? Something simple should work like:

For any mass email that is sent, the sender must be able to prove that the receieve gave his/her permission. Certain standards could be set here (eg. this permission must be opt-in for example). All bulk email must contain the details of the sending company and the option to ask said company to remove your details. Any company violating any of these rules or *aiding* a company to conceal this information (eg running an open gateway) should be fined heavily. Any country not signing up should be suject to sanctions (eg they cannot receieve international internet access or IT services from any signing country until they enforce these laws).

Now there are probably places where suggesting like this could be refined - but why is a legal solution to this problem such a wrong idea in general?!

This article is bogus

The ASRG seems to have trouble figuring out a plan for lunch, let alone agreeing on a plan for spam. There are some indviduals who have proposed their particular spam, but it's wrong to say the ASRG has come to any conclusions.

Denied :P

I think it's rather fitting that my new spamassassin installation blocked my slashdot news letter containing this article.

Re:Isn't it obvious what the plan is for?

I like spam. Hearing the "You've got mail" message all day long makes my coworkers think I'm doing actual work. Seriously.

Dragon Action Figures [mibglobal.com.au]

The real ASRG: Research Group

Are these guys supposed to be actually implementing anything or just doing research? The entanglement of the IRFT [irtf.org] and (one of their sponsors) the IEFT [ietf.org] in the stories make it unclear, but the group's charter [irtf.org] make it clear that they have to define a lot of terms first.

Re:Well, well.

These people can't even work out an org chart for their tangle. Strictly speaking, the ASRG is an IRTF group, not an IETF one.

rfc2014 [rfc.net] The IRTF focuses on longer term research issues related to the Internet while the parallel organization, the Internet Engineering Task Force (IETF), focuses on the shorter term issues of engineering and standards making.

It'll be interesting to see what short-term solutions to spam they can come up with.

Re:Attach a brick, or a picture of one

When spammers provide a legitimate unsubscribe address

Yes, when. (Besides, it's usually a web link.)

Re:SPAM blocking is SIMPLE and EASY dammit!!

Whatever. His basic statement is to ditch your existing email, get a new one, get a couple of others for misc purposes, and never give out your email address.

Go Hide.

Bad answer to spam my friend. And frankly, it IS bullshit. I have had my email since 1992. It is me @ my domain. I absolutely possitively REFUSE to give it up.

IT IS MINE.

I won't jump through hoops and do this and that for the spammers to hide from them. I also just happen to have hundreds of spam trap addresses and they silently eat the spam and block the IP subnets. No questions asked. Hoops like this I'll jump through -- because logically it is more fun than "just hit delete". I personally like a good challenge.

The only way to get unblocked is a phone call to me. I have been doing it this way for a while (years) and have gotten now four (4) such calls across a half a dozen domains I manage. I see maybe 1 spam a week now.

There are, however, THOUSANDS of attempts daily and ~100 new subnets being added daily (recently). Shortly I'll have ALL the dialup & dsl lines identified across the entire Internet. Sad really.

I personally like the RMX record setup myself. I've always questioned why it isn't like this already. Can the spammers themselves properly setup a mail server and spam away? Sure. I can also block them that much easier. It's going to be a LOT harder for them to move around all the time. Hi-jacking dialup's and just using them will no longer work (and this has been their #1 method to date). The #2 method, hi-jacking mail servers themselves, will continue, but their numbers are limited (if not already all blocked :).

This won't mean one more bit of work for the end dialup user moving from ISP to ISP (legit). It will mean another configuration for the domains, but if it works as planned? Problem seriously cut back if not solved.

Re:Well, well.

"One of the advantages we have is that the entire community is involved," said Judge
No comment. None at all. :)

Ah, maybe you are another of the people Paul has identified as a competative threat and ejected from the group.

Basically the ASRG has become just a PR machine for Ciphertrust. All but one of the competing anti-spam vendors found that their email was being 'moderated'. As a result the ASRG now consists of essentially five people.

One of the members of the group basically set out from the start to make sure it would fail. He is well known in the anti-spam world and does not want a rival to his own scheme. So every proposal that anyone made was attacked on any and all grounds, repeatedly in pretty unpleasant terms. People were called liars and worse. So Judge decided to moderate the folk who were being attacked but not the person deliberately trolling, why?

ASRG does not have the whole community involved, it does not even have a single one of the major ISPs, let alone a major software vendor involved at this point.

The ASRG has from start to finish been nothing but a vehicle for ciphertrust's publicity interests. No research has been allowed, that would risk an idea being proposed that competed with ciphertrust's product.

The IRTF chair is aware of the situation and the group is probably going to be terminated or radically re-organized in the near future.

Re:SPAM blocking is SIMPLE and EASY dammit!!

Avoiding war is SIMPLE and EASY dammit -- if some other country wants your land, just roll over and give it to them.