The Case for Rebuilding The Internet From Scratch 443
dotnothing writes "I just caught a column on a security site advocating for a total start from scratch as far as certain internet protocols like SMTP. It's an interesting idea and there are some ideas on how to conduct the transition... if everyone would agree on something like this it would definitely reduce the spam (among other things)."
Get real (Score:5, Insightful)
Re:Get real (Score:3, Interesting)
Looking at other progressive moves to improve Internet technology is probably the best bet.
Re:Get real (Score:3, Informative)
Re:Get real (Score:5, Insightful)
Re:Get real (Score:3, Insightful)
It's simple! (Score:2, Funny)
Dude, it's easy. You just download the source and:
make
make install
Works every time, er... unless you're missing some dependancies... but apparently Gentoo and the BSD portage system fixes the dependancy problem.
Re:It's simple! (Score:2, Funny)
Not on my system it isn't that easy... Oh well
Re:It's simple! (Score:5, Funny)
I don't think the problem is with your system. :-)
Re:It's simple! (Score:3, Funny)
This says it all... (Score:5, Insightful)
There are some very powerful entities that have a vested interest in keeping things they way they are today. I agree that many of these protocols are being used in ways and volumes never intended by their creators, and a redesign would be highly desirable. But with so many interests involved, how would such an endeavor ever get off the ground???
Re:This says it all... (Score:5, Interesting)
For those interested in higher accuracy and more speed, you can write your own filtering program that analyzes the headers and responds to your unique name and email address.
I just uploaded my version written in Borland Pascal running in DOS.
My spam program filters valid messages at up to 3,000 msg/sec, detects spam messages and decodes base64 at 200 to 300 msg/sec, and has no false positives or false negatives.
The nice thing is it is easy to update when spammers change their tactics. If you are interested in seeing how I do it, download the source file at
http://www3.sympatico.ca/add.automation/misc/spa2
Best Regards,
Mike Monett
(Who tried to re-register but cannot get SlashDot to remember my name and password:)
Re:This says it all... (Score:3, Informative)
This guy has a spam filter that gets zero false pos/negs.
One of the important tests is the spammers do not know your identity, but your friends do. If I find my name in the body of the message, it is not from a spammer. But if a message Cc's several messages to the same isp, I know it is dictionary spam.
I looked at your program, and it does not work as advertised. I get spam with my name in the body. You may not be so unlucky yet.
Second, you filter on things that will trivially return false positives,
Re:This says it all... (Score:2, Insightful)
This is no reason to keep things the way they are. As the world changes, so must industry. Companies that become obsolete adapt or die. If you make software that filters spam and then spam is eliminated, tough cookies, find a new job.
Something like this would g
Re:This says it all... (Score:5, Insightful)
Reading this article, I recalled that the ones that probably would gain the most financially from an increase in spam would be spam filtering companies.
Also, the idea of individuals having certificates was pretty funny. Good way to increase certificate sales without addressing the underlying SPAM problem at all.
Re:This says it all... (Score:3, Insightful)
I complete disagree with that:
First, spam is not the only important problem with SMTP. There's also identity theft. I just finished reading this article [cnn.com] about email identity theft on CNN. When a technology problem hits CNN, you know it's not rare. If people expected email to be digitally signed, this would not have happened.
Second, individual
Re:This says it all... (Score:5, Informative)
But I don't see the spam filtering and security companies as the main obstruction. I see millions of users and companies who would have to change applications as the real problem. Whatever the benefits, this would be highly disruptive. As others have pointed out, look at how long it's taken to get almost nowhere with IPv6.
Re:This says it all... (Score:5, Informative)
Reading the RFCs is a very good start to understanding how to solve this sort of problem. Giving everyone on the Internet (or at least all of the SMTP-sources) an Identity and then actually attaching a record of trust to those identities would be a wonderful idea, and does NOT require replacing SMTP. In fact, if you do it very, very carefully, it probably doesn't even require writing any (or at least very little) new code.
Re:This says it all... (Score:3, Interesting)
Re:This says it all... (Score:3, Interesting)
Highly disruptive, expensive and undesired.
Having a central authority for tying identity to e-mail not only concentrates power and points of failure, but also adds unneeded hasle and real dollar cost.
What you really want is to charge hash cash. The hash cash means the reciever uses just a few cycles to generate a challange and the sender must expend many cycles to create the response. You could set this up so the first time someone sends you a messa
Re:This says it all... (Score:3, Insightful)
If the concern is that current mail clients won't support improved protocols, what's to stop someone from writing an 'email proxy server' which automagically sets itself to handle communications under whatever shiny new protocol (or better use of the old ones) we're talking about, and then sets the user's client to contact it at 127.0.0.1?
Re:This says it all... (Score:3, Interesting)
So how do you see the idea of a parallel system? Without even touching current email systems, someone could implement an "e-squared-mail" system with postage costs, certificates, etc. Getting too much spam in your email inbox? Simply direct your friends and family to use e2mail to contact you. No gateways or entry-points needed; if you want to contact someone without an e2mail address, you can just load your email program and use that. While you're there,
my picks (Score:5, Funny)
Re:my picks (Score:3, Interesting)
So why use DHCP to do something new when DNS can already handle it? Even if itsn ot fully realized in all DNS servers, it's still closer than DHCPs are, sin't it?
Or does DHCP have this inate ability too?
Re:my picks (Score:3, Insightful)
Agreed mostly - but I think it would be a great boon if encryption started being on by default instead of off. Mail clients should default to secure smtp/imap/whatever, and show a security warning if you disable to work with a braindead mail provider. Web browsers should start defaulting to https if no protocol is specified. You get the idea. When *everything* is well-encrypted, privacy is much easier to secure.
The question is... (Score:5, Funny)
Make it worth my while. (Score:5, Funny)
Re:Make it worth my while. (Score:5, Funny)
Just have a new system concurrently (Score:5, Insightful)
Something like IP, otoh, would be best if the new version could coexist with the old version.
SMTP is not bad, broken standards are (Score:5, Insightful)
The main problem does not consist in trying to stop spam in general (that would be impossible), but in making *anonymous* spamming *very* difficult. Standards are there - but many legitimate operators don't care about a standards-compliant infrastructure, stifling security efforts that would be good enough to keep a lot of spam out.
For example, each IP address should have a DNS reverse record pointing to a valid hostname, which resolves to the same IP address. HELO strings and message ID domainparts should be FQDN and not only "office" or "workstation", the sender's host should be an official Mail Exchange (MX) for the envelope-from domainpart, and so on. This way you could easily - using *existing* standards - make sure that the sender is authentic. Anonymous spamming via open proxies or open relays would be impossible, and spammers using their own infrastructure can be RBLd.
So why invent new standards with millions of people having to switch on, which would take 10 or 20 years? Why not use and push existing standards not only as "nice option" for email communication, but as requirements?
Re:SMTP is not bad, broken standards are (Score:4, Funny)
This isn't exactly a new theory... (Score:2, Insightful)
If you want to change the standard, you first must convince people to use your new standard. Now if someone comes up with a shiny new email feature that everyone thinks they *must* have, and it happens to be based on an existing protocol, and there's no way it will work with SMTP, well...
no it wouldn't (Score:4, Insightful)
the only update the internet needs is more IP space and faster connections and Internet2 is already doing that.
Re:no it wouldn't (Score:5, Insightful)
The sick thing about spam is that most of it isn't about selling you anything. Most of it is about creating huge lists of email addresses and selling those lists to the next layer of stupid suckers trying to make money the Don LaPre way.
Re:no it wouldn't (Score:5, Insightful)
I don't know what you're thinking, but making it impossible to forge headers would be a HUGE step in stopping spam. RBL's would become far more useful. Prosecuting spammers would be far easier (since it becomes easier to tell where the spam really comes from).
The protocol is broken in that headers are not really verified.
Re:no it wouldn't (Score:3, Insightful)
automate purchasing domains such as
myspamdomain0001.com
myspamdomain0002.com
m y spamdomain0003.com
myspamdomain0004.com
the same why they automate buying yahoo addresses.
the RBL's would become far LESS useful. because domains have so much value, spammers are going to do everything they can to send email through domains that are not blocked... and in doing that block everyones domain.
verifying headers is damn near impossible unless you have each server log every transact
Re:no it wouldn't (Score:3, Interesting)
the same why they automate buying yahoo addresses.
Buying domains is not free. Setting up yahoo addresses is. That puts a price on SPAM, which would instantly reduce it.
the RBL's would become far LESS useful. because domains have so much value, spammers are going to do everything they can to send email through domains that are not blocked... and in doing that block everyones domain.
Domains should not relay - that's the whole point. That's what RBLs are for, a
unfortunatly (Score:5, Insightful)
A redesign would be forceed to the best interests of conducting business, not sharing information.
It would not cut down spam, only change the form it takes. SPAM can only be slowed via eduacation. People must learn that SPAM is not the way to buy things.
If business don't like the way the internet works, then they can get together and build there own, down to, and including, laying there own backbone.
Re:unfortunatly (Score:2, Interesting)
Who's to say that a redesign would take away? When people banned together to
Bingo (Score:2)
Exactly. Anybody's who's been around Slashdot for more than five minutes should know enough to be terrified of the very idea.
A new design would inevitably reflect business motivations over technical ones at every turn. Say goodbye to the end-to-end concept, get ready for trivially-encrypted protocols just so that the DMCA can be used to force you to use 'authorized' clients that make you view advertisements left and right, expec
Re:unfortunatly (Score:5, Interesting)
Unfortunately, you're wrong about this. SPAM works because the vanishingly small amount of money it generates per message is still greater than the cost of the message. The people who get taken by spam are the same people that get taken by psychics that advertise on cardboard signs. These people will always exist - no matter how much effort is made to educate them.
Two quotes come to mind:
"There's a sucker born every minute" - P.T. Barnum
and
"Knowledge is realizing that the street is one-way, wisdom is looking both directions anyway" - unknown
How History will see it (Score:2, Insightful)
The "net" fell, first one computer, then another, and another.
The web was being taken down, ripped as if it was a spider's web that a clumsy person had walked through.
A few rebels called "Spammers" held out, but they were soon slienced, then, and forever.
But, then a light shined, a new web was forming, first one computer, then another, and another.
And so the story ends, with a new beginni
Re:How History will see it (Score:5, Funny)
Yet rejoice ye not, rather saddend be
for 'tis Windows running, on every damned PC
It seems that while the web was down
MS finished buying off Washing-town.
HAHA... (Score:5, Interesting)
(someday, i will make FP)
Re:HAHA... (Score:5, Funny)
Have you ever seen a mexican bus?
They have 2x the internal capacity filled up AND people hanging off the sides! All the while running at about 1/5 the spped of light on narrow winding mountain roads...
Its efficient? Its also the scariest thing ever!
Can We At Least Agree... (Score:5, Funny)
The old network only consisting of AOlers.
The new network consisting of everyone else.
If this isn't acceptable, could we try just not telling Microsoft?
Re:Can We At Least Agree... (Score:2)
Re:Can We At Least Agree... (Score:3, Funny)
Re:Can We At Least Agree... (Score:2)
1. Get M$ to install ipV6 in Windoze XXP
2. M$ pushes for the adoption of ipV6
3. We all get to switch to ipV6 == profit.
Why would M$ do this favour for us? Simple, Windows 95, 98, ME, NT, ETC, all become useless overnight. (OK more useless.) Forced upgrades baby.
Re:Can We At Least Agree... (Score:3, Informative)
Windows XP already has a IPv6 stack included. Granted all the tools are command line only, but its there and its actually a damn fine implentation. All you have to do now is get MS to push for it.
Disclaimer: I help run ipng.org.uk, a uk IPv6 tunnel broker with /64 delegation and full rdns control.
Agreement? (Score:5, Insightful)
The only way we ended up with something as good as we have was due to the fact that it was created by a small group of very intelligent men with much foresight.
With that in mind I suggest we form a task force to look into this matter. That way we can sleep soundly at night knowing nothing will ever actually happen.
100 per second? (Score:5, Funny)
Hm... At a limit of 100 per second that only means I can send out 100x60x60x24 = 8,640,000 e-mails per day. How am I going to be able to talk to all of my friends now?
Mail servers? (Score:2)
You want to obsolete SMTP entirely? Get real.
imap is a hog (Score:2)
Imap can bring a server to a crawl, espcially if your lusers er clients are trying to sync every porn spam they've recieved in the last 10 years with the latest bug ridden copy of outlook they insist on running.
Re:imap is a hog (Score:3, Interesting)
Nice timing. I am just retrieving the 5345th message from my ISP inbox, which contains a password recovery code. I couldn't care less for the other 5344 messages in there (one year spam collection). Yay! 20min overhead.
It does not classify as little overhead. I could get the message in 2s using IMAP, but nooooo! That'd qualify as Good Service(tm).
Email != internet (Score:5, Interesting)
- Scrapping the Internet is a good idea because spammers have used email to annoy everyone.
- Under this new, hypothetical email system, Verisign would require everyone to buy a secure ID to ensure they are who their messages say they are.
- The columnist is willing to spend more money and lose his privacy in exchange for these conveniences, so we should be, too.
Please. The problem with spammers isn't because SMTP is so weak. The primary cause of the modern deluge of spam is unsecured email servers around the world, allowing senders to spoof their identity and auto-email anyone they happen to have an address for. And no new system, no matter how rigidly secured, will make up for admins who don't do their job; if it did, it would be prohibitively expensive or complicated and thus be impossible to implement as widely as email is now.
The writer, Larry Seltzer, complains about spammers abusing his account, and yet his online publisher sticks a link to his email address right at the bottom of everything he writes. I would suggest that if he wants to reduce the flow of junk to his inbox, he start with his own managers.
See also: (Score:2)
Re:Email != internet (Score:5, Interesting)
and if I may add, also the number of ISPs who don't Give A Shit. Seems from my reading that most within the US and Europe are at least making a start at implementing some decent spam solutions ( complaint monitoring and the actions taken/not taken is really the biggest problem) but from the steadily growing amount of spam I've seen in the last few months, not enough are doing their jobs.
I don't think we need legislation to solve this. I think we need more education and public denial solutions (blacklisting till they've cleaned up their act - and possibly some standard rule set as to how to go about this). There are a lot of spam sites, but I haven't seen any yet who have a really comprehensive list of what should be "kosher" in anti-spam activism. Can anyone point me to a link?
SB
Re:Email != internet (Score:3, Interesting)
You might as well sing the "se
No Way. (Score:2, Interesting)
I don't want MSInternet.
BC
Intel.... (Score:2)
If the Internet has protocol problems then fix the protocols, it didn't take that long for most of the web to adopt http resume.
Fickle Programmers Sickness (Score:5, Insightful)
Same thing here.
The fallacy comes in the notion that something can be perfectly engineered. Nature teaches us that a vulnerability will be found, the weakest link will break, and that the internet will have problems in it.
Just cuz you don't like SMTP doesn't mean you should try to take it away from everybody.
Re:Fickle Programmers Sickness (Score:3, Insightful)
It doesn't have to be that. Every time you rewrite, you make mistakes. Later, you find them and learn so that the next rewrite will have less significant mistakes.
If the internet were to be redesigned, I'd recommend designing it so that the underlying protocols could be changed again later as easily as possible. (while staying secure, of course)
The trick is doing that perfectly...
Evolution not Revolution (Score:3, Interesting)
I can understand the author's frusteration with the current infrastructure, and it might be nice if we could chuck all of the bad at once.
BUT, this is completely impractical and would never happen. The current installed base and backwards compatibility always have and always will act as insurmountable intertia to sudden and drastic changes. The innovators will keep on innovating while the rest of user base slowly upgrades their most woefully inadequate equipment/software to the new standards.
Let's face it: once the internet moved out of the realm of hobbyists and academia and into the commercial sphere it lost the willingness to accept drastic changes. While it continually evolves (the emergence of ipv6, internet2, etc), I don't think we will be seeing a real, identifiable revolution anytime soon.
Brilliant! (Score:3, Interesting)
Try SMTP AUTH [google.com]. Any respectable MTA implements it.
This would take a centralized authority -- without one, enforcement is left to the commons, and we all know what happens then [sciencemag.org].
I'm sure we'd have no trouble finding a decent, well-respected, centralized authority to control all of the world's email. After all, no one has any cause to complain about the Internet's existing centralized authorities [icann.org]!
Might be good in theory (Score:5, Insightful)
Pipe dreams and wishes (Score:5, Interesting)
Last time I checked, actions speak louder than words.
I'd love to see some action to seriously combat spam because, frankly, I think it's going to do some serious damage over the next few years if the current situation is allowed to continue unchecked.
When people stop checking their inboxes because finding genuine messages is like finding a needle in a haystack, and when 25 or even 50 percent of all internet traffic becomes spam, thus slowing down the entire system for everyone and (more importantly) costing infrastructure providers, ISPs and ultimately the end-user serious money, it'll be a bit late to address the problem.
Better that it's done today - I'd rather deal with the disease now rather than treat the symptoms later.
Re:Pipe dreams and wishes (Score:3, Informative)
Won't happen. Blue Mountain Arts had their eCards dumped into the trash by the junkmail filter in OE. Blue Mountain Arts complained to a cou
The most telling line of the article (Score:5, Insightful)
"The Internet was designed to be secure from nuclear attack, not its own users."
The problem is, it's very difficult to protect all of a technology's users from harming themselves with the technology or destroying it all together. Just look at virtually all of our inventions and discoveries: nuclear reactions, cars, CFCs, weapons...you can't generally save people from a technology if a substantial proportion of its users are hellbent on using it to annoy everybody else. I think even an "Internet2" would be unsuccessful unless it was so advanced it could somehow protect itself from its own administrators. But even that has its problems. (Insert Terminator reference here.)
Not going to happen (Score:5, Informative)
The people at PlanetJailbreak [planetjailbreak.com] have designed, from scratch, on paper, the UT2003 version and the work has appeared to have paid off - an incredibly low number of bugs from their alpha testers have been reported. Where there have been many flaws in a package based on a fundamentally old codebase it should be rewritten totally, regardless of it being server or client software. The problem would be getting people to adopt - many people never patch a thing.
Evil Bit (Score:2, Funny)
What we really need (Score:2)
New electical, plumbing, telephone, fiber, roads, everything. Technology has advanced so much over the past 100 years that the infrastructure, in the USA in particular, is a patchwork of "legacy" and new technologies. You can see just driving around places where shitty old telephone poles head underground. Places where you'll see new fancy street lights, with old crappy lights at the next intersection. Of course, it'
Please return to reality and fasten your seatbelt (Score:5, Insightful)
I would even go far to say that even if you COULD rebuild the Internet from scratch, the effort would be useless. The Internet has been an evolutionary system, adapting to the demands users place on it with ever changing requirements. The changes you would make would be accurate for 0.001 seconds, then would start on its own road to obsolesence. You would see this very same article posted on Slashdot about Re-Redesigning the Internet in 2008.
So have fun with the mental exercise, but this beast will always grow on its own.
Porotol upgrade = trash the net? (Score:3, Interesting)
Frankly, I'm surprised more people haven't ditched email for Instant Messaging. Spam just doesn't work on it anymore because permission has to be granted before anybody can contact you. Etc etc.
Re:Porotol upgrade = trash the net? (Score:3, Insightful)
Frankly, I'm surprised more people haven't ditched postal mail for telephones.
That's right, very different purposes. Besides, do you want the majority of all the internet communication in the world to depend on AOL's servers. I thought we all already understood the need to decentralize important services...
Might I point out that you can have a whitelist for you email as well.
Not the *whole* internet... (Score:4, Interesting)
I've been arguing for years that the only way to fix the spam problem is with some kind of certified-user infrastructure. And I doubt that I'm the first person to see this. Filtering simply does not work, as the current volume of spam (60% of all mail traffic, I'm told) indicates. The only question is, how do you make everybody switch over?
Seltzer's idea of SMTP gateways is ridiculous. Its just another filtering solution. Nor does it make sense to wait for Internet2 to roll out -- that technology will probably exist side-by-side with the current Internet for decades.
Not that I have any better ideas. Perhaps users who go to the new protocol could bounce SMTP email with the appropriate "please change" message. Whatever.
In any case, I don't think the answer will come from the standards wonks. More likely the major ISPs will get together and invent something.
Easier Solution (Score:2)
Nice Idea but you've got a lot of machines... (Score:2, Insightful)
Before you say "just get with the program," think of 3rd world countries non-profit organizations and schools who don't have the money for the new hardware and associated software AND licensing for the related necessary upgrades... ("think of the children ca
starting all over from scratch... (Score:5, Interesting)
1) let's clean up ftp. real security options, performance options, etc.
2) smtp. as in the article, smtp needs work, at the protocol level and implementation of mail programs and their handing of information. i really believe that a little key management at the isp level (if enough isp participated) could really make a difference.
3) dns. i would drop
4) more ip addresses. ip6 would be nice, but if i'm starting over from scratch, just increasing the ip address from 32 to 48 or to 64 would help.
5) the ability to do a number of things in a slow, throttled-back fashion to run nicely in the background.
6) better printing protocols. lpd is a mess and the other printing protocols seem to problematic.
7) snmp. this seems to be getting better via v3. the real problem seems to be the software, not the protocol.
just my $0.02
eric
The main source of spam currently is (Score:2)
Adventures of (fanfare) Problem & Answer! (Score:3, Funny)
Answer: Compeletely remake the internet.
Problem: The cost would be prohibitive.
Answer: It'd trigger another tech boom and everyone would have jobs and even dumb people with marginal skills would be paid like chemical engineers.
Problem: The switch over would require eveyone to run parallel systems.
Answer: See above.
Problem: Current security depends more on exclusion than inclusion.
Answer: See above.
Problem: Who are you going to trust to write that security model? A wise collective endorsing open standards, an oligarchy of businesses vying for proprietary standards or the government?
Answer: Oh, the wise collective, for sure.
Problem: But do you honestly believe they'd be allowed to?
Answer: Uh, no ...
Problem: So what do you see?
Answer: A problem.
Already doable with existing stds (Score:4, Interesting)
The author isn't very knowledgable. Quota's for email can be implemented without breaking existng email clients. SMTP allows Authentication via certificates to be layered on top or, most email clients allow SMTP send with authentication.
asked a few people involved in solving the problems of e-mail what would be involved in fixing it. This put them in an awkward position of conflict; after all, spam-filtering vendors and other security companies make their living because these problems exist
Bollocks - the mail guru's who maintain this stuff are mostly volunteers and are not interested in making money off spam/protection. Thats an insult to them.
PKI is the answer - not rebuilding from scratch (Score:5, Insightful)
The argument in a nutshell is that if everybody were using authentication (and encryption would be nice), then everybody could filter spam at the gateway by simply saying, "I don't want to see any un-authenticated mail".
Ok, fine then. Let's all authenticate our email. There are loads of PKI based SMTP gateways. If you're an MS shop, you could even implement this on a per-user basis. There's a lot of security technology out there that isn't being used.
Ask your favourite Win2K network admin this: do they use L2TP and IPSec on all connections between all machines on their network? Probably not. It's kinda crazy that nobody does since this has got to be one of the most sure fire way to improve your security posture because it prevents all passive network scanning from seeing any data of importance.
Similarly, why aren't we all using PKI to sign and encrypt our email. It's nuts that confidential legal and personal messages are sent around the 'net everyday with no encryption whatsoever. When was the last time your mailclient had to use it's S/MIME capability to decrypt a message from anyone? Would your lawyer send you those important documents on the back of a postcard? How about that multi-million dollar deal your company is working on? Would your CEO be happy mailing the paperwork in a clear-plastic envelope that anyone could see?
Seems to me that we need to be smarter and more consistent in using the technology that we have today before we rush out and architect a new solution that will no doubt be full of holes that we can't forsee at the moment. The open standards of the Internet make it both strong and weak. But as they say, "guns don't kill people, I kill people."
How nifty (Score:4, Insightful)
I'll take a pass on this 'solution', thanks. I'd rather deal with spam than make it any easier for anyone to track every single thing I do on the net. Hell, it's too easy as it is, hence the development of things like Freenet....
Max
Lets start over (Score:3)
Then lets redo http, to be more efficient, use a PCI card to do compression... we could make it much more efficient.
Replace all HTML with XHTML
Replace POP3 with IMAP all around
Replace All file sharing with WebDAV, perhaps enhance it a bit.
Then a standard IM Protocol.
Ah life would be good.
Follow the current rules (Score:5, Insightful)
For example one requirement of the SMTP RFCs is that everywhere a domain appears in an SMTP conversation it must be fully qualified AND it must resolve. Unfortunately that requirement is rather widely ignored. Just set your mailserver to reject EHLO/HELO greetings that don't conform and you will bounce lots of spam as well as tons of legit email.
Like the cockroaches they are, spammers rely on hiding in shadows. If legit mail-server operators stuck to the RFCs detecting, filtering and tracking the shady ones out would be easier.
No, it's not perfect, but at least I could do things like check the EHLO against the connecting IP to see if the other server is lying.
I would be absolutely delighted if AOL, Earthlink, Hotmail, Yahoo, MSN and other large mail handlers started being very RFC picky in what they allow. This would force a mass cleanup of non-compliant servers and would make my job a lot easier.
A terrible idea (Score:5, Insightful)
The internet is as flexible and free today as it is simply because it grew up before it was on the radar of the marketing and legal arms of corporate America, and the legislators they send campaign donations to. We're very fortunate about this; an open architecture is what the Internet is "stuck" with, and it's proving difficult for those who would replace it with a closed arcitecture to work against that history.
You had better believe that if we rebuilt the information superhighway from scratch, it would have in place all the controls and restrictions that the various entertainment industry wants, and would be run on standards and protocols which are closed and proprietary. (Many likely from Microsoft, but they would probably be "magnanimous" and licence other proprietary protocols from other companies who have influence with legislators from other states.) In the end, you would not have nearly the flexible and open Internet we have today, but rather something much closer to the one-way "content delivery" system that the entertainment first thought the Internet was, and is now trying to legislate the Internet to be (once they realized that it wasn't naturally that).
-Rob
Already done (Score:3, Funny)
I've already written my own protocol to replace SMTP. I set up three servers to send mail to each other. They've been busy at it all weekend testing it out. It looks like a great success. There's been no spam at all :-)
No Way!!! (Score:4, Insightful)
Of course, copyright proponents would love to inspect the contents of Internet traffic as well, and they would put huge money into getting these provisions into the specs.
Unfortunately the things I mention are not the stuff of crappy science fiction, but rather what has been going on so far wherever certain interests can have an influence. Thanks but no thanks. I'd rather keep hitting the delete key more than a hundred times a day and keep my spam and my privacy wherever I can.
Re:No Way!!! (Score:3, Interesting)
1) Microsoft would offer its "solutions" to the government. As a result, MS would own all of the major protocols of the new net.
2) The DOJ/Dept. of Homeland Security/Schutzstaffeln... err Secret Service/etc. will make sure all these protocols are snoop friendly.
3) The RIAA and MPAA would get in on the mess and lobby for SSSCA/CBDTPA-lik
No more anonymous email? (Score:3, Insightful)
Of course, it was never really supposed to be anonymous, and real e-mail anonymity is only possible if you forge headers and if your mail-server admin doesn't care. Speaking of not caring, I don't care about the anonymity problem.
Sure, your IP address may be in the headers, but to resolve it to an identity still takes the cooperation of your ISP. People use webmail accounts all the time with the expectation of anonymity. People use email to leak rumors and expose secrets, like with the Halloween documents. A friend of mine uses her Hotmail account on a mailing list for domestic abuse victims. There's lots of good reasons to hide your identity online, and I won't give them up just as a quick fix to the spam problem.
Oh, no, not again.. (Score:3, Interesting)
Right -- and guess who's going to make money off of charging 'email taxes' for everybody who wants to send a message? This is like the big kerflufle over the (false) claims that Canada was going to charge a $.05/email tax to help cover the losses to Canada Post.
So now we're going to pay more money to NSI/Verisign for an email cert when they're refusing to deny DNS to prolific spammers? We'd still need a grey-market method of keeping track of which of those certs were sold to spammers.
Before we get too deep into the idea of using PKI to 'secure' email, I'd suggest that people look at the rather interesting article pointed to by the GnuPrivacyGuard [gnupg.org] site about The Ten Risks of PKI [counterpane.com].
A more interesting question is whether this could be done in an open-source manner, with peer-to-peer authentication servers, webs of trust etc.
The protocol wouldn't be so much a drop-in replacement for sendmail as it would be a parallel delivery mechanism. As (and if) it became proven and trusted, I expect that such a system would slowly overtake SMTP as the preferred method of accepting email (with the 'old' method being less and less trusted). Once 'enough' people started using such a system, the critical mass would result in a flip-over in emphasis by the bigger players.
Guaranteed method of fighting SPAM (Score:4, Informative)
If you need to give a site your email addy, leave in a reference to that site. eg slashdot@myname.ath.cx. That way if someone sells your address, an address leaks, or whatver, you know EXACTLY who is responsible, and you can block junk mail without affecting legitimate email.
Ive been using this technique for quite a while. I can check my email and be confident I have no spam whatsoever. At times when I got spam, it always turned out it was a single site that leaked my addy, and I easilly identified and blocked it.
dangerous power grab (Score:4, Insightful)
Yes, just like what Verisign would want: $100/year from anybody who wants to send or receive mail. Thanks, but I'll stick with unauthenticated mail and spam.
If that's the sort of thing you want, you can already run SMTP over SSL--you don't need a new protocol for that. Operating systems terminally incapable of building services out of modular building blocks can hard-code SSL into their mail servers. Reasonable operating systems can use something like stunnel [stunnel.org] for wrapping SMTP [octaldream.com]. Either way, you get authentication. There doesn't even need to be any complex interaction between the SSL authentication and the SMTP server because SSL can simply verify the identity of the connecting host, and SMTP can continue to use its regular host-based identification.
The other important requirement, according to Yu, is a system for tracking resource usage per sender. Basically this means that profiles should be established for normal amounts of mail sending from different types of users. If you limited normal users to 100 messages per second and major companies to 10,000 messages a second it would be hard for legitimate users to complain, but spamming would be much harder.
We don't need a new protocol for this. Per-user throttling of outgoing SMTP connections could be implemented by ISPs at the TCP level, and per-user throttling of incoming SMTP connections can be implemented by the SMTP server. The reason why this isn't done is because it's largely ineffective: many spammers are beyond such controls for outgoing connections anyway, and limits on incoming connections can be circumvented simply by posing as hundreds of different users.
Solutions to the spam problem are things like CAPTCHAs [captcha.net], intelligent text analysis, and communications pattern analysis. Restrictions on who can send what to whom at the ISP level, or the imposition of authentication fees by ISPs or companies like Verisign, however, are thinly disguised attempts at squeezing money out of users. In addition to being ineffective and increasing the cost of E-mail, they also just threaten the openness of the Internet that has made it so successful in the first place.
Won't happen (Score:5, Insightful)
SMTP should be replaced by a protocol that requires authentication. That's the biggest probley (open relays) really. Going any further than that will be more of a pain than its worth.
As for everything else (including IPv4), there are too many old clients out there (old meaning unsupported by the vendor). There are enough Windows 95 clients out there, not to mention other systems where upgrades are simply unnecessary otherwise, to where changing the underlying protocol simply won't happen.
Incremental upgrates, sure. We'll probably end up replacing SMTP -- or updating it -- to support, or even require, authentication. In a few years. We may even supplant FTP with SFTP or some other more secure variant.
But to try and simply replace a major, established protocol -- with no backward compatibility -- simply will not happen. There will be enough resistance and reluctance to make it infeasible; then the upgraders will have to begin supporting both "legacy" and new protocols, and we'll be in a bigger mess than before.
So, my opinion is this: we'll slowly, with full backward compatibility, supplant older protocols with updated ones -- perhaps via adding extensions to them (like SMTP Authentication), allowing slow upgraders to catch up as needed. No revolutionary changes will happen, no forced upgrades...
Well, uh, why not analyze the problem first? (Score:3, Interesting)
Let's take DNSBLs. They stop much spam but they don't end the spam problem. Why not?
Possible answers:
(1) Not enough mailboxes are protected by DNSBL
(2) too many spam-source IPs escape listing for too long
For (1) the answer would seem to be: get more mailboxes protected. Get enough protected so that the amount of spam that gets through is too little for the spammer to earn the cost of sending the spam.
For (2) the answer would seem to be: recognize spam faster, get IPs listed faster. Automated recognition might be ideal. Razor, perhaps, feeding back to a good DNSBL?
If it's filters then the problems include:
(1) Not enough mailboxes protected by filters
(2) Too much spam slip sthrough the filters
For DCC and Razor:
(1) Not enough mailboxes are protected.
See a pattern here? I'd say there are solutions, they just aren't used widely enough. With the recent inititive at AOL to block spam there's been a big change: that's one whale of a lot of mailboxes at least partially protected by something that works. Those AOL lawsuits may do a lot as well.
I favor relay spam honeypots and open proxy honeypots - throw them into the mix, too. To some extent these would help compensate for the "not enough mailboxes" problems - the honeypots might end up trapping spam for those unprotected mailboxes anyway (trapping spam that would be DNSBL blocked only helps in that it reduces some bandwidth costs - the spam is doomed form the start if the mailbox has good DNSBL protection.) But if we had universal (which might really mean 85 - 90%) usage of a good DNSBL then spam might die just from that. No change in protocol, just a bigger effort to use what already exists.
Same for any really effective filter - get it used widely enough and the delivered spam falls below the self-sustaining level.
Why not?
All we need is better VRFY (Score:4, Informative)
-
In order to send mail as "foo@bar.com" and get it delivered, there must be a mail agent for "bar.com" that knows enough about you to answer an SMTP VRFY.
-
Each message sent contains some random ID or digital signature, chosen by the sender.
-
Any mail agent wishing to verify the source of a message can query the senders's mail agent with SMTP and a VRFY, and obtain a reply that verifies the message, using a challenge/response or digital signature system.
-
Ultimately, mail messages that cannot be verified are bounced. During a transition period, some manual authentication scheme involving replying to a message is used.
This is backwards-compatible, easy to implement, and implementable in stages. It would be implemeted primarily in ISP mail transfer agents, so deployment doesn't require end user software.Spammers can still spam, but at least they have to have a real domain name to send from.
We Can Put A Man On The Moon But We Can't... (Score:4, Funny)
Just the other day, there was a big article on the Security Supersite about how the internet might have to be rebuilt to save our children from pornographic spam. And then I read in USA Today how the government is spending $40 billion on outer-space surveillance satellites. Couldn't they put some of that satellite money to better use by constructing space-based laser cannons in geocentric orbit above all the ISPs to make sure our children are safe?
And for a fraction of what NASA spends on all that Mars rover monkey business, I could have a radio-wave-controlled stun gun that would finally stop anyone I thought might be spamming from ever thinking about looking at me wrong again.
It is painfully obvious that the government has the money and resources to build a high-energy force field around every single American, yet it doesn't. I mean, when I'm chasing after spammers with my stun gun it's darn near impossible to ensure my personal safety. Are a few measly cameras in the corners of the Foodland really going to deter an angry man who looks sort of like Alan Ralsky? What about my laptop? The pictures on my screen saver of little Kevin and Annie are irreplaceable! (I'm only going to be a grandmother once, you know! Unless, of course, the government finally gets on the ball with those cryogenic pods.)
And that Hubble telescope, there's a real beaut. Who needs to know if there's life out in space trillions of light years away, anyway? As long as the spacemen don't start sending me special business deals, making me wonder when they will deposit the gold bars in my savings account like that nice man Chavez from Boca Raton, I don't care who they are! If only NASA had aimed that telescope at Boca Raton instead of Pluto, you can bet I'd know what Chavez had for breakfast this morning.
It's shameful the way the internet has been allowed to degenerate, what with unsecure servers and protocols strewn everywhere. Just thinking about all the millions spent on that Mir station gets me in a dither when I check my e-mail and see donkey porn everywhere, with no donkey-porn-sensitive sunglasses to save my poor eyes.
And it sure would cut down on those ill-mannered spammers who keep on spamming despite the ISP's strict anti-spam terms of service if their computers were destroyed by spam-sensitive cybernetic space bees. I only have time to write so many complaints, you know!
If I can't demand killer robot police, then the least I can expect is a laser-powered servo-motored patrol-bot for my yard. How else will I know if it's a that Ralsky look-alike's lawyer trying to serve me court documents or just a raccoon rustling around out there late at night? I understand that in Sweden, every citizen is guaranteed a patrol-bot. But here in the world's richest nation, we go without! The sheer wastefulness of our government makes me sick!
We don't need to kill SMTP to beat spam. (Score:3, Interesting)
If we don't know who they are, we cannot chase them with legal action. If they can be found, then laws stand a chance and the threat of legal action will reduce the numbers. Those who remain can be made an example of.
You can argue that legal options are limited as spam is sent from outside of the country, and that filtering is the only real option. However, even filtering becomes more effective if you can identify where the spam is really coming from. To avoid being blacklisted the multi-million message spammer would have to keep moving domain name and that would prove expensive.
Here is my solution to "Who sent the spam?".
I originally thought that we should ditch SMTP. But now I don't think that is really the case. Besides that would be such a major change that it would probably stop the change happening. SMTP works, it gets the mail there, the only problem is you only have the sender's word for who sent it. We just need to extend the idea a little bit to check who sent the mail, and then wait until the whole world has adopted the extension.
I suggest a new header which indicates that the sender's mail server supports verification. A receiver's mail server that also supports verification then has the option of sending a checksum of the mail (or some token sent with the header) back to the sending server, to ask "did you really send this mail?". Upon no reply or a denial the user settings can elect not to have the mail delivered.
At first only some of your mail will be verified, but you will be certain who sent the verified ones. Later as most of the world begins to use the system, people will elect not to receive unverified mail.
I like this idea because it does not break the existing infrastructure, it does not demand big new central servers, nor does it demand everyone gets a new mail reader. It's just the mail servers that need extending, and they can be done one at a time (or may be not at all) without anything breaking. Also there is nothing about it that will stop people receiving the unsolicited porn spam if they want it, they only have elect to receive unverified mail.
Dejavu (Score:3, Interesting)
How hard could it be to setup a few servers (just like the current DNS Root Servers, which seem to run just fine) to handle keys/certs to validate emails.
It wouldn't be rocket science to get something like this running
- User sends email
- Client looks up keyservers, requests a new message ID, keyserver logs user key with new message id
- mail gets sent, with key and id info
And upon receiving, the client does the same in return. This is a very basic way of detailing it, but i'm sure you all know where i'm coming from. I'm suprised nothing like this already exists in the open sauce community (it probably does, i've just not checked).
Hoorah.
nb: if it's flawed, i don't care.
Re:Rebuild the Internet? (Score:4, Informative)
And to test your IPv6 connectivity - http://ipv6.umtstrial.co.uk/ [umtstrial.co.uk]