My proposed solution to SPAM

Shamshir (n00b; joined Jul 16, 2004; 8 messages)
This whole spam issue is so silly. In fact it could be a non-issue within 1 year.

Think about the root of the problem. What allows spam to be sent, and why can't spam be stopped?

The inherent flaw in internet mail, SMTP, is that there are no controls over who can set up a server and send mail. No authentication, no limits, and certainly no accountability for what is sent. Your SMTP passport is a simple IP address.

Current proposed solutions:

1- Spam Filters?
- false positives are a major issue

2- Is legislation the answer?
- Only on paper to the non-technically inclined law makers who don't understand the root cause of the problem

3- Bill Gates' 'Charge the Sender' plan?
- Too complex to implement and enforce

4- Random logic puzzles that you have to solve per message sent
- Too complex to implement, and too time consuming for the sender

5- Blacklisting domains?
- Too many IPs to blacklist, as new ones pop up every few seconds. Actually, the solution is the exact opposite of a blacklist

Solution: There should be 1 master SMTP white list run by a central body (e.g. ICANN). This list would contain both DNS and IP information of legitimate mail servers.

Similar to the current process of buying and registering a new domain, any organization wishing to send SMTP mail would need to pay an annual fee ($5, $10, whatever) to be placed on the SMTP white list. In addition to the fee, each domain/IP admin would be required to digitally sign a document indicating their compliance with the unsolicited email policy. This would earn them a place on the SMTP white list.

Any organization wanting to avoid spam would subscribe to this list. Similar to the current simple process of subscribing to domain/IP blacklists (ORDB, SORBS, etc.), mail server admins would add the white list to their mail server gateways. Subscribing mail servers would reject all SMTP traffic originating from domains and/or IP addresses not listed in the SMTP white list.

A domain/IP suspected of sending unsolicited emails would be given a warning and eventually removed from the master SMTP white list.

Domains such as Hotmail, Yahoo, and AOL would be treated differently than, say, HOCP.com. The free webmail providers already have good measures in place to limit dummy accounts created to send spam (i.e. anti-bot account creation filters, outbound SMTP limitations, enter the word shown in a graphic, etc.). Spam originating from Hotmail, GMail etc. would be treated on a per-account basis.

This SMTP white list solution addresses many issues plaguing SMTP, and the internet in general:
- cheap fly-by-night servers in China and Russia would be eliminated as a spam source because of the costs and accountability associated with getting your IP on the white list
- the issue of hijacked zombie PCs sending out 60% of all spam would become a non-issue because the IP would not be on the white list
- open relay servers would easily be addressed
- the inability to authenticate email, i.e. phishing, would be all but eliminated
- virus infected mail would be drastically reduced, with onboard SMTP engines having been neutered

I left out some details. But if you stop and think about what inherently is wrong with SMTP email, you realize that this solution, although far from perfect, is the only feasible option. It offers the fewest impediments to implementation and the least amount of administration required to keep it viable.

- P Delshad
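As an added illustration of the gateway-side check the post describes (this is example code written for this thread, not the poster's own design or any real registry's software), the following Python models a subscribing mail server holding a copy of the white list: a connection is accepted only if the HELO domain is registered and the client IP falls inside one of that domain's registered networks, and a listed sender that draws complaints is warned first and removed afterwards. The domain, the CIDR range and the complaint thresholds are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

WARN_THRESHOLD = 1    # complaints before a warning is issued   (assumed value)
DELIST_THRESHOLD = 3  # complaints before the entry is removed  (assumed value)


@dataclass
class Entry:
    domain: str
    networks: list                 # ipaddress network objects the domain may send from
    complaints: int = 0
    status: str = "listed"         # listed -> warned -> delisted


class SmtpWhitelist:
    """In-memory copy of the master white list as a subscribing gateway would hold it."""

    def __init__(self):
        self.entries = {}

    def register(self, domain, cidrs):
        """Add a paying, signed-up domain together with the networks it sends from."""
        nets = [ipaddress.ip_network(c) for c in cidrs]
        self.entries[domain.lower()] = Entry(domain.lower(), nets)

    def decide(self, client_ip, helo_domain):
        """Connection-time verdict as (accept, SMTP reply).  Default deny."""
        entry = self.entries.get(helo_domain.lower())
        if entry is None:
            return False, "550 sending domain is not on the SMTP white list"
        if entry.status == "delisted":
            return False, "550 sending domain was removed from the SMTP white list"
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in entry.networks):
            return False, "550 client IP is not registered for this domain"
        return True, "250 OK"

    def complain(self, domain):
        """Record an unsolicited-mail complaint: warn first, delist on repeat."""
        entry = self.entries[domain.lower()]
        entry.complaints += 1
        if entry.complaints >= DELIST_THRESHOLD:
            entry.status = "delisted"
        elif entry.complaints >= WARN_THRESHOLD:
            entry.status = "warned"
        return entry.status


def build_sample_list():
    """Constructed sample: one registered sender on a documentation prefix."""
    wl = SmtpWhitelist()
    wl.register("example.org", ["192.0.2.0/24"])
    return wl


def run_sample():
    """Exercise the list and return (verdicts, complaint statuses) in order."""
    wl = build_sample_list()
    verdicts = [
        wl.decide("192.0.2.10", "example.org")[0],    # listed network -> accept
        wl.decide("198.51.100.7", "example.org")[0],  # unregistered IP -> reject
        wl.decide("192.0.2.10", "unlisted.test")[0],  # unknown domain -> reject
    ]
    statuses = [wl.complain("example.org") for _ in range(3)]  # warned, warned, delisted
    verdicts.append(wl.decide("192.0.2.10", "example.org")[0])  # now rejected
    return verdicts, statuses


if __name__ == "__main__":
    print(run_sample())
```

Note that the check fails closed: an empty or unreachable list rejects every connection, which is exactly the single-point-of-failure objection raised further down in the thread.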
 
I think that's a great idea and it's simple enough, but you gotta remember that one of the most sensitive subjects to people is money. I think that as the domain is the basic identification of email senders, when you purchase a domain your SMTP server is registered as well. That way you don't pay extra for what you would already have, but it keeps people from getting a new IP every few minutes because it takes 24 hours for DNS to update on a domain. So if you were to change the IP, which should be restricted or monitored for any spam-type activity, it would take a day for the change to take effect.
 
No, that won't work at all.

For starters, you're centralizing all logic. What happens if the place with the master list goes down or is DoS'd off the face of the earth (as it will be nearly immediately)? Now no legitimate mail server on the planet can send e-mail. Ok, so we get around that by having multiple SMTP "root" servers like we do with DNS. Well, those are still vulnerable to attack as was shown last year when several of the DNS root servers came under DoS, destabilizing the Internet for a day or two. Not to mention we've added a layer of complexity, with list synchronization being needed between root servers.

How about syncing the lists down to individual mail servers? Makes the situation almost unkillable, but once the list resides on a local server you're free to edit it at will, thus breaking the line of trust.

The political aspects are equally troublesome. Who decides who is the keeper of the list? Who decides exactly what constitutes "spam", and what the threshold is for being kicked off? (And having worked in several ISPs, you'd be surprised at the variations in definitions for what users consider "spam". I've known folks who consider failed or bounced messages spam, and marketing firms who consider certain types of ads ok, but others not.) And what happens when all of a sudden your users stop receiving legitimate e-mail from servers in foreign countries that don't participate in the program? Users don't care about "they aren't on the server white list", they care about "where's my important e-mail from Singapore?" Verizon tried a global white list earlier this year, and had to drop it after a week because of the outcry from their customers.

And to answer your points you end with:

- cheap fly-by-night servers in China and Russia would be eliminated as a spam source because of the costs and accountability associated with getting your IP on the white list

First off, studies have shown that the majority of spam is sourced in the US right now. Like 26% the last article I saw. And speaking of costs and accountability, a sign-up-and-pay list is insane paperwork for co-los and other hosting companies. Can you imagine having 1000 customers in a facility you now have to get signatures and money for? And then when a customer leaves and a new one steps in? Bureaucratic nightmare.

- the issue of hijacked zombie PCs sending out 60% of all spam would become a non-issue because the IP would not be on the white list

This is a combination problem for users and ISPs. Users need to get better about keeping their systems clean. It's a chore and is hard, but you've gotta do it. On the ISP end, ISPs need to get into the habit of filtering TCP port 25 outbound, restricting users to the ISP's mail host for relaying and using SMTP AUTH to allow authenticated users to relay from anywhere. Zombie spam dies at that point, because even if a trojan/backdoor is smart enough to use the ISP's smart relay host for bouncing its e-mail, that activity can very easily be traced back to the user and steps taken. Road Runner in my area has gotten extremely pro-active about this in the past year, giving users phone calls when they're spamming/virussed and then shutting them down if they don't fix things.

- open relay servers would easily be addressed

Now this one I give you. My blacklists do a pretty good job of taking care of open relays, and sendmail shipping with open relaying turned off as of the 8.11 tree helped bring that down as well, but open relays are definitely a serious problem.

- the inability to authenticate email, i.e. phishing, would be all but eliminated

Phishing e-mails and web pages are client-based issues, not server-based. I use mutt to read my e-mail, and since it doesn't fully render web page e-mail I'm totally immune to phishing. E-mail clients have to be fixed so that phishers can't use URL encoding and other tricks to mask what they're actually doing.

- virus infected mail would be drastically reduced, with onboard SMTP engines having been neutered

Yes it would, until the virus writers figure out other ways of sending their payloads out, like surreptitiously attaching themselves to legit outgoing e-mails.


Now don't get me completely wrong. You are absolutely right in that SMTP cannot handle spam, viruses, trojans and worms. It wasn't designed to, and extending it after-the-fact doesn't completely work. SMTP's a 20 year old protocol and acts like it. To fix the problem requires a complete redesign of SMTP, or a brand new replacement protocol. Trouble is, EVERYONE uses SMTP, and no one is really willing to set up a replacement that doesn't have backwards compatibility, and once you've got that you're right back to the same problems we've got now. Look how long it's taking for IPv6 to get implemented.

The anti-spam tools we have right now work well if you've got your own mail server. I run a combination of blacklists, certain tricks in sendmail 8.13, and spamassassin w/Vipul's Razor. I see maybe 2 or 3 spams a week, out of the hundreds a day that hit my mail server. Unfortunately most of the major ISPs have very rudimentary or non-existent spam protection, which leaves a lot of users out in the cold.
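The ISP-side controls described in the reply above (block direct outbound TCP/25 from customer lines, force relaying through the ISP's own host, require SMTP AUTH there so that abuse traces back to an account) can be sketched as a small policy engine. The Python below is an added example for this thread, not Primus's code or any ISP's configuration; the customer address range, the relay address, the per-account daily limit and the flow records are constructed sample data. It also shows the follow-on benefit the reply mentions: once every relayed message carries an authenticated account name, a compromised machine that has learned to use the relay stands out as one account sending far more than usual.

```python
import ipaddress
from collections import Counter

RESIDENTIAL_POOL = ipaddress.ip_network("198.51.100.0/24")  # assumed customer address range
ISP_RELAY = "203.0.113.25"     # assumed address of the ISP's smart host
DAILY_RELAY_LIMIT = 200        # assumed per-account ceiling; tune to real traffic


def egress_decision(flow):
    """flow: dict with 'src', 'dst', 'dport' and, for relay sessions, 'auth_user'.
    Returns (verdict, reason) for one outbound connection from the ISP border."""
    src = ipaddress.ip_address(flow["src"])
    if src not in RESIDENTIAL_POOL or flow["dport"] != 25:
        return "allow", "not residential SMTP traffic"
    if flow["dst"] != ISP_RELAY:
        # direct-to-MX delivery from a customer host is the path zombie
        # spam engines rely on, so the border filter drops it
        return "block", "outbound port 25 is only permitted to the ISP relay"
    user = flow.get("auth_user")
    if not user:
        return "reject", "relay requires SMTP AUTH"
    return "relay", f"accepted for authenticated account {user}"


def verdict_summary(flows):
    """How many connections fell into each verdict."""
    return Counter(egress_decision(f)[0] for f in flows)


def relay_abuse_report(flows):
    """Count relayed messages per authenticated account and return the
    accounts over the limit: the ones the abuse desk should phone or suspend."""
    per_user = Counter()
    for f in flows:
        verdict, _ = egress_decision(f)
        if verdict == "relay":
            per_user[f["auth_user"]] += 1
    return {u: n for u, n in per_user.items() if n > DAILY_RELAY_LIMIT}


# Constructed one-day sample of customer traffic.
SAMPLE_FLOWS = (
    # zombie on a customer line trying to deliver straight to a remote MX
    [{"src": "198.51.100.40", "dst": "192.0.2.10", "dport": 25}] * 50
    # unauthenticated attempt to use the relay
    + [{"src": "198.51.100.41", "dst": ISP_RELAY, "dport": 25}]
    # ordinary authenticated customer
    + [{"src": "198.51.100.42", "dst": ISP_RELAY, "dport": 25, "auth_user": "alice"}] * 5
    # compromised customer whose malware uses the relay with stored credentials
    + [{"src": "198.51.100.43", "dst": ISP_RELAY, "dport": 25, "auth_user": "bob"}] * 250
)

if __name__ == "__main__":
    print(dict(verdict_summary(SAMPLE_FLOWS)))   # {'block': 50, 'reject': 1, 'relay': 255}
    print(relay_abuse_report(SAMPLE_FLOWS))      # {'bob': 250}
```

The port-25 filter is what removes the zombie traffic; the relay count is what keeps the "smarter" malware the reply anticipates from hiding, because the relay log names the account rather than just an IP.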
 
Um, I use Cloudmark with Outlook.
I haven't had spam for over a year.

So why are we fixing a non-existent problem?
Sure, let's create another bureaucracy to help get in the way.
I am sure that that will IMPROVE our email.

/a few heads-on-spikes would go much further to ending spam
 
Primus said:
Now don't get me completely wrong. You are absolutely right in that SMTP cannot handle spam, viruses, trojans and worms. It wasn't designed to, and extending it after-the-fact doesn't completely work. SMTP's a 20 year old protocol and acts like it. To fix the problem requires a complete redesign of SMTP, or a brand new replacement protocol. Trouble is, EVERYONE uses SMTP, and no one is really willing to set up a replacement that doesn't have backwards compatibility, and once you've got that you're right back to the same problems we've got now. Look how long it's taking for IPv6 to get implemented.

Very true. Why not create a new, secure protocol that does eliminate the issues we see with spam/viruses/trojans/worms? During the ramp up phase, it will add some complexity, as user-friendly ISPs (or users of user-unfriendly ISPs) will have to combine messages coming in from both protocols. This is a solvable problem.

Then, when critical mass for the new protocol is reached, ISPs can begin to remove the old SMTP protocol from service. This would be easier than the IPv6 cutover (which IMHO should already have been done) since it would be easier for two messaging protocols to co-exist.

This new protocol could be easily pushed by getting several of the biggest ISPs to adopt it and provide incentives (faster message delivery for the new protocol?) for other ISPs to do the same. Especially if the new protocol is intelligently enough specified to actually cut down the work the ISPs have to do to support it compared to SMTP.

Primus added:
The anti-spam tools we have right now work well if you've got your own mail server. I run a combination of blacklists, certain tricks in sendmail 8.13, and spamassassin w/Vipul's Razor. I see maybe 2 or 3 spams a week, out of the hundreds a day that hit my mail server. Unfortunately most of the major ISPs have very rudimentary or non-existent spam protection, which leaves a lot of users out in the cold.

That's the problem - 99.9999% of the people out there are not [H]ard enough to do that, nor do they want to be. As much as we would like every user to secure their system and keep from adding to the problem, it isn't easy enough.

The internet we use is not the same one originally envisioned, and a default response of trust is no longer the right way - instead we need to change things to a default level of mistrust. This extends beyond just SMTP. Once everybody from protocol designers to programmers, administrators and users get that point, things will quickly improve.

I'm just not holding my breath for that to happen.
 
Lots of good ideas, but IMO the best way to stop spam is by education. You can think of spam like a retail store: if nobody goes there and buys the product, the store folds and is a memory. The reason spam is still around is that some people simply buy the product they are selling.

There are various ways to help curb it, but spammers are of the not-so-ethical bunch and will find means to get around whatever measures are put in place. But if the market is not there, they'll have to pack up and move onto the next scheme.
 
Very true. Why not create a new, secure protocol that does eliminate the issues we see with spam/viruses/trojans/worms? During the ramp up phase, it will add some complexity, as user-friendly ISPs (or users of user-unfriendly ISPs) will have to combine messages coming in from both protocols. This is a solvable problem.

The problem here now is that the protocol process has been irrevocably politicized. That's what brought us the whole Sender ID/SPF fiasco. In order for a new protocol to gain acceptance and wide use, the big boys (Microsoft, AOL, Google, Yahoo, etc) have to jump on the bandwagon. Each player is going to want things done their way with their little extras, and if they can't get it they'll either take their ball and leave, or we'll end up with a fragmented, useless result. (Again, see Sender ID/SPF.)
 
jcthornton said:
Very true. Why not create a new, secure protocol that does eliminate the issues we see with spam/viruses/trojans/worms? During the ramp up phase, it will add some complexity, as user-friendly ISPs (or users of user-unfriendly ISPs) will have to combine messages coming in from both protocols. This is a solvable problem.

Then, when critical mass for the new protocol is reached, ISPs can begin to remove the old SMTP protocol from service. This would be easier than the IPv6 cutover (which IMHO should already have been done) since it would be easier for two messaging protocols to co-exist.

SMTP is secure, if the servers are doing what they are supposed to do, and are asking for the username and password of the person sending the mail before allowing it to go through. The problem is, Microsoft Outlook Express saves the passwords in an easy-to-get-at place, so zombies can cut and paste from that list until they find the password for your SMTP server.
Thunderbird has the same problem, though it hasn't had much attack-code written for it because it is still a margin product.

The big thing is that Microsoft Outlook has so many things wrong with it, that Microsoft should start over and make SURE that it can't be used by a spammer, by trying every sneaky coding trick they can think of during the testing phase, and fixing any holes that they find.

As another poster said, we also need to go from a default trust on the internet to a default distrust on the internet. Namely, only letting certain websites that are trustworthy use advanced functions of browsers, i.e. Javascript, Active Scripting. There should also be a central whitelist of banking, movie, game, retail sites, etc. that a person can download, say "Update", and the whitelist on their computer is updated instantly.
This would need to be done by a multi-national group somewhere, but it would be MORE than worth it, since most viruses and spyware come from certain known illegal or infested websites. We would also have to be careful that the whitelist is not seized by someone trying to delete sites off the list just because they do not agree with what the site is hosting, i.e. porn, racist literature, etc.

Third, we have to get on Microsoft's case about releasing products with as many unfixed security and other flaws as they do. There have been INFINITE numbers of security patches for Windows XP, and I am sure that the same thing will be true for Vista and Microsoft's latest, greatest operating system, unless we really start putting the hammer down and pass laws saying that companies that make software ARE responsible for virus and other damage to computers, if the viruses are coming in and doing their vile duty through a fixable flaw or hole.
 
Some comments...

SMTP is secure, if the servers are doing what they are supposed to do, and are asking for the username and password of the person sending the mail before allowing it to go through.

SMTP AUTH is an extension of the SMTP protocol, put forward in RFC 2554 dated March 1999. It's not part of the original SMTP spec. It's also a writhing bitch-and-a-half to set up, especially if you don't have a user database in one of the formats SASL natively talks to (generally RADIUS, LDAP and local passwd). Learned this the hard way with an ISP whose user database was in NIS. Only attempted solution was via PAM, and it never worked properly. But I digress. All SMTP AUTH accomplishes is an authenticated user, and perhaps some TLS on the u/p transmission if so supported. An authenticated user alone does not a secure system make.

There should also be a central whitelist of banking, movie, game, retail sites, etc. that a person can download, say "Update", and the whitelist on their computer is updated instantly.

As I mentioned in my first post, centralized = single point of failure. A central whitelist WILL, ABSOLUTELY, come under attack almost immediately. The various business concerns (legitimate and not) behind most spam, virii and spyware will DDoS the thing into next millennium since it directly threatens their business models. Smaller operations like the anti-spam SMTP blacklists come under DoS attack all the time right now, and they're not universally used.

This would need to be done by a multi-national group somewhere, but it would be MORE than worth it, since most viruses and spyware come from certain known illegal or infested websites.

Actually, virus, spyware and phishing writers are getting pretty damn sophisticated in how they set things up. Randomized domain names are getting quite common, as are rotating lists of places the payloads get downloaded from. Updating the list is going to be an administrative nightmare, plus its size will balloon quite quickly. Not going to be fun when you're downloading a multi-megabyte whitelist on a regular basis, plus the computer overhead of having to work through the list every time you go somewhere.

We would also have to be careful that the whitelist is not seized by someone trying to delete sites off the list just because they do not agree with what the site is hosting, i.e. porn, racist literature, etc.

And what happens if it does? Everyone's hooked into this list and it just got hijacked. So now either you have to un-hijack it, or you end up with a group splintering off and forming their own list. There's a ton of that in the SMTP blacklist relay database world.

You bring up trust a lot. That's a really good concept to talk about here. But how do we determine a trusted authority for this information? And what happens to us, as end-users, if that trust is broken? The problem isn't as simple as "set up a central whitelist and all our problems go away".
 
namatad said:
Um, I use Cloudmark with Outlook.
I haven't had spam for over a year.

So why are we fixing a non-existent problem?
Sure, let's create another bureaucracy to help get in the way.
I am sure that that will IMPROVE our email.

/a few heads-on-spikes would go much further to ending spam

I have to agree 100% here. I think that blacklisting on an e-mail to e-mail basis is the only real way to go, since it doesn't require any infrastructure changes, making implementation instantaneous. Also, it doesn't really suffer from false positives.

-BombrMan
 
If you take a step back to security basics, the best security practice is a default deny and to explicitly define your trusted processes. Any other approach (blacklist) leaves you constantly reacting. The only way to stay ahead of the threats is a proactive approach. That's why a "whitelist" is more effective than a "blacklist".

But, we also have to consider why SMTP is the primary protocol used for email. SMTP has done so well because it's efficient and easy to implement. But, the strengths that have made SMTP the standard are also the weaknesses that the spammers are exploiting. In order for a solution to be widely accepted, it will require the same strengths of SMTP, but add security. Complex, difficult-to-manage, or proprietary solutions won't become widely accepted.

namatad said:
a few heads-on-spikes would go much further to ending spam
The real problem with spam is that it is actually profitable. Until you remove that factor from the equation, stopping it will be incredibly difficult. Drug dealers' "heads roll" on a daily basis. But has anything really put a dent in the illegal drug trade? Not really. That's because there is always the motivation of money.
 
MorfiusX said:
But, we also have to consider why SMTP is the primary protocol used for email. SMTP has done so well because it's efficient and easy to implement.
I actually giggled when I read this. It may be easy to implement (and you'll have to tell me what software you use. Sendmail/qmail, two of the best SMTP servers out there, are bitches to set up), but it's anything but efficient.

No, the real reason smtp is as popular as it is, is due to the fact that the big boys can't play nice nice with each other ( as someone else has mentioned ). If AOL, Google, MS, IBM and a few others got together to work out the details of a new protocol, and actually played nice with each other, it'd be the new standard in under a year.

Best we can hope for from that situation, in reality, is a useless protocol so badly designed no one would use it.

And I take issue with saying spamassassin has too many false positives. A well-trained SA is a beautiful thing. When combined with Spamhaus, well, I haven't seen a spam in my inbox in over three months (and that's saying a lot).
 
XOR != OR said:
I actually giggled when I read this. It may be easy to implement (and you'll have to tell me what software you use.
Well, after you've set one up a time or two, it becomes a lot easier. But, that's not limited to just SMTP. That's with anything. There will always be a learning curve.

When you compare setting up an SMTP email system to setting up PKI, SMTP seems easy.

XOR != OR said:
And I take issue with saying spamassassin has too many false positives. A well-trained SA is a beautiful thing. When combined with Spamhaus, well, I haven't seen a spam in my inbox in over three months (and that's saying a lot).
Agreed.
 
tdg said:
You can think of spam like a retail store: if nobody goes there and buys the product, the store folds and is a memory. The reason spam is still around is that some people simply buy the product they are selling.

Really? How much Viagra is purchased through these e-mails? How many people get mortgages from these e-mails?

Spam sucks, and it sucks even more that people make money typing these bogus e-mails.

Spammers should get a real job. They have been posing as "marketing companies" for too long. All they do is clog inboxes with shit.
 
Shamshir said:
Any organization wanting to avoid spam would subscribe to this list. Similar to the current simple process of subscribing to domain/IP blacklists (ORDB, SORBS, etc.)
Since you mention SORBS, would anyone know this?

My ISP, Cogeco, tells me I have trouble receiving mail from 2 friends on Yahoo accounts because the mail server they are on is on the blacklist at SORBS, and Cogeco blocks those blacklisted servers. The majority of mail goes through, both ways. The odd one bounces back. I sent them the bounce-back and they told me it's because the Yahoo server is currently blacklisted and Yahoo has no interest in getting itself delisted.

So if they are blacklisting that mail server, why are some emails getting through & only a few bouncing back? Both Yahoo people are on dial-up, does that make a difference?

Thanks!
 
Well, until there is a really good answer... I'd like to see someone who can write a nice little program that can be used as an extension of whatever client you are using to:

1. Highlight unwanted e-mails

2. Package them up unopened

3. Return to sender (as well as send a copy of all of the other e-mails in the package to each of the other spammers in the package, thus flooding them with their own crap)
 
Town_Girl said:
Since you mention SORBS, would anyone know this?

My ISP, Cogeco, tells me I have trouble receiving mail from 2 friends on Yahoo accounts because the mail server they are on is on the blacklist at SORBS, and Cogeco blocks those blacklisted servers. The majority of mail goes through, both ways. The odd one bounces back. I sent them the bounce-back and they told me it's because the Yahoo server is currently blacklisted and Yahoo has no interest in getting itself delisted.

So if they are blacklisting that mail server, why are some emails getting through & only a few bouncing back? Both Yahoo people are on dial-up, does that make a difference?

Thanks!
Sorry to bring back kind of an old thread, but I'm in the same boat with a client of mine. They too have several Yahoo! accounts that can't get through reliably because of the SORBS list.

What options are there regarding the SORBS list?
 
_Durandal_ said:
Sorry to bring back kind of an old thread, but I'm in the same boat with a client of mine. They too have several Yahoo! accounts that can't get through reliably because of the SORBS list.

What options are there regarding the SORBS list?
A bit late in replying, but... there are no options. Yahoo has to pay SORBS to get its server taken off the blacklist. Eventually they will do it, but it takes a while. Until then, there's nothing you can do.

And I found the answer to my own question as to why some mail gets through and other mail doesn't. Each time the Yahoo person sends a mail, it gets sent from the first available server (Yahoo has more than one mail server). So mail will periodically get sent from one of the blacklisted servers and thus not go through.
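The intermittent bounces described in this reply follow directly from how a DNS-based blacklist (DNSBL) is consulted. As an added example written for this thread (not SORBS's, Cogeco's or Yahoo's code), the Python below shows the lookup a receiving mail server performs: it reverses the octets of the connecting IP, prepends them to the list's zone name and does an A-record lookup, treating any answer as "listed". It then walks a constructed pool of three outbound servers, one of which is listed, to show that only the submissions that happen to leave through that server bounce. The zone name `dnsbl.example`, the addresses and the listing data are all constructed; a real lookup would use the list operator's published zone and the live resolver.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """'192.0.2.7' + 'dnsbl.example' -> '7.2.0.192.dnsbl.example'."""
    addr = ipaddress.IPv4Address(ip)          # rejects anything that is not an IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip, zone, resolve=None):
    """True when the DNSBL answers the query with an A record.
    `resolve` maps a hostname to an address string or raises socket.gaierror
    for NXDOMAIN; the default is the system resolver, which needs network access."""
    if resolve is None:
        resolve = socket.gethostbyname
    try:
        resolve(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


# Constructed sample: the provider sends through three outbound servers and
# exactly one of them has been added to the list.
OUTBOUND_POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
LISTED_IPS = {"192.0.2.11"}
SAMPLE_ZONE = "dnsbl.example"


def fake_resolve(name):
    """Offline stand-in for the resolver, answering only for the listed IP."""
    for ip in LISTED_IPS:
        if name == dnsbl_query_name(ip, SAMPLE_ZONE):
            return "127.0.0.2"   # DNSBLs conventionally answer from 127.0.0.0/8
    raise socket.gaierror("NXDOMAIN")


def delivery_outcomes(pool, zone, resolve):
    """What happens to a message for each outbound server it might leave from."""
    return {
        ip: ("bounced" if is_listed(ip, zone, resolve) else "delivered")
        for ip in pool
    }


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.7", SAMPLE_ZONE))
    print(delivery_outcomes(OUTBOUND_POOL, SAMPLE_ZONE, fake_resolve))
```

Because the sending side picks whichever outbound server is free, the receiving side's verdict changes from message to message even though neither the sender's account nor the receiving server's policy has changed.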
 
thespymaster said:
Well, until there is a really good answer... I'd like to see someone who can write a nice little program that can be used as an extension of whatever client you are using to:

1. Highlight unwanted e-mails

2. Package them up unopened

3. Return to sender (as well as send a copy of all of the other e-mails in the package to each of the other spammers in the package, thus flooding them with their own crap)
Except you're forgetting the major flaw in SMTP that does not require the spammer to use a legitimate FROM address, so either it is fake or a different person's actual email address.

Also, even if the spammer was using an actual email address you would never want to reply to it. All you are doing is verifying that your email address is valid and therefore making it more valuable to spammers.


But at least your heart's in the right place :)
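To make the objection concrete: the From header, and the envelope sender that ends up in Return-Path, are both supplied by whoever submitted the message, so a "return to sender" feature has nothing reliable to aim at. The only sender-related fact the receiving server established itself is the connecting IP it wrote into its own topmost Received line. The Python below is an added example for this thread, not from any poster; the message is a constructed sample with documentation addresses, and it shows a client-side check that refuses to auto-reply when the claimed and envelope senders disagree.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a forged message as it sits in the recipient's mailbox.
# The topmost Received line was written by the receiving MTA (mx.example.org);
# everything below it, including From, came from the sender.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby mx.example.org with ESMTP id abc123; Mon, 2 Aug 2004 10:00:00 -0400
Received: from cheap-host (unknown [198.51.100.77])
\tby mail.example.net with SMTP; Mon, 2 Aug 2004 09:59:50 -0400
Return-Path: <bounce@unrelated.example>
From: "Your Bank" <security@bank.example>
To: victim@example.org
Subject: Account notice

Click here.
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Bare, lower-cased domain from an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def sender_evidence(raw):
    """Separate what the sender claims from what our own MTA observed."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    top = RECEIVED_IP.search(received[0]) if received else None
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    return {
        "from_domain": from_domain,                      # free-form, chosen by the sender
        "return_path_domain": return_path_domain,        # envelope sender, also sender-chosen
        "delivering_ip": top.group(1) if top else None,  # recorded by our MTA: the one hard fact
        "headers_agree": from_domain == return_path_domain,
    }


def safe_to_auto_reply(raw):
    """A client-side 'return to sender' feature should refuse when the claimed
    sender and the envelope sender disagree: the reply would land on a forged
    or third-party address and confirm that our own address is live."""
    ev = sender_evidence(raw)
    return bool(ev["from_domain"]) and ev["headers_agree"]


if __name__ == "__main__":
    print(sender_evidence(SAMPLE_MESSAGE))
    print(safe_to_auto_reply(SAMPLE_MESSAGE))   # False
```

Even when the two headers do agree, the check only tells you the sender was consistent, not honest; it is a guard against the worst outcome (bouncing junk at an innocent third party), not proof of origin.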
 