I have been reading lots of articles recently about how to combat spam. One thing some of the articles have touched on is the problem of authentication. Email doesn't authenticate where the email comes from or is going. It is trivial for spammers or viruses to fake the From address and the return path. It is trivial for them to send their email through open relays or blast it directly to the victim mail servers.
One possible solution is to introduce authentication into the SMTP protocol. This wouldn't protect the From: header in mail messages. But it would protect the return path that is used for bounce messages. It can also be used for access control. This is the difference between knowing the message came from your friend Bob, and knowing that some bob@example.com sent the message.
Introducing public-key cryptography into the protocol would not be too hard. SMTP has a mechanism for extensions and adding commands. However, any public-key signature system would depend on distributing the keys and enabling the access control. This requires infrastructure to regulate the sending of email. It requires more centralization in deciding who can send email. It also requires organizations to buy into the system before it helps in limiting the spread of email.
One way to help with the infrastructure problem is to have companies that provide the authentication services. They would run relays that sign messages for its customers. The customers would sign up for accounts, with either monthly or per-email fees to limit the amount of email that could be sent through the system. The relay companies need to be able to authenticate its customers but existing SMTP authentication or SSL cliet certificates are widely supported by email clients.
There would also need to be a mechanism for ISPs to join the system. They would need to get certificates that could be used for signing messages. And even become CAs for creating new certificates for servers and clients.
Authentication would be used to create a group of mail servers that can trust where email is coming from. They can send bounce messages. The postmaster and abuse email works and is answered.
It also helps tie the email system into the legal system. If a spammer breaks into an account and sends a million email that should normally cost $10,000 to send through a commercial relay, that is much more serious offense using some unkown number of open relays. Or forging a cryptographic signature is much more serious than just putting some characters in an email.
I remember hearing
[i]ntroducing public-key cryptography into the protocol would not be too hard...
several years ago, so I think it might be more difficult than you imagine.
The important thing to me is not making sure that a spammer can never send a message. The important thing is that he can be found and punished for theft and trespass.
... because there are perfectly legitimate reasons to want to send mail anonymously or from a throw-away account. For example, I might want to send mail to a corporation criticising their customer service, but not want them to have my real address anywhere on file. Or I might want to ask a question about my embarrassing disease on a mailing list. Or a question about an area I'm meant to be an expert in, and I'm afraid my employer might fire me if they find my post in the list archives.
No, the way to stop spam seems to me to be to make it too expensive to send. I don't mean too expensive in terms of money, but in terms of computer resources and time. Which, of course, boils down to money really. Using a scheme like hash-cash, senders' machines can be made to solve a puzzle involving some Hard Sums before they are permitted to send mail. If the puzzle takes 30 seconds to solve, that's sufficient. I don't care if my individual messages are delayed that long. A spammer will care though, because if it takes 30 seconds to solve the puzzle required for each recipient, they're limited to sending just 2800 messages a day, rather than the tens of thousands they send an hour now.
This won't break mailing lists either, because all legitimate mailing lists are opt-in. So the user knows to expect bulk email (SOLICITED bulk email) from that source, and can exempt it from having to do the Hard Sums. Because all legitimate mailing lists are *confirmed* opt-in, the confirmation message could say something like "you need to add FOO to your whitelist. When you've done that, do BAR to confirm your subscription". People who don't exempt the list from the challenge/response system should get a single message telling them that they've screwed up, and then have their list membership suspended.
This does of course require support in software - on the server and in clients - for it to gain mass acceptance, but while that's a big problem, it's not insurmountable.
There's still the issue of spammers using hordes of zombie machines to send their spam, rather than bulk-mailing it themselves. Spammers won't care about the victims of their worms and viruses having to expend cycles. I favour making it illegal to use a computer in an irresponsible manner, just like it's illegal to use a car or a gun irresponsibly. Once a few hundred ignorant users have been locked up to become Bubba's Prison Fucktoy pour encourager les autres expect to see the number of virus and worm infestations plummet.
Re:Authentication is bad ...
iburrell on 2003-10-16T20:19:47
Calculating the signature wouldn't be a difficult problem that takes 30 seconds to calculate. But it would slow sending email down a little. An important feature of the system would have to be that something is calculated for every single recipient address. Also, there would have to be a mechanism that prevents calculating the signatures in advance. Perhaps the receiving servers sends a nonce that must be included in the signature.Re:Authentication is bad ...
drhyde on 2003-10-16T20:28:51
The hashcash FAQ is here.Re:Authentication is bad ...
iburrell on 2003-10-16T20:44:04
I was thinking about using something similar for the authentication of sending to recipients. One lack of that scheme is that it doesn't include the sender in the calculation. It still allows forging the sender address. I was also thinking about having the receiving server send a nonce that need to be included in the calculation. This makes it difficult to precomputerOne reason to put the authentication in the SMTP protcol is that the sender and recipient addresses are well defined there. Email clients have a harder time knowing what addresses was sent to and which address to look at. Not to mention the problem of exposing the email addresses that were sent to.
I think anonymous email is important. The problem with the current mail system is that anyone can forge any other email address. In an authenticated system, you couldn't send anonymous email as any other user, but you could use a random address from a special domain. The servers for anonymous email would have severe restrictions on how much email could go through them so they couldn't be abused by spammers.
Re:Authentication is bad ...
Louis_Wu on 2003-10-16T21:08:19
And if I fake being the mailing list sender?This won't break mailing lists either, because all legitimate mailing lists are opt-in. So the user knows to expect bulk email (SOLICITED bulk email) from that source, and can exempt it from having to do the Hard Sums.I don't know what the answer is (I'm not sure if there is "an answer" or even a set of services which together might be "the answer") to fixing email, but for a Hard Sum to work, those machines/addresses which are exempted need to be authenticated in some way.
So maybe we combine some methods. We require personal users of email to do Hard Math, and we authenticate large users of email. So the PumpKing would likely want to go the authentication route, but an anonymous emailer could do Hard Math.
Combine these with some other methods of communication (journals, wikis, RSS feeds, IM, IRC) and there might actually be a chance of a high Signal to Noise ratio in the future. Or maybe I'm just fooling myself.
Re:Authentication is bad ...
drhyde on 2003-10-16T21:31:37
Not sure how you'd authenticate listservs - by ensuring that the sender is one of a known set of IPs, perhaps.
I don't have a problem with authentication if there is an anonymous alternative which is at least as widely available. However, getting Hard Sums widely implemented strikes me as being easier than getting a world-wide trust relationship and authentication scheme working. For one reason why that's such a difficult problem, look at who is one of the supposedly trustworthy CAs for SSL certificates. Vericrime. Hah!
Re:Auth won't work
iburrell on 2003-10-16T20:32:21
Bad security on user computers is one reason I think authenticating the servers is more important than clients.Not to mention that is easier to deploy to the servers instead of forcing every client to upgrade their software.
When money is involved, the users would have an incentive to keep their accounts secure. If a breakin into an account results in a $100 charge and email being disabled for the rest of the month, then people might take the security seriously.
The involvement of money and more robust security means that it is easier to show what spammers are doing is illegal and illegitimate. Spammers try to claim that they are providing legitimate marketing tools. If the only way they can send email is to break into people's computers and steal their money, their claim are more obviously bogus. And the law can get involved.
Re:Auth won't work
Matts on 2003-10-17T08:19:56
It all comes down to cost at the end of the day.
Make sure all servers are authenticated. Great. No problem.
Make sure all clients are neither spammers, nor insecure. Not an easy problem.
It takes large amounts of resources in terms of abuse desk costs, and support costs (if you shut down 200,000 users at an ISP because they run infected versions of windows, how much do you think that will cost in terms of support? Think 1 hour on the phone to each customer). And you have to offer that support because people simply aren't technical enough to secure their computers.
On the margins that ISPs run at, this is simply impossible.
Want to change the margins? Fine, but who's going to do that first and see all his customers run to the next ISP?
I'm not saying this is impossible - MessageLabs handles this pretty well. But we only sell to businesses and we *still* get spam emanating from our network due to insecurities on our customers networks, despite a huge amount of effort put into stopping this. And if we see this occurring the first thing we do is shut down email for that customer (which has a much larger than $100 cost to them I assure you), yet it still occurs.
