comment from AirScreen?

Discussion:

(too old to reply)

Jer

2003-12-07 00:00:26 UTC

Permalink

http://www.usatoday.com/tech/news/techinnovations/2003-12-05-yahoo-spam-switch_x.htm

--
jer email reply - I am not a 'ten'

Gordon Burditt

2003-12-07 22:16:35 UTC

Permalink

Post by Jer
http://www.usatoday.com/tech/news/techinnovations/2003-12-05-yahoo-spam-switch_x.htm

I am speaking only for myself.

The details of this proposal are vague. Yahoo is proposing that
email be digitally signed, making forged return addresses harder
to do. (How many disgusting spams have you received, apparently
FROM YOUR OWN ADDRESS? The postal service (paper mail) has much
the same problem. There is little to prevent someone from faking
your USA return address, although the Chinese stamps and Peking
postmark will give a hint to someone that examines it closely that
something funny is going on.)

If spammers can't easily fake return addresses, it makes personal
white lists work better. It also makes black lists work better,
as the chances that you shut off mail from someone you WANT to
receive mail from when you add the return address from that Nigerian
bank fraud spam to your black list are greatly reduced. This is a
GOOD thing. It does not prevent spammers from getting hundreds of
their own legitimate domains, but domains cost money, so they won't
go completely nuts like they do generating random user names. It
is unclear from the Yahoo proposal whether keys will cost money or
not. However, setting up a key infrastructure takes work.

Now, *WHO* signs the email? It sounds like, from the name "Domain
Keys", that airmail.net, not individual customers, do. This also
means that airmail.net has a reputation as a whole, and your mail
is accepted or rejected based on its reputation (which is not that
different from the way it is now, except that, say, AOL's reputation
won't be tarnished by the spammers who keep faking AOL addresses
when they have nothing to do with AOL). Anyone selling accounts
is going to have at least a little spam, as there is little to
prevent someone from signing up and then spamming until they get
caught, even if that's only a few hours. This still doesn't rule
out rogue ISPs ("bulk-friendly hosting") signing spam.

HOW does the email get signed? Software for this doesn't exist yet.
Yahoo talks about making this available to open-source developers but
with no details. There would be several types of software: mail signing
software (which might be needed only by the ISP), and signature-checking
software (which would be needed by anyone wanting to filter their mail),
and key generation software (which might be kept by Yahoo or might come
with the signing software).

It is unclear to me whether this will protect against spam generated
by or relayed by systems infected with a virus written to make them
act as a relay. The virus may be able to use the user's credentials
to get the spam signed as though it came from the user.

What does this mean for customers? This is pure speculation, BUT:
- Anonymous email gets much harder to send and have it accepted anywhere.
- Sending *EMAIL* with "spam blockers" gets your email rejected.
This probably won't affect USENET news. How it affects submissions
to USENET moderators may be up to the moderator.
- If the ISP signs the email, then you MUST send mail from, say airmail.net
THROUGH airmail.net's mail servers, or it won't be signed, and it
will get harder and harder to have it accepted.
- If you have your own domain name, something would have to
be set up between you and the ISP to get your mail signed. Even
if you sign the mail yourself, you need your public key to appear
in DNS for it to be recognized. Getting a key might require payment
(those of you who know about web site secure certificates should
be familiar with this) and not necessarily to the ISP.
- It may be that you need to authenticate with your ISP to SEND mail.
Your current mail software may or may not know how to do this.
- It may get harder to send email "on the road". To send mail from
airmail.net and have it signed, you have to send it through airmail.net.
But the local ISP you're connected to may not let you use anything but
its own mail servers.

Signing mail will certainly be optional at first. It is likely
that at first *IF* you set up your system to authenticate sending
mail, you can get your mail signed when it is sent that way.

It is also possible that this idea will never get off the ground.

Gordon L. Burditt

Jer

2003-12-08 00:26:16 UTC

Permalink

Post by Gordon Burditt

Post by Jer
http://www.usatoday.com/tech/news/techinnovations/2003-12-05-yahoo-spam-switch_x.htm

I am speaking only for myself.
The details of this proposal are vague. Yahoo is proposing that
email be digitally signed, making forged return addresses harder
to do. (How many disgusting spams have you received, apparently
FROM YOUR OWN ADDRESS? The postal service (paper mail) has much
the same problem. There is little to prevent someone from faking
your USA return address, although the Chinese stamps and Peking
postmark will give a hint to someone that examines it closely that
something funny is going on.)
If spammers can't easily fake return addresses, it makes personal
white lists work better. It also makes black lists work better,
as the chances that you shut off mail from someone you WANT to
receive mail from when you add the return address from that Nigerian
bank fraud spam to your black list are greatly reduced. This is a
GOOD thing. It does not prevent spammers from getting hundreds of
their own legitimate domains, but domains cost money, so they won't
go completely nuts like they do generating random user names. It
is unclear from the Yahoo proposal whether keys will cost money or
not. However, setting up a key infrastructure takes work.
Now, *WHO* signs the email? It sounds like, from the name "Domain
Keys", that airmail.net, not individual customers, do. This also
means that airmail.net has a reputation as a whole, and your mail
is accepted or rejected based on its reputation (which is not that
different from the way it is now, except that, say, AOL's reputation
won't be tarnished by the spammers who keep faking AOL addresses
when they have nothing to do with AOL). Anyone selling accounts
is going to have at least a little spam, as there is little to
prevent someone from signing up and then spamming until they get
caught, even if that's only a few hours. This still doesn't rule
out rogue ISPs ("bulk-friendly hosting") signing spam.
HOW does the email get signed? Software for this doesn't exist yet.
Yahoo talks about making this available to open-source developers but
with no details. There would be several types of software: mail signing
software (which might be needed only by the ISP), and signature-checking
software (which would be needed by anyone wanting to filter their mail),
and key generation software (which might be kept by Yahoo or might come
with the signing software).
It is unclear to me whether this will protect against spam generated
by or relayed by systems infected with a virus written to make them
act as a relay. The virus may be able to use the user's credentials
to get the spam signed as though it came from the user.
- Anonymous email gets much harder to send and have it accepted anywhere.
- Sending *EMAIL* with "spam blockers" gets your email rejected.
This probably won't affect USENET news. How it affects submissions
to USENET moderators may be up to the moderator.
- If the ISP signs the email, then you MUST send mail from, say airmail.net
THROUGH airmail.net's mail servers, or it won't be signed, and it
will get harder and harder to have it accepted.
- If you have your own domain name, something would have to
be set up between you and the ISP to get your mail signed. Even
if you sign the mail yourself, you need your public key to appear
in DNS for it to be recognized. Getting a key might require payment
(those of you who know about web site secure certificates should
be familiar with this) and not necessarily to the ISP.
- It may be that you need to authenticate with your ISP to SEND mail.
Your current mail software may or may not know how to do this.
- It may get harder to send email "on the road". To send mail from
airmail.net and have it signed, you have to send it through airmail.net.
But the local ISP you're connected to may not let you use anything but
its own mail servers.
Signing mail will certainly be optional at first. It is likely
that at first *IF* you set up your system to authenticate sending
mail, you can get your mail signed when it is sent that way.
It is also possible that this idea will never get off the ground.
Gordon L. Burditt

Yes, Gordon, all good postulations. I'd also like to add another
wrinkle in getting mail signed. Would it work whether the sender is
using a local PC client and/or a web-based server to send? I would
presume the ISP server would do the signing so both methods would
benefit together.

If it ever did get off the ground, and ISPs bought into it, their
reputations would be on the line along with their clients. And that may
be the deal killer for them.

--
jer email reply - I am not a 'ten' ICQ = 35253273
"All that we do is touched with ocean, yet we remain on the shore of
what we know." -- Richard Wilbur

Gordon Burditt

2003-12-08 04:03:25 UTC

Permalink

Post by Jer
Yes, Gordon, all good postulations. I'd also like to add another
wrinkle in getting mail signed. Would it work whether the sender is
using a local PC client and/or a web-based server to send? I would
presume the ISP server would do the signing so both methods would
benefit together.

All mail clients would need to be modified in some way. The minimal
change would be turning on a particular method of authenticated
SMTP (one mouse click in preferences, perhaps), and perhaps entering
info to use with it. (airmail.net servers do not currently do
authenticated SMTP. There's no need for it now). A larger change
would be a version upgrade, or changing clients entirely. This
applies to webmail clients (run by an ISP) as well as clients on a
PC. I would *NOT* expect to see mail derived from a form on a web
site to send a comment to the webmaster signed. Forms like that
generally don't let you specify who to send to and permit anonymous
mailbombing of the webmaster.

One problem with authenticated SMTP is with the clients. If a
server says it can do authenticated SMTP, some clients will demand
a password and try authenticated SMTP whether the customer wants
to or not and whether the server insists on authentication or not
- this can be very confusing. Other clients won't try to do
authenticated SMTP unless the server announces that it can.
Hopefully future clients will deal with this better.

Expect to have to enter a username/password (or have your client
do it for you) in order to have your email signed (You already do
this for webmail clients that also let you read your mail). The
signature, I expect, not only says "this is genuine airmail.net
email", but it also says "this is genuine ***@airmail.net email
(or at least someone using his password)". That means it is practical
for someone to ban some users and not others. Due to the massive
forgery of email addresses by spammers, banning email by return
address or even by domain is currently pretty useless, as is making
exceptions for certain email addresses. (Heck, if I banned everything
but my own email address, I'd *STILL* get a lot of SPAM!) Bans are
primarily done by IP address of who's sending it to us.

Post by Jer
If it ever did get off the ground, and ISPs bought into it, their
reputations would be on the line along with their clients. And that may
be the deal killer for them.

Their reputations already ARE on the line. People do ban airmail.net
or some of the servers occasionally. Having a responsive abuse
department helps in getting bans removed. The "bulk-friendly
hosting" ISPs and those who just don't care will hate it. If someone
is willing to trust airmail.net but not necessarily its customers,
they can ban some customers and not others, trusting airmail.net
to not let customer A pretend to be customer B.

Gordon L. Burditt