Forums » Yahoo 'Domain Keys'
Comments on news posted 2003-12-12 15:02:41: Yahoo this week announced they're working on an open-source software that uses public key cryptography to digitally sign e-mail and verify its origins. ..


NoFatChicks
No, I'M The Exon And You're The Intron

join:2002-06-15
Blountsville, AL

2 edits
First!

Just like with other schemes to stop malicious/fake emails, two things will happen 1. You will block valid emails and 2. The hackers will get around it.


koitsu
Premium
join:2002-07-16
Mountain View, CA

STARTTLS anyone?

Isn't this exactly what STARTTLS is for, re: certificate-based authentication using standard OpenSSL certificates and CAs? It sure isn't DNS-based (and I'm thankful for that; using DNS for this isn't a good idea, IMHO) either...

About 7-8 months ago, I posted something about STARTTLS in reference to a spam-oriented news post here on the forums. Some company was yapping and blabbing about a certificate-based method and calling it "revolutionary technology." STARTTLS had been around for a good 11-12 months prior to that.

Anyways, I congratulate Yahoo! in trying to do something about spam, but I must side with the bloggers -- so what? This isn't going to accomplish anything other than provide Yahoo! a way to make money off of something Verisign-style (re: signed CA/certs). It sounds to me like Yahoo! is slowly going down the same road as all the rest of the "dot-com" ventures -- questionable motives. Sad too, since Yahoo! has been around since 1996 or so.

I think a much more effective method -- albeit not as immediately effective -- is something like this. Maybe it'll make adolescent DDoS-spammer kids change their minds and become real members of the working-class society. Get real jobs and contribute to the economy, you bastards...
--
Making life hard for others since 1977.

GameCube Boy

join:2003-12-12
10321
Bravo Yahoo!

When spammers themselves were asked what would stifle their work their answer was "authentication."

Bravo Yahoo!


Jim Gurd
Premium
join:2000-07-08
Plymouth, MI
·Comcast

said by GameCube Boy:
When spammers themselves were asked what would stifle their work their answer was "authentication."

Bravo Yahoo!

I agree. Authentication is the only way to make a real dent in the spam problem. If you eliminate address spoofing then you force spammers into the open and they are easier to stop. Any message which can't be properly authenticated would be black-holed.

The hardest part of this will be getting a critical mass of ISP's to implement the system.


desdog

@cox.net
It will take a company of Yahoo's size....

to make this work correctly. Small companies don't have the push to integrate an authentication system, Yahoo has the best chance so far.


justin
Australian
join:1999-05-28
Brooklyn, NY
reply to koitsu
Re: STARTTLS anyone?

with huge volumes of mail pouring into yahoo each from a different IP, and claiming to be from a certain server, don't you need the existing scaled DNS infrastructure to cope with efficient local lookups and propagation of changes?

GameCube Boy

join:2003-12-12
10321

reply to desdog
Re: It will take a company of yahoo's size....

said by desdog:
to make this work correctly. Small companies don't have the push to integrate an authentication system, Yahoo has the best chance so far.

I think the push should and will be from every legitimate business. It's not just where the email originates but who receives it. Say a mom and pop shop is a host, why wouldn't they want authentication from other ISP's in order to ensure that the emails their small customer base is receiving are authenticated.


desdog

@cox.net

That's not my point, everyone should adopt this technology. I just was making a statement that for the technology to get off the cutting room floor, there needs to be a big backer to do so. If Yahoo wants to attempt to initiate a new standard they actually have the ability to do so.

If I were trying to push a new technology I thought should be a standard it wouldn't go anywhere.

Talis

join:2001-06-21
Houston, TX
reply to NoFatChicks
Re: First!

So your solution is to what - just quit trying? What's your point?


morbo
Complete Your Transaction

join:2002-01-22
00000
clubs:
·Charter Pipeline
·AT&T Southwest

reply to desdog
Re: It will take a company of yahoo's size....

said by desdog:
If I were trying to push a new technology I thought should be a standard it wouldn't go anywhere.

unless it was freaking amazing. then, people would realize it and big companies would pick it up. you would be our hero Ferris Bueller.

keyboard5684

join:2001-08-01
Youngsville, PA
·Teliax VOIP
·WestPAnet Inc.
·WestPAnet Inc. CA..

reply to desdog
It does not take big guys to get things moving. Open source small time programmers can get wide adoption. Look at Qmail, TMDA, Apache, Bind, FreeBSD and all the others. People use the technology and it did not take Microsoft to do it (Or Yahoo). Some of the above did get some nice funding but some did not. Many true open source developers come up with some pretty nice stuff with little or no funding and no press.

If it is a good idea it will be adopted, just like many other things.

ArkiMage

join:2001-06-30
Kingsport, TN

Stopping SPAM

How will this cut down on SPAM?

Easy... When this comes about I'll probably install a newer version of SPAM Assassin which will add a ruleset for authenticated mail. Something like:

score DOMAIN_VALIDATED -5
score DOMAIN_NOT_VALIDATED 5

If the mail comes from a domain that has been cryptographically determined to be correct, the spam score will decrement by some amount. Same in reverse if it supposedly comes from @yahoo.com but is forged.
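
Added example, not part of the post above and not SpamAssassin or DomainKeys code: a sketch of the scoring idea, where a receiver checks a message signature against the key the sender's domain publishes and adjusts the spam score. The rule names and the ±5 scores are the ones from the post; the toy RSA key, the `PUBLISHED_KEYS` table standing in for DNS, the `DOMAIN_NO_KEY` outcome and the `.example` domains are assumptions made for illustration.

```python
import hashlib

# Toy RSA key from two known Mersenne primes so this runs on the standard
# library alone. Constructed for the example; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, kept by the sending domain

# Constructed stand-in for a DNS lookup: domain -> published public key (n, e).
PUBLISHED_KEYS = {"yahoo.example": (N, E)}

def signed_bytes(from_addr: str, body: str) -> bytes:
    # Assumption: the signature covers the From address and the body.
    return f"From: {from_addr.lower()}\n\n{body}".encode()

def digest(data: bytes, n: int) -> int:
    # SHA-256 reduced below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(from_addr: str, body: str) -> int:
    """What the sending domain's outbound server would attach."""
    return pow(digest(signed_bytes(from_addr, body), N), D, N)

def domain_score(from_addr, body, signature, keys=PUBLISHED_KEYS):
    """Return (rule_name, score_delta) for one message."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    key = keys.get(domain)
    if key is None:
        # Hypothetical third rule: a domain that publishes no key cannot be
        # checked, so the score is left alone rather than penalised.
        return ("DOMAIN_NO_KEY", 0)
    n, e = key
    expected = digest(signed_bytes(from_addr, body), n)
    if isinstance(signature, int) and 0 < signature < n \
            and pow(signature, e, n) == expected:
        return ("DOMAIN_VALIDATED", -5)
    # Key is published but the signature is missing or does not verify.
    return ("DOMAIN_NOT_VALIDATED", 5)

if __name__ == "__main__":
    sig = sign("alice@yahoo.example", "Lunch at noon?")
    print(domain_score("alice@yahoo.example", "Lunch at noon?", sig))
    print(domain_score("alice@yahoo.example", "Buy pills now", sig))
    print(domain_score("bob@smallhost.example", "Hello", None))
```

The penalty applies only when the claimed domain publishes a key, so mail from domains that have not adopted signing is scored as before.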


koitsu
Premium
join:2002-07-16
Mountain View, CA

reply to justin
Re: STARTTLS anyone?

Depends on how it's done. I was considering it as a TXT record per zone which contained an MD5 or Base64 version of a public key.

After thinking about it for awhile, I really don't see what this is going to do for people. I mean, we already have certificates available to sendmail and qmail via STARTTLS; why do we need one per zone?

It's possible I'm misunderstanding how Yahoo! wants to implement it, but of course the details are still kinda sketchy at this point.
--
Making life hard for others since 1977.

NoFatChicks
No, I'M The Exon And You're The Intron

join:2002-06-15
Blountsville, AL

reply to Talis
Re: First!

Adding complex schemes like this does nothing to get at the root of the problem. This is like putting locks on your door, but then not having laws or a police force (or not much of one) to stop the criminals outside. Guess what happens in a situation like I just described? That’s right, the criminals find a way to force themselves in.

The root of advertising spam, for the most part, is the desire to make money and thus the ONLY thing that will stop it is to make it INCREASE the risk and DECREASE the benefit of the activity. The purveyors MUST be pursued and prosecuted, the government MUST provide a framework for reporting spammers, the companies that use unsolicited emails MUST be fined, the ISPs MUST go after those sending spam, and foreign countries (i.e. South Korea, China, etc.) MUST go after spammers in their regions.

Do you see my point? Until the root of the problem is seriously addressed (and not just some ‘show cases’ like in Virginia recently), then what is the point of adding extra locks?

SanJoseNerd
Premium
join:2002-07-24
San Jose, CA

Legal Responsibility

I think this might be a good step. Let me suggest one addition: when email originates from an authenticated server, then whoever runs that server should be legally responsible for it.

That means the person running that server must implement an effective opt-out mechanism, including the ability to opt-out of all email from that server, and adherence to any do-not-spam lists. If large amounts of unsolicited or fraudulent email come from that server, then the person can be sued. If email from that server violates anti-spam laws, then that person can be fined and jailed.

And if the person is beyond the reach of the law -- say, in China or the Caribbean -- then the authentication should be revoked.

joesplifnik

join:2002-10-09
Lees Summit, MO

Making Spam Unprofitable

The real reason spam exists is that it appears to be a way for the spammer to make money. Apparently, it takes a minuscule response rate to make spamming profitable. The only real way to defeat it is to never, never, never buy anything being promoted via spam. I'm sure that the readers of this forum are intelligent enough to ignore spam pitches, but apparently there is a large enough segment of ignorant Internet users making spam purchases that the spamming strategy is profitable. Therefore, there has to be a goal of educating the Internet public to ignore this crap. Until spamming ceases to generate a return, the war will go on. We've got to spread the word to all web users to ignore all spam sales pitches. Easier said than done.


linicx
Caveat Emptor
Premium
join:2002-12-03
United State
·CenturyLink

Blessed Mail?

Personally I think the idea of spam coming from a blessed server is too funny for words. I'd rather see Yahoo try to put lipstick on that fat bloated hog they call Yahoo-SBC mail.

If we really wanted to stop spam we would flip the switch on the mail server; do things the old fashioned way. Snail mail isn't such an outdated mode, you know.
Of course we all know pigs will fly before we deprive granny of a baby picture or a spammer of a new score.
--
Be careful what you ask for - you just might get it.


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy

reply to justin
Re: STARTTLS anyone?

said by justin:
with huge volumes of mail pouring into yahoo each from a different IP, and claiming to be from a certain server, don't you need the existing scaled DNS infrastructure to cope with efficient local lookups and propagation of changes?

It would probably be possible to use the same key-propagation mechanism used in "standard" DNS signed zones. Of course, the only thing I've ever done even remotely close to that is setting up signature keyed remote zone updates. And, even if I did bother to secure my zone, unless the holders of .com were to set up a trust relationship with me, my zone would only be locally secure. Given who holds .com, I'm guessing the only way that's going to happen is if I buy SSL certificates for my DNS servers from Verisign (which sorta smacks of conflict of interest?).

And that's the real problem with this whole scheme: SSL certificates don't come cheap and only come through a few, select places. So, to fully secure email or to fully secure DNS, etc., someone like Verisign (ECH!) would be in a good position to make an awful lot more money than they already do just for secured web sites.

Unless GPG-style keyring servers were used, it's going to suck for small mail/DNS operators. It overall seems to be a way to eliminate use of personal mail servers and DNS servers, thus guaranteeing that every aspect of the Internet would become commercialized.

Is it necessarily a bad thing to be forced to rely on professional DNS and email services? It kind of depends on how good of a job you think they are or would likely do. I run my own DNS and SMTP servers because I have yet to find a provider that meets my needs for speed, flexibility and freedom from hassles like SPAM. My fear is, given a Yahoo scenario, I'd have to pay somebody to relay my emails.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy

reply to GameCube Boy
Re: It will take a company of yahoo's size....

said by GameCube Boy:
said by desdog:
to make this work correctly. Small companies don't have the push to integrate an authentication system, Yahoo has the best chance so far.

I think the push should and will be from every legitimate business. It's not just where the email originates but who receives it. Say a mom and pop shop is a host, why wouldn't they want authentication from other ISP's in order to ensure that the emails their small customer base is receiving are authenticated.

Such a system would probably have to rely on third-party signed keys to work (otherwise, how do you know you can trust the "authenticated" emails?). Have you ever priced third-party signed keys for servers? They ain't cheap, for the most part (and you can expect that the ones that are will somehow end up not being sufficient to participate). They especially aren't cheap when you have to buy one per entity (this could be a zone, or hopefully just per zone server). This certainly sets up a couple groups to make a bucket-load of new money: the third-party trusted signers (e.g., Verisign) and companies that would provide such trusted DNS zones (because a significant number of current DNS zone owners are not going to be able to afford to run their own after implementation of this). The third-party signers will get their new money from all the new keys they'd be selling. The DNS services would get their money from: A) hosting the DNS zones of people who can't afford their own keys; and B) fees associated with any and all updates.

So, now you're a small entity and you've become tired of your ISP (because of price, service, etc.). You want to move to a new ISP. You have to contact your DNS provider (assuming it wasn't your old ISP) and send a list of updates. "Sure thing, that will be $X per A/CNAME/PTR" change. Whereas, right now, if the small entity is half-clued, they can run their own DNS servers. When they go to change ISPs, they just send a registry update for their DNS servers to the InterNIC database. Blammo: one IP or a million IPs, the externalized administrative workload and expenses are the same: essentially zero.

Personally, before I'd get on board with Yahoo's scheme, I'd be checking to see what their investments in current PKI and DNS infrastructures are. They could be looking to make a LOT of money with this "open" standard.

Remember, when companies start talking about "on-ramps" they are usually envisioning themselves sitting as toll-collector, somewhere on one of them.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"


koitsu
Premium
join:2002-07-16
Mountain View, CA

reply to nixen
Re: STARTTLS anyone?

This is one of the most educational and thumbs-up-worthy posts I've seen on BBR in awhile (maybe I'm just not looking in the right places).

Incredibly useful, FO.

And likewise, I'm in the exact same boat you are. I too have the same qualms with coughing up large sums of money for SSL certs -- which would most definitely apply to Yahoo!'s new idea, albeit for a different technology -- and likewise have no desire to pay big bucks for CA-signed certs. I guess it depends on how much it costs.

Although nothing is going to stop a spammer from paying for a CA-signed cert. Even if it was US$1000, they'd pay it to continue to spam. You know how it goes... so really, what is Yahoo!'s idea going to truly get us?
--
Making life hard for others since 1977.