Craig points to a K5 article about SPAM DoS Attacks, or what happens if a spammer forges your address on thousands or millions of mail messages.
The result is that you'll get a ton of bounces, complaints, and a gernal flood of e-mail traffic. It's a flood you may not be able or willing to deal with.
I find this rather timely. Just last week, several of us were having a discussion at work about the SPAM problem. One of the ideas tossed about was to implement a system that would make it easy for any MTA (Mail Transfer Agent--the programs that deliver e-mail on the Internet) to verify that a message that claims to be from somebody@yahoo.com really is from a yahoo.com user.
This is technically doable. And it might be a good idea. Especially, as I argued, if one of the other big players (AOL or MSN/Hotmail) jumps on board and uses the same technique. If either one began to do the same, I expect that a domino effect would follow. Boom. Instant adoption.
That'd go a long way toward ending the perception that Yahoo Mail accounts generate lots of SPAM. (Yes, they'd still attract SPAM, but that's a different problem.) However, one interesting objection was raised during the debate...
Wouldn't that just cause spammers to prey on domains that are less equipped to "swallow a few million bounces per hour without breaking a sweat"? (To paraphrase a co-worker.)
Maybe it would. But maybe that would simply be necessary (in the very short term) while other ISPs and companies worked to adopt the same techniques that we'd use? (They're not difficult at all.) Or maybe when Yahoo was no longer "shielding" the small guys, users would truly be outraged by the sheer size of the SPAM problem and finally motivate the govenment to do something about it?
You can argue either way, but the core issue seems to be one of corporate responsibility vs. technological evolution.
What's Yahoo's responsibility? Or MSN/Hotmail's? Or AOL's?
What would you do? What do you think?
Posted by jzawodn at February 03, 2003 08:45 PM
As someone both involved in that brief discussion as well as someone who enjoys fecal aggitation, I agree that the big guys should start implementing a validation system.
On the other hand, having seen websites "farked", "slashdotted" and other wise made the target of considerable bandwidth usage, I'd also very much like to avoid getting a several thousand dollar bill from my hosting service because of the unexpected flood of traffic.
It's not like I could successfully sue the off-shore spammer.
If this were a perfect world, I'd love for some system to be set up that would detect a spam, isolate the source and have all the major recipients of spam simply redirect to that address for an hour or two. See how they like watching their bandwidth evaporate...
Government!? What are you thinking? Do you really want to get the government involved in this, too?
I implemented a system just like that in a public webmail I run.
Each outgoing message has a header attached to it, X-Originator-Signature, with an internal identifier for the person who sent it (could use the email address), a timestamp, and a MD5 of those two fields and a third secret passphrase I keep.
Whenever a mail hit's the abuse mailbox, I scan all the message for that header and verify it.
If the header is not present or valid, I send (checking for common Precedence and stuff, as any auto-reply'er should do) a message stating that the message was not originated on my server. I also include a URL with more information. I also suggest that the person should send the entire message, headers and all.
It works. It keep's my abuse mailbox in good shape, and it educates people.
I would love to see this on Hotmail and Yahoo. We have *a lot* of bounces for those two domains, and if we extend the ideia even further and create a public accessible URL (a web service if you will) that I coul GET your X-Originator-Signature (to validate that the email really came from you), I would not even let you in... Or if the message did came in, our bounce program could check and not bounce it to you.
Everybody wins.
The only downside I can think of is that this forces every one of your custumers who uses SMTP to deliver mail to:
1. use your mailhost;
2. use authenticated SMTP.
I'm all forward those two. But is it something you can push into your customers? Or is it something you would "sell" to your customers as a premium? or the other way around:those who dont use it, pay more.
I implemented a system just like that in a public webmail I run.
Each outgoing message has a header attached to it, X-Originator-Signature, with an internal identifier for the person who sent it (could use the email address), a timestamp, and a MD5 of those two fields and a third secret passphrase I keep.
Whenever a mail hit's the abuse mailbox, I scan all the message for that header and verify it.
If the header is not present or valid, I send (checking for common Precedence and stuff, as any auto-reply'er should do) a message stating that the message was not originated on my server. I also include a URL with more information. I also suggest that the person should send the entire message, headers and all.
It works. It keep's my abuse mailbox in good shape, and it educates people.
I would love to see this on Hotmail and Yahoo. We have *a lot* of bounces for those two domains, and if we extend the ideia even further and create a public accessible URL (a web service if you will) that I coul GET your X-Originator-Signature (to validate that the email really came from you), I would not even let you in... Or if the message did came in, our bounce program could check and not bounce it to you.
Everybody wins.
The only downside I can think of is that this forces every one of your custumers who uses SMTP to deliver mail to:
1. use your mailhost;
2. use authenticated SMTP.
I'm all forward those two. But is it something you can push into your customers? Or is it something you would "sell" to your customers as a premium? or the other way around:those who dont use it, pay more.
More important would be to ensure that mail servers enforce identification from senders so it's not as easy to spoof mail headers and email becomes more traceable.
I believe there's already talk of that.
This way you curtail some of the problem (spoofed headers and lack of traceability) but don't punish regular users.
I seriously dislike the idea of mapping identification to a server..
I was working on a draft RFC spec for something to solve this. Just as there was an MX for "inbound mail exchanger", the idea was to create "OX" rr's, for "outbound exchangers".
The principle being if you had something like
YAHOO.COM IN OX "192.168.0.0/24"
it would be yahoo.com saying "if it comes from this network, we're willing to say it's valid"
If a recipient got mail from *@yahoo.com, and it was not in a network listed in an OX, the recipient could then make their own decision about how they wanted to handle it.
The LACK of an OX would be construed, for backward compatibility as "OX 0.0.0.0/0" (the entire net).
There would also be a special OX "NULL", implying that this domain should NEVER appear on e-mail.
I ran into grief from anyone I talked to about DNS issues with inasmuch as the DNS folks really don't want to add more RRs.
> 2. use authenticated SMTP
When i first came involved in pop and smtp technology I wondered about the asymetrie related to authentication. But would authenticated smtp solve the problems if it would become a must? Would it hinder spammers, or is it a great dream to hope that everybody would join.
I am writing to inform you of a Spam solution that has worked wonders for our company. I’m currently running an exchange 2000 server with about 180 users. We were getting pounded by Spam, about 4500 messages a month and it seemed it was primary management that was getting the lion share. We decided to go with the Electric Mail Company. They use a combination of four different methods to determine whether or not a message is Spam, they are: Heuristics, Distributed Checksum Clearinghouse, Bayes, and RBLs. I am please to report we now have a 99% success rate with zero false positives! I make no updates to the service, and yet I stay in complete control. Just to show my appreciation for the salesman that helped me out, I have included his contact information (Jeremy Meindl 1-800-419-7462)
Warm regards,
Bill