METROCAST BLOCKS RESIDENTIAL E-MAIL

Jason Stephenson jason at sigio.com
Tue Mar 14 20:01:01 EST 2006


Bill McGonigle wrote:
> On Mar 13, 2006, at 18:20, aluminumsulfate at earthlink.net wrote:
> 
>> That's just it.  It's NOT a valid way to reduce spam.  Just like killing
>> junkies is not a valid way to fight AIDS...
> 
> 
> The trouble is the valid ways to reduce spam (like DomainKeys and SPF 
> records) are very very lightly deployed and the IETF is trying to see to 
> it that even they don't get accepted.  In the meantime any 
> countermeasure is a hack.

They're actually not ways to reduce spam. There are many, many analyses 
available on the web that show exactly how these two systems are not 
going to prevent spam. What they may reduce, but only if mail admins are 
serious about using "-all" (in the case of SPF), is Joe jobs, where 
someone "forges" mail from your domain.

There's absolutely nothing to prevent spammers from using spf with a 
+all entry that allows any site to send email for that domain. Also, 
when AOL uses ?all, that's no help.

For domain keys, a spammer can easily send the key out to his bots and 
have the mail user agent sign all outgoing messages. So, now, they're 
signed with a valid key for the sending domain....

What do the above buy you? Very little. You're still going to have to 
filter on IP addresses, sending domains, etc. Sure, you could block all 
"bad" keys and you could block all mail from sites with spf records that 
don't end in -all, but you'd be cutting off a good bit of ham that way, 
or you'd still be stuck with blacklists (for the bad keys).

There are also a whole host of other issues involved in using domain 
keys and SPF, such as breakage of some very common email practices. They 
may be bad habits, but they're things that have been accepted and 
expected for years.

You'll notice, if you look, that I have spf version 1 records for my 
domains. They end in -all. I set them up in a moment of weakness. 
However, when I set them up, I knew they were of limited use and I knew 
what problem spf was designed to solve, whether its pushers knew it or not.

What is actually needed is an entirely new email protocol that cannot be 
"abused" and doesn't cost too much on its users. "In the meantime any 
countermeasure is a hack."

However, it ain't happenin' any time soon. I'm on another list called 
IM2000 where such issues are discussed ad nauseam. The consensus there 
is that an entirely new email architecture needs to be built, one that 
puts the cost of sending email on the sender, but getting people to 
switch to it...."Aye, there's the rub."

> 
>>    use, then you can run a mail server on an alternate port.  Lots
>>    don't block 465 (ssmtp) or 587 (alternate smtp).  In my case, since
>>    I can never remember
>>
>> Clever.  I'll have to look into that.  And then tell all the 
>> spamsters. :)
> 
> 
> Fortunately for us most submission ports require SMTP AUTH which is less 
> useful for spammers.  Maybe once all traffic is forced there we'll see 
> Outlook worms spamming through valid accounts.

Could be, but I've seen a lot of spam coming from poorly written web 
form processor programs lately. I've even been playing cat and mouse 
with one spammer who has been trying to abuse one of mine. I've got it 
locked up now where I know that even if he managed to get a mail 
through, I'm the only person in the world that will see it. He keeps 
trying, and it's not a completely automated script on one of his bots 
that he's running, 'cause it's only four or five attempts in a row, a 
couple days a week, always with a bcc: to the same couple of aol 
accounts. He's trying to see what he needs to put in to get his messages 
through. I figure he'll give up in a few days when he finds someone's 
webform processor that he can exploit.

Just wait until the virus writers discover this trick!

I don't see any solution in the near term. I don't like some of the 
alternatives, either. If PKI becomes required for email, then it becomes 
much easier to track who is emailing whom. What little bit of 
libertarian that is still breathing within me doesn't like that.

I'm also thinking that I might as well get rid of the mail form and just 
put a mailto link on my site. It's actually safer, and my address is 
already in whois, anyway.

Cheers,
Jason
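
The "-all" / "?all" / "+all" distinction discussed in the message above, as an added example that is not part of the original post: it reads an SPF version 1 record and reports what the record says about hosts that match none of its earlier terms. The function names are hypothetical and the sample records are constructed.

```python
# Added example: classify the "all" term of an SPF v1 record.
# All sample records below are constructed for illustration.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_default_result(record: str) -> str:
    """Return the result an SPF v1 record gives a sender matching no earlier term."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "not-spf"
    redirect = False
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            redirect = True
            continue
        # A mechanism with no qualifier defaults to "+" (pass).
        qualifier, name = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if name == "all":
            # "all" always matches; terms after it are never evaluated.
            return QUALIFIERS[qualifier]
    # No "all": policy comes from the redirect target, or defaults to neutral.
    return "redirect" if redirect else "neutral"


def forgery_protection(record: str) -> str:
    """Describe what the record's default buys a receiver against forged senders."""
    return {
        "fail": "rejects unlisted hosts",
        "softfail": "flags unlisted hosts only",
        "neutral": "no statement about unlisted hosts",
        "pass": "authorizes every host",
        "redirect": "defined by another domain's record",
        "not-spf": "no SPF v1 policy",
    }[spf_default_result(record)]


SAMPLES = [  # constructed records
    "v=spf1 mx a:mail.example.org -all",
    "v=spf1 ip4:192.0.2.0/24 ?all",
    "v=spf1 +all",
    "v=spf1 all",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{rec!r:45} -> {spf_default_result(rec)}: {forgery_protection(rec)}")
```

A receiver that scores mail on an SPF pass can use the "pass" case here to discount records that authorize every host.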



More information about the gnhlug-discuss mailing list