|
|
|
The Spammers Have Won, but We'll Survive
By: Larry Seltzer
2009-03-18
Article Rating:  / 5
There are 16 user comments on this Network Security & Hardware story.
The tools have been here for years now to address the root of the spam problem, but we're not using them. It seems it's not compelling enough.The reason there is spam is because there's money in it, or at least
spammers think so. The technical reason there is spam is that the SMTP
protocol used to transport e-mail on the Internet is unauthenticated. A
few years ago a solution to this problem was put in place, but it
doesn't seem to have made a difference.
DKIM (DomainKeys Identified Mail) emerged from a battle several
years ago as the leading standard for SMTP domain authentication. It
uses public key encryption to sign messages with a domain's private
keys and stores the public keys for domains in the DNS. Receiving
e-mail servers can use that public key and the digital signature in the
message to confirm that a message does indeed come from the domain it
purports to come from. This doesn't prove that the domain it comes from
is trustworthy. For that, you need reputation data, which you either
gather and manage internally, or acquire from a public reputation
service.
Click here for a more detailed paper from the Messaging Anti-Abuse Working Group on authentication and trust. I've also been inspired to this by a recent series of articles on DKIM on CircleID.
This is the way it was all supposed to work. It's years now since DKIM was effectively finalized and almost two years since the DKIM standard
was published. DKIM is definitely out there, but not in the way I had
hoped. It's implemented and used by several large e-mail providers,
such as Gmail and Yahoo Mail. Many bulk e-mail senders, both large and
small, sign their e-mail because it helps to get their mail into the
inbox of users on those systems, But DKIM in the real world so far
seems to be much more about preventing false positives than blocking
spam.
To use DKIM to allow a good sender in, you merely have to have some
reputation data about them and track abuse complaints to keep that data
current. Then new mail comes in, the signature matches, and zoom, it's
in (you might still want to spam-filter it and certainly you should
malware-scan it). To use it to prevent spam you have to deal with
senders who either have no signature or who have no reputation, and
both these questions are difficult ones. If you're Gmail you can, over
time, develop a pretty extensive reputation database, especially since
you also own Postini which hosts enterprise e-mail security. If you're
Acme Average Enterprise and you're doing your own e-mail you need
access to a public e-mail reputation service.
This service business hasn't developed in the way it might have, and
even to the extent that it has, you can't always use the reputation in
the way it's intended. If verizon.net has a lousy reputation are you
going to block e-mail coming from it? This is one reason why domain
reputation can't displace IP-based reputation systems such as Spamhaus any time soon.
Perhaps the answer is to push more e-mail processing into the cloud.
It's seemed to me for a while that large, institutional e-mail
processors such as Google were in a better position to implement
solutions such as DKIM for large numbers of users, and indeed GMail
does this.
Cloud-based e-mail security is increasingly in style, too, as evidenced by Sendmail's recent announcement of cloud-based e-mail services. Sendmail has long been a proponent of authentication and has long-supported DKIM, so you can use their products to sign your outbound mail as well.
Sendmail argues that cloud-based e-mail security has become
commoditized, but the actual catch and false positive rates are
probably still more important to customers than price. So if DKIM
positively affects catch rates it's a winning strategy. I just doubt
that it's much of a factor in catching spam, even in the large clouds.
So unfortunately, it seems that this is as good as e-mail is going
to get. It's disappointing, but it gets enough of the job done, and
that's why it's not going to get any better. I mean, how much more time
and money were you really willing to take it to the next level anyway?
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
| | Reader Comments: The Spammers Have Won - But We'll Survive | | >>> Post your comment now!
| | Stop the anonimityYou should not be able to send e-mail unless you are a registered(dns) host on the Internet. This stops bots on unregistered machines. If I do not... Posted At: 03-20-09
By: Victor | | | | | | should have been labeled "advertising""I mean, how much more time and money were you really willing to take it to the next level anyway?"
That terminal sentence pretty much sums up my... Posted At: 03-19-09
By: bob | | | | | | Spam is actually good for youI'll suggest an alternative view. Spam is good. In the old days of email, I might go days at a time without getting email, thinking that no one was... Posted At: 03-19-09
By: Anonymous | | | | | | what's wrongWhat's wrong? You've already come up with an unsolvable problem with it. It would be a support nightmare because everyone needs to receive e-mails... Posted At: 03-19-09
By: Larry Seltzer | | | | | | practical?I know that e-mails can be spoofed, so I suppose a white-list would have weaknesses, but I don't really want challenge-response, I want to white-list... Posted At: 03-19-09
By: forester1 | | | | | | not practicalYou can in effect get whitelists today with challenge-response products, but everyone hates them. I know I do. Posted At: 03-19-09
By: Larry Seltzer | | | | | | White list?I DON'T understand why major e-mail programs like Outlook/Outlook Express/Windows Mail and others can't just update their software with... Posted At: 03-19-09
By: Forester1 | | | | | | >>> Post your comment now! | | | | | |
|
 |
|
|
�������x}r㶲s\@♵MR-ƶ,xMT(��S$�I~u~|�.d8�["�h4�Aȹ3&�9)ٝ O,z��Ij|ݻP�BeFAU�M7
J�Զ�O7�RM3i��/4�w8�7wGlJ{'AT�G��j"�hK&�O|gM$ƮlM1
d��ckdp��,Fc�wO�d{=B �~5;�6m��(GJ��{8�K���E!@�C�շ(>rP
ߨ�U�aNé-}!*{�> e%ӈu�E�hDd |xB'g�xd�#B�E#:(M+l�m�ڮ�Uq�X'�[~R4�䅰Q(0F.Č��/t0"7J;vz�q$M�� �f��]ÑcWPpmׇɩVsTq7#}j0�ݷt{�#�ԷF@:S�1)��æ�'I/#!_TBRp`�F�GJ
V�#vR �ס"�'�_|��uv3< 3~3 CoqZzeNDj%o�~�cnć!Lj�Z�E&>�5
8�Y͢`E3l˸-:4
PS+}(Z�E}`[¥;ho>;W)EsvU !GA
�m+h[I#ZIۇ�_w{>~j�>�r �>
� N7Rߘ�0QR�&jt8M3Q�I�1q`,{/B��^qW-hZIAv��ina�[�E�4bEU}dN"?[ڗu&u}Y6f0Zi�C�A+Wt?#;ˠrqszr|qӹ�]Q4{3B�ɝ`g@IC�!\J�!=!
g�|�8$;Ju0p~�e-}4zhNԖڂ1W|g?/1e�ޡ:ix>!e.ڽ^}�8^%g�5F
i�e4?$!�V5MGVOLM*P\?,CCe_U�X@8ʍ81m!SG�ñA
�S&�3;,,��0��@>O;SjZic;Ni$|N���I�cѦM�ޣ0OPVTyq%tY`9䐎3uuf3x��7H�O︐'Æןkk|{4��6Z|'1[V-T�2q�),n!t�$WXl?�X�Т,ql`![ѧ�KhzT(f3ᠺN�4S�}�52{B[`a3sՐmbҳ%}?h)J/C_jUzq}n7MAV?�R�xx
[�z�pG��9#rUϺX� 5<9.�&B#=7�:�Q)OjBaixʸ*2$,T4��pt�r�K�ݼ~h��";hqNNSНF#D9z�Q=/ORb-xhV^KՕË�$/gsPo�u�JiO[�%��9ނyey_x�ui8He�="�r"`c.-y�6O�h 2�0��O�o�C��pZ#�{��+%UV�L`LYV[)ZPr= X?l�� �xfJY
Yj6<}>]�ȃ`��![O\?C���|<^Rf�&n�\�t+@9Z'UmRHb|PF�ȸi�FqmX@XĞ?z�\78,ݙX�6➲+]5�&@nE��ʵ��{Luh<
VȲi@�X*¿uouj�)ՃUk;+H
� �Ӵ�cw@M$ {n�v24��˧6Wȵm>2躢G�ű<��bj\X,��~�)©5r1|��jj�0!B,W�ũ��(^p�T~��V�4;M�80�G/�騫VIۜa2&(�ʇF�s�uuUs�lʬ.n>�~�
=o!U�:@�y�g|/�DV;I�9dYa:5°Cfꡏ�.�r�ubGymbrrɼðN;�#GlG4�l�
"�K,�0h#2"^G=%��BMV\�7@aOo[\JEVK`qՁDZ%i��]f.g�|]٘zֱ4�>�ʀkG�2cFTY��hV�mZ�`�wmo�LJ.=rD��e�e�O.;�lWJ_�0]H���X9H(P+8�Y�x#L!6xLR�),9~J`!gP5({xre, ,"F��ȭJ3)#2��'ZTe�W3O991u?|{qqwo�FՕݷ K(
̯��$:T��)IG ;{郝@�Ώb�.}绛I쀔4v�{ڽK�|�Ƅs�N�~u�a�a=$g~ ^x�;,t.��L�~:'�!ɇݏ'R_qr`�R=h3 J@�c$b2v}WszV^NN:kކa�=;o(�F�����usѺ~߹�_>wjsٖңNW֓ ��R�!h!DHv:z�i)q�fڌ7�MJ,!L_>d�Ȱ��V �Z(Xĥ{}Ҿ̂qsŜ4�"1zz��M3bnX
q���F_aߪ�,d<0�.��)tz�Z��E9��p��ǀzB�,2�q]>o,gu�n/�l 08%�S*Q�W<2�Eh�i�A%-��5[�E_ѫ�ſ�s�}YVST
�t6~OW�0bIbKf+ƭN:H|�I�NAN�:>os_,C�9�n3�~HP -]u?So�2MĜ�y{�NEh #O��?G
�cd�ш�(Sq�t�$-FbeنnKl�x0e9R蔈'=
8
z>SB'Դ�ۓ4/iY(yqjhd�ꒈ~�~H`&'ءX��].7'8
$OMkzsy
^_ҹxu؈`�߳`m�\d(�`�q��Σ@P�)V�-<(ma}ki-�jݷʫ^X>o�>lj9l0��!l�Qڑ�rVT��~Mbݩc;x{�EroȍƓp'u"��eީӊY>f}m��m{ѺB���?݁C5^3�ᛷ
6�2'|2KO$בּ�~QO��tGov/zfC��f=foݷvcW}�;Ǎ>͝8��QC�Ҁ+fc:��M"�IQU֭��UdU)I=Y)oF'e�
%��,f}��d3D�Ӽ0iɜAh��7B_7n�C]�`l]s!T ��ǖt?h2i�~�J�SݹmJ+.{%nw^Zh�r;Tʜ%%դy6/IQ�)"{�"F%{two��Bu�U6�}t_c��yi�襶;zo
:�l0̠@ b@V��V7�vf\#9S��@(4T�h�\v�p71%pQx656�y�( h4RwV`0�lf4�w
�~�@�k§!��qZ�KIj��wl['/G'?[7�ur�p:i��p*௹;_�����P�E?\@Ӟ݊�|ߐ�FЗqk+BqLT�8O|j�S&��K*��/xNKUJ㩒:(,ג�rgLeId�_:D& ^\U�+G�+Ji6SJ�h"V�cDH`7.(�Axt]8h/9({(R��߬Wmy�?ׇQ4u�&.z8IW,M77iDkJ-Xʩ�z䜎P�!`cPMQ���hά�@<��*P�XU�0XC%1د7E4"G9bƪhZޔ�K/Ό7Os#7EE� = qq�Ia�x���H' ��� 6F;>��UY6sI_�зn)#X�[�\[&�_��F,i%�U%[*�US[y���l2/I!�gf�,~�Dz-t��w�Ǐs#?9`{K8=ўDW0M65T2�3H~C�Wݐ�^r >@7I,X/t˖@%^Ί�7+Q�Q�Hr�jfqB�y��qp�ᑤ;r��E$�C_EI� �+�ٗ'pD�i!nfet
�3;8U���a
R~~ArF|Y
6_�܆\\~m.�+�Kf-]{C3*
�qIC�X,L:�8KmWt�[�kb`@��3S4oM��n]/]�ׅ"L^�JQZV!QN|Pa�J%,�2Hm
Y=-�SF .�Jゟ��5�]Z�5־o�nn�:͜
'd�3�6>V/>~��<�X!:y��|� B�!��� H�݊�2*iS�OP�Wy_K_y�7777UfklM
zwqKԛ3۔bRkBv7l*ܼ5Ŕf'v �-p�&k5FX�}ݾ1xG�d�NMXѱ
6D'7y͙7i.{}�P�(=�bƈ+IAl˧v/Z=}Abދ�=��U5W�s̰\ \1^T\
+b�~;=0:)Ķ௶auu]LW�;2(Po$|fA
qi/2.mq){�% d^�칖m'�I,b8&r�X,hAL�Lm�9(; e9L�s�"&�Jf��id7|$ƽJl�E߽gL��h�G6_�/Z���aY�@�[3r�d! `,%7��4XB04�.
dR����/)_V6T�PE}㜙MEfIȢD��E\b9�]�Ք}u8 @�
tNk-b0"K]ɖ1xy��[/Oz'5aL�5^P;IU&�a|Q�"�@*VHui�3kvMqu3gü�Z�a�nBZ]~�u7}MY<�7Sz�Z<1xfU'j*]ja0uvY
1^��n�9�H
,4I'Kt S����lYk'3"UXOmt��{JVa6
1jU9JJEV^�S~TqqݗǮ5*>5BYQev��ߐ�%~rs|�偽�v��/}sY$XkO:Vga^N0w`^hR#i�<[��XS(q�J:<}Q-mEJ)!g'B"+�9 ����v�|{\�ۍ�9�QH` ϔ8h�@J(�{{i �~Hk+o~�̉� 0ۉ�J J��?3RmF�Ν�z_ayZܾ\`{|oyZd3+nsl+ZKɶ<+YlwNQgg)q8
@�ə莥��r;�@$=�/Hk�D�~x#nϪ5AU5�Tbub
bY*f&3Zˮi+xw4�:4F| E�Ú��b52E
\��Ѝ�B9ϪͲ;I�P}sY?e=a��'�2u?|{q�BJ�=L�~#�ѕ�+�4�'S\_}aHe� �t0��83�*�)�ӊF��2*m&~��^I79mOR-i`KkH���J��K��bZ�Ř!b`2^r�{VĔy^�%6:�Cȧn犉1J�s\-"@e#D�q��E�䜽D�"�H'�U,R��S�
"P�F:�
�Ƃ![C P/DF�>�c3�p���"(3G��]ă0>]S0lOT'ACj[ S+|�g)�u
9
:j�eOLg�>�{t�
S��2S´vD^^?').yci�� 8�^yNt_Zf:߰|ce|?뽉e�2'���{x���bRWkJ%z�u���_3ʰ�LXU+ϕ/=?�(^�;oU�e5zs#M镬B*9^���Ȉ}��w�3@�0>v#�Dwn�נuuuvI^ۤw|ݹw}%c&ZώGj8Gݓݫϧu_ht�|5<חv�xteAN/[�mf(NT3\h�^EqɃw�g�飱8?�/�&՝'Q韯�XC�ĸҫSe�Ll�NN۽OֆS^CVՉx]by5sλ��mzV�x9��0CP܄q�P��b>^�ȤRE9yN�(S�S~
ˏ[.wsʑO�'c(?^]~
9͡{���Wu
ͳI9)urƇeN93�BC/3^]~�sjș�"����{C�E�}.��/?/r�"?QF/s�rϠ,�P�()̙K�̙.3.n~+�W9s�r����#���O9}�}ʡ
�
M�:IY#g+8=J��W
ͣ�~TA_䵯<�4|�sYU�~vïU^йZ*4�ˑ*s2w2~62A\�wO
aq�ʍz�^S_xrw4�~kYA�m<���{}�y�s`˼t4���_AQF3l?V][[lOнغ{'JJݓs+z`~H뀏\]N9bs+r>V#ןbM�edGE⬏G\%�[n3'r�7�U?�QGЬ���]#=D)�s җ�e.o� ��pjy@ @9z_p�C��G0�/:)7X.{ZӇ��?ڎO;ZtieD8�O6?�K^a#^*��B8D�#w_a��1z�I�<�0��bx�ꑜ~54]N4pڜ�;cv+@7�ma�I�P5ZUj;�'װj���G0q]HMjJ]N��lժ~\��,)g
�/(�@'ػ7M{%}C7"z͐g�a�:�0V1;BH"O�ӱ��;fCdsW1f�dy7s�p8cKx;r$�I �?,�(�s0��ܙFd�lO]�BfCV��yx';��V�h0�c��6�z�[0gWډ�e:`�ټI8�i[Lr,�eށzxM&V=�ȁF=8�Jᩋ7Tced`
NuOЫ�ȅ�`"�9�oޔߺgC�n�΅�*˗ XV2W��k`Verm�c6Om�5Ul%OlB;Ц@��`{slgm��X)43oX�( �8�[]^L�:χAK�-Zh��"�n#qbeLZ�Aۀ3AZ�/`9q>~�3TЗ�_601y�}vjtSL�i�$G��D{=4&NӴo"9ݜ We�z�Q�aq�ef~W̦I�mXnbP;�}�_��g�A�nӥs�X00wP�-qAjKu D =c�SZ1LZ�Y
x�Ō.\~-�pIi
��)&L|95)B��nbZ(>/I>�g�{}C͞c�fsHBz�Ş� [Zo.Ts7Y���}ס)e4p}~_ y9��#,zHVKPsXOmM\�-On*t+f��S�
>%/m��cT��f\�gȌQ)x���t(E,�Ma-ă��v,='�IDπl���e]$f@g^l(V�;j�KQRJ��Vr.U
?�`nz ,���`+/2^�;'���g
�_H6Gd!᳤c9*=>S�l)yǝ.r�};�[�|A^[Qؗ�G@1aХ_!8F1^d���\*�IxrHI@>��~�EE�`C�0^m�D$uЧ�
�FϨn�vk��KAm'{;*l9�˜2J1Д8ٶ2#OA3r
ۧuHO(#o݂�k\�+<>a쎸2�/�[/uԝ8G�
Pr��3қ![1�ue|�n|�?���7ك|2p�c�π!XwCQ%7`
�}[���=ȶg%�\!dN�3@WD0;"6�����ic.�KE|0��(Xp^'AVفr&gw>G]�:�H��xkY�oc3gz ��?;���<�v;�fC
&K_2uy��D��#VJr}P?)���OtLg�sZ�n��H�ʶ�!�!�,�{��QFb�VB�8u
vKѲ�v��"ְ0ޏq۷�PT�|@��xS�a
\bX%eNܔ�UF.Dm�hT4X %*l+�7�WM��/v�7qrg¶"y\�
A\XNڙF
X�<��>�|p+��o5ȉe6�뙣\g4^n,eH}Kqd.5"�$$r嵖I�6;;Q0��&iE-ȓl`C�v�_)qph[?�҈Y�A� wvǰ�>BLN7�S
+pRaL �;(b[и�aH�b�V3zwz�О3q7C'
Sg�a+cPMYjcL1G�<,@}��&
#`#xb
"��nh1)�d'k%I������0���Ä
"5roq#}e��יJ؍�R04xq�BQ��əȩ8v�}_|I�Ѭd�;j�+�3GOg |>&��xqeQ���Vt*,z텋vV?Pv/isTO7uG�~v�~vu~iG a�
ӸT\Ɠ�ߴ;�K�,�mݸG�ﯻ�/OHђ�u',��!ջjt.ߧ+e=;T7 r�̳��ś|G`bhPlyPVK�Gb06HZ�\6}\/mt;Ǎo=��F姰a9TU\J�\WK4%WY/VWЧTN�&/��Kq�>`Lt�-�eRZ`_�l� &��
|
Network Security & Hardware 
