LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for February 9, 2012

XBMC 11 "Eden"

LWN.net Weekly Edition for February 2, 2012

A tempest in a toybox

LWN.net Weekly Edition for January 26, 2012

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

That much trouble?

That much trouble?

Posted Sep 5, 2004 21:32 UTC (Sun) by khim (subscriber, #9252)
In reply to: That much trouble? by philips
Parent article: Debian rejects Sender ID

ssh did not need years to come up with ways to detect identity forgery - why it takes that much time to implement it for e-mail?

Hmm... Good question... Especially since we had a solution for this problem for almost 10 years: RFC1847, RFC2015, etc. Way before spam become real problem. Yet... there are still this nasty spam problem and nothing is solved.

Why so ? Easy. Problem is with users, not with SMTP. What mail users demand is the following:
1. I do no want to get spam (== mail from unknown anonymous recepients).
2. I must be able to send spam (== anonymous mail via unregistered ISP).

That's all. Since there are no sane way to implement both 1. and 2. simultaneously we end up with all this mess like SenderID and such. That's all.

As usual there are no technical solution for social problems: people should either accept spam and live with it or they should accept lack of anonymity. You can not have both.

(Log in to post comments)

That much trouble?

Posted Sep 5, 2004 22:17 UTC (Sun) by doogie (subscriber, #2445) [Link]

pgp-mime has nothing to with allowing one to send mail. It's only for making sure it isn't modified in transit, can't be read by unknown third parties, and that the sender is who they say they are. It has no bearing on mail routers in the middle, nor the mail routers on each end point.

That much trouble?

Posted Sep 5, 2004 22:36 UTC (Sun) by khim (subscriber, #9252) [Link]

And what SPF/SenderID is ? Easy: it's try to reject mail from someone who's pretending he/she is now what he/she is. pgp-mail does is way better then any patented scheme. Yes, it needs some changes in end-user agents, but SPF/SenderID needs these changes as well! Of you can add proxy in the process. The same as with pgp.

If you say: "SenderID is different solution" I'll agree. If you say: "SenderID is better solution" then I want clarifications. It's pretty easy to add "reject non-pgp signed mail" rule to senmail or other MTA - it's just deemed "too intrusive". Thus instead of good and tested solution we're stuck with bunch of half-backed "extensions" and stupid "authentification schemes".

That much trouble?

Posted Sep 6, 2004 16:03 UTC (Mon) by TwoTimeGrime (guest, #11688) [Link]

> Easy: it's try to reject mail from someone who's pretending he/she
> is now what he/she is. pgp-mail does is way better then any
> patented scheme.

pgp-mail requires you to receive the entire email before making a decision. SPF does not. That saves bandwidth.

SPF isn't covered by a patent. You can use it. It's working now to stop joe-jobs. See this link for a good overview: http://yro.slashdot.org/comments.pl?sid=119211&cid=10...

> Yes, it needs some changes in end-user agents, but SPF/SenderID
> needs these changes as well!

SPF does not require a change in end-user agents. It can and does work at the MTA level.

"It's not a bug ... it's a feature"

Posted Sep 6, 2004 18:42 UTC (Mon) by freemars (subscriber, #4235) [Link]

pgp-mail requires you to receive the entire email before making a decision. SPF does not. That saves bandwidth.

The bandwidth costs the spammer (or the major ISP which doesn't block mail from zombied computers) as much as it costs you. You can do your part to drive the cost of spam up.

Think of it as a tarpit.

Further downthread people are saying how PGP'd spam would do more to hurt encryption than spam; they're probably right (imho).

That much trouble?

Posted Sep 5, 2004 23:02 UTC (Sun) by Russell (guest, #1453) [Link]

It may be possible to satisfy both 1 and 2.

1. Satisfied by only accepting mail from a list of authorised. Use signatures to do this. We then need only protect the keys from viruses. That is a problem programmers can solve ( not a social issue ).

2. Allow people to send spam. ( Nobody will be listening anymore )

That much trouble?

Posted Sep 6, 2004 1:36 UTC (Mon) by khim (subscriber, #9252) [Link]

Right, but... Try to think about it again. When I talk about 2) I do not talk about professional spammers! I talk about normal lawful internet citiziens. They do want to send anonymous mail to this or that website and/or to this or that mailing list. All the time. It's not some obscure twist - a lot of peoples become very nervous if you'll suggest some theme when mail can be easily tracked to physical person.

This is good and all, but... if you can not trace back "normal" sender (who never even seriusly attempted to to cover tracks!) how the hell can you ever hope to trace back professional spammer ?

This is what I meant above: people somehow think magic SenderID or something can make spammers easily trackeable but still will not affect anonymity of "lawful citiziens". It's impossible.

And if you'll trink about it pgp-mail does exactly what you're proposing. It was around for more the 10 years. It's still not widely used. Why ? Since pgp-mail (once you'll demand correct signatures with keys registered on few well-controlled key-servers) will "greatly affect privacy - and we do not want it". But if you got privacy then why can not spammers get privacy the same way (no matter what authentification scheme is in use) ?

Think about it...

The expectation of anonymity issue

Posted Sep 6, 2004 5:33 UTC (Mon) by eru (subscriber, #2753) [Link]

Why so ? Easy. Problem is with users, not with SMTP. What mail users demand is the following:
1. I do no want to get spam (== mail from unknown anonymous recepients).
2. I must be able to send spam (== anonymous mail via unregistered ISP).

I'm certain most users would be very happy to compromise on 2 if it would ensure 1. Until some years ago, most ordinary users actually assumed that "from" e-mail addresses are reliable and messages are traceable. It did not deter them from using e-mail. Only the spam catastrophe has made people more widely aware that the "from" field is just an arbitrary text that may have no relation to reality.

Set up an alternate e-mail system that has no anonymity, but no spam or viruses either, and I think a lot of users would be interested.

That much trouble?

Posted Sep 6, 2004 10:23 UTC (Mon) by ikm (subscriber, #493) [Link]

The truth is, people WANT to live with spam. Because they tend to accept the offers from the spam letters. No one would ever send a spam otherwise, because it just would not help advertising.

So, it is actually a possible scenario, where people can both 1) have a possibility to send the spam and 2) never receive any spam at the same time... but not on that planet, or at least not today or tomorrow. The possible social solution against the spam in that manner would be for the mail filters to get each detected spam message through, but with the banner attached to each message explaining why all the spam should be ignored regardless of the offering in it. But it is really hard to change people that way.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds