Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
The group's short history has been fraught with controversy. The most recent crisis was over intellectual property claims by Microsoft over technologies in some of standards under consideration, and the Microsoft license to those claims. Open source advocates and many others rejected the terms as burdensome and incompatible with their own licensing practices."
Posted Sep 23, 2004 18:30 UTC (Thu)
by marduk (subscriber, #3831)
[Link] (13 responses)
Posted Sep 23, 2004 19:01 UTC (Thu)
by csm1975 (guest, #15864)
[Link] (11 responses)
Posted Sep 23, 2004 19:28 UTC (Thu)
by rcbixler (guest, #11917)
[Link] (10 responses)
Posted Sep 23, 2004 19:49 UTC (Thu)
by csm1975 (guest, #15864)
[Link] (6 responses)
You have misunderstood SPF. I won't speak for Sender-ID because it wasn't going to work at the MTA level anyway (M$ appeared to be pointing it at some sort of eventual anti-spam algorithm they planned to build into their client and it used 2822 headers instead of 2821... basically not very useful for an MTA which was all I was ever interested in).
SPF was never intended to be directly an anti-spam tool though it did help a bit indirectly with that. It's purpose was to simply establish that an email did, in fact, originate from an MTA authorized to send email for the domain in the mailfrom. The domain owner specified the authorized points of origin in his dns records and then the receiving MTA could query the domain owners DNS records and if the sending host was not authorized the mail could be bounced. This would help a great deal with joe-jobs and phishing and would help stop forgery at the MTA level as well as prevent all those worms and viruses flying around which forge their from addresses too.
As far as spammers using it I say great... let them. If I've got to play "whack-a-mole" it will be much easier if they're no longer able to use forged headers and zombified PC's to send their spew.
Though I have been speaking about SPF here in the past tense I suspect that some form of SPF will be in one of the experimental RFC's we see happen now.
There is a lot more to this story than any one person knows and there is a big post-mortem being done on the SPF mailing lists right now.
Posted Sep 23, 2004 19:52 UTC (Thu)
by csm1975 (guest, #15864)
[Link]
I should not have said bounced. The proper outcome is reject.
Sorry for the error.
Posted Sep 23, 2004 21:26 UTC (Thu)
by rcbixler (guest, #11917)
[Link] (3 responses)
Posted Sep 23, 2004 21:53 UTC (Thu)
by JoeBuck (subscriber, #2330)
[Link] (1 responses)
I have spam filters that work reasonably well, as well as virus blockers. By far the largest source of virus-related mail I'm getting these days is bounces caused by spam and virus related mail that pretends to come from me (I've had the same e-mail address for ten years and have been active on mailing lists, so there's quite a lot of that).
If SPF or Sender-ID helps with that, terrific. It's a piece of the solution.
Posted Sep 24, 2004 10:59 UTC (Fri)
by macc (guest, #510)
[Link]
Posted Sep 26, 2004 21:51 UTC (Sun)
by rickmoen (subscriber, #6943)
[Link]
My objection is to people who claim that SPF will solve the problem of
spam.
Anyone who claims SPF will "solve the problem of spam" has not bothered to comprehend the spec or any of innumerable related technical articles, doesn't understand joe-jobs and how they work, and thus is wasting everyone's time. The same can generally also be said of those "objecting" to the former group -- since usually it turns out they're fundamentally misunderstood the entire topic, and are punching away at a mirage of their own devising.
It's probably time to newgroup net.admin.net-abuse.email.advocacy, banish^W encourage all such people into it, and throw away the key -- so the rest of us can resume serious discussion without ongoing interruption by the terminally misinformed.
Rick Moen
Posted Sep 24, 2004 4:12 UTC (Fri)
by Ross (guest, #4065)
[Link]
Another aspect of SPF is that you can whitelist domains you frequently
Posted Sep 23, 2004 21:06 UTC (Thu)
by khim (subscriber, #9252)
[Link] (2 responses)
No. It's politics indeed. For example here (in Russia) ISP can not just say "you're spammer and I do not like to have you as my client". You need court order first - and since there are NO really applicable law against spam it's VERY hard to do. If ISP will just throw spammer away it can easily find itself in court! Courts are not sympatetic to spammers though so some ISPs do it anyway but can you honestly say in such situation "it's pure ISPs greed and deceipt" ? Some ISPs just are not ready to play with law in such a way...
Posted Sep 23, 2004 22:20 UTC (Thu)
by stephenjudd (guest, #3227)
[Link] (1 responses)
Posted Sep 24, 2004 7:37 UTC (Fri)
by khim (subscriber, #9252)
[Link]
Of course they do. But you can not legally write in contract: "you can not help spammers, or we'll disconnect you". And you can not refer to some web-page as well. You must list all possible offenses in advance. And real problem with spam is that it has no finite difinition. What is exactly ? Unsolicited commercial mail ? Yes, it's in ISP contract. DNS server for web server advertised in unsolicited commercial mail ? Hardly - yet this is exactly what spam fighters request to stop. And even in first place you can not just take spammer and disconnect him - you need undeniable proof suitable for court. Courts are generally clueless about computers and spam so it can be tricky to even explain what's wrong with spam in first place: there are no law in Russia against commercial mail send via old-fashioned mail system and generally it's percieved as perfectly legal way to advertise something - and since most judges never use Internel at all it's hard for them to see what's wrong with computer analog. And so on. It's not that ISPs can not do anything against spam. It's just very often "quite simple" change in anti-spam strategy becomes tricky in situation where 90% of general population do not know what spam is in first place...
Posted Sep 23, 2004 19:02 UTC (Thu)
by clugstj (subscriber, #4020)
[Link]
Posted Sep 23, 2004 21:17 UTC (Thu)
by proski (subscriber, #104)
[Link]
Posted Sep 23, 2004 21:30 UTC (Thu)
by dbwilson (guest, #24947)
[Link] (1 responses)
The IETF group which has been closed down is the MARID group (MTA Authorization Records In DNS). As others have commented this is only indirectly anti-SPAM.
The IRTF sponsored Anti Spam Research Group (ASRG) is still up and running, c.f. http://asrg.sp.am/
Posted Sep 23, 2004 22:01 UTC (Thu)
by dwmw2 (subscriber, #2063)
[Link]
SPF and SenderID, as covered by MARID, were fundamentally flawed ideas. They made incorrect assumptions about the way the world works, and their 'fix' for those assumptions was some kind of rewriting which they needed everyone out there to implement on their mail server, to 'take responsibility' for mail they forward.
Not only that, but this rewriting turned each scheme into nothing more than a way of assigning a trust metric to the individual mail server which is offering you the mail. We could have done that just on the HELO, without requiring the world to 'upgrade'.
STRIVERS is looking for true end-to-end solutions using signatures, which should be a lot more technically viable than SPF, without requiring the whole world to implement some new hairbrained scheme. Stuff like Yahoo's DomainKeys and Cisco's Indentified Internet Mail scheme are what's being looked at.
It all looks a whole lot more sensible than SPF.
Posted Sep 24, 2004 5:32 UTC (Fri)
by agapecs (guest, #24844)
[Link] (3 responses)
Posted Sep 24, 2004 10:23 UTC (Fri)
by nix (subscriber, #2304)
[Link] (2 responses)
The mails it turns out look *disgusting* to any recipient not using an HTML-wizz-bang mail client.
(Was this a troll? I ask because I don't know *anyone* who likes it... but most of them are on the receiving end of Incredimail's output, not the sendig end).
Posted Sep 24, 2004 15:14 UTC (Fri)
by Duncan (guest, #6647)
[Link] (1 responses)
Posted Sep 26, 2004 0:55 UTC (Sun)
by man_ls (guest, #15091)
[Link]
Maybe you don't want to get mails from employees of clueless companies, and maybe you are right. But I assure you sometimes it's not people's fault.
Posted Sep 24, 2004 9:33 UTC (Fri)
by edmundo (guest, #616)
[Link]
It's a shame. It seems that defeating spam would be a relatively easy thing to do if everyone just worked together. But, alas, politics.Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
Politics? It was not politics. It was greed and deceipt!
Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
Indeed. But the greed and deceit starts with the ISPs who willingly Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
provide spammers with safe harbour. The whole affair of SPF/Sender ID is
not so much greed and deceit as it is conceit on the part of the would-be
standards authors. They think that their proposals will solve the
technical problem of spam, but all it really does is provide better
authentication for domain holders. From what I understand, the spammers
are already using SPF to get their mail around filters. This brings the
problem right back round to the ISPs that willingly harbour spammers.
Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
I said that SPF really only helps domain owners authenticate their Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
e-mails better (i.e. it is harder to forge their domain in e-mails.) Is
that not a good summary of the problem that SPF purports to solve? If
not, please let me know what's missing.
My objection is to people who claim that SPF will solve the problem of
spam. It may help somewhat by making e-mail a bit more accountable, but
that's not what I call a solution. A good part of the problem is social
in that there are greedy ISPs who see no problem with hosting spammers.
The problem of spam won't be solved until either the social element is
solved or mooted.
Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
At the moment 50% of Spam i receive are emails thatInternet Task Force Shuts Down Anti-Spam Working Group (eWeek)
_pretend_ to be bounces/rejects/overquota/whatever
but carry a virus payload.
rcbixler wrote:
Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
rick@linuxmafia.com
You know, the ones that clog your mailbox with forged messages from peopleIt would help with email worms and trojans too
in other people's address books and sometimes even claiming to have come
from you. And the bounces and "virus notifications" from other people's
mail servers who are receiving mail forged to look like it came from your
account.
receive mail from without worry that forged email will bypass your spam
filters.
Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
khim, don't Russian ISPs use contracts to specify what their customers may do on their networks? ISPs don't need anti-spam laws to kick off their customers if they have watertight contracts. Or do Russian courts take a different approach to interpreting contracts? I'm genuinely curious.Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
Defeating spam is easy - just don't use e-mail. Completely replacing e-mail with something that will defeat spam without sacrificing useful features of it ISN'T easy. Having Microsoft meddling with a group trying to solve this problem is even worse.Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
The link to Unified SPF in the article is worth checking. It's a presentation that explains different techniques proposed so far.
Unified SPF presentation
It is always worrying when the headline is at odds from the message of the body of the article being referred to.Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
The IETF group which has been closed down is the MARID group (MTA Authorization Records In DNS). As others have commented this is only indirectly anti-SPAM.
The IRTF sponsored Anti Spam Research Group (ASRG) is still up and running, c.f. http://asrg.sp.am/
Not only that, but the STRIVERS working group is also still alive. Still in the throes of starting up, in fact.
why not just use incredimail? it eliminates the spam issue and so does i Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
hate spam....two great products...
then there is the filtering that just gets rid of all mail from those who
are not in the address book...hmmmm
I know of no email client that turns out legitimate mail looking more like spam than does Incredimail.Internet Task Force Shuts Down Anti-Spam Working Group (eWeek)
HTML formatted mail? Here, I dump any mail that's HTML formatted. HTML mail (Incredimail)
I contend that content worth reading is worth reading in plain text, and
that therefore, the only folks using HTML formatted mail are either (1)
deliberate crackers, (2) spammers trying to make worthless content look
impressive, or get it past spam filters, or (3) technical illiterates that
know no better and are thus not a very productive use of my time anyway.
I have instructions in both my mailing list sig and newsgroup sig (and
custom headers) saying no HTML mail, it's trashed. All friends and
relatives corresponding with me know they can't use HTML format as well.
When most of the desired stuff you get is known not to be HTML, just the
fact that something /is/ HTML becomes a good anti-spam filter in itself.
As I said, HTML mail is used to good effect by the crackers and spammers,
so forcing them to use plain text (not just a plain text version and an
HTML version, but /only/ a plain text version) seriously screws their
current operating methods.
Thus, if Incredimail includes HTML, it'd be filtered off the top. Even if
there are a few false positives by this method, they by definition are of
low enough value, due to the class of people using HTML and their effect
on my time vs the chance it might be a false positive, I don't care if I
don't see them.
Again, think about it. If the content is worth reading, it's worth
reading in plain text. If not, putting it in HTML won't /make/ it worth
reading, and given all the cruft that /is/ HTML mail, it's not worth the
trouble making the distinction between the cruft and not. Consider how
many vulns Outlook and OE have been exposed to, and how many they /would/
have been exposed to if they had stuck to plain text. That's enough of a
security argument right there.
I have no problem with HTML on the web, where it belongs. Just don't put
it in my mail, if you want me to read it, because IMO that's /not/ where
it belongs.
Duncan
HTML mail (Incredimail)
I have no problem with HTML on the web, where it belongs. Just don't put
it in my mail, if you want me to read it, because IMO that's /not/ where
it belongs.
Some of us work at companies with Outlook servers, which force us to use the incredibly stupid Outlook client. It is quite difficult to make it understand that you want to send plain-text mail. Since I installed Linux at my desktop computer, I have to use the web client, which is even more stupid and will /not/ let me send plain-text. Thanks Novell for evolution connector, have to try to install it sometime (even if I would very much prefer mutt).
I think what I would like to have would be a permanent e-mail addressI'd like more control over my SMTP server
that only accepts messages from whitelisted people (who would ideally
identify themselves cryptographically but I can make do with just looking
at their e-mail address for now) and a series of temporary e-mail addresses
that accept messages from anyone. The problem is how to send back
a helpful error to people who are not whitelisted or use an old
temporary e-mail address. With my current ISP the only way I can do that
is by sending an e-mail response to the envelope sender, which in the
case of spam/viruses is often a valid e-mail address of an unrelated
person who doesn't appreciate yet more rubbish arriving. Also, there's
a danger that my automatic response will itself be stopped by spam
filters and never be seen. Obviously the solution is to send back a
helpful error during the SMTP session, but apart from getting my own
dedicated (virtual) server how can I implement that?
Also, how can I make sure that automatic responses to my messages get through
while automatic responses to messages I didn't sent don't get through,
when there doesn't seem to be a standard for how automatic responses
should be formatted (they don't always quote the message-id in a standard
way, for example)?