% fortune -ae paul murphy

SPAM, Phishing, and other trash transmissions

One Nick FitzGerald, a long time PC security researcher, has been making the news lately with a paper dedicated to the proposition that user authentication isn't all that effective as a means of stopping spam, phishing, and other forms of junk TCP/IP transmissions.

Here's the summary provided by Virus Bulletin:

SPF, Caller-ID, Sender ID and DomainKeys are all, to varying degrees, user authentication schemes being actively pushed as anti-spam measures - things that will slightly change how we do email but significantly reduce, if not eliminate, spam and keep it down. All such claims are based on a naive belief in the power of user authentication to beat the spam problem.

Sadly, the common claim that these approaches will greatly reduce spam is not only a misguided idealisation of what may be achievable, but it is downright wrong-headed. The chance to make a buck may be behind one or two of the major players pushing for such solutions, but mainly the inability of these approaches to deliver what is so often promised is apparently due to abject ignorance of how the world is already really working in ways that render these proposals useless. This paper will point out a few nasty facts about spam and spamming that the SPF, etc. folk have either entirely missed or chosen to ignore, then proceeds to explain why these realities not only make SPF, etc. irrelevant as anti-spam approaches, but also all but entirely remove the real, but very small, advantages the more conservative sometimes claim for these approaches.

I haven't been able to get the full paper yet, but other things he's said suggest that the core objections come down to how easy it is to spoof all forms of Sender ID, how enforcement assumptions violate the realities of ISP economics, and how resistant the PC community is to security motivated procedural change.

As I've said elsewhere fixing the inappropriate internet use problem is easy: all it requires is the will to do it and some minor changes in router and email software.

Specifically what needs to be done is:

  1. The software on at least one major company's router products to needs to change to incorporate strong device authentication such that each router inside the trusted community this creates can "know" with certainty which other member was the first one in the community to process an arriving message.

    The point here is simple: there is no such thing as free internet access - for every access, there is someone who pays. Putting internet edge routers inside a trusted community allows co-operating ISPs to securely embed and verify sender account information in every message at the point where that message is first placed on the internet.

  2. Some major mail clients and some major mail transfer agents will need to be modified to display sender account information.

  3. Some sample code should be provided to enable a multiple-to-one email response to an inappropriate transmission from a known sender by sending back a much larger number of responses.

Thus, for example, a phishing attack, originating on bot-ed PCs on a dozen local networks would draw a flood of emails arriving at the network gateways for the originating PCs. The PC operators, whether professionals or home users, would therefore quickly become aware of the problem and face a continued denial of service until they take remedial action - at which point the sending stops, and the denial of service therefore does too.

Notice that the source information is added to all packets by the first ISP owned router to handle them. As a result spoofing this (for example to create denial of service attacks on third parties) would be extremely difficult since the technology needed to secure router identification is well known and understood.

Basically two things happen: first whoever pays for the internet access being abused, intentionally or otherwise, faces the penalty and gets forced to take action. Secondly: phishers, spammers, and others maintaining their own offshore access accounts to receive responses -whether html page requests or email - get flooded by false responses and become unable to winnow the chaff from the paydirt: basically transferring the SPAM problem to its originators.

Put this structure in place using just one major company's router products and that company will have a significant short term market advantage - bringing the current flood of SPAM and other inappropriate network transmissions to a crashing halt.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.