% fortune -ae paul murphy

Killing off SPAM

Number five in my "top five VC proposals I'd like to write" blog from a few weeks ago was a proposal on ending SPAM.

Frequent contributor CobraA1 challenged me on this:

You'll have to explain this in detail - I'm not sure I see exactly what you are proposing, or how it solves the problem.

So, since this is unofficially follow-up week, I thought I'd follow up by reproducing, with only very minor changes, my blog entry from October 11, 2005 under the title SPAM, Phishing, and other trash transmissions.

----put time shift here-- ;-)

One Nick FitzGerald, a long-time PC security researcher, has been making the news lately with a paper dedicated to the proposition that user authentication isn't all that effective as a means of stopping spam, phishing, and other forms of junk TCP/IP transmissions.

Here's the summary provided by Virus Bulletin:

SPF, Caller-ID, Sender ID and DomainKeys are all, to varying degrees, user authentication schemes being actively pushed as anti-spam measures - things that will slightly change how we do email but significantly reduce, if not eliminate, spam and keep it down. All such claims are based on a naive belief in the power of user authentication to beat the spam problem.

Sadly, the common claim that these approaches will greatly reduce spam is not only a misguided idealisation of what may be achievable, but it is downright wrong-headed. The chance to make a buck may be behind one or two of the major players pushing for such solutions, but mainly the inability of these approaches to deliver what is so often promised is apparently due to abject ignorance of how the world is already really working in ways that render these proposals useless. This paper will point out a few nasty facts about spam and spamming that the SPF, etc. folk have either entirely missed or chosen to ignore, then proceeds to explain why these realities not only make SPF, etc. irrelevant as anti-spam approaches, but also all but entirely remove the real, but very small, advantages the more conservative sometimes claim for these approaches.

I haven't been able to get the full paper yet, but other things he's said suggest that the core objections come down to how easy it is to spoof all forms of Sender ID, how enforcement assumptions violate the realities of ISP economics, and how resistant the PC community is to security motivated procedural change.

As I've said elsewhere, fixing the inappropriate internet use problem is easy: all it requires is the will to do it and some minor changes in router and email software.

Specifically what needs to be done is:

  1. The software on at least one major company's router products needs to change to incorporate strong device authentication, such that each router inside the trusted community this creates can "know" with certainty which other member was the first one in the community to process an arriving message.

    The point here is simple: there is no such thing as free internet access - for every access, there is someone who pays. Putting internet edge routers inside a trusted community allows co-operating ISPs to securely embed and verify sender account information in every message at the point where that message is first placed on the internet.

  2. Some major mail clients and some major mail transfer agents will need to be modified to display sender account information.

  3. Some sample code should be provided to enable a many-to-one response: for each inappropriate transmission from a known sender, a much larger number of responses is sent back to that sender's account.

Thus, for example, a phishing attack originating on botted PCs on a dozen local networks would draw a flood of emails arriving at the network gateways for the originating PCs. The PC operators, whether professionals or home users, would therefore quickly become aware of the problem and face a continued denial of service until they take remedial action - at which point the sending stops, and the denial of service therefore does too.

Notice that the source information is added to all packets by the first ISP-owned router to handle them - and the first and last routers to handle a packet authenticate to each other. As a result, spoofing this (for example to create denial of service attacks on third parties) would be extremely difficult, because the technology needed to provide secure router identification is well known and understood.

Basically two things would happen. First, whoever pays for the internet access being abused, intentionally or otherwise, faces the penalty and gets forced to take action. Second, phishers, spammers, and others maintaining their own offshore access accounts to receive responses - whether HTML page requests or email - would get flooded by false responses and become unable to winnow the chaff from the paydirt: basically transferring the SPAM problem to its originators.

Put this structure in place using just one major company's router products and that company will have a significant short term market advantage - bringing the current flood of SPAM and other inappropriate network transmissions to a crashing halt.

----pop back to the present here --

Since that was published, Microsoft has announced its intention to detox Sender ID from a legal perspective, but I see that as irrelevant because FitzGerald was right: it's too easy to spoof and will create at least as many problems as it addresses.

Consider, however, what happens with my approach. Let's say the City of Toronto establishes a free WiFi service for its downtown and a PC with access to that service gets "botted." It starts to spew SPAM, and for every message it sends out the account owner gets ten back. Now, even if all such mail is automatically directed to bit heaven, how long do you think it will take them to notice that a lot of services are slowing down, and therefore to figure out what's going on and take remedial action?

My guess is that the first time this happens it will take something in the range of half a day to notice - and then another day for them to make the decisions needed to track down and shut down the offending device. The second time it happens, however, that reaction delay will be down to a few hours - and it will just keep getting shorter after that, ultimately eliminating the spammer's bot advantage.

Alternatively, consider Joe Average: he's paying for his teenager's internet account and doesn't have clue one that the PC is being used to SPAM thousands - but the teenager involved will be denied internet service by the response and can either accept responsibility for his own inaction or stay off the net. Either way, the spam stops.

Basically, all the system has to do is ensure that the response is always correctly tied to spam generation - i.e. it stops as soon as the spam does - and exceeds the typical account holder's pain threshold. Really, there's nothing to making this work - all it takes is the will to make it happen and one router manufacturer to lead the way.
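To make the three-step proposal above and the "stops as soon as the spam does" feedback loop concrete, here is an added Python model; it is not code from the original post or from any router vendor. A per-ISP shared key (constructed here, exchanged out of band) stands in for the router-to-router authentication the proposal assumes; the first-hop router stamps the paying account onto each message and authenticates the stamp with an HMAC, the last hop verifies it before anything else happens, and only verified abusive messages generate the many-to-one response. The ISP names, account names, the ten-to-one RESPONSE_RATIO and the looks_like_spam() filter are all hypothetical stand-ins.

```python
import hashlib
import hmac
from collections import Counter

# Constructed per-ISP keys standing in for the router-to-router authentication
# the post assumes; real edge routers would authenticate with certificates or
# IPsec. Key exchange between co-operating ISPs is assumed to happen out of band.
ISP_KEYS = {
    "isp-a.example": b"constructed-key-isp-a",
    "isp-b.example": b"constructed-key-isp-b",
}

# Hypothetical ratio: ten responses for every verified abusive message.
RESPONSE_RATIO = 10


def _tag_input(isp, account, payload):
    # Length-prefix each field so "a|b" cannot be confused with "a" + "|b".
    return b"".join(len(f).to_bytes(4, "big") + f
                    for f in (isp.encode(), account.encode(), payload.encode()))


def first_hop_tag(isp, account, payload):
    """First ISP-owned router stamps the paying account onto the message and
    authenticates the stamp with the ISP's community key."""
    mac = hmac.new(ISP_KEYS[isp], _tag_input(isp, account, payload),
                   hashlib.sha256).hexdigest()
    return {"isp": isp, "account": account, "payload": payload, "tag": mac}


def last_hop_verify(msg):
    """Last router (or receiving MTA) checks the stamp before trusting the
    account field. Unknown ISPs and bad tags fail closed."""
    key = ISP_KEYS.get(msg.get("isp"))
    if key is None:
        return False
    expected = hmac.new(key, _tag_input(msg["isp"], msg["account"], msg["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("tag", ""))


def looks_like_spam(payload):
    """Constructed stand-in for a real content filter."""
    return payload.lower().startswith("spam:")


def route_responses(messages):
    """Decide where responses go. Returns (responses_per_account, dropped).
    Only messages with a verified tag can generate responses, so a forged
    account field cannot aim the response volume at a third party."""
    responses = Counter()
    dropped = 0
    for msg in messages:
        if not last_hop_verify(msg):
            dropped += 1
            continue
        if looks_like_spam(msg["payload"]):
            responses[(msg["isp"], msg["account"])] += RESPONSE_RATIO
    return responses, dropped


def simulate_rounds(spam_per_round, isp="isp-a.example", account="acct-42"):
    """Model the feedback loop from the post: a botted PC behind `account`
    sends spam_per_round[i] messages in round i; the account receives
    RESPONSE_RATIO responses per message and nothing once the spam stops."""
    received = []
    for n in spam_per_round:
        batch = [first_hop_tag(isp, account, f"spam: offer #{i}") for i in range(n)]
        responses, _ = route_responses(batch)
        received.append(responses[(isp, account)])
    return received


if __name__ == "__main__":
    # Rounds: 100 spam messages, still 100, then the PC is cleaned up.
    print(simulate_rounds([100, 100, 0]))  # [1000, 1000, 0]

    # Spoof attempt: the account field is rewritten to point at a victim.
    forged = first_hop_tag("isp-a.example", "acct-42", "spam: fake")
    forged["account"] = "victim-account"
    responses, dropped = route_responses([forged])
    print(dropped, dict(responses))  # 1 {}
```

The ordering inside route_responses() is the check a practitioner wants: the tag is verified before the content filter runs, so an unverified or forged stamp is dropped rather than turned into ten responses aimed at whoever the forger named. In a deployment the responses would be delivered to the stamped account's gateway rather than returned as a count, but the accounting is the same.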

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.