From: Leon S. <lp...@cw...> - 2003-12-13 18:31:20
Ok, slightly off-topic, but spam and filtering has been an issue on this list as of late.

It's not hard to notice that the vast majority of spam "comes" from totally fictitious addresses. Why not have a simple protocol so that a filter could ask a server if a particular account exists or not? If it doesn't, then the email is obviously either spam, or somebody's client is badly misconfigured.

This would enable simple, conservative spam filters. I'll call this protocol "finger", even though it probably wouldn't be the same as RFC 1196. I'll refer to using finger for these types of filters as "canning."

I average about 30-35 spam emails a day now, not counting spam that sneaks through on mailing lists that I don't read or notice. Judging from my recent trash box, canning on just the domains "hotmail.com", "yahoo.com", "msn.com", and "microsoft.com" would get rid of a little less than half of my spam! The rest could be caught using other filtering techniques.

Do these domains have something that might work for a canner? Yahoo has profiles. For example, you can check out http://profiles.yahoo.com/user for any particular user. At first glance this might appear to work for our purposes, but careful observation and experimentation will reveal that there are valid email addresses that do not have a Yahoo Profile, and that there are Yahoo Profiles that are not valid email addresses.

I know a lot less about Hotmail. Hotmail does have a directory, but not every user name is listed in that directory.

I think this protocol should be a very simple UDP protocol. The requested email address would be stuffed into a single UDP packet, and the reply would be a single UDP packet containing the email address along with a yes or no.

Faked replies would be a major security issue here. In an extremely simple-minded canner implementation, a cracker could have all the email from a particular account deleted by simply forging a UDP packet. Fortunately, it is increasingly common that routers are properly configured for ingress and egress filtering, but it only takes a few misconfigured routers to create problems. Would padding the rest of the packet with a secure random number that would need to be echoed back in the reply be secure enough for this kind of application?

Another downside would be that spammers would be able to use finger to search for email addresses to spam. I'll call this use of finger "probing". Since finger is not a directory, they would have to randomly probe until they find an email address. In order for probing to become a problem in reality, it would have to net sufficient returns on the effort.

Theoretically, it would be impossible to distinguish sophisticated probers from legitimate canners. I can think of two lines of defense against unsophisticated probing:

1. Stochastic Analysis. I don't know what kind(s) of stochastic distribution(s) canning would typically generate, but certainly they would differ from unsophisticated probing.

2. Occasionally issuing false positives. If email is then later sent to this address, then you know that the request was a probe. This would allow a small amount of spam through the canners, but it would assist in the identification of probers. It would be possible to adjust the probability of a false positive based on other information about the finger request.

Of course, the real solution is to authenticate the sender via Public Key Infrastructure, but PKI has been very slow to come. Plus, you couldn't really use it to fix the spam problem on email. I'm pretty sure that spam is endemic to this obsolete protocol. (I'm not saying that it isn't important, indeed, it's my most valuable means of communication on internet. Cobol is very obsolete, yet it would be foolish to deny its importance or value, as much as I hate to attach those words to Cobol. :-)

best,
leon
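An added sketch (not code from this thread) of the single-packet exchange described in the message above, with the random padding echoed back in the reply. The packet layout, the 16-byte nonce and every function name are assumptions made for the illustration.

```python
import hmac
import secrets

NONCE_LEN = 16  # assumed size: 128 bits of padding from a CSPRNG


def build_request(address):
    """Client: return (packet, nonce); the nonce is kept to match the reply."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + address.encode("utf-8"), nonce


def build_reply(request, exists):
    """Server: echo the nonce, add a one-byte yes/no, repeat the address."""
    nonce, address = request[:NONCE_LEN], request[NONCE_LEN:]
    verdict = b"Y" if exists(address.decode("utf-8")) else b"N"
    return nonce + verdict + address


def parse_reply(reply, address, nonce):
    """Client: True/False for an accepted answer, None if the reply is rejected."""
    if len(reply) < NONCE_LEN + 1:
        return None
    got_nonce, verdict = reply[:NONCE_LEN], reply[NONCE_LEN:NONCE_LEN + 1]
    # Constant-time compare so the check leaks nothing about the nonce.
    if not hmac.compare_digest(got_nonce, nonce):
        return None
    if reply[NONCE_LEN + 1:] != address.encode("utf-8"):
        return None
    if verdict not in (b"Y", b"N"):
        return None
    return verdict == b"Y"


def demo():
    accounts = {"leon@example.org"}  # constructed sample data
    addr = "leon@example.org"
    request, nonce = build_request(addr)
    genuine = build_reply(request, accounts.__contains__)
    # A blind forger knows the address but has to guess the nonce.
    forged = secrets.token_bytes(NONCE_LEN) + b"N" + addr.encode("utf-8")
    # A rejected reply (None) means "no answer": keep the mail, do not delete it.
    return parse_reply(genuine, addr, nonce), parse_reply(forged, addr, nonce)
```

The echoed nonce only stops a forger who cannot see the request; anyone on the network path can read the nonce and echo it back.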
From: Carsten S. <ca...@gn...> - 2003-12-13 19:03:11
Hi Leon!

On Sat, Dec 13, 2003 at 01:48:51PM -0500, Leon Smith wrote:
> It's not hard to notice that the vast majority of spam "comes" from
> totally fictitious addresses. Why not have a simple protocol so
> that a filter could ask a server if a particular account exists or
> not?

I am not at all knowledgeable in this field, but afaik the SMTP command VRFY was defined for that purpose but is not popular.

Regarding spam in general: I have started using SpamAssassin a few days ago (ok, at the moment it is more `playing with' than `using' :-), and it seems to work very well. It uses a combination of ad hoc rules and statistical analysis (requiring training, but offering automatic training). I am confident that this will make spam a non-issue for me.

Greetings,

Carsten

--
Carsten Schultz (2:38, 33:47), FB Mathematik, FU Berlin
http://carsten.fu-mathe-team.de/
PGP/GPG key on the pgp.net key servers,
fingerprint on my home page.