Sean’s Obsessions

Sean Walberg’s blog

What’s the Solution to Spam?

“Solution” is a strong word, but what can we do to reduce spam? Craig from Securely Speaking asked whether using a public list of open relays as input to a firewall ACL was a good idea. I think not, but what is?

One of the problems with reducing spam is determining the identity of the sender. SMTP provides no security: a message from president@whitehouse.gov could just as easily be coming from a Viagra dealer as from the president.

Most spam is sent through open relays, that is, mail servers that are misconfigured such that anyone can send email through them. This makes it more difficult to trace the source of spam. There are various projects to track these things, but ultimately they don’t solve the problem.

No, the solution resides either with the recipients of the email, or their email server.

Fax effect: The value of a technology/item becomes greater as more people adopt it.

The idea here is to make the solution work only when both sides implement the technology. Just like the humble fax machine, if you want to receive faxes, you must have a fax machine yourself.

So, I present two possible solutions:

The first is to authenticate the MTA-MTA communication. Each MTA has a certificate signed by a Certificate Authority that states the name of the operator. Messages from a signed MTA are not spam. Anything else is suspect.

Here’s how sendmail does it

Certificates can be issued either by the existing CAs or by a new CA for this specific purpose. ISPs can then sign customer certificates with their keys, which would help reduce the cost.

The idea behind certificates is to assign responsibility for an MTA to a person or business. If spam is received from an MTA, there is someone who can be held accountable.
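A receiving-side check for this first option, added here as an example and not taken from the original post or from sendmail itself. It assumes the receiving MTA is sendmail with STARTTLS enabled, which records the result of checking the sending MTA's certificate as `verify=...` in the Received header it adds; the host names and messages are constructed.

```python
import re
from email import message_from_string

# Assumption: our MTA (sendmail with STARTTLS) appends
# "(version=... cipher=... bits=... verify=...)" to its own Received header.
VERIFY_RE = re.compile(r"\bverify=([A-Z]+)")

def classify(raw_message: str) -> str:
    """'authenticated' if our MTA verified the sending MTA's certificate,
    otherwise 'suspect' (the post's rule: anything else is suspect)."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return "suspect"
    # Only the topmost Received header was written by our own MTA. Every
    # header below it arrived with the message and can be forged.
    match = VERIFY_RE.search(received[0])
    return "authenticated" if match and match.group(1) == "OK" else "suspect"

def make_message(*received_headers: str) -> str:
    """Build a constructed sample message, topmost Received header first."""
    lines = [f"Received: {h}" for h in received_headers]
    lines += ["From: president@whitehouse.gov", "Subject: hello", "", "body"]
    return "\n".join(lines)

HOP = "from mta.example.net by mx.example.org"  # constructed host names
TLS = "(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify={})"

SAMPLES = {
    # Sending MTA presented a certificate that chained to a trusted CA.
    "signed": make_message(f"{HOP} {TLS.format('OK')}"),
    # TLS was used, but the sending MTA presented no certificate.
    "no_cert": make_message(f"{HOP} {TLS.format('NO')}"),
    # Plain SMTP: sendmail adds no TLS clause at all.
    "plaintext": make_message(HOP),
    # Sender forged an older hop claiming verify=OK; our own hop has none.
    "forged": make_message(HOP, f"from a.example by b.example {TLS.format('OK')}"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {classify(raw)}")
```

The forged sample is the case to watch: a filter that searches every Received header for `verify=OK` would accept it.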

The second idea is simpler, but not as effective. Encrypt and sign your email using something like GnuPG. (I gave a presentation on this a while ago.)

As more people encrypt their email, anything that isn’t encrypted can be considered suspect (the side effect of privacy is, of course, a bonus). With the web of trust, there is no need for a CA, so this option is free. However, this only works per user, rather than per site as with the first option.

Stopping spam will only happen when we become more careful about who we communicate with, and establish a system for verifying identities.

Sean
