Re: UCE - a simpler approach using just digital signing?
> One idea I have not seen mentioned here (and which I have not yet
> encountered in RL, but only weird people send me email these days) is
> for the sending MTA to use pgp to encrypt mail using the recipient's
> public key, available on one of the key servers near you.

I don't understand what problem this is intended to solve. Bad guys can look up PGP keys just like good guys, so all this would accomplish would be to fill your inbox with signed spam.

Perhaps it would be useful to make a section of the ASRG wiki in which we describe the difference between the spam problem and the other problems that people confuse with the spam problem, such as the introduction problem and (more familiar to cryptographers) the authentication problem, the interception problem, the non-repudiation problem, and doubtless others that I can't think of just now.

R's,
John

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: UCE - a simpler approach using just digital signing?
[Sorry for ummm spamming John, my third attempt to send mail to the whole list, caused by vanity email domains not playing well with fascist majordomo settings - agc]

On Sat, Jan 31, 2009 at 07:55:50PM -, John Levine wrote:
> The ASRG is still eager to hear from people who want to do just about
> anything related to spam other than hash over known-ineffective old
> ideas. See http://wiki.asrg.sp.am.

One idea I have not seen mentioned here (and which I have not yet encountered in RL, but only weird people send me email these days) is for the sending MTA to use pgp to encrypt mail using the recipient's public key, available on one of the key servers near you.

Leaving out everyone's discomfort with their least favourite privacy software, the sending MTA would then have significant work to do in order to convince the receiving MTA to accept the mail. Mailing list managers would have to do non-trivial amounts of work when exploding to various list members, admittedly; but we now have a use for all the computing horsepower that is coming down the line.

But all in all, the onus would be back on sending MTA to do non-trivial work to convey stuff to my email address.

Regards,
Alistair
RE: UCE - a simpler approach using just digital signing?
On Saturday, January 31, 2009 6:36 AM, Sascha Silbe wrote:
> Another scheme (that could be combined with the above one to solve only the
> CC party problem) would be accepting only PGP mail and use a manually updated
> whitelist / web of trust of PGP keys. Unfortunately, PGP still isn't widespread
> enough to reject non-PGP mails and the ones not using it are often far more
> susceptible to address harvesting malware, limiting the usefulness of such a filter.

On Saturday, January 31, 2009 2:56 PM, John Levine wrote:
> This has the same fundamental problem as Zoemail and any other white list system.
> It's really easy to implement a white list. Unless your name is Paypal, the amount
> of mail forging your address is vanishingly small, and the utterly insecure From: line
> address works just fine for practical purposes. I use that to manage my 12 year old
> daughter's mail.

On Saturday, January 30, 2009 6:17 PM, John Levine wrote:
> This is the wrong place to go into detail about its limitations, although it should be
> self-evident that if it were effective, sometime in the past 13 years we'd have started
> using it.

Though John's January 30th note was about Zoemail, I am reacting to the words "PGP still isn't widespread" in Sascha's post about PGP.

I also was once under the assumption that I should always have PGP installed. I was able to verify signatures, and I thought that one day, most people would gravitate to PGP in some form. However, losing a fight with PGP Support over whether the enterprise plug-ins I was requesting for a corporation would reduce the security level of their product (long story about trying to integrate it with single sign on), and also spending many hours over three months trying to install the commercial version on Vista, only to have the PGP engineers tell me that I would have to uninstall all my other Outlook plug-ins for them to continue working on the problem (e.g. card scanner), I realize that it will never be the solution of choice for either commercial enterprise or home office given its current support model. I have not used it since July and have not missed it a bit.
Re: UCE - a simpler approach using just digital signing?
> That's basically what I'm using, just without the digital signature
> part: each person/organisation/website/whatever gets a different email
> address for communicating with me (qmail makes this easy to implement)

I do that too -- I bet half the people on this list do, and there's lots of free and commercial services like Yahoo and Spamex who will let you do it. But it's not much of a solution to spam because it requires significant manual work to maintain the addresses, and only deals with places where you individually give them the address to send mail to.

> Another scheme (that could be combined with the above one to solve only
> the CC party problem) would be accepting only PGP mail and use a
> manually updated white list

This has the same fundamental problem as Zoemail and any other white list system. It's really easy to implement a white list. Unless your name is Paypal, the amount of mail forging your address is vanishingly small, and the utterly insecure From: line address works just fine for practical purposes. I use that to manage my 12 year old daughter's mail.

But whitelists replace the spam problem with the equally intractable introduction problem, deciding whether to accept the first message from someone you don't know. People have been thinking about that for a long time (indeed, for millennia in contexts other than e-mail) and the snarky comments I made yesterday about wonderful anti-spam ideas apply here, too.

The ASRG is still eager to hear from people who want to do just about anything related to spam other than hash over known-ineffective old ideas. See http://wiki.asrg.sp.am.

R's,
John
Re: UCE - a simpler approach using just digital signing?
On Fri, Jan 30, 2009 at 01:47:23PM -0800, Ray Dillinger wrote:
> Each time Fred gives out his email address to a new sender, he creates
> a trust token for that sender. They must use it when they send him mail.

That's basically what I'm using, just without the digital signature part: each person/organisation/website/whatever gets a different email address for communicating with me (qmail makes this easy to implement); mailing list and bugtracker addresses are filtered to accept only mail with the correct headers.

It works much better than content filters, but it's basically limited to 1:1 communication (with a mailing list looking like a single entity as it forwards traffic both ways). Most importantly, it breaks for CC parties (*). Address lists on paper given out to a large number of participants are problematic as well (those utilizing paper lists are mostly non-tech-savvy - thus prone to attacks - and changing the address is hard due to the long update interval of the list).

To get on-topic again: Another scheme (that could be combined with the above one to solve only the CC party problem) would be accepting only PGP mail and use a manually updated whitelist / web of trust of PGP keys. Unfortunately, PGP still isn't widespread enough to reject non-PGP mails and the ones not using it are often far more susceptible to address harvesting malware, limiting the usefulness of such a filter.

(*) CC party: group discussion without predetermined participants (so no mailing list could be set up in advance)

CU Sascha

--
http://sascha.silbe.org/
http://www.infra-silbe.de/
Re: UCE - a simpler approach using just digital signing?
On Fri, Jan 30, 2009 at 1:47 PM, Ray Dillinger wrote:
> This is basic digital signatures; it would work.

What's your transition plan? How do you deal with stolen "trust tokens"? (Think trojans/worms.)

Also see: http://craphound.com/spamsolutions.txt

--
Taral
"Please let me know if there's any further trouble I can give you." -- Unknown
Re: UCE - a simpler approach using just digital signing?
Hi. One of the hats I wear is the chair of the Anti-Spam Research Group of the Internet Research Task Force, which is down the virtual hall from the IETF.

You know how you all feel when someone shows up with his super duper new unbreakable crypto scheme? Well, that's kind of how I feel here. Dealing with spam is surprisingly subtle, a lot of smart people have been thinking about it for a long time, and most new ideas turn out to be old ideas with well known flaws or limitations.

> Consider the implications of a third field, or "trust token," which
> works like a "password" to fred's mail box. Your mailer's copy of
> fred's email address would look like "fred#to...@example.com" where
> "token" was a field that was your own personal password to fred's
> mailbox.

It's not a bad idea. Its best known implementation was done in 1996 by Robert Hall of AT&T Labs who called it Zoemail. You can learn all about it in US Patent 5,930,479. This is the wrong place to go into detail about its limitations, although it should be self-evident that if it were effective, sometime in the past 13 years we'd have started using it.

You're all welcome in the ASRG, which has a wiki at http://wiki.asrg.sp.am with pointers to the mailing list and other resources. One of our slow moving projects is a taxonomy of anti-spam techniques, both ones that work and ones that don't work. If you'd like to contribute, drop me a note and I'll give you a password so you can edit it.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
Re: UCE - a simpler approach using just digital signing?
On Jan 30, 2009, at 4:47 PM, Ray Dillinger wrote:
> I have a disgustingly simple proposal.

[Basically, always include a cryptographic token when you send mail; always require it when you receive mail.]

There is little effective difference between this and whitelists. If I only accept mail from people on my whitelist, spammers can only send me mail through three modes of failure:

1. They randomly pick a return address that happens to match someone on my whitelist. I think we can agree that this is rare enough that it isn't worth worrying about.

2. A spammer somehow finds pairs of people S and R, where S sends to R, and fakes S as the sender for spam directed to R. This would be a new mode of attack - spammers today just spurt out millions of messages based on very little information. Sure, someone *could* start this kind of attack - but it's difficult to get the necessary information to mount it, and it seems unlikely that it would make economic sense to spammers, who can live with tiny response rates because they can so cheaply generate targets.

3. This is a variant of (2) that actually does occur today: The spammer takes over S's machine and sends to the same people S sends to. Viruses try to spread by this mechanism; they often succeed. In principle, a spammer could write a virus that simply sent the (S,R) information from the infected machine, though I don't know that they've ever bothered.

Either a type 3 attack, or a type 2 attack where the information comes from invading S's machine, can of course just as easily grab all the tokens on S's machine. The solution proposed is that this will be noticed quickly, and the tokens will be marked as no longer valid. But that's really no different from R simply removing S from his whitelist.

Really, cryptography is a non-issue here. As long as S and R share some information - even S's address will do - that R can use to filter messages; and there is no cheap way to get large amounts of (S,R)-pair information; that information can be the key to a whitelist. (Some mailing lists do this: E.g., if you want to post to RISKS, you're asked to include the string "notsp" at the beginning or end of the subject line. This is public information, so a spammer could easily do this *if he chose to specifically target the RISKS mailing list*; but there's no way he can do this automatically on a mass scale. An individual could easily reach a similar agreement with anyone sending him mail.)

Of course, the downside is that you can now *only* receive mail from those on your (logical) whitelist. That's fine in some cases, unacceptable in others. You can semi-automatically grow your whitelist by sending using some kind of challenge/response. For example, if you could send back the message with a note saying: "You're not on my whitelist, if you want to reach me resend this message with 'xyzzy' in the subject line." Spammers don't bother to look for such messages right now (though if you made this automatic enough, and enough people adopted it, they would have a reason to!) so they won't be able to sneak on your whitelist that way. However, many people writing to you won't want to be bothered - and automated mailings that you *do* want to receive and don't know the details of ahead of time (e.g., approval messages for mailing list requests you make) won't get through either.

-- Jerry
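
An added example, not part of any post in this thread: a receiver-side check for the per-sender trust token idea discussed above, showing that revoking a copied token is the same operation as removing the sender from a whitelist. The HMAC derivation (used here in place of the digital signatures the thread mentions), the `local#token@domain` layout, the class and function names, and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # Fred's private token key (constructed)

def issue_token(sender: str, secret: bytes = SECRET) -> str:
    """Per-sender token: truncated HMAC-SHA256 over the sender's address."""
    mac = hmac.new(secret, sender.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

class TokenMailbox:
    """Receiver-side check for recipient addresses of the form local#token@domain."""

    def __init__(self, local: str, domain: str, secret: bytes = SECRET):
        self.local, self.domain, self.secret = local, domain, secret
        self.revoked = set()  # senders whose tokens are no longer honoured

    def address_for(self, sender: str) -> str:
        return f"{self.local}#{issue_token(sender, self.secret)}@{self.domain}"

    def revoke(self, sender: str) -> None:
        self.revoked.add(sender.strip().lower())

    def accept(self, rcpt_to: str, mail_from: str) -> str:
        local_part, _, domain = rcpt_to.rpartition("@")
        name, sep, token = local_part.partition("#")
        if name != self.local or domain.lower() != self.domain:
            return "reject: unknown recipient"
        if not sep or not token:
            return "reject: no token"
        expected = issue_token(mail_from, self.secret)
        if not hmac.compare_digest(token.lower().encode(), expected.encode()):
            return "reject: token does not match sender"
        if mail_from.strip().lower() in self.revoked:
            return "reject: token revoked"
        return "accept"

def demo() -> list:
    box = TokenMailbox("fred", "example.com")
    alice = "alice@example.org"  # constructed correspondent
    addr = box.address_for(alice)
    results = [
        box.accept("fred@example.com", "bulk@example.net"),  # bare address, no token
        box.accept(addr, "bulk@example.net"),  # token bound to a different sender
        # The receiver cannot tell Alice from mail using a token copied off her machine.
        box.accept(addr, alice),
    ]
    box.revoke(alice)  # the only remedy; equivalent to un-whitelisting Alice
    results.append(box.accept(addr, alice))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

After `revoke`, Alice's own mail is rejected along with any mail using the copied token until she is issued a fresh one, which is the whitelist-removal equivalence Jerry describes.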