Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Communications Crime Spam The Internet

Could We Eliminate Spam With DMARC? (zdnet.com) 124

An anonymous reader writes: "The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing.
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.
This discussion has been archived. No new comments can be posted.

Could We Eliminate Spam With DMARC?

Comments Filter:
  • Nonsense (Score:1, Insightful)

    by NeoStrider ( 709049 )
    I have both DMARC and SPF installed and configured correctly... I still get spam! All the spammer has to do is also set up SPF and DMARC.
    • Re:Nonsense (Score:5, Informative)

      by QuietLagoon ( 813062 ) on Saturday March 18, 2017 @11:53AM (#54065851)

      I have both DMARC and SPF installed and configured correctly... I still get spam! ...

      DMARC and SPF are for senders, not recipients. You can set up DMARC and SPF all you want for your domains, but if the senders who send you mail do not set it up for *their* domains, and you do not reject emails that DMARC flags for you, then you're going to continue getting spam.

      .
      And that's the point of TFA. More email senders have to set up DMARC, et al. When enough have set up DMARC, then it will be possible for your server to reject most spam.

      All the spammer has to do is also set up SPF and DMARC.

      With the authenticated sender (via DMARC and SPF) you would know it is a spammer. That's the point

      • Only if the spammer doesn't use the same server/service as your sender or hasn't set up DMARC/SPF themselves. E-mail was built to be decentralized and robust, there are two problems with the current approaches:

        DMARC/SPF - pretty much any anti-spam - relies on the cooperation of both senders and/or receivers and making things less robust so you can "break" the robustness for bad people and keep it in tact for good people. You require the cooperation of a significant number of people to keep sort of trust up

      • Just look at the scores that Spamassassin applies to DKIM. They are so low that DKIM makes no significant difference.
      • And that's the point of TFA. More email senders have to set up DMARC, et al. When enough have set up DMARC, then it will be possible for your server to reject most spam.

        DMARC isn't really a spam filtering system (nor are its components SPF and DKIM), just an "is this email from foo@bar.com actually from bar.com". If I'm getting spam from ilovespam.com it's not going to do much good.

        • In theory, it's a lot easier to sue ilovespam.com and get it shut down and that should eventually result in less spam.

      • Apart from the fact that spammers are increasingly using legitimate email services for spam (which means, regardless of DMARC and SPF, means you're right back to Bayesian filters), the fundamental problem with DMARC, SPF or any other kind of email "authentication" system is that it fundamentally constitutes a chicken-and-egg problem. Without widescale adoption, you can't really use these techniques as a binary deliver/drop test, but so long as you can't filter email on the presence of an SPF or DMARC header

      • by mwvdlee ( 775178 )

        DMARC can only ever block fake mail pretending to be sent from legit domain names.
        It's mostly to prevent phishing, not spam.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        With the authenticated sender (via DMARC and SPF) you would know it is a spammer. That's the point.

        My what a rose-colored world you live in.

        Our domain receives about 1,500 mails per day that pass SPF validation. There's a cartel of spammers that are registering throw-away domains with SPF records that include their zombie senders' IP addresses. Thankfully we have other techniques to filter out those 1,500 messages with around 0.5% false positives. Since spammers have full control over their zombie network I

      • by ebvwfbw ( 864834 )

        Google seems to make this work. I didn't used to have SPF and such set up. I tried to send a friend an e-mail. It went directly to his spam folder. I checked it out with my own google account, same thing. It had a little message why. So I put the whole framework in and google will happily take my e-mail.

        Still like to see these people go to jail. It's a business. Organized crime. They have campaigns. Ransomware, Spam, Phishing, Malware, etc.

    • Spam has economic, legal, technical and psycological causes. That suggests that if you try and treat it as a technical problemalone, you're going to wonder why it isn't fixed already.

      I live in Canada, where spammers get fined, over the loud objections of the sleasy side of the business community, and it's having an effect in tle legal and pyscological domains. This summer, the law will also allow suing spammers, which takes it into the ecomomic dimain as well.

      If this, along with technical solutions like spa

      • Spam has economic, legal, technical and psychological causes.

        Apparently, so does Twitter ... :-)

      • by rtb61 ( 674572 )

        The next step is then obvious, fine those companies that pay for that spam as well. Catch a spammer, go through his spam history and fine those companies that paid them.

        • by davecb ( 6526 )

          ... Catch a spammer, go through his spam history and fine those companies that paid them.

          Follows naturally from opening it up to lawsuits: "if you were paid to do this, testify against the payer and we'll let you off easy".

          Thanks, that's a good arguement for opening it up ti suits.

  • Human caused problems generally are easy to solve but are not because established interests prevent them.

    Email spam is entirely due to the total absence of sender verification. Require some form of sender verification with the ability to complain (and block those with excessive complaints) and you solve the issue.

    • by Fly Swatter ( 30498 ) on Saturday March 18, 2017 @12:04PM (#54065919) Homepage
      The same problem exists for fixing caller id.
    • What if someone gets control over your computer, and sends out spam using your credentials ?

      • First you have to fix it. If you don't, then you don't deserve to send out email. Because right now, many criminals take over computers and use them to send out spam and the computer's owner does not fix it.

        Second, you have to drop that email account and use another one. Not that hard, they are free from gmail, prrotonmail, outlook, yahoo etc. If your entire email server is pawned, then you have to change the domain. Consider it the appropriate punishment for failing to maintain proper security - it's

  • by rainwalker ( 174354 ) on Saturday March 18, 2017 @11:44AM (#54065809)

    "No."

    See, that was easy! Technological solution to a sociological problem, and so on.

  • Barracuda (Score:5, Interesting)

    by darkpixel2k ( 623900 ) on Saturday March 18, 2017 @11:45AM (#54065811)
    I'm not impressed with Barracuda. A client made a decision to buy a Barracuda against my recommendations. I installed it and couldn't find DMARC settings anywhere. It turns out they support validating inbound DMARC, but they won't sign anything outbound. I had to set up an external Haraka mail server that blindly accepted all mail from the IP of their Barracuda, signed it, and attempted to deliver it. It's such a pile of garbage.

    On another note, if you send a ~45 MB attachment to the device, apparently it clogs up and refuses to deliver. Other mail will go through without problems, but you have to call their tech support to 'force' it through.

    Barracuda is a terrible, over-priced, barely-functional product.
    • I thought it was just a repackaged derivative of SpamAssassin.

      • Re:Barracuda (Score:4, Interesting)

        by darkpixel2k ( 623900 ) on Saturday March 18, 2017 @02:28PM (#54066501)

        I thought it was just a repackaged derivative of SpamAssassin.

        Yeah, that's basically it in a nutshell.

        Nothing you can't rapidly duplicate with a Debian install and a few salt or puppet scripts. I tested it against the previous Haraka install with spamassassin, dspam, clamav, and their 'karma' plugin, and the accuracy of the Barracuda sucked in comparison.

      • It is but the configuration isn't directly editable and seems to be both made by and targeted towards the clueless end user. (TiVo-ization)

  • Clueless idiot (Score:5, Informative)

    by mrsam ( 12205 ) on Saturday March 18, 2017 @11:49AM (#54065829) Homepage

    Thank you Mr. Edmunds, "the head of technology from the cybercrimes division of the U.K.'s National Crime Agency" for informing the citizens of the U.K. that their "head of technology from the cybercrimes of the U.K.'s National Crime Agency" is technically incompetent, and is utterly clueless on the subject matter he's blathering about.

    There's nothing about SPF, Dmarc, or DKIM, that magically identifies the attached email as spam or not. There is no such tag in the email that identifies it as such. All that those technologies do is establish, in varying degrees of certainty, that the purported sender of the email is who it claims to be. Which, obviously, has nothing to do with spam.

    As Benny Hill would've said: BIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIG deal...

    More than half of the crap in my spam folder has DKIM headers. I have SPF validation turned on. More than three quarters of the spam in my folder passes SPF checks. That pretty much there makes Mr. Edmunds look like a bloody moron. The only fact that they establish is its proven sender's domain name.

    SO FUCKING WHAT? Did someone drop this moron in his head, as a child, or what? Is it too much for that knucklehead to comprehend that anyone can register a new domain, establish valid DKIM and SPF keys, to authenticate the domain, that start spewing spam, non-stop, from it? And every last drop of that spam will pass every SPF, DKIM, and alphabet soup that he throws at it. It is true that some portion of the spam from hijacked and hacked zombies will fail SPF/DKIM validation. But this will fail, by far, to be the complete solution for spam, unlike what that knucklehead claims. Is this really so complicated to understand?

    • As Benny Hill would've said: BIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIG deal...

      I first thought that was some sort of progress bar and thought, "Cool. How'd he do *that* on /." but, sadly, there's no "I" in progress bar.

  • by Anonymous Coward on Saturday March 18, 2017 @11:50AM (#54065831)

    Your post advocates a

    (x) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (x) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    (x) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (x) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (x) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    (x) Bandwidth costs that are unaffected by client filtering
    (x) Outlook

    and the following philosophical objections may also apply:

    (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    (x) Blacklists suck
    (x) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    (x) Sending email should be free
    (x) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

    • by MightyMartian ( 840721 ) on Saturday March 18, 2017 @11:55AM (#54065867) Journal

      Thank you. It's good to see the ol' "your anti-spam technique is a fail" form. Christ, I bet you can go back 11 or 12 years and see this exact same story on Slashdot.

      It boils down to this. If you want your MTA to function as a general open email transport system, you cannot kill messages based upon whether they pass or fail solutions like DMARC. There's some logic to weighting failures of SPF checks and the like to make it more likely that a failed message will be rejected, but to actual use SPF and its kin as a sort of yes/no logic gate would lead to an unbelievable number of false positives, and I question the legitimacy of anyone claiming to be some sort of cybersecurity expert who claims such solutions are the be-all and end-all.

      • by Megane ( 129182 )

        Thank you. It's good to see the ol' "your anti-spam technique is a fail" form. Christ, I bet you can go back 11 or 12 years and see this exact same story on Slashdot.

        It was already old on Usenet before it reached Slashdot.

    • Yeah! Its been so long, I'm glad this story came along.

    • Comment removed based on user account deletion
  • by Anonymous Coward

    OR!
    Every time you positively IDs someone running a big spam operation, raid their residence and shoot them in both kneecaps.
    After it happens four or five times the rest of the spammers will probably find another hobby.

  • by 0ryn ( 471109 ) on Saturday March 18, 2017 @11:53AM (#54065843) Homepage

    Most of the spam that I get comes from hacked accounts where people have used crap passwords that are easily guessed.

  • Email outsourcing companies don't seem to place much value on following rules like SPF and DMARC. A lot of the false positives we get in quarantine are from senders using email outsourcing or "relationship management" companies. After all, the company gets paid by their customer for sending the mail, and has no real accountability whether the customer's email is properly formatted and delivered.

    And with large institutions (particularly universities) moving to outsource email and other IT services, this pr

  • by bferrell ( 253291 ) on Saturday March 18, 2017 @11:55AM (#54065865) Homepage Journal

    it doesn't eliminate all, but it's cut my span significantly

  • by eneville ( 745111 ) on Saturday March 18, 2017 @12:01PM (#54065891) Homepage

    The majority of malware and spam come from botnet controlled accounts on valid domains. Most of the 419 spam originates at gmail. Not because gmail is worst, but it's because it's a trusted source of mail.

    The reason I say this is not going to work is that you will get spam on any popular communication mechanism. Facebook gets quite a bit now, that's not email, and they control both the sender and the receiver, the spam could be zapped before you know about it, you're just seeing that which got through the filters from a sender that has not been reported.

    • No free-email account system should be considered a trusted source of email, nor a primary account for anyone with half a brain.

      You use free-email account systems for throw-away crap and as such any legitimate email service should be scoring emails from them lower.
      • That simply isn't the case. Countless numbers use gmail and outlook for their primary email as they use the biggest providers as they are unable to set their own up. This type of person would only add to the spam problem as they would be unlikely to maintain their private SMTP service.

        • by tepples ( 727027 )

          I assume that a "legitimate email service" refers to the one provided by the same ISP that the user pays for routing messages to and from the Internet. For example, if you subscribe to Xfinity Internet at home, your "legitimate email service" has an address ending in @comcast.net.

          • For example, if you subscribe to Xfinity Internet at home, your "legitimate email service" has an address ending in @comcast.net.

            Sadly ISPs don't let you take your email address when you switch provider, hence anyone who needs to remain in contact with people will have to use something independent, such as outlook or gmail. They could set their own up at cost of course and hope they don't forget to renew their own domain. The easiest and most natural solution is to use a free provider who has been in the business for decades.

        • Nice opposite-extreme strawman, but no where did I suggest they setup their own email systems.

          I stated that email addresses from free-email accounts should never be trusted (and should be automatically scored worse by anti-spam systems) and that anyone that wants a trusted email account for their primary email address should pay for it on a non-free-email account domain.

          You want to eliminate spam, you get people away from using free-email systems where the majority of spammers hide now.
  • by ilsaloving ( 1534307 ) on Saturday March 18, 2017 @12:10PM (#54065953)

    There are a number of problems with email security that all feed back on themselves. One problem is that a shocking number of major corporations don't bother with these measures, making it pointless for anyone else to. If I set up SPF on my mail server, and a test email from none other than Google fails to arrive because their SPF records are wonky, so as a small two-bit operator I need to either disable all this nice security, or maintain an extensive whitelist for all the companies who don't do things properly. And SPF is trivial to implement compared to domainkeys.

    And meanwhile, these same companies may block MY email for ridiculously arbitrary reasons. One time I had to troubleshoot why an email sent through my server didn't arrive, and it turned out that the recipient was using some kind of idiotic filter that insisted the EHLO have some kind of ridiculous format that has nothing to do with any security recommendation or in the RFC.

    These wonderful doodads like DMARC are useless if nobody can be bothered to implement them, and really, why SHOULD people bother to implement them if nobody else does?

    This requires everyone agreeing to work together to get this implemented, which basically guarantees that it never will.

  • by Anonymous Coward on Saturday March 18, 2017 @12:25PM (#54066043)

    DMARC was created by PayPal in conjunction with Google, Microsoft and Yahoo! as a way to stop spam and, more importantly, phishing emails from _their_ domains. If you have DMARC setup properly on your MX you mostly likely have zero spam in your user's mailboxes from any domains owned by those companies and to that end, DMARC is 100% successful.

    But the entire process is setup to validate the sender's domain, not the trustworthiness of that domain. As many have pointed out, as long as I setup the proper SPF and DKIM records for iamsp.am, DMARC is going to happily accept it. My servers implement DMARC but I still had to specifically blacklist care.com [care.com] because they were spamming us from properly validated servers (we had canceled our subscription and had all communications options turned off and they were still regularly sending us emails with no opt-out link claiming they were for "admin" purposes).

    The one nice feature that DMARC does bring is that you have the option to get notifications from other MX's that use DMARC detailing what traffic they've received claiming to be from your domain and how that traffic scored. It assists in debugging setup problems and identifying servers trying to spoof your domain. We recently caught one server in Germany trying to send a lot of email as one of our domains (Google, Microsoft, and Yahoo all sent DMARC reports listing it). We contacted their ISP and it stopped a couple of days later. Being proactive about that helps keep your domain(s) off shared blacklists but it's a manual/proactive process and it's not going to catch everything.

  • Given that AI can catch 99.9% of spam [wired.com], the spam problem has largely been solved.

    DMARC isn't even an anti-spam protocol, it's simply a protocol that prevents E-mail addresses from getting forged. But given the huge number of E-mail providers out there, spammers don't need to bother forging the source of E-mails. In addition, spammers can always corrupt and subvert domain registrars. So, DMARC is likely to be of negligible effectiveness compared to existing AI techniques.

    DMARC and similar systems would mainly

  • Shaka, when the walls fell.
  • I already get spam -- and even phishing -- email from domain names that have proper DKIM and SPF records. Sometimes it's though easy cheap email services or mailing list services like emalia.be or wecall101.fr , sometimes is from hosts and domain names that were purchased just to blast out email, and 48 hours later I get the same advertisements from a fresh new domain names change with fresh new valid DMARC records.

    More paperwork isn't the solution.

  • by Anonymous Coward

    Why doesn't the U.K.'s National Crime Agency spend a crap ton of money prosecuting spammers off the face of the earth instead? Spam is a crime like any other. It has a source and it makes criminals money. Do something about that and stop wasting time and money on bandaid fixes that will never work.

    If ISPs and big mail services like gmail "stopped" filtering spam then we'd all see just how bad the problem really is. Then, maybe, just maybe we'd all get collectively mad enough about it to send a message t

  • >"The spam problem would [...] probably almost go away, [...] if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors"

    Except we can already deal with that type of spam using RBL and other methods. The majority of spam that remains is the worst kind- from businesses sending us endless marketing crap from legitimate domains, claiming we "opted in", which of course we did not. Every single place we interact with demands

  • The only thing it will do is to increase the motivation of spamers to hack machines to send SPAM. Filtering works pretty well, use it.

  • It's hard for me not to dismiss it as a troll article when it mentions "eliminate" and "spam" in the headline. The answer is "No, no, NO, you're NEVER going to eliminate every annoying email message that someone doesn't regard as spam."

    Yeah, the article clarifies that it's really another reduction strategy, but I still feel the best one is to go after the spammers' business models. The most persistent and annoying spammers have business models, and as long as the business models keep working, then those spa

  • capitalism requires people to make money to live and survive. to acquire their basic needs such as education, shelter, healthcare, and whatnot, and most never make enough to obtain these things entirely, you have to get money from somewhere. in this case spam generates enough revenue for many that they keep on doing it.

    spam is not normally done as a cyber assault, but once people no longer were required to get money, perhaps the only 'spam' we'd be seeing was assault based, psychological warfare, and crimin

  • This has like many things like cracking DRM become an arms race between spammers and anti-spam technologies.

    I run a small ISP that was established in 1995. Spam was non-existent when we started our company. Since then many anti-spam measures have been implemented. All are effective when deployed. They get less effective over time as spammer find ways around them.

    Most of the spam that leaves our network results from infections people get on their computers. These send through our servers and leave with corre

    • Why not filter outgoing mail through Spamassassin? I've been doing that for many years, Postfix-Spamassassin-ClamAV with Postgrey is about as good as it gets, and since I don't want my servers puking spam and malware, I treat all messages with suspicion.

  • There is an old form used to evaluate anti-spam solutions, at https://craphound.com/spamsolu... [craphound.com]. It's a useful tool to evaluate spam solutions and can even be applied to various security software practices.

    In this case, I see a number of issues.

    ( ) Users of email will not put up with it
    ( ) Many email users cannot afford to lose business or alienate potential employers

    ( ) Open relays in foreign countries
    ( ) Huge existing software investment in SMTP
    ( ) Willingness of users to install OS patches received by em

  • There are some things that will work.
    A major provider carries email for a lot of people and can tell if mail is spam if
    - the people have no intersecting interests
    - they mostly receive it at the same time
    - a number of users mark it as spam (nearly all users who regularly mark anything as spam)
    Google is obviously doing this and some other for-pay providers too, is my guess. I'd pay for a way to be able to test my email headers against such a service without actually running my email through their servers.

    Also

    • by Anonymous Coward

      I work in a data recovery company. So one day we have this harddrive completely recovered and are filtering for the directories that need to be sent to the client and which ones are "not interesting". So we scan what's in there and find lots of images. Lots of PORN images. So we delete that sub directory (= mark as "do not send to client"). We go on to find some more porn delete that too and end up with nothing. Some research learned that our client was in the porn business. The images we found are the stu

  • I would split it with the tax man. Problem solved.
  • Just a couple of weeks ago I asked my colleague if he got an Email I knew he was CC-ed on. "Nope didn't see it".

    On inspection we found that the sending company had installed DKIM and SPF and set them to "don't warn, simply refuse the mail".

    This was something like paypal or ebay where this came from. Sure, they have big infrastructure which is difficult to get right, but also they should have a big team capable of getting things right.....

    it is difficult to get things right. Lots of stuff is being sent autom

  • That is the key. There are many, many technologies that, if they could be rolled out everywhere, would solve the spam problem. Come up with something that would solve the problem if rolled out in a minority of hosts, and I will be impressed.

A consultant is a person who borrows your watch, tells you what time it is, pockets the watch, and sends you a bill for it.

Working...