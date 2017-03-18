Could We Eliminate Spam With DMARC? (zdnet.com) 39
An anonymous reader writes: "The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing.
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.
And then you're blocking pretty much any corporate user of O365 or any number of Microsoft "server" product users or anyone using built-by-stupid products like MailChimp, or similar "cloudy" "service as a service" providers you see advertised.
DMARC has been around for pretty much 2 decades, if it hasn't been picked up now, it never will.
DMARC has been around for pretty much 2 decades, if it hasn't been picked up now, it never will.
I had been around for pretty much 2 decades before I got picked up. Got married a few years later.
Nonsense (Score:2)
I have both DMARC and SPF installed and configured correctly... I still get spam!
DMARC and SPF are for senders, not recipients. You can set up DMARC and SPF all you want for your domains, but if the senders who send you mail do not set it up for *their* domains, and you do not reject emails that DMARC flags for you, then you're going to continue getting spam.
And that's the point of TFA. More email senders have to set up DMARC, et al. When enough have set up DMARC, then it will be possible for your server to reject most spam.
All the spammer has to do is also set up SPF and DMARC.
Only if the spammer doesn't use the same server/service as your sender or hasn't set up DMARC/SPF themselves. E-mail was built to be decentralized and robust, there are two problems with the current approaches:
DMARC/SPF - pretty much any anti-spam - relies on the cooperation of both senders and/or receivers and making things less robust so you can "break" the robustness for bad people and keep it in tact for good people. You require the cooperation of a significant number of people to keep sort of trust up
Spam has economic, legal, technical and psycological causes. That suggests that if you try and treat it as a technical problemalone, you're going to wonder why it isn't fixed already.
I live in Canada, where spammers get fined, over the loud objections of the sleasy side of the business community, and it's having an effect in tle legal and pyscological domains. This summer, the law will also allow suing spammers, which takes it into the ecomomic dimain as well.
If this, along with technical solutions like spa
Spam has economic, legal, technical and psychological causes.
Apparently, so does Twitter
... :-)
Where I come from, "twit" is by no means a compliment (;-))
Yes we can, but we won't (Score:2)
Human caused problems generally are easy to solve but are not because established interests prevent them.
Email spam is entirely due to the total absence of sender verification. Require some form of sender verification with the ability to complain (and block those with excessive complaints) and you solve the issue.
"Could We Eliminate Spam With DMARC?" (Score:3)
"No."
See, that was easy! Technological solution to a sociological problem, and so on.
Barracuda (Score:2)
The email microtax idea (a 0.001 USD per email, except within an organization) was floated 15 years ago, and still seems to be a pretty decent idea. That won't "eliminate" anything bad, but it might help mitigate the problem.
Completely unenforceable. SMTP works with end-to-end encryption now, so there's no way of knowing how many e-mails were sent and received from listening to traffic. Unless you put a government snooping e-mail server in every home and business and make it a felony to route around them. I don't want to live in that society.
Clueless idiot (Score:2)
Thank you Mr. Edmunds, "the head of technology from the cybercrimes division of the U.K.'s National Crime Agency" for informing the citizens of the U.K. that their "head of technology from the cybercrimes of the U.K.'s National Crime Agency" is technically incompetent, and is utterly clueless on the subject matter he's blathering about.
There's nothing about SPF, Dmarc, or DKIM, that magically identifies the attached email as spam or not. There is no such tag in the email that identifies it as such. All that
As Benny Hill would've said: BIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIG deal...
I first thought that was some sort of progress bar and thought, "Cool. How'd he do *that* on
/." but, sadly, there's no "I" in progress bar.
Your post advocates a... (Score:5, Insightful)
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Thank you. It's good to see the ol' "your anti-spam technique is a fail" form. Christ, I bet you can go back 11 or 12 years and see this exact same story on Slashdot.
It boils down to this. If you want your MTA to function as a general open email transport system, you cannot kill messages based upon whether they pass or fail solutions like DMARC. There's some logic to weighting failures of SPF checks and the like to make it more likely that a failed message will be rejected, but to actual use SPF and its kin
Five-dollar wrench solution (Score:1)
OR!
Every time you positively IDs someone running a big spam operation, raid their residence and shoot them in both kneecaps.
After it happens four or five times the rest of the spammers will probably find another hobby.
I'm pleased to say we're doing this in Soviet Canuckistan. We're only fining them, though (;-))
I think that's bolocks! (Score:3, Interesting)
Most of the spam that I get comes from hacked accounts where people have used crap passwords that are easily guessed.
Email outsourcing companies have to play along (Score:2)
Email outsourcing companies don't seem to place much value on following rules like SPF and DMARC. A lot of the false positives we get in quarantine are from senders using email outsourcing or "relationship management" companies. After all, the company gets paid by their customer for sending the mail, and has no real accountability whether the customer's email is properly formatted and delivered.
And with large institutions (particularly universities) moving to outsource email and other IT services, this pr
gray listing works (Score:3)
it doesn't eliminate all, but it's cut my span significantly
How big was your span originally?
I've found greylisting to certainly cut down a lot. It's effectiveness as decreased over time as spammers switch to using proper mail servers instead of PHP or COM SMTP classes, but it still nails the bulk of spam.
This is only half the problem (Score:2)
The majority of malware and spam come from botnet controlled accounts on valid domains. Most of the 419 spam originates at gmail. Not because gmail is worst, but it's because it's a trusted source of mail.
The reason I say this is not going to work is that you will get spam on any popular communication mechanism. Facebook gets quite a bit now, that's not email, and they control both the sender and the receiver, the spam could be zapped before you know about it, you're just seeing that which got through the f
Something must be done! This is something... (Score:1)
Therefor it must be done
Email is bullshit (Score:2)
There are a number of problems with email security that all feed back on themselves. One problem is that a shocking number of major corporations don't bother with these measures, making it pointless for anyone else to. If I set up SPF on my mail server, and a test email from none other than Google fails to arrive because their SPF records are wonky, so as a small two-bit operator I need to either disable all this nice security, or maintain an extensive whitelist for all the companies who don't do things p