Firewall Wizards mailing list archives

Re: Spam (or, how to buy Cheap Korean Cellphones :-)

From: Chris Blask <blask () protegonetworks com>
Date: Fri, 06 Feb 2004 10:07:38 -0800

At 10:54 PM 2/5/2004 -0500, Rod Gilchrist wrote:

On Thursday, February 5, 2004, at 07:28  PM, Chris Blask wrote:

.d.

Cmail was a good shot and a year later it still seems to address all theissues.
(If you want to read the white paper, I can email it to you.)
Its primary problem I think is that the audience needs to get up to speeda bitat a time and it is quite a big first bite. No point in solving secureopt-out in step
one.

(BTW, JamSpam was stunningly good at illuminating the spam problem
from all of email's participant's points of view. I think a lot of theconversations
happening between the big guys today started at those meetings.)

It was (is?) a productive forum in many ways, I suppose I just bear someguilt that it'd couldn't have been made to do more.'

If you are going to start at the beginning and do things in tiny bites youneed to
start with identity. People kind of 'get' that.

Then you need to add two tweaks....

        1) Relax identity far enough to make it practical
        2) Fix revocation

1) is the main point, imho. My earlier comment about "boiling the ocean"refers to the resistance by the PKI community to focus on anything that isless than "protect me from the NSA" level identity. That's not the focusthat solves this problem, as Rod explains.

There are a couple of straight forward fixes for revocation.
You only get into deep trouble if you adopt the whole set of assumptionsbehind PKI. PKI is ageneral solution that is intended to work over long (i.e. infinite)periods of time. Relax that set
of assumptions and revocation is solvable.
For email identity all you need is a key pair that's valid long enough foremail to arrive at itsdestination. A much easier problem than what PKI's revocation attempts tosolve.

> Anyone else see - if in fact this is the right forum - any solutionto spam that doesn't involve fixing the identity problem?
There's the actual question for the list: If it ain't ID, what *is* theshape of the solution?
Yes identity is the first and most basic issue. But almost everyone getshung up on perfectidentity as per PKI (i.e. individual identity right down to name, addressand social insurance number).
You don't really need that at all to fix spam.
For spam its enough to be labeled as 'an AOL user whose mail mail issubject to AOL's terms of use thatrequire that the user never send more that 100 emails in an hour and thatAOL has taken effective
action to enforce that behavior'.
From an email MTA's point of view that translates to 'a message that issigned by the mail source thathas public key 'X' and whose past behavior I see from reputation store 'Y'rarely includes spamming
should be passed on without passing though my aggressive spam filter'.
So what's going to do spam in? I think a solution is coming. There are atleast three separate solutionsout there that have relaxed identity into the practical realm; SMPTi,'Sender Permitted From' and 'DomainKeys' (Google can fill in the details of all of these). The first two useIP addresses as identity,which has serious limitations when messages are relayed (which is kind ofbasic in SMTP). Domain Keys
(from Yahoo) on the other hand is a home run.
With Domain Keys, the owner of a DNS domain generates a public/private keypair, signs all emailmessages originating (via SMTP extension headers) in that domain with theprivate key and publishesthe public key via DNS. Since the publishing mechanism is out of band withrespect to SMPT, no
changes are required to the SMPT protocol.
Details haven't been published yet, but revocation could be handled bypublishing two public keysvia DNS (old and new) and a few days after the last email signed with theold key was sent, trashing
the old key.
So basically, Chris's grandmother doesn't need to get a certificate; herISP worries about the key pairand bounces all the email she sends that's addressed to all 115 of hergrandchildren at thesame time. People publishing news letters need to be savvy enough togenerate a public/private key
pair for their own mailer. And nobody pays Verisign...
If your private key gets stolen, your reputation (as measured by aDCC-like reputation server)gets trashed and you need to make a new key pair and start building areputation again.
So, we're winning I think. Much further ahead than last year.

- Rod



BTW, I'm not on this list. Hopefully Chris will relay as required.


Chris Blask
Vice President, Business Development
Protego Networks Inc.

(1) 416-358-9885 - Direct/Mobile
(1) 408 262 5220 - HQ
(1) 408 262 5280 - Fax

blask () protegonetworks com
www.protegonetworks.com

"The first purpose-built appliance for Real-Time Security Threat Mitigation"




_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Spam (or, how to buy Cheap Korean Cellphones :-) Chris Blask (Feb 05)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Paul Robertson (Feb 05)
  - Re: Spam (or, how to buy Cheap Korean Cellphones :-) Joseph S D Yao (Feb 06)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Rod Gilchrist (Feb 06)
  - Re: Spam (or, how to buy Cheap Korean Cellphones :-) Joseph S D Yao (Feb 07)
    - Re: Spam (or, how to buy Cheap Korean Cellphones :-) Rod Gilchrist (Feb 07)
    - Re: Spam (or, how to buy Cheap Korean Cellphones :-) Paul Robertson (Feb 07)
    - Re: Spam (or, how to buy Cheap Korean Cellphones :-) Rod Gilchrist (Feb 07)
    - Re: Spam (or, how to buy Cheap Korean Cellphones :-) Paul Robertson (Feb 07)
  - Re: Spam (or, how to buy Cheap Korean Cellphones :-) Chris Blask (Feb 07)
  - Re: Spam (or, how to buy Cheap Korean Cellphones :-) Devdas Bhagat (Feb 07)
- <Possible follow-ups>
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Chris Blask (Feb 06)