SMTP & TLS [was Re:someone is using my email address to spam, is there a way to stop this ?]

Robert Brockway robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Sun Aug 10 06:34:13 UTC 2008


On Sat, 9 Aug 2008, Marc Lanctot wrote:

> Someone brought up net neutrality. It's interesting because I'm against 
> traffic-shaping but in this respect it makes complete sense to disallow 
> outgoing port 25 to arbitrary MTAs. Is it a hindrance to the client's right 
> to a free Internet? Well, yes, technically. Does it cause any major problems?

I've wrestled with the same philosophical arguments.  Technically it is a 
violation of net neutrality, but perhaps it is one we must accept for 
practical reasons.

> Not sure. The only hindrance I can think of is to someone experimenting with 
> SMTP using telnet for the first time to see how it works. :)

One possible issue relates to reliability.  The same argument can be 
levelled against transparent web proxies: If you are going to make someone 
use your service then it damn well better work all the time :)

> It's funny because I've often considered how to "fix" the problems with

Yes so have I.

Dan Bernstein came up with an alternative called "Internet Mail 2000" 
designed to fix many of SMTP's shortcomings.  Dan should get a gold star 
for the name alone.

> email. Spamming is one big issue. Email has to be the second-most used 
> service on the Internet, yet it's still mostly insecure and can go across 
> networks in plain text. How is this possible? I'm kind of surprised that the 
> current technology has not been replaced. Is there really no secure way to do 
> what we want to achieve that is spam-free?

Sure there is.  Encryption has been available for use with SMTP for a very 
long time.  Email can be encrypted server to server (TLS), user to user 
(GPG) or both if you want.

TLS with properly signed certs will also allow you to authenticate the 
originator (organisation or server) of the message, which, while not 
actually blocking spam, would make it a lot more difficult for spammers to 
hide.  They'd get a few good spamming sessions in and then they'd be 
blocked, because RBLs would just need to keep a list of the fingerprints of 
spammer certs for clients to check[1].  Commercial CAs normally charge to 
reissue certs, so this would drive up the costs of spamming.

Encryption (as part of Public key infrastructure, PKI) is also widely 
available for DNS (it would completely prevent some of the recent 
attacks), IP itself, and pretty much everything else.

PKI requires effort to set up and manage.  Despite mature 
standards-compliant OSS & commercial encryption software being readily 
available for all major platforms and most minor ones, it has failed to 
catch on.

Did I mention PKI takes effort to set up and manage? :)

Over the years I have managed many private root Certificate Authorities 
(CAs) for organisations (used to generate VPN keys, or whatever).  There 
is effort involved but more than that, it takes discipline and an 
understanding of the concepts.

Despite being a huge fan of encryption in many situations I normally 
recommend _against_ the use of encrypted filesystems.  I am not convinced 
that most organisations have the level of technological maturity to handle 
the risks associated with encrypting important filesystems.  If you don't 
have a rock solid backup strategy[2] & DR plan with key escrow then 
encrypted filesystems are potentially very risky.

Or to put it another way:

User: "I've lost my private key.  Can you recover my encrypted 
filesystem for me?"

Sysadmin answer #1: "No."

Sysadmin answer #2: "Come back in 800 years."

Ok this turned into a long email :)

Rob

[1] This is not a revocation.  Arranging a revocation would probably be 
too slow.  Additionally, revocation is normally a response to events 
surrounding the cert itself (it gets lost or compromised) not merely how 
one uses the cert.

[2] Are the backups encrypted too?

> Does anybody know of a software (preferably that runs as a Thunderbird 
> plugin) which assumes spam if it's never heard from that user before, sends 
> them a standard response with a CAPTCHA asking the sender to respond with the 
> correct letters to be whitelisted? Do these programs typically have to be run 
> on the mail server?

TMDA is the closest I can think of off the top of my head.  It doesn't 
actually use a CAPTCHA.

http://en.wikipedia.org/wiki/Tagged_Message_Delivery_Agent

"Challenge/response for SMTP considered harmful" as it can cause 
backscatter.

Rob

-- 
"With sufficient thrust, pigs fly just fine..."
    -- RFC 1925 "The Twelve Networking Truths"
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
