Comment Re:Good job Microsoft! (Score 1) 471
Your "grand scheme" has some serious flaws.
1. You mention in your other post that "There would be absolutely no point in spammers taking over people's machines with viruses in order to send email if email must be sent through a qualified mail server." This is flat-out wrong. If I want to send spam under your scheme, here's what I do:
- Register a domain name for $5
- Create a public/private keypair, and place the public key on the MX for that domain so that it's available for verification
- Sign the spam once with the private key
- Use my legion of compromised machines to deliver that signed spam
Your error is in assuming that the signing must occur at the mail server. I can sign the message at any point, presuming I have the private key, and then inject it into the system by any means I choose. If you are in possession of the private key then adding a valid signature is just as trivial as forging a header. Regardless of how it was sent, when the recipient goes to check the signature it will pass since the public key on record for the domain matches the private key I used to sign all my spam.
2. It puts a tremendous load on the MX servers for each domain. Under your scheme, an MX must be contacted for EVERY mail received from that domain. Do you really think Yahoo wants to support the load of a separate key-request every time a mail from yahoo.com is moved from one SMTP host to another? You can somewhat abate this by just putting the key in DNS, so that it can be efficiently cached.
3. It breaks the ability to send mail unless you relay through the corporate/official mail server. This is also a fault of SPF. There are a lot of people that legitimately want to send email as "foo@example.com" without having to use example.com's mail relay. For example, the example.com CIO is on the road with his laptop and wants to send mail. Now every organization out there must configure some form of authentication for their smarthost so that anyone that needs to send mail and is not within the firewall can do so. Some might argue that this is a good thing (and I tend to agree), but regardless of your feelings in that regard it's a HUGE change that will break many, many setups, and will piss off a lot of people. For example, home broadband users will be forced to relay through their ISP's mail server -- some of which don't support sending mail for any domain other than the ISP's domain. Now those people can't send mail at all, period. So for example, they can't read work email at home and reply, because the ISP won't let them relay and the work network doesn't support SMTP authentication outside of the firewall.
4. It means that all of an organization's mail must be sent through a central choke-point. Since everything has to be signed using the domain's key, it means that either you have to distribute this precious private key to every host that wants to send mail (thus risking its compromise) or it means you have to set up a large, beefy cluster that can handle the entire volume of your organization's outgoing mail. Large organizations don't like anything that adds such a central point of failure and that requires more resources than previously. Remember that cryptographic operations such as message signing are not trivial in terms of CPU or resources.
5. So, finally, after all of these significant changes and major breakage, what does it provide? Well it means that spammers now have to register a $5 domain for each spam-run. At the end of the day all that's guaranteed is that the message originated from someone who has control over the domain that it purports to be from. Sure, you can blacklist the domain once it's found that it's a spammer domain, but they can just buy another. Remember, one domain is sufficient for an entire run (millions of messages) so it's not like they'd have to pay per-message. Domains are cheap and can be registered in bulk. It would be an inconvenience to them, but hardly a significant one.
Summary: I don't think this is such a great idea at all, really. Sorry.
Anyone that thinks they've found the ultimate weapon against spam really needs to read You Might Be An Anti-Spam Kook If....
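As an added example, not part of the original comment or of the scheme it criticizes: a small Go model of the recipient-side check the comment describes in points 1 and 5. The "DNS record" is a constructed in-memory map, the domain names are made up, and the host names passed to DeliverFrom are placeholders. The point it makes explicit is that the verifier's only inputs are the message, the signature and the domain's published key; the host that delivered the message is not an input, so a valid signature proves control of the domain's private key and nothing more, which is why a domain-level blocklist is the one lever the check leaves a defender.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// dnsTXT is a constructed stand-in for a DNS TXT lookup (domain -> base64
// public key). A real deployment would query DNS; this keeps the example offline.
var dnsTXT = map[string]string{}

// NewDomainKey generates a signing key for a domain and publishes its public
// half, mirroring "place the public key on the MX / in DNS" from the comment.
func NewDomainKey(domain string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dnsTXT[strings.ToLower(domain)] = base64.StdEncoding.EncodeToString(pub)
	return priv, nil
}

// SignMessage is the sender-side step. It needs only the private key, so it can
// run on any machine; nothing ties it to the domain's mail server.
func SignMessage(priv ed25519.PrivateKey, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(body)))
}

// fromDomain pulls the domain out of the message's "From:" header line.
func fromDomain(body string) (string, bool) {
	for _, line := range strings.Split(body, "\n") {
		if !strings.HasPrefix(line, "From:") {
			continue
		}
		addr := strings.TrimSpace(strings.TrimPrefix(line, "From:"))
		if i := strings.LastIndex(addr, "@"); i >= 0 {
			return strings.ToLower(addr[i+1:]), true
		}
	}
	return "", false
}

// VerifyMessage is the recipient-side check: look up the claimed domain's key
// and verify the signature. Delivery path and delivering host never appear here.
func VerifyMessage(body, sig string) bool {
	domain, ok := fromDomain(body)
	if !ok {
		return false
	}
	pubB64, ok := dnsTXT[domain]
	if !ok {
		return false // no published key: the check cannot pass
	}
	pub, err := base64.StdEncoding.DecodeString(pubB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sigBytes, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), []byte(body), sigBytes)
}

// DeliverFrom models a message arriving via some host (placeholder name). The
// result is identical for every host because the host is not a verifier input.
func DeliverFrom(host, body, sig string) bool {
	_ = host
	return VerifyMessage(body, sig)
}

func main() {
	priv, err := NewDomainKey("example.test") // constructed domain
	if err != nil {
		panic(err)
	}
	body := "From: ops@example.test\nSubject: hello\n\nconstructed message body"
	sig := SignMessage(priv, body) // signed once, reused for every copy
	for _, host := range []string{"mx.example.test", "host-a.invalid", "host-b.invalid"} {
		fmt.Printf("delivered via %-18s verifies=%v\n", host, DeliverFrom(host, body, sig))
	}
	fmt.Println("tampered body verifies:", VerifyMessage(body+"!", sig))
}
```

Running main prints the same verification result for every delivering host, which is the comment's point 1 in executable form; the tampered-body line shows the check does detect modification in transit, so it is integrity plus domain binding, not sender reputation.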