2008/01/01

Solving 'Spam'

It never ceases to amaze me, the Politician attitude to Porn and 'Spam' & its friend, malware.

Porn is "bad, bad, bad" and Pollies show very high interest - including policy & legislation.

Lots of angst & thrashing around about eradicating something that 2,000+ years of writing/publishing shows can't be controlled/legislated away. The physical publishing world & (cable) TV show that the only effective means of control is to allow-but-license.

Same as tobacco. Never going to eradicate it, only control it.

'Restricted Content' access can only be controlled iff:
  • every page is 'classified' at source (meta-tags),
  • an unforgeable Internet 'proof-of-age' card/system is created,
  • there are criminal penalties for subverting the system, forging identities or misclassifying pages,
  • there are no legal jurisdictions outside 'the system' [e.g. on the high-seas],
  • all browsers enforce 'the rules',
  • and browsers can't be built/written to ignore 'the rules'.
i.e. It is impossible to eliminate 'restricted content', and possibly provably so...


Meanwhile, Spam, & the malware that rides on it, consumes vast amounts of resources and, via malware, does damage.
Spam is a quadruple whammy:
  • uses capacity of links & servers
  • consumes PC resources in bot-nets
  • wastes admin & firewall time/resources
  • wastes recipients' time/resources

Nobody has ever made a public case that 'spam' is beneficial to anyone but the organised crime rings that enable it.
I'm even unconvinced that the suckers who try to peddle their wares through spam make anything.
I'd also guess many sales are with card-fraud... [no information on that]

For me, this is a classic case of 'inversion' - the Pollies rail against that which can't be controlled and is of limited impact, and ignore a high-impact problem that could be controlled.

In the late-80's, "junk fax" was a real and growing problem.
It almost completely evaporated after a British case where the plaintiff sued for the cost of the paper used... [can't find the reference]
There are now strong "junk fax" laws in the UK and USA and the problem is not entirely eradicated, but very well controlled.

'Spam' could be eliminated via technical means, and in a reasonably short time, despite the many previous attempts/programmes.
Or perhaps, because of them - what won't work is getting more clear.

Some reasons 'spam' continues to be a problem:
  • "Walled gardens" don't work.
  • No single approach is going to work.
  • Like 'art', there is no universal definition and not everyone considers all spam to be evil...
  • SMTP over port 25 can never be 'spam free', even with schemes like DomainKeys etc ... because:
    • the sender identity can be spoofed trivially. It can't be positively authenticated/certified.
    • any IP number can act as an MTA
    • message headers can be spoofed trivially
    • the original message content can't be verified.
  • but probably because it is not illegal everywhere and perpetrators are difficult to bring to book.
'Spam' exists solely because of tacit assumptions made in 1980 (RFC 772).
X.400 1984/88 made the same assumptions. They both followed on from years of uucp & Usenet experience:
  • 'hosts' are controlled, and by responsible administrators
  • Only trustworthy/certified UA & MTA programs are used.
  • Only MTA's assign message headers. Spoofed headers from a malicious UA will be discarded.
  • All MTA's can be trusted. [Hosts that are MTA's can be authenticated]
  • user identities cannot be forged. (breaking into an account is different)
  • rogue users cannot access privileged functions - like send/receive on port 25.
These assumptions were all invalidated when the first DOS PC was connected to the Internet.

The characteristics of any 'solution' to spam:
  • there will always be unverified port 25 traffic.
    This traffic cannot be eliminated, but can be dropped by firewalls.
  • An End-to-End solution is required for verified/authenticated messages.
  • these two goals are incompatible.
  • verified messages can be sent out to the 'port 25' addressees
  • no perfect scheme exists to 'untaint' inbound 'port 25' messages
  • The following are needed:
    • positive user authentication - by UA and 1st-MTA
    • non-spoofable message headers & verifiable content.
    • only known/trusted MTA's allowed. e.g. issued X.509 certs
    • 1st-MTA rejection of invalid messages
    • global identity revocation of rogue MTA's and users
    • selectable sender identities
    • user-selectable network: trusted messaging or wild-wild-web
If all the elements in "junk e-mail" - originating machine, user identity, 1st-MTA - can be definitively identified & owners traced, then existing "spam" laws could be enforceable in the same way that "junk fax" legislation has been highly successful.
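
A small model of the 'trusted messaging' requirements listed above, added here as an illustration and not part of the original post: the 1st-MTA refuses sender identities the authenticated user does not own and signs headers plus content, and the receiver accepts only mail from a known, unrevoked MTA. The registry, header names (`X-First-MTA`, `X-MTA-Sig`) and addresses are constructed, and an HMAC key stands in for the X.509 signatures the post calls for.

```python
import hashlib, hmac
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed registry of certified MTAs. HMAC keys stand in for the X.509
# signatures the post calls for (assumption, to stay within the stdlib).
TRUSTED_MTAS = {"mta1.example.org": b"constructed-demo-key"}
REVOKED_MTAS = set()
# Authenticated account -> sender identities it may select (constructed).
IDENTITIES = {"alice": {"alice@example.org", "sales@example.org"}}
SIGNED_HEADERS = ("From", "To", "Subject")

def sample_message(sender="alice@example.org"):
    """Constructed sample input."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "bob@example.net", "Lunch"
    msg.set_content("Lunch at noon?")
    return msg

def _digest(msg, mta_id):
    """MAC over the MTA id, the protected headers and the body."""
    parts = [mta_id] + [f"{h}:{str(msg.get(h, '')).strip()}" for h in SIGNED_HEADERS]
    parts.append(msg.get_payload())
    data = "\n".join(parts).encode()
    return hmac.new(TRUSTED_MTAS[mta_id], data, hashlib.sha256).hexdigest()

def first_mta_submit(auth_user, msg, mta_id="mta1.example.org"):
    """1st-MTA: refuse identities the user does not own, then stamp and sign."""
    if str(msg["From"]) not in IDENTITIES.get(auth_user, ()):
        raise PermissionError("sender identity not owned by authenticated user")
    msg["X-First-MTA"] = mta_id
    msg["X-MTA-Sig"] = _digest(msg, mta_id)
    return msg.as_string()

def receive(raw):
    """Receiver: accept only mail signed by a known, unrevoked MTA."""
    msg = message_from_string(raw, policy=policy.default)
    mta_id = str(msg.get("X-First-MTA", "")).strip()
    if not mta_id:
        return "unverified"  # ordinary port 25 traffic: drop or filter
    if mta_id not in TRUSTED_MTAS or mta_id in REVOKED_MTAS:
        return "rejected: untrusted or revoked MTA"
    sig = str(msg.get("X-MTA-Sig", "")).strip()
    if not hmac.compare_digest(sig.encode(), _digest(msg, mta_id).encode()):
        return "rejected: headers or content altered"
    return "verified"
```

Adding an MTA id to `REVOKED_MTAS` makes every message it stamped fail at the receiver, which is the 'global identity revocation' item in the list.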

And the results will be the same, even in a 'trusted messaging' world:
Good, but never perfect.

In Real Life, people are devious and always testing ways to make a quick buck.

Caveat: There are already many tightly controlled messaging environments.
The rate of "junk messages" reduces with the tightness of control, the severity of penalties and the formality of usage rules.
