the death of e-mail?

Posted by: DWallach

the death of e-mail? - 21/08/2003 06:57

A friend of mine who runs his own personal .com domain is currently exasperated by the spamming and virus issues. He's got spammers forging messages "from" his domain, generating huge amounts of back-scatter (bounced messages and the like). Add on the volume of crap generated by e-mail viruses, and he's seriously considering pulling the plug. As in "if you want to contact me, call me on the phone".

Are we truly doomed? Is there a hope? Will we be forced to go back to "closed" e-mail systems like Prodigy originally was, where the only way to contact somebody on the inside will be to be an insider yourself? Will DNSSEC, S/MIME and other crypto technologies come to the rescue? Can you imagine yourself configuring your mailer to reject all unsigned messages?
Posted by: robricc

Re: the death of e-mail? - 21/08/2003 07:03

As in "if you want to contact me, call me on the phone".
It will take a lot more than Sobig to make me do that. However, because of shit like this, I decided to outsource me and my office's webhosting a couple months ago. What a relief it is to not have to worry about servers getting hacked, spam relays, etc.

PS- I got infected with Sobig. Thankfully, nobody else in the office did.
Posted by: jaharkes

Re: the death of e-mail? - 21/08/2003 08:26

He's got spammers forging messages "from" his domain, generating huge amounts of back-scatter (bounced messages and the like).

Same here, the double bounces are annoying (3740 bounces over the past 12 days). But what really gets to me is the fact that my domain got blacklisted about three times already, even though the Received: headers clearly show that the spam emails did not originate from or were relayed by any of my machines.

The worst of all was the father of a 5 year old that started filling my inbox with hatemail after his daughter got porn spam with a faked from address that made it look like it was coming from my domain.
Posted by: tman

Re: the death of e-mail? - 21/08/2003 08:31

What's a 5 year old doing unattended with her own email account anyway? Anybody who's used the internet for any period of time knows that you'll always get spam and 90% of it is porn.
Posted by: frog51

Re: the death of e-mail? - 21/08/2003 08:40

Surely 5 year olds have a major requirement for Toner cartridges and viagra like the rest of us??
Posted by: Anonymous

Re: the death of e-mail? - 21/08/2003 08:48

text messaging is the wave of the future
Posted by: tman

Re: the death of e-mail? - 21/08/2003 08:59

Yep. She must be trying to get her accredited diploma from a renown college as well!
Posted by: Daria

Re: the death of e-mail? - 21/08/2003 09:01

When I was 5 I didn't need my hair back.
Posted by: Dignan

Re: the death of e-mail? - 21/08/2003 09:01

She may have also accumulated a large amount of debt in those 5 years, and be looking for some way to reduce it.
Posted by: JeffS

Re: the death of e-mail? - 21/08/2003 09:05

It's never too early to start finding financial independence by working from home . . .
Posted by: Dignan

Re: the death of e-mail? - 21/08/2003 09:09

Many young girls keep pen-pals. There are lots of people in Nigeria who would like to write to her.
Posted by: justinlarsen

Re: the death of e-mail? - 21/08/2003 09:37

messaging is the wave of the future

Nope, I've already gotten spam on my phone 4 times.
Posted by: loren

Re: the death of e-mail? - 21/08/2003 09:44

Ditto on the SMS spam. I was f'n ANGRY when I got them too... I had believed my cell phone was the one last bastion of non-advertisement laden communication. Nope.

I'm about to give up email myself. Even with spamcop and spamassassin I still get over 100 spams a day. Having the same email for close to 7 years will do that to ya. I just can't make myself change the address though... it'd be like letting them win.
Posted by: Dignan

Re: the death of e-mail? - 21/08/2003 09:51

Hey, I didn't say that
Posted by: loren

Re: the death of e-mail? - 21/08/2003 09:51

us flat mode viewers are always screwing up the threads =]
Posted by: cmtempeg

Re: the death of e-mail? - 21/08/2003 09:55

Yeah

I wish you could do the nested-mode that slashcode has. You can see all the posts in full, yet still have thread context.
Posted by: JeffS

Re: the death of e-mail? - 21/08/2003 09:57

the one last bastion of non-advertisement laden communication.
The Empeg bbs? (except for the VERY rare occurrence)
Posted by: Dignan

Re: the death of e-mail? - 21/08/2003 09:58

I view in flat mode
Posted by: loren

Re: the death of e-mail? - 21/08/2003 09:58

YES! THAT would be excellent. I wonder if UBBThreads has any plans for that...
Posted by: DWallach

Re: the death of e-mail? - 21/08/2003 11:51

I just can't make myself change the address though... it'd be like letting them win.

As I've moved from undergraduate to graduate school to my current job, I've left .forward files pointing on to my new address. About two years ago, I killed them because all I was getting through them was spam. Now if you e-mail an old address of mine you get an automatic message telling you to find my new address. That helped a lot, as I used to maintain an FAQ that was widely mirrored through the Usenet FAQ archives, and thus widely spidered by evil spammers.

My frustrated friend is particularly concerned about the brand value he built behind his domain name as a consulting organization. He's actually posted a US$1000 bounty for information leading to successful prosecution of the guy using his domain name. Heaven only knows, the guy may not be specifically picking on him, but might be doing this to everybody's domain names.

So, back to my original question. To all you sysadmins out there, if you had a switch you could throw that would make your server reject all e-mail that did not contain a digital signature that correctly tied the e-mail message back to its source DNS domain (perhaps through the use of DNSSEC), and if a simple patch was available for your MTA of choice to sign its outgoing mail in such a fashion... would you be willing to throw the switch?
Posted by: julf

Re: the death of e-mail? - 21/08/2003 12:03

So, back to my original question. To all you sysadmins out there, if you had a switch you could throw that would make your server reject all e-mail that did not contain a digital signature that correctly tied the e-mail message back to its source DNS domain (perhaps through the use of DNSSEC), and if a simple patch was available for your MTA of choice to sign its outgoing mail in such a fashion... would you be willing to throw the switch?

Absolutely. But a harder question is "Would you accept mail from AOL"?

Posted by: wfaulk

Re: the death of e-mail? - 21/08/2003 12:15

if you had a switch you could throw that would make your server reject all e-mail that did not contain a digital signature that correctly tied the e-mail message back to its source DNS domain (perhaps through the use of DNSSEC), and if a simple patch was available for your MTA of choice to sign its outgoing mail in such a fashion... would you be willing to throw the switch?
No. Incoming mail is more important than outgoing mail, and we have to expect poor support from other users.

In other words, be strict in what you send and lenient in what you receive. (Or whatever words that was originally stated with.)

In addition, I might legitimately send mail from one domain via another domain's server. I, in fact, do that regularly right now, when sending mail from my personal domain address from work.

There are conceivably other options, though, even ones that involve crypto. I just don't think that that's the right solution.
Posted by: tman

Re: the death of e-mail? - 21/08/2003 12:48

Nope. It would prevent a lot of email coming in. If everybody else out there installed the patches however then it would be fine to flick the switch.
At the moment most of the people out there aren't technical enough to care or even know about the problem and how to fix it.
Posted by: DWallach

Re: the death of e-mail? - 21/08/2003 13:17

If everybody else out there installed the patches however then it would be fine to flick the switch.

Okay, now how high a percentage would be enough that you'd stop accepting e-mail from unpatched systems? Keep in mind here that these hypothetical signatures would only amount to a guarantee that the domain in the "from" line was legit. You'd have no guarantee that the user within wasn't forged. However, if you did get spam from one of these things, you'd have some proof of who really sent the spam.

Somehow, the whole world rapidly dropped telnet and rsh and moved quickly to ssh / OpenSSH. As far as I can tell, the big difference is that, if our organization dropped telnet, it only realistically affected our own users. External people were never really counting on telnet to actually log in here. If we dropped traditional e-mail support, then you're breaking things for people who might have legitimately expected to be able to send you mail.

More food for thought: consider the ratio of legit e-mail to spam that you get, either in terms of bytes or number of messages. How low must the signal-to-noise ratio be where it's no longer cost-effective to find the signal among the noise?
Posted by: tman

Re: the death of e-mail? - 21/08/2003 13:30

Just knowing that the domain is legit is way better than what we've got now. If they're excessive then you can just block the entire domain and just have exceptions for people you want.

The switch over from telnet/rsh to ssh happened reasonably quickly and without incident because as you said it only affected your own users. If they wanted to connect then they would have to get a client or just not connect anymore. Also people that would be using telnet/rsh with your hosts would be authorised users and you'd know who was who and who should have access.

As to the ratio it depends really. For my personal email then an occasional blocked email isn't that important so about 80%-90% correctly delivered really. You could log attempts but you're still wasting time looking through the list to make sure you've not lost anything important.
The difference between personal where lost email isn't major against business where lost email could be lost income is the big point here. I know people that use Hotmail and have the exclusive option set in their spam filter which only allows addresses from the address book to be delivered.

It's an interesting point to make. How much lost email are you willing to put up with to ensure that your spam fighting works?
Posted by: Laura

Re: the death of e-mail? - 21/08/2003 13:37

I'm sure she also needs penis enlargement like I do
Posted by: DLF

Re: the death of e-mail? - 21/08/2003 13:40

I think they're betting on wives being the decision-makers on that one.

Hey, we're getting into a pretty weird area here.
Posted by: peter

Re: the death of e-mail? - 22/08/2003 01:36

The difference between personal where lost email isn't major against business where lost email could be lost income is the big point here.
I'd tend to agree, but the other way round. Lost income is no biggie, a company goes down and people move on. And an unanswered business email is usually chased-up anyway. But I've got several valued friendships that narrowed in the past to a single email or snail-mail before expanding again.

It's an interesting point to make. How much lost email are you willing to put up with to ensure that your spam fighting works?
Nil.

Peter
Posted by: altman

Re: the death of e-mail? - 22/08/2003 06:34

Spambayes. I used to use cloudmark (and even subscribed at $2/month) but it was still letting some through. After a week of training, I maybe get 2 a day which it doesn't filter out.

Yes, I still have to check the "possible spam" folder, but after the first week of training I've not found anything non-spam in there.

Strongly, strongly recommended. spambayes.sourceforge.net I think.

Hugo
Posted by: JBjorgen

Re: the death of e-mail? - 22/08/2003 07:57

Thanks Hugo, I've been wanting to dump spamnet for a while now.
Posted by: cmtempeg

Re: the death of e-mail? - 22/08/2003 08:27

I second using bayes! It works like a charm in most cases.

I host my mail on my personal mailserver and use spamassassin with bayes and network (rbl/checksum) lookups. I'm down to maybe 1 false negative per week.

I've set up exim to use rbls also, which returns a "user not here, go away" result code to the sending mail server that was found in the rbl. With rbl checks, 80% of the spam doesn't even make it to spamassassin. Another 19.9% is easily handled by heuristic checks, checksums and bayes.

I have, however, begun to see attempts to poison the bayes databases by including many random words that aren't typically associated with spam. This is where the heuristics come into play. Usually these emails are a bunch of random words (bayes doesn't think it's spam), and a single image, which is an ad. Spamassassin detects most of these, especially when you have the distributed checksum tests like pyzor and dcc turned on.
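
Added example, not part of the thread or of any poster's configuration: a Python sketch of the RBL (DNSBL) lookup that an MTA performs before accepting a message, as in the exim setup described in the last post. The zone name `dnsbl.example`, the `550` reply text, and the resolver stub are assumptions made for illustration.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Build the DNS name a DNSBL client looks up for a connecting IP."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                   # reversed octets
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]   # 32 reversed nibbles
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_dnsbl(ip, zone, resolve=system_resolver):
    """Return (listed, codes). Only 127.0.0.0/8 answers count as a listing,
    so a wildcarded or parked zone that answers with a public address
    does not cause every sender to be rejected."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = [a for a in answers if a.startswith("127.")]
    return bool(codes), codes

def smtp_verdict(ip, zones, resolve=system_resolver):
    """Decide at connect/RCPT time, before the message body is accepted,
    so listed senders never reach the content filter."""
    for zone in zones:
        listed, codes = check_dnsbl(ip, zone, resolve)
        if listed:
            return "550 rejected: %s listed in %s (%s)" % (ip, zone, ",".join(codes))
    return "250 OK"

# Constructed sample data: a fake zone with one listed documentation address.
FAKE_ZONE = {"99.2.0.192.dnsbl.example": ["127.0.0.2"]}

def fake_resolver(name):
    """Offline stand-in for DNS (hypothetical helper for this example)."""
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.10"):
        print(ip, "->", smtp_verdict(ip, ["dnsbl.example"], fake_resolver))
```
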