Email Security Wanking
In a TechRepublic blog, Andy Moon wrote an entry on reducing spam by verifying people as real and whitelisting them based on identy. He says,
The central authority could be managed by the FCC and people who wanted to restrict their e-mail to only those who verified their identity could subscribe to this whitelist.
The part that really struck me was in his comment:
My email could be treated differently once I am verified, based on what each individual or company decides. If you only want to hear from people who have verified their name, address, and banking information, you can have it that way.
Now, I know I am still just dabbling in the problems of email security, but this seems like a monumentally bad idea to me. Or possibly it's just that it changes the rules in a way that I am uncomfortable with. Proving who I am to get mail through to people seems like punishing me for other people's bad behavior. I am against that. I am against a central repository of data that makes me vulnerable. I am against global authoritative whitelists, because I think it would be too tempting a target to stand untouched for long. Anonymous and semi-anonymous email and an assumption of trust have been abused and will continue to be abused. That doesn't mean they're bad, just vulnerable.
I think one part of the solution for spam is better outbound mail monitoring. This works better for companies than individuals, but it could possibly be implemented on an ISP basis, too. Imagine software that sits and watches the outbound email. Any account sending 500 messages a day would get tagged and then investigated as a possible zombie. Any account sending words on the banned list would get tagged (how many ways to spell viagra?). It requires a certain level of adjustment, but it does not require some master FCC clearing house. It does not require me to verify my bank account information (WTF?!) with some hackable third party.
That still leaves spammers who own their own machines, and false bounce messages and the vast vast majority of spam out there. Did you know that something like 90% of the spam in the world is a directory harvest attack? That is, spammers get a domain name and in front of the @sign, they try every single permutation of names they can? Almost all of it bounces, but a tiny percentage "sticks". That is, someone just happened to get the right combination of letters that is my legitimate @work address. When an email fails to bounce, the spammer notes that as a 'good' address. These good addresses are compiled and sold to other spammers. So that's 90% of the traffic right now. Another 7-9% is "real" spam -- a mass emailed message that you didn't want. Only 1-3% of the email out there, and 10-30% of the mail you get is email you wanted.
If you didn't know that, it's because there is a spam filter somewhere in your email chain. You have your own server and you installed it yourself. You use gmail and they do it for you. You are behind a corporate wall. Your ISP is taking care of it. It's big business, email security -- not as big as some others, but lookit me, making a living writing instruction guides for admins who set it up and maintain it.
That's not to say I don't think verification is a totally corrupt system. I have a Thawte certificate, and had to trot around to actual people to have them actually look at me and my ID. I use it for exchanging keys with people who care a lot about their privacy. But if everyone who emailed me had to be pre-approved, I would not get email from random clan members, old boyfriends, or anonymous crushes. I like the internet. I like email. I don't want to see them locked up for their own good.
The central authority could be managed by the FCC and people who wanted to restrict their e-mail to only those who verified their identity could subscribe to this whitelist.
The part that really struck me was in his comment:
My email could be treated differently once I am verified, based on what each individual or company decides. If you only want to hear from people who have verified their name, address, and banking information, you can have it that way.
Now, I know I am still just dabbling in the problems of email security, but this seems like a monumentally bad idea to me. Or possibly it's just that it changes the rules in a way that I am uncomfortable with. Proving who I am to get mail through to people seems like punishing me for other people's bad behavior. I am against that. I am against a central repository of data that makes me vulnerable. I am against global authoritative whitelists, because I think it would be too tempting a target to stand untouched for long. Anonymous and semi-anonymous email and an assumption of trust have been abused and will continue to be abused. That doesn't mean they're bad, just vulnerable.
I think one part of the solution for spam is better outbound mail monitoring. This works better for companies than individuals, but it could possibly be implemented on an ISP basis, too. Imagine software that sits and watches the outbound email. Any account sending 500 messages a day would get tagged and then investigated as a possible zombie. Any account sending words on the banned list would get tagged (how many ways to spell viagra?). It requires a certain level of adjustment, but it does not require some master FCC clearing house. It does not require me to verify my bank account information (WTF?!) with some hackable third party.
That still leaves spammers who own their own machines, and false bounce messages and the vast vast majority of spam out there. Did you know that something like 90% of the spam in the world is a directory harvest attack? That is, spammers get a domain name and in front of the @sign, they try every single permutation of names they can? Almost all of it bounces, but a tiny percentage "sticks". That is, someone just happened to get the right combination of letters that is my legitimate @work address. When an email fails to bounce, the spammer notes that as a 'good' address. These good addresses are compiled and sold to other spammers. So that's 90% of the traffic right now. Another 7-9% is "real" spam -- a mass emailed message that you didn't want. Only 1-3% of the email out there, and 10-30% of the mail you get is email you wanted.
If you didn't know that, it's because there is a spam filter somewhere in your email chain. You have your own server and you installed it yourself. You use gmail and they do it for you. You are behind a corporate wall. Your ISP is taking care of it. It's big business, email security -- not as big as some others, but lookit me, making a living writing instruction guides for admins who set it up and maintain it.
That's not to say I don't think verification is a totally corrupt system. I have a Thawte certificate, and had to trot around to actual people to have them actually look at me and my ID. I use it for exchanging keys with people who care a lot about their privacy. But if everyone who emailed me had to be pre-approved, I would not get email from random clan members, old boyfriends, or anonymous crushes. I like the internet. I like email. I don't want to see them locked up for their own good.