Been thinking about a distributed ‘web of trust’ approach to fighting spam.
Combine those with another key point — that we do not need PKI, crypto, or any other changes to identify senders in current SMTP — and it could be done today, I think.
Why we don’t need crypto to identify an SMTP sender
Every email message delivered via SMTP across the internet will contain these headers:
- the From line
- one or more Received headers
Traditionally, whitelisting uses just the From line, which is vulnerable
to spoofing. SpamAssassin used this up to version 2.3x. Spammers started
spoofing mails where ‘From’ was the same as ‘To’, and since most people
had themselves in the whitelist, that worked. boo.
In 2.3x or 2.4x, we added code to extract the IP addresses from the Received headers, and use a combined token — ( from_address, ip_address ) — as the sender’s address.
(In fact, we use just the top 24 bits of each IP to deal with situations
like DHCP or dialup pools, where a relay may get a different IP every now
and again. That’s close enough, at least.)
This is much harder to forge without doing a full-scale TCP spoofing attack, which is why the SpamAssassin auto-whitelist generally works well.
So basically, to identify someone strongly enough to provide a spam fix in
plain old vanilla current SMTP, gen up a string containing their
‘From’ address, along with all the /24 masks of the IP addresses found in
the ‘Received’ headers.
Remove your relays’ IP addresses, and you have an unspoofable ID for that person’s SMTP traffic. Any spammer who wants to spoof that will have to compromise their mail server (or a server in the same /24). That’s not cost-effective for spamming.
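Here is the token-building step spelled out as runnable code. This is an added example written for this post, not SpamAssassin’s own auto-whitelist code: the two messages, the relay hostnames and the trusted relay address 198.51.100.7 are constructed for illustration, and the `TRUSTED_RELAYS` list stands in for whatever “your relays” are at a real site. It pulls every IPv4 address out of the Received headers, keeps only the top 24 bits of each, drops our own relays’ /24s, and joins the result to the From address. A second message with the same From line but a different delivery path gets a different ID, which is the whole point.

```python
"""Build the (From address, /24 relay masks) sender token described above."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Dotted-quad candidates; anything invalid (e.g. 300.1.2.3) is filtered below.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumption: the addresses of our own inbound relays. Their /24s are
# stripped from the token, since every message we receive passes through them.
TRUSTED_RELAYS = ["198.51.100.7"]

# Constructed sample messages (not real captures). Received headers read
# newest-first: our MX is on top, the sender's own servers are below it.
LEGIT = """Received: from mx.example.org (mx.example.org [198.51.100.7])
    by mail.local.example (Postfix) with ESMTP id ABC123
    for <me@local.example>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from smtp2.example.net (smtp2.example.net [203.0.113.45])
    by mx.example.org (Postfix) with ESMTP id DEF456
    for <me@local.example>; Mon, 1 Jan 2024 09:59:58 +0000
Received: from smtp1.example.net (smtp1.example.net [203.0.113.9])
    by smtp2.example.net (Postfix) with ESMTP id 123DEF
    for <me@local.example>; Mon, 1 Jan 2024 09:59:57 +0000
From: Alice <alice@example.net>
To: me@local.example
Subject: hello

hi there
"""

# Same From line, but injected from a different network: the From address
# alone would whitelist it, the combined token does not.
SPOOFED = """Received: from mx.example.org (mx.example.org [198.51.100.7])
    by mail.local.example (Postfix) with ESMTP id ABC999
    for <me@local.example>; Mon, 1 Jan 2024 11:00:00 +0000
Received: from dsl-pool.example.com (unknown [192.0.2.200])
    by mx.example.org (Postfix) with ESMTP id DEF999
    for <me@local.example>; Mon, 1 Jan 2024 10:59:58 +0000
From: Alice <alice@example.net>
To: me@local.example
Subject: hello

click here
"""


def mask24(ip_text):
    """Keep the top 24 bits of an IPv4 address: 203.0.113.45 -> 203.0.113.0"""
    net = ipaddress.ip_network(f"{ip_text}/24", strict=False)
    return str(net.network_address)


def relay_masks(received_headers, trusted_relays=TRUSTED_RELAYS):
    """Ordered, de-duplicated /24 masks from Received headers, minus our own relays."""
    trusted = {mask24(r) for r in trusted_relays}
    masks = []
    for header in received_headers:
        for candidate in IPV4_RE.findall(header):
            try:
                ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:
                continue  # looked like an address, is not one
            m = mask24(candidate)
            if m not in trusted and m not in masks:
                masks.append(m)
    return masks


def sender_id(raw_message, trusted_relays=TRUSTED_RELAYS):
    """The ( from_address, /24 masks ) token, rendered as one string."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    masks = relay_masks(msg.get_all("Received", []), trusted_relays)
    return f"{from_addr}|{','.join(masks)}"


def is_whitelisted(raw_message, whitelist, trusted_relays=TRUSTED_RELAYS):
    """Whitelist lookup on the combined token rather than the bare From line."""
    return sender_id(raw_message, trusted_relays) in whitelist


if __name__ == "__main__":
    whitelist = {sender_id(LEGIT)}  # learned from earlier good mail
    print(sender_id(LEGIT))                     # alice@example.net|203.0.113.0
    print(sender_id(SPOOFED))                   # alice@example.net|192.0.2.0
    print(is_whitelisted(SPOOFED, whitelist))   # False: same From, different path
```

Note that the two legitimate hops, 203.0.113.45 and 203.0.113.9, collapse into a single 203.0.113.0 entry: that is the /24 rounding from the post doing its job for a sender whose outbound relay moves around inside one block, and also the limit of the scheme, since anything else in that same /24 yields the same token.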
Note that whitelisting based on that is effectively what the SpamAssassin auto-whitelist does. But for that to be more useful than the AWL, it has to extend over the internet to those people your friends haven’t corresponded with yet; i.e. it’s got to be distributed.
(If you would like to comment on this scheme, I’d prefer if you could post comments at this QuickTopic forum.)