For those who've been living in an e-mail free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I'd better confirm my account info pronto. ...Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of links in it are to its own domain, e.g., if the sender is bigbank.com, all of the links have to be to bigbank.com or maybe www.bigbank.com. Current path authentication schemes don't handle this, but it wouldn't be too hard to retrofit into SPF. ...So the question is, is it worth the effort to make all of the senders and URLs match up?
A recent study conducted by Blue Security reports how Internet users can unknowingly expose their contacts' emails addresses to Spammers while sharing files, music, games and DVDs over Peer-to-Peer (P2P) networks. The study has uncovered hundreds of incidents where files containing email addresses were made accessible in P2P networks.
Larry Seltzer wrote an interesting article for eWeek, on port 25 blocking, the reasons why it was being advocated, and how it would stop spam. This quoted an excellent paper by Joe St.Sauver, that raised several technically valid and true corollaries that have to be kept in mind when blocking port 25 -- "cough syrup for lung cancer" would be a key phrase... Now, George Ou has just posted an article on ZDNET that disagrees with Larry's article, makes several points that are commonly cited when criticizing port 25 blocking, but then puts forward the astonishing, and completely wrong, suggestion, that worldwide SPF records are going to be a cure all for this problem. Here is my reply to him...
Just in case you've been out of the country for the last 12 months, a new scourge is hitting the Internet and the world of email and it's called phishing. The Anti-Phishing Working Group defines phishing as identity theft "attacks using 'spoofed' e-mails and fraudulent Websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords..." According to various experts, the incidents of phishing are rising at an alarming rate: there were 13,000 unique phishing attacks in January alone - that's a 42 percent surge over the previous month. The real problem is that phishing works.
As a daily and enthusiastic reader of The New York Times, I was disappointed to read their February 1 article on CAN-SPAM entitled, "Law Barring Junk E-Mail Allows a Flood Instead" (subscription required). The theme of the article was, as the title suggests, that enacting CAN-SPAM was worse than having no laws at all. The article really missed the point on several fronts.
The following excerpt is from the Free Software Magazine, March 2005 Issue, written by Kirk Strauser. To read the entire article, you may download the magazine here [PDF]. Also thanks to Yakov Shafranovich for making us aware of this publication. "Spam has existed since at least 1978, when an eager DEC sales representative sent an announcement of a product demonstration to a couple hundred recipients. The resulting outcry was sufficient to dissuade most users from repeating the experiment. This changed in the late 1990s: millions of individuals discovered the internet and signed up for inexpensive personal accounts and advertisers found a large and willing audience in this new medium."
Now, I don't like the word "whither" any more than you do. But this Reuters article was circulating yesterday and it seemed to call for a "whither." It's a short story, so let's do a close reading. "A U.N.-sponsored panel aims to settle a long-running tug of war for control of the Internet by July and propose solutions to problems such as cyber crime and email spam, panel leaders said on Monday." We're going to decide what "internet governance" is by July?
Several anti-spam companies talk about spam volumes in terms of a percentage of all inbound mail. Outsourced anti-spam services such as BlackSpider and Postini are currently quoting spam volumes in the 70%-85% range, having steadily grown over the last two+ years. That's nice, but it's actually hard to grasp what that means in absolute terms.
I got a letter the other day from AOL postmaster Carl Hutzler, about how the Internet community could get rid of spam, if it really wanted to. With his permission, here are some excerpts. "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution)."
A few months ago, Ted Hardie (AD of Applications for the IETF) informed the MARID WG in the closure announcement as follows: "Given the importance of the world-wide email and DNS systems, it is critical that IETF-sponsored experimental proposals likely to see broad deployment contain no mechanisms that would have deleterious effects on the overall system. The Area Directors intend, therefore, to request that the experimental proposals be reviewed by a focused technology directorate..."