I've recently been catching up slowly but steadily with a lot of threads I'd put on the back burner, and just read Enough is Enough - Taking the fight back to the Internet scammers. Both the discussion on that thread and its subject in the broader sense reminded me of a number of observations, ideas, and concepts I've seen lately regarding that subject. While this node is not exactly on topic for the monastery, both automated sending and automated filtering of mail are an issue at PerlMonks frequently enough that I believe the following items are of general interest.

First off is something I first saw on Andy Lester's weblog (alias petdance), in an entry titled Content-based spam filtering is a dead-end path. It ties in with the observations in brother tachyon's post on the aforementioned thread. The fact is that spammers are starting to fill their mails with innocent and/or random text while avoiding any direct mention of their advertised goods(?), instead circumphrasing them. Consequently, in the mid- to long-term, content-based filters will become useless until artificial intelligence makes a significant breakthrough (ahem).

The only way to effectively uproot the problem is to fix it at protocol level once and for all. The most promising new concept in that direction, and a highly intriguing one at that, is described in an experimental IETF draft. It entails the introduction of a new resource record in DNS servers called RMX, Reverse Mail Exchange, to aid the recognition of forged sender addresses. The idea is brilliantly simple: the RMX DNS RR lists legit senders' IPs for mail being sent from this domain. When a mail server receives a connection, it compares the originating IP with the list given by the RMX RR for the MAIL FROM domain of delivered mail. Mail that fails this check is discarded as illegitimate.

The extent of this scheme's brilliance is hard to summarize. In one simple step, forged sender addresses become a thing of the past. It is much simpler than any cryptographical authentication scheme proposed to date and at least as robust as any of them. Unlike them it retains much of the anonymity of mail as we know it. All the necessary infrastructure already exists (a huge bonus).

But in the meantime, we have to find ways to keep spam out of the inbox without any support on the technical level. Half a dozen years' worth of experience in this area suggests that the only viable approach is to win without fighting. The approach is to take the route known as the only sensible one in security: deny by default, permit explicitly. Obviously using a whitelist is no new idea. Innovation comes into play by adding flexible recognition for solicited bulk email such as mailing list traffic, and use of a spam filter's scoring mechanism to rank the rejects. They're put in a grey (as in, almost black) box sorted by ascending spam score so that legitimate mail sorts to the top. The whitelist is updated by bouncing legitimate rejected mail to a special address, or by using a special bind in your mailer. All you need to do then is skim the top of the greybox once in a while for legitimate mail and bounce out the keepers.

Makeshifts last the longest.


In reply to (OT) Fighting spam by Aristotle
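
The receiving-side RMX check described in the post, as an added example that is not part of the original post or of the IETF draft. The `RMX_RECORDS` table is a constructed stand-in for the DNS lookup, the function names are hypothetical, and the `none` result for a null sender or a domain that publishes no list is an assumption the post does not cover.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> networks its RMX records authorize.
# A real server would query DNS here; the record wire format is not modelled.
RMX_RECORDS = {
    "example.org": ["192.0.2.0/28", "2001:db8:25::/64"],
    "example.net": ["198.51.100.7/32"],
}

def sender_domain(mail_from):
    """Return the lower-cased domain of an SMTP MAIL FROM path, or None for
    the null sender "<>" used by bounces and for unparsable addresses."""
    addr = mail_from.strip().lstrip("<").rstrip(">")
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].rstrip(".").lower()
    return domain or None

def rmx_check(client_ip, mail_from, records=RMX_RECORDS):
    """Classify a connection as 'pass', 'fail' or 'none'.

    pass: the connecting IP is listed for the MAIL FROM domain
    fail: the domain publishes a list and the IP is not on it (forged sender)
    none: nothing to compare (assumed policy: null sender or no list published)
    """
    domain = sender_domain(mail_from)
    if domain is None or domain not in records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for cidr in records[domain]:
        # An IPv4 address is never "in" an IPv6 network, so lists may mix both.
        if ip in ipaddress.ip_network(cidr):
            return "pass"
    return "fail"

if __name__ == "__main__":
    # Constructed sample connections: (peer IP, MAIL FROM argument).
    for peer, sender in [
        ("192.0.2.5", "<alice@example.org>"),
        ("203.0.113.9", "<alice@Example.ORG>"),
        ("2001:db8:25::1", "<bob@example.org>"),
        ("203.0.113.9", "<>"),
    ]:
        print(peer, sender, rmx_check(peer, sender))
```

The check only sees the envelope sender (MAIL FROM) and the peer address of the SMTP connection, so it runs before any message content is accepted.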
