SMTP on its last legs?
Spinner
Birmingham, UK
It seems the current problems with SPAM emails are thankfully starting to make people think. It seems many of the people that helped write and construct the original email protocols, which for the most part we still use today, have stated that the foundation of our current email system just can't cut it in the modern computing world.
It seems the SMTP email protocol in particular, which has un-deniably defined e-mail and its functionalilty for more than 20 years, hasn't got much of a future, simply because, it is too trusting and wasn't really built to accomodate the security functionalilty which the modern day computer user demands.
The full report:
http://zdnet.com.com/2100-1105_2-5058610.html
It seems the SMTP email protocol in particular, which has un-deniably defined e-mail and its functionalilty for more than 20 years, hasn't got much of a future, simply because, it is too trusting and wasn't really built to accomodate the security functionalilty which the modern day computer user demands.
Developed when the Internet was used almost exclusively by academics, the Simple Mail Transfer Protocol, or SMTP, assumes that you are who you say you are.
SMTP makes that assumption because it doesn't suspect that you're sending a Trojan horse virus, that you're making fraudulent pleas for money from the relations of deposed African dictators, or that you're hijacking somebody else's computer to send tens of millions of ads for herbal Viagra.
In other words, SMTP trusts too much--and that has spam foes, security mavens and even an original architect of today's e-mail system agitating for an overhaul, if not an outright replacement, of the omnipresent protocol.
"I would suggest they just write a new protocol from the beginning," Suzanne Sluizer, a co-author of SMTP's immediate predecessor and a visiting lecturer at the University of New Mexico, said in an interview.
"In my experience in computers--which at this point, is quite extensive--trying to fix problems in the existing thing is almost always more difficult than just sitting down and thinking about what you want and coming up with something new," she added.
The full report:
http://zdnet.com.com/2100-1105_2-5058610.html
0
Comments
## EDIT:
To clear up, I mean it's cool that they're doing something at the source. Either if they build on to SMTP or replace it, the whole idea will enable for tighter authorization.
What's _not_ cool: Having to replace something that's used by MILLIONS of people. Some of the ideas on how to add on to SMTP aren't cool either...
It's a real challenge on how to move forward. Nothing I can think of is practical
Anyone have any _good_ ideas? PM me if you want to talk
How you replace a protocol the entire internet uses?
But additionally, look at something as simple as gaming online. People are, on the whole, clueless as to when patches come out, AND where to get them.
The spread of viruses is an additional testament to the laissez faire approach people take to maintaining patches and updates on their computers.
The AOL users might get it because AOL could update their homepage and spam AIM, but a good portion of the eudora and MSO users would be left in the dark...
User ignorance is going to beat this initiative up and steal its lunch money.
How to stop worthless.com from giving me 5 emails a day, but allow someone from here email me with a question?
An allowed list wouldn't do it, and neither would doing something like PGP keys. Last night I spent 15 minutes running through PHP code to figure out what header was stopping emails from reaching my Hotmail account.
"Envelope-to:" wasn't making it past Hotmail filters... it's getting to a point where legitimate attempts are being shot down. I could solve this problem, but what about others beyond my control?
The protocol editing/replacement has my interest.
And as Thrax said, user ignorance is going to make this movement a large one. I could go ask 10 people what SMTP is and what it stands for... probably 1 or 2 could answer
Here, probably 80% could answer. Out in Best Buy, or some other similarly uneducated establishment, 2 in 150 is more realistic.
And you're right Park. There is no particular way I can conceive that the new protocol would employ to cull bogus email and keep the real stuff.
The national Do-Not-Email listings could prove a start to this, but it's not the only thing that could safeguard us from unwanted emails.
The sheer volume of methods available for a spammer to reach us (Address spoofing, massmailing, etc.) is astounding, and makes it that much harder to write an acceptable algorithm. Unfortunately I think it'll once again boil down to the ignorant user.
With no way out... what will happen to email in 5 years? Will it die because people cannot have some respect??
:banghead:
/me remembers he gets 0 spam at all and is happy again
There would need to be an overlap period so that SMTP and the new protocol--which I'll just refer to as ngMP--can be phased out and phased in, respectively.
I agree that it will make it easier on most people because of the clients/servers used for e-mail, but that's also what will make it more difficult to trace certain glitches because there are users (myself included) that do not use the clients, or perhaps the servers, mentioned.
I also agree that IPv6 is much more difficult to roll-out, primarily because of the hardware issues, but we will get there eventually; perhaps a few years later than desired, but better late than never, I guess.
Keeping it on port 110 is not an option as that's that POP port. SMTP is port 25. However, even using the correct SMTP port is not necessarily the best solution. If the same port is used, the ISP needs to have different IPs bound to the different mail processes while SMTP is phased out and ngMP is phased in. Not a large problem, but what if the user keys in the wrong IP/hostname? Perhaps using a different port, so that the client also knows--for certain--which protocol it is going to use, rather than having to switch to ngMP once the protocol has been determined. Either way can work, but I think another port would be a better solution.
Yep, port 110 would be illogical
Port 25 would also not be the wisest choice, in my estimation, but not because SMTP would serve as the foundation, but because of protocol assumption, and because of spam attacks.
Totally depends on what they do for a new protocol...
The fact that SMTP was so open is why there is so many Email clients (Web & Non-web based). The protocol was a snap to support. A new protocol's point would to be more closed, and not so trusting. Will this limit the email hosts that support it? Will it limit the email clients? That's not what I want, but it's possible.
A little off topic, but same line. AOL Instant Messenger (AIM) Protocol. A friend and I read how it works and made some little exploits for it. Why? Because the protocol is given to the public (and we were bored). Got old quick and we deleted the progress into digital oblivion.
The "ngMP" will HAVE to be so tightly coded, or the protocol kept hidden of everyone's best interest. That is of course if someone can think up an ingenious idea to base the protocol on. In turn, how to replace SMTP would then be thought of.
I think a PGP type solution will be my road if this attempt fails. Forward non-PGP encrypted messages to a folder or 2. I could further sort by sender or subject line.
Also, if the admin is crooked, then he can allow the username to be mapped to many different addresses be they legit addresses or not, thus defeating the authentication mechanism. Also, the issue of trust arises again. Should servers trust other servers? If ServerA has a corrupt admin should ServerB discard ServerA's mail or what? Unfortunately the true solution isn't cut-and-dry.
I really like the way <a href="http://www.rosecitysoftware.com/courier/">Courier</a> attempts to limit spam by using a "white-list." Basically, if the incoming mail is not recognized by an address in the address book, it is put into a folder of your chosing. Obviously this isn't the best solution, as e-mail in that folder still has to be gone through to see if a legit e-mail that wasn't in your address book was put there, but it's a solution I feel is more acceptable than having so much garbage fill my inbox every day. I've had the same e-mail address since 1996 or so, and changing it is not something I find very appealing, but the amount of spam I get every day measures well past 100 messages a day, and sometimes 200 messages a day. The only spam I've had appear in my inbox since using the white-list feature is spam spoofed to use my address.
we were used as a spam host once. They kept there cat5 peged at 100M for 3 months. They made a serious amount of money off it, as paying there bill was never a question. How they were caught was one of our class C's ended up in a spammer blacklist for mail relays. We pulled there connection faster than you could delete that email for penis pills. Currently, afaik, they moved there 60+ dell machines to XO's network under a new company name. Yes, thats over 60 brand new dell machines, mostly dual xeon, sending spam 24/7. I always wondered WTF they did with all that bandwidth.
Don't get too parinoid just yet. Yes, the basic SMTP proticals are very very liberal and will take just about anything sent to them> BUT alot of newer MTA's (Mail Transport Agents i.e. courier, sendmail) have new and unique ways to block problems. Most ISP's maintain blacklists of open relays. Also, try sending mail to AOL without a proper PTR records (reversed DNS lookups to auth your machine). If a machine can't authenticate who it is, AOL spits it out faster than you can say droped connection. Once it does authenticate, its only a matter of time before the machines are marked as spammers, and they have to pull up roots and move to a new ISP.
The war will never end. I do strongly believe we need to keep fighting, and that spam is a serious problem, but if you think it can be stoped your living in a dream world
The certificates would also ensure that each piece of E-mail as a valid "from" entry, and any user will be able to find out exaclty who has what addresses registered. Just like phone numbers and addresses, these certificates would have to be a matter of public record.
There would need to be a transition period, say about a year, during which time users could choose wheather they will continue to recieve all mail that is sent to them, or they will download the new version of their e-mail client (supporting the new protocol and certificate system only). During this transition period, the government could give tax breaks, and credits to major corporations who switch to the new system. Consumers would not be able to communicate with these corporations until they upgrade as well. by the time the year deadline runs out, everyone will have been forced to switch, because their company or friends already did.
IMHO, that's the only way to signifigantly deminish spam. Spammers will continue to find ways to spam until it is made financialy unsound to do so.
Is junk mail a problem in other countries too? I know here in the good Ol' U. S. of A. everyone and their dog (no, I'm not kidding, my dog gets mail too) get it!
An example, a machine I installed, OpenBSD client, Redhat server with courier MTA.
Since the machine does not have a valid A record it just bounces and is never delivered.
The problem is most ISP's don't implement the very basic tools we do have. For example, my mail will not accept from an invalid A record, but I do not check PTR records because 99% of the mail server in use do not have proper reverse records.
AOL is one that does have a very strict mailing system. They probably are the butt of many spam jokes, but anyone with a improper mail server sending mail to them knows better by now.
ISP's have to buck up and get serious about spam. even the most basic tools that are in place are not utilized.
And spammers can easily bypass any safe guards with the present protocal. Therin lies the reason for replacing the protocal. I mean, if I really wanted to, I could open up Eudora's options menu, change my "from" and "reply-to" addresses to whatever I damn well please. I could even make my mail look like it's comming from the office of The President of the United States, and if anyone replied to the e-mail, that's where the reply would go.
The only thing that you could do about that is track the mail back through the ISPs. A simple solution, but the message might have done it's intended damage by then.
I think that that is the kind of problem that useing a better protocal would fix, but I don't think it will work nearly as well without a good certificate system.
Maybe they could have the first couple of E-mail addresses that each person registers be free, and only charge if the person starts registering lots of them. The more addtresses activated the higher the expence per address becomes. That way we wouldn't be punishing the valid consumer, just to weed out the spammers. does that sound like a better idea?
Although I personally tend to favor the death-to-spammers idea...
Another two years have gone by and there is still not even a slight approach to seeing something being done in the distance... on a clear day...
I stand by my origonal quotes. A lot has changed in the last two years, and it will always be a battle regardless of the protocol used.