HackerMoJo.com
Ceci n'est pas une blog
by Glenn Franxman, Django Developer / Stunt Programmer.
posted: 2003-11-21 04:38:13 perma-link, RSS comments feed
So I woke up tonight like I always do, but this time with a possible solution for the growing spam problem.
It occurs to me that we don't really need to build any new technology if we leverage the existing protocols. The concept is simple, require that all SMTP communications be either :
a) authenticated ( like your isp already requires ), or
b) tunneled over SSL ( like https ).
That's it.
By moving SMTP to SSL, we require the internet's email infrastructure to use Digitial Certificates that are tied to the originating machine and the company's D&B; number.
The reason that spam continues to build steam is that spammers have been branching out. Originally they sent the spam from machines at various ISP's. As their volume grew, they had to buy dedicated machinery. Then the internet responded with blacklists. Suddenly their boxes were worthless and their ISP's wanted to cut their contracts.
In order to keep their volume up, they had to decentralize. First they built worms and viruses ( actually just hacked existing ones ) to run DDOS attacks against the blacklist servers. More recently they are spreading viruses and worms that convert unsuspecting work and home pc's with broadband connections into anonymous SMTP relays. Now blacklists are worthless.
So here's why this solution works: When the upstream email infrastructure refuses to talk to these pc's, they'll be left with three options:
1) hack the already secured and well protected/managed email inftastructure -- good luck! This option is always available for all possible solutions, but since they'll be targeting a much smaller set of machines that are generally managed by professionals, the odds tilt back in our favor.
2) rework their virus/worms to use valid isp accounts to send the email -- but this will give away exactly which accounts and which machines are infected. Also, most isp's have volume limits on the amount of mail a single account can send, in addtion to restrictions on where an account can be used from.
3) include a mechanism for installing certificates in the virus/worm -- but that would involve getting a new certificate for each infected machine. Certificates cost money, generally around 250 USD. This is not only costly, but involves a fraus against verisign. THey could avoid the costly part by using stolen credit cards, but then they are talking about leaving a trail of fraud against verisign and VISA/MC/etc. This would also make the development of such a worm/virus diffucult to do without detection. THe credit card companies and verisign pretty much control commerce on the net if not in the real world. The certificate would be good for at best one billing cycle, but now there would be a real trail. The spams all end up with unforgable pointers to the infected boxes, and because of the amount of money used in a mass infection, the FBI/Homeland Sec/etc will be quite incented. Spammer freindly ISP's with mass would loose their ability to take money via the credit system. Are there any cash driven isps?
Blacklists would come back into vogue, only instead of blacklisting ip addresses or hostnames that can be dynamically generated, we'd blacklist certificates/companies. If sears.com wants to send me spam, they'd better make sure it is something I want, because once I black list their Dunn&Bradstreet; number tied to their certificate, they'll never be able to reach me again, no matter how many servers, how many new certificates they get, they'll never reach me again. I think that might make them think twice before sending spamming the public.
Feel free to poke holes in this.
Oh yeah, I almost forgot, -- I believe servercertificates are also tied to the server's ip address, so systems with dynamic ip's will only enjoy temporary use of fraudulently purchased certificates. Using DHCP, isp's could change subscriber addresses every 24 hours.
Howard Owens said on 2003-12-10 03:13:04:
How do you get all of the legitimate server administrators to buy certificates?
It would have been great if this had been part of e-mail from the beginning, but I'm not sure it's backward compatible. There would be a huge transition time where a lot of servers wouldn't have certificates. Plus, as you point out, they're expensive. Small ISPs and other small, but legtimate businesses that run their own servers, might not be able to afford them.
Otherwise, great idea. I would like to see some way for it to happen.
Dejuan Stokes said on 2003-12-09 14:41:14:
That would be a huge success, but is there a way that a company or a user could do this automatically? Because that is the biggest problem right now the ease of use, that is why it's not being done. But I think that you have a hot idea that could put a lot of stake on your plate for many nights to come.
|
Based upon your reading habits, might I recommend: Or, you might like: |
hosting: slicehost.com.
powered by: django.
written in: python.
controlled by: bzr.
monsters by: monsterID.
You've been exposed to: {'The Net': 1}
Meysha commented, on August 21, 2012 at 12:36 p.m.:
Your posts are funny and amusing. You ask they post upeadts when the servers are being re-wired and set up. the point of the blog is so they let us in on the progess using their personal laptops. They are very busy trying to get the games up they cant spend time posing here every 10 min than the servers wold take longer to get up anyone look at the amount of re-wiring they need to do? Technically this should take more than 2 day, but these guys are up 3 A.M just so we can play later. Give them a break for those who are complaining. they announced the server change a month ago and said it could take 2-3 days. Its very kind that they put up the blog in first place and post when they have free time. And the gravity games are fun too.P.Spokes Heim in arm elven ears <_< looks under server for lost ears hmmm dang hamster has it! Heim catch that hamster! It has my ears from last update!!!