2009-03-19 Why 'sender stores message' schemes won't cure phish spam

A commentator on my recent entry brought up D. J. Bernstein's Internet Mail 2000 as a possible cure for phish spam. The defining characteristic of IM2000 is that the sender, not the recipient, stores the message; the recipient merely retrieves it when they want to read it.

Let's set aside all of the practical issues with sender storage schemes and ask a simple question: will they actually work to stop phish spam? Unfortunately, the answer is no. If anything, they might make it easier.

The belief that such schemes can do anything about phish spam (and spam in general) assumes that spammers will have problems finding capable hosts to hold their spam or keeping those hosts available. In the case of phish spammers, this is demonstrably false; much phish spam today is sent from compromised servers (ones that already send legitimate email), and we know that they often go unfixed for significant periods of time.

Nor will the spamming be any more noticeable; an ISP or company that fails to notice the volume of outgoing SMTP messages now is not likely to notice the same network volume from notifications and message retrievals. (Since the compromised servers are legitimate email senders to start with, their 'mail access' is not going to be blocked by firewalls and the like any more than firewalls are blocking their outbound SMTP traffic today.)

Nor will the load of people retrieving their phish spam crush the server; these days it is almost trivially easy to make highly scalable software that serves static or mostly static content, especially when the content is small enough to fit into RAM. (The web server world provides you with lots of examples to steal from.)
SenderStorageNoCure written at 22:57:27
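The entry's point that a compromised but otherwise legitimate mail host hides its extra traffic inside traffic that is already allowed suggests what a defender can realistically look for: not absolute volume, but a host's outbound mail traffic jumping to a multiple of its own normal level. The following is an added example and not code from the post or from IM2000; it assumes a hypothetical flat-text flow log (fields: epoch seconds, source host, destination port, flow count), a constructed per-host hourly baseline, and treats ports 25 and 587 as outbound mail.

```python
"""Per-host outbound mail-traffic spike check over constructed flow records.

Added example, not part of the original post. The log format, host names and
baseline figures below are constructed for illustration. A compromised but
otherwise legitimate mail host shows up as a sudden multiple of its own
baseline, which is why the check is relative rather than an absolute limit.
"""
from collections import defaultdict

MAIL_PORTS = {25, 587}  # outbound SMTP and submission

# Constructed sample: two legitimate mail hosts; mx2 roughly doubles, then
# jumps by more than an order of magnitude in the third hour.
SAMPLE_LOG = """\
1237420800 mx1.example.org 25 40
1237420800 mx2.example.org 25 30
1237420800 mx2.example.org 443 500
1237424400 mx1.example.org 25 42
1237424400 mx2.example.org 25 60
1237428000 mx1.example.org 25 38
1237428000 mx2.example.org 25 400
1237428000 mx2.example.org 587 50
not a valid line
"""

# Constructed baseline: expected outbound mail flows per hour for each host.
BASELINE = {"mx1.example.org": 40, "mx2.example.org": 35}


def parse_flows(text):
    """Yield (hour_bucket, host, port, flows) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts, port, flows = int(parts[0]), int(parts[2]), int(parts[3])
        except ValueError:
            continue
        yield ts - ts % 3600, parts[1], port, flows


def hourly_mail_volume(text):
    """Return {host: {hour_bucket: outbound mail flows}} restricted to MAIL_PORTS."""
    volume = defaultdict(lambda: defaultdict(int))
    for hour, host, port, flows in parse_flows(text):
        if port in MAIL_PORTS:
            volume[host][hour] += flows
    return volume


def spikes(text, baseline, factor=3.0):
    """Return [(host, hour_bucket, flows, ratio)] for hours at or above
    factor * the host's baseline. Hosts without a baseline are skipped, since
    there is nothing to compare them against."""
    flagged = []
    for host, hours in hourly_mail_volume(text).items():
        expected = baseline.get(host)
        if not expected:
            continue
        for hour in sorted(hours):
            ratio = hours[hour] / expected
            if ratio >= factor:
                flagged.append((host, hour, hours[hour], round(ratio, 2)))
    return flagged


if __name__ == "__main__":
    for host, hour, flows, ratio in spikes(SAMPLE_LOG, BASELINE):
        print(f"{host} hour={hour} mail_flows={flows} ratio={ratio}x baseline")
```

Only mx2's third hour is flagged (450 flows against a baseline of 35); its second hour, at under twice baseline, is not, which is the usual trade-off between catching a takeover early and paging on a busy mailing-list day. The baseline itself would in practice be derived from the host's own history rather than typed in.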
2009-03-18 Principles of email in the modern age

This is not the Internet that we used to have, and so email is not what it used to be; now it is less. So I think that we need (or could do with) some principles of email for the modern age of the Internet, things that can guide people writing applications that might use email as part of their interactions with the world.

Now, a disclaimer: people are going to have different views of this. My view is a tired and somewhat cynical anti-spam biased one, added to sysadmin caution; optimists will be, well, more optimistic. So, in my view, here are some principles of email in the modern age:
The last principle is a bit subtle. If your users get specific trustable information in email, you are training them to trust the information that they read in 'your' email. Phishers and other malicious parties love that, because they can forge your email and most people, who are not suspicious, will believe it.

There are probably more sensible principles that I am not thinking of right now. Suggestions are welcome. (Note that I am skipping operational issues.)
ModernEmail written at 00:20:37
This is part of CSpace, and is written by ChrisSiebenmann.