Thursday, May 15, 2008

How change avoidance can hurt everyone...

In the last half hour I have received over 1000 emails. All of them Non-Delivery Reports (NDRs). Fortunately the email service provider I chose for my domain has an amazing spam filter. :-) They all went there. Just a couple made it to my inbox. What is a Non-Delivery Report?

An NDR is something an email server sends back to the address listed in the From: field of an email when it cannot deliver the message it received. It is a kind of neighborly thing to do, right? The problem is that there is no real authentication done on the email to ensure it was me (or you) that sent it. It's called spoofing.

Starting back in 2002/2003 I configured email servers I worked on not to send NDRs. It was being used as a way of enumerating users of the email server and there was some of what I'm currently seeing going on. Not many people agreed, but maybe they might start doing it now. I'm starting to see this on my account, but I see it at work too. Massive amounts of NDRs pouring in. Get it yet? Ok, hang on.

If I can send a spam message to an email server addressed to a non-existent user, and the email server sends the message back in an NDR to the listed sender, then the spammer can send 10 million emails that way. Getting clearer? Users open the NDRs because they may be curious why an email came back undelivered. Spammer mission accomplished, target opened email.

The problem in the past has been that a spammer would need to send these out from their IP address or someone else's, but the volume would be quickly noticed and probably shut down. With botnets that changes some. Now, spammers can send out a few emails from hundreds of thousands of systems. Getting clearer yet? Keep going...

Any time that someone can get your computer (server or workstation) to send out packets that you didn't intend, they can use your computer in a network-based attack. If I can get 10,000 systems to send out 10,000 emails to thousands of email servers that send NDRs and direct them at one recipient, then I've got a bit of a Distributed Denial of Service (DDoS) action going on. This has been done before with pings. It is hard to stop because people treat email as holy oxygen they cannot live without and it comes from hundreds or thousands of sources.

Besides, what is your boss going to say when he cannot get confirmation that an email went through or got rejected? Is anyone going to stand up and say that the email system in use for the past couple of decades was never designed to be reliable in this environment? Is anyone going to say enough with the 90% of all email being spam? Are we ever going to stop ignoring the problem and do something about it?

There are some solutions being worked on. The problem is that there are, of course, two factions that are so diametrically opposed that they will never cooperate. It is worse than Blu-ray and HD DVD. As for me, I see a much simpler solution.

SSL.

The code is available, tested, and reliable. We use it for web browsing. Why not email? It can authenticate the remote web server the same way our browsers authenticate secure sites we do business with. It will encrypt all data in transit. EASY.

What's the problem? SSL certificates cost over $100 a year (sometimes much more) to obtain and maintain. Why? A trusted certificate authority needs to validate your identity before issuing one. Certificates are tied to host names, so organizations with many mail servers may need to buy multiple certificates. If it were changed to just the domain name then that might be a viable workaround. Many individuals run their own mail servers and they don't want to fork over the money, or possibly don't want to go through the hassle.

My spam filter catches them. Not many others do. And apparently most system admins don't really care that their bandwidth, processing, and storage are being used by someone else.
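
One way a receiving filter can tell this kind of backscatter from a real bounce, as an added example that is not from the original post: parse the RFC 3464 delivery report and check whether the Message-ID it quotes is one the domain actually sent. The sample bounce, the `example.org`/`example.net` addresses and the `SENT_IDS` log are constructed, and keeping a log of outbound Message-IDs is an assumption.

```python
from email import message_from_string

# Constructed data: Message-IDs our outbound server logged as really sent.
SENT_IDS = {"<20080515.1001@example.org>"}

def make_ndr(orig_msgid):
    """Build a constructed RFC 3464 bounce that quotes orig_msgid."""
    return (
        "From: MAILER-DAEMON@mail.example.net\n"
        "To: me@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\n"
        "Your message could not be delivered.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mail.example.net\n\n"
        "Final-Recipient: rfc822; nobody@mail.example.net\n"
        "Action: failed\nStatus: 5.1.1\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        f"Message-ID: {orig_msgid}\nFrom: me@example.org\nSubject: hello\n"
        "--b1--\n"
    )

def quoted_message_id(msg):
    """Message-ID of the original mail quoted inside the bounce, or None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":      # headers-only copy
            inner = message_from_string(part.get_payload())
        elif ctype == "message/rfc822":         # full copy of the original
            inner = part.get_payload()[0]
        else:
            continue
        mid = inner["Message-ID"]
        return mid.strip() if mid else None
    return None

def classify(raw, sent_ids=SENT_IDS):
    """Return 'not-ndr', 'genuine-bounce', 'backscatter' or 'unverifiable'."""
    msg = message_from_string(raw)
    is_report = (msg.get_content_type() == "multipart/report" and
                 (msg.get_param("report-type") or "").lower() == "delivery-status")
    if not is_report:
        return "not-ndr"
    mid = quoted_message_id(msg)
    if mid is None:
        return "unverifiable"   # bounce quotes nothing we can check
    return "genuine-bounce" if mid in sent_ids else "backscatter"
```

A bounce that quotes a Message-ID the domain never issued is an NDR for mail someone else sent under a spoofed From: address, so it can be filed as spam without reading it.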
