Been thinking about a distributed ‘web of trust’ approach to fighting spam.
- Kevin Burton conversing with Raph about a web-based trust metric.
- Bram writes about using (non-distributed) trust metrics against spam. With code ;)
- Trust Management on the WWW, by none other than Rohit Khare and Adam Rifkin!
- Trust Networks on the Semantic Web, a paper.
Combine those with another key point — that we do not need PKI, crypto, or any other changes to identify senders in current SMTP — and it could be done today, I think.
Why we don’t need crypto to identify an SMTP sender
Every email message delivered via SMTP across the internet will contain these headers:
- the From line
- one or more Received headers
Traditionally, whitelisting uses just the From line, which is vulnerable to spoofing. SpamAssassin used this up to version 2.3x. Spammers started spoofing mails where ‘From’ was the same as ‘To’, and since most people had themselves in the whitelist, that worked. boo.
In 2.3x or 2.4x, we added code to extract the IP addresses from the Received headers, and use a combined token — (from_address, ip_address) — as the sender’s address.
(In fact, we use just the top 24 bits of each IP to deal with situations like DHCP or dialup pools, where a relay may get a different IP every now and again. That’s close enough, at least.)
This is much harder to forge without doing a full-scale TCP spoofing attack, which is why the SpamAssassin auto-whitelist generally works well.
So basically, to identify someone strongly enough to provide a spam fix in plain old vanilla current SMTP, gen up a string containing their ‘From’ address, along with all the /24 masks of the IP addresses found in the ‘Received’ headers.
Remove your relays’ IP addresses, and you have an unspoofable ID for that person’s SMTP traffic. Any spammer who wants to spoof that will have to compromise their mail server (or a server in the same /24). That’s not cost-effective for spamming.
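Here is the ID-building step as an added example (my own illustration, not SpamAssassin code): parse a message, mask every IPv4 literal in the Received headers to /24, drop the IPs of your own relays, and join the result with the From address. The sample message and the OWN_RELAYS set are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample message (not from the original post): two hops, the
# first one being our own MX, which we must strip before building the token.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id 1; Mon, 3 Mar 2003 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.77])
\tby mx.example.org with ESMTP id 2; Mon, 3 Mar 2003 10:00:01 +0000
From: Alice Example <alice@sender.example>
To: bob@example.org
Subject: hello

body
"""

# Assumption: you know the IPs of your own relays; this set is constructed.
OWN_RELAYS = {"192.0.2.10"}

# Matches a dotted-quad IPv4 literal, optionally wrapped in brackets.
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def mask24(ip: str) -> str:
    """Keep the top 24 bits only: 198.51.100.77 -> 198.51.100.0/24."""
    a, b, c, _ = ip.split(".")
    return f"{a}.{b}.{c}.0/24"

def received_ips(msg: Message) -> list[str]:
    """Every IPv4 literal in the Received headers, top-most header first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(IPV4_RE.findall(hdr))
    return ips

def sender_id(raw: str, own_relays: set[str]) -> str:
    """From address plus the /24s the mail actually travelled through."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    nets = []
    for ip in received_ips(msg):
        if ip in own_relays:
            continue          # our own hop says nothing about the sender
        net = mask24(ip)
        if net not in nets:
            nets.append(net)  # keep order, drop duplicate /24s
    return f"{addr.lower()}|{'|'.join(nets)}"
```

A message that copies the From line but arrives through a different relay /24 yields a different ID, which is exactly what the From-only whitelist could not tell apart.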
Note that whitelisting based on that is effectively what the SpamAssassin auto-whitelist does. But for that to be more useful than the AWL, it has to extend over the internet to those people your friends haven’t corresponded with yet; i.e. it’s got to be distributed.
(If you would like to comment on this scheme, I’d prefer if you could post comments at this QuickTopic forum.)