Verizon is also allowing spammers to abuse Vtext, their email-to-SMS gateway with spoofed domains. No SPF/DKIM checks so they can forge email From headers and send out tens of thousands of spam text messages: http://blog.unto.net/a-bug-in-the-system-or-why-isps-should-...
I started checking SPF records on my mail server. All spam that makes it through the other checks also has correct SPF records. Presumably if spammers control DNS for a bunch of crappy domains they can dynamically add the zombie machines to the SPF records on the fly and just get on with their day. Very disheartening.
SPF isn't really an anti-spam tool, it's just a way to verify that the sender ___domain isn't being spoofed. For instance, it stops spammers from sending mail with a paypal.com email address.
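To make the two comments above concrete: the following is an added example, not code from anyone in this thread. It is a minimal SPF evaluator in the spirit of RFC 7208, with a constructed in-memory table standing in for DNS TXT lookups, so it runs offline. Domains and addresses are from the documentation ranges. Note that SPF is evaluated against the envelope MAIL FROM ___domain (or HELO), not the header From the user sees, which is why a ___domain with a valid record can still appear as a forged From unless something like DMARC ties the two together. The last function reproduces the "add the zombie to the record on the fly" scenario.

```python
import ipaddress

# Constructed in-memory "DNS" (___domain -> SPF TXT record) so the example runs
# offline; a real checker would perform the TXT lookup. Names and addresses
# are from the documentation ranges.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms per evaluation


def check_spf(___domain, sender_ip, records=SPF_RECORDS, _budget=None):
    """Evaluate the SPF record of ___domain (the envelope MAIL FROM ___domain, not
    the header From) against the connecting IP.

    Returns pass, fail, softfail, neutral, none or permerror. Supports the
    ip4, ip6, include and all mechanisms; a, mx, ptr, exists and redirect=
    are not implemented and yield permerror rather than a silent pass.
    """
    if _budget is None:
        _budget = [MAX_LOOKUPS]
    record = records.get(___domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        if "=" in term:  # modifier such as exp= or redirect=
            if term.lower().startswith("redirect="):
                return "permerror"  # not implemented here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"  # too many lookups
            # include matches only when the referenced record yields "pass"
            matched = check_spf(arg, sender_ip, records, _budget) == "pass"
        else:
            return "permerror"  # unsupported mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match and without "all"


def zombie_added_on_the_fly():
    """The scenario from the thread: a spammer who controls DNS for a
    throwaway ___domain lists a compromised host's address and SPF passes.
    Returns the result before and after the record is edited."""
    zombie = "198.51.100.200"  # constructed: compromised host, in no record
    records = dict(SPF_RECORDS)
    before = check_spf("spammer.example", zombie, records)
    records["spammer.example"] = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.200 -all"
    after = check_spf("spammer.example", zombie, records)
    return before, after
```

Running check_spf("example.com", "203.0.113.5") gives "fail" because the record ends in -all, while zombie_added_on_the_fly() returns ("fail", "pass"): nothing about SPF says the listed hosts are trustworthy, only that the ___domain owner chose to list them.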
Exactly. Spammers can use any email address they'd like and Verizon simply passes it on to the recipient. A spammer used one of my domains (with valid SPF records added years ago) and texted thousands of Verizon customers. I intercepted all replies to the texts with a catch-all email and found hundreds of complaints including several death threats and a father who told me his young daughter received a porn text from my ___domain. After 3-4 days, their spam filter finally kicked in. My ___domain was blacklisted and I basically had no control over it.
Interesting. I found that my custom-___domain Fastmail address went from spam to the inbox in GMail the moment both SPF and DKIM were set up correctly.
I think the presence makes a difference, and SPF is often at least partially respected. But I think DKIM is so often incorrectly configured that most major mail carriers just decide they have to let it through anyway.
Yup, I've watched mail that I send be delivered directly to Gmail inboxes even if I spoof the From address to be from a Gmail account. (Admittedly, the rest of the headers show it correctly coming from the uwaterloo.ca mailservers, which are perhaps whitelisted, and the content of the email is never obviously spammy.)
Starving spammers of IPs is not really a solution to spam anyway. Reforming smtp is. And it is long long long overdue...
What I don't understand is that pretty much everyone has an incentive to eliminate spam. ISPs to reduce traffic, email providers to produce a better service and spend less time dealing with spam. Users for obvious reasons. Only the NSA enjoys the current unencrypted status quo. Why doesn't it happen? Why are we stuck with a 30y protocol?
The incentives aren't aligned right. Every business will still need SMTP to receive email from outsiders, and through that SMTP will come spam. Even if two businesses decide to switch to a better protocol between them, they're still running SMTP to reach anyone else.
And unless you permit sending a single message to both SMTP and better-than-SMTP recipients without any UI awareness, you've built a product that's strictly worse than SMTP for end users.
You could add features to email to make a more compelling product, and then kill seamless integration with other SMTP users and still have a better product. (See e.g. Slack. Or Facebook, for personal email.) And then maybe in many many years nobody will want email any more. But that won't be quick.
The market is very concentrated. If gmail, yahoo, microsoft and comcast announce that they will gradually increase the spam level on non-"new smtp" traffic, you can bet that the adoption rate will be stellar. Yes smtp will have to be around for a while but if you treat any legacy mail traffic as suspicious once it becomes <10%, I think it will go away within 3-5 years.
Most of those providers already enforce DMARC between themselves, which provides all the anti-spam benefit you could hope for from a new protocol. (In terms of protocol beauty, it's awful, but in terms of functionality it does what you want.)
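What "enforce DMARC" means mechanically, as an added example that is not from this thread: DMARC (RFC 7489) does not authenticate anything itself; it takes the SPF and DKIM results, checks that the authenticated ___domain is aligned with the header From ___domain, and applies the policy the From ___domain published. The policy table below is constructed (in DNS it lives at _dmarc.<___domain>), the organizational-___domain helper is a deliberate simplification of the Public Suffix List step, and the SPF/DKIM results are passed in rather than computed.

```python
# Constructed policy table (___domain -> DMARC TXT record) standing in for the
# _dmarc.<___domain> lookup so the example runs offline.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "strict.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "loose.example": "v=DMARC1; p=none",
}

ACTIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def organizational_domain(___domain):
    """Stand-in for the Public Suffix List step of RFC 7489: keep the last
    two labels. Fine for the documentation names used here; a real
    implementation must consult the PSL (e.g. so co.uk is not treated as an
    organizational ___domain)."""
    labels = ___domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only the same organizational ___domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results,
                   records=DMARC_RECORDS):
    """Combine SPF and DKIM outcomes the way a receiver enforcing DMARC does.

    from_domain:  ___domain of the RFC 5322 header From (what the user sees)
    spf_result:   SPF result for the envelope MAIL FROM ___domain spf_domain
    dkim_results: list of (d= ___domain, result) for each DKIM signature
    Returns (dmarc_result, action). DMARC passes only if at least one
    *aligned* identifier authenticated; otherwise the published policy
    decides what happens to the message.
    """
    record = (records.get(from_domain.lower())
              or records.get(organizational_domain(from_domain)))
    if record is None:
        return "none", "deliver"  # no policy published: DMARC says nothing
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none", "deliver"
    spf_ok = (spf_result == "pass"
              and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTIONS.get(tags.get("p", "none"), "deliver")
```

The case described a few comments up, a message whose From claims example.com but which was relayed by some unrelated university server with a valid SPF record of its own, is evaluate_dmarc("example.com", "pass", "university.example", []): SPF passed, but for the wrong ___domain, so the result is ("fail", "reject"). The same mail with p=none on the From ___domain is delivered anyway, which is why publishing a policy matters as much as publishing SPF.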
If Gmail, Yahoo, Microsoft, and Comcast announced that they are making it more likely that outside email (from online stores, from individual Exchange installations, etc.) will be marked as spam when it's not actually spam, people will find new email hosts. Somehow.
If they just want to mark traffic as spam when it is, they're already doing that.
I am not so sure. Senders are more concerned about their emails not appearing as spam in gmail than the other way round. If all it takes is to update their software, I believe they will.
Probably because very little innovation happens to any long-standing protocol until it becomes a primary business concern.
Almost every business relies on OpenSSL or some equivalent, but how many actually learn enough about SSL to contribute back to the codebase? Not many, because despite the need there's little acclaim or funding to be had pursuing things that won't make direct revenues, regardless of their importance.
Protocols like this generally don't get updated until it becomes a matter of necessity -- either by public awareness (we're far from that point) or someone designing the "next big thing" needs an un-implemented feature and contributes.
My point though, is that it's always a "secondary" or "tertiary" business concern... a point emboldened by the number and frequency of data breaches -- always followed of course, by the email newsletter follow-up & mea culpa. "We care about the security of your data, we swear. We regret to inform you that ..."
Sadly things are not always as they should be, friend...
A new smtp protocol with:
- mandatory encryption, mandatory validation of certificates
- certainty on the sender (effectively a mandatory hardfail spf)
- ideally decoupling the email address from the provider running the mail server (users shouldn't be prisoners of a gmail or a yahoo)
[edit] also a system of extended validation for signatures like for ssl certificates would be useful. I would end up expecting a nice green logo in my mail client for emails from citibank.com, something cit1bank.com could not achieve.
[edit2] also a modern design would require emails to be instantaneous. All these messenger apps would become redundant and we would revert to a common standard.
That's quite the low effort response. You could've at least mentioned a point or two that applies to this situation. The list you linked to is not a check list, it only lists ways to shoot ideas down. Although I don't necessarily disagree with the skepticism in this case, consider for a second that a very similar list could have been written up until right before the Wright brothers took off with their plane, supposedly proving manned flight impossible.
Manned flight was a new technology. The proposal to build a new SMTP with [...] requires abandoning SMTP as it is now and convincing everyone to switch.
If the Wright Brothers wanted to eliminate auto accidents by flying, anyone at the time could have told them they were doomed to failure, and history would have proven them right, even though air travel is safer than road travel. That's because getting people to stop using cars isn't simply a matter of inventing an airplane.
a very similar list could have been written up until right before the Wright brothers took off with their plane, supposedly proving manned flight impossible
Someone should write up such a list along with a bot that replies to any post that cites the craphound link linked above. I think it's a valid counterpoint.
Nevertheless, whenever someone offers up a cure-all for SMTP, that craphound list is the first thing that comes to mind.
Actually, it's not really that surprising that the top host for spammers would (a) be bad at distinguishing spammers from non-spammers; and (b) know it has a problem and flail around aggressively trying to shut down spammers.
Try and locate high-level contact email addresses, or even better, phone numbers.
This might be a long shot, but when I'm trying to solve difficult problems like these, I just call Sales. And Sales might have these phone numbers!
Sure, they're probably not even in the same state (:P) as the department you really need to speak with, but they're constantly trained to be driven and achieve customer satisfaction - and they all have that after-conversation rating thing they're working for (btw, max everything out on that, most of them are graded exponentially toward maximum, something insane like: 0..n-2 usually means 10-20%, n-1 is 50% and n is 100%).
After enough convincing (the magic, arbitrary protocol is always different) they'll try and figure Something(TM) out. Especially if you repeatedly, patiently call them.
It's not a net neutrality issue, these are bogons. A bogon is a block of IP addresses being announced by a network that shouldn't be announcing them. For instance, if you own the IP block 192.0.2.0/24, and then I announce a route to 192.0.2.0/24 from my network, my announcement is a bogon.
Bogons are unacceptable regardless of what they're being used for, because the announcer is essentially hijacking those IP addresses. In this case the addresses being hijacked aren't being used, but they still don't belong to the group using them.
Any ISP that propagates BGP announcements from their customers should have filters in place to prevent this from happening. Verizon isn't doing their due diligence.
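The filter the comment above is asking for, as an added example that is not from this thread: an ISP builds, per customer session, an allow-list of the prefixes that customer is registered to originate (from IRR route objects or RPKI ROAs) and drops everything else. The allow-list and the announcements below are constructed, the AS numbers are from the documentation range, and the reserved-space list is a small subset of what a production bogon feed carries. The check is written in Python to show the logic; on a router it is a prefix-list or route-map applied inbound on the customer session.

```python
import ipaddress

# Constructed allow-list of what each customer session may announce, as an
# ISP would build it from IRR route objects or RPKI ROAs. Each entry is
# (prefix, max_length) in ROA style: the prefix itself or any more-specific
# no longer than max_length. AS numbers are from the documentation range.
CUSTOMER_PREFIXES = {
    "AS64500": [("192.0.2.0/24", 24)],
    "AS64501": [("198.51.100.0/24", 24), ("2001:db8::/32", 36)],
}

# Space that must never appear in the global table (a subset of the IANA
# special-purpose registries; a production filter pulls a full bogon feed).
NEVER_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Longest prefixes generally accepted from customers and peers.
MAX_PREFIXLEN = {4: 24, 6: 48}


def validate_announcement(customer_as, prefix, allowed=CUSTOMER_PREFIXES):
    """Decide whether to accept `prefix` from the session of `customer_as`.

    Returns (accept, reason). Reserved space and over-long prefixes are
    dropped, and anything not registered to this customer is rejected,
    which is what stops a customer announcing someone else's block.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.version == b.version and net.subnet_of(b) for b in NEVER_ROUTABLE):
        return False, "reserved or private space"
    if net.prefixlen > MAX_PREFIXLEN[net.version]:
        return False, "more specific than generally accepted"
    for owned, max_len in allowed.get(customer_as, []):
        owned_net = ipaddress.ip_network(owned)
        if net.version == owned_net.version and net.subnet_of(owned_net):
            if net.prefixlen <= max_len:
                return True, "covered by customer's route object"
            return False, "too specific for customer's route object"
    return False, "not registered to this customer"


def filter_session(customer_as, announcements, allowed=CUSTOMER_PREFIXES):
    """Apply the filter to a batch of announcements from one session and
    return the prefixes that were dropped, keyed by reason."""
    dropped = {}
    for prefix in announcements:
        ok, reason = validate_announcement(customer_as, prefix, allowed)
        if not ok:
            dropped[prefix] = reason
    return dropped
```

With this in place the example from the comment above plays out as intended: AS64500 announcing 192.0.2.0/24 is accepted, while AS64511, which holds nothing, announcing the same 192.0.2.0/24 is rejected as "not registered to this customer" before it ever reaches the rest of the Internet. The ISP never has to judge who the customer is, only whether the prefix is theirs.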
It doesn't seem like they would need to decide who is and isn't a "cybercrime gang", just whether or not their customer actually owns the IP blocks that they're asking to be routed.
In another universe, a "cybercrime gang" lost its /16 today due to an xyz regulatory body's decision deeming it as such.
"In addition, spamming from these stolen IP addresses is a felony under the US CAN-SPAM Act."
said another way....
"In addition, sending information in a unauthorized fashion is a felony under the US CAN-SPAM Act."
Should we really be cheerleading more rules and tighter restrictions on comms? Uh. Let's require biometrics to xmit!
The problem is not their distasteful use of IP addresses, but that they are committing the IP-address equivalent of identity theft: doing business under identifiers which are not theirs.
BGP is a trusting protocol, with expectations enforced by social contract rather than cryptography. Part of the social contract among ISPs is that only competent, legitimate entities get to participate in BGP, and Verizon is violating that.
"competent, legitimate entities" aka whatever that's decided to mean at the moment. BGP is trivially broken, but that's not what's happening here, and even if it was it's a proto flaw, not something that we should be "fixing" with more prior restraint.
It's too easy to restrict people by 'fixing' a non-problem (junk mail from 'gangs' in this case).
It is simply not your right to advertise routes that aren't yours. Doing so intentionally is solid proof that you have no business participating in BGP, gang or not.