Skip to main content
Welcome guest. | Register | Login | Post

On eMail

Just like probably most people on the Internet I receive a lot of spam, especially on my very first eMail-address I ever registered. Yes, I still use that, even though I have mostly transitioned away from it by now.Now the problem is that spam is annoying, and can easily become the majority of mails in your inbox, as is the case with my old eMail.

Of course, you can argue, that I should use a spam-filter, and I actually do. But spam-filters can only do so much for you. They often work with wordlists, IP-based blacklists and other nifty tricks to detect spam. This of course does not work all the time, especially because spammers then come up with words like viagara, that can still be understood, but are not detected by the spam-filter, at least until the next update of the wordlist.
Aside from this need for frequent updates, which already is a problem in itself, but one I do not intend to cover here, there is the problem of false positives, wanted eMails that, for some reason, get marked as spam.

Another annoying fact about spam is, that it usually comes from a false email-address, often it even seems as if you sent the spam to yourself. eMail is very old. It actually was one of the first applications on the Internet, and it hasn't changed much since. Thus eMail offers ways for spammers to easily manipulate an eMail in a way to make it harder for him to be traced and possibly prosecuted. It is, for example, very easy to send an eMail from any random eMail-address.

Now over the years there have been a lot of good ideas that can actually help stop the flow of spam. An older example possibly might be digital signatures and eMail-encryption, for example through PGP. The question arises why does nobody use it? Not even companies seem to be interested in PGP. A minute of Google shows that at least some companies use PGP for their security-related eMail-addresses, among the ones I could find were Microsoft, Intel and Sun, but you have to actually look for those entries, they are not on top of the list when searching for PGP.
In addition to PGP not being widely adopted by the big players in the business, it also isn't the big hit for the enduser. First of all, you need to set it up. For an IT-person like me this may not be witchcraft, but for the millions of regular computer-users out there, it actually is. Second, you need to exchange PGP-keys with the people you want to securely mail with, which also poses a problem in the regard that this key-exchange cannot be done with an already encrypted eMail. And physically exchanging the key, for example on a USB-stick, is too cumbersome for all but the most paranoid of geeks.
Even though I still encourage and advocate the use of PGP for encryption and digital signatures, I have by now accepted that I'm fighting a forest fire with a waterpistol here.

But there are other ways to prevent users from getting spam, ways that are transparent to the enduser, and thus are available to even those users who are do not have the knowledge or permissions to set up additional software for the protection of their eMails.
The methods I am talking about are SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). In short, SPF provides a way to specify which servers are allowed to send eMail for a specific domain-name, while DKIM uses digital signatures to authenticate the sender of an eMail.
For more detailed information please check the following links:
http://www.openspf.org/
http://en.wikipedia.org/wiki/Sender_Policy_Framework
http://www.dkim.org/
http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

Both solutions are set up in the mail-server and the DNS-server. As said before, absolutely transparent to the enduser.

So why are these solutions not widely adopted yet, even though their respective RFCs (4408, SPF & 4871, DKIM) are already a few years (3 for DKIM, 4 for SPF) old?
One reason may be the old saying "Never touch a running system.", which often enough freezes sysadmins into uselessness instead of working on implementing solutions that make sense. Another of course is that many people who are working as sysadmins aren't actually qualified to do so.
Another reason of course is that in many companies the IT department is underfunded and thus often understaffed, aside from staff not always being suitable for the tasks at hand.
Adding to this problem is the aforementioned transparency. The regular user doesn't really notice it's there, and thus doesn't know about it. And what he doesn't know about he cannot request. I am sure that adoption of certain technologies would go a lot quicker if people would demand it.

It is the same with web-hosting companies that still run their servers with PHP4, or that one company we found that was using a 7 year old version of Apache... Both are not supported anymore, and have to be replaced. Not only because the newer versions have more and flashier features, but for security reasons. Software, just like pretty much everything else, has an end of life, at which point it needs to be replaced with an updated version.

The old way to send eMail, without any verification of the sender and the sending server, has now, in my opinion, reached its end of life.

Especially with SPF I think a lot of spam could be prevented from even being delivered, without even having to get to the spam-filter and your mailbox, be it your inbox or your spam-box. The reason for that is that with general use of SPF some whizkid in Russia won't be able to send you all those exciting offers on Viagra which strangely enough seem to be sent from your own eMail-address.

Some of the big mail-providers, for example Google and Yahoo, do use SPF and DKIM. But it won't be of much use if not other mail-providers, companies and pretty much everybody who wants to send out non-spam emails adopts these, actually quite simple techniques.
Only then we can hope to be able to get away from being spammed to death.

To come to an end I would like to mention that I can't see anything replace eMail in the near future. If users were flexible enough for a change like this, they would certainly be willing to use PGP.

Dennis Wronka, August 16th, 2010 (Posted originally on Facebook, but I decided it actually belongs here)