Tuesday, November 30, 2010

Spam

I can’t believe that people still actually eat that stuff. Anyways, our class has moved on to discussions of network security. This is closer to my field of study. Our first topic was on spam. Spam accounts for a large chunk of the available bandwidth on the internet. Because of this, lots of research has gone into the detection and prevention of spam. Lots of companies like Google, Microsoft and Yahoo have proprietary spam filtering systems that are pretty effective. They don’t stop spam from being sent, they just prevent it from getting into your inbox. In addition to what these companies have created, there are other standards such as DKIM and SPF that help with spam detection. I have a couple thoughts regarding spam detection and prevention that add a little overhead, but won’t bother those that send legitimate email.

First, I think that all major email providers should start generating email certificates for each of their users and automatically signing all outgoing email. Email providers can then check the signature to make sure that the identity and issuer are valid. This would prevent email address spoofing—unless your account gets hacked, but that’s another issue altogether. Second, I think large email providers should start enforcing the presence of DKIM signatures—anything not signed is thrown out. According to the spec, DKIM public keys are distributed through DNS. Instead of that, I think that there should be a central repository of DKIM public keys that requires human interaction (CAPTCHA is an effective human interaction enforcement tool) to register keys. Other email providers can then query this repository for keys that have been submitted. The only ones that would be bothered by the inconvenience of human interaction would be those that create and destroy lots of domains. The whole purpose of the human interaction is to make it expensive for spammers to automatically create throwaway domains. You might think that this might be a lot of overhead for a startup or family to set up in order to send email from these personal domains. In a way it is, but products like Google Apps (which is free) and BPOS make email setup for any size organization a breeze. I think the extra initial overhead is worth it in order to make it harder for spammers. These are just some initial thoughts. Comment on any holes you see.
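How a receiver could apply the "anything not signed is thrown out" rule and find where the signer's public key is published in DNS, as an added example that is not part of the original post. The sample messages, the selector `mail2010` and the function names are constructed for illustration; the check covers signature presence and key location only, not cryptographic verification.

```python
from email import message_from_string

# Tags every DKIM-Signature must carry (RFC 6376, section 3.5).
REQUIRED_TAGS = {"v", "a", "b", "bh", "d", "h", "s"}

def parse_tag_list(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # base64 padding '=' stays in val
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_key_locations(raw_message):
    """Return the DNS TXT names a verifier would query, one per usable signature."""
    msg = message_from_string(raw_message)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(header)
        if REQUIRED_TAGS - tags.keys():
            continue  # malformed signature: treated the same as no signature
        # The key lives at <selector>._domainkey.<signing domain>
        names.append(f"{tags['s']}._domainkey.{tags['d']}".lower())
    return names

def admit(raw_message):
    """Presence-only policy from the post: mail with no usable signature is dropped.
    A real verifier must still fetch the key and check the b= and bh= values."""
    return bool(dkim_key_locations(raw_message))

# Constructed sample messages (signature values are placeholders, not valid).
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    "\ts=mail2010; h=from:to:subject; bh=Y29uc3RydWN0ZWQ=;\n"
    "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJl\n"
    "From: alice@example.com\nTo: bob@example.org\nSubject: hello\n\nbody\n"
)
UNSIGNED = "From: alice@example.com\nTo: bob@example.org\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("signed", SIGNED), ("unsigned", UNSIGNED)):
        print(label, admit(raw), dkim_key_locations(raw))
```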
