Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday February 19 2018, @05:54AM   Printer-friendly
from the mail-only-accepted-from-ourselves dept.

On his blog, Peter N. M. Hansteen sometimes writes about the problems with getting certain mail service providers to up their game. This time his post provides the details on how a particularly large service not only fails at SMTP sender verification but also at many other tasks necessary for professional mail hosting.

Whenever I encounter incredibly stupid and functionally destructive configuration errors like this I tend to believe they're down to simple incompetence and not malice.

But this one has me wondering. If you essentially require incoming mail to include the contents of spf.outlook.com (currently no less than 81 subnets) as valid senders for the domain, you are essentially saying that only outlook.com customers are allowed to communicate.

If that restriction is a result of a deliberate choice rather than a simple configuration error, the problem moves out of the technical sphere and could conceivably become a legal matter, depending on what outlook.com have specified in their contracts that they are selling to their customers.

One takeaway is that spam-fighting decisions from decades past have left us with technologies that have led to the centralization of mail on fewer and fewer providers. As such it is increasingly difficult for even skilled professionals to operate their own mail hosting smoothly.

Source : A Life Lesson in Mishandling SMTP Sender Verification


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Informative) by Anonymous Coward on Monday February 19 2018, @06:19AM (25 children)

    by Anonymous Coward on Monday February 19 2018, @06:19AM (#639986)

    Is that it was mostly vulnerable windoze boxes that lead to the whole spam issue and the mostly retarded methods to fight it. If you were into conspiracy theories, you could even think M$ was playing the long game here. And this current behavior is no less than one would expect from a convicted monopolist.

    Starting Score:    0  points
    Moderation   +1  
       Informative=1, Disagree=1, Total=2
    Extra 'Informative' Modifier   0  

    Total Score:   1  
  • (Score: 4, Informative) by frojack on Monday February 19 2018, @06:43AM (24 children)

    by frojack (1554) on Monday February 19 2018, @06:43AM (#639991) Journal

    While windows played a part, the real problem with email was that it's usefulness and popularity exploded in the world before the system was even half baked. The design was incompetent, the protocol pathetic, and the security model non existent.

    None of that was Microsoft's fault. The idea that you could send mail to any address in the world with absolutely no way for the recipient to know for sure who sent it, or from wence it came is absurd.

    The fact that world plus dog accepted this situation shows how desperately such a digital mail system was needed.

    Expecting Microsoft to fix this mess, which they didn't design, and were late to embrace, is silly.
    (Perhaps you were too young to remember that Microsoft was caught flat footed by this whole internet thingie).

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Informative) by Anonymous Coward on Monday February 19 2018, @06:47AM (15 children)

      by Anonymous Coward on Monday February 19 2018, @06:47AM (#639994)

      > The idea that you could send mail to any address in the world with absolutely no way for the recipient to know for sure who sent it, or from wence it came is absurd.

      I wouldn't call it "absurd" -- AFAIK, you can do the exact same thing with physical mail.

      • (Score: 2) by Apparition on Monday February 19 2018, @06:57AM (13 children)

        by Apparition (6835) on Monday February 19 2018, @06:57AM (#640001) Journal

        Yes, but it's far easier and much less costly to send out an e-mail. Thus there's more of it, and no financial discouragement to prevent abuse.

        • (Score: 4, Informative) by c0lo on Monday February 19 2018, @07:05AM (9 children)

          by c0lo (156) Subscriber Badge on Monday February 19 2018, @07:05AM (#640005) Journal

          Yes, but it's far easier and much less costly to send out an e-mail today.

          FTFY.
          At the time SMTP was specified [ietf.org] (1982), sending an email was way more expensive than sending snail-mails.

          (just from curiosity: where you born at that time?)

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 2) by c0lo on Monday February 19 2018, @07:19AM (8 children)

            by c0lo (156) Subscriber Badge on Monday February 19 2018, @07:19AM (#640008) Journal

            (sorry for the typo. Q: were you born at that time?)

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
            • (Score: 2) by Apparition on Monday February 19 2018, @07:50AM (7 children)

              by Apparition (6835) on Monday February 19 2018, @07:50AM (#640017) Journal

              I was born in the late 1970s, so yes, although I was a wee lad at the time. Yes, I am aware that at the time SMTP was designed through the early 1990s, sending e-mails was expensive, but the ubiquity of the Internet in the '00s and '10s has broken SMTP completely. It needs to be replaced.

              • (Score: 2, Touché) by Anonymous Coward on Monday February 19 2018, @08:21AM

                by Anonymous Coward on Monday February 19 2018, @08:21AM (#640021)

                So far, the only alternative the "e-mail must be replaced" club has come up with is Facebook.

                Not exactly an improvement.

              • (Score: 2, Touché) by Anonymous Coward on Monday February 19 2018, @09:57AM

                by Anonymous Coward on Monday February 19 2018, @09:57AM (#640040)

                It needs to be replaced.

                If you propose a replacement that includes a blockchain, you might even get money for that.

              • (Score: 2) by sjames on Monday February 19 2018, @02:37PM (4 children)

                by sjames (2882) on Monday February 19 2018, @02:37PM (#640097) Journal

                So what's your proposal? Who will validate that you are who you say you are and how many hoops will you have to jump through to get them to do it? How much will they charge you? Who will keep them honest?

                Now, why will that very special stamp of approval from whoever require a replacement to smtp rather than just another header?

                • (Score: 3, Informative) by c0lo on Monday February 19 2018, @02:50PM (3 children)

                  by c0lo (156) Subscriber Badge on Monday February 19 2018, @02:50PM (#640102) Journal

                  Who will validate that you are who you say you are and how many hoops will you have to jump through to get them to do it?

                  GPG with a public key I handed to you personally in a key signing party [archive.org]. Trusting anything else is delusion.

                  --
                  https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
                  • (Score: 1, Interesting) by Anonymous Coward on Monday February 19 2018, @03:17PM

                    by Anonymous Coward on Monday February 19 2018, @03:17PM (#640110)

                    I've always felt that blockchain would work fairly well to validate public keys in a distributed way.

                    Sign up for service, generate keys/username, post username and keys, validators incorporate those into the blockchain.

                    You send a message to a new person, query the chain, save the public key. Periodically compare the chain and personal key lists. Publicly post about discrepancies (could be automated even).

                  • (Score: 2) by sjames on Monday February 19 2018, @03:19PM

                    by sjames (2882) on Monday February 19 2018, @03:19PM (#640112) Journal

                    That's a great way to make sure emails from my friends are really from my friends, but what about the zillion other people that might (or might not) have a legitimate reason to email me?

                    And, of course, that works just fine over SMTP.

                    But note, it's 20 years old and freely available but it hasn't solved the problem yet.

                  • (Score: 0) by Anonymous Coward on Monday February 19 2018, @08:14PM

                    by Anonymous Coward on Monday February 19 2018, @08:14PM (#640245)

                    Who will validate that you are who you say you are and how many hoops will you have to jump through to get them to do it?

                    My schlong in your tight litttle...you picked my key out of a bowl at a key party [wikipedia.org] . Trusting anything else is way less fun!

                    There. FTFY.

        • (Score: 0) by Anonymous Coward on Monday February 19 2018, @08:28AM (2 children)

          by Anonymous Coward on Monday February 19 2018, @08:28AM (#640024)

          Greylisting poses a burden on the spam sending bot in term of resources. It can choose to send less mail (and fight the sending by retrying to send the spam that was greylisted, but it needs to keep track of resending)... or just ignore it, send more, but the greylist-using servers effectively rejected the spam.

          • (Score: 0) by Anonymous Coward on Monday February 19 2018, @03:10PM (1 child)

            by Anonymous Coward on Monday February 19 2018, @03:10PM (#640108)

            Greylisting worked 10 years ago. Now the armies of windoze boxes send mail via their gmail or outlook servers, who will make repeat attempts.

            • (Score: 2) by frojack on Monday February 19 2018, @07:48PM

              by frojack (1554) on Monday February 19 2018, @07:48PM (#640229) Journal

              Hundreds of attempts? So what?

              Gray listing means none of those attempts get through.
              Spam has to work (even at a tiny fraction of attempts) or there is simply no point.

              --
              No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Tuesday February 20 2018, @03:13AM

        by Anonymous Coward on Tuesday February 20 2018, @03:13AM (#640423)

        If you needed authentication, then you really were expected to include a signature/return contact address, or later on, use cryptographic signatures that would verify your identity.

        Email, Instant Messaging, etc are all compromised due to their server based nature, so the only way for the client endpoints to know they are really interacting with the authentic party is by verifying them with secrets only each endpoint knows. Not by relying on the server as the authenticating medium (where corporate players, government agents, or hackers could compromise it in order to spoof the identity of either the send or recieving email account in a manner that appears legitimate.)

        The problem is really the post-Eternal September plebs cluttering up the internet with idiocy and the sort of absentminded centralization that is making the world into an even bigger shithole than it already was.

    • (Score: 2) by c0lo on Monday February 19 2018, @07:01AM (5 children)

      by c0lo (156) Subscriber Badge on Monday February 19 2018, @07:01AM (#640003) Journal

      Expecting Microsoft to fix this mess, which they didn't design, and were late to embrace, is silly.

      Really, frojack... slow down, mate! At this rate, you'll make the prices of straw go.... mmm... haywire!

      Just exactly who asked Microsoft to clean the SMTP design?
      Or did the common-sense of "do the best you can to play nice for your users" reached the level of heresy today and it can no longer be considered an idea any sane person can have? (today = a day post "customer era" and deep into the "consumer" territory).

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by frojack on Monday February 19 2018, @07:48AM (2 children)

        by frojack (1554) on Monday February 19 2018, @07:48AM (#640016) Journal

        The first post by the AC implicitly laid blame at Microsoft's door for spam and the absurd tools used to fight it.

        Perhaps you missed that by never viewing AC posts. A wise choice.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 1, Insightful) by Anonymous Coward on Monday February 19 2018, @08:16AM

          by Anonymous Coward on Monday February 19 2018, @08:16AM (#640019)

          Yes, and the reason for the blame was "vulnerable windows boxes".

          Going from there to expecting Microsoft to fix SMTP design is a huge leap, which can only be based on the idea that it's the rest of the worlds responsibility to be compatible with Microsoft bugs, not Microsofts responsibility to fix those bugs.

        • (Score: 4, Informative) by c0lo on Monday February 19 2018, @10:40AM

          by c0lo (156) Subscriber Badge on Monday February 19 2018, @10:40AM (#640045) Journal

          The first post by the AC implicitly laid blame at Microsoft's door for spam and the absurd tools used to fight it.

          Have you RTFA? It's not the "absurd tools" it is the "absurd configuration of the tools" the story is about. TFS quote:

          Whenever I encounter incredibly stupid and functionally destructive configuration errors like this I tend to believe they're down to simple incompetence and not malice.

          The abusrd configuration:
          - allows spam be send outside outlook.com
          - does not allow abuses to be reported if using an email address outside outlook.com

          The result of that absurd configuration?
          1. outlook.com starts to be intensively used as a source for spam...
          2. ... all the while, I assume, Microsoft does the needed to keep the outlook.com mailboxes free of spam.

          If that's not incompetence, the only interpretation is "Microsoft plays the long extortion game of letting spam go outside and protecting their consumers inside".
          Which, I suppose is a possible interpretation of:

          If you were into conspiracy theories, you could even think M$ was playing the long game here. And this current behavior is no less than one would expect from a convicted monopolist.

          Yes, I admit, the AC may be right for the wrong reason; I do find the "vulnerable windoze boxes that lead to the whole spam issue and the mostly retarded methods to fight it." a bit of a... (mmm, to use some pretentiously exaggerated terminology...) poetic hyperbole.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by TheRaven on Monday February 19 2018, @09:38AM (1 child)

        by TheRaven (270) on Monday February 19 2018, @09:38AM (#640037) Journal

        Just exactly who asked Microsoft to clean the SMTP design?

        Just in case that was a serious question, Microsoft was one of the contributors to DMARC and has implemented support for it in their products [wikipedia.org].

        --
        sudo mod me up
        • (Score: 2) by c0lo on Monday February 19 2018, @10:44AM

          by c0lo (156) Subscriber Badge on Monday February 19 2018, @10:44AM (#640046) Journal

          Just in case that was a serious question, Microsoft was one of the contributors to DMARC and has implemented support for it in their products

          That wasn't the point.
          The point was "what are you debating, frojack? I haven't seen anyone asking that MSFT should fix SMTP".
          And frojack clarified what he though can be interpreted as such.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 3, Informative) by TheRaven on Monday February 19 2018, @09:41AM

      by TheRaven (270) on Monday February 19 2018, @09:41AM (#640038) Journal

      The design was incompetent, the protocol pathetic, and the security model non existent.

      SMTP was created in 1982 (a decade before commercial entities were allowed on the Internet). The security model was fine for the imagined deployment model: you had a few dozen, maybe a few hundred, (large, multi-user) computers on a network. Users could log into one and send mail from them. If a computer was sending email without correctly authenticating its users, or claiming to send email from someone else then you'd have a chat with their administrator and if they didn't fix it then you'd just reject email coming from their computer. The problem was trying to use SMTP on a large Internet where it wasn't possible to maintain a list of known-good email servers (or a list of known-bad ones).

      --
      sudo mod me up
    • (Score: 2) by sjames on Monday February 19 2018, @02:55PM

      by sjames (2882) on Monday February 19 2018, @02:55PM (#640104) Journal

      Agreed MS can't fix this. What's your proposal? I think you'll find that the more you think about the problem, the more you realize that an answer isn't really forthcoming. For the partial answers you might come up with, ask why SMTP wouldn't be the right transport protocol.

      As for MS, they didn't cause the spam problem. They did, however make email and document viruses an actual thing. Before MS came along, the email virus was a recurring joke. The noobs feared the "Good Times" virus. Everyone else laughed because the idea of getting a virus from an email was absurd. Then Microsoft, in spite of many warnings from people they should have listened to, made the email virus a reality.