Stories
Slash Boxes
Comments

SoylentNews is people

SMTP Sender Verification - Incompetence is Sometimes Indistinguishable from Malice

posted by Fnord666 on Monday February 19 2018, @05:54AM   Printer-friendly
from the mail-only-accepted-from-ourselves dept.

canopic jug writes:

On his blog, Peter N. M. Hansteen sometimes writes about the problems with getting certain mail service providers to up their game. This time his post provides the details on how a particularly large service not only fails at SMTP sender verification but also at many other tasks necessary for professional mail hosting.

Whenever I encounter incredibly stupid and functionally destructive configuration errors like this I tend to believe they're down to simple incompetence and not malice.

But this one has me wondering. If you essentially require incoming mail to include the contents of spf.outlook.com (currently no less than 81 subnets) as valid senders for the domain, you are essentially saying that only outlook.com customers are allowed to communicate.

If that restriction is a result of a deliberate choice rather than a simple configuration error, the problem moves out of the technical sphere and could conceivably become a legal matter, depending on what outlook.com have specified in their contracts that they are selling to their customers.

One takeaway is that spam-fighting decisions from decades past have left us with technologies that have led to the centralization of mail on fewer and fewer providers. As such it is increasingly difficult for even skilled professionals to operate their own mail hosting smoothly.

Source : A Life Lesson in Mishandling SMTP Sender Verification

Original Submission

 
This discussion has been archived. No new comments can be posted.
SMTP Sender Verification - Incompetence is Sometimes Indistinguishable from Malice | Log In/Create an Account | Top | 43 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Informative) by Anonymous Coward on Monday February 19 2018, @06:47AM (15 children)

    by Anonymous Coward on Monday February 19 2018, @06:47AM (#639994)

    > The idea that you could send mail to any address in the world with absolutely no way for the recipient to know for sure who sent it, or from wence it came is absurd.

    I wouldn't call it "absurd" -- AFAIK, you can do the exact same thing with physical mail.

    Starting Score:    0  points
    Moderation   +3  
       Interesting=1, Informative=2, Total=3
    Extra 'Informative' Modifier   0  
    Total Score:   3  

  • (Score: 2) by Apparition on Monday February 19 2018, @06:57AM (13 children)

    by Apparition (6835) on Monday February 19 2018, @06:57AM (#640001) Journal

    Yes, but it's far easier and much less costly to send out an e-mail. Thus there's more of it, and no financial discouragement to prevent abuse.

    • (Score: 4, Informative) by c0lo on Monday February 19 2018, @07:05AM (9 children)

      by c0lo (156) Subscriber Badge on Monday February 19 2018, @07:05AM (#640005) Journal

      Yes, but it's far easier and much less costly to send out an e-mail today.

      FTFY.
      At the time SMTP was specified [ietf.org] (1982), sending an email was way more expensive than sending snail-mails.

      (just from curiosity: where you born at that time?)

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford

      • (Score: 2) by c0lo on Monday February 19 2018, @07:19AM (8 children)

        by c0lo (156) Subscriber Badge on Monday February 19 2018, @07:19AM (#640008) Journal

        (sorry for the typo. Q: were you born at that time?)

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford

        • (Score: 2) by Apparition on Monday February 19 2018, @07:50AM (7 children)

          by Apparition (6835) on Monday February 19 2018, @07:50AM (#640017) Journal

          I was born in the late 1970s, so yes, although I was a wee lad at the time. Yes, I am aware that at the time SMTP was designed through the early 1990s, sending e-mails was expensive, but the ubiquity of the Internet in the '00s and '10s has broken SMTP completely. It needs to be replaced.

          • (Score: 2, Touché) by Anonymous Coward on Monday February 19 2018, @08:21AM

            by Anonymous Coward on Monday February 19 2018, @08:21AM (#640021)

            So far, the only alternative the "e-mail must be replaced" club has come up with is Facebook.

            Not exactly an improvement.

          • (Score: 2, Touché) by Anonymous Coward on Monday February 19 2018, @09:57AM

            by Anonymous Coward on Monday February 19 2018, @09:57AM (#640040)

            It needs to be replaced.

            If you propose a replacement that includes a blockchain, you might even get money for that.

          • (Score: 2) by sjames on Monday February 19 2018, @02:37PM (4 children)

            by sjames (2882) on Monday February 19 2018, @02:37PM (#640097) Journal

            So what's your proposal? Who will validate that you are who you say you are and how many hoops will you have to jump through to get them to do it? How much will they charge you? Who will keep them honest?

            Now, why will that very special stamp of approval from whoever require a replacement to smtp rather than just another header?

            • (Score: 3, Informative) by c0lo on Monday February 19 2018, @02:50PM (3 children)

              by c0lo (156) Subscriber Badge on Monday February 19 2018, @02:50PM (#640102) Journal

              Who will validate that you are who you say you are and how many hoops will you have to jump through to get them to do it?

              GPG with a public key I handed to you personally in a key signing party [archive.org]. Trusting anything else is delusion.

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford

              • (Score: 1, Interesting) by Anonymous Coward on Monday February 19 2018, @03:17PM

                by Anonymous Coward on Monday February 19 2018, @03:17PM (#640110)

                I've always felt that blockchain would work fairly well to validate public keys in a distributed way.

                Sign up for service, generate keys/username, post username and keys, validators incorporate those into the blockchain.

                You send a message to a new person, query the chain, save the public key. Periodically compare the chain and personal key lists. Publicly post about discrepancies (could be automated even).

              • (Score: 2) by sjames on Monday February 19 2018, @03:19PM

                by sjames (2882) on Monday February 19 2018, @03:19PM (#640112) Journal

                That's a great way to make sure emails from my friends are really from my friends, but what about the zillion other people that might (or might not) have a legitimate reason to email me?

                And, of course, that works just fine over SMTP.

                But note, it's 20 years old and freely available but it hasn't solved the problem yet.

              • (Score: 0) by Anonymous Coward on Monday February 19 2018, @08:14PM

                by Anonymous Coward on Monday February 19 2018, @08:14PM (#640245)

                Who will validate that you are who you say you are and how many hoops will you have to jump through to get them to do it?

                My schlong in your tight litttle...you picked my key out of a bowl at a key party [wikipedia.org] . Trusting anything else is way less fun!

                There. FTFY.

    • (Score: 0) by Anonymous Coward on Monday February 19 2018, @08:28AM (2 children)

      by Anonymous Coward on Monday February 19 2018, @08:28AM (#640024)

      Greylisting poses a burden on the spam sending bot in term of resources. It can choose to send less mail (and fight the sending by retrying to send the spam that was greylisted, but it needs to keep track of resending)... or just ignore it, send more, but the greylist-using servers effectively rejected the spam.

      • (Score: 0) by Anonymous Coward on Monday February 19 2018, @03:10PM (1 child)

        by Anonymous Coward on Monday February 19 2018, @03:10PM (#640108)

        Greylisting worked 10 years ago. Now the armies of windoze boxes send mail via their gmail or outlook servers, who will make repeat attempts.

        • (Score: 2) by frojack on Monday February 19 2018, @07:48PM

          by frojack (1554) on Monday February 19 2018, @07:48PM (#640229) Journal

          Hundreds of attempts? So what?

          Gray listing means none of those attempts get through.
          Spam has to work (even at a tiny fraction of attempts) or there is simply no point.

          --
          No, you are mistaken. I've always had this sig.

  • (Score: 0) by Anonymous Coward on Tuesday February 20 2018, @03:13AM

    by Anonymous Coward on Tuesday February 20 2018, @03:13AM (#640423)

    If you needed authentication, then you really were expected to include a signature/return contact address, or later on, use cryptographic signatures that would verify your identity.

    Email, Instant Messaging, etc are all compromised due to their server based nature, so the only way for the client endpoints to know they are really interacting with the authentic party is by verifying them with secrets only each endpoint knows. Not by relying on the server as the authenticating medium (where corporate players, government agents, or hackers could compromise it in order to spoof the identity of either the send or recieving email account in a manner that appears legitimate.)

    The problem is really the post-Eternal September plebs cluttering up the internet with idiocy and the sort of absentminded centralization that is making the world into an even bigger shithole than it already was.