Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Social networks have taught us cryptography (probably) won't stop spam

By | February 8, 2009, 8:57pm PST

On a regular basis I receive blog comments and suggestions on what magical technologies will put spam out of business. There are many valid techniques for stopping spam, but signing e-mails and e-mail senders is not one of them.

After my recent post on the impact of false positives, I received a comment from a reader who suggested that public key cryptography would eliminate the spam problem. The basic idea is that complex mathematics would guarantee knowledge of the originator of an e-mail, eliminate the anonymity of the sender, and unmask the spammer.

I have heard this suggestion several times before, and while it definitely sounds like a sexy solution to stopping spam, it is unworkable for several reasons.

Signing e-mails requires a technology known as “Public Key Cryptography”. I am going to assume that most of you know what this is. An essential element of public key cryptography is an infrastructure component known as a “web of trust”, or a connected network of individuals who guarantee the validity of a user’s key within their local view of the community. Any pair of users on the network can then validate each other’s public key by examining the chain of individuals that separates them in the web of trust.

(Yes, public key cryptography can be performed between two individuals without a full-blown web of trust, but it would not scale to incorporate every person on the planet.)

If this concept sounds familiar to those of you who have never heard of public key crypto, that is because it is also how individuals vet each other in our society. We trust those who have been introduced to us by a trusted friend or family member. The act of exploring the set of those close to us to discover connections to new individuals and sharing our connections with our friends is so important to our society that we have created some of the most valuable properties on the Internet to codify the act. Facebook, MySpace, and LinkedIn did not become so popular because they introduced a new means of interaction; they only made a means of interaction that is essential to society far more efficient.

Here is the rub: if public key cryptography, which is a means of impressing an identity onto digital content, were able to stop spam, then there should be no spam on the massive webs of trust that are social networks. The reality is that spam inside social networks is a major problem. Most individuals will accept spammers as friends willingly, as the definitions of “trust” and “friend” have changed heavily. Spammers also attack the authentication mechanism for the social network, compromising the accounts of well-connected individuals with weak passwords using either dictionary attacks or post-compromise keyboard sniffing. There is no reason to assume that cryptographic webs of trust applied to the e-mail community would be treated any differently.
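The argument above, worked through on a toy web of trust (an added example, not part of the original post; the names and the certification graph are constructed): a valid chain only records who vouched for a key, so one careless certification by a well-connected member gives a spammer's key a valid chain for most of the network.

```python
from collections import deque

# Constructed sample data: signer -> keys that signer has certified.
# All names are hypothetical.
CERTIFICATIONS = {
    "alice": {"bob", "carol"},
    "bob": {"dave"},
    "carol": {"dave", "erin"},
    "dave": {"frank"},
    "erin": set(),
    "frank": set(),
}

def trust_chain(certs, verifier, target, max_depth=4):
    """Breadth-first search for the shortest certification chain from
    verifier to target. Returns the chain as a list, or None."""
    queue = deque([[verifier]])
    seen = {verifier}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:   # chain already at the length limit
            continue
        for nxt in sorted(certs.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def with_certification(certs, signer, subject):
    """Return a copy of the graph with one extra certification added."""
    new = {k: set(v) for k, v in certs.items()}
    new.setdefault(signer, set()).add(subject)
    new.setdefault(subject, set())
    return new

def reachable_verifiers(certs, target, max_depth=4):
    """Everyone who would accept target's key through some chain."""
    return sorted(u for u in certs
                  if u != target and trust_chain(certs, u, target, max_depth))

if __name__ == "__main__":
    print(trust_chain(CERTIFICATIONS, "alice", "frank"))
    print(reachable_verifiers(CERTIFICATIONS, "spammer"))
    # Dave accepts a "friend request": a single careless certification.
    after = with_certification(CERTIFICATIONS, "dave", "spammer")
    print(trust_chain(after, "alice", "spammer"))
    print(reachable_verifiers(after, "spammer"))
```

Lowering `max_depth` shrinks the set of users who accept the new key, but it shrinks the set of legitimate strangers they can validate by the same amount.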

There are many technologies out there that reduce the spam problem, and there are a few more that can be introduced to clamp down further. Public key cryptography for signing e-mails and e-mail senders isn’t one of them.

Adam J. O'Donnell, Ph.D. is an R&D engineer who has focused on computer security since 2000.

Disclosure

Adam O'Donnell

Adam J. O’Donnell currently works for Cloudmark, a messaging security company whose clients include the majority of the Tier 1 customer-facing service providers as well as mobile carriers and social networks. He serves on the advisory committee for the SOURCE Security Conference, as well as several conference technical program committees. Many of his close friends work in the security industry, and he will disclose those relationships as he deems it necessary.

Biography

Adam O'Donnell

Adam J. O'Donnell, Ph.D. is an R&D engineer who has focused on computer security since 2000. He currently is the Director of Emerging Technologies at Cloudmark, a messaging security company located in San Francisco.

Adam early on mastered the art of writing in complete sentences, using both hands and one foot. Later, he learned to do so with each individually. After fourteen years of apprenticeship in the mist-covered hills of central Nepal, Dr. O'Donnell emerged an unparalleled digital warrior and in desperate need of an anti-fungal wash.

Approaching both life and enterprise security with the verve of a particular capuchin, he is respected the world over as an observer of all he sees. Adam's dry blade of analysis will sever the hard candy shell surrounding most technical security concepts, and significantly goo-ify the remaining so as to be consumable in small bites with sufficiently large servings of digestive aids. Just what the doctor ordered.

10
Comments


RE: Social networks have taught us cryptography (probably) won
birumut Updated - 4th May 2011
Great!!! thanks for sharing this information to us !
seslisohbet seslichat
0 Votes
You don't get it
no_zd_user_name 9th Feb 2009
What you are missing is that if a mandate were applied that caused all emails to have signed keys, that would require the bots to follow suit or simply get shunted by ISPs that could follow guidelines for handling mail which doesn't have signed cryptographic enclosures.

Moreover, a bot cannot sign your email for you, which defeats the bot's ability to forge the sender's email address. Get it? Come on. Have you used GnuPG?

Cryptographic measures such as PGP, GnuPG work.

Add to that the fact that everyone is entitled to the basic right to privacy and you kill two birds with one stone.

Dietrich T. Schmitz
http://www.dtschmitz.com

0 Votes
How do you
mtgarden 9th Feb 2009
How do you prevent a bot from using the currently installed software suite (Outlook, Thunderbird, Eudora ad nauseam) to send emails through the program? It would seem that these programs would autosign the emails for ease of use. So, if the bot can script the use of the program, then your public key crypto is useless. Same goes for users who have weak webmail passwords which would be even easier.

Not sure how any of this will work as long as trusted users continue to be breached.
0 Votes
Bot won't have your signing password!
no_zd_user_name 9th Feb 2009
Have you used GnuPG or GPG????
0 Votes
Keychains
mtgarden 9th Feb 2009
You assume people won't save their password. At the end of the day, they will automate this. And that will doom the tech.
0 Votes
People like you
no_zd_user_name Updated - 9th Feb 2009
have an answer to not address the issue.

The smtp protocol leaves everything, including the sender address in 'clear text'.

The solution is academic. Encrypt the entire message with signed certificates.

The bots can't sign if they don't meet the 'I am a human or better I am the signer' minimum threshold of authentication required by the mandate.

The fact that a machine/device has a bot on it is another issue that also has a solution but isn't what I am addressing here.

Making it a mandate with a reasonable amount of time for vendors and isps to prepare, including providing financial offsets to make using PGP/GnuPG practicable will foster a support industry around it.

HIPAA, Sarbanes-Oxley--Email-Privacy-Protocol could become a reality with not a lot of cost to get this going. The parts are already made and just need a bit of tweaking for integration, usability and ultimate personal/business adoption.

Multi-Factor authentication methods are 'options' that run on top of the standard, two passwords, captcha, fingerprint, card.

The point is it can be done.
But everybody has to be a part of the solution.

It's like seat-belts.

Once in place, messages without signed certificates get shunted and handled according to mandated policy.

Thanks.
Actually, the bot will have everything you do - password, private key, etc. The first level attack is for the bot to steal and distribute your private key, causing you to revoke the certificate, which in turn causes the CRL system to get overloaded and fall apart.

Response to that is to put something like an nCipher device on the motherboard, or even stick a smart card on a USB device that will prevent the private key from taking a hike.

Once you get to that level, you know that either myself, or some process pretending to be me on my machine sent the mail, not some random person on some other machine. Not perfect, but we know more than we do now.

We shouldn't make perfection the enemy of good enough. We might not be able to solve the entire problem right now, but we can solve part of it.
0 Votes
You are talking about a compromised machine
no_zd_user_name Updated - 9th Feb 2009
That is off topic.
The issue is does encryption, e.g., PGP, GnuPG offer a remedy to spam.

I say, with some modifications and mandated use, the answer is yes.

How machines become infected with trojans, bots, malware, what have you, is a separate topic.

But let's suppose aside from those who crawl out from under their rocks at night, that everyone is running with public/private key cryptographic email.

The bots lose because they aren't *human* and can't sign when multi-factor authentication is employed.

ISPs inspect the message header and if a valid signed message doesn't exist, then it diverts the email off to /dev/null or wherever the mandate policy guidelines require it go, but it doesn't get to the recipient target victim. No spam.

Simply protect the email's sender address and you force spammers out of business real fast.

Thanks

It seems to me ISPs could do a lot to stop it by simply checking each transaction they accept as being from where the trace says it's from. If not, if it's a forgery, then the mail simply stops and is dropped during the initial connection. They obviously don't check for forgeries or we wouldn't see so much forgery in the Headers that we receive. Many won't even check to see if it's on a blocklist and tag it so, which about 99% of them are.
It's just software so the only "expense" is in developing it; and it exists in many forms already that are useful. My ISP claims to keep a blacklist and has an address to send the stuff to but to date I've never seen it stop anything. Why not just stop it at the source? ISPs could do it if they were so inclined. At least then the nacks would go to the spammer but I'm not even sure a nack is necessary for forged mail headers. ISPs DO have the ability.
0 Votes
crypto?
twaynesdomain 11th Feb 2009
It's just another level of complexity to frustrate the inexperienced users.
0 Votes