Jonathan David Page talks about whatever he happens to be thinking about. Sometimes other people join in.
A collection of cool people and projects.
In which the author talks about dogs, guitars, and off-brand prescription drugs, while explaining how email security sucks and keeps ruining his day.
One of the hazards of being on the Internet is that it is full of terrible people. Some of these terrible people are spammers, and what they do is send email that nobody wants to random strangers. For some unfathomable reason this is actually a profitable tactic. If you have the misfortune of owning a domain name, you get to experience a slightly wider spectrum of this particular brand of terrible people. If you make the mistake of being so bold as to send or receive mail from that domain name, your life is basically going to become an unending war with this kind of nonsense.
This is a story about the latest round of my personal instance of this war.
I noticed that something was up when I began to receive, over the past few days, emails saying that my mail that I had sent could not be delivered. A lot of these emails ended up in spam, but a few of them arrived in my inbox, for reasons which we will explore later. This is normal if you deal with email; sometimes, mail cannot be delivered, and we move on with our lives. The problem is that the offending pieces of mail being returned to me are written entirely in Chinese and comes from an email address that has never existed. I don’t know Chinese. Also, I don’t remember sending them.
One of the problems with email is that it was designed back when the Internet was called ARPANET, and was populated entirely by Department of Defence researchers. This meant that everyone on the network trusted everyone else on the network, and that if Alice at UCLA got email that claimed it was from Bob at Stanford, she would be justified in assuming that it was actually from Stanford and the Bob therein. And so ARPANET turned into the Internet, email got popular, and general assumption that “this thing claims that it’s from this person so that must be the case” got propagated. The issue is, of course, that while I’m sure there were plenty of terrible people with access to ARPANET, they had better things to do than send mail to people who didn’t want it. These people were in academia, mostly, and academicians have their own special brand of terrible that involves giving undergrads short-answer pop quizzes on Friday afternoons. However, the new influx of people did not have undergrads to give short-answer pop quizzes to, and so some of them came up with something even worse: spam email.
Now, sending spam email used to be easy. You’d set up your address, something like email@example.com, find some unsuspecting people to send mail to, and then just wait for the off-brand Viagra orders to roll in. The problem for spammers came when some killjoys got fed up with this situation and started blocking addresses like drUg5@medz-cool.net. There are a variety of ways to get around this, but one of them is to just straight-up lie about who you are. Don’t say you’re Ted the Spammer. Say that you’re Elaine. Elaine is a nice person who owns a dog and plays guitar and writes songs about how great dogs are. Everybody likes getting mail from Elaine. So all Ted has to do is mark his emails so that they look like they came from Elaine, and they’ll get through. And of course, he can do this because the people who designed email assumed that it’d only be used by nice people.
Okay, so I don’t have a dog, I’m crap at guitar, my name isn’t Elaine, and most people are ambivalent at best about getting mail from me. However, I don’t send people emails about how to increase their size using herbal remedies, and so I get to remain in the group of people who aren’t especially terrible, meaning that people who don’t get to be in that group because they send emails about herbal remedies want to pretend to be me so that they can hawk their dubious wares to the
unsuspecting suspecting public.
That’s what’s been happening here. I was able to recover the full text of the spam message from one of the bounce emails, and based on the output of Google Translate, the guy is trying to sell swordfighting lessons as a team-building exercise for companies. Which is confusing, because I’m pretty sure that that’s something that you can just sell to people without having to resort to underhanded tactics. All you’ve done, Spammer Person, is alert people to the fact that this exists, while guaranteeing that they will go somewhere more reputable to purchase it.
Anyway, back to Elaine. She’s not happy about this situation, because now people are scared that mail from her is going to be advertisements for mail-order brides instead of happy dog songs and heartfelt letters about how great pizza is. And her friends aren’t happy about the situation for the exact same reason. Bad time all around.
As you may have noticed, (unless you have never, ever seen an email address anywhere, in which case, can I join you under your spam-free rock?) email addresses are divided into two parts, separated by an @-symbol: the user name and the host name. The host is in charge of receiving incoming mail and relaying it to the user, or taking outgoing mail and forwarding it to the appropriate host. The user is in charge of reading the mail and responding to it in a timely fashion. Now, the host knows who all of its users are, so if firstname.lastname@example.org tries to pretend to be email@example.com,
dogsrock.com can cry foul and tell Ted to get lost. Also, it can ban Ted, because screw that guy.
The problem with hosts is that there are a lot of them, and they come and go all the time, so it’s impossible for everyone to have a list of who everyone else is. To make things words, names for hosts like
sleepingcyb.org aren’t the real names of the computers. Computers have unfriendly names like
2606:a000:110e:8153:eda9:7b53:d06d:398a, and a system called DNS is used to work out that
dogsrock.com is actually called
126.96.36.199. It’s more likely, though, that the friendly name is shared by several different computers, which all do different things. One computer might send mail; two might receive mail; and there might be five which provide pictures of dogs and recordings of songs about them.
So the new tactic is for Ted the Spammer to have a new computer which just pretends to be in charge of sending mail for
dogsrock.com, and hope that nobody notices. The solution to this is for
dogsrock.com to announce which computers it uses to send mail. Then everyone knows that mail from other computers is sent by terrible people like Ted the Spammer, and should be ignored.
Of course, I don’t send mail with
jd-page.com any more. It was a domain that I purchased in the folly of my youth, and proceeded to use an email address hosted there on a bunch of important things. I’ve been switching them over to my current address, but I keep finding new things, so the address stays around for a bit longer. Since I don’t send mail from there, I have it set up to announce that
v=spf1 -all, which translates to “I don’t send mail, any mail that claims to be coming from me is sent by terrible people”.
This would be great, except for the fact that some irresponsible people run mailservers which don’t bother to check whether or not
v=spf1 -all, and so Ted the Spammer can send them spam. It’s hard to tell which mailservers do that, though, so Ted just starts emailing as many people as possible, claiming to be Elaine, and hopes that some of them believe him.
The problem is that the ones that don’t often send back messages saying things like “HA, YOU’RE LYING”. Of course, the mail claims to be from Elaine, and since they don’t really have anywhere else to send these messages, they send them back to Elaine. This sucks for her, because now her inbox is full of messages from mailservers saying distressing and morbid things like “The following addresses had permanent fatal errors”, instead of messages about how “Ode to Roxy-May’s Tail (Acoustic)” was fantastic, and is she releasing an album. And that’s about where I’m at now, though instead of accolades, my mail tends to mostly be things like “you have a test tomorrow, don’t forget” and “you have an electricity bill due in three days” and “hi, this is college, you need to give us all your money, kthxbai”, so while still distressing, the returned-message messages provide a bloggable distraction from an even-more distressing reality.
This isn’t the first time this has happened; it usually blows over in a couple of days. I’m not sure how to stop it happening; I’ve done my due diligence in setting my SPF records, so I guess all I can do is hunker down, study for that test, and wait for people to start configuring their mailservers correctly.