stygma
Author: Joe Davis
Published Date: 5/31/2009

Google Wave and SPAM

Do I have permission to Wave at you?

Google announced Wave just a couple days ago and I’ve been poring over documentation and reading the development community blogs to get up-to-speed on the technologies and implementation. Some of the biggest issues under debate are focused around whether Wave federation will be the demise of email and SMTP… and if so, how do we fix the SPAM problem now?

As a pseudo-security guy who has also spent enough time working with a large-volume email marketing system to understand the complexities of the issue, my gut reaction is that SPAM and viruses and malware are inevitable. Any cunning technologist who has money on the line will find a way to subvert any system. However, upon reading deeper into XMPP and Google’s implementation documents, I’m actually feeling something I don’t often feel–that is a tiny glimmer of hope for digital communication.

Before I go any further I want to give some perspective for the uninitiated. Hopefully, you understood from the Google IO demonstration that Wave is, at its core, a messaging system. The Wave messaging protocol is based on a 5-year-old protocol upon which Google placed a really slick user interface. Wave is not the interface. Yes, Google has offered up some APIs for extension of a very engaging XMPP client, but the big news here is really that Google has brought XMPP into the mainstream and said, “try this and see how far you can take it.”

What Google refers to as a Wave federation is a world full of Wave discussion servers (speaking a dialect of XMPP) that may displace many email (SMTP) servers. I’m not saying that it will for certain. Even if it does, it would take many years to do it. In fact, the capability of Wavelets to contain email messages means that these systems could co-exist for a very long time. The latter has been around for decades, so I don’t see it disappearing overnight.

So picture this: Your employer has exchanged their email servers (pun intended) for one or more Wave (or similar XMPP) discussion servers and they install the brand new version of MS Outlook that includes a discussion viewer window onto your laptop. Your me@here.com email address is the same, but incoming XMPP messages to that address get parsed by a different service than the one that is parsing the old SMTP messages.

Now how do you complete this picture? Are you getting all the SPAM like you used to get? Is 90% of XMPP traffic still SPAM just like it was with those old-fashioned SMTP emails?

Peter St. Andre, author of XMPP: The Definitive Guide, wrote this Jabber forum entry last summer regarding the safety that XMPP offers over SMTP. At first I was skeptical, but by the time I reached the bottom of his entry I was, at least partially, convinced that XMPP–although not the answer to all SPAM problems–does offer some extra protection against malevolent elements.

Briefly here are some of the arguments he makes regarding how XMPP is superior to SMTP in preventing SPAM, followed by some notes of my own (keeping in mind that Peter’s comments were written before the Wave announcement):

“a client can’t fake the ‘from’ address”

“if I run a server at jabber.org I can’t send messages putatively ‘from’ microsoft.com or whitehouse.gov or whatever”

Sounds great so far …

“server dialback has been sufficient to prevent most address spoofing on the network, but we have a certificate authority in place … and we could fairly easily upgrade the network to certificate-based authentication between servers if needed”

… so for true protection from server domain spoofing we need to fold certificates into our communications. This could definitely slow adoption. Last summer also saw the exposure of a zero-day DNS BIND vulnerability that would allow a malicious server to rewrite the DNS entries for a victim machine, thus making any server on the internet look like whatever server the attacker wished it to look like …
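The check behind the "can't fake the 'from' address" claims quoted above, sketched as an added example (not from the original post or from any XMPP server's code): the receiving server overwrites a client's `from` with the JID the session authenticated as, and accepts a server-to-server stanza only when its `from` domain was verified for that stream. All function names and the sample stanzas are constructed for illustration, and domain comparison is simplified to lowercasing.

```python
import xml.etree.ElementTree as ET


def domain_of(jid):
    """Return the lowercased domain part of a JID ([local@]domain[/resource])."""
    bare = jid.split("/", 1)[0]  # the resource may itself contain '@' or '/'
    return bare.split("@", 1)[-1].lower()


def parse_stanza(xml_text):
    # XMPP streams must not carry DTDs or entity declarations; refuse them
    # before the text ever reaches the XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("restricted XML in stanza")
    return ET.fromstring(xml_text)


def stamp_client_stanza(xml_text, session_jid):
    """Client-to-server: ignore whatever 'from' the client wrote and stamp
    the JID it authenticated as."""
    stanza = parse_stanza(xml_text)
    stanza.set("from", session_jid)
    return stanza


def accept_server_stanza(xml_text, verified_domains):
    """Server-to-server: accept only if the 'from' domain is one the peer
    proved (by dialback or certificate) for this stream."""
    sender = parse_stanza(xml_text).get("from")
    return bool(sender) and domain_of(sender) in verified_domains


# Constructed sample stanzas (assumptions, not captured traffic).
SPOOFED = "<message from='ceo@microsoft.com' to='me@here.com'><body>Buy now</body></message>"
HONEST = "<message from='alice@jabber.org/home' to='me@here.com'><body>hi</body></message>"
NO_FROM = "<message to='me@here.com'><body>hi</body></message>"

if __name__ == "__main__":
    # A client logged in as mallory@jabber.org cannot keep the forged sender.
    print(stamp_client_stanza(SPOOFED, "mallory@jabber.org/laptop").get("from"))
    # A peer that only proved jabber.org cannot relay mail "from" microsoft.com.
    print(accept_server_stanza(HONEST, {"jabber.org"}))
    print(accept_server_stanza(SPOOFED, {"jabber.org"}))
```

The strength of the second check rests entirely on how `verified_domains` was established, which is why the dialback-versus-certificate question matters.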

“XMPP is pure XML, and attackers can’t easily attach malware like scripts and viruses to Jabber messages”

… until a company like Google comes along and creates API extensions that allow the embedding of richer media. Let’s face it, regular SMTP mail was equally harmless when all the clients were simple text parsers. Then we started demanding HTML formatted email and richer media. Fortunately most clients and servers have been resistant to allowing rich media and script files. But, an XMPP client that is forced, by convention and public sentiment, to support OpenSocial gadgets and other rich media is now allowing the very thing that SMTP servers and clients have been protecting us from for many years …

“A great deal of email spam (or spam+malware) is directed against a single platform: Outlook running on Windows. In the XMPP world we have a much more diverse software ecosystem.”

… until Microsoft creates XMPP extensions for Exchange and Outlook. And, honestly, spam is not targeted at any particular client. And most malware isn’t necessarily any more or less effective in an Outlook viewer than any other. But, now that XMPP may be demanded from the public, Microsoft may be forced to support the new protocol and content. Or they may just decide to compete with a new standard of their own …

“In IM systems, people are accustomed to sharing presence / adding someone to their buddy list. There’s less of a culture of ‘I must be able to accept messages from anyone in the world’ as in email.”

… I think it’s safe to say that Google is taking this far beyond an IM paradigm. If people are going to start handing out business cards with their wave server ids, then, basically, everyone will need to be able to start a discussion. The same methods of harvesting email addresses for SPAM lists will be used for these new ids (which may still be the email addresses themselves, anyway) …

“All XMPP server codebases have rate limiting in place to prevent a single client from sending a large number of messages… in a short period of time”

“we are actively planning for the arrival of spam and have designed some spam-fighting measures such as challenge-response (CAPTCHA) forms to join groupchat rooms or add someone to your contact list”

… He’s discussing the Jabber implementation here. I haven’t seen anything to indicate that Google is taking ownership of user creation with Wave. In fact, the documentation suggests the opposite. The document states that one of the purposes of federation is so that Wave servers can be responsible for their own user bases …

“IM systems have traditionally been quite fragmented … so there isn’t the expectation that you’ll necessarily be able to send a message to any random person on the Internet. This probably makes IM less appealing to spammers than email is. (Remember, spam is a matter of economics, and there may simply not be enough money to be made via IM.)”

… XMPP, meet Google. The game has changed …

Peter did a great job of giving an overview of how XMPP addresses some of the issues. And I want to make it clear that it is not the purpose of this post to slight Peter, his work, or his achievements in any way. I have great respect for the work that has been done with the XMPP working group. But I think it’s clear that XMPP was not initially designed to be an SMTP replacement. However, a company like Google (which is an official supporter of the XMPP WG) may have enough clout and momentum to make it exactly that.

Let’s just hope they put enough thought into how they can improve the protocol to make a brighter tomorrow. The initial responses on the user groups would indicate that they haven’t. But they are definitely aware of the issues and they have a few more months before release.

Let me know your thoughts. If my facts are wrong, please let me know and I’ll be happy to fix them.