SkyNet Is Coming For Email First... Thankfully!
Out Of Control Inboxes!
How many unread messages are in your Inbox right now? If you're going to say 'zero,' you are one of the VERY few people that can keep up with the mess. How about the inboxes of your 'dummy' mail accounts? You might not know it, but the effectiveness of email has been debated by technologists for a LONG time. Thankfully, AI is here to help!
I can remember hearing debates on its longevity potential as far back as 2000, when I was a Sendmail, POP and IMAP admin. For the 7 years I spent at that company as an Internet Systems & Services Architect, I continued to hear this debate, not just in my office or with the other Service Providers I interacted with on a daily basis, but also via LISA.
It was clear that the SMTP protocol was largely considered a mess. The handling of it was greatly splintered, even back then. You had camps of Sendmail purists arguing with the Postfix people... milters, filters... how do you get your milter to work in your new Postfix implementation (which did not support milters at first)? As an email admin, it seemed like I'd be cursed to support a billion technologies for the rest of time.
When I moved on to the next job, mail servers were outsourced (thankfully). Interesting Side Note: Our Broadband over Power Lines (BPL was the industry acronym) company only lasted long enough to prove that the shielding on powerlines is so poor that a <40% delta in humidity can cause SIGNIFICANT signal loss in repeated networks, requiring full platform reboot from the inside out, making them a poor ISP technology.
After two years, I jumped back into the debate while dealing with Postfix, POP and IMAP. But in that span of time, SPAM had become an absolute nightmare. In 2008, my full-time job became managing SPAM queues... and handling recursive NXDOMAIN attacks on my DNS servers that came from effective SPAM bombs on my mail delivery Postfix servers.
In all that time, I came to learn that 99+% of all email is garbage. Complete junk. We all complain about the SPAM in our inbox, but know that you don't even see the 98+% of it that gets filtered out BEFORE it hits your Inbox. The percentage of packets on the internet backbone that this mess takes up is astounding. We have a completely overbuilt router construct now that is polluted by a technology whose sole purpose for many bad actors is to cause or obfuscate attacks on individuals and organizations alike.
What does AI have to do with this?
All that SPAM is controlled (sorta) by filters, milters, advanced protocol firewalls like F5 BIG-IP Advanced Firewall Manager (AFM), deterministic routing, feedback loops... there are slews of vendors dedicated to stopping the SPAM problem. This is like treating extreme asthma with a fast-acting inhaler. It helps only for a little bit, but it is the only treatment we have. Communities and industry have focused on keeping this tech usable over the past 20+ years.
Most of this technology relies on constant sampling of inbound mails, comparing bodies of suspected spam, queuing for further assessment, feedback loops sharing their knowledge and site reliabilities with other peer providers, IP address deny-listing... It is daunting, endless labor.
Meanwhile, on the Red Team side, the main game is getting your SPAM's headers, titles and body to be as unique as possible by using books of phrases and conversation templates, and by relying on randomization in the Linux kernel as your scripts batch mail jobs for a constant drip release. This makes the individual e-mails appear human and not like a bulky mailbomb. Usually, the top-dollar mail filters can catch these, too, and using human farms to mail everything is too expensive.
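To see why comparing bodies still catches phrase-book randomization, here is an added example (not from the original post) that scores inbound mail against a known spam sample using word shingles and Jaccard similarity. The function names, the 0.3 threshold and the sample messages are all constructed for illustration.

```python
import re

def shingles(body, k=3):
    """Set of k-word shingles from a lower-cased, punctuation-free body."""
    words = re.findall(r"[a-z0-9']+", body.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Overlap of two shingle sets: |A & B| / |A | B| (0.0 if both empty)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)

def flag_similar(inbound, known_spam, threshold=0.3, k=3):
    """Return (msg_id, score) for inbound bodies resembling any spam sample."""
    spam_sets = [shingles(s, k) for s in known_spam]
    flagged = []
    for msg_id, body in inbound:
        sh = shingles(body, k)
        score = max((jaccard(sh, s) for s in spam_sets), default=0.0)
        if score >= threshold:
            flagged.append((msg_id, round(score, 2)))
    return flagged

# Constructed sample data: one body already confirmed as spam by a feedback
# loop, one template variant with swapped phrases, one ordinary work mail.
KNOWN_SPAM = [
    "Hello friend, your account has been selected for a special reward. "
    "Click the link below to claim your prize before it expires today.",
]
INBOUND = [
    ("m1", "Dear customer, your account has been selected for a special "
           "reward. Click the link below to claim your gift before it "
           "expires tonight."),
    ("m2", "Hi team, the change window for the mail relay upgrade is "
           "Thursday. Please review the rollback plan before the meeting."),
]

if __name__ == "__main__":
    # Swapping the greeting and two nouns leaves most shingles intact,
    # so the variant still scores well above the threshold.
    for msg_id, score in flag_similar(INBOUND, KNOWN_SPAM):
        print(f"{msg_id}: similarity {score} to a known spam body")
```

Swapping a few template slots changes only the shingles that touch those words, which is why this kind of comparison holds up against phrase books and fails once every message is written from scratch.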
Have you used ChatGPT yet? Really, if not, please go do it after you've finished this article. Using it for the first time is a profound thing. The first time I was able to make it show bias in conversation was scary.
Now imagine not ChatGPT, but an internet-resident SPAMGPT, self-replicated via viruses, bootkits and cloud serverless processes... all over the internet. All of them would be capable of sending REALLY human-like emails at a human-like rate from an ever-shifting and quite massive list of IP addresses globally. No SMTP filter can stop that.
The 99%+ mail flood that we are stopping today becomes your inbox reality. And this can happen overnight. The hard disks in all the mail servers fill up faster than you can expand. Every mail queue is filled up. Even if you could read your mail, you wouldn't be able to trust it anymore. It'd be impossible for the end-user to tell SPAM from human.
What about using AI to combat the AI SPAM? Sure! Have you, perchance, reviewed the OWASP Top 10 for Large Language Model Applications? Unfortunately, there are already attack surfaces and threat vectors, so using AI to combat AI SPAM would require you to hire some VERY expensive talent to help with your AI cybersecurity needs. But the option is there if you feel that this is a good long-term solution for your organization.
What do we do now?
This catastrophe can be avoided and the solution is obvious: stop using email to communicate and collaborate.
I know I said I was a Linux person, but I really admire the potential of Microsoft Teams as a successor for corporate collaborative process. I use it to plan "This Month In Security" with F5 Labs and F5 SIRT... not just chat, but to take notes, share files and to build a wiki.
But there are other ways as well: Slack, Discord and even some social media can be used for this type of thing. Meaningful work has been done on Reddit and GitHub for a while now.
We're starting to use non-email communication mechanisms with more fluidity. We document in more proper locations for our various circles of work. We set up processes for our various circles of work. And while I'm certainly married to O365, its calendar function is the main event. In my organization, everyone can reach me effectively. They get me on Teams, they have my phone. We communicate and set Zoom meetings with calendar invites. All without sending a traditional email.
What about people outside my organization, though? This isn't quite baked yet. We could have gateways implemented for various corporate channels - Slack-to-Teams messaging proxies with OAuth, maybe? Some sort of Global Unified Auth Mechanism (GUAM! Patent pending!)? Octo? We have tools that could aid with corporate intercommunication soon.
Imagine signing up for Twitter with a biometric-based auth app that allows you to communicate with a predetermined set of options for a reply-type authentication factor, as email has been. Maybe a 6-digit code could be DM'd to me on Twitter? Or TikTok? (YIKES!) What's stopping me from authenticating my Facebook password reset request via my Mastodon account? It is an API call as a reply! Instantaneous and secured by TLS with a rock-hard cipher. If you think about how many mail relays those same authentication bits travel through via SMTP, there is always a weakest link. Someone gets owned, and your mail is visible and able to be intercepted.
So, I propose beginning the massive multi-year plan to shut down the mail servers with your organization now. Let's switch to using communication mechanisms based on our relationships. There are better, more secure ways to chat or plan or keep documents and code repositories than e-mail. We can use a conglomeration of these resources to be effective interpersonally. But I don't need an email from you. As an example, you can reach me here: