[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Asrg] Willfull and intentional misunderstandings

To: Asrg@ietf.org
Subject: RE: [Asrg] Willfull and intentional misunderstandings
From: Yakov Shafranovich <research@solidmatrix.com>
Date: Thu, 08 May 2003 23:00:49 -0400
List-archive: <https://www1.ietf.org/pipermail/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
Sender: asrg-admin@ietf.org

From: Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>

> Spoofed spam is harder to trace, and thus harder to shut down.

This assumes a few things I don't know:

        o what does "harder to trace" refer to, what is the technical
          capability of the entity performing the tracing function?
        o what does "trace" actually mean?

I personally use the SpamCop reporting service and by trace I will be using the example of what SpamCop does - parse the headers and the message in order to ascertain:
1. The path of transmission including the originator's IP address, and the IP addresses of any of the MTA or gateways in between.
2. The IP addresses of the sites and email accounts mentioned in the message.
3. Finding out who the owner of those IPs is, or if that fails their upstream provider, or their upstream provider, etc.

By "trace" I mean finding out who the entities responsible for the IP addresses are. This is accomplished using WHOIS lookups on domain name records and IP blocks, as well as tracert commands. This also includes maintaining the contact information for different ISPs like SpamCop and abuse.net do.

The "entity" doing this process would either be an actual human being like a law enforcement agent or an ISP admin, or it maybe an automatic software system like SpamCop.

"Harder to trace" means that it is impossible to do tracert or WHOIS looks when the "From" and "Received" headers are false. As the result the "tracing entity" ends up reporting and accusing the wrong people.This accomplishes two things:
1. It throws off the ISPs and law authorities that are trying to find out the sender by leading them down the wrong path.
2. It causes ISPs to ignore spam reports since so many are triggered by false information.

An additional benefit to spammers also is the fact that the spam filters will have a harder job detecting them.

        o what does "harder to shut down" refer to
        o what is actually being "shut down"?
and finally, if it were easier and well-defined and easier and well-defined

It means getting in touch with their ISP and make the ISP shut down their site or email address. It also means alerting the admins of the hacked computers and open relays to fix their problems. It also means getting the FTC or FBI to prosecute them. And under the slowly increasing number of spam laws, it means having the ability for the recipients to sue the senders directly.

        o would it matter?

If every spam message sent would be easily traced or come directly from spammer@CyberPromotions.Biz then ISPs can easily sue the senders, the LAE can easier prosecute "Nigerian" scam people, and spam filters can easily block spam.

Isn't every overt source an expendable asset with a finite TTL and a finite
delivery queue?

There is a famous quote from an old NY Times article: "On the Internet no one knows if you are a dog". But in reality, every single spam message has a physical person behind it who is sending it. Everything is logged somewhere even if for a limited time. Even though they might be switching from site to site, and from domain to domain, if we can get to the ISP logs in time before they are deleted even though the original domain name or site might no longer be there, the information gathered can still help us somewhat.

But then of course, all the spammers can move to China or some other country where the ISPs will not care about the spam issues. If that happens I wonder how long will it take until the country's uplink is shut off?

---------------------------------------------------------------------------------------------------
Yakov Shafranovich / <research@solidmatrix.com>
SolidMatrix Research, a division of SolidMatrix Technologies, Inc.
---------------------------------------------------------------------------------------------------
"One who watches the wind will never sow, and one who keeps his eyes on
the clouds will never reap" (Ecclesiastes 11:4)
---------------------------------------------------------------------------------------------------
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- Re: [Asrg] Willfull and intentional misunderstandings
  - From: Eric Brunner-Williams in Portland Maine

Prev by Date: Re: [Asrg] Re: Washington Post: Earthlink to Deploy a Challenge-Response System for Fightin
Next by Date: Re: [Asrg] Assume perfect knowledge by domain registry provisioners, so what?
Previous by thread: Re: Fwd: RE: [Asrg] Willfull and intentional misunderstandings
Next by thread: Re: [Asrg] Willfull and intentional misunderstandings
Index(es):
- Date
- Thread