
RE: [Asrg] 4. Survey of Solutions - Methods of Authentication - Trojans



I have written about this in another thread, but I think it is worthy of
repeating.

>
> 1. Verifying that the sending IP address is a legit MTA.
> PROBLEM: Spammers use hacked or virus infected machines to send spam.

Re: Trojans, hacked machines, broken formmails etc....

All areas of the internet must be tightened to minimise the impact of such
attacks; we cannot do that alone!

Most (not all) spammers are laymen; they rely on other people's software to
do the job for them.

If anyone thinks spammers will move en masse to trojan systems to continue
their habit, I believe they are sadly mistaken.

They spam currently because they can. But if it means becoming technically
savvy and deliberately hacking into other people's machines, I doubt many
will follow this path.

How many trojan writers will advertise their wares on a commercial
basis?

Some, I am sure, but not enough to return the Internet to the bad old days
err... today!

IN SUMMATION

This is a problem that will continue ad infinitum but not on the scale that
we see Spam today.


Regards
Chris



> -----Original Message-----
> From: asrg-admin@ietf.org [mailto:asrg-admin@ietf.org]On Behalf Of Yakov
> Shafranovich
> Sent: Sunday, November 30, 2003 6:45 PM
> To: ASRG
> Subject: [Asrg] 4. Survey of Solutions - Methods of Authentication
>
>
> I wanted to start this thread to discuss different methods of
> authentication in email. All of these simply prove that the sender is
> authentic, increasing traceability and reducing forgery; they do not stop
> spam by themselves. However, they force spammers into a corner, where
> they can be dealt with more easily.
>
> It seems to me that we have the following (this will hopefully become a
> draft):
>
> 1. Verifying that the sending IP address is a legit MTA.
> PROBLEM: Spammers use hacked or virus infected machines to send spam.
> SOLUTION: Allow the owner of the IP address to indicate that this
> specific address cannot be used for sending email.
> EXAMPLES: MTA Mark, centralized white lists for IP addresses (carrot and
> stick), digital certificates.
> ISSUES: Many users are not necessarily the real IP address owners.
> Centralized systems have DDOS and power-grab issues. DNS-based solutions
> have security issues.
> SPAMMER WORKAROUNDS: Having a spammer friendly ISP, hacking DNS servers,
> cache poisoning. Use a hacked computer that is legit.
>
> 2. Verifying that the sending IP address has permission to send email
> for the domain that it used in HELO and MAIL FROM commands.
> PROBLEM: Spammers tend to use return addresses of other valid domains in
> order for their email to appear legitimate OR on purpose in order to
> cause problems to the domain owner ("joe-job").
> SOLUTION: Allow the owner of the domain, or a trusted third party, to
> specify which IP addresses are authorized to send email for that domain.
> EXAMPLES: LMAP, DRIP, digital signatures and certificates, manual white
> listing
> ISSUES: Centralized systems have DDOS and power-grab issues. DNS-based
> solutions have security issues.
> SPAMMER WORKAROUNDS: Owning their own domains. Stealing someone else's
> DNS, cache poisoning. Use a hacked computer that is legit.
>
> 3. Verifying that the sender's email address used in MAIL FROM is valid.
> PROBLEM: Many times the spammers forge the originator's email address in
> order to avoid bounces, to avoid detection, or for "joe-jobbing".
> SOLUTION: Have the sender's MTA or the sender himself verify his
> validity, use a centralized system for verification.
> EXAMPLES: C/R and CRI, RCPT TO callback, digital signatures
> ISSUES: Centralized systems have DDOS and power-grab issues. Existing
> MTAs tend not to cooperate with callbacks. Users do not want to answer
> C/R challenges. Anonymous email is killed.
> SPAMMER WORKAROUNDS: Using someone else's valid email address, use their
> own domains that answer "yes" to all callbacks and C/R challenges.
>
> 4. Verifying that the sender actually sent this specific email message.
> PROBLEM: Many times the spammers forge the originator's email address in
> order to avoid bounces, to avoid detection, or for "joe-jobbing".
> SOLUTION: Have the sender's MTA or MUA verify that the sender actually
> sent the message in question. Have the sender digitally sign each message
> or provide an e-postage token in each message, with verification via a
> centralized system.
> EXAMPLES: CRI, MSG-TRACK, digital signatures, e-postage
> ISSUES: Centralized systems have DDOS and power-grab issues. Existing
> MTAs have no support for this ability. This increases traffic and opens
> a possibility for DDOS attacks. Anonymous email is killed.
> SPAMMER WORKAROUNDS: Operating their own email server, steal someone
> else's account or falsely register in a centralized database. Use a
> hacked computer that is legit.
>
> 5. Verifying that the sender is actually human and not a machine.
> PROBLEM: The inherent issue with email is that it is generated by
> machines which can pump out bulk email very fast.
> SOLUTION: Force senders to verify their "humanity" every so often OR for
> every message, or use a centralized system.
> SOLUTIONS: C/R and CRI with Turing tests, digital signatures and e-postage
> ISSUES: Centralized systems have DDOS and power-grab issues. Turing
> tests do not work for the disabled. This increases traffic and opens a
> possibility for DDOS attacks. Anonymous email is killed. Users do not
> like to go through verification. Mailing lists have big problems.
> SPAMMER WORKAROUNDS: Hire cheap humans (developed countries) or trick
> humans (free porn sites with Turing tests). Develop software to go
> around Turing tests. Steal someone else's account or falsely register in
> a centralized database.
>
> 6. Verifying that the sender is a legit human, and not a spammer.
> PROBLEM: Even verifying that the sender is human does not mean he is not
> a spammer.
> SOLUTION: Use a reputation system or a centralized database.
> SOLUTIONS: Digital signatures and certificates, "Internet license"
> ISSUES: Centralized systems have DDOS and power-grab issues.
> SPAMMER WORKAROUNDS: Steal someone else's account or falsely register in
> a centralized database. Use a hacked computer.
>
> Comments?
>
> Yakov
> -------
> Yakov Shafranovich / asrg <at> shaftek.org
> SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
> "And this too shall come to pass"
> -------
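Item 2 of the quoted survey (the domain owner publishes which IP addresses may send for the domain; the receiving MTA checks the client IP against that list for both HELO and MAIL FROM) can be sketched as a small authorization check. This is an added example, not code from the ASRG thread or from any LMAP/DRIP draft; the `POLICY` table and its CIDR-list format are constructed stand-ins for a DNS-published record.

```python
"""LMAP-style sender-authorization check (added example, not from the thread).

The receiving MTA asks: is the connecting client IP authorized to send mail
for the domain given in HELO and for the domain in the MAIL FROM address?
A domain with no published policy yields 'none' (cannot be judged); a
published policy that excludes the client IP yields 'fail' (a forged
return address, the "joe-job" case in the survey).
"""
import ipaddress

# Constructed policy table standing in for a DNS lookup: domain -> networks
# the domain owner has authorized to send mail on its behalf.
POLICY = {
    "example.com": ["192.0.2.0/24", "2001:db8:10::/48"],
    "example.net": ["198.51.100.7/32"],
}


def lookup_policy(domain):
    """Return the published network list for a domain, or None if unpublished."""
    return POLICY.get(domain.lower().rstrip("."))


def check_domain(domain, client_ip):
    """Return 'pass', 'fail' or 'none' for one domain and the client's IP."""
    nets = lookup_policy(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in nets):
        return "pass"
    return "fail"


def mail_from_domain(mail_from):
    """Extract the domain from an envelope sender such as '<user@example.com>'."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None  # null sender '<>' used by bounces has no domain to check
    return addr.rsplit("@", 1)[1]


def check_envelope(helo, mail_from, client_ip):
    """Evaluate HELO and MAIL FROM together; any explicit 'fail' rejects."""
    results = {"helo": check_domain(helo, client_ip)}
    dom = mail_from_domain(mail_from)
    results["mail_from"] = check_domain(dom, client_ip) if dom else "none"
    results["verdict"] = "reject" if "fail" in results.values() else "accept"
    return results
```

Note that a client hitting a domain with no policy gets 'none' rather than 'fail', which is exactly the gap the survey's "use a hacked computer that is legit" workaround exploits; the check only has teeth once the domain publishes its senders.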


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg