Re: [Asrg] [IP] do-not-email list canned
On Wed, 16 Jun 2004, George Ou wrote:
> I'm curious to know how a zombie machine will have a legitimate SPF,
> CallerID, or Domain Key. Are you suggesting each worm/virus infected zombie
> will somehow register its own legitimate domain and authoritative DNS
> server? Seems a bit stretched, wouldn't you say? I've heard a lot of
> skepticism (some well founded) on authentication before, but this argument
> is ridiculous.
Hardly ridiculous; it's actually something to be expected if SPF becomes popular.
Various scenarios on how spammers may do it:
1. There is no need for them to have an SPF record; they can just use domains
that don't support SPF.
2. They can specifically enter an SPF domain that is authorizing the entire world,
or possibly one that provides several includes to the ISP's own record of its
valid user IPs (i.e. if an ISP, or somebody else who is on a dynamic IP from the ISP
and needs to send email from there, would have to publish a domain with an
SPF record authorizing all dialup IPs, the spammer will just include that
record).
3. They can use a complex reference to a DNS record in ip.in-addr.arpa.example.com
and set in-addr.arpa.example.com to confirm for a large set of IP addresses
(but because they are entered individually it would not be possible to
tell how large the set is).
> Actually, Windows XP SP2 (due out in a few months) will solve most of these
> problems when everyone installs it.
Based on previous experiences with Microsoft operating systems, I have
serious doubts that no new exploits would be found in their OS.
In fact, just recently an exploit program was shown that will automatically
download and install its code on the user's machine when he is just browsing
the web. (I don't remember the article URL, but this was pretty interesting
code that used an exploit Microsoft had known about for at least 6 months
and done nothing about, together with very unusual JavaScript and another
help-system exploit, which all made it work so that a file is added to the
system and executed.)
The point is that Microsoft has serious security issues that they continue
to fix with patches and service packs, but it's not always on time, and with
every new OS release new exploits are found. I have no doubt that holes
in their OS will continue to be used to make ordinary computers into zombies.
In fact, even if we switch to a different OS, the likely case is that the bad
guys would switch their efforts together with us; for example, Linux has
quite a few holes too, and unpatched servers get hacked all the time
(although mostly by IRC fanatics who use these zombies for DoS attacks).
It's not even as much about the OS; it's how technically efficient and good
the person who owns the computer is (I for one have used Windows for a long
time and never had a virus on it or had the computer become a zombie), and most
users are not good enough with technology to install every patch and to
make sure the software they use is OK. Even worse are children, who are by
their nature more careless and don't think ahead into the future about
what may happen. Add to that that bad guys are pretty efficient at exploiting
people's carelessness and stupidity... so think: how many of you know
people who don't read warning popups and just click OK? What do you think
will happen if that popup is actually embedded code that installs a zombie
virus? And do you really think there can't be other social+technical
issues to exploit?
In conclusion, the zombie problem will continue to exist. The way to deal
with it is to change the mail delivery path so that end-user machines can't
pretend to be servers any more, and that involves allowing ISPs to mark
their IPs as such, so as to force end-users to use the SUBMIT protocol or
SMTP with authentication for the initial step in sending mail out through an
intermediate relay run either by their direct ISP or by their mail
hosting provider.
--
William Leibzon
Elan Networks
william at elan.net
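Added example (not code from the post above nor from any SPF implementation): a simplified SPF evaluator backed by a constructed in-memory DNS TXT table, so it runs offline. The domain names, records and addresses in it are made up, and only the ip4, ip6, include and all mechanisms are modelled. It shows the two cases the message describes: a record such as "v=spf1 +all" yields an SPF pass for any sender, and a record that merely includes an ISP's dial-up ranges yields a pass for every address in those ranges. It also estimates how many IPv4 addresses a record authorizes, which a receiver can use to discount a "pass" from an overly permissive domain.

```python
"""Simplified SPF check with an in-memory DNS table (no network access)."""
import ipaddress

# Constructed TXT records standing in for real DNS lookups (assumption:
# names and ranges are invented; 203.0.113/24, 198.51.100/24 and 192.0.2/24
# are documentation ranges).
DNS_TXT = {
    "open.example": "v=spf1 +all",                       # authorizes the world
    "isp-dialup.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
    "spammer.example": "v=spf1 include:isp-dialup.example -all",
    "strict.example": "v=spf1 ip4:192.0.2.10 -all",      # a single server
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # guard against include loops


def parse_record(txt):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_host(ip, domain, dns=DNS_TXT, depth=0):
    """Return the SPF result ('pass', 'fail', ...) for sender ip under domain."""
    if depth > MAX_DEPTH:
        return "permerror"
    txt = dns.get(domain)
    if txt is None:
        return "none"  # domain publishes no SPF record (scenario 1)
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_record(txt):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # membership is False when address and network families differ
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def authorized_ipv4_count(domain, dns=DNS_TXT, depth=0):
    """Estimate how many IPv4 addresses receive 'pass' under this domain.

    Sums pass-qualified ip4 and include terms; overlapping ranges are
    counted twice, so treat the result as an upper bound.
    """
    if depth > MAX_DEPTH or domain not in dns:
        return 0
    total = 0
    for qualifier, name, arg in parse_record(dns[domain]):
        if qualifier != "+":
            continue  # only pass terms widen the authorized set
        if name == "all":
            return 2 ** 32
        if name == "ip4":
            total += ipaddress.ip_network(arg, strict=False).num_addresses
        elif name == "include":
            total += authorized_ipv4_count(arg, dns, depth + 1)
    return total


def is_overly_permissive(domain, threshold=2 ** 16, dns=DNS_TXT):
    """Receiver-side heuristic: a pass from a domain that authorizes more
    than `threshold` addresses says little about who actually sent the mail."""
    return authorized_ipv4_count(domain, dns) >= threshold


if __name__ == "__main__":
    sender = "203.0.113.5"  # constructed: an address inside the dial-up range
    for name in DNS_TXT:
        print(f"{name:22} {sender} -> {check_host(sender, name):8} "
              f"authorizes {authorized_ipv4_count(name)} addresses, "
              f"permissive={is_overly_permissive(name)}")
```

A receiver can use the count as a weighting factor rather than treating every SPF pass alike. A production evaluator must also implement the a, mx, ptr and exists mechanisms, macro expansion, the redirect modifier and the DNS lookup limit, none of which this sketch covers.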
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg