Re: [Asrg] [IP] do-not-email list canned
---- Original Message -----
From: "william(at)elan.net" <william at elan.net>
To: <asrg at ietf.org>
Sent: Wednesday, June 16, 2004 10:12 PM
Subject: Re: [Asrg] [IP] do-not-email list canned
> Hardly ridiculous, it's actually something to be expected if SPF becomes
> popular
> Various scenarios on how spammers may do it:
> 1. There is no need for them to have SPF record, they can just use domains
> that don't support SPF.
The idea behind any of the authentication mechanisms is that it must pass
the point of critical mass. At that point, if we can get the big boys (AOL,
MSN, Yahoo, Earthlink, Netzero, etc) to reject any non-authenticated SMTP
servers outright, then you will see people jumping to implement SPF,
CallerID, or Domain Keys. By that time, spammers will more and more move to
domains that have not implemented authentication forcing people to blacklist
them left and right.
> 2. They can specifically enter SPF domain that is authorizing entire world
> or possibly one that provides several includes to ISP's own record of its
> valid user ips (i.e. if ISP or somebody else who is on dynamic ip from ISP
> and needs to send email from there, they would have to publish domain with
> SPF record authorizing all dialup ips, the spammer will just include that
> record).
> 3. They can use complex reference to dns record in
> ip.in-addr.arpa.example.com
> and set in-addr.arpa.example.com to confirm for large set of ip addresses
> (but because they are entered individually it would not be possible to
> tell how large the set is).
Any domain that abuses SPF, CallerID, or Domain Keys can be effectively
blacklisted. That domain becomes tainted unless they clean up their act.
If they continue to abuse or revert to abusive use of domain level
authentication, then people will just permanently blacklist them. This type
of abuse should be treated even more severely than not using authentication.
> > Actually, Windows XP SP2 (due out in a few months) will solve most of these
> > problems when everyone installs it.
>
> Based on previous experiences with Microsoft operating systems, I have
> serious doubts that there would not be found new exploits in their OS.
> In fact just recently an exploit program was shown that will automatically
> download and install its code to user machine when he is just browsing
> the web. (I don't remember article URL, but this was pretty interesting
> code that used exploit Microsoft had known about it for at least 6 months
> and done nothing about together with very unusual javascript and another
> exploit help system that all made it to work so that file is added to the
> system and executed).
You totally missed the point of SP2. It is widely accepted by security
experts as a huge step in security. Even a devout anti-MS guy like Bruce
Schneier implies in his latest rant that SP2 is important although he is
whining big time that MS won't give it to people who stole XP.
There are three major factors that make SP2 a huge jump in security.
1. Default on Firewall. If a user is too ignorant to turn the firewall
off, they shouldn't have inbound ports open to begin with.
2. Authenticode restrictions on email attachments. You can't easily run any
type of executable you receive in email. Even if you copy that file to a
normal folder, it will still retain its state so that you still can't
accidentally execute it.
3. Recompile of the entire OS with a compiler that catches most of the
silly vulnerabilities.
Does this make Windows XP SP2 unbreakable? Hardly. Is it a massive
improvement? Definitely.
The fact is, this does exactly what you say it won't do. It does improve
security for novice users because of factors 1 and 2. The recompile should
cut the number of updates down significantly.
George Ou
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
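
Added example, not part of the original message or thread: a receiver-side Python check for scenarios 2 and 3 quoted above, which counts the IPv4 space an SPF record authorizes directly and flags terms whose breadth cannot be read from the record itself. The record strings, domain names and the /16 threshold are constructed assumptions, and `audit_spf` is a hypothetical helper.

```python
import ipaddress

# Assumed policy threshold: more than a /16 of directly listed IPv4 space.
MAX_DIRECT_ADDRS = 2 ** 16

# Constructed sample records (hypothetical domains), one per scenario.
SAMPLES = {
    "narrow.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "world.example": "v=spf1 +all",
    "wide.example": "v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all",
    "dialup.example": "v=spf1 include:dialup.isp.example -all",
    "opaque.example": "v=spf1 exists:%{ir}.in-addr.arpa.example.com -all",
}

def audit_spf(record):
    """Return (directly authorized IPv4 count, list of findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["not an SPF record"]
    nets, findings = [], []
    for term in terms[1:]:
        qualifier = "+"                     # a bare mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier != "+":
            continue                        # only pass terms authorize senders
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            findings.append("'+all' authorizes every address")
        elif name == "ip4":
            try:
                nets.append(ipaddress.IPv4Network(arg, strict=False))
            except ValueError:
                findings.append("malformed ip4 term: " + arg)
        elif name == "include":
            findings.append("include:" + arg + " delegates to another record")
        elif name == "exists" or "%{" in arg:
            findings.append(name + " depends on a per-query DNS answer; "
                            "the authorized set cannot be sized")
    # Merge overlapping or adjacent ranges before counting addresses.
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    if total > MAX_DIRECT_ADDRS:
        findings.append("ip4 terms cover %d addresses" % total)
    return total, findings

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, audit_spf(record))
```

An `include` finding means the referenced record has to be fetched and audited the same way before the domain's real breadth is known.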