Re: [Asrg] [IP] do-not-email list canned
> The idea behind any of the authentication mechanisms is that it must pass
> the point of critical mass. At that point, if we can get the big boys (AOL,
> MSN, Yahoo, Earthlink, Netzero, etc) to reject any non-authenticated SMTP
> servers outright, then you will see people jumping to implement SPF,
> CallerID, or Domain Keys.
Read technology papers first and don't mix it all up just because you hear
a name. SPF, CallerID, DomainKeys are all different things and you should
not put them all in one bag. The hope that people will jump to implement
something that is specifically not designed to stop spam but to stop
forgery is unfounded; although SPF does amazingly good marketing, a lot
more is needed before we can even dream of a situation where everybody is
required to follow it.
> By that time, spammers will more and more move to
> domains that have not implemented authentication forcing people to blacklist
> them left and right.
The number of registered domains is tens of millions. The number of those
that can be upgraded to SPF within a year is at best hundreds of
thousands. Whether you like it or not, most domains will be left
with no SPF records even at the time when most mail is flowing between
servers that do check SPF (which is in the far, far future). This is very much
unlike in-addr tree records, where only a dozen large ISPs need to participate
to achieve critical mass in the IP blocks actively used for zombie spam.
> Any domain that abuses SPF, CallerID, or Domain Keys can be effectively
> blacklisted. That domain becomes tainted unless they clean up their act.
> If they continue to abuse or revert to abusive use of domain level
> authentication, then people will just permanently blacklist them. This type
> of abuse should be treated even more severely than not using authentication.
Spammers can register a new domain for $6 or less; it's likely that throwaway
domains become the norm. It's likely that we'll see a move from IP-based
blacklists to domain-based blacklists, but they'll all be too late in
catching a spammer's initial run. The long-term solutions to this require
reputation services for any new domain entering the system.
But in any case, the initial thread was on zombies. And the answer is that
zombie use by spammers is unrelated to authentication and is similar to the use
of internet IPs that spammers get directly from an ISP when they buy services.
It's simply that zombies are individual IPs, not ISP allocations and
netblocks, and dealing with a multitude of individual IPs is more difficult.
The use of zombies will continue because it makes technological sense
to distribute the application load of sending millions of emails from one
or two central servers into multiple ones distributed across the whole net.
One possibility, if SPF or similar records appear that tie a domain to a
specific zombie IP (which is unlikely; more likely is that larger blocks
will be whitelisted by the SPF domain record), is that government will take
action to try to locate them and file charges of criminal trespass and
hacking, but don't get your hopes up for government to take up this issue
soon unless we give them a lot better tracking tools.
> You totally missed the point of SP2. It is widely accepted by security
> experts as a huge step in security. Even a devout anti-MS guy like Bruce
> Schneier implies in his latest rant that SP2 is important although he is
> whining big time that MS won't give it to people who stole XP.
If you steal our technology, we'll make sure your computer is stolen by
somebody else :)
> There are three major factors that make SP2 a huge jump in security.
> 1. Default on Firewall. If a user is too ignorant to turn the firewall
> off, they shouldn't have inbound ports open to begin with.
And there would be software that people will want to install that will
disable this and people will not even realize it. I already commented
on several social-engineering schemes to do it; expect to see more of
those. Personal hardware firewalls have also been getting very wide use
by DSL customers already, and because they are not controlled directly
from the computer, they are slightly less likely to be bypassed. Now,
I'm not saying it's bad to have a firewall, even software based; in fact it's the
best thing to come out of Microsoft in a long time...
> 2. Authenticode restrictions on email attachments. You can't easily run any
> type of executable you receive in email. Even if you copy that file to
> a normal folder, it will still retain its state so that you still
> can't accidentally execute it.
I have certain predictions that ways will be found to bypass this (how
about running a file from a .zip file? or a file that is created by a script run
by email, as in the vulnerability I mentioned that I've read about) and
there will be future patches to close vulnerabilities in this particular
feature. Although initially this should provide certain protection for
the common viruses we've all come to love so much.
> 3. Recompile of the entire OS with a compiler that catches most of the
> silly vulnerabilities.
I have serious doubts that this was really done beyond a couple of DLLs.
Microsoft can't do this in a service pack; it is a matter of software
release engineering which you might not be familiar with if you're not a
programmer. Basically it requires a different kind of testing if you recompile
the entire OS differently, and that requires going through normal OS alpha &
beta testing with multiple release candidates, etc. And having recently
dealt with Microsoft people at MARID, they have shown their
company view on changes to existing software they released, which makes it
clear to me that what you described above came from Microsoft marketing
but may not be representative of the real technological changes made, for
which Microsoft has always been quite conservative in its service packs.
---
This will be my last reply on this thread. It's clear to me that new people
who have not done enough research in the anti-spam area misunderstand SPF and
DK and similar technologies, in part because they had been incorrectly
marketed to them as a solution to spam, and then ordinary people try to fit
them as a solution into every spammer-used hole, while in fact the technologies
are being done to address specific holes in email that had been abused
by the most criminal of spammers.
--
William Leibzon
Elan Networks
william at elan.net
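Added example, not part of the original message or of any SPF implementation: a minimal SPF evaluator (ip4 and all mechanisms only) over constructed DNS data, showing the three cases the argument above turns on. A forged sender from a zombie IP fails, a throwaway domain that publishes its own record passes, and a domain with no record yields none. The .test domains, RFC 5737 address blocks and the receiver policy are constructed placeholders.

```python
import ipaddress

# Qualifier prefix on an SPF mechanism -> result it yields when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups (placeholder .test domains, RFC 5737 IPs).
TXT_RECORDS = {
    "bigisp.test": ["v=spf1 ip4:192.0.2.0/24 -all"],        # legitimate ISP
    "throwaway.test": ["v=spf1 ip4:198.51.100.0/24 -all"],  # spammer's $6 domain
    "unmanaged.test": [],                                   # no SPF published
}

def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [r for r in TXT_RECORDS.get(domain, []) if r.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None

def check_spf(sender_ip, domain):
    """Evaluate only ip4 and all mechanisms; return an SPF result string."""
    record = spf_record(domain)
    if record is None:
        return "none"                 # absence of a record says nothing about spam
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:   # skip the version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip.version == 4:
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                  # no mechanism matched and no 'all' term

def receiver_policy(result):
    """Constructed receiver policy: only a hard fail is grounds for rejection."""
    return {"fail": "reject", "softfail": "accept-and-flag"}.get(result, "accept")

if __name__ == "__main__":
    # 203.0.113.5 plays the role of a zombie host; the others are the domains' own blocks.
    cases = [("203.0.113.5", "bigisp.test"),       # forged sender -> fail, rejected
             ("198.51.100.7", "throwaway.test"),   # spammer's own domain -> pass
             ("203.0.113.5", "unmanaged.test")]    # no record -> none, not evidence
    for ip, dom in cases:
        r = check_spf(ip, dom)
        print(f"{dom:16s} from {ip:14s} -> {r:8s} ({receiver_policy(r)})")
```

The third case is the point of the "tens of millions of domains" paragraph: a receiver that treated "none" as spam evidence would reject most legitimate mail, so SPF only helps against forgery of domains that do publish a record.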
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg