Re: [Asrg] [IP] do-not-email list canned
----- Original Message -----
From: "william(at)elan.net" <william at elan.net>
To: <asrg at ietf.org>
Sent: Thursday, June 17, 2004 1:03 AM
Subject: Re: [Asrg] [IP] do-not-email list canned
> > Any domain that abuses SPF, CallerID, or Domain Keys can be effectively
> > blacklisted. That domain becomes tainted unless they clean up their act.
> > If they continue to abuse or revert to abusive use of domain level
> > authentication, then people will just permanently blacklist them. This type
> > of abuse should be treated even more severely than not using authentication.
> Spammers can register a new domain for $6 or less; it's likely that throwaway
> domains become the norm. It's likely that we'll see a move from ip-based
> blacklists to domain-based blacklists, but they'll all be too late in
> catching a spammer's initial run. The long-term solutions to this require
> reputation services for any new domain entering the system.
Yes, this is one of the very legitimate concerns. My point was that the
zombies would not attempt to spoof the SPF/CallerID/DomainKey enabled
domains. At least this gives us the ability to have a reliable white list
of reputable domains. As the ratio of authenticated to non-authentication
enabled domains increases, the source of spam will be pushed over to
non-authenticated side. People will begin to more aggressively blacklist
non-authenticated domains and the pressure will mount. After all, it
doesn't take much to comply with SPF, CallerID, or Domain Keys if you're a
legitimate domain. It's a hell of a lot easier than trying to get reverse
lookup records in when you don't own your own IP block.
As for the $6 domains, I agree that a reputation service is what's needed
for new domains. I'm not under the illusion that this will end spam, it's
just that it gives us more tools to combat it.
> And there would be software that people will want to install that will
> disable this and people will not even realize it.
Actually, MS has gone out of their way to make sure that it does not break too
many applications. They've also put in an API for programs to dynamically
open up the ports they need on the fly. I've seen several implementations
of applications that already do this now.
> I already commented
> on several social-engineering schemes to do it, expect to see more of
> those. Personal hardware firewalls have also been getting very wide use
> by dsl customers already and because they are not controlled directly
> from the computer, they are slightly less likely to be bypassed. Now,
> I'm not saying it's bad to have a firewall, even software based, in fact it's
> the best thing to come out from Microsoft for a long time...
I'm not saying it's foolproof. Just that having all inbound ports blocked
by default is just plain sanity and it will take a big swipe out of the
existing zombie mess. I guarantee you that almost all of the zombies out
there didn't have inbound firewall protection or the user clicked on a nasty
attachment.
> > 2. Authenticode restrictions on email attachments. You can't easily run any
> > type of executable you receive in email. Even if you copy that file to
> > a normal folder, it will still retain its state so that you still
> > can't accidentally execute it.
> I have certain predictions that ways will be found to bypass this (how
> about running a file from a .zip file? or a file that is created by a script run
> by email, as in the vulnerability I mentioned that I've read about) and
> there would be future patches to close vulnerabilities in this particular
> feature. Although initially this should provide certain protection for
> the common viruses we've all come to love so much.
Ah, but you're mistaken. Zips have managed to get past anti-virus defenses
at the gateway level and it has been an escalation of
measure and countermeasure. However, SP2 will protect you here. Once the file
is unzipped to your normal folder, it will remain an untrusted file. If a
user double clicks that file, it will not run. Only if the user goes
through a manual right-click procedure and wades through some warnings will
they be able to run it. I'm not saying that there aren't dumb users that
won't still go out of their way to infect themselves, but it will cut down a
lot.
> > 3. Recompile of the entire OS with a compiler that catches most of the
> > silly vulnerabilities.
> I have serious doubts that this was really done beyond a couple of dlls.
> Microsoft can't do this in the service pack, it is a matter of software
> release engineering which you might not be familiar with if you're not a
> programmer. Basically it requires a different kind of testing if you recompile
> the entire OS differently and that requires going through normal OS alpha &
> beta testing with multiple release candidates, etc.
Ah, but they have. This is why MS is over a year late in delivering SP2.
They're already up to RC2 now. MS is even boasting that SP2 will break a
lot of legacy applications, but that it is necessary because those
applications are fundamentally insecure. This is the most aggressive SP
that Microsoft has ever produced. SP2 is in fact a recompile of the bulk of
the OS.
> And having recently
> dealt with Microsoft people at the MARID, they have shown their
> company's view on changes to existing software they released, which makes it
> clear to me that what you described above came from Microsoft marketing
> but may not be representative of the real technological changes made, for
> which Microsoft has always been quite conservative in its service packs.
I think you're mistaken here.
> This will be my last reply on this thread. It's clear to me that new people
> who have not done enough research in the anti-spam area misunderstand SPF and
> DK and similar technologies, in part because they have been incorrectly
> marketed to them as a solution to spam, and then ordinary people try to fit
> them as a solution into every spammer-used hole, while in fact the technologies
> are being done to address specific holes in email that have been abused
> by the most criminal of spammers.
Like I said, I have no illusions that SPF, CallerID, Domain Keys are silver
bullets. All I'm saying is that they will be an essential component in
combating spam. Just a mere component. The fight will go on.
George Ou
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg