
Re: [Asrg] [IP] do-not-email list canned



----- Original Message ----- 
From: "Kee Hinckley" <nazgul at somewhere.com>
To: "George Ou" <george_ou at netzero.com>
Cc: <asrg at ietf.org>
Sent: Sunday, June 20, 2004 2:24 PM
Subject: Re: [Asrg] [IP] do-not-email list canned


> At 11:51 PM -0700 6/16/04, George Ou wrote:
> >Any domain that abuses SPF, CallerID, or Domain Keys can be effectively
> >blacklisted.  That domain becomes tainted unless they clean up their act.
>
> Sure.  But we've already seen spammers rotating through domains every
> few weeks.  I like the bounce back protection.  I *love* the fact
> that I won't have so many viruses sending "from" my domain (that
> would probably cut my inbound traffic by half a million messages a
> day).  But I don't see authentication doing anything but shifting the
> battle sideways a bit.  Not a bad thing at all--the available space
> gets smaller and smaller.  We've already shifted things enough that
> it's virtually impossible to send spam without breaking existing
> (non-spam-related) laws.  But it's a shift, that's all.  By no means
> the end of the battle, or even necessarily a reduction in the amount
> of spam.

I NEVER said it was the end of the battle.  I only said that it was an
essential tool for an ongoing battle.  Just an essential step forward in
measure-countermeasure.

> And BTW.  When you blacklist a domain for abusing domain
> authentication, when do you unblacklist it?  My domain is still
> blacklisted at some sites, and spammers haven't been using it as a
> fake return address for at least five years.  There are IP address
> spaces out there right now that legitimate businesses can't use
> because they are on too many blacklists, even though the spammer long
> since abandoned them.  How often do people take things *out* of their
> blacklist?

It's not really possible to reliably blacklist a domain today since there is
no widely implemented domain level authentication.  You can somewhat
reliably blacklist IP addresses that misbehave, but I don't see how you can
responsibly blacklist a domain when you aren't even sure the message came
from that domain in the first place.  Once domain level authentication
becomes widespread among legitimate businesses, it is their responsibility
to keep a snow white record.  The fact of the matter is, domain level
blacklisting will be even more accurate than IP based blacklisting because
IPs can change from business to business but domains really don't.  You
would be pretty stupid to buy a domain from a spammer who trashed that
domain's reputation.  Of course, blacklisting of domains should only be
done if that spam comes from a verified SMTP server of that domain, either by
SPF, CallerID, or Domain Keys, or all of the above.  No respectable
blacklisting service should be blacklisting a domain based on purported
"from" fields.  Another possibility is that we can leverage the existing DCC
servers to collect these types of statistics on domain level abuse.  I have
a feeling that it would be much simpler if the spammers would simply resort
to domains that don't use any of the authentication standards, but like you
said, it will be a shrinking pool.

If DCC can track domain level abuse statistics of authentication compliant
domains, then a spammer will only be able to use a domain to send a couple
thousand pieces of spam before all DCC client SMTP servers start rejecting
that domain outright within a matter of hours, especially if that domain is
brand spanking new off some $7 registry service.  That new domain would
statistically be sending 100% spam with 0% legitimate email and would have
very little leeway to misbehave.  If a new domain gets registered and they
send a couple hundred legitimate emails with zero spam, they would have a very
clean record, but the minute they misbehave they would have a dirty record.
On the other hand, a large ISP such as AOL could probably survive if a
hacked account sends 10,000 pieces of spam before it's caught, because 10,000
spams in the context of a million pieces of email is nothing statistically.
All of this could happen in real time, but the DCC clients would have to
proxy the complaints from their users to the DCC servers in real time.  The
complaints from the users could simply be in the form of a user hitting a
button to "block this domain" from that point on, and that action alone
should trigger a negative vote to their local SMTP server, which will in turn
send the complaint to the DCC server.

I realize that a spammer could essentially purchase 1000 domains for $7000
to last them for a year under this cat and mouse game.  But, this is where
the law needs to step in and really go after those people who buy those
batches of domains for the sole purpose of spamming.  If you are a
legitimate marketer, there is absolutely no reason that you should ever need
more than a single domain to send email blasts.  I realize that this will
take effort from the domain registries and the Government, but clearly the
Government has shown a willingness to act.  Obviously, they're not going to
buy a thousand domains with cash, and surely they will be traceable by their
credit card.

One thing for sure, however, is that it will be very easy to have a pure as snow
whitelist of domains that do abide by domain authentication and never
abuse it.  What I would start doing is automatically dropping all
unauthenticated domain emails in a "questionable" box.  Then I'd go in there
at the end of the day and just glance at the senders and subject lines of
100 messages and probably just wipe the entire folder unless something stuck
out.  All authenticated email would get my attention in an "authenticated"
folder.  Within the "authenticated" folder, messages from borderline domains
will go into a "questionable" sub folder.  Within that folder, I'll glance
through and pick out anything legitimate and move it to the parent folder.
Then I'll hit a button that will send a complaint ultimately to DCC for all
the remaining messages in that folder.
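The two ideas in the message above, a volume-aware domain reputation built only from complaints against authenticated mail, and the authenticated/questionable folder triage, can be sketched in one small model.  The code below is an added illustration, not part of the original post and not DCC's code; the Wilson lower bound, the thresholds REJECT_AT and QUESTIONABLE_AT, the domain names and the message counts are all constructed assumptions chosen to reproduce the scenarios the post describes (a throwaway domain that sends 2,000 spams, a large ISP with 10,000 spams in a million messages, a new domain with a couple hundred clean messages that then misbehaves).  The one rule it enforces that the post insists on is that a complaint against a message whose domain did not authenticate is never attributed to that domain.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical thresholds (not from the post): reject outright once we are 95%
# confident the complaint rate exceeds REJECT_AT; file as "questionable" once
# we are confident it exceeds QUESTIONABLE_AT.
REJECT_AT = 0.50
QUESTIONABLE_AT = 0.05
Z95 = 1.959964  # two-sided 95% normal quantile for the Wilson interval


def wilson_lower_bound(complaints: int, total: int, z: float = Z95) -> float:
    """Lower end of the Wilson score interval for the true complaint rate.

    Few observations give a wide interval, so a handful of complaints does not
    condemn a domain; 2000 complaints out of 2000 messages pins it near 1.
    """
    if total == 0:
        return 0.0
    p = complaints / total
    centre = p + z * z / (2 * total)
    margin = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return max(0.0, (centre - margin) / (1 + z * z / total))


@dataclass
class Message:
    sender_domain: str  # domain the message claims to come from
    auth: str           # SPF/DKIM-style result: "pass", "fail" or "none"


class DomainReputation:
    """Per-domain counts of authenticated messages and user complaints."""

    def __init__(self) -> None:
        self.seen = defaultdict(int)
        self.complaints = defaultdict(int)

    def observe(self, msg: Message) -> None:
        # Only mail that actually authenticated as the domain counts toward its
        # volume; a forged From: neither builds nor burns its reputation.
        if msg.auth == "pass":
            self.seen[msg.sender_domain] += 1

    def complain(self, msg: Message) -> bool:
        """User hit 'block this domain'. Returns whether the vote was recorded."""
        if msg.auth != "pass":
            return False
        self.complaints[msg.sender_domain] += 1
        return True

    def record_bulk(self, domain: str, seen: int, complaints: int) -> None:
        """Aggregate statistics as a DCC-style server would hold them."""
        self.seen[domain] += seen
        self.complaints[domain] += complaints

    def score(self, domain: str) -> float:
        return wilson_lower_bound(self.complaints[domain], self.seen[domain])

    def verdict(self, domain: str) -> str:
        score = self.score(domain)
        if score >= REJECT_AT:
            return "reject"
        if score >= QUESTIONABLE_AT:
            return "questionable"
        return "clean"


def triage(rep: DomainReputation, msg: Message) -> str:
    """Folder (or rejection) for an incoming message, per the workflow above."""
    if msg.auth != "pass":
        return "questionable/unauthenticated"
    verdict = rep.verdict(msg.sender_domain)
    if verdict == "reject":
        return "reject"
    if verdict == "questionable":
        return "authenticated/questionable"
    return "authenticated"


def simulate() -> dict:
    """Constructed scenario (not real data): three domains and one forgery."""
    rep = DomainReputation()
    rep.record_bulk("fresh-spam.example", seen=2000, complaints=2000)
    rep.record_bulk("big-isp.example", seen=1_000_000, complaints=10_000)
    rep.record_bulk("new-biz.example", seen=200, complaints=0)
    new_biz_before = rep.verdict("new-biz.example")
    for _ in range(50):  # the new business starts spamming
        m = Message("new-biz.example", "pass")
        rep.observe(m)
        rep.complain(m)
    forged = Message("big-isp.example", "fail")  # virus forging the ISP
    forged_counted = rep.complain(forged)
    return {
        "spam_domain": triage(rep, Message("fresh-spam.example", "pass")),
        "big_isp": triage(rep, Message("big-isp.example", "pass")),
        "new_biz_before": new_biz_before,
        "new_biz_after": triage(rep, Message("new-biz.example", "pass")),
        "forged": triage(rep, forged),
        "forged_counted": forged_counted,
        "big_isp_complaints": rep.complaints["big-isp.example"],
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The lower confidence bound is what makes the volume argument in the post concrete: the throwaway domain's bound sits at roughly 0.998 after 2,000 complaints and is rejected, the ISP's bound stays below 0.01 despite 10,000 complaints, and the new business moves from "clean" to the questionable sub folder after 50 complaints against 250 authenticated messages.  The forged message is filed under the unauthenticated folder and leaves the ISP's counters untouched.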





_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg