Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
Responses below....
----- Original Message -----
From: <gep2 at terabites.com>
To: <letters at nytimes.com>; <dfarber at cs.cmu.edu>; <mswish at microsoft.com>;
<asrg at ietf.org>; <charlesv at microsoft.com>; <sballmer at microsoft.com>;
<bsullivan at aol.com>
Cc: <gep2 at terabites.com>
Sent: Wednesday, June 23, 2004 12:03 PM
Subject: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
> 1) There is NOTHING that requires that spam be sent with fake return
> addresses... spammers use phoney return addresses largely AS A KINDNESS so that
> complaints and bounces don't converge back on some poor victim's E-mail inbox.
Kindness? More like they don't want to hear the complaints themselves on
their own spammer equipment. If you're careless enough to let a spammer
zombie your computer, maybe getting an earful of complaints is what's going
to make you wake up and patch your system and upgrade to WinXP SP2 as soon
as it's out.
> 2) Requiring the use of "real" return addresses, besides not preventing the
> sending of spam, makes the spam problem WORSE instead of better... suddenly,
> victimized ISPs will have to DELIVER (and store!) all these bounce messages and
> complaint messages.
Worse? I've heard of a lot of valid criticisms on why authentication may
not work, but make things worse? You've got to be joking. You're assuming
that all spam in the post authentication world will be sent on hijacked
valid email accounts. If that problem begins to surface, ISPs will begin to
rate limit all users by default to something like 100 messages a day, which
the vast majority of people will not mind. If you need more, do a special
agreement with the ISP or run your own mail servers. If you abuse email
whether intentionally or unintentionally, you deserve all the flak for it.
> These worms can be
> reprogrammed, LITERALLY overnight, to use "real" return addresses and
> authorizations belonging to the infected machine's legitimate owner. Once
> that's been done, sender authorization is *useless* other than (hopefully)
> rapidly identifying the infected machine.
See rate limiting above, and motivation to patch yourself.
> Those "experts" are blowing smoke. I don't know why they're so fixated on these
> misguided and ill-conceived "authentication/authorization" approaches, but
> ultimately these approaches mostly just hurt numerous legitimate users, and do
> not really solve the problem.
Those "legitimate" users need a nice flame in their rear for leaving
themselves wide open. If this gets their email account shut down for
spamming, then let that be a lesson to them. Right now, they just spew and
spew out spam until the ISP shuts off their port 25 access. The post
authentication world will have a much more granular and pinpoint way to
combat them on the application layer and not just the network layer of
source IPs. You can now track the zombie by legitimate email accounts
rather than source IP addresses that were acquired via DHCP.
> > "The biggest thing we can do to reduce spam is sender
> > authentication," said Brian Sullivan, the senior director
> > for mail operations at America Online.
>
> That's simply *rubbish*. Unless and until they get the spambot zombie problem
> under control, they cannot solve the spam problem. And it's relatively easy to
> solve the spambot zombie problem by using a finely-grained permissions system,
> where each recipient authorizes senders to send them familiar and trusted types
> of material.
Your vision of a "finely-grained" permission system is a grand illusion that
everyone will update their email client software which wouldn't work anyways
without some form of sender authentication. All the proposed authentication
schemes only require action on the part of the SMTP servers and the addition
of a few DNS records. Your proposal requires that all the email clients
of the world be updated which is a pipe dream.
> For example, I might grant my Aunt Gertrude the right to use fonts and
> bold/underline in her E-mails to me, or JPGs of her poodle Fifi, but I wouldn't
> grant her the right to send me Javascript, ActiveX, or executable attachments.
> E-mails that LOOK like the sort of things I'd expect to get from Gerty would be
> delivered to me; even if her machine got turned into a zombie spambot. Stuff
> that DOESN'T look like what I expect to receive from Gerty would be summarily
> t-canned, even if it (actually and truly) came from her machine and with her
> return address. (In practice, most people wouldn't allow ANYBODY AT ALL to send
> them executables, PIF files, SCR files, CPL files, VBS files, and the like...
> even ZIP files... which would essentially eliminate the ability of infecting
> those user machines with zombie spambots! You don't require daily updates of
> virus/worm signatures (which, of course, also inevitably LAG the problem) for
> that!)
> Once HTML is denied in E-mails of unapproved senders, most of the tricks and
> deceptions that spammers and phishers use are also prevented. This allows a
> good content-based antispam filter to very effectively deal with the spam that's
> left.
There is an even better approach for combating unintentional malware
execution due out in a few months. It's called Windows XP Service Pack 2,
and it doesn't need your misguided "finely-grained" permission system which
wouldn't work without some form of sender authentication anyways. After
all, what good is sender permissions if you can't verify it's really the
sender?
> The nice thing about a permissions-based system controlled by a recipient is
> that it requires NO complex re-engineering of the world's E-mail infrastructure,
> can be implemented IMMEDIATELY, is easy to understand and use, and immediately
> benefits those users as soon as they install it.
It would require action on a billion users (when pigs fly), rather than
just the action of the top 500 ISPs to adopt Sender ID and/or Domain Keys
and flat out reject any unauthenticated SMTP. No Gordon, people are not
going to "install" your scheme.
> So they require that the zombie spambot software sends the message using the
> victim machine's real E-mail address (or, perhaps, the E-mail address of a
> different user who happens to use the same ISP domain name). And there the SPF
> solution reaches "end of road". You've adopted this grand scheme, and suddenly
> you've reached the end of your rope and you've still got the spam/virus/worm
> problem. NOW WHAT? Duh!
Spam is an ongoing fight even with SMTP authentication, but SMTP
authentication will be a sanity check that we cannot afford to ignore.
Nobody is suggesting that SMTP authentication is the silver bullet or a cure
all.
> 1) You're a travelling salesperson or executive and occasionally need to use
> Internet cafes, airport waiting lounge kiosks, cruise ship internet cafes, or
> other such places to send your important E-mail. Clearly you want to (and NEED
> to) send it using your own company's E-mail address, since you won't be at that
> location long enough to receive the needed replies at the temporary location
> E-mail address. But you won't be (and often can not be) sending via your
> habitual SMTP server associated with your domain name.
Says who, you can email all you like through your own SMTP server so long as
you authenticate, or via HTTPS Webmail so long as you authenticate. What
are you smoking?
> All of these authentication/authorization approaches (like the micropayments
> schemes too, for that matter) simply don't work when zombie spambots commandeer
> authorized/authenticated machines and send out spams using a victim's legitimate
> authorizations.
You talk about zombies a lot, but what happens to your grand
"finely-grained" scheme when one of your "installed" user base gets
infected?
> But bigger organizations (say, Comcast.com/.net, or Earthlink, or AOL) which
> have many millions of users and at the very least probably HUNDREDS of mail
> servers mean that if a given E-mail comes from a valid ISP E-mail user name and
> through ANY of that ISP's mail servers, it will still be "approved" (as indeed,
> it would NEED to be... an Earthlink user might be travelling and call in to the
> Earthlink access number in a distant city, during a trip). User A's Comcast
> E-mail address could be forged by any of six or ten million zombie-infected
> Comcast-connected machines in other cities, and still pass these misguided and
> ineffective "authorized mail servers for the user's domain" tests with flying
> colors. :-(
Will this ever end? Bottom line, if you're careless with your computer or
SMTP credentials, only your email will be bombed with complaints and be shut
down. It's a hell of a lot easier to track a compromised SMTP account that
is spamming than trying to track down some DHCP IP address of a zombie. Ok,
this is where I have to say enough is enough. I'll just cut the rest of
your nonsensical post.
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
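
Added example, not part of the original message or of any mail server's code: a Python sketch of the per-account daily limit and the account-versus-DHCP-address tracking argued for in the reply above. The log records, account names and addresses are constructed, the function names are hypothetical, and the limit of 100 messages a day is the figure suggested in the reply.

```python
from collections import Counter
from datetime import date

DAILY_LIMIT = 100  # "something like 100 messages a day", per the reply


def constructed_log():
    """Constructed sample: one (day, authenticated_user, source_ip) per message."""
    day = date(2004, 6, 23)
    records = []
    # Compromised account: 240 messages; its DHCP lease changes every 60 messages.
    for i in range(240):
        records.append((day, "gerty@isp.example", f"198.51.100.{10 + i // 60}"))
    # Ordinary users, well under the limit, each on one address.
    records += [(day, "alice@isp.example", "198.51.100.77")] * 35
    records += [(day, "bob@isp.example", "198.51.100.78")] * 12
    return records


def over_limit(records, key_index, limit=DAILY_LIMIT):
    """Return {(day, key): count} for keys whose daily count exceeds the limit.

    key_index=1 counts per authenticated account, key_index=2 per source IP.
    """
    counts = Counter((r[0], r[key_index]) for r in records)
    return {k: n for k, n in counts.items() if n > limit}


def enforce(records, limit=DAILY_LIMIT):
    """Replay submissions, accepting each account's first `limit` per day."""
    used, accepted, deferred = Counter(), [], Counter()
    for day, user, ip in records:
        if used[(day, user)] < limit:
            used[(day, user)] += 1
            accepted.append((day, user, ip))
        else:
            deferred[user] += 1  # candidate for suspension and user notification
    return accepted, dict(deferred)


if __name__ == "__main__":
    log = constructed_log()
    print("flagged by account:", over_limit(log, 1))
    print("flagged by source IP:", over_limit(log, 2))
    accepted, deferred = enforce(log)
    print("accepted:", len(accepted), "deferred:", deferred)
```

In this constructed log the compromised account is flagged when counting per authenticated account, while no single DHCP address crosses the limit, which is the tracking difference the reply describes.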