Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
----- Original Message -----
From: "Andreas Saurwein" <saurwein at uniwares.com>
To: <asrg at ietf.org>
Sent: Thursday, June 24, 2004 4:46 PM
Subject: Re: [Asrg] [IP] 4 Rivals Almost United on Ways to Fight Spam
> As long as the user CAN send and receive this type of content by mail, they
> will do so and it will be abused. Remove the features from all mail clients
> to solve this problem. Declare MIME dead. Plain text is the only valid mail
> format.
> Then you might have a chance to solve these problems.

Killing MIME is not the answer, because they will simply send plain text
clickable URLs to the executables hosted by some 3rd party service via FTP
such as ftp://ftp.MyAttachments.com/my.exe. Even if you change the default
behavior of email to not have clickable URLs, users will simply learn to
cut-paste the URL into their web browser. Case in point in a recent
example, people are obviously dumb enough to open up a password protected
zip called "InfectMe.zip" with the password "IAmSuchAnIdiot" because the
text based email told them to do so.

The better solution is to restrict file execution based on Authenticode
signatures. Windows XP Service Pack 2 does the best job I've ever seen of
addressing this. Even if the attachment is saved to the hard drive, it
retains "memory" of the fact that it came from an untrusted place so that
you cannot execute the file by accident. Of course, you can manually open
it by force if you really wanted to but at least the percentage of
infections will go down.

The bottom line is, the zombie phenomenon will be easier to manage in a post
SMTP authentication world. Instead of receiving spam from a Dynamic IP
address (possibly NATed as well), you will potentially receive spambot
messages from a legitimate email account. Obviously that is a much more
granular situation where you can rate limit user accounts on the SMTP server
and/or shut down that email account. That is a hell of a lot more accurate
and less likely to cause collateral damage than blacklisting the IP address
or blocking outbound port 25 by default.

A much larger problem I predict will be the spammer that buys 1000 domain
names for $7000 and changes their domain name every day to keep ahead of the
blacklisting game. Since it will only cost $7 a day to operate like this,
it will probably be a much larger problem than the hijacked SMTP accounts.

One possibility that might address this larger issue is if the owner of the
domain will voluntarily register their name, photo, and fingerprint in a
private and secure format and certifiably tie it to their domain. The name
and photo could be encrypted such that only law enforcement off a court
order can decrypt that information for the purpose of tracking spammers or
fraud. Of course, the only way this scheme would work is if the 500 top
ISPs in the world will flat out reject any communications from any SMTP
server whose domain is not certified in this manner. It's all a question of
how badly do you want (need) to fight off the spam problem. Some might say
that it is already possible to track a spammer down and that is true, but
this just makes it really easy and undisputable in a court of law. All I'm
suggesting is that we make the owner of a domain accountable and make it
easy for law enforcement to track down the owner.
George Ou
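
An added illustration of the per-account rate limiting argued for above, not part of the original message: the same sliding-window limit is applied to one constructed traffic sample, keyed first on client IP (standing in for IP-level action) and then on the authenticated SMTP account. The limits, the NAT address and the account names are assumptions made up for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed policy: sliding one-minute window
MAX_PER_WINDOW = 5    # assumed policy: messages accepted per key per window
IP, ACCOUNT = 1, 2    # field positions in an event (timestamp, ip, account)

def throttle(events, key_field):
    """Apply a sliding-window limit keyed on one event field.
    Returns (accepted, rejected) lists of events."""
    recent = defaultdict(deque)  # key -> timestamps of accepted messages
    accepted, rejected = [], []
    for event in events:
        ts, key = event[0], event[key_field]
        window = recent[key]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()     # forget messages older than the window
        if len(window) < MAX_PER_WINDOW:
            window.append(ts)
            accepted.append(event)
        else:
            rejected.append(event)
    return accepted, rejected

def collateral(rejected, bad_account):
    """Rejected messages that did not come from the abusive account."""
    return [e for e in rejected if e[ACCOUNT] != bad_account]

def sample_events():
    """Constructed sample: one zombie and two ordinary users share a NAT IP."""
    nat_ip = "192.0.2.10"  # documentation address, made up for the example
    events = [(t, nat_ip, "zombie@example.net") for t in range(30)]
    events += [(10, nat_ip, "alice@example.net"),
               (20, nat_ip, "alice@example.net"),
               (12, nat_ip, "bob@example.net"),
               (25, nat_ip, "bob@example.net")]
    return sorted(events)

if __name__ == "__main__":
    for name, field in (("per-IP", IP), ("per-account", ACCOUNT)):
        ok, dropped = throttle(sample_events(), field)
        lost = collateral(dropped, "zombie@example.net")
        print(f"{name}: accepted={len(ok)} rejected={len(dropped)} "
              f"legitimate mail lost={len(lost)}")
```

Keyed on IP, the zombie uses up the shared allowance and the other users' mail is rejected with it; keyed on account, only the zombie's account is throttled.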