Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
On July 27, 2004 at 21:08 george_ou at netzero.com (George Ou) wrote:
> I believe the two of you are talking about 2 different things here. This
I don't think so.
> too has been gone over many times. You're talking about malware (or a
> unscrupulous person) using his legitimate SMTP account to send spam. Larry
Ok.
> is talking about armies of broadband enabled zombies that send direct SMTP
> spam from their IP addresses over port 25 with its own SMTP engine (which
> make up the bulk of spam right now). The issue is if and when the malware
I don't see any inherent difference except in the microscopic details.
A computer uses software to send spam in each case.
> (worm/virus/Trojan) harvests the cached SMTP password and uses the
> legitimate SMTP account to send SPAM from the SenderID approved SMTP server,
> what will stop that. I think we're beating a dead horse on this issue and
I don't think so.
I think it's at the heart of the issue.
SPF and related will likely have zero effect on spam, other than some
details of how it's formatted.
But that's reminiscent of when we started checking that from hosts
actually existed, spammers at that point could no longer randomly
generate hosts, they had to use an existing host name in
addresses. Big deal, they continued to grow exponentially.
> Larry has even gone as far as writing an article about rate limiting normal
> SMTP accounts to something like 100 an hour or no more than 200 a day (what
Ok but that's nothing to do with SPF et al.
Unless your argument is that we do SPF, which does nothing, and we
rate-limit all potential zombies (by what force? goodness of the ISPs'
hearts?), which oughta have some effect (no argument), so add zero to
some effect and you get...well, more than zero!
> ever the numbers are). Then if that is still being abused, it will be
> easier to ask the ISP to block that account than to track down its DHCP IP
> address. Not to mention that the account can be externally blacklisted.
How is that any different than right now?
Why can't we solve the problem by just blocking accts and tracking
down DHCP addresses right now?
The machine the spam came from is accurately reflected in the Received
line of every single spam.
SPF (ET AL) don't help or hinder that.
> It's obvious that in a post SenderID world, this will be one of the main
> issues along with the cheap $8 a year domain names that spammers will buy
No, nothing you've said makes any of this in the slightest bit obvious.
Why not address the issue directly, how does SPF stop a zombie'd
machine which can otherwise send email from sending spam?
> 1000 at a time. But let's get to that world first and deal with the
> remaining issues, rather than beating a dead horse and making zero progress.
No, let's make sure SPF et al aren't total, worthless crap (which I
suspect they are, at least for spam) before they're endorsed as some
sort of effort to stop spam when we know damn well they're not.
Or are we now at the point that it'd be just rude to point out that
the emperor has no clothes and what you're actually saying is that
it's rude of me to say so?
> The question is not whether SenderID is the ultimate cure-all, but is it a
No, the question is whether it will do anything at all for spam,
anything worth the trouble of adopting it.
Otherwise we've done the public a serious disservice.
> huge step forward. Although the size of the step forward is debatable, I
> think most of us agree that it is an important step forward worth taking.
And I suppose if the majority voted that 1+1=3 that'd make it so.
It's amazing how no one can technically defend SPF, but we get lots of
this sort of content-free patter derived from "better than nothing!",
"not a panacea but progress!", "surely there can't be this much
support for something worthless!" (hey ask all the guys that slaved
for years over the OSI standards.)
As far as spam goes, SPF et al seem to me like worthless crap.
They may have some value as weak authentication systems to help
with phishing but even that's questionable.
They might prevent a phisher from sending email purporting to be from
(e.g.) service at citibank.com but there are a thousand variations on
that which would fool many people just as well (service at citi-bank.com,
service at citibanks.com, service at service-citibank.com,
service at cit1bank.com, service at the-citibank.com, etc etc etc etc etc.)
But this isn't the anti-phish research group.
I think it'd be worthwhile for someone to lay out a reasonably
rigorous explanation of how SPF et al are going to stop spam, not just
egregious versions of minor forgery, but spam.
Because every time I point out that it won't I get the old "emperor
has no clothes" run around (boo, hiss, how rude to point it out!)
--
-Barry Shein
Software Tool & Die | bzs at TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
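
Added example, not part of the original message: a minimal Python model of an SPF check, limited to the ip4 and all mechanisms, run over three constructed deliveries that mirror the cases argued in the thread (direct forgery from a zombie, relay through an authorized server using a harvested account, and a look-alike domain). The SPF records, the IP addresses (documentation ranges) and the ISP domain example.net are constructed for illustration and are not real DNS data.

```python
import ipaddress

# Constructed SPF policies (not real DNS data): domain -> published record.
SPF_RECORDS = {
    "citibank.com":  "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net":   "v=spf1 ip4:198.51.100.25 -all",   # hypothetical ISP relay
    "citi-bank.com": "v=spf1 ip4:203.0.113.0/24 -all",  # look-alike domain
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate only the ip4 and all mechanisms of the sender domain's record."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, include, etc. are out of scope for this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"

# Constructed deliveries: (description, connecting IP, envelope sender)
CASES = [
    ("zombie sends direct, forging the bank", "203.0.113.77", "service@citibank.com"),
    ("zombie relays via its ISP account", "198.51.100.25", "user@example.net"),
    ("sender uses its own look-alike domain", "203.0.113.77", "service@citi-bank.com"),
]

def evaluate_cases():
    return [(desc, check_spf(ip, sender)) for desc, ip, sender in CASES]

if __name__ == "__main__":
    for desc, result in evaluate_cases():
        print(f"{result:5} {desc}")
```

Only the first delivery is rejected: the check ties a connecting IP to the envelope domain's published policy, so mail relayed through an authorized server, or sent from a domain the sender controls, evaluates as pass.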