Re: [Asrg] Unique innovations made to anti-spam system
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <cb84d2fe0601231942y293d98bejd7077b6c9c04df98 at mail.gmail.com>
, Michael Kaplan <michaelkaplanasrg at gmail.com> writes

>    On 1/23/06, Richard Clayton <richard at highwayman.com> wrote:
>
>>       I've never tried solving CAPTCHAs at speed, so I couldn't predict how
>>       fast I could do them for hours on end. But it looks to me that the cost
>>       is definitely going to be in fractions of a cent/solution.
>
>    Try solving a few of the Microsoft CAPTCHA.  An experienced person
>    should take about 3 seconds.  Working nonstop 12 hours a day would
>    get you 14,400 solved CAPTCHA.

Whether it is 1 second or 3 is to some extent in the noise compared with
the other assumptions.

>    I'll use my figure of 80 million CAPTCHA solved in order to deliver
>    one million spam.

hmm... I did try to explain that 4 million might be wiser :(

>    That means that every day the spammer is employing 5,556 workers
>    using 5,556 computers that use electricity and may need air
>    conditioning.

http://laptop.media.mit.edu/

>    And the third world owner of this business needs a cut and you'll
>    need security guards so that the computers won't get stolen and...
>
>    However you crunch the numbers this is a major expense.

I agree it is an expense. It's just that you think it is 20 x what I do.

Unfortunately for the scheme design, that 20 moves it into an area where
spammers could continue to operate efficiently.

For major disruption I'd like to see schemes where spammers had to
achieve savings of 100 or 1000 times what legitimate businesses had to.

Sadly, proof-of-work (however dressed up) does not have that property :(

Hence the only way to get it into the ballpark is to tack onto it some
sort of whitelisting scheme [or an equivalent blacklisting one]

The sub-addresses in the Kaplan scheme are whitelisting. However, I
don't think (hence my sums) that this proposal has a sufficient
multiplier effect to quite make it :(  [there are other issues as well,
but that's sufficient to kill it in my mind]

>>       Why does the filter suddenly improve when the email is sent for the
>>       second time (viz: it starts to discard 95% of the email that it
>>       approved earlier?).  Or -- same idea but different: why does the
>>       spammer send something that is filterable at the first stage?
>
>>       >>       Further, I'd dispute that applying two 95%-effective spam
>>       >>       filters has a net 99.75% success rate.
>>       >
>>       >    Very well
>
>>       hmm... I think it needs more than that as a reply :(
>
>    During the harvesting phase the spammer must do what spammers never
>    do:  use a real and functional return address.

they "never do" it because it isn't necessary in 2006

Once upon a time spammers did have return addresses ... which is why
"public.com" is nailed into codebases all over the planet :(

>    We can speculate about how crippling this would be for the spammer.

I'd prefer some figures based on analysis. I'd note that receiving 4
million emails a day is less than a rack of kit...  think of it as being
equivalent to handling the incoming email for an ISP with about 50K
customers -- so not trivial, but not rocket science either.

>    I'll assume that spammers will be forced to send poorly filterable
>    material during the first round but the incredible burden of using a
>    real return address may still allow for a degree of filtering.

I don't see that -- the "real return address" will continue to function
just fine until it gets onto a blacklist. That will not happen until the
spam is sent -- which can be a long time after the sub-address was
handed out.

>    So we will say that it is on the second round that real spam is 
>    sent and that 95% of this will be filtered.  

I'm accepting your figure there. Over time I expect that to get worse
rather than better (as spam morphs to be more like real email) but at
the moment that's realistic.

>    Almost every commonly used domain is trusted, but this spam is using
>    a sub-address that was sent to an untrusted domain; a stronger filter
>    can be applied to sub-addresses sent to untrusted domain.

Unless that stronger filter is "drop all" then I don't accept that
somehow there are better filters :(  Leastwise not if they don't use
humans in the loop [which might be a better use of cheap labour than
solving CAPTCHAs -- the Good Guys can hire them to clean mailboxes]

>    But also remember that it is very obvious which domains are sending 
>    harvest spam.  

I don't see that at all -- you specifically make the point right at the
start of the explanation of the scheme that sub-addresses are entirely
transferable. You even put "used by anyone" into italics to emphasise
this point :(

>    An ISACS utilizing email service provider may normally get only 50
>    bounce generating emails a day from the little known untrusted domain
>    Sleazy.com.  Now over the last 30 minutes 100,000 bounce generating
>    emails come in from Sleazy.com.

Spammers aren't that dumb -- the emails will be a wide range of
addresses...

For example sleazy-example at yahoo.com, sleazy-example at msn.com and so on.

If you're relying on Yahoo! and MSN to weed out Mr Sleazy (and I cannot
quite understand why you assume that) then the emails will come from
fred at sleazy1.plausible.com, bill at sleazy2.plausible.com etc

I don't accept the need for the spammer to set up all the sub-addresses
over "30 minutes" or to be consistent in their return addresses.

I also don't accept that it is easy to tell the difference between
plausible.com (apologies to the owner of that domain, but there is just
one) and uk.com (who sell example.uk.com domains to thousands of
distinct businesses) -- hence sub-domains will work well.

>    Now the second round of spam comes in using real sub-address but 
>    spoofed "From" fields.  The email service provider can reject and 
>    send ISACS bounces to all of these extremely suspicious 
>    sub-addresses if they do not use the Sleazy.com domain.  

You seem to be redesigning your system :(  Your webpage specifically
says (in fact it puts it into italics) "These addresses can be used by
anyone."  but you now seem to be associating sub-addresses with
particular sources of email.

That puts your scheme right into the horrible mess that is forwarding
and is therefore unwise.  I suggest you redesign it back again :(

>    Legitimate correspondents usually would resend the bounce from the
>    same domain but ISACS usually allows them to use any domain.  Extra
>    restrictions can be placed on these extraordinarily suspicious
>    sub-addresses.  Or these extra-suspicious sub-addresses can just have
>    a ridiculously strong filter applied to them.

I'm sorry, it's not possible to critique a system that is changing under
one's feet (or one that uses mythical filters with mutable qualities).

Set out more clearly what "extra restrictions" are.

Set out more clearly how you deal with forwarding.

Set out more clearly why you believe no damage is done to legitimate
emails by "ridiculously strong filters".

>    There are endless ways to play with the numbers, but I'll stick 
>    with the estimate of 1.6 billion spam emails with real return 
>    addresses sent in order to deliver one million spam (And I repeat 
>    the question - Is this even possible?) 

The "Dutch botnet" discovered last Autumn is reported to have 1.6
million machines in it (off-the-record reports say that there were a lot
more). If each machine sends 1000 emails a day (which is a factor of 50
or so less than can be easily achieved) then you have the volume desired.

So the answer to "is this even possible" is "regrettably, yes".

- -- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBQ9X9NZoAxkTY1oPiEQKmbwCfVATRkpTGfGiwGoHfzEewidxyefwAoJMN
dUbjqgn1KF/Iwc6DnruLAQAf
=8ZaK
-----END PGP SIGNATURE-----

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg