Re: [Asrg] Unique innovations made to anti-spam system

[Michael Kaplan <michaelkaplanasrg at gmail.com>]

On 1/24/06, Bart Schaefer <schaefer at brasslantern.com> wrote:

> On Jan 24,  1:12am, Michael Kaplan wrote:
> }
> } A single zombie spam sender can send out multiples of thousands of
> } spams a day. A zombie bounce collector can only spam the small number
> } of people who correspond with the owner of the hijacked PC.
>
> You miss the point.  The bounce collector isn't spamming the people who
> correspond with the hijacked PC -- in fact, it isn't necessary for it
> to spam anyone.  All it's doing is filtering the [forged] reply mailbox
> for an ordinary spam run, or more likely for a special harvesting run
> that doesn't [other than the forgery] appear to be spam.  The victims
> of the harvesting don't have to be existing correspondents of anyone, as
> the whole point is to induce their ISACS system to emit a challenge.
>
> The bounce collector then phones home and drops off the ISACS bounces
> for decoding, and a second spam run later ensues using the harvested
> addresses, possibly with different and this time likely undeliverable
> return addresses.  And remember that this is initially occurring from
> to-this-point trusted domains, so there aren't any CAPTCHAs to decode.

 

I will concede that you can describe a mechanism whereby bots can be used to attack ISACS, and I have no doubt that this will happen, but I think that the impact is greatly exaggerated.  This is the myth of the spam zombie's omnipotence/omnipresence/infinite ease of deployment.  I say this because even today under the current email system many users have little or no spam while others who use the identical email system get flooded.  If spammers had limitless access to every ones email address then everyone would get flooded.  The currently existing sub-address email systems would be of no benefit whatsoever (even the head of our group has stated that one of the sub-address email systems "apparently has lots of happy users").

 

These bots are a problem but their ability to snoop is still limited.

The problems involved in snooping ISACS sub-address can only be more difficult.

The damage done to these accounts is reversible, and the sub-address helps in tracking down the zombie.

 

 

With ISACS, the harvester can, in an automated fashion, "grow" (by
inducing challenges) an unlimited number of subaddresses to target,
and (by direct infection) create a nearly unlimited number of them to
use as bounce traps; and can efficiently filter for known-good base
addresses.  One could even, with the appearance of innocence, collect
several subaddresses for each known-good target before beginning the
first real spam run against any of them, then continue the harvesting
process while rolling over to the next such subaddress when the first
becomes disabled.  It'd be a long time before he ran out of ammo; the
registry of trusted domains would be emptied first, except for a few
one-user vanity domains who could carry on their private conversations.

 

What you describe can happen but it is treatable.  The spam bot will reveal itself as soon as some of those collected sub-addresses are used; the spam bot can then be killed. 

 

But what if this bounce trap collected an unlimited number of CAPTCHA-free bounces?  A time limit can be placed on sub-addresses during which they must be used at least once or they will expire.  I'll say seven days.  This means that an ISACS user who fell victim to this spam bot would get as much spam for seven days as a normal email user.  After that the "limitless" number of bounces collected will be garbage.

 

 

And now to respond to another poster:

 

>    On 1/23/06, Richard Clayton < richard at highwayman.com> wrote:

>I'll use my figure of 80 million
>    CAPTCHA solved in order to deliver one million spam.

hmm... I did try to explain that 4 million might be wiser :(

I think you miscalculated.  How about I say the spammer harvests bounces by sending 80 million emails using a real return address.  I'll be generous and say that the spammer has a 100% return because he sent the mail without any kind of filterable material.

 

Now the spammer has 80 million CAPTCHA that he pays people to solve.  He now sends 80 million pieces of good old-fashioned spam with spoofed addresses.  95% of this is filtered and 4 million gets through.  75% of these addresses are bogus accounts so only one million pieces of spam has hit its target.

 

The spammer has paid to decode 80 million CAPTCHA.

But there is another big expense:  The spammer has sent 80 million email with a real return address.  The spammer may have registered a bunch of personal domains for this purpose.  Honeypots can be used to detect these newly created spammer domains. Lets say that the spammer can use each domain 100,000 times before this untrusted domain actually makes it onto a blacklist and becomes useless to the spammer.  At just $5 to register a domain this single mailing has cost the spammer $4,000.

 

>Almost every commonly
>    used domain is trusted, but this spam is using a sub-address that
>    was sent to an untrusted domain; a stronger filter can be applied
>    to sub-addresses sent to untrusted domain.

Unless that stronger filter is "drop all" then I don't accept that
somehow there are better filters :(  

 

 

By "stronger" I meant one with a greater true positive rate but worse false positive rate compared to what would usually be tolerated.

 

You seem to be redesigning your system :(  

 

Yes, constantly.  The interaction on this board has been invaluable.  I appreciate the criticism because after a while I use this criticism to improve this system.

 

I believe that have found a way around a certain MAJOR criticism that has come up over the past few days.  As soon as I get some time I am going to completely redo my site to reflect the solution.

 

Thank you all for your input,

Michael Kaplan

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg