[Asrg] Solving spam == Solving zombies/botnets
From: "Walter Dnes" <waltdnes at waltdnes.org>
Date: Tue, 2 Dec 2008 00:25:37 -0500
To: ASRG list <asrg at irtf.org>
Message-ID: <20081202052537.GC29071 at waltdnes.org>
In-Reply-To: <7eeceb440811291950v3f094d8awbbe38c33f6a22624 at mail.gmail.com>
On Sat, Nov 29, 2008 at 09:50:55PM -0600, mathew wrote
> On Sat, Nov 29, 2008 at 18:29, Rich Kulawiec <rsk at gsp.org> wrote:
>
> > Yes. I have spam-in-hand from multiple incidents. And it is of course
> > not necessary for them to guess, since they could (a) subscribe to those
> > lists and harvest part of the subscriber list (b) grab the archives of
> > [some] lists and harvest part of the subscriber list (c) go through the
> > "address books" and stored mail on any zombied system and note any mailing
> > list which any mail address in use on that system is subscribed to
> > (d) go through any zombie which happens to be a mailing list server (e)
> > etc.
> >
> > So why don't we see more of it? I suspect because it's not worth
> > their trouble -- yet.
>
>
> Then perhaps we should consider a side-discussion of ways to combat the
> problem?
Here's an opportunity to discuss the FUSSP-killer. Email is really
machine-to-machine, which is assumed to be a "reasonable facsimile" of
person-to-person. If a machine can be zombied, then, with the aid of a
key-logger, any certificate/password/jumping-through-flaming-hoops that
a person can supply can also be supplied by his machine. This is what's
known in crime-fighting circles as "an inside job".
Botnets have evolved. Instead of trying to send a million emails a
night through one zombied machine, botnets now send 4 emails a night
through each of 250,000 machines. The latter is almost impossible to
detect, versus the former.
What it boils down to is that to majorly reduce spam, we have to
majorly reduce botnets/zombies.
--
Walter Dnes <waltdnes at waltdnes.org>
_______________________________________________
Asrg mailing list
Asrg at irtf.org
https://www.irtf.org/mailman/listinfo/asrg
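The sending pattern described in the post (4 messages a night from each of 250,000 hosts versus a million from one), as an added example that is not code from the post or from the ASRG list: a constructed, scaled-down simulation of one night of relay events, with the classic per-source volume check beside a cross-source content check. The IP ranges, the body-hash labels, the 100:1 scale-down (10,000 messages total in each scenario) and the threshold values are all assumptions made for the example; the legitimate baseline traffic is generated, not captured.

```python
"""
Constructed simulation (not real relay logs) of one night of outbound
mail, contrasting one loud zombie with a botnet that spreads the same
volume thinly. Ratio follows the post (1,000,000 vs 250,000 x 4), scaled
down 100x so it runs instantly. All addresses and hashes are made up.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from random import Random


@dataclass(frozen=True)
class MailEvent:
    src_ip: str     # connecting host; a zombie using a key-logged password
                    # would be indistinguishable from its owner here
    body_hash: str  # hash of the normalized message body (constructed label)


def legit_traffic(rng: Random, senders: int = 200) -> list[MailEvent]:
    """Baseline: ordinary senders in 203.0.113.0/24, 1-5 unique messages each."""
    events = []
    for i in range(senders):
        ip = f"203.0.113.{i + 1}"
        for n in range(rng.randint(1, 5)):
            events.append(MailEvent(ip, f"legit-{i}-{n}"))
    return events


def single_zombie(total: int = 10_000, ip: str = "198.51.100.7") -> list[MailEvent]:
    """Scenario A: one compromised host sends the whole run itself."""
    return [MailEvent(ip, "campaign-A") for _ in range(total)]


def distributed_botnet(hosts: int = 2_500, per_host: int = 4) -> list[MailEvent]:
    """Scenario B: the same volume spread over many hosts, a few messages each."""
    return [
        MailEvent(f"100.64.{h // 256}.{h % 256}", "campaign-B")
        for h in range(hosts)
        for _ in range(per_host)
    ]


def per_source_threshold(events: list[MailEvent], limit: int = 100) -> set[str]:
    """Classic per-host rate limit: flag any source above `limit` messages per run."""
    counts = Counter(e.src_ip for e in events)
    return {ip for ip, n in counts.items() if n > limit}


def campaign_sources(events: list[MailEvent], min_sources: int = 50) -> dict[str, int]:
    """Cross-source signal: one body hash arriving from many distinct sources in a
    single run is a campaign regardless of how little each source sent."""
    sources: dict[str, set[str]] = defaultdict(set)
    for e in events:
        sources[e.body_hash].add(e.src_ip)
    return {h: len(s) for h, s in sources.items() if len(s) >= min_sources}


def evaluate(scenario: list[MailEvent]) -> dict:
    """Run both detectors over baseline traffic plus one attack scenario."""
    events = legit_traffic(Random(1)) + scenario
    return {
        "total": len(events),
        "per_source_flags": per_source_threshold(events),
        "campaigns": campaign_sources(events),
    }


if __name__ == "__main__":
    for name, scen in (("A: 1 host x 10000", single_zombie()),
                       ("B: 2500 hosts x 4", distributed_botnet())):
        r = evaluate(scen)
        print(f"{name}: per-source flags={sorted(r['per_source_flags'])} "
              f"campaigns={r['campaigns']}")
```

Run as written, scenario A trips the per-source limit and nothing else, while scenario B trips nothing per source: every bot stays far below any sane per-host limit, which is the point the post makes. The content-clustering check catches B only because the bots share a template; a botnet that randomizes bodies per message defeats it too, which is why the practical answer remains the one the post gives, fewer zombies rather than cleverer thresholds.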