Re: [Asrg] About that e-postage draft [POSTAGE]
On Thu, Feb 12, 2009 at 09:58:41PM -0000, John Levine wrote:
> Indeed. Now beef some of them up with some realistic estimates of
> transactions costs, and the costs of dealing with screwed up and
> fraudulent transactions.

Along those same lines, such an estimate must take into account a minimum
of 100M botted hosts, and correspondingly, a minimum of 100M compromised
sets of email credentials. [1]

Thus, such an estimate must be able to cope gracefully with the case
where (say) 1M systems simultaneously (or nearly so) present the same
token to (say) 100K mail systems -- and must do so without permitting
an effective DoS on the transaction processor. (And note that, modulo
the token, this is a routine occurrence. It could reasonably be expected
to become more so if abusers found it effective.)

---Rsk

[1] These estimates may be much too small to reflect reality; for example,
a compromise of my system would eventually expose over 30 sets of such
credentials, each picked up in turn as it was used. Personally, I think
"250m" and "1.5B" are probably more realistic numbers.