On Wed, 5 Mar 2003, Vernon Schryver wrote:
> However, please let's not talk about ways to defeat specific checksum
> systems, unless you are a spammer, and in that case I trust you'll be
> unsubscribed by the management. There's no profit in making more work
> for those of us who tweak our checksums to counter the new tactics of
> spammers. For example, as those who've been watching spam know, a
> recent cycle of that involves <!--HTML comments-->.

There's a Catch-22 here. We don't want to aid spammers, but we want to be
able to combat them effectively. It's the same problem computer security
researchers deal with daily. We probably need to adopt a similar strategy
of open peer review, to establish faith in a technique by having many smart
people try to break it, with full knowledge of the technique.

To avoid discussions of how to defeat any particular technique may provide
some temporary security through obscurity, but it could backfire. We might
spend a lot of time and effort on a technique that turns out to be easily
subverted. It might work well as a niche effort, but if it ever becomes
mainstream, the spammers will take notice and work on countermeasures.

Security through obscurity is more effective for those who are agile enough
to change direction when that obscurity is pierced. The Internet email
infrastructure, as a whole, has the least agility of all. If we want to
find a way to save the world from spam, we need a solution that can be
entrenched, and that will take time. Spammers have the benefit of agility,
so obscurity plays to their advantage.

I believe we need to find a solution that can withstand intense scrutiny,
even if it imperils the current effectiveness of niche solutions. We need
a mainstream solution, and to know it will work, we need to try to think
like a spammer and look for every sneaky way to subvert the system. That's
the only realistic route to a long-term solution.

Personally, I believe an effective solution will probably require a massive
change in the email infrastructure. SMTP is just too easily abused, in its
current form. I'm thinking ESMTP extensions coupled with a PGP-style web
of trust (between servers and/or users) has real possibilities...

Deven
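The checksum "tweak" Vernon alludes to, shown as an added example that is not from this thread or from any particular checksum system: inserted HTML comments change the raw digest of an otherwise identical message, so the defender canonicalizes the body (drop comments, drop tags, collapse whitespace, lowercase) before hashing. The sample messages, the `normalize` function and the use of SHA-256 are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample messages (not taken from any archive): the same body
# once plain and once padded with HTML comments to perturb a naive checksum.
ORIGINAL = b"<html><body>Buy  now!<br>Limited offer</body></html>"
PADDED = b"<html><body>Buy <!--x7q-->now!<br><!-- 91a -->Limited offer</body></html>"

# Assumed canonicalization rules; a production normalizer would use a real
# HTML parser rather than these regexes.
_COMMENT_RE = re.compile(rb"<!--.*?-->", re.DOTALL)  # HTML comments, non-greedy
_TAG_RE = re.compile(rb"<[^>]*>")                    # remaining tags
_WS_RE = re.compile(rb"\s+")                         # any run of whitespace


def normalize(body: bytes) -> bytes:
    """Return the canonical form that the checksum is computed over."""
    body = _COMMENT_RE.sub(b"", body)        # comments carry no visible text
    body = _TAG_RE.sub(b" ", body)           # tags become word separators
    body = _WS_RE.sub(b" ", body)            # collapse whitespace runs
    return body.strip().lower()


def checksum(body: bytes, normalized: bool = True) -> str:
    """SHA-256 hex digest of the body, canonicalized unless told otherwise."""
    data = normalize(body) if normalized else body
    return hashlib.sha256(data).hexdigest()


def same_message(a: bytes, b: bytes) -> bool:
    """True when two bodies collapse to the same canonical checksum."""
    return checksum(a) == checksum(b)


if __name__ == "__main__":
    print("raw digests differ:      ", checksum(ORIGINAL, False) != checksum(PADDED, False))
    print("normalized digests match:", same_message(ORIGINAL, PADDED))
    print("canonical form:          ", normalize(ORIGINAL))
```

Each new evasion (entity encoding, zero-width characters, tag attribute noise) needs another canonicalization rule, which is exactly the treadmill the post describes; what the example shows is that the rule set, not the hash function, is where the tweaking happens.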
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg