At 10:53 AM -0500 3/6/03, Pierre Fortin wrote:
> of control back very simply: enforce path verifiability. Once the path is
> verifiable, much spam will crawl back into its hole, IMO.
I think it might be valuable to classify spam a bit here, so that we
can identify what kinds of solutions address what types of spam.
In particular, there are a growing number of spammers who are using
perfectly identifiable paths. Some of those paths lead to public
ISPs, such that blocking the spammer also results in blocking
legitimate users. The Chinese spam I get from 163.net certainly
doesn't hide the fact that it comes from 163.net. Nor do they care
if I block it. Because the people who can't block it are the people
who regularly communicate with people in China and can't afford to
block a Chinese ISP. And those of course are also the people who can
read the spam. I'm just collateral damage.
The bcc spammers who are using temporary webmail accounts are also
completely path verifiable. They simply don't care that the account
will be torn down in a number of hours. Much of the Spanish Prisoner
(aka Nigerian) seems to fall into that category.
So, how about a start on a taxonomy for spam? Not based on content,
but on the class of technique.
1. Open Relay
Uses an open relay to send spam. The relay is typically a loosely
configured, misconfigured, or buggy mail server. The server may or
may not normally send email. The sender typically attempts to
obscure the true source of the email via fake headers or other
information. But the original email account is probably throw-away.
There's no particular reason the spammer couldn't use the domain of
the relay in the sending email if an "authorized server only" system
was set up.
2. Open Proxy
Like an open relay, except that the email arrives via a different
protocol, so there is usually no trace. HTTP/Socks proxies fit this
category. As do formmail exploits. Rooted servers can also be used
for this purpose.
3. BCC
Uses a throwaway email account sending multiple messages bcc'd to the
sender. Very difficult to tell from normal email use.
4. Viral
Uses a virus or trojan to send email using the machine owner's
account and/or identity. These appear to be on the rise. I've heard
of viral ones, but never seen it documented. Trojan ones are
definitely in use. In addition, some of the trojans (e.g. the latest
e-card one) are reported to have been snarfing the address book back
to the spammer--thus making hay of white-listing systems.
5. Spam Indifferent Host
Uses a paid account at a legitimate ISP for sending spam. Very
common in Chinese spam. No attempt to forge anything.
6. Spam Friendly Host
Major spammer with the infrastructure and pipes for sending bulk
email directly. They may or may not hide the domain. In one case
we've dealt with, the spammer regularly registers new domains every
few weeks and uses those as the source of the email. The IPs keep
changing. The domains keep changing.
Any others?
Looking at these, you want to think on different spam solutions and
see where they have an impact and where they don't. For instance:
Blacklists help against open relays and open proxies. But open
relay blacklists have false positives and considerable collateral
damage. Open proxy blacklists seem a bit safer, but still can have
collateral damage. Both systems might survive an "IP is authorized
to send mail for this domain" system, depending on the details and
how tightly they were applied.
BCC spam is very difficult to tell from legit email. Only by content
or "bulkness". It passes any authentication system just fine.
Volume limits and manual signup systems help limit this, but not
enough so far. And both rely on the goodness of the source site,
which is not sufficient.
Viral spam has even worse characteristics than BCC spam, since it
also can punch through whitelists, including auto-whitelisting
challenge-response systems.
Spam indifferent hosts are a real pain. You can't necessarily
blacklist them. You have very little power over them unless the
entire community bands together, and if that happens things could
spill over into diplomatic circles.
Spam friendly hosts are easier to block. But of course finding a
reliable RBL that doesn't generate false positives is tough. And if
it were that easy, you'd think they'd be gone by now, instead of
growing in number.
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
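The message argues that an "IP is authorized to send mail for this domain" check, a blacklist and a whitelist each catch different classes of the taxonomy. The script below is an added illustration, not code from the ASRG thread or from either poster: it models the authorization check as a constructed per-domain table of permitted sender networks (a stand-in for whatever published record such a system would use), builds one constructed sample message per taxonomy class, and reports which classes each mechanism passes or stops. All domains, addresses and IP ranges are made up (RFC 5737 / benchmark ranges), and the exact outcomes depend only on those constructed inputs.

```python
"""Which spam classes does each anti-spam mechanism touch?

Added example (not part of the ASRG message). Models the "IP is
authorized to send mail for this domain" idea from the thread as a
constructed lookup table and runs constructed sample messages, one
per taxonomy class, through three checks: path verification,
an IP blacklist, and a recipient whitelist.
"""
import ipaddress

# Constructed stand-in for an "authorized server only" system: each
# domain publishes the networks allowed to send mail on its behalf.
# A spammer who registers their own domain (class 6) can publish a
# record too, so that class is expected to pass this check.
AUTHORIZED_SENDERS = {
    "corp.example": ["192.0.2.0/24"],        # a legitimate company
    "webmail.example": ["198.51.100.0/24"],  # a free webmail provider
    "isp.example": ["203.0.113.0/24"],       # large, spam-indifferent ISP
    "bulk-7.example": ["198.18.0.0/24"],     # spammer-owned, rotated domain
}

# Constructed blacklist of known open relay / open proxy IPs.
IP_BLACKLIST = {"203.0.113.9", "203.0.113.44"}

# Constructed recipient whitelist (e.g. an auto-whitelisting C/R system).
RECIPIENT_WHITELIST = {"alice@corp.example"}

# One constructed message per taxonomy class: envelope sender and the
# IP that connected to deliver it.
SAMPLE_MESSAGES = [
    # forged corp.example sender relayed through a misconfigured host
    {"class": "open relay", "sender": "alice@corp.example", "ip": "203.0.113.9"},
    # same forgery, delivered via an open HTTP/SOCKS proxy
    {"class": "open proxy", "sender": "alice@corp.example", "ip": "203.0.113.44"},
    # throwaway webmail account, sent from the webmail provider itself
    {"class": "bcc", "sender": "tmp8817@webmail.example", "ip": "198.51.100.5"},
    # trojan on alice's machine, using her real account and her ISP path
    {"class": "viral", "sender": "alice@corp.example", "ip": "192.0.2.10"},
    # paid account at an ISP that does not act on complaints
    {"class": "spam indifferent host", "sender": "sales@isp.example", "ip": "203.0.113.20"},
    # bulk mailer on its own pipes and a freshly registered domain
    {"class": "spam friendly host", "sender": "offer@bulk-7.example", "ip": "198.18.0.3"},
]


def path_verified(sender, ip):
    """True if the connecting IP is authorized for the sender's domain,
    False if the domain publishes a list that excludes it, and None if
    the domain publishes nothing (the check cannot decide)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    nets = AUTHORIZED_SENDERS.get(domain)
    if nets is None:
        return None
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(msg, whitelist=RECIPIENT_WHITELIST, blacklist=IP_BLACKLIST):
    """Run one message through all three mechanisms."""
    return {
        "class": msg["class"],
        "path_verified": path_verified(msg["sender"], msg["ip"]),
        "ip_blacklisted": msg["ip"] in blacklist,
        "whitelisted": msg["sender"].lower() in whitelist,
    }


def classes_passing_path_check(messages=SAMPLE_MESSAGES):
    """Classes that an authorization-only system would let through."""
    return [m["class"] for m in messages if path_verified(m["sender"], m["ip"])]


def classes_caught_by_blacklist(messages=SAMPLE_MESSAGES):
    """Classes stopped by the IP blacklist alone."""
    return [m["class"] for m in messages if m["ip"] in IP_BLACKLIST]


def classes_passing_whitelist_with_path(messages=SAMPLE_MESSAGES):
    """Classes that pass a whitelist *and* path verification together.
    A forged whitelisted sender (open relay) fails the path check; the
    viral class, sending as the real user from the real path, does not."""
    return [
        m["class"] for m in messages
        if m["sender"].lower() in RECIPIENT_WHITELIST
        and path_verified(m["sender"], m["ip"])
    ]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = evaluate(msg)
        print(f"{v['class']:<22} path={str(v['path_verified']):<5} "
              f"blacklisted={str(v['ip_blacklisted']):<5} "
              f"whitelisted={v['whitelisted']}")
```

Run as written, the table shows the split the message describes: the open relay and open proxy classes fail the path check (and are the only ones the blacklist catches), while BCC, viral, spam-indifferent and spam-friendly senders all have verifiable paths and sail through an authorization-only system. The whitelist alone admits both the forged relay mail and the viral mail; only combining it with path verification narrows that to the viral class, which the message singles out as the one that "can punch through whitelists".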