
RE: [Asrg] How to defeat spam that uses encryption?

2003-04-02 14:13:30
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>

Please point out those measurements and statements of mine that show
that spam senders are shy about their identities.

You state that 8-% of spam comes from the free dialup account 
domains despite the fact that these all implement rate limiting.

I can't find any words among my web pages that say anything like that.
Could you point them out specifically?  `find ... | xargs grep 8.%`
fails to discover anything relevant in web pages starting at
http://www.rhyolite.com/anti-spam/ I'm extremely careful to say things
like "much unsolicited bulk mail bears return addresses pointing to
these free providers" instead of "spam comes from the free dialup
account domains."

I don't talk about "free dialup accounts domains," because I do not
like the idea of the DUL or similar lists.  That might explain why
`grep dialup`  cannot find a relevant use of "dialup" in any of those
web pages.  Other people might talk about shy spammers and dialup
accounts, but I don't think I do.

I also don't see how rate limiting is at all relevant to whether
spam senders are shy about their identities, but that seems irrelevant.


So how can so much spam come from those domains? Answer it 
does not, the From addresses and routing headers are fake.

It is true that a lot and probably most current spam has header and
envelope From addresses that do not match the IP address of the SMTP
client, but there is only religious conviction and no evidence that
they all or even most can honestly be called "fake."  Contributors to
this mailing list have pointed out that they use such "fake" headers.
Of course, some such spam headers are not just "fake" but forged and
so against various laws.

What does this have to do with whether spammers are shy about their
identities?  The answer is clearly that spammers are not shy about
their identities (since they are advertising), but they are shy about
some of their ISP accounts or they use ISP accounts that would be
given digital identities/certs/signatures just as "throw-away" as the
username and password they already get.


...
Telephone numbers and drop-boxes can be and are routinely connected
to the people responsible.

The success rate is not that high, the cost of the investigation
is high, unless you know the exact time the person is going to
collect the info the cost of a stakeout is prohibitive.

All of that would apply equally to any plausible sort of digital
authentication.  Possession of a public/private key pair does not keep
one from moving around nor using the old sources of practical anonymity.
In fact, one of the neat things about digital systems is that they
can allow more mobility and anonymity.

It is much harder for the bad guys to authenticate themselves
in advance to a specialist in the field with access to blacklists
of accommodation addresses, prisons etc. than it is to 'authenticate'
themselves to the customer.

I'm sorry, but I don't understand that.  It is certainly true that no
plausible mail authentication system will require more real world
authentication to get a cert or whatever than is now required to get
an ISP account, a telephone number, a web hosting account, or a post
office box.   If all of those are now insufficient to pin a spam
sender, then so will any new scheme based on the same foundations.
"Digital" is not magic pixie dust that changes the nature of this problem.


Your arguments on this point appear to be religious in nature
rather than based on empirical observations. 

As far as I can tell, the enthusiasm for digital authentication of
email is religious or an expression of another aspect of human nature.
People have the sense that if only they could put a name on a spammer,
they could speak it three times, ring a bell, light a candle, and make
the spammer go Poof!

In fact, spammer identities are already quite available to anyone who
cares to look or sometimes serve legal papers.  It's just that
screaming epithets at "Ralsky" doesn't stop any spam.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


