
[Asrg] 1. inventory of problems draft 2

2003-04-11 04:45:37
This is the Inventory of Problems document that was originally started by
Liudvikas Bukys. I've made some changes based on feedback from others and
myself. I thought that I sent this to the list after I sent the list of work
items, but I could not find it to refer to it. Liudvikas will resume
ownership of this document.

Evading accountability
        - forging envelope sender
        - forging From header

Exploitation of weak systems
        - exploit open smtp relay
        - exploit insecure web services (cgi formmail)
        - exploit open proxies (HTTP CONNECT, HTTP)

Aggressive database generation
        - directory harvesting (web, LDAP)
        - name guessing & probing
        - name guessing without probing [selling bogus data to others]
        - inappropriate database sharing/selling

Inadequate opt-in
        - no actual opt-in
        - deceptive opt-in
        - single opt-in without confirmation

Inadequate opt-out
        - opt-out not implemented
        - opt-out ineffective (pro forma removal from one list not all)
        - opt-out untimely
        - opt-out difficult to execute
        - opt-out hostile (used only for address verification & enrollment in even more databases)

Evasion of automated filters
        - content randomization
        - eyespace transformation
                - misspelling
                - punctuation and spacing
                - substitution of visually similar characters
                - html coding tricks
                        - slice&dice tables
                        - javascript-generated content
                        - font size/color/background
        - mime multipart encoding
        - inclusion of non-spam chaff (visible or invisible)
        - content in images, not text
        - content in other external links

Evasion of human caution
        - fake DSN
        - fake content resembling common cgi-to-mail
        - "returned your call", "your account has a credit", etc

Not a real business
        - spam as chain letter/pyramid, selling software and bogus data to the naive
        - spam as DoS attack, no real solicitation in content

False claims
        - false claims regarding opt-in

Fraud & Crime
        - Nigerian 419
        - eBay password/credit card theft
        - PayPal password/credit card theft
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
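The "Evasion of automated filters" items above (misspelling, punctuation and spacing, substitution of visually similar characters, sliced HTML and entity coding) are all aimed at the same weakness: a filter that matches the raw bytes rather than what the reader sees. The following is an added illustration, not part of the inventory post and not code from the ASRG: it canonicalizes a message body toward its "eyespace" (tags and comments removed, entities decoded, accents folded, a small constructed homoglyph map applied, inter-letter punctuation and spacing dropped) and compares a naive substring filter with one run over the canonical form. The watch terms, the homoglyph table and the sample messages are constructed for the demo.

```python
import html
import re
import unicodedata

# Constructed watch list for the demo; a real filter would use its own rules.
WATCH_TERMS = ("mortgage", "refinance")

# Constructed, deliberately small table of ASCII look-alikes that stand in for
# letters ("substitution of visually similar characters"). Not exhaustive.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
})

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
TAG_RE = re.compile(r"<[^>]+>")


def strip_html(body: str) -> str:
    """Undo the HTML coding tricks: remove comments and tags (keeping their
    text so a word sliced across tags rejoins), then decode entities."""
    body = COMMENT_RE.sub("", body)
    body = TAG_RE.sub("", body)
    return html.unescape(body)


def canonicalize(body: str) -> str:
    """Reduce a body to the lowercase ASCII letters a reader would perceive.
    Word boundaries are discarded on purpose: 'r e f i n a n c e' and
    'r.e.f.i.n.a.n.c.e' must collapse to the same string as 'refinance'."""
    text = strip_html(body)
    # Fold accented and full-width forms toward their base letter.
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower().translate(HOMOGLYPHS)
    # Drop everything that is not a letter: punctuation, spacing, digits left over.
    return re.sub(r"[^a-z]", "", text)


def naive_hits(body: str) -> list:
    """Case-insensitive substring match on the raw body: the filter the
    listed tricks are designed to defeat."""
    low = body.lower()
    return [term for term in WATCH_TERMS if term in low]


def canonical_hits(body: str) -> list:
    """Same match, run over the canonical form."""
    canon = canonicalize(body)
    return [term for term in WATCH_TERMS if term in canon]


# Constructed sample bodies exercising the tricks named in the inventory.
SAMPLES = (
    "M0rtgage r.e.f.i.n.a.n.c.e rates dropped",                  # homoglyph + punctuation
    '<font size="1">M&#111;rt</font><!-- chaff -->gage today',    # html slice + entity
    "Your order has shipped",                                     # ordinary mail
)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        print("  naive:    ", naive_hits(sample))
        print("  canonical:", canonical_hits(sample))
```

Note the trade-off the caveat in the inventory implies: collapsing word boundaries makes the canonical matcher catch "r e f i n a n c e" but also lets a term match across two innocent adjacent words, so a filter built this way needs scoring rather than a single-term verdict, and NFKD folding does not map non-Latin look-alikes (e.g. Cyrillic letters) onto Latin ones, which a production normalizer would have to table separately.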


