At 10:42 PM 4/16/2003 +0100, Jon Kyme wrote:
> > At 06:08 PM 4/16/2003 +0100, Jon Kyme wrote:
> >
> > >I don't see that there's what the charter calls "a realistic chance of
> > >wide-scale deployment" for what you propose.
> >
> > What evaluation of the chances have you done?
>
> I don't have to. You're proposing it. You should do the sums.

Then I get to pick the percentage, and I don't have to pick 99%.

> But here goes...
> Let's see, the ORDB.org database lists 183548 open relays
> as of 16 April 2003. Based on this we'll need approaching 20 million
> undetected honeypots to reduce spam received by one of my users to the
> level that content-filters (or blists) can achieve now.

You claim 99% success FOR YOUR USERS. If you are going to make a
comparison (this is getting silly - anyone who says so has my agreement)
then you should compare the OVERALL spam-stopping for the entire net,
including domains that don't block and don't filter. Further, your
filtering is intended to protect your users from spam, so 100% is the goal
you should pursue. My action is intended to lower the amount of spam that
reaches users sufficiently so that the spammers no longer profit. That
number is unknown but I doubt it is 99%.

> Or, we assume that maybe 1% of mail servers are open relays
> (http://www.imc.org/ube-relay.html) we can see that we'll need
> about the same number of honeypots as there are mail servers.
> Now assuming that there are maybe 200 honeypots currently deployed
> we need 5 orders of magnitude increase. Assuming that the honeypot
> numbers grow at about the same rate that the number of internet hosts in
> total have grown (an order of mag in 5 years
> http://www.isc.org/ds/WWW-200301/index.html ) and that the absolute number
> of open relays remains constant, we can see that we need something like 25
> years to deploy the required honeypots.

I'd say more like 1000 years, given the starting point and the
assumptions. So what? You are using a growth rate without any concerted
effort to promote honeypots and saying that would be the growth rate if
ASRG recommends honeypots. That's not likely to be true. In addition what
I propose is that ASRG consider all possible modes of defeating spammer
abuse, not just honeypots. Get ISPs acting and honeypots are a side joke.

> Of course this may be speeded up somewhat if, after the first 5-10 years,
> you find the absolute number of open relays has fallen due to your
> reporting efforts.
>
> > problem won't shrink to make up for your short-sightedness.
>
> I'm not sure how the ability to perform simple arithmetic makes me
> short-sighted.

It isn't the ability to do arithmetic, it's how you chose to use it. You
set out to prove that honeypots, and by extension the idea of fighting spam
by fighting spammer abuse, won't work. So every place there's an estimate
or a choice to make you make the one that leads to the conclusion you wish
to reach. That isn't engineering.

> With the best will in the world (and making some very kind assumptions)

No, they are not kind. Note that while I dispute the validity of your
assumptions I consider that to be beside the point, if you look at the real
point. The real point is that all spam that doesn't go direct from the
spammers' servers to the destination is sent using some form of abuse. It
is that abuse I propose be stopped. I've done it for years using honeypots
but honeypots are not the sole way to do it.

> your plan seems to take decades to work. That's too slow. The spammers can
> adapt quickly enough. The good guys won't wait that long for a return on
> their investment.

That's not "my plan." I have no plan, I have proposed that ASRG consider
stopping spam by stopping spam sent using abuse. ASRG someday will have a
plan - my suggestion may or may not be part of it.

> My subjective evaluation of the chances of deploying a system that takes
> years (decades) to reduce my users' spam to a level that I can achieve in a
> matter of days or hours with other systems is about zero.

Yeah, right, and we have all the time in the world to devise, propose,
code, and distribute an entirely new protocol. Meanwhile my honeypot was
stopping actual spam Sunday. Honeypots are easy to write, there is already
a Windows-compatible honeypot that could be massively deployed any time. I
wouldn't - I'd want it polished more first, but it is an existing
tool. ISPs at the origin of the spam (even if it goes through an open
proxy in Brazil it could originate in Florida) and ISPs where the abuse is
committed can detect the abuse if they wish. They could start tomorrow,
ASRG or not. The problem is reaching them to educate them about what they
can do. There are also surely problems of violation of privacy. I suspect
these may be less severe in Brazil but I don't know. Knock a spammer down
10 times for abusing an open proxy in telesp.br and he may well decide to
not try the 11th time. That's one giant block of addresses denied to the
spammer without changing any configuration on any of the systems.

> It's a weak idea, not made stronger by simply repeating it.

Not shown.

> However, as a spam collection tool...

Whatever. I don't care if honeypots are in the final proposal. I do care
that full consideration be given to fighting the abuse instead of totally
and shamefully ignoring it. I can name a few spammer test message dropbox
addresses off the top of my head. Can you? Sending and receiving test
messages is the essential foundation of relay spam and nobody (other than a
very few) pays one bit of attention to it.

The first spam trapped by the Moscow honeypot came through open proxies in
Ireland and India (if I remember correctly.) Totally
anonymous. Unfortunately the first test message delivered, the one that
led to the spam, went to an IP registered to Alan Ralsky. Sort of
destroyed all his cleverness, didn't it?
I've not yet learned if the series of relay tests sent from IPs in
Washington, D.C. are or are not ones sent by Dr. Fatburn. Nonetheless I
have them as evidence of his (whoever "he" is) use of the IPs to engage in
abuse (they're DSL addresses.) Very few people have such evidence but
millions could, trivially. It is folly to ignore the abuse when it is so
blatant and so easily detected. Tests are essential for the sending of
spam - ignoring the tests is unbelievable.