to quote my original response
"It is my firm belief that no single system will do the job, a toolkit is
required each tool tackling a different type of spam source."
Regards
Chris
-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org
[mailto:asrg-admin(_at_)ietf(_dot_)org]On Behalf Of
Hallam-Baker, Phillip
Sent: Tuesday, 2 March 2004 9:53 AM
To: 'Larry Seltzer'; sami(_dot_)suomalainen(_at_)bigpond(_dot_)com; 'ASRG'
Subject: RE: [Asrg] Sendmail CEO Backs Yahoo DK and MS CID
Nothing in SPF, CID or DK would stop a legitimate marketer
from sending e-mail that
authenticates properly. Actually, nothing stops them from
sending it unsolicited either,
but since the addresses would be verifiable users would be
able to block them
effectively. If they didn't block you, they would get your mail.
I agree with the response to the specific issue, but I think
it misses the big picture here.
I think the problem here is that some people don't understand
engineering. The way you solve a big problem like spam is
you break it down into a collection of smaller problems and then
address those in turn.
Saying that SPF or Caller ID does not bring peace on earth
does not mean they have no value. They are not an end in
themselves, they are a starting point. Of course this type
of talk is being used in an attempt to talk the proposals out,
a strategy that assumes a veto power that does not exist.
Everyone understands that there has to be more than just
authentication to 'solve' the spam problem. But authentication
is the first step in any of the comprehensive strategies.
Once you know who sent the message you have a different
response depending on the type of spam it is.
Impersonation spam (aka joe job) - discard
Intentional spam - affects the reputation of the sender,
may lead to civil, criminal sanctions
Hijacked Machine spam - We locate the machine and shut it
down.
The different responses require different strategies but they
are all soluble. It is simply a matter of case analysis.
At a recent anti-phishing meeting we discussed a mechanism to
address the hijacked machine issue. Lets just define a simple
way that you can contact me when you think someone is using a
machine I am responsible for in a malicious fashion.
_contact.example.com TXT
"email:abuse.example.com tel:+44012440102031"
_contact.example.com SRV
"http://contact.example.com/";
_contact.1.0.0.10 TXT
"include:example.com"
So when someone launches a DDoS against my machines with source
address 10.0.0.1 I know where to go, I have an email address,
telephone number, more usefully though I have the address of
a web service I can connect to and send a report of the incident.
If I am operating an ISP I am not going to turn off users
automatically in response to unauthenticated requests from outside,
but I could easily automate much of the response loop:
* Report of spam or virus attack from IP address
AND IP address is making lots of connections to port 25
ACTION - warn operator, possibly shut down site.
* Report of DDoS from source address
AND IP address is engaged in objectionable activity
ACTION object
Spoofed IP addresses could be addressed by similar means but here
I need to connect via the contact addresses of my ISPs :-
Report of DDoS against IP address 10.9.9.9
AND abnormal activity connecting to 10.9.9.9
Respond
Response consists of tracking the attack back to the source, same
way a human operator would. For each router you look to see which
incomming ports have abnormal levels of packets routed to the
targetted address, if so you kick the contact report back down
to the next NOC in the chain. If the source is in your own network
you disable the machines behaving unacceptably (like SYN flooding).
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg