On Thu, 29 Apr 2004, Jonathan Morton
<chromi(_at_)chromatix(_dot_)demon(_dot_)co(_dot_)uk> wrote:
Hashcash and signatures are non-starters (or deserve to be) for the
simple and
immutable reason that compromised spambot zombies will pump out large
numbers of
hashcash-certified, signature-carrying spams.
AGAIN, THIS DOES NOT SOLVE THE PROBLEM. It only makes the system more
complicated and expensive.
I don't buy this argument,
Hey, suit yourself.
because the "large numbers" of mail will be
significantly smaller than the "massive numbers" we're seeing today.
I don't think that's assured.
Instead of each zombie being limited only by it's pipe, it'll be
limited by it's CPU, so the resource pool available to spammers will be
orders of magnitude smaller than it is today.
The statistics recently reported regarding spammer zombie recruitment pointed
out that spammers tend to favor using more recently recruited zombies, since
those are less likely to be filtered yet. But as the "burst rate" of each
zombie is reduced, it's likely to not be detected and filtered as quickly... so
spammers might find that they can use each recruited zombie longer.
Anyhow, the rate of recruitment continues to accelerate.
I really don't believe that the solution to the spam problem involves making
E-mail harder or more costly to send. I think a much better solution involves
making it (if unwanted) *far* less likely to actually be delivered... such that
the spammer realizes that the effort is probably futile.
Likewise, we HAVE to work on cutting down the ease of zombie recruitment, and I
believe that my attachments (and HTML!) permissions list idea (basically a
fine-resolution whitelist) is a *major* step in the right direction there.
Since when is that such a weak argument?
Well, maybe always, in part since it ignores the very legitimate needs of
organizations like Yahoogroups and other major outbound mailers to send
millions
and millions of pieces of mail a day.
What determines whether a piece of E-mail is wanted or not (and whether it's
spam or not) is NOT whether it got sent out in large quantities, or whether the
sender paid or not to send it, or even who sent it out. What determines
whether
it's spam or not is whether the RECIPIENT wants it and authorized the sender to
send it to them, and whether the content of the mail is remotely like what the
recipient(s) expect and want to receive from that sender.
I added the idea of a simple signature because it's clear that PGP and
S/MIME haven't taken off - so are they too complex and/or intrusive for
Joe User? We need *something* to whitelist against.
Why do you think that it's not enough to simply use the E-mail characteristics
(type of content, HTML classes used, type of attachments, size maybe) in
combination with the sender and the list of permissions granted to that sender
by the recipient? And if you DO want something more, why is a "passcode" or
something freely made available by the recipient (perhaps in large number of
variant forms, so to make life difficult for address harvesters) and included
in
(say) the Subject or a special header line perhaps, not enough?
Again, do note that unanticipated/unwhitelisted E-mail (presuming that it does
not include HTML or attachments, which would immediately t-can or at least
reroute it, for example during the breakin period) would also need to be vetted
by some kind of SpamAssassin-like antispam content filter prior to presentation
to the addressee.
Each signature,
incidentally, will be valuable only for the number of recipients who
have whitelisted it, which for Joe User will normally be quite a small
window.
So what happens if they HAVE NOT whitelisted it? I think that many (most if
not
all!) types of users NEED to have SOME kind of way to receive legitimate,
unanticipated E-mails (consumer feedback to manufacturers, people responding to
the business card they have from you, etc etc.) Obviously they don't want
those
to be spam. My solution to this is that those E-mails have to be plain ASCII
text (and therefore _much_ more effectively content-filtered, and much less
likely to contain malicious content).
The signature will not say anything about the contents of the
message, merely where it's stamp came from.
Again, I think this is fairly useless because when it comes to
spam/virus/worms,
the CONTENT of the mail (in conjunction with who it came from, perhaps, and the
express wishes of the recipient in that regard) is the ONLY thing which truly
guarantees whether it's spam/virus/worm or not.
Signatures, like E-postage, SPF, and all these other schemes, are really
solutions in search of a problem. THAT is the REAL reason why PGP never caught
on... it simply was too complicated and too much hassle to use it, and most
people simply didn't think it was worth it. To now try to pretend that each of
these "pet solutions in search of a problem" is the key to the spam problem is
like claiming that attacking Iraq is the key to the international war on
terrorism... in each case, someone with a vested interest is trying to impose
an
agenda on the rest of the world that has nothing to do with the problem they're
proposing it for, just because they're trying to twist strong concern over the
problem into support for something else that's truly unrelated.
Once a machine has been compromised, of course, it needs a new signing
key after being cleaned up, but that's easy to arrange.
I think my solution is better here, too.
If a machine is compromised and suddenly starts sending spam, the spam is most
likely **immediately** blocked simply because it no longer "looks" like what
the
recipient expects to receive from the sender it's coming from. Now it "looks"
like spam. You don't have to "arrange" anything new at all.
If I suddenly get an E-mail containing an executable attachment from one of the
newsletters or Yahoogroups discussion lists I subscribe to, it's virtually
GUARANTEED that it's bogus. I could care less whether it's got an E-stamp on
it, or has a "certificate", or whether the sender thought about it a long time
before sending it, or anything else. I can tell based on what it is and who it
claims to be from that it doesn't look like what that person sends to me.
Therefore, I don't want it.
If I get a message claiming to be from a newsletter company, and that I happen
to know includes HTML formatting codes in their messages, if I suddenly find
that it comes in and uses ActiveX or scripting, then that's clearly not within
the purview of what I expect from that sender.
If I get an E-mail from my clueless Aunt Millie (millie(_at_)aol(_dot_)com) I
might expect
it to have that stupid AOL-style formatting BS, and she might even send me a
JPG
now and again, but if suddenly I get a message from her containing a .PIF
attchment or that contains HTML hyperlinks, or something like that, I can be
pretty confident that my dear sweet aunt didn't originate it.
Or for that matter, maybe this is someone I gave a business card to on a cruise
ship several years back and they're finally getting back to me about something
they ran across that might be interesting. I'm probably glad to hear from
them,
but if I'm out of town this week (maybe on a cruise again) and their (inept?)
message is going to chew up 95% of my ISP-provided Inbox, then chances are
pretty good that I'd rather not receive it and have the rest of my E-mails
bounce all week long until I can get back.
Who really cares about signing keys, or certificates, or all these SPF-like
mods
to DNS which don't solve the problem, or E-postage and all the new
opportunities
for fraud, abuse, extra costs and hassles? I sure don't. All I'm concerned
about is dumping spam in the trash so I don't have to deal with it.
I don't see any point of E-mailing back (to who? AS IF there were a real
return
address!) and telling them what to do to get past my checks!!?? Riiiiiiiight.
No, a big part of the whole key to this thing is that the legitimate senders
know that their current behavior is acceptable (perhaps JUST!) and that they
may
run into problems if they stray too far from that standard (and different
recipients may have set their filters and permissions standards for the same
material VERY differently!). Even if one of those familiar senders WERE to get
zombie-ized, the fact that suddenly they're not behaving (SOMETIMES!) the way I
expect them to behave is enough to cause the irregular mail to be zapped, EVEN
THOUGH the real stuff they still occasionally send me legitimately will still
sail through to me just the way it always has.
A spambot zombie probably won't be able to guess what the rules are to get mail
through to given recipients, and just because the machine they've overtaken has
lots of permissions... for SOME folks... won't help at all for e-mailing to
other people, or for mailing (even to the SAME people!) different types of
stuff.
AND for the case (the typical case) where the sender is only sending plain
ASCII
text, without attachments, then NO amount of HTML-obscured deviousness or
scripted decryption or misrepresented hyperlinks or seductive ruses to try to
get the recipient to decode and launch some evil attachment is going to get the
spam or virus or worm stuff past my permissions list. It's simply as futile as
arguing with a vending machine about the change it gave you (or didn't). Those
bogus things simply disappear down a black hole, giving the spambot (or the
spammer controlling it) no indication at all about what it might more
profitably
try for the next time.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg