
Re: [Asrg] Re: 3. Proof-of-work analysis

2004-05-24 05:01:00

While I agree with you that "owned" machines are a security problem due 
to the fact that it gives the ability to fully impersonate that user, it's also 
that fact that makes it easy to tell which machine is "owned" and likely 
embarrasses the user enough to clean it up quickly (rather than the current zombie 
emails coming from an unknown joe user on a dynamic IP).

Spammers actually already started using the user settings set up in Outlook 
or Mozilla on a zombie computer to relay authenticated spam emails from 
zombie-infected machines through the ISP mail server, but that does not seem
to provide good results because the number of emails they can send is often 
limited, as ISPs would notice if thousands of emails started showing up, 
and authenticated emails often lead to revealing the identity of the zombie user, 
which leads to quicker repair or disconnection of the infected PC.

So the current use of zombies is primarily based on the notion that you can 
send 10,000 - 100,000 emails from that zombie PC in only a few minutes and 
then move on to another computer; the primary point there is the ability to send a very 
high number of messages through that computer and avoid being flagged
by the ISP. Additionally, the fact is that while the number of zombies seems too high, 
if you count it as a percent of total hosts it would be well less than 
0.001%. As such, using ONLY zombie PCs to send emails to whitelist users 
will likely not provide any significant reach to spammers. 

On Mon, 24 May 2004, Adam Back wrote:

I'm wondering about the zombie argument.  So clearly it is valid,
spammers can and do obtain zombies through viruses etc.  However it is
somewhat demanding of a threat model on any anti-spam system to say that
it should remain secure if the spammers 0wn some significant fraction of
user machines.

For example consider the following anti-spam systems and the effect of
owning the machines:

- signature based / verified sender -- broken, spammer just installs
malware on the zombie which abuses the user's credential

- white-list based -- broken (more limited perhaps, can only reach the
set of users who have white-listed the zombie owners); spammer harvests
white-listed pairs of addresses and optionally sends from the same
zombie harvested from.  (You see this with the virus payload that sends
from random pairs from the address book -- where you frequently receive
virus propagation and/or spam mail from people whose email addresses
you recognize.)

Likely similar problems apply to most other anti-spam approaches if the
person you are defending against 0wns lots of machines.

Adam
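The reply above argues that relaying through the ISP's authenticated submission server works against the spammer: every message is tied to an account, and a burst of thousands of messages from one account stands out. The script below is an added illustration of that ISP-side check and is not code from the thread or from either poster. The log format (`<ISO timestamp> submit user=<account> client=<ip> rcpt=<n>`), the ten-minute window, the 100-recipient threshold and the account names are all constructed assumptions for the example.

```python
"""Outbound-volume check over authenticated SMTP submission logs.

Added example, not part of the original mailing-list thread. The log
format, accounts, window and threshold below are constructed for
illustration and do not describe any real mail server's logging.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed format (assumption):
#   <ISO timestamp> submit user=<account> client=<ip> rcpt=<recipient count>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) submit user=(?P<user>\S+) client=(?P<ip>\S+) rcpt=(?P<rcpt>\d+)$"
)

# Constructed sample: one quiet account and one account that suddenly
# relays hundreds of recipients from a single client within a minute.
SAMPLE_LOG = """\
2004-05-24T04:59:01 submit user=alice@example.net client=192.0.2.10 rcpt=1
2004-05-24T04:59:30 submit user=bob@example.net client=192.0.2.44 rcpt=2
2004-05-24T05:00:00 submit user=bob@example.net client=192.0.2.44 rcpt=50
2004-05-24T05:00:05 submit user=bob@example.net client=192.0.2.44 rcpt=50
2004-05-24T05:00:09 submit user=bob@example.net client=192.0.2.44 rcpt=50
2004-05-24T05:00:14 submit user=bob@example.net client=192.0.2.44 rcpt=50
2004-05-24T05:20:00 submit user=alice@example.net client=192.0.2.10 rcpt=1
"""


def parse_line(line):
    """Parse one submission log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "ip": m["ip"],
        "rcpt": int(m["rcpt"]),
    }


def find_bursts(log_text, window=timedelta(minutes=10), max_rcpts=100):
    """Return {account: (peak_recipients_in_window, sorted client IPs)} for
    every authenticated account whose recipient total inside any sliding
    window exceeds max_rcpts. Because submission is authenticated, the
    flagged key is the account itself, which is what lets the ISP notify
    or suspend the right customer rather than guess from a dynamic IP."""
    events = defaultdict(deque)  # account -> deque of (ts, rcpt, ip), time-ordered
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = events[ev["user"]]
        q.append((ev["ts"], ev["rcpt"], ev["ip"]))
        # Evict events that fell out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        total = sum(r for _, r, _ in q)
        if total > max_rcpts:
            ips = sorted({ip for _, _, ip in q})
            prev = flagged.get(ev["user"])
            if prev is None or total > prev[0]:
                flagged[ev["user"]] = (total, ips)
    return flagged


if __name__ == "__main__":
    for account, (count, ips) in find_bursts(SAMPLE_LOG).items():
        print(f"{account}: {count} recipients in window from {', '.join(ips)}")
```

Run against the constructed sample, the quiet account stays under the threshold (its two messages are more than ten minutes apart, so they never share a window), while the relaying account is reported with its peak in-window recipient count and the client address it submitted from, which is the information the poster says leads to quicker repair or disconnection of the infected machine.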


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg