ietf-asrg

Re: [Asrg] SPF is only useful to dupe the ignorant...

2004-09-11 19:40:59
I just want to address the points about zombies:

On Sep 11 2004, Bill Cole wrote:

> > machines.  However, in theory a spammer could send the mail through
> > the ISP, just as if it was the user actually hitting the buttons -
> > on a compromised machine anything is possible.  In those cases it
> > is possible to get the mail to pass an SPF check.

> Yes, but this is a losing tactic. Spammers learned almost a decade
> ago that spamming through the mail servers of consumer ISPs was a
> swift path to disconnection because of how easy it is for an ISP to
> detect and respond to that sort of spamming. There may have been
> regression on the part of ISPs in the last few years in the area of
> keeping their legitimate outbound mail systems from being used to
> spam, but I suspect that Swen has managed to instruct the backsliders.

On the contrary, I believe this is a winning tactic. 

You're talking about historical cases where spammers signed up for an
account themselves, so that when the account was closed, they lost
their net connection, and ability to spam.

The winning tactic is that the spammers are being proxied by
legitimate users unaware of the fact. Who is the ISP going to shut
down? Some grandmother with an infected PC? I claim there is no way
this is going to happen in appreciable numbers.

Take an ISP with 50,000 users. Half or more of those users catch a
virus (not unheard of...) which installs a spamming proxy. In each
case, the proxy detects the ISP mail gateway, and uses it to send spam
on behalf of the user.  Eventually, the ISP detects that half its
customers are sending spam in rolling waves or bursts. None of the
owners of those PCs have any idea what's going on, or would even know
how to fix the problem when it's pointed out.

You are the ISP CEO. Your mission, should you choose to accept it, is
to close down 25,000 user accounts for the crime of spamming, while
keeping your shareholders happy.


> However, any accurate detection of a domain that will allow a machine
> to pass SPF checks also affixes a truly responsible party to the
> mail. If one publishes an SPF record including a particular IP
> address, one is affirming responsibility for the use of that domain
> name from that IP address.

In the zombie scenario, the problem isn't who is ultimately
responsible.  The problem is whether the responsible party (the ISP)
can change its behaviour.  How does an ISP change the behaviour of
half its customers? It can't. So how does the ISP stop originating
spam?

It's one thing to pick a handful of customers and talk tough to them
if they don't clean up their PC. It's another thing to talk tough to
more than half your customers, offering them the choice of fixing
their PC, or being disconnected.

So we might soon see large ISPs which 1) acknowledge that a sizeable
fraction of their customers spam unwittingly, and 2) say: so what?


-- 
Laird Breyer.

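Added illustration, not part of the thread, of the mechanism both posters take for granted: a receiving MTA checks the connecting IP against the sender domain's SPF record, so a message a zombie hands to its own ISP's authorized gateway passes exactly like the customer's legitimate mail. The domain, record, and addresses below are constructed for the example; only the ip4 and all mechanisms are implemented.

```python
import ipaddress

# Constructed example data (not any real ISP): the ISP's SPF record
# authorizes only the small block holding its outbound mail gateway.
SPF_RECORDS = {
    "isp.example": "v=spf1 ip4:203.0.113.0/28 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, connecting_ip: str) -> str:
    """Evaluate a tiny SPF subset (ip4, all) the way a receiving MTA would.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Mechanisms
    the scenario does not need (include, a, mx, ...) are skipped."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # unsupported mechanism: treated as not matching
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match and without 'all'


def zombie_scenarios() -> dict:
    """Same infected customer PC, same MAIL FROM, two delivery paths."""
    customer_dynamic_ip = "198.51.100.77"  # constructed: the zombie's own address
    isp_gateway_ip = "203.0.113.10"        # constructed: the ISP's outbound gateway
    return {
        # Path 1: the bot connects straight to the recipient's MX.
        "direct_from_zombie": check_spf("isp.example", customer_dynamic_ip),
        # Path 2: the bot submits through the ISP gateway, as the customer's
        # mail client does; the recipient only ever sees the gateway's IP.
        "relayed_via_isp_gateway": check_spf("isp.example", isp_gateway_ip),
    }


if __name__ == "__main__":
    for path, result in zombie_scenarios().items():
        print(f"{path}: {result}")
```

The two results are the whole argument of the thread: SPF pins the message to the ISP, which is why the question becomes what the ISP can do about its own customers rather than whether the mail is authorized.
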
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg