At 12:27 PM +1000 9/12/04, Laird Breyer wrote:
>I just want to address the points about zombies:
>
>On Sep 11 2004, Bill Cole wrote:
>
>>>machines. However, in theory a spammer could send the mail through
>>>the ISP, just as if it was the user actually hitting the buttons -
>>>on a compromised machine anything is possible. In those cases it
>>>is possible to get the mail to pass an SPF check.
>>
>>Yes, but this is a losing tactic. Spammers learned almost a decade
>>ago that spamming through the mail servers of consumer ISPs was a
>>swift path to disconnection because of how easy it is for an ISP to
>>detect and respond to that sort of spamming. There may have been
>>regression on the part of ISPs in the last few years in the area of
>>keeping their legitimate outbound mail systems from being used to
>>spam, but I suspect that Swen has managed to instruct the backsliders.
>
>On the contrary, I believe this is a winning tactic.
>
>You're talking about historical cases where spammers signed up for an
>account themselves, so that when the account was closed, they lost
>their net connection, and ability to spam.
>
>The winning tactic is that the spammers are being proxied by
>legitimate users unaware of the fact.

I think I neglected to give all the context. There's somewhat more
than disconnection keeping the spammers from spamming through ISP
mail servers; there are often rate limiters and similar measures
making it unworkable.

>Who is the ISP going to shut
>down? Some grandmother with an infected PC? I claim there is no way
>this is going to happen in appreciable numbers.

It certainly is not happening now, but that situation looks quite
unsustainable to me and I'm starting to hear rumblings out of the big
broadband providers that some most definitely will be doing that in
the future. They certainly SHOULD be doing it.

>Take an ISP with 50,000 users. Half or more of those users catch a
>virus (not unheard of...) which installs a spamming proxy. In each
>case, the proxy detects the ISP mail gateway, and uses it to send spam
>on behalf of the user. Eventually, the ISP detects that half its
>customers are sending spam in rolling waves or bursts. None of the
>owners of those PCs have any idea what's going on, or would even know
>how to fix the problem when it's pointed out.
>
>You are the ISP CEO. Your mission, should you choose to accept it, is
>to close down 25,000 user accounts for the crime of spamming, while
>keeping your shareholders happy.

The entire ISP network unable to talk to significant parts of the
Internet in any way at all because of the problem machines, or an
outbound mail server that can't function because of the load or can't
get anyone to accept its mail because it mostly sends spam, are all
worse than dropping half of the customers into a network jail where
they can't talk to anything (even the ISP's mail servers) other than
a single webserver that offers them no alternatives other than the
tools to clean their machines.

This sort of technology is not new. Hotels offering Internet access
were doing it 4 years ago.

>>However, any accurate detection of a domain that will allow a machine
>>to pass SPF checks also affixes a truly responsible party to the
>>mail. If one publishes an SPF record including a particular IP
>>address, one is affirming responsibility for the use of that domain
>>name from that IP address.
>
>In the zombie scenario, the problem isn't who is ultimately
>responsible. The problem is whether the responsible party (the ISP)
>can change its behaviour. How does an ISP change the behaviour of
>half its customers? It can't. So how does the ISP stop originating
>spam?

Step one is to mature in their understanding of their business. A
lot of non-ISPs operate networks connected to the Internet that
generate zero spam. A lot of ISPs who serve markets other than
consumer residential access manage it as well. There are some
consumer ISPs managing it. Even AOL comes very close.

>It's one thing to pick a handful of customers and talk tough to them
>if they don't clean up their PC. It's another thing to talk tough to
>more than half your customers, offering them the choice of fixing
>their PC, or being disconnected.
>
>So we might soon see large ISPs which 1) acknowledge that a sizeable
>fraction of their customers spam unwittingly, and 2) say: so what?

That's the current situation. It cannot last without all those
adult-run networks increasingly deciding that accepting any traffic
other than HTTP requests from mismanaged networks is more trouble
than it is worth.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
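As an added illustration of the SPF point argued above (this is not code from the thread, nor from any SPF library): a minimal SPF evaluator run against a constructed, in-memory set of TXT records for a hypothetical consumer ISP domain. The ISP's listed mail gateway passes, so a zombie that relays through that gateway inherits a pass the ISP has vouched for by publishing the record, while the same zombie sending directly from its broadband address fails. Only ip4/ip6, include and all are implemented; a, mx and redirect need live DNS and are deliberately left out.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# example.net is a hypothetical ISP: 192.0.2.0/24 holds its outbound mail
# gateways, 203.0.113.0/24 its broadband customer pool (not in the record).
CONSTRUCTED_TXT = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 include:_relay.example.net -all",
    "_relay.example.net": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=CONSTRUCTED_TXT, depth=0):
    """Return the SPF result for mail claiming `domain` from `client_ip`.

    Mechanisms: ip4, ip6, include, all. Anything else, a malformed
    network, or an include chain deeper than 10 yields "permerror";
    a domain with no record yields "none".
    """
    if depth > 10:
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            try:
                # Mismatched address families never match, so an IPv6
                # client falls through an ip4-only record to "all".
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        elif name == "include":
            sub = check_spf(arg, client_ip, records, depth + 1)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":  # include matches only on a pass result
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # record exhausted without a match
```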
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg