
Re: [Asrg] SPF is only useful to dupe the ignorant...]

2004-09-11 23:31:11
On Sep 11 2004, Bill Cole wrote:

> I think I neglected to give all the context. There's somewhat more
> than disconnection keeping the spammers from spamming through ISP
> mail servers, there are often rate limiters and similar measures
> making it unworkable.

In the context of zombies, there's the effect on the single user,
and the effect on the spammer.

For the user: with a rate limit, it's a question of who uses up the
allowance first, spamming proxy or human. To the human, the end effect
is probably that their ISP is "unreliable" for email, because it might
reject around half the connection attempts. At best, it's likely to
increase complaints from clueless users to their ISP, or push
customers to rival ISPs with different limits.

For the spammer: with large zombie armies, a rate limit on each user
is not a major problem. Those blackhats who write zombie deployment
infrastructures aren't script kiddies, and can consolidate thousands
of accounts for simultaneous campaigns over 72 hours, say, just below
each zombie's spamming limit. It's a matter of having enough zombies,
and zombie creation is subject to completely different rate limits
again (RPC, browser vulnerabilities, etc.).

So the important question is probably: will comprehensive ISP
countermeasures be more expensive than the zombie attacks? I have no
idea, but if it's the case, then ISPs will simply learn to live with
the problem, rendering the particular reputation/whitelisting
solutions ineffective as a global force.


>> You are the ISP CEO. Your mission, should you choose to accept it, is
>> to close down 25,000 user accounts for the crime of spamming, while
>> keeping your shareholders happy.

> The entire ISP network unable to talk to significant parts of the
> Internet in any way at all because of the problem machines, or an
> outbound mail server that can't function because of the load or can't
> get anyone to accept its mail because it mostly sends spam are all
> worse than dropping half of the customers into a network jail where
> they can't talk to anything (even the ISP's mail servers) other than
> a single webserver that offers them no alternatives other than the
> tools to clean their machines.

Interesting idea. You want to set up an automated forced update system
for customers. Presumably, the ISP will pay a yearly fee to the
anti-virus companies to be able to distribute their cleaning software
free of charge to the customers.

I think the complexity of this solution for the ISP is good, because
they only have to handle a few operating system variations, and the
customers hitting each web page are self-selecting.

What's the typical delay time between virus discovery and fix, for
major anti-virus companies? That's at least the downtime you'll impose
on each customer, and may be an Achilles heel (e.g. Microsoft delay
between patches etc). This could do with some discussion.

> Step one is to mature in their understanding of their business. A
> lot of non-ISPs operate networks connected to the Internet that
> generate zero spam. A lot of ISPs who serve markets other than
> consumer residential access manage it as well. There are some
> consumer ISPs managing it. Even AOL comes very close.

The whole issue with spam is scale. If spam only affected a few
thousand machines on the internet, virtually any solution would work.
But large consumer ISPs exist because it makes financial sense to offer
cheap access to hordes of people. So the fact that some network operators
manage to be clean when offering (presumably) expensive service to a
small userbase isn't helpful unless their methods scale. AOL however is
a good case study.

>> So we might soon see large ISPs which 1) acknowledge that a sizeable
>> fraction of their customers spam unwittingly, and 2) say: so what?

> That's the current situation. It cannot last without all those
> adult-run networks increasingly deciding that accepting any traffic
> other than HTTP requests from mismanaged networks is more trouble
> than it is worth.

I don't know. Email is a killer app, the major reason why people get
an internet account. Dropping email and only offering web browsing is only
a temporary fix, and even webmail is dependent on mail protocols somewhere
along the way. So I'm not sure what this reduction of services would
accomplish for this ISP, over time.

-- 
Laird Breyer.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg