ietf-asrg

RE: [Asrg] SMTP AUTH

2004-12-08 11:03:33
On Wed, 8 Dec 2004, "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:

> > Authentication proves NOTHING regarding legitimacy because a zombie
> > spambot can trivially send what it sends using the authentication
> > belonging to the hijacked system.

> This is not true unless you insist on the myopic strategy of examining each
> email independently with no ability to save state.
>
> A long time ago it was fashionable to study 'game theory', in particular the
> prisoner's dilemma games that Axelrod used as a model for mutually assured
> destruction strategy. The point missed by most (but not all) researchers
> that continued after Axelrod was that in any situation other than nuclear
> deterrence the game is played repeatedly. Once the participants know that it
> will be repeated their behaviors change and they no longer end up opting for
> the worst case scenario every time.
>
> It is the same here, if you have ONLY the email streams and NO external
> accreditation data then you can soon start to identify patterns such as
> 'mail from example.com is consistently legitimate'. This is almost certainly
> how most of the spam filtering vendors use SPF data today.

The problem with such "reputation" approaches is that they cut both ways.
Aunt Gertrude (presumably) HAD a good reputation BEFORE her system got
infected with a virus (in fact, spammers and worm authors probably COUNT on
the fact that the system they're infecting HAD a good reputation; that's part
of what enables them to wreak the havoc they do).

The fact that it IS infected today (and sending copies of itself like mad, and
she maybe doesn't even know yet) doesn't make the LEGITIMATE mail she
occasionally is still sending out less legitimate or important.

And of course, once her system is clean again, she now has a (probably GLOBAL)
"reputation" as a spammer/infected/deadbeat, damage which could take a lot of
time (and money) to undo.

> The disadvantage to this scheme is that it depends on having previously
> established a reputation. There is no way to break in unless a door is left
> for the spammers.

Yes, and that's also part of what's wrong with SPF and similar type
approaches. They do little or nothing to prevent someone (who IS, after all,
"authenticated") sending me a virus/worm that would turn my machine into a
zombie spambot. Antivirus programs generally only trigger on KNOWN exploits
and KNOWN code; so ALL viruses and worms are at their most virulent and most
dangerous BEFORE they're detected by ANY of the flock of A-V programs out
there (not even talking about the delay between them being detected, and the
time when users periodically do their updates). My approach, unlike most of
these others, goes a VERY long way towards simply prohibiting the problem
ENTIRELY, by creating a VERY narrow and twisty gauntlet that a virus or worm
would have to take to make it even as far as the antispam content filter.
(And indeed, for most users, that narrow and twisty gauntlet would lead at the
end to a reinforced concrete wall, for the great majority of users who would
leave the default so that NOBODY could send them executable attachments in
E-mails at all!)

The downside of my approach is precisely that you ARE protected against
potentially dangerous E-mails from people you don't know, and against
suspicious (because they're "unusual") ones coming (supposedly) from folks
you DO know. So to the extent that you personally feel it necessary to open
that window of exposure a little wider, you are responsible for determining
the level of risk you're willing to assume, and (for the most part) on a
sender-by-sender basis.

Is that a good bargain? *I* sure think it is.

(On the other hand, perhaps some people REALLY LIKE the fact that someone
they've never heard of can freely send them a 240Kbyte PIF file to click on,
or a 4Mb .EXE file out of the blue, go figure... but that's the sort of stupid
stuff that most all the other approaches we're talking about here do
ABSOLUTELY NOTHING AT ALL about!!!)


Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections!  http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
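The two positions in the message above (Hallam-Baker's "save state across messages" and Peterson's "narrow gauntlet with per-sender exceptions") can be shown side by side in one small filter. The code below is an added example for this archive page, not code from either poster or from any ASRG work: it keeps a local per-sender history, rejects executable attachments by default, lets the recipient open that window for one sender at a time, and holds (rather than rejects) the first-ever executable from a known correspondent, which is the pattern a newly infected "Aunt Gertrude" would produce. The extension and content-type lists, the verdict names, and the sample messages are all assumptions made for the example, and name-based detection is deliberately shown as weak because the filename is attacker-controlled.

```python
"""Stateful per-sender attachment gauntlet (added example, not code from the thread)."""
from __future__ import annotations

import email
import os
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed lists for the example. Names are attacker-controlled, so a real
# deployment would also sniff content (e.g. the "MZ" PE header), not just names.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".msi"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


@dataclass
class SenderState:
    """Local history for one sender: the 'state' the quoted reply says filters should keep."""
    accepted: int = 0                 # messages from this sender that cleared the gauntlet
    attachments: int = 0              # attachments carried by those accepted messages
    allow_executables: bool = False   # the window the recipient opens deliberately, per sender


@dataclass
class Gauntlet:
    senders: dict[str, SenderState] = field(default_factory=dict)

    def allow_executables_from(self, addr: str) -> None:
        """Recipient's explicit per-sender decision to accept executable attachments."""
        self.senders.setdefault(addr.lower(), SenderState()).allow_executables = True

    @staticmethod
    def _attachments(msg: EmailMessage) -> tuple[int, list[str]]:
        """Return (attachment count, names of the ones that look executable)."""
        total, execs = 0, []
        for part in msg.iter_attachments():
            total += 1
            name = part.get_filename() or ""
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS or part.get_content_type() in EXECUTABLE_TYPES:
                execs.append(name or part.get_content_type())
        return total, execs

    def classify(self, raw: bytes) -> tuple[str, str]:
        """Return (verdict, reason). Only accepted mail updates the sender's history,
        so a flood of rejected messages cannot buy a stranger a reputation."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        state = self.senders.get(sender, SenderState())
        total, execs = self._attachments(msg)

        if execs and not state.allow_executables:
            who = "unknown sender" if state.accepted == 0 else "sender without opt-in"
            return "reject", f"executable attachment {execs} from {who} {sender}"
        if execs and state.accepted > 0 and state.attachments == 0:
            # Known sender who never sent an attachment before suddenly sends an
            # executable: the infected-Aunt-Gertrude pattern. Hold it for the
            # recipient; do not reject it and do not damage her history.
            return "quarantine", f"unusual first-ever attachment {execs} from {sender}"

        state.accepted += 1
        state.attachments += total
        self.senders[sender] = state
        return "accept", "ok"


def build_message(sender: str, body: str, attachment: tuple[str, bytes] | None = None) -> bytes:
    """Constructed sample mail for the example; not a captured message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "me@example.com"
    msg["Subject"] = "hello"
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    g = Gauntlet()
    gertrude = "Aunt Gertrude <gertrude@example.org>"
    print(g.classify(build_message(gertrude, "hello dear")))
    print(g.classify(build_message("stranger@example.net", "click me", ("photo.pif", b"MZ\x90"))))
    print(g.classify(build_message(gertrude, "try this", ("update.EXE", b"MZ\x90"))))
    g.allow_executables_from("gertrude@example.org")
    print(g.classify(build_message(gertrude, "try this", ("update.EXE", b"MZ\x90"))))
```

Running the demo gives accept, reject, reject, quarantine in that order. The quarantine verdict is the deliberate middle ground between the two posts: the stranger's PIF never reaches a content filter, Gertrude's ordinary mail keeps flowing, and the one anomalous executable from her waits for the recipient rather than either being delivered or poisoning a reputation that outlives the infection. Releasing a quarantined message is left to the recipient and is not modelled here.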

