
Re: [Asrg] Spam, defined, and permissions

2004-12-30 01:52:24

gep2(_at_)terabites(_dot_)com wrote:

If you have 50 million zombies recruited, you can send a billion spam E-mails daily by sending 20 E-mails per day per zombie.


The figures I've heard are that there are somewhere around 5 million zombie hosts out there, and any one group has at most 500,000 hosts they control. That's still a lot, but an order of magnitude or two below your scenario.

ALL worms and viruses are at their MOST prolific and MOST dangerous before they are recognized by ANY antivirus software.


If most of them have to go through an authorized ISP's server that limits each machine to a certain number of emails, then viruses will become much less capable of spreading. In addition, it is easier to install anti-virus software that is updated frequently on a small number of mail servers than on every individual computer. I've seen reports that as many as half of the end-user computers have no or outdated virus protection. Server anti-virus software can be updated hourly or even more frequently while end-user software is at best updated daily. Most viruses continue to spread wildly even days after anti-virus updates are available. It won't solve the problem entirely, but it will reduce the magnitude of the problem significantly.

What nearly everybody is missing on the antivirus front is the simple fact that if clueless, sweet old Aunt Gertrude suddenly starts sending E-mails containing an ActiveX or a 180Kb .EXE file or 125Kb .PIF file, or with Javascript-encrypted message bodies and obscured URLs, that is SO unlike her typical and familiar behavior that it all by itself is 'a priori' evidence that ought to raise at least SEVERAL red flags.

Ah, but the most logical place to determine what Aunt Gertrude usually sends is by forcing her to use her ISP's mail server and to analyze it there. You could also set it so that the limit of executable content is lower than other types of emails. This still does not account for the fact that e.g. JPEGs, MP3s, Word DOCs and various other types of content can have security exploits in them.

So the current widespread dependence on antivirus scanning is really sort of dumb, because you're racing to lock the doors AFTER the horses have escaped. It doesn't matter all that much how long they've been gone!


Despite not being perfect, anti-virus scanning is effective in reducing the problem. Putting up more roadblocks will only reduce the problem further. Just because some of the horses have escaped doesn't mean you leave the door open for the rest to get out.

On the other hand, if you simply block (or quarantine, or whatever) UNEXPECTED executable (or other 'dangerous') attachments based on a sender-recipient pair, you can eliminate VIRTUALLY ALL virus/worm E-mail propagation, and without requiring constant updating of virus signature files (which, even updated DAILY, will always lag new threats enough to allow INCREDIBLY wide malware propagation, to tens or hundreds of millions of machines, within a matter of minutes or hours). Even TOTALLY NEW E-mailed viruses and worms don't get a 'free run' before they're blocked.


OK, do that TOO then. The more impediments the better. Note that even this proposal is not perfect, because you can't quarantine every JPEG, MP3, or Word DOC file because the average user would crucify whoever blocked some time-critical document or product sample photo because it might be dangerous. And who knows what other file types we think of as innocuous turn out to be exploitable? Still, there are certain emails that can probably be quarantined without most people complaining. If that helps reduce the problem, let's give it a try. But again, where's the best place to do this? At the sender's ISP, before it gets out further.

These approaches still generally have the problem that people with personal domains (and who are blocked from sending through their domain provider's SMTP servers by these port-25 blocks) have problems sending mail through their ISP-provided mail servers.


Mail submission protocol, VPN, ssh tunneling, buying premium service with fixed ip and no filtering, and a variety of other possibilities exist. Yes, it sucks that it is more difficult to send mail, but it sucked when we had to close down open relays too. The vast majority of people have no desire to do what you want, and those that do should be able to figure out how to accomplish it.


So dear aunt Gertrude suddenly finds she can't send legitimate E-mails anymore. So what does she do? She either gets frustrated and confused and just gets off the net, or else she calls her ISP and burns through cu$tomer $upport time while they try to help her. Neither way is a happy solution, and both cost real money to somebody.

Well that's just too bad. I'd rather have Aunt Gertrude pay the price of getting infected than for me to pay the price of dealing with receiving the sewage her computer is spewing. ISPs can reduce such costs tremendously by doing aggressive virus filtering both in and out. ISPs don't need to do anything more than tell Aunt Gertrude to get her computer cleaned of viruses and could either refer her to such a service or offer a paid service of their own.

What's wrong with it NOT being content-neutral?

I only mentioned that because others had mentioned that filtering by content would be problematic in terms of customer relations or legally. I don't completely share that concern, but it is much less subjective and much harder to argue over something content-neutral.

What's wrong with having a filter which blocks strange/inhabitual mail sent by Gertrude's machine, but lets her own normal E-mails through just fine? To me, *that* is an intelligent filter... or at least, more of one.


Sounds like a good idea. Would work pretty well if you did that analysis and filtering at her ISP. Let us know when you have it working.

Consumers have almost as much reason to want permanent, portable personal domain names as anybody else.

More than 99% of consumers have absolutely no desire for that, and those that do have many options of how to achieve that even in the face of port 25 filtering by default. Experience has shown that every time a consumer-level ISP has implemented port 25 filtering, it has seen spam and virus propagation from their networks drop dramatically. Experience has shown that mail servers employing aggressive, well-updated anti-virus filtering see greatly reduced virus propagation in their mail clients. It's not perfect, but it works much better than without it. If most consumer ISPs did it, the problem would be reduced even further.

--
James Lick -- 黎建溥 -- jlick(_at_)jameslick(_dot_)com -- http://jameslick.com/
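The thread argues for two outbound controls at the ISP's submission server: a per-machine daily send cap, and quarantining "unexpected" executable attachments based on what a given sender-recipient pair has exchanged before, so that a brand-new worm is stopped without waiting for a signature update. The following Python sketch, added here as an illustration and not code from either poster or from any ISP, combines both ideas in one policy object. The extension list, the daily limit, the host and address names and the sample traffic are all constructed assumptions; a real deployment would key on authenticated submission identity and real timestamps rather than the integer "day" used here.

```python
"""Outbound mail policy combining a per-host rate cap with a per-pair
attachment-type baseline. Added example; all values are constructed."""
import os
from collections import defaultdict
from dataclasses import dataclass

# Assumed set of attachment types treated as executable/dangerous.
DANGEROUS_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs", ".js"}


@dataclass
class Message:
    src_host: str        # submitting machine (would be the authenticated client)
    sender: str
    recipient: str
    attachments: list    # attachment file names
    day: int             # day counter standing in for a real timestamp


def ext_of(filename: str) -> str:
    """Last extension, lower-cased; 'card.jpg.exe' yields '.exe'."""
    return os.path.splitext(filename.lower())[1]


class OutboundPolicy:
    def __init__(self, daily_limit=50, dangerous=DANGEROUS_EXTENSIONS):
        self.daily_limit = daily_limit
        self.dangerous = dangerous
        self.sent_today = defaultdict(int)   # (host, day) -> attempts
        self.seen_types = defaultdict(set)   # (sender, recipient) -> extensions seen

    def approve(self, sender: str, recipient: str, ext: str) -> None:
        """Operator/recipient confirms this pair legitimately exchanges ext."""
        self.seen_types[(sender, recipient)].add(ext)

    def decide(self, msg: Message) -> str:
        """Return 'rate-limit', 'quarantine' or 'accept' for one message."""
        host_day = (msg.src_host, msg.day)
        if self.sent_today[host_day] >= self.daily_limit:
            return "rate-limit"
        # Every attempt counts toward the cap: a zombie whose mail keeps
        # being quarantined still burns its daily budget.
        self.sent_today[host_day] += 1
        pair = (msg.sender, msg.recipient)
        exts = {ext_of(name) for name in msg.attachments}
        unexpected = {e for e in exts
                      if e in self.dangerous and e not in self.seen_types[pair]}
        if unexpected:
            return "quarantine"
        # Learn the baseline only from accepted mail, so a quarantined
        # executable never becomes "normal" for the pair.
        self.seen_types[pair] |= exts
        return "accept"


def run_sample():
    """Constructed traffic exercising both controls and the override path."""
    p = OutboundPolicy(daily_limit=3)
    g = ("gertrude@example.net", "nephew@example.org")
    d = ("dev@example.net", "qa@example.org")
    out = []
    out.append(p.decide(Message("host-a", *g, ["recipe.doc"], 1)))    # accept
    out.append(p.decide(Message("host-a", *g, ["holiday.jpg"], 1)))   # accept
    out.append(p.decide(Message("host-a", *g, ["card.jpg.exe"], 1)))  # quarantine: first .exe
    out.append(p.decide(Message("host-a", *g, ["note.txt"], 1)))      # rate-limit: 4th attempt
    out.append(p.decide(Message("host-a", *g, ["note.txt"], 2)))      # accept: new day
    out.append(p.decide(Message("host-b", *d, ["build.exe"], 1)))     # quarantine: first .exe
    p.approve(*d, ".exe")                                              # legitimate pair confirmed
    out.append(p.decide(Message("host-b", *d, ["build.exe"], 1)))     # accept
    return out


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The `approve` path is the part the thread's objection about false positives points at: a developer who genuinely mails builds gets quarantined once, then whitelisted for that pair only, while the same executable from Aunt Gertrude's machine stays blocked. Note that the baseline is learned only from accepted mail and that quarantined attempts still consume the host's daily budget, so a compromised machine cannot probe its way past either control.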

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg