[zombies]
In order for it to eliminate zombies, it has to be implemented by
_everybody else_. That's not going to happen.
Well, yes and no.
I agree that you probably won't eliminate 100% of the vulnerability, but at
some point the remainder doesn't much matter. The issue is whether the
vulnerability is widespread enough to ATTEMPT to exploit it.
And that doesn't take much.
I disagree. If the great majority of users are rejecting E-mail-borne zombie
attacks, then I think that hackers and spammers will move to greener pastures
(such as trying to infect via Web sites or whatever).
It also depends on how quickly such a fine-grained permissions list
approach is accepted and installed. Obviously, if Microsoft were to
include something like this in Outlook and Outlook Express by
default, it would be much more effective and much sooner than if
Infopoint or some other small software company were to try to market
it as an addon package.
You mean 5 years instead of 20?
I don't agree with your numbers, but the ratio might be about right. A small
software company is going to have a much harder time getting rapid worldwide
distribution.
Such an effort will be implemented worldwide by far more customers, faster, if
it's an upgrade to a program they already have and trust than if it's something
new and different.
You're assuming that you can tell whether or not the _recipient's_ MUA
will attempt to interpret a message as HTML.
It doesn't much matter. Most spammers don't know, either, what specific
E-mail client program a destination address is using. Nor do they care, in
fact.
Precisely. The spammers will attack a vulnerability that affects only
a small percentage.
True, but as it becomes a smaller and smaller percentage, their exploit becomes
less and less a matter of concern.
You have to defend against all such vulnerabilities.
Oh, if you can, I suppose. But if you're waiting to get 100% before getting 80%
that you can get sooner, I think that's a poor implementation choice.
That issue is already known in virus protection. Some email clients
were treating some messages as HTML that the anti-virus software
thought was (safe) plaintext. The spammer didn't care _which_ victim
he got, just _how many_.
At some point, the answer to "how many" will be "not enough"... just the same
way that spammers don't tend to go after Linux or Mac boxes, even though they
clearly could. The grass is greener elsewhere, so the minority situation can be
pretty safely ignored.
For some spammers, maybe. Many others sell their services, and the
worldwide shortage of suckers is not expected soon.
It won't take long for the word to get around that spamming doesn't work
anymore, and that some types work dramatically less well than others.
And some spammers will just think it's good that the market is less
crowded, and spam more.
Sure, for a while. But the fine-grained permissions list is still the most
likely solution to yield a quick, lasting reduction in spam volume and
virus/worms too, and with a minimum impact on legitimate users.
Ultimately, the way to control spam is to make it less profitable and appealing
for the spammer. The profitability doesn't HAVE to go to zero... it only has to
go low enough that a spammer or virus author will decide that other approaches
are more appealing.
Prove it. Come up with a reasonable implementation that my mother can
handle.
I'll be GLAD to do that, and I'll even bring it to release-ready, if
you'll fund the development. :-)
In other words, you're claiming something that doesn't exist and
offering no evidence.
Anyone who has spent any time working in R&D is quite used to designing products
that don't exist yet. My professional record for conceiving, designing and
successfully implementing practical, usable, innovative products that are the
first-of-kind is pretty good. :-)
The point is that this is IMPLEMENTATION-DEPENDENT, and does not
need to be part of a "best practices" advisory. Some companies are
hugely better at "human-engineering" software products than others
are; given that, we don't have to concern ourselves HERE with the
fact that some of them might not do a terrific job of it.
However, it's close to necessary to demonstrate that it's _possible_
to do an acceptably-good job.
I think that's pretty evident. Certainly neither you nor anybody else here has
posted convincing evidence proving the inverse.
There are MUCH, MUCH harder problems of software engineering that have been
solved. This one is comparatively quite trivial.
Again, though, I'll point out that once you default to "no
attachments, no HTML" in E-mails from unlisted senders, you don't
leave the spammers much room to evade much of anything, at least as
far as their E-mail content goes.
As I've already pointed out, "no attachments, no HTML" isn't a clear-cut decision,
It comes awfully close.
And if the implementation of the fine-grained permissions list is built into the
recipient's mail client software (say, Outlook/Outlook
Express/Pegasus/Eudora/etc) then it's possible to make it damned near
airtight... certainly something that a clueless user (the one most likely to be
fooled) isn't likely to be taken in by.
...and spammers will take advantage of every implementation difference of
opinion.
Sure. They are awfully determined, and devious. But (again) the *great*
majority of their tricks and deceptions are based on obscured URLs, scripting,
HTML, and attachments. Once you have denied them those, they're left with VERY
little wiggle room.
Likewise, if you don't allow HTML or attachments in mail from
unfamiliar/untrusted sources, and executable content (by HTML or attachment)
from fewer-to-NO sources, then virus/worm/zombie infestation (at least by E-mail
transmission vectors) is essentially going to go away.
[That is SUCH an obvious conclusion that I'm astounded that we have to keep
bringing up the point!! You'd *think* that at least THAT part of my proposal
would receive pretty much universal agreement... especially when you compare its
simple, logical basis with the outlandishly convoluted and complicated
Rube-Goldberg-esque schemes that others here seem to be so fond of!]
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
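The per-sender permission policy the post argues for (plain text only from unlisted senders, HTML and attachments only by explicit grant, and executable content only by a separate grant that defaults to nobody), as an added example in Python that is not from the post or the ASRG list. The addresses in the permission list, the grant names and the executable-type heuristics are constructed assumptions; a real client would also need a user interface for managing the list.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed permission list (hypothetical addresses). Grants: "html", "attachments",
# "executable". A sender not listed here gets the default: plain text only.
PERMISSION_LIST = {
    "alice@example.net": {"html", "attachments"},
    "build-bot@example.org": {"attachments", "executable"},
}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/javascript", "text/javascript"}
EXECUTABLE_EXTS = (".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js")

def classify(part):
    """text: inline plain text; html: inline HTML body; attachment: everything else."""
    if part.get_filename() or part.get_content_disposition() == "attachment":
        return "attachment"
    return {"text/plain": "text", "text/html": "html"}.get(part.get_content_type(), "attachment")

def is_executable(part):
    """Executable content arrives either as a script-bearing HTML body or as a runnable attachment."""
    if part.get_content_type() == "text/html":
        return "<script" in part.get_content().lower()
    name = (part.get_filename() or "").lower()
    return part.get_content_type() in EXECUTABLE_TYPES or name.endswith(EXECUTABLE_EXTS)

def apply_policy(raw, perm_list=PERMISSION_LIST):
    """Return (sender, kept_parts, dropped_parts) after applying the sender's grants."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    perms = perm_list.get(sender, set())          # default deny: unlisted sender gets no grants
    kept, dropped = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue                               # multipart containers carry no content
        kind = classify(part)
        allowed = kind == "text" or (kind == "html" and "html" in perms) \
            or (kind == "attachment" and "attachments" in perms)
        if allowed and is_executable(part) and "executable" not in perms:
            allowed = False                        # executable content needs its own grant
        label = f"{kind}:{part.get_filename() or part.get_content_type()}"
        (kept if allowed else dropped).append(label)
    return sender, kept, dropped

def build_sample(sender):
    """Constructed message: plain text + HTML alternative, a PDF and an .exe attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "me@example.com", "Quarterly report"
    m.set_content("Please see the attached report.")
    m.add_alternative("<html><body><p>See attached report.</p></body></html>", subtype="html")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MZ constructed", maintype="application", subtype="octet-stream", filename="report.exe")
    return m.as_string()
```

Run `apply_policy(build_sample("stranger@example.com"))` to see an unlisted sender reduced to the plain-text part; the same message from `build-bot@example.org` keeps both attachments but loses the HTML body, because that sender was granted attachments and executables but not HTML.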