Re: [Asrg] subverting ISACS
2005-01-14 06:30:06
At 10:07 PM -0500 1/12/05, Michael Kaplan imposed structure on a
stream of electrons, yielding:
[...]
> Is there anyone out there who has ever had to abandon an email
> account because the amount of spam became unbearable?
Yes. The address I used in the early 90's is probably still open to
me (it was about a year back...) but the spam level got so high by
1997 that there was no point in looking at the flow. The system it
resided on automatically expired mail, and while I've used other
functions of that system very occasionally since 1994, I have not
used the email address publicly since then and stopped even looking
at the mailbox after 1997 except for referencing how much spam lands
in ancient unpublicized mailboxes. (as of 2003: scores daily)
> Is there anyone out there who has used the same email addresses
> for, let's say 10 years or so?
Yes. The address in my .sig will hit 10 years in a few weeks. I've
posted literally thousands of messages to Usenet using it in that
time, and it has appeared in a variety of places on the web, some
that I do not control.
> You have given this email address to everyone you have ever known.
Closer to everyone I don't know. People I know have mostly received
other addresses since about 1998. Publicly archived and
spammer-harvested mailing lists like this one get special addresses
that I burn regularly (despite appearances, the one I am currently
using here is #4, as the first 3 all became targets for daily+ spam).
> Your spam burden is so enormous that you think about getting a new
> account every day but you don't because you know that you would
> lose contact with a large number of people.
That's not it at all.
Somewhere around 5,000 pieces of mail are aimed at my 'main' address
daily. I cannot say for sure, because to some extent I am guessing at
how many unanswered SYN's translate to a single attempt to mail me
and at how common it is for spam that I've rejected in SMTP to
actually get requeued and retried. The spammers who work for Network
Solutions and Amazon and Ebay probably retry, the ones who work for
Kraft and Goodyear and various sellers of snake oil and porn likely
do not, and the ones who abuse other people's quasi-legitimate mail
systems (mostly the 419'ers) certainly get retries from them but also
have a habit of sending precisely the same thing many times. And of
course there are fluctuations: for months around this time last year,
one spammer was bouncing hundreds of port 25 SYN's off my router
every minute. This week the rate is an order of magnitude lower than
that, and not very focused...
It is a rare day when more than 100 messages actually get accepted
and delivered to my mailbox, a rarer day when 10 of those are spam,
and so far in 2005 not a single spam has failed to be recognized as
such by my MUA's filters: 82 spams accepted for me by the server, 82
filtered into the junk box. Shockingly good performance considering
the amount of mail I get with quoted spam snippets and examples of
tricks and fingerprints etc...
4 times last year I learned of a message having been rejected by my
spam exclusion methods which was not spam. The analysis I do of my
SMTP reject logs gives me a pretty good sense that there were not
many more.
> What does ISACS bring to the table? ISACS is the only practical
> system that will allow you to paradoxically completely abandon your
> old email address and yet keep it forever.
Not so. It is not practical (create a testable implementation, and
you might have a slim chance of convincing me otherwise) and there
are other practical approaches to handling the spam load on
widely-exposed addresses.
> That 10 year old email
> account will be completely spam free, and your long lost college
> buddy can still contact you.
> No filter can approach this.
If by 'filter' you mean a single product that looks at message
content to determine whether it is spam or not, you are correct, but
that is akin to stating that a rock drives nails better than a
screwdriver. Filters are useful, but they are not total solutions and
need not be used as total solutions.
> ISACS is completely unlike any whitelist.
That's only true for very narrow definitions of 'whitelist.' Like all
tagged-address systems, ISACS shares a core feature of simplistic
whitelists: it defaults to rejecting mail. Unfortunately, it does so
asynchronously with mail transport, and generates bounces that are
likely to be sent to wrong places, and the brute-force response to
ISACS by the bottom-feeders of spam will only boost those misdirected
challenges. Like all C/R approaches to spam, ISACS is a form of
self-service whitelist, where most of the cost of maintenance is
exported to senders and forgery victims.
> Some still believe that email addresses will become compromised at
> such a fantastic rate that deactivating sub-addresses is
> impractical. If so then why even bother trying to hide any email
> address?
Indeed. Hiding addresses from spammers is a perfect solution for as
long as it works, but it cannot work indefinitely with any address
that has significant and varied use.
Given a standard form and widespread use, tagged addresses that act
as keys to get past hardened spam defenses will become a basis for
yet another flavor of dictionary attack. There has already been some
of that by spammers, but the fact that different systems and
individuals apply the basic concept differently fragments the target
so much that so far attacks trying user-* and user+* and user.*
addresses have been pretty sporadic and useless. Give the spammers
one target pattern and easy ways to detect that ISACS is in use, and
they will churn right through the namespace.
> I activated this Lycos account just for this list more than a month
> ago. I have not received any spam to date. You know what's even
> crazier? About 7 years ago I activated a Hotmail account and
> started using it for all of my family and personal acquaintances,
> being careful never to use it for anything else. For years I never
> received a single piece of spam, then a couple of years ago I
> started receiving on average about one spam a day. I keep the
> filter on the lowest setting. I assume that this trace amount of
> spam was the result of a single unknown breach. If ISACS had been
> in place I would have just deactivated that sub-address (which was
> probably known by only a single one of my personal contacts). This
> is a personal example, but I believe that MOST people are spammed as
> a result of a finite number of security breaches.
Your analysis there is extremely weak, probably due to a lack of data
to inform it. If you want a sense of how fast systems are being taken
over by software that results in uncontrolled and unpredictable
spread of the addresses stored on them, try tracking the CBL contents
for a while. Another demonstration: create a few accounts at Hotmail,
with names ranging from the obvious (i.e. rooted in common names) to
the virtually unguessable (shove 5 random bytes into a base64
encoder...) and wait for the spam. The last test I heard of pegged
the name and initial style of account name as lasting less than 3
months before getting spammed, despite NO exposure of the account.
Spam may well eventually come to all accounts at Hotmail, but it
certainly hits the guessable ones faster. It does not take many
samples to estimate the rate of the brute force/dictionary pokes at
Hotmail, and the last analysis I saw of that (2003) indicated that
Hotmail was almost certainly seeing on the order of a full OC-3 of
traffic sucked up by address-guessers. The idea that an account which
has been used to send email to a 2-digit population of users subject
to Windows compromises and has been sitting there has only been found
by spammers once seems absurd to me.
> I am pleased that the criticisms of ISACS seem to have died down to
> minutia
Some of us are mostly not reading it, as you didn't actually address
any of the serious critiques, but rather pronounced them unimportant
based on your apparently extensive lack of experience with real mail
systems, existing spam control approaches, and the realities of how
change is done (or not done) to established technologies on the net.
Note that you would also get no serious debate if you proposed that a
race of genetically engineered hyperintelligent spider monkeys be bred
and implanted with Wi-Fi chips in their brains, with each being
tasked to sort one mailbox.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
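As an added example (not part of Bill Cole's post or of the ISACS proposal), the kind of SMTP reject-log analysis mentioned above, aimed at the user-*, user+* and user.* probing the post describes: it groups rejected recipients by connecting client and flags clients that cycle through many tag variants of one base address. The log format, addresses and IPs are constructed, loosely Postfix-like.

```python
"""Flag dictionary-style probing of tagged sub-addresses (user-*, user+*, user.*)
in SMTP reject logs. Log lines are constructed for this example, loosely Postfix-like."""
import re
from collections import defaultdict

# Constructed sample: one client cycling through tag variants of "bill",
# one ordinary sender with a single typo and a single stale tag.
SAMPLE_LOG = "\n".join([
    "Jan 14 06:00:01 mx smtpd[1]: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bill-asrg@example.net>: Recipient address rejected; from=<a@example.org>",
    "Jan 14 06:00:02 mx smtpd[1]: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bill+asrg@example.net>: Recipient address rejected; from=<a@example.org>",
    "Jan 14 06:00:03 mx smtpd[1]: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bill.asrg@example.net>: Recipient address rejected; from=<a@example.org>",
    "Jan 14 06:00:04 mx smtpd[2]: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bill-ietf@example.net>: Recipient address rejected; from=<a@example.org>",
    "Jan 14 06:00:05 mx smtpd[2]: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bill+ietf@example.net>: Recipient address rejected; from=<a@example.org>",
    "Jan 14 06:00:09 mx smtpd[3]: reject: RCPT from mail.example.com[203.0.113.5]: 550 5.1.1 <bil@example.net>: Recipient address rejected; from=<b@example.com>",
    "Jan 14 06:00:10 mx smtpd[3]: reject: RCPT from mail.example.com[203.0.113.5]: 550 5.1.1 <bill-old@example.net>: Recipient address rejected; from=<b@example.com>",
])

REJECT_RE = re.compile(r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 5\d\d .*?<(?P<rcpt>[^>]+)>: Recipient address rejected")
TAG_RE = re.compile(r"^(?P<base>[a-z0-9]+)(?P<sep>[-+.])(?P<tag>[a-z0-9._-]+)$")

def parse_rejects(log_text):
    """Yield (client_ip, recipient) for every 5xx recipient rejection in the log."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("rcpt").lower()

def tag_variants(rcpt):
    """Return (base, domain, separator, tag) if the local part looks tagged, else None."""
    local, _, domain = rcpt.partition("@")
    m = TAG_RE.match(local)
    return (m.group("base"), domain, m.group("sep"), m.group("tag")) if m else None

def find_tag_probers(log_text, threshold=5):
    """Return {client_ip: {base@domain: distinct_tags}} for clients whose rejected
    recipients cover at least `threshold` distinct tag variants of one base address;
    that pattern is namespace churn rather than a typo or one stale tag."""
    seen = defaultdict(lambda: defaultdict(set))
    for ip, rcpt in parse_rejects(log_text):
        parts = tag_variants(rcpt)
        if parts:
            base, domain, sep, tag = parts
            seen[ip][f"{base}@{domain}"].add((sep, tag))
    probers = {}
    for ip, bases in seen.items():
        hot = {b: len(t) for b, t in bases.items() if len(t) >= threshold}
        if hot:
            probers[ip] = hot
    return probers
```

The threshold is deliberately per base address rather than per client, so a sender that mistypes one recipient is never flagged while a client walking the tag namespace is.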