ietf-asrg
[Top] [All Lists]

[Asrg] Trust relationships etc.

2005-07-19 11:25:58
[HIV analogy snipped]

These "house of cards" trust relationships in the E-mail sphere are
exactly
comparable... 


That's not exactly true of course - getting that first spam DOES NOT mean
that you now have spam for the rest of your life. If only HIV infection
could be eliminated by revoking trust after the fact.

Fine, but the same thing holds true in that you don't know how much of the 
"trust" you inherited from someone else was inherited from someone else which 
was inherited from someone else, and somewhere down the line there was someone 
whose "trust" was expressed prematurely or unwisely.  And usually there's no 
ready way for you to figure out what to revoke, such that you don't throw out 
the baby with the bath water.

The other point is that people very simply make mistakes.  Even sites which are 
normally well-administered and trustworthy still can be infected, or still 
compromised.

I simply believe it makes a LOT more sense to identify most spam by observing 
its variance from accepted and agreed form.  E-mail coming from a given 
correspondent which DOES NOT LOOK LIKE the mail you expect to get from that 
correspondent can, and probably should, be quarantined or even t-canned until a 
different treatment is indicated.

If I get a 170K-byte PIF file attachment from my dear old Aunt Mildred, it's a 
pretty safe bet that it's a virus or worm... she would simply never 
legitimately 
send me anything like that (nor, in fact, would probably anybody else).

If she sends me an ActiveX-based attachment or a Java-based decryption script, 
that also is pretty clearly outside of the technical capabilities I'd expect to 
see coming from her.

Meanwhile, the fact that I get illicit stuff CLAIMING to have been sent by her 
should not prevent the delivery of the stuff Aunt Mildred sent me that DOES 
look 
like the stuff she sends me.  It shouldn't be terribly difficult for software 
to 
differentiate (at least for such extreme cases, and probably for more nuanced 
cases as well) between the two.

Meanwhile, the stupidity of trusting SPF and such
"reputation/authentication"
approaches to control spam is evidenced by the following report that came
out
within the last week... (and please forgive me if this has already been > 
reported here)...


Neither *reputation* nor *authentication* schemes can have any real value
ON THEIR OWN. 

I'm not EVEN convinced that they have any really compelling value OTHERWISE, 
either.  The fact is that people move and travel, and sometimes legitimately 
send mail from unusual places (airport E-mail kiosks, cruise ship Internet 
cafes, etc etc) and while they still need to sign and return-address their mail 
as usual, they may not have ANY control whatsoever about the servers used to 
process the outgoing mail.

Only by using them _together_ might one hope to gain any real
benefit. Do not make the mistake of damning reputation schemes because of
the ineffectiveness of 'authentication'.

The fact remains that authentication and reputation schemes are broken as soon 
as the trusted system gets compromised by viruses or worms that turn them into 
zombie spambots.  

That said - I'm inclined to think that *reputation* established by a wider
audience with a good overview of subject behaviour is more likely to be
useful (and harder to break) than some transitive *trust* thing.

Perhaps, but IMHO it's still better to have the RECIPIENT control it, based on 
who THEY trust and what THEY expect to legitimately receive from each familiar 
and recognized sender.

I think it makes perfect sense to put a suitably restrictive set of 
acceptability rules on E-mails coming from previously unknown senders... loose 
enough to allow for initial contacts, but tight enough to trip up most spam 
(and, at a minimum, tight enough to ban the tricks that are commonly used to 
evade antispam content filtering).  And, of course, to virtually eliminate 
worms 
and viruses (the genesis of so many spambot zombies) arriving in E-mails.

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections!  http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg