I simply believe it makes a LOT more sense to identify most spam by
observing its variance from accepted and agreed form. E-mail coming
from a given correspondent which DOES NOT LOOK LIKE the mail you expect
to get from that correspondent can, and probably should, be quarantined
or even t-canned until a different treatment is indicated.
If I get a 170K-byte PIF file attachment from my dear old Aunt Mildred,
it's a pretty safe bet that it's a virus or worm... she would simply
never legitimately send me anything like that (nor, in fact, would
probably anybody else).
You just described statistical filtering, a well-known variant being
Bayesian filtering. Later generation Bayesian filters can be very
effective and if Aunt Mildred gets zombied the filter will allow her
email through while still keeping the spam sent from her machine out.
SPF, reputation, et al can't do that.
The "problem" with Bayesian filtering and other content checking methods
is that you need to work on at least a non-trivial part, say 4k, of the
message body. This is fine for most organisations and individuals, but
maybe too resource intensive for ISPs. Keeping the statistical data for
each recipient is expensive. In organisations it might be possible to
keep statistical data on a per-department basis with a possible
loss of accuracy, but for ISPs this can't be done.
Has anyone looked at SURBL? My experience is that it works fine.
Of course, SURBL too requires having the whole message but it does not
require per-user data.
Brian Azzopardi
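A worked illustration of the SURBL-style check discussed above, added here as example code that is not from any poster in the thread: it reads only the first 4 KiB of the message body, pulls the URL hosts out, reduces each to its registrable domain, and forms the `<domain>.multi.surbl.org` query name. No per-recipient state is involved. The sample message, the blocklist contents and the short list of two-level public suffixes are constructed for the example; `multi.surbl.org` is the real SURBL combined zone, and a listed domain there answers with a 127.0.0.x address.

```python
import re
import socket
from email import message_from_string
from email.message import Message
from urllib.parse import urlsplit

# Only the first 4 KiB of the body is examined, mirroring the point that a
# content check needs "a non-trivial part, say 4k" of the message.
BODY_PREFIX_BYTES = 4096
SURBL_ZONE = "multi.surbl.org"

# Constructed blocklist contents for offline use; a real check asks DNS instead.
CONSTRUCTED_LISTED_DOMAINS = {"pills-example.test", "cheapmeds.example"}

# Public suffixes under which the third label is the registrable domain.
# SURBL keeps a full list; a small constructed sample is assumed here.
THREE_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message (not a real mail).
CONSTRUCTED_MESSAGE = """\
From: promo@spam.example
To: user@example.org
Subject: special offer

Hi, see http://www.pills-example.test/buy for prices,
our old site http://www.example.org/ and http://shop.example.co.uk/x
"""


def body_prefix(msg: Message) -> str:
    """Return the first BODY_PREFIX_BYTES of the message's text parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            chunks.append(part.get_payload(decode=True) or b"")
    return b"\n".join(chunks)[:BODY_PREFIX_BYTES].decode("utf-8", "replace")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain a blocklist would carry."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domains(text: str) -> set:
    """Registrable domains of every http(s) URL in the text (bare IPs skipped)."""
    domains = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host and ":" not in host and not host.replace(".", "").isdigit():
            domains.add(registrable_domain(host))
    return domains


def body_domains(raw_message: str) -> set:
    return extract_domains(body_prefix(message_from_string(raw_message)))


def surbl_query_name(domain: str, zone: str = SURBL_ZONE) -> str:
    return f"{domain}.{zone}"


def constructed_lookup(qname: str) -> bool:
    """Offline stand-in for the DNS query, backed by the constructed set."""
    suffix = "." + SURBL_ZONE
    domain = qname[: -len(suffix)] if qname.endswith(suffix) else qname
    return domain in CONSTRUCTED_LISTED_DOMAINS


def dns_lookup(qname: str) -> bool:
    """Live lookup: SURBL answers 127.0.0.x for a listed name, NXDOMAIN otherwise."""
    try:
        return socket.gethostbyname(qname).startswith("127.")
    except socket.gaierror:
        return False


def listed_domains(raw_message: str, lookup=constructed_lookup) -> set:
    """Domains in the body prefix that the blocklist reports as listed."""
    return {d for d in body_domains(raw_message) if lookup(surbl_query_name(d))}


if __name__ == "__main__":
    print(sorted(body_domains(CONSTRUCTED_MESSAGE)))   # all body domains
    print(sorted(listed_domains(CONSTRUCTED_MESSAGE))) # the listed ones
```

Passing `lookup=dns_lookup` switches the same code to a live query; the default keeps it offline. Because only the body prefix is scanned, a URL placed beyond the first 4 KiB is not seen, which is the resource trade-off the message describes.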
-----Original Message-----
From: asrg-bounces(_at_)ietf(_dot_)org
[mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf Of
gep2(_at_)terabites(_dot_)com
Sent: Tuesday, July 19, 2005 8:26 PM
To: asrg(_at_)ietf(_dot_)org
Subject: [Asrg] Trust relationships etc.
[HIV analogy snipped]
These "house of cards" trust relationships in the E-mail sphere are exactly
comparable...
That's not exactly true of course - getting that first spam DOES NOT mean
that you now have spam for the rest of your life. If only HIV infection
could be eliminated by revoking trust after the fact.
Fine, but the same thing holds true in that you don't know how much of
the "trust" you inherited from someone else was inherited from someone
else which was inherited from someone else, and somewhere down the line
there was someone whose "trust" was expressed prematurely or unwisely.
And usually there's no ready way for you to figure out what to revoke,
such that you don't throw out the baby with the bath water.
The other point is that people very simply make mistakes. Even sites
which are normally well-administered and trustworthy still can be
infected, or still compromised.
I simply believe it makes a LOT more sense to identify most spam by
observing its variance from accepted and agreed form. E-mail coming
from a given correspondent which DOES NOT LOOK LIKE the mail you expect
to get from that correspondent can, and probably should, be quarantined
or even t-canned until a different treatment is indicated.
If I get a 170K-byte PIF file attachment from my dear old Aunt Mildred,
it's a pretty safe bet that it's a virus or worm... she would simply
never legitimately send me anything like that (nor, in fact, would
probably anybody else).
If she sends me an ActiveX-based attachment or a Java-based decryption
script, that also is pretty clearly outside of the technical
capabilities I'd expect to see coming from her.
Meanwhile, the fact that I get illicit stuff CLAIMING to have been sent
by her should not prevent the delivery of the stuff Aunt Mildred sent me
that DOES look like the stuff she sends me. It shouldn't be terribly
difficult for software to differentiate (at least for such extreme
cases, and probably for more nuanced cases as well) between the two.
Meanwhile, the stupidity of trusting SPF and such "reputation/authentication"
approaches to control spam is evidenced by the following report that came
out within the last week... (and please forgive me if this has already been
reported here)...
Neither *reputation* nor *authentication* schemes can have any real value
ON THEIR OWN.
I'm not EVEN convinced that they have any really compelling value
OTHERWISE, either. The fact is that people move and travel, and
sometimes legitimately send mail from unusual places (airport E-mail
kiosks, cruise ship Internet cafes, etc etc) and while they still need
to sign and return-address their mail as usual, they may not have ANY
control whatsoever about the servers used to process the outgoing mail.
Only by using them _together_ might one hope to gain any real
benefit. Do not make the mistake of damning reputation schemes because
of the ineffectiveness of 'authentication'.
The fact remains that authentication and reputation schemes are broken
as soon as the trusted system gets compromised by viruses or worms that
turn them into zombie spambots.
That said - I'm inclined to think that *reputation* established by a wider
audience with a good overview of subject behaviour is more likely to be
useful (and harder to break) than some transitive *trust* thing.
Perhaps, but IMHO it's still better to have the RECIPIENT control it,
based on who THEY trust and what THEY expect to legitimately receive
from each familiar and recognized sender.
I think it makes perfect sense to put a suitably restrictive set of
acceptability rules on E-mails coming from previously unknown senders...
loose enough to allow for initial contacts, but tight enough to trip up
most spam (and, at a minimum, tight enough to ban the tricks that are
commonly used to evade antispam content filtering). And, of course, to
virtually eliminate worms and viruses (the genesis of so many spambot
zombies) arriving in E-mails.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections!
http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they
"represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
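As an added illustration of two points made in the thread, that a per-recipient statistical filter can keep passing Aunt Mildred's usual mail while stopping a PIF-bearing message that merely claims to come from her, and that the filter judges a message by how far it departs from what that sender normally sends, here is a small naive Bayes filter. It is example code written for this page, not code from any poster. The training messages, the sender addresses and the convention that attachments are passed as filenames are all constructed; the sender address and attachment extension are fed in as features alongside the words so that "a .pif from Mildred" can be learned as out of character.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(sender, subject, body, attachments=()):
    """Feature tokens for one message: the sender address, each attachment's
    extension, a sender+extension pair, and the words of subject and body.
    Attachments are assumed to be given as filenames (constructed convention)."""
    sender = sender.lower()
    feats = [f"from:{sender}"]
    for name in attachments:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else "none"
        feats += [f"att:{ext}", f"from:{sender}+att:{ext}"]
    return feats + TOKEN_RE.findall((subject + " " + body).lower())


class RecipientFilter:
    """Bernoulli naive Bayes holding one recipient's counts: the per-user state
    that is cheap for an individual and costly to keep for every ISP mailbox."""

    def __init__(self):
        self.counts = {"ham": Counter(), "spam": Counter()}
        self.messages = {"ham": 0, "spam": 0}

    def train(self, label, sender, subject, body, attachments=()):
        self.messages[label] += 1
        # Presence counts: each token counted once per message.
        self.counts[label].update(set(tokenize(sender, subject, body, attachments)))

    def spam_probability(self, sender, subject, body, attachments=()):
        feats = set(tokenize(sender, subject, body, attachments))
        n_ham, n_spam = self.messages["ham"], self.messages["spam"]
        log_odds = math.log(n_spam / n_ham)  # class prior
        for f in feats:
            if f not in self.counts["ham"] and f not in self.counts["spam"]:
                continue  # never seen by this recipient: no evidence either way
            p_spam = (self.counts["spam"][f] + 1) / (n_spam + 2)  # Laplace smoothing
            p_ham = (self.counts["ham"][f] + 1) / (n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, sender, subject, body, attachments=(), threshold=0.5):
        return self.spam_probability(sender, subject, body, attachments) >= threshold


def build_demo_filter():
    """Train one recipient's filter on constructed ham and spam."""
    f = RecipientFilter()
    for args in [  # constructed ham: Mildred's chatty notes and a colleague's mail
        ("mildred@example.net", "garden", "hi dear, the roses are blooming, love aunt mildred", ()),
        ("mildred@example.net", "photos", "here are the photos from sunday lunch, love mildred", ("lunch.jpg",)),
        ("mildred@example.net", "visit", "see you sunday dear, bring the kids", ()),
        ("bob@example.org", "meeting", "can we move the meeting to tuesday", ()),
        ("bob@example.org", "report", "draft report attached, comments welcome", ("report.doc",)),
    ]:
        f.train("ham", *args)
    for args in [  # constructed spam, including worm-style executable attachments
        ("promo@spam.example", "cheap meds", "buy cheap pills now, click here", ()),
        ("noreply@spam.example", "your account", "verify your account now, click here", ()),
        ("admin@spam.example", "important document", "important document, see attachment", ("document.pif",)),
        ("info@spam.example", "photo", "see attached photo", ("photo.scr",)),
        ("alerts@spam.example", "urgent", "urgent, open the attached file now", ("file.pif",)),
    ]:
        f.train("spam", *args)
    return f


# Two constructed test messages, both carrying Mildred's address as sender.
USUAL_MILDRED = ("mildred@example.net", "sunday",
                 "hi dear, see you sunday for lunch, love mildred", ("cake.jpg",))
ZOMBIED_MILDRED = ("mildred@example.net", "important document",
                   "important document, see attachment", ("invoice.pif",))

if __name__ == "__main__":
    flt = build_demo_filter()
    print("usual note:", round(flt.spam_probability(*USUAL_MILDRED), 3))
    print("pif from same address:", round(flt.spam_probability(*ZOMBIED_MILDRED), 3))
```

The sender token alone pulls both messages toward ham; what separates them is the attachment type and the wording, which the filter has only ever seen in spam. A reputation or SPF check keyed on the sender would treat the two identically.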