
Re: [Asrg] Unique innovations made to anti-spam system

2006-01-24 09:28:41
On Jan 24, 1:12am, Michael Kaplan wrote:
}
} A single zombie spam sender can send out multiples of thousands of
} spams a day. A zombie bounce collector can only spam the small number
} of people who correspond with the owner of the hijacked PC.

You miss the point.  The bounce collector isn't spamming the people who
correspond with the hijacked PC -- in fact, it isn't necessary for it
to spam anyone.  All it's doing is filtering the [forged] reply mailbox
for an ordinary spam run, or more likely for a special harvesting run
that doesn't [other than the forgery] appear to be spam.  The victims
of the harvesting don't have to be existing correspondents of anyone, as
the whole point is to induce their ISACS system to emit a challenge.

The bounce collector then phones home and drops off the ISACS bounces
for decoding, and a second spam run later ensues using the harvested
addresses, possibly with different and this time likely undeliverable
return addresses.  And remember that this is initially occurring from
to-this-point trusted domains, so there aren't any CAPTCHAs to decode.

} The owner of the zombie bounce collector PC will soon get a lot of
} angry emails

Which he'll never see, because the bounce collector is filtering out
the email that is sent to the ISACS-format subaddress that it created!
It can silently discard them (maybe after phoning home to report that
it has found a live person whose filters didn't block the spam).

} With ISACS these snooping zombies will be readily discovered, and the
} damage that they do will be readily repaired when the compromised
} sub-addresses are deactivated.

With ISACS, the harvester can, in an automated fashion, "grow" (by
inducing challenges) an unlimited number of subaddresses to target,
and (by direct infection) create a nearly unlimited number of them to
use as bounce traps; and can efficiently filter for known-good base
addresses.  One could even, with the appearance of innocence, collect
several subaddresses for each known-good target before beginning the
first real spam run against any of them, then continue the harvesting
process while rolling over to the next such subaddress when the first
becomes disabled.  It'd be a long time before he ran out of ammo; the
registry of trusted domains would be emptied first, except for a few
one-user vanity domains who could carry on their private conversations.

This imaginary arms race we're conducting is kind of amusing, but I
think it's time to stop.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
