On 1/24/06, Bart Schaefer <schaefer(_at_)brasslantern(_dot_)com> wrote:
On Jan 24, 1:12am, Michael Kaplan wrote:
}
} A single zombie spam sender can send out multiples of thousands of
} spams a day. A zombie bounce collector can only spam the small number
} of people who correspond with the owner of the hijacked PC.
> You miss the point. The bounce collector isn't spamming the people who
> correspond with the hijacked PC -- in fact, it isn't necessary for it
> to spam anyone. All it's doing is filtering the [forged] reply mailbox
> for an ordinary spam run, or more likely for a special harvesting run
> that doesn't [other than the forgery] appear to be spam. The victims
> of the harvesting don't have to be existing correspondents of anyone, as
> the whole point is to induce their ISACS system to emit a challenge.
> The bounce collector then phones home and drops off the ISACS bounces
> for decoding, and a second spam run later ensues using the harvested
> addresses, possibly with different and this time likely undeliverable
> return addresses. And remember that this is initially occurring from
> to-this-point trusted domains, so there aren't any CAPTCHAs to decode.
I will concede that you can describe a mechanism whereby bots can be used to
attack ISACS, and I have no doubt that this will happen, but I think that
the impact is greatly exaggerated. This is the myth of the spam zombie's
omnipotence/omnipresence/infinite ease of deployment. I say this because
even today under the current email system many users have little or no spam
while others who use the identical email system get flooded. If spammers
had limitless access to everyone's email address then everyone would get
flooded. The currently existing sub-address email systems would be of no
benefit whatsoever (even the head of our group has stated that one of the
sub-address email systems "apparently has lots of happy users").
These bots are a problem but their ability to snoop is still limited.
The problems involved in snooping ISACS sub-addresses can *only* be more
difficult.
The damage done to these accounts is reversible, and the sub-address helps
in tracking down the zombie.
> With ISACS, the harvester can, in an automated fashion, "grow" (by
> inducing challenges) an unlimited number of subaddresses to target,
> and (by direct infection) create a nearly unlimited number of them to
> use as bounce traps; and can efficiently filter for known-good base
> addresses. One could even, with the appearance of innocence, collect
> several subaddresses for each known-good target before beginning the
> first real spam run against any of them, then continue the harvesting
> process while rolling over to the next such subaddress when the first
> becomes disabled. It'd be a long time before he ran out of ammo; the
> registry of trusted domains would be emptied first, except for a few
> one-user vanity domains who could carry on their private conversations.
What you describe can happen but it is treatable. The spam bot will reveal
itself as soon as some of those collected sub-addresses are used; the spam
bot can then be killed.
But what if this bounce trap collected an unlimited number of CAPTCHA-free
bounces? A time limit can be placed on sub-addresses during which they must
be used at least once or they will expire. I'll say seven days. This means
that an ISACS user who fell victim to this spam bot would get as much spam
for seven days as a normal email user. After that the "limitless" number of
bounces collected will be garbage.
And now to respond to another poster:
On 1/23/06, Richard Clayton <richard(_at_)highwayman(_dot_)com> wrote:
> > I'll use my figure of 80 million
> > CAPTCHA solved in order to deliver one million spam.
> hmm... I did try to explain that 4 million might be wiser :(
I think you miscalculated. How about I say the spammer harvests bounces by
sending 80 million emails using a real return address. I'll be generous and
say that the spammer has a 100% return because he sent the mail without any
kind of filterable material.
Now the spammer has 80 million CAPTCHAs that he pays people to solve. He now
sends 80 million pieces of good old-fashioned spam with spoofed addresses.
95% of this is filtered and 4 million gets through. 75% of these addresses
are bogus accounts so only one million pieces of spam have hit their target.
The spammer has paid to decode 80 million CAPTCHAs.
But there is another big expense: The spammer has sent 80 million emails
with a real return address. The spammer may have registered a bunch of
personal domains for this purpose. Honeypots can be used to detect these
newly created spammer domains. Let's say that the spammer can use each domain
100,000 times before this untrusted domain actually makes it onto a
blacklist and becomes useless to the spammer. At just $5 to register a
domain this single mailing has cost the spammer $4,000.
> > Almost every commonly
> > used domain is trusted, but this spam is using a sub-address that
> > was sent to an untrusted domain; a stronger filter can be applied
> > to sub-addresses sent to untrusted domains.
> Unless that stronger filter is "drop all" then I don't accept that
> somehow there are better filters :(
By "stronger" I meant one with a greater true positive rate but worse false
positive rate compared to what would usually be tolerated.
> You seem to be redesigning your system :(
Yes, constantly. The interaction on this board has been invaluable. I
appreciate the criticism because after a while I use this criticism to
improve this system.
I believe that I have found a way around a certain MAJOR criticism that has
come up over the past few days. As soon as I get some time I am going to
completely redo my site to reflect the solution.
Thank you all for your input,
Michael Kaplan
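The harvest-then-rollover attack Bart describes and the seven-day expiry Michael proposes in reply can be put side by side in a small model. The following is an added example written for this page; it is not ISACS code and does not describe any real implementation. It encodes only the rules stated in the thread (a challenge mints a sub-address; an unused sub-address expires after a limit; a sub-address that carries spam is disabled once reported, forcing rollover), and every name, target and day number in it is a constructed assumption.

```python
"""Constructed model of the sub-address lifecycle debated above.

This is an added illustration, not ISACS code and not a description of any
real implementation. It encodes three rules exactly as they are stated in
the thread:

  1. Each challenge a harvester induces mints a fresh sub-address bound to
     the targeted base address (Bart's "grow" step).
  2. A sub-address that is never used within `expiry_days` of being issued
     expires (Michael's proposed seven-day limit; `None` disables the rule,
     which is the "normal email user" baseline).
  3. A sub-address that carries spam is disabled as soon as the spam is
     reported, so the next run must roll over to another sub-address
     collected for the same target (Bart's rollover scenario).

All names, numbers and targets below are assumptions chosen for the demo.
"""
from dataclasses import dataclass


@dataclass
class SubAddress:
    target: str        # base address the sub-address was minted for
    issued_day: int    # day the challenge was emitted
    used: bool = False
    disabled: bool = False

    def is_live(self, day: int, expiry_days) -> bool:
        """Deliverable on `day`? Disabled addresses never are; unused ones
        expire once they are older than `expiry_days` (if a limit is set)."""
        if self.disabled:
            return False
        if expiry_days is not None and not self.used and day - self.issued_day > expiry_days:
            return False
        return True


class Registry:
    """Stands in for the victims' ISACS instances: mints, delivers, disables."""

    def __init__(self, expiry_days):
        self.expiry_days = expiry_days
        self.minted = []

    def challenge(self, target: str, day: int) -> SubAddress:
        sub = SubAddress(target, day)
        self.minted.append(sub)
        return sub

    def deliver(self, sub: SubAddress, day: int) -> bool:
        """Attempt delivery; True only if the sub-address is still live."""
        if not sub.is_live(day, self.expiry_days):
            return False
        sub.used = True
        return True

    def report_spam(self, sub: SubAddress) -> None:
        sub.disabled = True


def harvest(registry, targets, per_target, day):
    """Harvesting run: induce `per_target` challenges from every target."""
    return {t: [registry.challenge(t, day) for _ in range(per_target)] for t in targets}


def spam_run(registry, harvested, day):
    """One spam run: per target, use the first still-live sub-address.
    Every delivered spam is assumed to be reported at once, disabling that
    sub-address. Returns the number of targets actually reached."""
    reached = 0
    for subs in harvested.values():
        live = next((s for s in subs if s.is_live(day, registry.expiry_days)), None)
        if live is None:
            continue
        if registry.deliver(live, day):
            reached += 1
            registry.report_spam(live)
    return reached


def campaign(targets, per_target, run_days, expiry_days, harvest_day=0):
    """Harvest once, then spam on each of `run_days`; return spam delivered per run."""
    registry = Registry(expiry_days)
    harvested = harvest(registry, targets, per_target, harvest_day)
    return [spam_run(registry, harvested, d) for d in run_days]


if __name__ == "__main__":
    targets = ["alice", "bob", "carol", "dave"]   # constructed victim base addresses
    runs = [1, 3, 10, 12]
    print("7-day expiry :", campaign(targets, 3, runs, expiry_days=7))
    print("no expiry    :", campaign(targets, 3, runs, expiry_days=None))
```

With three sub-addresses collected per target on day 0 and spam runs on days 1, 3, 10 and 12, the seven-day rule leaves the third sub-address dead by day 10, so the stockpile only buys runs inside the window; with no limit the same stockpile lasts until every collected sub-address has been burned by a reported run. The model assumes every delivered spam is reported immediately; slower reporting lengthens the rollover window Bart describes, which is the parameter a practitioner would want to vary.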
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg