Re: [Asrg] Re: bounces, and anti-spam principles
2007-01-23 10:22:06
On Tue, 23 Jan 2007 11:54:53 +0000
Tony Finch <dot(_at_)dotat(_dot_)at> wrote:

> On Mon, 22 Jan 2007, gep2(_at_)terabites(_dot_)com wrote:
> > OK, so let's say Aunt Matilda's system gets a virus on it, and starts
> > sending out spam (sooner or later, MOST machines will be infected at
> > least once...!) Now what?
>
> Her machine gets quarantined and her ISP helps her (manually or via a
> special web site) to fix her computer. This is not quite a pipe dream -
> see http://wesii.econinfosec.org/draft.php?paper_id=47
> (You can Google for an HTML version.)

I agree that the zombie spambot problem is key (and it
might even be the case that ISPs will someday be
considered liable for allowing worm/virus messages to be
delivered to their customers, given the relative ease of
detecting those at their level...). One of the advantages
of my approach is that it virtually eliminates the
viruses/worms which infect machines and produce these
spambot armies (well, at least it virtually eliminates
their propagation by E-mail...!)
The paper ignores the fact that a lot of spam messages are
nearly impossible to detect using scanners, unless you
block images and other attachments, scripting, and HTML.
Their contention that zombie spambot networks can be dealt
with by their ISP help desks is ridiculous, given the
scope of the problem and the general incompetence of those
help desks. Their so-called "automated" approach strikes
me as little more than a nice fantasy, at least in the
general case.
In any case, I still contend that simplistic blocking by
IP address or domain name is a very poor approach, and for
a whole variety of reasons.

> > And what about the case where Aunt Matilda's system IS NOT infected,
> > never has been, but where her mail service is impacted (as mine has
> > been) by SOMEONE ELSE's machine being infected, and forging HER return
> > address on the e-mails?
>
> The blacklists I'm talking about work on IP addresses not email
> addresses.

Dialup machines, for example (and there are still a lot of
those) don't generally have fixed IP addresses.

> > > They also deal with the vast majority of spam very cheaply.
> >
> > "Cheaply" isn't necessarily "well".
>
> It is if you use the right blacklists, e.g. the Spamhaus ones.

I still consider the use of blacklists (either IP or
domain name or E-mail address based) as a poor solution,
due to the transient nature of dialup IP addresses, and
the difficulty of rehabilitating addresses. Also, very
large networks of computers (say, an entire large company,
or say a campus) operating using NAT could be compromised
because just one machine (even a "visiting" portable
notebook machine via a wireless connection) sent spam,
causing their router's IP address or mail server's IP
address to be blacklisted.
The problem with blacklists is that it is a wild goose
chase... and you're trying to lock the door AFTER the
horse has gotten out. The person pulling the wagon (in
this case the spammers) can pull it any direction they
like, and everyone else is in a crazy keystone-cops-like
race from behind. Spammers can (and do) generate an
infinite number of bogus E-mail addresses, user names,
subject lines, and even message contents. They can
eventually infect a large percentage of every machine on
the Net, worldwide.
The fact that a machine or IP address sent (once, twice,
some number of times) spam (at some point in the past) is
no guarantee that it will ever (or never!) send spam
again.
Simply blocking (as a default behavior) attachments and
HTML in messages from unfamiliar/untrusted senders (and on
a fine-grained basis, such that one can allow say JPGs but
block executable attachments, and different levels of HTML
too, and on a sender-by-sender basis) goes a LONG, LONG
way to stopping E-mail distribution of viruses and worms
and trojans (and thus the recruitment of spambot nets),
and at the same time is the single biggest step that can
be made to allowing SpamAssassin and similar content
filters to do their job far more effectively.
Gordon Peterson
http://personal.terabites.com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
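The sender-by-sender attachment and HTML policy Gordon sketches above, as an added example that is not part of the original thread or of any project it mentions. The trust levels, the address book, the policy table and the sample message are all constructed here and are hypothetical. Trust is keyed on the From: header purely for simplicity; as the thread itself points out, return addresses are routinely forged, so a real deployment would key the lookup on an identity the receiving system has actually authenticated.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Constructed per-trust-level policy (hypothetical names, not from the thread).
# allowed_attachment_types = None means any declared type is accepted.
POLICY = {
    "unknown": {"allow_html": False,
                "allowed_attachment_types": {"image/jpeg", "image/png"}},
    "known":   {"allow_html": True,
                "allowed_attachment_types": {"image/jpeg", "image/png",
                                             "application/pdf"}},
    "trusted": {"allow_html": True, "allowed_attachment_types": None},
}

# Executable content is dropped at every trust level: the thread's own point
# is that a trusted correspondent's machine may be the one that is infected.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                         ".vbs", ".js")

# Constructed address book mapping sender addresses to trust levels.
ADDRESS_BOOK = {"colleague@example.org": "known",
                "spouse@example.org": "trusted"}


def classify_sender(from_header, address_book=ADDRESS_BOOK):
    """Map a From: header to a trust level; anyone not listed is 'unknown'."""
    _, addr = email.utils.parseaddr(from_header)
    return address_book.get(addr.lower(), "unknown")


def filter_message(raw_bytes, trust):
    """Rebuild a message keeping only the parts the trust level permits.

    Returns (filtered EmailMessage, list of actions taken)."""
    rules = POLICY[trust]
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if name in msg:
            out[name] = msg[name]
    actions = []

    # The plain-text body is always kept (empty if the message had none).
    plain = msg.get_body(preferencelist=("plain",))
    out.set_content(plain.get_content() if plain is not None else "")

    # The HTML alternative only survives when the sender's level allows it.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        if rules["allow_html"]:
            out.add_alternative(html.get_content(), subtype="html")
            actions.append("kept html")
        else:
            actions.append("stripped html")

    # Attachments: executables go regardless of declared MIME type, then the
    # declared type is checked against the level's allow-list.
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            actions.append(f"blocked executable {name}")
            continue
        allowed = rules["allowed_attachment_types"]
        if allowed is not None and ctype not in allowed:
            actions.append(f"blocked {ctype} {name}")
            continue
        out.add_attachment(part.get_payload(decode=True),
                           maintype=part.get_content_maintype(),
                           subtype=part.get_content_subtype(),
                           filename=part.get_filename())
        actions.append(f"kept {ctype} {name}")
    return out, actions


def build_sample_message():
    """Constructed sample: text + HTML body, a JPEG and a .exe attachment."""
    m = EmailMessage()
    m["From"] = "Aunt Matilda <matilda@example.net>"
    m["To"] = "gep2@example.com"
    m["Subject"] = "holiday photos"
    m.set_content("Photos attached.")
    m.add_alternative("<html><body><p>Photos attached.</p></body></html>",
                      subtype="html")
    m.add_attachment(b"\xff\xd8\xff\xe0not-really-a-jpeg", maintype="image",
                     subtype="jpeg", filename="holiday.jpg")
    m.add_attachment(b"MZnot-really-an-exe", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    sender = email.message_from_bytes(raw, policy=policy.default)["From"]
    filtered, actions = filter_message(raw, classify_sender(sender))
    print("\n".join(actions))
```

Run against the constructed sample, an unknown sender loses the HTML part and the .exe but keeps the text and the JPEG; a trusted sender keeps the HTML as well, but the executable is still dropped. Placing a step like this ahead of a content filter is what Gordon is getting at: whatever survives is plain text plus a small set of known-harmless types, which is exactly the material a scorer such as SpamAssassin handles best.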