
Re: [Asrg] Re: bounces, and anti-spam principles

2007-01-23 10:22:06
On Tue, 23 Jan 2007 11:54:53 +0000 Tony Finch <dot(_at_)dotat(_dot_)at> wrote:
> On Mon, 22 Jan 2007, gep2(_at_)terabites(_dot_)com wrote:
>
> > OK, so let's say Aunt Matilda's system gets a virus on it, and starts sending out spam (sooner or later, MOST machines will be infected at least once...!)
> > Now what?
>
> Her machine gets quarantined and her ISP helps her (manually or via a special web site) to fix her computer. This is not quite a pipe dream -
> see http://wesii.econinfosec.org/draft.php?paper_id=47
> (You can Google for an HTML version.)

I agree that the zombie spambot problem is key (and it might even be the case that ISPs will someday be considered liable for allowing worm/virus messages to be delivered to their customers, given the relative ease of detecting those at their level...). One of the advantages of my approach is that it virtually eliminates the viruses/worms which infect machines and produce these spambot armies (well, at least it virtually eliminates their propagation by E-mail...!)

The paper ignores the fact that a lot of spam messages are nearly impossible to detect using scanners, unless you block images and other attachments, scripting, and HTML.

Their contention that zombie spambot networks can be dealt with by their ISP help desks is ridiculous, given the scope of the problem and the general incompetence of those help desks. Their so-called "automated" approach strikes me as little more than a nice fantasy, at least in the general case.

In any case, I still contend that simplistic blocking by IP address or domain name is a very poor approach, and for a whole variety of reasons.

> > And what about the case where Aunt Matilda's system IS NOT infected, never has been, but where her mail service is impacted (as mine has been) by SOMEONE ELSE's machine being infected, and forging HER return address on the e-mails?
>
> The blacklists I'm talking about work on IP addresses not email addresses.

Dialup machines, for example (and there are still a lot of those) don't generally have fixed IP addresses.

> > > They also deal with the vast majority of spam very cheaply.
>
> > "Cheaply" isn't necessarily "well".
>
> It is if you use the right blacklists, e.g. the Spamhaus ones.

I still consider the use of blacklists (either IP or domain name or E-mail address based) as a poor solution, due to the transient nature of dialup IP addresses, and the difficulty of rehabilitating addresses. Also, very large networks of computers (say, an entire large company, or say a campus) operating using NAT could be compromised because just one machine (even a "visiting" portable notebook machine via a wireless connection) sent spam, causing their router's IP address or mail server's IP address to be blacklisted.

The problem with blacklists is that it is a wild goose chase... and you're trying to lock the door AFTER the horse has gotten out. The person pulling the wagon (in this case the spammers) can pull it any direction they like, and everyone else is in a crazy keystone-cops-like race from behind. Spammers can (and do) generate an infinite number of bogus E-mail addresses, user names, subject lines, and even message contents. They can eventually infect a large percentage of every machine on the Net, worldwide.

The fact that a machine or IP address sent (once, twice, some number of times) spam (at some point in the past) is no guarantee that it will ever (or never!) send spam again.

Simply blocking (as a default behavior) attachments and HTML in messages from unfamiliar/untrusted senders (and on a fine-grained basis, such that one can allow say JPGs but block executable attachments, and different levels of HTML too, and on a sender-by-sender basis) goes a LONG, LONG way to stopping E-mail distribution of viruses and worms and trojans (and thus the recruitment of spambot nets), and at the same time is the single biggest step that can be made to allowing SpamAssassin and similar content filters to do their job far more effectively.

Gordon Peterson
http://personal.terabites.com

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
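The default-deny, per-sender attachment and HTML policy argued for in the message above, as an added Python illustration; it is not code from this thread or from any filter the participants describe. The trust levels, the sender table, the executable-extension list and the sample message are all constructed for the example.

```python
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Constructed policy: MIME types each trust level may receive; None = everything.
POLICY = {"untrusted": {"text/plain"},                        # unknown senders
          "known": {"text/plain", "text/html", "image/jpeg"},  # e.g. Aunt Matilda
          "trusted": None}
# Constructed per-sender trust; any address not listed is "untrusted".
SENDER_TRUST = {"matilda@example.net": "known", "admin@example.org": "trusted"}
# Treated as executable whatever the declared Content-Type, so a part labelled
# image/jpeg but named cat.jpg.exe is still dropped for non-trusted senders.
EXEC_EXTENSIONS = (".exe", ".scr", ".bat", ".com", ".vbs")

def trust_for(from_header):
    _, addr = parseaddr(from_header or "")
    return SENDER_TRUST.get(addr.lower(), "untrusted")

def filter_message(raw):
    """Return (kept, dropped) names of leaf MIME parts under the sender's policy."""
    msg = message_from_string(raw)
    allowed = POLICY[trust_for(msg["From"])]
    kept, dropped = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content themselves
        ctype = part.get_content_type()
        name = part.get_filename() or ctype
        executable = name.lower().endswith(EXEC_EXTENSIONS)
        if allowed is None or (ctype in allowed and not executable):
            kept.append(name)
        else:
            dropped.append(name)
    return kept, dropped

def build_sample(sender):
    """Constructed message: text, HTML, a JPEG and an executable mislabelled as JPEG."""
    m = MIMEMultipart("mixed")
    m["From"] = f"Aunt Matilda <{sender}>"
    m.attach(MIMEText("Here are the photos."))
    m.attach(MIMEText("<p>Here are the <b>photos</b>.</p>", "html"))
    m.attach(MIMEImage(b"\xff\xd8\xff", "jpeg", name="cat.jpg"))
    m.attach(MIMEImage(b"MZ\x90\x00", "jpeg", name="cat.jpg.exe"))
    return m.as_string()

if __name__ == "__main__":
    for sender in ("matilda@example.net", "stranger@example.com", "admin@example.org"):
        print(sender, filter_message(build_sample(sender)))
```

A real deployment would strip or quarantine the dropped parts and note the action in the delivered copy; the example only reports the decision so the policy is easy to inspect.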