Re: [Asrg] Quarantines and block lists
2007-01-27 20:53:58
[On second thought, I DON'T want to define spam as UBE.
Labeling UBE
as spam labels the sender as a spammer which carries a
negative
connotation. I just want to block UBE without calling
anyone a
spammer and getting sued]
Again, all these problems are eliminated once you allow
the RECIPIENT to determine what they do and don't want to
receive and read.
I think it's also worth considering a subtle but perhaps
important distinction between recommending that the
recipient customer delegate the choice(s) to the ISP, as
compared to "suggesting" rules that the recipient customer
can choose to select (or not).
A litigious spammer could still sue an ISP for
implementing rules (especially if those rules change after
the customer recipient delegates the authority) which
disadvantage the spammer.
Here is my proposal. I'm sure I haven't thought of
everything so
please tell me where it breaks or how spammers are going
to game it.
The goal is to stop the majority of the spam while not
loosing ANY
legitimate email (broken MTAs don't count).
To begin with, crude IP blocks will ALWAYS lose legitimate
mail, because a single IP address can send both legitimate
and zombie-generated mail. I propose that NO ISP-based
software will be capable of differentiating one from the
other... but the recipient possibly will know how to do
that, at least for familiar senders.
This is not intended to
replace existing blocklists but to handle the initial
onslaught from
a spam source until the source can be properly
categorized and listed.
Proposal #1 is a quarantine for new sources:
Connections from unknown source addresses would be
initially rejected
by returning a temporary error code (4xx) for a
probation period. The
probation period could be as short as 5 minutes
depending on how fast
the blocklists can respond. The reject would occur after
the
recipient list is accepted so the recipients can be
checked against
local spamtraps and valid user lists. After the
probation period,
global blocklists would be queried to find the current
reputation of
the source.
While spamtraps and valid user lists are helpful
sometimes, they will not trigger if the spammer is using
"fresh" E-mail address lists which are also devoid of
spamtrap E-mail addresses.
Proposals #2 & #3 are for a fast global block advisory
and
distribution network
Any email addressed to a spamtrap would generate a
report to a local
trap handler. The local trap handler would forward
appropriate
reports to the regional or global blocklist managers.
The blocklist
managers would publish advisories based on the
reputations and counts
of the traps that were hit by the sending IP.
IP address blocking, again, is simply too crude. A
further and more serious problem is that you have
basically no way to be 100% sure of who the "sending IP"
actually is.
For just one example, Yahoogroups send millions of E-mail
messages per day, from (doubtless) a large server farm.
Different Yahoogroups vary dramatically in terms of how
attentively they are moderated. Some are moderated with
great care; other groups have been abandoned or stranded
by their owners and have been operating on autopilot, some
for many years, and many such groups have been
'discovered' and are heavily abused by spammers. (Indeed,
it seems that many Yahoogroups send very little OTHER than
spam). So what IP address(es) do you plan to block? All
of Yahoogroups? That's obviously a non-starter.
Or let's say that Aunt Gertrude's machine gets infected by
a worm, which starts sending out E-mails using Aunt
Gertrude's account at the ISP, via the ISP's mail server.
Are you going to block everything coming from that mail
server? What if it is a VERY large ISP? Obviously, it
would have been nice if that ISP's outgoing mail rules had
caught the messages, but in this case let's recognize that
they didn't.
If the source is
emitting a sufficient volume of spam this happens before
the initial probation period expires.
Again, that's part of what I said about spammers
engineering their mails so they squeak under whatever
threshold is established to trigger spam alarms. That can
be done on content, sending rate, or any other
generally/widely used criteria.
DNS is probably a poor choice for distribution of the
global fast
response block advisories.
Obviously, since a change in status doesn't propagate
quickly enough.
I think a form of flood
distribution
through a mesh of peer nodes would be more robust. The
distribution
would feed local databases that could be queried
directly or through
a DNS front end. The mesh can handle data from multiple
sources and
needs no central authority.
And how do you propose to prevent worms from targeting and
flooding or doing other Denial of Service attacks on that
mesh?
Proposal #4 is back reporting unsolicited email:
If email addressed to certain spamtraps is received from
a sender
that has registered to accept back reports,
Original sender? A forwarding sender? An aggregating
sender? How does the objecting MTA make sure?
accept the
mail but
return a specific code in the response that the sending
MTA can
interpret to make a determination if the sender is
spamming.
Alternatively, the site may register a different
protocol to use for
the back report. The spamtraps used for back reporting
should be
different from those reported to global blocklists to
prevent
disclosing the traps to rogue ISPs that would forward
them to
spammers. Only some of the traps would be used for back
reporting to
any given network or host.
I'm not convinced that returning ANY "spamming!" status to
any imagined source is really worthwhile. To begin with,
I think that most such reports will be discarded or
archived, and just create additional worthless traffic on
the Net. Secondly, if the "back reporting" can be
misdirected (by counterfeiting E-mail or ISP addresses)
then the creative spammer can induce the bounce message
MTA to effectively be the "proxy" "sending source" of the
spam, tricking it into sending the bounce message to the
third party. (I used to get a fair amount of such
apparently-intentional bogus bounces... and indeed, I
still get a lot of antispam bounces into my "catch-all"
E-mail account at a vanity domain, generally resulting
from spammers who are counterfeiting randomly generated
"From" addresses supposedly within my domain).
Proposal #5 is a quarantine while a site is listed in a
block advisory.
Established sources that get listed in local or global
block
advisories should have their mail quarantined while the
mail is
sorted out. The best place to quarantine the mail is on
the sending
server. It's already queued there and if it is
eventually determined
that it should be rejected,
And on what basis or set of rules do you propose that such
determination be made? I will suggest that (at least for
some non-obvious cases) that determination could be
difficult or even impossible to do accurately.
Apart from (as previously noted) the problem of
determining after the fact with any real accuracy just who
the "sending server" actually is, particularly for
multi-hop mail deliveries. It's easy enough to forget
that not all E-mail deliveries are simple
user->ISP->ISP->user transfers.
Vanity domains that provide mail forwarding are just one
example of a way that intermediaries enter into a mail
delivery chain. Aggregators/forwarders like Yahoogroups
are another.
that can be done with a 5xx
on the next
delivery attempt instead of sending a bounce.
And what if the next E-mail coming from that IP address is
legitimate, non-spam E-mail?
If the sending ISP is
on their toes an offending user or host will be shut
down quickly and
the remaining mail will be delivered when the block
advisory is
lifted or expires.
And what happens to their legitimate outgoing mail in the
meantime?
Local whitelists can be used to allow
mail to
bypass the quarantine.
That's fine, but (again) I believe that traditional,
simple "whitelists" are not nearly adequate. I believe
that a viable whitelist MUST comprise a recipient/sender
pair of addresses, AND additional criteria regarding what
the recipient expects to receive from the sender in
question.
More to the point, once THAT is done, I believe that IP
address blocking becomes essentially superfluous (and
indeed, COUNTER productive).
-- Dan Oetting
[comment #2]
Subject: HTML-burdened email (Re: [Asrg] Re: bounces,
and anti-spam principles)
} I don't consider that ANYBODY has the right to blindly
} haul off and presume that I'm willing to accept
} HTML-burdened E-mails from them.
You're welcome to take that position, but it doesn't
seem to fit with
the rest of your argument that what gets accepted should
be controlled
on a per-user basis.
Yes, it does.
Certainly a user COULD configure their default behavior to
allow HTML (perhaps a limited 'subset' of HTML) from
non-whitelisted senders. I wouldn't consider that
anything remotely like a "best practice", and one would
hope that the great majority of users would use the
recommended defaults if they wanted effective spam (and
virus/worm) blocking. Educating the users toward that end
would be to the ISP's advantage, obviously.
Elsewhere you wrote:
} Even 2% legitimate traffic is too much to block, if
that
} 2% is critically important stuff.
How is blocking legitmate email because it contains HTML
less wrong
than blocking it based on point of origin?
1) You in the general case will have difficulty
determining the REAL "point of origin". Whether a message
contains HTML or not is far less subjective.
2) If the sender has not previously been in contact with
the recipient, they can not be sure that the recipient is
capable of handling HTML-burdened E-mail (they might have,
for example, a text-only E-mail client). Sending
HTML-burdened E-mail BEFORE establishing that the
recipient is willing and able to handle it violates every
"best practice" for that area. (I have gotten HTML-only
mail from senders with "clickable links" to say I want
plain-text mail.... which obviously is laughable for the
great majority of less-tech-savvy users).
3) Content-based antispam determination can be FAR more
efficient and FAR more accurate if all the various
HTML-based ruses are simply banned from the get-go. Users
who suddenly see a great reduction in spam, pfishing,
viruses and worms (and with the explanation of why) are
likely to quickly become believers. :-)
} It doesn't matter. You simply block (by default) ALL
} images (whether embedded or attached) coming from
} unfamiliar/first time senders. If they want to send
} images, they first negotiate that permission with the
} intended recipient. (And that permission, of course,
can
} be revoked by the recipient if the privilege is
abused).
[...]
} There is NEVER the NEED to send
HTML/attachments/scripting
} to someone in an INTRODUCTORY E-mail. Not until
you've
} established that they are willing and able to receive
that
} kind of content from you.
This presumes a whole lot of effort on the part of the
recipient in a
variety of circumstances.
No. If the software is well-written, the effort required
by the recipient is relatively trivial.
It could be as simple as NO effort, if (for example) the
introductory E-mail from a not-previously-seen sender is
NOT marked as spam by the recipient upon reading it (which
might enable, for example, a slightly more liberal
filtering on subsequent mail from that same sender).
Again, that's a detail of the implementation of the
client software, where presumably clever programmers can
do good things. :-)
(1) I'm shopping at a major retailer's website and
decide to sign up
for their newsletter. What happens if the confirmation
message uses
HTML content (not uncommon)?
Obviously, it SHOULD NOT use HTML content, for the simple
reason that said retailer CAN NOT be certain that the
person asking to be on their newsletter list is able to
handle (or WANTS to receive) HTML-burdened mail messages.
The first such "welcome to our mailing list" message ought
to be sent in plain text, asking for permission to send
HTML (or, perhaps better, at the time the user requests to
be placed on the mailing list, they should be able to
specify HTML or plain text, and with the explicit mention
that if the HTML option is chosen, they might need to
enable that option from the sender in question).
But let's presume everyone
has bought
into your scheme, so a plain text confirmation arrives.
I now have
to take the additional step of confirming (where? has my
email client
but updated to include an interface for this?)
Ideally, yes, the client software ought to include
awareness of and support for this capability. I've been
trying to talk Microsoft into adding such a capability
into both Outlook and Outlook Express, for example. (Who
knows whether I've caught the ear of anybody worthwhile
with the concept yet, or not).
that I'll
accept HTML
from the same source in the future.
Hopefully that's capable. One approach would be for such
an "aware" client to pop up a box with a "this is the
first time you've gotten E-mail from this sender, what do
you want to do with mail from them in the future?" dialog
box. There could be a variety of options (discard,
forward, redirect, archive, I'll decide later/ask me again
for future nonconforming mail from this sender, whatever).
There could be different choices for "conforming" versus
"nonconforming" messages, perhaps. I don't think we have
to design the user interface to that level HERE, in any
case.
Assuming that the confirmation
and the newsletter come from the same source, that is,
which also is
not always the case.
True, although if that is recognized as important to
legitimate mailers, they can certainly correct such
questionable behavior.
(2) I'm working with an HTML design firm. They're doing
a rush job
for me, which has to be confirmed on Saturday so it can
be turned over
to my IT staff to be installed on the company website
before Monday
morning; but I'm going to be out of town, so I want a
copy of the work
sent to another address such as a freemail service so I
can easily
review it.
1) You can certainly simply have them post their work to
a Web site (theirs?) and send you an e-mail with the URL.
2) If you're working with an HTML design firm, obviously
you can whitemail their E-mail address to send you HTML.
The HTML contains images and scripts, but
the design firm
has never sent mail to that freemail service before, and
I don't know
which of their team of designers might be sending the
final product.
Either ask, or have them post the page to a (private) Web
site where you can go and review it.
Even if you don't know which specific designer might be
sending you the message, nothing in my proposal would
prevent (for example) the capability of the software
allowing you to whitelist by domain, regardless of what
user there sent the mail (you might have a different
"catch-all" default permissions list than the per-user
permissions list).
How much effort must I go to up front to be able to tell
them they can
send me an attachment that I know will reach me?
Again, I don't see a problem here.
(3) My biggest customer is a giant corporation which
requires its
employees to use Microsoft Outlook and to attach a
vCard-like signature
to every email, using a background stationery and having
an image of
the company's latest logo because they're engaged in a
major rebranding
initiative. Not surprisingly, they have massive
turnover, so the
people there who send email to a variety of people at my
company
changes every several weeks. Who's responsible for
upkeep of all of
those individual agreements to exhange HTML with each
other?
Again, the recipient could presumably set up a "catch-all"
whitelisting which would enable selected E-mail HTML
features and selected attachment types from any user at a
given company's domain. For example, allow (hell, even
REQUIRE) V-card attachments or JPGs for mail from that
domain, but (for example) not allowing scripting,
executable attachments, or ActiveX.
[comment #3]
Subject: Re: [Asrg] Re: bounces, and anti-spam
principles
Our overall system is designed towards _zero_ false
positives. In at
least one way, we're theoretically (and near
effectively) there. With
DNSBLs and other techniques.
Obviously, I'd have to reserve judgement until I've
experienced your
"zero false positives" idea. Let's just say that I've
got a healthy
degree of skepticism.
I have 10+ years worth of exposure to this model (I
built the thing)
with a user population of 60-120K and extreme FP
aversion all the way up
to the CEO, you're welcome to come visit and I'll
demonstrate it for you.
It only fails to be "zero false positive" when the
legitimate sender
fails to read/follow the rejection notice. Which
happens a lot more
than I'd like, but if the message isn't worth that much
to the sender,
it's probably not worth doing much about it on our end
either.
1) How do you determine who the actual "legitimate
sender" is?
2) How do you make sure they receive it?
Not everyone has that small a set of correspondents to
cope with, and
the "new correspondent" issue remains a big problem.
The total set of correspondents doesn't have to be
small. It just needs
to have a relatively small number of NEW correspondents
that NEED to use
"advanced"/riskier features and therefore require
whitelisting.
The question is how do you even know of the new
correspondents, when
you're being bombarded with dozens or hundreds of new
correspondents per
day.
To begin with, conforming E-mails from new correspondents
(no HTML, no attachments, size within limits, and passed
by SpamAssassin or similar) will sail right through. No
problem.
Presumably each recipient could configure the "what to do
with nonconforming e-amils from unknown senders" option as
the user wished. Discard mercilessly, allow me to look at
the text part, or whatever.
It's all well and good, if the spammers aren't forging
names, to allow
them one bite before you null the sender, but today's
reality isn't like
that. The "one bite" on sender, or even on url or
content, essentially
means you have to eat almost all spam. Because spammers
mutate their
content and senders that much.
Absolutely. They generate random From; addresses and
random Subject: information (and random other stuff too,
like Received: lines indicating bogus original senders).
But of course, we here all ought to know that full well.
That's why my personal recommendation for "best practice"
is to simply block -all- HTML messages from unfamiliar
senders, on the idea that they are trying to conceal
something, or at the very least are being inconsiderate
and clueless enough that I don't want to hear from them.
Others might well choose diffeently, of course.
We're tracking spammers
who use in
excess of 1000 different domains in urls. Can per-user
techniques cope
via whitelisting or blacklisting? Not a chance.
That's what makes blacklisting not work... there are
infinitely many E-mail addresses you need to blacklist.
A fine-grained whitelist (and one which allows mail from
reasonable but non-whitelisted users) DOES offer a finite
task, that can be relatively easily handled.
The only way your techniques can work effectively is if
you assume that
the recipient is getting very little spam.
I don't think it's particularly volume-sensitive... other
than the fact, of course, that ANY system could
conceivably be flooded by a sufficiently determined DoS
attack.
Well, 50% of our users are
being sent almost no spam.
Your users are very fortunate. Perhaps they haven't had
those E-mail addresses for very long, or don't do much
with them.
But that doesn't help with
the guy getting
sent 4000/day. Or even the hundreds getting 50 or more.
I don't see why my approach won't handle such cases with
ease.
The only way your technique works is if you're one user
with a limited
variety and volume of spam. But not everybody is in the
same situation
as you.
Again, I don't agree with your conclusion. My proposed
default rule and fine-grained whitelisting (combined with
SpamAssassin or similar content scanning on the remainder)
with have a VERY high efficacy at detecting and dealing
with spam.
Ideally, each such correspondent only requires ONE click
(one time) for
the user to agree to allowing them to use the more
advanced features.
That might be done following an initial negotiation
E-mail where the
sender introduces themself and requests the ability to
send more
elaborate mails.
You seem to be focussing on only blocking "advanced
features". A large
percentage of spammers don't use them anyway. If all
your spam consists
of mutating text-only spam with mutating headers, your
technique has no
effect.
That's true, if the SpamAssassin component is unable to
make a reasonable determination. On the other hand, mail
that has passed the initial fine-grained-whitelist
criteria is at least going to be devoid of most of the
tricks which make things VERY problematical for the
content scanners.
Some users COULD choose to ONLY allow E-mail from the
whitelisted E-mail addresses, if they decide that is the
approach that makes them happiest. (e.g. set the "default
maximum size accepted" to zero bytes).
Introductory E-mails should NOT automatically presume
the desire or
willingness of the recipient to receive HTML-burdened
E-mails.
But if all spam were indistinguishable from
"introductory e-mails",
where are you then?
No worse than at present.
And BETTER, since the "no attachment, no HTML" default
rule would seriously cripple zombie spambot army
recruitment.
And indeed, probably most spam isn't distinguishable
from some vague
notion of "introductory e-mails" by your technique.
That at least switches the problem to a relatively simpler
problem of improving the antispam content-based
detection... i.e. making a better version of SpamAssassin.
At least the future SpamAssassin is relieved of nearly all
of the nearly impossible cases it is forced to (not?) deal
with today.
The main problem with content filtering is caused by
ruses based on HTML
and attachments. These techniques serve to obscure the
content of the
E-mail, and ALL BY THEMSELVES the presence of such
content in E-mails
(at least in E-mails from unfamiliar senders) can be a
priori evidence
of hostile intent, or spamming.
If you can _detect_ those ruses.
Of course. Some of my filtering code I've written, for
example, looks for things like "obscured" URLs, or
obfuscated IP addresses in URLs.
You and I may be able
to detect it in
on a per-message basis with visual inspection, but
computers generally
can't, say, identify sentences generated using random
words. Try
building a filter for hipcrime some day... Plain text.
Random headers.
No "advanced features". Good luck.
You're also faced with things like foreign language
E-mails (Chinese, for example). Even using grammar tests,
E-mails might have a large amount of bogus
respectable-looking content (say, ten jokes followed by
the 'payload' spam). Again, at some point you're going to
see some spam slide through. I believe my approach would
take a BIG bite out of it, though.
Much of the recent evolution in spam content techniques
has been to get
away from ruses that are detectable as ruses. It used
to be a common
technique to insert random invalid html tags in spam.
Defeatable by
simply looking for invalid html tags or meta (eg:
tag)/content ratios.
But they don't do that anymore, do they?
I don't know... since the filters I most recently wrote
T-canned all that stuff anyhow. But I don't doubt that
spammers will eventually mutate to try to avoid schemes
that don't work anymore.
One of my goals is to HUGELY increase that set. :-)
And
meta/content ratios can be
_extremely_ high in legitimate email (just look at the
gunk that outlook
produces for simple emails some day).
Are you talking about HTML?
Look for identical gifs? Well, they stopped emitting
identical gifs
months ago.
I'd block ALL mail containing GIFs (or any other kind of
attachment) by default, from unknown senders. Such tricks
hit a solid brick, impenetrable wall.
I had some luck with looking for gif geometry (scan for
gif prefixes
containing identical image dimensions). That stopped
working too.
Yeah, I don't think such schemes have much potential.
Again, when you have a LOT of users (and possibly MANY
servers) behind a
NAT router, denying mail from that IP address results in
simply too much
collateral damage. More to the point, it's a very blunt
instrument for
the job, and it's relatively simple to do very much
better.
So far, there's no indication of the latter being true.
I do note you don't refute my objection on principle.
:-)
But in fact, I do.
Let's cut to the chase. Your argument about source IP
blocking being a
blunt instrument is well-taken and true. It _is_ a
blunt instrument.
So's a sledgehammer. You wouldn't use a sledgehammer to
install window
trim would you? But a carpenter probably still has and
uses a
sledgehammer for a different part of the same job of
building a house.
Your argument assumes that IP-blocking is the ONLY
technique being used
- - if all you have is IP-blocking, trying to
discriminate between good
and bad content from a given IP (say an ISPs MTA)
doesn't work.
Well, yeah, duh ;-)
Your argument assumes that the administrator hasn't made
any effort to
make an intelligent choice on which DNSBL to use - and
is hence at the
mercy of capricious listings of any old random IP.
Well, yeah, if you've chosen to use BLARS, you get what
you deserve.
Yup both true. But so what?
What's to prevent you from doing the intelligent thing
and using
multiple complementing techniques simultaneously?
Nothing at all, and in fact that's what I'm proposing.
I just happen to believe that IP address reputation is
neither necessary nor sufficient (and perhaps not even
particularly desirable) as a component in that.
The XBL, for example, is _extremely_ reliable at
detecting compromised
end-user machines. All by itself it will block 70-85%
of all spam.
Fine. But it also blocks LEGITIMATE mail coming from
those machines, right?
By it's very nature it doesn't list real MTAs (eg: ISP
smarthosts).
What if the spam is sent through ths "smarthost"? You
might claim that's not being done today, but nothing
prevents spammers from doing that.
It has
a false positive rate lower than virtually any content
filter.
Certainly _way_ lower than any notion of trying to block
spam based on
detecting "advanced features".
Fine, if you're a believer in IP address filtering, then
use that as a component. But I still believe that it's
not as good as a better differentiation technique, with
less collateral damage.
Why not let the users choose? How many of your users
know what the XBL
is? About 5 of mine _might_. I'm not even sure you do.
How many of
them have spent the manhours needing to learn what knobs
do a good job?
I think the nature of 'knobs' given to end users will OF
COURSE be different than the type of 'knobs' given to
IETF-types.
Less than that. How many of them would do nearly as a
good job at it?
Few, IF they were adjusting IETF-type knobs. That's NOT
what I'm proposing.
Even I, with over 10 years of experience in this game,
could not do an
acceptable job on email landing in my _own_ mailbox
using your
techniques.
I guess a lot depends on what you consider "acceptable",
and how good the content scanner is that you have.
[comment #4]
Subject: Re: [Asrg] Re: bounces, and anti-spam
principles
[how users configure their whitelist rules]
>The problem being that out of the 60,000 seats here,
perhaps less
>than 10 of them are able to competently configure a set
of rules like
>what you have.
That's a software implementation issue, not an inherent
problem in the approach. I envision a button to click
on
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I guess that's the main reason why your ideas aren't met
with wild
enthusiasm here. You "envision" that this would be
simple to build and
to use, but it's not even clear that you have even built
a prototype
which you use yourself, much less deployed the system
for "ordinary
users", which aren't quite sure what an "HTML mail" is,
and have never
heard about an "ActiveX component".
I've built and have used portions of what I propose.
Obviously it will work best if the proposed default rules
are widely used.
As for "deploying it for ordinary users", I think I could
make the same claim regarding all these DNS-based
proposals that y'all are so fixated on. Again, good
software implementation doesn't have to depend on users
understanding those details (but it COULD offer that level
of detail, for advanced users who cared). Since I don't
work at an ISP, and I'm not being paid to do this stuff,
what I build and use myself is more a function of what the
effort/payback looks like for ME as an individual user.
I don't think where things fall on that particular
equation are especially relevant to whether the approach
would be a good one for more widespread adoption. :-)
that simply says "allow E-mails like this from the same
sender in the future" and where the software will open
the
keyway JUST enough to allow that type of message if seen
again from that sender.
So Uncle Bob will see that a mail from Aunt Matilda was
blocked because
it contained an "executable attachment". Since he wants
to get mail from
Aunt Matilda (and Aunt Matilda is a nice lady, she
wouldn't send him
anything bad, would she?) he clicks on "allow E-mails
like this from the
same sender in the future". Oops!
Presumably he could tell from the rest of the content in
the mail message that it really didn't look like E-mail
from Aunt Matilda. And clicking on the option could be
followed by a suitably dire dialog box, explaining the
risks of executable attachments and asking if he is REALLY
REALLY sure that the mail in question is REALLY from who
it claims to be. It could even suggest that the user call
the sender on the phone to verify the legitimacy of the
E-mail message, if they are not 100% sure.
And, presumably if he later found that his faith was
misguided, he ought to be able to later revoke that
permission...!
How that recognition is accomplished, whether by
something crude like
simple GREP-type scanning, or something brain-damaged
like RegEx
pattern matching,
You know what the two middle characters in "grep" stand
for, do you?
Regular expressions.
Which can be used in more elaborate ways than a simple
pass with something like GREP normally allows, thus the
distinction I tried to (ineffectively, it seems) make.
Gordon Peterson
http://personal.terabites.com
1977-2007 Thirty year anniversary of local area
networking
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
|
|