Re: [Asrg] Quarantines and block lists
2007-01-29 05:42:10
[comment #1]
Subject: Re: [Asrg] Quarantines and block lists
Lost Email is any email that is sent but not presented
to the user
and does not generate a DSN to the sender.
The problem is, in the case of spam as in the case of
viruses or worms, determining WHO the TRUE sender actually
is. It is safe to presume that it often is NOT the person
listed in the From: header.
Therefore, I think we should note under "good practices"
that it is NOT "good practice" to return ANY indication
(after the original SMTP-time, and thus it's pretty much
limited anyhow to just going back 'one' level) regarding
mail blocked either as spam, or mail blocked because it
contains worms or viruses. In both cases, I believe we
MUST presume that the true sender will not be accurately
determinable. To send ANY kind of a bounce message back
is likely to create more harm than good, probably just
haranguing another innocent third party.
Spammers COULD even use the expectation of the generated
'bounce' message to reflect the bounce message, along with
the copy of the original message, on to the
always-intended third party, but this time the E-mail
"originating" at the system that bounced it.
When
referring to a
receiving system loosing email it is assumed that the
sending system
is following standard procedures.
It is a safe bet that spam and viruses/worms seldom IF
EVER "follow standard procedures".
While spamtraps and valid user lists are helpful
sometimes, they
will not trigger if the spammer is using "fresh" E-mail
address
lists which are also devoid of spamtrap E-mail
addresses.
Is there evidence that spammers have 100% spamtrap free
lists? Where
are they getting their addresses from and why can't we
seed spamtrap
addresses there?
Well, I believe that a lot of addresses are harvested from
active Yahoogroups and other such mailing lists. Trying
to "seed" spamtrap addresses there (via postings) would
probably also generate legitimate replies to such posts.
Certainly not all spammers use "fresh" and valid lists but
IMHO it's poor form to imagine that NONE do.
IP address blocking, again, is simply too crude. A
further and
more serious problem is that you have basically no way
to be 100%
sure of who the "sending IP" actually is.
For just one example, Yahoogroups
That's obviously a non-starter. Yahoogroups is a
subscription based
service. A valid spamtrap would not be subscribed to any
group
(unless it was designed to catch spammers harvisting
group addresses
in which case it would take special precautions to
exclude group
related emails from the spamtrap reports).
The point is that NON-spamtrap addresses get mail through
Yahoogroups, and where you can't tell much or anything
about where the E-mail actually originated. So do you
block Yahoogroups servers by IP address?
And if you don't do anything about Yahoogroups-forwarded
spam, then you're leaving a gaping hole through which a
large quantity of spam can be sent.
Let's DO agree that it's probably not feasible to do much
of anything about spam contained within a "digest" (and we
ought to recognize, at least, the problem of antispam
contact detection triggering based on one message within
an otherwise good digest of messages). But it would be
desirable to try to handle effective spam detection for
individually forwarded Yahoogroups messages.
Again, IP-based detection blocking is nowhere close to
viable for such cases.
Or let's say that Aunt Gertrude's machine gets infected
by a worm,
which starts sending out E-mails using Aunt Gertrude's
account at
the ISP, via the ISP's mail server. Are you going to
block
everything coming from that mail server? What if it is
a VERY
large ISP? Obviously, it would have been nice if that
ISP's
outgoing mail rules had caught the messages, but in this
case let's
recognize that they didn't.
Spam has to be stopped somewhere. But read the full set
of
proposals... If a site has never received email from
that IP before
it would quarantine the first emails from that IP as in
proposal #1.
The automatic spamtrap network would generate an
advisory that the IP
is sending UBE. Then depending on the reputation of that
IP from all
sources the site would choose to a: continue the
quarantine, b:
accept the email and possibly apply additional filtering
or c: reject
the email from that IP.
I know that a lot of folks here seem to have a strong
emotional commitment to the basic concept of IP-based
blocking, but as unpleasant as it is to accept, that is
simply NOT a very good approach.
If the source is emitting a sufficient volume of spam
this
happens before the initial probation period expires.
Again, that's part of what I said about spammers
engineering their
mails so they squeak under whatever threshold is
established to
trigger spam alarms. That can be done on content,
sending rate, or
any other generally/widely used criteria.
So I've forced the spammer to send less spam. This I
call progress.
No, you've only forced them to send it at a lower rate
from probably more different locations.
ULTIMATELY what convinces them to send less spam is
because it becomes unprofitable to do it, because
virtually none of it reaches its intended destination. As
long as it's profitable to try, they can be expected to
continue.
That's one reason why it's SO critical to put the kibosh
on viruses and worms that recruit the spambot armies...
that makes it harder to proxy the spam transmissions and
diversify the origin points. Slamming the door on HTML
and attachments from unknown senders puts a MAJOR brake on
that, literally overnight, and in a way that is very
difficult to circumvent in any widespread way.
I think a form of flood distribution through a mesh of
peer nodes
would be more robust. The distribution would feed local
databases
that could be queried directly or through a DNS front
end. The
mesh can handle data from multiple sources and needs no
central
authority.
And how do you propose to prevent worms from targeting
and flooding
or doing other Denial of Service attacks on that mesh?
What port and IP address is the worm going to target?
You won't know
unless you've talked with the admin of that node and
even then you
might have a private port that only you know about. And
even if you
do manage to take out one node (or a dozen) the mesh
survives and
routes around the damage.
That depends, of course, on how widespread the 'damage'
is. Again, I think that blocking spambot army recruiting
is critical to reducing the severity of DoS attacks like
this.
[snip]
2. Do you know what a response code in SMTP is?
Yes. But if the incoming SMTP transaction is coming from
an intermediary MTA, existing intermediaries frequently
will try to generate a bounce E-mail (to what they (often
wrongly) believe was the sender) based on their inability
to forward a mail message to its final destination, and
that frequently does more harm than good.
3. I never "bounce" anything.
Good, I wish that (at least for spam/worm cases) nobody
else did either.
The determination to quarantine email while waiting for
additional
information to become available or the possibility that
the sending
site will clean up the spam first should be easy to
make. Are you
perhaps referring to the rules for implementing proposal
#2?
Again, I don't consider IP address (at least not by
itself) a good basis for determining what is and is not
spam.
Apart from (as previously noted) the problem of
determining after
the fact with any real accuracy just who the "sending
server"
actually is, particularly for multi-hop mail deliveries.
It's
easy enough to forget that not all E-mail deliveries are
simple
user->ISP->ISP->user transfers.
First you have the intranet delivery on the sending side
user-> (users ISP internal servers) -> Sending MTA
Then you have the internet delivery
Sending MTA ----> Receiving MTA
or
Sending MTA ----> (open relay) ---> Receiving MTA
And finally the intranet delivery on the receiving side
Receiving MTA -> (receiving ISP internal servers) ->
destination
I am only concerned with the internet delivery. Anything
else the
ISPs can handle on their own. So all internet email
deliveries are
simple ISP->ISP transactions.
Let me give you an example of why that's overly
simplistic.
sender -> sender's ISP MTA -> recipient's vanity
domain's mail forwarding MTA -> recipient's "real" ISP
receiving MTA -> recipient
(and of course, there could be multiple such levels of
intermediary forwarding, or things like Majordomo servers
involved too).
Vanity domains that provide mail forwarding are just one
example of
a way that intermediaries enter into a mail delivery
chain.
Aggregators/forwarders like Yahoogroups are another.
If the vanity domain allows you to create hundreds or
thousands of
forwarders to addresses you don't own to make it look
like a spammer
site it deserves to be blocked.
That's not the question. The issue is that it forwards
the mail (and let's presume for now that there is only one
vanity domain forwarding taking place) to the receipient's
ISP's MTA, which doesn't like it for whatever reason and
sends back an SMTP rejection. Now, what does the vanity
domain mail server do with that? They can't (presumably)
send it back to the MTA *they* got the mail from; that
SMTP transaction is most likely long over. Generally what
happens (unfortunately) is they try to send back the
warning as an E-mail message, and that turns out to be a
Really Bad Idea.
Second point is that if the recipient ISP sees that it got
spam or a virus forwarded through the vanity domain
forwarding MTA, IP address blocking probably tries to
block the vanity domain forwarding agent, because the
receiving ISP's MTA can't reliably determine who the
original sender was.
that can be done with a 5xx on the next delivery
attempt instead
of sending a bounce.
And what if the next E-mail coming from that IP address
is
legitimate, non-spam E-mail?
If the decision is to reject all mail coming from that
IP
(which, again, I will insist is simply NOT practical).
then
returning the 5xx response will cause the sending MTA to
generate a
DSN that will be returned to the legitimate sender.
And, again, THEY cannot be 100% sure who that was, once
the original SMTP transaction they received is completed.
Most typically, they try to send an E-mail back to the
From: address, but for spam/virus rejections, that address
is almost never valid.
If the sending ISP is on their toes an offending user
or host
will be shut down quickly and the remaining mail will
be
delivered when the block advisory is lifted or expires.
And what happens to their legitimate outgoing mail in
the meantime?
It sits in the quarantine until the block advisory is
lifted and then
gets delivered normally. Nothing is lost except for some
sleep by the
admin on duty for the sending ISP.
If the "sending ISP" (or company) is huge, and the spam or
virus mail they occasionally send is frequent enough, the
result is that they have frequent major delays in mail
delivery, or even suffer serious and relatively permanent
"e-mail constipation".
Local whitelists can be used to allow mail to bypass
the quarantine.
That's fine, but (again) I believe that traditional,
simple
"whitelists" are not nearly adequate. I believe that a
viable
whitelist MUST comprise a recipient/sender pair of
addresses, AND
additional criteria regarding what the recipient expects
to receive
from the sender in question.
More to the point, once THAT is done, I believe that IP
address
blocking becomes essentially superfluous (and indeed,
COUNTER
productive).
None of my proposals say "block" anything. I say issue
advisories in
proposal #2, some users might want that information.
I claim that a user (or ISP) who did not actually send the
mail that is attributed (wrongly) to them virtually never
gets anything of value of receiving a lot of complaints
about the counterfeit use of their E-mail address.
I propose
quarantining email when it's looking suspicious. The
sending ISP
knows where the email came from which is something that
the receiver
cannot know in all cases.
The sending ISP only knows where it CLAIMS to have come
from, much of the time. And nothing absolutely guarantees
that that address is even still online. It's one thing to
catch a problem during the SMTP transaction, but much more
problematical to try to report it back after the fact.
If anybody is going to decide
that email is
spam it is the sending ISP that has the best information
to make that
decision.
I disagree. If the ultimate determination about whether
the mail is unwanted or not is made by the RECIPIENT (and
that's what I believe is the ONLY person who can decide
that) then the sending ISP is NOT in the position to
decide.
Proposal #4 provides the one key piece that
the sending ISP
doesn't have to determine that their user is sending UBE
(aka spam).
If you as an ISP are offered these free tools to help
control spam
emanating from your network are you going to say "no
thanks, we'll
just send the spam and let everybody else clean it up"?
So what do you propose they do with things that say "this
is spam, we won't accept it" that are bogus? That's what
I've seen happening here, where Yahoogroups gets a bogus
5xx message that mail to "me" hard bounced (because it
contained a virus, usually) and as a result, they block
ALL mail from getting sent out to me until I realize what
happened and manage to reset things. Of course, I have NO
control over the problem. (And they don't either,
really... but at least they shouldn't consider a mail
account hard bouncing just because of the CONTENT of ONE
message that 'hard' bounced).
[comment #2]
Subject: Re: [Asrg] Quarantines and block lists
To begin with, crude IP blocks will ALWAYS lose
legitimate
mail, because a single IP address can send both
legitimate
and zombie-generated mail.
We've been using the spamhaus dnsbls for several years
and I can't
remember a single false positive. IP adresses which send
legitimate
mails are simply not listed there (or if they are, there
are so few of
them that it's indetectable).
You're trying to pretend that a zombie prevents all
legitimate mail from being sent out from that same IP
address? So that it's a binary "spamming/not spamming"
machine?
If your argument is that the zombies are not using the
commandeered machine's habitual upstream MTA, then I'll
claim that spammers could trivially change their approach
to do that.
Then, IP-based blocking either blocks (or doesn't block)
ALL the E-mails originating from that MTA.
It is true that they aren't sufficient, but they reduce
spam by quite a
bit (they're by far the most frequent reason for a
permanent error) with
practically zero false positives.
I believe that a good sender/recipient pairing mapping to
a fine-grained permissions list is FAR more effective and
satisfactory, with FAR less collateral damage to
legitimate mail. And besides, it is FAR harder for
spammers and viruses/worms to circumvent and evade such a
robust restriction. I believe that to be SO effective
that IP-based blocking becomes (at least in most cases)
superfluous.
I don't know why you insist that they would have to list
a single IP
address which sends both legitimate and zombie-generated
mail. Just look
at spamhaus and you can see that this is false.
Are you claiming that both spam and non-spam can't be
funnelled through the same IP address?
Just one excellent counter-example is a small company that
has their inhouse outbound mail server behind a NAT router
(this is the case, in fact, for one of my consulting
client companies). If one of their other inhouse
workstations ends up being infected by a worm, that
infected machine could start to send either spam, or virus
propagation messages, and those messages will also carry
the IP address of the company's NAT router.
[comment #3]
Please don't answer mails from different people in
different subthreads
in the same mail. Your mails are already too long, and
an argument is
hard to follow if the answer the content of one mail is
in the answer to
a different mail.
I agree that it's suboptimal, but otherwise it is
cumbersome to split a large message digest into individual
fragments to allow quoting those messages for separate
replies.
I don't know of any GOOD solution for that problem, but am
open to ideas. (Approaches that I otherwise might find
practical are limited by the Webmail system I'm presently
using).
>(1) I'm shopping at a major retailer's website and
decide to sign up
>for their newsletter. What happens if the confirmation
message uses
>HTML content (not uncommon)?
Obviously, it SHOULD NOT use HTML content,
But it does. And if you're a small ISP or IT department
and your users
can't get their newsletter, guess who they'll blame?
Given a choice of controlling spam, or the irresponsible
use of HTML being sent to users who might not wish to deal
with it, I think that being a little more nuanced and
disciplined in the use of HTML is a small price to pay.
You or the major
retailer?
To some degree, it's obviously a problem of educating the
user of what you're doing, and (more importantly) WHY you
are doing it.
If enough users make the decision, the 'large retailer'
will clearly learn that they have to change their behavior
at least slightly. But that's not a bad thing.
And what's more likely to change? The way you
filter mail or
the way the major retailer sends their newsletter?
I guess it depends on whether you want to control spam
effectively, and how important that is to your users.
I happen to think that's pretty important to a large
percentage of users.
You can do that if you're the DoD. The DoD recently
banned HTML and they
can get away with it, because almost everyone they
exchange mail with
is more interested in talking to the DoD than the DoD is
talking to
them. If the DoD doesn't get your mails, that's your
problem, not
theirs.
I think that as more people become aware of the costs of
HTML (bulk, risk, etc), a lot fewer people will be willing
to pay the price of it.
for the simple reason that said retailer CAN NOT be
certain that the
person asking to be on their newsletter list is able to
handle (or
WANTS to receive) HTML-burdened mail messages.
He doesn't care. 99% of his prospective customers can
handle it, and
they will be enticed by the pretty pictures. He can
afford to lose 1%
(who are probably the more critical customers anyway).
I'm not suggesting that they can't use HTML in (at least
the 'pretty' version of) their newsletter. Just that they
need to send at least one plain-ASCII-text confirmation
mail to the user FIRST, to negotiate the agreement to
accept HTML in subsequent E-mail messages.
>Assuming that the confirmation and the newsletter come
from the same
>source, that is, which also is not always the case.
True, although if that is recognized as important to
legitimate mailers, they can certainly correct such
questionable behavior.
That "questionable behaviour" is pretty much standard,
and there are
good reasons for it.
Well, there are some "pretty good reasons" for greater
discipline.
If we are going to get a serious handle on spam, viruses,
and worms... then SOMEONE is going to have to change
behavior AT LEAST SOMEWHAT. The objective should be to
make that process as rational and painless as possible,
commensurate with efficacy.
>(3) My biggest customer is a giant corporation which
requires its
>employees to use Microsoft Outlook and to attach a
vCard-like
>signature to every email, using a background stationery
and having an
>image of the company's latest logo because they're
engaged in a major
>rebranding initiative. Not surprisingly, they have
massive turnover,
>so the people there who send email to a variety of
people at my
>company changes every several weeks. Who's responsible
for upkeep of
>all of those individual agreements to exhange HTML with
each other?
Again, the recipient could presumably set up a
"catch-all"
whitelisting which would enable selected E-mail HTML
features and selected attachment types from any user at
a
given company's domain. For example, allow (hell, even
REQUIRE) V-card attachments or JPGs for mail from that
domain, but (for example) not allowing scripting,
executable attachments, or ActiveX.
Yes, he could. But he doesn't want to.
Well, ultimately, it's all about choices, isn't it? You
can give people an effective spam filter, or you can allow
them to turn it completely off. At least if you OFFER it,
they can't then bitch about the spam load they're getting
if they CHOSE to not use it.
I've had some spam filters at some ISPs that were SO
terrible that I turned them off and decided to do the
filtering myself instead.
But you know the old adage about leading a horse to water.
At least this proposal WOULD BE EFFECTIVE (and with less
collateral damage than the IP-based solutions that so many
folks here seem to like) AND would block nearly all worms
and viruses (even new ones) which isn't the case for these
IP-based approaches. AND it's not got any huge "gotchas"
that force people to turn it off, like so many other
basically-unusable filtering schemes are afflicted with.
It's not his job to worry about
which types of content a certain user (which he not even
know) might
send to him in the future.
Fair enough. But spam has become annoying enough to
enough people by now that I don't think most of them would
be terribly averse to helping guide a "smart" filter so it
would effectively recognize and block spam... especially
if (as they do so) they see an immediate and very
noticeable payback for the investment.
>The only way your techniques can work effectively is if
>you assume that
>the recipient is getting very little spam.
I don't think it's particularly volume-sensitive...
other
than the fact, of course, that ANY system could
conceivably be flooded by a sufficiently determined DoS
attack.
It's a DoS attack on the user, not on the system. The
user has to look
at the mails, decide whether they are legitimate, which
of their
features he wants to accept from that sender (and
whether "that sender"
means only that particular address, or the whole domain
or something in
between).
Again, good software can determine what features need to
be accepted to allow "mail like this" to be added to the
allowable characteristics for the current sender.
Some users will tweak things more precisely than others
will.
A large subset of users will probably find that the
default filtering rules are perfectly acceptable for the
great majority of their incoming mail.
[users receiving large volumes of mail]
I don't see why my approach won't handle such cases with
ease.
That guy has to scan through 4000 messages each day to
check if there
wasn't one which he did want. Maybe not every day, but
at least every
time he suspects that a mail might have been blocked.
To some degree, that's going to be true for ANY filtering
scheme. At least he has the mail to look at... if it was
blocked by IP address, he can't go look for it, since it's
not on his (recipient) system at all.
Some people will look for false positives, some won't.
Some people will go to the effort to "tune" their filters
to the best and most effective degree of accuracy, and
others will run with the defaults. That's to be expected.
>>Introductory E-mails should NOT automatically presume
the desire or
>>willingness of the recipient to receive HTML-burdened
E-mails.
>
>But if all spam were indistinguishable from
>"introductory e-mails",
>where are you then?
No worse than at present.
Depends on what you define as "better" and "worse". You
will get less
spam (about 50% less, I would guess from looking through
my spambox),
but you will also get less legitimate mail (I don't know
how common HTML
mail is on average - that seems to vary a lot).
Yes, it does. And there's nothing inherently wrong with
HTML mail (other than its 3-5x greater bulk) IF you're
able and willing to deal with it. But senders ought not
to PRESUME that EVERYONE feels that way.
And BETTER, since the "no attachment, no HTML" default
rule would seriously cripple zombie spambot army
recruitment.
Only if it is widely adopted. Which it won't be, because
the early
adopters will have to deal with severe problems.
I don't consider that a fair or accurate statement. Early
adopters can phase in the filtering, perhaps by starting
with a relatively liberal default rule which is tightened
as the whitelist is developed. Again, that's an issue of
the implementing software. It doesn't invalidate the
principle.
>The XBL, for example, is _extremely_ reliable at
>detecting compromised
>end-user machines. All by itself it will block 70-85%
>of all spam.
Fine. But it also blocks LEGITIMATE mail coming from
those machines, right?
There is no legitimate mail coming from those machines.
Maybe a message
or two for every million messages being blocked.
Probably less.
I've already given a case earlier in this message of why
that can't be counted on, or at least why we shouldn't
base our antispam defenses on such 'lucky behavior' over
the long term. I won't repeat that example again here.
>By it's very nature it doesn't list real MTAs (eg: ISP
>smarthosts).
What if the spam is sent through ths "smarthost"? You
might claim that's not being done today, but nothing
prevents spammers from doing that.
Then there is an ISP to complain to and the ISP knows
which of their
users has a compromised machine and can do somthing
about it.
And that's fine for small ISPs who can call a user
(maybe). Bigger ISPs with millions of users (especially
where thousands or tens of thousands of their users could
be infected) will find that kind of detailed
followup/uninfection to be an extremely costly and
time-consuming problem.
Big dot-com companies (Yahoo, Ebay/paypal, etc) almost
universally have terrible customer service if you ever
have to talk to a real HUMAN there. And that's not only
just demonstrating that they don't CARE... it's a huge
problem for them.
If the ISP
doesn't do something about it, he may find that some may
refuse to
accept mail from him or apply more stringent filters to
it. But that
doesn't have anything to do with the XBL.
Again, it's a very blunt instrument to do IP-level
blocking. We can simply do a LOT better.
You are assuming that IP-based reputation is used in an
all-or-nothing
way. It isn't. There is more than one list, and just
because an IP
address is or isn't on a specific list doesn't mean that
all mails from
this address are rejected or accepted. It is one
criterion among many.
I consider that other criteria should carry more weight,
then, and IP address carry much less weight.
>Subject: Re: [Asrg] Re: bounces, and anti-spam
>principles
>>[how users configure their whitelist rules]
>>
>>>The problem being that out of the 60,000 seats here,
perhaps less
>>>than 10 of them are able to competently configure a
set of rules
>>>like what you have.
>>
>>That's a software implementation issue, not an
inherent
>>problem in the approach. I envision a button to click
>>on
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>I guess that's the main reason why your ideas aren't
met with wild
>enthusiasm here. You "envision" that this would be
simple to build
>and to use, but it's not even clear that you have even
built a
>prototype which you use yourself, much less deployed
the system for
>"ordinary users", which aren't quite sure what an "HTML
mail" is, and
>have never heard about an "ActiveX component".
I've built and have used portions of what I propose.
Obviously it will work best if the proposed default
rules
are widely used.
As for "deploying it for ordinary users", I think I
could
make the same claim regarding all these DNS-based
proposals that y'all are so fixated on.
No, absolutely not. Apart from not being fixated on
"DNS-based
proposals" (if anything, I'm fixated on bayesian
filtering), I see two
very important differences here:
1) DNSBLs like Spamhaus' SBL+XBL aren't "proposals".
They have been
operational for years and their strengths and weaknesses
are well-known.
Straw man. If existing approaches were satisfactory, then
we don't have a problem and we're all wasting our time
time.
If on the other hand we are going to do things DIFFERENTLY
than they have been done before, then we should EXPECT
that that new approach hasn't been implemented yet.
The fact that it hasn't been fully implemented yet doesn't
mean that it's not promising.
Lots of things are designed and discussed and debated for
a long time before the first working one is actually
built. Large passenger aircraft are one example.
I probably wouldn't go to the trouble to do a full
customer-ready version of such software if it were just
only me going to use it. But Airbus wouldn't build the
A380 if there were only going to be one of them, just as a
Honda Accord wouldn't be practical to design and fully
engineer if only one person were going to have one,
either.
2) The user has absolutely nothing to do with them. I
can simply enable
them on a system-wide basis and be confident that I will
maybe have to
deal with one complaint every few years.
By the same token, a large group of users will be content
with default filtering and default content
("SpamAssassin") filtering. Some will care enough, and
choose to tweak those. Many will not. At least the ones
who CARE to do so CAN do so.
Again, good software implementation doesn't have to
depend on users
understanding those details
I doubt that. In real life users get mails with
"advanced features" all
the time and if they have to decide whether they can
safely enable them
they need to understand them.
Do you understand how your automatic transmission in your
car works? What percentage of drivers do you imagine do?
If enabling a relatively more dangerous feature (say,
executable attachments), the software presumably should
issue some pretty dire-sounding warnings about why the
user maybe shouldn't do that... just to counter
pfishing-type exploits where they try to convince people
to release the safety. (We saw some viruses/spam trying
to do that, a few years back, telling users to please
enable scripting and telling them how to do it... but I
haven't seen any spam like that in quite a while now.).
I predict that the average user will
either have configured that system to accept anything
from anybody
within a week or give up on email entirely.
If the software is well-designed, then I'd take on that
bet with you. :-)
I don't think where things fall on that particular
equation are especially relevant to whether the approach
would be a good one for more widespread adoption. :-)
It is irrelevant whether it "would be good". User's
simply won't adopt
it. Period. It will ask them questions they don't
understand twenty
times a day, so they will resort to either clicking
"yes" all the time
or "no" all the time.
Again, that depends entirely on how well the
human-engineering of the software is done. Some companies
traditionally do a bad job of stuff like that, but doesn't
mean it can't be done right.
As a result they won't get the
mail they want and
they will still get mail they don't want. In addition
they will feel
dumb because they don't understand all those questions,
and they will be
angry at the computer (it should handle that stuff
without asking stupid
questions) and the IT staff or ISP (it's their job to
handle that
stuff). A week later the system will be shut off again
and the poor guy
who thought "it would be good" will be fired.
I'm sure that's what the spammers would wish.
But the fact is that it will be MORE effective at blocking
spam, nearly 100% effective at blocking worms and viruses
(even previously unknown ones that no antivirus program
identifies) and still give the user the ability to improve
the detection to the degree they wish (or not, if they
prefer).
Given the major improvement in spam reduction that is
possible, the people who OUGHT to be fired are those
naysayers who choose to instead pursue costly, compex and
elaborate technical schemes which ultimately and
predictably CAN NOT solve the problem as well.
>So Uncle Bob will see that a mail from Aunt Matilda was
blocked
>because it contained an "executable attachment". Since
he wants to
>get mail from Aunt Matilda (and Aunt Matilda is a nice
lady, she
>wouldn't send him anything bad, would she?) he clicks
on "allow
>E-mails like this from the same sender in the future".
Oops!
Presumably he could tell from the rest of the content in
the mail message that it really didn't look like E-mail
from Aunt Matilda.
To do that he has to read it. What good is an anti-spam
scheme which
requires me to read all my spam?
Well, to begin with, it will block nearly all HTML and
attachment-containing E-mail from people you don't know.
I agree that some folks, especially initially, or those
who get relatively small amounts of spam, will get a "warm
and cozy" feeling by checking their quarantine/block
folder to see what was filtered out (at least they CAN,
which generally isn't the case in IP-type blocking). As
they develop more trust in the system, and get it more
tuned, or as they get more spam end up in the reject bin,
they'll probably come to trust its judgement and just dump
that bin unread more and more often.
During the phase-in period, there will be more "training"
taking place (both of the software, AND of the users!).
That's to be expected.
[comment #4]
Subject: Re: [Asrg] Re: HTML-burdened email
(I don't know
how common HTML
mail is on average - that seems to vary a lot).
It's _very_ high here. Corporate likes their HTML and
attachments.
That's fine, and I don't suggest that it never be used.
I do think it's impolite (at best) and presumptuous to
send HTML E-mail to people without first determining that
they are able and willing to accept mail in that format.
ESPECIALLY given the numerous ways that HTML hugely
facilitates the task of spammers to get past antispam
content filtering.
Accepting HTML ONLY AFTER negotiation from specific
senders strikes me as a very small price to pay if it
hugely reduces the spam problem (and it can).
Solving the spam problem DOES require some changes. The
trick is to make those changes both reasonable, and
effective.
[snip]
1) DNSBLs like Spamhaus' SBL+XBL aren't "proposals".
They have been
operational for years and their strengths and weaknesses
are well-known.
And default recommendations in many packages. Such as
SpamAssassin.
In part, that's because SpamAssassin has a nearly
impossible job to do if it has to deal with things like
text-as-image (whether attachment or embedded), HTML,
ActiveX, and such. Once attachments, scripting, and HTML
are excluded, SpamAssassin can be FAR more accurate and
effective.
So it is understandable that they would suggest IP-based
filtering to help for those more difficult cases.
It might even be the case that IP-based filtering MIGHT
still be a valid component even with a first-stage
fine-grained sender-based whitelisting. Although I
personally believe that by that point, IP-based filtering
will be mostly redundant.
...In real life users get mails with
"advanced features" all
the time and if they have to decide whether they can
safely enable them
they need to understand them. I predict that the average
user will
either have configured that system to accept anything
from anybody
within a week or give up on email entirely.
If we tried that here, the average user would be
screaming at me why
their filters weren't working. Or working too well.
I do expect that such filtering would be phased in during
the initial period, rather than being turned on suddenly
and abruptly.
What good is an anti-spam scheme that, after you've seen
the one good
html email from Aunt Matilda, blindly delivered you the
virus her
machine sends the next day? Or the spam forged in her
name?
That's why you don't just enable ALL HTML, or NO HTML.
Aunt Matilda isn't likely to do scripting, ActiveX, or
other elaborate HTML features. She might use fonts,
color, boldface, stuff like that. These all-or-nothing
whitelists are, indeed, almost useless because they end up
getting turned off.
It's unlikely that one would EVER allow receiving
EXECUTABLE attachments from Aunt Matilda (indeed, most
users would never enable receiving executable attachments
from ANYBODY, at least if the software is sufficiently
dissuasive).
The spam forged in Aunt Matilda's name would have to know
WHOSE name to forge to get past MY filter, and MOREOVER
would have to look "enough" like her mail that it didn't
get filtered out (and it's likely not feasible to decide
just what those criteria are for a given recipient). It's
a very winding, narrow gauntlet the spammers/virus authors
would have to navigate through.
I believe that most of them won't be able to do that very
successfully.
Gordon Peterson
http://personal.terabites.com
1977-2007 Thirty year anniversary of local area
networking
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
|
|