ietf-asrg

Re: [Asrg] How do we do something about spam?

2007-02-10 02:30:47
<gep2(_at_)terabites(_dot_)com> wrote:

[blocking executable attachments]

Pray tell, how am _I_ to block the executable content from some
dialup luser on level3's machine?  All _I_ can do is block his
emissions from _my_ machine.

What one does is to block incoming messages based on a 
fine-grained whitelist, and with a default for 
non-whitelisted senders which is at least "safe" (no 
attachments, no HTML, less than some maximum size).

Most spam I get fits that criteria.  Therefore, it won't do me much
good.

If I could stop the level3 luser from getting infected, that would
help a lot more; but any solution that requires _everybody_ to do
something is mentioned in the FUSSP pages.

Are you considering .jpg to be executable?

No,

But it is, at least with many viewers and a properly-malformed .jpg
file.

But the *spam* emitted by those machines _is_ a problem 
for this list.

Absolutely.  But if we put measures into effect to make 
one very unlikely to ever get their machine infected via 
an incoming E-mail, then we can hugely reduce spambot 
recruitment.

See FUSSP.  I can block stuff from very few machines.  All of us
together [tinaout] can block stuff from a lot of machines, but still a
very small percentage of the Internet.

While outbound spam detection might be useful at an ISP 
it's not likely to make a big dent in spam, simply because 
spammers either avoid the ISP's restricted mail servers or 
because they don't use a traditional ISP at all.

Blocking outgoing Port 25 makes it hard to bypass the ISP's (or
someone else's) servers.

But again, we've still put a MAJOR crimp in virus/worm 
distribution,

Are you sure that infected websites aren't currently a bigger factor
than email viruses?

and if we do that well enough the spammers 
will give up on that venue (much like they've mostly given 
up on boot sector viruses on floppies).

How much good has it done that they've given up on boot sector viruses
in floppies?

A substantial portion of the net user population are actively
exchanging executable files.

Sure, and some people don't use condoms, either.  That 
doesn't mean that we should do anything to enable or 
promote that sort of unsafe behavior.

ISPs that don't allow their customers to do what those customers want
tend to become ex-ISPs.

I don't propose that the filtering be done by the ISP, 
although the principle certainly doesn't preclude the 
filtering from being done at the ISP, but (again) under 
the specific direction (perhaps the default one) set by 
the individual recipient.

And by the fifth time the recipient has to whitelist somebody he's
going to say "the hell with this waste of effort" and whitelist *.

then they can just as easily unplug that user's machine from the net
IF it gets infected and starts abusing the net.

The problem is that even an infected machine might still 
need to send occasional, legitimate E-mail messages.

I don't care.

They also might need access to the Net to locate and download
disinfection software, etc.

That's what sandboxes are for.  Hijack all connections to the ISP's
disinfection site.

Disconnecting a computer from the Net is not a good 
solution, IMHO.

It works for me.  That computer stops sending me spam.

Meanwhile, I still believe that eliminating E-mail as a 
vector for virus/worm distribution will ENORMOUSLY help 
both the virus/worm problem, AND the spam problem.

How much did eliminating boot sector virus propagation accomplish
toward those goals?

The email exploit vector is mostly focussing on getting people to
visit websites rather than actual distribution of exploit code.

Sometimes yes, sometimes no.  Increasingly, Web browsers 
are being configured out-of-the-box to not run executable 
content without checking with the user, first.  (And that 
process could probably be improved further).

And how many users are immune to social engineering?

I don't think that suing other victims is ultimately a 
very good solution to the problem.

You prefer to let them stay connected and continue to spew.

You'll end up adding a whitelist entry which viruses will forge
mail from in order to get to your inbox.

Viruses on some other machine will probably not know what 
YOUR whitelist permissions are based on.

They don't care.  They'll find that you get mail from X, and forge
mail from X.  Eventually, they'll hit an X you've whitelisted.

And individual recipients are likely to have different whitelist
permissions anyhow.  The result is a twisty and narrow path which is
difficult for a virus or worm to navigate through.

See "flood distribution".

I don't think it's probably necessary (or even desirable) 
to use more elaborate "verification techniques".  I might 
be visiting a friend and need to send one of MY E-mail 
messages from HIS machine.  That shouldn't cause any 
grief, really.

So if you're whitelisted, any virus that claims to be you coming from
anywhere gets through on your whitelist entry.  There goes protection.

I believe that vanity or personal domains should be able 
to be used from inhabitual locations.

Mine can be used from anywhere: I know how to ssh.  (There's also
SUBMIT and other such verified protocols.)

I agree... it is much harder to get the spam problem under 
control simply because of spambot recruitment.

And I don't think it's all that hard to take a BIG bite 
out of that.

Come back when you've actually done that and tell us how hard it was.
At that point, you'll have some credibility.

By making spam illegal, the act of transmitting a high volume of
unsolicited messages would then clearly serve as evidence of crime.

Right, but probably not on the part of the OWNER of that 
infected machine.  He is probably just another innocent 
victim himself.

He isn't innocent.  See "attractive nuisance".

An example would be a domain provider like Domain Direct 
or GoDaddy.  But as a customer of EACH of those, I still 
could be traveling and need to send a message (using MY 
domain name) from a cruise ship Internet cafe or post 
office E-mail kiosk.  I have NO control over which SMTP 
server processes my message.

Then you aren't sufficiently competent to be trusted with email.

My email comes from Panix's mailservers, whether I'm at home, at some
random hotel (like now), in some airport lounge, or anywhere else.

Making spam illegal would make networks many orders of 
magnitude safer.

CAN-SPAM has done REMARKABLY little to cut down on 
spamming.

The major effect of They-CAN-SPAM was to prevent California from
actually making spam illegal.

I think a far better solution is simply to allow the 
recipient to efficiently refuse mail they don't want, or 
don't trust.

They already can, they don't need your (or my) "allowing".  Ever hear
the saying "My server, my rules"?

Make a law that requires providers to sign all public messages with
their own keys.  There should even be laws that prohibit signing
with a customer's key.

So what about mailing lists, such as Yahoogroups?

What about them?  Yahoo can sign them (and pass on the signatures of
whoever sent the mail to yahoo).

Customers can reference specific keys used on their behalf instead.
There should be laws against the use of highly dangerous authorization
schemes, such as SPF/Sender-ID.

There should be laws against making stupid suggestions about what
there should be laws against.  (Oops)

I think SPF is a very poor solution.

I think it's a good solution to a specific problem (which isn't spam).

Poisoning or destroying DNS is easily accomplished with this
loathsome technology.

What are you talking about?  I have SPF set up for some of my domains;
I haven't noticed any destruction of DNS.

A technology also aimed at side stepping accountability.

How is me stating that only specific IPs are authorized to send mail
from my domains "side stepping accountability"?  I would think it
makes me _more_ accountable for mail I actually send, and less for
mail forged to appear from me.  Do you think I should be accountable
for mail forgery done by a spammer if he happens to choose me as his
victim this hour?

Enforcement must make any spam illegal AND hold providers
accountable.

I don't think "providers" have all that much control.

They have all the power, hence as much control as they want.

To ensure enforcement, allow anyone damaged to seek legal relief.

Talk about encouraging rampant lawsuits.  (What happens 
when the spammers THEMSELVES sue as if they are the 
injured party...??!)

You mean like they do now?  They lose.

The way that spam will ultimately be controlled is by 
making it hard enough that it's more trouble than it's 
worth.

There's no permanent victory in an arms race.

A manufacturer does not "solicit" customer service E-mails 
(well, at least not from specific, known consumers).

Yes, they do, by their very nature.

I think legal means are ultimately problematical because 
of the indeterminate jurisdictions involved.  What's more, 
the problem can be solved adequately without lawyers and 
courts.

Like it has been?  Your FUSSP doesn't seem to be working.

Spam must be illegal to stop it.

I disagree.

Among other things, it is VERY difficult to prove in a 
court of law WHO caused the spam to be sent.

No, it isn't, for someone competent.  And if everyone along the chain
is considered responsible, proving _some_ of it is easy.

Providers must control access, block abusers, and be held
accountable when they fail to do so.  When someone spams, they must
be blocked.

So you block Aunt Matilda because her machine got 
infected.  Now what?

Now I don't get any spam from your Aunt Matilda.  I think that's a
good thing.

Sending volumes of unsolicited messages is rather easy 
to detect, 

How do you know (and prove) that they are unsolicited?

The recipients say so, and the sender can't prove otherwise.

When this traffic is from customers using compromised systems,
then each problematic customer's outbound messages must be blocked.

I don't think that must be done.  I believe my approach 
allows them to continue to send legitimate mail, and 
allows an effective triage of legitimate from illegitimate 
mail.

I don't know why you think a spam zombie sending me plaintext 419's is
legitimate mail.

I am concerned about E-MAIL as a vector.

But apparently not about spam per se.

Make spam illegal and hold providers accountable instead.

Who do you sue?

The provider.

How do you prove who caused the spam to be sent?

That's the point: I don't have to.  I prove the spam came to me from
somewhere in Southern Bell's network, and therefore Southern Bell is
responsible.  If they want to turn around and sue their customer or
instrument their network to catch incoming infections, that's fine
with me.  Now they'll have an _incentive_ to, and to block infected
customers.

What court has jurisdiction?

Whichever one the law says.

Who has to pay the lawyers involved?

Whatever the law says.

Seth

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
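The exchange above turns on what SPF actually asserts: the domain owner publishes which IP addresses may send mail with that domain as the envelope sender, and nothing more. The following is an added illustration, not code from the thread or from any SPF implementation: a minimal evaluator for a constructed `v=spf1` record that handles only the `ip4`, `ip6` and `all` mechanisms (terms such as `include`, `a`, `mx` and `redirect` need DNS lookups and are reported as unsupported here). The record and addresses are made-up documentation-range values.

```python
"""Minimal SPF evaluation, added as an illustration (not from the thread).

Supports only the ip4, ip6 and all mechanisms of a v=spf1 record. Mechanisms
that require DNS (include, a, mx, exists, redirect) are deliberately not
implemented and yield "permerror" so that nothing is silently authorized.
"""
import ipaddress

# Constructed example record for a hypothetical domain; not a real DNS answer.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"

# SPF qualifiers and the result they produce when their mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return a list of (qualifier, mechanism, value) tuples, or None if the
    string is not an SPF version-1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), value))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate sender_ip against record.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Only the sending IP is judged; the result says nothing about whether the
    message content is spam, which is the point made in the thread.
    """
    terms = parse_spf(record)
    if terms is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, value in terms:
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        else:
            # include, a, mx, exists, redirect, etc. would need DNS; refuse
            # rather than guess, since a guess could authorize a forger.
            return "permerror"
    return "neutral"  # no mechanism matched and no "all" term was present


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.77", "2001:db8:1::5", "203.0.113.9"):
        print(addr, check_spf(EXAMPLE_SPF, addr))
```

A message forged with this domain as envelope sender from 203.0.113.9 evaluates to `fail`, which is exactly the "less accountable for mail forged to appear from me" effect described above; a message from an authorized address passes regardless of what it contains, which is why the check addresses forgery rather than spam.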
