On Thu, Feb 12, 2009 at 09:58:41PM -0000, John Levine wrote:
> Indeed. Now beef some of them up with some realistic estimates of
> transactions costs, and the costs of dealing with screwed up and
> fraudulent transactions.
Along those same lines, such an estimate must take into account a minimum
of 100M botted hosts, and correspondingly, a minimum of 100M compromised
sets of email credentials. [1]
Thus, such an estimate must be able to cope gracefully with the case
where (say) 1M systems simultaneously (or nearly so) present the same
token to (say) 100K mail systems -- and must do so without permitting
an effective DoS on the transaction processor. (And note that, modulo
the token, this is a routine occurrence. It could reasonably be expected
to become more so if abusers found it effective.)
---Rsk
[1] These estimates may be much too small to reflect reality; for example,
a compromise of my system would eventually expose over 30 sets of such
credentials, each picked up in turn as it was used. Personally, I think
"250m" and "1.5B" are probably more realistic numbers.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg