ietf-asrg

Re: [Asrg] A Vouch By Feedback proposal

2009-07-09 10:37:37


--On 9 July 2009 07:48:51 -0400 Rich Kulawiec <rsk(_at_)gsp(_dot_)org> wrote:

> On Thu, Jul 09, 2009 at 10:08:35AM +0100, Ian Eiloart wrote:
>> Knowing the real email address responsible lets us:
>>
>> 1. Contact the owner of a compromised account, and advise them to take
>> action.

Granted, all the following may be true, but we're still better off than the current situation where we have no clue who has sent most emails.

> If the account's compromised, then the new owner may not permit
> the former owner to see those communications.

Well, that's a sure way of getting the attention of the account owner.

> Or
>
> The former owner is unlikely to believe such reports or take any
> meaningful action.  For example, they may just abandon the compromised
> account, and open a new one...which will shortly be compromised in
> the same way.

Well, if people don't value their accounts, that may be true. In that event, you have to do something else.

> Or
>
> The former owner will classify these reports as spam/phishes.

So, blacklist them, or contact their provider.

> Relying on the same end-users who have created the problem to solve
> it is a 100% pre-failed strategy.

Who said we're relying on that? If I'd given you a list of ONE item, then you could level that accusation.

>> 2. Contact the account service provider.
>
> If you can manage to jump through the hoops they've put in place, sure.
> But automated reporting will misfire, manual reporting doesn't scale,
> and many account service providers simply don't care.  They don't
> have to: there are few, if any, meaningful consequences to apathy,
> and as long as they're profitable, few of them care about their
> responsibilities to the 'net.
>
>> 3. Blacklist the address.
>
> (I'm presuming you mean email address, not IP address.)
>
> Yes, but given that there is an inexhaustible supply of those, this will
> block the spam that's not coming any more from yesterday's compromised
> account and do nothing to block the spam that's coming tomorrow from
> the next compromised account.  This is also a 100% pre-failed strategy.

No, it's not. It makes life harder for the spammer. With reputation services, you can limit the amount of inbound email from addresses that haven't yet acquired good reputation.

> (Now, if you're talking about IP address, sure: we have very effective
> blacklist mechanisms for doing that.)

No, we don't. Witness the fact that 90% of email is still spam.

>> 4. Bounce unwanted email back to the sender.
>
> Unwanted mail should always be rejected, never bounced. Doing the
> latter not only generates useless traffic but is pretty likely
> to generate outscatter/backscatter, which is spam.  And even if
> it's correctly delivered, it will do absolutely no good -- see above.

Bounces only cause backscatter when you can't rely on the sender address being accurate. When the address is accurate - a compromised account, for example, there are no good arguments left against it. In fact, it'll encourage security of the account.


--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg