
Re: [Asrg] An "ideal" false positive (TMGRS take 2)

2010-02-14 18:23:30
On Fri, Jan 29, 2010 at 06:59:09PM +0100, Alessandro Vesely wrote:
> > On Thu, Jan 28, 2010 at 07:04:42PM +0100, Alessandro Vesely wrote:
> > > Alice reports as spam a message from Bob, either by mistake or out
> > > of curiosity.
> >
> > But there is no way to know that Alice actually filed the report
> > or that Bob actually sent the message.
>
> Botted users and nonsensical users would result in disputes that
> will eventually reveal their true nature.

How, exactly?

Keep in mind that botted users now constitute a significant fraction
of the Internet's total population (whether we're counting "users"
as "human beings" or "email accounts". [1])  Further, The Bad Guys who
have their hands on those 100M+ systems out there can use them,
or any other systems they have access to, to create an essentially-unlimited
number of accounts at any/all of the 10K+ freemail providers out there. [2]

So if there was some strategic reason why having billions of email
accounts, whether "real" or "fake", would provide them with an advantage:
they could make that happen with minimal effort.  They've already long
since demonstrated the ability to do this -- and to do so at rates
that vastly outpace anybody's attempt to keep up with them.

> (For the time being, let's
> discard the case that _both_ Alice and Bob are botted, with their
> bots playing funny games with one another.)

Why should we do that?  Spammers/abusers won't.  They already have
the capability to do this, and if they can somehow game the system
by doing so, *they will*.  Sure, they'll probably make some missteps,
some of which will be obvious, perhaps even laughable, but they'll
learn soon enough.  And some of them will become very good at it.

We know this because they've done it before.

*Anything* that presumes that end-user systems actually belong to
the end-users who think they own them is going to be highly susceptible
to manipulation -- and more so every day, every week, every month
that goes by.  It's only a question of whether or not the enemy
will choose to trouble themselves doing so, and I think that
if it inconveniences them or cuts into their profits, they will.

---Rsk

[1] I've been trying to estimate how many sets of credentials have
been compromised.  If we take very conservative estimates for zombie'd
systems (100M), email accounts (5 per system) and web sites (10 per
system) we get 1.5 billion.  If we use more realistic numbers, we
get 5 billion.  If we go with some of the higher/outlier numbers, 10-20 billion.

I suppose the best that can be said is that it's clearly a large
and monotonically-increasing number.  And that nobody, anywhere,
is taking any effective action to put a stop to it.

[2] Given that there are approximately 10K freemail providers/domains,
clearly it's within the reach of spammers or other bad guys to create
enormous numbers of accounts -- should they have a reason to do so,
and obviously they do, and they have.  They use these to send spam,
to act as dropboxes for spam, to register domains, etc.; there is no
reason to think they wouldn't use them to game reporting systems and
every reason to think they would.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg