On Tue, 2 Mar 2010, Rich Kulawiec wrote:
I'm going to try to summarize and enumerate some of the arguments against
the general idea of a report-as-spam button. My position is that several
of these points (individually) make the case that it's a truly bad idea
and should be abandoned immediately and permanently, and that collectively,
they're an overwhelming rationale. Others differ, of course.
This is a *summary* and not an attempt to provide every nuance
of every argument, so nitpicking is discouraged. You may rest
assured that I read the traffic on this list and have been paying
close attention to the spam problem for the past several decades. ;-)
This message ignores the existence of TIS buttons on existing MUAs for
webmail operators, and the actual experience that those operators have.
1. User incompetence
Users have spent the last quarter-century conclusively proving
that they cannot reliably discern spam from non-spam. They stack
the pile of evidence higher every day, by misclassifying spam
as non-spam and vice versa, by replying to spam, by trying to
unsubscribe from spam, by falling for phishes, by handing over
valuable information to spammers, etc. How many "unsubscribe"
requests do we see sent to entire mailing lists, even by
supposedly-mail-literate technical personnel? How many people
on public mailing lists cannot distinguish between on-list and
off-list replies? It's not reasonable to expect that anyone who
has failed to master these rudimentary email tasks will be able
to distinguish spam from non-spam, especially when some spam is
more competently composed and delivered than some non-spam.
This is, I'm sorry to say, not a solvable problem. And it will
steadily get worse as more (less-experienced) people get online,
and as spammers get craftier: evolutionary pressure on spammers
is clearly selecting for the smarter ones.
This can't be avoided by educating users: "educating users"
is one of Marcus Ranum's six dumbest ideas in security for very
good reason. In the case of spam, we KNOW it has failed because
we wouldn't have much of a spam problem to worry about if it
had worked even modestly well.
Users are incompetent, that is why the existing systems use a single hit
on the TIS button only to affect mail to the user hitting the button, and
only affect mail to other users if a large number of users hit the button.
2. User time
Let's assume that #1 is completely wrong: let's assume that
most/all users are competent spam/non-spam classifying engines.
Let's further assume that they're so proficient at it that they
can do so in 5 seconds per message.
Based on both these incredibly over-optimistic assumptions, we can
then calculate how much end-user time will be spent performing
this classification task and hitting the button. 6.3 million
decisions/pushes equates to about a man-year, which means that even
a single small spam run (say 300 million attempts, 3% delivery rate,
thus 9 million deliveries) can easily chew up well over a man-year
of time. Do the math.
Part of the reason we try to stop spam/spammers is to prevent
them from using up end-user time. We should not be tasking
users with this, as it neatly undercuts part of what we're
trying to do.
I can do spam at 1 second per message or less, and with the TIS button I
will get less spam, saving even that second.
3. User exposure
Many clueless users, unfortunately, use web browsers or otherwise
HTML-enabled mail clients to read their mail. (Of course we can
safely presume that competent professional postmasters or abuse
desk personnel don't do this, but the report-as-spam button is
intended for the masses, and they, sadly, do.)
It is certain that in the process of trying to perform classification
tasks, they'll click on links "just to see what's there". This
not only provides very useful information to spammers, but it will
assist phishers, trojan downloaders and others whose goal isn't
really spamming per se, but using spamming to penetrate
systems/networks or perform reconnaissance on them.
It is mere speculation that the existence of the button will cause more
clicks on malware - I don't see why it should, and in any case if the MTA
acts on the TIS reports, there will be fewer opportunities for users to
make this mistake.
4. User influence on security policy
Anti-spam defenses are similar to firewall rules: they control
site security. End-users should not be permitted to override
or otherwise modify firewall settings: neither should they
be permitted to override or otherwise modify anti-spam settings.
First, because it's not their job, second, because they're
not responsible for the consequences, third, because they
lack expertise in this area.
(This is not to say that they shouldn't have input. But all such
input should be manually, carefully reviewed by qualified and very
skeptical personnel before any decisions are made about using it.)
Please see Hanna Arendt "The Authoritarian Personality" for an explanation
of this claim. Really, if you reject all user influence you will not have
happy users.
5. Duplicates existing functionality
All competently-run sites support the RFC 2142-stipulated
"abuse" role address and have appropriately experienced,
trained, qualified and diligent staff reading every message
sent there. It's trivially easy for any user to forward
questionable mail traffic (with full headers of course) to
the abuse address of their own mail provider, who can then
decide what to do about it. These personnel are far better
situated to decipher headers, correlate against logs,
assess threat severity, etc. They're also much less likely --
presuming that they're competent -- to hand over useful
information to the enemy. See next point as well.
I have never gotten a usefull spam complaint from a user, but it isn't
because the messages weren't spam. It was always because the user didn't
include the headers. All users find it difficult to include headers with
forwarded messages, and will always drop the issue when asked to resend
with headers. The TIS button solves this problem.
6. Free useful intelligence for spammers
It's great when your enemy hands you useful information.
It's even better when they expend considerable time and effort to
do so. Spammers can quite easily rig this methodology to provide them
with a wealth of actionable intelligence -- and some of them will.
We should not be building mechanisms that directly support the enemy.
Really, this is all supposition and there is no evidence that any spammer
cares. There are many claims that spammers must care, but no examples of
cases where they actually did care.
7. Creating more Internet mail traffic is a bad move
We're drowning in (as a more generic term than "spam") junk
SMTP traffic. The last thing we should do is create more of it.
Every possible thing we do to fight spam should dampen the response,
not amplify it.
This (sending outbound traffic) also violates a fundamental
principle of abuse control: do not allow attackers to generate
outbound traffic from *your* site to destinations of
*their* choosing. This never ends well.
If even a small proportion of the TIS hits result in action, the total
traffic will decrease. If the proportion of hits resulting in action is
too small, then users will stop hitting the button and there will be
little traffic increase.
8. Report-as-spam button repurposed as weapon
We've already seen how spammers have repurposed any number of
ill-conceived anti-spam concepts (e.g., SAV) as weapons.
They'll do that with this too, should it profit them to do so.
I trust at least a few methods are obvious on inspection;
there's also a few non-obvious ones that I will not be discussing
on a public mailing list, some of which relate to the next point.
Has this happened on any of the services that currently offer TIS buttons?
How have they handled that?
9. The zombie problem
There are, at bare minimum, 100 million fully-0wned systems
out there. I've seen estimates as high as 250M (Cerf) and more
moderately, 140M (Kletnieks). My back-of-the-envelope
estimate is currently 200M. And climbing.
...
As long as there are zombies, no anti-spam or indeed and security related
protocol is hopeless. But such protocols are necessary if not sufficient
and we shouldn't refuse to take action merely because MS refuses to do its
part. Indeed, their excuse for not taking any action is the same - as long
as the rest of the internet is insecure why should they be any different?
...
Daniel Feenberg
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg