On 3/25/2011 10:41 AM, Andy Dawson wrote:
> Before wasting effort where others have gone before, is there any mileage
> in this idea?
There may be some work you could do in this area, but I think you have
to develop the idea a bit better in terms of achievable goals and
practicality before expending too much effort on it.
Years ago we implemented something like this in our global address list,
so that we could detect if someone in the company got infected and
started spewing. Many other organizations undoubtedly did the same.
But the days of those types of viruses are _long_ past (predates even
Netsky/Bagle etc). I think those addresses are still there, but I don't
think they've raised an alarm in the better part of a decade. Viruses
just don't do that no more.
You could consider the "compromise of gmail/yahoo/aol... accounts" as a
new type of something that behaves the same way. It can be a technique
for sites to find out when someone has leaked their address books
counter to policy. But...
Consider - not necessarily as parts of a technique, but helping you
steer it:
- traction - how likely are people to voluntarily put such addresses in
their address books? Not enough to matter. Broader solutions are needed
- noise - how are you going to distinguish infestations versus users
deliberately blasting their entire address book?
- results - what are you going to do when you find one?
- identifiability - you need to be able to figure out _who_ got
infected, even if you don't have tracing information or even a useable
From:.
- survivability - how do you prevent the malicious from evading it? The
honeypot addresses can't be too obvious.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
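The honeypot-address idea discussed in the reply above, as an added example that is not part of the original thread or of any ASRG work: a small Python detector that scans constructed MTA submission log records for messages addressed to seeded canary addresses, attributes each hit to a source the operator controls (authenticated user or client IP rather than a possibly forged From:, the "identifiability" point), and applies a simple heuristic to separate one user deliberately blasting their address book from automated spewing (the "noise" point). The log format, the canary addresses, the sample records and the scoring thresholds are all constructed assumptions for illustration.

```python
"""Canary-address detector over constructed MTA log records.

Added example; not code from the ASRG thread. Canary addresses are seeded
into the internal address list and never used legitimately, so any message
addressed to one is worth an alert. The log format and scoring are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed canary entries. Per the thread's "survivability" point they
# should look like ordinary directory entries, not obviously named traps.
CANARIES = {"j.whitfield@example.com", "zz-holding@example.com"}


@dataclass
class Record:
    ts: str
    client_ip: str
    auth_user: Optional[str]   # None when the client did not authenticate
    mail_from: str
    rcpts: List[str]


def parse_line(line: str) -> Record:
    # Constructed format: ts|client_ip|auth_user|mail_from|rcpt1,rcpt2,...
    ts, ip, auth, mail_from, rcpts = line.split("|")
    return Record(ts, ip, auth or None, mail_from, rcpts.split(",") if rcpts else [])


def source_id(rec: Record) -> str:
    # Identifiability: prefer evidence the site controls (who authenticated,
    # which client connected) over the From: header, which may be forged.
    if rec.auth_user:
        return f"user:{rec.auth_user}"
    if rec.client_ip:
        return f"ip:{rec.client_ip}"
    return f"from:{rec.mail_from or '<unknown>'}"


def scan(lines):
    """Return per-source evidence for every message that hit a canary."""
    hits = defaultdict(lambda: {"messages": 0, "canaries": set(),
                                "unauth": 0, "from_addrs": set()})
    for line in lines:
        rec = parse_line(line)
        hit = CANARIES.intersection(rec.rcpts)
        if not hit:
            continue
        h = hits[source_id(rec)]
        h["messages"] += 1
        h["canaries"] |= hit
        h["from_addrs"].add(rec.mail_from)
        if not rec.auth_user:
            h["unauth"] += 1
    return dict(hits)


def classify(h) -> str:
    # Assumed heuristic for the "noise" problem: a user who mails their whole
    # address book once does it authenticated, from one From:, hitting one
    # canary. Repeated, unauthenticated or From:-rotating hits across several
    # canaries look more like automated spewing.
    score = 0
    score += len(h["canaries"]) > 1
    score += len(h["from_addrs"]) > 1
    score += h["unauth"] > 0
    score += h["messages"] > 1
    return "likely-infection" if score >= 2 else "review-possible-blast"


def report(lines):
    """Map each flagged source to its classification."""
    return {src: classify(h) for src, h in scan(lines).items()}


# Constructed sample log: one authenticated user mailing a list that
# happens to include a canary, one unauthenticated client hitting both.
SAMPLE_LOG = [
    "2011-03-25T10:01:00|10.0.0.5|alice|alice@example.com|bob@example.com,j.whitfield@example.com,carol@example.com",
    "2011-03-25T10:02:00|10.0.0.9||dave@example.com|j.whitfield@example.com,erin@example.com",
    "2011-03-25T10:02:05|10.0.0.9||frank@example.com|zz-holding@example.com",
    "2011-03-25T10:03:00|10.0.0.7|gina|gina@example.com|heidi@example.com",
]

if __name__ == "__main__":
    for src, verdict in report(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The "results" question from the thread is left to the operator: the report only names the source and a confidence bucket, which is what a helpdesk or abuse desk needs to decide whether to quarantine the account, rate-limit the client, or simply ask the user what they sent.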