Sorry for the old post - deliverability issues.
On 08/30/2011 06:08 PM, Jason W. wrote:
> With PCs being owned and email accounts being owned, has anyone
> considered blacklisting individual email accounts? Within the past
> month, I've gotten an influx of spam from people who I have
> communicated with. Given the content, I doubt these people would be
> sending me random links to foreign websites designed to own my PC.
> Some of these senders are people who I haven't communicated with in
> years, but my email address is probably in their email box or address
> book. It's all been consumer-grade email (Comcast, AOL, Yahoo, etc.)
> from people for whom it would not be a stretch to imagine them getting
> owned.
Consider the following points:
- Most "infected user" spam is designed from the very beginning to be
difficult or impossible to tell _who_ is infected. Why would the
spammers make the ISP's (or our) job easier? Believe me they don't,
they make it as hard as possible.
- If you get bot spam, you can be virtually certain someone else is
getting bot spam forged in your email address. It doesn't mean you're
infected.
- Your proposal could naively be implemented by "blocking every from
address ever seen in spam". Most spam is forged. We'd _all_ be
blacklisted. Heck, some bots specialize in forging the from to be the
recipient. You'd be blacklisting yourself ;-)
- In approximately 99% of all cases of spam from "owned" machines, there
is NO WAY for the recipient to know _who_ was infected for any given
spam. It can be incredibly hard even for experts to find it in some cases.
- Even when it is possible, it's rare that any given recipient can
figure it out, because it'll be in a header they don't see, and wouldn't
understand if they did. You want grandma making that choice?
Datapoint: I personally get hundreds of spams per day. The number of
times I could clearly identify who was compromised (and I know how to
read headers ;-) is about once or twice per _year_.
I think the upshot would be that:
- it's only possible to tell in a small fraction of spam who is infected.
- few users would be able to reliably and accurately determine _who_ was
infected, and there'd be far more false positives than true positives.
In other words, very low effectiveness rates, and highly false positive
prone. Ick. Sorry.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
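A small Python illustration of two of the points above: a blocklist built from From addresses seen in spam ends up blocking the recipient's own genuine mail, while the only real origin information sits in the Received chain the user never looks at. This is an added example, not code from the thread; the messages, addresses and IPs are constructed (documentation ranges), and the Received parsing is a simple heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed bot spam: the From is forged to be the recipient herself
# (the self-blacklisting case). Hops are listed newest-first, as MTAs add them.
FORGED_SPAM = """Received: from mx.example.net (mx.example.net [192.0.2.10]) by inbox.example.net
Received: from unknown (HELO pc-home) ([203.0.113.77]) by mx.example.net
From: Grandma <grandma@example.net>
To: grandma@example.net
Subject: check this out

http://198.51.100.9/click
"""

# Constructed genuine mail from the same address via her provider's submission host.
GENUINE_MAIL = """Received: from smtp.example.net (smtp.example.net [192.0.2.20]) by inbox.example.net
From: Grandma <grandma@example.net>
To: grandma@example.net
Subject: recipe

Here is the pie recipe you asked for.
"""

def sender_address(raw):
    """Bare address from the From header; trivially forgeable by the sender."""
    return parseaddr(message_from_string(raw)["From"])[1].lower()

def received_ips(raw):
    """IPs in the Received chain, oldest hop first (bottom header first).
    Hops below your own trusted MTAs can themselves be forged by a bot, so
    only the hop your own server recorded is reliable."""
    msg = message_from_string(raw)
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        if m:
            ips.append(m.group(1))
    return ips

def build_from_blocklist(spam_samples):
    """The naive proposal: block every From address ever seen in spam."""
    return {sender_address(s) for s in spam_samples}

def blocked_by_from(raw, blocklist):
    return sender_address(raw) in blocklist
```

Running `blocked_by_from(GENUINE_MAIL, build_from_blocklist([FORGED_SPAM]))` returns True: one forged spam is enough to block the recipient's real correspondent, while `received_ips` shows the two messages entered the provider from entirely different hosts.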