ietf-mailsig

Re: Replay attacks and ISP business models

2005-08-06 20:10:16

How interesting that you think we cannot describe an attack unless we
know the mental state of the attacker.

In this case you are correct, because there is no technical difference
between a "replay attack" and a "mailing list".  Your bank robbery
example fails because there are plenty of differences other than mental
state between a normal withdrawal and a bank robbery.

I really don't know the mental state of the spammers who send most of
the spam I receive, does that mean I cannot begin to describe how they
sent the spam?

You can do so, but that's not what you're doing.  You are making a
prediction about how they might send spam in the future, without anything
other than your hunch to back it up.

Actually, I was thinking that zombies would be the primary vehicles
for the replay.  This mailing list centric view of the attack would
lead people to believe that it is the only method.  I much prefer the
current wording.

Oh, my.  I would have thought my point would be blindingly obvious, but I
guess I'm still not getting through.  First, I am NOT saying that spammers
will spam through mailing lists.  Here's what I'm saying:

 Every description of a "replay attack" is also a description of a
 mailing list.  Anything that stops mail delivered by "replay attacks"
 will also stop mail delivered by mailing lists.  The only difference
 between the two is mental state.  If we think it's spam, it's
 a replay attack, if we think it's good mail it's a mailing list.

The point of my reworded section 9.5 was to show that its description of a
replay attack is also a description of a mailing list.  If you think
they're different, you need to give us a way to tell them apart without
resorting to mental states.  Having used bulk counters for a couple of
years, I'm fairly sure it's not possible, since if it were, we'd have come
up with something better than a per-list whitelist to keep list mail from
being tagged by DCC. But please, prove me wrong, show us how to tell list
mail from spam by technical means.

If you're going to say that if it's from a zombie it's a replay attack, I
think you're wrong, but if you're right, that's great, all we have to do
is block mail from zombies, something we all try to do anyway and that has
no relation at all to mail signatures, and the problem is solved.

I see no reason to believe that spammers would send massive numbers of
identical messages through zombies, since they don't now.  What I see from
DCC and in catchall accounts that collect multiple spams is spammers who
mutate messages to defeat bulk detectors.  Since bulk detectors exist now
and are fairly effective (give or take the arms race to recognize the
mutated messages as similar), the direction I see is for spammers to
increase the diversity of what they send, not decrease it.

R's,
John

PS:

Technologists have a fairly poor track record with predicting the
future, especially with regard to how others will use technology.

No disagreement there.
