ietf-mailsig

Re: Replay attacks and ISP business models

2005-08-07 18:44:09

In <42F6AF13(_dot_)10505(_at_)mtcc(_dot_)com> Michael Thomas 
<mike(_at_)mtcc(_dot_)com> writes:

> wayne wrote:
>> Are you seriously suggesting not worrying about the replay attack
>> until it is widespread?
>
> Widespread is different than seen in the wild. At this point,
> there's no evidence that I'm aware of that it's been seen
> in the wild. I wouldn't expect it for quite some time --
> why would they bother right now?

You snipped the part where I explained that spammers have had a long
history of riding on other people's good reputations.  Any system that
cannot deal with that is useless.  That is why we have to bother
RIGHT NOW.

> A lot can happen between
> then and now, so I'm not sure that proceeding way down _any_
> one line of defense is all that wise.

I strongly disagree.  Spammers can adapt very quickly and have done so
in the past.

> For one, it's not
> clear that if domains -- in an effort to maintain their
> reputation -- start spam-filtering their outbound mail,
> you'd reduce the effectiveness of the so-called replay
> attack by about 2 orders of magnitude. It seems to me that
> it's pretty likely that they'll find something else to do
> if that scenario plays out.
>
>> I don't see how filtering their outbound will help much in preventing
>> the replay attack.
>
> It doesn't prevent it, it just makes it less likely to be
> a viable vector: if 99% of your spam campaign is not leaving
> the outbound ISP, my guess is that you're going to look for
> other distribution mechanisms. We're already seeing a shift
> on that anyway, right? With zombies, right?

That is the whole point of the replay attack, you only need one
email to leave the outbound ISP with the signature, and then you can
send it a million times via other sources.

Or, if you are saying that all spam problems can be solved if all mail
sources do a better job of filtering on the outbound, then sure.  But
then, what is the point of DKIM?

> I really like the formulation I heard here: a lot of the
> utility of signing is in just getting spammers and other
> miscreants to attack somebody else instead of me. Eventually
> we may be able to close the noose, but until then I'd just
> assume at least they not sully my name.

But with the replay attack, there isn't any reason for the spammers to
attack anyone else.  They want the reputation of others to help them
pass spam filters.


-wayne
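
An added example, not part of the original message or of any DKIM implementation: a receiver-side heuristic for the replay pattern discussed above, in which one validly signed message arrives again and again from other sources. The log tuples, the `find_replays` name and the `max_relays` threshold are assumptions constructed for illustration; `d=` and `b=` are the signing-domain and signature tags of the DKIM-Signature header.

```python
from collections import defaultdict

# Constructed sample data: (relay IP, envelope recipient, DKIM-Signature value).
SIG_A = "v=1; a=rsa-sha256; d=isp.example; s=sel1; h=from:subject; bh=Zm9v; b=QUJD REVG"
SIG_B = "v=1; a=rsa-sha256; d=isp.example; s=sel1; h=from:subject; bh=YmFy; b=R0hJSktM"
SAMPLE_LOG = [
    ("192.0.2.10", "alice@rcpt.example", SIG_A),
    ("198.51.100.7", "bob@rcpt.example", SIG_A),
    ("203.0.113.5", "carol@rcpt.example", SIG_A),
    ("203.0.113.99", "dave@rcpt.example", SIG_A),
    ("192.0.2.10", "erin@rcpt.example", SIG_B),
]


def parse_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folding whitespace inside a value (a wrapped b=) is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags


def find_replays(log, max_relays=2):
    """Return {(d, b): (relay_count, rcpt_count)} for signatures that arrived
    from more than max_relays distinct relays (hypothetical threshold)."""
    relays, rcpts = defaultdict(set), defaultdict(set)
    for relay_ip, rcpt, header_value in log:
        tags = parse_tags(header_value)
        if "d" in tags and "b" in tags:
            key = (tags["d"], tags["b"])
            relays[key].add(relay_ip)
            rcpts[key].add(rcpt)
    return {key: (len(ips), len(rcpts[key]))
            for key, ips in relays.items() if len(ips) > max_relays}


if __name__ == "__main__":
    for (domain, sig), (n_relays, n_rcpts) in find_replays(SAMPLE_LOG).items():
        print(f"{domain}: signature {sig[:8]}... seen from {n_relays} relays, "
              f"{n_rcpts} recipients")
```

Mailing lists and forwarders also repeat a signature legitimately, so a hit is a signal for rate limiting or review rather than proof of abuse.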
