ietf-mailsig

Re: Replay attacks and ISP business models

2005-08-08 11:32:28

wayne wrote:
In <42F6AF13(_dot_)10505(_at_)mtcc(_dot_)com> Michael Thomas 
<mike(_at_)mtcc(_dot_)com> writes:
>> A lot can happen between
>> then and now, so I'm not sure that proceeding way down _any_
>> one line of defense is all that wise.


I strongly disagree.  Spammers can adapt very quickly and have done so
in the past.

That's rather the point. Anything that attempts to deal with
this problem would be a *very* long slog. I'm sure they'd like
nothing better than us wasting tons of resources on routes
they don't take. It's not like they don't read these mailing
lists too.

I don't see how filtering their outbound will help much in preventing
the replay attack.

It doesn't prevent it, it just makes it less likely to be
a viable vector: if 99% of your spam campaign is not leaving
the outbound ISP, my guess is that you're going to look for
other distribution mechanisms. We're already seeing a shift
on that anyway, right? With zombies, right?

Or, if you are saying that all spam problems can be solved if all mail
sources do a better job of filtering on the outbound, then sure.  But
then, what is the point of DKIM?

"Solved", no. Mitigated, possibly. And there's still plenty of
motivation for DKIM; like, for instance, that it will actually
give some motivation for domains to police their servers. That
and it will make running an anonymous (i.e., not attached to a
domain) zombie farm harder eventually. Both of those would be
good things.

I really like the formulation I heard here: a lot of the
utility of signing is in just getting spammers and other
miscreants to attack somebody else instead of me. Eventually
we may be able to close the noose, but until then I'd just
assume at least they not sully my name.


But with the replay attack, there isn't any reason for the spammers to
attack anyone else.  They want the reputation of others to help them
pass spam filters.

Why would they do that now? Maybe we'll end up in the place
where this is a real live problem, but we can deal with it
then. I mean, we're not even talking about dealing with reputation
and/or accreditation in this working group and that's a *very*
obvious next step, IMO -- much more so than this attack.

                Mike
