ietf-mxcomp
[Top] [All Lists]

RE: Forging (was Re: Differences between CSV and Sender-ID )

2004-07-08 10:23:58

 Spammers have proved to be astonishingly and quickly adaptable
AD>   In some situations.  In others, they are astonishingly idiotic.
AD> Once again, the behavior is situational.

the folks who command estimated millions of compromised machines, with
a 3- or 4-tier control hierarchy, do not count as idiotic.

let's design mechanisms that deal with those guys. the rest are
irritating but they are mere noise.

Alan is right in pointing out that we should not overestimate
these guys.

Sure it is very clever to set up 3-tier botnets. Our intervention
center discovers a lot of very clever stuff.

But no, these guys are not half as smart as they think they are.
These guys can do stuff that is amazingly complex one minute and
then something really really stupid the next. Like the guys who
tried to phish VeriSign on three separate occasions and used the
exact same ISP in every attack.

The whole theory of the type of intervention we do is that you 
put pressure on the attacker, the more pressure you put on them
the more they are forced to react, the more likely they are to
make a mistake.

If you look at the first attack on the WTC, the perpetrators were
captured because one of them went off to claim their deposit from
the truck rental company. Ever wondered why Al Qaeda uses suicide
bombers in attacks that don't need them? The guys who you can get
to do that sort of stuff are not the sharpest knives in the drawer.
Having them commit suicide during the attack means that the 
leadership don't have to worry about them getting caught.


   Effort on a global standard that deals with a transient symptom is
   certain to have minimal, transient benefit, if any, but with very
   large opportunity and on-going costs.

Everyone accepts the fact that there is a forwarding hole in SenderID.
Fortunately Sender-ID is the first move, not the last.

With Sender-ID you can always authenticate the party that purports to
be the last link in the chain. Therefore I expect the deployment of
Sender-ID to follow something like the following patterm:

Phase-1: Senders are required to issue Sender-ID records.

Phase-2: Forwarding specialists are required to provide either
        an accreditation proof or a proof of consent.

Phase-3: All Senders are required to provide accreditation proofs.

By 'required' I mean, that if you want to reliably send your mail 
to one of the major ISPs (and many smaller ones) you are going to
have to comply. 

Over time I expect that AOL and MSN will be wanting to power down
the huge server farms they currently run for the sole purpose of 
running spam filtering schemes. If you want to send email you are 
going to have to comply.

Sure this is going to be unpopular in Boca Raton, Florida, and 
possibly other places. But at the end of the day insecure email
has failed and the only choice left is a transition to secure 
email.


Please show me a successful, global standard that has been 
designed to respond to
one set of symptoms, when the source of those symptoms is constantly
adapting, guaranteeing that the symptoms will become irrelevant as
soon as the response begins to take effect.

Please show me a successful IETF security standard. Every attempt
to develop end to end solutions has been a miserable failure. The
only security protocol that has been successful is SSL which was
successful independently.

no, computer science.

the difference between accreditation, versus authentication and
authorization, is basic.

Yes, and the MARId group continue to insist on calling a record that
contains an authentication credential an authorization record. But
this does not actually matter much, it just leads to fuzzy thinking.

Accreditation is actually a new term introduced to describe what
we used to call third party attribute assertions.

no, that's not quibbling.  it goes to the difference between
authorization and accreditation.

Yes, I certainly agree here. There has to be an accreditation 
component.

AD>  That's the basic concept behind MARID.  Having domains
AD> maintain BL's about others is expensive and pointless.

pointless?  so spamhaus and all those other lists are pointless?

There is a big, big problem with the blackists. If you only 
list negative reputation you end up having to measure the 
whole world against a set of criteria that is imposed 
unilaterally.

Allowing the sender to nominate the accreditation services that 
are relevant allows the search for positive reputation data from
a source trusted by the recipient can be narrowed.

This means that the market for accreditation services can contain
both the 500,000 domain VDL that we publish and smaller lists from
other providers with a few hundred entries.


                Phill


<Prev in Thread] Current Thread [Next in Thread>