
Re: Exposing the security holes in all existing anti-spam techniques (was Re: You Might...)

2003-09-11 19:54:28
On Fri, 12 Sep 2003 07:34:55 +0800, Shelby Moore said:

3. And here is the kicker.  ALL existing anti-spam methods can be (and thus
will eventually be) easily subverted.  This is already in the public domain
elsewhere.  All someone need do is create a virus which both spreads sometimes via
email and the rest of the time sends large quantities of highly randomized spam.

Already been done, and better - Consider a virus that installs an open proxy
for spammers to use.  Do the lit review yourself if you can't name which one(s)
did this (yes, more than one has).

Do the lit review for which famous viruses created havoc by sending around
other attachments at random off a person's disk.

However, keep in mind that the spam can't be TOO randomized and still
convey a message - at the very least you need to convey a hint of what is
being sold, and where to contact the spammer's employer for more details.

The seed would need to be truly random (e.g. cpu clock modulo milliseconds)
and randomize all headers (To, From, Subject, etc) and content, using lookup
tables of common domains, and normal words people use in email.

Already being done:  Consider the following obfuscations seen in today's spam
to try to break up the spammy words: (warning, following 2 paragraphs may
mis-display if your MUA is silly enough to attempt to display HTML in a
text/plain MIME part)

<B> California -</B> A recent online sur<!clarke>vey shows that roughly 46
mil<!support>lion U.S. adults bought pro<!disruptive>ducts or services in
the las<!stowaway>t year in response to e-mail solicitations, for
sal<!saleslady>es of $7.1 billio<!summon>n.<BR>
<BR>
Fo<!avaricious>rrester Research has dete<!coarsen>rmined by online surveys
an<!zaire>d consumer census reports, th<!physik>at an email
advertis<!tungstate>ement is up to 15 tim<!angelina>es
mor<!committing>e likely to res<!conquistador>ult in a sale than a
ban<!dish>ner advertiseme<!brine>nt.

Sometimes, the random words included to reduce a "spamminess percentage"
are set with foreground=#ffffff and background=#ffffff to hide them.  And
some spammers just dump in pseudorandom text:

<BR>
<BR>
</FONT></HTML>
vnnxjyc ooq d uzwb wtymbhvgr h

irtka devbic 
td  z
qnrbjimczahcasdepfys

So it's hardly like these techniques aren't in widespread use already.

Vernon's DCC, Paul Graham's Bayesian filters, reply opt-in whitelisting, etc. would all
fail miserably.  Additionally imagine all the bounced traffic (from randomized
addresses) and especially the case where two reply opt-in whitelisting entities
get caught in an infinite loop (randomized From/ Reply-To addresses).

Spammers have for quite some time been using gamed From: headers in the hope
that even if the To: header points at a bum address, they can get the To's MTA
to forward the bounce to ANOTHER person who will hopefully look at the bounce
and get the message.  The effectiveness of this may have dropped since SoBig-F,
as people are now *used* to getting bounces for mail they didn't send, and so
aren't as likely to open it to see what it was they didn't remember sending...

Also this
would probably overload the DCC servers with too many unique flooded
checksums.  Some "script kiddie" could become famous by turning all anti-spam
from 90% to 1% effectiveness in days, not to mention probably overloading
internet email to the point where no one could find their legitimate email.

Sobig-F came close...

But as I noted above, the spammer has to keep a certain signal/noise ratio in
the spam, or risk having the message not do any good (for instance, the
spammers who send me what are effectively 100% noise messages because they are
in Turkish or Chinese/Korean/Japanese are never going to get me to buy from
them, as I have no idea what they're selling...)

If #3 happens, those of you here at the IETF who attempted to ridicule me
(unsuccessfully obviously), will be realizing that my warnings of dire
architectural problems are real.

We're quite aware of the architectural problems.  We're also aware of exactly
what it would take to deploy a solution....

Lastly I have done the full background search at ASRG (IRTF), and I did not
find prior art for either the proposal I made to legitimize bulk email by
moving it to "pull", or for our soon to be patent-pending
anti-spam algorithm.

Your search was incomplete, and here's some prior art.  Make sure that the
claims on your patent don't cover anything in this message, as that would
of course be a big no-no.

# To: asrg(_at_)ietf(_dot_)org
# Subject: [Asrg] email pull (was RE: Authentication )
# From: Kaitlin Duck Sherwood <ducky(_at_)osafoundation(_dot_)org>
# Date: 26 Mar 2003 09:57:43 -0800
# In-reply-to: <CE541259607DE94CA2A23816FB49F4A3110067(_at_)vhqpostal6(_dot_)verisign(_dot_)com>
# Organization: Open Source Applications Foundation
# References: <CE541259607DE94CA2A23816FB49F4A3110067(_at_)vhqpostal6(_dot_)verisign(_dot_)com>

archived at:

http://www1.ietf.org/mail-archive/working-groups/asrg/current/msg02185.html

Read the whole thread, there's at least 20 followups to that message.
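The obfuscations quoted in this message (words split by malformed `<!word>` pseudo-comments, white-on-white filler, and runs of pseudorandom text) only work against a filter that scores the raw bytes rather than what the recipient actually sees. The following Python is an added example, not code from this message, the thread, or any of the filters named in it; it normalizes an HTML body the way a content filter could before tokenizing, and reports the obfuscation itself as features. The sample message is constructed to mimic the quoted styles, the function and class names are hypothetical, and it assumes a white page background when `bgcolor` is absent.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample modelled on the obfuscation styles quoted in the message:
# words split by malformed "<!word>" pseudo-comments, white-on-white filler
# text, and a trailing run of pseudorandom gibberish. Not a real spam capture.
SAMPLE_SPAM = """<HTML><BODY bgcolor=#ffffff>
<B> California -</B> A recent online sur<!clarke>vey shows that roughly 46
mil<!support>lion U.S. adults bought pro<!disruptive>ducts in the las<!stowaway>t year,
for sal<!saleslady>es of $7.1 billio<!summon>n.<BR>
<FONT color=#ffffff>meeting agenda quarterly report</FONT>
<BR>vnnxjyc ooq d uzwb wtymbhvgr h
</BODY></HTML>"""

REAL_COMMENT = re.compile(r"<!--.*?-->", re.S)
# "<!clarke>" is not a valid comment; browsers and most MUAs simply drop it,
# so the reader sees "survey" while a keyword filter sees "sur<!clarke>vey".
PSEUDO_COMMENT = re.compile(r"<!(?!--)[^>]*>")
WHITE_FONT = re.compile(
    r"<font[^>]*\bcolor\s*=\s*['\"]?#?ffffff\b['\"]?[^>]*>(.*?)</font>", re.I | re.S)
BGCOLOR = re.compile(r"\bbgcolor\s*=\s*['\"]?#?([0-9a-f]{6})", re.I)
ANY_TAG = re.compile(r"<[^>]+>")
VOWELS = set("aeiou")


@dataclass
class Normalized:
    text: str              # what the recipient would actually read
    pseudo_comments: int   # how many "<!word>" splits were removed
    hidden_words: list     # filler the recipient would never see
    gibberish: list        # alphabetic tokens with no vowel (likely random padding)


def normalize_spam_html(raw: str) -> Normalized:
    """Undo presentation-layer obfuscation so a content filter scores the
    text the reader sees, and surface the obfuscation itself as features."""
    body = REAL_COMMENT.sub(" ", raw)
    body, n_pseudo = PSEUDO_COMMENT.subn("", body)

    # Assumption: white page background when bgcolor is absent, which is the
    # default rendering in most mail clients; white text on white is invisible.
    m = BGCOLOR.search(body)
    background = m.group(1).lower() if m else "ffffff"
    hidden = []
    if background == "ffffff":
        for chunk in WHITE_FONT.findall(body):
            hidden.extend(ANY_TAG.sub(" ", chunk).split())
        body = WHITE_FONT.sub(" ", body)

    # Strip the remaining markup, decode entities, collapse whitespace.
    text = html.unescape(ANY_TAG.sub(" ", body))
    text = " ".join(text.split())

    # Crude padding detector: a word of four or more letters with no vowel
    # is almost never English; such tokens are a feature, not content.
    gibberish = []
    for tok in text.split():
        letters = re.sub(r"[^a-z]", "", tok.lower())
        if len(letters) >= 4 and not (set(letters) & VOWELS):
            gibberish.append(tok)
    return Normalized(text, n_pseudo, hidden, gibberish)


if __name__ == "__main__":
    result = normalize_spam_html(SAMPLE_SPAM)
    print(result.text)
    print("pseudo-comments removed:", result.pseudo_comments)
    print("hidden filler:", result.hidden_words)
    print("gibberish tokens:", result.gibberish)
```

Two points follow from running it. First, after normalization the body reads "sales of $7.1 billion" again, so a Bayesian or keyword filter scores the same tokens the recipient sees. Second, the obfuscation leaves its own fingerprint: a non-zero pseudo-comment count, invisible text, and vowel-less tokens are all strong spam indicators in legitimate mail that almost never occur, so a filter can score them directly rather than only removing them. Checksum systems like DCC get the same benefit from hashing the normalized text rather than the raw, per-message randomized bytes.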

