Re: increase in spam and what to do about it



In article <4t0tmqF11dlt4U1@xxxxxxxxxxxxxxxxxx>, bill@xxxxxxxxxxx (Bill Gunshannon) writes:
In article <ekfcvi$51m$1@xxxxxxxxxxxxxxxxx>,
david20@xxxxxxxxxxxxxxxx writes:
In article <4t0o6hF11i1kvU1@xxxxxxxxxxxxxxxxxx>, bill@xxxxxxxxxxx (Bill Gunshannon) writes:
In article <ekc29h$41a$1@xxxxxxxxxxxxxxxxx>,
david20@xxxxxxxxxxxxxxxx writes:
In article <4ssd5nF110jjhU1@xxxxxxxxxxxxxxxxxx>, bill@xxxxxxxxxxx (Bill Gunshannon) writes:
In article <1164427612.373176.124490@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
davidc@xxxxxxxxxxxx writes:
Bill Gunshannon wrote:

And I guess I'm still not sure exactly how your method is to actually
work, and how all these agreements are executed and enforced.

By making the users (at least the ones you don't trust) sign a legally
binding contract that has the ability to impose real penalties on those
who violate it.

Two problems

1) One-to-one agreements aren't scalable with the modern internet unless you
severely restrict who you want to talk to which would be unacceptable for
most organisations.

Actually, among the more serious users, it is probably a lot more
acceptable than you think. Many places don't allow the use of their
email system for anything but official communications both in and
outside of their own house. (ie. Procter & Gamble). .mil and .gov
severely restrict what can be accessed from their networks.

Any company that has customers (or in the case of education institutions wishes
to recruit students ) needs to expect to receive mail from perfect strangers.

Of course they do. And, that is only at one address and they have people
paid to wade through the garbage (a kind of wetware spam filter :-). But
I have better things to do with my time. And my time costs considerably more.




I would
think that places like this would very much like to have a clean
network from which they could contact and conduct business with
their contractors. As would many other serious .coms. The only
one who seems to be likely to prefer being on the outside are the ISPs
with their grandmas and their 9 year old users. I don't know about
you, but I really have no need to contact or to be contacted by them.


(
note. Usenet News is not a one-to-one agreement between your organisation
and the senders. You have one-to-one agreements with your Usenet feeds but
they just pass along ALL those newsgroups you have agreed to accept which
in turn have been passed along from their feeds etc
Any particular Usenet posting will have passed through a large number of
Usenet systems, which you have no direct agreement with, before reaching
your systems. Usenet is also a broadcast system, unlike email, which makes
such a structure feasible.

Which is why I used Usenet only as an example of how halfway measures
helped. Considering the volume, Usenet has considerably less spam by
percentage than most emails today. I saw no spam messages on Usenet
over the weekend while even with moderate filtering at the server and
aggressive filtering at the personal mailbox I still had a real/spam
ratio of 2/183 just over the last 4 days. This is handled by spam
filtering and the UDP. Not much, but it works. Peering agreements
with the email system can do it too, but they would require a system
that eliminates the three primary flaws I have already mentioned.
Three flaws that NNTP does not have, by the way.

If by the three flaws you mean


1) Anonymous access is allowed
2) Protocol allows anyone, anywhere to connect to anyone, anywhere
3) Protocol allows for easy address spoofing which adds to 1)

then they are totally irrelevant if you want to restrict which systems
can send to you via one-to-one agreements.

Just use SMTP but set your mail system up so that it just accepts mail from the
IP addresses of the mailservers of the people you have agreements with.
Reject all other connections.

But that isolates you completely from the rest of the INTERNET which is
something you said was unacceptable. My system works simultaneously with
regular SMTP allowing you to specifically separate the emails you know you
want to deal with right away while still letting you receive the stuff
that needs further filtering before you decide if it is worth your time.
SMTP was not designed for controlled access. The protocol expects everyone
to be able to talk to everyone. It also assumes you can trust everyone
which is why it doesn't have any form of authentication built into it.

Any solution has to be over and above what we have today. At least until
we no longer need SMTP.


(Such a setup wouldn't as I indicated above be acceptable to most companies
but there is nothing to stop you setting that up. No need to get rid of SMTP).

But that is exactly what I have been saying.

Ok so let's see if I've got this straight. You don't want to drop SMTP you just
want your own proposal to run in parallel until it grows big enough to take
over - except it won't because it isn't scalable.
Well forgetting about that last bit about lack of scalability you can still do
this just with SMTP. You just whitelist anything from the IP addresses you have
an agreement with and deal with the rest as usual.



(
Of course NNTP does in fact have at least flaws 1) and 3) since you
have no control over what the systems you peer to have peered with and what
systems those have peered with etc
)

Not at the MTA level.

There are open servers to route through and forging path headers is
no more difficult than forging SMTP received lines.

And, if desired, not at the reader level. I have to
authenticate in order to post or even read news. While some servers don't
require it, the protocol has the ability. SMTP does not.


Rubbish. Look up SASL, SMTP AUTH and the Submission port.

Also see

http://www.rhyolite.com/anti-spam/you-might-be.html

knows-SMTP-4
You know that SMTP has no authentication and have never heard of SMTP-AUTH,
SMTP-TLS, S/MIME, or PGP.






Also, of course, Usenet has its own problems with
inappropriate postings/SPAM.

See above, not even close to the level found in email today.

And the volume of a full feed per day is minuscule compared to the volume of
mail being exchanged around the world per day.


Depends on the groups and when you look. A while back a number of the vmsnet
groups were almost impossible to use because of binary postings of warez.

Bad news admin. I know it goes on, but on a well run system the
users won't usually see it. Of course, some admins, in the name
of some mistaken notion of "freedom" choose not to filter. Verizon
seems to be one of them and that is why even though they are my ISP
I choose to read my news elsewhere. Thus my additional notion that
some entrepreneur might offer clean email accounts available via the
INTERNET.

Binaries are relatively easy to clean out as are known viruses.
SPAM is much more difficult without also dropping legitimate mail.
(Is this mail listing PC prices a spam message or is it the price list the user
requested ?)




)


2) Getting organisations to sign legally binding contracts with respect to
their emission of SPAM is likely to be difficult.

Again, what the agreement ends out being is left as an exercise for
the reader. If you deal with someone whose AUP you are already
aware of and you know they enforce it draconianly (ie. .mil) then
you might not require any kind of formal agreement. I have said
the same thing about "communities" like c.o.v. Strongly worded
binding contracts are more likely going to be for those you don't
trust. They might show you how determined to work within the rules
they are. If they don't want to agree to play by the rules, send
'em packin'.



It looks like there was an attempt to set something like this up which overcame
the first problem via the use of a whitelist.
If you look on

http://shopping.declude.com/Articles.asp?ID=97

you'll find a fairly good list of anti-spam lists

at the bottom it mentions


BONDEDSENDER - A whitelist of E-mail senders that have
posted a bond to help prove that their
E-mail is legitimate.


Sadly, if not particularly unexpectedly, when you go to the url listed
http://www.bondedsender.org/ you find
that the service has been renamed "Sender Score Certified" and no longer
seems to mention anything about posting bonds.

But, by not eliminating the three flaws I have already mentioned, it
was doomed from the beginning. The current system can not be fixed.
We can try an already existing method that eliminates these flaws,
we can create a whole new protocol that eliminates these flaws or we
can stay with the status quo. Putting a bandaid and some neosporin
on a wound isn't going to help if the wound is already gangrenous.

More likely the participants found themselves hosting zombied
systems despite their best efforts and that persuaded them that agreeing to
pay out lots of money when they couldn't guarantee that they could stop it
happening again was not a good idea.

So, I take it you are another of those who think it is impossible to
secure Windows systems. In spite of the evidence to the contrary.

There is no such thing as perfect security. Zero day exploits mean that even
the best setup company will occasionally have an incident.






How do you stop it at the source? Which is the spammer, himself?

True. You stop it by not giving the spammer a venue from which to send
his spam. The sysadmins all agree (by contract) to not allow spam to be
sent from their systems. Penalty: ostracism. The sysadmins of the local
mailsystems have AUP's that carry penalties (which depend on the type of
organization, ie. ISP - include hefty fines in your customer contract,
business - employee can be fired, school - expulsion or other academic
sanctions, etc.) Thus, the spammer has no place where he is welcome on
the new email network.

Back in the mid '90's, such things were done. Erols and other networks
had fines and such for spammers. It didn't work. This again refers
to the "whack-a-mole" game of spammer termination. Also, often the
spammers would sign up with accounts using credit cards of the clients,
or even stolen credit cards.

Ummm.... That's a crime, probably federal.

So you end up not billing or punishing
the spammer, anyway. You kill one spammer account, and they have 10
more waiting to abuse when needed.

If you make the users identify themselves and sign a legally binding
contract you know who they are and they can't have 10 more accounts
waiting.


Of course, now much spam is from zombied Windows boxes. The spam can't
be traced back past the zombied PC. So, do you fine and terminate the
account of the person with the infected PC? That's going to sit well
with customers. What about the Wingate proxy exploitation of several
years ago? The proxy would allow SOCKS4-like remote access, making the
Wingate proxy appear to be the source, but no way to determine who
initiated the connection. And the wide variety of formmail.pl web form
abuse that occurred (and actually, I STILL had several dozen attempts by
some spammer to test my form mail web script on the Hobby Site:
dinotto2@xxxxxxx and topcopl2@xxxxxxx are their test accounts - may the
harvesters get them)? And there are still open SOCKS4 proxies, open
SMTP relays, and any number of other methods people are spamming
without using mail servers they are authorized to use.

And, because my proposal doesn't use SMTP at all, none of the above
pose a threat.


If you're not using SMTP then what are you using (UUCP)?


http://www.rhyolite.com/anti-spam/you-might-be.html

programmer-11
The FUSSP involves replacing SMTP.

I'll visit the site, but I got the idea from other comments I have
seen that they post mostly humorous stuff. Maybe I have them confused
with someone else. Of course, the last line looks like they agree with
me on at least one point.




They are already not using email networks where they are not welcome,
so why does your solution work?

How are they "not using email networks where they are not welcome"?
Right now, except for private networks, there is only one network
and everyone who is exchanging email is using it. Any Email host
(and many non-legitimate ones like zombied PC's) can contact any
other and 90% of them will accept the connection and the email from
any other.


Also, how do you require uniform AUP's across ISP of various countries?

It is all based on agreements between individuals. Regardless of where
one is I can require whatever I want or refuse to let them play in my
sandbox.

You're free to set up your own agreements with whatever companies you wish
to accept their mail and reject all other mail. It's easy enough to do with
most mailservers (no need to switch to UUCP just set up your mailserver to only
accept mail from specific IP addresses). However such a solution isn't
acceptable to most companies who want complete strangers (otherwise known as
customers) to be able to contact them.

Which is why my proposal is to run both simultaneously and let the serious
user migrate as they see the value of it until eventually all of your
serious users (read real customers) are on the clean system and you can
pay much less attention to the garbage. Let me throw one more example out.
We have all been spammed by someone who got our address from c.o.v. Many
people have been forced into munging their address (which poses a burden on
anyone who wishes to talk to them because they can no longer just use the
reply option!) or having other mail accounts on other machines specifically
for use in Usenet postings, which is certainly a burden on the user.
What if the address you used in your Usenet postings couldn't be reached
by people outside the group, but could be by those within the group?
Wouldn't that offer an advantage?



Read what I said up above. The customers of the ISP all sign a contract
(I know I had to!) You put serious penalties in the contract.


Yes, but they really have no teeth, the spammers are often using
fraudulent information,

If I don't know/trust the individual, I require them to prove who they
are. How is that any different than when someone walks into a store and
plops a credit card down? Fraud is illegal. As near as I know, that
applies in pretty much every civilized country.

or on ISP which don't have strong AUP,

I don't let them join the network until they agree to institute an AUP
that meets the requirements of my network.

or the
spammers are using network which they are not authorized.

Won't be able to use mine. I will know who is allowed to access my mail
server and no one else will be able to.


You are assuming the spammers are Law Abiding Honest Citizens. That
may be true of Usenet back in the day, not anymore.

In order to join the network, they will have to positively identify
themselves. If they choose to violate the law after they have
positively identified themselves, well, that's what the courts are
for. :-)


Sorry your system will only work if you can impose such rules on all the
ISPs and your only weapon against those who don't comply is to stop them
sending you mail. Until the majority of internet sites adopt those rules
it is simpler for the ISPs to just ignore your rules and let you isolate
yourself.

But as long as I continue to accept other emails as well, I am not isolated.
And, as the users I want to communicate with begin to migrate (assuming my
idea takes hold, of course) I can slowly begin to more and more aggressively
filter their garbage and it is eventually they that will be isolated, in a
sea of spam. I don't care about that 98% of garbage that makes up most of
the INTERNET. I am sure that most real businesses and academics doing real
research and people like c.o.v who share a common interest are the same.
Let those who really want to get all that spam stay with their ISP and
take it all in. I don't want it.


http://www.rhyolite.com/anti-spam/you-might-be.html

senior-IETF-member-5
The FUSSP won't be effective until it has been deployed at more than 60% of
SMTP servers and that's not a problem.

Mine takes some point at which it attains critical mass as well. I will look
at this FUSSP stuff, but unless it eliminates the three flaws in SMTP it is
doomed to failure. And, if it is yet to be implemented in any usable form,
my proposal still has the advantage. Given some number of interested email
system admins I can have the first stages of my network up and running in
less than 24 hours. The software is already there and the hardware needed
to run it (especially in the earlier stages) can be found in most people's
junk box.


I think you are misunderstanding the FUSSP (Final Ultimate solution to the
Spam problem) is a general description of solutions such as yours to SPAM.
The full title of the webpage is
"You Might be an Anti-Spam Kook If ..."

Like I said, I haven't been there because I had heard it was not serious.
Your comments make it seem I was right.

Sorry the message may be put across with a little bit of humour but the message
is still serious. The solutions of those who think they have found the final
solution to spam usually incorporate a number of the items mentioned.
And those who present such plans are usually blind to these shortcomings.


David Webb
Security team leader
CCSS
Middlesex University



bill

--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
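
The IP allowlist arrangement discussed in the thread (accept mail directly from the mail servers of parties you have an agreement with, and either reject or filter everything else), sketched as an added example that is not part of any poster's message. The peer networks, function names and policy labels are constructed for illustration.

```python
import ipaddress

# Constructed sample: networks of mail servers covered by an agreement.
# These are documentation ranges (RFC 5737 / RFC 3849), not real peers.
AGREED_PEERS = ["192.0.2.0/28", "198.51.100.25/32", "2001:db8:25::/48"]


def load_allowlist(cidrs):
    """Parse CIDR strings once; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def normalise(peer_ip):
    """Return an ip_address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d).

    A dual-stack listener reports IPv4 clients in mapped form; without this
    step an IPv4 allowlist entry would never match them.
    """
    addr = ipaddress.ip_address(peer_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def decide(peer_ip, allowlist, parallel=True):
    """Connection-time policy for an inbound SMTP peer.

    peer_ip must be the address of the TCP connection itself, never a value
    taken from message headers, which the sender controls.

    parallel=True : agreed peers bypass filtering, everyone else is filtered
                    (the allowlist runs alongside ordinary SMTP).
    parallel=False: agreed peers only, all other connections are rejected.
    """
    try:
        addr = normalise(peer_ip)
    except ValueError:
        return "reject"  # unparseable peer address: fail closed
    if any(addr.version == net.version and addr in net for net in allowlist):
        return "accept"
    return "filter" if parallel else "reject"


if __name__ == "__main__":
    allow = load_allowlist(AGREED_PEERS)
    for ip in ["192.0.2.10", "::ffff:198.51.100.25", "203.0.113.7"]:
        print(ip, decide(ip, allow), decide(ip, allow, parallel=False))
```
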