[ISN] The price of email is constant vigilance

From: InfoSec News (isn@private)
Date: Mon Mar 08 2004 - 01:48:24 PST


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@private>
    Cc: infosecbc@private, secedu@private, infosec@private, isn@private
    
    Peter Wilson's article on spam and viruses (on Saturday, March 6,
    2004) lists a number of antispam measures that are currently being
    promoted.  He also retails Bill Gates' confident prediction that spam
    will be a thing of the past by 2006.  Remember that prophecy, because
    Bill Gates is going to be proven wrong.  An examination of the
    measures listed in the article demonstrates why.
    
    SPF (sender-permitted format) is currently garnering the greatest
    interest.  The description of SPF as a kind of caller-ID is not quite
    correct.  All email carries caller-ID in the form of the information
    about who the message is from, and information about the Internet
    Protocol (IP) address that originated the message.  SPF is actually an
    attempt to contact the site that is supposed to have originated the
    message, and verify that these two pieces of information match, or, at
    least, are likely.  Spammers, when creating spoofed addresses, don't
    bother to make sure that they do.  Or, at least, they haven't up until
    now.
    
    Microsoft's own version seems to be either an attempt to compete or an
    attempt to derail SPF: SPF is primarily promoted by AOL, and the two
    companies have never played particularly well together.  Microsoft's
    plan is derided by the SPF camp for being proprietary.  It is true
    that SPF uses features and functions that make more effective use of
    the email protocols that are currently in use on the Internet.  The
    configuration of factors is not universal, though, and some of the
    activities will require new programming for everyone who participates
    in SPF.  Which may mean that the Internet might become split into the
    camp of those who use SPF, and those who don't.
    
    I have seen this in action already.  I have a number of accounts.  
    (And, of course, get tons of spam.)  One is through Vancouver
    CommunityNet, which does not have very much in the way of spam
    detection or prevention.  Because of the volume of spam this account
    receives (particularly during the Sobig flood last summer), I
    forwarded the account to a service that does spam and virus filtering.  
    One of the functions that the service uses is similar to the SPF
    protocol.  A great deal of the spam that was being forwarded was
    unverifiable, and so the service simply refused to accept it.  This
    meant that a volume of email built up on Vancouver CommunityNet, to
    the point that it affected the mail system as a whole.  (Vancouver
    CommunityNet, despite being informed of all the details, and my own
    actions to rectify the situation, has handled the whole matter in a
    very sloppy manner.)
    
    SPF has promise, and it may be possible (unlike the Microsoft
    proposal) to provide workarounds for a variety of systems, platforms,
    and applications.  However, there are a number of issues that still
    have to be resolved, such as email aliases, third-party services, and
    applications such as mailing lists, which operate in a wide variety of
    forms.  The difficulties are not insurmountable, but an enormous
    amount of work still has to be done.
    
    Microsoft's micropayments strategy is apparently the most recent one,
    but has been raised many times over the history of the nets.  (One of
    the popular programs providing Usenet news, a type of topical
    discussion, used to remind anyone who attempted to post a message that
    it would possibly cost thousands of dollars to send this to everyone:
    did they really want to do that?)  Unfortunately, the issue of mailing
    lists comes up almost immediately.  Even if we assume one cent per
    message, if I send a message to a popular list such as the RISKS-FORUM
    Digest, with a possible hundred thousand subscribers, am I charged a
    thousand dollars for that message?  Is the list moderator charged?  
    In the case of RISKS, it is also redistributed by a number of
    sub-mailing lists: do those costs get charged to the accounts of the
    local administrators?  The list moderator?  Me?
    
    (The obvious second question is: who *gets* the money?  The Internet
    Engineering Task Force?  Some bloated bureaucracy parcelling out the
    cash to the various national telecom carriers?  Charity?  Microsoft?  
    The recipient?  Hmmm.  Maybe I should rethink my objection to the
    micropayment system.  At one point I was getting 8,000 [yes, eight
    thousand] copies of spam from one system in China.  Per hour.  Same
    message.)
    
    And, of course, in order to provide for such a micropayment system,
    everybody is going to have to use a Microsoft mailer.  With a
    Microsoft payment system.  And a Microsoft account.  This sounds like
    an attempt to resurrect the (justly derided and roundly condemned)
    Passport and Palladium systems.
    
    The challenge-response system is already being used by a number of
    outfits providing spam filtering and other services.  It is a
    nuisance.  It can create a great deal of annoyance in a number of
    situations, not least being mailing lists.
    
    It also doesn't work.  The most common challenge response systems
    present a graphical image of a word.  This word is supposed to be
    entered in a field on a web page in order to create permission for the
    message to go through.  People can read the word easily, but machines
    have difficulty with this type of task, so this makes it impossible
    for spammers to automate the sending of email: they have to read and
    respond to every challenge.
    
    That's the theory.  In fact, spammers have already been found to be
    "automating"  the process--using Internet web surfers.  A number of
    web pages have been set up promising access to pornography.  In order
    to access the files, you have to respond to a challenge.  The
    challenges are, of course, those that are being presented on the
    antispam filtering sites.  Those challenges are simply extracted,
    presented to the surfers wanting access to pornographic images, solved
    by the user, and the solution fed back to the antispam site.  The same
    problems apply to computational puzzles: they are simply another form
    of challenge-response.
    
    In fact, most of these antispam technologies fail in the face of the
    problem of spam nets set up by viruses.  Spam sent from infected
    machines could simply use the name of the owner, thus verifying the
    identity.  Spam sent from infected machines could use the micropayment
    "wallet" on the infected machine, thus creating not only problems of
    clean-up for the owner, but also a real cost.  Infected machines could
    be used to crack computational puzzles, or the owner could be
    presented with challenges to respond to, in a variety of ways.
    
    Spam has passed the stage of being a nuisance.  Email is a means of
    communication that is starting to rival the phone, and spam is
    seriously degrading the effectiveness and utility of email.  Antispam
    measures are badly needed, but we cannot accept any proposed solution
    uncritically.  Dividing the Internet into isolated camps of
    incompatible (and rival) antispam technologies takes us back to the
    early days of online systems, when lots of people had email, but
    nobody could talk to each other.
    
    There is no easy fix, and there is no easy answer.  Administrators
    have to ensure that they are not providing open relays that can be
    used for spam.  Email filtering services are checking for
    inappropriate inbound email, but must also check what is going out.  
    ISPs (Internet Service Providers) must be more vigilant in regard to
    the use being made of the net to which they provide access.  Computer
    users at all levels have to check for malicious software, unpatched
    vulnerabilities, open ports and services, and what is going out of
    their systems as well as what is coming in.  Everybody needs to become
    more aware of what is going on, and keep up with the changes in
    threats around us all.
    
    And anyone who tells you it is not going to be painful is selling
    something.
    
    ======================  (quote inserted randomly by Pegasus Mailer)
    rslade@private      slade@private      rslade@private
    The brain is a mass of cranial nerve tissue, most of it in mint
    condition.                                             - Robert Half
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
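
The sender check described in the message, and the forwarding and alias problem it raises, shown as an added example that is not part of the original post. It evaluates a small subset (ip4, include, all) of the SPF record syntax later standardized in RFC 7208; the domains, addresses and records are constructed, and the lookup table stands in for DNS.

```python
import ipaddress

# Constructed TXT records using documentation address ranges (not real policies).
TXT = {
    "origin.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.bulk.example -all",
    "_spf.bulk.example": "v=spf1 ip4:198.51.100.16/28 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """SPF result for a connecting IP and the envelope sender's domain."""
    terms = TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"                      # domain publishes no policy
    if depth > 10:
        return "permerror"                 # runaway include chain
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        result = QUALIFIERS.get(term[0])
        mech = term[1:] if result else term
        result = result or "pass"          # no qualifier means "+"
        if mech == "all":
            return result
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return result
        elif mech.startswith("include:"):
            inner = check_host(ip, mech[8:], depth + 1)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"             # outside this simplified subset
    return "neutral"

# Constructed deliveries: (description, connecting IP, envelope sender).
DELIVERIES = [
    ("sent directly by origin.example", "192.0.2.25", "alice@origin.example"),
    ("sent via its bulk mail service", "198.51.100.20", "news@origin.example"),
    ("forged sender from unrelated host", "203.0.113.9", "alice@origin.example"),
    ("genuine mail relayed by a forwarding alias", "203.0.113.77", "alice@origin.example"),
    ("domain with no SPF record", "203.0.113.9", "bob@nopolicy.example"),
]

def evaluate(deliveries=DELIVERIES):
    return {desc: check_host(ip, sender.rsplit("@", 1)[1]) for desc, ip, sender in deliveries}

if __name__ == "__main__":
    for desc, result in evaluate().items():
        print(f"{result:8} {desc}")
```

The forged message and the genuinely forwarded one get the same result, because the receiving site sees only a connecting address that the sender's domain never listed.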
    