Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@private>
Cc: infosecbc@private, secedu@private, infosec@private, isn@private

Peter Wilson's article on spam and viruses (on Saturday, March 6, 2004) lists a number of antispam measures that are currently being promoted. He also retails Bill Gates' confident prediction that spam will be a thing of the past by 2006. Remember that prophecy, because Bill Gates is going to be proven wrong. An examination of the measures listed in the article demonstrates why.

SPF (sender-permitted format) is currently garnering the greatest interest. The description of SPF as a kind of caller-ID is not quite correct. All email carries caller-ID in the form of the information about who the message is from, and information about the Internet Protocol (IP) address that originated the message. SPF is actually an attempt to contact the site that is supposed to have originated the message, and verify that these two pieces of information match, or, at least, are likely. Spammers, when creating spoofed addresses, don't bother to make sure that they do. Or, at least, they haven't up until now.

Microsoft's own version seems to be either an attempt to compete or an attempt to derail SPF: SPF is primarily promoted by AOL, and the two companies have never played particularly well together. Microsoft's plan is derided by the SPF camp for being proprietary.

It is true that SPF uses features and functions that make more effective use of the email protocols that are currently in use on the Internet. The configuration of factors is not universal, though, and some of the activities will require new programming for everyone who participates in SPF. Which may mean that the Internet might become split into the camp of those who use SPF, and those who don't.

I have seen this in action already. I have a number of accounts. (And, of course, get tons of spam.)
One is through Vancouver CommunityNet, which does not have very much in the way of spam detection or prevention. Because of the volume of spam this account receives (particularly during the Sobig flood last summer), I forwarded the account to a service that does spam and virus filtering. One of the functions that the service uses is similar to the SPF protocol. A great deal of the spam that was being forwarded was unverifiable, and so the service simply refused to accept it. This meant that a volume of email built up on Vancouver CommunityNet, to the point that it affected the mail system as a whole. (Vancouver CommunityNet, despite being informed of all the details, and my own actions to rectify the situation, has handled the whole matter in a very sloppy manner.)

SPF has promise, and it may be possible (unlike the Microsoft proposal) to provide workarounds for a variety of systems, platforms, and applications. However, there are a number of issues that still have to be resolved, such as email aliases, third-party services, and applications such as mailing lists, which operate in a wide variety of forms. The difficulties are not insurmountable, but an enormous amount of work still has to be done.

Microsoft's micropayments strategy is apparently the most recent one, but has been raised many times over the history of the nets. (One of the popular programs providing Usenet news, a type of topical discussion, used to remind anyone who attempted to post a message that it would possibly cost thousands of dollars to send this to everyone: did they really want to do that?) Unfortunately, the issue of mailing lists comes up almost immediately. Even if we assume one cent per message, if I send a message to a popular list such as the RISKS-FORUM Digest, with a possible hundred thousand subscribers, am I charged a thousand dollars for that message? Is the list moderator charged?
In the case of RISKS, it is also redistributed by a number of sub-mailing lists: do those costs get charged to the accounts of the local administrators? The list moderator? Me?

(The obvious second question is: who *gets* the money? The Internet Engineering Task Force? Some bloated bureaucracy parcelling out the cash to the various national telecom carriers? Charity? Microsoft? The recipient? Hmmm. Maybe I should rethink my objection to the micropayment system. At one point I was getting 8,000 [yes, eight thousand] copies of spam from one system in China. Per hour. Same message.)

And, of course, in order to provide for such a micropayment system, everybody is going to have to use a Microsoft mailer. With a Microsoft payment system. And a Microsoft account. This sounds like an attempt to resurrect the (justly derided and roundly condemned) Passport and Palladium systems.

The challenge-response system is already being used by a number of outfits providing spam filtering and other services. It is a nuisance. It can create a great deal of annoyance in a number of situations, not least being mailing lists. It also doesn't work.

The most common challenge response systems present a graphical image of a word. This word is supposed to be entered in a field on a web page in order to create permission for the message to go through. People can read the word easily, but machines have difficulty with this type of task, so this makes it impossible for spammers to automate the sending of email: they have to read and respond to every challenge. That's the theory.

In fact, spammers have already been found to be "automating" the process--using Internet web surfers. A number of web pages have been set up promising access to pornography. In order to access the files, you have to respond to a challenge. The challenges are, of course, those that are being presented on the antispam filtering sites.
Those challenges are simply extracted, presented to the surfers wanting access to pornographic images, solved by the user, and the solution fed back to the antispam site.

The same problems apply to computational puzzles: they are simply another form of challenge-response.

In fact, most of these antispam technologies fail in the face of the problem of spam nets set up by viruses. Spam sent from infected machines could simply use the name of the owner, thus verifying the identity. Spam sent from infected machines could use the micropayment "wallet" on the infected machine, thus creating not only problems of clean-up for the owner, but also a real cost. Infected machines could be used to crack computational puzzles, or the owner could be presented with challenges to respond to, in a variety of ways.

Spam has passed the stage of being a nuisance. Email is a means of communication that is starting to rival the phone, and spam is seriously degrading the effectiveness and utility of email. Antispam measures are badly needed, but we cannot accept any proposed solution uncritically. Dividing the Internet into isolated camps of incompatible (and rival) antispam technologies takes us back to the early days of online systems, when lots of people had email, but nobody could talk to each other.

There is no easy fix, and there is no easy answer. Administrators have to ensure that they are not providing open relays that can be used for spam. Email filtering services are checking for inappropriate inbound email, but must also check what is going out. ISPs (Internet Service Providers) must be more vigilant in regard to the use being made of the net to which they provide access. Computer users at all levels have to check for malicious software, unpatched vulnerabilities, open ports and services, and what is going out of their systems as well as what is coming in. Everybody needs to become more aware of what is going on, and keep up with the changes in threats around us all.
And anyone who tells you it is not going to be painful is selling something.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@private slade@private rslade@private
The brain is a mass of cranial nerve tissue, most of it in mint condition. - Robert Half
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
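
The check the message describes for SPF, comparing the connecting IP address with what the claimed sender's domain says it sends from, is sketched below as an added example that is not part of the original post. It shows why mail relayed through a forwarding account can fail such a check even when it is genuine. The domains, addresses and records are constructed (documentation ranges), the records sit in a dict instead of DNS, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample data: published SPF TXT records, keyed by domain.
# Real deployments fetch these from DNS; a dict keeps the example offline.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "lenient.example": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(connecting_ip, envelope_from, records=SPF_RECORDS):
    """Evaluate the connecting IP against the envelope sender's SPF record.

    Handles only the ip4, ip6 and all mechanisms; anything else
    (include, a, mx, redirect ...) is skipped in this sketch.
    """
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched


def deliveries():
    """Three constructed deliveries as seen by the receiving filter."""
    return {
        # Sent straight from the domain's own outbound server.
        "direct": check_spf("192.0.2.10", "alice@sender.example"),
        # Same message relayed by a forwarding account: the filter now
        # sees the forwarder's IP, which the sender never listed.
        "forwarded": check_spf("203.0.113.7", "alice@sender.example"),
        # Forged sender address used from an unrelated machine.
        "spoofed": check_spf("203.0.113.99", "bob@lenient.example"),
    }
```
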