Stopping Spam

Posted by David MacQuigg on February 7, 2005, 12:26 am
Well folks, it's been over a year since I posted on this topic, and the
spam has definitely gotten worse. What's even more disturbing is that
the articles and discussions I'm seeing are terribly pessimistic.
Seems like nothing can be done about spam but work on better filters,
pass more laws, or try to convince our fellow netizens not to respond
to spam!

Nonsense. I'm now more convinced than ever that spam can be stopped
without any of the above. It can be stopped at the source, and
companies like AOL are doing it. We just need to get other ISPs to do
the same. Not all ISPs, just enough that there can be an effective
"network" of ISPs that don't allow outgoing spam. Others will then
decide if they want to clean up their domains and join the club, or
leave their systems insecure, and be blocked by anyone using a white
list. That may be a valid choice for a company that doesn't need to
send a lot of email outside its domain.

I've written an article on this topic, and I would like to get some
feedback from experts in computer security. I'm an electrical
engineer, not a computer professional, but I have a good book on
internet protocols, so this time I'm not going to be discouraged by
invalid technical objections. I'm also well aware that as a
non-expert, I may be missing something important, and I would like to
know that before submitting the article.

http://ece.arizona.edu/~edatools/etc/stopping_spam2.pdf

To summarize the article, in case you don't have time to read it:

1) It is possible to block emails with forged domain names, and there
are no significant technical barriers to doing this right now.

2) Having valid domain names will allow anti-spam companies like
SpamCop to replace their current unreliable IP blacklists with much
smaller and reliable lists of domains, rated as to their fraction of
spam.

3) A rating system based on domain names, not IP addresses, will allow
quick and effective filtering at the receiving end.

What can we do to raise awareness? Comments are welcome.

-- Dave
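
A sketch of points 2 and 3 of the summary above, added here as an illustration and not taken from the post or the linked article: a receiver-side check that rates authenticated sending domains by their fraction of reported spam. The thresholds, function names and `.example` domains are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed policy values for illustration; the post does not specify any.
REJECT_FRACTION = 0.50   # reject when at least half of rated mail was spam
TAG_FRACTION = 0.05      # tag for the recipient's own filter above this
MIN_MESSAGES = 100       # below this volume a rating is not trusted


@dataclass
class DomainRating:
    messages: int = 0    # authenticated messages seen from the domain
    spam: int = 0        # of those, messages reported as spam

    @property
    def fraction(self) -> float:
        return self.spam / self.messages if self.messages else 0.0


def build_ratings(reports):
    """Aggregate (domain, is_spam) reports into per-domain ratings."""
    ratings = {}
    for domain, is_spam in reports:
        rating = ratings.setdefault(domain.lower(), DomainRating())
        rating.messages += 1
        rating.spam += int(is_spam)
    return ratings


def verdict(ratings, domain, authenticated):
    """Decide what a receiving server does with one message."""
    if not authenticated:
        return "reject"              # forged or unverifiable domain name
    rating = ratings.get(domain.lower())
    if rating is None or rating.messages < MIN_MESSAGES:
        return "unrated"             # too little history to rate
    if rating.fraction >= REJECT_FRACTION:
        return "reject"
    if rating.fraction >= TAG_FRACTION:
        return "tag"
    return "accept"


# Constructed sample reports (not real data): (domain, reported-as-spam).
SAMPLE_REPORTS = (
    [("isp-a.example", False)] * 990 + [("isp-a.example", True)] * 10
    + [("isp-b.example", False)] * 180 + [("isp-b.example", True)] * 20
    + [("bulk.example", True)] * 450 + [("bulk.example", False)] * 50
    + [("new.example", False)] * 3
)
RATINGS = build_ratings(SAMPLE_REPORTS)
```

The "unrated" verdict is where the receiver's policy for domains with little or no history has to be decided; the rating list alone does not settle it.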



Posted by ThreeStar on February 7, 2005, 9:34 am
Source validation really isn't the issue. All that that will do is
drive the spammers to sign up for new, throwaway domains. We're
already seeing that happen.

The heart of spamming, what makes it work as a business proposition, is
volume. The ISPs are having some success in reducing spam by
disallowing large volumes from casual accounts. If you can work out a
white list of sites certified to control volumes, then you would be on
to something. Of course, you'd have to work out exceptions for "known"
high-volume mails. We probably don't want to block US-Cert bulletins!

David MacQuigg wrote:
> Well folks, it's been over a year since I posted on this topic, and the
> spam has definitely gotten worse. What's even more disturbing is that
> the articles and discussions I'm seeing are terribly pessimistic.
> Seems like nothing can be done about spam but work on better filters,
> pass more laws, or try to convince our fellow netizens not to respond
> to spam!
>
> Nonsense. I'm now more convinced than ever that spam can be stopped
> without any of the above. It can be stopped at the source, and
> companies like AOL are doing it. We just need to get other ISPs to do
> the same. Not all ISPs, just enough that there can be an effective
> "network" of ISPs that don't allow outgoing spam. Others will then
> decide if they want to clean up their domains and join the club, or
> leave their systems insecure, and be blocked by anyone using a white
> list. That may be a valid choice for a company that doesn't need to
> send a lot of email outside its domain.
>
> I've written an article on this topic, and I would like to get some
> feedback from experts in computer security. I'm an electrical
> engineer, not a computer professional, but I have a good book on
> internet protocols, so this time I'm not going to be discouraged by
> invalid technical objections. I'm also well aware that as a
> non-expert, I may be missing something important, and I would like to
> know that before submitting the article.
>
> http://ece.arizona.edu/~edatools/etc/stopping_spam2.pdf
>
> To summarize the article, in case you don't have time to read it:
>
> 1) It is possible to block emails with forged domain names, and there
> are no significant technical barriers to doing this right now.
>
> 2) Having valid domain names will allow anti-spam companies like
> SpamCop to replace their current unreliable IP blacklists with much
> smaller and reliable lists of domains, rated as to their fraction of
> spam.
>
> 3) A rating system based on domain names, not IP addresses, will allow
> quick and effective filtering at the receiving end.
>
> What can we do to raise awareness? Comments are welcome.
>
> -- Dave



Posted by on February 7, 2005, 1:36 pm
>Well folks, it's been over a year since I posted on this topic, and the
>spam has definitely gotten worse. What's even more disturbing is that
>the articles and discussions I'm seeing are terribly pessimistic.
>Seems like nothing can be done about spam but work on better filters,
>pass more laws, or try to convince our fellow netizens not to respond
>to spam!
>
>Nonsense. I'm now more convinced than ever that spam can be stopped
>without any of the above. It can be stopped at the source, and
>companies like AOL are doing it. We just need to get other ISPs to do
>the same. Not all ISPs, just enough that there can be an effective
>"network" of ISPs that don't allow outgoing spam. Others will then
>decide if they want to clean up their domains and join the club, or
>leave their systems insecure, and be blocked by anyone using a white
>list. That may be a valid choice for a company that doesn't need to
>send a lot of email outside its domain.
>
>I've written an article on this topic, and I would like to get some
>feedback from experts in computer security. I'm an electrical
>engineer, not a computer professional, but I have a good book on
>internet protocols, so this time I'm not going to be discouraged by
>invalid technical objections. I'm also well aware that as a
>non-expert, I may be missing something important, and I would like to
>know that before submitting the article.
>
>http://ece.arizona.edu/~edatools/etc/stopping_spam2.pdf
>
>To summarize the article, in case you don't have time to read it:
>
>1) It is possible to block emails with forged domain names, and there
>are no significant technical barriers to doing this right now.
>
>2) Having valid domain names will allow anti-spam companies like
>SpamCop to replace their current unreliable IP blacklists with much
>smaller and reliable lists of domains, rated as to their fraction of
>spam.
>
>3) A rating system based on domain names, not IP addresses, will allow
>quick and effective filtering at the receiving end.
>
>What can we do to raise awareness? Comments are welcome.
>

1) SPF just tackles the problem of forged addresses; it doesn't tackle SPAM.

2) As I read your proposal all mail would be channelled through "reputable"
mail senders. Hence the number of systems able to send through those systems
which are not under the direct control of the "reputable" mail sender will be
gigantic. (The infrastructure of the "reputable" sender's mail hubs will also
have to be gigantic but that's another issue.)
Any of the systems able to send mail through the "reputable" sender might of
course be a mail sending spam zombie.

(You explicitly state that: "This list would not even need to include most small
companies, since they most often use an email server provided by their ISP.
Even larger companies that operate their own internal email servers for reasons
of economy or security, often use the machines of a reputable ISP for "outside"
mail."
This isn't true. Most companies run their own mail infrastructure - mailhubs,
and mail stores.
So, unless you forced everyone to go through a small list of "reputable" mail
servers you would with today's mail infrastructure have a very large list of
valid mail sending domains.)


How many spam mails inadvertently passed on by the "reputable" mail sender
would it take for that "reputable" mailer's domain to be blacklisted - thereby
blocking all the users of that "reputable" mail sender from sending mail?

(Note. If you could get all mail to be sent via Organisation's central mailhubs
rather than users being able to send mail directly from their clients then your
list of domains would be identical to a list of the ip addresses of those
central mailhubs. And of course those IP addresses would then appear on
already existing reputable spam blacklists and anyone using those lists would
therefore be blocking the whole domain.)


3) How are your "reputable" mail senders supposed to distinguish between spam
and non-spam mail?
If they use filters then those will only be partially effective.
One person's spam is another person's important mail message.
This is why anti-spam filter software is usually just applied to mail being
delivered rather than to mail being sent.
For mail being delivered you can tag the mail and then deliver it or
quarantine it - so that the recipient can then decide what to do with it.
You can also allow users to set up their own white/allow lists to say that
they definitely want to receive mail from certain addresses even if it does
look like spam.

A "reputable" mail sender who automatically deletes mail which is being
sent just because a filter it is running thinks it is spam runs a severe risk
of being sued.





David Webb
Security team leader
CCSS
Middlesex University




>-- Dave
>


Posted by Colin B. on February 7, 2005, 4:42 pm
(snip)

> Nonsense. I'm now more convinced than ever that spam can be stopped
> without any of the above. It can be stopped at the source, and
> companies like AOL are doing it. We just need to get other ISPs to do
> the same. Not all ISPs, just enough that there can be an effective
> "network" of ISPs that don't allow outgoing spam. Others will then
> decide if they want to clean up their domains and join the club, or
> leave their systems insecure, and be blocked by anyone using a white
> list. That may be a valid choice for a company that doesn't need to
> send a lot of email outside its domain.

Stopping mail from forged domains won't help much. People will just register
dozens of domain names, and spam ("legitimately") from them. Blocking these
domains won't work, because it's a nearly infinite pool of moving targets.
Whitelisting and blocking everyone else isn't much of a solution for most
of us--there is too much mail coming from different sources to avoid killing
something. Besides, I don't WANT to have to authenticate every mail domain
that sends me something, before I can get their email.

The mistake that you're making is trying to eliminate spam with a technical
solution, when it's fundamentally a social problem. You can't completely
eliminate street crime by giving the police better helicopters, and you can't
stop spammers by building better software. Whitelists, blacklists, filters,
milters, and so forth just lead to an arms race, with no end.

The way to stop spam is to make the rewards less than the risks. The way to
do that is to invoke EXISTING laws against the crimes that are being
committed via spam, rather than the spam itself.

Generic viagra? Either false advertising, fraud, or patent infringement.
Same for rolex replicas, anti-depressants, and most other merchandise. In
fact, find me spam that isn't fraudulent, and I'll be amazed.

Then there's the question of money--where is it going? Spam is big enough
business now that it's either being controlled or 'protected' by organised
crime, which invokes another set of laws.

If we start legally censuring companies that deal with spammers and tossing
spammers in jail for decades, then the increased risks and reduced rewards
will drive the business into extinction. (Although the time to do this would
have been a decade ago, rather than now.) Fighting spammers with technology
will provide an endless string of stop-gaps which will be beaten and revised
endlessly.

Colin


Posted by Michael J. Pelletier on February 7, 2005, 9:39 pm
David MacQuigg wrote:

> Well folks, it's been over a year since I posted on this topic, and the
> spam has definitely gotten worse. What's even more disturbing is that
> the articles and discussions I'm seeing are terribly pessimistic.
> Seems like nothing can be done about spam but work on better filters,
> pass more laws, or try to convince our fellow netizens not to respond
> to spam!
>
> Nonsense. I'm now more convinced than ever that spam can be stopped
> without any of the above. It can be stopped at the source, and
> companies like AOL are doing it. We just need to get other ISPs to do
> the same. Not all ISPs, just enough that there can be an effective
> "network" of ISPs that don't allow outgoing spam. Others will then
> decide if they want to clean up their domains and join the club, or
> leave their systems insecure, and be blocked by anyone using a white
> list. That may be a valid choice for a company that doesn't need to
> send a lot of email outside its domain.
>
> I've written an article on this topic, and I would like to get some
> feedback from experts in computer security. I'm an electrical
> engineer, not a computer professional, but I have a good book on
> internet protocols, so this time I'm not going to be discouraged by
> invalid technical objections. I'm also well aware that as a
> non-expert, I may be missing something important, and I would like to
> know that before submitting the article.
>
> http://ece.arizona.edu/~edatools/etc/stopping_spam2.pdf
>
> To summarize the article, in case you don't have time to read it:
>
> 1) It is possible to block emails with forged domain names, and there
> are no significant technical barriers to doing this right now.
>
> 2) Having valid domain names will allow anti-spam companies like
> SpamCop to replace their current unreliable IP blacklists with much
> smaller and reliable lists of domains, rated as to their fraction of
> spam.
>
> 3) A rating system based on domain names, not IP addresses, will allow
> quick and effective filtering at the receiving end.
>
> What can we do to raise awareness? Comments are welcome.
>
> -- Dave


You forgot the most basic and important thing WE ALL CAN do to help each
other out: Report SPAM via DNS blacklists.

The past two years I have been running my own email servers from my house. I
use Spamassassin + Razor + Antivirus + MIMEDefang and DNS Blacklists on a
sendmail server. I get an average of 97% to 98% kill rate. Now, if you
look at my email address here it is real. I do not hide my email address. I
am on 20+ mail groups and I post on-and-off to 7 or 8 news groups and NEVER
hide anything.

But here is the difference, I REPORT SPAM (even the spam filtered by
spamassassin). I am amazed at how many people complain about SPAM but do
little to help out! If you run/manage/own a mail server sign up for a DNS
blacklist account and report the SPAM. If we all did this WE would reduce
it significantly.

Think about it. When you report SPAM via a DNS blacklist you help out
everyone who uses the DNS blacklist: Worldwide.

Michael

