On 3/25/2014 11:18 PM, John Levine wrote:
3. Arguing about IPv6 in the context of requirements upon SMTP connections is playing that uncomfortable game with one's own combat boots. And not particularly productive.
If you can figure out how to do effective spam filtering without looking at the IP addresses from which mail arrives, you will be in a position to make a whole lot of money.
But, as always, I'm not holding my breath.
Is spam fighting really about SMTP? Or is it about abuse of the transport layer by (among other things) the SMTP?
--
Requiescas in pace o email
Ex turpi causa non oritur actio
Two identifying characteristics of System Administrators:
Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
On 3/26/2014 12:33 AM, Larry Sheldon wrote:
On 3/25/2014 11:18 PM, John Levine wrote:
3. Arguing about IPv6 in the context of requirements upon SMTP connections is playing that uncomfortable game with one's own combat boots. And not particularly productive.
If you can figure out how to do effective spam filtering without looking at the IP addresses from which mail arrives, you will be in a position to make a whole lot of money.
But, as always, I'm not holding my breath.
Is spam fighting really about SMTP? Or is it about abuse of the transport layer by (among other things) the SMTP?
Well, with current spam, the transport layer is irrelevant, given the proper phished credentials :(
Jeff
Is spam fighting really about SMTP? Or is it about abuse of the transport layer by (among other things) the SMTP?
I don't think that your typical spam recipient cares how the spam got into her inbox. Anyone who has any familiarity with large scale mail systems knows that the only way to have any hope of effective spam filtering, in any medium, is to combine all the clues you can get. For mail, the source of the message is a highly useful clue. R's, John
On March 25, 2014 at 23:33 LarrySheldon@cox.net (Larry Sheldon) wrote:
Is spam fighting really about SMTP? Or is it about abuse of the transport layer by (among other things) the SMTP?
That is the point, isn't it. Most see spam as its content. The real problem with spam is its volume. Without the volume (some bot operators probably send on the order of a billion messages per day) it wouldn't be much of a problem.

What makes that volume possible and pervasive is IP address mobility. Otherwise we'd just block the offending IPs and be done with it, to some extent -- I have a newer view on that but it'd be distracting.

What makes IP address mobility possible is mass, unauthorized if not simply illegal use of others' resources, such as with botnets or massive exploiting of holes in web hosting sites' software.

Fundamentally spam is a security issue. A spammer's stock in trade is the massive, free use of IP address and bandwidth resources. That the content is unwanted is almost incidental to this fact.

--
-Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On 3/26/2014 11:22 AM, Barry Shein wrote:
What makes IP address mobility possible is mass, unauthorized if not simply illegal use of others' resources, such as with botnets or massive exploiting of holes in web hosting sites' software.
Except that compromised personal computers are 'valid' by all normal metrics. An army of such machines provides a kind of address mobility that is not detected by any normal means.
Fundamentally spam is a security issue.
In the same way as burglary is a security issue, yeah. Which is to say that fundamentally, spam is a social issue, like any other crime.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
On March 26, 2014 at 20:21 dhc2@dcrocker.net (Dave Crocker) wrote:
On 3/26/2014 11:22 AM, Barry Shein wrote:
What makes IP address mobility possible is mass, unauthorized if not simply illegal use of others' resources, such as with botnets or massive exploiting of holes in web hosting sites' software.
Except that compromised personal computers are 'valid' by all normal metrics.
From the receiving or intermediary point of view, sure.
One would like to think that the owner of the transmitting host knows s/he didn't intend to send 15,000 herbal hair regrowth ads this morning if somehow it was pointed out to them and would probably be unhappy over it. So, illegal or at best unauthorized from the POV of the transmitter, owner or manager etc of the PC. I'm simply saying that spam would barely exist without these illegal (oh let's not split that hair) resources.
An army of such machines provides a kind of address mobility that is not detected by any normal means.
I agree. Perhaps a more global view might work but we don't have a way to implement that, or perhaps put better, the will to implement that. For example 1,000,000 systems sending out basically the same message (BUY HERBAL HAIR RE-GROWER!) would be suspicious particularly if the sending systems were scattered hither and yon.

And we do try to do this via blacklists but it's not quite enough mostly because it's after the fact, much of the damage has been done, the 1M msgs were sent and put into people's mailboxes already. And then the spammers change their footprint. Really not a very good method but we do what we can.
Fundamentally spam is a security issue.
In the same way as burglary is a security issue, yeah. Which is to say that fundamentally, spam is a social issue, like any other crime.
No, I really mean that without the illegal (let's not regrow that hair) resources the spammers are sunk, kaput, out of business. It's the only way they can operate in any effective manner. The only way.

There's more to this but foiling whatever it is that spammers use to build botnets and massively exploit for example web hosting software will tend to work. The list is pretty short as far as I can tell. Everything else, such as content analysis and blacklisting will tend to not work, or only so much, a never-ending battle.

Some will blanch at this but the entire spam problem basically arose from the crap security in Windows systems, particularly prior to maybe XP/SP2.

Not sure where all that leads us, however. Better security at those major exploitation points, in a nutshell.

And if someone disagrees then please tell me how spammers as we know them (and related miscreants) can operate without these few sources of purloined resources.

Preferably without a big hand-wave like "oh they'll just find something else!"

Maybe not!

--
-Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Barry Shein wrote the following on 3/26/2014 11:24 PM:
Some will blanch at this but the entire spam problem basically arose from the crap security in Windows systems, particularly prior to maybe XP/SP2.
Not sure where all that leads us, however. Better security at those major exploitation points, in a nutshell.
And if someone disagrees then please tell me how spammers as we know them (and related miscreants) can operate without these few sources of purloined resources.
Preferably without a big hand-wave like "oh they'll just find something else!"
Maybe not!
You're largely right. Botnets are a big source of spam. As a mail server operator, they're the biggest source that I see. They're also easy to block through a number of means (the ISPs they're located on often block port 25, PBL (or similar), rDNS, and other behavior). It sounds like it will likely be a similar matter of blocking residential botnet participants on IPv6 due to the fact that residential ISPs will likely apply similar port 25 policy to IPv6 as they do to IPv4 and no rDNS.

However, as more attention is being paid to securing these end stations, spammers are looking at alternative avenues. In recent years, they've been harvesting user credentials through various means and then exploiting these compromised accounts to send email through otherwise legitimate servers. These are the spam messages that are hard to block. And these may be the areas where reputation based services will not be able to keep up in an IPv6 landscape.

At least this concentrates the sources of spam (from my server's vantage point) and reduces the attack surface so that the problem is likely addressed more quickly and by someone with a higher level of knowledge than the average (unknowing) botnet participant. Unfortunately, I can't keep Suzie teenager or Joe grandpa from giving his or her password out to a phisher. Fortunately, I can place reasonable limits on their accounts and the number of messages they're allowed to send or the rate at which they're allowed to send messages. If everyone else would just do the same we'd be a lot better off against this kind of attack.

--Blake
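As an added illustration of the per-account submission limits Blake describes (this is example code written for this page, not code from the thread, from NANOG, or from any participant's mail system): a sliding-window limiter keyed on the authenticated account rather than on the source IP, so a phished account is throttled no matter where the spam run connects from. The policy numbers, the account names and the event log are all constructed for the example; real thresholds must be tuned to the actual user population. Over-limit submissions get a temporary "defer" (a 4xx to the client) so a legitimate MUA simply retries later while a spam run stalls; only an absurd recipient count on a single message is rejected outright.

```python
"""Per-account outbound submission rate limiter (constructed example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Hypothetical policy values (assumptions for this example, not from the thread).
PER_MINUTE = 20         # recipients an account may address in any rolling 60 s
PER_HOUR = 200          # recipients per rolling hour
MAX_RCPT_PER_MSG = 50   # hard cap on recipients for one submission


@dataclass
class SubmissionLimiter:
    """Sliding-window counter of accepted recipients per authenticated account."""
    per_minute: int = PER_MINUTE
    per_hour: int = PER_HOUR
    max_rcpt_per_msg: int = MAX_RCPT_PER_MSG
    # account -> deque of (timestamp, recipient_count) for accepted submissions
    history: Dict[str, Deque[Tuple[float, int]]] = field(default_factory=dict)

    @staticmethod
    def _window_total(q: Deque[Tuple[float, int]], now: float, seconds: float) -> int:
        return sum(n for t, n in q if now - t < seconds)

    def check(self, account: str, now: float, rcpt_count: int) -> str:
        """Return "accept", "defer" (temporary 4xx) or "reject" (permanent 5xx)."""
        if rcpt_count > self.max_rcpt_per_msg:
            return "reject"  # no ordinary submission client needs this many recipients
        q = self.history.setdefault(account, deque())
        # Forget entries older than the largest window so memory stays bounded.
        while q and now - q[0][0] >= 3600:
            q.popleft()
        if (self._window_total(q, now, 60) + rcpt_count > self.per_minute
                or self._window_total(q, now, 3600) + rcpt_count > self.per_hour):
            return "defer"   # deferred submissions are not counted; the client retries
        q.append((now, rcpt_count))
        return "accept"


def replay(limiter: SubmissionLimiter,
           events: List[Tuple[float, str, int]]) -> Dict[str, Dict[str, int]]:
    """Feed (timestamp, account, rcpt_count) events in time order; tally decisions."""
    summary: Dict[str, Dict[str, int]] = {}
    for t, account, rcpts in sorted(events):
        decision = limiter.check(account, t, rcpts)
        per_account = summary.setdefault(account, {})
        per_account[decision] = per_account.get(decision, 0) + 1
    return summary


def constructed_events() -> List[Tuple[float, str, int]]:
    """Constructed submission log: one normal user, one phished account, one bulk sender."""
    ev: List[Tuple[float, str, int]] = []
    # "joe": six single-recipient messages spread over fifty minutes
    ev.extend((i * 600.0, "joe", 1) for i in range(6))
    # "suzie": credentials phished; 150 messages of 10 recipients, one per second
    ev.extend((float(i), "suzie", 10) for i in range(150))
    # one oversized submission from the same compromised account
    ev.append((5.0, "suzie", 500))
    # "bulk": a 20-recipient message every minute; trips the hourly cap, not the minute cap
    ev.extend((i * 60.0, "bulk", 20) for i in range(20))
    return ev


def replay_constructed() -> Dict[str, Dict[str, int]]:
    return replay(SubmissionLimiter(), constructed_events())


if __name__ == "__main__":
    for account, tally in replay_constructed().items():
        print(account, tally)
```

Counting recipients rather than messages matters: a spam run with fifty recipients per message would otherwise look like a quiet account. The same structure works unchanged on IPv6 because nothing in it depends on the client address, which is the point Blake makes about reputation services losing ground there.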