On Sat, 9 Dec 2000 00:22:39 -0800
Chuq Von Rospach <[EMAIL PROTECTED]> wrote:
> I'm beginning to think that mailback validation as an anti-spam
> technique has been beaten. Worse, I think there are now spam
> systems written that will beat them in an automated way.
I've written on this before to the Mailman lists. I have similar
suspicions. Like you, I have no smoking guns, but I have
suggestive evidence.
> I will say up front I don't have a smoking gun. If and when I find
> one, I'll say so. But I'm now beginning to think the spammers have
> figured out how to beat mailbacks.
It's hardly complex -- just look for key strings in messages coming
to an account, and then bounce back messages accordingly. Given
someone with minimal scripting knowledge, what, 30 minutes? Four
simple patterns will cover 95% of the lists out there.
> Someone we know runs a list on egroups. Twice today he was spammed
> by the porn spammers -- from subscribed accounts. This isn't the
> first time I've heard of this in the last few weeks, but he's
> someone I know runs a pretty clean ship. To get hit by two
> separate porn spammers on the same day, in independent attacks,
> that raises a real warning flag, because where the porn spammers
> innovate, everyone else follows.
Occam's razor indicates that this could be done equally well through
mail forgery of a blameless member.
> he now owns your list, at least until you figure out what's going
> on and nuke the subscribed address. But if you think about it,
> once that validation handshake is complete, there's never ANY
> further validation. So he can set up temporary shop, validate to
> his heart's content, and then later on, after all the temporary
> stuff is safely hidden away, spam from anywhere, safely. Because
> he knows the address that will get him on the list.
Bingo. This is one of the base reasons I now hand moderate my main
lists. I'm looking hard at going back to a posting_authority setup
(members prove themselves worthy of automatic posting (no moderator
overview)), but Mailman does not currently lend itself to that
model. Yet. (Using approved posted in Mailman is not sufficiently
maintainable)
> If this is true, and it's beginning to look like egroups is a
> target of one attack, and I've heard rumors of some mailman lists
> being hit as well, then lists that depend on mailback validation
> have a problem. And I think there's been a feeling that mailbacks
> are the one true way of validation to the point where there hasn't
> been much (if any) thought about improved techniques or
> alternatives.
When you get down to it this is a question of trust models, and is a
subset of the problem of reputational systems. It's a non-trivial
problem.
> I've felt for a while that the list community was way too
> comfortable with mailbacks as "safe and unbeatable". I'm now
> seeing what I think is evidence that this is no longer true. And
> I'm afraid that because we have sat back and not innovated here,
> we're going to end up behind the eight ball. And I don't see any
> easy answers if I'm right -- only that if I am wrong, I won't be
> wrong forever.
I'm at the point where I'm willing to lay money on your being not
only right, but being visibly demonstrated as right within the next
calendar year.
We have two problems:
1) Determining that a given member of a list is not a spammer.
2) Determining that a given post is not a SPAM.
The first can be largely addressed via putting in mechanisms where N
moderator approved posts are required before being granted posting
authority. It's a barrier to entry technique -- not secure, but
certainly not profitable for the spammer in terms of ROI. As a side
comment, this is one of the features I'd like to see rolled into the
next Mailman design we're discussing (given the model I'm musing, it
should be trivial).
The second is a horrible nasty problem in this age of mail forgery
and the ease of harvesting member addresses from lists (especially
once you are a subscriber). Given that a spammer can subscribe and
can then harvest addresses with (presumably) posting authority with
no more than a couple of hours' worth of scripting and a little time
waiting while his bot runs, the simple MESSAGE_FROM_XXX_IS_OKAY
metric is likely to last no longer.
So what's the final solution? I don't think there is an elegant
solution without involving presumed non-forgeable proofs of identity
(i.e. public key crypto). Doing that requires a broadscale PKI
structure (a horrible problem in and of itself), severe changes in
user habits, and a host of other invasive non-trivial changes. It's
going to happen, though. TLS/SMTP is just not enough.
--
J C Lawrence [EMAIL PROTECTED]
---------(*) : http://www.kanga.nu/~claw/
--=| A man is as sane as he is dangerous to his environment |=--
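As an added illustration (not code from the message above, and not Mailman's own code): a small Python model of the posting-authority gate J C Lawrence describes, where a member's posts are held for moderation until N of them have been approved, after which they bypass moderation. It also includes a revoke step for the "validate once, spam later" case Chuq raises, which returns the address to moderated status rather than unsubscribing it, since the From line may have been forged and the member may be blameless. The class, method names and the threshold are hypothetical, chosen for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Member:
    address: str
    approved_posts: int = 0
    posting_authority: bool = False


@dataclass
class PostingAuthorityList:
    """Hypothetical list model: mailback confirmation only subscribes;
    posting authority must be earned through N moderator-approved posts."""

    approvals_required: int = 3
    members: dict = field(default_factory=dict)
    # Held posts awaiting a moderator decision: message_id -> sender address
    moderation_queue: dict = field(default_factory=dict)

    def subscribe(self, address: str) -> None:
        # A confirmed subscription adds the member but grants no posting
        # authority; every post is moderated until the threshold is met.
        self.members[address.lower()] = Member(address.lower())

    def unsubscribe(self, address: str) -> None:
        self.members.pop(address.lower(), None)

    def receive(self, sender: str, message_id: str) -> str:
        """Decide what to do with an incoming post: reject, hold or accept."""
        member = self.members.get(sender.lower())
        if member is None:
            return "reject"  # non-member
        if member.posting_authority:
            return "accept"  # earned authority: no moderator overview
        self.moderation_queue[message_id] = member.address
        return "hold"

    def moderator_approve(self, message_id: str) -> str:
        sender = self.moderation_queue.pop(message_id, None)
        if sender is None:
            return "unknown"
        member = self.members.get(sender)
        if member is None:
            return "discard"  # unsubscribed while the post was held
        member.approved_posts += 1
        if member.approved_posts >= self.approvals_required:
            member.posting_authority = True
        return "accept"

    def moderator_reject(self, message_id: str) -> str:
        sender = self.moderation_queue.pop(message_id, None)
        if sender is None:
            return "unknown"
        member = self.members.get(sender)
        if member is not None:
            # A held post judged to be spam resets the member's progress.
            member.approved_posts = 0
        return "discard"

    def revoke(self, address: str) -> bool:
        """Spam arrived under an address holding posting authority.
        Drop it back to moderated status instead of removing the member,
        because the From line may be forged (see the discussion above)."""
        member = self.members.get(address.lower())
        if member is None:
            return False
        member.posting_authority = False
        member.approved_posts = 0
        return True


if __name__ == "__main__":
    # Constructed walk-through with a threshold of 2 approvals.
    lst = PostingAuthorityList(approvals_required=2)
    lst.subscribe("member@example.org")
    print(lst.receive("member@example.org", "m1"))   # hold
    print(lst.moderator_approve("m1"))               # accept
    print(lst.receive("member@example.org", "m2"))   # hold
    print(lst.moderator_approve("m2"))               # accept
    print(lst.receive("member@example.org", "m3"))   # accept
    lst.revoke("member@example.org")
    print(lst.receive("member@example.org", "m4"))   # hold
```

The design keeps the two problems from the message separate: subscription (problem 1) never implies authority, and authority (problem 2) is both earned and revocable, so a single spam from a validated address costs the spammer the whole investment of getting through moderation.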