Spam (or, how to buy Cheap Korean Cellphones :-)

[Chris Blask <blask () protegonetworks com>]

At 06:19 PM 2/5/2004 -0500, Paul opined, after dejpegging a part of Chris' 
mail that Chris missed, thus shaming him fatally:
> On 2004/02/05 17:55, "Chris Blask" <blask () protegonetworks com> wrote:
> > At 11:00 PM 2/5/2004 +0000, ÈÞ´ëÆù wrote:
> > > kvcgc l mclfn gbdxtrdevpkfa d xjwwwsmbn b eobfrynpheahnazunbwrj xzno 
> aob tksbtacwizdg

> > ...which brings up the topic of Spam...  <evil grin @ Paul>

<Paul, apparently, peers smugly back...:->

> > Last year I worked (again) at BorderWare* and ended up chairing JamSpam
> > (from which nothing but the AMY triangle has come out of afaik, to my
> > chagrin).  BW's VP of Eng (Rod Gilchrist, infinitely bright guy) and I gave
> > it serious thought and wrote a whitepaper for a structure dubbed "cmail"
> > (certified mail) which as far as I can tell was entirely too straight
> > forward to gain any traction <the reader will please manually subtract any
> > battle-borne irony - I'm too tired to try>.
> >
> > Simply put:
> >
> > Assign four classes of email cert.
> > 1 - person
> > 2 - list
> > 3 - organization
> > 4 - marketing entity
> >
> > 1 - free, anonymous (pass Turing test on cert site, can send to small
> > number - say, 50-100)
> > 2 - free or near free (send to appropriate number)
> > 3 - appropriate cost (send to commercial volume - say 1,000 or more)
> > 4 - appropriate cost. (if an org cannot afford, say, $10k for
> > infrastructure they shouldn't be sending 1M email/day)
>
> I think cost-based e-mail is really, really, really bad- it makes it so that
> only the organizations with money can talk.

o  No per-pay for individuals - it's not e-stamps.  Any individual can get 
a cert for free, just need to insert a Turing test to keep the bots out.

o  As far as orgs go, if the cost scaled properly it should be less than 
people spend on dealing with spam now, and a one-time cost (of course SPs 
could provide services to amortize this in with other regular services).

o  Plain old free non-cmail does not go away, with cmail working.  Anyone 
wanting to not use certs at all can, still and always, use email and usual 
anti-spam filters inbound.  If their recipients expect their mail it can 
still be handled the normal way.

o  I imagine that I'd setup my mail client to put all cmail in Inbox, all 
post-spam-filter non-cmail in a second and discard all spam.  That way 
anyone who wants to *know* that I'll get the mail will get a cert, and the 
rest I'll check as I can (until the volume of real non-cmail is so small 
that I don't have to bother).

These are the kind of logistics worth discussing, though.

> Now, if TruSecure had to *pay* line item costs for the lists we provide, 
> we'd provide no lists-
> Firewall-Wizards puts out a bunch of messages a day, certainly enough that
> if the bar was "get this certificate" the spammers would be looking for the
> same CA level and just get multiples.

o  I don't think line-item costs are what is needed - the fees as I see 
them are not to fund an infrastructure but to insert appropriate cost into 
email to separate spammer's out from real people/orgs.   Commercial Mailers 
like the DMA don't have a problem with cost-of-goods-sold, but it's arsenic 
to spammer.  One list-cert for TruSecure at nominal (how much does your 
email infrastructure cost?  Divide by, say, 20?  200?).  Costs would be 
enough to identify TruSecure as TruSecure and make TS want to be good and 
not have their cert revoked without needing to be punitive.

o  The Commercial Mailer certs and Organizational certs could conceivably 
generate enough cash to fund the infrastructure (and the savings could 
cover anything extra - perhaps one of the few good place for a little gov't 
funding).

o  There are of course all the existing Bayesian yada yada anti-spam tools 
that will still exist - whatever the solution to spam - that can be used on 
top of it all.  DCC is particularly good at handling violations (at least 
last time I looked).

> > Minor tweaks to mail server software would disallow cert-class violations
> > in volume.  DCC is perfectly capable of detecting mass mailing and can
> > support the infrastructure by detecting violations and leading to cert
> > revocation.  Minor tweaks to mail client software to filter cmail and
> > non-cmail makes it simple to filter at the client level.  If my grandmother
> > could go to a site and get a cmail cert to fix spam then she would (she's
> > 92, if you want a perfect example of a Consumer).
>
> It wouldn't fix it though- one of the spam houses would go buy a really big
> certificate, then send out all the spam, or they'd get enough small
> certificates that they could send out all the spam.

o  If many-small-certs == significant time/cost to acquire then you have 
succeeded in inserting cost into the spammers' cycle.

o  It would not be rocket science to setup a structure for buying 
Commercial Mailer certs that would make it expensive and difficult for 
spammer to get Commercial Mailer certs - particularly after their first is 
revoked.  The Direct Marketing Association folks were entirely on board 
with paying to de-classify themselves from spammer.

Keep raising the objections!

> Would AOL's certificate be a single one?  What then stops AOL's customers 
> from sending out 100 messages each?

o  AOL corp could have a single one they use for their mass mailings, and 
perhaps all employee mail (or a generic Individual cert for employee traffic).

o  Email providers could provide Individual certs to their paying 
customers, list hosting services could offer certs to their customers 
amortized in with usual costs.  In either case they are identified be 
definition because they are paying their bills.

> > If I recall, revocation lists were the best reason given for not trying,
> > but at the end of the day SPAM has gotta be an identity fix, so may as well
> > meet it head on.  I read this as yet another data supporting my belief that
> > cert folks have trouble recognizing Users when they see them.
>
> Without revocation, the first Exchange overflow would break the entire
> process.

o  Revocation is necessary, but throwing up the collective PKS hands isn't 
the way to address it.  Fix identity, fix spam.  A problem with efforts to 
fix identity, imho, is that folks try to boil the damn ocean when the task 
is to make a nice cup of tea,,,

Cert folks:  Revocation is a problem?  Fix it!!  Don't make me come down 
there and do it myself, I'll be so cross! ;-)

> > Anyone else see - if in fact this is the right forum - any solution to 
> spam that doesn't involve fixing the identity problem?

There's the actual question for the list:  If it ain't ID, what *is* the 
shape of the solution?


"CanSpam!" is the best we can do?  Ha!  Where's the engineering fix!?!

This is exactly the type of scenario I was talking about in the last 
thread.  All the Leaders in the world have Absolutely No Clue about even 
the *nature* of the spam problem, and virtually no hope of even seeing a 
glimmer of it's shape - except for US (the people who can read and discuss 
these things on a list like this - the Security Experts).

We are not, I'm afraid to say, demonstrating great leadership as a group on 
this one...

> > *  Well, BorderWare *is* a firewall company, and the SMTP product is 
> the MXtreme Mail *Firewall*, so I'm not completely out of decorum, here...

-cheers!

-chris 


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards