Re: Spam (or, how to buy Cheap Korean Cellphones :-)

[Paul Robertson <proberts () patriot net>]

On Thu, 5 Feb 2004, Chris Blask wrote:

> <Paul, apparently, peers smugly back...:->

[IOW, nobody missed the first message, it didn't make the list due to an
attachment, I was hoping Chris would repost, but alas we pick up our story
one reply down the road- my fault for putting comments into a rejection
I suppose...]

> > > Last year I worked (again) at BorderWare* and ended up chairing JamSpam
> > > (from which nothing but the AMY triangle has come out of afaik, to my
> > > chagrin).  BW's VP of Eng (Rod Gilchrist, infinitely bright guy) and I gave
> > > it serious thought and wrote a whitepaper for a structure dubbed "cmail"
> > > (certified mail) which as far as I can tell was entirely too straight
> > > forward to gain any traction <the reader will please manually subtract any
> > > battle-borne irony - I'm too tired to try>.
> > >
> > > Simply put:
> > >
> > > Assign four classes of email cert.
> > > 1 - person
> > > 2 - list
> > > 3 - organization
> > > 4 - marketing entity
> > >
> > > 1 - free, anonymous (pass Turing test on cert site, can send to small
> > > number - say, 50-100)
> > > 2 - free or near free (send to appropriate number)
> > > 3 - appropriate cost (send to commercial volume - say 1,000 or more)
> > > 4 - appropriate cost. (if an org cannot afford, say, $10k for
> > > infrastructure they shouldn't be sending 1M email/day)
> >
> > I think cost-based e-mail is really, really, really bad- it makes it so that
> > only the organizations with money can talk.
>
> o  No per-pay for individuals - it's not e-stamps.  Any individual can get
> a cert for free, just need to insert a Turing test to keep the bots out.

Once a non-trivial number of people get certificates, then spammers just
need to compromise those boxes and take them.  This doesn't address that,
nor the hurdles of having people pass a turing test, nor supporting those
who don't understand the language it's written in...

> o  As far as orgs go, if the cost scaled properly it should be less than
> people spend on dealing with spam now, and a one-time cost (of course SPs
> could provide services to amortize this in with other regular services).

People don't line-item the time spent on spam, so it's *very* difficult to
justify the additional expense money- and then we have to deal with
expiry, revocation, and all the "hard stuff."  Worse-yet, you'd need one
for every Web server that originates mail, every mail server...

> o  Plain old free non-cmail does not go away, with cmail working.  Anyone
> wanting to not use certs at all can, still and always, use email and usual
> anti-spam filters inbound.  If their recipients expect their mail it can
> still be handled the normal way.

But every would have to do that- because if you're a business, you can't
reject mail from clients or potential clients, and suddenly the whole idea
turns into an implementation nightmare...

> o  I imagine that I'd setup my mail client to put all cmail in Inbox, all
> post-spam-filter non-cmail in a second and discard all spam.  That way
> anyone who wants to *know* that I'll get the mail will get a cert, and the
> rest I'll check as I can (until the volume of real non-cmail is so small
> that I don't have to bother).

Anything that increases the complexity of mail handling doesn't tend to
thrill me- I don't see how this differs much from TLS though.

> These are the kind of logistics worth discussing, though.
>
> > Now, if TruSecure had to *pay* line item costs for the lists we provide,
> > we'd provide no lists-
> > Firewall-Wizards puts out a bunch of messages a day, certainly enough that
> > if the bar was "get this certificate" the spammers would be looking for the
> > same CA level and just get multiples.
>
> o  I don't think line-item costs are what is needed - the fees as I see
> them are not to fund an infrastructure but to insert appropriate cost into
> email to separate spammer's out from real people/orgs.   Commercial Mailers
> like the DMA don't have a problem with cost-of-goods-sold, but it's arsenic
> to spammer.  One list-cert for TruSecure at nominal (how much does your
> email infrastructure cost?  Divide by, say, 20?  200?).  Costs would be
> enough to identify TruSecure as TruSecure and make TS want to be good and
> not have their cert revoked without needing to be punitive.

> o  The Commercial Mailer certs and Organizational certs could conceivably
> generate enough cash to fund the infrastructure (and the savings could
> cover anything extra - perhaps one of the few good place for a little gov't
> funding).

Suddenly we're taking the "anyone can create something wonderful and share
it with people, and turning it into "anyone who wants to communicate must
pay."  At that point, large companies become more empowered than
individuals to send e-mail- and I think that's a tragic shift that I do
not like- equating e-mail with money just seems so tragic- suddenly
hundreds of really good lists run by folks without means become either
gone or swallowed up by marketers, suddenly the e-mail budget at a lot of
companies goes to the marketing department...

> o  There are of course all the existing Bayesian yada yada anti-spam tools
> that will still exist - whatever the solution to spam - that can be used on
> top of it all.  DCC is particularly good at handling violations (at least
> last time I looked).
>
> > > Minor tweaks to mail server software would disallow cert-class violations
> > > in volume.  DCC is perfectly capable of detecting mass mailing and can
> > > support the infrastructure by detecting violations and leading to cert
> > > revocation.  Minor tweaks to mail client software to filter cmail and
> > > non-cmail makes it simple to filter at the client level.  If my grandmother
> > > could go to a site and get a cmail cert to fix spam then she would (she's
> > > 92, if you want a perfect example of a Consumer).
> >
> > It wouldn't fix it though- one of the spam houses would go buy a really big
> > certificate, then send out all the spam, or they'd get enough small
> > certificates that they could send out all the spam.
>
> o  If many-small-certs == significant time/cost to acquire then you have
> succeeded in inserting cost into the spammers' cycle.

One mass mailing worm could collect them, and how do you handle massive
revocation after-the-fact with consumers who will want to send mail?
Otherwise, DULs work just as well without the overhead or cost associated
with it- but again subject the service provider to rogue abuse.

> o  It would not be rocket science to setup a structure for buying
> Commercial Mailer certs that would make it expensive and difficult for
> spammer to get Commercial Mailer certs - particularly after their first is
> revoked.  The Direct Marketing Association folks were entirely on board
> with paying to de-classify themselves from spammer.
>
> Keep raising the objections!
>
> > Would AOL's certificate be a single one?  What then stops AOL's customers
> > from sending out 100 messages each?
>
> o  AOL corp could have a single one they use for their mass mailings, and
> perhaps all employee mail (or a generic Individual cert for employee traffic).

But then you don't stop spammers from compromising AOL customer machines
and mailing- the solution to spam must address compromised hosts- and I
don't think penalizing small and medium sized businesses for compromised
hosts after the fact helps anyone either.  Let alone the infrastructure
required for massive keychange and redistribution (and how do we
distribute those keys?  Certainly not inband...)

> o  Email providers could provide Individual certs to their paying
> customers, list hosting services could offer certs to their customers
> amortized in with usual costs.  In either case they are identified be
> definition because they are paying their bills.

Those with the money send the mails, and buy new certs from new providers?
Spammers make money- and they make enough on volume that this won't hurt
them.

> > > If I recall, revocation lists were the best reason given for not trying,
> > > but at the end of the day SPAM has gotta be an identity fix, so may as well
> > > meet it head on.  I read this as yet another data supporting my belief that
> > > cert folks have trouble recognizing Users when they see them.
> >
> > Without revocation, the first Exchange overflow would break the entire
> > process.
>
> o  Revocation is necessary, but throwing up the collective PKS hands isn't
> the way to address it.  Fix identity, fix spam.  A problem with efforts to
> fix identity, imho, is that folks try to boil the damn ocean when the task
> is to make a nice cup of tea,,,

This is where you're wrong, fixing identity *doesn't* fix spam!  You
assume that the person identified is the person sending the mail- we have
too many already ccmpromised boxes for *any* authentication scheme to
work- without any OS-based protections (MAC, RBAC...) there's no way to
protect the credential.

> Cert folks:  Revocation is a problem?  Fix it!!  Don't make me come down
> there and do it myself, I'll be so cross! ;-)

Mass revocation and redistribution sure is!

> > > Anyone else see - if in fact this is the right forum - any solution to
> > spam that doesn't involve fixing the identity problem?
>
> There's the actual question for the list:  If it ain't ID, what *is* the
> shape of the solution?

Fixing the compromised and copromisability of the boxes-

Spammers are going to the compromise and relay approach because the spam
from the business approach doesn't work-- you're proposing we allow them
to spam from a fixed spot if they pay- that just changes the ROI, not the
behaviour.

> "CanSpam!" is the best we can do?  Ha!  Where's the engineering fix!?!
>
> This is exactly the type of scenario I was talking about in the last
> thread.  All the Leaders in the world have Absolutely No Clue about even
> the *nature* of the spam problem, and virtually no hope of even seeing a
> glimmer of it's shape - except for US (the people who can read and discuss
> these things on a list like this - the Security Experts).
>
> We are not, I'm afraid to say, demonstrating great leadership as a group on
> this one...

We have bigger issues- spam isn't strictly speaking a security issue, it's
a cost issue, and a usability issue, but not strictly a security issue.
Stopping the copromises that create the vector for the spam problem is,
IMO significantly more important.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards