Firewall Wizards mailing list archives
Re: Spam (or, how to buy Cheap Korean Cellphones :-)
From: Paul Robertson <proberts () patriot net>
Date: Thu, 5 Feb 2004 21:58:36 -0500 (EST)
On Thu, 5 Feb 2004, Chris Blask wrote:
<Paul, apparently, peers smugly back...:->
[IOW, nobody missed the first message, it didn't make the list due to an attachment, I was hoping Chris would repost, but alas we pick up our story one reply down the road- my fault for putting comments into a rejection I suppose...]
Last year I worked (again) at BorderWare* and ended up chairing JamSpam (from which nothing but the AMY triangle has come out of afaik, to my chagrin). BW's VP of Eng (Rod Gilchrist, infinitely bright guy) and I gave it serious thought and wrote a whitepaper for a structure dubbed "cmail" (certified mail) which as far as I can tell was entirely too straight forward to gain any traction <the reader will please manually subtract any battle-borne irony - I'm too tired to try>. Simply put: Assign four classes of email cert. 1 - person 2 - list 3 - organization 4 - marketing entity 1 - free, anonymous (pass Turing test on cert site, can send to small number - say, 50-100) 2 - free or near free (send to appropriate number) 3 - appropriate cost (send to commercial volume - say 1,000 or more) 4 - appropriate cost. (if an org cannot afford, say, $10k for infrastructure they shouldn't be sending 1M email/day)I think cost-based e-mail is really, really, really bad- it makes it so that only the organizations with money can talk.o No per-pay for individuals - it's not e-stamps. Any individual can get a cert for free, just need to insert a Turing test to keep the bots out.
Once a non-trivial number of people get certificates, then spammers just need to compromise those boxes and take them. This doesn't address that, nor the hurdles of having people pass a turing test, nor supporting those who don't understand the language it's written in...
o As far as orgs go, if the cost scaled properly it should be less than people spend on dealing with spam now, and a one-time cost (of course SPs could provide services to amortize this in with other regular services).
People don't line-item the time spent on spam, so it's *very* difficult to justify the additional expense money- and then we have to deal with expiry, revocation, and all the "hard stuff." Worse-yet, you'd need one for every Web server that originates mail, every mail server...
o Plain old free non-cmail does not go away, with cmail working. Anyone wanting to not use certs at all can, still and always, use email and usual anti-spam filters inbound. If their recipients expect their mail it can still be handled the normal way.
But every would have to do that- because if you're a business, you can't reject mail from clients or potential clients, and suddenly the whole idea turns into an implementation nightmare...
o I imagine that I'd setup my mail client to put all cmail in Inbox, all post-spam-filter non-cmail in a second and discard all spam. That way anyone who wants to *know* that I'll get the mail will get a cert, and the rest I'll check as I can (until the volume of real non-cmail is so small that I don't have to bother).
Anything that increases the complexity of mail handling doesn't tend to thrill me- I don't see how this differs much from TLS though.
These are the kind of logistics worth discussing, though.Now, if TruSecure had to *pay* line item costs for the lists we provide, we'd provide no lists- Firewall-Wizards puts out a bunch of messages a day, certainly enough that if the bar was "get this certificate" the spammers would be looking for the same CA level and just get multiples.o I don't think line-item costs are what is needed - the fees as I see them are not to fund an infrastructure but to insert appropriate cost into email to separate spammer's out from real people/orgs. Commercial Mailers like the DMA don't have a problem with cost-of-goods-sold, but it's arsenic to spammer. One list-cert for TruSecure at nominal (how much does your email infrastructure cost? Divide by, say, 20? 200?). Costs would be enough to identify TruSecure as TruSecure and make TS want to be good and not have their cert revoked without needing to be punitive.
o The Commercial Mailer certs and Organizational certs could conceivably generate enough cash to fund the infrastructure (and the savings could cover anything extra - perhaps one of the few good place for a little gov't funding).
Suddenly we're taking the "anyone can create something wonderful and share it with people, and turning it into "anyone who wants to communicate must pay." At that point, large companies become more empowered than individuals to send e-mail- and I think that's a tragic shift that I do not like- equating e-mail with money just seems so tragic- suddenly hundreds of really good lists run by folks without means become either gone or swallowed up by marketers, suddenly the e-mail budget at a lot of companies goes to the marketing department...
o There are of course all the existing Bayesian yada yada anti-spam tools that will still exist - whatever the solution to spam - that can be used on top of it all. DCC is particularly good at handling violations (at least last time I looked).Minor tweaks to mail server software would disallow cert-class violations in volume. DCC is perfectly capable of detecting mass mailing and can support the infrastructure by detecting violations and leading to cert revocation. Minor tweaks to mail client software to filter cmail and non-cmail makes it simple to filter at the client level. If my grandmother could go to a site and get a cmail cert to fix spam then she would (she's 92, if you want a perfect example of a Consumer).It wouldn't fix it though- one of the spam houses would go buy a really big certificate, then send out all the spam, or they'd get enough small certificates that they could send out all the spam.o If many-small-certs == significant time/cost to acquire then you have succeeded in inserting cost into the spammers' cycle.
One mass mailing worm could collect them, and how do you handle massive revocation after-the-fact with consumers who will want to send mail? Otherwise, DULs work just as well without the overhead or cost associated with it- but again subject the service provider to rogue abuse.
o It would not be rocket science to setup a structure for buying Commercial Mailer certs that would make it expensive and difficult for spammer to get Commercial Mailer certs - particularly after their first is revoked. The Direct Marketing Association folks were entirely on board with paying to de-classify themselves from spammer. Keep raising the objections!Would AOL's certificate be a single one? What then stops AOL's customers from sending out 100 messages each?o AOL corp could have a single one they use for their mass mailings, and perhaps all employee mail (or a generic Individual cert for employee traffic).
But then you don't stop spammers from compromising AOL customer machines and mailing- the solution to spam must address compromised hosts- and I don't think penalizing small and medium sized businesses for compromised hosts after the fact helps anyone either. Let alone the infrastructure required for massive keychange and redistribution (and how do we distribute those keys? Certainly not inband...)
o Email providers could provide Individual certs to their paying customers, list hosting services could offer certs to their customers amortized in with usual costs. In either case they are identified be definition because they are paying their bills.
Those with the money send the mails, and buy new certs from new providers? Spammers make money- and they make enough on volume that this won't hurt them.
If I recall, revocation lists were the best reason given for not trying, but at the end of the day SPAM has gotta be an identity fix, so may as well meet it head on. I read this as yet another data supporting my belief that cert folks have trouble recognizing Users when they see them.Without revocation, the first Exchange overflow would break the entire process.o Revocation is necessary, but throwing up the collective PKS hands isn't the way to address it. Fix identity, fix spam. A problem with efforts to fix identity, imho, is that folks try to boil the damn ocean when the task is to make a nice cup of tea,,,
This is where you're wrong, fixing identity *doesn't* fix spam! You assume that the person identified is the person sending the mail- we have too many already ccmpromised boxes for *any* authentication scheme to work- without any OS-based protections (MAC, RBAC...) there's no way to protect the credential.
Cert folks: Revocation is a problem? Fix it!! Don't make me come down there and do it myself, I'll be so cross! ;-)
Mass revocation and redistribution sure is!
Anyone else see - if in fact this is the right forum - any solution tospam that doesn't involve fixing the identity problem?There's the actual question for the list: If it ain't ID, what *is* the shape of the solution?
Fixing the compromised and copromisability of the boxes- Spammers are going to the compromise and relay approach because the spam from the business approach doesn't work-- you're proposing we allow them to spam from a fixed spot if they pay- that just changes the ROI, not the behaviour.
"CanSpam!" is the best we can do? Ha! Where's the engineering fix!?! This is exactly the type of scenario I was talking about in the last thread. All the Leaders in the world have Absolutely No Clue about even the *nature* of the spam problem, and virtually no hope of even seeing a glimmer of it's shape - except for US (the people who can read and discuss these things on a list like this - the Security Experts). We are not, I'm afraid to say, demonstrating great leadership as a group on this one...
We have bigger issues- spam isn't strictly speaking a security issue, it's a cost issue, and a usability issue, but not strictly a security issue. Stopping the copromises that create the vector for the spam problem is, IMO significantly more important. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Spam (or, how to buy Cheap Korean Cellphones :-) Chris Blask (Feb 05)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Paul Robertson (Feb 05)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Joseph S D Yao (Feb 06)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Rod Gilchrist (Feb 06)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Joseph S D Yao (Feb 07)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Rod Gilchrist (Feb 07)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Paul Robertson (Feb 07)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Rod Gilchrist (Feb 07)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Paul Robertson (Feb 07)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Joseph S D Yao (Feb 07)
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Paul Robertson (Feb 05)
- <Possible follow-ups>
- Re: Spam (or, how to buy Cheap Korean Cellphones :-) Chris Blask (Feb 06)