nanog mailing list archives

Re: botted hosts


From: Dean Anderson <dean () av8 com>
Date: Mon, 4 Apr 2005 16:12:51 -0400 (EDT)


On Sun, 3 Apr 2005, Dave Rand wrote:

> [In the message entitled "botted hosts" on Apr  3, 19:13, Petri Helenius writes:]
>
> > I run some summaries about spam-sources by country, AS and containing
> > BGP route.
> > These are from a smallish set of servers, the whole of March aggregated.
> > Percentage indicates incidents out of total.
> > Conclusion is that blocking 25 inbound from a handful of prefixes would
> > stop >10% of spam.
>
> This would be correct.  In the bigger perspective, blocking port 25 on all
> ISP's consumer circuits would currently stop over 99% of the spam.  Yes,
> spammers would adjust to this over time.  It is still a great idea to block
> port 25 by default, and unblock it on customer request.

It would probably stop 99% of ALL email, too.  What, your customers don't
have email servers? But __you__ have an email server.  Unblocking on
customer request is an expensive operation, for both the ISP and the
customer.

> That means that if just the ISPs that we have identified as having
> "dynamically assigned" addresses were to install port 25 blocking, more than
> 1/3 of the spam would vanish.

Err, not likely. SPF came out, and now bots can find the ISPs "closed
relays" with very little trouble at all.  (Funny coincidence that SPF
should come out just as the open relay blacklists are mostly closing down)  
But even without SPF, if it was really made necessary, without doubt
abusers would include code to figure out the config files for the roughly
1000+ email clients out there. Or perhaps, bots would start to sniff
packets looking for an outgoing SMTP connection by an authorized user.

For many years I've told people (but they never seem to listen):  
__Everyone__ is authorized to send email, and to have relay services,
right up until their access is terminated.  Bots can use that.  Schemes
for blocking port 25 assume that bots aren't upgradeable. And they
frequently assume that network operations changes are free---Comcast
reported that it would cost $58 million to implement port 25 blocking and
notify customers, just for Comcast.

On a deeper level, I discovered (it's not at proof level, but probably at
'strong conjecture' level) that results from information theory show that
spam cannot be stopped technically. I'll write it up a bit more formally,
and post a link.  (And I'll see if I can carry it out to a proof) To
summarize, I show that spam is equivalent to a covert/sneaky channel [or
rather, "sneaky channel" in the network literature and other names in
other areas of literature--e.g. "covert channel" is usually specific to
multi-user OS analysis, but the concepts are the same]. Then I show that
since one can't prove an information system is free of covert/sneaky
channels, it can't be proven free of spam either.  And the conclusion is
that a technical solution to spam doesn't exist.  Yes, there are things
that can still be done---one can continue to play whack-a-mole, but it
never gets better than whack-a-mole.  There are still technical methods
that aren't fully exploited (text analysis for intent, bayesian, etc) but
for each of these things, there are countermeasures that the abuser can do
to fool them.  If you want to talk information theory and spam, contact me
off-list.

                --Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
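The per-AS and per-containing-route spam summary that Petri describes at the top of the thread, and the "a handful of prefixes covers >10%" conclusion drawn from it, can be reproduced with a small aggregation script. The following is an added example written for this archive page; it is not code from any poster in the thread. It assumes a constructed incident list (documentation-range IPs and documentation ASNs, not real measurements), a constructed routing table used for longest-prefix lookup of the containing route, and the function names `parse_incidents`, `containing_route`, `summarize` and `top_prefix_share`, all of which are this example's own.

```python
import ipaddress
from collections import Counter

# Constructed sample of spam incidents, one per line: "source-ip origin-AS".
# Addresses are from RFC 5737 documentation ranges and ASNs from the
# documentation range; none of this is real measurement data.
SAMPLE_INCIDENTS = """\
203.0.113.17 64496
203.0.113.42 64496
203.0.113.99 64496
198.51.100.5 64497
198.51.100.6 64497
192.0.2.10 64498
192.0.2.200 64498
192.0.2.250 64499
198.51.100.77 64497
203.0.113.200 64496
"""

# Constructed routing table standing in for the "containing BGP route" lookup.
# A /24 and a more specific /25 overlap on purpose so longest-match matters.
SAMPLE_ROUTES = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "198.51.100.0/24",
    "192.0.2.0/25",
    "192.0.2.0/24",
]


def parse_incidents(text):
    """Return a list of (ip_address, asn) tuples, skipping blank lines."""
    incidents = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip_str, asn = line.split()
        incidents.append((ipaddress.ip_address(ip_str), int(asn)))
    return incidents


def containing_route(ip, routes):
    """Longest-prefix match: the most specific route containing ip, else None."""
    best = None
    for route in routes:
        net = ipaddress.ip_network(route)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def summarize(incidents, routes):
    """Count incidents per origin AS and per containing route, with percentages."""
    total = len(incidents)
    by_as = Counter()
    by_route = Counter()
    for ip, asn in incidents:
        by_as[asn] += 1
        route = containing_route(ip, routes)
        by_route[str(route) if route is not None else "unrouted"] += 1

    def with_pct(counter):
        if total == 0:
            return {}
        return {key: (n, round(100.0 * n / total, 1)) for key, n in counter.items()}

    return {"total": total, "by_as": with_pct(by_as), "by_route": with_pct(by_route)}


def top_prefix_share(incidents, routes, n):
    """Cumulative percentage of incidents covered by the n busiest routes."""
    summary = summarize(incidents, routes)
    if summary["total"] == 0:
        return 0.0
    counts = Counter({k: v[0] for k, v in summary["by_route"].items()})
    covered = sum(count for _, count in counts.most_common(n))
    return round(100.0 * covered / summary["total"], 1)


if __name__ == "__main__":
    incidents = parse_incidents(SAMPLE_INCIDENTS)
    summary = summarize(incidents, SAMPLE_ROUTES)
    for route, (count, pct) in sorted(summary["by_route"].items(), key=lambda kv: -kv[1][0]):
        print(f"{route:18} {count:3d}  {pct:5.1f}%")
    print("top 2 routes cover", top_prefix_share(incidents, SAMPLE_ROUTES, 2), "% of incidents")
```

On real data the incident list would come from a mail server's rejection or spam-classification log and the routing table from a BGP feed; the longest-match step is what turns a bare source address into the "containing BGP route" column. The `top_prefix_share` figure is the quantity behind the claim that a handful of prefixes account for a fixed share of incidents, and is the number to recompute after any blocking change to see whether the share simply moved elsewhere.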