funsec mailing list archives

Re: Public Policy and Consumer ISP Hygiene(was Comcastpop-ups)


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 20 Oct 2009 11:09:06 +1300

Larry Seltzer to Rich Kulawiec:

>> All such [sender-authentication] systems have *already* been defeated
>> by The Bad Guys....
>
> When was DKIM defeated? It's more fair to say that it never was, and
> never will be widely implemented enough to be effective. And by design
> it can only be effective in conjunction with reputation and
> accreditation services.

DKIM, just like SPF and the MS twist on it, were _designed defeated_.

They were not actually designed to do what their early proponents said
-- or at least initially strongly hinted/suggested --  they would do.  
They "authenticate" the connection, not the sender.

Worst case, such "solutions" to spam turned spam-bots into even more 
valuable commodities than they already were.  With a few lines of 
extra code, the spambot developers have done/will do (depending on 
if/when DKIM, SPF, etc actually impact the spammers' business success) 
one or more of the following:

1.  Spamming only/mainly from bots in "good reputation" networks.

2.  Spamming only/mainly from bots in "networks too big to be blocked 
by many".  Yes, a few of the extreme anti-spam bigots will block 
live.com, Yahoo, GMail, etc, but no-one with serious numbers of Email 
clients making or spending money online will do this.

3.  Spamming only/mainly from bots within one network/using one service 
provider to recipients (apparently) in the same network/using the same 
SP.  Do you really think that live.com, Yahoo, GMail, etc will block 
mail purely between users of their service based on some external view 
of the reputation of their service?

Add the multiplier effect of endless accounts on any and all large 
Email service provider systems through sweatshop and bot-automated 
CAPTCHA-cracking and account creation and it just gets worse and worse.

The root cause of the problem with "sender-authentication" anti-spam 
solutions?

Enough of the Email-sending client-base must be assumed to be 
compromised at the level that appearing to be any "legitimate" user of 
a client network connection is trivial for the bad guys.  Any anti-spam 
solution that does not factor that into its calculations is broken by 
design.  SPF, DKIM, etc are _all_ such flawed designs.

The only interesting question in all this is how wilful were the 
designers of these reputed anti-spam systems in ignoring the above self-
evident truth when they designed, and more importantly, touted, their 
worthless (in the big-picture sense -- in the "accruing Internet cred 
and/or moolah" stakes, quite the opposite) "solutions"?

Oh, and I guess another interesting question is why haven't the few 
clueful tech-journos picked up on this?



Regards,

Nick FitzGerald


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
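An added illustration of the point made above about SPF and DKIM authenticating the connection (the sending netblock and the signing domain) rather than the person. This is example code written for this page, not code from the post or from any SPF/DKIM implementation. The provider name bigmail.example, its netblocks, its outbound relay address, the account names and the signing key are all constructed; the SPF evaluator handles only ip4/ip6 mechanisms and the "all" terminator, and the DKIM step is an HMAC stand-in for a real RSA/ed25519 signature over canonicalized headers.

```python
"""Added example: why connection/domain authentication cannot tell a
legitimate account holder from a bot that holds an account on, or sits
inside, the same provider.  All names, addresses and keys below are
constructed for the example."""
import hashlib
import hmac
import ipaddress

# Constructed SPF record.  Real records also use a:/mx:/include:
# mechanisms, which this toy evaluator does not implement.
SPF_RECORDS = {
    "bigmail.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
}

# Constructed signing key; stand-in for the provider's DKIM private key.
SIGNING_KEYS = {"bigmail.example": b"provider-private-key-stand-in"}

# Constructed address of the provider's outbound relay.
PROVIDER_RELAY_IP = "203.0.113.10"


def spf_check(domain, client_ip):
    """Return 'pass', 'fail', 'neutral' or 'none' for client_ip sending
    with an envelope-from in domain.  Only the connecting IP is examined;
    nothing about the human (or bot) behind it is."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" tag
        if term == "-all":
            return "fail"
        if term in ("all", "+all"):
            return "pass"
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return "pass"
    return "neutral"


def dkim_sign(domain, headers):
    """HMAC stand-in for a DKIM signature: proves the provider's relay
    handled the message, not that the account holder is honest."""
    canon = "\r\n".join(f"{k.lower()}:{v.strip()}"
                        for k, v in sorted(headers.items()))
    return hmac.new(SIGNING_KEYS[domain], canon.encode(),
                    hashlib.sha256).hexdigest()


def dkim_verify(domain, headers, signature):
    return hmac.compare_digest(dkim_sign(domain, headers), signature)


def relay_through_provider(domain, headers):
    """What the receiving MTA sees when any account holder submits via
    the provider's submission server: the provider's outbound IP and a
    provider signature, whether the account is real or bot-created."""
    return PROVIDER_RELAY_IP, headers, dkim_sign(domain, headers)


def receiver_verdict(mail_from_domain, client_ip, headers, signature):
    spf = spf_check(mail_from_domain, client_ip)
    dkim = signature is not None and dkim_verify(mail_from_domain,
                                                  headers, signature)
    return {"spf": spf, "dkim": dkim}


def run_scenarios():
    domain = "bigmail.example"
    legit = {"From": "alice@bigmail.example", "Subject": "lunch?"}
    spam = {"From": "acct-4711@bigmail.example", "Subject": "cheap pills"}
    results = {}
    # 1. Direct spoof from an unrelated netblock: the case these schemes
    #    were sold as catching.  Receiver sees a failing SPF, no signature.
    results["direct_spoof"] = receiver_verdict(domain, "198.51.100.7",
                                               spam, None)
    # 2. Real user submitting through the provider.
    ip, hdrs, sig = relay_through_provider(domain, legit)
    results["legit_user"] = receiver_verdict(domain, ip, hdrs, sig)
    # 3. Bot with a CAPTCHA-cracked / auto-created account on the same
    #    provider.  Indistinguishable from case 2 at the receiver.
    ip, hdrs, sig = relay_through_provider(domain, spam)
    results["bot_account"] = receiver_verdict(domain, ip, hdrs, sig)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:13s} spf={verdict['spf']:7s} dkim={verdict['dkim']}")
```

The direct spoof fails both checks; the bot-created account and the legitimate account produce identical pass verdicts, so the receiver is left with nothing but the reputation of bigmail.example as a whole, which is the "too big to block" situation described in the post.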

