funsec mailing list archives
Re: Public Policy and Consumer ISP Hygiene(was Comcastpop-ups)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 20 Oct 2009 11:09:06 +1300
Larry Seltzer to Rich Kulawiec:
> > All such [sender-authentication] systems have *already* been defeated
> > by The Bad Guys....
>
> When was DKIM defeated? It's more fair to say that it never was, and never
> will be widely implemented enough to be effective. And by design it can
> only be effective in conjunction with reputation and accreditation
> services.
DKIM, just like SPF and the MS twist on it, were _designed defeated_. They were not actually designed to do what their early proponents said -- or at least initially strongly hinted/suggested -- they would do. They "authenticate" the connection, not the sender.

Worst case, such "solutions" to spam turned spam-bots into even more valuable commodities than they already were. With a few lines of extra code, the spambot developers have done/will do (depending on if/when DKIM, SPF, etc actually impact the spammers' business success) one or more of the following:

1. Spamming only/mainly from bots in "good reputation" networks.

2. Spamming only/mainly from bots in "networks too big to be blocked by many". Yes, a few of the extreme anti-spam bigots will block live.com, Yahoo, GMail, etc, but no-one with serious numbers of Email clients making or spending money online will do this.

3. Spamming only/mainly from bots within one network/using one service provider to recipients (apparently) in the same network/using the same SP. Do you really think that live.com, Yahoo, GMail, etc will block mail purely between users of their service based on some external view of the reputation of their service?

Add the multiplier effect of endless accounts on any and all large Email service provider systems through sweatshop and bot-automated CAPTCHA-cracking and account creation and it just gets worse and worse.

The root cause of the problem with "sender-authentication" anti-spam solutions? Enough of the Email-sending client-base must be assumed to be compromised at the level that appearing to be any "legitimate" user of a client network connection is trivial for the bad guys. Any anti-spam solution that does not factor that into its calculations is broken by design. SPF, DKIM, etc are _all_ such flawed designs.
The only interesting question in all this is how wilful were the designers of these reputed anti-spam systems in ignoring the above self-evident truth when they designed, and more importantly, touted, their worthless (in the big-picture sense -- in the "accruing Internet cred and/or moolah" stakes, quite the opposite) "solutions"? Oh, and I guess another interesting question is why haven't the few clueful tech-journos picked up on this?

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
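As an added illustration of the point above (example code, not from the post or from any list member), here is a minimal SPF evaluator for the ip4/ip6/all mechanisms. The record and client addresses are constructed; it shows that an SPF "pass" only asserts that the connecting IP is one the domain authorised, which a compromised host inside that network satisfies just as well as a legitimate one.

```python
# Added example: a minimal SPF evaluator covering only the ip4, ip6 and all
# mechanisms (include:, a, mx, redirect= are deliberately left out, and the
# DNS TXT lookup is assumed to have already been done by the caller).
import ipaddress

# Constructed example record for a hypothetical domain; 203.0.113.0/24 is
# documentation address space, standing in for an ISP's customer range.
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for client_ip.

    The result is a statement about the *connection* (is this address one
    the domain owner listed?), never about who is typing at the keyboard
    behind that address.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to a 'pass' qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6"):
            # ip_network.__contains__ returns False on an IPv4/IPv6 mismatch,
            # so an ip4 term never matches an IPv6 client and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no trailing 'all'


def spf_results(record, client_ips):
    """Evaluate several connecting addresses against one record."""
    return {addr: evaluate_spf(record, addr) for addr in client_ips}


if __name__ == "__main__":
    # Both addresses sit inside the authorised range: SPF cannot tell a
    # legitimate customer apart from a spambot on the same ISP network.
    for addr, verdict in spf_results(EXAMPLE_RECORD,
                                     ["203.0.113.77", "2001:db8:1::42",
                                      "198.51.100.5"]).items():
        print(f"{addr:>20} -> {verdict}")
```

A mail filter that treats "spf=pass" as a legitimacy signal rather than as one input to DMARC alignment and reputation scoring is making exactly the assumption the post criticises.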