funsec mailing list archives

Re: 95% of User Generated Content is spam or malicious


From: Dan Kaminsky <dan () doxpara com>
Date: Wed, 24 Feb 2010 09:09:46 -0500

On Wed, Feb 24, 2010 at 8:37 AM, Rich Kulawiec <rsk () gsp org> wrote:
> On Tue, Feb 23, 2010 at 05:39:05PM -0500, Dan Kaminsky wrote:
>> Do we know what Postini and Google are doing?  If not, do we really
>> have any idea what works?
>
> We have been discussing these points for many, many years on spam-l, where
> the world's leading experts on spam hang out.  I would suggest subscribing
> to the list, participating, and reading the archives.

Heh, man.  You're the one who brought up all the useless products.
There certainly seem to be many people working on many approaches that
do not work.

> And yes, we know full well what works and doesn't work, but again, it
> depends on whether the goal is merely stopping spam (which is quite easy
> for any minimally-competent postmaster and does not require paying for
> software, appliances or services [1])

Really?  What is this set of small deployment guides I can read that
will take the thousands of spams I get a day and cut it to a few spams
a month, with apparently no false positive rate?

I'm serious.  I would love to have better advice to customers than
"Uh, I can't tell you how to fix your Spam problem; nothing I've ever
tried seemed to work.  Go hire Postini."

> or whether it's stopping spammers.
> Not many people grasp the distinction, which is why almost without
> exception, efforts over the past decade-plus have been directed at the
> former, not the latter.
>
> Treating the symptoms makes the patient feel better, but does not
> cure the disease.
>
> It does, however, provide a steady revenue stream for those who are
> doing the former while pretending the latter doesn't exist.
>
> And meanwhile the latter has gotten much, much worse.

Somebody is successful at stopping spammers?  Like, making a human
being not hit the send button?

Who?

Best I can tell, there are really only three options that stop a spammer:

1) Arrest the Spammer
2) Kill the Spammer
3) Bribe the Spammer

#1 is funny.  Haha.
#2 has happened (top spammer in Russia, had to identify him from
dental records).  Strangely unpopular.
#3 ...who knows.  It would explain a lot though :)

> ---Rsk
>
> [1] Sufficiently high usage of the Spamhaus DNSBLs may incur a fee.  But
> (a) very few operations reach that mark and (b) best practice in anti-spam
> defense is to use a *lot* of other things before querying any DNSBL,
> thus providing faster processing and reducing the load on the DNSBLs.
> Most of the mail systems I run currently reject 80-85% of the spam
> that they're going to reject before they consult any external resource.
> This is vastly superior to those which *begin* by querying DNSBLs.

We all know I love me some DNS, but at the nth degree, heavy use of
DNS for blacklists devolves back into a traditional database
synchronization problem, and the DNS protocol stops being the
appropriate way to carry such a load.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

