Information Security News mailing list archives

The price of email is constant vigilance


From: InfoSec News <isn () c4i org>
Date: Mon, 8 Mar 2004 03:48:24 -0600 (CST)

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>
Cc: infosecbc () yahoogroups com, secedu () egroups com, infosec () yahoogroups com, isn () c4i org

Peter Wilson's article on spam and viruses (on Saturday, March 6,
2004) lists a number of antispam measures that are currently being
promoted.  He also retails Bill Gates' confident prediction that spam
will be a thing of the past by 2006.  Remember that prophecy, because
Bill Gates is going to be proven wrong.  An examination of the
measures listed in the article demonstrates why.

SPF (sender-permitted format) is currently garnering the greatest
interest.  The description of SPF as a kind of caller-ID is not quite
correct.  All email carries caller-ID in the form of the information
about who the message is from, and information about the Internet
Protocol (IP) address that originated the message.  SPF is actually an
attempt to contact the site that is supposed to have originated the
message, and verify that these two pieces of information match, or, at
least, are likely.  Spammers, when creating spoofed addresses, don't
bother to make sure that they do.  Or, at least, they haven't up until
now.

Microsoft's own version seems to be either an attempt to compete or an
attempt to derail SPF: SPF is primarily promoted by AOL, and the two
companies have never played particularly well together.  Microsoft's
plan is derided by the SPF camp for being proprietary.  It is true
that SPF uses features and functions that make more effective use of
the email protocols that are currently in use on the Internet.  The
configuration of factors is not universal, though, and some of the
activities will require new programming for everyone who participates
in SPF.  Which may mean that the Internet might become split into the
camp of those who use SPF, and those who don't.

I have seen this in action already.  I have a number of accounts.  
(And, of course, get tons of spam.)  One is through Vancouver
CommunityNet, which does not have very much in the way of spam
detection or prevention.  Because of the volume of spam this account
receives (particularly during the Sobig flood last summer), I
forwarded the account to a service that does spam and virus filtering.  
One of the functions that the service uses is similar to the SPF
protocol.  A great deal of the spam that was being forwarded was
unverifiable, and so the service simply refused to accept it.  This
meant that a volume of email built up on Vancouver CommunityNet, to
the point that it affected the mail system as a whole.  (Vancouver
CommunityNet, despite being informed of all the details, and my own
actions to rectify the situation, has handled the whole matter in a
very sloppy manner.)

SPF has promise, and it may be possible (unlike the Microsoft
proposal) to provide workarounds for a variety of systems, platforms,
and applications.  However, there are a number of issues that still
have to be resolved, such as email aliases, third-party services, and
applications such as mailing lists, which operate in a wide variety of
forms.  The difficulties are not insurmountable, but an enormous
amount of work still has to be done.

Microsoft's micropayments strategy is apparently the most recent one,
but has been raised many times over the history of the nets.  (One of
the popular programs providing Usenet news, a type of topical
discussion, used to remind anyone who attempted to post a message that
it would possibly cost thousands of dollars to send this to everyone:
did they really want to do that?)  Unfortunately, the issue of mailing
lists comes up almost immediately.  Even if we assume one cent per
message, if I send a message to a popular list such as the RISKS-FORUM
Digest, with a possible hundred thousand subscribers, am I charged a
thousand dollars for that message?  Is the list moderator charged?  
In the case of RISKS, it is also redistributed by a number of
sub-mailing lists: do those costs get charged to the accounts of the
local administrators?  The list moderator?  Me?

(The obvious second question is: who *gets* the money?  The Internet
Engineering Task Force?  Some bloated bureaucracy parcelling out the
cash to the various national telecom carriers?  Charity?  Microsoft?  
The recipient?  Hmmm.  Maybe I should rethink my objection to the
micropayment system.  At one point I was getting 8,000 [yes, eight
thousand] copies of spam from one system in China.  Per hour.  Same
message.)

And, of course, in order to provide for such a micropayment system,
everybody is going to have to use a Microsoft mailer.  With a
Microsoft payment system.  And a Microsoft account.  This sounds like
an attempt to resurrect the (justly derided and roundly condemned)
Passport and Palladium systems.

The challenge-response system is already being used by a number of
outfits providing spam filtering and other services.  It is a
nuisance.  It can create a great deal of annoyance in a number of
situations, not least being mailing lists.

It also doesn't work.  The most common challenge-response systems
present a graphical image of a word.  This word is supposed to be
entered in a field on a web page in order to create permission for the
message to go through.  People can read the word easily, but machines
have difficulty with this type of task, so this makes it impossible
for spammers to automate the sending of email: they have to read and
respond to every challenge.

That's the theory.  In fact, spammers have already been found to be
"automating" the process--using Internet web surfers.  A number of
web pages have been set up promising access to pornography.  In order
to access the files, you have to respond to a challenge.  The
challenges are, of course, those that are being presented on the
antispam filtering sites.  Those challenges are simply extracted,
presented to the surfers wanting access to pornographic images, solved
by the user, and the solution fed back to the antispam site.  The same
problems apply to computational puzzles: they are simply another form
of challenge-response.

In fact, most of these antispam technologies fail in the face of the
problem of spam nets set up by viruses.  Spam sent from infected
machines could simply use the name of the owner, thus verifying the
identity.  Spam sent from infected machines could use the micropayment
"wallet" on the infected machine, thus creating not only problems of
clean-up for the owner, but also a real cost.  Infected machines could
be used to crack computational puzzles, or the owner could be
presented with challenges to respond to, in a variety of ways.

Spam has passed the stage of being a nuisance.  Email is a means of
communication that is starting to rival the phone, and spam is
seriously degrading the effectiveness and utility of email.  Antispam
measures are badly needed, but we cannot accept any proposed solution
uncritically.  Dividing the Internet into isolated camps of
incompatible (and rival) antispam technologies takes us back to the
early days of online systems, when lots of people had email, but
nobody could talk to each other.

There is no easy fix, and there is no easy answer.  Administrators
have to ensure that they are not providing open relays that can be
used for spam.  Email filtering services are checking for
inappropriate inbound email, but must also check what is going out.  
ISPs (Internet Service Providers) must be more vigilant in regard to
the use being made of the net to which they provide access.  Computer
users at all levels have to check for malicious software, unpatched
vulnerabilities, open ports and services, and what is going out of
their systems as well as what is coming in.  Everybody needs to become
more aware of what is going on, and keep up with the changes in
threats around us all.

And anyone who tells you it is not going to be painful is selling
something.

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca      slade () victoria tc ca      rslade () sun soci niu edu
The brain is a mass of cranial nerve tissue, most of it in mint
condition.                                             - Robert Half
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade



-
ISN is currently hosted by Attrition.org
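
Added example, not part of the original message: a minimal evaluator for the sender check discussed in the SPF paragraphs, using the `v=spf1` TXT-record syntax that SPF standardized on. It handles only the `ip4`, `ip6` and `all` mechanisms; the domains, addresses and the `RECORDS` table (a stand-in for DNS lookups) are constructed. It shows why a message relayed by a forwarding account is rejected exactly like a spoofed one.

```python
import ipaddress

# Constructed sample data: published policies keyed by envelope-sender domain.
# A real receiver fetches these as DNS TXT records.
RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "nopolicy.example": None,
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, records=RECORDS):
    """Return the SPF-style result for client_ip sending as domain."""
    record = records.get(domain)
    if not record or record.split()[0].lower() != "v=spf1":
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                  # catch-all, always matches
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"           # outside this sketch's subset
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"             # malformed address in the record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched, no "all" term

def demo():
    return {
        # Mail sent straight from the domain's own outbound range.
        "direct": check_spf("sender.example", "192.0.2.10"),
        # Forged sender address, connection from an unrelated host.
        "spoofed": check_spf("sender.example", "203.0.113.7"),
        # Genuine mail relayed by a forwarding account's server, which
        # keeps the original sender but connects from its own address.
        "forwarded": check_spf("sender.example", "198.51.100.80"),
        "no_policy": check_spf("nopolicy.example", "203.0.113.7"),
    }

if __name__ == "__main__":
    print(demo())
```

The receiver sees only the connecting address and the claimed sender, so the `forwarded` and `spoofed` cases are indistinguishable to it unless the forwarder rewrites the envelope sender or is explicitly trusted.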
