nanog mailing list archives

Re: botted hosts


From: Valdis.Kletnieks () vt edu
Date: Mon, 04 Apr 2005 16:33:29 -0400

On Mon, 04 Apr 2005 16:12:51 EDT, Dean Anderson said:

> On a deeper level, I discovered (it's not at proof level, but probably at
> 'strong conjecture' level) that results from information theory show that
> spam cannot be stopped technically. I'll write it up a bit more formally,
> and post a link.  (And I'll see if I can carry it out to a proof) To
> summarize, I show that spam is equivalent to a covert/sneaky channel [or
> rather, "sneaky channel"  in the network literature and other names in
> other areas of literature--e.g. "covert channel" is usually specific to
> multi-user OS analysis, but the concepts are the same]. Then I show that
> since one can't prove an information system is free of covert/sneaky
> channels, it can't be proven free of spam either.

The thing your analysis will probably fall short on is that although you
can *at best* limit the bandwidth of a covert channel (a well understood
concept as far back as the old Orange Book), there's the assumption that
a covert channel has a cooperating sender and receiver, both doing the
moral equivalent of an FFT to extract the signal from the noise.

The problem arises when you are trying to push signal (spam) to a non-cooperating
recipient. I've seen spam that's so obfuscated that it's unclear whether
it's trying to sell me a R00leckss or medications.  At that point, it may
be able to pass under the effective-bandwidth filter of your covert channel.

But it's also likely to be under the effective bandwidth needed to actually
deliver a message to an end-user.

If you hide the spam in a steganographic message inside a .JPG of a giraffe,
it will almost certainly make it to the mailbox.  But at that point, the
user is left looking at a picture of a giraffe......
