Re: [Asrg] Summary/outline of why the junk button idea is pre-failed

[Jose-Marcio Martins da Cruz <Jose-Marcio.Martins@mines-paristech.fr>]

I'm top posting to give a short answer. Sorry.

I do research on anti-spam filters. Some ideas I investigate are related to
having user feedback, reliable or not. For my requirements, John is right :
I just need two kind of feedbacks : this is ham/wanted or this is spam/unwanted.
This is ok for me.

I may agree with some of your arguments. But OK, you're not interested in
having user feedback. Other people are. So, let they get it. If you think
this is useless, just don't use it. It's an option : MAY, not MUST.

Regards,

JM

Rich Kulawiec wrote:
> I'm going to try to summarize and enumerate some of the arguments against
> the general idea of a report-as-spam button.  My position is that several
> of these points (individually) make the case that it's a truly bad idea
> and should be abandoned immediately and permanently, and that collectively,
> they're an overwhelming rationale.  Others differ, of course.
> 
> This is a *summary* and not an attempt to provide every nuance
> of every argument, so nitpicking is discouraged.  You may rest
> assured that I read the traffic on this list and have been paying
> close attention to the spam problem for the past several decades. ;-)
> 
> 1. User incompetence
> 
> 	Users have spent the last quarter-century conclusively proving
> 	that they cannot reliably discern spam from non-spam.  They stack
> 	the pile of evidence higher every day, by misclassifying spam
> 	as non-spam and vice versa, by replying to spam, by trying to
> 	unsubscribe from spam, by falling for phishes, by handing over
> 	valuable information to spammers, etc.	How many "unsubscribe"
> 	requests do we see sent to entire mailing lists, even by
> 	supposedly-mail-literate technical personnel?  How many people
> 	on public mailing lists cannot distinguish between on-list and
> 	off-list replies?  It's not reasonable to expect that anyone who
> 	has failed to master these rudimentary email tasks will be able
> 	to distinguish spam from non-spam, especially when some spam is
> 	more competently composed and delivered than some non-spam.
> 
> 	This is, I'm sorry to say,  not a solvable problem.  And it will
> 	steadily get worse as more (less-experienced) people get online,
> 	and as spammers get craftier: evolutionary pressure on spammers
> 	is clearly selecting for the smarter ones.
> 
> 	This can't be avoided by educating users: "educating users"
> 	is one of Marcus Ranum's six dumbest ideas in security for very
> 	good reason.  In the case of spam, we KNOW it has failed because
> 	we wouldn't have much of a spam problem to worry about if it
> 	had worked even modestly well.
> 
> 2. User time
> 
> 	Let's assume that #1 is completely wrong: let's assume that
> 	most/all users are competent spam/non-spam classifying engines.
> 	Let's further assume that they're so proficient at it that they
> 	can do so in 5 seconds per message.
> 
> 	Based on both these incredibly over-optimistic assumptions, we can
> 	then calculate how much end-user time will be spent performing
> 	this classification task and hitting the button.  6.3 million
> 	decisions/pushes equates to about a man-year, which means that even
> 	a single small spam run (say 300 million attempts, 3% delivery rate,
> 	thus 9 million deliveries) can easily chew up well over a man-year
> 	of time.  Do the math.
> 
> 	Part of the reason we try to stop spam/spammers is to prevent
> 	them from using up end-user time.  We should not be tasking
> 	users with this, as it neatly undercuts part of what we're
> 	trying to do.
> 
> 3. User exposure
> 
> 	Many clueless users, unfortunately, use web browsers or otherwise
> 	HTML-enabled mail clients to read their mail.  (Of course we can
> 	safely presume that competent professional postmasters or abuse
> 	desk personnel don't do this, but the report-as-spam button is
> 	intended for the masses, and they, sadly, do.)
> 
> 	It is certain that in the process of trying to perform classification
> 	tasks, they'll click on links "just to see what's there".  This
> 	not only provides very useful information to spammers, but it will
> 	assist phishers, trojan downloaders and others whose goal isn't
> 	really spamming per se, but using spamming to penetrate
> 	systems/networks or perform reconnaissance on them.
> 
> 4. User influence on security policy
> 
> 	Anti-spam defenses are similar to firewall rules: they control
> 	site security.	End-users should not be permitted to override
> 	or otherwise modify firewall settings: neither should they
> 	be permitted to override or otherwise modify anti-spam settings.
> 	First, because it's not their job, second, because they're
> 	not responsible for the consequences, third, because they
> 	lack expertise in this area.
> 
> 	(This is not to say that they shouldn't have input.  But all such
> 	input should be manually, carefully reviewed by qualified and very
> 	skeptical personnel before any decisions are made about using it.)
> 
> 5. Duplicates existing functionality
> 
> 	All competently-run sites support the RFC 2142-stipulated
> 	"abuse" role address and have appropriately experienced,
> 	trained, qualified and diligent staff reading every message
> 	sent there.  It's trivially easy for any user to forward
> 	questionable mail traffic (with full headers of course) to
> 	the abuse address of their own mail provider, who can then
> 	decide what to do about it.  These personnel are far better
> 	situated to decipher headers, correlate against logs,
> 	assess threat severity, etc.  They're also much less likely --
> 	presuming that they're competent -- to hand over useful
> 	information to the enemy.  See next point as well.
> 
> 6. Free useful intelligence for spammers
> 
> 	It's great when your enemy hands you useful information.
> 
> 	It's even better when they expend considerable time and effort to
> 	do so.	Spammers can quite easily rig this methodology to provide them
> 	with a wealth of actionable intelligence -- and some of them will.
> 	We should not be building mechanisms that directly support the enemy.
> 
> 7. Creating more Internet mail traffic is a bad move
> 
> 	We're drowning in (as a more generic term than "spam") junk
> 	SMTP traffic.  The last thing we should do is create more of it.
> 	Every possible thing we do to fight spam should dampen the response,
> 	not amplify it.
> 
> 	This (sending outbound traffic) also violates a fundamental
> 	principle of abuse control: do not allow attackers to generate
> 	outbound traffic from *your* site to destinations of
> 	*their* choosing.  This never ends well.
> 
> 8. Report-as-spam button repurposed as weapon
> 
> 	We've already seen how spammers have repurposed any number of
> 	ill-conceived anti-spam concepts (e.g., SAV) as weapons.
> 	They'll do that with this too, should it profit them to do so.
> 	I trust at least a few methods are obvious on inspection;
> 	there's also a few non-obvious ones that I will not be discussing
> 	on a public mailing list, some of which relate to the next point.
> 
> 9. The zombie problem
> 
> 	There are, at bare minimum, 100 million fully-0wned systems
> 	out there.  I've seen estimates as high as 250M (Cerf) and more
> 	moderately, 140M (Kletnieks).  My back-of-the-envelope
> 	estimate is currently 200M.  And climbing.
> 
> 	It doesn't really matter.  Whatever the number is, it's enormous,
> 	and growing steadily.  And abusers who now own those systems *also*
> 	own every report-as-spam button that those users have access to,
> 	e.g., if they have a work email account, home email account,
> 	freemail account, then they fully control all three.  They can
> 	suppress pushes; they can create pushes.  They can generate
> 	ersatz traffic in order to suppress or create pushes related
> 	to it.  They can manipulate this any way, every way, they wish.
> 
> 	They can create additional email accounts -- at their own ISP
> 	(many consumer ISPs offer 5 per household and similar) or at
> 	freemail providers just to have more buttons to push more often.
> 	Or *not* to push, which is just as important.
> 
> 	Moreover, they can do this easily and cheaply, and far faster
> 	than real live users can.  And they can do it in much greater
> 	numbers -- surely it is extremely unrealistic to expect all
> 	users, or a majority of users, to use such a button,
> 	even if furnished to them.
> 
> 	Which means that spammers can easily dominate the statistics by
> 	as much as they wish.  They could, on a whim, account for 10% or 50%
> 	or 90% or 99% of them.  Of course, *today* there is little reason
> 	for them to bother.  But if we (again, very over-optimistically)
> 	presume that a report-as-spam mechanism is deployed tomorrow
> 	without any of the *other* issues listed above, THEN they will
> 	have a reason to.  Spammers have long since proven that they can
> 	and will innovate when they need to -- and quickly.
> 
> Summary of the summary:
> 
> I think any of 1, 6, 7, 8, and 9 alone are sufficient to kill the
> idea outright.  9 kills a lot of ideas outright: it's the elephant
> in the room that lots of people like to ignore or wishful-think away
> because it neatly undercuts what they're proposing.  6 is often
> badly under-estimated by those who haven't put in the time required
> to study the enemy.
> 
> I think 2 and 3 are strong points but not sufficient to kill it.
> 
> I think 4 is arguable, but sites which allow users to override system
> and network administrators tend to show up on the dataloss mailing
> list and similar.  It's a very bad move to allow users to make any
> decision related to security: they will invariably choose poorly.
> (e.g., Knight-in-cave-after-bad-guy-dies-horribly: "He chose...poorly".
> Yeah.  Like that.)
> 
> We've had 5 for years; what we unfortunately don't have are sites
> that operate their abuse desks properly.  A button is not a substitute
> for diligent staff who are willing to individually investigate every
> single abuse report. This is called "baseline competence" and it's quite
> reasonable to expect it of every operation, regardless of size.
> 
> Could *some* of these be mitigated?  Yes.  Rate-limiting, DNS bogusing,
> firewalling, and other mechanisms might be able to at least slow down some
> of the resulting attacks and abuse.  (For example, DNS bogusing can be
> used to prevent users on intranets from resolving the hostnames of
> known-phishing sites, thus probably preventing them from accessing their
> web sites.  Of course this won't work for users who are reading their
> work email from home and using their ISP's resolvers.)  But there's no
> fixing 1, 2, 6, 8 or 9.
> 
> Bottom line: widescale deployment of this builds a mechanism that spammers
> will own the moment they choose to do so.  I can't say for certain what
> they'll choose to do with it, but it would be silly to think that whatever
> they do with their brand-new toy will be for *our* benefit.
> 
> ---Rsk
> _______________________________________________
> Asrg mailing list
> Asrg@irtf.org
> http://www.irtf.org/mailman/listinfo/asrg
> 


--