Re: [Asrg] A Vouch By Feedback proposal

Rich Kulawiec <rsk@gsp.org> Thu, 09 July 2009 11:48 UTC


On Thu, Jul 09, 2009 at 10:08:35AM +0100, Ian Eiloart wrote:
> Knowing the real email address responsible lets us:
>
> 1. Contact the owner of a compromised account, and advise them to take action.

If the account's compromised, then the new owner may not permit
the former owner to see those communications.

Or

The former owner is unlikely to believe such reports or take any
meaningful action.  For example, they may just abandon the compromised
account, and open a new one...which will shortly be compromised in
the same way.

Or

The former owner will classify these reports as spam/phishes.

Relying on the same end-users who have created the problem to solve
it is a 100% pre-failed strategy.

> 2. Contact the account service provider.

If you can manage to jump through the hoops they've put in place, sure.
But automated reporting will misfire, manual reporting doesn't scale,
and many account service providers simply don't care.  They don't
have to: there are few, if any, meaningful consequences to apathy,
and as long as they're profitable, few of them care about their
responsibilities to the 'net.

> 3. Blacklist the address.

(I'm presuming you mean email address, not IP address.)

Yes, but given that there is an inexhaustible supply of those, this will
block the spam that's not coming any more from yesterday's compromised
account and do nothing to block the spam that's coming tomorrow from
the next compromised account.  This is also a 100% pre-failed strategy.

(Now, if you're talking about IP address, sure: we have very effective
blacklist mechanisms for doing that.)

> 4. Bounce unwanted email back to the sender.

Unwanted mail should always be rejected, never bounced. Doing the
latter not only generates useless traffic but is pretty likely
to generate outscatter/backscatter, which is spam.  And even if
it's correctly delivered, it will do absolutely no good -- see above.

---Rsk
Do NOT send me off-list copies of on-list replies: it's rude and wasteful.
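
Added example, not part of the original message: a small Python model of the reject-versus-bounce point in item 4, showing where the failure notice ends up when the envelope sender is forged. The `Delivery` record, the sample addresses and the `TRUTH` set are constructed for illustration; the `unwanted` flag stands in for whatever local filter produces the verdict.

```python
from dataclasses import dataclass

@dataclass
class Delivery:
    client_ip: str   # host that actually connected to us
    mail_from: str   # envelope sender claimed in MAIL FROM (forgeable)
    rcpt_to: str
    unwanted: bool   # verdict of the local filter (assumed input)

def reject_policy(d):
    """Decide inside the SMTP transaction: the connecting client gets the 5xx."""
    if d.unwanted:
        return "550 5.7.1 Message refused", []
    return "250 2.0.0 OK", []

def bounce_policy(d):
    """Accept first, then send a DSN to whatever MAIL FROM claimed."""
    if d.unwanted:
        # DSNs use the null return path "<>" and go to the claimed sender.
        return "250 2.0.0 OK", [{"from": "<>", "to": d.mail_from}]
    return "250 2.0.0 OK", []

def run(deliveries, policy, real_senders):
    """Return (5xx replies, DSNs generated, DSNs sent to non-senders)."""
    rejected = dsn_count = backscatter = 0
    for d in deliveries:
        reply, dsns = policy(d)
        rejected += reply.startswith("5")
        dsn_count += len(dsns)
        # A DSN is backscatter when its target never sent the message.
        backscatter += sum((d.client_ip, x["to"]) not in real_senders
                           for x in dsns)
    return rejected, dsn_count, backscatter

# Constructed sample: two messages with forged senders, two from a real one.
SAMPLE = [
    Delivery("203.0.113.7", "victim@example.org", "user@example.net", True),
    Delivery("203.0.113.9", "other@example.com", "user@example.net", True),
    Delivery("198.51.100.5", "alice@example.com", "user@example.net", False),
    Delivery("198.51.100.5", "alice@example.com", "user@example.net", True),
]
# Constructed ground truth: (client, address) pairs that really match.
TRUTH = {("198.51.100.5", "alice@example.com")}

if __name__ == "__main__":
    print("reject:", run(SAMPLE, reject_policy, TRUTH))
    print("bounce:", run(SAMPLE, bounce_policy, TRUTH))
```

Under the reject policy no new message is ever created, so there is nothing to misdeliver; under the bounce policy every forged `MAIL FROM` turns into mail sent to an uninvolved address.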