Re: [Asrg] An "ideal" false positive (TMGRS take 2)

Michael Thomas <mike@mtcc.com> Mon, 15 February 2010 00:15 UTC

Message-ID: <4B789265.30402@mtcc.com>
Date: Sun, 14 Feb 2010 16:16:37 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080501)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <4B61D1BA.6060807@tana.it> <20100129135607.GB27203@gsp.org> <FBFC96085D5112AA96E23D0F@lewes.staff.uscs.susx.ac.uk> <20100214224735.GB11546@gsp.org> <4B788C90.20108@mtcc.com> <20100215000234.GB19491@gsp.org>
In-Reply-To: <20100215000234.GB19491@gsp.org>
Subject: Re: [Asrg] An "ideal" false positive (TMGRS take 2)

Rich Kulawiec wrote:
> On Sun, Feb 14, 2010 at 03:51:44PM -0800, Michael Thomas wrote:
>
>> Why is "security policy" different than "crown jewels"? If they own my
>> machine, they can tar up a svn checkout of the crown jewels and do
>> immeasurably more harm than shipping bogus anti spam reports.
>
> Perhaps, but (a) that would be far more difficult to automate
> (b) it might or might not serve their purposes (c) it would have
> limited impact.

Yeahbut, this is all about work/reward on the part of the bad guys.

>> That and it might be *good* for them to start trying to game AS
>> reporting stuff: if the backend started looking for those patterns,
>> they'd probably stick out like a sore thumb, and you could put the
>> machine in the penalty box.
>
> I'm sure that SOME of their attempts to game these would be sufficiently
> heavy-handed as to stick out like a sore thumb.  I'm equally certain
> that some of them would not.  Don't underestimate the enemy's intelligence,
> diligence, or guile.

I'm not. That's why we need to keep some perspective about these kinds
of things. They could spend their time crafting a Stealth Antispam Report
Bomber, or they could... hack something up to steal a company's crown
jewels with their army of owned machines. Or any number of other things
that we've not even considered. Looking too far down this decision tree
is perilous because while we get stovepiped into categories (i'm an AS
d00d!) happily lopping off all of the other threat branches since it's
not our job, the bad guys aren't so constrained.

From that standpoint, you're already completely hosed if you have owned
machines on your net. Them gaming an AS reporting mechanism is the
*least* of your worries.

Mike