Re: [Asrg] Email service assumptions and making system-wide changes

Barry Shein <bzs@world.std.com> Tue, 17 January 2006 17:54 UTC

From: Barry Shein <bzs@world.std.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <17357.11504.741228.156521@world.std.com>
Date: Tue, 17 Jan 2006 12:44:16 -0500
To: Seth Breidbart <sethb@panix.com>
Subject: Re: [Asrg] Email service assumptions and making system-wide changes
In-Reply-To: <200601170726.k0H7Q9b16604@panix5.panix.com>
References: <OF4768D65E.ECA3CB39-ON802570F8.004A9BA8-802570F8.004AA408@slc.co.uk> <43CBF4CD.30708@dcrocker.net> <17355.64568.706837.635025@world.std.com> <200601162206.k0GM68I27130@panix5.panix.com> <17356.38171.951736.912706@world.std.com> <200601170726.k0H7Q9b16604@panix5.panix.com>
Cc: asrg@ietf.org

On January 17, 2006 at 02:26 sethb@panix.com (Seth Breidbart) wrote:
 > > I don't think there are all that many opportunities open to spammers
 > > to cause the kind of global mayhem they cause, and raising their
 > > cost of business (i.e., forcing them to retool drastically over and
 > > over) should have its effects on them.
 > 
 > What part of that argument couldn't have been made about open relays
 > before the advent of botnets?
 > 
 > Why don't you think it will sound just as silly after botnets have
 > been replaced by the next thing?

The process of identifying and closing the open relays was very
helpful in closing subsequent spamming methods.

The initial reaction to identifying open relays as major spam sources
and requiring modification by their legitimate operators was
frequently responded to with reactions ranging from "why me", to "why
don't you find some other way to stop these guys?" and even "I have
every right to run an open relay if I want / my server my rules" (I
can name names.)

By and large those attitudes changed as it was made more and more
clear that open relays were a major target of opportunity for
spammers.

The activity of closing down open relays helped tremendously in
establishing the ethic that if your server is being exploited in some
obvious, fixable way by spammers you need to fix it and fix it quickly
or, e.g., find your server in netwide blocklists.

This carried over very well to similar exploits such as those found in
popular web applications. One example is mailto.pl (Doug's WWW Mail
Gateway), a perl CGI script which managed forms data for fill-in
responses on web pages.

It was popular and turned out to be exploitable by spammers; just
stick in any target address and msg, more or less, and hit a site
running the script over and over and it'd spew spam for you. In
essence just automate filling out the form. The exploits actually
allowed hundreds of target addresses per send.

I know this first-hand because it was a bane here on World for a
while. These were closed down in mass droves, after the open relay
experience few needed to be asked twice. It never occurred to us to
respond "oh why bother they'll just find another exploit?". We shut
them down actively.

Education, awareness, actual shutting down of probably tens of
thousands of open relays, preparation and distribution of easy recipes
for fixing common mail server (sendmail, postfix, exim, etc)
configurations, and subsequent releases of those server software
packages with those more secure configurations the default, and new
features improving more secure behavior.

More Importantly...

I'm skeptical of your claim of this unending list of exploits readily
available to replace zombie botnets and doubt it's a good analysis of
the situation.

Put simply, we'd see these new exploits already.

Large botnet operators are being arrested and have been sentenced to
hard time, or are facing hard time.

Running and renting botnets is becoming dangerous, legally.

If there were some other technology easily switched to they'd be
switching to it already. So what is it?

The arrest and conviction of botnet operators is a good development
and should help.

The impression is that many of them are willing to operate in the gray
areas if they believe they are unlikely to be caught and convicted but
few will persist as the behavior becomes more legally dangerous. Or
they won't be able to persist from a jail cell if nothing else.

And the fewer there are, the more likely the hardcore cases can be
identified and arrested. That fact can't be missed except by the most
naive criminals.

Finally, we're talking about spammers finding a way to send many
billions of messages per day, anonymously, with sufficient delivery
resources, and in a manner difficult to identify and block technology.

That's a long and difficult list of requirements.

Such massive exploits don't just grow on trees.

There haven't been very many successful methodologies for spammers in
the past decade (throw away accounts, cooperative and/or negligent
ISPs, open relays, botnets), and it's reasonable to assume the same
will be true in the future. Successful exploits will be few and
identifiable and we can deal with them when and if they come along.

Put another way, what's the other choice? To just allow the zombie
nets to operate because they might find another method?

-- 
        -Barry Shein

The World              | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
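As an added illustration (not part of Barry's post, and not code from mailto.pl itself), the following Python sketch contrasts the failure mode the post describes, a form-to-mail handler that takes its recipients from the submitted form and so acts as an open relay, with a hardened handler that only mails operator-configured addresses, caps the recipient count, and rejects CR/LF header injection. The original script was Perl; Python is used here only so the check can be run. `ALLOWED_RECIPIENTS`, the limits and the form field names are assumptions, and all inputs are constructed.

```python
import re
from email.utils import parseaddr

# Assumption: the site operator, not the form, decides who the form may reach.
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}
MAX_RECIPIENTS = 1          # a contact form never needs "hundreds of targets"
MAX_BODY_BYTES = 4096

_CRLF = re.compile(r"[\r\n]")   # a newline in a header field lets the sender add headers


def weak_recipients(form):
    """The relay-style behaviour: trust whatever 'to' list the form supplies."""
    return [a.strip() for a in form.get("to", "").split(",") if a.strip()]


def hardened_recipients(form):
    """Return (recipients, error): allow-listed addresses only, bounded count,
    no CR/LF in the field."""
    raw = form.get("to", "")
    if _CRLF.search(raw):
        return [], "CR/LF in recipient field"
    rcpts = []
    for item in raw.split(","):
        _, addr = parseaddr(item.strip())   # strips display names like "Bob <bob@x>"
        if not addr:
            continue
        if addr.lower() not in ALLOWED_RECIPIENTS:
            return [], f"recipient not permitted: {addr}"
        rcpts.append(addr.lower())
    if not rcpts:
        return [], "no recipient"
    if len(rcpts) > MAX_RECIPIENTS:
        return [], f"too many recipients ({len(rcpts)})"
    return rcpts, None


def validate_submission(form):
    """Full check of a constructed form submission; returns (message, error)."""
    rcpts, err = hardened_recipients(form)
    if err:
        return None, err
    subject = form.get("subject", "")
    if _CRLF.search(subject):
        return None, "CR/LF in subject"
    body = form.get("body", "")
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        return None, "body too large"
    return {"to": rcpts, "subject": subject, "body": body}, None
```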
