Re: [Asrg] An "ideal" false positive (TMGRS take 2)

Michael Thomas <mike@mtcc.com> Sun, 14 February 2010 23:50 UTC


Rich Kulawiec wrote:
> On Fri, Jan 29, 2010 at 02:33:56PM +0000, Ian Eiloart wrote:
>   
>> So, does that mean that all computer mediated communication is pointless?
>>     
>
> Of course not. But it does mean that anything originating on an
> end-user system should never be used as an input to a security policy
> mechanism, since The Bad Guys can either fabricate or block an
> arbitrary number of such inputs as they see fit. [1]
>   

Why is "security policy" different than "crown jewels"? If they own my
machine, they can tar up a svn checkout of the crown jewels and do
immeasurably more harm than shipping bogus anti spam reports.

That and it might be *good* for them to start trying to game AS
reporting stuff: if the backend started looking for those patterns,
they'd probably stick out like a sore thumb, and you could put the
machine in the penalty box.

Mike

> ---Rsk
>
> [1] Within the constraint that they can only do so from those systems
> which they control.  But given that the number of such systems is
> already very large and still growing, and that there is no reason
> at all to think that this trend will reverse or even slow down, this
> constraint is not really very limiting in practice.