Re: [Asrg] An "ideal" false positive (TMGRS take 2)

Rich Kulawiec <rsk@gsp.org> Fri, 29 January 2010 13:55 UTC

On Thu, Jan 28, 2010 at 07:04:42PM +0100, Alessandro Vesely wrote:
> Alice reports as spam a message from Bob, either by mistake or out
> of curiosity. 

But there is no way to know that Alice actually filed the report
or that Bob actually sent the message.

If either Alice's or Bob's system is a zombie, which -- if they're
running Windows -- already has a two-digit percentage probability which
has been monotonically increasing for most of a decade -- then there is
no way for any external observer to distinguish between:

	- Alice pushed the report-as-spam button
	- Malware resident on Alice's system pushed the report-as-spam button

Nor is there any way for any external observer to distinguish between:

	- Bob sent the message
	- Malware resident on Bob's system sent the message

We already know that the latter case happens billions of times a day
(at least) on hundreds of millions of systems.  There is no reason
to think that the former won't happen too, if report-as-spam buttons
become ubiquitous/standardized, and every reason to think it *will* happen.

There are even some reasons to think it has already happened.

Let me also note in passing that there is no way for any external
observer to distinguish between:

	- Alice did not push the report-as-spam button
	- Alice pushed the report-as-spam button, but malware
		resident on Alice's system intercepted the push,
		prevented the information from being transmitted,
		yet told Alice that it had been sent

My point being that even if we accept that users are reliable classifiers
of spam/not-spam (and I've already expressed in another thread that I
think they're utterly incompetent, but let's ignore that for now) there
is no way to know that apparently-user-originated input via such a mechanism
is in fact user-originated.  There are at minimum 100M zombies out there
(lesser estimates should be laughed out of the room) and more every minute.
I see no reason -- at the moment -- why that number won't steadily continue
to increase over the next several years, which is as far as my crystal ball
will let me see. ;-)  Given that, setting up a mechanism that spammers and
other abusers can co-opt for their own purposes *at will* appears to me
to be a pointless exercise.

---Rsk