Re: [Asrg] request for review for a non FUSSP proposal

Claudio Telmon <claudio@telmon.org> Tue, 23 June 2009 10:47 UTC

Return-Path: <claudio@telmon.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 44D5B28C2A2 for <asrg@core3.amsl.com>; Tue, 23 Jun 2009 03:47:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.428
X-Spam-Level:
X-Spam-Status: No, score=-0.428 tagged_above=-999 required=5 tests=[AWL=-0.024, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cbc3tfJg33iu for <asrg@core3.amsl.com>; Tue, 23 Jun 2009 03:47:17 -0700 (PDT)
Received: from slim-2a.inet.it (slim-2a.inet.it [213.92.5.122]) by core3.amsl.com (Postfix) with ESMTP id EC40A3A6E99 for <asrg@irtf.org>; Tue, 23 Jun 2009 03:47:16 -0700 (PDT)
Received: from 88-149-250-16.dynamic.ngi.it ([::ffff:88.149.250.16]) by slim-2a.inet.it via I-SMTP-5.6.0-560 id ::ffff:88.149.250.16+hNh1BFhPGW0; Tue, 23 Jun 2009 12:47:31 +0200
Message-ID: <4A40B2C0.8090604@telmon.org>
Date: Tue, 23 Jun 2009 12:47:28 +0200
From: Claudio Telmon <claudio@telmon.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.21) Gecko/20090318 Lightning/0.8 Thunderbird/2.0.0.21 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <4A3DFC91.2090506@telmon.org> <4A3F9B2B.8020603@tana.it> <4A3FF3AF.9030401@telmon.org> <4A3FF7F1.1060705@nd.edu> <4A3FFB64.6030409@telmon.org> <20090622215251.GA2137@gsp.org> <4A400246.9060103@telmon.org> <20090623100542.GA9628@gsp.org>
In-Reply-To: <20090623100542.GA9628@gsp.org>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] request for review for a non FUSSP proposal
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2009 10:47:18 -0000

Rich Kulawiec wrote:

> This is unworkable for multiple reasons, not the least of which of scale:
> as of a few years ago, there were at least a hundred million compromised
> systems, and the number today is certainly much higher.  There's no
> good way to inform the former owners of those systems, there's no reason
> to believe that they'll see the notification (especially if automated,
> since the new owners of those systems can prevent them from seeing it),
> there's no way to stop those systems from emitting bogus notifications,
> the recipients' systems may themselves be compromised, etc.  Not to
> mention it's a LOT of work for everyone to keep track of all these tokens.

While what you say is true in general, I think you missed a critical
part of the consent framework I'm proposing. A consent-enabled address
will only accept messages from senders that received a valid token for
that address though some channel (usually, not email). That is, each
sender will only have tokens for consent-enabled addresses he received a
token for, which is comparable to the number of addresses he has in his
address book. If the sender's system is compromised, the
attacker/spammer will only collect tokens for these addresses. The
spammer can send spam to any non-consent-enabled address, but this is
outside the scope of the framework. The spammer can however send
messages only to the consent-enabled addresses he has tokens for, which
are the people in the address book of the compromised system. These are
the (few) people the system owner is in direct contact with, which will
detect which token is used in the spam they receive and therefore whose
system was compromised. The owner of this system will be informed,
possibly not via email, and the tokens will be invalidated anyway. The
other millions of compromised hosts are not relevant in this scenario:
even if the spammer distributes the tokens to these hosts, or sells the
address and the token in a list, all this becomes useless once the token
is invalidated, which should happen almost immediately after a couple of
spam messages.
At this point, those receiving the spam can decide if they want to issue
a new token for the (once) compromised sender, provided that its host
has been cleaned. If they keep receiving spam with the new token, they
surely will revoke this token too, and will be put in front of the
problem of their relationship with somebody that is not able to keep its
system clean. With respect to consent-enabled addresses, it would turn
the problem of informing the owners of millions of compromised systems,
into a "local" problem of relationships inside small groups of people.


-- 

Claudio Telmon
claudio@telmon.org
http://www.telmon.org