RE: [Asrg] Two ways to look at spam

Barry Shein <bzs@world.std.com> Wed, 02 July 2003 19:47 UTC

From: Barry Shein <bzs@world.std.com>
Message-ID: <16131.13884.492660.11369@world.std.com>
To: Yakov Shafranovich <research@solidmatrix.com>
Cc: Barry Shein <bzs@world.std.com>, "'asrg@ietf.org'" <asrg@ietf.org>
Subject: RE: [Asrg] Two ways to look at spam
Date: Wed, 02 Jul 2003 15:45:00 -0400

Well, some ideas:

1. Some sort of time-domain analysis of where spam actually comes from
   (IP addresses, nets).

If it's seemingly random that would point towards the theory that it's
just (presumably illegally) exploited machines.

If it's coming from specific places with some predictability then that
would lean towards more consent-based conclusions.

2. Stability of web addresses etc. advertised in spam.

I've heard it claimed (by one of the speakers at the MIT spam conf)
that the typical lifespan of a spamvertised website is two hours.

Again, that sort of instability tends to promote the idea of spam
being a product of criminal behavior.

3. Stability of relays

Similar, but how long does a spam relay spew spam, typically (what's
the distribution)? One hour? 12 hours? Years? And related summary
statistics such as the number of msgs spewed, the time domain (is it
bursty or continuous), etc.

       -b

On July 1, 2003 at 17:30 research@solidmatrix.com (Yakov Shafranovich) wrote:
 > At 03:30 PM 7/1/2003 -0400, Barry Shein wrote:
 > 
 > 
 > >  At 03:35 PM 6/29/2003 -0400, Paul Judge wrote:
 > >  > >Just as in any other business, the profit in spamming is equal to revenues
 > >  > >minus costs. In spamming, revenue is equal to the number of spam messages
 > >  > >received times the response rate times the profit per item. Expenses include
 > >I will point out that the hard evidence for this is lacking.
 > >
 > >[..]
 > >More to the point I would assert that if we don't endeavor to nail
 > >down hard evidence and work forward from there we're in great danger
 > >of shadow-boxing with our own imaginings about how we would like to
 > >think spammers operate.
 > >
 > >I realize the urge to show progress is great and fact-gathering sounds
 > >like a frustrating impediment to some, but...how bad would it be if
 > >our efforts turned out to be foolish and disconnected from reality,
 > >research into a June bug*?
 > 
 > Great, what kind of evidence or things should we be looking for? From 
 > (http://www.irtf.org/asrg/asrg-work-items.txt):
 > 
 > ---snip---
 > 2.a. Spam Measurements. This work needs to be focused on immediately. This 
 > data will help us understand the current weaknesses in the system and where 
 > efforts should be focused. Requirements need to be set and then we have to 
 > gather the data. I see two separate paths here: One is based on user survey 
 > input. Ted Gavin has volunteered to conduct this. The other data is based 
 > on real spam measurements. Once the requirements are gathered, Brightmail, 
 > CipherTrust, CloudMark and MessageLabs have each volunteered to contribute 
 > information. Any other volunteers?
 > ---snip--
 > 
 > As you can see Brightmail, CipherTrust and a bunch of others agreed to 
 > provide data. All we need is to define what we are looking for.
 > 
 > Yakov 

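The measurements proposed in the message above (where spam comes from by network, how long a relay stays active, and whether it sends in bursts or continuously), as an added example that is not part of the original post. The log records, addresses (documentation ranges) and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network
from statistics import mean, pstdev

# Constructed sample: (receipt time, relay IP) pairs such as a spam trap might log.
SAMPLE = [
    ("2003-07-01T00:00:00", "192.0.2.10"),    # steady relay: one message per hour
    ("2003-07-01T01:00:00", "192.0.2.10"),
    ("2003-07-01T02:00:00", "192.0.2.10"),
    ("2003-07-01T03:00:00", "192.0.2.10"),
    ("2003-07-01T00:00:00", "198.51.100.7"),  # bursty relay: quick burst, long silence
    ("2003-07-01T00:00:01", "198.51.100.7"),
    ("2003-07-01T00:00:02", "198.51.100.7"),
    ("2003-07-01T06:00:00", "198.51.100.7"),
    ("2003-07-01T04:00:00", "192.0.2.99"),    # relay seen exactly once
]

def relay_stats(records):
    """Per-relay message count, active lifespan in seconds, and burstiness."""
    seen = defaultdict(list)
    for ts, ip in records:
        seen[ip].append(datetime.fromisoformat(ts))
    stats = {}
    for ip, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-arrival gaps:
        # 0 = perfectly regular, about 1 = random (Poisson-like), above 1 = bursty.
        # Undefined with fewer than two gaps, so report None rather than guess.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        stats[ip] = {
            "msgs": len(times),
            "lifespan_s": (times[-1] - times[0]).total_seconds(),
            "burstiness_cv": cv,
        }
    return stats

def network_concentration(records, prefix=24):
    """Share of all messages per source network, largest share first."""
    counts = defaultdict(int)
    for _, ip in records:
        counts[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    total = len(records)
    return sorted(((net, n / total) for net, n in counts.items()),
                  key=lambda item: -item[1])

if __name__ == "__main__":
    for ip, s in relay_stats(SAMPLE).items():
        print(ip, s)
    print(network_concentration(SAMPLE))
```

A flat share across many networks with short lifespans would fit the exploited-machine reading in point 1; a few networks holding most of the volume for long periods would fit the other.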