Re: [Asrg] Point of information...

Barry Shein <bzs@world.std.com> Fri, 20 June 2003 23:34 UTC

From: Barry Shein <bzs@world.std.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <16115.39389.986920.976051@world.std.com>
To: Yakov Shafranovich <research@solidmatrix.com>
Cc: Barry Shein <bzs@world.std.com>, asrg@ietf.org
Subject: Re: [Asrg] Point of information...
In-Reply-To: <5.2.0.9.2.20030620175628.00b92600@std5.imagineis.com>
References: <5.2.0.9.2.20030619221149.00b67008@std5.imagineis.com> <200306192120.RAA16724@world.std.com> <5.2.0.9.2.20030620175628.00b92600@std5.imagineis.com>
X-Mailer: VM 7.07 under Emacs 21.2.2
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Fri, 20 Jun 2003 19:33:49 -0400

On June 20, 2003 at 18:10 research@solidmatrix.com (Yakov Shafranovich) wrote:
 > So your bottom line is that the spam problem is based on "how spammers 
 > amplify their distribution channels while keeping costs nearly at zero." 

I propose that if that is removed (or seriously diminished) the
problem will become mostly inconsequential and can then be dealt with
more in the manner of "consenting communications" via various methods,
mostly MUA, routinely mentioned here.

 > Legally pursuing spammers is not something we can affect or do in this 
 > group. But what we CAN do, is look at these aspects closer and see if any 
 > technical solutions are possible.
 > 
 > There are several approaches that have been mentioned that might have 
 > relevance to this. First of all, making sure email is not untraceable allows 
 > for LEA to catch the spammers. This would involve either changing SMTP, 
 > implementing C/R, or some other system that would allow for traceability. 
 > Domain names being owned by spammers is a problem too. Solutions must be 
 > made to deal with that as well. Foreign ISPs allowing for spam are also a 
 > problem. And as you have mentioned many times before, computers infected 
 > with viruses and other similar junk are a problem as well, although I do 
 > not see any possible solutions for that as well, not even any avenues of 
 > research.

Many years ago I had a professor who ran an 800-student lecture like a
discussion group taking questions at any time.

His only admonition, when a hand went up, would be "are you SURE the
other 799 people in the room are interested in what you are about to
ask? Or can it wait until after class?"

It worked pretty well.

On that note, I won't try to address your telling us of your personal
inability to think of any possible solutions...[or]...avenues of
research...

Let's start easy.

We've seen various blacklists. I consider them a mostly bad idea,
perhaps of some use to individuals, but it's something we should all
be familiar with.

Some of the more notorious black lists actively scanned the net with
software for systems which fit their notion of "open relays" and would
add these to the net as a hazard.

Now, would it be possible to scan similarly for systems infected with
Jeem or one of the other spammer slave bugs?

What would we do with that information?

That's probably not necessary to answer, unless someone doubts
anything good could be done. But, for example, inform the owner, an
ISP might quarantine or mail rate-limit a known infected computer
until it's fixed, block it entirely (from mail, from everything), etc.

Also, could these viruses be used as honeypots to gather information
about who is using them for both evidence and to just get those perps
shut down and/or blocked?

Anyhow, this all starts with whether it's possible to write a piece of
software which begins to scan the net for infected systems? I don't
know enough about these specific viruses right now to answer that
question: Do they use hard to guess passwords? Do they give failure
indications on use of a bad passwd which identifies the infection, or
listen on a specific port, etc?

Maybe we should also issue an RFC that simply says that the days of
computer, including personal and desktop computer, operating systems
being vulnerable to viruses (within some problem definition) should
have been over years ago via widely distributed and well-known
techniques utilized in highly successful and comparable operating
systems software.

As such, any operating system which does not meet a minimum standard
of being viral resistant (obviously some detail is needed here) and is
connected to the internet is non-conformant to RFC XYZZY or however
that's usually worded and is a potential hazard to the net at large.

For the love of money, XP and Windows/ME (and all earlier MS windows)
are both vulnerable to Jeem, sobig.a, and Proxy-Guzu, some of the more
cited viruses used in this sort of spamming.

And, in all cases, according to Symantec's database:

  Systems Not Affected: Macintosh, OS/2, UNIX, Linux

I rest my case.

I think we know who's handing out the free whiskey and loaded shotguns
in the bad part of town. Make them stop doing that.

-- 
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg