Re: [Asrg] request for review for a non FUSSP proposal

Rich Kulawiec <> Thu, 25 June 2009 11:39 UTC

Date: Thu, 25 Jun 2009 07:35:21 -0400
From: Rich Kulawiec <>
To: Anti-Spam Research Group - IRTF <>

On Wed, Jun 24, 2009 at 09:36:14AM +0200, Claudio Telmon wrote:
> I don't think that much action would be needed. If my system is
> compromised, the tokens I have were compromised. My friends would
> complain (the "local" blame that works), and the spammer would have a
> token for the mailing list, the one I use, so it would be able to send
> spam to the list.

(a) How would your friends know?


(b) What stops an attacker who has compromised Fred's *and* Barney's
computers from using Barney's tokens from Fred's computer?  Keep in
mind that since the attacker has full control over both systems,
he/she also has, or can have, all of Fred and Barney's email
credentials -- login names, passwords, etc.


(c) I get the sense that this will scale as N^2, which doesn't bode well.

> Dealing with the framework without an address book would be actually
> impossible.

So you want me to stop using the mail client I've used for years --
which I've deliberately chosen because of its simplicity, speed,
features, and most importantly, security?

Not a chance.

Moreover, even if I had a mail client with an address book, why would
I want to put 11,500 people in it?  Especially since the overwhelming
majority of those communications are one-time?

> With respect to numbers, I cannot answer. People and
> software explicitly dealing with large lists of addresses/subscribers
> would usually need to deal with an equal (well, double) number of
> tokens. People like you, dealing, if I understand correctly, with a
> large number of occasional correspondents, would need to do the same.

I'm already way too busy to even try to answer most of my email; where
am I going to get all the extra time needed to do this task?  Especially
given that there is no meaningful anti-spam value: if today I approve
a token from Fred, that doesn't help me at all if Fred's computer
is compromised tomorrow night and delivers 50 spam messages to me before
I wake up the next morning.  I could have done *nothing* and done just
as well.

> > Moreover, "informing the owners" has already proven to be a badly-losing
> > strategy.  *If* the owners actually receive such communication
> > (telling them their system is probably compromised), they tend to
> > either disbelieve it, ignore it, classify it as a phish--often correct,
> > deny it, or act ineffectively to remedy the situation.
> Do you feel that the same would be true if the communication were not an
> automated communication but a communication from correspondents, not by
> email, and maybe implying the (temporary) inability to communicate with
> some of them? This would actually severely limit the usability of the
> scheme.

Two points; first:

If it's not automated, it won't scale.

If it's automated, then it will be faked billions of times and people
will quickly learn not to pay any attention to it.

Second: how am I going to communicate with correspondents "not by email"
when that's the only way I *have* to communicate with them?  You can't
seriously expect me or anyone else to spend our time IM'ing or phoning
or otherwise trying to convince people that their system is compromised.
I see several thousand attempts per day on this address alone that
are obviously from compromised end-user systems.

> >  No anti-spam
> > scheme which requires effective, clueful participation by end-users has
> > any chance of working: if they existed (in very large numbers) then we
> > wouldn't have such a large spam problem because (a) their systems would
> > be compromised in huge numbers and (b) they would have learned by
> > now to never respond to any spam.
> I don't know. I, like probably each of us, am often asked by friends to
> "reinstall" their systems because they are full of garbage. [...]
> Should I receive spam using their token, I could be much more aggressive
> than I've been until now, and maybe others would do the same. This kind
> of blame usually works with other communication channels (again, people
> disseminating phone numbers), why shouldn't it work with email? People
> usually don't care about ineffective blame, but don't like to be considered
> stupid by their friends.

We're now 6-7 years into the period when Windows systems are compromised
at will by attackers and used not just for spam, but for DoS attacks
and all kinds of other mischief.   Yet there has been no mass migration
away from these insecure and insecurable systems -- just a little bit
of movement here and there.  Your approach won't get them to change either.
They'll either (a) deny there's a problem, (b) run some anti-malware tool
on their compromised system and believe what it says, (c) get someone
else to do (b), or (d) in rare cases, get the system detoxed using
known-clean boot media or by starting over...but will then get it
re-infested a month later the same way they got it infested the first time.
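A constructed model of the per-correspondent token scheme argued over in this thread, added here to make points (b) and (c) and the "50 spam messages before I wake up" scenario concrete. This is not code from the proposal or from anyone on the list; the mailbox class, the addresses and the host names are assumptions. It treats the token as a bearer credential shared between two correspondents, which is how the quoted description reads: the receiving side checks only that the token matches the one it issued to the claimed sender, so it has no way to tell a healthy sender from a compromised one, or a token presented from the host it was issued to from the same token presented from some other compromised host. The last function counts how many tokens a full mesh of N correspondents has to manage.

```python
"""Toy model of a pairwise bearer-token anti-spam scheme.

Constructed illustration, not code from the proposal discussed on the list:
each pair of correspondents shares a token; a mailbox accepts a message only
if it carries the token its owner issued to the claimed sender.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Message:
    sender: str        # claimed sender address
    token: str         # bearer token presented with the message
    origin_host: str   # host the message was really sent from (assumed label)
    body: str


@dataclass
class Mailbox:
    owner: str
    # tokens this owner has issued, keyed by correspondent address
    issued: dict = field(default_factory=dict)
    # tokens this owner holds for sending to others, keyed by recipient
    held: dict = field(default_factory=dict)
    inbox: list = field(default_factory=list)

    def approve(self, other: "Mailbox") -> None:
        """Owner approves `other`: a fresh token is issued and handed over;
        `other` must present it on every message it sends here."""
        tok = secrets.token_hex(8)
        self.issued[other.owner] = tok
        other.held[self.owner] = tok

    def receive(self, msg: Message) -> bool:
        """Accept iff the presented token is the one issued to the claimed
        sender. The check cannot see whether the sender's host is compromised,
        nor whether the token was lifted from a different compromised host."""
        if self.issued.get(msg.sender) == msg.token:
            self.inbox.append(msg)
            return True
        return False

    def revoke(self, sender: str) -> None:
        """Withdraw a correspondent's token (what the owner can do after the
        fact, once somebody has noticed the abuse)."""
        self.issued.pop(sender, None)


def scenario_compromised_sender(n_spam: int = 50) -> int:
    """Fred was approved yesterday; his machine is compromised overnight and
    the malware mails `n_spam` messages with Fred's own token before anyone
    reacts. Returns how many of them the token check accepted."""
    me, fred = Mailbox("me@example.net"), Mailbox("fred@example.net")
    me.approve(fred)
    accepted = 0
    for i in range(n_spam):
        msg = Message(fred.owner, fred.held[me.owner], "fred-pc", f"spam #{i}")
        accepted += me.receive(msg)
    return accepted


def scenario_token_from_other_host() -> tuple:
    """Fred's and Barney's machines are both compromised and Barney's token is
    presented from Fred's machine. Returns (accepted before revocation,
    accepted after revocation): only after-the-fact revocation helps."""
    me, fred, barney = (Mailbox(a) for a in
                        ("me@example.net", "fred@example.net", "barney@example.net"))
    me.approve(fred)
    me.approve(barney)
    stolen = barney.held[me.owner]
    before = me.receive(Message(barney.owner, stolen, "fred-pc", "spam"))
    me.revoke(barney.owner)
    after = me.receive(Message(barney.owner, stolen, "fred-pc", "spam"))
    return before, after


def token_counts(n_users: int) -> tuple:
    """Full mesh of approvals among `n_users` correspondents.
    Returns (tokens each user must hold, tokens issued system-wide)."""
    boxes = [Mailbox(f"user{i}@example.net") for i in range(n_users)]
    for a in boxes:
        for b in boxes:
            if a is not b:
                a.approve(b)
    per_user = len(boxes[0].held)
    total = sum(len(b.issued) for b in boxes)
    return per_user, total
```

Running the three scenarios gives the numbers the argument above relies on: every one of the 50 overnight messages passes the token check, Barney's token is accepted from Fred's machine until it is explicitly revoked, and a mesh of N correspondents leaves each user holding N-1 tokens with N(N-1) tokens in circulation overall.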