Re: [Asrg] seeking comments on new RMX article

J C Lawrence <claw@kanga.nu> Tue, 06 May 2003 18:24 UTC

To: "Eric D. Williams" <eric@infobro.com>
cc: "asrg@ietf.org" <asrg@ietf.org>
Subject: Re: [Asrg] seeking comments on new RMX article
In-Reply-To: Message from "Eric D. Williams" <eric@infobro.com> of "Tue, 06 May 2003 13:02:47 EDT." <01C313CF.E5F6F170.eric@infobro.com>
References: <01C313CF.E5F6F170.eric@infobro.com>
X-image-url: http://www.kanga.nu/~claw/kanga.face.tiff
X-url: http://www.kanga.nu/~claw/
Message-ID: <4941.1052245041@kanga.nu>
From: J C Lawrence <claw@kanga.nu>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Tue, 06 May 2003 11:17:21 -0700

On Tue, 6 May 2003 13:02:47 -0400 
Eric D Williams <eric@infobro.com> wrote:
> On Tuesday, May 06, 2003 12:30 PM, J C Lawrence [SMTP:claw@kanga.nu]
> wrote:
>> On Tue, 6 May 2003 11:42:47 -0400 Damian Gerow <damian@sentex.net>
>> wrote:
 
>>> So all that really happens is that things like open relays and open
>>> proxies become less and less valuable, and anonymous remailers
>>> become infinitely more popular.  However, they are no more
>>> /valuable/ than they are right now -- they provide the same service,
>>> they do the same thing.

>> We currently have compromised Windows systems being used as spam
>> origination points.  Are we next going to see such zombie systems
>> used as anonymous remailers?  Or are they more likely to use the
>> compromised system to extract appropriate mailing credentials to tack
>> onto spam (creds which for instance satisfy RMX etc)?

> How would such an attack work?  Although you present an interesting
> issue re: security and 'zombie' eMail, how would RMX break (if that is
> your implication) in the proposed scenario?  What credentials other
> than domain name and IP address would satisfy an RMX query if stolen?
> In any event the 'zombie' (or maybe zonebie is better :) would be a
> security concern first and a spam origination concern second IMHO.

The trivial approach:

  BoxA is compromised.

  The zombie code sucks in a spamming engine (SE).

  The SE determines the mail configuration of BoxA in terms of
  appropriate SMTP envelope etc from the registry.

  BoxA spams away using the stolen credentials from its registry.

Notes:

  Yeah, it's illegal.  So is a significant percentage of the spam I
  receive.  Additionally, chasing law-breaking spammers across
  international borders is not a fun game.

  This is a bad scenario, not just for RMX, but on almost all scores.
  Most automated authentication or credential schemes can be broken if
  subjected to localhost compromise.  In essence it's a replay attack
  using the same source node.  It's not clear to me that it is possible
  to defend against this case in any reasonable fashion, with or without
  RMX.

  RMX suffers in this scenario as perfectly legitimate mail cannot be
  distinguished from spam.  This pain is not exclusive to RMX, it's just
  a side effect.

  It makes the ISP a target and gives some, very marginal and slight,
  encouragement for ISPs to __attempt__ to police their users' systems
  and pro-actively search out and shut down compromised systems.  This
  will not be welcomed by ISPs or the ISP's users.  Prediction: One big
  finger pointing whining profit margin eating tar baby morass.

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw@kanga.nu               He lived as a devil, eh?		  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
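The point Lawrence makes above (an RMX record cannot separate legitimate mail from spam once the sending host itself is compromised, and the only party with data to notice is the ISP) can be illustrated with a small model. The following is an added example, not code from the thread or from the RMX proposal: it replaces the DNS lookup RMX would do with an in-memory table of authorized sender networks, and every domain, address, message count and threshold in it is constructed for the illustration.

```python
"""
Simplified model of an RMX-style sender check, written to illustrate the
point in the thread: an IP-based authorization record cannot tell
legitimate mail from spam sent by a compromised host that is itself
authorized. All domains, addresses and the policy table are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed RMX-like policy: which sender networks may emit mail that
# claims each envelope domain. The real RMX proposal published this in
# DNS; an in-memory table stands in for that lookup here.
RMX_POLICY = {
    "example-isp.test": [ip_network("198.51.100.0/24")],   # ISP customer pool
    "example-corp.test": [ip_network("203.0.113.10/32")],  # one corporate MTA
}


@dataclass(frozen=True)
class Envelope:
    mail_from_domain: str   # domain of the SMTP MAIL FROM address
    source_ip: str          # address the connection actually came from


def rmx_check(env: Envelope, policy=RMX_POLICY) -> str:
    """Return 'pass', 'fail' or 'none' (no record published for the domain)."""
    nets = policy.get(env.mail_from_domain)
    if nets is None:
        return "none"
    src = ip_address(env.source_ip)
    return "pass" if any(src in n for n in nets) else "fail"


# Constructed traffic sample: one legitimate customer, one outside host
# forging the ISP's domain, and one compromised customer machine ("BoxA")
# sending in bulk with its own, genuinely authorized, domain and address.
SAMPLE = [
    Envelope("example-isp.test", "198.51.100.7"),    # legitimate user
    Envelope("example-isp.test", "192.0.2.99"),      # forged from outside
] + [Envelope("example-isp.test", "198.51.100.42")] * 500  # BoxA, zombie


def rmx_results(sample=SAMPLE) -> dict:
    """Count the verdicts RMX alone would give for the sample."""
    return dict(Counter(rmx_check(e) for e in sample))


def volume_outliers(sample=SAMPLE, threshold: int = 100) -> list:
    """
    The complementary signal only the ISP holds and RMX cannot provide:
    per-source message counts over the window, flagging hosts above the
    threshold. This is the sort of data an ISP would need to find the
    compromised customer machines the thread talks about; the threshold
    is an assumed value, not something RMX defines.
    """
    counts = Counter(e.source_ip for e in sample)
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    # RMX passes 501 messages (1 legitimate, 500 from BoxA) and fails only
    # the outside forgery; the volume view is what singles out BoxA.
    print(rmx_results())         # {'pass': 501, 'fail': 1}
    print(volume_outliers())     # ['198.51.100.42']
```

The outside forgery is the only case RMX rejects; the 500 messages from the compromised but authorized host are indistinguishable, by RMX, from the one legitimate message. The per-source count is deliberately crude: it is there to show that the discriminating data lives with the network operator, which is exactly why the thread expects the burden to land on ISPs.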