Re: [Asrg] An "ideal" false positive (TMGRS take 2)

Rich Kulawiec <rsk@gsp.org> Mon, 15 February 2010 00:21 UTC

Date: Sun, 14 Feb 2010 19:23:09 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <20100215002309.GB21231@gsp.org>
References: <4B61D1BA.6060807@tana.it> <20100129135607.GB27203@gsp.org> <4B6321ED.4050403@tana.it>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4B6321ED.4050403@tana.it>
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: [Asrg] An "ideal" false positive (TMGRS take 2)

On Fri, Jan 29, 2010 at 06:59:09PM +0100, Alessandro Vesely wrote:
> >On Thu, Jan 28, 2010 at 07:04:42PM +0100, Alessandro Vesely wrote:
> >> Alice reports as spam a message from Bob, either by mistake or out
> >> of curiosity.
> >
> >But there is no way to know that Alice actually filed the report
> >or that Bob actually sent the message.
> 
> Botted users and nonsensical users would result in disputes that
> will eventually reveal their true nature.

How, exactly?

Keep in mind that botted users now constitute a significant fraction
of the Internet's total population (whether we're counting "users"
as "human beings" or "email accounts". [1])  Further, The Bad Guys who
have their hands on those 100M+ systems out there can use them,
or any other systems they have access to, to create an essentially-unlimited
number of accounts at any/all of the 10K+ freemail providers out there. [2]

So if there was some strategic reason why having billions of email
accounts, whether "real" or "fake", would provide them with an advantage:
they could make that happen with minimal effort.  They've already long
since demonstrated the ability to do this -- and to do so at rates
that vastly outpace anybody's attempt to keep up with them.

> (For the time being, let's
> discard the case that _both_ Alice and Bob are botted, with their
> bots playing funny games with one another.)

Why should we do that?  Spammers/abusers won't.  They already have
the capability to do this, and if they can somehow game the system
by doing so, *they will*.  Sure, they'll probably make some missteps,
some of which will be obvious, perhaps even laughable, but they'll
learn soon enough.  And some of them will become very good at it.

We know this because they've done it before.

*Anything* that presumes that end-user systems actually belong to
the end-users who think they own them is going to be highly susceptible
to manipulation -- and more so every day, every week, every month
that goes by.  It's only a question of whether or not the enemy
will choose to trouble themselves doing so, and I think that
if it inconveniences them or cuts into their profits, they will.

---Rsk

[1] I've been trying to estimate how many sets of credentials have
been compromised.  If we take very conservative estimates for zombie'd
systems (100M), email accounts (5 per system) and web sites (10 per
system) we get 1.5 billion.  If we use more realistic numbers, we
get 5 billion.  If we go with some of the higher/outlier numbers, 10-20 billion.

I suppose the best that can be said is that it's clearly a large
and monotonically-increasing number.  And that nobody, anywhere,
is taking any effective action to put a stop to it.

[2] Given that there are approximately 10K freemail providers/domains,
clearly it's within the reach of spammers or other bad guys to create
enormous numbers of accounts -- should they have a reason to do so,
and obviously they do, and they have.  They use these to send spam,
to act as dropboxes for spam, to register domains, etc.; there is no
reason to think they wouldn't use them to game reporting systems and
every reason to think they would.