Re: [Asrg] An "ideal" false positive (TMGRS take 2)

Rich Kulawiec <rsk@gsp.org> Mon, 15 February 2010 00:01 UTC

On Sun, Feb 14, 2010 at 03:51:44PM -0800, Michael Thomas wrote:
> Why is "security policy" different than "crown jewels"? If they own my
> machine, they can tar up a svn checkout of the crown jewels and do
> immeasurably more harm than shipping bogus anti spam reports.

Perhaps, but (a) that would be far more difficult to automate
(b) it might or might not serve their purposes (c) it would have
limited impact.

> That and it might be *good* for them to start trying to game AS
> reporting stuff: if the backend started looking for those patterns,
> they'd probably stick out like a sore thumb, and you could put the
> machine in the penalty box.

I'm sure that SOME of their attempts to game these would be sufficiently
heavy-handed as to stick out like a sore thumb.  I'm equally certain
that some of them would not.  Don't underestimate the enemy's intelligence,
diligence, or guile.

---Rsk