Re: [Asrg] request for review for a non FUSSP proposal

"Claudio Telmon" <> Thu, 25 June 2009 13:47 UTC


From: Rich Kulawiec

> (a) How would your friends know?

They too get spam with my tokens, unless the spammer decided to just target the mailing list. Each of them will receive spam messages carrying the token they provided (just) to me.

> and
> (b) What stops an attacker who has compromised Fred *and* Barney's
> computer from using Barney's tokens from Fred's computer?  Keep in
> mind that since the attacker has full control over both systems,
> he/she also has, or can have, all of Fred and Barney's email
> credentials -- login names, passwords, etc.

Hmm, maybe I don't understand the scenario. If the spammer uses the tokens he found on Barney's computer, he will be able to send spam to Barney's contacts, no matter from which computer. And Barney's contacts will know that Barney's computer has been compromised, since they gave that token to Barney, no matter where the message comes from.

> and
> (c) I get the sense that this will scale as N^2, which doesn't bode well.

I considered this issue, but I think it doesn't apply. It would be a problem if some part of the system needed to deal with all of the tokens. However, each user will deal with N tokens, no matter if they are equal or different from the tokens others use. To be clear: each will have N addresses of their correspondents, which scale with N. Each will have N (well, 2N) tokens for their correspondents, even if they are different for each couple and scale with N^2. They won't see the difference, nor will any part of the system.

> So you want me to stop using the mail client I've used for years --
> which I've deliberately chosen because of its simplicity, speed,
> features, and most importantly, security?
> Not a chance.

:) Each tool has some drawbacks. As we (almost) switched from telnet to ssh, people started to need keyrings, which are very similar in terms of usability. There was a good reason for this, which had to be evaluated by each person vs. the convenience of telnet. 
However, if you won't adopt the consent framework, you may still be required to insert tokens if your correspondents adopt the framework. But, if most (of your correspondents) agree with you and don't see a benefit from the framework, they won't adopt it either and you won't be required to put tokens in your messages.

> Moreover, even if I had a mail client with an address book, why would
> I want to put 11,500 people in it?  Especially since the overwhelming
> majority of those communications are one-time?

If a communication is one-time, you don't need to add the address to an address book, since you won't need to keep any token for future contacts. BTW, this may increase the use of short text-only messages for fast email exchanges, instead of html or similar. This kind of message would fit the constraints of consent requests, and wouldn't require actually managing tokens.

> I'm already way too busy to even try to answer most of my email; where
> am I going to get all the extra time needed to do this task?

The goal is to have fewer useless messages to deal with. If you have a very low noise/signal in your messages, then the framework probably wouldn't fit your need. I see it somewhat as publishing the cell number and spending the time answering the (few?) undesired calls, instead of spending time giving the number only to people you want to talk with.
However, I would avoid any evaluation based on personal taste (mine or yours); that's why I asked if there are available statistics on how many correspondents people have.

>  Especially
> given that there is no meaningful anti-spam value: if today I approve
> a token from Fred, that doesn't help me at all if Fred's computer
> is compromised tomorrow night and delivers 50 spam messages to me before
> I wake up the next morning.  I could have done *nothing* and done just
> as well.

So you don't think that being able to tell Fred that he, and not "the Internet", is the reason why you receive spam, would not help convince Fred to keep his computer clean? I mean, if Fred cares about your opinion, which usually happens with at least some of our correspondents (and usually happens much less if the communication comes from some unknown person).

> > Do you feel that the same would be true if the communication were not an
> > automated communication but a communication from correspondents, not by
> > email, and maybe implying the (temporary) inability to communicate with
> > some of them? This would actually severely limit the usability of the
> > scheme.
> Two points; first:
> If it's not automated, it won't scale.

It will, in my opinion, since it is distributed among the same people that increase the number. Saying that anything that is not automated won't scale is a bit too generic.

> Second: how am I going to communicate with correspondents "not by email"
> when that's the only way I *have* to communicate with them?  You can't
> seriously expect me or anyone else to spend our time IM'ing or phoning
> or otherwise trying to convince people that their system is compromised.

Well, I do :) Either you are interested in communicating with them, or you're not. If you're not, just invalidate their token and avoid providing a new one. If you are interested, and you know that their system is compromised (don't think of the consent framework, it doesn't matter in this), wouldn't you look for a means to tell them? If someone I want to send mail to has some consistent delivery error, so that I cannot contact him by email, I usually manage to inform him through some other channel.
From what I understand and hear about social networks (actual social networks, not the services that support some), they are very effective in forcing people to a behaviour that is accepted by their peers. BTW, this is how the Internet managed to have a "netiquette" in the beginning.
This interest in not having our peers as our main source of spam is the "social" base for the whole framework, be it because you tell them, or because you invalidate their token.

> I see several thousand attempts per day on this address alone that
> are obviously from compromised end-user systems.

These thousands of attempts are due to thousands of compromised systems, not to thousands of compromised correspondents of yours. The number of systems the spammer would use with the same token is not relevant, since they would all be blocked by invalidating that token.

>  Yet there has been no mass migration
> away from these insecure and insecurable systems -- just a little bit
> of movement here and there.  Your approach won't get them to change either.

Why should they? People are used to these problems, which to them seem to be part of ICT. However, I don't agree that a properly configured Windows system is that undefendable these days.

> (b) run some anti-malware tool
> on their compromised system and believe what it says (c) get someone
> else to do (b) or (d) in rare cases, get the system detoxed using
> known-clean boot media or by starting over...but will then get it
> re-infested a month later the same way they got it infested the first time.

Well, they will do what they can. Which, in my opinion, would take us anyway to a much cleaner Internet than it is now.

Claudio Telmon
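
The token bookkeeping argued over in this message (a leaked token identifies the correspondent it was given to regardless of sending host, one revocation blocks every host using it, and each user stores about 2N tokens while the total grows as N^2), modelled as an added example that is not part of the original thread or the proposal's own code. The class, function names and token format are assumptions.

```python
import secrets

class ConsentStore:
    """One user's token table (hypothetical model; names are illustrative)."""
    def __init__(self, owner):
        self.owner = owner
        self.issued = {}      # token I handed out -> correspondent who holds it
        self.received = {}    # correspondent -> token they handed to me
        self.revoked = set()

    def issue(self, correspondent):
        token = secrets.token_urlsafe(16)   # constructed format, unguessable
        self.issued[token] = correspondent
        return token

    def check(self, token):
        """Holder of a valid token, or None if unknown or revoked.
        The sending host is deliberately not an input."""
        if token in self.revoked:
            return None
        return self.issued.get(token)

    def report_spam(self, token):
        """Revoke the token and return the correspondent whose copy leaked."""
        holder = self.issued.get(token)
        if holder is not None:
            self.revoked.add(token)
        return holder

    def size(self):
        return len(self.issued) + len(self.received)

def build_network(names):
    """Every ordered pair (a, b): a issues a distinct token to b."""
    stores = {n: ConsentStore(n) for n in names}
    for a in names:
        for b in names:
            if a != b:
                stores[b].received[a] = stores[a].issue(b)
    return stores

def simulate_leak(stores, victim, target, sending_hosts):
    """The token `target` gave `victim` is stolen and replayed from many hosts."""
    stolen = stores[victim].received[target]
    before = [stores[target].check(stolen) for _ in sending_hosts]
    blamed = stores[target].report_spam(stolen)
    after = [stores[target].check(stolen) for _ in sending_hosts]
    return before, blamed, after
```
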