Re: [Endymail] spam versus cleartext

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 07 September 2014 17:19 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: endymail@ietfa.amsl.com
Delivered-To: endymail@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A61311A02FC for <endymail@ietfa.amsl.com>; Sun, 7 Sep 2014 10:19:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.301
X-Spam-Level: *
X-Spam-Status: No, score=1.301 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_46=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ak45_A_R5mv3 for <endymail@ietfa.amsl.com>; Sun, 7 Sep 2014 10:19:13 -0700 (PDT)
Received: from mail-la0-x235.google.com (mail-la0-x235.google.com [IPv6:2a00:1450:4010:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B80421A0476 for <endymail@ietf.org>; Sun, 7 Sep 2014 10:19:12 -0700 (PDT)
Received: by mail-la0-f53.google.com with SMTP id q1so7594336lam.40 for <endymail@ietf.org>; Sun, 07 Sep 2014 10:19:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=XToCGh+bNzGkWniOEKAfcnYgZB3xOEwP0Z0u/7/mE30=; b=SU2+T50R8d5r5H2rtiByPPnv+lXDhoEEbEOk4FShh3Q6gJJ+6T6wYaD0d/qTDaxjrA c+0oOYuLD1WNMv2eTSf8/ozk0HQ+LQ/vTFN4YZ/GabTqnsC4P0dsvpMHzkx81U6e1kOA LPjPQf5mjTW/21YTzqfdmTPNv5ePq9SzYKS6mWi7PDmhX8SUkDJS62xdOJylMwWUk6LL CJJ4ajdgDTv5FuLuJSR3zPAB5jo7/UQpq42KKiU1sMrMFDc9jp5rnlDtHqdQxUFntanE vMU5RsUM7saTlnsCllnN6EjvLSWcBSLPlJbXj4PiP1HQ8v2PORuo3JTYC2b5uDDtPytI sORA==
MIME-Version: 1.0
X-Received: by 10.152.87.170 with SMTP id az10mr901928lab.20.1410110350877; Sun, 07 Sep 2014 10:19:10 -0700 (PDT)
Received: by 10.112.64.170 with HTTP; Sun, 7 Sep 2014 10:19:10 -0700 (PDT)
In-Reply-To: <20140907170207.14888.qmail@joyce.lan>
References: <CACsn0cka7oDGi=UzSnM96+18QZ8U-1mADOn_ieVZZ6a+m5wUrw@mail.gmail.com> <20140907170207.14888.qmail@joyce.lan>
Date: Sun, 7 Sep 2014 13:19:10 -0400
Message-ID: <CAHbuEH5hoKV_cAPpEZUE2WYgAUd3G86bRQ4AvAU0g8WuNX2Q+g@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: John Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary=001a11c223b68ee6ef05027ce679
Archived-At: http://mailarchive.ietf.org/arch/msg/endymail/SX385kLqUhumChaL9a9IAc_tFIA
Cc: watsonbladd@gmail.com, endymail@ietf.org
Subject: Re: [Endymail] spam versus cleartext
X-BeenThere: endymail@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <endymail.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/endymail>, <mailto:endymail-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/endymail/>
List-Post: <mailto:endymail@ietf.org>
List-Help: <mailto:endymail-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/endymail>, <mailto:endymail-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Sep 2014 17:19:14 -0000

On Sun, Sep 7, 2014 at 1:02 PM, John Levine <johnl@taugh.com> wrote:

> >To connect to server side filtering, the filtering engine on the
> >server just needs to put probabilities it thinks that the message is
> >spam in the headers, as well as have a standardized means for the
> >client to report spam or ham. This doesn't seem that complicated: just
> >a double and some sort of forwarding info to get the backchannel.
> >(This assumes naive Bayes as a filter design)
>
> Keeping in mind that upwards of 90% of mail is spam, you're going to
> be downloading an order of magnitude mail if you do the filtering on
> the end device.  On a desktop with a cable connection that's probably
> OK.  On my phone, it's not.
>
>
I think it would be worthwhile to detail out the operational practices used
today for phishing and spear phishing as well.  The APWG does a lot of good
work with their members to help combat this problem.  Their members include
financial institutions (affected by these attacks), vendors (who help with
take-down services in combination with law enforcement and service
providers of mail servers, malware distribution points linked in phishing
emails, etc.) and other vendors/service providers who assist with maintaining
and distributing up-to-date block lists - not just for email, but also for
the malware distribution servers linked in email through the help of
browser vendors.

Understanding what they need to get their jobs done today and trying to
figure out what changes make sense could be very useful.  E2e may just
change their approach, and that may be fine, but I do think it's important
to understand the current environment and side impacts (good & bad) as we
move forward.

Maybe someone involved in the APWG can help here in a way similar to the
email that started this thread?

Thanks,
Kathleen


> >True: how much do DKIM+sender-based blacklists do vs. filtering
> >based on content?
>
> In terms of volume, IP blacklists are still by far the most effective,
> since they knock out most botnet spam.  Other than DMARC, which is a
> separate can of worms, I don't know of anyone who does message
> rejection based on DKIM signatures.  There's a whole lot of body
> filtering going on.
>
Same thing for malware distribution points in phishing attacks: blacklists
provided through web browsers are very effective.  They use very few analytic
(human) resources and impact every browser user (enterprise or home).

The changes in operational handling of phishing may not be as bad if end
users are mostly relied upon to report anyway, but it would be good to
understand how we might be changing things.

Thanks,
Kathleen


> R's,
> John
>
> _______________________________________________
> Endymail mailing list
> Endymail@ietf.org
> https://www.ietf.org/mailman/listinfo/endymail
>



-- 

Best regards,
Kathleen
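The proposal quoted at the top of this message (server puts its spam probability in a header, client applies its own threshold and reports back) already exists in a rough form: the X-Spam-Status header that amavisd-new/SpamAssassin stamped on this very message carries the score, the threshold and every contributing test. The block below is an added illustration written for this archive page, not code from the thread, from the APWG or from SpamAssassin. It parses that header format, makes the client-side accept/reject decision, and then asks the question this thread is really about: how much of the score would survive if the body were end-to-end encrypted. The SAMPLE_HEADER value is copied from this message's own headers; the second sample is constructed; the split of test names into body-dependent and envelope/authentication tests (BODY_TESTS) is an assumption made for illustration, not SpamAssassin's own classification.

```python
"""Parse a SpamAssassin-style X-Spam-Status header and make a client-side
spam decision from it.

Added example for this archive page; not code from the thread or from
SpamAssassin. The test-name categorisation below is an assumption.
"""
import re
from dataclasses import dataclass

# Copied from this message's own X-Spam-Status header (a real, non-spam value).
SAMPLE_HEADER = (
    "No, score=1.301 tagged_above=-999 required=5 tests=[BAYES_50=0.8, "
    "DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, "
    "HTML_MESSAGE=0.001, J_CHICKENPOX_46=0.6, SPF_PASS=-0.001] autolearn=no"
)

# Constructed sample of a message the server did flag (values invented).
SAMPLE_SPAM_HEADER = (
    "Yes, score=7.2 tagged_above=-999 required=5 tests=[BAYES_99=3.5, "
    "HTML_MESSAGE=0.001, RCVD_IN_XBL=3.0, URIBL_BLACK=0.699] autolearn=spam"
)

# Assumption for illustration: tests that need the cleartext body. Everything
# else here is decided from headers, envelope, DNS lists or authentication
# results, so it keeps working when the body is end-to-end encrypted.
BODY_TESTS = {"BAYES_50", "BAYES_99", "HTML_MESSAGE", "J_CHICKENPOX_46", "URIBL_BLACK"}


@dataclass
class SpamStatus:
    flagged: bool          # the server's own verdict ("Yes"/"No")
    score: float           # total score the server computed
    required: float        # the server's threshold
    tests: dict            # test name -> score contribution
    autolearn: str


def parse_spam_status(value: str) -> SpamStatus:
    """Parse 'Yes|No, key=value ... tests=[NAME=score, ...] ...' into a SpamStatus."""
    flag, _, rest = value.partition(",")
    fields = {}
    # The tests=[...] value contains spaces and commas, so match it as one unit
    # before falling back to the whitespace-free key=value form.
    for m in re.finditer(r"(\w+)=(\[[^\]]*\]|\S+)", rest):
        fields[m.group(1)] = m.group(2)

    tests = {}
    for item in fields.get("tests", "[]").strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        name, _, contrib = item.partition("=")
        tests[name] = float(contrib) if contrib else 0.0

    return SpamStatus(
        flagged=flag.strip().lower() == "yes",
        score=float(fields["score"]),
        required=float(fields["required"]),
        tests=tests,
        autolearn=fields.get("autolearn", ""),
    )


def client_verdict(status: SpamStatus, threshold=None) -> bool:
    """Client-side decision: trust the server's score but apply our own threshold
    (None means use the server's 'required' value)."""
    limit = status.required if threshold is None else threshold
    return status.score >= limit


def score_without_body(status: SpamStatus, body_tests=BODY_TESTS) -> float:
    """Score the server could still compute if the body were encrypted,
    i.e. with every body-dependent test removed."""
    return round(sum(v for k, v in status.tests.items() if k not in body_tests), 3)


if __name__ == "__main__":
    for hdr in (SAMPLE_HEADER, SAMPLE_SPAM_HEADER):
        s = parse_spam_status(hdr)
        print(f"server={s.flagged} score={s.score} client={client_verdict(s)} "
              f"header-only score={score_without_body(s)}")
```

For this message, every test except the DKIM, SPF and FREEMAIL checks depends on the body, so the header-only score drops from 1.301 to -0.1; for the constructed spam sample only the DNSBL hit (RCVD_IN_XBL) survives, which is exactly John's point that IP blacklists carry most of the weight regardless of what happens to the body.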