Re: [Rucus] [spitstop] Botnets, take 2... Re: Draft RUCUS charter
"Jan Seedorf" <Jan.Seedorf@nw.neclab.eu> Fri, 22 February 2008 11:44 UTC
Return-Path: <rucus-bounces@ietf.org>
X-Original-To: ietfarch-rucus-archive@core3.amsl.com
Delivered-To: ietfarch-rucus-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DB56128C17D; Fri, 22 Feb 2008 03:44:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.086
X-Spam-Level: *
X-Spam-Status: No, score=1.086 tagged_above=-999 required=5 tests=[AWL=-1.169, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, MANGLED_SPAM=2.3, RDNS_NONE=0.1, SARE_UNSUB30=0.351, SARE_UNSUB30B=0.041]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bUbTo3d6ZwBf; Fri, 22 Feb 2008 03:44:16 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E8E03A6B7A; Fri, 22 Feb 2008 03:44:16 -0800 (PST)
X-Original-To: rucus@core3.amsl.com
Delivered-To: rucus@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B5C473A6B7A for <rucus@core3.amsl.com>; Fri, 22 Feb 2008 03:44:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Af3KgweftARK for <rucus@core3.amsl.com>; Fri, 22 Feb 2008 03:44:14 -0800 (PST)
Received: from smtp0.neclab.eu (smtp0.neclab.eu [195.37.70.41]) by core3.amsl.com (Postfix) with ESMTP id B936F3A6839 for <rucus@ietf.org>; Fri, 22 Feb 2008 03:44:13 -0800 (PST)
Received: from localhost (localhost.office [127.0.0.1]) by smtp0.neclab.eu (Postfix) with ESMTP id 7CC582C000355; Fri, 22 Feb 2008 12:44:09 +0100 (CET)
X-Virus-Scanned: Amavisd on Debian GNU/Linux (atlas2.office)
Received: from smtp0.neclab.eu ([127.0.0.1]) by localhost (atlas2.office [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MrH9fE1mstx2; Fri, 22 Feb 2008 12:44:09 +0100 (CET)
Received: by smtp0.neclab.eu (Postfix, from userid 1001) id 5DB7F2C009E8F; Fri, 22 Feb 2008 12:44:09 +0100 (CET)
Received: from mx1.office (mx1.office [10.1.1.23]) by smtp0.neclab.eu (Postfix) with ESMTP id BF9172C000355; Fri, 22 Feb 2008 12:43:48 +0100 (CET)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Fri, 22 Feb 2008 12:42:47 +0100
Message-ID: <113091BD57179D4491C19DA7E10CD69601B5639F@mx1.office>
In-Reply-To: <47BEAEE3.4040701@gmx.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [spitstop] [Rucus] Botnets, take 2... Re: Draft RUCUS charter
Thread-Index: Ach1RFsqW1IrRPPCSaa1Bsu1tWF7hgAAnyJg
References: <C3E0C78D.4346A%Quittek@nw.neclab.eu> <3A86FA4E-6D4A-43FE-B380-6676CD4BCD90@voxeo.com> <42B56C6A683EBA4581C01CB49A914CA70E6EA261@MAILFAXSRV.gfimalta.com><909E8DC8-CB3A-478D-995F-94A4B3656D8D@cs.columbia.edu> <47BEAEE3.4040701@gmx.net>
From: Jan Seedorf <Jan.Seedorf@nw.neclab.eu>
To: Hannes.Tschofenig@gmx.net, Signaling TO Prevent SPIT <spitstop@listserv.netlab.nec.de>
X-Sanitizer: This message has been sanitized!
Cc: rucus@ietf.org, Juergen Quittek <Quittek@nw.neclab.eu>
Subject: Re: [Rucus] [spitstop] Botnets, take 2... Re: Draft RUCUS charter
X-BeenThere: rucus@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <rucus.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/rucus>, <mailto:rucus-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/rucus>
List-Post: <mailto:rucus@ietf.org>
List-Help: <mailto:rucus-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/rucus>, <mailto:rucus-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: rucus-bounces@ietf.org
Errors-To: rucus-bounces@ietf.org
Dear Hannes, > I think we should put Henning's classification somewhere in > our documents. I also like Henning's classification because it narrows down where the problem with botnets regarding SPIT is. > > - Uses credentials, spams addresses in addressbook: > whitelists don't > > help, but at least the sender can be identified and > fixed/fined/taken > > offline. I fully agree: this is the problem and the "compromised identity" then needs to be identified and blocked. One question then is, how can we share the identification of a not-trustworthy identity (as perceived by end-users or domains) among SIP-entities/domains. One building block I see here clearly is http://www.ietf.org/internet-drafts/draft-niccolini-sipping-spam-feedback-00.txt for giving users the possibility to indicate that some identity may not be trustworthy anymore (e.g., because it got compromised in the sense Henning describes above). Additionally, http://tools.ietf.org/html/draft-wing-sipping-spam-score-01 and http://www.ietf.org/internet-drafts/draft-seedorf-sipping-spam-score-semantics-00.txt offer a solution for signalling such information between entities. Note that in the semantics draft we tried to point the importance of having a precise meaning associated with a SPIT score. - Jan > -----Original Message----- > From: spitstop-bounces@listserv.netlab.nec.de > [mailto:spitstop-bounces@listserv.netlab.nec.de] On Behalf Of > Hannes Tschofenig > Sent: Friday, February 22, 2008 12:16 PM > To: Signaling TO Prevent SPIT > Cc: Brian Azzopardi; rucus@ietf.org; Juergen Quittek > Subject: Re: [spitstop] [Rucus] Botnets, take 2... Re: Draft > RUCUS charter > > I think we should put Henning's classification somewhere in > our documents. > > I had a chat with Peter Saint-Andre this week and he reported > me about problems they had with malicious users (potentially > using the XMPP servers for file sharing) in their XMPP server > infrastructure. He told me that their community is looking > into a mechanism to allow one domain to report problems to > another domain. This would correspond to Henning's 2nd > category below and a mechanisms similar to the one described > in > http://www.ietf.org/internet-drafts/draft-niccolini-sipping-sp > am-feedback-00.txt > would be useful (expect that it would not be run between the > end host and the VoIP provider but between two VoIP providers). > > Ciao > Hannes > > PS: I put Peter on CC in case I misunderstood something. > > Henning Schulzrinne wrote: > > There are three sub-cases of bot nets: > > > > - Just uses host, without credentials: identity-based whitelisting > > works (subject to the usual problems with whitelisting) > > > > - Uses credentials, but spews randomly: unlikely that the recipient > > will have that person in their whitelist, so still manageable. > > > > - Uses credentials, spams addresses in addressbook: > whitelists don't > > help, but at least the sender can be identified and > fixed/fined/taken > > offline. > > > > I'm not trying to downplay bot nets, just that this is a bit more > > nuanced. > > > > Henning > > > > On Feb 20, 2008, at 3:37 AM, Brian Azzopardi wrote: > > > > > >> Dan, > >> > >> I am afraid that we may have to hit the ground running. > Email spam is > >> already a big industry with well established operators. > Spewing out > >> SPIT instead of email spam is just another 'product' for them. > >> Only amateur SPITers will use spitter and other such tools - the > >> professional ones already have the infrastructure in place > and they'd > >> be irrational not to reuse it for SPIT - they will just short- > >> circuit to your step 5. We do need to think deeply about > botnets - > >> they are the principal means of sending spam and have been for at > >> least the last 2 years. > >> > >> Regards, > >> > >> Brian Azzopardi - Senior Business Analyst GFI Software - > www.gfi.com > >> > >> > >> From: rucus-bounces@ietf.org [mailto:rucus-bounces@ietf.org] On > >> Behalf Of Dan York > >> Sent: 19 February 2008 21:24 > >> To: Juergen Quittek > >> Cc: rucus@ietf.org; Signaling TO Prevent SPIT > >> Subject: [Rucus] Botnets, take 2... Re: Draft RUCUS charter > >> > >> Juergen (and Saverio and others), > >> > >> I appreciate the point you are raising here. My interest and > >> passion are in networking, communication and security. To me, > >> botnets are both incredibly fascinating and incredibly > terrifying. > >> I agree with you that botnets very certainly may be the biggest > >> source of SIP spam in the future. > >> > >> Here's my problem: > >> > >> We have to crawl before we can walk and before we can run. > >> > >> Let's say that this is the (incredibly simplistic view of the) > >> evolution of email spam: > >> > >> 1. Someone figures out that they can send advertisements > to a range > >> of email addresses they have collected. > >> 2. Someone realizes that they can add those addresses to a > "mailing > >> list" to easily send to a large number of addresses. > >> 3. Tools are developed that automate the collection of > addresses and > >> the sending out of messages. > >> 4. At a certain time, there are enough people using email > out there > >> that this whole area of email advertising is a huge financial > >> marketplace. Companies/entities set up server farms to > just send out > >> tons of email messages. (Defenders blacklist those servers.) > >> 5. Those "servers" get distributed into massive botnets > and are then > >> able to avoid blacklisting, etc. > >> > >> I have absolutely no doubt that SIP spam will > unfortunately follow > >> the exact same trajectory. We're already seeing the tools to > >> automate SPIT (here's one: > http://www.hackingvoip.com/tools/spitter.tar.gz > >> ). At some point we will hit my #4 when there are enough people > >> using SIP *with publicly accessible SIP addresses* that it > becomes > >> financially lucrative enough for the larger automation to occur - > >> and following on the heels of that will be the botnets. It will > >> happen. To me it's not a question of IF but rather WHEN. > >> > >> Right now, though, we're still in my steps 1-3 as people start to > >> get SIP endpoints and realize how they can abuse them. > >> > >> My concern about adding the focus on botnets into RUCUS is > the fact > >> that we can easily get distracted into looking at how to solve > >> bigger issues and not get done the smaller issues that we can > >> perhaps address today. > >> > >> Let's face it, probably all of us on this list would be > categorized > >> as early adopters who like to explore cutting edge > technologies. We > >> like to chase bright shiny objects and what is new and sexy and > >> interesting. Let's say that you have a choice at the next > IETF to > >> listen to either: > >> 1. a presentation on a SIP header to pass a "spam score" value > >> between a SIP proxy and a UA; or > >> 2. a presentation about SIP botnets, how they are constructed and > >> the threats they pose. > >> I would expect that probably 90% of us would choose the > botnet talk. > >> (No disrespect intended to the spam-score folks, just using an > >> example.) The reality, though, is that the spam score discussion > >> might be far more useful in moving us toward solutions that will > >> help us with the people abusing SIP systems today. I > don't want to > >> wake up some day and find out that while we've been having > a ton of > >> discussions about botnets, some idiot meanwhile is repeatedly > >> connecting to my SIP server and pumping our voicemail > system full of > >> SPIT. > >> > >> Maybe it's crazy on my part, but I want to see RUCUS have > a charter > >> that results in an achievable plan and architecture. > >> > >> Yes, we should consider botnets as a potential source of SIP spam > >> and, yes, the potential existence of SIP botnets should be > included > >> in our thinking about an architecture to address SIP spam > (so that > >> any architecture we come up with does not discount dealing with > >> botnets). But I also think we need to stay focused on > what we can > >> do now about the threats that are out there today (before > it's too > >> late). Let's crawl first, then walk, then run. > >> > >> My 2 cents, > >> Dan > >> > >> On Feb 19, 2008, at 11:51 AM, Juergen Quittek wrote: > >> Today, most of the spam email comes from bot-nets and recently > >> email spammers started to send massively from compromized > >> valid email accounts. I do not see why this would not become > >> also the biggest source of SIP spam in the future. > >> > >> Consequently, we should address this issue when developing an > >> architecture for reducing SIP spam in the RUCUS WG. The > >> architecture should be general enough for covering also means > >> that reduce SIP spam from bot nets and compromized accounts > >> > >> Whether or not to work on this problem is being discussed > >> highly controversially in the IETF. But considering that the > >> RUCUS BoF is targeted at establishing not a regular working > >> group, but an RFC 5111 Exploratory Group, I do not think it > >> would be appropriate to exclude such work from the beginning. > >> > >> It should rather be part of the exploratory work to find out > >> whether or not reducing SIP spam from bot nets is a target > >> worth to be attacked by the IETF. > >> > >> -- > >> Dan York, CISSP, Director of Emerging Communication Technology > >> Office of the CTO Voxeo Corporation dyork@voxeo.com > >> Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com > >> Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com > >> > >> Bring your web applications to the phone. > >> Find out how at http://evolution.voxeo.com > >> > >> > >> > >> > >> > >> > >> DISCLAIMER > >> The information contained in this electronic mail may be > >> confidential or legally privileged. It is for the intended > >> recipient(s) only. Should you receive this message in > error, please > >> notify the sender by replying to this mail. Unless > expressly stated, > >> opinions in this message are those of the individual > sender and not > >> of GFI. Unauthorized use of the contents is strictly prohibited. > >> While all care has been taken, GFI is not responsible for the > >> integrity of the contents of this electronic mail and any > >> attachments included within. > >> > >> This mail was checked for viruses by GFI MailSecurity. GFI also > >> develops anti-spam software (GFI MailEssentials), a fax > server (GFI > >> FAXmaker), and network security and management software (GFI > >> LANguard) - www.gfi.com > >> > >> _______________________________________________ > >> Rucus mailing list > >> Rucus@ietf.org > >> http://www.ietf.org/mailman/listinfo/rucus > >> > > > > _______________________________________________ > > spitstop mailing list > > spitstop@listserv.netlab.nec.de > > https://listserv.netlab.nec.de/mailman/listinfo/spitstop > > > > _______________________________________________ > spitstop mailing list > spitstop@listserv.netlab.nec.de > https://listserv.netlab.nec.de/mailman/listinfo/spitstop > _______________________________________________ Rucus mailing list Rucus@ietf.org http://www.ietf.org/mailman/listinfo/rucus
- [Rucus] Draft RUCUS charter Juergen Quittek
- Re: [Rucus] Draft RUCUS charter Hannes Tschofenig
- Re: [Rucus] Draft RUCUS charter Saverio Niccolini
- [Rucus] Botnets, take 2... Re: Draft RUCUS charter Dan York
- Re: [Rucus] Draft RUCUS charter Hannes Tschofenig
- Re: [Rucus] Draft RUCUS charter Juergen Quittek
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Brian Azzopardi
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Fischer, Kai
- Re: [Rucus] Draft RUCUS charter Martin Stiemerling
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Henning Schulzrinne
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Dan York
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Otmar Lendl
- [Rucus] EG vs WG - Re: [spitstop] Botnets, take 2… Dan York
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Dan Wing
- Re: [Rucus] Draft RUCUS charter Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] EG vs WG - Re: [spitstop] Botnets, ta… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Jan Seedorf
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Fischer, Kai
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Peter Saint-Andre
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Fischer, Kai
- [Rucus] Let's ONLY send to RUCUS now, please! (an… Dan York
- Re: [Rucus] EG vs WG - Re: [spitstop] Botnets, ta… Peter Saint-Andre
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] EG vs WG - Re: [spitstop] Botnets, ta… Hannes Tschofenig
- Re: [Rucus] EG vs WG - Re: [spitstop] Botnets, ta… Dan York
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Charzinski, Joachim (NSN - DE/Muenich)
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Otmar Lendl
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Otmar Lendl
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Otmar Lendl
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Henning Schulzrinne
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Jan Seedorf
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Otmar Lendl
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig