Re: [Rucus] [spitstop] Botnets, take 2... Re: Draft RUCUS charter
Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Fri, 22 February 2008 11:51 UTC
Return-Path: <rucus-bounces@ietf.org>
X-Original-To: ietfarch-rucus-archive@core3.amsl.com
Delivered-To: ietfarch-rucus-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA13A3A6C5F; Fri, 22 Feb 2008 03:51:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.784
X-Spam-Level:
X-Spam-Status: No, score=0.784 tagged_above=-999 required=5 tests=[AWL=-1.471, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, MANGLED_SPAM=2.3, RDNS_NONE=0.1, SARE_UNSUB30=0.351, SARE_UNSUB30B=0.041]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C8g-8yazM6vK; Fri, 22 Feb 2008 03:51:03 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5489428C20F; Fri, 22 Feb 2008 03:51:03 -0800 (PST)
X-Original-To: rucus@core3.amsl.com
Delivered-To: rucus@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E7523A6B7B for <rucus@core3.amsl.com>; Fri, 22 Feb 2008 03:51:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IfE+UdHv3WS4 for <rucus@core3.amsl.com>; Fri, 22 Feb 2008 03:51:00 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 204023A6839 for <rucus@ietf.org>; Fri, 22 Feb 2008 03:50:59 -0800 (PST)
Received: (qmail invoked by alias); 22 Feb 2008 11:50:54 -0000
Received: from proxy1-nsn.nsn-inter.net (EHLO [217.115.75.229]) [217.115.75.229] by mail.gmx.net (mp049) with SMTP; 22 Feb 2008 12:50:54 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1/75DBzFaj72KUF0wUasw2GHORQWzGScEnQGVJ3iI cNayj8x49axZCR
Message-ID: <47BEB721.8040305@gmx.net>
Date: Fri, 22 Feb 2008 13:50:57 +0200
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Jan Seedorf <Jan.Seedorf@nw.neclab.eu>
References: <C3E0C78D.4346A%Quittek@nw.neclab.eu> <3A86FA4E-6D4A-43FE-B380-6676CD4BCD90@voxeo.com> <42B56C6A683EBA4581C01CB49A914CA70E6EA261@MAILFAXSRV.gfimalta.com><909E8DC8-CB3A-478D-995F-94A4B3656D8D@cs.columbia.edu> <47BEAEE3.4040701@gmx.net> <113091BD57179D4491C19DA7E10CD69601B5639F@mx1.office>
In-Reply-To: <113091BD57179D4491C19DA7E10CD69601B5639F@mx1.office>
X-Y-GMX-Trusted: 0
Cc: rucus@ietf.org, Signaling TO Prevent SPIT <spitstop@listserv.netlab.nec.de>, Juergen Quittek <Quittek@nw.neclab.eu>
Subject: Re: [Rucus] [spitstop] Botnets, take 2... Re: Draft RUCUS charter
X-BeenThere: rucus@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Hannes.Tschofenig@gmx.net
List-Id: <rucus.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/rucus>, <mailto:rucus-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/rucus>
List-Post: <mailto:rucus@ietf.org>
List-Help: <mailto:rucus-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/rucus>, <mailto:rucus-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: rucus-bounces@ietf.org
Errors-To: rucus-bounces@ietf.org
Hi Jan, Jan Seedorf wrote: > Dear Hannes, > > >> I think we should put Henning's classification somewhere in >> our documents. >> > I also like Henning's classification because it narrows down where the problem with botnets regarding SPIT is. > > >>> - Uses credentials, spams addresses in addressbook: >>> >> whitelists don't >> >>> help, but at least the sender can be identified and >>> >> fixed/fined/taken >> >>> offline. >>> > I fully agree: this is the problem and the "compromised identity" then needs to be identified and blocked. One question then is, how can we share the identification of a not-trustworthy identity (as perceived by end-users or domains) among SIP-entities/domains. One building block I see here clearly is > http://www.ietf.org/internet-drafts/draft-niccolini-sipping-spam-feedback-00.txt > Let's take an example: When Henning's host is compromised and a bot is using Henning's account to send me spam then I would contact Henning (by using various ways) to tell him that something is wrong with his PC/phone/etc. I would not tell my VoIP provider that there is something wrong with Henning's account. Typically, this will lead to more problems rather than less -- such as no communication to Columbia University anymore because my VoIP provider just blocks all calls from that domain. (Just to reflect my experience with email problems in the company....) > for giving users the possibility to indicate that some identity may not be trustworthy anymore (e.g., because it got compromised in the sense Henning describes above). Additionally, > http://tools.ietf.org/html/draft-wing-sipping-spam-score-01 > and > http://www.ietf.org/internet-drafts/draft-seedorf-sipping-spam-score-semantics-00.txt > offer a solution for signalling such information between entities. Note that in the semantics draft we tried to point the importance of having a precise meaning associated with a SPIT score. > I haven't read draft-seedorf-sipping-spam-score-semantics-00.txt yet. Comments later. Ciao Hannes > - Jan > > >> -----Original Message----- >> From: spitstop-bounces@listserv.netlab.nec.de >> [mailto:spitstop-bounces@listserv.netlab.nec.de] On Behalf Of >> Hannes Tschofenig >> Sent: Friday, February 22, 2008 12:16 PM >> To: Signaling TO Prevent SPIT >> Cc: Brian Azzopardi; rucus@ietf.org; Juergen Quittek >> Subject: Re: [spitstop] [Rucus] Botnets, take 2... Re: Draft >> RUCUS charter >> >> I think we should put Henning's classification somewhere in >> our documents. >> >> I had a chat with Peter Saint-Andre this week and he reported >> me about problems they had with malicious users (potentially >> using the XMPP servers for file sharing) in their XMPP server >> infrastructure. He told me that their community is looking >> into a mechanism to allow one domain to report problems to >> another domain. This would correspond to Henning's 2nd >> category below and a mechanisms similar to the one described >> in >> http://www.ietf.org/internet-drafts/draft-niccolini-sipping-sp >> am-feedback-00.txt >> would be useful (expect that it would not be run between the >> end host and the VoIP provider but between two VoIP providers). >> >> Ciao >> Hannes >> >> PS: I put Peter on CC in case I misunderstood something. >> >> Henning Schulzrinne wrote: >> >>> There are three sub-cases of bot nets: >>> >>> - Just uses host, without credentials: identity-based whitelisting >>> works (subject to the usual problems with whitelisting) >>> >>> - Uses credentials, but spews randomly: unlikely that the recipient >>> will have that person in their whitelist, so still manageable. >>> >>> - Uses credentials, spams addresses in addressbook: >>> >> whitelists don't >> >>> help, but at least the sender can be identified and >>> >> fixed/fined/taken >> >>> offline. >>> >>> I'm not trying to downplay bot nets, just that this is a bit more >>> nuanced. >>> >>> Henning >>> >>> On Feb 20, 2008, at 3:37 AM, Brian Azzopardi wrote: >>> >>> >>> >>>> Dan, >>>> >>>> I am afraid that we may have to hit the ground running. >>>> >> Email spam is >> >>>> already a big industry with well established operators. >>>> >> Spewing out >> >>>> SPIT instead of email spam is just another 'product' for them. >>>> Only amateur SPITers will use spitter and other such tools - the >>>> professional ones already have the infrastructure in place >>>> >> and they'd >> >>>> be irrational not to reuse it for SPIT - they will just short- >>>> circuit to your step 5. We do need to think deeply about >>>> >> botnets - >> >>>> they are the principal means of sending spam and have been for at >>>> least the last 2 years. >>>> >>>> Regards, >>>> >>>> Brian Azzopardi - Senior Business Analyst GFI Software - >>>> >> www.gfi.com >> >>>> From: rucus-bounces@ietf.org [mailto:rucus-bounces@ietf.org] On >>>> Behalf Of Dan York >>>> Sent: 19 February 2008 21:24 >>>> To: Juergen Quittek >>>> Cc: rucus@ietf.org; Signaling TO Prevent SPIT >>>> Subject: [Rucus] Botnets, take 2... Re: Draft RUCUS charter >>>> >>>> Juergen (and Saverio and others), >>>> >>>> I appreciate the point you are raising here. My interest and >>>> passion are in networking, communication and security. To me, >>>> botnets are both incredibly fascinating and incredibly >>>> >> terrifying. >> >>>> I agree with you that botnets very certainly may be the biggest >>>> source of SIP spam in the future. >>>> >>>> Here's my problem: >>>> >>>> We have to crawl before we can walk and before we can run. >>>> >>>> Let's say that this is the (incredibly simplistic view of the) >>>> evolution of email spam: >>>> >>>> 1. Someone figures out that they can send advertisements >>>> >> to a range >> >>>> of email addresses they have collected. >>>> 2. Someone realizes that they can add those addresses to a >>>> >> "mailing >> >>>> list" to easily send to a large number of addresses. >>>> 3. Tools are developed that automate the collection of >>>> >> addresses and >> >>>> the sending out of messages. >>>> 4. At a certain time, there are enough people using email >>>> >> out there >> >>>> that this whole area of email advertising is a huge financial >>>> marketplace. Companies/entities set up server farms to >>>> >> just send out >> >>>> tons of email messages. (Defenders blacklist those servers.) >>>> 5. Those "servers" get distributed into massive botnets >>>> >> and are then >> >>>> able to avoid blacklisting, etc. >>>> >>>> I have absolutely no doubt that SIP spam will >>>> >> unfortunately follow >> >>>> the exact same trajectory. We're already seeing the tools to >>>> automate SPIT (here's one: >>>> >> http://www.hackingvoip.com/tools/spitter.tar.gz >> >>>> ). At some point we will hit my #4 when there are enough people >>>> using SIP *with publicly accessible SIP addresses* that it >>>> >> becomes >> >>>> financially lucrative enough for the larger automation to occur - >>>> and following on the heels of that will be the botnets. It will >>>> happen. To me it's not a question of IF but rather WHEN. >>>> >>>> Right now, though, we're still in my steps 1-3 as people start to >>>> get SIP endpoints and realize how they can abuse them. >>>> >>>> My concern about adding the focus on botnets into RUCUS is >>>> >> the fact >> >>>> that we can easily get distracted into looking at how to solve >>>> bigger issues and not get done the smaller issues that we can >>>> perhaps address today. >>>> >>>> Let's face it, probably all of us on this list would be >>>> >> categorized >> >>>> as early adopters who like to explore cutting edge >>>> >> technologies. We >> >>>> like to chase bright shiny objects and what is new and sexy and >>>> interesting. Let's say that you have a choice at the next >>>> >> IETF to >> >>>> listen to either: >>>> 1. a presentation on a SIP header to pass a "spam score" value >>>> between a SIP proxy and a UA; or >>>> 2. a presentation about SIP botnets, how they are constructed and >>>> the threats they pose. >>>> I would expect that probably 90% of us would choose the >>>> >> botnet talk. >> >>>> (No disrespect intended to the spam-score folks, just using an >>>> example.) The reality, though, is that the spam score discussion >>>> might be far more useful in moving us toward solutions that will >>>> help us with the people abusing SIP systems today. I >>>> >> don't want to >> >>>> wake up some day and find out that while we've been having >>>> >> a ton of >> >>>> discussions about botnets, some idiot meanwhile is repeatedly >>>> connecting to my SIP server and pumping our voicemail >>>> >> system full of >> >>>> SPIT. >>>> >>>> Maybe it's crazy on my part, but I want to see RUCUS have >>>> >> a charter >> >>>> that results in an achievable plan and architecture. >>>> >>>> Yes, we should consider botnets as a potential source of SIP spam >>>> and, yes, the potential existence of SIP botnets should be >>>> >> included >> >>>> in our thinking about an architecture to address SIP spam >>>> >> (so that >> >>>> any architecture we come up with does not discount dealing with >>>> botnets). But I also think we need to stay focused on >>>> >> what we can >> >>>> do now about the threats that are out there today (before >>>> >> it's too >> >>>> late). Let's crawl first, then walk, then run. >>>> >>>> My 2 cents, >>>> Dan >>>> >>>> On Feb 19, 2008, at 11:51 AM, Juergen Quittek wrote: >>>> Today, most of the spam email comes from bot-nets and recently >>>> email spammers started to send massively from compromized >>>> valid email accounts. I do not see why this would not become >>>> also the biggest source of SIP spam in the future. >>>> >>>> Consequently, we should address this issue when developing an >>>> architecture for reducing SIP spam in the RUCUS WG. The >>>> architecture should be general enough for covering also means >>>> that reduce SIP spam from bot nets and compromized accounts >>>> >>>> Whether or not to work on this problem is being discussed >>>> highly controversially in the IETF. But considering that the >>>> RUCUS BoF is targeted at establishing not a regular working >>>> group, but an RFC 5111 Exploratory Group, I do not think it >>>> would be appropriate to exclude such work from the beginning. >>>> >>>> It should rather be part of the exploratory work to find out >>>> whether or not reducing SIP spam from bot nets is a target >>>> worth to be attacked by the IETF. >>>> >>>> -- >>>> Dan York, CISSP, Director of Emerging Communication Technology >>>> Office of the CTO Voxeo Corporation dyork@voxeo.com >>>> Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com >>>> Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com >>>> >>>> Bring your web applications to the phone. >>>> Find out how at http://evolution.voxeo.com >>>> >>>> >>>> >>>> >>>> >>>> >>>> DISCLAIMER >>>> The information contained in this electronic mail may be >>>> confidential or legally privileged. It is for the intended >>>> recipient(s) only. Should you receive this message in >>>> >> error, please >> >>>> notify the sender by replying to this mail. Unless >>>> >> expressly stated, >> >>>> opinions in this message are those of the individual >>>> >> sender and not >> >>>> of GFI. Unauthorized use of the contents is strictly prohibited. >>>> While all care has been taken, GFI is not responsible for the >>>> integrity of the contents of this electronic mail and any >>>> attachments included within. >>>> >>>> This mail was checked for viruses by GFI MailSecurity. GFI also >>>> develops anti-spam software (GFI MailEssentials), a fax >>>> >> server (GFI >> >>>> FAXmaker), and network security and management software (GFI >>>> LANguard) - www.gfi.com >>>> >>>> _______________________________________________ >>>> Rucus mailing list >>>> Rucus@ietf.org >>>> http://www.ietf.org/mailman/listinfo/rucus >>>> >>>> >>> _______________________________________________ >>> spitstop mailing list >>> spitstop@listserv.netlab.nec.de >>> https://listserv.netlab.nec.de/mailman/listinfo/spitstop >>> >>> >> _______________________________________________ >> spitstop mailing list >> spitstop@listserv.netlab.nec.de >> https://listserv.netlab.nec.de/mailman/listinfo/spitstop >> >> _______________________________________________ Rucus mailing list Rucus@ietf.org http://www.ietf.org/mailman/listinfo/rucus
- [Rucus] Draft RUCUS charter Juergen Quittek
- Re: [Rucus] Draft RUCUS charter Hannes Tschofenig
- Re: [Rucus] Draft RUCUS charter Saverio Niccolini
- [Rucus] Botnets, take 2... Re: Draft RUCUS charter Dan York
- Re: [Rucus] Draft RUCUS charter Hannes Tschofenig
- Re: [Rucus] Draft RUCUS charter Juergen Quittek
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Brian Azzopardi
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Fischer, Kai
- Re: [Rucus] Draft RUCUS charter Martin Stiemerling
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Henning Schulzrinne
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Dan York
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Otmar Lendl
- [Rucus] EG vs WG - Re: [spitstop] Botnets, take 2… Dan York
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Dan Wing
- Re: [Rucus] Draft RUCUS charter Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] Botnets, take 2... Re: Draft RUCUS ch… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] EG vs WG - Re: [spitstop] Botnets, ta… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Jan Seedorf
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Fischer, Kai
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Peter Saint-Andre
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Fischer, Kai
- [Rucus] Let's ONLY send to RUCUS now, please! (an… Dan York
- Re: [Rucus] EG vs WG - Re: [spitstop] Botnets, ta… Peter Saint-Andre
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig
- Re: [Rucus] EG vs WG - Re: [spitstop] Botnets, ta… Hannes Tschofenig
- Re: [Rucus] EG vs WG - Re: [spitstop] Botnets, ta… Dan York
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Charzinski, Joachim (NSN - DE/Muenich)
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Otmar Lendl
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Otmar Lendl
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Otmar Lendl
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Henning Schulzrinne
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Jan Seedorf
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Saverio Niccolini
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Otmar Lendl
- Re: [Rucus] [spitstop] Botnets, take 2... Re: Dra… Hannes Tschofenig