The Risks of Automatic Spam Filtering/Deadbolt
 
An item from Risks-Forum Digest forwarded through the Red Rock Eater News Service

Date: Thu, 27 Mar 1997 11:31:55 -0800 (PST)
From: risks@csl.sri.com
Subject: RISKS DIGEST 18.94

RISKS-LIST: Risks-Forum Digest  Thursday 27 March 1997  Volume 18 : Issue 94

----------------------------------------------------------------------

Date: Wed, 26 Mar 1997 09:25:38 -0600 (CST)
From: Prentiss Riddle <riddle@is.rice.edu>
Subject: Risks of automatic spam blockers

Forwarded from Edupage, 25 March 1997:

| SPAM BLOCK
| A California software engineer [Ron Guilmette] takes the annoyance
| caused by unsolicited e-mail messages seriously, and has developed an
| anti-spam weapon he plans to unveil next month. Dead Bolt allows
| online users to share their "blacklists" of spam purveyors so that they
| can more effectively filter offending e-mail. "The problem now is that
| everyone who is filtering is keeping their own blacklists and they're
| not working together to tie their lists together in a meaningful way,"
| says Dead Bolt's creator. "What I hope my package will do is allow
| people to work together over the Net and filter all this stuff out and
| finally put these people out of business....The problem is that it
| costs the sender virtually zero dollars to send out a million messages,
| and even if the response rate is minuscule by all standards -- say .001
| percent -- they've made money. So from an economic selfish point of
| view, it's in their interest to annoy the other 99.99 percent of the
| people." (Miami Herald 24 Mar 97)

The full Miami Herald article is available at:
http://www.herald.com/archive/cyber/techdocs/056735.htm

Some of the risks of automatic spam filtering which Deadbolt will have to overcome in order to be successful include:

-- The risk of false and malicious blacklisting of non-spammers.

-- The risk of harm to innocent bystanders who happen to share hostnames, ISPs, or other characteristics with targeted spammers.

-- The possibility that spam messages will avoid detection by varying return addresses and other signatures in each copy of a message.

I find the first two particularly troubling -- were an imperfect spam filtering system in wide use, then triggering it against an innocent party could become a handy form of denial-of-service attack.

Published details of Deadbolt are sketchy, but a Deja News or Alta Vista search of Usenet for "Ron Guilmette" reveals some of its designer's thinking on the subject. So far, I don't see enough to convince me that he will be successful.

Prentiss Riddle   riddle@rice.edu

------------------------------

End of RISKS-FORUM Digest 18.94
************************

Date: Tue, 1 Apr 1997 17:01:10 -0800 (PST)
From: risks@csl.sri.com

RISKS-LIST: Risks-Forum Digest  Wednesday 02 April 1997  Volume 19 : Issue 02

----------------------------------------------------------------------

Date: Thu, 27 Mar 97 13:44:07 PST
From: zerkle@cs.ucdavis.edu (Dan Zerkle)
Subject: Re: Risks of automatic spam blockers (Riddle, RISKS-18.94)
> Dead Bolt allows online users to share their "blacklists" of spam purveyors so that they can more effectively filter offending e-mail.
Something like this has, unfortunately, become necessary. It will happen someday. Stopping spam is a topic near and dear to me, and I've already considered the risks mentioned.
> The risk of false and malicious blacklisting of non-spammers.
This is a serious problem. A step towards solving it would be a secure clearing house of data on spammers. It would need to be distributed via a technique like PGP-signed Usenet messages or an online database downloadable through some secure transfer medium. Whoever maintained the database would need to somehow decide what went into it and what didn't. The entries would have to be classified by reliability level so that the users could decide which data to use and which to ignore. Unfortunately, doing this would subject whoever did it to a suit by spammers who didn't want to be blocked. I haven't figured out a way to avoid this particular risk short of establishing the operation in a country without spammers.
> The risk of harm to innocent bystanders who happen to share hostnames, ISPs, or other characteristics with targeted spammers.
This is not a risk. This is a benefit. If users at an ISP get blocked because the other users at that ISP are spamming, they will take their business elsewhere. ISPs will either take measures to avoid harboring spammers, or they will lose their customers and go out of business. Either way, spammers will have one less place to hide.
> The possibility that spam messages will avoid detection by varying return addresses and other signatures in each copy of a message.
If the source of a spam can be discovered, this is not a problem. The original spamming host is going to show up somewhere in the Received: line, even if only as an IP number. Poorly configured sendmails on intermediate (relay) hosts might not properly include the Received: information. If this is the case, the defective site should be blocked until its owners fix it.

------------------------------

Date: Fri, 28 Mar 1997 10:57:47 -0500
From: Wayne Mesard <wmesard@sgi.com>
Subject: Spam-proofed "From:" lines

A recent trend in the war against spam is to munge the "From:" line in outgoing Usenet and e-mail messages (e.g., by adding asterisks or exclamation points to the beginning or end of the userid). These messages are typically accompanied by a terse note at the bottom of the message instructing respondents to "Remove asterisks [or whatever] from my address if you would like to reply."

I see several risks with this technique:

- False security: Most mail and news agents will dutifully add a "Sender:" line containing the "actual" e-mail address, if the user-supplied "From:" line doesn't look right. Since many spammers already gather addresses from the "Sender:" line, munging the "From:" line provides only limited protection.

- Inconsideration: In that a munged "From:" line reduces the spam received, it reduces the amount of work the munger has to do. So instead of having to press one key to delete a junk e-mail message, everyone that wants to reply to one of his messages has to (a) notice that the address is bogus (b) press many keys to fix it. (Indeed, some mail readers make it quite tedious to edit the headers in replies.) In other words, it hasn't eliminated the problem; it's merely shifted the work from the sender to his correspondents.

- Lost messages: a non-scientific survey of some novice-user friends indicated that a large number of them had no idea what the "remove asterisks..." directive meant, how to perform this task, or what to do with the bounced messages that will result from the failure to do so.

- False security 2: In the ever-escalating spam arms race, it won't be long before spammers' address-gathering software is modified to unmunge munged "From:" lines. (I can think of two obvious techniques, which I won't describe here so as to avoid providing aid and comfort to the enemy.)

Wayne

------------------------------

End of RISKS-FORUM Digest 19.02
************************

Date: Fri, 4 Apr 1997 17:04:13 -0800 (PST)
From: risks@csl.sri.com

RISKS-LIST: Risks-Forum Digest  Friday 4 April 1997  Volume 19 : Issue 04

----------------------------------------------------------------------

Date: Tue, 1 Apr 1997 18:35:54 -0800 (PST)
From: C Matthew Curtin <cmcurtin@research.megasoft.com>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)
> The risk of false and malicious blacklisting of non-spammers. (Riddle)

Dan> This is a serious problem. A step towards solving it would be [...]
This is unnecessarily complex. The NoCeM effort (see http://www.cm.org/ for details) has simply, and effectively, dealt with the spam problem for usenet. Efforts are underway to adapt this to e-mail.

NoCeM works this way:

* Someone takes it upon himself to watch for spam in a newsgroup (or groups).

* When spam does appear, that someone posts a "NoCeM" message to news:alt.nocem.misc and/or news:news.admin.net-abuse.misc, PGP signed.

* Users who want to benefit from the filters have clients that, when they grab news, look in news:alt.nocem.misc (and potentially other places) for NoCeM messages. The client verifies the signatures, and if it's signed by someone the client agrees to listen to, the message won't be shown to the user at all.

* Clients are also available to work with news servers, to NoCeM messages on a site-wide basis. (I believe that these actually cancel the NoCeM'd messages on the site.)

This is nice, because it uses what's already there (news), and allows the user (or admin, depending on the model) to select which users' NoCeMs he honors. Either you trust someone's judgement and honor their NoCeMs, or you don't, and they're completely ignored.

Dan> Unfortunately, doing this would subject whoever did it to a suit
Dan> by spammers who didn't want to be blocked.

Superfluous lawsuits are threatened all the time... few have the resources of CyberPromo to actually be stupid enough to try any of this. (It's another thing about NoCeM...it doesn't kill the messages, it just is another post, that certain clients deal with behind the scenes. :-)

Matt Curtin  Chief Scientist  Megasoft, Inc.
cmcurtin@research.megasoft.com  http://www.research.megasoft.com/people/cmcurtin/

------------------------------

Date: Wed, 2 Apr 1997 11:57:49 -0800 (PST)
From: Ted Wong <tmw5@cornell.edu>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)

Instead of having a central repository of spam, why not use a distributed spam-control system analogous to NoCeMs for Usenet news? Anyone could then issue digitally-signed spam-block notifications, but an individual user would configure their system to only apply notices that came from cancellers they trusted. An Alpha version of NoCeM for e-mail already exists, at <http://www.novia.net/~doumakes/abuse/>.

Some advantages of this system are:

o It thwarts malicious individuals or organizations attempting to systematically censor e-mail. Unless the user lists them as trusted cancellers, their notices will be ignored.

o A 'spotcheck' mode would allow users to occasionally receive an otherwise cancelled e-mail, to ensure that an otherwise trusted canceller hasn't stepped over the line between spam-blocking and censorship.

o There is no risk of some central database being compromised by spammers or censors.

o Users receive more timely warnings of new spam, without needing to periodically check and download a spam-list.

o The spammers have no-one to sue for freedom-of-speech violations. While I'm not a lawyer, I can't see any way to sue someone for merely suggesting that a spammer's mail isn't worth reading.
> The risk of harm to innocent bystanders who happen to share hostnames, ISPs, or other characteristics with targeted spammers.
> This is not a risk. This is a benefit. [...]
I can't see that this is a benefit. Changing your ISP is hardly a trivial task - you have to notify all of your correspondents of your new e-mail address, archive any web pages you may have stored at your ISP, reconfigure your internal network if you were using a Class C subnet, etc. It's grossly unfair to punish legitimate users because they were unfortunate enough to have some Canter and Siegel wanna-be set up shop on their ISP.

Ted Wong
Information Technology Section, Mann Library, Cornell University
<tmw5@cornell.edu>

------------------------------

Date: Wed, 2 Apr 1997 08:33:02 -0800 (PST)
From: "Rosenthal, Harlan" <rosenthh@dialogic.com>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)
> [...] they will take their business elsewhere.
Easy to say from a university or company account. In the real world, nobody wants to change addresses and notify all of their correspondents, especially if it means losing an established presence that may have been widely disseminated to =potential= correspondents (not to mention reprinting stationery and business cards). And why should the multitude suffer this inconvenience, expense, and loss of communication, for the activities of the few?

Spam is the biggest single argument for usage charges. As long as it's cheap to set up a new address and free to abuse it, there's no reason for the spammers to cut down on e-mailing spam and freeloading on other people's processors and comm lines. The fact that spam can be sent from a domain shared by many legitimate users, and that even new addresses may be reused after the spammer changes away, means that abusers are hiding among the innocent like hostage-taking terrorists - hyperbole, perhaps, but congruent in style if not in magnitude.

The goal of any anti-spam approach should be to block, slow, or encumber transmission as close to the source as possible. Yet legitimate cases are always at risk; limiting the cc: lines, for example, could inconvenience clubs or companies almost as much as it slows the spammers. As in any police-power or security effort, the problem is how much freedom the average innocent person is prepared to give up so that the abuser can be blocked.

-harlan

------------------------------

Date: Wed, 2 Apr 1997 09:32:46 -0800 (PST)
From: Dan Franklin <dan@copernicus.bbn.com>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)
> The original spamming host is going to show up somewhere in the Received: line, [...]
Note that if you are fortunate enough to have Received: lines to work from (the most recent spam I received had none at all, either because the relay host was defective or because it really was sent directly to my mailhost) you still have a challenge, because the spammer can insert one or more bogus Received lines in the initial message, so the one added by the first relay host will be buried in the middle.

By the way, it does not seem practical to me to block all mail-relay sites that don't add Received lines. How would you generate such a list? What incentive would you provide to such a site to change their software?

Dan Franklin

------------------------------

Date: Wed, 2 Apr 1997 10:57:55 -0800 (PST)
From: "J. DeBert" <onymouse@hypatia.com>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)

Any method of auto-blocking spam will create a serious problem for anyone who later acquires the spammers' discarded domain names. Spammers are registering lots of domain names and faking many to evade anti-spam and cancel bots and to hide from their enemies as well as the public at large. Once they are done with the domain names and they--the registered names--become available again, the next organization to acquire the name will find their mail bouncing or disappearing into /dev/null somewhere and perhaps harassed by bots and hostile spam-haters which do not know that the domain name has changed hands. The unfortunate victims of such acts may not even be able to escape them by merely changing their domain name, either.

Who is going to remove dead spammer domains from the anti-spam and cancel bots' records and make sure that everyone knows about it?

onymouse@hypatia.com | I've only one thing to
Send NO spam         | say to spammers: "47USC227".

[Many thanks to an onymouse contributor (J DeBert), who acted as a guest moderator for this topic. PGN]

------------------------------

End of RISKS-FORUM Digest 19.04
************************

Date: Tue, 22 Apr 1997 12:03:12 -0700 (PDT)
From: risks@csl.sri.com
Subject: RISKS DIGEST 19.10

RISKS-LIST: Risks-Forum Digest  Tuesday 22 April 1997  Volume 19 : Issue 10

----------------------------------------------------------------------

Date: Thu, 17 Apr 97 19:49:30 EDT
From: dlv@bwalk.dm.com (Dr.Dimitri Vulis KOTM)
Subject: Re: Risks of automatic spam blockers (Curtin, RISKS-19.04)

On the risks of issuing NoCeMs

I've been issuing NoCeMs for off-topic articles in several newsgroups (both global Usenet and the nyc.* hierarchy) since the summer of '96. I've received two legalese threats of legal action from posters of material that matched my criteria of being off-topic.

1. Michael Weir, a recruiter from Canada, insisted on posting job ads in an unmoderated discussion newsgroup whose charter prohibits job ads and resumes. He threatened to sue me for using his name in the NoCeM notices. He also posted a series of abusive flames about me. A search of DejaNews revealed several articles from him in Canadian newsgroups discussing his litigations and asking for personal information about a judge. Eventually he went away.

2. The "New York Theosophical Society" insists on posting in the local newsgroup nyc.seminars (usually used to announce, what else, seminars). One Bart Lidofsky responded to the NoCeM articles by saying: "I consider these messages to be a form of harassment, and will treat them as such."

I have also seen several claims that the NoCeM notices themselves are "spam". Apparently, this term now applies to any traffic that the user doesn't like for any reason.

I understand that other issuers of NoCeMs have also received threats, and at least one poster has been forging old-fashioned cancels for the NoCeM notices that mention his articles (another good reason to stop processing all old-fashioned cancels).

Dimitri "co-proponent of news.lists.filters where NoCeM notices are posted" Vulis
Dr.Dimitri Vulis KOTM

------------------------------

End of RISKS-FORUM Digest 19.10
************************

Standard Risks reuse disclaimer: Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse.
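Two of the exchanges above turn on technical points that are easier to see in code. The first is Zerkle's claim that the originating host "is going to show up somewhere in the Received: line" and Franklin's reply that a sender can pre-load bogus Received: lines so the genuine relay line is "buried in the middle". The defensive answer is to walk the trace headers from the top (most recent hop) down and trust only the lines your own mail hosts wrote, stopping at the first address outside that boundary; anything below it was written by someone else and is ignored. The following program is an added illustration of that walk; it is not code from the digest or from Dead Bolt. The hostnames, addresses, the sample message and the list of "our" MTAs are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Our own MTAs: the only hosts whose Received: lines we wrote ourselves. The
// names they put in the "by" clause and the addresses they hand mail between
// are constructed for this example.
var trustedHosts = map[string]bool{"mx.example.net": true, "mailstore.example.net": true}
var trustedIPs = map[string]bool{"192.0.2.1": true, "192.0.2.2": true}

// Constructed sample. The top two lines were written by our hosts, the third by
// the ISP's relay, and the bottom two were forged by the sender before the
// message ever left, making an innocent third party look like a relay.
const Sample = `Received: from mx.example.net (mx.example.net [192.0.2.1])
    by mailstore.example.net with ESMTP id A1; Wed, 2 Apr 1997 09:00:05 -0800
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
    by mx.example.net with ESMTP id B2; Wed, 2 Apr 1997 09:00:00 -0800
Received: from dialup-17.isp.example (dialup-17.isp.example [192.0.2.77])
    by relay.isp.example with SMTP id C3; Wed, 2 Apr 1997 08:59:50 -0800
Received: from mail.innocent.example (mail.innocent.example [198.51.100.5])
    by dialup-17.isp.example with ESMTP; Wed, 2 Apr 1997 08:59:40 -0800
Received: from somewhere.else.example ([203.0.113.1])
    by mail.innocent.example with SMTP; Wed, 2 Apr 1997 08:59:30 -0800
From: someone@isp.example
To: me@example.net
Subject: constructed sample

(body omitted)
`

// NoReceived is Franklin's case: a message that arrived with no trace headers at all.
const NoReceived = "From: someone@isp.example\nTo: me@example.net\nSubject: constructed sample\n\n(body omitted)\n"

var receivedRe = regexp.MustCompile(`(?i)from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)`)
var ipRe = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`)

type hop struct{ helo, ip, by string }

// parseReceived pulls the announced name, the address the receiver actually saw,
// and the receiving host out of one "from X (rdns [ip]) by Y ..." clause.
func parseReceived(v string) (hop, bool) {
	m := receivedRe.FindStringSubmatch(strings.Join(strings.Fields(v), " "))
	if m == nil {
		return hop{}, false
	}
	h := hop{helo: m[1], by: strings.TrimSuffix(m[3], ";")}
	if ipm := ipRe.FindStringSubmatch(m[2]); ipm != nil {
		h.ip = ipm[1]
	}
	return h, true
}

// FindOrigin walks the Received: chain top-down (most recent hop first), staying
// only on lines our own hosts wrote, and returns the first address outside that
// boundary together with the number of lower lines it deliberately ignores.
// ok is false when there is nothing trustworthy to work from.
func FindOrigin(raw string) (ip string, ignored int, ok bool) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", 0, false
	}
	received := msg.Header["Received"]
	for i, v := range received {
		h, parsed := parseReceived(v)
		if !parsed || !trustedHosts[h.by] || h.ip == "" {
			return "", 0, false // a line we did not write: everything from here down is hearsay
		}
		if trustedIPs[h.ip] {
			continue // internal hand-off between our own hosts
		}
		return h.ip, len(received) - i - 1, true
	}
	return "", 0, false
}

func main() {
	for _, raw := range []string{Sample, NoReceived} {
		ip, ignored, ok := FindOrigin(raw)
		fmt.Printf("origin=%q ignored=%d ok=%v\n", ip, ignored, ok)
	}
}
```

For the sample this yields 192.0.2.10, the ISP relay that handed the message to our host, with the three lower lines (one genuine, two forged) set aside: the forged lines naming mail.innocent.example never influence the result, which is the point of Franklin's warning. The relay's own line is not used either, because we cannot know whether the relay wrote it honestly, so the most a receiver can establish on its own is the last hop it spoke to directly, which is also all Zerkle's "block the defective site" remedy needs. A message with no Received: lines, or whose top line was not written by one of our hosts, produces no origin rather than a guess.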
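The second exchange is the NoCeM model that Curtin describes and Wong extends: anyone may issue a signed notice saying an article is spam, and a client honours a notice only if it verifies under the key of an issuer the user has chosen to listen to, with Wong's "spotcheck" letting the user occasionally see what a trusted issuer is hiding. The program below is an added illustration of that client-side policy and is not NoCeM's own code or the e-mail alpha Wong links to. It assumes ed25519 signatures in place of the PGP signatures the digest describes, and it adds issue and expiry times to each notice as one way to keep entries from outliving the domain they name, the stale-entry problem DeBert raises. Issuer names, Message-IDs and the trust list are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Notice is the analogue of a NoCeM message: an issuer asserts that the article
// with this Message-ID is spam. Issued/Expires are an assumption added here.
type Notice struct {
	Issuer    string
	MessageID string
	Issued    time.Time
	Expires   time.Time
	Sig       []byte
}

// signingBytes covers every field the client acts on, so none can be altered
// after signing and a notice cannot be re-attributed to another issuer.
func (n Notice) signingBytes() []byte {
	return []byte(fmt.Sprintf("%s\x00%s\x00%d\x00%d",
		n.Issuer, n.MessageID, n.Issued.Unix(), n.Expires.Unix()))
}

// Issuer is someone who watches a newsgroup and signs notices about it.
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}, nil
}

func (is *Issuer) Issue(messageID string, now time.Time, ttl time.Duration) Notice {
	n := Notice{Issuer: is.Name, MessageID: messageID, Issued: now, Expires: now.Add(ttl)}
	n.Sig = ed25519.Sign(is.priv, n.signingBytes())
	return n
}

type Verdict int

const (
	Show Verdict = iota // notice ignored; the article is shown as usual
	Hide                // article suppressed on the strength of a trusted notice
	Spot                // would be hidden, but shown so the user can audit the issuer
)

func (v Verdict) String() string { return [...]string{"show", "hide", "spot"}[v] }

// Client holds one subscriber's policy: which issuers it listens to (with their
// keys) and how often it spot-checks an article it would otherwise hide.
type Client struct {
	Trusted   map[string]ed25519.PublicKey
	SpotEvery int // show every Nth honoured notice; 0 disables spot-checking
	honoured  int
}

// Apply decides what to do with one notice. Every failed check falls back to
// Show: an untrusted, forged or stale notice must never hide anything.
func (c *Client) Apply(n Notice, now time.Time) (Verdict, string) {
	pub, ok := c.Trusted[n.Issuer]
	if !ok {
		return Show, "issuer not in trust list"
	}
	if !ed25519.Verify(pub, n.signingBytes(), n.Sig) {
		return Show, "signature does not verify"
	}
	if now.After(n.Expires) {
		return Show, "notice expired"
	}
	c.honoured++
	if c.SpotEvery > 0 && c.honoured%c.SpotEvery == 0 {
		return Spot, "spot-check"
	}
	return Hide, "hidden on " + n.Issuer + "'s notice"
}

// Demo runs a constructed sequence of notices through one client that trusts
// only alice, and returns the verdicts in order.
func Demo() ([]Verdict, error) {
	alice, err := NewIssuer("alice")
	if err != nil {
		return nil, err
	}
	mallory, err := NewIssuer("mallory")
	if err != nil {
		return nil, err
	}
	now := time.Date(1997, time.April, 2, 12, 0, 0, 0, time.UTC)
	month := 30 * 24 * time.Hour
	client := &Client{Trusted: map[string]ed25519.PublicKey{"alice": alice.Pub}, SpotEvery: 3}

	forged := mallory.Issue("<3@innocent.example>", now, month)
	forged.Issuer = "alice" // mallory relabels the notice as alice's; the signature no longer verifies
	notices := []Notice{
		alice.Issue("<1@spam.example>", now, month),
		mallory.Issue("<2@innocent.example>", now, month), // mallory is not trusted
		forged,
		alice.Issue("<4@old.example>", now.Add(-2*month), month), // expired a month ago
		alice.Issue("<5@spam.example>", now, month),
		alice.Issue("<6@spam.example>", now, month), // third honoured notice: spot-check
	}
	var verdicts []Verdict
	for _, n := range notices {
		v, why := client.Apply(n, now)
		fmt.Printf("%-22s %-5v %s\n", n.MessageID, v, why)
		verdicts = append(verdicts, v)
	}
	return verdicts, nil
}

func main() {
	if _, err := Demo(); err != nil {
		fmt.Println("error:", err)
	}
}
```

The design choice worth noting is that the trust decision is local and per-issuer, as both Curtin and Wong stress: mallory's notices are ignored not because anyone blacklisted mallory but because this user never listed her, and a notice she relabels as alice's fails verification because the issuer name is inside the signed bytes. Nothing is cancelled on the wire; the client simply chooses what to display, which is also why a notice can be allowed to lapse, so a domain that changes hands stops being suppressed once the old notices expire.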