The Risks of Automatic Spam Filtering/Deadbolt

Charles Anthony canthony at info-nation.com
Wed Apr 23 05:52:19 PDT 1997


An item from Risks-Forum Digest forwarded through the Red Rock Eater 
News Service- 

--C



Date: Thu, 27 Mar 1997 11:31:55 -0800 (PST)
From: risks at csl.sri.com
Subject: RISKS DIGEST 18.94

RISKS-LIST: Risks-Forum Digest  Thursday 27 March 1997  Volume 18 : Issue 94

----------------------------------------------------------------------

Date: Wed, 26 Mar 1997 09:25:38 -0600 (CST)
From: Prentiss Riddle <riddle at is.rice.edu>
Subject: Risks of automatic spam blockers

Forwarded from Edupage, 25 March 1997:
| SPAM BLOCK
| A California software engineer [Ron Guilmette] takes the annoyance
| caused by unsolicited e-mail messages seriously, and has developed an
| anti-spam weapon he plans to unveil next month.  Dead Bolt allows
| online users to share their "blacklists" of spam purveyors so that they
| can more effectively filter offending e-mail.  "The problem now is that
| everyone who is filtering is keeping their own blacklists and they're
| not working together to tie their lists together in a meaningful way,"
| says Dead Bolt's creator.  "What I hope my package will do is allow
| people to work together over the Net and filter all this stuff out and
| finally put these people out of business....The problem is that it
| costs the sender virtually zero dollars to send out a million messages,
| and even if the response rate is minuscule by all standards -- say .001
| percent -- they've made money.  So from an economic selfish point of
| view, it's in their interest to annoy the other 99.99 percent of the
| people." (Miami Herald 24 Mar 97)

The full Miami Herald article is available at:

   http://www.herald.com/archive/cyber/techdocs/056735.htm

Some of the risks of automatic spam filtering which Deadbolt will have
to overcome in order to be successful include:

   -- The risk of false and malicious blacklisting of non-spammers. 

   -- The risk of harm to innocent bystanders who happen to share
      hostnames, ISPs, or other characteristics with targeted spammers.

   -- The possibility that spam messages will avoid detection by
      varying return addresses and other signatures in each copy of
      a message.

I find the first two particularly troubling -- were an imperfect spam
filtering system in wide use, then triggering it against an innocent
party could become a handy form of denial-of-service attack.

Published details of Deadbolt are sketchy, but a Deja News or Alta
Vista search of Usenet for "Ron Guilmette" reveals some of its
designer's thinking on the subject.  So far, I don't see enough to
convince me that he will be successful.

Prentiss Riddle  riddle at rice.edu

------------------------------

End of RISKS-FORUM Digest 18.94 
************************




Date: Tue, 1 Apr 1997 17:01:10 -0800 (PST)
From: risks at csl.sri.com

RISKS-LIST: Risks-Forum Digest  Wednesday 02 April 1997  Volume 19 : Issue 02

----------------------------------------------------------------------

Date: Thu, 27 Mar 97 13:44:07 PST
From: zerkle at cs.ucdavis.edu (Dan Zerkle)
Subject: Re: Risks of automatic spam blockers (Riddle, RISKS-18.94)

> Dead Bolt allows online users to share their "blacklists" of spam 
> purveyors so that they can more effectively filter offending e-mail.

Something like this has, unfortunately, become necessary.  It will happen
someday.  Stopping spam is a topic near and dear to me, and I've already
considered the risks mentioned.

> The risk of false and malicious blacklisting of non-spammers. 

This is a serious problem.  A step towards solving it would be a secure
clearing house of data on spammers.  It would need to be distributed via a
technique like PGP-signed Usenet messages or an online database
downloadable through some secure transfer medium.

Whoever maintained the database would need to somehow decide what went into
it and what didn't.  The entries would have to be classified by reliability
level so that the users could decide which data to use and which to ignore.

Unfortunately, doing this would subject whoever did it to a suit by spammers
who didn't want to be blocked.  I haven't figured out a way to avoid this
particular risk short of establishing the operation in a country without
spammers.

> The risk of harm to innocent bystanders who happen to share hostnames,
> ISPs, or other characteristics with targeted spammers.

This is not a risk.  This is a benefit.  If users at an ISP get blocked
because the other users at that ISP are spamming, they will take their
business elsewhere.  ISPs will either take measures to avoid harboring
spammers, or they will lose their customers and go out of business.  Either
way, spammers will have one less place to hide.

> The possibility that spam messages will avoid detection by varying return
> addresses and other signatures in each copy of a message.

If the source of a spam can be discovered, this is not a problem.  The
original spamming host is going to show up somewhere in the Received: line,
even if only as an IP number.  Poorly configured sendmails on intermediate
(relay) hosts might not properly include the Received: information.  If this
is the case, the defective site should be blocked until its owners fix it.

------------------------------

Date: Fri, 28 Mar 1997 10:57:47 -0500
From: Wayne Mesard <wmesard at sgi.com>
Subject: Spam-proofed "From:" lines

A recent trend in the war against spam is to munge the "From:" line in
outgoing Usenet and e-mail messages (e.g., by adding asterisks or
exclamation points to the beginning or end of the userid).  

These messages are typically accompanied by a terse note at the bottom
of the message instructing respondents to "Remove asterisks [or
whatever] from my address if you would like to reply."

I see several risks with this technique:

- False security: Most mail and news agents will dutifully add a
  "Sender:" line containing the "actual" e-mail address, if the
  user-supplied "From:" line doesn't look right.

  Since many spammers already gather addresses from the "Sender:" line,
  munging the "From:" line provides only limited protection.

- Inconsideration: In that a munged "From:" line reduces the spam
  received, it reduces the amount of work the munger has to do.  

  So instead of having to press one key to delete a junk e-mail message,
  everyone that wants to reply to one of his messages has to (a) notice
  that the address is bogus (b) press many keys to fix it.  (Indeed, some
  mail readers make it quite tedious to edit the headers in replies.)

  In other words, it hasn't eliminated the problem; it's merely shifted
  the work from the sender to his correspondents.

- Lost messages: a non-scientific survey of some novice-user friends
  indicated that a large number of them had no idea what the "remove
  asterisks..." directive meant, how to perform this task, or what to do
  with the bounced messages that will result from the failure to do so.

- False security 2: In the ever-escalating spam arms race, it won't be
  long before spammers' address-gathering software is modified to
  unmunge munged "From:" lines.  (I can think of two obvious techniques,
  which I won't describe here so as to avoid providing aid and comfort
  to the enemy.)

Wayne

------------------------------

End of RISKS-FORUM Digest 19.02 
************************


Date: Fri, 4 Apr 1997 17:04:13 -0800 (PST)
From: risks at csl.sri.com

RISKS-LIST: Risks-Forum Digest  Friday 4 April 1997  Volume 19 : Issue 04

----------------------------------------------------------------------

Date: Tue, 1 Apr 1997 18:35:54 -0800 (PST)
From: C Matthew Curtin <cmcurtin at research.megasoft.com>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)

>> The risk of false and malicious blacklisting of non-spammers.  (Riddle)
Dan> This is a serious problem.  A step towards solving it would be [...]

This is unnecessarily complex.  The NoCeM effort (see http://www.cm.org/ for
details) has simply, and effectively, dealt with the spam problem for
usenet.  Efforts are underway to adapt this to e-mail.

NoCeM works this way:
 * Someone takes it upon himself to watch for spam in a newsgroup (or groups).
 * When spam does appear, that someone posts a "NoCeM" message to
   news:alt.nocem.misc and/or news:news.admin.net-abuse.misc, PGP signed.
 * Users who want to benefit from the filters have clients that, when
   they grab news, look in news:alt.nocem.misc (and potentially other
   places) for NoCeM messages.  The client verifies the signatures,
   and if it's signed by someone the client agrees to listen to, the
   message won't be shown to the user at all.
 * Clients are also available to work with news servers, to NoCeM
   messages on a site-wide basis.  (I believe that these actually
   cancel the NoCeM'd messages on the site.)

This is nice, because it uses what's already there (news), and allows the
user (or admin, depending on the model) to select which users' NoCeMs he
honors.  Either you trust someone's judgement and honor their NoCeMs, or you
don't, and they're completely ignored.

Dan> Unfortunately, doing this would subject whoever did it to a suit
Dan> by spammers who didn't want to be blocked.

Superfluous lawsuits are threatened all the time... few have the resources
of CyberPromo to actually be stupid enough to try any of this.  (It's
another thing about NoCeM...it doesn't kill the messages, it just is another
post, that certain clients deal with behind the scenes. :-)

Matt Curtin  Chief Scientist  Megasoft, Inc.  cmcurtin at research.megasoft.com
http://www.research.megasoft.com/people/cmcurtin/ 

------------------------------

Date: Wed, 2 Apr 1997 11:57:49 -0800 (PST)
From: Ted Wong <tmw5 at cornell.edu>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)

Instead of having a central repository of spam, why not use a
distributed spam-control system analogous to NoCeMs for Usenet news?
Anyone could then issue digitally-signed spam-block notifications, but
an individual user would configure their system to only apply notices
that came from cancellers they trusted. An Alpha version of NoCeM for
e-mail already exists, at <http://www.novia.net/~doumakes/abuse/>.

Some advantages of this system are:

o It thwarts malicious individuals or organizations attempting to
systematically censor e-mail. Unless the user lists them as trusted
cancellers, their notices will be ignored.

o A 'spotcheck' mode would allow users to occasionally receive an otherwise
cancelled e-mail, to ensure that an otherwise trusted canceller hasn't
stepped over the line between spam-blocking and censorship.

o There is no risk of some central database being compromised by spammers or
censors.

o Users receive more timely warnings of new spam, without needing to
periodically check and download a spam-list.

o The spammers have no-one to sue for freedom-of-speech violations.
While I'm not a lawyer, I can't see any way to sue someone for merely
suggesting that a spammer's mail isn't worth reading. 

> > The risk of harm to innocent bystanders who happen to share hostnames,
> > ISPs, or other characteristics with targeted spammers.
> 
> This is not a risk.  This is a benefit.  [...]

I can't see that this is a benefit. Changing your ISP is hardly a trivial
task - you have to notify all of your correspondents of your new e-mail
address, archive any web pages you may have stored at your ISP, reconfigure
your internal network if you were using a Class C subnet, etc. It's grossly
unfair to punish legitimate users because they were unfortunate enough to
have some Canter and Siegel wanna-be set up shop on their ISP.

Ted Wong  Information Technology Section  Mann Library, Cornell University
<tmw5 at cornell.edu>
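
The trust model Matt Curtin describes for NoCeM (signed notices, honored only when the client has chosen to listen to that issuer) and Ted Wong's distributed cancellers with a "spotcheck" mode, as an added example in Python that is not part of the RISKS thread or of the NoCeM software. Issuer names, keys and message-ids are constructed, and an HMAC under a per-issuer key stands in for the PGP signature that real NoCeM notices carry.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Notice:
    """A NoCeM-style notice: an issuer asserts that these message-ids are spam."""
    issuer: str
    message_ids: tuple
    signature: str = ""

def canonical(notice):
    # The bytes the issuer signs: issuer name plus the sorted condemned message-ids.
    return (notice.issuer + "\n" + "\n".join(sorted(notice.message_ids))).encode()

def sign(notice, key):
    # Stand-in for the PGP signature (assumption): HMAC-SHA256 under a per-issuer key.
    notice.signature = hmac.new(key, canonical(notice), hashlib.sha256).hexdigest()
    return notice

def verify(notice, key):
    expected = hmac.new(key, canonical(notice), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, notice.signature)

def spotcheck(message_id, every):
    """Deterministic 1-in-`every` pass-through so users can audit a trusted issuer."""
    if every <= 0:
        return False
    digest = hashlib.sha256(message_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % every == 0

def apply_notices(articles, notices, trusted_keys, spotcheck_every=0):
    """Return (shown, hidden); a notice counts only if its issuer is on the user's
    trust list AND its signature verifies, otherwise it is ignored outright."""
    condemned = set()
    for n in notices:
        key = trusted_keys.get(n.issuer)
        if key is not None and verify(n, key):
            condemned.update(n.message_ids)
    hidden = [m for m in articles if m in condemned and not spotcheck(m, spotcheck_every)]
    shown = [m for m in articles if m not in hidden]
    return shown, hidden

def demo():
    # Constructed keys, issuers and message-ids; real NoCeM uses PGP keys and Usenet ids.
    alice, mallory = b"alice-key", b"mallory-key"
    trusted = {"alice@example.invalid": alice}  # mallory is deliberately not trusted
    articles = ["<spam1@x>", "<spam2@x>", "<ontopic@y>", "<censored@z>"]
    notices = [
        sign(Notice("alice@example.invalid", ("<spam1@x>", "<spam2@x>")), alice),
        sign(Notice("mallory@example.invalid", ("<ontopic@y>",)), mallory),  # untrusted issuer
        sign(Notice("alice@example.invalid", ("<censored@z>",)), b"wrong-key"),  # forged "Alice"
    ]
    return apply_notices(articles, notices, trusted)
```

Mallory's notice and the forged "Alice" notice both drop out without any central database being consulted, which is the property both posts rely on; a spotcheck interval of 1 shows every condemned article, 0 disables auditing.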

------------------------------

Date: Wed, 2 Apr 1997 08:33:02 -0800 (PST)
From: "Rosenthal, Harlan" <rosenthh at dialogic.com>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)

> [...] they will take their business elsewhere.  

Easy to say from a university or company account.  In the real world, nobody
wants to change addresses and notify all of their correspondents, especially
if it means losing an established presence that may have been widely
disseminated to =potential= correspondents (not to mention reprinting
stationery and business cards).  And why should the multitude suffer this
inconvenience, expense, and loss of communication, for the activities of the
few?

Spam is the biggest single argument for usage charges.  As long as it's
cheap to set up a new address and free to abuse it, there's no reason for
the spammers to cut down on e-mailing spam and freeloading on other people's
processors and comm lines.  The fact that spam can be sent from a domain
shared by many legitimate users, and that even new addresses may be reused
after the spammer changes away, means that abusers are hiding among the
innocent like hostage-taking terrorists - hyperbole, perhaps, but congruent
in style if not in magnitude.  The goal of any anti-spam approach should be
to block, slow, or encumber transmission as close to the source as possible.
Yet legitimate cases are always at risk; limiting the cc: lines, for
example, could inconvenience clubs or companies almost as much as it slows
the spammers.  As in any police-power or security effort, the problem is how
much freedom the average innocent person is prepared to give up so that the
abuser can be blocked.

-harlan

------------------------------

Date: Wed, 2 Apr 1997 09:32:46 -0800 (PST)
From: Dan Franklin <dan at copernicus.bbn.com>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)

> The original spamming host is going to show up somewhere in the Received: 
> line, [...]

Note that if you are fortunate enough to have Received: lines to work from
(the most recent spam I received had none at all, either because the relay
host was defective or because it really was sent directly to my mailhost)
you still have a challenge, because the spammer can insert one or more bogus
Received lines in the initial message, so the one added by the first relay
host will be buried in the middle.

By the way, it does not seem practical to me to block all mail-relay sites
that don't add Received lines.  How would you generate such a list?  What
incentive would you provide to such a site to change their software?

Dan Franklin
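
The forged-Received: problem Dan describes, as an added example in Python that is not part of the RISKS thread: Received: headers are prepended by each hop, so a sender can pre-load the message with fabricated lines that point at an innocent host. The check below believes a header only while the relay that wrote it is one we operate, and reports where verifiable history ends; host names, TEST-NET addresses and the trusted-relay list are constructed.

```python
import re
from email import message_from_string

# Matches the hop recorded in one Received: header: "from <host> ([<ip>]) by <host>".
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)", re.I)

# Constructed sample (TEST-NET addresses, .invalid names): the sender connected to our
# relay directly from 198.51.100.7 but pre-inserted a Received: line that blames an
# unrelated host, so the bottom-most line is NOT the true origin.
SAMPLE = """\
Received: from relay.example.invalid ([192.0.2.10]) by mx.example.invalid with ESMTP; Wed, 2 Apr 1997 10:00:03 -0800
Received: from spamhost.invalid ([198.51.100.7]) by relay.example.invalid with ESMTP; Wed, 2 Apr 1997 10:00:01 -0800
Received: from mail.innocent.invalid ([203.0.113.9]) by relay.bogus.invalid with SMTP; Wed, 2 Apr 1997 09:59:00 -0800
From: someone@innocent.invalid
Subject: constructed sample
To: victim@example.invalid

body
"""
OUR_RELAYS = {"mx.example.invalid", "relay.example.invalid"}

def parse_received(value):
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    return {"from_host": m.group(1), "from_ip": m.group(2), "by": m.group(3)} if m else None

def naive_origin(raw):
    """The mistake: trust the bottom-most Received: line as the originating host."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    return hops[-1]["from_ip"] if hops and hops[-1] else None

def verifiable_origin(raw, trusted_relays):
    """Walk Received: headers top-down (most recently added first). A header is
    believed only while the 'by' host is a relay we operate; the 'from' IP of the
    last believed header is the furthest point we can vouch for, and every header
    below it was already in the message when it reached us, so it may be forged."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    origin, unverified = None, hops
    for i, hop in enumerate(hops):
        if hop is None or hop["by"] not in trusted_relays:
            unverified = hops[i:]
            break
        origin, unverified = hop["from_ip"], []
    return origin, unverified
```

A message with no Received: lines at all, the other case Dan mentions, yields no origin rather than a guess.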

------------------------------

Date: Wed, 2 Apr 1997 10:57:55 -0800 (PST)
From: "J. DeBert" <onymouse at hypatia.com>
Subject: Re: Risks of automatic spam blockers (Zerkle, RISKS-19.02)

Any method of auto-blocking spam will create a serious problem for anyone
who later acquires the spammers' discarded domain names.

Spammers are registering lots of domain names and faking many to evade
anti-spam and cancel bots and to hide from their enemies as well as the
public at large. Once they are done with the domain names and they--the
registered names--become available again, the next organization to acquire
the name will find their mail bouncing or disappearing into /dev/null
somewhere and perhaps harassed by bots and hostile spam-haters which do not
know that the domain name has changed hands. The unfortunate victims of such
acts may not even be able to escape them by merely changing their domain
name, either.

Who is going to remove dead spammer domains from the anti-spam and cancel
bots' records and make sure that everyone knows about it?

onymouse at hypatia.com | I've only one thing to 
 Send NO spam        | say to spammers: "47USC227".

  [Many thanks to an onymouse contributor (J DeBert), 
  who acted as a guest moderator for this topic.  PGN]

------------------------------

End of RISKS-FORUM Digest 19.04 
************************



Date: Tue, 22 Apr 1997 12:03:12 -0700 (PDT)
From: risks at csl.sri.com
Subject: RISKS DIGEST 19.10

RISKS-LIST: Risks-Forum Digest  Tuesday 22 April 1997  Volume 19 : Issue 10

----------------------------------------------------------------------

Date: Thu, 17 Apr 97 19:49:30 EDT
From: dlv at bwalk.dm.com (Dr.Dimitri Vulis KOTM)
Subject: Re: Risks of automatic spam blockers (Curtin, RISKS-19.04)

On the risks of issuing NoCeMs

I've been issuing NoCeMs for off-topic articles in several newsgroups (both
global Usenet and the nyc.* hierarchy) since the summer of '96.  I've
received two legalese threats of legal action from posters of material that
matched my criteria of being off-topic.

1. Michael Weir, a recruiter from Canada, insisted on posting job ads in
an unmoderated discussion newsgroup whose charter prohibits job ads and
resumes. He threatened to sue me for using his name in the NoCeM notices.
He also posted a series of abusive flames about me. A search of DejaNews
revealed several articles from him in Canadian newsgroups discussing
his litigations and asking for personal information about a judge.
Eventually he went away.

2. The "New York Theosophical Society" insists on posting in the local
newsgroup nyc.seminars (usually used to announce, what else, seminars).  One
Bart Lidofsky responded to the NoCeM articles by saying:

"I consider these messages to be a form of harassment, and will treat them
as such."

I have also seen several claims that the NoCeM notices themselves are
"spam".  Apparently, this term now applies to any traffic that the user
doesn't like for any reason.

I understand that other issuers of NoCeMs have also received threats, and at
least one poster has been forging old-fashioned cancels for the NoCeM
notices that mention his articles (another good reason to stop processing
all old-fashioned cancels).

Dimitri "co-proponent of news.lists.filters where NoCeM notices are posted"
Vulis  Dr.Dimitri Vulis KOTM

------------------------------

End of RISKS-FORUM Digest 19.10 
************************


Standard Risks reuse disclaimer:

  Reused without explicit authorization under blanket
  permission granted for all Risks-Forum Digest materials.
  The author(s), the RISKS moderator, and the ACM have no
  connection with this reuse.
