blackhole spam => mail unreliability (Re: A Trial Balloon to Ban Email?)

Anne & Lynn Wheeler lynn at garlic.com
Sat May 10 08:36:43 PDT 2003


do you think that earthlink would automatically blacklist aol if it found 
incoming spam from aol? I think that earthlink would contact aol and say 
... your ingress filtering doesn't seem to be working. It would only be 
after all attempts to understand aol's ingress filtering that earthlink 
might take action.

again ... it is analogous to somebody hearing about traffic lights for the 
first time and coming up with all the reasons why people would ignore 
traffic lights.

I would claim that the current issue isn't that spam exists (aka traffic 
violations), it is that there are billions of spams each day, and that this 
easily cuts the majority of it if the top ten start doing ingress mail 
filtering, and that ingress mail filtering is orders of magnitude more 
efficient than other kinds of solutions.

the blacklisting isn't for the mistakes ... it is for the ISPs that 
obviously aren't going to follow the traffic rules.

so there are lots of kinds of tunneling. the major ISPs are already doing 
ingress filtering for email not coming from a recognizable customer. so 
tunneling actually reduces to a common vulnerability with ISPs not doing 
ingress email filtering (aka the tunneling issue to an ISP that isn't doing 
ingress email filtering is a common vulnerability with a customer directly 
getting an email account with an ISP that isn't doing ingress email 
filtering). So the issue comes back to ISPs that are recognized as not 
doing ingress email filtering.

So let's say this gets something like 80 percent of the traffic violations.

So the majority of the random traffic violations are now starting to be 
taken care of. There are 1) the corporations effectively operating as 
private ISPs, 2) compromised machines, 3) random anarchy.

So both #2 and #3 are vulnerabilities treated just the same as a real 
spammer getting a real account and directly doing spam. These two 
vulnerabilities should be caught by ingress email filtering. Real spammers 
caught by ISP ingress filtering, compromised machines caught by ISP ingress 
filtering, and hit-and-run anarchists caught by ingress filtering .... all 
appear to be a common vulnerability caught by ingress email filtering.

The issues actually reduce to a very few simple, non-complex vulnerabilities 
from a business process standpoint (ignoring all the technology twists and 
turns): 1) ISPs that do ingress email filtering and 2) ISPs that do not do 
ingress email filtering.

If ISPs are doing ingress email filtering .... then all the situations of 
known spammers, spammers masquerading enormously getting accounts, spammers 
compromising other machines and masquerading enormously, tunneling, etc ... 
all get taken care of. There are still the periodic traffic accidents where 
somebody might be able to do a couple hundred before getting cut .... but 
it probably reduces over 90 percent of the traffic.

So the remaining issue is whether an ISP is following the traffic laws and 
doing ingress email filtering or flagrantly flouting the law and letting 
millions of spam thru. This is regardless of whether it is a real public 
ISP ... or effectively a corporate/private ISP. The other ISPs then use 
blacklisting. The first line of defense is that all ISPs are to do ingress 
email filtering and the 2nd line of defense is that the major ISPs do 
blacklisting on the ISPs that obviously are flouting the law.

The primary business issue is that the majority of spam is being done for some 
profit .... that the cost of sending the spam is less than the expected 
financial return. This should address the 99th percentile.

Again, it is very simple: first line of defense is ingress email filtering. 
This is only a moderate extension of what the major ISPs are currently 
doing with regard to not accepting email from entities that are obviously 
not their customers, current traffic limiting business rules, etc. The 
second line of defense is blacklisting ISPs that aren't following the 
traffic rules. I claim it actually is rather simpler and much more 
effective.

So back to the obvious traffic violations. One is the compromised machines. 
A large proportion of the compromised machines are there because they all got 
hit by a spamming virus. I claim that over time if over 90 percent of 
spamming gets cut ... then 90 percent of the machines that get compromised 
by viruses in spam can also get cut.

The situation is now down to a large number of compromised machines each sending 
a couple hundred emails each ... staying under the ingress filtering 
radar. That is orders of magnitude better than the current situation but 
it is starting to reduce the case to manageable traffic violations.

So this scenario gets down to providing significantly more focus on 
compromised machines ... and back to a recent comment about lots of vendors 
saying that consumers won't pay for better security ... because they have 
no motivation. This is somewhat the insurance industry theory of improving 
on severity of traffic accidents (what motivated automobile manufacturers to 
build safer cars). My ISP currently charges me extra over the flat rate for 
certain behavioral activities. Violating ingress email filtering rules 
would be such a valid inducement. I get ingress email filtering accident 
insurance; the premiums are based on the integrity of the machine I'm operating.

So, two simple rules .... 1) ISPs do ingress email filtering, and 2) ISPs 
blacklist other ISPs that flagrantly violate the ingress email filtering rules.

With a sizeable reduction in spam, there is a corresponding sizeable 
reduction in compromised machines. However, compromised machines that do 
spam and hit the ISP's ingress email filtering rules get fined. It is 
treated as an accident and operating an unsafe vehicle. You can get accident 
and fine insurance .... but the premium is related to the kind of machine you 
operate. Some inducement for the consuming public to purchase safer machines. 
The two simple rules ... with the fines for violations then provide some 
inducement for consumer buying habits regarding purchasing safer machines. 
And it is all quite similar to policies and practices currently in place.

--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
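A toy model of the two rules argued in the post above (rule 1: the ISP's outbound relay only accepts mail from recognizable customers and cuts a customer off past a traffic cap; rule 2: peer ISPs notify, then blacklist, an ISP whose emitted spam stays high), added here as an illustration and not the poster's code. The customer address blocks, the 200-a-day cap, the spam-ratio threshold and the three-strike rule are assumed sample values.

```python
"""Defender-side model of 'ISPs do ingress email filtering' and 'ISPs blacklist
ISPs that flagrantly don't'.  All thresholds are assumed, not from the post."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class IngressFilter:
    """Rule 1, as applied on an ISP's outbound mail relay."""
    customer_nets: list                  # address blocks assigned to this ISP's customers
    daily_cap: int = 200                 # per-customer cap: the post's 'couple hundred' radar
    sent: Counter = field(default_factory=Counter)

    def is_customer(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.customer_nets)

    def accept(self, src_ip):
        """Return (accepted, reason).  Mail from a non-customer is refused outright;
        a customer who exceeds the cap is cut off and left flagged for follow-up."""
        if not self.is_customer(src_ip):
            return False, "not-a-customer"
        self.sent[src_ip] += 1
        if self.sent[src_ip] > self.daily_cap:
            return False, "rate-cap"
        return True, "ok"


@dataclass
class PeerBlacklist:
    """Rule 2, as kept by the other ISPs about each peer ISP."""
    spam_ratio_limit: float = 0.5        # assumed: more than half of a day's mail is spam
    strikes_before_block: int = 3        # assumed: contact the peer first, block only if it persists
    strikes: Counter = field(default_factory=Counter)
    blocked: set = field(default_factory=set)

    def observe_day(self, peer, messages, spam):
        """Record one day's mail from `peer`; returns 'ok', 'notified' or 'blacklisted'."""
        if messages and spam / messages > self.spam_ratio_limit:
            self.strikes[peer] += 1
        else:
            self.strikes[peer] = 0       # a filtering ISP's occasional mistake is forgiven
        if self.strikes[peer] >= self.strikes_before_block:
            self.blocked.add(peer)
            return "blacklisted"
        return "notified" if self.strikes[peer] else "ok"
```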
More information about the cypherpunks-legacy mailing list