blackhole spam => mail unreliability (Re: A Trial Balloon to Ban Email?)
Anne & Lynn Wheeler
lynn at garlic.com
Sat May 10 08:36:43 PDT 2003
do you think that earthlink would automatically blacklist aol if it found
incoming spam from aol? I think that earthlink would contact aol and say
... your ingress filtering doesn't seem to be working. It would only be
after all attempts to understand aol's ingress filtering that earthlink
might take action.
again ... it is analogous to somebody hearing about traffic lights for the
first time and coming up with all the reasons why people would ignore
traffic lights.
I would claim that the current issue isn't that spam exists (aka traffic
violations), it is that there are billions of spams each day; that this
easily cuts the majority of it if the top ten start doing ingress mail
filtering; and that ingress mail filtering is orders of magnitude more
efficient than other kinds of solutions.
the blacklisting isn't for the mistakes ... it is for the ISPs that
obviously aren't going to follow the traffic rules.
so there are lots of kinds of tunneling. the major ISPs are already doing
ingress filtering for email not coming from a recognizable customer. so
tunneling actually reduces to a common vulnerability with ISPs not doing
ingress email filtering (aka the tunneling issue to an ISP that isn't doing
ingress email filtering is a common vulnerability with a customer directly
getting an email account with an ISP that isn't doing ingress email
filtering). So the issue comes back to ISPs that are recognized as not
doing ingress email filtering.
So let's say this gets something like 80 percent of the traffic violations.
So the majority of the random traffic violations are now starting to be
taken care of. There are 1) the corporations effectively operating as
private ISPs, 2) compromised machines, 3) random anarchy.
So both #2 and #3 are vulnerabilities treated just the same as a real
spammer getting a real account and directly doing spam. These two
vulnerabilities should be caught by ingress email filtering. Real spammers
caught by ISP ingress filtering, compromised machines caught by ISP ingress
filtering, and hit&run anarchists caught by ingress filtering .... all
appear to be a common vulnerability caught by ingress email filtering.
The issues actually reduce to a very few simple, non-complex vulnerabilities
from a business process standpoint (ignoring all the technology twists and
turns): 1) ISPs that do ingress email filtering and 2) ISPs that do not do
ingress email filtering.
If ISPs are doing ingress email filtering .... then all the situations of
known spammers, spammers masquerading enormously getting accounts, spammers
compromising other machines and masquerading enormously, tunneling, etc ...
all get taken care of. There are still the periodic traffic accidents where
somebody might be able to do a couple hundred before getting cut .... but
it probably reduces over 90 percent of the traffic.
So the remaining issue is whether an ISP is following the traffic laws and
doing ingress email filtering or flagrantly flouting the law and letting
millions of spam thru. This is regardless of whether it is a real public
ISP ... or effectively a corporate/private ISP. The other ISPs then use
blacklisting. The first line of defense is that all ISPs are to do ingress
email filtering and the 2nd line of defense is that the major ISPs do
blacklisting on the ISPs that obviously are flouting the law.
The primary business issue is that the majority of spam is being done for some
profit .... that the cost of sending the spam is less than the expected
financial return. This should address the 99th percentile.
Again, it is very simple: the first line of defense is ingress email filtering.
This is only a moderate extension of what the major ISPs are currently
doing with regard to not accepting email from entities that are obviously
not their customers, current traffic limiting business rules, etc. The
second line of defense is blacklisting ISPs that aren't following the
traffic rules. I claim it is actually much simpler and much more
effective.
So back to the obvious traffic violations. One is the compromised machines.
A large proportion of the compromised machines are there because they all got
hit by a spamming virus. I claim that over time if over 90 percent of
spamming gets cut ... then 90 percent of the machines that get compromised
by a virus in spam can also get cut.
The situation is now down to a large number of compromised machines each
sending a couple hundred emails ... staying under the ingress filtering
radar. That is orders of magnitude better than the current situation and
it is starting to reduce the case to manageable traffic violations.
So this scenario gets down to providing significantly more focus on
compromised machines ... and back to a recent comment about lots of vendors
saying that consumers won't pay for better security ... because they have
no motivation. This is somewhat the insurance industry theory of improving
on the severity of traffic accidents (what motivated automobile manufacturers
to build safer cars). My ISP currently charges me extra over the flat rate for
certain behavioral activities. Violating ingress email filtering rules
would be such a valid inducement. I get ingress email filtering accident
insurance; the premiums are based on the integrity of the machine I'm operating.
So, two simple rules .... 1) ISPs do ingress email filtering, and 2) ISPs
blacklist other ISPs that flagrantly violate the ingress email filtering rules.
With a sizeable reduction in spam, there is a corresponding sizeable
reduction in compromised machines. However, compromised machines that do
spam and hit the ISP's ingress email filtering rules get fined. It is
treated as an accident and operating an unsafe vehicle. You can get accident
and fine insurance .... but the premium is related to the kind of machine you
operate. Some inducement for the consuming public to purchase safer machines.
The two simple rules ... with the fines for violations then provide some
inducement for consumer buying habits regarding purchasing safer machines.
And it is all quite similar to policies and practices currently in place.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
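The two rules the post keeps returning to (an ISP refuses outbound mail that does not come from one of its own customers and rate-limits what its customers do send; peer ISPs that keep leaking spam are first contacted and then blacklisted) can be shown as a small decision model. The following is an added example, not code from the original post or from any ISP; the customer address blocks, the 200-per-hour limit, the "contact" and "blacklist" thresholds and the sample events are all constructed for illustration.

```python
"""Toy ISP outbound-mail ("ingress") filter plus peer-ISP blacklisting.

Added example; not from the original post. Customer ranges, rate limits,
thresholds and sample events are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Assumed: address blocks this ISP hands out to its own customers.
CUSTOMER_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed policy knobs (not taken from the post).
PER_SOURCE_HOURLY_LIMIT = 200      # one customer host may send this many per hour
PEER_WARN_THRESHOLD = 1_000        # spam seen from a peer ISP before "contact them"
PEER_BLACKLIST_THRESHOLD = 10_000  # spam seen from a peer ISP before refusing it


@dataclass
class IngressFilter:
    """First line of defense: only our own customers may submit outbound
    mail, and each source is rate limited so a compromised host cannot flood."""
    sent_this_hour: dict = field(default_factory=lambda: defaultdict(int))
    violations: dict = field(default_factory=lambda: defaultdict(int))

    def is_customer(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in CUSTOMER_NETS)

    def submit(self, ip: str) -> str:
        """Decide one outbound message from `ip`; returns an SMTP-style verdict."""
        if not self.is_customer(ip):
            # Not our customer: classic open-relay abuse, refuse outright.
            return "550 relaying denied"
        self.sent_this_hour[ip] += 1
        if self.sent_this_hour[ip] > PER_SOURCE_HOURLY_LIMIT:
            # Over the limit: a compromised machine or a spammer with a real
            # account. Record the violation for the billing/"fine" follow-up.
            self.violations[ip] += 1
            return "450 rate limit exceeded"
        return "250 accepted"


@dataclass
class PeerBlacklist:
    """Second line of defense: count spam arriving from each peer ISP and
    escalate from "contact them" to refusing their mail."""
    spam_from: dict = field(default_factory=lambda: defaultdict(int))

    def report_spam(self, peer: str, count: int = 1) -> None:
        self.spam_from[peer] += count

    def status(self, peer: str) -> str:
        n = self.spam_from[peer]
        if n >= PEER_BLACKLIST_THRESHOLD:
            return "blacklisted"
        if n >= PEER_WARN_THRESHOLD:
            return "contact"
        return "ok"

    def accept_from(self, peer: str) -> bool:
        return self.status(peer) != "blacklisted"


def demo() -> dict:
    """Run constructed events through both lines of defense."""
    f = IngressFilter()
    stranger = f.submit("203.0.113.7")        # not a customer: open-relay attempt
    normal = f.submit("10.1.2.3")             # customer sending normal volume
    flood = [f.submit("10.9.9.9")             # compromised customer host flooding
             for _ in range(PER_SOURCE_HOURLY_LIMIT + 5)]
    bl = PeerBlacklist()
    bl.report_spam("peer-a", 50)       # occasional leak: leave alone
    bl.report_spam("peer-b", 2_500)    # their filtering "doesn't seem to be working"
    bl.report_spam("peer-c", 12_000)   # obviously not filtering: blacklist
    return {
        "stranger": stranger,
        "normal": normal,
        "flood_rejected": flood.count("450 rate limit exceeded"),
        "flood_violations": f.violations["10.9.9.9"],
        "peer_a": bl.status("peer-a"),
        "peer_b": bl.status("peer-b"),
        "peer_c": bl.status("peer-c"),
        "peer_c_accepted": bl.accept_from("peer-c"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The flood case is the post's "couple hundred before getting cut": the first 200 messages from the compromised host pass, the rest are refused and logged as violations, while a spammer who is not a customer at all never gets past the first check. The peer side only changes state on volume, so a single leaked message from a filtering ISP does not blacklist it.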