Spam, phishing and other trash transmissions

Summary: fixing the inappropriate internet use problem is easy: all it requires is the will to do it and some minor changes in router and email software.

TOPICS: Tech Industry
One Nick FitzGerald, a long-time PC security researcher, has been making the news lately with a paper dedicated to the proposition that user authentication isn't all that effective as a means of stopping spam, phishing, and other forms of junk TCP/IP transmissions.

Here's the summary provided by Virus Bulletin:

SPF, Caller-ID, Sender ID and DomainKeys are all, to varying degrees, user authentication schemes being actively pushed as anti-spam measures - things that will slightly change how we do email but significantly reduce, if not eliminate, spam and keep it down. All such claims are based on a naive belief in the power of user authentication to beat the spam problem.

Sadly, the common claim that these approaches will greatly reduce spam is not only a misguided idealisation of what may be achievable, but it is downright wrong-headed. The chance to make a buck may be behind one or two of the major players pushing for such solutions, but mainly the inability of these approaches to deliver what is so often promised is apparently due to abject ignorance of how the world is already really working in ways that render these proposals useless. This paper will point out a few nasty facts about spam and spamming that the SPF, etc. folk have either entirely missed or chosen to ignore, then proceeds to explain why these realities not only make SPF, etc. irrelevant as anti-spam approaches, but also all but entirely remove the real, but very small, advantages the more conservative sometimes claim for these approaches.

I haven't been able to get the full paper yet, but other things he's said suggest that the core objections come down to how easy it is to spoof all forms of Sender ID, how enforcement assumptions violate the realities of ISP economics, and how resistant the PC community is to security-motivated procedural change.

As I've said elsewhere, fixing the inappropriate internet use problem is easy: all it requires is the will to do it and some minor changes in router and email software.

Specifically what needs to be done is:

  1. The software on at least one major company's router products needs to change to incorporate strong device authentication such that each router inside the trusted community this creates can "know" with certainty which other member was the first one in the community to process an arriving message.

    The point here is simple: there is no such thing as free internet access - for every access, there is someone who pays. Putting internet edge routers inside a trusted community allows co-operating ISPs to securely embed and verify sender account information in every message at the point where that message is first placed on the internet.
  2. Some major mail clients and some major mail transfer agents will need to be modified to display sender account information.
  3. Some sample code should be provided to enable a multiple-to-one email response to an inappropriate transmission from a known sender by sending back a much larger number of responses.

Thus, for example, a phishing attack, originating on bot-ed PCs on a dozen local networks, would draw a flood of emails arriving at the network gateways for the originating PCs. The PC operators, whether professionals or home users, would therefore quickly become aware of the problem and face a continued denial of service until they take remedial action - at which point the sending stops, and the denial of service therefore does too.

Notice that the source information is added to all packets by the first ISP owned router to handle them. As a result, spoofing this (for example to create denial of service attacks on third parties) would be extremely difficult since the technology needed to secure router identification is well known and understood.
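As an added illustration of steps 1 and 2 above (example code, not from the post or from any router vendor), here is the tagging and verification a first-hop edge router and a receiving MTA or mail client would perform. It assumes a per-router secret shared inside the ISP community and a standard-library HMAC in place of real device credentials, and the header names are hypothetical:

```python
import hashlib
import hmac
import json

# Constructed example keys: one secret per edge router, shared only inside the
# co-operating ISP community. A real deployment would use per-device asymmetric
# credentials; HMAC keeps this runnable with the standard library alone.
COMMUNITY_ROUTER_KEYS = {
    "isp-a-edge-01": b"example-secret-for-isp-a-edge-01",
    "isp-b-edge-07": b"example-secret-for-isp-b-edge-07",
}
ORIGIN_HEADER = "X-Origin-Account"  # hypothetical header names
ORIGIN_MAC_HEADER = "X-Origin-MAC"

def body_digest(raw_message: bytes) -> str:
    return hashlib.sha256(raw_message).hexdigest()

def verified_account(headers: dict, raw_message: bytes):
    """Receiving MTA or client: the sender account, or None if the tag is
    missing, from an unknown router, forged, or no longer matches the body."""
    payload, mac = headers.get(ORIGIN_HEADER), headers.get(ORIGIN_MAC_HEADER)
    if payload is None or mac is None:
        return None
    try:
        fields = json.loads(payload)
    except ValueError:
        return None
    key = COMMUNITY_ROUTER_KEYS.get(fields.get("router")) if isinstance(fields, dict) else None
    if key is None:
        return None  # not a member of the trusted community
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # account information spoofed or altered in transit
    if fields.get("sha256") != body_digest(raw_message):
        return None  # body changed after tagging
    return fields.get("account")

def tag_at_first_hop(headers, raw_message, router_id, account_id):
    """Edge router: bind the paying account to the message at first entry.
    A tag that already verifies is kept, so the tag names the first community
    member to handle the message; an unverifiable one is replaced."""
    if verified_account(headers, raw_message) is not None:
        return headers
    payload = json.dumps({"router": router_id, "account": account_id,
                          "sha256": body_digest(raw_message)}, sort_keys=True)
    key = COMMUNITY_ROUTER_KEYS[router_id]
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {**headers, ORIGIN_HEADER: payload, ORIGIN_MAC_HEADER: mac}
```

A tag naming a router outside the community, or one whose MAC does not match, verifies to nothing, which is the property the spoofing argument above relies on.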

Basically two things happen: first, whoever pays for the internet access being abused, intentionally or otherwise, faces the penalty and gets forced to take action. Second, phishers, spammers, and others maintaining their own offshore access accounts to receive responses - whether HTML page requests or email - get flooded by false responses and become unable to winnow the chaff from the paydirt: basically transferring the SPAM problem to its originators.

Put this structure in place using just one major company's router products and that company will have a significant short term market advantage - bringing the current flood of SPAM and other inappropriate network transmissions to a crashing halt.

  • Losing your soul?

    Stooping to the level of hackers by intentionally creating DOS attacks is very troubling. The poor soul whose PC was hijacked into being a bot is the one that pays - like REAL money for a professional to clean his machine. I would prefer to see the ISP shut down his email ability and he receives only ONE email per day - from the ISP explaining why he can't get any mail.

    In the end, even spammers will figure out a way around this. If "depth" of spamming is easily id'ed, then they will go to "breadth" - co-opting thousands of machines that send out a few spam messages apiece. This would be MUCH more difficult to identify without scanning people's email - which is NOT something that people like to see.

    I'm no expert on email, but the way to combat spam is to change the underlying protocols. I've read about certain DNS/MX record stuff that is unused today and could be utilized to combat spam. It would be a CHORE, but we need to figure out how to do email RIGHT at the protocol level, and then have ISPs push customers to use it. SMTP is TOO simple and needs to be updated.
    Roger Ramjet
    • the dns/mx stuff is sender id

      And is trivially easy to beat.

      Worse, it's limited to spam/phishing - and says nothing about other means of spreading malware. My approach applies equally to SQL Server probes etc.

      As for innocent victims: yes, there would be some, but right now I'm a victim, and so are you, and we neither send spam nor let others use our gear to do it. Maybe it's past time to hold the people whose bad choices lead to the problem responsible?
  • tracking spam is nice

    but the real answer lies in denying access to the "bot farm" in the first place, secured operating systems are a must. A dos attack on the offending machines is a good response to the problem, as it offers real incentive for the person with an unsecured machine to find a solution (fixing the machine and securing it.) Most people don't know about securing their operating systems.

    If by this point Microsoft can't provide a secure OS then I think they too should get a forward of the spam to let them understand the breadth of the problem.
    • I agreed with you - in about 1985

      and 86
      and 89
      and 96
      and 2000

      All major new releases, each worse than the last one.

      When do we learn?
      • You're not talking about

        ..."Windows 85", are you?
  • Advocating DOS attacks by mailbombing?

    As an approved *standard*? With supporting tools, widely available?

    Talk about instantly losing your credibility...
    diane wilson
    • umm - perhaps you could read the blog

      Yes, I'm suggesting "mailbombing" but before you get upset, please read the blog so you understand what the controls are and why I think doing this makes sense.
  • Misunderstanding of authentication

    "SPF, Caller-ID, Sender ID and DomainKeys are all, to varying degrees, user authentication schemes being actively pushed as anti-spam measures - things that will slightly change how we do email but significantly reduce, if not eliminate, spam and keep it down."

    WRONG. They only serve to authenticate the identity of the person sending the emails. They do *not* claim to curb spam, nor do they do so. It is up to *other* technologies to check the now confirmed identity to see if the email is spam or ham.
    • Exactly the point

      The parent post is correct. SPF (et al) will not "cure spam". However, by implementing them on a wide scale, authentication standards allow other techniques to be used more effectively (like ISPs blocking port 25, etc.).
  • Spamassassin is your friend! (nt)

    none none
  • DoS Attacks on Spammers

    Let's see if I understand this correctly. DoS attacks on computers that are sending out spam, etc. until those computers stop sending spam.

    With all the publicity about keeping one's computer up to date in security patches, anti-virus and anti-spyware programs, I do not feel any sympathy for a user who has chosen not to do this and has had their computer hijacked. If they are doing this because they have a pirated copy of an OS, they are SOL. (Shame on Microrot if they do not allow anyone to keep their OS and IE up to date with critical security patches.) They have lost their privilege to use the Internet until they fix things.

    Minimal users of the Internet likely will be unaffected simply because they are not online enough to be found and compromised.

    Spammers sending out their trash will, um, be denied access to the Internet until they stop sending spam. Sounds about right to me.

    Until a spammer is forced to act responsibly, i.e., ask for permission to send their spam, dutifully remove addresses of those who do not want to receive the spam AND not sell those same addresses to others, then they can regain their Internet privileges.

    An ounce of prevention is worth a pound of cure. Attack spam at the source instead of treating the symptoms will more quickly thwart the spammers and force them to decide if it is worth continuing to act irresponsibly or clean up their act.

    Right now, spammers' costs of doing business are such that it is worth continuing to act as they do. If we can up those costs high enough, then the spammers will be forced elsewhere because they then cannot make money.
  • It's a dumb idea - stick to Linux

    All that would do is cause sporadic, ongoing service outages for many people, without resolving the issue. Authentication is much more practical and has a much better chance of leading to a long term solution.
    • Linux doesn't solve this

      Actually, according to most "penguins", Linux systems can handle greater volumes of email, both at the end-user and the server level. In other words, if this were a penguin world instead of a MS one, we would have more SPAM, not less.