Re: spoofing email addresses

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 27 May 2004 18:23:17 +0200, Iljitsch van Beijnum said:
> There is also the possibility of blacklisting known bad credentials.

Anybody who's had to get themselves out of 3,000 private blacklists, and
anybody who's had to fight with places that were blackholing the 69/8 address
space, knows that private blacklists are a bad idea.

And nobody seems to want to trust anybody to run a public blacklist to
everybody's satisfaction.  Consider that we as an industry haven't even figured
out how to pick an organization to supervise the DNS to everybody's
satisfaction.  Think about ICANN and "how many TLD's should there be?" and
Verisign's "Site Finder".  Add in Matt Blaze's adage about "A CA can protect
you from anybody they're not accepting money from", and the various
jurisdictional issues.  Then ask yourself if we're in any position to let
*anybody* decide "You can't send/receive email".

(Notice, I haven't said it's impossible - I said that we as a community don't
know how to do it.  There's a big and very important distinction there...)

> Yes, spammers can steal credentials, but this is several orders of 
> magnitude more difficult than just generating a random from address as 
> can be done today. The question is whether spammers can obtain new 
> credentials (stolen or otherwise) faster than others can blacklist 
> them. For user-based credentials this could very well be the case 
> (although I'm not conceding to that), but for MTA-based credentials it
> should be possible to rate limit the obtaining of a new identity such 
> that spammers can no longer reach critical mass. (I.e., wait a week 
> before you can use an MTA with a certain address, then spam an hour 
> before you're blacklisted reduces the amount of spam that can be sent 
> from an address by a factor 169.)

There's two problems with this:

1) Waiting a week probably isn't a sellable to the user community.  If you
don't believe me, consider how fast people bailed their domain registrations
away from a registrar that had a reputation of taking a week to do anything,
and going to registrars that promised setup times measured in hours.

2) The assumption that you can catch, verify, and deploy a blacklist for a
spammer in an hour is highly suspect, for several reasons:

(a) it means that the *effective* TTL of a DNS MX entry is much lower than an
hour (as everybody will have to re-fetch at least 2-3 times an hour to verify
they're not blacklisted - a once-an-hour update means that on the *average*
there will be a 30 minute delay, and up to 59 minutes at worst case).  Notice
how few software products that use X.509 certs actually implement CRL's
*correctly*...

(b) "Under an hour" deployment almost certainly implies an automated process to
blacklist..  That has "denial of service" written all over it....

Again, I haven't said it's *impossible* - merely that we've not seen a concrete
proposal that actually has the right scaling and uptake characteristics...

> "The people who claim that something can't be done shouldn't get in the 
> way of the people doing it."

I didn't say it *cant* be done.  I said there were known problems that any
successful solution would have to address.

Solving the spam problem is like solving global warming - neither is a problem
that demonstrably *cant* be done, but both are problems that we don't know how
to solve and which don't have anybody actively solving the problem in a production
mode (the fact that both are still perceived as a problem is proof that neither is
actually being solved).

Attachment: pgp00443.pgp
Description: PGP signature

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]