Rich Kulawiec, Longtime Anti-Spam Activist, Speaking in SPAM-L on Shortcomings of Recent Proposed Changes to Email to Fight Spam.

Original Post Archived at peach.ease.lsoft.com LISTSERV Archives (free subscription required)
Date:         Mon, 1 Mar 2004 13:53:28 -0500
Sender:       Spam Prevention Discussion List 
From:         Rich Kulawiec 
Subject:      Re: MEDIA: m$ "Caller-ID" v SPF v Yahoo! "Domain Keys"
In-Reply-To:  <200402290134.i1T1YmQ17907.smij@home.gtcs.com>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

All of these will fail to achieve the goal of stopping spam.

Not because there aren't some good ideas in them: SPF has several
very nice ideas.  The "Tripoli" proposal has some good things.
And so on.

No, they will fail because none of them take into [adequate]
account at least three major factors.

1. They all presume that end user systems are actually under
the control of their putative owners.  They're not.  By the
tens of millions.

2. They all presume that network operators have a vested interest
in controlling outbound spam/abuse from their networks.

3. They all presume that SMTP (as used by spammers today) is
the only means by which spam can be shoveled.


Point 1 means that any virus/worm-infected end-user system can
be used to subvert any/all of these mechanisms, since of course
whatever code is running on that system "knows" whatever the user
of that system knows, and can thus emit spam that complies with
whatever "caller-ID" system is in use.

This cannot be solved without replacing the operating systems on
those end-user systems with one that isn't trivially compromised.

That will not happen.

Point 2 means that the same network operators who have already
established multi-year track records of failing to do anything
about the abuse outbound from their networks will keep doing the
same thing: nothing.  This, coupled with #1, means that tens
of millions of 0wned systems will remain 0wned (modulo the
occasional addition or subtraction) and that they will continue
to be used to conduct attacks, send spam, 0wn other systems, etc.

This cannot be solved without holding network operators accountable
for the traffic coming out of their networks.  The only viable
mechanisms for doing so at present are DNSBLs.  However, the current
levels of fiscal pain inflicted by DNSBLs are not high enough to
cause the necessary actions on the part of some network operators.

Point 3 means that spammers have already shown great adaptability
in migrating from NNTP to SMTP to {pick your other abused protocol}.
If necessary, they will do so again.  Their object is NOT to send spam
via SMTP: their object is to get the payload in front of eyeballs, and
SMTP is only a means to that goal.  I fully expect the next generation
of spam-facilitating malware to accept spam downloads and *write them
directly to the MUA storage area on the target system*.  No SMTP.  No DNS.
I further expect that malware to start piggybacking spam payloads on
ordinary outbound messages and/or disguising it as ordinary outbound
messages, sent right through the designated outbound mail server.
And so on -- it just gets worse from there, especially as other protocols,
wireless services, integrated Internet/phone functionality, etc. come
into play.


None of these caller-ID packages can address these problems -- although
some of the features of some of them can/will be useful in mitigating
the effects.

But anyone who thinks, or claims, that these packages are
"The Answer" to spam is being overly optimistic.  They need to be evaluated
not as "The Answer" but as "useful techniques with some applicability,
which must be evaluated in terms of their costs and benefits".

And one of the costs that really REALLY needs to be assessed is "how
much control does this mechanism place in the hands of entities who are
best known for utilizing control in order to maximize profits?"  To put
it less obliquely, there is NO WAY that Microsoft would weigh in with a
proposal unless they had already figured out a way to profit massively
from it.  They're evil bastards, but they're geniuses at making money.
They never do *anything* without a reason, and that reason is "profits".
So whatever comes out of Redmond needs to be scrutinized VERY carefully,
because I assure you there IS a catch -- or ten.

But M$ aside, all the proposals need to be assessed in terms of the
level of effort required to implement them, the consequences of
implementing them (including the unintended ones), and how effective
they will REALLY be in stopping spam once spammy has a chance to
see how they work and how they can be bypassed/gamed/overcome.

Again: this is NOT to say they're bad ideas: some of them have some
darn good ideas.  But IMHO they're all going to fail at actually
stopping spam, because spammy is not going to simply play along and
do what's expected.

---Rsk
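The following is an added illustration of point 1 and of the "sent right through the designated outbound mail server" scenario; it is not part of the original post and is not the code of any of the proposals named in it. It is a deliberately simplified SPF-style check (real SPF, per RFC 7208, has many more mechanisms and a DNS lookup) with a constructed policy table and constructed sample messages. The hypothetical domains, netblocks and labels are assumptions made for the example. It shows that this class of mechanism authenticates the connecting mail server against the sender domain's policy, so a message injected by a compromised machine through its ISP's authorized smarthost receives the same "pass" as a legitimate one, which is why a pass result is path authentication rather than a spam verdict and should be combined with reputation and content signals.

```python
"""Simplified SPF-style sender check (constructed teaching example).

Not an RFC 7208 implementation: only an "ip4:"-like netblock list is
modelled, and the DNS TXT lookup is replaced by a local dictionary.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical published policies: sender domain -> authorized netblocks.
# Stand-in for the SPF record a receiver would fetch from DNS (assumption).
POLICIES = {
    "example.net": ["192.0.2.0/24"],   # the ISP's outbound mail servers
}


@dataclass
class Message:
    mail_from_domain: str   # envelope-sender (MAIL FROM) domain
    connecting_ip: str      # IP of the MTA that handed the message to us
    origin_note: str        # constructed label: where the mail really came from


def spf_check(domain: str, connecting_ip: str) -> str:
    """Return 'pass', 'fail' or 'none' for the domain / connecting-IP pair.

    Only the connecting MTA is examined; nothing about the machine that
    originally composed the message is visible at this layer.
    """
    nets = POLICIES.get(domain)
    if nets is None:
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(connecting_ip)
    for net in nets:
        if ip in ipaddress.ip_network(net):
            return "pass"                  # authorized outbound server
    return "fail"                          # unauthorized connecting host


def evaluate(messages):
    """Run the check over a batch and pair each verdict with its origin label."""
    return [(m.origin_note, spf_check(m.mail_from_domain, m.connecting_ip))
            for m in messages]


# Constructed sample traffic, all claiming example.net as sender domain.
SAMPLE = [
    Message("example.net", "192.0.2.25", "legit user via ISP smarthost"),
    Message("example.net", "192.0.2.25", "infected PC via same ISP smarthost"),
    Message("example.net", "198.51.100.7", "forged sender, direct from elsewhere"),
    Message("nopolicy.example", "198.51.100.7", "domain with no published policy"),
]

if __name__ == "__main__":
    for origin, verdict in evaluate(SAMPLE):
        print(f"{verdict:5}  {origin}")
```

The second sample line is the point of the example: the infected machine and the legitimate user are indistinguishable to the check because both relay through an authorized server. Per-account sending-rate limits and outbound content filtering at the smarthost, plus reputation data on the receiving side, are where that case has to be caught.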