[fw-wiz] Spam (or, how to buy Cheap Korean Cellphones :-)

From: Chris Blask (blask_at_protegonetworks.com)
Date: 02/06/04

    To: firewall-wizards@honor.icsalabs.com, rod@borderware.com
    Date: Thu, 05 Feb 2004 16:28:23 -0800
    
    

    At 06:19 PM 2/5/2004 -0500, Paul opined, after dejpegging a part of Chris'
    mail that Chris missed, thus shaming him fatally:
    >On 2004/02/05 17:55, "Chris Blask" <blask@protegonetworks.com> wrote:
    > > At 11:00 PM 2/5/2004 +0000, ÈÞ´ëÆù wrote:
    > > > kvcgc l mclfn gbdxtrdevpkfa d xjwwwsmbn b eobfrynpheahnazunbwrj xzno
    > > > aob tksbtacwizdg

    > > ...which brings up the topic of Spam... <evil grin @ Paul>

    <Paul, apparently, peers smugly back...:->

    > > Last year I worked (again) at BorderWare* and ended up chairing JamSpam
    > > (from which nothing but the AMY triangle has come out of afaik, to my
    > > chagrin). BW's VP of Eng (Rod Gilchrist, infinitely bright guy) and I gave
    > > it serious thought and wrote a whitepaper for a structure dubbed "cmail"
    > > (certified mail) which as far as I can tell was entirely too
    > > straightforward to gain any traction <the reader will please manually subtract any
    > > battle-borne irony - I'm too tired to try>.
    > >
    > > Simply put:
    > >
    > > Assign four classes of email cert.
    > > 1 - person
    > > 2 - list
    > > 3 - organization
    > > 4 - marketing entity
    > >
    > > 1 - free, anonymous (pass Turing test on cert site, can send to small
    > > number - say, 50-100)
    > > 2 - free or near free (send to appropriate number)
    > > 3 - appropriate cost (send to commercial volume - say 1,000 or more)
    > > 4 - appropriate cost. (if an org cannot afford, say, $10k for
    > > infrastructure they shouldn't be sending 1M email/day)
    >
    >I think cost-based e-mail is really, really, really bad- it makes it so that
    >only the organizations with money can talk.

    o No per-pay for individuals - it's not e-stamps. Any individual can get
    a cert for free, just need to insert a Turing test to keep the bots out.

    o As far as orgs go, if the cost scaled properly it should be less than
    people spend on dealing with spam now, and a one-time cost (of course SPs
    could provide services to amortize this in with other regular services).

    o Plain old free non-cmail does not go away, with cmail working. Anyone
    wanting to not use certs at all can, still and always, use email and usual
    anti-spam filters inbound. If their recipients expect their mail it can
    still be handled the normal way.

    o I imagine that I'd set up my mail client to put all cmail in Inbox, all
    post-spam-filter non-cmail in a second and discard all spam. That way
    anyone who wants to *know* that I'll get the mail will get a cert, and the
    rest I'll check as I can (until the volume of real non-cmail is so small
    that I don't have to bother).

    These are the kind of logistics worth discussing, though.

    >Now, if TruSecure had to *pay* line item costs for the lists we provide,
    >we'd provide no lists-
    >Firewall-Wizards puts out a bunch of messages a day, certainly enough that
    >if the bar was "get this certificate" the spammers would be looking for the
    >same CA level and just get multiples.

    o I don't think line-item costs are what is needed - the fees as I see
    them are not to fund an infrastructure but to insert appropriate cost into
    email to separate spammers out from real people/orgs. Commercial Mailers
    like the DMA don't have a problem with cost-of-goods-sold, but it's arsenic
    to spammers. One list-cert for TruSecure at nominal (how much does your
    email infrastructure cost? Divide by, say, 20? 200?). Costs would be
    enough to identify TruSecure as TruSecure and make TS want to be good and
    not have their cert revoked without needing to be punitive.

    o The Commercial Mailer certs and Organizational certs could conceivably
    generate enough cash to fund the infrastructure (and the savings could
    cover anything extra - perhaps one of the few good places for a little gov't
    funding).

    o There are of course all the existing Bayesian yada yada anti-spam tools
    that will still exist - whatever the solution to spam - that can be used on
    top of it all. DCC is particularly good at handling violations (at least
    last time I looked).

    > > Minor tweaks to mail server software would disallow cert-class violations
    > > in volume. DCC is perfectly capable of detecting mass mailing and can
    > > support the infrastructure by detecting violations and leading to cert
    > > revocation. Minor tweaks to mail client software to filter cmail and
    > > non-cmail makes it simple to filter at the client level. If my grandmother
    > > could go to a site and get a cmail cert to fix spam then she would (she's
    > > 92, if you want a perfect example of a Consumer).
    >
    >It wouldn't fix it though- one of the spam houses would go buy a really big
    >certificate, then send out all the spam, or they'd get enough small
    >certificates that they could send out all the spam.

    o If many-small-certs == significant time/cost to acquire then you have
    succeeded in inserting cost into the spammers' cycle.

    o It would not be rocket science to set up a structure for buying
    Commercial Mailer certs that would make it expensive and difficult for
    spammers to get Commercial Mailer certs - particularly after their first is
    revoked. The Direct Marketing Association folks were entirely on board
    with paying to de-classify themselves from spammers.

    Keep raising the objections!

    >Would AOL's certificate be a single one? What then stops AOL's customers
    >from sending out 100 messages each?

    o AOL corp could have a single one they use for their mass mailings, and
    perhaps all employee mail (or a generic Individual cert for employee traffic).

    o Email providers could provide Individual certs to their paying
    customers, list hosting services could offer certs to their customers
    amortized in with usual costs. In either case they are identified by
    definition because they are paying their bills.

    > > If I recall, revocation lists were the best reason given for not trying,
    > > but at the end of the day SPAM has gotta be an identity fix, so may as well
    > > meet it head on. I read this as yet another data point supporting my belief that
    > > cert folks have trouble recognizing Users when they see them.
    >
    >Without revocation, the first Exchange overflow would break the entire
    >process.

    o Revocation is necessary, but throwing up the collective PKS hands isn't
    the way to address it. Fix identity, fix spam. A problem with efforts to
    fix identity, imho, is that folks try to boil the damn ocean when the task
    is to make a nice cup of tea...

    Cert folks: Revocation is a problem? Fix it!! Don't make me come down
    there and do it myself, I'll be so cross! ;-)

    > > Anyone else see - if in fact this is the right forum - any solution to
    > > spam that doesn't involve fixing the identity problem?

    There's the actual question for the list: If it ain't ID, what *is* the
    shape of the solution?

    "CanSpam!" is the best we can do? Ha! Where's the engineering fix!?!

    This is exactly the type of scenario I was talking about in the last
    thread. All the Leaders in the world have Absolutely No Clue about even
    the *nature* of the spam problem, and virtually no hope of even seeing a
    glimmer of its shape - except for US (the people who can read and discuss
    these things on a list like this - the Security Experts).

    We are not, I'm afraid to say, demonstrating great leadership as a group on
    this one...

    > > * Well, BorderWare *is* a firewall company, and the SMTP product is
    > > the MXtreme Mail *Firewall*, so I'm not completely out of decorum, here...

    -cheers!

    -chris

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
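The "cmail" scheme argued over in this message, reduced to a runnable sketch (added here as an illustration; it is not code from the thread, BorderWare or anyone in it). It models the four cert classes with per-class daily send caps enforced at the mail server, revocation when a cert is used past its class's volume (the kind of violation DCC would flag), and the three-way client triage Chris describes. The cap values for classes 2 and 3 and the spam-score threshold are assumptions.

```python
"""Toy model of cert-class enforcement for "cmail" (assumed design details)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Daily recipient caps per cert class. The thread gives 50-100 for class 1
# (person) and 1M/day scale for class 4 (marketing entity); class 2 (list)
# and class 3 (organization) values are assumed for illustration.
CAPS = {1: 100, 2: 5_000, 3: 10_000, 4: 1_000_000}

@dataclass
class Cert:
    cert_id: str
    cls: int            # 1 person, 2 list, 3 organization, 4 marketing entity
    revoked: bool = False

@dataclass
class MailServer:
    certs: dict = field(default_factory=dict)        # cert_id -> Cert
    sent_today: Counter = field(default_factory=Counter)

    def register(self, cert: Cert) -> None:
        self.certs[cert.cert_id] = cert

    def accept(self, cert_id: Optional[str], recipients: int) -> str:
        """Outbound decision: 'cmail' (certified), 'plain' (no cert, goes
        through the usual inbound filters) or 'reject'."""
        if cert_id is None:
            return "plain"          # plain email keeps working alongside cmail
        cert = self.certs.get(cert_id)
        if cert is None or cert.revoked:
            return "reject"
        projected = self.sent_today[cert_id] + recipients
        if projected > CAPS[cert.cls]:
            # Cert-class volume violation: revoke so the cert cannot be
            # reused for bulk mail; a real deployment would feed this from DCC.
            cert.revoked = True
            return "reject"
        self.sent_today[cert_id] = projected
        return "cmail"

def triage(has_valid_cert: bool, spam_score: float, threshold: float = 0.8) -> str:
    """Client side, as in the mail: cmail -> Inbox, non-cmail that passes the
    spam filter -> a second folder, the rest discarded."""
    if has_valid_cert:
        return "Inbox"
    return "Discard" if spam_score >= threshold else "Unverified"
```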

