SMTP "authentication" (was: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky)

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 03/04/04

    To: full-disclosure@lists.netsys.com
    Date: Thu, 04 Mar 2004 12:28:58 +1300
    
    

    "Larry Seltzer" <larry@larryseltzer.com> wrote:

    > I really feel for you guys. As I've argued in another thread, I think
    > SMTP authentication will likely cut this stuff down to a trickle
    > compared to the current volume. As an ISP, how big a problem would you
    > have with that. An even better question: Would you have a problem
    > implementing SPF, Caller ID and Domain Keys (i.e. all 3)? It gets to
    > the same issue of changing practices for your users: at some point you
    > have to either bounce or segregate mail that doesn't authenticate.

    I really think you (and all the SPF, etc pundits) are overselling those
    "technologies" as possible solutions to problems that exist because of
    what are, and perhaps always will remain with us as, essentially psycho-
    social issues.

    SPF, Caller-ID, etc. will either not take off or, if they do, they will
    not greatly reduce the level of the spam or the self-mailing virus problem.
    If they do take off, we may initially see a dip in such things, but as
    these technologies will not (and _CANNOT_) be blanket implemented
    overnight, the spammers and virus writers will watch the developments
    and if they see a risk to their future success there are many tricks
    available for them to add to their "creations" that these "anti-spam"
    or "anti-forgery" technologies _alone_ cannot prevent being exploited
    to the benefit of the spammers.

    Although I'm sure the "professional" mass-mailer writers and spammers
    have a fair idea of what to do next if SPF, etc do start to bite, I'm
    not going to spell out how I'd do it in case I give any less clueful
    folk some ideas they don't deserve. However, the bottom line is that
    for SPF, etc to be "successful" (i.e. to become very widely deployed
    and used) they (and the things they require at the client end) have to
    be "set and forget". Why?? Because the sad (?) reality is that most
    folk are simply lazy and won't use systems that don't let them ignore
    the things they don't care about. To date (and SPF, etc
    notwithstanding), I've seen no reason to expect this to change, even to
    fix the spam or mass-mailing virus problem, no matter how much "common
    folk" may belly-ache about it not being fixed. This all means Mike
    Howard's "first immutable law of computer security":

       If the bad guy can run his program on your computer, it's not
       your computer any more

    is broken from the outset _AND_ will remain so.

    Compound all manner of other atrociously bad anti-security features
    that most computer users have become so accustomed to they will not
    allow to be changed and the bad guys will just keep doing what they do,
    albeit after adding a few dozen more lines of code to their existing
    bots, etc so they can send "properly authenticated" Email through the
    "right" SMTP servers. SPF, etc pundits will counter "but we can then
    quickly get the ISPs to shut those machines down because we can prove
    that 'bad' Email came from that machine". This ignores the rather
    salient (I'd have thought) point that the ISPs have entirely failed to
    deal with the existing armies of such machines, and it seems utterly
    unlikely they will add more staff (even just short-term) to handle
    their abuse@ enquiries once (or if) SPF, etc becomes widely deployed
    (after all, SPF, etc is supposed to eliminate the core problems in
    those areas so the ISPs may even be thinking they can _reduce_ their
    abuse staff!).

    In summary, it seems that the bad guys are starting from a (probably)
    insurmountable advantage of the existing vast army of readily
    compromisable and/or already backdoor-ed machines. And, if SPF, etc is
    successfully "sold" to the consumers, add the fact that many more users
    than the current crop of utterly reckless click-a-holics would then
    _trust_ more (or even all) of their Email and its attachments _because
    the SPF, etc pundits have been telling them that this is precisely one
    of the benefits of shafting the existing mail system_. On balance, it
    seems we could easily see things _GET WORSE_.

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
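The post above argues that a bot on an already-compromised machine can simply submit its mail through the "right" SMTP server and come out "properly authenticated". The following is an added example, not code from the original message or from any SPF implementation: a deliberately minimal evaluator for the v=spf1 ip4/ip6/all mechanisms (no include, a, mx, exists or macros), with DNS replaced by a constructed in-memory table. The domains, addresses and records (example.com, 192.0.2.0/24, 2001:db8::/32, 203.0.113.5 and so on) are assumptions drawn from the documentation ranges. It shows that SPF answers only one question, "is this connecting IP authorised to send for this domain?", so a forged message injected directly from the bot's own address fails, while the same forged message relayed through the domain's own outbound server passes.

```python
"""Minimal SPF (v=spf1) evaluator: ip4, ip6 and all mechanisms with qualifiers.

Added example for this thread, not the original poster's code.  DNS TXT
lookups are replaced by the constructed table below (an assumption so the
example runs offline); include/a/mx/exists and macros are not implemented.
"""
import ipaddress

# Constructed zone data standing in for DNS TXT records (assumption).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_host(client_ip, sender_domain, records=SPF_RECORDS):
    """SPF result for a connection from client_ip claiming MAIL FROM sender_domain.

    Only the connecting IP and the domain's published record are consulted;
    nothing about the message body, the From: header or the user is checked.
    """
    record = records.get(sender_domain.lower())
    if record is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            matched = ip.version == net.version and ip in net
        else:
            return "permerror"  # mechanism this toy evaluator does not support
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism wins
    return "neutral"  # no mechanism matched (and no 'all' term present)


def demo():
    """The scenario from the post, with constructed addresses (assumption).

    A bot forges sender@example.com.  Injected straight from the infected
    host at 203.0.113.5 it fails SPF; submitted through example.com's own
    outbound MTA at 192.0.2.25 (e.g. with the victim's stored credentials)
    the identical forgery passes, because SPF only vouches for the relay.
    """
    direct_from_bot = check_host("203.0.113.5", "example.com")
    via_domain_relay = check_host("192.0.2.25", "example.com")
    return direct_from_bot, via_domain_relay


if __name__ == "__main__":
    print("direct from bot / via domain's relay:", demo())
```

The second result is the one the post is getting at: a receiving site that acts on "pass" as a trust signal has only learned that the mail left through the domain's authorised server, not that the account holder sent it.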
    
