Spam Solutions 01



Presentation Transcript

Spamming the Anti-Spam Solution Space:

SDForum Security Sig / 28-Oct-04
D. Crocker, Brandenburg InternetWorking
Spammer? Phisher?

What we will cover: 

- Problem space
  - What is spam?
  - How is it sent?
- Solution Space – Focus on technology
  - Types and places for control
  - Types of ‘Solution’ efforts
  - Standards efforts
- Prognostications

Disclaimer and Caveat: 

- Not a full tutorial
- Focus on technical efforts, primarily authentication
- Spam is complicated and simplistic solutions will be damaging
- Email is more complex than people usually realize
- Spam is a social problem, like crime
- Technical solutions need to follow the social assessment
- No single action will eliminate it — nothing will “eliminate” it!

Setting the Context: 

© 1975(!) Datamation
This? Oh, this is the display for my electronic junk mail.

We Do Have A Problem!: 

- We do not need to cite statistics
- We have a dire problem.
- It is getting worse, quickly.
- Nothing has yet reduced global spam!
- It is like moving from a safe, small town to a big (U.S.) city
- We must distinguish
  - Local, transient effects that only move spammers to use different techniques, versus
  - Global, long-term effects that truly reduce spam at its core

Dangerous Logic: 

- “We have to do something now!” (Ignore any side-effects, or dismiss them as minor.)
- “Maybe it’s not perfect… but at least we’re taking some action!”
- “What have we got to lose?”
- “At least it reduces the problem… for now.”
- “We must replace SMTP…” even though we don’t know what we want to do
- “We can do something in the interim…” Even though nothing on the Internet is ever interim
- “…but this is urgent!!”

A Bit of Perspective: 

- Spam is complex, confusing and emotional
- Imagine that time has passed
  - What changes will be important?
- Effects of “solutions” on email
  - Will it still be easy to reach everyone?
  - Will it be cumbersome, with fragmented communities?
- Different types of spam
  - Legitimate business will behave acceptably (mostly)
  - Rogue (criminal) spammers will be worse than today

Make Changes Cautiously: 

- Experience making Internet changes means…
  - Changes to an installed base of 1 billion users are risky, difficult, expensive and slow
  - Assume there will be (bad) unintended consequences
  - Providers operate differently, so control is limited
- Changes need to produce direct, basic benefit
  - Directly affect key problem or directly improve service
  - Orchestrated inter-dependent changes do not work

Universal spam solution rebuttal: 

Checkbox form-letter for responding to spam solutions proposals. See: <>

Your post advocates a

( ) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)…

But What Is Spam, Exactly?: 

- No common definition
  - UCE? UBE? Anything I don’t want?
  - No technical differences from “regular” mail
- How can we make policy when we cannot formulate a common, Internet-wide definition?
- So, instead…
  - Try a pragmatic approach
  - Focus on core, identifiable characteristics
  - Define specific solution
  - Ignore the rest, for now
- And why do we still need this slide?

A Spamming Network: 

[Figure: network diagram with the labels “Spammer” and “Victim”]

Wheel of Spam (Mis)Fortune: 

- Control of spam
  - Cannot be “surgically” precise
  - Must balance the wheel
- Needs range of partial solutions
  - Different techniques for near-term vs. long-term, except that near-term never is
- Heuristics
  - Long lists → complicated
  - Complicated → Be careful!
- Many Facets

Email Points of Control: 

Email Architecture: draft-crocker-email-arch

Secondary Approaches: 

- Charging – Sender pays fee
  - Some vs. all senders
  - How much?
  - Who gets the money?
- Enforcement – Laws and contracts
  - Scope of control – national boundaries?
  - Precise, objective, narrow?
- Administration
  - Exchange filtering rules
  - Exchange incident (abuse) reports
  - Coordination among Abuse desks

Email Security Functions Make someone accountable: 


What to Authenticate?: 


Security Models: 


Email Path(s) Today!: 

[Diagram: mail agents MUA, MSA, MTAs (including peer MTAs), MDA and MUA]

Mail Agents: MUA = User, MSA = Submission, MTA = Transfer, MDA = Delivery

SPF and Sender-ID: Source Registers Path: 

[Diagram: MUA, MSA, MTA1, MTA2, MTA3, MTA4, MDA and MUA, with peer links]

- Assigns Sender and MailFrom
- Did MSA authorize MTA1 to send messages for domain?
- Did MSA authorize MTA2?
- Did MSA authorize MTA3?
- MSA must pre-register and trust each MTA in entire path to every recipient!

Mail Agents: MUA = User, MSA = Submission, MTA = Transfer, MDA = Delivery
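
An added example (not from the original slides) of the per-hop question this slide asks: a simplified SPF evaluator covering only the `ip4` and `all` mechanisms, run over a constructed four-MTA path. The domain, addresses, record and hop names are made up for illustration; MTA3 is a forwarder the sending domain never registered, so the handoff it makes fails.

```python
import ipaddress

# Constructed sample data: documentation-range addresses and a made-up domain.
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 -all"}

# Hypothetical relay path for one message; each hop connects to the next one.
PATH = [("MTA1", "192.0.2.10"), ("MTA2", "198.51.100.5"),
        ("MTA3", "203.0.113.7"),    # forwarder the sending domain never registered
        ("MTA4", "203.0.113.99")]   # final receiver: it only checks, it does not relay

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Evaluate only the ip4 and all mechanisms of an SPF record (simplified)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith("ip4:"):
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term

def trace_path(mail_from_domain, path):
    """Return (sending hop, receiving hop, result) for every SMTP handoff."""
    results = []
    for (sender, sender_ip), (receiver, _) in zip(path, path[1:]):
        results.append((sender, receiver, check_spf(mail_from_domain, sender_ip)))
    return results

if __name__ == "__main__":
    for sender, receiver, result in trace_path("example.org", PATH):
        print(f"{receiver} checks {sender} for example.org: {result}")
```
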

Emerging Favorites: 

- Validate content
  - DomainKeys, Identified Internet Mail (IIM)
  - Transit signature of msg
- Validate operator
  - Client SMTP Validation (CSV)
  - Operator validates MTA
- Validate Bounce
  - Bounce Address Tag Validation (BATV)
  - Sign MailFrom
- Reputation
  - CSA & DNA (CSV)
  - Still learning
- Reporting
  - No candidates, yet
- Enforcement
  - We are still learning

Client SMTP Validation: Assess Peer MTA: 

[Diagram: MUA, MSA, MTAs (including a peer MTA), MDA and MUA]

- Does a domain's operator authorize this MTA to be sending email?
- Do independent accreditation services consider that domain's policies and practices sufficient for controlling email abuse?

CSV Functions: 


Moving Towards Standards: 

- Accountability (Author & Operator)
- Authentication
- Authorization (Accreditation)
- Filtering (Format of rules)
- Reporting & monitoring (Immediate problems) (Aggregate statistics)
- Enforcement (Contracts and laws are standards)
- Terminology
- Acceptable behavior

How to Choose the Future:

- Look at each proposal
  - Who must adopt it? When?
  - How much effort is needed to administer it?
  - How much does it change email?
- Where to look for documents
  - Internet Drafts
