On Thursday, February 3, 2005, 8:01:42 AM, Marc wrote:

MF> True or False: The bottom line is, once a machine can
MF> connect, to either port 25 or port 587, AND can AUTHENTICATE,
MF> then "game over". But if you have a properly secured mail
MF> server, with SMTP AUTH/Relay for Addresses, and the SPAM zombie
MF> CANNOT authenticate, then you are still "safe", or at least
MF> "configured the best you can be". ??? (We don't use Declude.
MF> We are moving to open source email/spam/virus alternatives. We
MF> have a tough road ahead it seems, no matter WHAT we're running...)

False.

Even if the zombie is able to authenticate (and they will soon) you can still use trust mechanisms, voting mechanisms, and content filtering to mitigate the abuse. Some of these mechanisms are already here.

FILTERING:

Filtering can be quite strong and efficient. For example, we already filter more than 99.6% of spam based on filtering alone (no DNS or URI BLs) using our pattern matching engine (60K heuristics in well under 200ms on generic hardware).

( See SNIFFER line in this analysis:
(
( <http://reports.microneil.com/mdlplong.html>
(
( This is a comparative analysis of a wide range of tests including
( most of the effective BLs that are out there. The tests vote
( together to determine whether the message is spam. Then each test
( is measured against that metric. Though this is not "perfect" it is
( very, very close. Hyper-accurate tests (like SNIFFER) get penalized
( because they often know something is spam before enough of the other
( tests agree -- but in general it's clear enough that content
( filtering systems like Message Sniffer are capable of virtually
( eliminating spam without depending on source information.
(
( Compensating for the hyper-accuracy penalty, and by using data from
( other systems we monitor (can't share - security reasons) we can
( safely estimate that 99.5% of spam is captured. The value in the
( report at the time of this writing is 98.716% of spam. In practice,
( the spam that did not get captured was new spam on its way into
( our filtering queue from spamtraps and spam reports.

TRUST:

An authenticated machine can be tracked to its source. After all, an authenticated sender _is_ who they authenticated themselves to be for all intents and purposes. This means that trust mechanisms can be leveraged to identify systems that are acting abnormally and those systems can be shut down - either at their source, or by the receiving system. Any such zombie delivering known spam content can be black-listed and reported.

If the content is new then it is likely there is no trust at the recipient location - so the message can be delayed until it can be identified as reasonably safe, or (more likely) a peer network of trusted systems can be queried to establish the local trust for the new sender.

Trust mechanisms are growing, and still require development work, but they will be developed and they will be very effective. We have work planned in this area - and I'm sure others do also... Though working trust mechanisms are more difficult, they will be created and deployed as the resources become available -- and they will as other mechanisms become less effective.

AUTOMATED CLASSIFICATION:

Local use of statistical text classification (Bayesian) will always be very helpful though it's not widely applicable at a more global level due to differences in preferences and the lack of good training data. Reasonably trained classification systems can be used to generate voting data for mechanisms further up in the chain.

SUMMARY:

There are many other mechanisms on the drawing board which go to mitigate bandwidth problems and other side-effects of abuse. It's only a matter of time before they are taken seriously, funded, accepted, and deployed. (DSQP (Dynamic Squelch Propagation), for example, could democratically and automatically shut down offensive sources without creating wholesale censorship or the need for any centralized authority that could be gamed or become corrupted.)

Email is too important to let it die, and there are ways to get it fixed... some of them will not be taken seriously until the problem gets worse. Eventually, however, the correct mix of tools will be developed and deployed. We're just not there yet in many ways.

MHO.

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
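
The message above describes tests that vote on a verdict and are then each measured against that vote. The sketch below is an added example, not code from the original post or from MicroNeil; it shows on constructed data how a test that is right about new spam before the blacklists agree scores below them against the vote. The test names, the vote threshold and the agreement measure are assumptions.

```python
# Added illustration. The messages, test names ("content", "bl_a", "bl_b"),
# vote threshold and scoring measure are constructed assumptions.
# Each row: (ground truth is_spam, {test name: did the test flag it?})
MESSAGES = [
    (True,  {"content": True,  "bl_a": True,  "bl_b": True}),
    (True,  {"content": True,  "bl_a": True,  "bl_b": False}),
    (True,  {"content": True,  "bl_a": False, "bl_b": False}),  # new source, not listed yet
    (True,  {"content": True,  "bl_a": False, "bl_b": False}),  # new source, not listed yet
    (False, {"content": False, "bl_a": False, "bl_b": False}),
    (False, {"content": False, "bl_a": True,  "bl_b": False}),  # blacklist false positive
    (False, {"content": False, "bl_a": False, "bl_b": False}),
    (True,  {"content": True,  "bl_a": True,  "bl_b": True}),
]
VOTES_NEEDED = 2  # a message counts as spam once this many tests flag it


def consensus(flags):
    """Voted verdict: spam when enough tests agree."""
    return sum(flags.values()) >= VOTES_NEEDED


def agreement(test, reference):
    """Share of messages where `test` gives the same verdict as `reference`.

    `reference` maps (truth, flags) to the verdict the test is scored against.
    """
    hits = sum(flags[test] == reference(truth, flags) for truth, flags in MESSAGES)
    return hits / len(MESSAGES)


def scoreboard():
    """Score every test against the vote and against ground truth."""
    tests = MESSAGES[0][1].keys()
    return {
        t: {
            "vs_vote": agreement(t, lambda truth, flags: consensus(flags)),
            "vs_truth": agreement(t, lambda truth, flags: truth),
        }
        for t in tests
    }


if __name__ == "__main__":
    for name, s in scoreboard().items():
        print(f"{name:8s} vs vote {s['vs_vote']:.3f}   vs truth {s['vs_truth']:.3f}")
```

On this data the content test is correct on every message yet disagrees with the vote on the two new-source messages, so it ranks below both blacklists when the vote is the yardstick.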
