Re: will spammers early adopt hashcash? (Re: Spam Spotlight on Reputation)

2004-09-14 Thread Russell Nelson
(everybody is on the mailing list; why all the CC's?)

Adam Back writes:
  Will it be enough -- we don't know yet, but if widely deployed it
  would make spammers adapt.  We just don't yet know how they will
  adapt.

Cryptography is not about math; it's not about secrets; it's not about
security.  It's about economics.  I'd really like to see people NOT
talk about the security of cryptography, but instead about the cost
of it.  If the cost of breaking a system exceeds the value of an
identifiable message, nobody will bother breaking it.  If the cost of
using a system exceeds the value of the system, nobody will bother
using it.

So, in this context, Ben and Richard's paper is not so much that
hashcash won't work but that the value of using hashcash is
exceeded by the cost of using it.

-- 
My blog is at angry-economist.russnelson.com  | Violence never solves
Crynwr sells support for free software  | PGPok | problems, it just changes
521 Pleasant Valley Rd. | +1 212-202-2318 voice | them into more subtle
Potsdam, NY 13676-3213  | FWD# 404529 via VOIP  | problems.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Spam Spotlight on Reputation

2004-09-07 Thread bear


On Tue, 7 Sep 2004, Hadmut Danisch wrote:

 The last 17 months of work in ASRG (Anti Spam Research
 Group, IRTF) and MARID (Mail authorization records in DNS, IETF) are
 an excellent example of how to not design security protocols.

 This was all about marketing, commercial interests, patent claims,
 giving interviews, spreading wrong information, undermining
 development, propaganda. It completely lacked proper protocol design,
 a precise specification of the attack to defend against, engineering
 of security mechanisms. It was a kind of religious war. And while
 people were busy with religious wars, spammers silently realized that
 this is not a real threat to spam.


For what it's worth, do you remember a device that was marketed on
American television called the Ronco Pocket Fisherman?  It was
a sort of folding fishing rod with a built-in, tiny, tacklebox,
and the idea was that here was a complete fishing rig that you
could toss into a suitcase and still have room for all your
clothes and stuff.

The fact is, as fishing gear, it was astonishingly bad.  But, as
the owner of a bait shop once explained to me after someone who
had come in with one tossed it in the trash and walked out with
a real fishing rod, "It's not made to catch fish.  It's made to
catch fishermen."

Similarly, the current generation of anti-spam technology isn't
made to catch spammers; it's made to catch ISPs and software
companies and get them to part with their money.  Alas, unlike
the Ronco Pocket Fisherman, there is no proven technology that
people can go back to after getting fed up with it not working.

It has been clear from the outset that all the solutions to spam
consisting of building a fence around the internet and keeping
the spammers out aren't going to work, any more than the old
anarchist-cypherpunk dream of building a fence around our
cryptographic networks and keeping the government out was going
to work.  The problem in both cases is that if the information
needed to join the network is available to members of your
intended in-group, it's also available to members of your
intended excluded group.

I have two patents in natural language, and a fair amount of
experience engineering in the field.  But that's a fairly recondite
skill, and these days most folks are looking for engineers for much
more prosaic tasks like interfacing their middleware with their
databases.  In the last year, I have been unemployed.  I've
turned down two job offers, though -- from software companies
with bulk mail products, looking for natural-language guys
to build paraphrase engines to bypass spam filters or copy check
functions to estimate the likelihood of a particular message body
being filtered.  That's the level of commitment these guys are
showing.  They're actually willing to hire engineers at specialist
salaries to build new ways to bypass filters.

We should not be at all surprised, when we offer a way to
auto-whitelist email and therefore bypass filters at a lower
cost than hiring engineers, that they're leaping onto it at
a much higher rate than legit senders.

From a cryptographic perspective, there are a lot of systems out
there that are solving some trivialized version of the problem or
some not-very-crucial aspect of the problem.  There are a lot of
systems that have a threat model that's very peculiar, and which
can be solved, however meaninglessly, while their customers still
get lots of UCE.  Indeed, there are a lot of systems out there
that don't have any published threat model.  These are failures
of protocol design, though not necessarily failures of
marketability.  But to the extent that they allow bypassing
filters, the spammers are the biggest customers.

Bear





Spam Spotlight on Reputation

2004-09-06 Thread R. A. Hettinga
http://www.eweek.com/print_article/0,1761,a=134748,00.asp

EWeek

Spam Spotlight on Reputation

September 6, 2004
By Dennis Callaghan



As enterprises continue to register Sender Protection Framework records,
hoping to thwart spam and phishing attacks, spammers are upping the ante in
the war on spam and registering their own SPF records.

E-mail security company MX Logic Inc. will report this week that 10 percent
of all spam includes such SPF records, which are used to authenticate IP
addresses of e-mail senders and stop spammers from forging return e-mail
addresses. As a result, enterprises will need to increase their reliance on
a form of white-listing called reputation analysis as a chief method of
blocking spam.

E-mail security appliance developer CipherTrust Inc., of Alpharetta, Ga.,
also last week released a study indicating that spammers are supporting SPF
faster than legitimate e-mail senders, with 38 percent more spam messages
registering SPF records than legitimate e-mail.

The embrace of SPF by spammers means enterprises' adoption of the framework
alone will not stop spam, which developers of the framework have long
maintained.

Enter reputation analysis. With the technology, authenticated spammers
whose messages get through content filters would have reputation scores
assigned to them based on the messages they send. Only senders with
established reputations would be allowed to send mail to a user's in-box.
Many anti-spam software developers already provide such automated
reputation analysis services. MX Logic announced last week support for such
services.

"There's no question SPF is being deployed by spammers," said Dave
Anderson, CEO of messaging technology developer Sendmail Inc., in
Emeryville, Calif.

"Companies have to stop making decisions about what to filter out and start
making decisions about what to filter in based on who sent it," Anderson
said.

The success of reputation lists in organizations will ultimately depend on
end users' reporting senders as spammers, Anderson said. "In the system
we're building, the end user has the ultimate control," he said.

Scott Chasin, chief technology officer of MX Logic, cautioned that
authentication combined with reputation analysis services still won't be
enough to stop spam. Chasin said anti-spam software vendors need to work
together to form a reputation clearinghouse of good sending IP addresses,
including those that have paid to be accredited as such.

"There is no central clearinghouse at this point to pull all the data that
anti-spam vendors have together," said Chasin in Denver. "We're moving
toward this central clearinghouse but have to get through authentication
first."

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
