Re: Replay attacks and ISP business models
In <42F66351.6040303@xxxxxxxx> Michael Thomas <mike@xxxxxxxx> writes:
>
> I agree. I think that the thing that really ought to
> be proven here is whether "replay" is a real threat or
> not. At this point, it is purely academic and I think we
> have a pretty spotty track record of determining what the
> miscreants' next steps will actually be.

I don't think the replay attack is purely academic. There is an
extremely long history of spammers doing all sorts of things to ride
on the reputation of others. That includes signing up for free email
accounts in the hopes that people won't reject email from
$large_emailer, trying to get on things like bondedsender/iadb,
sending email through $big_isp's MTAs, and, of course, forging email
addresses.

Are you seriously suggesting not worrying about the replay attack
until it is widespread?

> For one, it's not
> clear that if domains -- in an effort to maintain their
> reputation -- start spam-filtering their outbound mail,
> you'd reduce the effectiveness of the so-called replay
> attack by about 2 orders of magnitude. It seems to me that
> it's pretty likely that they'll find something else to do
> if that scenario plays out.

I don't see how filtering their outbound will help much in preventing
the replay attack. At the time the original email is sent, it is
neither bulk nor unsolicited. It is only once it is resent to
millions that it becomes bulk and unsolicited. While I'm not one of
those people who think that content is 100% irrelevant and should
never be checked as part of spam filtering, I do think that trying to
detect spam based solely on the content is a bad idea and won't work.

-wayne