
Re: Replay attacks and ISP business models



In <42F6AF13.10505@xxxxxxxx> Michael Thomas <mike@xxxxxxxx> writes:

> wayne wrote:
>> Are you seriously suggesting not worrying about the replay attack
>> until it is widespread?
>
> Widespread is different than seen in the wild. At this point,
> there's no evidence that I'm aware of that it's been seen
> in the wild. I wouldn't expect it for quite some time --
> why would they bother right now?

You snipped the part where I explained that spammers have had a long
history of riding on other people's good reputations.  Any system that
cannot deal with that is useless.  That is why we have to bother
RIGHT NOW.


>                                  A lot can happen between
> then and now, so I'm not sure that proceeding way down _any_
> one line of defense is all that wise.

I strongly disagree.  Spammers can adapt very quickly and have done so
in the past.  



>>>                                        For one, it's not
>>>clear that if domains -- in an effort to maintain their
>>>reputation -- start spam-filtering their outbound mail,
>>>you'd reduce the effectiveness of the so-called replay
>>>attack by about 2 orders of magnitude. It seems to me that
>>>it's pretty likely that they'll find something else to do
>>>if that scenario plays out.
>> I don't see how filtering their outbound will help much in preventing
>> the replay attack.
>
> It doesn't prevent it, it just makes it less likely to be
> a viable vector: if 99% of your spam campaign is not leaving
> the outbound ISP, my guess is that you're going to look for
> other distribution mechanisms. We're already seeing a shift
> on that anyway, right? With zombies, right?

That is the whole point of the replay attack: you only need one
email to leave the outbound ISP with the signature, and then you can
send it a million times via other sources.

Or, if you are saying that all spam problems can be solved if all mail
sources do a better job of filtering on the outbound, then sure.  But
then, what is the point of DKIM?


> I really like the formulation I heard here: a lot of the
> utility of signing is in just getting spammers and other
> miscreants to attack somebody else instead of me. Eventually
> we may be able to close the noose, but until then I'd just
> assume at least they not sully my name.

But with the replay attack, there isn't any reason for the spammers to
attack anyone else.  They want the reputation of others to help them
pass spam filters.


-wayne
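
Added example, not part of the original message: a DKIM signature covers header fields and the body but not the SMTP envelope, so a replayed message carries a byte-identical b= value to every recipient, and a receiver can count distinct envelope recipients and source IPs per signature. The function names, the threshold and all sample data are constructed assumptions.

```python
import hashlib
from collections import defaultdict

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folding whitespace inside a value (common in b=) is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags

def signature_key(header_value):
    """Identify one signing event: signing domain plus a digest of b=."""
    tags = parse_dkim_tags(header_value)
    digest = hashlib.sha256(tags.get("b", "").encode()).hexdigest()[:16]
    return tags.get("d", "").lower(), digest

def find_replays(deliveries, max_recipients=3):
    """deliveries: iterable of (source_ip, envelope_rcpt, dkim_header_value).
    Returns {signature_key: (recipient_count, source_ip_count)} for every
    signature delivered to more than max_recipients distinct recipients.
    The threshold is an assumption: one legitimate message addressed to
    several local users also repeats its signature, so tune it per site."""
    rcpts, sources = defaultdict(set), defaultdict(set)
    for ip, rcpt, header in deliveries:
        key = signature_key(header)
        rcpts[key].add(rcpt.lower())
        sources[key].add(ip)
    return {k: (len(rcpts[k]), len(sources[k]))
            for k in rcpts if len(rcpts[k]) > max_recipients}

# Constructed sample: one signed message leaves isp.example once, then the
# same signature arrives from five unrelated hosts for five other recipients.
SIG_A = ("v=1; a=rsa-sha256; d=isp.example; s=sel1; h=from:subject; "
         "bh=Y29uc3RydWN0ZWQ=; b=QUJDREVGR0hJSktMTU5PUA==")
SIG_A_FOLDED = SIG_A.replace("b=QUJDREVG", "b=QUJD\r\n\tREVG")  # re-folded copy
SIG_B = ("v=1; a=rsa-sha256; d=other.example; s=k1; h=from; "
         "bh=b3RoZXI=; b=WllYV1ZVVFNSUVBPTk1MSw==")
SAMPLE = [("192.0.2.10", "alice@rcpt.example", SIG_A)]
SAMPLE += [("198.51.100.%d" % i, "user%d@rcpt.example" % i,
            SIG_A_FOLDED if i % 2 else SIG_A) for i in range(1, 6)]
SAMPLE += [("203.0.113.5", "bob@rcpt.example", SIG_B),
           ("203.0.113.5", "carol@rcpt.example", SIG_B)]

if __name__ == "__main__":
    for (domain, digest), (n_rcpt, n_src) in find_replays(SAMPLE).items():
        print(f"{domain} sig {digest}: {n_rcpt} recipients via {n_src} sources")
```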