Open Source and information security mailing list archives
Message-ID: <4047210A.13634.2CC356C@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: SMTP "authentication" (was: RE: Backdoor not recognized by Kaspersky)

"Larry Seltzer" <larry@...ryseltzer.com> wrote:

> I really feel for you guys. As I've argued in another thread, I think
> SMTP authentication will likely cut this stuff down to a trickle
> compared to the current volume. As an ISP, how big a problem would you
> have with that. An even better question: Would you have a problem
> implementing SPF, Caller ID and Domain Keys (i.e. all 3)? It gets to
> the same issue of changing practices for your users: at some point you
> have to either bounce or segregate mail that doesn't authenticate.

I really think you (and all the SPF, etc pundits) are overselling those
"technologies" as possible solutions to problems that exist because of
what are, and perhaps always will remain with us as, essentially
psycho-social issues.

SPF, Caller-ID, etc will either not take off or, if it does, it will not
greatly reduce the level of the spam or the self-mailing virus problem.
If it does take off we may initially see a dip in such things, but as
these technologies will not (and _CANNOT_) be blanket implemented
overnight, the spammers and virus writers will watch the developments
and, if they see a risk to their future success, there are many tricks
available for them to add to their "creations" that these "anti-spam" or
"anti-forgery" technologies _alone_ cannot prevent being exploited to
the benefit of the spammers.

Although I'm sure the "professional" mass-mailer writers and spammers
have a fair idea of what to do next if SPF, etc do start to bite, I'm
not going to spell out how I'd do it in case I give any less clueful
folk some ideas they don't deserve. However, the bottom line is that
for SPF, etc to be "successful" (i.e. to become very widely deployed and
used) they (and the things they require at the client end) have to be
"set and forget". Why??

Because the sad (?) reality is that most folk are simply lazy and won't
use systems that don't let them ignore the things they don't care about.
To date (and SPF, etc notwithstanding), I've seen no reason to expect
this to change, even to fix the spam or mass-mailing virus problem, no
matter how much "common folk" may belly-ache about it not being fixed.

This all means Mike Howard's "first immutable law of computer security":

   If the bad guy can run his program on your computer, it's not your
   computer any more

is broken from the outset _AND_ will remain so. Compound all manner of
other atrociously bad anti-security features that most computer users
have become so accustomed to that they will not allow them to be
changed, and the bad guys will just keep doing what they do, albeit
after adding a few dozen more lines of code to their existing bots, etc
so they can send "properly authenticated" Email through the "right" SMTP
servers.

SPF, etc pundits will counter "but we can then quickly get the ISPs to
shut those machines down because we can prove that 'bad' Email came from
that machine". This ignores the rather salient (I'd have thought) point
that the ISPs have entirely failed to deal with the existing armies of
such machines, and it seems utterly unlikely they will add more staff
(even just short-term) to handle their abuse@ enquiries once (or if)
SPF, etc becomes widely deployed (after all, SPF, etc is supposed to
eliminate the core problems in those areas, so the ISPs may even be
thinking they can _reduce_ their abuse staff!).

In summary, it seems that the bad guys are starting from a (probably)
insurmountable advantage of the existing vast army of readily
compromisable and/or already backdoor-ed machines. And, if SPF, etc is
successfully "sold" to the consumers, add the fact that many more users
than the current crop of utterly reckless click-a-holics would then
_trust_ more (or even all) of their Email and its attachments _because
the SPF, etc pundits have been telling them that this is precisely one
of the benefits of shafting the existing mail system_. On balance, it
seems we could easily see things _GET WORSE_.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854