Discussion:
Let's try to be productive...
Barry Shein
2014-01-06 03:26:01 UTC
Ok, if we do these tit-for-tats nothing will be accomplished.

It's too easy to take some overly literal interpretation of someone
else's words and spin a rebuttal. And paragraphs of anecdotes from
one's own mailbox really isn't useful either, maybe you're just lucky?

That said:

What's a current taxonomy of what we're trying to deal with?

If I may be so bold, what can we agree on, where should effort be
expended:

1. High volume "bulk" mailers with no discernible business
relationship with intended recipients whose intentions may or may
not be per se malicious.

e.g., Hawking herbal viagra -- if that's really what you get it's
not necessarily malicious. Doing it to a billion mailboxes per day
unsolicited is a problem. Hawking what appears to be a product
which is in high rotation on late night TV (e.g., those expandable
hoses) when all you want is a credit card number to abuse is
malicious and a problem.

2. Phishers -- those who specifically create deceptive email intended
to lure recipients into a position of trust so as to defraud them.

3. Direct fraudulent or trust appeals such as 419 ("Nigerian Scam".)
Also falsely appearing to be a legitimate charity and similar (or
is that a separate category?)

4. High volume unsolicited or questionably solicited (according to
CAN-SPAM or other similar standards) email even if from a
verifiably legitimate source (green card type spam.) Let's call
this spam by unscrupulousness.

5. What about email dictionary attacks and similar?

e.g., I'll see connections for ***@theworld.com,
***@theworld.com etc, hundreds per minute, or just what looks
like pick-a-random-mailbox or next in a large list and attach
@theworld.com, again hundreds per minute.

6. What appears to be purely malicious or hard to discern very high
volume email.

e.g., empty or indecipherable or trite ("hello!") bodies and/or
subjects.

What am I missing? Assuming one needs to start somewhere where would
we start?

There's also a broader category implied by the above:

A. Spam which hits end-users' mailboxes.

B. Spam which is blocked but represents bandwidth and storage problems
to service providers and the net in general.

Those last two, A & B, are in my experience on lists like this very
important because they tend to separate people on these lists.

Those not particularly concerned with (B) tend to only want to focus
on (A), if it doesn't hit my box it's not important.

Those concerned with (B) tend to be interested in both as they tend to
be service providers.

Wikipedia has an article on "Email spam" which lists some of these but
tends to be more descriptive (e.g., talks about legality and countries
of origin.)

http://en.wikipedia.org/wiki/Email_spam
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
-
This is the asrg mailing list. To change your subscription settings, see
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
Barry Shein
2014-01-06 04:08:58 UTC
Part II

What is the expected work product of this group? Ok, I like to get
started with lists.

Any or all or other than:

1. BCPs, RFCs

2. Scholarly papers

3. Software or software design recommendations

4. Recommendations and guidelines for:

a. End users
b. Law enforcement
c. The legal community in general (litigation, legislation.)
d. Providers of email services
e. Vendors involved in email services (e.g., firewalls, spam
appliances.)

5. Public awareness such as that aimed at journalists

6. Position papers (e.g., circleid.com or other non-scholarly pubs.)

7. Research in support of the above such as statistics gathering and
analysis.

8. Lobbying (e.g., FCC, FTC, regulatory agencies.)

9. International efforts for any of these.

10. Fund raising, directly or involvement of fund raising groups to
support efforts (e.g., ISOC, IETF, ICANN.)

11. Wiki or similar website creation (blog, etc.) Or space on an
existent site (leverage their visitors.)

12. Unspecified target definitional works such as taxonomies,
reviews of others' spam policies or frameworks, critical
reviews of publications, products.

13. Direct support of litigation or prosecution such as model
expert witness documents.

14. Workshops, courseware, conferences or presentations at
existing conferences (e.g., MAWWG, ICANN, IETF),
meet-ups (small, informal presentations), webinars.

15. Academic outreach such as involvement of faculty involved
in spam research, courseware and other involvement with
students, curriculum recommendations.

Again, what did I miss? What shouldn't be there?
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Barry Shein
2014-01-06 04:51:32 UTC
Part III (and this will be the last for now):

What has changed recently in the spam-o-verse?

What is likely to change in the near future?

How does it affect any or all of Parts I & II?

For example:

1. ICANN is injecting over 1,000 new TLDs. Many have already been
added to the DNS root but aren't in general use yet such as .CEO,
.EMAIL, .HOUSE, etc.

http://newgtlds.icann.org/en/program-status/delegated-strings

2. The net is moving to IPv6.

One example is this vastly expands the IP blacklisting and IP mobility
landscape.

3. Internationalization - ICANN is approving new scripts for TLDs and
host names (SLDs etc) such as Chinese, Arabic, Cyrillic, etc. A lot of
work has gone on in recent years in this area but now these are going
live.

One obvious and well-discussed problem is homograph fraud.

For example using a Cyrillic code point (character) which looks like
an ASCII or Latin-1 'o' but can be delegated to a different owner such
as microsoft.com vs (replace the 'o's with Cyrillic 'o's). And
punycode and all that (does it help?)

http://en.wikipedia.org/wiki/Homograph_attack

http://en.wikipedia.org/wiki/Punycode

4. Social networking.

I seem to get more and more spam which uses a real name probably
scraped from my facebook friends list or similar (linkedin etc) in an
automated attempt to get me to open it.

From: <***@malware.sy> Chris Lewis

that sort of thing.

I'm sure there are many issues arising from the ubiquity of social
networking and relating to or amplified in spam.

5. Smartphones and related -- tablets, wi-fi hotspots, mi-fi devices,
etc. all providing for more and more identity hiding, potential
botnets, as well as new targeting methods for users of these devices.

6. Changes in legislation and court decisions? Always a moving target.

Others?
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Richard Clayton
2014-01-06 13:43:46 UTC
Post by Barry Shein
What has changed recently in the spam-o-verse?
DMARC ... now whether it has made a difference is a reasonable
question for research to answer !
Post by Barry Shein
One obvious and well-discussed problem is homograph fraud.
which, to a first approximation, is non-existent -- the APWG six monthly
reports show that the use of non-latin domain names (at all, let alone
for misleading) has only ever been countable on the fingers of one or
two hands ...

where one _does_ see homographs is in people trying to disguise phishing
web pages so that the text looks like "PayPal" but a simple-minded
content scanner (operated by the web hosting company perhaps) will not
detect the page to be a phish ... &Rho; is useful for that...
Post by Barry Shein
4. Social networking.
I seem to get more and more spam which uses a real name probably
scraped from my facebook friends list or similar (linkedin etc) in an
automated attempt to get me to open it.
yes, Facebook leaked this information [at scale] for a while about a
year ago (until their security hole was plugged)

interesting that you're still seeing this (or are you just relating
anecdotes from some time back ?)

--
Dr Richard Clayton <***@cl.cam.ac.uk>
tel: 01223 763570, mobile: 07887 794090
Computer Laboratory, University of Cambridge, CB3 0FD

Barry Shein
2014-01-06 20:34:41 UTC
Post by Richard Clayton
Post by Barry Shein
What has changed recently in the spam-o-verse?
DMARC ... now whether it has made a difference is a reasonable
question for research to answer !
That's a good topic.

I suppose a next pass for a taxonomy is matching up current efforts in
each area. Even if imperfect it'd be a useful reference.
Post by Richard Clayton
Post by Barry Shein
One obvious and well-discussed problem is homograph fraud.
which, to a first approximation, is non-existent -- the APWG six monthly
reports show that the use of non-latin domain names (at all, let alone
for misleading) has only ever been countable on the fingers of one or
two hands ...
It's still rather new.

Yes it's probably more practical to be reactive but we need to know
where to look and how to determine whether something is within our
stated purview and of course whether that purview needs to be modified
if not.
Post by Richard Clayton
where one _does_ see homographs is in people trying to disguise phishing
web pages so that the text looks like "PayPal" but a simple-minded
content scanner (operated by the web hosting company perhaps) will not
detect the page to be a phish ... &Rho; is useful for that...
I agree, that's the sort of thing I was getting at.

There's also all that work going on largely in Kanji or Hanzi, the
Chinese character set(s). Dennis Jennings has been working on this
w/in ICANN for about two years or so.

There are a lot of domain strings possible in at least East Asian
ideographic scripts which are for all practical purposes analogous to
Latin-1's notion of upper/lower case.

That is, they should be treated identically.

Or so it's been argued successfully by people with a lot more
expertise in this area than I have. Wode putonghua shi bu hao ba!

ICANN's concern is more in the realm of, like upper/lower case, if you
register one should you automatically or implicitly be registered for
all of them? Or should they be taken off the market perhaps offering a
right of first refusal? etc etc etc.

But it's much more complicated, you can't just add/sub ASCII space :-)

Well, none of that is directly a concern of spam but where there is a
possibility of confusion there's a possibility of fraud.

And it does raise the issue of how do we (and should we?) possibly
cover an emerging multi-script world?

If nothing else it would be nice to at least acknowledge it where
relevant to other efforts and not be accused of being overly
LATIN-1-centric.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
John Levine
2014-01-06 17:49:33 UTC
Post by Barry Shein
What has changed recently in the spam-o-verse?
What is likely to change in the near future?
Seems like reasonable questions.
Post by Barry Shein
1. ICANN is injecting over 1,000 new TLDs. Many have already been
added to the DNS root but aren't in general use yet such as .CEO,
.EMAIL, .HOUSE, etc.
I doubt we'll see many of them in spam. About half are private
corporate vanity domains (one is a personal vanity domain), the rest
are all likely to cost two or three times as much as .com or .org. I
can't tell how many of them will turn up in URLs; we can expect
companies with vanity TLDs to use them, but that's only a few hundred
of the millions of commercial domains.
Post by Barry Shein
2. The net is moving to IPv6.
One example is this vastly expands the IP blacklisting and IP mobility
landscape.
Yeah, that's the interesting one. We all seem to agree that the
minimum granularity for blacklisting will be /64, although there are
hosting companies who made poor decisions and put all the customers in
a rack in the same /64. My inclination is to say tough luck.

For whitelisting, it really should be individual IPs, although people
have some odd ideas about mail servers with auto-configured addresses.
There's also long running arguments about whether v6 mail servers need
rDNS (non-server hosts won't) and whether to be fussier about
authentication of mail that arrives over v6.

So far v6 mail has been pretty easy to filter. I just got my v6 IP
filtering code working last week although I've been accepting v6 mail
for a year.
Post by Barry Shein
3. Internationalization - ICANN is approving new scripts for TLDs and
host names (SLDs etc) such as Chinese, Arabic, Cyrillic, etc. A lot of
work has gone on in recent years in this area but now these are going
live.
One obvious and well-discussed problem is homograph fraud.
ICANN has a huge and complex set of rules about IDN languages and
character sets that make homographs in 2LDs pretty unlikely. You can
have homographs at lower levels, but you can have "microsoft" and
"google" at lower levels, too.
Post by Barry Shein
For example using a Cyrillic code point (character) which looks like
an ASCII or Latin-1 'o' but can be delegated to a different owner such
as microsoft.com vs (replace the 'o's with Cyrillic 'o's). And
punycode and all that (does it help?)
The language rules make that impossible to register. There are a few
homographs in .com grandfathered from before the language rules were
(mostly) debugged but they seem to be harmless.
Post by Barry Shein
4. Social networking.
Sigh. Yes.
Post by Barry Shein
6. Changes in legislation and court decisions? Always a moving target.
See http://www.inboxproject.org/

R's,
John
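The /64 blocklist granularity and per-host allowlisting John describes, worked through as an added example (not code from the thread or from any list member's software). The addresses, the DNSBL zone name and the "two customers in one /64" scenario are constructed for illustration.

```python
"""Added example: a /64-granularity IPv6 blocklist with exact-address
allowlist overrides, plus the reversed-nibble DNSBL lookup name.
All addresses and the zone name below are constructed."""
import ipaddress


def block_key(addr: str) -> ipaddress.IPv6Network:
    """The /64 containing addr: the minimum blocklist granularity discussed."""
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(addr)}/64", strict=False)


def dnsbl_query_name(addr: str, zone: str) -> str:
    """RFC 5782 style lookup name: all 32 nibbles of the address, reversed,
    under the DNSBL zone. A /64 listing covers every host in it when the
    zone publishes a wildcard under the 16 reversed network nibbles."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


class V6ConnectionPolicy:
    """Blocklist by /64, allowlist by exact address; the exact allow wins."""

    def __init__(self) -> None:
        self.blocked = set()   # IPv6Network objects, always /64
        self.allowed = set()   # IPv6Address objects, individual hosts

    def block(self, addr: str) -> None:
        # Listing any address lists the whole /64 it lives in.
        self.blocked.add(block_key(addr))

    def allow(self, addr: str) -> None:
        # Allowlisting is per host, as the thread argues it should be.
        self.allowed.add(ipaddress.IPv6Address(addr))

    def decide(self, addr: str) -> str:
        ip = ipaddress.IPv6Address(addr)
        if ip in self.allowed:
            return "accept"
        if block_key(addr) in self.blocked:
            return "reject"
        return "accept"


def demo() -> dict:
    """Constructed scenario: a hoster put two customers' MTAs in one /64."""
    policy = V6ConnectionPolicy()
    spammer = "2001:db8:1:2::10"     # constructed: customer emitting spam
    neighbour = "2001:db8:1:2::20"   # constructed: innocent customer, same /64
    elsewhere = "2001:db8:1:3::20"   # constructed: host in a different /64
    policy.block(spammer)
    before = policy.decide(neighbour)  # collateral: same /64, so rejected
    policy.allow(neighbour)
    after = policy.decide(neighbour)   # exact-host allow restores delivery
    return {
        "neighbour_before": before,
        "neighbour_after": after,
        "spammer": policy.decide(spammer),
        "elsewhere": policy.decide(elsewhere),
    }


if __name__ == "__main__":
    print(demo())
    print(dnsbl_query_name("2001:db8::1", "v6bl.example"))
```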
Daniel Feenberg
2014-01-06 21:29:24 UTC
Post by John Levine
Post by Barry Shein
2. The net is moving to IPv6.
One example is this vastly expands the IP blacklisting and IP mobility
landscape.
Yeah, that's the interesting one. We all seem to agree that the
minimum granularity for blacklisting will be /64, although there are
hosting companies who made poor decisions and put all the customers in
a rack in the same /64. My inclination is to say tough luck.
Agreed that IPv6 DNSBL isn't straightforward, but it may not be necessary.

There is some logic to not accepting mail on IPv6 at all. While there are
currently some MTAs with ipv6 capability, there are apparently no MTAs
that lack IPv4 fallback. So if you simply fail to support IPv6 for SMTP
then the senders will fall back to IPv4, and your DNSBL is as effective as
ever. How long will this work? Certainly for a long time and possibly
forever. Consider that most mail admins would resist using an IPv4 address
that was blacklisted on a fraction of 1% of receivers. So anyone
establishing an IPv6 only MTA needs to wait till 99+% of MTAs support
IPv6. That isn't likely for many years.

Daniel Feenberg
NBER
John Levine
2014-01-08 16:04:33 UTC
Post by Daniel Feenberg
Agreed that IPv6 DNSBL isn't straightforward, but it may not be necessary.
There is some logic to not accepting mail on IPv6 at all. ...
For a while, sure. Mail will be the last thing to move to IPv6 because it
is unusual both in that it works flawlessly through extra relays, and you
can pump vast amounts of mail through very small amounts of address space.

On the other hand ...

I expect it will matter a lot who you correspond with. In China in
particular, they use IPv6 more than we do because they were late to
the IPv4 party. In a few years we'll likely be seeing mail systems
that mostly work on v6, with only a cruddy gateway to and from v4. If
you know what EAI is, the mail extension that allows full non-ASCII
addresses, I can easily believe that the mail system will do EAI but
the gateway won't, which will lock you out from all of the users who
don't have legacy ASCII addresses. (In China, that will be a lot of
people.)

The large v6 address space also makes it possible to do stuff like
assign known bulk senders specific IPs to send to, either by telling
them (ESPs will do anything you tell them to if they think it will
improve their deliverability by 0.1%), or by DNS tricks. This will
make it easier to notice funkiness like mail from a sender showing up
from places it's not supposed to come from.

I'm in the process of upgrading my v6 mail software to handle address
rules like v4 rules, mostly so I can send mail from networks who never
send mail worth reading directly to the spam trap. Will advise.

R's,
John
Richard Clayton
2014-01-08 16:20:48 UTC
Post by John Levine
The large v6 address space also makes it possible to do stuff like
assign known bulk senders specific IPs to send to
If IPv6 email really takes off (and that certainly won't be soon (IMO)
apart from some special cases), then we might very well see ISPs and/or
the really big mail handlers (Gmail, Yahoo &c) using one IPv6 address
per account ...

... this will allow people to block (or perhaps whitelist) specific
people who are using mass platforms without having to agonise over the
pain of blocking "the whole of gmail/whatever"
Post by John Levine
, either by telling
them (ESPs will do anything you tell them to if they think it will
improve their deliverability by 0.1%)
ESPs will rapidly adopt anything that prevents compromised customer A or
wicked customer B spoiling the party for paying customers C, D, E....

... and given that IPv6 reception will run ahead of IPv6 sending and
adoption by the few large sites will run ahead of adoption by the many
medium or small ones, we may see this very soon.

--
richard Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin

Martijn Grooten
2014-01-09 21:44:39 UTC
Post by Richard Clayton
If IPv6 email really takes off (and that certainly won't be soon (IMO)
apart from some special cases), then we might very well see ISPs and/or
the really big mail handlers (Gmail, Yahoo &c) using one IPv6 address
per account ...
... this will allow people to block (or perhaps whitelist) specific
people who are using mass platforms without having to agonise over the
pain of blocking "the whole of gmail/whatever"
Apart from being able to drop the connection slightly earlier during the SMTP transaction, does this give you a significant advantage over just blacklisting (or whitelisting) individual email addresses? Something which I would think doesn't really scale.

Martijn.

Barry Shein
2014-01-09 22:10:41 UTC
Post by Martijn Grooten
Apart from being able to drop the connection slightly earlier during the SMTP transaction, does this give you a significant advantage over just blacklisting (or whitelisting) individual email addresses? Something which I would think doesn't really scale.
Dropping the SMTP transaction "slightly earlier" can be the Holy Grail
of surviving these onslaughts.

You have to sit here on a bad day when we're getting hundreds or even
thousands of spam attempts per second, all the mail servers pegged,
little or no legitimate mail getting through, phones ringing off the
hook from customers who noticed they're not getting email, etc.

Put an IP block at various levels -- depends on the details of the
attack, but the earlier in the chain the better -- and watch
everything come back to normal when you get it right.

I assume that's roughly what AOL went through over the past few weeks
when a lot of service providers (see the NANOG thread) noticed AOL
seemed to be randomly blocking mail servers and even when unblocked
would just return "Service Unavailable" for every SMTP delivery
attempt generally after the DATA phase which is indicative to me that
something was out of control.

P.S. AOL seems ok now and has been ok for a few days.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Martijn Grooten
2014-01-10 19:28:56 UTC
Post by Barry Shein
Post by Martijn Grooten
Apart from being able to drop the connection slightly earlier during the SMTP transaction, does this give you a significant advantage over just blacklisting (or whitelisting) individual email addresses? Something which I would think doesn't really scale.
Dropping the SMTP transaction "slightly earlier" can be the Holy Grail
of surviving these onslaughts.
Sure.

But Richard's post referred to using IP(v6) addresses to distinguish
individual users at large webmail providers. If such users can send so
much spam to an organisation that this "slightly earlier" makes a
noticeable difference, then I'd say the webmail provider has a very big
problem.
Post by Barry Shein
You have to sit here on a bad day when we're getting hundreds or even
thousands of spam attempts per second, all the mail servers pegged,
little or no legitimate mail getting through, phones ringing off the
hook from customers who noticed they're not getting email, etc.
Put an IP block at various levels -- depends on the details of the
attack, but the earlier in the chain the better -- and watch
everything come back to normal when you get it right.
Out of curiosity: are you using some kind of anti-spam solution? Even if
it's just a DNSBL to drop connections from "known spammers".

For over the years I have come to realise that thanks to spam filters
and various actions against spammers and their networks (port 25
blocking, botnet takedowns, legislation etc.) the spam problem has
been mitigated rather well: the vast majority of spam is blocked. Most
legitimate email arrives. Networks rarely get clogged and we don't need
significantly bigger tubes to deal with all the spam.

I always assume that the lack of activity in groups like this one and
its predecessors is for a large part because of that: it isn't easy to
make any actual difference any more.

I might of course be wrong. I know the quantity and quality of spam
received by various organisations differs a whole lot. I know that for
some it can be a very hard to mitigate pain. But perhaps I am
underestimating the number of organisations for whom this is the
case. And perhaps I am just wrong about the state of spam.

Martijn.

John Levine
2014-01-10 03:53:09 UTC
Post by Martijn Grooten
Apart from being able to drop the connection slightly earlier during the SMTP
transaction, does this give you a significant advantage over just blacklisting (or
whitelisting) individual email addresses? Something which I would think doesn't
really scale.
I think so. Some advertisers not unreasonably use an address per
campaign, or they might have multiple brands with multiple domains.

Some even use an encoded return address per recipient to make bounce
and unsub handling more reliable.

R's,
John
Dave Crocker
2014-01-10 04:32:29 UTC
Post by John Levine
Some advertisers not unreasonably use an address per
campaign,
that essentially means zero reputation history for that IP Address stream.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Alessandro Vesely
2014-01-10 08:14:59 UTC
Post by John Levine
Post by Martijn Grooten
Apart from being able to drop the connection slightly earlier
during the SMTP transaction, does this give you a significant
advantage over just blacklisting (or whitelisting) individual
email addresses? Something which I would think doesn't really
scale.
I think so. Some advertisers not unreasonably use an address per
campaign, or they might have multiple brands with multiple
domains.
Isn't that poor man's email authentication? Some clients maintain a
pool of open connections, during a queue run, so as to optimize the
tcp/tls per-connection overhead.
Post by John Levine
Some even use an encoded return address per recipient to make
bounce and unsub handling more reliable.
That, a new EHLO, or a different DKIM signer, should change the token
used for reputation tracking without tearing the session down.

Ale
John Levine
2014-01-10 16:45:06 UTC
Post by Alessandro Vesely
Post by John Levine
I think so. Some advertisers not unreasonably use an address per
campaign, or they might have multiple brands with multiple
domains.
Isn't that poor man's email authentication?
No, I mean an e-mail address per campaign, not an IP address.

Sensible mailers (I realize, I'm making a leap here) stick to a fixed
set of domains to help recipients track their reputations. My point
is that with IPv6 the fixed set of domains can also have a fixed
unshared IP address.

R's,
John
James Cloos
2014-01-10 23:32:37 UTC
RC> If IPv6 email really takes off

I currently see about 30% incoming over v6. (Including this list. :)

RC> we might very well see ISPs and/or the really big mail handlers
RC> (Gmail, Yahoo &c) using one IPv6 address per account ...

That would be cool. It would take some work, but they certainly
could do so.

-JimC
--
James Cloos <***@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
Dave Crocker
2014-03-27 12:43:50 UTC
Post by Richard Clayton
If IPv6 email really takes off (and that certainly won't be soon (IMO)
apart from some special cases), then we might very well see ISPs and/or
the really big mail handlers (Gmail, Yahoo &c) using one IPv6 address
per account ...
... this will allow people to block (or perhaps whitelist) specific
people who are using mass platforms without having to agonise over the
pain of blocking "the whole of gmail/whatever"
(taking up an old thread.)


They don't have to wait.

They could sign with DKIM, using a different d= domain name for every
user.

By way of an easy convention to extend d= granularity, they could
'encode' the author's full address into d=, such as:

<selector>._domainkey.<mailbox>._at.<domain>

e.g.,

1234._domainkey.richard._at.example.com


d/

ps. No, this doesn't enable evaluation when the connection is first
attempted or opened.
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
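Dave's d= convention worked through as an added example (not code from the thread or from any DKIM implementation): it encodes a mailbox into d=, derives the public-key query name, inverts the encoding, and pulls the per-user reputation token out of a DKIM-Signature header. The header, selector and mailbox are constructed; the selector sanity check is a hypothetical addition, and the token is only meaningful once the signature has actually verified.

```python
"""Added example: per-user DKIM d= encoding per the convention
<selector>._domainkey.<mailbox>._at.<domain>. Sample data is constructed."""
import re
from typing import Dict, Optional, Tuple

# Hypothetical sanity check: a selector must be a single DNS label.
SELECTOR_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")


def per_user_domain(mailbox: str) -> str:
    """'richard@example.com' -> 'richard._at.example.com' (the d= value).
    Lower-cased because DNS names are case-insensitive even though local
    parts formally are not; signer and verifier must agree on this."""
    local, domain = mailbox.rsplit("@", 1)
    return f"{local}._at.{domain}".lower()


def key_record_name(selector: str, d: str) -> str:
    """DNS name a verifier queries for the public key: <selector>._domainkey.<d>."""
    if not SELECTOR_RE.match(selector):
        raise ValueError(f"bad selector: {selector!r}")
    return f"{selector}._domainkey.{d}"


def mailbox_from_domain(d: str) -> Optional[str]:
    """Invert the convention; None when d= is an ordinary domain.
    Splitting on the first '._at.' keeps dots inside the local part intact."""
    local, sep, domain = d.partition("._at.")
    if not sep or not local or not domain:
        return None
    return f"{local}@{domain}"


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Minimal tag=value parser for a DKIM-Signature header body (RFC 6376
    tag-list syntax); folding whitespace inside values is dropped."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def reputation_token(header_value: str) -> Tuple[str, str]:
    """Return (kind, token): 'mailbox' when d= carries a user, else 'domain'.
    Use only after the signature verified; an unverified d= is just a claim."""
    tags = parse_dkim_tags(header_value)
    d = tags["d"].lower()
    mbox = mailbox_from_domain(d)
    return ("mailbox", mbox) if mbox else ("domain", d)


# Constructed header: bh= and b= are placeholders, not a real signature.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; d=richard._at.example.com; s=1234;\n"
    " h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER="
)


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_SIG)
    print(key_record_name(tags["s"], tags["d"]))
    print(reputation_token(SAMPLE_SIG))
```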
Richard Clayton
2014-03-27 13:04:46 UTC
Post by Dave Crocker
Post by Richard Clayton
If IPv6 email really takes off (and that certainly won't be soon (IMO)
apart from some special cases), then we might very well see ISPs and/or
the really big mail handlers (Gmail, Yahoo &c) using one IPv6 address
per account ...
... this will allow people to block (or perhaps whitelist) specific
people who are using mass platforms without having to agonise over the
pain of blocking "the whole of gmail/whatever"
They don't have to wait.
They could sign with DKIM, using a different d= domain name for every
user.
By way of an easy convention to extend d= granularity, they could
<selector>._domainkey.<mailbox>._at.<domain>
given the number of mailboxes at the large providers, this will make the
task of DNSSEC signing the .com domain (a mere 113 million domains) look
somewhat trivial in comparison
Post by Dave Crocker
ps. No, this doesn't enable evaluation when the connection is first
attempted or opened.
assessing the load on DNS servers and contrasting that with the impact
of existing reputation systems would doubtless be instructive

--
richard Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin

Martijn Grooten
2014-03-27 14:04:37 UTC
Post by Richard Clayton
Post by Dave Crocker
They don't have to wait.
They could sign with DKIM, using a different d= domain name for every
user.
By way of an easy convention to extend d= granularity, they could
<selector>._domainkey.<mailbox>._at.<domain>
given the number of mailboxes at the large providers, this will make the
task of DNSSEC signing the .com domain (a mere 113 million domains) look
somewhat trivial in comparison
I also don't see how using the same d= domain but adding granularity by
putting per-user values in the envelope from wouldn't have the same
effect.

Martijn.

Dave Crocker
2014-03-27 14:33:52 UTC
Post by Martijn Grooten
I also don't see how using the same d= domain but adding granularity by
putting per-user values in the envelope from wouldn't have the same
effect.
you mean other than the fact that none of the envelope information is
protected/authenticated?

i thought the point of the exercise was to have a validated basis for
making per-user distinctions.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Martijn Grooten
2014-03-27 16:00:33 UTC
Permalink
Post by Dave Crocker
you mean other than the fact that none of the envelope information
is protected/authenticated?
i thought the point of the exercise was to have a validated basis
for making per-user distinctions.
Yes, sorry, I should have said the Return-Path header. Or some new fancy
header that is always equal to the envelope from.

But if you want to drop connections from unwanted addresses as early
as possible - as you could do if there's a per-user sending IPv6-address
- you can actually use the envelope from for that, because you don't
really care if it is correct/authenticated.

(The point I tried to make is that I don't think per-user IPv6-addresses
would solve anyone's problem, but that if it did, they'd already have
the tools to solve it.)

Martijn.

Barry Shein
2014-01-07 19:17:58 UTC
Permalink
Post by John Levine
Post by Barry Shein
What has changed recently in the spam-o-verse?
What is likely to change in the near future?
Seems like reasonable questions.
Post by Barry Shein
1. ICANN is injecting over 1,000 new TLDs. Many have already been
added to the DNS root but aren't in general use yet such as .CEO,
.EMAIL, .HOUSE, etc.
I doubt we'll see many of them in spam. About half are private
corporate vanity domains (one is a personal vanity domain), the rest
are all likely to cost two or three times as much as .com or .org. I
can't tell how many of them will turn up in URLs; we can expect
companies with vanity TLDs to use them, but that's only a few hundred
of the millions of commercial domains.
I think it's too early to tell. Right now we only have about a dozen
gTLDs, even expanding that to 100 might have significant effects and I
think it's going to be a lot more than 100.

If nothing else it'll probably interact with a lot of anti-spam
software which thinks it knows something about domain names as a cheap
test, for example that TLDs "aren't longer than 4 chars" (pick a
number), already broken for .MUSEUM and .TRAVEL but who would
notice??? Particularly if it's just a scoring system like spamassassin
rather than outright blocking.

Where we'll probably see them is embedded in messages as just more
legitimate URLs to try to trick people into clicking, particularly
where they can be visually confusing or misleading.

I suppose we can sum that up as more degrees of freedom, more
opportunities for mischief.

IF YOU WANT MY PERSONAL OPINION ON NEW gTLDs (consider the price :-):

<PERSONAL OPINION>

Outside of the vanity domains like .SONY which need no business model
really -- they'll just be treated as sunk marketing cost -- some of
these TLDs will probably be successful, and a lot of them will
flounder and fail.

It's the old 80/20 rule of startups: 80% will fail quickly like one or
two years, 80% of those remaining will fail in the following five
years, etc.

Or pick a percentage but it's probably very high.

As these hundreds of domains begin to fail registration prices will
drop. What else can someone who has sunk a coupla-few million ramping
one up and facing losses do?

Well, there are other choices, but lowering prices so long as they
remain above COGS is always a big one. And these are annuities so
their profit structure can be a little subtle.

Their marginal cost is probably about a buck or so per registration or
renewal particularly where the overhead has been farmed out to large
registries and registrars who already have infrastructure (e.g.,
GoDaddy reselling .HOUSE, little extra overhead to GoDaddy.)

Those that become economically distressed will become targets of the
less and less scrupulous.

For example, call a less popular registrar which charges $25/year for
a domain and tell them you have a need for 5,000/month what would the
price be?

If you're credible you'll get a much better price in most cases, MUCH
better.

And why not, you're probably paying cash, even offering to pay up
front, and it's just one account to deal with for thousands of domain
sales per month, and probably a sophisticated and educated account.

It's been a topic of discussion because the sort of person who can and
will pay for 5,000 domains/month (or more, or other deals like
thousands of one-day domains) is often not the most savory sort.

So sticker price can be misleading.

But, as is always the case with the future, we can only guess until it
begins to happen.

But it's something to keep an eye on since it's such a potentially
profound change to the internet.

</PERSONAL OPINION>

Again, it comes down to more degrees of freedom, which is not
necessarily a good thing even if the word "freedom" seems like a
superficially positive term.

-b
Peter Blair
2014-01-08 16:43:41 UTC
Permalink
Post by John Levine
So far v6 mail has been pretty easy to filter. I just got my v6 IP
filtering code working last week although I've been accepting v6 mail
for a year.
Would love to see a blog post or a README!
John Levine
2014-01-08 19:54:50 UTC
Permalink
Post by John Levine
So far v6 mail has been pretty easy to filter. I just got my v6 IP
filtering code working last week although I've been accepting v6 mail
for a year.
Would love to see a blog post or a README!
Will do, once it's been running a little longer.

R's,
John

PS: Do keep in mind that I am one of the 12 people in the world who
use mailfront to receive my mail.
Peter Blair
2014-01-10 14:25:40 UTC
Permalink
Post by John Levine
Post by Peter Blair
Would love to see a blog post or a README!
Will do, once it's been running a little longer.
R's,
John
PS: Do keep in mind that I am one of the 12 people in the world who
use mailfront to receive my mail.
Weird+Wonderful software should be the first to get documented! Otherwise,
how would other people find it and perhaps give it a shot?
John Levine
2014-01-10 17:00:54 UTC
Permalink
Post by Peter Blair
Post by John Levine
PS: Do keep in mind that I am one of the 12 people in the world who
use mailfront to receive my mail.
Weird+Wonderful software should be the first to get documented! Otherwise,
how would other people find it and perhaps give it a shot?
Mailfront is here:

http://untroubled.org/mailfront/

I've written some plugins for starttls, greylisting, DCC, dmarc, and
so forth that I will put on the web if I can ever figure out how
github works.

Each copy of mailfront only handles one connection, so you have to run
it from tcpserver, part of the old djb ucspi-tcp package, which
includes tcprules, which lets you maintain tables of special handling
rules for various IP addresses. An updated version for IPv6 called
ucspi-tcp6 is (or will shortly be, we're picking bugs from it) here:

http://www.fehcom.de/ipnet/ucspi-tcp6.html

Tcpserver is typically run from daemontools, a remarkably robust
package that hasn't changed since 2001:

http://cr.yp.to/daemontools.html

This is a simple design but due to the way it passes config options
along as environment variables, it's remarkably flexible. You can,
for example, easily set up IP-specific rules for snarky SMTP responses
to particular envelope senders.

R's,
John
Steve Atkins
2014-01-06 04:13:58 UTC
Permalink
Post by Barry Shein
Ok, if we do these tit-for-tats nothing will be accomplished.
It's too easy to take some overly literal interpretation of someone
else's words and spin a rebuttal. And paragraphs of anecdotes from
one's own mailbox really isn't useful either, maybe you're just lucky?
What's a current taxonomy of what we're trying to deal with?
If I may be so bold, what can we agree on, where should effort be
1. High volume "bulk" mailers with no discernible business
relationship with intended recipients whose intentions may or may
not be per se malicious.
e.g., Hawking herbal viagra -- if that's really what you get it's
not necessarily malicious. Doing it to a billion mailboxes per day
unsolicited is a problem. Hawking what appears to be a product
which is in high rotation on late night TV (e.g., those expandable
hoses) when all you want is a credit card number to abuse is
malicious and a problem.
2. Phishers -- those who specifically create deceptive email intended
to lure recipients into a position of trust so as to defraud them.
3. Direct fraudulent or trust appeals such as 419 ("Nigerian Scam".)
Also falsely appearing to be a legitimate charity and similar (or
is that a separate category?)
4. High volume unsolicited or questionably solicited (according to
CAN-SPAM or other similar standards) email even if from a
verifiably legitimate source (green card type spam.) Let's call
this spam by unscrupulousness.
5. What about email dictionary attacks and similar?
like pick-a-random-mailbox or next in a large list and attach
@theworld.com, again hundreds per minute.
6. What appears to be purely malicious or hard to discern very high
volume email.
e.g., empty or indecipherable or trite ("hello!") bodies and/or
subjects.
(5) I consider to be a net-positive rather than a problem. It’s
miscreants providing you, at no cost, with a list of their compromised
or spamming machines.

Other than that, all of the above. I’d add malware emails, as a higher
urgency than any of the above, as they’re part of the positive feedback
loop that makes more bots, which send more problematic mail.

(On a personal level, I don’t care as much about (2) or (3) unless it leads
to the recipients' machines being compromised, as anyone who
falls prey to phishes will probably fall prey to some other scam
even if we eliminate phishing altogether. But when I’m trying to be
professional they’re still a concern.)

I have more concern about mail that’s coming from senders
who send a mix of wanted and unwanted email, as opposed
to senders of 99%+ unwanted email, as it’s much harder to
reliably mechanically mitigate. They’re not really a large
fraction of the problem right now, though (other than exceptions
like Amazon, Yahoo and Google).
Post by Barry Shein
What am I missing? Assuming one needs to start somewhere where would
we start?
A. Spam which hits end-users' mailboxes.
B. Spam which is blocked but represents bandwidth and storage problems
to service providers and the net in general.
Those last two, A & B, are in my experience on lists like this very
important because they tend to separate people on these lists.
They’re both issues. (B) is more painful in the short term to anyone running
an email system (but of negligible interest to anyone else) if
you include the effort and resources expended on spam filtering and associated
issues; (A) is more damaging to email in the medium to long term, and
a higher pain point to anyone at an ISP who isn’t running the email system.

Cheers,
Steve
Post by Barry Shein
Those not particularly concerned with (B) tend to only want to focus
on (A), if it doesn't hit my box it's not important.
Those concerned with (B) tend to be interested in both as they tend to
be service providers.
Wikipedia has an article on "Email spam" which lists some of these but
tends to be more descriptive (e.g., talks about legality and countries
of origin.)
http://en.wikipedia.org/wiki/Email_spam
--
-Barry Shein
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Barry Shein
2014-01-06 05:00:43 UTC
Permalink
Post by Barry Shein
5. What about email dictionary attacks and similar?
(5) I consider to be a net-positive rather than a problem. It's
miscreants providing you, at no cost, with a list of their compromised
or spamming machines.
Except when we're being hit from high-profile servers which one is
loath to block such as right this minute I'm getting dozens of SMTP
connections per minute (not too bad) from outlook.com mail servers
which is a microsoft service. I can't just block *.outlook.com, it
would block too much ham.

I'll get these attacks from AOL, google, whatever and these are their
mail servers not end-user hosts.

My best guess is these are many compromised hosts on their hosting
services being used to send spam through their email servers, or maybe
bots with accts on their services or who knows, direct compromises of
their mail servers?

I suppose we could work harder to follow the received chains and we do
use some methods. And of course trying to contact the admins but let's
just say they're not always very responsive and such attacks can go on
for days before they suddenly stop, and then sometimes start right
back up again in a few hours.

But it's problematic.

It's war out there.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
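One way to turn the pattern Barry describes into a defender-side check, as an added example that is not code from the thread or from The World: it counts distinct RCPT TO attempts to unknown mailboxes per source within a sliding window over constructed log lines, and sends hits from allowlisted large-provider MX hosts to a review queue rather than to a block, which is the trade-off he is wrestling with. The log format, hostnames, addresses, known-mailbox list and threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SMTP log lines (not real traffic); assumed format:
#   "<ISO time> <client ip> <client hostname> rcpt=<address>"
# 198.51.100.23 walks an alphabetical list from an unknown host,
# 203.0.113.7 does the same from a large provider's MX, and
# 192.0.2.10 is ordinary traffic with one typo'd recipient.
SAMPLE_LOG = """\
2014-01-06T04:58:01 198.51.100.23 unknown.example rcpt=aaron@theworld.com
2014-01-06T04:58:03 198.51.100.23 unknown.example rcpt=abbey@theworld.com
2014-01-06T04:58:05 198.51.100.23 unknown.example rcpt=abbot@theworld.com
2014-01-06T04:58:09 198.51.100.23 unknown.example rcpt=abby@theworld.com
2014-01-06T04:58:14 198.51.100.23 unknown.example rcpt=abe@theworld.com
2014-01-06T04:58:20 198.51.100.23 unknown.example rcpt=abe@theworld.com
2014-01-06T04:58:22 198.51.100.23 unknown.example rcpt=abel@theworld.com
2014-01-06T04:59:30 203.0.113.7 mail-a.bigprovider.example rcpt=carl@theworld.com
2014-01-06T04:59:31 203.0.113.7 mail-a.bigprovider.example rcpt=carla@theworld.com
2014-01-06T04:59:33 203.0.113.7 mail-a.bigprovider.example rcpt=carlo@theworld.com
2014-01-06T04:59:40 203.0.113.7 mail-a.bigprovider.example rcpt=carlos@theworld.com
2014-01-06T04:59:41 203.0.113.7 mail-a.bigprovider.example rcpt=carly@theworld.com
2014-01-06T04:59:45 203.0.113.7 mail-a.bigprovider.example rcpt=carmen@theworld.com
2014-01-06T05:00:10 192.0.2.10 mx.partner.example rcpt=bzs@theworld.com
2014-01-06T05:03:12 192.0.2.10 mx.partner.example rcpt=bsz@theworld.com
"""

# Constructed stand-ins for the site's real mailbox table and for the
# hostnames of providers one is loath to block outright.
KNOWN_MAILBOXES = {"bzs@theworld.com", "postmaster@theworld.com"}
TRUSTED_MX_SUFFIXES = (".bigprovider.example",)


def parse_line(line):
    """Split one assumed-format log line into (time, ip, hostname, recipient)."""
    ts, ip, host, rcpt = line.split()
    return datetime.fromisoformat(ts), ip, host, rcpt[len("rcpt="):].lower()


def unknown_rcpts_by_source(log_text):
    """Group attempts to deliver to non-existent mailboxes by client IP."""
    events = defaultdict(list)  # ip -> [(time, hostname, recipient), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, rcpt = parse_line(line)
        if rcpt not in KNOWN_MAILBOXES:
            events[ip].append((ts, host, rcpt))
    return events


def peak_distinct_in_window(events, window=timedelta(seconds=60)):
    """Largest number of distinct unknown recipients one source tried
    inside any single window; repeats of one bad address do not count."""
    events = sorted(events)
    peak, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        distinct = {r for _, _, r in events[start:end + 1]}
        peak = max(peak, len(distinct))
    return peak


def classify_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (verdict, peak)} where verdict is 'ok', 'review' or 'block'.
    A source over the threshold is blocked unless it is a trusted provider's
    MX, in which case it is queued for a human (or for Received-chain
    analysis) instead of being cut off along with its legitimate mail."""
    verdicts = {}
    for ip, evs in unknown_rcpts_by_source(log_text).items():
        peak = peak_distinct_in_window(evs, window)
        host = evs[0][1]
        if peak < threshold:
            verdict = "ok"
        elif host.endswith(TRUSTED_MX_SUFFIXES):
            verdict = "review"
        else:
            verdict = "block"
        verdicts[ip] = (verdict, peak)
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, peak) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict:7} peak distinct unknown rcpts/60s = {peak}")
```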
Chris Lewis
2014-01-06 17:40:41 UTC
Permalink
Richard Clayton
2014-01-06 13:33:56 UTC
Permalink
Post by Steve Atkins
Post by Barry Shein
1. High volume "bulk" mailers
2. Phishers
3. Direct fraudulent or trust appeals
4. High volume unsolicited email
5. What about email dictionary attacks and similar?
6. purely malicious or hard to discern very high volume email
the problem with this "taxonomy" is that it is mixing up issues related
to the nature of the sender, the nature of the content and the degree to
which the email is targeted

as such I don't see much value to it :(

#4 for example (empty bodies) is generally believed to be malfunctioning
software that would be sending you #1 type email if it wasn't so buggy
Post by Steve Atkins
Other than that, all of the above. I’d add malware emails
which is a content issue ... since it generally comes under #1 or #2
Post by Steve Atkins
I have more concern about mail that’s coming from senders
who send a mix of wanted and unwanted email, as opposed
to senders of 99%+ unwanted email, as it’s much harder to
reliably mechanically mitigate. They’re not really a large
fraction of the problem right now, though (other than exceptions
like Amazon, Yahoo and Google).
again -- a mixing of issues. The reason you see a mixture of email from
Yahoo, Gmail (etc) is that they provide service to hundreds of millions
of people (each) and some of those people are more wicked than others

However, if you see a mixture of email from Amazon, then their machine
learning marketing system is malfunctioning

BTW: no-one has mentioned the distinction so far (which matters
considerably for senders like Gmail, Yahoo etc) between senders who
exist solely to send spam ("mass reg" in the usual jargon) and those who
are compromised (they re-used their password at a third party who was
then popped).

- --
Dr Richard Clayton <***@cl.cam.ac.uk>
tel: 01223 763570, mobile: 07887 794090
Computer Laboratory, University of Cambridge, CB3 0FD

Steve Atkins
2014-01-06 17:50:05 UTC
Permalink
Post by Richard Clayton
Post by Steve Atkins
Post by Barry Shein
1. High volume "bulk" mailers
2. Phishers
3. Direct fraudulent or trust appeals
4. High volume unsolicited email
5. What about email dictionary attacks and similar?
6. purely malicious or hard to discern very high volume email
the problem with this "taxonomy" is that it is mixing up issues related
to the nature of the sender, the nature of the content and the degree to
which the email is targeted
+1.
Post by Richard Clayton
as such I don't see much value to it :(
#4 for example (empty bodies) is generally believed to be malfunctioning
software that would be sending you #1 type email if it wasn't so buggy
Post by Steve Atkins
Other than that, all of the above. I’d add malware emails
which is a content issue ... since it generally comes under #1 or #2
Yes. But it’s a special case - as it’s unwanted mail that causes more unwanted
mail, on a scale much more massive than the chain letters we used
to get so riled up about a couple of decades ago.
Post by Richard Clayton
Post by Steve Atkins
I have more concern about mail that’s coming from senders
who send a mix of wanted and unwanted email, as opposed
to senders of 99%+ unwanted email, as it’s much harder to
reliably mechanically mitigate. They’re not really a large
fraction of the problem right now, though (other than exceptions
like Amazon, Yahoo and Google).
again -- a mixing of issues. The reason you see a mixture of email from
Yahoo, Gmail (etc) is that they provide service to hundreds of millions
of people (each) and some of those people are more wicked than others
However, if you see a mixture of email from Amazon, then their machine
learning marketing system is malfunctioning
No, they’re probably one of the world's biggest hosting providers - and the
mail that comes from their hosting machines is very mixed, for much the
same reasons as Yahoo and Gmail (large volume of customers -> too
big to block -> laissez faire when it comes to all but the most egregious
spam issues -> abuse magnet, perhaps).
Post by Richard Clayton
BTW: no-one has mentioned the distinction so far (which matters
considerably for senders like Gmail, Yahoo etc) between senders who
exist solely to send spam ("mass reg" in the usual jargon) and those who
are compromised (they re-used their password at a third party who was
then popped).
Yup. ESPs, too, are very aware of that distinction.

Cheers,
Steve

Chris Lewis
2014-01-06 18:09:47 UTC
Permalink
Post by Richard Clayton
1. High volume "bulk" mailers
2. Phishers
3. Direct fraudulent or trust appeals
4. High volume unsolicited email
5. What about email dictionary attacks and similar?
6. purely malicious or hard to discern very high volume email
the problem with this "taxonomy" is that it is mixing up issues
related to the nature of the sender, the nature of the content and
the degree to which the email is targeted
as such I don't see much value to it :(
This is my issue with much of this thread too. It's conflating
content, delivery mechanism, intentions, degree of violating laws not
related specifically to the Internet (eg: fraud vs.
promoting stuff that ain't illegal), attack support methodologies and
others with the definition of spam.

These categories heavily overlap each other. Worse, some of them
aren't necessarily spam at all. A high volume bulk sender sending
only material to those who explicitly want it isn't spamming at all.

I can't see how such a blenderized taxonomy is at all useful in trying
to define spam, let alone combat it.

This is highly reminiscent of confused conversations back in the late
90's.

Before going down this taxonomic path, or any other, it's useful to
identify what we're trying to do with it.

For example, if we're trying to figure out means by which spam can be
made non-economic, a taxonomy of monetization methods is useful.

In contrast, a taxonomy of spam sending mechanisms helps you design
filters, sometimes to help target LE, etc.

So, what are you trying to do here?

I personally have several different taxonomies, each used for a
different particular purpose.
Barry Shein
2014-01-06 20:17:08 UTC
Permalink
Well, proposing a specific taxonomy was certainly a straw man to be
refined.

But we can take a step back, is there any value to a generally agreed
upon taxonomy?

I think so because it's the only way to begin to classify and
categorize anti-spam efforts and compartmentalize efforts and even
language or audience (e.g., end user vs ISP.)

I noticed no one seems to have responded to the list of possible work
products.

That would seem to be what any taxonomy of spam ultimately is
supporting, what are the intended work products? What in the taxonomy
do they address?

Any attempt to manage an effort needs some way to set goals and
measure how well those goals are being met.

I suppose we could roll that first question back even further:

How would we know we agreed on a taxonomy or work product goals etc?

That is, what is the process for this list?

Do we vote, form committees or working groups, just endlessly pick
paragraphs out of each others' notes and find fault with them and then
let both efforts (the original pp and the response) fade and disappear for
all eternity into the heat death of the universe?
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Richard Clayton
2014-01-06 20:29:22 UTC
Permalink
Post by Barry Shein
How would we know we agreed on a taxonomy or work product goals etc?
That is, what is the process for this list?
it doesn't have one... see http://asrg.sp.am/ and note the past tense
Post by Barry Shein
Do we vote, form committees or working groups, just endlessly pick
paragraphs out of each others' notes and find fault with them and then
let both efforts (the original pp and the response) fade and disappear for
all eternity into the heat death of the universe?
this might be an appropriate place to assess whether there was value in
going forward with some particular work product; and perhaps garnering
advice as to whether that was best done within the IETF, within M3AAWG,
within the UN or as a startup...

- --
richard Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin

John Levine
2014-01-06 20:51:18 UTC
Permalink
Post by Barry Shein
How would we know we agreed on a taxonomy or work product goals etc?
Do we vote, form committees or working groups, ...
The ASRG doesn't exist any more. I'm running this list because some
people seemed to want it.

If you want taxonomies, you might start by looking at the ones on the
ASRG wiki. If you note mistakes or omissions, drop me a note and I'll
send you a password so you can update it.

http://wiki.asrg.sp.am/

Barry Shein
2014-01-07 19:24:25 UTC
Permalink
I am aware of the history and that this list is not IETF/IRTF
sponsored.

That's why I even suggested funding and business activities which
would have probably been at least superficially inappropriate on an
IRTF/IETF group.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Alessandro Vesely
2014-01-07 16:31:41 UTC
Permalink
Post by Barry Shein
I noticed no one seems to have responded to the list of possible work
products.
That would seem to be what any taxonomy of spam ultimately is
supporting, what are the intended work products? What in the taxonomy
do they address?
3. Software or software design recommendations
and
Post by Barry Shein
d. Providers of email services
(both email marketers and mailbox providers)

about the method http://fixforwarding.org/wiki/Water_tight_opt-in

It isn't a new method. It is the subject of a number of patents, from
the original US 5930479, by Robert J. Hall, filed in October 1996, to
US 20130007896. Yet, it seems to me the method is being used and
diffused much less than it deserves, and I don't know why.

It is toilsome to use that method without an assisting add-on. In
particular, I wouldn't like to make a fork of TrashMail's add-on for
the sole purpose of replacing its hard-coded server name, a practice
that obviously wouldn't scale well. So I'm looking for advice on how
to design, implement, and spread code so as to make deployment as
straightforward as possible.

Thank you
Ale
Ian Eiloart
2014-01-10 12:52:40 UTC
Permalink
Hi,

If the object is to classify anti-spam efforts, then probably the wrong place to start is with classifying spam. As a rough first draft, I’d start here:

1. Ensuring your own network security. Clearly this is a different task for at least these groups: Internet Service Providers, Email service providers, home and business consumers of both types of service.

2. For email service providers: filtering inbound email, including as consumers of higher level co-operative ventures like RBLs.

3. Provision of information about bad senders, such as RBLs with IP address and sender domain reputations.

4. Provision of information about suspect content, such as header and body content patterns. SPAMCOP rules would be one example.

5. Legislation: drafting of national and international legislation, and state enforcement actions.

6. Internet governance: drafting of standards to support best practice.

7. Internet governance: actions taken against known bad actors, such as taking down IP addresses, domains, etc.

8. Code support for detecting bad actors, filtering email on that basis, and co-operating with other Internet users to share information about email source reputations.
Post by Barry Shein
Well, proposing a specific taxonomy was certainly a straw man to be
refined.
But we can take a step back, is there any value to a generally agreed
upon taxonomy?
I think so because it's the only way to begin to classify and
categorize anti-spam efforts and compartmentalize efforts and even
language or audience (e.g., end user vs ISP.)
I noticed no one seems to have responded to the list of possible work
products.
That would seem to be what any taxonomy of spam ultimately is
supporting, what are the intended work products? What in the taxonomy
do they address?
Any attempt to manage an effort needs some way to set goals and
measure how well those goals are being met.
How would we know we agreed on a taxonomy or work product goals etc?
That is, what is the process for this list?
Do we vote, form committees or working groups, just endlessly pick
paragraphs out of each others' notes and find fault with them and then
let both efforts (the original pp and the response) fade and disappear for
all eternity into the heat death of the universe?
--
-Barry Shein
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148

John Levine
2014-01-10 17:02:00 UTC
Permalink
Post by Ian Eiloart
If the object is to classify anti-spam efforts, then probably the wrong place to
How about starting at
http://wiki.asrg.sp.am/wiki/Taxonomy_of_anti-spam_techniques ?

R's,
John
Barry Shein
2014-01-10 19:43:18 UTC
Permalink
Post by Ian Eiloart
Hi,
I like your effort but if we can't agree on what is spam, and I think
you'd be surprised, it's difficult to recommend where to put effort.

Consider #5 in your list, legislation, that's going to require a
pretty good definition of what one is legislating against.

So it's push-pull, you need both.

I also think there's drift, those who want to market will redefine to
suit their own objectives.

For example, I get email from Angie's List here to addresses which
can't possibly have ever existed (e.g., to domains which are just
parked and have no mailboxes.) I distinguish this from the perhaps
more forgivable expired mailboxes, but even that.

So Angie's List (and they're not the only ones by far) have punted on
any sort of confirmed opt-in.

If you tell me that's illegal under CAN-SPAM I'll say the word
"enforcement?"

And I think the line is much fuzzier than that once you try to write
down details. That's just one crass example which comes up all the
time here.

Another is Apple, their "insideapple" list is a mess.

And not only is their list a mess I have it on HIGH AUTHORITY (I know
someone who pinged someone at the VP level at Apple about this for me)
that their attitude is: We will NEVER fix that. That was the
answer. Sorry, Apple will NEVER fix that, you're wasting your breath.

Which means they sense zero pressure to fix it, of course.

Ok, sounds like a small problem.

But the one with Angie's List is new to me this week. How many
companies are there out there who can't be bothered to even do
confirmed opt-in? Do the math. Thousands? Tens of thousands?
Post by Ian Eiloart
1. Ensuring your own network security. Clearly this is a different task for at least these groups: Internet Service Providers, Email service providers, home and business consumers of both types of service.
2. For email service providers: filtering inbound email, including as consumers of higher level co-operative ventures like RBLs.
3. Provision of information about bad senders, such as RBLs with IP address and sender domain reputations.
4. Provision of information about suspect content, such as header and body content patterns. SPAMCOP rules would be one example.
5. Legislation: drafting of national and international legislation, and state enforcement actions.
6. Internet governance: drafting of standards to support best practice.
7. Internet governance: actions taken against known bad actors, such as taking down IP addresses, domains, etc.
8. Code support for detecting bad actors, filtering email on that basis, and co-operating with other Internet users to share information about email source reputations.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
-
This is the asrg mailing list. To change your subscription settings, see
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
John Levine
2014-01-10 20:10:31 UTC
Post by Barry Shein
I like your effort but if we can't agree on what is spam, and I think
you'd be surprised, it's difficult to recommend where to put effort.
The usual definitions are unsolicited bulk mail or perhaps unsolicited
bulk commercial mail.

In practice, most of the definitions describe almost the same mail.

CAN SPAM, the worst, weakest spam law in the world, defines it as
commercial mail where the recipient hasn't told them to stop, along
with commercial mail that has fraudulent characteristics. As weak as
it is, most of the spam you get violates CAN SPAM and the reasons
there's no action against the spammers has nothing to do with the
definition of spam.

The new Canadian law and all of the European laws define it as
unsolicited commercial mail, with various sized loopholes for B2B mail
or mail to people you already know somehow.

R's,
John
Barry Shein
2014-01-11 04:09:25 UTC
Well, yes, if we use sufficiently general language then sure, it can
be covered in a few words like "unsolicited bulk email".

I think there's value in breaking it out by technique and motive, and
by frequency/volume, and some other categories.

For example, surely there's a big difference between something like
Green Card Spam where the sender is identifiable and probably has a
reasonably legitimate business motivation, it's basically just very
cheap and rude advertising, versus phishing, 419 spam, virus-embedded
bulk mail, etc.

That's just one dimension (criminal product, or not.) There are
others.
Post by John Levine
Post by Barry Shein
I like your effort but if we can't agree on what is spam, and I think
you'd be surprised, it's difficult to recommend where to put effort.
The usual definitions are unsolicited bulk mail or perhaps unsolicited
bulk commercial mail.
In practice, most of the definitions describe almost the same mail.
CAN SPAM, the worst, weakest spam law in the world, defines it as
commercial mail where the recipient hasn't told them to stop, along
with commercial mail that has fraudulent characteristics. As weak as
it is, most of the spam you get violates CAN SPAM and the reasons
there's no action against the spammers has nothing to do with the
definition of spam.
The new Canadian law and all of the European laws define it as
unsolicited commercial mail, with various sized loopholes for B2B mail
or mail to people you already know somehow.
R's,
John
--
-Barry Shein
Ian Eiloart
2014-01-14 10:30:01 UTC
Post by John Levine
Post by Barry Shein
I like your effort but if we can't agree on what is spam, and I think
you'd be surprised, it's difficult to recommend where to put effort.
The usual definitions are unsolicited bulk mail or perhaps unsolicited
bulk commercial mail.
Not in Europe, where the definition is "unsolicited communications for the purposes of direct marketing by means of electronic mail" where marketing encompasses all sorts of promotions: commercial, charitable, political, etc. BULK doesn’t come into it.

http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made

The UK legislation is based on the European Union’s Directive on Privacy and Electronic Communications, which are separately legislated in each EU country. "Privacy" might seem odd in this context, but OED includes "freedom from interference or intrusion" in the definition, not just "a state in which one is not observed".

BULK has nothing to do with the annoyance to me as a recipient: nobody has a right to spam me just because they’re not spamming other people. Also, when investigating spam, I should not require access to third party networks in order to demonstrate that an email was spam.

Clearly some unsolicited email has to be permitted, as do unsolicited phone calls. It’s a feature of email that the recipient doesn’t have to be expecting the incoming email. That’s why it’s just "marketing" that’s forbidden. Email to "business addresses" is excluded from the "prior permission" part of the UK legislation, and we have a problem where I work: senders tend to assume that all sussex.ac.uk addresses are business addresses. I’d argue that you have to look at the left hand side: "i.eiloart@…" is not a business address, but "postmaster@…" is.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148

Barry Shein
2014-01-14 19:28:52 UTC
nobody has a right to spam me just because they're not spamming
other people. Also, when investigating spam, I should not require
access to third party networks in order to demonstrate that an
email was spam.
That's true, at least in theory. But if it's not bulk it's probably
difficult to prosecute, though it might suggest other remedies.

In the US CAN-SPAM specifically raises the standards in the case of
individuals seeking remedy.
Clearly some unsolicited email has to be permitted, as do
unsolicited phone calls. It's a feature of email that the
recipient doesn't have to be expecting the incoming
email. That's why it's just "marketing" that's
forbidden. Email to "business addresses" is excluded from the
"prior permission" part of the UK legislation, and we have a
problem where I work: senders tend to assume that all sussex.ac.uk
addresses are business addresses. I'd argue that you have to
Is political campaigning "marketing" in this sense?

I'm surprised we're not pounded more with political campaign materials
particularly from the major parties (i.e., they have enough money to
be dangerous in this regard.)

Maybe it's not effective, maybe they haven't figured it out yet. They
certainly don't mind ringing phones with robocalls etc. particularly
as an election nears.

In the US they've excluded most political campaigning from legislation
such as CAN-SPAM, right?

From the CAN-SPAM wikipedia page, content is exempt if it consists of:

o religious messages
o political messages
o content that broadly complies with the marketing mechanisms
specified in the law; or
o national security messages.

http://en.wikipedia.org/wiki/Canspam
--
-Barry Shein
Richard Clayton
2014-01-14 20:14:39 UTC
Post by Barry Shein
Is political campaigning "marketing" in this sense?
In the UK, yes -- there are existing relevant decisions relating to cold
calling (not allowed to opted out individuals) which strongly indicate
that email from political parties are subject to the same rules as that
from Persil

IANAL, but I've worked on this a lot
--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Neil Schwartzman
2014-01-15 14:41:44 UTC
Post by Barry Shein
I'm surprised we're not pounded more with political campaign materials
particularly from the major parties (i.e., they have enough money to
be dangerous in this regard.)
Maybe it's not effective, maybe they haven't figured it out yet.
That one must explain that the Obama and Kerry campaigns launched the largest email sends in history is baffling to me. It wasn't exactly a secret.

Data Driven Email (and other) Marketing
http://blog.wordtothewise.com/2012/11/data-driven-email-and-other-marketing/

The frequency of emails from the Obama campaign ended up being a talking point for pundits and late night talk show hosts. Jon Stewart of The Daily show even asked President Obama about email directly during his October 18th interview. (Video, email question at the 5:56 mark)

Jon Stewart: “We have been talking here for 12 – 14 minutes. I am curious. How many emails, in that time, do you think your campaign has sent me?”

President Obama: “It depends on whether you’ve maxed out!”
Post by Barry Shein
I feel we're repeating ourselves in this discussion, […] Preferably backed
up by some actual data relevant to how email is being used today
I am beginning to feel this conversation is pointless and will be fruitless. Anachronistic, anecdotal comments that we must refute point-by-point are a waste of time.

I strongly suggest everyone read the document referenced here; it was the culmination of dozens of contributors over the course of a year's work:

CAUCE, MAAWG, London Action Plan release "Best Practices to Address Online and Mobile Threats" Report
http://www.cauce.org/2012/10/best-practices-report.html

I have proposed we look at current and future issues and posted some suggestions. Let’s either follow up on these or shut this thing down, please.

Social
Mobile
Hosting
IPv6