SMTP "authentication" (was: RE: Backdoor not recognized by Kaspersky)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 04 Mar 2004 12:28:58 +1300
"Larry Seltzer" <larry () larryseltzer com> wrote:

> I really feel for you guys. As I've argued in another thread, I think
> SMTP authentication will likely cut this stuff down to a trickle
> compared to the current volume. As an ISP, how big a problem would you
> have with that. An even better question: Would you have a problem
> implementing SPF, Caller ID and Domain Keys (i.e. all 3)? It gets to
> the same issue of changing practices for your users: at some point you
> have to either bounce or segregate mail that doesn't authenticate.

I really think you (and all the SPF, etc pundits) are overselling those
"technologies" as possible solutions to problems that exist because of
what are, and perhaps always will remain with us as, essentially psycho-
SPF, Caller-ID, etc will either not take off or, if it does it will not
greatly reduce the level of the spam or the self-mailing virus problem.
If it does take off we may initially see a dip in such things but as
these technologies will not (and _CANNOT_) be blanket implemented
overnight, the spammers and virus writers will watch the developments
and if they see a risk to their future success there are many tricks
available for them to add to their "creations" that these "anti-spam"
or "anti-forgery" technologies _alone_ cannot prevent being exploited
to the benefit of the spammers.

Although I'm sure the "professional" mass-mailer writers and spammers
have a fair idea of what to do next if SPF, etc do start to bite, I'm
not going to spell out how I'd do it in case I give any less clueful
folk some ideas they don't deserve. However, the bottom line is that
for SPF, etc to be "successful" (i.e. to become very widely deployed
and used) they (and the things they require at the client end) have to
be "set and forget". Why?? Because the sad (?) reality is that most
folk are simply lazy and won't use systems that don't let them ignore
the things they don't care about. To date (and SPF, etc
notwithstanding), I've seen no reason to expect this to change, even to
fix the spam or mass-mailing virus problem, no matter how much "common
folk" may belly-ache about it not being fixed. This all means Mike
Howard's "first immutable law of computer security":

    If the bad guy can run his program on your computer, it's not
    your computer any more

is broken from the outset _AND_ will remain so.

Compound all manner of other atrociously bad anti-security features
that most computer users have become so accustomed to they will not
allow to be changed and the bad guys will just keep doing what they do,
albeit after adding a few dozen more lines of code to their existing
bots, etc so they can send "properly authenticated" Email through the
"right" SMTP servers. SPF, etc pundits will counter "but we can then
quickly get the ISPs to shut those machines down because we can prove
that 'bad' Email came from that machine". This ignores the rather
salient (I'd have thought) point that the ISPs have entirely failed to
deal with the existing armies of such machines, and it seems utterly
unlikely they will add more staff (even just short-term) to handle
their abuse@ enquiries once (or if) SPF, etc becomes widely deployed
(after all, SPF, etc is supposed to eliminate the core problems in
those areas so the ISPs may even be thinking they can _reduce_ their

In summary, it seems that the bad guys are starting from a (probably)
insurmountable advantage of the existing vast army of readily
compromisable and/or already backdoor-ed machines. And, if SPF, etc is
successfully "sold" to the consumers, add the fact that many more users
than the current crop of utterly reckless click-a-holics would then
_trust_ more (or even all) of their Email and its attachments _because
the SPF, etc pundits have been telling them that this is precisely one
of the benefits of shafting the existing mail system_. On balance, it
seems we could easily see things _GET WORSE_.
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.