Digg this story   Add to del.icio.us   (page 2 of 3 ) previous  next 
From Physics to Security
Federico Biancuzzi, 2008-09-16

Story continued from Page 1

I expect more from radical changes in the programming model. Almost 30 years ago the spreadsheet's invention revolutionized the way that non-expert users could program their personal computers. Until then, those users were mostly stuck with BASIC. We need a similar revolution for programming the Internet.

What is your opinion on the current battle against spam?

Anti-spam tools alone will not solve the problem; they merely reduce the level of pain for the organizations and individuals that can afford the use of such tools. The technical arms race will continue unless politicians and law enforcement join the battle with effective measures that work across national borders.

In my personal opinion, the reliability of email reached its maximum near 1998; it has gone down ever since as the result of increasingly aggressive anti-spam/virus measures. This observation has led me to conclude that the spammers aren't destroying the email infrastructure, it's the well-meaning people with their countermeasures.

Is there any anti-spam technology that impressed you positively? Maybe Bayesian filtering?

Out-source it to human eyeballs. It's the best anti-spam technology to date. Humans can quickly recognize new patterns; computers need to be reprogrammed for each new trick that sidesteps the existing filter software. Of course these human eyeballs would still use conventional technology to filter out the obvious junk. By the way, spammers can out-source to human eyeballs too. For examples of this, type "captcha porn" into your favorite web search engine.

In practice, DNS-based IP address block lists will eliminate most spam for me: most Internet nodes should never send direct email across the Internet. Instead, they should send it through the ISP's mail servers, where acceptable use policies can be enforced. We already see this happening; spammers are already collecting user's ISP passwords and are using those accounts to send spam. Other spam can be blocked because of technical limitations in the way that zombies work, using techniques such as grey-listing, no-listing, and so on. All these techniques block email before it can be sent over the network, so they are relatively inexpensive.

I use email content inspection primarily to stop undeliverable spam that is being "returned" to me by poorly operated mail servers. These servers accept spam that claims to come "from me" for non-existent users at their site, and then later these servers send me unhelpful email that those users don't exist.

Do you think that the problem could be solved using a crypto based solution?

Authentication by itself does not make email spam-free, just like cryptography by itself doesn't make the Internet secure. Authentication provides a tool to confirm that mail from my bank actually came from my bank. However, authentication doesn't stop malicious parties from sending 100% authentic mail that comes from a bank with a very similar name, and that has a very similar website. For example, spammers were among the earliest adopters of SPF (sender permitted from) email authentication. They will adopt the authentication technology du jour without any difficulty.

What is the best theoretic solution to the problem from your point of view?

The best theoretic solution is to change the email distribution model, but this may never happen. Right now, email is a "push" technology where the sender has most of the control, and where the receiver bears most of the cost.

Story continued on Page 3 

Federico Biancuzzi is freelancer; in addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.
    Digg this story   Add to del.icio.us   (page 2 of 3 ) previous  next 
Comments Mode:
From Physics to Security 2008-09-19
Security Admin
From Physics to Security 2008-09-19
Anonymous (2 replies)
Re: From Physics to Security 2008-09-22
Re: From Physics to Security 2008-09-24
Robert Lemos
Authors Avatar 2008-09-22
Anonymous (1 replies)
Re: Authors Avatar 2008-09-23
Federico Biancuzzi
From Physics to Security 2008-09-22
Public awareness is required as well 2008-09-22
flash tekkie
A Non-Stochastic Plan for SPAM 2008-09-26


Privacy Statement
Copyright 2010, SecurityFocus