[anti-abuse-wg] Email Spam & Spam Abuse Definitions

Comments on two points raised in this discussion:


First, the canonical definition of [email] spam is "unsolicited bulk
email", UBE for short.  (This effectively replaced terms that were extant
earlier in ARPAnet days, e.g., "mass mail abuse".)  This is not open
for question or debate: the matter was been settled a long time ago.
Since then, of course, other (slang) terms describing other forms
of abuse/attack have been coined: for example, "phish".  It seems reasonable
to presume that still other terms will eventually come into common use
as new kinds of threats arise and we find ourselves requiring a way to
refer to them -- for example, "spear-phishing" is even more recent.
But the emergence of new terminology is not in any way a valid reason
to change the longstanding use of existing terminology.

Over the many years since the canonical definition of spam
was determined, a lot of people have attempted to change it.  All of
them fall into one of two categories: (a) people who do not understand
the definition (b) people who understand it quite well but wish to modify
it in order to cause what they're doing to not be classified as spam.

The people in (a) are often well-intentioned, which is good, but their
lack of understanding and their resulting wish to change a definition that
has served us extremely well for a very long time is counterproductive.
They may not realize it, but they are serving the cause of spammers by
trying to tinker with something they don't really understand.  I strongly
encourage anyone contemplating doing this to consider the consequences
of doing so at length -- because in dozens and dozens of instances I've
observed over the past couple of decades, even a brief examination suffices
to reveal massive and quite clearly fatal flaws in all such proposals.

The people in (b) are, of course, spammers (or their shills, apologists,
lobbyists, etc.), and as Vernon Schryver has pointed out, they seek a
customized redefinition of spam as "that which we do not do".  They,
and their arguments, must be immediately dismissed with prejudice,
for the same reason that we do not allow murderers to advance a line
of reasoning which would conveniently redefine murder as "that which
we do not do".


Second, captchas are a worst practice.  They can be and are defeated
at will by any adversary who can trouble themselves to do so. [1]
They're security theater: think Wile E. Coyote holding an umbrella
over his head while a boulder drops toward him. [2]  Worth noting
as well are (a) the continued and accelerating convergence of the
trend lines denoting "captcha hard enough to defeat automation"
and "captcha easy enough to be solvable by humans" and (b) the onerous
additional burden that these often place on people who have diminished
eyesight and hearing, who are part of different cultures, etc.

There are far better ways to defend resources, and -- judiciously
deployed -- these methods are not nearly as susceptible to adversarial
manipulation, nor do they make life more difficult for people
whose lives are arguably difficult enough already.

---rsk

[1] Here's an example of what I mean by "defeated at will":
 
	Wiseguys Indicted in $25 Million Online Ticket Ring | Threat Level | Wired.com
	http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/


[2] A partial list of references follows.  Do note that the contemporary
state of the art in captcha-defeating techniques is much more advanced than
any of these suggest.  Of course it is: attacks always get better -
they never get worse. (h/t to Bruce Schneier)

Also, there's plenty of funding -- see footnote [1] above -- available to
support research and development in this area that will NOT be helpfully
published in blogs or journals.  So consider what is enumerated below as
the lower bound of what *was* possible and extrapolate markedly upwards
to estimate what *is* currently available.

	Stanford researchers outsmart captcha codes
	http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html

	CIntruder: pentesting tool to bypass captchas
	http://cintruder.sourceforge.net/

	How a trio of hackers brought Google's reCAPTCHA to its knees | Ars Technica
	http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

	Snapchat Account Registration CAPTCHA Defeated - Slashdot
	http://it.slashdot.org/story/14/01/23/2037201/snapchat-account-registration-captcha-defeated

	Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
	http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html

	Troy Hunt: Breaking CAPTCHA with automated humans
	http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html

	Slashdot | Now Even Photo CAPTCHAs Have Been Cracked
	http://it.slashdot.org/article.pl?sid=08/10/14/1442213

	Cheap CAPTCHA Solving Changes the Security Game
	https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/

	unCAPTCHA Breaks 450 ReCAPTCHAs in Under 6 Seconds
	https://www.bleepingcomputer.com/news/technology/uncaptcha-breaks-450-recaptchas-in-under-6-seconds/