This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Email Spam & Spam Abuse Definitions
- Next message (by thread): [anti-abuse-wg] New on RIPE Labs: Abuse-c Validation: Update on Progress and Some Numbers
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Rich Kulawiec
rsk at gsp.org
Thu May 9 16:48:43 CEST 2019
Comments on two points raised in this discussion: First, the canonical definition of [email] spam is "unsolicited bulk email", UBE for short. (This effectively replaced terms that were extant earlier in ARPAnet days, e.g., "mass mail abuse".) This is not open for question or debate: the matter was been settled a long time ago. Since then, of course, other (slang) terms describing other forms of abuse/attack have been coined: for example, "phish". It seems reasonable to presume that still other terms will eventually come into common use as new kinds of threats arise and we find ourselves requiring a way to refer to them -- for example, "spear-phishing" is even more recent. But the emergence of new terminology is not in any way a valid reason to change the longstanding use of existing terminology. Over the many years since the canonical definition of spam was determined, a lot of people have attempted to change it. All of them fall into one of two categories: (a) people who do not understand the definition (b) people who understand it quite well but wish to modify it in order to cause what they're doing to not be classified as spam. The people in (a) are often well-intentioned, which is good, but their lack of understanding and their resulting wish to change a definition that has served us extremely well for a very long time is counterproductive. They may not realize it, but they are serving the cause of spammers by trying to tinker with something they don't really understand. I strongly encourage anyone contemplating doing this to consider the consequences of doing so at length -- because in dozens and dozens of instances I've observed over the past couple of decades, even a brief examination suffices to reveal massive and quite clearly fatal flaws in all such proposals. The people in (b) are, of course, spammers (or their shills, apologists, lobbyists, etc.), and as Vernon Schryver has pointed out, they seek a customized redefinition of spam as "that which we do not do". They, and their arguments, must be immediately dismissed with prejudice, for the same reason that we do not allow murderers to advance a line of reasoning which would conveniently redefine murder as "that which we do not do". Second, captchas are a worst practice. They can be and are defeated at will by any adversary who can trouble themselves to do so. [1] They're security theater: think Wile E. Coyote holding an umbrella over his head while a boulder drops toward him. [2] Worth noting as well are (a) the continued and accelerating convergence of the trend lines denoting "captcha hard enough to defeat automation" and "captcha easy enough to be solvable by humans" and (b) the onerous additional burden that these often place on people who have diminished eyesight and hearing, who are part of different cultures, etc. There are far better ways to defend resources, and -- judiciously deployed -- these methods are not nearly as susceptible to adversarial manipulation, nor do they make life more difficult for people whose lives are arguably difficult enough already. ---rsk [1] Here's an example of what I mean by "defeated at will": Wiseguys Indicted in $25 Million Online Ticket Ring | Threat Level | Wired.com http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/ [2] A partial list of references follows. Do note that the contemporary state of the art in captcha-defeating techniques is much more advanced than any of these suggest. Of course it is: attacks always get better - they never get worse. (h/t to Bruce Schneier) Also, there's plenty of funding -- see footnote [1] above -- available to support research and development in this area that will NOT be helpfully published in blogs or journals. So consider what is enumerated below as the lower bound of what *was* possible and extrapolate markedly upwards to estimate what *is* currently available. Stanford researchers outsmart captcha codes http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html CIntruder: pentesting tool to bypass captchas http://cintruder.sourceforge.net/ How a trio of hackers brought Google's reCAPTCHA to its knees | Ars Technica http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/ Snapchat Account Registration CAPTCHA Defeated - Slashdot http://it.slashdot.org/story/14/01/23/2037201/snapchat-account-registration-captcha-defeated Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html Troy Hunt: Breaking CAPTCHA with automated humans http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html Slashdot | Now Even Photo CAPTCHAs Have Been Cracked http://it.slashdot.org/article.pl?sid=08/10/14/1442213 Cheap CAPTCHA Solving Changes the Security Game https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/ unCAPTCHA Breaks 450 ReCAPTCHAs in Under 6 Seconds https://www.bleepingcomputer.com/news/technology/uncaptcha-breaks-450-recaptchas-in-under-6-seconds/
- Next message (by thread): [anti-abuse-wg] New on RIPE Labs: Abuse-c Validation: Update on Progress and Some Numbers
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]