US Military Looks For Massive Spam Solution
Several users have pointed out a recent request to technology companies from the Defense Information Systems Agency for ideas on how to build an e-mail defense system to catch spam. The solution would have to scan about 50 million inbound messages a day across some 700 unclassified network domains. "Defense currently scans e-mails for viruses and spam coming into systems serving the military services, commands or units. DISA wants to extend the protection to the interface between the Internet and its unclassified network, the Non-classified Internet Protocol Router Network. The agency also wants the ability to scan all outbound e-mails from the 5 million users. [...] DISA's request ties in with recommendations that the Defense Science Board issued in April that said Defense is more vulnerable to cyberattacks because of its decentralized networks and systems. The board envisioned a major role for DISA in developing the architecture for enterprise-wide systems."
Nuke spammers from orbit.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Establish a "fine" network.
Another mail network sends you spam?
You fine them.
They in turn fine whoever sent them spam.
Whoever does not pay the fine gets turned off.
I hope they don't shoot a $10M cruise missile to take out a $10 tent housing a Packard Bell botnet control center.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Great, and then there will be secret abductions of spammers who are sent to Guantanamo without trial or hope of quick appeal. There will be water boarding and sleep deprivation and acts of humiliation.
Really, I think that my point is that it's not severe enough.
Why are you letting these clowns ruin our country?
Seriously, it's less than two dozen guys pumping out 90% of the spam in the world. I would guess that the law enforcements and militaries of the world should just do their jobs and apprehend these criminals.
I'd certainly appreciate real action like getting rid of spam than for the CIA/US Military to spend time chasing down far-fetched terrorist plots. I'm constantly stunned that given the damage spam creates, special branches aren't more active in tracking and _eliminating_ the sources of these things.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Because spam doesn't work that way anymore. It comes from botnets where each individual zombie only sends one or less messages to the target and need only send out 20 or 30 each day total to still be effective.
When information is power, privacy is freedom.
That's because you want a router to do something it doesn't care about. That would require full layer 7 visibility on the router - then it wouldn't be nearly as good at doing what it's supposed to: routing.
Most routers rarely look above layer 3. Occasionally they'll do some layer 4 stuff, but that is best left to firewalls or load balancers.
Also, routers aren't programmed to ignore DOS attacks. They're programmed to ignore very specific types of DOS attacks, sometimes.
If it's not classified, hire a few companies in India or China to do non-artificial intelligence spam filtering. Problem solved.
In fact, they have several: the Green Berets, the SEALS, and (depending on whom you ask) the whole fucking United States Marine Corps. Turn 'em loose on the spammers.
I write sci-fi for metalheads
If only it were as simple as "Host X sends spam -> block Host X." The problem is n clients of host X are zombies sending spam while the other y clients are legitimate users. So, sure, you can block my ISP because of the clients that are sending you spam, but then I couldn't send you an E-Mail either, and I actually DO know the secret to penis enlargement.
I know a workplace where they set up a bounce-and-confirmation system, so that mail from non-confirmed e-mail addresses was bounced, asking to reply if this was a real human. When it got the reply, the address was added to a whitelist. The person working there said to me that he got zero spam after the implementation. Probably because almost all spam has a forged from header and/or is not able to receive and reply to incoming mail.
Your post advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Infrastructure costs that are involved in deep packet inspection on the core routers
(X) Privacy concerns in letting ISPs perform deep packet inspection on the core routers
( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
For this rare instance I would certainly condone a few black ops. Find the people who are responsible, capture them, torture them and if they are bad enough, kill them. When there is money involved, it should be trivial to follow that money back to the people who collect it.
This also gives me a great idea for a movie sequel to "Taken." '...I have a very special set of skills... I will find you and I will kill you.' '//good luck//'
Yeah, I would totally watch that...
NOT!
Here goes another few hundred million .... *sigh*
If we really believe in taxation without representation then my unborn baby should be able to vote already ...
The Defense Information Systems Agency advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. The idea will not work. Here is why it won't work. (One or more of the following may apply to this particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(X) Susceptibility of protocols other than SMTP to attack
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to this are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
(X) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about them:
( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and they're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
I am officially gone from
Because spam doesn't work that way anymore. It comes from botnets where each individual zombie only sends one or less messages to the target and need only send out 20 or 30 each day total to still be effective.
First, I wonder about the 20-30 messages a day bit. There are roughly 150 billion spam messages sent daily. There are 6 billion people on the planet. In order for your 20-30 messages a day number to be correct, that would mean every man, woman, and child on the earth would need a computer and every single one of them would be part of a botnet.
Next, if we are assuming that your 20-30 number is correct, I assume many of these messages are identical or similar enough to be identified. I know I get several repeat messages in my GMail spam box every day. There are only so many routers that lead into the US. Set these up to monitor email traffic (is it port 22? 25? I don't remember)... and look for patterns. If the same email is being sent 20 billion times, you can bet it's spam, block those hosts until they can show they are no longer spamming, even if it's a million machines that are part of the bot-net.
As for domestically generated spam, track them and let local law enforcement handle them.
This will require funding, of course, but if you tax the companies that would benefit from this, they will end up spending less in the long run.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
I think it would be easier if the ISPs start blocking any email coming from non-corporate users. If you want to have an email server at home, ask your ISP to unblock the port. Then, all the grandma-zombie-computers will be unable to send spam.
What's the difference between legitimate listserv messages and spam in your scenario?
Don't blame me, I voted for Kodos
Yeah there's a solution, it's cheap, and it's even explicitly in the Constitution: get Congress to issue Letters of Marque.
I'm sure there are plenty of people who would take care of the problem for free, if only they got suitable permission.
Can we get a "-1 Wrong" moderation option?
Would it really require "full layer 7 visibility on the router" to count the number of port 25 messages coming from each host? I would assume the biggest problem would be the memory involved in counting the messages and keeping that count in RAM for each and every host, keeping track of which hosts are blocked by each router and every other router (national database) and securing the system so that some hacker can't get in there and put every Microsoft IP into the black-list.
Still, I don't see these problems as being insurmountable. It also doesn't have to be the routers that do the packet inspection. We could set up machines at various choke-points on the web to take care of this. If we can route every phone conversation through a closet at AT&T for a government spy program, surely we can work this out.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
What's the difference between legitimate listserv messages and spam in your scenario?
Excellent question. Companies that send out legitimate mass emails would need to be added to an "allow-list".
I know, it sux, but the benefit of no spam outweighs the pain of asking legit listservs to register.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Change the word table from:
"Bomb", "Terrorist", etc...
to
"Penis", "Pen1s", etc...
then
Give Chuck Norris a call.
The only solution is to make a system that uses a whitelist. But whitelists suck. So we need a whitelist that doesn't suck.
The first step is to have all the email clients start digitally signing emails. It is trivially easy to forge the headers on an email, so it would be stupid to trust them for identity information.
The second step is to have email servers check the identity against the whitelist. If the digital signature is invalid, or the credentials are forged (message was digitally signed, but the announced public key of the sender doesn't match) the message is trashed, with no error message sent. If the signature checks out, but the sender was not on the whitelist, the message bounces back to the sender, with an explanation ("you weren't on the whitelist, sorry").
Okay, but whitelists suck. If my best friend from college wants to track me down and send me an email, I want him to be able to do that; but I don't know his email so he's not on my whitelist. So, we need a solution to this problem.
My proposed solution is that your email server should advertise a list of ways that you will accept to bypass your whitelist for a message. One possible way: attach a micropayment of five cents. Another way: attach a certificate showing that your computer worked for an hour on some worthy problem like protein folding at home or something. Another way: here's a URL of a web page; it contains some riddle... attach the answer to your email. I'm sure you can think of other schemes to make it possible for a friend to bypass your whitelist while not enabling zombie Windows clusters to spray spam into your inbox.
There are other refinements possible. Your whitelist can accept, not just individual signatures, but "badges" from some organization. So, anyone from Mozilla.org can attach a Mozilla.org badge to their emails, and I can allow all Mozilla.org emails through. IEEE member badge, SourceForge.net badge, Apple.com badge, go nuts. Even an organization of "I Swear I Will Never Send Out Spam". The key with the badges is that, if you get kicked out of an organization, you have to lose access to the badge. One simple way would be for the check to be live: if you attach a Mozilla.org badge, the Mozilla.org server had better agree that your identity is one known to it.
The current email system is a "Default Permit" system (the #1 dumbest idea on this list). It has to change.
This system would run on the infrastructure we already have, with a few additions. You could have one account with the whitelist, and another account without... but the one with the whitelist is the only one that pages you, or whatever. The important thing is that this doesn't require everyone in the whole world to adopt it before it starts to become useful. Mailing lists would still work, because when you sign up for a mailing list you would add that mailing list identity to your whitelist (probably a badge, such that members of the mailing list are then cleared to email you directly, through the badge).
Someone may claim that validating public key signatures is computationally expensive. No, not compared to running complicated heuristics over the content of a message, trying to guess whether it's spam or not (SpamAssassin and other systems). With this system, the server doesn't attempt to classify a message. Either it passes the whitelist, it's bounced back to the sender, or it's deleted. Done.
Now, if you have found a hole in this idea, you will score bonus points by explaining how to fix it, not merely pointing out that I am an idiot.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
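The accept / bounce / discard rule from steveha's post above, written out as an added sketch; it is not code from the thread or from any mail server. Assumptions: HMAC-SHA256 stands in for the public-key signature so the example runs on the standard library alone, a hash-prefix stamp stands in for the "worked for an hour" certificate, the badge membership table stands in for the live check against the issuing organization, and every identity, key and name is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Verdict(Enum):
    ACCEPT = "accept"
    BOUNCE = "bounce"     # identity verified but not whitelisted: explain to sender
    DISCARD = "discard"   # bad signature or forged credentials: drop, no error sent

@dataclass
class Message:
    sender: str
    key_id: str                    # key the sender announces for that identity
    body: bytes
    signature: bytes
    badge: Optional[str] = None    # organization vouching for the sender
    stamp: Optional[int] = None    # proof-of-work nonce offered as a bypass

def sign(key: bytes, sender: str, body: bytes) -> bytes:
    # Stand-in for a public-key signature (assumption, see lead-in).
    return hmac.new(key, sender.encode() + b"\0" + body, hashlib.sha256).digest()

def stamp_ok(msg: Message, bits: int) -> bool:
    digest = hashlib.sha256(f"{msg.sender}:{msg.stamp}:".encode() + msg.body).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def mint_stamp(sender: str, body: bytes, bits: int) -> int:
    # Sender-side work: first nonce whose hash starts with `bits` zero bits.
    nonce = 0
    while not stamp_ok(Message(sender, "", body, b"", stamp=nonce), bits):
        nonce += 1
    return nonce

@dataclass
class Policy:
    key_directory: dict   # key_id -> (owner identity, key bytes)
    whitelist: set        # identities accepted outright
    badge_members: dict   # badge -> identities the issuer vouches for right now
    stamp_bits: int = 12
    def decide(self, msg: Message) -> Verdict:
        entry = self.key_directory.get(msg.key_id)
        if entry is None or entry[0] != msg.sender:
            return Verdict.DISCARD   # announced key does not belong to the sender
        if not hmac.compare_digest(sign(entry[1], msg.sender, msg.body), msg.signature):
            return Verdict.DISCARD   # signature does not verify
        if msg.sender in self.whitelist:
            return Verdict.ACCEPT
        if msg.badge and msg.sender in self.badge_members.get(msg.badge, set()):
            return Verdict.ACCEPT
        if msg.stamp is not None and stamp_ok(msg, self.stamp_bits):
            return Verdict.ACCEPT
        return Verdict.BOUNCE

def demo() -> dict:
    # Constructed identities and keys for illustration only.
    alice, bob, carol = "alice@example.org", "bob@example.org", "carol@example.net"
    keys = {"k-a": (alice, b"key-a"), "k-b": (bob, b"key-b"), "k-c": (carol, b"key-c")}
    policy = Policy(keys, whitelist={alice}, badge_members={"example.org": {bob}})
    def mail(sender, key_id, key, **extra):
        return Message(sender, key_id, b"hello", sign(key, sender, b"hello"), **extra)
    stamp = mint_stamp(carol, b"hello", policy.stamp_bits)
    return {"whitelisted": policy.decide(mail(alice, "k-a", b"key-a")),
            "forged_key": policy.decide(mail(alice, "k-c", b"key-c")),
            "bad_signature": policy.decide(mail(alice, "k-a", b"wrong")),
            "badge": policy.decide(mail(bob, "k-b", b"key-b", badge="example.org")),
            "stranger": policy.decide(mail(carol, "k-c", b"key-c")),
            "stamped": policy.decide(mail(carol, "k-c", b"key-c", stamp=stamp))}
```

The identity checks run before any whitelist, badge or stamp lookup, so a message with forged credentials is discarded even when it carries a valid bypass.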
9 servers. 50 million messages a week. Those 9 servers cost maybe $3,000 each. We have 9 servers because we want some redundancy. So let's say you multiply that by 7. So you get ~50 machines to handle the army's volume. $150,000. Plus all the extras, so multiply that by 6. That's about a million dollars.
Seriously? From the article they say it would cost $100 million. Do you really think that is going to cost $100 million dollars? Seriously?
WTF. I need to become a DoD contractor.
Unless you use your new system to hunt down and kill the spammers, you will never win. You will only spend an ever increasing amount of money fighting a losing holding action.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Let's say we each run ISPs. You send me spam. I charge you. You charge the spammer. The spammer doesn't pay. You cut off the spammer.
Then I cut off you. After all, you didn't pay. Now no one on my network can email anyone on yours.
Back to the old drawing board.
....You hunt them down and kick their asses.
Cops and prisons exist for a set of very real reasons. Applying technical 'fixes' to what is a criminal enterprise is like busting your ass building ever higher and ever thicker walls around your house: If you don't deal with the root of the problem, the criminals themselves, all you're doing is delaying the inevitable.
Everybody up to this point has been engrossed in spending all this time and money building ever higher and ever futile walls, ceding the world of the Internet to the criminals while we try to make our tiny little pieces of turf 'safe.'
Personally, I think it's time we took the Internet back.
'Nuff said.
Regards;
As a sibling post pointed out, this checklist is used whenever there's discussion of solutions to the spam problem.
(X) Mailing lists and other legitimate email uses would be affected
Legitimate mass mailers would require a registration to be placed on an allow list. Of course, spammers need not apply. Licensing fees could even be charged for this list to pay for the program, but that may not be fair.
What if I'm a legitimate mass mailer who, say, wants to organize political protests? Who may not want their activities on a government list?
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
Machines that have been zombiefied would be cut off from the web at the router level. They will be allowed back on once their ISP can verify they have been de-zombied.
How long do you think AT&T and other broadband ISPs would put up with this? All the customer sees is "My Internets is broken. $ISP sucks, I'm switching." Also, if there's a 10000 per host limit (over a particular period), 9999 * 10 million is a pretty significant chunk of spam.
(X) Infrastructure costs that are involved in deep packet inspection on the core routers
(X) Privacy concerns in letting ISPs perform deep packet inspection on the core routers
Why not just use the same setup the previous administration did to monitor phone calls?
Because it's illegal under wiretapping laws, for starters.
(X) I don't want the government reading my email
Since the emails are counted instead of read, there would be no privacy concerns.
Using the example of a non-profit group, the government now has a count of the size of everyone's email list. Or has a much shorter list of who to look at for who's running the email server of a political group.
I am officially gone from