FW: Risks Digest 23.36 - auto-blacklists/whitelists

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Mon May 10 11:26:05 IST 2004


This is indirectly relevant to MailScanner. If you are interested in the
risks posed by challenge-response anti-spam methods when coupled with
auto-blacklisting then the following short RISKS article will be of
interest.

The message is about the dangers of auto blacklists. It makes the point
that, in contrast, auto-whitelisting does not suffer the same problems.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own." 

-----Original Message-----
>RISKS-LIST: Risks-Forum Digest  Friday 7 May 2004  Volume 23 : Issue 36
>
>Date: Thu, 06 May 2004 12:49:28 -0700 (PDT)
>From: Drew Dean <ddean at csl.sri.com>
>Subject: Auto-Blacklisting is a bad idea
>
>I recently received a challenge from someone's challenge-response spam
>filter.  Alas, I had not sent the original message.  Unfortunately, said
>challenge-response system warned that it was going to automatically
>blacklist my e-mail address if I didn't respond.  But I didn't want to
>respond, because the original message was either malware (most probably,
>see below) or spam.
>
>Milgram's famous "six degrees of separation" turns out to make
>auto-blacklisting a really bad idea: many types of e-mail-based malware
>propagate via random choices from the victim's address book.  As it's an
>awfully small world, there's a good chance that someone knows two people
>with common interests, who may not have exchanged e-mail before.  (Lots of
>people seem to have my old e-mail address in their address books, even
>though I've never heard from them, or sent them mail, other than
>indirectly via a mailing list (or USENET posting).)
>
>If auto-blacklisting challenge-response systems become the norm, there
>will be interesting risks related to the combination of forged mail and
>auto-blacklists: what happens if you follow the challenge-response
>protocol to avoid being on someone's blacklist (the only obvious option),
>and said person (e.g., your research sponsor) receives a highly
>inappropriate piece of mail nominally from you?  Other denial of service
>attacks are also possible: seed your competitors' (auto-)blacklists with
>the e-mail addresses of your (mutual) funding agency.  I'm sure the clever
>will have even more ideas about risks here.
>
>Auto-whitelisting, by contrast, has none of these problems.
>
>Drew Dean, Computer Science Laboratory, SRI International

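A toy model of the two policies Drew contrasts, added here as an illustration (it is not code from the RISKS post, from MailScanner, or from any real challenge-response product): a worm forges an innocent address, nobody answers the resulting challenge, and the filter either auto-blacklists the silent sender or merely declines to whitelist it. The addresses and subjects are constructed.

```python
from dataclasses import dataclass


@dataclass
class Mail:
    mail_from: str  # claimed sender; forgeable, so it proves nothing on its own
    subject: str


class ChallengeResponseFilter:
    """Hypothetical C/R filter: unknown senders are challenged, known-good ones
    delivered, known-bad ones rejected. Policy differs only on timeouts."""

    def __init__(self, auto_blacklist: bool):
        self.auto_blacklist = auto_blacklist
        self.whitelist: set[str] = set()
        self.blacklist: set[str] = set()
        self.pending: dict[str, list[Mail]] = {}  # sender -> held mail

    def receive(self, mail: Mail) -> str:
        sender = mail.mail_from
        if sender in self.blacklist:
            return "rejected"
        if sender in self.whitelist:
            return "delivered"
        self.pending.setdefault(sender, []).append(mail)
        return "challenged"  # a challenge is mailed to the *claimed* sender

    def challenge_answered(self, sender: str) -> int:
        """Claimed sender replied: whitelist it and release held mail."""
        self.whitelist.add(sender)
        return len(self.pending.pop(sender, []))

    def challenge_expired(self, sender: str) -> None:
        """Deadline passed with no reply. Only the auto-blacklist variant
        treats silence as guilt; the whitelist-only variant just forgets."""
        self.pending.pop(sender, None)
        if self.auto_blacklist:
            self.blacklist.add(sender)


def simulate(auto_blacklist: bool) -> list[str]:
    """Constructed scenario from the post: forged mail, ignored challenge,
    then genuine mail from the same (innocent) address."""
    cr = ChallengeResponseFilter(auto_blacklist)
    victim = "innocent@example.org"
    log = [cr.receive(Mail(victim, "Re: your document"))]  # worm, forged From
    cr.challenge_expired(victim)  # victim never sent it, so never answers
    log.append(cr.receive(Mail(victim, "Grant proposal draft")))  # genuine
    if log[-1] == "challenged":
        cr.challenge_answered(victim)  # this challenge they do answer
        log.append(cr.receive(Mail(victim, "Grant proposal v2")))
    return log
```

With auto-blacklisting the genuine message is rejected outright; with whitelist-only handling it is challenged once and then delivered.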
-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html