US Military Looks For Massive Spam Solution

Several users have pointed out a recent request to technology companies from the Defense Information Systems Agency for ideas on how to build an e-mail defense system to catch spam. The solution would have to scan about 50 million inbound messages a day across some 700 unclassified network domains. "Defense currently scans e-mails for viruses and spam coming into systems serving the military services, commands or units. DISA wants to extend the protection to the interface between the Internet and its unclassified network, the Non-classified Internet Protocol Router Network. The agency also wants the ability to scan all outbound e-mails from the 5 million users. [...] DISA's request ties in with recommendations that the Defense Science Board issued in April that said Defense is more vulnerable to cyberattacks because of its decentralized networks and systems. The board envisioned a major role for DISA in developing the architecture for enterprise-wide systems."
  • Not big... (Score:1, Interesting)

    by Anonymous Coward on Friday May 15, 2009 @02:48PM (#27970797)

    There are plenty of solutions out there that work on this scale. I worked at a company that did roughly double that, and now I work at a company that does well over 50 times that.

    Off the top of my head, Ironport is probably their best choice.

  • It's pretty simple (Score:2, Interesting)

    by goffster ( 1104287 ) on Friday May 15, 2009 @02:49PM (#27970803)

    Establish a "fine" network.
    Another mail network sends you spam?
    You fine them.
    They in turn fine whoever sent them spam.
    Whoever does not pay the fine gets turned off.

  • by Co0Ps ( 1539395 ) on Friday May 15, 2009 @03:02PM (#27970969)
    I know a workplace where they set up a bounce-and-confirmation system, so that mail from non-confirmed e-mail addresses was bounced, asking to reply if this was a real human. When it got the reply, the address was added to a whitelist. The person working there said to me that he got zero spam after the implementation. Probably because almost all spam has a forged from header and/or is not able to receive and reply to incoming mail.
  • by ArcherB ( 796902 ) on Friday May 15, 2009 @03:12PM (#27971121) Journal

    Because spam doesn't work that way anymore. It comes from botnets where each individual zombie only sends one or fewer messages to the target and need only send out 20 or 30 each day total to still be effective.

    First, I wonder about the 20-30 messages a day bit. There are roughly 150 billion [mywot.com] spam messages sent daily. There are 6 billion people on the planet. In order for your 20-30 messages a day number to be correct, every man, woman, and child on the earth would need a computer and every single one of them would be part of a botnet.

    Next, if we are assuming that your 20-30 number is correct, I assume many of these messages are identical or similar enough to be identified. I know I get several repeat messages in my GMail spam box every day. There are only so many routers that lead into the US. Set these up to monitor email traffic (is it port 22? 25? I don't remember)... and look for patterns. If the same email is being sent 20 billion times, you can bet it's spam, block those hosts until they can show they are no longer spamming, even if it's a million machines that are part of the bot-net.

    As for domestically generated spam, track them and let local law enforcement handle them.

    This will require funding, of course, but if you tax the companies that would benefit from this, they will end up spending less in the long run.

  • Letters of Marque (Score:3, Interesting)

    by dazedNconfuzed ( 154242 ) on Friday May 15, 2009 @03:22PM (#27971251)

    Yeah there's a solution, it's cheap, and it's even explicitly in the Constitution: get Congress to issue Letters of Marque.
    I'm sure there are plenty of people who would take care of the problem for free, if only they got suitable permission.

  • by ArcherB ( 796902 ) on Friday May 15, 2009 @03:25PM (#27971283) Journal

    Would it really require "full layer 7 visibility on the router" to count the number of port 25 messages coming from each host? I would assume the biggest problem would be the memory involved in counting the messages and keeping that count in RAM for each and every host, keeping track of which hosts are blocked by each router and every other router (national database) and securing the system so that some hacker can't get in there and put every Microsoft IP into the black-list.

    Still, I don't see these problems as being insurmountable. It also doesn't have to be the routers that do the packet inspection. We could set up machines at various choke-points on the web to take care of this. If we can route every phone conversation through a closet at AT&T for a government spy program, surely we can work this out.
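    ArcherB's two comments above propose three concrete rules: count port-25 deliveries per source host and block hosts that exceed a threshold, look for the same message body arriving many times and block every host that sent it, and register legitimate bulk senders on an allow-list so they are exempt. The Go program below is an added example, not code from the thread or from DISA, that applies those rules to a small constructed set of delivery records (documentation IP ranges, made-up bodies, thresholds set tiny so the sample trips them). It also shows the case the parent poster raised: six zombies that each send one copy of the same message stay under any per-host limit, and only the duplicate-content rule catches them. Exact SHA-256 matching catches only identical bodies; "similar enough" messages would need a fuzzy hash, which this example does not attempt.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Message is one observed inbound SMTP delivery: source host and message body.
// The sample traffic below is constructed for this example; it is not real log data.
type Message struct {
	SrcIP string
	Body  string
}

// Thresholds are deliberately tiny so the constructed sample trips them;
// real values would be tuned against actual volume.
const (
	maxPerHost    = 3 // deliveries from one host before it is blocked
	maxDuplicates = 4 // identical bodies seen before the content counts as spam
)

// Verdict is what the monitoring point would hand to the blocking layer.
type Verdict struct {
	BlockedHosts   []string // sorted source addresses to block
	SpamSignatures []string // sorted hex SHA-256 of bodies judged to be spam
}

// Blocks reports whether ip ended up on the block list.
func (v Verdict) Blocks(ip string) bool {
	for _, b := range v.BlockedHosts {
		if b == ip {
			return true
		}
	}
	return false
}

func bodyHash(body string) string {
	h := sha256.Sum256([]byte(body))
	return hex.EncodeToString(h[:])
}

// Analyze applies the per-host rule, the duplicate-content rule and the allow-list.
func Analyze(msgs []Message, allowlist map[string]bool) Verdict {
	perHost := map[string]int{}            // deliveries per source host
	perBody := map[string]int{}            // copies seen per body hash
	senders := map[string]map[string]bool{} // which hosts sent each body hash
	for _, m := range msgs {
		perHost[m.SrcIP]++
		h := bodyHash(m.Body)
		perBody[h]++
		if senders[h] == nil {
			senders[h] = map[string]bool{}
		}
		senders[h][m.SrcIP] = true
	}
	blocked := map[string]bool{}
	var sigs []string
	for ip, n := range perHost { // rule 1: chatty hosts, unless registered
		if n > maxPerHost && !allowlist[ip] {
			blocked[ip] = true
		}
	}
	for h, n := range perBody { // rule 2: same body from many places, block every sender
		if n <= maxDuplicates {
			continue
		}
		sigs = append(sigs, h)
		for ip := range senders[h] {
			if !allowlist[ip] {
				blocked[ip] = true
			}
		}
	}
	v := Verdict{SpamSignatures: sigs}
	for ip := range blocked {
		v.BlockedHosts = append(v.BlockedHosts, ip)
	}
	sort.Strings(v.BlockedHosts)
	sort.Strings(v.SpamSignatures)
	return v
}

// SampleVerdict runs Analyze over the constructed traffic.
func SampleVerdict() Verdict {
	var msgs []Message
	for i := 0; i < 5; i++ { // registered listserv: many distinct digests, allow-listed
		msgs = append(msgs, Message{"198.51.100.7", fmt.Sprintf("list digest #%d", i)})
	}
	for i := 0; i < 4; i++ { // one unregistered host sending more than maxPerHost
		msgs = append(msgs, Message{"203.0.113.9", fmt.Sprintf("offer %d", i)})
	}
	for i := 10; i < 16; i++ { // six zombies, one identical copy each
		msgs = append(msgs, Message{fmt.Sprintf("192.0.2.%d", i), "BUY NOW!!!"})
	}
	msgs = append(msgs, Message{"203.0.113.20", "hi, are we still on for Friday?"})
	return Analyze(msgs, map[string]bool{"198.51.100.7": true})
}

func main() {
	v := SampleVerdict()
	fmt.Println("blocked hosts:", v.BlockedHosts)
	fmt.Println("spam signatures:", v.SpamSignatures)
}
```

    On the sample, the listserv and the single personal message pass, the chatty host is blocked by count, and all six zombies are blocked because they shared one body, even though each sent only once. The memory concern ArcherB raises is visible in the two maps: both grow with the number of distinct hosts and distinct bodies, which is why a real deployment would use bounded sketches or periodic eviction rather than unbounded maps.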

  • by ArcherB ( 796902 ) on Friday May 15, 2009 @03:27PM (#27971341) Journal

    What's the difference between legitimate listserv messages and spam in your scenario?

    Excellent question. Companies that send out legitimate mass emails would need to be added to an "allow-list".

    I know, it sux, but the benefit of no spam outweighs the pain of asking legit listservs to register.

  • by steveha ( 103154 ) on Friday May 15, 2009 @03:39PM (#27971491) Homepage

    The only solution is to make a system that uses a whitelist. But whitelists suck. So we need a whitelist that doesn't suck.

    The first step is to have all the email clients start digitally signing emails. It is trivially easy to forge the headers on an email, so it would be stupid to trust them for identity information.

    The second step is to have email servers check the identity against the whitelist. If the digital signature is invalid, or the credentials are forged (message was digitally signed, but the announced public key of the sender doesn't match) the message is trashed, with no error message sent. If the signature checks out, but the sender was not on the whitelist, the message bounces back to the sender, with an explanation ("you weren't on the whitelist, sorry").

    Okay, but whitelists suck. If my best friend from college wants to track me down and send me an email, I want him to be able to do that; but I don't know his email so he's not on my whitelist. So, we need a solution to this problem.

    My proposed solution is that your email server should advertise a list of ways that you will accept to bypass your whitelist for a message. One possible way: attach a micropayment of five cents. Another way: attach a certificate showing that your computer worked for an hour on some worthy problem like protein folding at home or something. Another way: here's a URL of a web page; it contains some riddle... attach the answer to your email. I'm sure you can think of other schemes to make it possible for a friend to bypass your whitelist while not enabling zombie Windows clusters to spray spam into your inbox.

    There are other refinements possible. Your whitelist can accept, not just individual signatures, but "badges" from some organization. So, anyone from Mozilla.org can attach a Mozilla.org badge to their emails, and I can allow all Mozilla.org emails through. IEEE member badge, SourceForge.net badge, Apple.com badge, go nuts. Even an organization of "I Swear I Will Never Send Out Spam". The key with the badges is that, if you get kicked out of an organization, you have to lose access to the badge. One simple way would be for the check to be live: if you attach a Mozilla.org badge, the Mozilla.org server had better agree that your identity is one known to it.

    The current email system is a "Default Permit" system (the #1 dumbest idea on this list [ranum.com]). It has to change.

    This system would run on the infrastructure we already have, with a few additions. You could have one account with the whitelist, and another account without... but the one with the whitelist is the only one that pages you, or whatever. The important thing is that this doesn't require everyone in the whole world to adopt it before it starts to become useful. Mailing lists would still work, because when you sign up for a mailing list you would add that mailing list identity to your whitelist (probably a badge, such that members of the mailing list are then cleared to email you directly, through the badge).

    Someone may claim that validating public key signatures is computationally expensive. No, not compared to running complicated heuristics over the content of a message, trying to guess whether it's spam or not (SpamAssassin and other systems). With this system, the server doesn't attempt to classify a message. Either it passes the whitelist, it's bounced back to the sender, or it's deleted. Done.

    Now, if you have found a hole in this idea, you will score bonus points by explaining how to fix it, not merely pointing out that I am an idiot.

    steveha
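    steveha's post describes a receiving policy with three outcomes: an invalid signature or a forged credential (valid signature, but the announced key does not match the sender's known key) is trashed silently; a genuine sender who is not on the whitelist is bounced with an explanation; a whitelisted sender, or an unknown sender who attaches an agreed bypass such as a proof of work, is accepted. The Go program below is an added example of that decision logic, not steveha's code or any existing mail system. It assumes the server keeps a small directory of keys it has already learned for identities (a stand-in for the "announced public key" check), uses Ed25519 signatures over the sender name and body, and implements the "your computer worked on something" bypass as a hashcash-style SHA-256 nonce search; the difficulty is kept tiny so the example runs in milliseconds. Badges are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Envelope is what a signing mail client would attach to an outgoing message.
// The field layout is an assumption for this example, not a real mail format.
type Envelope struct {
	Sender    string            // claimed identity
	PubKey    ed25519.PublicKey // key the sender announces alongside the message
	Body      []byte
	Signature []byte // Ed25519 signature over Sender and Body
	HasPow    bool   // whether a proof-of-work bypass token is attached
	PowNonce  uint64 // the token: nonce making powDigest start with PowBits zero bits
}

type Decision string

const (
	Drop   Decision = "drop"   // forged or invalid: trashed, no error message sent
	Bounce Decision = "bounce" // genuine sender not on the whitelist and no bypass
	Accept Decision = "accept"
)

// Server is the receiving side's state.
type Server struct {
	KnownKeys map[string]ed25519.PublicKey // keys already learned for identities (assumed directory)
	Whitelist map[string]bool
	PowBits   int // difficulty of the proof-of-work bypass
}

// signedContent binds the claimed identity to the body so neither can be swapped.
func signedContent(sender string, body []byte) []byte {
	return append([]byte(sender+"\x00"), body...)
}

func powDigest(sender string, body []byte, nonce uint64) []byte {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], nonce)
	h := sha256.Sum256(append(signedContent(sender, body), n[:]...))
	return h[:]
}

func leadingZeroBits(d []byte) int {
	total := 0
	for _, b := range d {
		if b != 0 {
			return total + bits.LeadingZeros8(b)
		}
		total += 8
	}
	return total
}

// Sign is the client side: announce the public key and sign sender+body.
func Sign(sender string, priv ed25519.PrivateKey, body []byte) Envelope {
	return Envelope{
		Sender:    sender,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Body:      body,
		Signature: ed25519.Sign(priv, signedContent(sender, body)),
	}
}

// AttachPow searches for a nonce meeting the receiver's advertised difficulty.
func AttachPow(e Envelope, bitsNeeded int) Envelope {
	for nonce := uint64(0); ; nonce++ {
		if leadingZeroBits(powDigest(e.Sender, e.Body, nonce)) >= bitsNeeded {
			e.HasPow, e.PowNonce = true, nonce
			return e
		}
	}
}

// Decide implements the receiving policy from the post.
func (s *Server) Decide(e Envelope) Decision {
	if !ed25519.Verify(e.PubKey, signedContent(e.Sender, e.Body), e.Signature) {
		return Drop // invalid signature: trash silently
	}
	if known, ok := s.KnownKeys[e.Sender]; ok && !bytes.Equal(known, e.PubKey) {
		return Drop // signed, but not with the key this identity is known by
	}
	if s.Whitelist[e.Sender] {
		return Accept
	}
	if e.HasPow && leadingZeroBits(powDigest(e.Sender, e.Body, e.PowNonce)) >= s.PowBits {
		return Accept // unknown sender paid the advertised bypass cost
	}
	return Bounce // "you weren't on the whitelist, sorry"
}

// RunScenarios exercises each branch with freshly generated keys.
func RunScenarios() map[string]Decision {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{
		KnownKeys: map[string]ed25519.PublicKey{"alice@example.org": alicePub},
		Whitelist: map[string]bool{"alice@example.org": true},
		PowBits:   12,
	}
	out := map[string]Decision{}
	out["whitelisted sender"] = srv.Decide(Sign("alice@example.org", alicePriv, []byte("lunch?")))
	// Mallory signs correctly with her own key but claims to be Alice.
	out["forged identity"] = srv.Decide(Sign("alice@example.org", malloryPriv, []byte("cheap pills")))
	tampered := Sign("alice@example.org", alicePriv, []byte("lunch?"))
	tampered.Body = []byte("wire money") // body altered after signing
	out["tampered body"] = srv.Decide(tampered)
	bob := Sign("bob@example.net", bobPriv, []byte("remember me from college?"))
	out["unknown sender, no bypass"] = srv.Decide(bob)
	out["unknown sender with proof of work"] = srv.Decide(AttachPow(bob, srv.PowBits))
	return out
}

func main() {
	for name, d := range RunScenarios() {
		fmt.Printf("%-36s %s\n", name, d)
	}
}
```

    The verification cost the post discusses is one Ed25519 check per message, with no content heuristics at all. One thing the code makes explicit is that the whole scheme rests on the directory of known keys: an identity the server has never seen gets judged only on its own announced key and on whether it paid the bypass, which is exactly the whitelist-gap the post's bypass mechanisms are meant to fill.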

  • by Hasai ( 131313 ) on Friday May 15, 2009 @04:06PM (#27971855)

    ....You hunt them down and kick their asses.

    Cops and prisons exist for a set of very real reasons. Applying technical 'fixes' to what is a criminal enterprise is like busting your ass building ever higher and ever thicker walls around your house: If you don't deal with the root of the problem, the criminals themselves, all you're doing is delaying the inevitable.

    Everybody up to this point has been engrossed in spending all this time and money building ever higher and ever futile walls, ceding the world of the Internet to the criminals while we try to make our tiny little pieces of turf 'safe.'

    Personally, I think it's time we took the Internet back.

    'Nuff said.

  • by Anonymous Coward on Friday May 15, 2009 @06:42PM (#27973627)

    not to mention Delta Force, 24th Special Tactics Squadron, Intelligence Support Activity, 160th Special Operations Aviation Regiment (Airborne), 352d Special Operations Group, 1st Special Operations Wing, among others but for this application the 3 that are probably best suited are

    Intelligence Community Special Units

            * Strategic Support Branch (CIA/DIA)
            * Special Activities Division (CIA)
            * Special Collections Service (NSA - CIA)

    particularly the Special Collections Service which boasts a wikipedia page that looks small enough to be a twitter post and basically says "CIA + NSA == worse than extraordinary rendition"
