Wandering Thoughts archives

Thesis: reputation based antispam systems are dead

It recently struck me that one of the things that the university webmail phish attacks demonstrate is that reputation based antispam systems are now dead. The university webmail attacks aren't just a few previously good sources going bad, which has happened before; they're a systemic, broad attack on a whole class of systems that previously had a good to great 'spam reputation'.

(Well, this exaggerates the situation somewhat. There are two aspects of reputation based antispam systems; you can attempt to blacklist places that are spam sources, and you can attempt to whitelist places that are sources of good email. It is the whitelist approach that is primarily in trouble here.)

There's two aspects to this. First, it demonstrates very vividly that past good performance (emitting lots of good email and little or no spam) is no predictor of future performance, and that this happens for reasons beyond the site's control and thus beyond prediction and early warning signs. Second, I think that reputation based systems may even be counterproductive; clearly it is possible to compromise places with good reputations, and reputation based systems makes compromising such places fairly valuable.

(I do not think that this is the only reason for spammers to like compromising university webmail systems, but that's another entry.)

The corporate identity problem

One of the periodically proposed spam solutions is that someone will issue certificates to people and if they misbehave, the certificates will be revoked. One of the many problems with this idea is what I will call the corporate identity problem.

The problem with corporate identities is twofold, or perhaps threefold. First, corporate identities are much like Internet identities: they provide only positive identity, that person A is associated with corporation B, not negative identities, that corporation B is not associated with person A. In fact there are a lot of legal features about corporations that are designed more or less expressly to hide who a corporation is owned by and associated with.

(Note that using these things is not illegal or even underhanded. Things like 'silent partners' are perfectly routine.)

This might not matter if it was hard to get corporate identities, but it isn't. It's both easy and common to create new corporations, even ones that are more or less anonymous, to the extent that there are lots of support services to help you out with it. Thus, there is nothing to stop people having as many corporate identities as they need, and there is usually no way for an outsider not armed with a court order to know that behind all of the identities is the same set of bad people.

Finally, new corporations need things like domain names and certificates all the time. It's infeasible to say something like 'you cannot have an SSL certificate until you have been in business for two years', and attempting to do so would only serve the interests of the current incumbent companies (although I'm sure they'd be overjoyed at the sudden drop in new competition). Note that there are ways to (try to) do this indirectly, and they are going to be as problematic as just stating this limit outright; barriers to entry are barriers to entry, regardless of the exact form that they take.

To summarize, the corporate identity problem means that you can't throw people out of any system that allows corporations to be members, because they can just get new ones. It also means that you cannot attach any trust to the mere existence of a corporate entity, because you don't actually know anything important about it.