[Standards] Re: spim, spam, spit, splogs

Dawid Toton d0 at wp.pl
Mon Feb 5 00:48:17 UTC 2007


> Perhaps we could make a clearer distinction here between spam generated
> by rogue clients and rogue servers. (Rogue servers are probably easier
> to deal with, since a legitimate server could block all traffic from a
> rogue server.) I suppose there may also be a distinction between
> completely rogue accounts (created solely for the purpose of spamming)
> and legitimate accounts (or specific clients) that have been compromised
> by malware.

I'd like to share a few thoughts about spim. They are marked with (*)
somewhere below.  :)  (I'm not a spam expert or anything like that; I
don't know if these ideas can be useful.)

I see the following possible sources of spim:
a) server created by spimmer
b) server hijacked by spimmer
c) account created just for spimming
d) client's machine taken over by spimmer

Let us have clients A and B, and their servers SA and SB respectively.

Note that a spimmer would make a captured server (b) imitate the
behaviour of case d) (exploiting users' authorized contacts).
If so, SB would no longer be trusted.

I'm going to focus on d), and I assume for simplicity that we know that
it is not case b). Then SB is trusted for us.

(Here I make no distinction between machine, software and human, but I
hope I haven't mixed up terms too badly.)

0. A and B are mutually trusted and authorized. Let's imagine B uses
some outdated, insecure OS.
1. Spimmer breaks into B and sends spim to all B's authorized contacts.
2. A recognizes the unwanted message and reports it to SA. SB is the better
place for blocking B, so SA should forward the spim report to SB.
At this point A is sure that B is taken over by a spimmer, but the servers
don't know whether to block B. They have to collect evidence
carefully. So A blocks B (possibly using a standard privacy list).
But A wants to re-establish communication with B as soon as possible.
(*) So when SB sees that B is OK again, A should be notified about that.
3. After some time (when it has collected enough complaints) SB blocks all of B's
outgoing communication. The spimmer wants to keep his malware on B for
as long as possible. So B has no way to recognize that his machine is
doing something bad other than observing people behaving as if his
messages are not delivered. (The spimmer won't let any server inform B
about the problem.)
4. When B knows he is blocked (and knows no reason, or simply his
attempts to remove the malware were ineffective), he wants to say to SB: "My
software is OK, stop blocking me." But that doesn't make sense, since B is
untrusted.
(*) So SB has to remove the block on B after some period of the spimmer's
inactivity. I suggest using a formula like this:
T(n)=2*T(n-1)*exp(-C*t_n)
where t_n stands for the time between the nth and (n-1)th of SB's decisions (that B
is a spimmer). The idea is to let the spimmer send a logarithmic amount of spim,
while B is able to save his JID. I added the extra "relief factor"
exp(-C*t_n) because the mentioned unsafe OS would have one new hole after
another revealed, and after, say, one year B should be penalized for
starting a new "spimming affair" (as much as when his machine was
compromised for the first time).
What could happen then:
5. Spimmer is inactive for some time.
6. SB unblocks B, and informs A that B is trusted again.
7. A unblocks B.
8. B spims all his authorized contacts. (And maybe solves some CAPTCHAs
to send more spim utilizing the victim's machine.)
9. A complains, blocks B.
10. SB blocks B for a 2 times longer period.
11. Let's say B is now truly healed (but nobody else believes that). B
inevitably has to wait.
12. Eventually SB informs A that B is OK, and A and B communicate happily.

(A may expect that B will still use a bad OS and therefore ask SA to
create a challenge for *each* message from B. But how could one do that?)

In order to send a reasonable amount of spim, one has to capture very many
clients' machines or break into a server. There will be (number of
accessible accounts)*(average size of contact list)*(small number that
results from multiple attempts on the same machine) messages sent.

May we use a special presence stanza to say "B is now considered OK"
(after some time being blocked due to spimming)?
--
Dawid Toton
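The unblock-period formula T(n)=2*T(n-1)*exp(-C*t_n) from step 4 and the "logarithmic amount of spim" claim, worked through as an added example (my own code, not part of Dawid's post or of any XMPP server). Durations are in days; the relief constant C is chosen so that a gap of a chosen number of quiet days exactly cancels the doubling, which is one reading of the "after one year" remark and not something the post specifies.

```python
import math


def next_block_duration(prev_block: float, gap_days: float, relief: float) -> float:
    """T(n) = 2 * T(n-1) * exp(-C * t_n): the block doubles on each new
    incident, discounted by how long the spimmer stayed quiet (t_n)."""
    return 2.0 * prev_block * math.exp(-relief * gap_days)


def block_schedule(first_block: float, gaps_days, relief: float):
    """Block durations for a sequence of repeat incidents.
    gaps_days[i] is the quiet interval before incident i+1 (the post's t_n)."""
    schedule = [first_block]
    for gap in gaps_days:
        schedule.append(next_block_duration(schedule[-1], gap, relief))
    return schedule


def relief_for_reset(reset_days: float) -> float:
    """Assumption, not from the post: pick C so that a quiet gap of
    reset_days makes 2 * exp(-C * reset_days) == 1, i.e. the block neither
    grows nor shrinks; longer gaps shrink it, shorter gaps let it grow."""
    return math.log(2) / reset_days


def bursts_within(first_block: float, horizon_days: float) -> int:
    """Worst case for the server: the spimmer re-offends the moment B is
    unblocked (t_n = 0, so exp(0) = 1 and blocks are 1, 2, 4, ... days).
    Counts how many spim bursts fit into the horizon; the count grows only
    logarithmically with the horizon, which is the post's point."""
    count, now, block = 0, 0.0, first_block
    while now <= horizon_days:
        count += 1          # a burst goes out now, then B is blocked
        now += block
        block *= 2
    return count


if __name__ == "__main__":
    c = relief_for_reset(365)                 # constructed: one-year relief
    print(block_schedule(1.0, [0, 0, 0], c))   # immediate re-offence: 1, 2, 4, 8
    print(block_schedule(1.0, [365, 730], c))  # yearly/biennial: 1, 1, 0.5
    print(bursts_within(1.0, 365))            # bursts in a year: 9
```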