[Asrg] Spam profitability analysis and countermeasures
Douglas Otis
dotis at mail-abuse.org
Wed Apr 25 15:24:52 EDT 2007
On Apr 25, 2007, at 10:55 AM, Chris Lewis wrote:
> Matthias Leisi wrote:
>
>> Further, given that botnets can be in the tens of thousands of
>> members, it's easy for the botnet operator to initiate counter-
>> attacks if the number, "click-rate" and aggregated bandwidth of
>> spam-recipients does not outnumber the botnet operator's resources
>> by an order of magnitude.
>
> We must _not_ forget the Blue Frog lesson:
>
> http://en.wikipedia.org/wiki/Blue_Frog

Latency in any counter-measure makes reacting to individual events
futile. As such, counter-measures must be broad and lasting. A
fly's perceptions and reactions are much faster, making them
difficult to swat. With their low persistence, by the time a swatter
can even be raised, they have already taken flight. Warnings only
work when accompanied by negative ramifications. A "No Solicitation"
announcement can be made with RFC 3865. IP addresses might be
exploited, so a safe identity for which to apply long lasting
ramifications would be the ASN at the very moment of the offense.
This indicates which ASNs monitor their outbound traffic, check SMTP
error rates generated by outbound clients, disable port 25 for
residential access points, and respond to complaints of abuse.
Alas, industry attempts to punish or restrict individual users, where
various providers continue to profit from revenues generated by abuse
and abuse counter measures. Holding the ASN accountable is the
_only_ practical means to affect the profit motive driving abuse.
Many of the schemes that attempt to identify individuals actually
enable devastating DDoS exploits.

-Doug