[gnso-rds-pdp-wg] Reputation systems are not just nice to have (was Re: What we want redux)

Neil Schwartzman neil at cauce.org
Mon Oct 2 09:46:04 UTC 2017


With all due modesty (did I do that right?) I am a bit of an expert… the primary focus of my day job for the past four years has been entirely phishing; I‘ve worked on spam since it began (I wrote the first distributed spam filters on the Internet), and helped build the first email certification programme from the ground up.

> Some mail providers subscribe to certain blocklists that others don't, some search engines, browsers, and browser plugins will flag particular domains that others don't, and so on. 

That is a product of logistical limitations, not the reputation of a given domain. Everyone has a budget to consider, numerous checks can be costly in terms of computing overhead, and there is absolutely disparity between reputation systems (competitive advantages of one over the other), and how they manifest at a given user. You may believe a domain isn’t listed on a given blacklist because it renders in browser X; however, that is a factor of the constraints of the underlying distribution infrastructure, particularly acute in mobile browsers at present, or that an email isn’t blocked outright vs. being shunted to a junk folder, or is dependent upon there being more than X volume in Y timeframe + rep.

Reputation is *always* a question of proportion. While amazonaws.com has phishing content on it, in fact it has precious little as far as I have seen. Indeed, a quick check indicates this to be true; they have proportionately a very small amount, are responsive to phishing reports, and take preemptive action:

https://www.virustotal.com/#/domain/amazonaws.com vs. the ranking at Alexa: this is the 10th-most popular domain in the world.

> I suspected that Let's Encrypt would take a huge beating reputation-wise after the IDN browser display goof up, and over 15k certs issued for domain names used in PayPal phishing attacks and god knows what. 


15K for PayPal - when was that? I've seen nearly that number for brands of interest to me, in the past 90 days.

As a willfully intentional cesspool, an organization that “has decided that that's not part of its job to refuse to issue certificates for particular domains based on reputation” has thus made the presence of a Let’s Encrypt cert the perfect datapoint. One upon which one can block.

That’s how reputation works. 

> Recently the EFF has been worried about malware and phishing attacks against NGOs, and has been a proponent of patching compromised machines that are being used to attack other people.  Reputation systems are what people use to protect themselves and their networks against such things.

Let’s also put this into context: compromised machines came to be a matter of much concern in 2002. I’m glad they are now on the EFF’s radar. But, more often than not, that’s not what I encounter with phish. You don’t need a compromised machine to spam a phishing campaign (compromised user accounts at mailbox providers, a series of fraudulently acquired accounts at a hosting provider, or some hijacked IP space all work just fine), host phish (most phish I encounter are on legitimate hosting providers), or certify a phish domain (Let’s Encrypt!).

In fact, the current overwhelming manner in which phish are distributed underscores the entire issue of reputation.

The payloads are predominantly on throw-away free domains/TLDs, and use a free SSL cert such as Let’s Encrypt. But that is not what appears in the messaging lure. No, the phishers are using domains with great reputations such as Bit.ly, the URL shortener, which is something with far too many false positives to be blocked outright. Again, proportion.


Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
Twitter : @cauce
> On Sep 29, 2017, at 19:47, Jeremy Malcolm <jmalcolm at eff.org> wrote:
> 
> On 29/9/17 10:29 am, Andrew Sullivan wrote:
>> So, we can't treat reputation service support as something that's nice
>> to have.  It's necessary for the functioning of domain names on the
>> Internet, and therefore we must provide for it.
> 
> Interesting argument, but not convincing to me.  The reputation systems
> that I'm aware of *are* optional to support.  Some mail providers
> subscribe to certain blocklists that others don't, some search engines,
> browsers, and browser plugins will flag particular domains that others
> don't, and so on. 


> In the similar context of certificate authorities
> that issue SSL certificates for domains, Let's Encrypt (which EFF is a
> sponsor of) is often asked to refuse to issue certificates for
> particular domains based on reputation, but has decided that that's not
> part of its job.  Consider the domain amazonaws.com, which hosts millions
> of Amazon S3 buckets.  There's a lot of phishing content stored under
> that domain from time to time, but assigning a bad reputation to the
> registered owner of amazonaws.com would be pointless and cause lots of
> collateral damage.  It hardly seems that it's an essential part of the
> domain name system to be able to do that.
> 
> -- 
> Jeremy Malcolm
> Senior Global Policy Analyst
> Electronic Frontier Foundation
> https://eff.org
> jmalcolm at eff.org
> 
> Tel: 415.436.9333 ext 161
> 
> :: Defending Your Rights in the Digital World ::
> 
> Public key: https://www.eff.org/files/2016/11/27/key_jmalcolm.txt
> PGP fingerprint: 75D2 4C0D 35EA EA2F 8CA8 8F79 4911 EC4A EDDF 1122
> 
> 
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
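As an added illustration (not code from the thread or from CAUCE), here is a toy scorer that applies the rule argued above: a domain is judged by the proportion of bad observations, only after a minimum volume has been seen in a trailing window, so a high-volume shared host or URL shortener with a small share of phish lands in "allow" or "junk" rather than "block". All domain names and counts are constructed.

```python
"""Proportion-plus-volume reputation scorer (added example, constructed data)."""
from collections import Counter

# Constructed observations: (day_seen, domain, flagged_as_phish).
# Made-up names and counts; none of these are figures from the thread.
OBSERVATIONS = (
    [(70, "bigcloud.example", False)] * 9800 + [(70, "bigcloud.example", True)] * 200
    + [(70, "shortener.example", False)] * 4950 + [(70, "shortener.example", True)] * 50
    + [(70, "bulkmail.example", False)] * 700 + [(70, "bulkmail.example", True)] * 100
    + [(89, "login-verify.example", True)] * 40 + [(89, "login-verify.example", False)] * 2
    + [(89, "new-site.example", True)] * 3          # too little volume to judge
    + [(5, "old-phish.example", True)] * 500        # outside the 30-day window
)


def reputation(observations, window_days=30, now_day=89,
               min_volume=20, junk_ratio=0.05, block_ratio=0.5):
    """Return {domain: (total, bad, ratio, verdict)} for the trailing window.

    The verdict is driven by proportion, but only once min_volume observations
    exist in the window; below that there is no basis for a reputation at all.
    Thresholds are illustrative, not values from any real reputation system.
    """
    seen, bad = Counter(), Counter()
    for day, domain, is_phish in observations:
        if now_day - day >= window_days:
            continue                      # stale: not part of current reputation
        seen[domain] += 1
        bad[domain] += int(is_phish)
    verdicts = {}
    for domain, total in seen.items():
        ratio = bad[domain] / total
        if total < min_volume:
            verdict = "insufficient-volume"
        elif ratio >= block_ratio:
            verdict = "block"
        elif ratio >= junk_ratio:
            verdict = "junk"              # shunt to junk folder, do not block outright
        else:
            verdict = "allow"
        verdicts[domain] = (total, bad[domain], round(ratio, 4), verdict)
    return verdicts


if __name__ == "__main__":
    for domain, (total, n_bad, ratio, verdict) in sorted(reputation(OBSERVATIONS).items()):
        print(f"{domain:22} total={total:6} bad={n_bad:4} ratio={ratio:.4f} -> {verdict}")
```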
