Re: [gnso-ff-pdp-may08] Domain takedown through 100% automation - kicking the hornet's nest of controversy
- To: Marc Perkel <marc@xxxxxxxxxx>, "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] Domain takedown through 100% automation - kicking the hornet's nest of controversy
- From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
- Date: Sun, 3 Aug 2008 10:19:05 -0700
Marc,
Any issues folks might have with the automation you suggest probably lie in the
details not the principle. So I want to sidestep part of the controversy by
first analyzing your detection methodology.
Consider the markers you identify as "this is a fraud email" even in your brief
overview of your software:
* message not from paypal server
* paypal's domain key signature not present
* originating domain is on a trusted blocklist
* several "suspicious" DNS markers are present that you call "clearly fast
flux"
I imagine if you took more time, you'd identify several more. Having identified
these, we have to agree on not only the markers/metrics but the values that
represent "clearly fast flux".
Suppose we were to agree on markers/metrics/values. Could it not be left to
registrars whether the process is automated or manual, since they could be held
accountable for false positives?
Automation is always appealing, but my perhaps naïve notion of automation is
that many are successful because they perform relatively simple logic or
repetitive tasks. Anti-spam software is not nearly as effective as a
password cracker because it has many more variables to consider, so I don't
really think of antispam software as automation but as something considerably
more complex and often requiring human intervention (e.g., a static filter).
It's not the automation itself that some registrars may find worrisome, it's
the non-zero probability of false positives that some registrars may feel calls
for a human decision. I'm not suggesting that the human factor is infallible,
but that the human decision may say, "before I take down ebay.com, even if
every marker in the universe of possible markers says this is bogus, I'm going
to make a call". Perhaps you could program an automaton to think like this, but
I think it would be harder and more expensive.
On 8/3/08 11:29 AM, "Marc Perkel" <marc@xxxxxxxxxx> wrote:
OK - moving to controversial, I want to address automated domain
takedown. Let me give you an example of why this can work.
I am a spam filtering operation and a huge number of fraud attempts come
into our servers every hour. In this example I'll use PayPal. A message
comes into the system in this form:
From: paypaI@xxxxxxxxxxxxxxxxxxxxxxxx
To: honeypot@xxxxxxxxxxxxxxxxxxx
Subject: Please unlock your PayPal Password
Your Online PayPal Password was blocked on 19/07/2008
Log In into your account to resolve the problem.
Click here to Log In
The link goes to this address: http://paypaI.com/login.cgi
The message did not come from a PayPal server and does not have PayPal's
domain key signature. So there's no doubt that it's bogus and there are
no civil liberty or free speech issues involved. This is 100% about
criminals stealing money from technically ignorant users.
My software isolates the domain from the link and sees "paypaI.com"
(note the I instead of the L) and the domain appears in URI blacklist.
And suppose I read information from the DNS info I've proposed and I can
see the domain is 1 day old, the name servers have changed 40 times in
the first day (clearly fast flux), and the domain is registered through
godaddy.com. So - being part of a trusted closed reporting group my
software blocks the email and sends it to GoDaddy's automated abuse
system. At the same time GoDaddy has received similar messages from
several other trusted sources (not a secret society forming a shadow
government to dominate the world).
So as a result GoDaddy - through automation - takes down paypai.com in
less than 15 minutes after the fraud starts, disrupting the fraud, and
saving thousands of people from being ripped off by the Russian mafia.
With a network like this one could probably ID 90% of purely criminal
fast flux abuse with 100% accuracy and be so effective that fast flux no
longer works and criminals abandon the technique.
Tell me why this isn't a good idea.
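Added example, not part of either message in this thread and not Marc's software: a small Python scorer that applies the markers discussed above (link domain is a look-alike of a protected brand, sender is not the brand, no DKIM signature for the brand, domain on a URI blocklist, domain age and name-server churn) to a message and separates a unanimous "auto-report" from a "human-review" verdict, which is the distinction Dave raises. The brand list, the blocklist, the DNS observations, the thresholds and the sample message are all constructed here so it runs offline; the `registrable()` reduction to the last two labels, the `CONFUSABLES` table and the three-marker threshold for human review are assumptions of this example, not values the thread agreed on.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

PROTECTED_DOMAINS = {"paypal.com", "ebay.com"}   # brands this filter acts on (constructed list)
URI_BLOCKLIST = {"paypai.com"}                   # stand-in for a URI blocklist feed (constructed)
MAX_AGE_DAYS, MIN_NS_CHANGES_24H = 7, 10         # illustrative thresholds, not agreed values
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o")]
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host):
    """Crude registrable-domain reduction (last two labels); a real filter would use the PSL."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(domain):
    """Collapse common look-alike characters so paypaI.com and paypal.com compare equal."""
    s = domain.lower()
    for look_alike, real in CONFUSABLES:
        s = s.replace(look_alike, real)
    return s


def lookalike_target(domain):
    """Protected brand that `domain` imitates, or None (also None for the brand itself)."""
    d = registrable(domain)
    if d in PROTECTED_DOMAINS:
        return None
    return next((b for b in PROTECTED_DOMAINS if skeleton(d) == skeleton(b)), None)


def header_domain(addr):
    """Registrable domain of an address such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return registrable(m.group(1)) if m else ""


def link_domains(msg):
    """Registrable domains of every http(s) URL in the text/plain body."""
    part = msg.get_body(preferencelist=("plain",))
    hosts = (urlparse(u).hostname for u in URL_RE.findall(part.get_content() if part else ""))
    return {registrable(h) for h in hosts if h}


def has_brand_dkim(msg, brand):
    """True if a DKIM-Signature header carries d=<brand>; presence is a marker only,
    a production pipeline would verify the signature cryptographically."""
    return any(re.search(r"\bd=%s\b" % re.escape(brand), sig, re.I)
               for sig in msg.get_all("DKIM-Signature", []))


def assess(raw_message, dns_snapshot):
    """Score every look-alike link domain; verdict is 'auto-report', 'human-review' or 'pass'."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for domain in link_domains(msg):
        brand = lookalike_target(domain)
        if brand is None:
            continue                      # real brand or unrelated site: never acted on here
        dns = dns_snapshot.get(domain, {})
        markers = {
            "link_domain_lookalike": True,
            "sender_not_brand": header_domain(msg["From"]) != brand,
            "no_brand_dkim": not has_brand_dkim(msg, brand),
            "on_uri_blocklist": domain in URI_BLOCKLIST,
            "young_domain": dns.get("age_days", float("inf")) <= MAX_AGE_DAYS,
            "ns_churn": dns.get("ns_changes_24h", 0) >= MIN_NS_CHANGES_24H,
        }
        fired = sorted(k for k, v in markers.items() if v)
        if len(fired) == len(markers):
            verdict = "auto-report"       # every agreed marker present: unanimous
        elif len(fired) >= 3:
            verdict = "human-review"      # suspicious, but a person makes the call
        else:
            verdict = "pass"
        findings.append({"domain": domain, "brand": brand, "markers": fired, "verdict": verdict})
    return findings


# Constructed sample modelled on the message quoted in the thread; addresses are invented.
SAMPLE_PHISH = """\
From: paypaI@paypaI.com
To: honeypot@example.net
Subject: Please unlock your PayPal Password

Your Online PayPal Password was blocked on 19/07/2008
Log In into your account to resolve the problem.
Click here to Log In: http://paypaI.com/login.cgi
"""
# Constructed DNS observations of the kind the thread proposes registrars expose.
SAMPLE_DNS = {"paypai.com": {"age_days": 1, "ns_changes_24h": 40}}

if __name__ == "__main__":
    for finding in assess(SAMPLE_PHISH, SAMPLE_DNS):
        print(finding)
```

The real brand domain itself (the "ebay.com" case in the reply) can never reach a verdict, because `lookalike_target()` returns None for it; the same message with a domain that is not on the blocklist and has no DNS history drops to "human-review", which is where a registrar's manual decision would sit.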