[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] 0. General - Inquiry about CallerID Verification

To: "ASRG" <asrg@ietf.org>
Subject: Re: [Asrg] 0. General - Inquiry about CallerID Verification
From: "Hector Santos" <winserver.support@winserver.com>
Date: Sun, 30 Nov 2003 00:18:12 -0500
List-archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
Organization: Santronics Software, Inc
References: <2A1D4C86842EE14CA9BC80474919782E0111322D@mou1wnexm02.vcorp.ad.vrsn.com> <c1e97a355b0e1a3d53a373400cb2817a3fc72e9b@mhs> <002001c3b59a$a9b07250$60c6d344@FAMILY> <3FC78D06.6020909@solidmatrix.com> <004601c3b5fd$211bcfd0$60c6d344@FAMILY> <p06002031bbeef916a8b6@[192.168.254.12]> <1031130041852.ZM29089@candle.brasslantern.com>
Sender: asrg-admin@ietf.org

>
> It does share an important "feature" of C/R systems, though:  It's cost-
> shifting.  If someone (or some worm) sends you 1000 messages with forged
> senders in the brasslantern.com domain, you're going to hit my MX host
> 1000 times to refute them all.  Why is it *my* responsibility to expend
> bandwidth and server cycles to help you reject the spam run?  How is what
> you're doing to my server any less an abuse of resources than what the
> spammer is doing to you?

Correct.  Optimization is surely next on the list for WCSAP.

> Suppose a large ISP were to adopt the "caller ID" scheme (one already may
> have, see below).  A spammer forges winserver.com MAIL FROM: on a couple
of
> million messages destined for that ISP, distributed across all its dozens
> of MXs.  They all begin connecting to your MX to ID the caller.  Are you
> prepared to handle that load, or have you just been DoS'd into oblivion?

Doesn't this apply to any approach? A DNS based solution can also be
overloaded just as well.

But no, your right.  The process has to take this into account.  My main
design goal was to work out the interface into our SMTP state machine - a
black box concept.

Abuse, blacklisting,  optimization is next for this specific implementation.
I already have some ideas that address this.  A cached or database is
required, maybe timed based.  This could also be based on a network of
peer-to-peer systems.

> More recently, I missed a message from another mailing list, and got a
> bounce probe from the list software (which fortunately came through)
> because my MX forwarder's DNS went down briefly, causing verizon's test
> to fail.  This seems excessively brittle to me.

If I felt it was, trust me, I wouldn't be putting it in our system.   It
works.  The kinks need to be worked out.  By far, it is the #1 method to
drastic reduce spoofing spammers using current technology - TODAY!

> Exactly -- a "MAIL FROM: <>" followed by "RCPT TO:" an unknown address
> is the signature of, for example, a system that is bouncing wormspew to
> the worm-forged sender address.  How would the administrator of the MXs
> that are being "caller ID" probed, know the difference?

Good point.

What we did here was to make the HELO and MAIL FROM: definable.   So you can
define what you want to put in there:

        SapMailFrom    <wcsap-callerid@winserver.com>
        SapLocalHost  <winserver.com>

One of the beta testers needed to do this for his HOTMAIL account which is
violating the RFC by not accepting NULL addresses.

But it doesn't end there.  I am going to explore other ideas, such as use
"VRFY" option, which many systems disable but it can be tested, and other
ideas such as maybe using a new EHLO keyword:  XSAP

C:  EHLO winserver.com
S: 250-winserver.com, Pleased to meet you.
S: 250-XSAP
S: 250-AUTH CRAM-MD5 LOGIN PLAIN PLAIN-MD5 SHA-1
S: 250-AUTH=LOGIN
S: 250 HELP
C: XVALIDATE  xy@whereever.com

That way we can use MAIL FROM and also a loops.

--
Hector Santos
WINSERVER "Wildcat! Interactive Net Server"
support: http://www.winserver.com
sales: http://www.santronics.com




_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- Re: [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Yakov Shafranovich

References:
- RE: [Asrg] Re: 6. Proposals - rDNS and rMX
  - From: Hallam-Baker, Phillip
- Re: [SPAM] RE: [Asrg] Re: 6. Proposals - rDNS and rMX
  - From: Jukka Inkeri
- [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Hector Santos
- Re: [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Yakov Shafranovich
- Re: [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Hector Santos
- Re: [Asrg] 0. General - anti-harvesting (was Inquiry aboutCallerID Verification)
  - From: Bill Cole
- Re: [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Bart Schaefer

Prev by Date: Re: [Asrg] 6. Proposals - Legal - Subject labelling (?)
Next by Date: Re: [Asrg] 0. General - Inquiry about CallerID Verification
Previous by thread: Re: [Asrg] 0. General - Inquiry about CallerID Verification
Next by thread: Re: [Asrg] 0. General - Inquiry about CallerID Verification
Index(es):
- Date
- Thread