[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] 0. General - Inquiry about CallerID Verification

To: Hector Santos <winserver.support@winserver.com>
Subject: Re: [Asrg] 0. General - Inquiry about CallerID Verification
From: Yakov Shafranovich <research@solidmatrix.com>
Date: Sun, 30 Nov 2003 01:17:43 -0500
Cc: ASRG <asrg@ietf.org>
In-reply-to: <008b01c3b701$5a9c2a20$60c6d344@FAMILY>
List-archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
Organization: SolidMatrix Technologies, Inc.
References: <2A1D4C86842EE14CA9BC80474919782E0111322D@mou1wnexm02.vcorp.ad.vrsn.com><c1e97a355b0e1a3d53a373400cb2817a3fc72e9b@mhs><002001c3b59a$a9b07250$60c6d344@FAMILY> <3FC78D06.6020909@solidmatrix.com><004601c3b5fd$211bcfd0$60c6d344@FAMILY><p06002031bbeef916a8b6@[192.168.254.12]><1031130041852.ZM29089@candle.brasslantern.com><008b01c3b701$5a9c2a20$60c6d344@FAMILY>
Sender: asrg-admin@ietf.org
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5)Gecko/20031007

Hector Santos wrote:

Suppose a large ISP were to adopt the "caller ID" scheme (one already may
have, see below).  A spammer forges winserver.com MAIL FROM: on a couple

of

million messages destined for that ISP, distributed across all its dozens
of MXs.  They all begin connecting to your MX to ID the caller.  Are you
prepared to handle that load, or have you just been DoS'd into oblivion?


Doesn't this apply to any approach? A DNS based solution can also be
overloaded just as well.

DNS lookups are *much* more lightweight than SMTP sessions. According to RFC 1035, DNS queries can be done over UDP, with a limit of 512 bytes per query, with the usual ones much smaller than that. This has two advantages - very low transfer size, and also the usage of UDP does not require an acknowledgement to be sent back unlike TCP, reducing traffic. Also, DNS information tends to be cached all over the Internet.

That is why an DNS method is being pushed in LMAP, since it is more lightweight. As a matter of fact the "L" in "LMAP" stands for "lightweight".

Plus many domains have their DNS services outsourced to someone else like UltraDNS, whose systems are more than enough to withstand most DDOS attacks.

But it doesn't end there.  I am going to explore other ideas, such as use
"VRFY" option, which many systems disable but it can be tested, and other
ideas such as maybe using a new EHLO keyword:  XSAP

Use of VRFY should be done with caution, many systems may turn it off and a good reasond to do so, from RFC 2821:

"7.3 VRFY, EXPN, and Security

As discussed in section 3.5, individual sites may want to disable
either or both of VRFY or EXPN for security reasons.
"

From RFC 2505:

"2.11. SMTP VRFY and EXPN

Both SMTP VRFY and EXPN provide means for a potential spammer to test
whether the addresses on his list are valid (VRFY) and even get more
addresses (EXPN). Therefore, the MTA SHOULD control who is is allowed
to issue these commands. This may be "on/off" or it may use access
lists similar to those mentioned previously.

Note that the "VRFY" command is required according to RFC821, [1].
The response can, though, be "252 Argument not checked" to represent
"off" or blocked via an access list. This should be the default.

Default for the "EXPN" command should be "off".
"

ALSO, please do not take my comments as an attack on your approach, rather I think that what is missing here, is the fact that your approach is not 100% compliant with the standards. If you are proposing to change the standards, that's fine but I think that should be made clear. However, in my opinion as you are proposing it now, this proposal is not in compliance with existing email standards since it requires the receiving domains to answer 252 upon RCPT TO to valid addresses only. That is not a current requirement, and blacklisting Yahoo and others for doing that is incorrect.

I think that we need to evaluate the current SMTP model first to see how many holes there are, and THEN see what we can do about them. Since can help to put things in perspective better.

Yakov

-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"I ate your Web page. / Forgive me. It was juicy / And tart on my tongue." (MIT's 404 Message)
-------

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- Re: [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Hector Santos

References:
- RE: [Asrg] Re: 6. Proposals - rDNS and rMX
  - From: Hallam-Baker, Phillip
- Re: [SPAM] RE: [Asrg] Re: 6. Proposals - rDNS and rMX
  - From: Jukka Inkeri
- [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Hector Santos
- Re: [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Yakov Shafranovich
- Re: [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Hector Santos
- Re: [Asrg] 0. General - anti-harvesting (was Inquiry aboutCallerID Verification)
  - From: Bill Cole
- Re: [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Bart Schaefer
- Re: [Asrg] 0. General - Inquiry about CallerID Verification
  - From: Hector Santos

Prev by Date: Re: [Asrg] 0. General - Inquiry about CallerID Verification
Next by Date: Re: [Asrg] Re: 6. Proposals - Pull System (revisited)
Previous by thread: Re: [Asrg] 0. General - Inquiry about CallerID Verification
Next by thread: Re: [Asrg] 0. General - Inquiry about CallerID Verification
Index(es):
- Date
- Thread