On 2003-11-30 15:35:28 -0500, Hector Santos wrote:
>
> ----- Original Message -----
> From: "Bart Schaefer" <schaefer@brasslantern.com>
> To: "ASRG" <asrg@ietf.org>
> Sent: Sunday, November 30, 2003 12:03 PM
> Subject: Re: [Asrg] 0. General - Inquiry about CallerID Verification
>
> > } This is already controlled by server access and availability.
> >
> > You're missing the point.
> >
> > You might believe it's a non-issue for you, but that doesn't make it a
> > non-issue for everyone who might become a victim of it. Recommending an
> > approach such as your caller-ID technique is irresponsible, because it
> > can lead to indirect abuse of innocent third parties.
>
> I fail to see how. I would love to see an example.

He already gave one. To reiterate:

Someone sends out millions of messages with a forged winsite.com return
path to sites which implement the caller-ID technique. All of these
sites will connect to your mail server and ask it whether the return
path is valid. Is your mail server prepared to handle this load and
still accept legitimate messages? Do you have enough bandwidth?

Of course this is not a new problem. They could also send lots of
messages with your domain in the return path to sites with an "accept
and bounce" policy and DDoS you with the bounces. Or DDoS you directly
with millions of messages, although a spammer probably wouldn't do that
unless you really annoy him.

> > ALL of your mail is going to stop flowing with
> > this error until such time as the flood of caller-ID connections stops.
>
> No, it's not. Again, I fail to see this. I have WCSAP running for nearly
> 5-6 days now with very little issues that is being worked out.

After 5-6 days on a single site it seems awfully optimistic to me when
you say "we haven't been DDoSed yet, so it will never happen".

> > And assuming the hypothetical ISP in the example does wait and try again,
>
> You can't design software on the assumption that SMTP systems will not be
> following specifications.

You should. Because some systems out there won't follow specifications.
You don't have to provide service to those systems (although your
customers may have different opinions about that), but when designing
the software you must consider what happens if the other breaks the
rules.

> You will go nuts otherwise.

That's always a possibility ;-)

> I am going to make available the logs from WCSAP. I think you will find
> them interesting. There are questionable issues that need manual checks.
> There are also VERY interesting behaviors (as we learn about YAHOO delayed
> validation).

ACK. I deployed greylisting at two (rather different) sites 2-3 months
ago, and I've certainly learned a lot about "interesting" behaviours.

        hp

--
   _  | Peter J. Holzer    | In this vale
|_|_) | Sysadmin WSR       | Of toil and sin
| |   | hjp@hjp.at         | Your head grows bald
__/   | http://www.hjp.at/ | But not your chin.
                                 -- Burma Shave
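The load concern in the message above, seen from a receiving site's side, as an added example that is not part of the original post or of WCSAP: a callback verifier that caches verdicts and caps probes per return-path domain, so a flood of forged return paths causes a bounded number of connections to the forged domain's mail server instead of one per message. The class, its limits, the `probe` callable and the `victim.example` flood are assumptions constructed for illustration.

```python
import time
from collections import defaultdict

class CallbackVerifier:
    """Receiver-side return-path callback with a verdict cache and a per-domain probe budget."""

    def __init__(self, probe, cache_ttl=3600.0, probes_per_minute=30, clock=time.monotonic):
        # probe(address) -> bool stands in for the real SMTP callback (hypothetical hook)
        self.probe, self.cache_ttl, self.clock = probe, cache_ttl, clock
        self.rate, self.burst = probes_per_minute / 60.0, float(probes_per_minute)
        self.cache = {}                                   # address -> (verdict, expiry)
        self.buckets = defaultdict(lambda: [self.burst, self.clock()])  # domain -> [tokens, last]

    def _take_token(self, domain):
        bucket = self.buckets[domain]
        now = self.clock()
        # Refill in proportion to elapsed time, never above the burst size.
        bucket[0] = min(self.burst, bucket[0] + (now - bucket[1]) * self.rate)
        bucket[1] = now
        if bucket[0] < 1.0:
            return False
        bucket[0] -= 1.0
        return True

    def check(self, return_path):
        """Return 'accept', 'reject' or 'defer' (temporary failure, sender retries later)."""
        address = return_path.lower()
        domain = address.rpartition("@")[2]
        now = self.clock()
        hit = self.cache.get(address)
        if hit and hit[1] > now:
            return "accept" if hit[0] else "reject"       # answered without a connection
        if not self._take_token(domain):
            return "defer"                                # budget spent: leave the third party's MX alone
        verdict = self.probe(address)
        self.cache[address] = (verdict, now + self.cache_ttl)
        return "accept" if verdict else "reject"

def simulate_flood(messages, distinct_forged_users, **kwargs):
    """Constructed scenario: forged return paths at victim.example arrive at one receiving site."""
    probes = []                                           # one entry per connection to the victim's MX
    def probe(address):
        probes.append(address)
        return False                                      # forged local parts do not exist
    fake_now = [0.0]
    verifier = CallbackVerifier(probe, clock=lambda: fake_now[0], **kwargs)
    results = defaultdict(int)
    for i in range(messages):
        fake_now[0] = i * 0.01                            # 100 forged messages per second
        results[verifier.check(f"user{i % distinct_forged_users}@victim.example")] += 1
    return len(probes), dict(results)
```

Without the cache and budget, each of the 10,000 simulated messages would cost the forged domain one inbound connection from this site alone; the deferred messages rely on the sender retrying, which is exactly the behaviour the thread notes cannot be assumed of every system.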