ietf-asrg
[Top] [All Lists]

Re: [Asrg] Ban the bounce; improved challenge-response systems

2003-04-07 08:30:39

On Monday, April 7, 2003, at 01:54  AM, Claus Färber wrote:
Consider AOL's case for starters.  From what I can tell they have a
three-level setup, with a first line of simple receivers, a middle area of message routers and analysers (eg where the silent discards happen),
and then a set of back end storage servers handling the LDA business.

Even this system should not receive mail faster than the analysers can
handle it and storage servers can tuck it away. Each level can start to
temporarily reject messages (or connection) until the next level can
handle the mail.


Doesn't work under many situations. I have a machine specifically set up as a incoming "sponge", to accept mail as fast as possible and hold it until it can be sent to a series of processing machines or scripts or mailboxes or other things.

To do what you want, I'd have to, among other things, move my processing machines from inside the firewall to a DMZ, where they connect directly to the net, which would make them much more vulnerable to cracking, and it would force me to move data that's currently behind the firewall system into a location where it's potentially accessible. To me, that's a non-starter. Sorry.

I think it also makes these systems more accessible to a dictionary attack, since now a spammer can directly query the account status via probing bounces -- and it's much more difficult to track that probe and stop it, since you've moved it out to the periphery, where a spammer who's poking at 8-10 incoming relays in sequence to do the dictionary attack would be very difficult to recognize and intercept on a real time basis.

Since since a lot of my incoming mail is very bursty (lots of short, intense peaks), I use the sponges to accept them as quickly as possible, and then process it in non-real time. this proposal would require my outgoing servers to accept and process the failures, and the requirement that I have to accept email in real time is not acceptable, some of my processing cycles can be delayed 10 days. Leaving mail on someone else's server until I get around to accepting it is a ban neighbor policy, I try to avoid that. Leaving email on someone else's server because I can't accept it until I'm ready to process it is a really bad idea.

This whole proposal doesn't seem to understand how and why large corporate e-mail systems work, and I'm not sure it buys anything useful on top of it. it asks companies to move their data into vulnerable situations, exactly the opposite of what we ought to be asking. Those stupid incoming relays are there for very good reasons: one is to accept mail to reduce the need for secondary MXes and other fallback situations, and to cut the need for mail retries and delivery delays (If my system is overloaded, currently, I can accept the mail into a sponge, and then retry every 10 minutes to speed delivery. If I have to push it back to someone else's system, their retry might by four hours, or six, or worse, causing that email to be horribly delayed. Bad thing). Second, those relays allow us to DMZ our mail systems, so that even if they are penetrated, no significant data is released. By forcing those systems to make these bounce decisions, you also force the data needed to make those decisions out from behind the firewall where it's vulnerable to attack or penetration, and that alone will make this proposal a non-starter for most large email installations.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>