ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] 0. General - Inquiry about CallerID Verification

2003-11-30 14:06:25
from [Peter J. Holzer] [Permanent Link] 
On 2003-11-30 15:35:28 -0500, Hector Santos wrote:


----- Original Message ----- 
From: "Bart Schaefer" <schaefer(_at_)brasslantern(_dot_)com>
To: "ASRG" <asrg(_at_)ietf(_dot_)org>
Sent: Sunday, November 30, 2003 12:03 PM
Subject: Re: [Asrg] 0. General - Inquiry about CallerID Verification



} This is already controlled by server access and availability.

You're missing the point.

You might believe it's a non-issue for you, but that doesn't make it a
non-issue for everyone who might become a victim of it.  Recommending an
approach such as your caller-ID technique is irresponsible, because it
can lead to indirect abuse of innocent third parties.


I fail to see how.   I would love to see an example.


He already gave one.

To reiterate:

Someone sends out millions of messages with a forged winsite.com return
path to sites which implement the caller-ID technique. All of these
sites will connect to your mail server and ask it whether the return
path is valid.

Is your mail server prepared to handle this load and still accept
legitimate messages? Do you have enough bandwidth?

Of course this is not a new problem. They could also send lots of
messages with your domain in the return path to sites with an "accept
and bounce" policy and DDoS you with the bounces. Or DDoS you directly
with millions of messages, although a spammer probably wouldn't do that
unless you really annoy him.



ALL of your mail is going to stop flowing with
this error until such time as the flood of caller-ID connections stops.


No, its not.  Again, I fail to see this.   I have WCSAP running for nearly
5-6 days now with very little issues that is being worked out.


After 5-6 days on a single site it seems awfully optimistic to me when
you say "we haven't been DDoSed yet, so it will never happen".




And assuming the hypothetical ISP in the example does wait and try again,


You can't design software on the assumption that SMTP systems will not be
following specifications. 


You should. Because some systems out there won't follow specifications.
You don't have to provide service to those systems (although your
customers may have different opinions about that), but when designing
the software you must consider what happens if the the other breaks the
rules.


You will go nuts otherwise.


That's always a possibility ;-)



I am going to make available the logs from WCSAP.  I think you will find
them interesting.  There are questionable issues that need manual checks.
There are also VERY interesting behaviors (as we learn about YAHOO delayed
validation).


ACK. I deployed greylisting at two (rather different) sites 2-3 
months ago, and I've certainly learned a lot about "interesting"
behaviours.

        hp

-- 
   _  | Peter J. Holzer    | In this vale
|_|_) | Sysadmin WSR       | Of toil and sin
| |   | hjp(_at_)hjp(_dot_)at         | Your head grows bald
__/   | http://www.hjp.at/ | But not your chin.           -- Burma Shave

Attachment: pgpAzmai5JykO.pgp
Description: PGP signature

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] 0. General - Inquiry about CallerID Verification, Hector Santos
Next by Date:  Re: [Asrg] 0. General - Inquiry about CallerID Verification, Yakov Shafranovich
Previous by Thread:  Re: [Asrg] 0. General - Inquiry about CallerID Verification, Hector Santos
Next by Thread:  Re: [Asrg] 0. General - Inquiry about CallerID Verification, Yakov Shafranovich
Indexes:  [Date] [Thread] [Top] [All Lists]