ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] 0. General - Inquiry about CallerID Verification

2003-11-30 19:06:34
from [Matthew Elvey] [Permanent Link] 
On 11/30/2003 5:00 PM, Bart Schaefer sent forth electrons to convey:


...
As my original example doesn't seem to have gotten the point across, I'll
try it another way.

Let's suppose that your product with WSCAP included is wildly successful,
and 10,000 sites deploy it.  Collectively call these sites W.

Further suppose that some other vendor likes your suggestion and deploys
an equivalent system to another 10,000 sites.  Call these Q.

Now add spammer X and third-party site V.

X sends 1000 messages to each of the sites in W, forging V's domain in
the MAIL FROM:.  What happens to V's MX host?

Next X sends 1000 messages to each of the sites in Q, forging random
domains from W.  What happens?  (Remember that some fraction, possibly
all, of the hosts in both W and Q are performing the caller-id probes
with non-empty MAIL FROM: because they don't want to be mistaken for a
wormspew bounce.)

In the victim V case, an innocent third party has been DDoS'd by the
servers in set W.  That there currently exist other mechanisms by which
a similar DDoS could be caused is not justification for recommending
yet another one.
Without WSCAP, wouldn't V likely receive tons of DSNs for email it never sent? Replacing those with WSCAP probes seems a net reduction in the impact of the DDoS to me. 


In the Q vs. W case, what stops all the systems involved from deadlocking,
as each site in W tries to caller-ID the non-empty MAIL FROM: generated by
the servers in Q, which then try to caller-ID the non-empty MAIL FROM:
generated by the servers in W, and so on around again?
Good example. This is indicative of the Challenge-Response nature of WSCAP, as you say below. But haven't some C-R systems solved this problem, or do they just have klugey partial solutions that only work if only their C-R system is used? If not resolvable, we have a dealbreaker. 



All challenge systems are highly effective when deployed in isolation.
The troubles begin when you consider what happens if they become widely
distributed.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg




_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerID Verification), Bart Schaefer
Next by Date:  Re: [Asrg] 0. General - Inquiry about CallerID Verification, Bart Schaefer
Previous by Thread:  Re: [Asrg] 0. General - Inquiry about CallerID Verification, Bart Schaefer
Next by Thread:  Re: [Asrg] 0. General - Inquiry about CallerID Verification, Bart Schaefer
Indexes:  [Date] [Thread] [Top] [All Lists]