
[Asrg] Dictionary Attacks

2008-11-18 11:55:48
Barry Shein <bzs(_at_)world(_dot_)std(_dot_)com> wrote:
> On November 17, 2008 at 16:47 davidnicol(_at_)gmail(_dot_)com (David Nicol)
> wrote:
>
> > I'm wondering why World doesn't script a little log watcher that
> > identifies the source of dictionary attacks and drops all their packets
> > at the perimeter for a few hours when they occur.
>
> Of course we do that sort of thing, almost exactly that.

   This is a tactic _many_ ISPs have considered, and a good number have
implemented. It, of course, cannot fully protect against dictionary
attacks, because a dictionary attack can be distributed...

> But one gets a little frustrated when it's all of earthlink's (e.g.)
> servers which are being blocked most of the time.
>
> Occasionally we've had to put in exceptions allowing them through so mail
> customers want gets through.

   Indeed, Earthlink is one of the ISPs (by no means the worst) that
sends significant amounts of both abusive traffic and wanted traffic.
IMHO, Earthlink _does_ make efforts to limit abusive traffic.

   Earthlink _cannot_ avoid sending some abusive traffic. The question
is, what balance of good traffic to abusive traffic will receiving
SMTP servers tolerate? That, IMHO, is a balancing act where no two
receiving domains will have exactly the same parameters.

> Think about that: We have to put exceptions in to let their stuff
> through when they are behaving at their worst and tripping these log
> analyzers so much that customers are complaining.

   My point, exactly!

> Here is a summary right this moment on one mail server, a few seconds
> sample:
>
>   Unknown Users By Host:
> ...
> Earthlink, OH YEAH, direct hit, CUT+PASTE, as always:
>
> Nov 17 18:33:35 pcls5 sendmail[13516]: NOUSER: tracer3 relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
> Nov 17 18:33:38 pcls5 sendmail[13516]: NOUSER: tracer4 relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
> Nov 17 18:33:41 pcls5 sendmail[13516]: NOUSER: tracer5 relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
> ...

   All very familiar to ISPs... :^(

   But perhaps not familiar to other readers of this list.

   I'd like to suggest a few principles:

1) ISPs like Barry have _really_ helpful information they could share;

2) neither Earthlink nor World can afford to have humans in the loop;

3) it is not helpful to argue which of them to blame;

4) there _could_ be value in an automated way to tell Earthlink about abuse;

5) any use of <abuse(_at_)earthlink(_dot_)com> cannot serve that purpose;

   Now, a question for ASRG:

- can we design a _useful_ reporting scheme for, e.g., dictionary attacks?

--
John Leslie <john(_at_)jlc(_dot_)net>
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
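The "little log watcher" the thread talks about, with the two refinements the discussion calls for (a good-to-bad ratio so a relay that also delivers wanted mail is not cut off, and an exception list), as an added example that is not code from World, Earthlink, or the ASRG. It parses lines in the shape of the sendmail NOUSER lines quoted above. Everything else is assumed for the example: the `ACCEPT:` line form used to count delivered recipients, the syslog year (2008), the thresholds and block duration, the probe host `mail.example.net` at 198.51.100.7, and the accepted deliveries attributed to the Earthlink relay in the constructed sample log.

```python
"""SMTP dictionary-attack log watcher (added example, not from the thread).

Assumed, not from the page: the ACCEPT line format, SYSLOG_YEAR, thresholds,
block duration, the allowlist, and the constructed sample log below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NOUSER form as quoted in the thread; the ACCEPT form is assumed here so the
# watcher can weigh unknown-user probes against accepted deliveries.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: "
    r"(?P<kind>NOUSER|ACCEPT): (?P<rcpt>\S+) relay=(?P<host>\S+) \[(?P<ip>[0-9.]+)\]$"
)
SYSLOG_YEAR = 2008  # syslog stamps carry no year; assumed from the thread date


def parse_line(line):
    """Return (timestamp, kind, recipient, relay_host, ip), or None if not a match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["kind"], m["rcpt"], m["host"], m["ip"]


class DictionaryAttackWatcher:
    """Sliding-window counter per relay IP; decides when to drop a source."""

    def __init__(self, window=timedelta(minutes=5), nouser_threshold=10,
                 max_good_fraction=0.2, block_for=timedelta(hours=2), allowlist=()):
        self.window, self.nouser_threshold = window, nouser_threshold
        self.max_good_fraction, self.block_for = max_good_fraction, block_for
        self.allowlist = tuple(allowlist)      # exact IPs or hostname suffixes
        self.nouser = defaultdict(deque)       # ip -> times of unknown-user rejections
        self.accepted = defaultdict(deque)     # ip -> times of accepted recipients
        self.blocked_until = {}                # ip -> expiry of the perimeter drop

    def _trim(self, dq, now):
        cutoff = now - self.window
        while dq and dq[0] < cutoff:
            dq.popleft()

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:            # block has aged out; let them back in
            del self.blocked_until[ip]
            return False
        return True

    def _exempt(self, host, ip):
        return any(ip == a or host.endswith(a) for a in self.allowlist)

    def observe(self, event):
        """Feed one parsed event; return the IP if this event triggers a new block."""
        now, kind, _rcpt, host, ip = event
        (self.nouser if kind == "NOUSER" else self.accepted)[ip].append(now)
        self._trim(self.nouser[ip], now)
        self._trim(self.accepted[ip], now)
        if kind != "NOUSER" or self._exempt(host, ip) or self.is_blocked(ip, now):
            return None
        bad, good = len(self.nouser[ip]), len(self.accepted[ip])
        if bad < self.nouser_threshold:
            return None
        # A relay that also delivers plenty of wanted mail (the Earthlink case)
        # is left alone unless unknown-user probes dominate its traffic.
        if good / (good + bad) > self.max_good_fraction:
            return None
        self.blocked_until[ip] = now + self.block_for
        return ip


def scan(log_text, **kw):
    """Run the watcher over a log; return [(ip, blocked_until)] for new blocks."""
    w, decisions = DictionaryAttackWatcher(**kw), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and w.observe(ev):
            decisions.append((ev[4], w.blocked_until[ev[4]]))
    return decisions


def _line(sec, kind, rcpt, host, ip):
    # Constructed line in the shape quoted in the thread (sendmail on host pcls5).
    return f"Nov 17 18:33:{sec:02d} pcls5 sendmail[13516]: {kind}: {rcpt} relay={host} [{ip}]"


def build_sample_log():
    """Constructed sample: a pure probe host, and an Earthlink-style relay that
    runs the same probe while also delivering eight wanted messages."""
    el = "elasmtp-spurfowl.atl.sa.earthlink.net", "209.86.89.66"
    events = []
    for s in range(12):
        events.append((s, 0, _line(s, "NOUSER", f"tracer{s + 1}", "mail.example.net", "198.51.100.7")))
        events.append((s, 1, _line(s, "NOUSER", f"tracer{s + 1}", *el)))
        if s < 8:
            events.append((s, -1, _line(s, "ACCEPT", f"user{s}", *el)))
    return "\n".join(line for _, _, line in sorted(events))


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, until in scan(SAMPLE_LOG):
        print(f"drop {ip} at the perimeter until {until:%Y-%m-%d %H:%M:%S}")
```

With the defaults, only 198.51.100.7 is dropped (at its tenth unknown-user probe); the Earthlink relay runs the same probe but its eight accepted deliveries keep it under the ratio rule, which is the kind of exception Barry describes having to add by hand. Raising `max_good_fraction` to 0.5 blocks both, and an allowlist entry of `example.net` or `198.51.100.7` exempts the probe host, so the trade-off the thread argues over is a pair of knobs rather than a human in the loop.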