Well, any way to modify SMTP to still send ARF reports without taking down the
whole Internet?

Speaking out loud: a new capability in ESMTP that would advertise the
reception of ARF reports, or a special mailbox standard on all MTAs to accept ARF
reports. We have postmaster and abuse, why not ARF?

Or maybe send this ARF report to a DNSBL service? After authentication, it
would place the original sender in a DNSBL, stopping others from receiving
further infected emails.

Cheers
----- Original Message -----
From: "Chris Lewis" <clewis(_at_)nortel(_dot_)com>
To: "Anti-Spam Research Group - IRTF" <asrg(_at_)irtf(_dot_)org>
Sent: Friday, 16 January, 2009 9:17:31 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] Meta channel, not bounces
Alessandro Vesely wrote:

> Chris said their filter is not able to distinguish viruses from
> generic malware.

That should be read to mean "not in general", as opposed to "never".

> Having an appropriate error message is not enough. It is also
> necessary to deliver that message to the right operator.

Thus becoming a DDOS vector.

> Some large sites have established feedback loops whereby a message is
> "bounced" to some postmaster. Apparently, they are mainly meant for
> "this is spam" actions. However, the ARF format (quite similar to DSN)
> provides fields for reporting bad DKIM signatures. I don't know at
> what level such bounces could be generated. It is technically possible
> to generate them right after the data transfer, just like for viral
> content. If we recognize that viruses are a problem, don't they
> deserve using that meta channel as well? This leaves us wondering how
> such a meta channel can be established for small and medium sites as
> well...

Thus becoming a DDOS vector.

Went through this conversation on another list recently.

It is technically possible (in fact trivial in many cases) to instrument
an MTA to automatically generate and send ARF in real time. Even
assuming that the MTA can figure out the _right_ place to send the ARF,
it becomes a WMD.

Imagine, if you will, everybody did it. Some moderately sized site gets
a reasonably prolific (single) infection, and spews out a few million
viruses. You're expecting the site's MTAs to handle a few million ARFs,
when only one _should_ suffice.

If broadly implemented, it'd cause global meltdown.

God help us all if the site receiving the ARF somehow doesn't recognize
it as ARF, and replies with its own ARFs. Or, if the virus writer
figures out a way to get the ARF generators to send it to the wrong
place - believe me, they'd be trying...

ARF is good stuff. But only insofar as there are limitations on how it's
emitted/deployed.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
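As an added example (not from the thread or from any of its participants), a Python sketch of the kind of limitation the thread asks for: an MTA-side throttle that collapses an outbreak of many detections into one report per destination and feedback type per window, plus a guard so that an incoming ARF report is never answered with another ARF. The destination address, the one-hour window and the sample message are constructed for illustration.

```python
"""Throttled emission of automated ARF (RFC 5965) feedback reports.

Constructed example: at most one report per (destination, feedback type)
per window, later hits only counted and folded into the next report, and
no report ever generated in response to a message that is itself an ARF
report (loop guard).
"""
from collections import defaultdict
from email import message_from_string
from typing import Dict, Optional, Tuple

WINDOW_SECONDS = 3600.0  # assumption: one report per destination/type per hour


class ArfThrottle:
    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self._last_sent: Dict[Tuple[str, str], float] = {}
        self._suppressed: Dict[Tuple[str, str], int] = defaultdict(int)

    def observe(self, dest: str, feedback_type: str, now: float) -> Optional[dict]:
        """Return a report summary if one should be emitted now, else None."""
        key = (dest, feedback_type)
        last = self._last_sent.get(key)
        if last is not None and now - last < self.window:
            self._suppressed[key] += 1  # outbreak in progress: count, don't send
            return None
        incidents = self._suppressed.pop(key, 0) + 1  # fold suppressed hits in
        self._last_sent[key] = now
        return {"to": dest, "Feedback-Type": feedback_type, "Incidents": incidents}


def is_arf_report(raw_message: str) -> bool:
    """True if the message is itself an ARF report; such messages get no reply report."""
    msg = message_from_string(raw_message)
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "feedback-report")


# Constructed sample: an incoming ARF report that must never trigger a counter-report.
SAMPLE_ARF = (
    "From: abuse@example.org\r\n"
    'Content-Type: multipart/report; report-type=feedback-report; boundary="b"\r\n'
    "\r\n--b\r\nContent-Type: text/plain\r\n\r\nThis is an abuse report.\r\n--b--\r\n"
)


def simulate_outbreak(n_hits: int, throttle: ArfThrottle, spacing: float = 0.01) -> list:
    """n_hits virus detections from one source, spacing seconds apart; returns the ARFs emitted."""
    sent = []
    for i in range(n_hits):
        report = throttle.observe("abuse@example.net", "virus", now=i * spacing)
        if report is not None:
            sent.append(report)
    return sent
```

With 100,000 detections inside one window the throttle emits a single report, and the first report after the window carries the suppressed count rather than triggering 99,999 further messages.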