
Re: [Asrg] Software bashing [mostly OT, but on at the end]

2009-01-24 07:34:38
On Fri, Jan 23, 2009 at 04:01:39PM -0800, SM wrote:
> Now what happens to all the small businesses that use MS-Exchange to
> send email?
>
> Either you discriminate against them and lose business or else you
> combine your fingerprinting with other heuristics to reduce its effect.

Exactly what I've done in some cases -- after observing something about
patterns of inbound mail on many different mail servers: in almost all
cases, the number of sources for mail (excluding spam-only sources)
is surprisingly small.  (Spare me the counterexamples, I already know
about them.)  If that number is weighted by message count, then the
resulting graph is pretty lopsided.

This means that it's actually reasonable to consider enumerating the
primary sources of mail and treating them differently.  In one setup
that I built, logs were analyzed to determine the top senders, who,
combined, accounted for 92% of all mail the site received.  Those top
sending networks were then presented with a DNS view that specified
a different MX order from the rest of the world, with the top MX's
configured with a firewall that only permits connections from those
senders.  They've also got greylisting turned off, and they don't impose
OS-specific rate limiting.

What happens if someone else grabs this DNS view and tries to hit
the "private" MX's?  They can't: firewall.  What happens if one of
those known sending sites starts using a different network allocation?
Then they get the same DNS view as the rest of the world, which specifies
the "public" MXs, for lack of a better term, and their mail still gets
through: just not as quickly and with more scrutiny.  But: since all
the logs are post-processed every day, and part of that post-processing
includes looking for exactly this situation, when it happens the DNS
view and firewall config will be updated to track the change, and soon
thereafter they'll be back to delivering to the "private" MX's.  (What
happens if they have their old DNS view but are sending from a new network?
They step through the MX list until they find the "public" ones.)

This kind of split-view essentially provides two tiers of mail service:
the "we know who you are" tier, and the "you look like a stranger" tier.
It requires detailed knowledge of mail traffic patterns, but IMHO anyone
running a mail server should already have that.  One of the nice things
about it is that it allows resources to be allocated where they're most
needed -- on the servers that will handle most of the real mail traffic,
as opposed to fending off abuse.

This isn't a new idea; I think possibly the only thing I added to it
was the use of passive OS fingerprinting on the "public" MX's, and in
practice, that's turned out not to be particularly needed because of
all the other blocking enabled on those.

---Rsk
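The daily log post-processing Rsk describes (rank inbound sources, pick the set that carries about 92% of volume, and notice when a known sender turns up from a new network) can be sketched in a few functions. The following is an added example, not code from the post or from any ASRG participant. It assumes Postfix-style "connect from host[ip]" log lines, aggregates sources to /24 networks, identifies a sending site by the registered domain of its reverse-DNS name (a simplification), and emits the allow-list as a BIND 9 `acl` block that a split view could use in `match-clients`; the partner names, addresses and counts are constructed so the top three networks land on the 92% figure the post quotes.

```python
"""Rank inbound SMTP sources and spot known senders arriving from new networks.

Added example (not from the original post). Assumptions: Postfix-style
"connect from host[ip]" log lines, /24 aggregation, rDNS registered domain
as the sender's identity, BIND 9 acl syntax for the DNS-view allow-list.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: (rDNS name of connecting host, IP, connection count).
# Hypothetical partners; counts chosen so the top three /24s carry 92%.
SAMPLE_SOURCES = [
    ("mail.partner-a.example", "192.0.2.10", 50),
    ("mx.partner-b.example", "198.51.100.7", 30),
    ("smtp.partner-c.example", "203.0.113.22", 12),
    ("mx.partner-b.example", "100.64.1.5", 1),   # partner-b from a new block
    ("unknown", "198.18.4.4", 3),                # stranger tier, no rDNS
    ("relay.other.example", "198.18.9.9", 2),
    ("unknown", "198.19.1.1", 2),
]

CONNECT_RE = re.compile(r"connect from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]")


def build_sample_log():
    """Expand SAMPLE_SOURCES into constructed Postfix smtpd log lines."""
    lines, n = [], 0
    for host, ip, count in SAMPLE_SOURCES:
        for _ in range(count):
            n += 1
            lines.append(f"Jan 23 10:{n // 60:02d}:{n % 60:02d} mx2 "
                         f"postfix/smtpd[{1000 + n}]: connect from {host}[{ip}]")
    return "\n".join(lines)


def parse_connections(log_text):
    """Return one (host, /24 network) pair per 'connect from' line (IPv4 only)."""
    conns = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            net = ipaddress.ip_network(f"{m['ip']}/24", strict=False)
            conns.append((m["host"], net))
    return conns


def rank_networks(conns):
    """Networks ordered by connection count, most active first."""
    return Counter(net for _, net in conns).most_common()


def select_known_networks(ranked, target_pct=92):
    """Smallest top-N prefix of ranked networks reaching target_pct of volume.

    Integer arithmetic avoids a float comparison missing an exact 92%.
    Returns (networks, achieved percentage).
    """
    total = sum(count for _, count in ranked)
    chosen, cum = [], 0
    for net, count in ranked:
        chosen.append(net)
        cum += count
        if cum * 100 >= target_pct * total:
            break
    return chosen, cum * 100 // total


def sender_domain(host):
    """Registered domain (last two labels) of an rDNS name; None for 'unknown'."""
    if host == "unknown":
        return None
    return ".".join(host.rstrip(".").split(".")[-2:])


def find_moved_senders(conns, known_networks):
    """Known senders (by rDNS domain) seen connecting from outside known networks.

    These are the sites the post's daily post-processing looks for: the DNS
    view and private-MX firewall need updating so they return to the fast tier.
    """
    known_domains = {sender_domain(h) for h, n in conns if n in known_networks}
    known_domains.discard(None)
    moved = defaultdict(set)
    for host, net in conns:
        domain = sender_domain(host)
        if domain in known_domains and net not in known_networks:
            moved[domain].add(net)
    return {d: sorted(str(n) for n in nets) for d, nets in moved.items()}


def render_bind_acl(name, networks):
    """BIND 9 acl block listing the known networks, for use in match-clients."""
    body = "\n".join(f"    {net};" for net in networks)
    return f'acl "{name}" {{\n{body}\n}};'


if __name__ == "__main__":
    conns = parse_connections(build_sample_log())
    known, share = select_known_networks(rank_networks(conns))
    print(f"{len(known)} networks carry {share}% of inbound connections")
    print(render_bind_acl("known-senders", known))
    print("known senders seen from new networks:", find_moved_senders(conns, set(known)))
```

The `acl` output is meant to feed a `view` whose `match-clients` is the known-sender list and whose zone hands back the private MX order; the same networks become the firewall allow-list on those MXs, and `find_moved_senders` is the daily check that tells you when both need updating.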