On Fri, Dec 07, 2012 at 08:50:03PM -0000, John Levine wrote:
SMTP callbacks are one of those bad ideas that just won't go away.
They're quite abusive (consider the 95% of mail that is spam with
someone else's return address) and don't work, since your idea of what
I should say in response to your MAIL FROM and RCPT TO commands is
probably not the same as my idea of what I actually do say.
+1
And:
Callbacks enable DDoS-by-proxy attacks. [1]
And they violate a fundamental principle of network abuse mitigation:
never deal with bad traffic by generating more traffic, it doesn't scale.
Moreover: even if they worked perfectly, they'd still have no anti-spam
value. Knowing that an address is valid tells you nothing about the
intentions of either (a) its putative owner or (b) the current owner,
who, as we know, are often not the same entity.
---rsk
[1] Consider, as one scenario out of many possibilities: the target
is example.net. Attacker registers example[1-500].info. Attacker sets
MX for all 500 of those domains to the MX for example.net. Attacker uses
50K bots to open 10 simultaneous connections each to 500K distinct MX's
for other domains. All 500K of those MX's look at putative sender (e.g.,
user456(_at_)example123(_dot_)info), look up MX for that domain (which is of
course
the MX for example.net), open up a connection to it to do a callback...
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg