ietf-mxcomp

Re: draft-schlitt-spf-classic-01.txt

2005-06-07 18:59:56

Alan, I think you misremember. And looking at www.striker.ottawa.on.ca just
now, I see you've been subject to reverse ping floods as well.  The
reverse attacks you describe are most telling. These happen when people
send pings with your IP address as the ICMP source IP address. That's why
you get people calling up and saying "your machine is attacking me". They
just see the source IP address in the ICMP packets.  But in fact, those
packets originate from the botnet machines. The same ones attacking your
SMTP port. That's what botnets do.

Your "spam" problem was first reported in January 2002:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Date: Wed, 30 Jan 2002 10:53:15 +0000 (UTC)
From: Miquel van Smoorenburg <miquels@cistron.nl>
Reply-To: freeradius-devel@lists.cistron.nl
To: freeradius-devel@lists.cistron.nl, 
freeradius-users@lists.cistron.nl
Subject: Re: Private email to me


In article 
<E16VbDR-0004vJ-00@giles.striker.ottawa.on.ca>,
 <aland@striker.ottawa.on.ca> wrote:
 I am no longer accepting private email to my 'striker.ottawa.on.ca'
domain.  For reasons why, see:

 http://www.striker.ottawa.on.ca/

 The domain is on *all* of the spam lists from what I can tell, and
is receiving 400K+ spam emails a day.  Even dropping the connection
after the "RCPT TO", and not accepting the message body, it's still
too much.  The spam is using 10Mbytes per HOUR of bandwidth, which I
can't afford.
[...]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++



This early exchange was significant:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
So, Alan: Who have you annoyed?

  Lots of people, I think.  I've had the domain since 1996, or so.
I've always been vocal and opinionated.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++


See http://www.striker.ottawa.on.ca/

Other messages of the time noted that back then this IP was hosted with
Ottawa Carleton Unix Corp (AS26227). I see it's currently with UUnet. 

BTW, A medium sized ISP with perhaps 20,000 users receives about 400,000
messages per day (spam and ham). Probably should have a T3 or OC3 for that
kind of volume. 

A medium sized colo center would host several hundred such domains as
striker.ottawa.on.ca. A virtual host center would probably have several
dozen to perhaps a hundred+ domains on a single machine.  Plainly, neither
a colo nor a virtual host datacenter is going to be able to handle 400K PER
DAY, PER obscure DOMAIN.

It is simply not credible to say that 400K messages per day is normal for
an obscure (no offense) one-person domain: It's an attack. There are other
ICMP-based attacks on your personal domain as well. In other messages
you describe hundreds or perhaps thousands of hosts doing this. You aren't
the first person to experience such attacks. You're just the first person
to claim (rather obstinately) that they aren't one (or a few users 
with a botnet) as this quote shows:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
  And the IP address of *my* machine has changed, along with all of
its upstream providers.

  The issue *is* really that there are lots of different spammers
attacking me.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

While you _insist_ that spammers are just routinely spamming you with an
aggregate 400K messages per day, there is no credible reason to think
that. Instead, you are tangling with a botnet.  See
http://grc.com/dos/grcdos.htm for an interesting read on botnet attacks.
And yes, they do "spam"/"mailbomb" you.

There are successful strategies for dealing with botnet attacks. GRC is
one interesting way, reporting abuse is another. Reporting abuse
eventually costs them bots, and that causes them to risk getting caught,
and causes them to lose resources (in the form of bots).  Your way, of
trying to pursue anti-spam techniques, isn't one of the successful
strategies.

There is no help for you in SPF.  If you get 400K messages per second
without SPF, you will still get 400K with SPF. As you pointed out in 
November, 2002:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
  The bandwidth number I quoted in my previous email worked out to
~2-5 gigabytes a month, for:

EHLO . . . 
MAIL FROM: spammer
RCPT TO: no-such-user@striker.ottawa.on.ca
<hangup>

  If the messages had been delivered, the total data transferred would
go up by a factor of 10-100 times.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

SPF isn't going to reduce that. Banning spam isn't even going to reduce
that: It isn't commercial spammers doing this. In fact, __nothing__ other
than tracking down the botnets will reduce that.

                --Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000
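
The two factual questions argued over above, whether the reject stream comes from a few senders or from a great many hosts, and what a session dropped after RCPT TO actually costs on the wire, can both be checked from a mail server's own logs. The following is an added example, not code from the original post or from any of the people quoted in it. The Postfix-style log lines, the client addresses, the server reply text, the per-segment TCP/IP overhead of 40 bytes and the "top-3 carry 80%" threshold are all constructed assumptions for illustration; the bandwidth figures it produces are estimates of the same kind as the ones quoted in the thread, not measurements.

```python
"""Added example (not part of the original post): two checks a mail
operator could run over the evidence argued about above.

1. Are RCPT-stage rejects spread across many client hosts (the botnet
   pattern) or concentrated in a few senders?
2. What does a session dropped after RCPT TO cost on the wire, and how
   much more would full delivery cost?

Log format, host addresses, reply sizes and thresholds are constructed
assumptions for illustration, not measurements from the post.
"""
import re
from collections import Counter

# --- 1. Distributed vs concentrated reject sources -------------------------

def make_log(ips):
    """Build constructed Postfix-style reject lines for the given client IPs."""
    return "\n".join(
        f"Jun  7 18:00:{i:02d} mx smtpd[1]: NOQUEUE: reject: RCPT from "
        f"unknown[{ip}]: 550 5.1.1 <u{i}@striker.example>: User unknown"
        for i, ip in enumerate(ips)
    )

# Constructed samples: one burst from many hosts, one from two hosts.
DISTRIBUTED_LOG = make_log([
    "192.0.2.10", "198.51.100.7", "203.0.113.44", "192.0.2.11",
    "198.51.100.8", "203.0.113.45", "192.0.2.10", "198.51.100.9",
])
CONCENTRATED_LOG = make_log(["192.0.2.10"] * 6 + ["198.51.100.7"] * 2)

REJECT_RE = re.compile(r"reject: RCPT from \S+?\[(?P<ip>[0-9.]+)\]")

def rejects_by_source(log):
    """Count RCPT-stage rejects per client IP address."""
    return Counter(m.group("ip") for m in REJECT_RE.finditer(log))

def top_share(counts, n):
    """Fraction of all rejects coming from the n busiest client IPs."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(n)) / total

def classify(counts, n=3, threshold=0.8):
    """'concentrated' if n hosts carry >= threshold of the load (a few
    senders you could block or report individually); otherwise
    'distributed' (many hosts, each sending a little: the botnet pattern).
    n and threshold are illustrative; tune them to the site's volume."""
    return "concentrated" if top_share(counts, n) >= threshold else "distributed"

# --- 2. Cost of a session dropped after RCPT TO ---------------------------

CRLF = 2
TCP_IP_OVERHEAD = 40   # assumed IPv4 + TCP header bytes per segment, no options

def rejected_dialogue_bytes(helo="EHLO relay.example",
                            mail_from="spammer@example.org",
                            rcpt_to="no-such-user@striker.example"):
    """Approximate bytes on the wire for EHLO / MAIL FROM / RCPT TO / hangup.
    The server reply text, one segment per line, plus handshake and
    teardown segments, are assumptions for illustration."""
    client = [helo, f"MAIL FROM:<{mail_from}>", f"RCPT TO:<{rcpt_to}>"]
    server = ["220 mx.striker.example ESMTP", "250-mx.striker.example",
              "250 8BITMIME", "250 2.1.0 Ok", "550 5.1.1 User unknown"]
    payload = sum(len(line) + CRLF for line in client + server)
    segments = 3 + len(client) + len(server) + 2   # SYN/SYN-ACK/ACK, data, FIN/RST
    return payload + segments * TCP_IP_OVERHEAD

def monthly_gigabytes(attempts_per_day, bytes_per_attempt, days=30):
    """Monthly transfer for a steady stream of rejected attempts."""
    return attempts_per_day * bytes_per_attempt * days / 1e9

def delivery_multiplier(avg_message_bytes, bytes_per_attempt):
    """How many times more traffic accepting the DATA phase would cost."""
    return (bytes_per_attempt + avg_message_bytes) / bytes_per_attempt

if __name__ == "__main__":
    for name, log in [("distributed", DISTRIBUTED_LOG),
                      ("concentrated", CONCENTRATED_LOG)]:
        counts = rejects_by_source(log)
        print(f"{name}: {len(counts)} hosts, top-3 share "
              f"{top_share(counts, 3):.2f}, verdict {classify(counts)}")
    per_attempt = rejected_dialogue_bytes()
    print(f"rejected session ~{per_attempt} bytes; 400K/day -> "
          f"{monthly_gigabytes(400_000, per_attempt):.1f} GB/month")
    for size in (5_000, 50_000):
        print(f"{size}-byte messages delivered: "
              f"x{delivery_multiplier(size, per_attempt):.0f}")
```

Run against a real Postfix log, the first part tells you whether blocking or reporting a handful of addresses could help, or whether the load is spread over so many hosts that per-source measures are hopeless. The second part shows why the RCPT-stage reject is the cheapest point to drop the session: with the assumed segment overhead, 400K rejected attempts a day lands in the single-digit gigabytes per month that the thread quotes, and accepting 5 KB to 50 KB message bodies would multiply that by roughly 8 to 70 times.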