
Re: Introduction and query

2003-02-10 16:27:21
On Mon, 10 Feb 2003 10:41:05 PST, Adonis El Fakih said:

Max email size 30k which means message >= 30 will pass to be delivered content, if as we receive it the counting algorithm hits 35k, the message is dropped) this is the difference. We asked the mailer to be honest, if they do not, we drop the message. So if they want a message to pass they have to be bound by the of the public policy.

This is already provided by the ESMTP SIZE extension.

You keep saying that spammers will lie in their classification, and of they will do that. The certificate will tell us what they have been doing on other sites,

There's privacy issues and traffic-analysis threats here.

Actually, if you think really hard about it, you'll realize that this *really* stop fake FROM - all it does is make the spammer use a FROM address that happens to point to a server he controls.

Actually it does, since that host has to be explicitly on the outgoing mail list for the domain. Let us assume we have 100 servers within our network, as a system admin I can assign 4 of them to be used for outgoing mail i.e. MHFs. The chances of someone hacking onto other non-attended hosts is much higher than the ones the admin controls. Also in the case of it can be pinpointed to the specific host within the domain.

And in your model, it doesn't matter, because the other 96 hosts will be configured to forward all their mail to the 4 that are MHFs.  So all a spammer needs to do is find an open formmail or proxy, and use that to inject mail with a forged MAIL FROM:<whatever@victim.dom>, and let its MHFs do the work for it.

We use this technique today in one of the products we use, where it slows down the spammer incrementally, but still does not work. Many professional spammers will have a whole C block and use them randomly to overcome settings made based on

Which is why the next paragraph said "from a given /24".. ;)

Which is fine, but his category listing and "honesty" ratings are also low, so they will have to pay higher rates for mail delivery.

Be careful here that you don't make e-mail too expensive for small sites.

- One time IP, used to post the millions of messages and then goes offline. In AMDP the domain has to be within the outgoing mail scheme of the domain, and must stay online so we retrieve the message. Spewing out a million messages only sends out a million envelopes, not the messages. If they want to make some cash they will need to stay online to serve those messages.

And the majority of recipients will try to fetch it right away or fairly soon,
so all they need is another (or even the same IP) address online to catch the
inbound connections, and a DNS entry to point them there.

- If it is a hijacked MHF once notified the admin can drop the message from queue, and the damage is controlled at his end.

Oh, so you're expecting the MHF admin to fix the problem, when these are
probably going to be the same servers that have been open SMTP relays for

I disagree about these figures, most of the mail I receive today uses fake host names, fake mail froms, open relays, fresh relays set up by the spammers over the world. They use cheap ISP accounts in Brazil, Russia, south middle east, Canada, Japan, Korea, etc..

OK... open relays?  See above comment about MHF servers not being closed.

Fresh relays set up by spammers?  Hmm.. if they can set up a relay,
they can set up a DNS pointer.

Cheap ISP accounts? The ISP will provide a MHF for you.

You're not really addressing the real problems here.

You are relying on a third party to do the blocking here. Why should it not be part of the design?? Not everyone has a firewall, and if someone wants to go around it then they can.

Umm.. No.  You're talking about *OUTBOUND* mail here - and if *YOUR* firewall
isn't able to stop outbound SMTP that you don't filter, why do you expect it
to stop outbound AMDP?

Once you know that an email is coming from domain A and no one else, then we can go to a third party (that is paid by domain A to be their certificate manager) and check if they are within the category they claim to be. So if domain A claims to be XY category and ends up being ZZ using some smart filters, then we can the abuse to the manager of the certificate and they update the category based on feedback not only from me, but based on reports received from other AMDP sources.

*BZZT* Wrong, but thank you for playing.  This is called a "paid endorsement"
and is usually about as valid as a sports figure endorsing a brand of life
insurance.  There's no reason to assume that a registrar hired by the
spammer will tell you the truth....

And remember that even Verisign has been caught spamming.  Think about that. ;)

You want to be asking a third party that *YOU* pay to give you good advice,
or at least some third party you can reasonably trust to be neutral...

I asked this to myself. In SMTP the message goes one way, regardless if message is good or bad, however in most cases spam overshadows the good mail. By doing the extra handshake I achieve the following.
1. I am forcing the sender to be online to tell me that indeed they sent me a message

If the spammer can be online to send the message, they can have a second
server online as well.

2. I am asking the sender to have that message ready for later pickup

Be careful what you ask for, you may receive it. ;)

Do you think many users will actually *ASK* for "don't bother picking it
up for at least 2 hours"?

Also, note that if the spammer is making a very large run, they'll be online
for a few days doing it, so the chances of them being gone when you call back
aren't that high.

Also now they can truly know which message was read, and by whom, and on creating a business geared on the users, and not random mailings to no end..

Read section 6.2 and 6.3 of RFC2298 (Message Disposition Notifications), which
discusses the security implications of this sort of service.

You may also want to ponder the statistics produced by the guys over at - they believe that 90% of the spam in the US is the result of a small group of 100 to 150 individuals.

That's all the commentary for now, it's been a long and ugly day (nothing
like a print server misbehaving to make your day ;)


