Problems with CBV
Two days ago I wrote that I liked the idea of CBV, but re-thinking it i am not
so fond of it anymore. This is a public open discussion document and if you
want to disagree with me please do so.
Definitions used in this document:
SenderA -> Mail from:<senderA(_at_)domain1(_dot_)tld>
MTA1 -> <MTA that receives emails send to senderA.
the MX records of domain1.tld points to this MTA.
MTA2 MTA that sends the email to be checked to MTA3
MTA3 MTA that does the Call back testing
First remark
MTA1 doesn't have to be the same MTA as MTA2.
As matter of In fact it mostly isn't.
Second remark
SFP classic tries to answer if MTA2 can be used to send emails from domain1.tld
The first problem is: what questions does CBV really answer?
CBV only answers The questions:
Does MTA1 accepts email for SenderA?
And with the latest add-on (try to send an email to a fake emailaddress)
Is MTA1 some kind of open relay?
What CBV doesn't awnser
- Did this email come from SenderA?
- Is SenderA a spammer?
- Is MTA2 an open relay? (except if MTA2 ==MTA1)
- And other questions (please add)
This has the consequence that CBV is easely fooled.
It is as easy as to forge the "mail from" to a real emailaddress: any
"Postmaster(_at_)any-company(_dot_)com" or
"postmaster(_at_)any-organisation(_dot_)org" will do.
This will also results in many false negatives.
(emails that are spam but not recognised as such)
Crashing SMTP
Anti spam rules are build on the implicit assumption that the whole email can
be forged "do not rely on anything that somebody else has tested".
This implies that you can not trust headers like
"X-virustest: this email is absolutly free from virusses, i know i am one"
"X-Spamtest: This email is not spam i know i wrote it all by hand,(the
mass-mailer i mean) "
This also means that a test has to be redone every time a e-mail crosses over a
system boundary.
I do not define the concept of system-boundary but it does imply that a test
has to be done a more than once.
Counting for virusscanning showed me that an virusfree-email was checked seven
times before it unscratched reached it destination.
For the simplicity of the discussion lets assume that a CBV test is done three
times during the transport from mail-client to final-MDA.
This means that for every proper email there will be three call backs to MTA1.
These calls come from different MTA's and this can resolve in a DOS attack on
MTA1, because non of this can be cached.
Resolving this duplicate call scenario by adding a special header to the email
will not work, the only way to be sure of an CBV check is to do the CBV check
again.
In IP load
a typical CBV test will need about 30 IP datagrams. (Ps this is only an
informed guess, i will accept better guesses)
So an for one email three tests will have an extra load of 90 IPdatagrams.
That doesn't look much but comparing it with other spamcounter measures it is
an enormous ammount.
Even SFP is argued to cause Dos attacks and SFP only uses between 2 and 20
datagrams.
And for SFP the DNS records can be cached for CBV they cannot.
This is mainly becaurse other systems use the UDP protocol and DNS records,
while CBV uses TCP protocol and SMTP sessions that both have a big overhead.
So CBV will work on a small scale but as soon as its is used in a grand scale
it will resullt in a denail of service.
Where does this leads us:
CVB is not able to answer the importand question:
Is this email SPAM?
If CBV is used by many it will result in a DoS attack on MTA1
CBV is easely fooled,
So for a while it will stop some spam, but in the long run it will not work and
it will ruin the email structure.
Hoping on a fruitful discussion.