
Problems with CBV, a discussion document

2005-07-01 05:40:05

Problems with CBV

Two days ago I wrote that I liked the idea of CBV, but rethinking it, I am not 
so fond of it anymore. This is a public open discussion document, and if you 
want to disagree with me, please do so.

Definitions used in this document:

SenderA -> Mail from:<senderA@domain1.tld>

MTA1 -> MTA that receives emails sent to SenderA.
The MX records of domain1.tld point to this MTA.

MTA2 -> MTA that sends the email to be checked to MTA3

MTA3 -> MTA that does the call back testing

First remark:
MTA1 doesn't have to be the same MTA as MTA2.
As a matter of fact it mostly isn't.

Second remark:
SPF classic tries to answer if MTA2 can be used to send emails from domain1.tld.

The first problem is: what questions does CBV really answer?

CBV only answers the questions:
Does MTA1 accept email for SenderA?
And with the latest add-on (try to send an email to a fake email address):
Is MTA1 some kind of open relay?

What CBV doesn't answer:
- Did this email come from SenderA?
- Is SenderA a spammer?
- Is MTA2 an open relay? (except if MTA2 == MTA1)
- And other questions (please add)

This has the consequence that CBV is easily fooled.
It is as easy as forging the "mail from" to a real email address: any 
"Postmaster@any-company.com" or 
"postmaster@any-organisation.org" will do.

This will also result in many false negatives
(emails that are spam but not recognised as such).

Crashing SMTP

Anti-spam rules are built on the implicit assumption that the whole email can 
be forged: "do not rely on anything that somebody else has tested".
This implies that you cannot trust headers like

"X-virustest: this email is absolutely free from viruses, I know I am one"
"X-Spamtest: This email is not spam, I know I wrote it all by hand (the 
mass-mailer I mean)"

This also means that a test has to be redone every time an e-mail crosses over a 
system boundary.
I do not define the concept of system boundary, but it does imply that a test 
has to be done more than once.
Counting for virus scanning showed me that a virus-free email was checked seven 
times before it reached its destination unscathed.
For the simplicity of the discussion let's assume that a CBV test is done three 
times during the transport from mail client to final MDA.

This means that for every proper email there will be three call backs to MTA1.

These calls come from different MTAs and this can result in a DoS attack on 
MTA1, because none of this can be cached.
Resolving this duplicate call scenario by adding a special header to the email 
will not work; the only way to be sure of a CBV check is to do the CBV check 

In IP load:
A typical CBV test will need about 30 IP datagrams. (PS: this is only an 
informed guess; I will accept better guesses.)

So for one email three tests will have an extra load of 90 IP datagrams.
That doesn't look like much, but compared with other spam countermeasures it is 
an enormous amount.
Even SPF is argued to cause DoS attacks and SPF only uses between 2 and 20 
And for SPF the DNS records can be cached; for CBV they cannot.

This is mainly because other systems use the UDP protocol and DNS records, 
while CBV uses the TCP protocol and SMTP sessions, which both have a big overhead.

So CBV will work on a small scale, but as soon as it is used on a grand scale 
it will result in a denial of service.

Where does this lead us:
CBV is not able to answer the important question:
Is this email SPAM?
If CBV is used by many it will result in a DoS attack on MTA1.
CBV is easily fooled.

So for a while it will stop some spam, but in the long run it will not work and 
it will ruin the email structure.

Hoping for a fruitful discussion.
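
Added example, not part of the original post: a network-free Python model of the callback dialogue the post describes. `SimulatedMTA1`, `cbv_check`, `deliver` and the host names are hypothetical names chosen here, and the addresses are constructed from the post's placeholders. It shows that the verdict depends only on whether MTA1 accepts the envelope sender, and it counts the sessions MTA1 has to serve when three boundaries each repeat the test.

```python
# Constructed model of a CBV dialogue; names are hypothetical, no network is used.
import secrets

class SimulatedMTA1:
    """Stands in for the MX of domain1.tld and counts callback sessions."""
    def __init__(self, mailboxes, accept_all=False):
        self.mailboxes = {m.lower() for m in mailboxes}
        self.accept_all = accept_all
        self.sessions = 0

    def session(self, commands):
        """Answer one SMTP session; returns a list of (command, reply) pairs."""
        self.sessions += 1
        replies = []
        for cmd in commands:
            verb = cmd.split()[0].upper()
            if verb == "RCPT":
                rcpt = cmd[cmd.index("<") + 1:cmd.index(">")].lower()
                known = self.accept_all or rcpt in self.mailboxes
                reply = "250 OK" if known else "550 No such user"
            elif verb == "QUIT":
                reply = "221 Bye"
            elif verb in ("HELO", "MAIL"):
                reply = "250 OK"
            else:
                reply = "500 Unrecognised command"
            replies.append((cmd, reply))
        return replies

def cbv_check(mta1, envelope_from):
    """MTA3's test: null-sender probe of envelope_from, then a fake address."""
    domain = envelope_from.rsplit("@", 1)[1]
    fake = f"cbv-{secrets.token_hex(8)}@{domain}"  # the "latest add-on" probe
    dialogue = mta1.session([
        "HELO mta3.example", "MAIL FROM:<>",
        f"RCPT TO:<{envelope_from}>", f"RCPT TO:<{fake}>", "QUIT"])
    if dialogue[3][1].startswith("250"):
        return "accepts-everything"
    return "pass" if dialogue[2][1].startswith("250") else "fail"

def deliver(mta1, envelope_from, sending_mta, hops=3):
    """Every boundary repeats the test; sending_mta is never consulted by CBV."""
    return [cbv_check(mta1, envelope_from) for _ in range(hops)]

if __name__ == "__main__":
    mta1 = SimulatedMTA1(["senderA@domain1.tld", "postmaster@domain1.tld"])
    print(deliver(mta1, "senderA@domain1.tld", "mta2.example"))
    print(deliver(mta1, "postmaster@domain1.tld", "other-host.example"))
    print("sessions served by MTA1:", mta1.sessions)
```

Both deliveries produce the same three verdicts although only the first comes from a host related to domain1.tld, and MTA1 serves six sessions for two messages.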
