[Top] [All Lists]

Re: NDNs considered harmful

2010-08-12 19:53:22

Rich Kulawiec wrote:
On Thu, Aug 12, 2010 at 12:58:51PM -0400, Hector Santos wrote:
In our implementation, we use CBV (Callback Verification) and this

This should never be used; it enables spammers to bypass security
measures, it facilitates DoS/DDoS attacks, and it's easily gamed.
We've known this for most of a decade; figured it out when we watched
Verizon deploy it and promptly get used to target third parties.
See the archives of spam-l for copious discussion and analysis.


The valid return path is a SMTP requirement and it MUST be valid at the time it is issued by the sender. Testing it is a VALID option to perform for the simple reason ERROR REPORTING is a required possibility. It must not be invalid.

Implemented a CBV correctly, its works extremely well. Ours has a unique OPEN RELAY test which tries a 2nd bad RCPT TO with a bad remote domain. If the host accepts it, its a CBV failure and the original transaction is rejected.

Just today our small support site had over 500 CBV rejections of bad return paths - that is 500 possible errant Bounces that did not have to be perform.

None of our customer installations have seen DoS/DDoS due to this which is an separate issue dealt with connection and session balancing and limits. I don't see how it allows spammers to bypass security measures. It can however, make them more compliant - a valid return path is a SMTP requirement, not a MAYBE, not a COULD be valid later or tomorrow - but at the time it is provided. Not doing so puts pressure on the system, which is something we try to alleviate by filtering SMTP non-compliant clients.


Hector Santos