Re: [ietf-smtp] [Shutup] Levels of proposals
2015-12-03 20:00:13
On 12/03/2015 07:36 PM, Brandon Long wrote:
The WG proposal seems to imply taking all IPs out. The discussion has
mostly been about submission.
The draft has been mostly about submission, but there have been some
conversations about internals. I've seen auditors bring up points about
obscuring internals (corporate context, it's one of their checkoff 10
commandments), but, we managed to convince them that ease of diagnosing
problems outweighed the downsides.
Before getting too far into concrete proposals, we still need to decide
whether it should be done, and what (if anything) should be done in
mitigation.
That said:
Submission IPs seem like the largest level of risk, and from my gross
understanding of anti-spam, pretty minor.
Yes, and no... It depends on how you use/acquire them, this is a fairly
complex/esoteric end of spam filtering, and just doing it justice would
take up pages of text. I'll try to short cut - purely from a filtering
but not-ML perspective:
Using them:
If you have a list of IPs known to be infected with AUTH-cracking
spambots, it's of immediate/valuable use to both the MSAs themselves in
detecting malicious injects, as well as the recipient's filtering, and
header forgery is not an issue (certainly not to MSAs, and headers that
forge collisions with the list you don't want anyway).
The potential yields are huge - ISPs (using a list we create of 2.2M IPs
demonstrably capable of AUTH-cracking) can see botnet suppression rates
at the MSA of 80% (of all submissions) or even higher, depending on the
spam/botnet de-jour. In just one case it's in the 1000+/second range.
Some of these botnets are very very prolific per IP.
Which boils down to the MSAs being able to stop it at source, or the
receivers being able to stop it at destination. If a significant
fraction of MSAs stopped it at source, then, maybe, the MSA Received
line isn't important. But where they don't (the majority), losing the
MSA Received line is potentially a big hit.
Obtaining them:
Obviously, someone trying to authenticate to you and is demonstrably
infected isn't spoofable. That yields the vast majority of our list.
On a case-by-case basis with specialized knowledge it is possible to
derive trustworthy infected submission addresses from received lines.
Yes, actually, it really is. Useful, but not terribly significant (or
at least how far we've followed that rathole).
By eliminating MSA received clauses, it means that only the MSA can do
blocking based on this technique, the receivers can't.
On one server, in a 40 minute interval, 774123 out of 1126763
connections were AUTH spoofing from just one particular botnet. That's
775,000 spams that ordinary receivers couldn't filter via IP if the from
clauses disappeared.
Also, if the previous thread's list of large MSPs inclusion of
submission IPs is correct, then >2 out of the top 3 have already removed
them (ie, only a fraction of Gmail mail has them at this point).
The top 3 aren't generally large scale botnet spam sources, and botnets
generally don't use real mail servers (except via AUTH crackers), and
the top 3 are amply well instrumented with rate limiters etc. So they
really aren't relevant to this.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
|
|