Re: [ietf-smtp] [Shutup] Levels of proposals

Thursday, Dec 3, 2015 10:48 PM Russ Allbery wrote:
> > I am still a bit puzzled: how does increasing the number of attackers
> > help to bypass the throttling mechanism?  Why isn't the throttle per
> > id/password pair, rather than per ip-address/password/id triple?
> Why would you throttle per id/password pair?  The attacker doesn't try the
> same pair more than once.  That would be pointless.
I think you missed the distinction I was making.   You are describing 
throttling per ip-address, irrespective of the password/id pair.   I am asking 
why you don't simply say "if more than 10 attempts are made on this username 
per hour, lock it out for a while."   This is a common practice on some web 
sites.   If you require the user to have a non-dictionary password, then 10 
attempts per hour is few enough to prevent a botnet of any number of hosts from 
guessing that password.

> The TLDR in case something about that message was confusing is that only
> the authentication point can block the IP addresses at the authentication
> point, but you can analyze Received headers to do a bunch of other things,
> such as determine compromised botnet IP addresses that someone else
> *didn't* block but that you *do* want to block for *your* service.  It
> improves the scale and flexibility of what you can do by basically giving
> you more threat intelligence.
Yes, I have heard that before.  It makes sense.   However, it does make me 
wonder why you don't just stop accepting mail from sites that are this badly 
run until they shape up.   You seem to be suggesting that it's because you 
value the intelligence that you glean from their incompetence.   Did I 
misunderstand?


--
Sent from Whiteout Mail - https://whiteout.io

My PGP key: https://keys.whiteout.io/mellon(_at_)fugue(_dot_)com

pgpKytYKBH9ap.pgp
Description: PGP signature

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp