
Re: [ietf-smtp] [Shutup] Levels of proposals

2015-12-04 07:46:58
On 12/03/2015 11:53 PM, Russ Allbery wrote:
> Ted Lemon <mellon(_at_)fugue(_dot_)com> writes:
>> Thursday, Dec 3, 2015 10:48 PM Russ Allbery wrote:
>>> Why would you throttle per id/password pair?  The attacker doesn't try
>>> the same pair more than once.  That would be pointless.
>>
>> I think you missed the distinction I was making.  You are describing
>> throttling per ip-address, irrespective of the password/id pair.  I am
>> asking why you don't simply say "if more than 10 attempts are made on
>> this username per hour, lock it out for a while."
>
> Oh, you didn't mean throttle by id/password pair.  You meant throttle
> purely by user ID.
>
> There are two reasons (well, at least -- maybe more) why this doesn't help
> as much as it sounds like it would, particularly in the case of SMTP AUTH.

Third and most telling reason: few people know how many valid id/password pairs they already have, and coupled with the large numbers of IPs they also have, and the fact that userid/password pairs often work under multiple services, you can spread the spam across so many IPs and userids that throttling is only useful in some marginal edge cases (even when the throttle levers are in the hands of a certified BOFH).

Case in point: less than 10% of our list of auth-cracking IPs is derived from methods usable by MSAs, and those that are derived from MSAs utilize very specialized fingerprinting that has nothing to do with throttles.
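As an added illustration (not code from the thread or from any MSA), a toy sliding-window limiter keyed both by username and by source IP, run against the two patterns the thread contrasts: many attempts on one id from one address, and the same number spread thinly across many ids and addresses. All usernames, addresses and thresholds are constructed.

```python
from collections import defaultdict, deque


class AuthThrottle:
    """Sliding-window limiter: at most `limit` auth attempts per username
    and per source IP within `window` seconds (constructed example)."""

    def __init__(self, limit=10, window=3600):
        self.limit, self.window = limit, window
        self.by_user = defaultdict(deque)  # username -> attempt timestamps
        self.by_ip = defaultdict(deque)    # source IP -> attempt timestamps

    def _prune(self, dq, now):
        # Drop timestamps that have fallen out of the window.
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def allow(self, user, ip, now):
        """Record the attempt and return True if neither key is over limit."""
        u, i = self.by_user[user], self.by_ip[ip]
        self._prune(u, now)
        self._prune(i, now)
        allowed = len(u) < self.limit and len(i) < self.limit
        u.append(now)
        i.append(now)
        return allowed


def concentrated_schedule(n):
    """n attempts against one username from one address."""
    return [("user0", "10.0.0.1")] * n


def spread_schedule(n, n_users, n_ips):
    """n attempts rotated so each username and each IP is touched evenly;
    with n_users == n_ips == 100 and n == 1000, every key sees exactly 10."""
    return [(f"user{k % n_users}", f"10.0.0.{(k // n_users + k) % n_ips}")
            for k in range(n)]


def run(schedule, throttle):
    """Feed one attempt per second; return (allowed, blocked) counts."""
    allowed = blocked = 0
    for t, (user, ip) in enumerate(schedule):
        if throttle.allow(user, ip, t):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked
```

With the limit at 10, the concentrated run blocks 990 of 1000 attempts while the spread run blocks none: every username and IP stays at exactly the threshold, which is the marginal coverage the post describes.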

ietf-smtp mailing list