On 12/03/2015 11:53 PM, Russ Allbery wrote:
> Ted Lemon <mellon(_at_)fugue(_dot_)com> writes:
>> Thursday, Dec 3, 2015 10:48 PM Russ Allbery wrote:
>>> Why would you throttle per id/password pair? The attacker doesn't try
>>> the same pair more than once. That would be pointless.
>> I think you missed the distinction I was making. You are describing
>> throttling per ip-address, irrespective of the password/id pair. I am
>> asking why you don't simply say "if more than 10 attempts are made on
>> this username per hour, lock it out for a while."
> Oh, you didn't mean throttle by id/password pair. You meant throttle
> purely by user ID.
> There are two reasons (well, at least -- maybe more) why this doesn't help
> as much as it sounds like it would, particularly in the case of SMTP AUTH.
Third and most telling reason: few people know how many valid
id/password pairs they already have, and coupled with the large numbers
of IPs they also have, and the fact that userid/password pairs often
work under multiple services, you can spread the spam across so many IPs
and userids that throttling is only useful in some marginal edge cases
(even when the throttle levers are in the hands of a certified BOFH).
Case in point: less than 10% of our list of auth-cracking IPs is derived
from methods usable by MSAs, and those that are derived from MSAs
utilize very specialized fingerprinting that has nothing to do with
throttles.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
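As an added illustration of the throttling trade-off argued in this thread (example code, not from any of the participants), the following Python replays constructed failed-AUTH events through a per-username lockout like the one proposed (10 per hour) and an assumed per-IP throttle, and shows that each catches one concentrated pattern while attempts spread across many IPs and usernames trip neither. The per-IP limit, addresses and usernames are constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # one hour, as in "10 attempts on this username per hour"
USER_LIMIT = 10         # per-username lockout threshold from the thread
IP_LIMIT = 10           # per-IP threshold; an assumed value for comparison


class AuthThrottle:
    """Sliding-window failure counters keyed by username and by client IP."""

    def __init__(self, window=WINDOW_SECONDS, user_limit=USER_LIMIT, ip_limit=IP_LIMIT):
        self.window, self.user_limit, self.ip_limit = window, user_limit, ip_limit
        self.by_user = defaultdict(deque)   # username -> failure timestamps
        self.by_ip = defaultdict(deque)     # client IP -> failure timestamps
        self.locked_users, self.throttled_ips = set(), set()

    def _record(self, timestamps, now):
        # Drop timestamps that fell out of the window, add this one, return the count.
        while timestamps and now - timestamps[0] >= self.window:
            timestamps.popleft()
        timestamps.append(now)
        return len(timestamps)

    def observe_failure(self, now, user, ip):
        """Record one failed AUTH attempt and return which controls fired."""
        fired = set()
        if self._record(self.by_user[user], now) > self.user_limit:
            self.locked_users.add(user)
            fired.add("user")
        if self._record(self.by_ip[ip], now) > self.ip_limit:
            self.throttled_ips.add(ip)
            fired.add("ip")
        return fired


def evaluate(events):
    """Replay (timestamp, user, ip) failures; return (locked users, throttled IPs)."""
    throttle = AuthThrottle()
    for ts, user, ip in events:
        throttle.observe_failure(ts, user, ip)
    return throttle.locked_users, throttle.throttled_ips


# Constructed scenarios: RFC 5737 documentation addresses, made-up usernames,
# one failure per minute so every attempt lands inside the one-hour window.
ONE_IP_MANY_USERS = [(i * 60, f"user{i}", "198.51.100.7") for i in range(12)]
ONE_USER_MANY_IPS = [(i * 60, "alice", f"203.0.113.{i}") for i in range(12)]
SPREAD_OUT = [(i * 60, f"user{i}", f"203.0.113.{i}") for i in range(200)]

if __name__ == "__main__":
    for name, events in [("one IP, many users", ONE_IP_MANY_USERS),
                         ("one user, many IPs", ONE_USER_MANY_IPS),
                         ("spread out", SPREAD_OUT)]:
        print(name, evaluate(events))
```

Only the third scenario, one attempt per (username, IP) pair, leaves both counters below threshold, which is the case the message above calls the "third and most telling reason".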