
Re: [ietf-smtp] [Shutup] Levels of proposals

2015-12-04 16:51:28
On Thu, Dec 3, 2015 at 6:00 PM, Chris Lewis <ietf(_at_)mustelids(_dot_)ca> wrote:

On 12/03/2015 07:36 PM, Brandon Long wrote:

The WG proposal seems to imply taking all IPs out.  The discussion has
mostly been about submission.

The draft has been mostly about submission, but there have been some
conversations about internals.  I've seen auditors bring up points about
obscuring internals (corporate context, it's one of their checkoff 10
commandments), but we managed to convince them that ease of diagnosing
problems outweighed the downsides.

Before getting too far into concrete proposals, we still need to decide
whether it should be done, and what (if anything) should be done in

That said:

Submission IPs seem like the largest level of risk, and from my gross
understanding of anti-spam, pretty minor.

Yes, and no...  It depends on how you use/acquire them; this is a fairly
complex/esoteric end of spam filtering, and just doing it justice would
take up pages of text.  I'll try to shortcut - purely from a filtering but
not-ML perspective:

Using them:

If you have a list of IPs known to be infected with AUTH-cracking
spambots, it's of immediate/valuable use both to the MSAs themselves in
detecting malicious injects, and to the recipient's filtering, and
header forgery is not an issue (certainly not to MSAs, and headers that
forge collisions with the list you don't want anyway).

The potential yields are huge - ISPs (using a list we create of 2.2M IPs
demonstrably capable of AUTH-cracking) can see botnet suppression rates at
the MSA of 80% (of all submissions) or even higher, depending on the
spam/botnet du jour.  In just one case it's in the 1000+/second range. Some
of these botnets are very, very prolific per IP.

Which boils down to the MSAs being able to stop it at source, or the
receivers being able to stop it at destination.  If a significant fraction
of MSAs stopped it at source, then, maybe, the MSA Received line isn't
important.  But where they don't (the majority), losing the MSA Received
line is potentially a big hit.

Obtaining them:

Obviously, someone who is trying to authenticate to you and is demonstrably
infected isn't spoofable.  That yields the vast majority of our list.

On a case-by-case basis with specialized knowledge it is possible to
derive trustworthy infected submission addresses from received lines. Yes,
actually, it really is.  Useful, but not terribly significant (or at least
how far we've followed that rathole).

By eliminating MSA received clauses, it means that only the MSA can do
blocking based on this technique, the receivers can't.

On one server, in a 40-minute interval, 774,123 out of 1,126,763 connections
were AUTH spoofing from just one particular botnet.  That's 775,000 spams
that ordinary receivers couldn't filter via IP if the from clauses

Also, if the previous thread's list of large MSPs inclusion of
submission IPs is correct, then >2 out of the top 3 have already removed
them (ie, only a fraction of Gmail mail has them at this point).

The top 3 aren't generally large scale botnet spam sources, and botnets
generally don't use real mail servers (except via AUTH crackers), and the
top 3 are amply well instrumented with rate limiters etc.  So they really
aren't relevant to this.

We've had to deal with hijacked account spam for years at this point, and
have invested heavily against it, and that is why we are doing our best to
sunset "programmatic" password-based auth, ie:

Of course, OAuth isn't quite ready for widespread adoption, due to issues
with discoverability of end-points and software registration.
And a botnet may be able to lift the OAuth tokens out of the local
software, but it has some benefits.

ietf-smtp mailing list
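An added worked example of the two vantage points Chris contrasts above (stopping an AUTH-cracking bot "at source" at the MSA versus "at destination" at the receiver). This is example code written for this page; it is not from either poster and not any ISP's filtering code. The blocklist entries, hostnames and the two sample messages are constructed using RFC 5737 documentation addresses. The receiver-side check locates the authenticated submission hop by the RFC 3848 "with ESMTPA"/"ESMTPSA" keyword, takes the bracketed client address from that hop's "from" clause, and looks it up in the list; the second sample is the same message with the MSA's "from" clause removed, which is exactly the case where a receiver can no longer filter on the submission IP.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed stand-in for a list of IPs known to be AUTH-cracking bots
# (the 2.2M-entry list mentioned in the thread is not on the page).
# Addresses are from the RFC 5737 documentation ranges.
KNOWN_AUTH_CRACKERS = {
    ipaddress.ip_address("203.0.113.77"),
    ipaddress.ip_address("198.51.100.9"),
}

# RFC 3848 "with" protocol keywords meaning the hop was an authenticated
# (SMTP AUTH) submission.
AUTH_WITH = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
ADDR_LITERAL_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def msa_should_reject(client_ip):
    """The MSA's own check ("stop it at source"). The address is the TCP
    peer of the AUTH attempt, so nothing in the message can spoof it."""
    return ipaddress.ip_address(client_ip) in KNOWN_AUTH_CRACKERS


def submission_client_ip(received_values):
    """Receiver-side view: the client IP of the authenticated submission
    hop according to the Received trace, or None if no hop records one.

    received_values are the Received header values in message order,
    newest (the receiver's own MX) first. We walk inward and stop at the
    first hop tagged ESMTPA/ESMTPSA: that line was written by the MSA,
    not by the bot. Lines below it are under the sender's control; a bot
    that forges one colliding with the list gets blocked anyway, which is
    the outcome we want."""
    for raw in received_values:
        value = " ".join(str(raw).split())  # unfold, normalise whitespace
        m = WITH_RE.search(value)
        if not m or m.group(1).upper() not in AUTH_WITH:
            continue
        # Received = "from" <client> "by" <server> ...; the bracketed
        # address literal in the "from" clause is the connecting client.
        parts = re.split(r"\s+by\s+", value, maxsplit=1)
        if len(parts) < 2 or not parts[0].lower().startswith("from "):
            return None  # MSA wrote the hop but left the client IP out
        literal = ADDR_LITERAL_RE.search(parts[0])
        if literal is None:
            return None
        try:
            return ipaddress.ip_address(literal.group(1))
        except ValueError:
            return None
    return None


def submission_ip_of(raw_message):
    """Submission client IP of a raw RFC 5322 message as a string, or None."""
    msg = message_from_string(raw_message, policy=default)
    ip = submission_client_ip(msg.get_all("Received", []))
    return None if ip is None else str(ip)


def receiver_can_block(raw_message):
    """True if a receiver relying only on the trace headers can tie this
    message to a listed AUTH-cracking IP."""
    ip = submission_ip_of(raw_message)
    return ip is not None and ipaddress.ip_address(ip) in KNOWN_AUTH_CRACKERS


# Constructed sample 1: the MSA records the bot's IP in its Received line.
MSG_WITH_IP = """\
Received: from msa.example.org ([192.0.2.25])
\tby mx.example.net with ESMTPS id abc123;
\tFri, 4 Dec 2015 10:00:00 +0000
Received: from bot-host.example ([203.0.113.77])
\tby msa.example.org with ESMTPSA id xyz789;
\tFri, 4 Dec 2015 09:59:58 +0000
From: victim@example.org
To: someone@example.net
Subject: constructed sample

body
"""

# Constructed sample 2: same path, but the MSA omits the "from" clause
# (the behaviour under discussion). The receiver now has no IP to check.
MSG_STRIPPED = MSG_WITH_IP.replace(
    "Received: from bot-host.example ([203.0.113.77])\n\tby msa.example.org",
    "Received: by msa.example.org",
)

if __name__ == "__main__":
    print(msa_should_reject("203.0.113.77"))  # True: MSA sees the peer IP
    print(submission_ip_of(MSG_WITH_IP))      # 203.0.113.77
    print(receiver_can_block(MSG_WITH_IP))    # True
    print(submission_ip_of(MSG_STRIPPED))     # None
    print(receiver_can_block(MSG_STRIPPED))   # False
```

Run it directly to see the contrast: msa_should_reject always has the peer address, while receiver_can_block loses it the moment the MSA drops the "from" clause, even though the message is otherwise identical.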