
Re: [ietf-smtp] Auth Crackers was [Shutup] Levels of proposals

2015-12-06 19:16:31
On 12/06/2015 05:57 PM, Rich Kulawiec wrote:
On Fri, Dec 04, 2015 at 01:44:03PM +0000, Paul Smith wrote:
If there was a "central" repository of IP addresses which have
generated failed login attempts to ANY server, then it seems to me
to make sense that you could catch them quicker [snip]

Probably a stupid idea, what with scaling, potential for abuse, etc,
but may be worth considering for a second or two.

It's not a stupid idea, but it does have serious operational, scalability,
privacy, and security problems.  For example (and this is not exhaustive):

- how do we decide who gets to submit data?

- how do we know what they're submitting is valid?

- how do we anonymize the data (which is a much more difficult
problem than it might first appear)?

- what happens when botnet operators decide to have some fun with this
and generate failed 6B login attempts to 50M servers from 400M addresses?

- how do we query this repository?

- how and when do we remove entries from it?

Heh, I never intended on doing this.  But...

What makes you think it has to be just one?

We're running one, specifically oriented towards blocking auth-cracking spambots. I would assume that most of us are all interested in blocking spambots, so our "attack" will be others' "attack".

We've been running one with a modest number of large scale providers using it in production for quite a while. It is already preloaded with auth-crack-capable bots (which is a byproduct of other systems), but the wider intel we can get on plain failures, the better we can do with extended heuristics based on AUTH-time behaviour - that was always our intent.

Normal scale usage would involve rsync transfers. But small-scale experiments can be done by DNSBL query if there's a need.

Usage is, and will remain, free based upon the ability to usefully contribute data to it, or to our other projects. You don't need to be able to feed data back right away, but that is the expectation.

This is primarily of interest to people running MSA farms. If you're interested in trying it out, please drop me a note off-forum with an idea of how you want to try/use it, and I'll fill you in on the details.
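The following is an added example, not part of the original message and not code from the project described in it: a sketch of the small-scale DNSBL-query mode, showing how an MSA could check a connecting client before accepting AUTH. The zone name `authbl.example`, the function names and the sample answers are assumptions; the post gives no query details, so the standard RFC 5782 conventions are assumed.

```python
import ipaddress
import socket

ZONE = "authbl.example"  # placeholder: the post does not name the list's DNS zone
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_qname(ip, zone=ZONE):
    """RFC 5782 query name: reversed IPv4 octets (or IPv6 nibbles) plus the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # dual-stack listeners report ::ffff:a.b.c.d
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def check_client(ip, zone=ZONE, resolve=socket.gethostbyname):
    """Classify a client before AUTH as 'listed', 'clean' or 'unknown'."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_qname(ip, zone)))
    except socket.gaierror as exc:
        # NXDOMAIN means not listed; a timeout or SERVFAIL is no verdict at all.
        return "clean" if exc.errno == socket.EAI_NONAME else "unknown"
    # Listings answer inside 127.0.0.0/8; any other answer (wildcard DNS,
    # a parked zone) must not be read as a listing.
    return "listed" if answer in LISTED_NET else "unknown"

def fake_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    answers = {
        "10.113.0.203." + ZONE: "127.0.0.2",   # constructed listing
        "7.2.0.192." + ZONE: "198.51.100.9",   # constructed wildcard answer
    }
    if name in answers:
        return answers[name]
    if name.startswith("1.100.51.198."):
        raise socket.gaierror(socket.EAI_AGAIN, "constructed timeout")
    raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")

if __name__ == "__main__":
    for ip in ("203.0.113.10", "::ffff:203.0.113.10", "192.0.2.7",
               "198.51.100.1", "192.0.2.200"):
        # Only 'listed' should refuse AUTH; 'unknown' fails open.
        print(ip, check_client(ip, resolve=fake_resolver))
```

Treating 'unknown' as fail-open keeps a resolver outage or a hijacked zone from locking legitimate users out of submission.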

ietf-smtp mailing list