
Re: IP-based reputation services vs. DNSBL (long)

2008-11-11 16:48:49
TS Glassey wrote:
Matthias
Any DNS BL Listing process where those listings are based on complaints 
would create this. [spoofed IPs in DNSBLs]

Few DNSBL listing processes rely on "complaints" as you put it.
Certainly, none of the popular ones use them extensively, and most
refuse them.  Eg: the CBL explicitly refuses contributions of complaints.

Most DNSBL listing processes rely _only_ on the peer address of the
connection (either direct, or by header insertion by their own trusted
systems).  No-one has yet come up with a spam-economy-practical
mechanism for spoofing source IP in TCP/IP (SMTP) sessions.  There has
been much research on the topic, and it all seems to indicate that there
isn't one.  I'll refer you to papers by Steven Bellovin, Marcus Leech
and others.

[UDP packet source IPs are trivially forgeable.  But you can't send
email by UDP packets.  TCP/IP source IP is forgeable, but only at
extremely high effort levels - few spammers would be satisfied with a
throughput rate of a few spams per week (at most) per bot that works
only against some destinations, when the return rate is measured in the
single digits per million spams.  If TCP/IP source spoofing were to
become a spammer-practical method, the Internet has vastly bigger
problems than flakey email.]

The two most effective DNSBLs of all (CBL & PBL, both part of Spamhaus
Zen) don't look at headers at all.  The former takes its IPs directly
from the TCP/IP stack of the MTA receiving the email (eg:
getpeername()), and the latter is a policy assertion, largely by the
verified owner of the IP ranges in question.  IP spoofing is effectively
impossible in one, and irrelevant to the second.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
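The mechanism the post describes for the CBL/Zen path (look up the peer address the kernel reports for the accepted SMTP connection, never an address the sender wrote into a header) is shown below as an added example; it is not code from the post, from Spamhaus or from any MTA. The Zen return-code table is transcribed from Spamhaus's published documentation and should be checked against the current version before use; `fake_zen` is a constructed stand-in for the zone so the example runs offline; `ip_from_received` is included only to contrast the header-derived address that the post says the effective lists do not use.

```python
"""Peer-address DNSBL check: the IP looked up comes from the kernel's TCP
state for the accepted connection (getpeername()), not from the message."""
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Tuple

# Spamhaus Zen return codes as published in its return-code table
# (assumption: verify against current Spamhaus documentation before relying on it).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# Ranges that can never legitimately be listed; skip the query instead of leaking them.
_NEVER_QUERY = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Resolver = Callable[[str], List[str]]  # name -> A records ([] means NXDOMAIN)


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> Optional[str]:
    """Reverse the octets and append the zone: 192.0.2.99 -> 99.2.0.192.zen.spamhaus.org.
    Returns None for IPv6 and for addresses that must not be looked up."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or any(addr in net for net in _NEVER_QUERY):
        return None
    return ".".join(reversed(ip.split("."))) + "." + zone


def classify(ip: str, resolve: Resolver, zone: str = "zen.spamhaus.org") -> Tuple[str, List[str]]:
    """Return (verdict, detail): verdict is 'listed', 'clean', 'skipped' or 'error'."""
    name = dnsbl_query_name(ip, zone)
    if name is None:
        return "skipped", []
    answers = resolve(name)
    if not answers:
        return "clean", []                       # NXDOMAIN: not listed
    hits = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    if hits:
        return "listed", hits
    # Any other answer (e.g. 127.255.255.x) is a query/error code from the zone,
    # not a listing: fail open rather than reject mail because of a resolver problem.
    return "error", answers


def system_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def peer_ip(conn: socket.socket) -> str:
    """The address to check, taken from the kernel's TCP state for the accepted
    connection; the client cannot write a different one into it."""
    return conn.getpeername()[0]


_RECEIVED_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def ip_from_received(header: str) -> Optional[str]:
    """Contrast: an IP pulled from a Received: header. Only the header your own
    MTA inserted is trustworthy; every header below it was written by the sender."""
    m = _RECEIVED_RE.search(header)
    return m.group(1) if m else None


def fake_zen(name: str) -> List[str]:
    """Constructed stand-in for the zone so the example runs offline."""
    table = {
        "99.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],  # CBL + PBL hit
        "7.0.0.192.zen.spamhaus.org": ["127.255.255.254"],           # zone error code
    }
    return table.get(name, [])


if __name__ == "__main__":
    # Loopback round trip: the checked address comes from the TCP stack, not the client.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    print("peer:", peer_ip(conn), "->", classify(peer_ip(conn), fake_zen))
    for s in (conn, cli, srv):
        s.close()
    print(classify("192.0.2.99", fake_zen))
    print(classify("198.51.100.1", fake_zen))
    forged = "Received: from mx.example.net ([192.0.2.99]) by relay.example.org"
    print("header claims", ip_from_received(forged), "(untrusted unless your MTA wrote it)")
```

Swap `fake_zen` for `system_resolver` to query the real zone; the verdict on a resolver or zone error is deliberately "error" rather than "listed", since a 127.255.255.x answer signals a query problem, not a listing.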