
RE: IP-based reputation services vs. DNSBL (long)

2008-11-12 11:31:31
Agree with your conclusion but your statement is not quite accurate.
 
Some spammers have in fact developed schemes that involve spoofing the source 
IP address of TCP sessions, but only where both IP addresses were under spammer 
control.
 
What some spammers used to do when dialup connections were still common and 
broadband rare is that they would use a dialup session as the purported source 
of the packets but really send the bulk of the message from a high speed 
connection, with the dialup connection telling the high speed connection which 
sequence numbers to employ.
 
I don't know if it is still widely used, but when it was being used the 
disruption caused to the network was considerably higher than for normal spam, as 
you can expect.
 

________________________________

From: ietf-bounces(_at_)ietf(_dot_)org on behalf of Chris Lewis
Sent: Tue 11/11/2008 4:47 PM
Cc: IETF
Subject: Re: IP-based reputation services vs. DNSBL (long)



TS Glassey wrote:
Matthias
Any DNS BL Listing process where those listings are based on complaints
would create this. [spoofed IPs in DNSBLs]

Few DNSBL listing processes rely on "complaints" as you put it.
Certainly, none of the popular ones use them extensively, and most
refuse them.  Eg: the CBL explicitly refuses contributions of complaints.

Most DNSBL listing processes rely _only_ on the peer address of the
connection (either direct, or by header insertion by their own trusted
systems).  No-one has yet come up with a spam-economy-practical
mechanism for spoofing source IP in TCP/IP (SMTP) sessions.  There has
been much research on the topic, and it all seems to indicate that there
isn't one.  I'll refer you to papers by Steven Bellovin, Marcus Leech
and others.

[UDP packet source IPs are trivially forgeable.  But you can't send
email by UDP packets.  TCP/IP source IP is forgeable, but only at
extremely high effort levels - few spammers would be satisfied with a
throughput rate of a few spams per week (at most) per bot that works
only against some destinations, when the return rate is measured in the
single digits per million spams.  If TCP/IP source spoofing were to
become a spammer-practical method, the Internet has vastly bigger
problems than flakey email.]

The two most effective DNSBLs of all (CBL & PBL, both part of Spamhaus
Zen) don't look at headers at all.  The former takes its IPs directly
from the TCP/IP stack of the MTA receiving the email (eg:
getpeername()), and the latter is a policy assertion, largely by the
verified owner of the IP ranges in question.  IP spoofing is effectively
impossible in one, and irrelevant to the second.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

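As an added illustration of the point Chris Lewis makes about the CBL keying its listings on the MTA's TCP peer address (getpeername()) rather than on anything in the headers, here is a small Python sketch of that check. It is example code written for this page, not code from the CBL, Spamhaus or any MTA. It assumes a hypothetical DNSBL zone name (dnsbl.example) and replaces the live DNS query with a constructed in-memory table so that it runs offline; the Received: header and the addresses in it are constructed sample values from the RFC 5737 documentation ranges.

```python
"""Added example: key a DNSBL lookup on the TCP peer address, not on an
address claimed in a Received: header.

Assumptions (not from the thread): a hypothetical zone "dnsbl.example"
and an in-memory listing table standing in for a real DNS lookup.
"""

import ipaddress
import socket
import threading

DNSBL_ZONE = "dnsbl.example"  # hypothetical zone, not a real service

# Constructed stand-in for DNSBL answers. A real DNSBL is queried with an
# A record lookup for <reversed-octets>.<zone> and answers 127.0.0.x when
# the address is listed; here a dict plays that role so nothing leaves the host.
CONSTRUCTED_LISTINGS = {
    "7.100.51.198.dnsbl.example": "127.0.0.2",  # constructed: 198.51.100.7 is "listed"
}

# Constructed header: the sender claims to be 203.0.113.9. Anyone can write
# anything here, which is why it must not drive the listing decision.
CONSTRUCTED_RECEIVED = (
    "Received: from mail.example.net (mail.example.net [203.0.113.9]) "
    "by mx.example.org with ESMTP"
)


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name for an IPv4 address: octets reversed, then zone."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, table: dict = CONSTRUCTED_LISTINGS) -> bool:
    """Consult the (constructed) zone; any 127.x answer means 'listed'."""
    answer = table.get(dnsbl_query_name(ip))
    return answer is not None and answer.startswith("127.")


def peer_address(conn: socket.socket) -> str:
    """The address the kernel's TCP stack actually completed the handshake with."""
    return conn.getpeername()[0]


def claimed_address_from_received(header: str) -> str:
    """The address asserted inside a Received: line (untrusted input)."""
    start = header.index("[") + 1
    end = header.index("]", start)
    return header[start:end]


def listing_decision(conn_peer_ip: str, received_header: str) -> dict:
    """Decide on the peer address only; the header value is reported, not trusted."""
    return {
        "peer_ip": conn_peer_ip,
        "claimed_ip": claimed_address_from_received(received_header),
        "listed": is_listed(conn_peer_ip),
    }


def accept_one_connection() -> str:
    """Open a loopback listener, connect to it from a thread, and return what
    getpeername() reports for the accepted session (the MTA-side view)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    done = threading.Event()

    def client():
        with socket.create_connection(("127.0.0.1", port)):
            done.wait()  # keep the session open until the server has looked at it

    t = threading.Thread(target=client)
    t.start()
    conn, _ = srv.accept()
    try:
        return peer_address(conn)
    finally:
        done.set()
        conn.close()
        t.join()
        srv.close()


if __name__ == "__main__":
    # Peer address taken from the stack, Received: line from the (untrusted) message.
    print(listing_decision(accept_one_connection(), CONSTRUCTED_RECEIVED))
    print(listing_decision("198.51.100.7", CONSTRUCTED_RECEIVED))
```

The second call shows the point of the thread: the decision for a session whose peer is the constructed listed address 198.51.100.7 comes out "listed" no matter what the Received: header claims, because the header value never enters the lookup.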