
RE: IP-based reputation services vs. DNSBL (long)

2008-11-13 16:37:33
Yes, there are many spammers who use systems that essentially send out the 
buffer in a single packet. Even if they are not doing one-arm routing, they use it 
for acceleration.
 
Which is why a somewhat effective spam pre-filter is to simply enforce proper 
SMTP protocol use and reject a connection if the other side has queued up RCPT 
and DATA commands in the HELO packet.

________________________________

From: ietf-bounces@ietf.org on behalf of Chris Lewis
Sent: Thu 11/13/2008 3:52 PM
Cc: IETF
Subject: Re: IP-based reputation services vs. DNSBL (long)



Hallam-Baker, Phillip wrote:
To answer your question about how they got round port 25 blocking, my
guess is that they sent the initial packet out on yet another connection
that was unblocked.

Actually, I answered that question - they didn't "get around port 25
blocking".  They never sent from the (say AOL dialup) side, only from
the high speed side.   "three way handshaking" emulation of what's
supposed to be "two way", but physically only two (not three) machines.
 Since they're on the same machine, the timing is not much of an issue.
 Got high speed spam emission, at the expense of burning (lots of) free
AOL low speed access dialup disks.  Especially if you pipelined (whether
the recipient said it was okay or not) multiple parallel SMTP streams.

[The recipient usually has no way of knowing whether you're really
waiting for its SMTP command return codes or not.  Which is exemplified
by one particular type of HTTP proxy attack.  Arrange the entire sending
side's SMTP commands in one buffer (e.g. an HTTP CONNECT proxy), and send
it all at once.  Works just fine if you don't care about errors.  Which
high volume spammers don't.]

I have seen something similar described recently in the context of a
cyber-conflict type attack.

Potentially still useful technique, where the economies are different.
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
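The "enforce proper SMTP protocol use" pre-filter described above, as an added example that is not code from the thread or from either poster. It simulates both sides over a socketpair: the client either behaves, dumps its whole session in one buffer after the banner (the case discussed in the thread), or dumps it before the banner has even been sent, which the same check catches one step earlier. The hostnames, the spam blob, the reply codes and the 0.5 s greeting delay are constructed for the demo.

```python
"""
Server-side SMTP "early talker" / pre-PIPELINING check.

Added example, not code from the IETF thread.  Hostnames, the spam blob and
the 0.5 s greeting delay are constructed for the demo.
"""
import socket
import threading

GREETING = b"220 mx.example.test ESMTP\r\n"   # constructed hostname
GREETING_DELAY = 0.5                           # seconds before the banner is sent

# Constructed "whole session in one buffer" blob of the kind the thread describes.
SPAM_BLOB = (
    b"HELO bulk.example.test\r\n"
    b"MAIL FROM:<sender@bulk.example.test>\r\n"
    b"RCPT TO:<victim@example.test>\r\n"
    b"DATA\r\n"
    b"Subject: buy now\r\n\r\nbody\r\n.\r\n"
    b"QUIT\r\n"
)


def queued_verbs(buf):
    """Return the SMTP command verbs queued in buf, stopping at DATA
    (everything after DATA is message content, not commands)."""
    verbs = []
    for line in buf.split(b"\r\n"):
        if not line.strip():
            continue
        verb = line.split(b" ", 1)[0].upper()
        verbs.append(verb)
        if verb == b"DATA":
            break
    return verbs


def check_first_read(buf, allow_pipelining=False):
    """Classify the first chunk a client sends after the 220 banner.

    A compliant client sends only HELO/EHLO and waits; it may pipeline
    MAIL/RCPT/DATA only after the server has advertised PIPELINING (RFC 2920),
    which it cannot have done yet at this point.  Returns (accept, reason).
    """
    verbs = queued_verbs(buf)
    if not verbs:
        return False, "client closed or sent nothing"
    if verbs[0] not in (b"HELO", b"EHLO"):
        return False, "session did not start with HELO/EHLO"
    if len(verbs) > 1 and not allow_pipelining:
        queued = ",".join(v.decode("ascii", "replace") for v in verbs[1:])
        return False, "queued %s behind HELO before PIPELINING was offered" % queued
    return True, "ok"


def serve_one(conn):
    """Server side for one connection: greeting delay, early-talker check,
    banner, then the first-read check.  Returns (accept, reason)."""
    conn.settimeout(GREETING_DELAY)
    try:
        early = conn.recv(4096)
        if not early:
            return False, "client closed before banner"
    except socket.timeout:
        early = b""            # silence until the banner: what a real MTA does
    if early:
        # Sending before the 220 banner is itself a protocol violation.
        conn.sendall(b"554 5.7.0 protocol violation: data before banner\r\n")
        return False, "early talker, queued " + ",".join(
            v.decode("ascii", "replace") for v in queued_verbs(early))
    conn.settimeout(2.0)
    conn.sendall(GREETING)
    first = conn.recv(4096)
    ok, reason = check_first_read(first)
    conn.sendall(b"250 mx.example.test\r\n" if ok
                 else b"554 5.7.0 protocol violation\r\n")
    return ok, reason


def run_client(behaviour):
    """Drive serve_one() over a socketpair with one of three client behaviours."""
    srv, cli = socket.socketpair()
    result = {}
    t = threading.Thread(target=lambda: result.update(verdict=serve_one(srv)))
    t.start()
    cli.settimeout(5.0)
    if behaviour == "legit":
        cli.recv(4096)                      # wait for the 220 banner
        cli.sendall(b"EHLO client.example.test\r\n")
    elif behaviour == "spammer":
        cli.recv(4096)                      # waits for the banner ...
        cli.sendall(SPAM_BLOB)              # ... then dumps the whole session
    elif behaviour == "early":
        cli.sendall(SPAM_BLOB)              # does not even wait for the banner
    else:
        raise ValueError(behaviour)
    cli.recv(4096)                          # server's 250 or 554
    t.join()
    srv.close()
    cli.close()
    return result["verdict"]


if __name__ == "__main__":
    for b in ("legit", "spammer", "early"):
        print(b, run_client(b))
```

The check is deliberately only about sequencing, not content: it never looks at sender, recipient or body, so it costs one read per connection and rejects before any DATA is accepted. A legitimate client that supports pipelining is unaffected, because it cannot know PIPELINING is available until it has seen the EHLO reply and so will not queue anything behind its EHLO.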