spf-discuss

RE: RCPT TO: rejecting

2004-05-26 06:05:27
From: Lars Dybdahl
Sent: Tuesday, May 25, 2004 3:53 AM


I've found that connecting to the mail server of the MAIL FROM:
address and attempting to initiate an email (up to the DATA stage)
successfully detects around 30% of all my "joe jobs" spam

shouldn't this be part of the wider scheme to prevent joejobbing?

No. This would make it extremely easy to make a distributed
denial-of-service attack against a mail server.

I respectfully disagree.  Verizon and PoBox both use callbacks to help
qualify their incoming mail simply because it works.  Virtually any network
protocol, particularly those that are based on TCP, can be used to engineer
a DoS attack.  It is already fairly easy to engineer a DDoS against any
exposed node on the internet.  Most of these methods take advantage of the
peculiarities of TCP, they have been shown to work time and time again,
and they are extremely difficult to stop, even under ideal conditions.  The
offending traffic appears to be coming "from everywhere at once".  Blocking
it at the router is usually not a viable option.  You may be able to close
some of the connections early, but you still have to open a socket and do
the requisite checking for each incoming request.  Depending on the size of
the zombie group and the amount of network bandwidth you have, they can
knock almost anyone off the net.

As an example, consider the DDoS attacks experienced by GRC in the last
couple of years.  They have a reasonable amount of dedicated bandwidth (two
T1's), they colocate their own border routers in their provider's facility,
they have the expertise to remotely monitor and manage the routers properly,
they have the cooperation of their provider's engineers to help block
additional classes of traffic, yet they still have been periodically knocked
off the net for days at a time.  Some of the smaller blacklists have been
literally DDoS'd out of existence.  Don't kid yourself:  if they want to
saturate your connection, they can do it today with existing tools.  A
callback DDoS attack is easy to recognize and defeat compared to the other
methods, so I don't see it as a serious threat.

--

Seth Goodman
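
The callback that the first message describes (connect to the sender domain's mail server, walk the SMTP dialogue through RCPT TO, and stop before DATA), as an added example that is not code from this thread or from any participant. The remote MX is replaced by a constructed in-memory stand-in (ScriptedSmtpServer) so the exchange runs offline; the hostnames, the `connect` callable, and the CallbackVerifier wrapper are assumptions. The wrapper adds a result cache and a per-domain budget of outbound probes per time window, which is the usual mitigation for the concern raised above that a verifier can be turned into a connection generator against someone else's server.

```python
import re
import time
from collections import deque


class ScriptedSmtpServer:
    """Constructed stand-in for a remote MX: answers SMTP verbs with canned
    replies so the callback dialogue can be exercised offline."""

    def __init__(self, accepted_rcpts):
        self.accepted = {a.lower() for a in accepted_rcpts}
        self.transcript = []          # every command the verifier sent us

    def greeting(self):
        return "220 mx.example.test ESMTP (constructed)"

    def reply(self, line):
        self.transcript.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250 mx.example.test"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            m = re.search(r"<([^>]*)>", arg)
            addr = m.group(1).lower() if m else ""
            return "250 2.1.5 Ok" if addr in self.accepted else "550 5.1.1 User unknown"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb == "DATA":
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.1 Command not recognized"


def callback_verify(sender, server, helo="mx.receiver.test"):
    """Run the callback dialogue up to, but never including, DATA.
    Returns 'ok' (RCPT accepted), 'reject' (permanent 5xx) or 'unknown'
    (greeting/EHLO/MAIL failed, or a temporary 4xx answer)."""
    if not server.greeting().startswith("220"):
        return "unknown"
    # MAIL FROM:<> is the null sender, the conventional envelope for probes
    for cmd in (f"EHLO {helo}", "MAIL FROM:<>"):
        if not server.reply(cmd).startswith("250"):
            server.reply("QUIT")
            return "unknown"
    rcpt = server.reply(f"RCPT TO:<{sender}>")
    server.reply("QUIT")          # stop here; DATA is never sent
    if rcpt.startswith("2"):
        return "ok"
    if rcpt.startswith("5"):
        return "reject"
    return "unknown"


class CallbackVerifier:
    """Wraps callback_verify with a result cache and a per-domain budget of
    outbound probes per time window, so a flood of forged senders for one
    domain cannot make this host hammer that domain's MX."""

    def __init__(self, connect, max_per_domain=5, window=60.0, ttl=3600.0,
                 clock=time.monotonic):
        self.connect = connect            # callable(domain) -> server (assumed interface)
        self.max_per_domain = max_per_domain
        self.window = window
        self.ttl = ttl
        self.clock = clock
        self.cache = {}                   # sender -> (result, expires_at)
        self.recent = {}                  # domain -> deque of probe timestamps

    def check(self, sender):
        sender = sender.lower()
        now = self.clock()
        hit = self.cache.get(sender)
        if hit and hit[1] > now:
            return hit[0]                 # answered from cache, no connection made
        domain = sender.rpartition("@")[2]
        probes = self.recent.setdefault(domain, deque())
        while probes and probes[0] <= now - self.window:
            probes.popleft()
        if len(probes) >= self.max_per_domain:
            return "unknown"              # budget spent: fail neutral rather than probe
        probes.append(now)
        result = callback_verify(sender, self.connect(domain))
        self.cache[sender] = (result, now + self.ttl)
        return result
```

In a real deployment `connect` would resolve the domain's MX records and open a TCP session; the "unknown" result is deliberately neutral so that a budget-exhausted or temporarily failing remote server neither accepts nor rejects mail on its own, and the cache keeps repeated forgeries of one address from costing more than a single probe.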

