On May 26, 2004, at 9:05 AM, Seth Goodman wrote:
From: Lars Dybdahl
Sent: Tuesday, May 25, 2004 3:53 AM
I've found that connecting to the mail server of the MAIL FROM:
address and attempting to initiate an email (up to the DATA stage)
successfully detects around 30% of all my "joe jobs" spam
Shouldn't this be part of the wider scheme to prevent joejobbing?
No. This would make it extremely easy to make a distributed
denial-of-service attack against a mail server.
I respectfully disagree. Verizon and PoBox both use callbacks to help
qualify their incoming mail simply because it works. Virtually any
network protocol, particularly those that are based on TCP, can be used
to engineer a DoS attack. It is already fairly easy to engineer a DDoS
against any exposed node on the internet. Most of these methods take
advantage of the peculiarities of TCP, they have been shown to work
time and time again, and they are extremely difficult to stop, even
under ideal conditions. The offending traffic appears to be coming
"from everywhere at once". Blocking it at the router is usually not a
viable option. You may be able to close some of the connections early,
but you still have to open a socket and do the requisite checking for
each incoming request. Depending on the size of the zombie group and
the amount of network bandwidth you have, they can knock almost anyone
off the net.
The point is that they no longer need a "zombie group" nor do they need
to compromise machines. Instead, you've decided to offer a service
that allows them to have you beat the crap out of some innocent victim.
It doesn't seem so bad when the little guy uses these cost-shifting
tactics, but when a big boy like Verizon does it, it has bad
ramifications and is entirely irresponsible.
Everyone has always blamed spammers for using cost-shifting tactics to
avoid being "responsible." I find it entirely ironic that well known
and well respected anti-spam advocates now say it's okay to cost shift.
The Internet is a hostile place and people can pretty much use whatever
tactics they want. But having a system with a lot of horsepower (as I
assume pobox.com does) commit to a solution that will initiate
unsolicited SMTP sessions to any victim an attacker chooses is...
well... disappointing. It's as if cost-shifting is okay now that you
are benefiting from it.
You claim "Verizon and PoBox use callbacks to help qualify their
incoming mail simply because it works." There are a lot of tactics in
various arenas of life that "work" and that _IS NOT_ reason enough
alone to use them.
Perhaps someone should make a logo for people that says "I'm accosted
and my resources are used by mail servers running mailfrom CBV." A
"prevent mailfrom CBV abuse" banner. This way people can show their
opposition in a more uniform manner.
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
// Ecelerity: fastest MTA on Earth