spf-discuss

RE: RCPT TO: rejecting

2004-05-26 09:02:56
From: Theo Schlossnagle
Sent: Wednesday, May 26, 2004 8:30 AM



On May 26, 2004, at 9:05 AM, Seth Goodman wrote:

From: Lars Dybdahl
Sent: Tuesday, May 25, 2004 3:53 AM


I've found that connecting to the mail server of the MAIL FROM:
address and attempting to initiate an email (up to the DATA stage)
successfully detects around 30% of all my "joe jobs" spam

Shouldn't this be part of the wider scheme to prevent joe-jobbing?

No. This would make it extremely easy to make a distributed
denial-of-service attack against a mail server.

I respectfully disagree.  Verizon and PoBox both use callbacks to help
qualify their incoming mail simply because it works.  Virtually any network
protocol, particularly those that are based on TCP, can be used to engineer
a DoS attack.  It is already fairly easy to engineer a DDoS against any
exposed node on the internet.  Most of these methods take advantage of the
peculiarities of TCP, they have been shown to work time and time again,
and they are extremely difficult to stop, even under ideal conditions.  The
offending traffic appears to be coming "from everywhere at once".  Blocking
it at the router is usually not a viable option.  You may be able to close
some of the connections early, but you still have to open a socket and do
the requisite checking for each incoming request.  Depending on the size of
the zombie group and the amount of network bandwidth you have, they can
knock almost anyone off the net.

The point is that they no longer need a "zombie group" nor do they need
to compromise machines.

Yes, they do still need a bunch of zombies to send out their forged
messages.  If they tried to send them out from legitimate machines, they
would quickly get blacklisted and the DDoS would grind to a halt.


Instead, you've decided to offer a service
that allows them to have you beat the crap out of some innocent victim.
  It doesn't seem so bad when the little guy uses these cost-shifting
tactics, but when a big boy like Verizon does it has bad ramifications
and is entirely irresponsible.

In case it isn't obvious, this "service" has been in place since RFC821 came
out.  Anyone controlling a zombie group can barrage a target with MAIL
FROM:<>, RCPT TO:<anyuser@yourdomain.com> SMTP sessions.  While this doesn't
have the multiplier effect of a spam run, it could still be an effective
attack.

The reason nobody does this is that it is so easy to deflect with IP
heuristics at the initiation of the connection.  In particular, if you
include a DNSBL that lists dynamic IP address space, most of it can be
eliminated.  If the attack is indirect, via a spam run, you can stop
accepting CBV's until the attack stops.

As far as major providers using CBV's, since there is no way to verify MAIL
FROM: at present, it does tend to cost shift to third parties.  If all mail
recipients did CBV's, the load would be equally shared, more or less.  I
agree that the load belongs to the sender, but until something sensible is
widely adopted, there is currently no way to do that.  Absent a way to put
the load in the "correct" place, I don't have any problem with the recipient
community jointly sharing the costs of CBV's.  Doing nothing in the face of
the current problem is not a reasonable option.

As far as beating the crap out of an innocent victim through an indirect CBV
attack, I haven't heard of a single instance of this.  If you have, please
present some evidence to prove that this is an actual problem.  I'll say it
again:  if you want to DDoS someone, there are better ways that are
virtually impossible to shut down.  This "attack" scenario is comparatively
easy to shut down, which is why no one uses it.



Everyone has always blamed spammers for using cost-shifting tactics to
avoid being "responsible."  I find it entirely ironic that well known
and well respected anti-spam advocates now say it's okay to cost shift.
The Internet is a hostile place and people can pretty much use whatever
tactics they want.  But having a system with a lot of horsepower (as I
assume pobox.com does) commit to a solution that will initiate
unsolicited SMTP sessions to any victim an attacker chooses is...
well... disappointing.  It's as if cost-shifting is okay now that you
are benefiting from it.

Sorry, I don't benefit at all.  I just don't begrudge them the right to do a
reasonable check on incoming mail, even if it costs me a few cents extra on
my internet bill.  In the present climate, they'd be foolish not to.  Anyone
else can do the same.  Anyone can refuse to respond to CBV's from any or all
sites.  This sounds more like a philosophical issue than a practical one.

Once SPF, or something like it, is in place, doing a CBV with a signed
return-path is a completely justifiable action.  The MAIL FROM: you have
just received from a forwarder lists some other domain as the purported
originating domain for the message.  If the forwarder's RFROM passes SPF, it
is perfectly reasonable to check the signed return-path with the purported
originating domain.  If the forwarder has played by the SPF rules, all of
its forwarded mail will have been SPF checked when it received it.  In that
case, every CBV you do will be to the legitimate sender of the message.  If
any of the MAIL FROM:'s do not pass a CBV, then the first hop forwarder
should be blacklisted for accepting forgeries.  In such an environment,
CBV's to innocent third parties should be rare, and they will result in
either domains or forwarders being blacklisted, thus closing the hole.  The
small cost of the few CBV's that fail is well worth it to secure the email
system back from the forgers.  Even though the failed CBV's go to innocent
third parties, the CBV will either stop the initiator of the CBV from
propagating a joe-job message or will reject a forged bounce spam to the
third party.  In both cases, the third party still benefits.



You claim "Verizon and PoBox use callbacks to help qualify their
incoming mail simply because it works."  There are a lot of tactics in
various arenas of life that "work" and that _IS NOT_ reason enough
alone to use them.

On the contrary, if something works for a serious common problem, you need a
good reason not to use it.  Shifting a small amount of cost to third parties
is a reasonable tradeoff if the mechanism is equally available to everyone
and the benefits are larger than the combined cost.  I think it passes both
of these tests, but I also think it is something that reasonable people can
disagree on.  If you like, you can refuse to accept CBV's from Verizon and
PoBox.  So can anyone else that finds it bothersome.



Perhaps someone should make a logo for people that says "I'm accosted
and my resources are used by mail servers running mailfrom CBV."  A
"prevent mailfrom CBV abuse" banner.  This way people can show their
opposition in a more uniform manner.

An excellent idea.  Please let us know how many people display the banner.

--

Seth Goodman
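As an added illustration of the mitigation Seth describes above ("you can stop accepting CBV's until the attack stops"), and not code from anyone in the thread: a receiving-side sliding-window throttle that answers null-sender RCPT TO: probes with a 450 temporary failure only while they flood in, while ordinary deliveries are untouched. The thresholds, addresses and the `mailbox_exists` lookup hook are constructed assumptions.

```python
from collections import deque


class CbvThrottle:
    """Receiver-side guard against a callback-verification (CBV) storm:
    many MAIL FROM:<> / RCPT TO: probes that never reach DATA.  Real
    deliveries are answered as usual; null-sender RCPT TO: probes get a
    450 tempfail once more than `limit` of them arrived in the last
    `window` seconds, so callbacks are refused only while the flood lasts.
    The default thresholds are illustrative, not tuned values."""

    def __init__(self, limit=100, window=60.0):
        self.limit = limit
        self.window = window
        self.probe_times = deque()  # timestamps of recent null-sender probes

    def _prune(self, now):
        # Drop probes that have aged out of the sliding window.
        while self.probe_times and now - self.probe_times[0] > self.window:
            self.probe_times.popleft()

    def rcpt_reply(self, mail_from, rcpt, now, mailbox_exists):
        """SMTP reply for RCPT TO:<rcpt> given the session's MAIL FROM value.
        `mailbox_exists` is the site's own address lookup (assumed hook)."""
        truthful = "250 OK" if mailbox_exists(rcpt) else "550 No such user here"
        if mail_from != "<>":  # a real delivery attempt is never throttled
            return truthful
        self._prune(now)
        if len(self.probe_times) >= self.limit:
            return "450 Too many callback probes, try again later"
        self.probe_times.append(now)
        return truthful


def simulate(limit=5, window=60.0):
    """Run the throttle over a constructed burst and return the reply codes."""
    t = CbvThrottle(limit=limit, window=window)
    exists = lambda addr: addr == "<alice@example.test>"  # constructed mailbox
    replies = []
    # Constructed burst: 8 null-sender probes for a non-existent user in 1s.
    for i in range(8):
        replies.append(t.rcpt_reply("<>", "<bob@example.test>",
                                    1000.0 + i * 0.1, exists))
    # A normal message with a real sender during the burst is unaffected.
    replies.append(t.rcpt_reply("<carol@other.test>", "<alice@example.test>",
                                1000.9, exists))
    # Once the window has elapsed, probes are answered truthfully again.
    replies.append(t.rcpt_reply("<>", "<alice@example.test>", 1100.0, exists))
    return [r.split()[0] for r in replies]
```

Callers that receive the 450 will retry or treat the sender as unverified, so the tempfail degrades CBV accuracy for the duration of the flood rather than rejecting mail outright.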
