spf-discuss

Re: RCPT TO: rejecting

2004-05-26 11:31:40
On May 26, 2004, at 12:02 PM, Seth Goodman wrote:
> Yes, they do still need a bunch of zombies to send out their forged messages. If they tried to send them out from legitimate machines, they would quickly get blacklisted and the DDoS would grind to a halt.

Not true. If everyone starts adopting mailfrom CBV, you are one of many zombies. They just need one compromised machine or open proxy and they can send messages to thousands of sites running mailfrom CBV, all with the same forged victim's return path. They aren't using solely you to do a DDoS (as that would not be distributed at all). Instead they would be using you and a large mass of others with the same "flexibility" in using others' resources unasked to orchestrate a distributed DoS.

> In case it isn't obvious, this "service" has been in place since RFC821 came out. Anyone controlling a zombie group can barrage a target with MAIL FROM:<>, RCPT TO:<anyuser@yourdomain.com> SMTP sessions. While this doesn't have the multiplier effect of a spam run, it could still be an effective attack.

Zombies can do that, so your legitimate email service should be able to do it? You just equated yourself with zombies; I hope that wasn't intended. Sure, zombies can attack servers that way (because they are hostile and malicious), but how and why does that give you the right to do that?

> The reason nobody does this is that it is so easy to deflect with IP heuristics at the initiation of the connection. In particular, if you include a DNSBL that lists dynamic IP address space, most of it can be eliminated. If the attack is indirect, via a spam run, you can stop accepting CBV's until the attack stops.

Nobody does this? We constantly witness sessions that last 5 minutes and disconnect in the middle. We also see MAIL FROM: / RCPT TO: / disconnect sessions as part of directory harvesting attempts. It has the same resource-consuming effect regardless of whether there was intention or of the exact mechanics employed.

> As far as major providers using CBV's, since there is no way to verify MAIL FROM: at present, it does tend to cost shift to third parties. If all mail recipients did CBV's, the load would be equally shared, more or less. I agree that the load belongs to the sender, but until something sensible is widely adopted, there is currently no way to do that. Absent a way to put the load in the "correct" place, I don't have any problem with the recipient community jointly sharing the costs of CBV's. Doing nothing in the face of the current problem is not a reasonable option.

Okay, I just don't feel that I could make that decision for "the community." They are their resources, and if I made that decision without their consent, I would be stealing.

> As far as beating the crap out of an innocent victim through an indirect CBV attack, I haven't heard of a single instance of this. If you have, please present some evidence to prove that this is an actual problem. I'll say it again: if you want to DDoS someone, there are better ways that are virtually impossible to shut down. This "attack" scenario is comparatively easy to shut down, which is why no one uses it.

AOL has been accused of doing this for ages with DSNs. The argument that there are better ways to abuse people is absolutely insane. It is the same thing as saying that we will knowingly have small security holes in our system and that it doesn't matter because bigger ones already exist! mailfrom CBV cost-shifts without the permission of the receiver. Period. End of discussion. Why you choose to support that method is the question I am raising. My argument is that "it works" and "there are bigger dangers than this danger" are horrible supporting arguments for the approach.

Mechanisms that are adopted _should not_ abuse other people. Period. If you choose to ignore that or disagree with that, that is your business. There are many people out there who believe (in this case) that the ends justify the means. That is a dangerous path to start down; who knows what the next compromise will be.

>> Everyone has always blamed spammers for using cost-shifting tactics to avoid being "responsible." I find it entirely ironic that well known and well respected anti-spam advocates now say it's okay to cost shift. The Internet is a hostile place and people can pretty much use whatever tactics they want. But having a system with a lot of horsepower (as I assume pobox.com does) commit to a solution that will initiate unsolicited SMTP sessions to any victim an attacker chooses is... well... disappointing. It's as if cost-shifting is okay now that you are benefiting from it.

> Sorry, I don't benefit at all.

My "you" throughout has not been you personally; it has been "one who deploys mailfrom CBV." And yes, they do benefit, or they would not have implemented the solution.

> I just don't begrudge them the right to do a reasonable check on incoming mail, even if it costs me a few cents extra on my internet bill. In the present climate, they'd be foolish not to. Anyone else can do the same. Anyone can refuse to respond to CBV's from any or all sites. This sounds more like a philosophical issue than a practical one.

It is absolutely a philosophical issue. Sorry I didn't make that clearer in the beginning. Anyone _can_ do this. Implementation is actually very easy. In one weekend of work, we implemented a mailfrom_cbv inline check for Ecelerity. It supports up to 50,000 concurrent inbound sessions, all with concurrent active mailfrom_cbv checks, all on a single instance.

The question is whether one _should_ do that. Arguments of the "climate" do not provide a reason to compromise one's ethics/morals/responsibilities to not abuse a neighbor. It shouldn't happen off the Internet and it shouldn't happen on it. These are philosophical views. I just hope my argument gives people something to think about.

> Once SPF, or something like it, is in place, doing a CBV with a signed return-path is a completely justifiable action.

If you get an SPF allow back, I completely agree. Until then, you are knowingly deploying a technology that can be used to victimize the innocent. To me, that seems wrong, regardless of the benefit.

> The MAIL FROM: you have just received from a forwarder lists some other domain as the purported originating domain for the message. If the forwarder's RFROM passes SPF, it is perfectly reasonable to check the signed return-path with the purported originating domain. If the forwarder has played by the SPF rules, all of its forwarded mail will have been SPF checked when it received it. In that case, every CBV you do will be to the legitimate sender of the message. If any of the MAIL FROM:'s do not pass a CBV, then the first hop forwarder should be blacklisted for accepting forgeries. In such an environment, CBV's to innocent third parties should be rare, and they will result in either domains or forwarders being blacklisted, thus closing the hole. The small cost of the few CBV's that fail is well worth it to secure the email system back from the forgers. Even though the failed CBV's go to innocent third parties, the CBV will either stop the initiator of the CBV from propagating a joe-job message or will reject a forged bounce spam to the third party. In both cases, the third party still benefits.



>> You claim "Verizon and PoBox use callbacks to help qualify their incoming mail simply because it works." There are a lot of tactics in various arenas of life that "work" and that _IS NOT_ reason enough alone to use them.

> On the contrary, if something works for a serious common problem, you need a good reason not to use it. Shifting a small amount of cost to third parties is a reasonable tradeoff if the mechanism is equally available to everyone and the benefits are larger than the combined cost. I think it passes both of these tests, but I also think it is something that reasonable people can disagree on. If you like, you can refuse to accept CBV's from Verizon and PoBox. So can anyone else that finds it bothersome.

The benefits are larger than the combined costs? This argument is valid in a cost/benefit framework when a single entity realizes both the costs and the benefits. You are applying an economic paradigm to a problem that doesn't meet that paradigm's basic assumptions. A valid claim that the benefits outweigh the costs requires you to be able to valuate the costs. These costs are not your costs to realize and they are impossible for you to assume, and thus they are costs on which it is impossible for you to establish a legitimate value.

The costs are costs of others. You are incurring those costs without their permission. When spammers do this it is called stealing. I don't understand how (or if) you think that it can be called something else if the resources are stolen for "the purpose of good."

> An excellent idea. Please let us know how many people display the banner.

I'll propose it on some anti-spam forums. My issue isn't how many, it is who. Of particular interest is MTA vendors/authors and large-scale network implementors. It is easy for the systems admin of a small system to not see the ramifications as clearly as an experienced scalable systems architect.

Also, do not take this as a personal attack. I am attacking the "righteousness" of mailfrom CBV. Many people use it and like it but do not understand the implications. After learning how and why it is irresponsible, some change their position. After all, we are all trying to protect people's inboxes from abuse. I think we all have the same "master agenda" -- just some people have different line items than others.

// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
// Ecelerity: fastest MTA on Earth
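Added example, not code from the thread, from Ecelerity or from any other MTA: a self-contained simulation of the mailfrom CBV exchange the thread argues about and of the fan-out Theo describes. A minimal SMTP listener stands in for the MX of the domain whose address was forged into the return path, a client performs the HELO / MAIL FROM:<> / RCPT TO: / QUIT probe the way a CBV-running receiver would, and a spam run delivered to N such receivers is shown to land N unsolicited probe sessions on that MX. The listener also implements the mitigation Seth mentions (refusing to answer further callbacks), here as a per-peer limit on null-sender probes that returns a 450. Everything runs on 127.0.0.1; the hostnames, addresses, mailbox list and probe limit are constructed for illustration.

```python
"""Simulated MAIL FROM callback verification (CBV) and its fan-out.

Added example, not code from the list thread or from any MTA. Runs entirely
on 127.0.0.1; hostnames, addresses, the mailbox list and the probe limit
are constructed for illustration.
"""
import socket
import socketserver
import threading
from collections import Counter


class SMTPHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP for the victim MX to answer a callback."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        srv, peer = self.server, self.client_address[0]
        with srv.lock:
            srv.sessions += 1            # every connection costs the victim
        self.reply("220 mx.victim.example ESMTP")
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mx.victim.example")
            elif verb == "MAIL":
                # A callback is MAIL FROM:<>. Mitigation from the thread:
                # stop answering once a peer has sent too many of them.
                if arg.upper().replace(" ", "") == "FROM:<>":
                    with srv.lock:
                        srv.probes[peer] += 1
                        over = srv.limit is not None and srv.probes[peer] > srv.limit
                    if over:
                        self.reply("450 4.7.1 too many callbacks, try later")
                        continue
                self.reply("250 2.1.0 sender ok")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip().strip("<>").lower()
                if addr in srv.mailboxes:
                    self.reply("250 2.1.5 recipient ok")
                else:
                    self.reply("550 5.1.1 no such user")
            elif verb == "QUIT":
                self.reply("221 2.0.0 bye")
                break
            else:
                self.reply("500 5.5.1 command unrecognized")


class VictimMX(socketserver.ThreadingTCPServer):
    """The MX of the domain whose address was forged into the return path."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, mailboxes, limit=None):
        super().__init__(("127.0.0.1", 0), SMTPHandler)
        self.mailboxes = {m.lower() for m in mailboxes}
        self.limit = limit               # null-sender probes allowed per peer
        self.lock = threading.Lock()
        self.sessions = 0                # connections seen, wanted or not
        self.probes = Counter()          # null-sender probes per peer IP


def start_victim(mailboxes, limit=None):
    """Start a VictimMX on an ephemeral port in a daemon thread."""
    srv = VictimMX(mailboxes, limit)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def cbv(host, port, address, helo="cbv.receiver.example"):
    """One callback as a CBV-running receiver does it: HELO, MAIL FROM:<>,
    RCPT TO:<address>, QUIT. Returns the decisive reply code: 250 means the
    mailbox exists, 5xx that it does not, 4xx that the MX declined to say."""
    with socket.create_connection((host, port), timeout=5) as s:
        rf = s.makefile("rb")

        def cmd(line):
            s.sendall((line + "\r\n").encode())
            return int(rf.readline()[:3])

        if not rf.readline().startswith(b"220"):
            raise RuntimeError("no SMTP greeting")
        cmd("HELO " + helo)
        code = cmd("MAIL FROM:<>")
        if code == 250:
            code = cmd("RCPT TO:<%s>" % address)
        cmd("QUIT")
        return code


def spam_run(port, forged_return_path, n_receivers):
    """One forged message fanned out to n receivers that all run CBV: the
    victim MX gets one probe session per receiver, none of which it asked for."""
    return [cbv("127.0.0.1", port, forged_return_path) for _ in range(n_receivers)]


if __name__ == "__main__":
    srv, port = start_victim(["alice@victim.example"])
    print("alice ->", cbv("127.0.0.1", port, "alice@victim.example"))
    print("nobody ->", cbv("127.0.0.1", port, "nobody@victim.example"))
    spam_run(port, "alice@victim.example", 20)
    print("sessions at the victim after a 20-receiver spam run:", srv.sessions)
    srv.shutdown()
```

The fan-out is the whole point: the spammer opens one connection per receiving site, and each receiver that runs CBV opens one more to a third party it was never authorised to contact, so the victim's session count grows with the number of CBV deployments, not with the number of spam sources. The 450 limit shows the shape of the defence Seth describes; a real deployment would key it on source network and time window rather than a bare count.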

