spf-discuss

Re[3]: Informal request for comments (a new SMTP-CBV protocol)

2004-06-22 15:49:56
Tuesday, June 22, 2004, 7:46:00 PM, tony wrote:

TF> On Tue, 22 Jun 2004, Chris Drake wrote:
Tuesday, June 22, 2004, 12:29:11 AM, Tony wrote:

TF> Note that this protocol doesn't prevent joe jobs, because the
TF> forger won't advertise ChrisDrakeCBV regardless of whether the
TF> forged domain normally would.

The forged domain gets the opportunity to advertise its CBV support
in response to the VRFY command given to the VMTA (which can't happen
if SPF is also supported, since the joe-job would not have been
acceptable enough to trigger a CBV anyhow).

TF> So if the recipient does a CBV anyway, what's the advantage over
TF> properly specifying plain CBV?

per-message authentication, sender+recipient pair authentication,
dictionary attack prevention, OMTA CBV "opt out" mechanism,
extensibility, improved reliability with existing (non-CBV-aware)
MTAs, CBV loop avoidance, alternative verification service features,
etc etc...

Prevents dictionary attacks, since the RMTA can verify the sender
before letting the attacker know if the recipient exists, and (if the
attacker speaks SMTP-CBV) gives the RMTA a "constant" (the VMTA IP
address) to use for throttling attack speed.

TF> This paragraph disagrees with the protocol you described.

How so?

TF> The protocol you described performs the CBV between DATA and its response,
TF> which is after the oMTA has found out about the recipients.

The OMTA only knows if the recipients are valid after sending the data
and waiting for the response from the RMTA (which, in my scenario,
does the CBV in between).  Telnet into a yahoo MX or read up about
pipelining, or think about what you (as a dictionary attacker) have
learned when you do this:-

RCPT TO:<erghvqkwjechwk57678ijhfkjerh689o68fjkwrtghkjwhbvwehrv@yahoo.com>

and the MTA responds thusly:-

250 recipient <erghvqkwjechwk57678ijhfkjerh689o68fjkwrtghkjwhbvwehrv@yahoo.com> ok

Chris.
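The point Chris makes about the RCPT TO reply, as an added toy model that is not part of the original thread or of any real MTA: two receiving-MTA policies are compared, one that answers 550 at RCPT TO for an unknown mailbox and one that (like the yahoo MX behaviour quoted) answers 250 to every RCPT TO and only fails the transaction after DATA, once the sender has been verified. The mailbox directory, the addresses and the "sender_verified" flag standing in for the CBV outcome are all constructed for the example.

```python
# Toy model of the RCPT-stage information leak discussed in the thread.
# Two recipient-validation policies are compared:
#   "reject_at_rcpt"  - 550 at RCPT TO for unknown mailboxes
#   "defer_to_data"   - 250 to every RCPT TO; validity is only disclosed
#                       after DATA, and only once the sender is verified
# All names, addresses and the CBV result below are constructed.
from dataclasses import dataclass, field

# Constructed sample mailbox directory for the receiving MTA (RMTA).
KNOWN_MAILBOXES = {"alice@example.com", "bob@example.com"}


def mailbox_exists(addr: str) -> bool:
    return addr.lower() in KNOWN_MAILBOXES


@dataclass
class Session:
    policy: str                      # "reject_at_rcpt" or "defer_to_data"
    recipients: list = field(default_factory=list)


def rcpt_to(session: Session, addr: str) -> str:
    """RMTA reply to RCPT TO:<addr> under the session's policy."""
    if session.policy == "reject_at_rcpt" and not mailbox_exists(addr):
        return "550 5.1.1 no such user"
    # Deferred policy: every recipient is acknowledged identically, so the
    # reply carries no information about whether the mailbox exists.
    session.recipients.append(addr)
    return f"250 recipient <{addr}> ok"


def data(session: Session, sender_verified: bool) -> str:
    """RMTA reply after DATA.  'sender_verified' stands in for the
    hypothetical CBV outcome; under the deferred policy it is checked
    before any recipient verdict is disclosed."""
    if session.policy == "defer_to_data":
        if not sender_verified:
            return "550 5.7.1 sender verification failed"
        if not any(mailbox_exists(r) for r in session.recipients):
            return "550 5.1.1 no valid recipients"
    return "250 message accepted"


def rcpt_replies_distinguish(policy: str, addrs) -> bool:
    """True if the RCPT-stage replies differ between existing and
    non-existing addresses, i.e. an unauthenticated probe learns at
    RCPT time which mailboxes exist."""
    replies = {}
    for a in addrs:
        s = Session(policy)
        # Strip the echoed address so only the verdict is compared.
        replies[a] = rcpt_to(s, a).replace(f"<{a}>", "<addr>")
    return len(set(replies.values())) > 1


if __name__ == "__main__":
    probes = ["alice@example.com", "nosuchuser12345@example.com"]
    for policy in ("reject_at_rcpt", "defer_to_data"):
        print(policy, "leaks at RCPT:", rcpt_replies_distinguish(policy, probes))
```

Under the deferred policy the RCPT replies for a real and a bogus address are identical, and an unverified sender is refused after DATA before any recipient verdict is returned; that is the ordering the thread relies on for the "dictionary attack prevention" claim.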