
RE: SPF-compliant phishing?

2004-09-16 11:50:35
From: Meng Weng Wong
Sent: Thursday, September 16, 2004 12:16 PM

<...>

The only reason I don't think it's advisable to go with an
SES-only recommendation is this:

Because SES depends on a callback verification, it would be
trivial to trigger a DDOS by forging mail from an SES domain
to 100,000 receiving MTAs.  Under SPF, those receiving MTAs
launch a bunch of DNS queries.  Under SES, those receiving
MTAs start a bunch of SMTP sessions.  DNS can support
100,000 queries a lot better than SMTP can.

Therefore the combination of SPF and SES is still needed.

SES callbacks are now a single UDP packet to the domain MX with a single UDP
packet response.  There is no need for an SMTP callback, though it is still
supported.  Both positive and negative validation responses can be cached at
both ends.  In addition, it is feasible to use "stunt" DNS servers whose
only job in life is to respond to SES validation queries.

An additional feature to deal with the large number of queries that would
result from a joe-job is rate limiting negative validation responses by
requesting IP.  Positive validation responses are never delayed.  Any lack
of response to queries during a period of high query activity would only
cause temporary failures, so no legitimate mail would be rejected or lost.
As the negative validation result for a particular joe-job is cached at each
recipient, the requests would slow down and regular validation activity
would resume.

Because of the current method of dealing with replays, not a single replay
forgery would be delivered.  This would greatly discourage replay attacks as
a method of spam delivery.  As a DDoS mechanism, it is fairly impotent.
Each recipient MTA only generates one UDP request packet for each message.
If your aim is to DDoS a site, there are much easier and efficient ways.

Therefore, SES actually can stand alone.

--

Seth Goodman
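A constructed model of the two defences described in the reply (rate limiting negative validation replies per requesting IP while never delaying positives, and caching results at the recipient so a replayed forgery costs no further query). This is added example code, not code from the SES project or from anyone in the thread; the class names, the limit of three negatives per 60-second window, the signature strings and the IP address are all assumptions.

```python
from collections import defaultdict, deque

class SesValidator:
    """Responder at the SES domain's MX (constructed model, not SES code).
    Returns 'valid' or 'invalid'; None models a deliberately dropped reply."""
    def __init__(self, valid_sigs, neg_limit=3, window=60):
        self.valid_sigs = set(valid_sigs)
        self.neg_limit, self.window = neg_limit, window
        self.neg_sent = defaultdict(deque)  # requesting IP -> times of negative replies

    def respond(self, src_ip, sig, now):
        if sig in self.valid_sigs:
            return "valid"                  # positives are never delayed or dropped
        sent = self.neg_sent[src_ip]
        while sent and now - sent[0] >= self.window:
            sent.popleft()                  # forget replies outside the window
        if len(sent) >= self.neg_limit:
            return None                     # rate limit: no reply for this IP
        sent.append(now)
        return "invalid"

class RecipientMta:
    """Recipient side: caches both positive and negative results per signature."""
    def __init__(self, validator, my_ip):
        self.validator, self.my_ip = validator, my_ip
        self.cache, self.queries_sent = {}, 0

    def check(self, sig, now):
        if sig in self.cache:
            return self.cache[sig]          # replay of a known forgery costs no query
        self.queries_sent += 1
        reply = self.validator.respond(self.my_ip, sig, now)
        if reply is None:
            return "tempfail"               # no reply: defer, never reject or deliver
        self.cache[sig] = reply
        return reply

def simulate(forged_count=10, neg_limit=3):
    """Constructed joe-job: each second one new forged signature is seen twice,
    interleaved with one legitimate message; returns outcome counts."""
    mta = RecipientMta(SesValidator({"good-sig"}, neg_limit), "192.0.2.10")
    counts = {"valid": 0, "invalid": 0, "tempfail": 0}
    for now in range(forged_count):
        for sig in (f"forged-{now}", "good-sig", f"forged-{now}"):
            counts[mta.check(sig, now)] += 1
    counts["queries_sent"] = mta.queries_sent
    return counts
```

Running `simulate()` shows every legitimate message answered "valid" even once the responder has stopped replying to that IP's negative queries, and no forged message ever reaching delivery: each is either "invalid" or deferred.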

