Mailing List Archive: SPF: SRS

Re: timestamp and bounce spam

Index | Next | Previous | View Threaded

B.Candler at pobox

Feb 21, 2004, 4:39 AM

Post #1 of 24 (4632 views)
Permalink

Re: timestamp and bounce spam

On Fri, Feb 20, 2004 at 06:08:22PM -0600, Seth Goodman wrote:
> > [Seth Goodman]
> > The problem seems to be that all the information needed for this
> > exploit is
> > sent in the clear. I think the situation is very different if the MTA at
> > forwarding-domain implements SRS with local storage and some of this
> > information is hidden.
>
> Actually, I don't even think this is true. In the database driven method in
> Shevek's description, everything a downstream MTA needs to send a valid
> bounce back to the first forwarder is included in the rewritten
> envelope-sender address.

Sure. If the magic envelope-sender is valid for (say) 10 days, then it can
be used to send *any* message (including spam) for those 10 days. It's
impossible to do otherwise; even crypto signing the whole message is no
good, because a bounce/DSN is a different messsage containing different
content - i.e. status information about the failure.

So you want to hide it where possible - in particular, don't display the
Return-Path: on mailing list archives. And don't send mails to spammers :-)
(That might sound like a silly comment, but naive users *do* often send
complaints or 'remove me' messages in response to spam)

Regards,

Brian.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

mengwong at dumbo

Feb 21, 2004, 9:01 AM

Post #2 of 24 (4529 views)
Permalink

Re: timestamp and bounce spam [In reply to]

On Sat, Feb 21, 2004 at 11:39:58AM +0000, Brian Candler wrote:
|
| So you want to hide it where possible - in particular, don't display the
| Return-Path: on mailing list archives. And don't send mails to spammers :-)
| (That might sound like a silly comment, but naive users *do* often send
| complaints or 'remove me' messages in response to spam)
|

I know this smacks of security through obscurity, but in practice, it's
pretty hard for spammers to get their hands on SRS addresses --- unless
they:

1 - sign up at pobox.com
2 - forward spammer [at] pobox to actualspammer [at] spam
3 - forge a message from victim [at] aol to spammer [at] pobox

Then they could

4 - inject spam to pobox.com to victim [at] aol

The logical next step would be for pobox.com to secure its borders by

5 - rejecting SPF fails at step 3
6 - rejecting SPF fails at step 4

Are there other ways a spammer could pick up the SRS-encoded return-path?

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

B.Candler at pobox

Feb 21, 2004, 11:15 AM

Post #3 of 24 (4539 views)
Permalink

Re: timestamp and bounce spam [In reply to]

On Sat, Feb 21, 2004 at 11:01:24AM -0500, Meng Weng Wong wrote:
> I know this smacks of security through obscurity, but in practice, it's
> pretty hard for spammers to get their hands on SRS addresses --- unless
> they:
>
> 1 - sign up at pobox.com
> 2 - forward spammer [at] pobox to actualspammer [at] spam
> 3 - forge a message from victim [at] aol to spammer [at] pobox
>
> Then they could
>
> 4 - inject spam to pobox.com to victim [at] aol

Well yes, but if I understand rightly, all that would happen would be that
pobox.com would strip off the SRS and return the spam to <victim [at] aol>.
Since the spammer is a pobox.com customer they could just send the spam
directly anyway.

I think this goes back to my original point: aol.com should take
responsibility for protecting their users against invalid bounces. That
means using sender cookies (e.g. SRS) in *all* outgoing mail from aol.com,
and rejecting bounces which are not signed.

Regards,

Brian.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

sethg at GoodmanAssociates

Feb 21, 2004, 12:25 PM

Post #4 of 24 (4502 views)
Permalink

RE: timestamp and bounce spam [In reply to]

> [Meng Weng Wong]
> Are there other ways a spammer could pick up the SRS-encoded
> return-path?

Scraping the archives of not so diligent mailing lists or mailing lists
that use weak obfuscation, as mentioned in previous postings. I don't
know much about these vulnerabilities personally, as I've never
administered a list, but if you can get that SRS info for the first hop,
you have an open channel into that box for quite a while. See my
subsequent posting for a couple of suggestions to close this loophole,
if anyone cares to.

--

Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

sethg at GoodmanAssociates

Feb 21, 2004, 5:13 PM

Post #5 of 24 (4570 views)
Permalink

RE: timestamp and bounce spam [In reply to]

> [Brian Candler]
> I think this goes back to my original point: aol.com should take
> responsibility for protecting their users against invalid
> bounces. That
> means using sender cookies (e.g. SRS) in *all* outgoing mail
> from aol.com,
> and rejecting bounces which are not signed.

I don't think that protects them from the exploit I've outlined. If
anyone gets a copy of a SRS-signed message, they can send a
legitimate-looking bounce regardless of the content. I'll let others
who know more about how hard this is to do decide how likely it is for a
spammer to obtain this information, but if they can, it is an open door.
I know that neither SPF or SRS will stop spam, but we certainly don't
want to open a validated channel for them to spam through.

Here are a couple of possible fixes for this exploit, some requiring
local storage, some not, giving various degrees of protection. The
first scheme retains Shevek's shortcut scheme for sending a bounce
directly back to the first hop). The rest of them break that
beautifully elegant scheme.

The schemes that break Shevek's shortcut method force a bounce to
traverse the same outgoing path the message took. While this is clearly
not optimal, I believe that legitimate bounces are a small part of
normal message traffic so this fact by itself should not impact
throughput much on real systems. Hopefully, someone more knowledgeable
about message traffic than myself can shed some light on that statement.

A) No SRS modification, minimal local storage
---------------------------------------------

This scheme allows a single spam to be delivered per SRS-signed address
harvested. Since I don't really know how hard it is to get someone's
SRS-signed envelope-sender information, I don't know if this is a
sufficiently high barrier for the spammers. The good part is that is
only requires local storage for each successful bounce message received
as opposed to all outgoing messages. I don't think it's possible for a
spoofed bounce message to beat a legitimate bounce message back to the
original forwarding MTA, but I'll leave that to the MTA experts to
answer. If that were possible, it would be serious as we need to
receive 100% of legitimate bounces.

1) When an MTA receives a bounce, validate the SRS0 hash.

2) If the hash verifies, check the local bounce cache for the
hash_value/timestamp. If it exists in the local cache, reject the
bounce.

3) If the hash_value/timestamp does not exist in the local cache, enter
it in the cache and accept the bounce.

B) Significant SRS modification, no local storage
-------------------------------------------------

This scheme includes the next hop address in the hash calculation. It
thereby causes rejection of a bounce coming from any other domain. The
cost of this particular scheme is twofold. First, it requires an
additional hash calculation at each forwarding hop. I'll let the MTA
experts pass judgment here, but avoiding open relaying via bounces is an
important goal and is worth some CPU cycles. The second cost is that
the envelope-sender address grows with each hop. While multiple
forwards could easily cause the address to exceed the 64-byte limit,
Shevek already states in his section 3.4 that the current SRS is likely
to exceed that limit anyway. Again, I'll let the MTA experts comment on
how much of a burden the longer address is. The entire message path in
the clear, but those are the only possible injection points for forged
bounce messages. This could be made stronger by reversibly encrypting
the next hop address at each stage, so it is not in the clear, using the
forwarding domain secret key salted with the previous link hash value.
I think that would be over-the-top, but quite secure.

1) Include the next hop domain in the SRS0 record hash calculation but
do not put it in the record. That is, calculate the hash over
<TT+next_hop_domain+original_hostname+original_username>. When a bounce
comes in, the MTA will put the connecting domain in the appropriate
place to do the hash validation. Each subsequent forwarder moves the
previous forwarder address from after the @ symbol to left of the
leftmost hash, calculates a hash over the address with the next hop
prepended, places this new hash at the leftmost end and appends it own
address after the @ symbol. This protects each subsequent forwarder's
address from later forgery. Here is an example showing the
envelope-sender (return-path) address as it passes through three
forwarders:

SRS0+HHH1+TT+original_hostname+original_username [at] forwarding_domain_

SRS1+HHH2+forwarding_domain_1+HHH1+TT+original_hostname+original_usernam
e [at] forwarding_domain_

SRS1+HHH3+forwarding_domain2+HHH2+forwarding_domain_1+HHH1+TT+original_h
ostname+original_username [at] forwarding_domain_

2) If forwarding_domain_3 is unable to deliver the message to the next
hop, bounces it back to forwarding_domain_2 with the same return-path
minus the HHH3 and forwarding_domain_2 fields, as follows:

SRS1+HHH2+forwarding_domain_1+HHH1+TT+original_hostname+original_usernam
e [at] forwarding_domain_

3) Upon receipt of the bounce, forwarding_domain_2 inserts the domain
name of the connecting machine (forwarding_domain_3) and verifies hash
HHH2 over:

forwarding_domain_3+forwarding_domain_1+HHH1+TT+original_hostname+origin
al_username

4) If the hash verifies, forwarding_domain_2 bounces the message back to
forwarding_domain_1 with the same return-path minus the HHH2 and
forwarding_domain_1 fields. Since it is now going back to the first hop
address, the return path looks like:

SRS0+HHH1+TT+original_hostname+original_username [at] forwarding_domain_

5) Upon receipt of the bounce, forwarding_domain_1 inserts the domain
name of the connecting machine (forwarding_domain_2) and verifies hash
HHH1 over:

forwarding_domain_2+original_hostname+original_username

6) If the hash verifies, it accepts the bounce and sends it back to
original_username [at] original_hostname

C) No SRS modification, lots of local storage
---------------------------------------------

This approach stores the forward-from and forward-to return-path
information for every message locally, not in the SRS address. To
defeat this approach, the spammer has to send the bogus bounce message
from one point on the original message outgoing path to the preceding
one. Since the spammer can't know the original message path, he is at a
disadvantage. Of course, he can guess that there were no forwarding
hops beyond the first one and he would be right most of the time. We
can defeat that by always using at least two forwarding hops instead of
one to hide the original forwarder, since Shevek's scheme only shows the
address of the last forwarder in the chain. This is not desirable, but
neither is open relaying. The real cost of this approach, however, is
that forwarding information must be kept on _every_ outgoing message,
since we can't know ahead of time which ones will come back. Though the
information can be discarded after a short while, storing it in the
first place may be burdensome.

1) For every outgoing SRS-signed message, store the SRS0 hash value,
timestamp, domain forwarded from and domain forwarded to.

2) When an MTA receives a bounce, if that MTA was the first hop,
validate the hash. If the hash validation fails, reject the bounce.

3) If the hash validates or the MTA was not the first hop, check the
outgoing message cache to see if that hash value/timestamp was forwarded
to the domain that is now attempting to deliver the bounce.

4) If the connecting domain attempting to deliver the bounce is the same
as the one the message was originally forwarded to, accept the bounce
and forward it back to the original domain (or local user) forwarded
from. Otherwise, reject the bounce.

--

Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

sethg at GoodmanAssociates

Feb 21, 2004, 5:24 PM

Post #6 of 24 (4488 views)
Permalink

RE: timestamp and bounce spam [In reply to]

There is a mistake in my description of method B, step 5:

> 5) Upon receipt of the bounce, forwarding_domain_1 inserts the domain
> name of the connecting machine (forwarding_domain_2) and verifies hash
> HHH1 over:
>
> forwarding_domain_2+original_hostname+original_username

The last line should read:

forwarding_domain_2+TT+original_hostname+original_username

--

Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

admin at asarian-host

Feb 21, 2004, 6:52 PM

Post #7 of 24 (4539 views)
Permalink

Re: timestamp and bounce spam [In reply to]

----- Original Message -----
From: "Seth Goodman" <sethg [at] GoodmanAssociates>
To: <srs-discuss [at] v2>
Sent: Sunday, February 22, 2004 1:13 AM
Subject: RE: [srs-discuss] timestamp and bounce spam

> This scheme allows a single spam to be delivered per SRS-signed address
> harvested. Since I don't really know how hard it is to get someone's
> SRS-signed envelope-sender information, I don't know if this is a
> sufficiently high barrier for the spammers. The good part is that is
> only requires local storage for each successful bounce message received
> as opposed to all outgoing messages. I don't think it's possible for a
> spoofed bounce message to beat a legitimate bounce message back to the
> original forwarding MTA, but I'll leave that to the MTA experts to
> answer. If that were possible, it would be serious as we need to
> receive 100% of legitimate bounces.

I have been following this discussion for a while. And I have a few comments
to make.

Perhaps you are looking at this from the wrong angle? An SRS address is --
or rather, should never be, considered a pass-key. Instead of using positive
logic, we should use negative logic: "Not every bounce whose envelope-from
passes the SRS 'reverse' test, is valid per se for that reason. But should
that same envelope-from fail the test, or is not SRS signed at all, then it
may be invalid."

An empty envelope-from + unsigned SRS address + DATA phase, these three
conditions together are eough to make a negative determination: the bounce
is fake -- assuming, of course, you sign your outgoing envelope-from
addresses. That is negative logic: not the presence of a valid SRS signed
address determines our course, but the absence of an (expected) SRS address
+ two supporting conditions. I outlined most of this in my sendmail
integration project:

http://asarian-host.net/srs/sendmailsrs.htm

If you are going into this, with the idea of a single SRS address, in and by
itself, providing a positive, water-proof authentication, then I fear you wi
ll be disappointed.

> 1) When an MTA receives a bounce, validate the SRS0 hash.
>
> 2) If the hash verifies, check the local bounce cache for the
> hash_value/timestamp. If it exists in the local cache, reject the bounce.
>
> 3) If the hash_value/timestamp does not exist in the local cache, enter it
> in the cache and accept the bounce.

You lost me here. If I sign A address, to form SRS address B, then if I sign
A again, the new address C will be the same as address B (for a while). So,
are you saying, that if I send out 5 messages in a row, that I can only
receive one bounce for the lot? Surely not, I hope.

Cheers,

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

admin at asarian-host

Feb 21, 2004, 8:27 PM

Post #8 of 24 (4539 views)
Permalink

Re: timestamp and bounce spam [In reply to]

----- Original Message -----
From: "Seth Goodman" <sethg [at] GoodmanAssociates>
To: <srs-discuss [at] v2>
Sent: Sunday, February 22, 2004 1:13 AM
Subject: RE: [srs-discuss] timestamp and bounce spam

> B) Significant SRS modification, no local storage
>
> -------------------------------------------------
>
> This scheme includes the next hop address in the hash calculation. It
> thereby causes rejection of a bounce coming from any other domain.

An interesting thought. :) But define 'domain'.

1): Is it the domain name of the recipient email address? In that case, that
domain name may not correspond with the MX you are speaking to (or sends the
bounce).

2): Is the the domain name of the MX? In that case, the domain name of the
MTA that sends you the bounce may not match that of the MTA you connected
to.

3): Is it the IP address of the MX you talked to? Same objection: the MTA
that sends you the bounce may differ from who you earlier talked to.

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

B.Candler at pobox

Feb 22, 2004, 3:32 AM

Post #9 of 24 (4499 views)
Permalink

Re: timestamp and bounce spam [In reply to]

On Sat, Feb 21, 2004 at 06:13:45PM -0600, Seth Goodman wrote:
> > [Brian Candler]
> > I think this goes back to my original point: aol.com should take
> > responsibility for protecting their users against invalid
> > bounces. That
> > means using sender cookies (e.g. SRS) in *all* outgoing mail
> > from aol.com,
> > and rejecting bounces which are not signed.
>
> I don't think that protects them from the exploit I've outlined. If
> anyone gets a copy of a SRS-signed message, they can send a
> legitimate-looking bounce regardless of the content. I'll let others
> who know more about how hard this is to do decide how likely it is for a
> spammer to obtain this information, but if they can, it is an open door.
> I know that neither SPF or SRS will stop spam, but we certainly don't
> want to open a validated channel for them to spam through.

Sure: SRS gives a validated channel which effectively says "if you have
*seen* one of my outgoing messages (including the raw envelope sender) in
the past <X> days, you can send me stuff".

> 1) When an MTA receives a bounce, validate the SRS0 hash.
>
> 2) If the hash verifies, check the local bounce cache for the
> hash_value/timestamp. If it exists in the local cache, reject the
> bounce.
>
> 3) If the hash_value/timestamp does not exist in the local cache, enter
> it in the cache and accept the bounce.

Problem: if the spammer captures the address in the way you suggest is
likely to defeat SRS, before your message has bounced,
(a) you will receive one spam, but more importantly
(b) you will not receive the legitimate bounce

Bounces from store-and-forward systems often arrive towards the end of the
expiry time.

> This scheme includes the next hop address in the hash calculation. It
> thereby causes rejection of a bounce coming from any other domain.

Nice idea. The problem with this scheme seems to be that I think you are
assuming that the domain of a reverse DNS lookup [or HELO name] bears some
relationship to the domain of the original recipient. This is generally not
true. A common example I see:

vanity.com. MX 10 mail.vanity.com.
MX 20 mail.otherisp.com.

mail.vanity.com. A 192.0.2.10

10.2.0.192.in-addr.arpa. PTR mailhost.myisp.net.
mailhost.myisp.net. A 192.0.2.10

So a message to foo [at] vanity may get a bounce back from
mailhost.myisp.net.

Furthermore: in ISPs where I've worked, there's so much bounce mail (much of
it undeliverable) that they are forwarded to the separate smarthost cluster
to deal with. So the bounce may in fact come from a machine whose reverse
DNS is something like
smarthost-4.mail.myisp.net.

So the only way I can see your scheme working is for users to make a
declaration in the DNS in an SPF-like way: "bounces for mail to any user at
domain A can come from IP addresses X, Y, Z".

That to me sounds like the strongest suggestion so far. But since the bounce
*envelope* does not contain any information about the address being
rejected, it would involve parsing DSNs looking for the recipient address,
which is really very difficult. And it would break forwarding too.

I think you would have to track each forwarding hop in the SMTP envelope,
noting each address which was rewritten for forwarding. I think I saw an
OSNDR (original sender) RFC once, but I doubt it's widely implemented. We
would also need an "original recipient" for bounces.

> We
> can defeat that by always using at least two forwarding hops instead of
> one to hide the original forwarder, since Shevek's scheme only shows the
> address of the last forwarder in the chain. This is not desirable, but
> neither is open relaying. The real cost of this approach, however, is
> that forwarding information must be kept on _every_ outgoing message,
> since we can't know ahead of time which ones will come back. Though the
> information can be discarded after a short while, storing it in the
> first place may be burdensome.

And remember that outgoing forwarding clusters are often separate from
incoming mail handling clusters, so making use of per-message storage means
some sort of shared database accessible (e.g. an NFS store, SQL database)
accessible by all the machines in both clusters. That's a big scaling hammer
to crack the bounce nut.

Regards,

Brian.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

sethg at GoodmanAssociates

Feb 22, 2004, 2:38 PM

Post #10 of 24 (4530 views)
Permalink

RE: timestamp and bounce spam [In reply to]

> [Mark]
> Perhaps you are looking at this from the wrong angle? An SRS
> address is --
> or rather, should never be, considered a pass-key. Instead of
> using positive
> logic, we should use negative logic: "Not every bounce whose
> envelope-from
> passes the SRS 'reverse' test, is valid per se for that
> reason. But should
> that same envelope-from fail the test, or is not SRS signed
> at all, then it
> may be invalid."
>
> An empty envelope-from + unsigned SRS address + DATA phase,
> these three
> conditions together are eough to make a negative
> determination: the bounce
> is fake -- assuming, of course, you sign your outgoing envelope-from
> addresses. That is negative logic: not the presence of a
> valid SRS signed
> address determines our course, but the absence of an
> (expected) SRS address
> + two supporting conditions. I outlined most of this in my sendmail
> integration project:
>
> http://asarian-host.net/srs/sendmailsrs.htm
>
> If you are going into this, with the idea of a single SRS
> address, in and by
> itself, providing a positive, water-proof authentication,
> then I fear you wi
> ll be disappointed.

As SRS stands now, I am disappointed. By making these various
suggestions, all I'm asking is: is there a way to avoid having an
SRS-signed address give a spammer a clear channel into my mailer? I
understand that I can and will always further scrutinize every message,
even if it passes SPF and SRS. However, an explicit SRS-pass is a
positive value in any weighting scheme, and that makes spam harder to
detect. To make matters worse, legitimate DSN's are among the most
important messages, which leads one to be more lenient in scoring
apparent bounces (assuming that we put enough logic in the mailer to do
that). Perhaps I will be disappointed, but I would like to find out if
we can do something with SRS to avoid encouraging bounce spam.

>
> > 1) When an MTA receives a bounce, validate the SRS0 hash.
> >
> > 2) If the hash verifies, check the local bounce cache for the
> > hash_value/timestamp. If it exists in the local cache,
> reject the bounce.
> >
> > 3) If the hash_value/timestamp does not exist in the local
> cache, enter it
> > in the cache and accept the bounce.
>
> You lost me here. If I sign A address, to form SRS address B,
> then if I sign
> A again, the new address C will be the same as address B (for
> a while). So,
> are you saying, that if I send out 5 messages in a row, that
> I can only
> receive one bounce for the lot? Surely not, I hope.

You are absolutely right. With the timestamp set to one day resolution,
that invalidates this bounce cache approach. I personally think it
unnecessarily miserly in character count to do that. I would recommend
that the timestamp have at least 1 millisecond resolution, so that it
can support a couple of million messages per hour with unique
timestamps. Looking to the future, with faster hardware and more
network bandwidth, we should probably consider 100microsecond
resolution.

With 14-bits to the right of the binary point, we have 61 microsecond
resolution or 59 million unique timestamps per hour. With the present
12-bit day field, that gives a total of 26-bits, or six base-32
characters. If we reduce the number of bits in the day field from 12 to
11, it would be 25-bits total, or five base-32 characters. This
increases the timestamp from two characters to five, but there is an
immediate bounce-spam prevention payback. There now, I'll surely be
flamed, but like they say, if 'ya can't take the heat, get out of the
kitchen.

If we change the secret at least every five years (that's pretty
reasonable, isn't it?), we are then covered for when the timestamp wraps
around every 5.6 years. Every single message we ever send will have a
unique timestamp. Since I was suggesting storing the timestamp with the
hash value in the bounce cache, a hash collision is not even a
consideration. In fact, if we increase the timestamp resolution as I
have suggested, all we have to store is the timestamp itself since that
uniquely identifies an outgoing message. This is starting to sound
interesting.

As an aside, and risking a total list flameout, let me suggest that we
entertain using six base-32 characters for the timestamp: 16-bits for
the day field and 14-bits for the fractional day field. That gives us
61 microsecond resolution over a period of 179 years. The eleven year
rollover is now history and the timestamp becomes a unique message ID
right in the return-path. Really, a six character timestamp field is
small compared to the address information so what's the real issue here?
Certainly not network bandwidth, considering the bloated HTML emails
flying around. Being a hardware guy (quick, get the clue bat!), I can
tell you that you can't even send an Ethernet packet shorter than about
64 bytes, so let's keep things in perspective. A packet could
theoretically get shortened at a network bridge further down the line,
but even ATM packets have fixed 53 byte payloads, so let's get real.
Segmentation and reassembly across network bridges is not trivial, but
in general, very short packets get padded and stay that way for ease of
implementation. Unless you are using a dialup modem, your short telnet
strings are being padded out to 64 bytes before they leave your machine
and stripped at the destination.

Getting back to the local bounce-cache idea, even with a unique
timestamp on each message, that still leaves Brian's objection, which I
also posted as a possibility earlier. That is, if a forged bounce beats
a legitimate back to the MTA for a given outgoing message, it would
effectively block the legitimate bounce. If this can really happen,
Brian is right and the method is kaput. However, I think (hope) it
can't happen for the following reason (again, help me out if I'm
misunderstanding something): until the message is delivered to the end
target, there is no way for a spammer to harvest the SRS-signed return
path from it. If it is successfully delivered and a spammer harvests
the return-path, there will be no DSN. If it bounces anywhere along the
delivery path, there is nothing for the spammer to harvest so the real
DSN will be the only one coming back. Does this analysis hold water?

--

Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

sethg at GoodmanAssociates

Feb 22, 2004, 2:50 PM

Post #11 of 24 (4543 views)
Permalink

RE: timestamp and bounce spam [In reply to]

> > B) Significant SRS modification, no local storage
> >
> > -------------------------------------------------
> >
> > This scheme includes the next hop address in the hash
> calculation. It
> > thereby causes rejection of a bounce coming from any other domain.
>
> An interesting thought. :) But define 'domain'.

Sorry that I wasn't explicit. I meant permitted mailers for the next
hop domain as specified in the SPF record.

>
> 1): Is it the domain name of the recipient email address? In

Nope.

> that case, that
> domain name may not correspond with the MX you are speaking
> to (or sends the
> bounce).
>
> 2): Is the the domain name of the MX? In that case, the

Closer.

> domain name of the
> MTA that sends you the bounce may not match that of the MTA
> you connected
> to.
>
> 3): Is it the IP address of the MX you talked to? Same
> objection: the MTA
> that sends you the bounce may differ from who you earlier talked to.

I was thinking of all permitted mailers for the next hop domain. My
thought was that the SPF record is supposed to include all of them,
including backup and bounce mailers.

--

Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

daniel at roe

Feb 22, 2004, 3:30 PM

Post #12 of 24 (4533 views)
Permalink

Re: timestamp and bounce spam [In reply to]

Seth Goodman <sethg [at] GoodmanAssociates> [2004-02-22/15:38]:
> Getting back to the local bounce-cache idea, even with a unique
> timestamp on each message, that still leaves Brian's objection, which
> I also posted as a possibility earlier. That is, if a forged bounce
> beats a legitimate back to the MTA for a given outgoing message, it
> would effectively block the legitimate bounce. If this can really
> happen, Brian is right and the method is kaput. However, I think
> (hope) it can't happen for the following reason (again, help me out if
> I'm misunderstanding something): until the message is delivered to
> the end target, there is no way for a spammer to harvest the
> SRS-signed return path from it. If it is successfully delivered and a
> spammer harvests the return-path, there will be no DSN. If it bounces
> anywhere along the delivery path, there is nothing for the spammer to
> harvest so the real DSN will be the only one coming back. Does this
> analysis hold water?

This analysis works just fine (I tink).

But there's another problem, as I pointed out in earlier discussions
about this issue. There can be more than one legitimate bouce. Consider
a message sent to a multi recipient alias, something like this in an
aliases file:

xxx: yyy [at] yyy,zzz [at] zzz

Say both bounce, you'd certainly want both bounces. But they will both
be sent to the same address.

Furthermore, some MTA send a "You do not need to take action" bounce for
messages which have been waiting in the queue for a long time, and then
send a later final bounce when the full 5 days are over and it still
could not be delivered. You'd want the second bounce too.

Limiting the number of bounces to receive on any single bounce address
is fundamentally flawed. I'd consider such limits harmful (others migth
not).

Cheers,
Dan

--
Daniel Roethlisberger <daniel [at] roe>
GnuPG key ID 0x804A06B1 (DSA/ElGamal)

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

admin at asarian-host

Feb 22, 2004, 3:45 PM

Post #13 of 24 (4530 views)
Permalink

Re: timestamp and bounce spam [In reply to]

----- Original Message -----
From: "Seth Goodman" <sethg [at] GoodmanAssociates>
To: <srs-discuss [at] v2>
Sent: Sunday, February 22, 2004 10:38 PM
Subject: RE: [srs-discuss] timestamp and bounce spam

> > If you are going into this, with the idea of a single SRS address, in
> > and by itself, providing a positive, water-proof authentication, then I
> > fear you will be disappointed.
>
> As SRS stands now, I am disappointed. By making these various
> suggestions, all I'm asking is: is there a way to avoid having an
> SRS-signed address give a spammer a clear channel into my mailer?

A valid question. :)

> > > 1) When an MTA receives a bounce, validate the SRS0 hash.
> > >
> > > 2) If the hash verifies, check the local bounce cache for the
> > > hash_value/timestamp. If it exists in the local cache,
> > > reject the bounce.
> > >
> > > 3) If the hash_value/timestamp does not exist in the local cache,
> > > enter it in the cache and accept the bounce.
> >
> > You lost me here. If I sign A address, to form SRS address B, then if I
> > sign A again, the new address C will be the same as address B (for a
> > while). So, are you saying, that if I send out 5 messages in a row, that
> > I can only receive one bounce for the lot? Surely not, I hope.
>
> You are absolutely right. With the timestamp set to one day resolution,
> that invalidates this bounce cache approach. I personally think it
> unnecessarily miserly in character count to do that. I would recommend
> that the timestamp have at least 1 millisecond resolution, so that it
> can support a couple of million messages per hour with unique
> timestamps.

Having unique SRS addresses could be accomplished, for instance, by
inserting a randomized part in the string we encrypt. For example, in the
"X-trace" string in my headers, I use Rijndael to encrypt user-info. But I
lace that user-info with random characters, every other position, obtained
from /dev/urandom. Then I encrypt. This way, I never have the same output.
And upon decryption, of course, I remove every other character from the
reversed string. If SRS did something like this too, you would always get
unique addresses, without having to tinker with the timestamp.

I think the overall usefulness of having unique SRS addresses is
questionable, though. As pointed out by others as well, there are too many
objections to the "only-one-bounce-per-address" rule.

Cheers,

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

sethg at GoodmanAssociates

Feb 22, 2004, 3:58 PM

Post #14 of 24 (4540 views)
Permalink

RE: timestamp and bounce spam [In reply to]

> [Mark]
> Having unique SRS addresses could be accomplished, for instance, by
> inserting a randomized part in the string we encrypt. For
> example, in the
> "X-trace" string in my headers, I use Rijndael to encrypt
> user-info. But I
> lace that user-info with random characters, every other
> position, obtained
> from /dev/urandom. Then I encrypt. This way, I never have the
> same output.
> And upon decryption, of course, I remove every other
> character from the
> reversed string. If SRS did something like this too, you
> would always get
> unique addresses, without having to tinker with the timestamp.

The additional timestamp information requires no more system overhead
than the limited timestamp, we have already made the system call to get
it and I am just suggesting throwing less of it away. That is certainly
a lot simpler than reversible encryption.

>
> I think the overall usefulness of having unique SRS addresses is
> questionable, though. As pointed out by others as well, there
> are too many
> objections to the "only-one-bounce-per-address" rule.

You're right about that. Daniel pointed out the problem with multiple
recipients and that has to be solved to be useful. This either means
keeping track of how many recipients each message has locally, or this
could be part of the SRS header. I agree there are some difficulties,
but if we don't do anything, we have just created a clear channel for
spamming.

--

Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

spf at anarres

Feb 22, 2004, 4:53 PM

Post #15 of 24 (4556 views)
Permalink

RE: timestamp and bounce spam [In reply to]

On Sun, 22 Feb 2004, Seth Goodman wrote:

> As SRS stands now, I am disappointed. By making these various
> suggestions, all I'm asking is: is there a way to avoid having an
> SRS-signed address give a spammer a clear channel into my mailer? I

SRS is not designed to prevent spam.

SRS is not designed to prevent spam.

A spammer has a clear channel into your mailer anyway - he can just mail
you. SRS is not designed to provide any weighting for spam trapping. If in
practice it does so (quite likely, given its inherent integrity), that
will be a bonus.

> understand that I can and will always further scrutinize every message,
> even if it passes SPF and SRS. However, an explicit SRS-pass is a
> positive value in any weighting scheme, and that makes spam harder to

If it is, that's the first I've heard of it, but I suspect it isn't
unreasonable to do so.

> detect. To make matters worse, legitimate DSN's are among the most
> important messages, which leads one to be more lenient in scoring
> apparent bounces (assuming that we put enough logic in the mailer to do
> that). Perhaps I will be disappointed, but I would like to find out if
> we can do something with SRS to avoid encouraging bounce spam.

If a spammer gets hold of an SRS return address, he can mail you for 14
days. This isn't the end of the world. Don't mail the spammer, then he
can't get the address. It's already putting a hell of an expense on
spammers when all SRS addresses expire after 14 days anyway. They want
addresses to stay live for years, not days.

> You are absolutely right. With the timestamp set to one day resolution,
> that invalidates this bounce cache approach. I personally think it
> unnecessarily miserly in character count to do that. I would recommend
> that the timestamp have at least 1 millisecond resolution, so that it
> can support a couple of million messages per hour with unique
> timestamps. Looking to the future, with faster hardware and more
> network bandwidth, we should probably consider 100microsecond
> resolution.

Why on earth would you want to make email addresses expire with
microsecond resolution? When measuring miles, don't use a micrometer.
We're talking about expiry periods between 1 week and 21 days. Why would
anyone care about 6 hours here or there?

To be honest, you can put anything you like in the timestamp field if you
override timestamp_create() and timestamp_check() in some subclass of
Mail::SRS. This is part of the reason for keeping it as a separate field.
However, it seems singularly pointless to go to microseconds.

> With 14-bits to the right of the binary point, we have 61 microsecond
> resolution or 59 million unique timestamps per hour. With the present
> 12-bit day field, that gives a total of 26-bits, or six base-32
> characters. If we reduce the number of bits in the day field from 12 to
> 11, it would be 25-bits total, or five base-32 characters. This
> increases the timestamp from two characters to five, but there is an
> immediate bounce-spam prevention payback. There now, I'll surely be
> flamed, but like they say, if 'ya can't take the heat, get out of the
> kitchen.

[SNIP]

> As an aside, and risking a total list flameout, let me suggest that we
> entertain using six base-32 characters for the timestamp: 16-bits for

Feel free to write a subclass overriding timestamp_create() and
timestamp_check(), and use it. You will still be SRS compliant if you do
so. If you want me to export the base32 code for your benefit, I can do
this in a future release.

> the day field and 14-bits for the fractional day field. That gives us
> 61 microsecond resolution over a period of 179 years. The eleven year
> rollover is now history and the timestamp becomes a unique message ID

Which needs storing... which needs backing store... so you might as well
use the DBM solution.

[SNIP]

> Getting back to the local bounce-cache idea, even with a unique
> timestamp on each message, that still leaves Brian's objection, which I
> also posted as a possibility earlier. That is, if a forged bounce beats
> a legitimate back to the MTA for a given outgoing message, it would

You frequently get multiple bounces per message. "This message has been in
the queue for 1 day. Still trying." You cannot reasonably limit bounces.

> effectively block the legitimate bounce. If this can really happen,
> Brian is right and the method is kaput. However, I think (hope) it
> can't happen for the following reason (again, help me out if I'm
> misunderstanding something): until the message is delivered to the end
> target, there is no way for a spammer to harvest the SRS-signed return
> path from it. If it is successfully delivered and a spammer harvests

This is also true.

> the return-path, there will be no DSN. If it bounces anywhere along the

Well, this is assuming that you mailed a spammer. If you mail a spammer,
he becomes entitled to reply to you via SRS for 21 days (or whatever).
Don't mail spammers.

> delivery path, there is nothing for the spammer to harvest so the real
> DSN will be the only one coming back. Does this analysis hold water?

I think other people have posted good comments. I'm tired. I hope my reply
holds water.

S.

--
Shevek http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

sethg at GoodmanAssociates

Feb 22, 2004, 4:58 PM

Post #16 of 24 (4528 views)
Permalink

RE: timestamp and bounce spam [In reply to]

> > [Mark]
> > I think the overall usefulness of having unique SRS addresses is
> > questionable, though. As pointed out by others as well, there
> > are too many
> > objections to the "only-one-bounce-per-address" rule.
>
> [Seth Goodman]
> You're right about that. Daniel pointed out the problem with multiple
> recipients and that has to be solved to be useful. This either means
> keeping track of how many recipients each message has locally, or this
> could be part of the SRS header. I agree there are some difficulties,
> but if we don't do anything, we have just created a clear channel for
> spamming.

The other schemes I proposed in a previous post attempt to attempt to
close this hole without limiting the number of bounces per address,
however they both had a cost. The basic approach was to force the DSN
to follow the outgoing path back to the source rather than using the
elegant shortcut in Shevek's "guarded" method. This severely limits the
possible injection points for spam and in the case where the information
was stored in the header. In one case, there was no local storage
requirement, but each forwarder had to add their domain name and a hash
to the return-path. In the another case, the path information was
stored locally at each forwarder but not put in the message.

Neither of these is ideal, but they would work (I believe) and there is
a bounce spam problem with the present implementation. Does anyone have
any other approaches to closing this hole in the protocol?

--

Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

admin at asarian-host

Feb 22, 2004, 5:07 PM

Post #17 of 24 (4499 views)
Permalink

Re: timestamp and bounce spam [In reply to]

----- Original Message -----
From: "Seth Goodman" <sethg [at] GoodmanAssociates>
To: <srs-discuss [at] v2>
Sent: Sunday, February 22, 2004 10:50 PM
Subject: RE: [srs-discuss] timestamp and bounce spam

> > > B) Significant SRS modification, no local storage
> > >
> > > -------------------------------------------------
> > >
> > > This scheme includes the next hop address in the hash calculation. It
> > > thereby causes rejection of a bounce coming from any other domain.
> >
> > An interesting thought. :) But define 'domain'.
>
> Sorry that I wasn't explicit. I meant permitted mailers for the next
> hop domain as specified in the SPF record.

You know, this is actually quite a worthwhile idea. :) And I just had
another idea, based on your idea... What if you made the SPF record part of
your local secret!! Seriously. :)

Imagine you have the following secret:

$secret = 'theanswermyfriendisblowinginthewind'

And you sign the address like this:

my $srs = new Mail::SRS (Secret => $secret ...

Now, say you want to send mail to an AOL recipient. You obtain the SPF
record, but sign it like so:

my $srs = new Mail::SRS (Secret => "$secret.$spf_record" ... !

Then you would have to change NOTHING to the SRS format! For reversal you
would do the same: get the AOL SPF record, add it to the local secret, and
try and reverse the address! Embedded in your secret, you would now have the
guarantee that you can ONLY reverse this new address when it actually came
from AOL!

There are a couple of objections, though:

1): Not everyone uses SPF.

2): SPF records could be forged; that is, a spammer could create an exact
copy of the AOL SPF record.

3): You might not immediately be able to identify whose SPF record you need
to obtain when an MTA connects.

Still, no need to use an SPF record for this. It could be anything (IP
address?)

That is why I asked you to specify 'domain'. Because, whereas an SPF record
may not work, if you could define an identifiable part of the host you send
to, and one which is guaranteed to appear in the return communication, then
we would have a water-proof system against misuse of SRS addresses! And,
like I said, without even changing the SRS format.

As I said in my initial reply to you, I think we will be hard-pressed to
find such a solid identifier of the remote host (that we can extract on
return too), but still, I am going to think a bit more on this; because I
feel it has potential.

Cheers,

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

sethg at GoodmanAssociates

Feb 22, 2004, 6:18 PM

Post #18 of 24 (4540 views)
Permalink

RE: timestamp and bounce spam [In reply to]

> > [Seth Goodman]
> > As SRS stands now, I am disappointed. By making these various
> > suggestions, all I'm asking is: is there a way to avoid having an
> > SRS-signed address give a spammer a clear channel into my mailer? I
>
> [Shevek]
>
> SRS is not designed to prevent spam.

I understand that.

> [Shevek]
>
> SRS is not designed to prevent spam.

I still understand it. I don't have a memory disorder.

>
> A spammer has a clear channel into your mailer anyway - he
> can just mail
> you. SRS is not designed to provide any weighting for spam
> trapping. If in
> practice it does so (quite likely, given its inherent integrity), that
> will be a bonus.

Yes he does, but we are cutting that down a bit with SPF (indirectly by
forcing them to use easily blacklisted domain names). I'd rather not
reopen it due to a hole in SRS.

>
> > understand that I can and will always further scrutinize
> every message,
> > even if it passes SPF and SRS. However, an explicit SRS-pass is a
> > positive value in any weighting scheme, and that makes spam
> harder to
>
> If it is, that's the first I've heard of it, but I suspect it isn't
> unreasonable to do so.

Just like an explicit SPF pass, it should raise your degree of
confidence that the message is legitimate. If it didn't do that, why
would anyone use it?

> If a spammer gets hold of an SRS return address, he can mail
> you for 14
> days. This isn't the end of the world. Don't mail the
> spammer, then he
> can't get the address. It's already putting a hell of an expense on
> spammers when all SRS addresses expire after 14 days anyway.
> They want
> addresses to stay live for years, not days.

Not so at all. Most of their web sites don't stay up more than a week
or two. They may spam dead addresses for years, but their business
model is very short term. Their accounts and web sites frequently get
nuked so they plan accordingly. Having an address that's good for two
weeks suits them just fine. Successful spammers don't get their
databases from the "Million Address CD's" for $20.

> Why on earth would you want to make email addresses expire with
> microsecond resolution? When measuring miles, don't use a
> micrometer.
> We're talking about expiry periods between 1 week and 21
> days. Why would
> anyone care about 6 hours here or there?

To uniquely identify a message from a system that sends out several
million messages per hour without reading the whole header. For this
purpose, we could just as easily use an integer message number as a
timestamp, but the timestamp allows you to reject a DSN that's "too old"
without further lookups.

> You frequently get multiple bounces per message. "This
> message has been in
> the queue for 1 day. Still trying." You cannot reasonably
> limit bounces.

I agree. Perhaps one of the other two solutions I proposed would be
more acceptable.

>
> > effectively block the legitimate bounce. If this can really happen,
> > Brian is right and the method is kaput. However, I think (hope) it
> > can't happen for the following reason (again, help me out if I'm
> > misunderstanding something): until the message is
> delivered to the end
> > target, there is no way for a spammer to harvest the
> SRS-signed return
> > path from it. If it is successfully delivered and a
> spammer harvests
>
> This is also true.
>
> > the return-path, there will be no DSN. If it bounces
> anywhere along the
>
> Well, this is assuming that you mailed a spammer. If you mail
> a spammer,
> he becomes entitled to reply to you via SRS for 21 days (or
> whatever).
> Don't mail spammers.

I don't mail spammers, and neither does anyone else with a brain. That
doesn't mean that our SRS-signed addresses will stay secret.

--

Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

B.Candler at pobox

Feb 23, 2004, 3:43 AM

Post #19 of 24 (4527 views)
Permalink

Re: timestamp and bounce spam [In reply to]

On Sun, Feb 22, 2004 at 07:18:19PM -0600, Seth Goodman wrote:
> > A spammer has a clear channel into your mailer anyway - he
> > can just mail
> > you. SRS is not designed to provide any weighting for spam
> > trapping. If in
> > practice it does so (quite likely, given its inherent integrity), that
> > will be a bonus.
>
> Yes he does, but we are cutting that down a bit with SPF (indirectly by
> forcing them to use easily blacklisted domain names). I'd rather not
> reopen it due to a hole in SRS.

<record condition=broken>
SPF won't cut down spam at all. If SPF becomes widely implemented,
spammers will simply send mails which give 100% passes in SPF. You can
blacklist their entire ISP, but that's more cost-effectively done just by
blocking their IP addresses (i.e. IP-based RBLs).
</record>

OTOH, SRS *does* close a hole, which is that spammers can send things to you
which look like bounces. With SRS, they can only do so if (a) they captured
one of your envelope-sender addresses, which is hard, and (b) they re-use it
within a week or two. It also closes the hole which lets "joe jobs" pollute
your inbox with bounces to messages you didn't send, which is a huge plus.

SRS doesn't close this hole if you use it in the way that SPF envisages,
namely, rewriting only when forwarding messages at the delivery end-point.
But if you rewrite everything, you get this protection.

> Successful spammers don't get their
> databases from the "Million Address CD's" for $20.

Where do they get them, then? And which of these sources would reveal the
envelope sender? Just don't send mail to any of those places.

Actually, I can see the appeal of additionally validating bounces by domain
- i.e. if I send mail to aol.com then I only accept bounces from aol.com.
But the practicalities of implementing this with multi-step forwarding mean
that
(a) it's far too complex, and
(b) I am likely to lose bounces, which is a really Bad Thing. It's errors in
forwarding setups which bounces are most useful in debugging.

I reckon SRS sets the barrier at the right level. In fact there's no need
for me to argue it here - I can just go ahead and implement it regardless.
However if people start using SPF on the Internet, I get a small advantage
of using the 'standard' SRS format rather than my own, when people start
forwarding my mails.

Regards,

Brian.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

dwmw2 at infradead

Feb 23, 2004, 5:15 AM

Post #20 of 24 (4524 views)
Permalink

Re: timestamp and bounce spam [In reply to]

On Mon, 2004-02-23 at 10:43 +0000, Brian Candler wrote:
> <record condition=broken>
> SPF won't cut down spam at all. If SPF becomes widely implemented,
> spammers will simply send mails which give 100% passes in SPF.

You may be being a little harsh.

If _everyone_ published SPF records, to the point where we could simply
blacklist those who _don't_ publish SPF records, and if _everyone_
implemented some non-broken form of SRS, it could perhaps cut down some
spam.

I suspect a porcine implementation of RFC1149 is likely to happen long
before all that comes to pass though.

And then the spammers would probably start sending mail with an empty
reverse-path anyway. But that problem can be alleviated as you
suggest...

> OTOH, SRS *does* close a hole, which is that spammers can send things to you
> which look like bounces. With SRS, they can only do so if (a) they captured
> one of your envelope-sender addresses, which is hard, and (b) they re-use it
> within a week or two. It also closes the hole which lets "joe jobs" pollute
> your inbox with bounces to messages you didn't send, which is a huge plus.

Yeah. To be honest that's the only reason I'm actually _looking_ at SRS,
rather than just telling the user who was complaining that SPF ate her
forwarded mail "Go use a delivery point who actually thinks things
through". It's a neat idea.

> Actually, I can see the appeal of additionally validating bounces by domain
> - i.e. if I send mail to aol.com then I only accept bounces from aol.com.
> But the practicalities of implementing this with multi-step forwarding mean
> that
> (a) it's far too complex, and
> (b) I am likely to lose bounces, which is a really Bad Thing. It's errors in
> forwarding setups which bounces are most useful in debugging.

It's not just complex. It's fundamentally impossible unless you throw
the baby out with the bathwater. If your plan requires that _every_
machine out there implements some new scheme, you're no better off than
the people who are talking about ditching SMTP completely and inventing
something new.

Without such a radical change, you can basically never tell a valid
bounce from an invalid one, except by the destination address in the way
that you suggest.

--
dwmw2

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

B.Candler at pobox

Feb 23, 2004, 5:40 AM

Post #21 of 24 (4540 views)
Permalink

Re: timestamp and bounce spam [In reply to]

On Mon, Feb 23, 2004 at 12:15:13PM +0000, David Woodhouse wrote:
> On Mon, 2004-02-23 at 10:43 +0000, Brian Candler wrote:
> > <record condition=broken>
> > SPF won't cut down spam at all. If SPF becomes widely implemented,
> > spammers will simply send mails which give 100% passes in SPF.
>
> You may be being a little harsh.
>
> If _everyone_ published SPF records, to the point where we could simply
> blacklist those who _don't_ publish SPF records, and if _everyone_
> implemented some non-broken form of SRS, it could perhaps cut down some
> spam.

I don't see how?

(1) Spammers can register thousands of domains, and include SPF records for
them. They can be "laid down" for a year before being used to send spam, if
you penalise newly-registered domains. At best, you can blacklist all
domains registered through registrar R, by doing some sort of whois query;
that is going to give *serious* amounts of false positives, and you will
probably hurt yourself more than the registrar.

(2) Spammers can send MAIL FROM:<anyone [at] theirisp>, where theirisp.net
publishes SPF records for their legitimate users. If those SPF records state
that mail must go through their relays, then spammers will use the relays
(perhaps rate-limited; but then rate-limiting and port 25 blocking/
transparent proxying can be done independently of SPF anyway)

and as you said,

(3) Spammers can send MAIL FROM:<>, i.e. which looks like a DSN. SPF makes
no provision for that; people have talked about validating the HELO name,
which seems like little or no protection whilst risking losing valid
bounces.

Regards,

Brian.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

mengwong at dumbo

Feb 23, 2004, 8:54 AM

Post #22 of 24 (4480 views)
Permalink

Re: timestamp and bounce spam [In reply to]

On Mon, Feb 23, 2004 at 10:43:55AM +0000, Brian Candler wrote:
| <record condition=broken>
| SPF won't cut down spam at all. If SPF becomes widely implemented,
| spammers will simply send mails which give 100% passes in SPF. You can
| blacklist their entire ISP, but that's more cost-effectively done just by
| blocking their IP addresses (i.e. IP-based RBLs).
| </record>

Actually, it's even easier to blacklist the domain; making it possible
to do that was one of the major goals of SPF. Also, if spammers use
their own domains, we have an audit trail that we didn't have before,
and can prosecute them more easily in the usual way.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

sethg at GoodmanAssociates

Feb 23, 2004, 11:14 AM

Post #23 of 24 (4556 views)
Permalink

RE: timestamp and bounce spam [In reply to]

> > [Seth Goodman]
> > Successful spammers don't get their
> > databases from the "Million Address CD's" for $20.
>
> [Brian Candler]
> Where do they get them, then? And which of these sources
> would reveal the
> envelope sender? Just don't send mail to any of those places.

If it were only that simple, none of us would have a spam problem. I'm
sure none of us emails anyone they know to be disreputable. Most of us
take care to use registrars and connectivity providers that we believe
to be reputable according to sources that we trust. Yet our addresses
inevitably get out. Public forums, product registrations, private
mailing lists, prospect information collected and sold by salespeople
you deal with, etc. There are lots of ways for this to happen and I'm
fairly certain I'm unaware most of them. Unless you use a unique email
address for every use, you'll never know where the "leak" was.

As far as the envelope-sender being revealed, that is a valid question
that I cannot answer. I simply pose it as a potential problem and ask
others to say how likely that is to happen. Shevek has declared that it
is not a problem. That carries a lot of weight. But I would like to
hear other people's opinion on the matter.

--

Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

B.Candler at pobox

Feb 23, 2004, 11:26 AM

Post #24 of 24 (4507 views)
Permalink

Re: timestamp and bounce spam [In reply to]

On Mon, Feb 23, 2004 at 12:14:52PM -0600, Seth Goodman wrote:
> > > [Seth Goodman]
> > > Successful spammers don't get their
> > > databases from the "Million Address CD's" for $20.
> >
> > [Brian Candler]
> > Where do they get them, then? And which of these sources
> > would reveal the
> > envelope sender? Just don't send mail to any of those places.
>
> If it were only that simple, none of us would have a spam problem. I'm
> sure none of us emails anyone they know to be disreputable.

I was talking only about SRS-signed envelope addresses here. I'd expect
spammers not to be able to harvest the return path. If a mailing list
archive reveals it, then I would not use that mailing list.

Regards,

Brian.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads