Re: [ietf-smtp] [Emailcore] Status of Greylisting (i'd wish MessageID were part of SMTP prologue)
Steffen Nurpmeso <steffen@sdaoden.eu> Fri, 07 January 2022 17:52 UTC
Return-Path: <steffen@sdaoden.eu>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E279E3A0E06 for <ietf-smtp@ietfa.amsl.com>; Fri, 7 Jan 2022 09:52:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KyNQ8hi8GFzW for <ietf-smtp@ietfa.amsl.com>; Fri, 7 Jan 2022 09:51:59 -0800 (PST)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D23E3A0E02 for <ietf-smtp@ietf.org>; Fri, 7 Jan 2022 09:51:57 -0800 (PST)
Received: from kent.sdaoden.eu (kent.sdaoden.eu [10.5.0.2]) by sdaoden.eu (Postfix) with ESMTPS id 9161B16057; Fri, 7 Jan 2022 18:51:53 +0100 (CET)
Received: by kent.sdaoden.eu (Postfix, from userid 1000) id 788222B86; Fri, 7 Jan 2022 18:51:51 +0100 (CET)
Date: Fri, 07 Jan 2022 18:51:51 +0100
Author: Steffen Nurpmeso <steffen@sdaoden.eu>
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: John Levine <johnl@taugh.com>
Cc: ietf-smtp@ietf.org
Message-ID: <20220107175151.XI1dU%steffen@sdaoden.eu>
In-Reply-To: <20220107002334.A8FAF345BD86@ary.qy>
References: <20220107002334.A8FAF345BD86@ary.qy>
Mail-Followup-To: "John Levine" <johnl@taugh.com>, ietf-smtp@ietf.org
User-Agent: s-nail v14.9.23-206-gfff8ce373d
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/aPiulZhWFvLxWvz3lVd3NB5nOps>
Subject: Re: [ietf-smtp] [Emailcore] Status of Greylisting (i'd wish MessageID were part of SMTP prologue)
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jan 2022 17:52:04 -0000
John Levine wrote in <20220107002334.A8FAF345BD86@ary.qy>: |It appears that Steffen Nurpmeso <steffen@sdaoden.eu> said: |>This is interesting, for example the Firefox browser i use only |>can manage one password for all the IETF mailing-lists i am |>subscribed too (iirc, many many months, but it tried to auto-fill |>a false one now, and i definetely recall having problems with |>password auto-fill for mailing-list subscriptions), so |>auto-filling the password just does not work. | |I believe you, but that has nothing whatsoever to do with SMTP or |the way that mail works. It was only a ready to hand example of the importance of identifiability (of course). |>These are interesting numbers far beyond mine, thank you! (It |>surely will increase now that i post on @ietf.org, as always.) |>Yes /24, not /8. Really very interesting that /24 is of so much |>use even today. Many sites use multiple "deferred" until a retry |>is accepted, and your "one month" white listing is also a number |>quite large i think. | |It might as well be forever. The only point of greylisting is |to see if an MTA follows the spec well enough to retry. Once |you've seen a retry, greylisting is of no further use for that |source. The only reason I time out after a month is to keep |the local whitelist database from getting too big. Ok i mean with all the checks that the SMTP server performs before the greylist policy even comes into play (most importantly DNS domain name and address/mapping verification) this may indeed be doable, but i do see very much different behaviour, for example by NetBSD.org, with multiple deferrals and short-time whitelisting. (Without knowing the actual configuration details, and happily going down a colour name route btw.) |>I find it interesting that such simple greylisting that cannot |>even correctly identify a specific message seems so useful still. | |But identifying the specific message is not important. How often does |a spambot send two different messages with the same envelope in a |time gap that makes it look like a retry? Basically, never. You know and that is what is so hard to believe. Given that the concept is twenty years old and the standard becomes ten this year, wouldn't it make sense for a bot to simply try an address a second time after X minutes, if it has the time and space? Never done that myself, but in my logs i have seen SSH attacks which really figured out firewall delays and then tried logins in an interval that was not causing blacklisting, over months! (I actually cheered the attacker via a public list he/she might have read, and doing this now and here, again! (The login as such was not successful, thus.)) What i also have seen is, i tried out OpenSMTPD once for a day, it might have been in 2017, it was to my shame a misconfiguration (falsely read the manual) that turned it into an open relay, and, i really should have kept the logs because it was so fascinating, one IP connected, and did nothing for several minutes, then another IP connected, and then they started sending mails simultaneously (how did they know??), to my shame. (All against Yahoo Taiwan if i recall correctly, then there was a friendly email from Yahoo Taiwan iirc that my account produces suspicious activity, massively understated.) It was a nice interval (for nothing), IPs came, send massively for some time, then went again. (Luckily i looked once again before i went, reinstalled postfix and with its *error_limit= directive that storm subsided within minutes.) What i mean is, there are smart attacks doable and out there, and whereas the small attack surface of greylisting may not seem worth the effort, and maybe only today, improving this situation by strengthening the concept of greylisting standard-wise may bring benefits in the future. |I have tried a version of greylisting that did the retry after DATA |and kept a hash of the message. I found that a certain number of |systems regenerate the retried message in a form that is not quite the |same, e.g., different timestamps. The hashes don't match and the |retries always failed. I personally did not think about greylisting at such a late time, quite a lot of processing has happened already by that time. I thought with say a regular SMTP extension that brings the unique Message-ID into the SMTP prologue greylisting could be strengthened by allowing exact identification of messages, and so greylisting and its delays could be improved by allowing the greylist daemon to let exact matches pass through after one retry, whereas software which does not use the extension could continue to be penaltized by even (many) hours, as can be seen in practice. I mean, of course grey listing affects only a small subset of traffic at all, and many gigantic providers like gmail etc., as well as a lot of well-known domains, they all are or have to be whitelisted anyway, best at pre-greylisting stages, of course (though greylist server whitelisting may even be faster than explicit whitelisting dependent on the used database format and the file system's locking speed). --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… John Levine
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… Steffen Nurpmeso
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… John Levine
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… Steffen Nurpmeso
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… John Levine
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… Steffen Nurpmeso
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… John Levine
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… Steffen Nurpmeso
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… John Levine
- Re: [ietf-smtp] [Emailcore] Status of Greylisting… Steffen Nurpmeso