Re: IP-based reputation services vs. DNSBL (long)
"Chris Lewis" <clewis@nortel.com> Thu, 13 November 2008 20:52 UTC
Hallam-Baker, Phillip wrote:

> To answer your question about how they got round port 25 blocking, my
> guess is that they sent the initial packet out on yet another connection
> that was unblocked.

Actually, I answered that question - they didn't "get around port 25 blocking". They never sent from the (say AOL dialup) side, only from the high speed side. "three way handshaking" emulation of what's supposed to be "two way", but physically only two (not three) machines. Since they're on the same machine, the timing is not much of an issue.

Got high speed spam emission, at the expense of burning (lots of) free AOL low speed access dialup disks. Especially if you pipelined (whether the recipient said it was okay or not) multiple parallel SMTP streams.

[The recipient usually has no way of knowing whether you're really waiting for its SMTP command return codes or not. Which is exemplified by one particular type of HTTP proxy attack. Arrange the entire sending side's SMTP commands in one buffer (eg: an HTTP CONNECT proxy), and send it all at once. Works just fine if you don't care about errors. Which high volume spammers don't.]

> I have seen something similar described recently in the context of a
> cyber-conflict type attack.

Potentially still useful technique, where the economies are different.
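Added example (not part of the original message): a receiver-side check, in Python, for the send-everything-in-one-buffer behaviour discussed above, similar in intent to Postfix's reject_unauth_pipelining restriction. The event model, the function name find_early_talk and the example.org/example.net hosts are assumptions made for this illustration; the message body after a 354 reply is not modelled.

```python
# Events are listed in the order the receiving server observed them:
#   ("C", line) = bytes arrived from the client, ("S", line) = reply sent.
# Commands that RFC 2920 requires to be the last one in a pipelined group.
SYNC_POINTS = {"EHLO", "DATA", "VRFY", "EXPN", "TURN", "QUIT", "NOOP"}

def find_early_talk(events):
    """Return [(event_index, reason)] for client lines that arrived too early."""
    findings = []
    greeted = False      # has the server sent its 220 banner yet?
    pipelining = False   # did an EHLO reply advertise PIPELINING?
    unanswered = []      # verbs received from the client with no reply sent yet
    for i, (side, line) in enumerate(events):
        if side == "S":
            if line[4:].strip().upper() == "PIPELINING":
                pipelining = True
            if line[3:4] == "-":       # continuation of a multi-line reply
                continue
            if not greeted:
                greeted = True         # the first final reply is the banner
            elif unanswered:
                unanswered.pop(0)      # this reply answers the oldest command
            continue
        verb = line.split(" ", 1)[0].upper()
        if not greeted:
            findings.append((i, "sent before 220 greeting"))
        elif unanswered and not pipelining:
            findings.append((i, "pipelined without PIPELINING offered"))
        elif unanswered and unanswered[-1] in SYNC_POINTS:
            findings.append((i, "did not wait after " + unanswered[-1]))
        unanswered.append(verb)
    return findings

# Constructed sample: the whole dialogue arrives in one burst after HELO.
BLAST = [("S", "220 mx.example.net ESMTP"), ("C", "HELO relay.example.org"),
         ("C", "MAIL FROM:<a@example.org>"), ("C", "RCPT TO:<b@example.net>"),
         ("C", "DATA"), ("S", "250 mx.example.net"), ("S", "250 OK"),
         ("S", "250 OK"), ("S", "354 go ahead")]

# Constructed sample: a client that negotiates PIPELINING and groups correctly.
POLITE = [("S", "220 mx.example.net ESMTP"), ("C", "EHLO relay.example.org"),
          ("S", "250-mx.example.net"), ("S", "250-PIPELINING"),
          ("S", "250 SIZE 1000000"), ("C", "MAIL FROM:<a@example.org>"),
          ("C", "RCPT TO:<b@example.net>"), ("C", "DATA"),
          ("S", "250 OK"), ("S", "250 OK"), ("S", "354 go ahead")]

if __name__ == "__main__":
    for name, session in (("BLAST", BLAST), ("POLITE", POLITE)):
        print(name, find_early_talk(session))
```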