IETF Logo Mail Archive

Re: IP-based reputation services vs. DNSBL (long)

"Chris Lewis" <clewis@nortel.com> Tue, 11 November 2008 21:48 UTC

Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE9F43A6822; Tue, 11 Nov 2008 13:48:23 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 361D63A6822 for <ietf@core3.amsl.com>; Tue, 11 Nov 2008 13:48:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.908
X-Spam-Level:
X-Spam-Status: No, score=-4.908 tagged_above=-999 required=5 tests=[AWL=0.400, BAYES_00=-2.599, MISSING_HEADERS=1.292, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1xq0if1aWiX5 for <ietf@core3.amsl.com>; Tue, 11 Nov 2008 13:48:21 -0800 (PST)
Received: from zrtps0kn.nortel.com (zrtps0kn.nortel.com [47.140.192.55]) by core3.amsl.com (Postfix) with ESMTP id 35ED13A67A3 for <ietf@ietf.org>; Tue, 11 Nov 2008 13:48:21 -0800 (PST)
Received: from zrtphxs1.corp.nortel.com (zrtphxs1.corp.nortel.com [47.140.202.46]) by zrtps0kn.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id mABLmIu13683 for <ietf@ietf.org>; Tue, 11 Nov 2008 21:48:19 GMT
Received: from zrtphx5h0.corp.nortel.com ([47.140.202.65]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 11 Nov 2008 16:48:02 -0500
Received: from [47.130.66.198] (47.130.66.198) by zrtphx5h0.corp.nortel.com (47.140.202.65) with Microsoft SMTP Server (TLS) id 8.1.311.2; Tue, 11 Nov 2008 16:48:01 -0500
Message-ID: <4919FD8F.5010200@nortel.com>
Date: Tue, 11 Nov 2008 16:47:59 -0500
From: Chris Lewis <clewis@nortel.com>
Organization: Nortel
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
CC: IETF <ietf@ietf.org>
Subject: Re: IP-based reputation services vs. DNSBL (long)
References: <49172BCE.2000705@network-heretics.com> <alpine.LSU.2.00.0811111711310.14367@hermes-1.csi.cam.ac.uk> <4919C264.4000209@network-heretics.com> <4919C6FA.909@earthlink.net> <4919CB7C.3070604@leisi.net> <4919D1FC.9070801@earthlink.net>
In-Reply-To: <4919D1FC.9070801@earthlink.net>
X-OriginalArrivalTime: 11 Nov 2008 21:48:02.0216 (UTC) FILETIME=[2BA1CA80:01C94447]
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

TS Glassey wrote:
> Matthias
> Any DNS BL Listing process where those listings are based on complaints 
> would create this. [spoofed IPs in DNSBLs]

Few DNSBL listing processes rely on "complaints" as you put it.
Certainly, none of the popular ones use them extensively, and most
refuse them.  Eg: the CBL explicitly refuses contributions of complaints.

Most DNSBL listing processes rely _only_ on the peer address of the
connection (either direct, or by header insertion by their own trusted
systems).  No-one has yet come up with a spam-economy-practical
mechanism for spoofing source IP in TCP/IP (SMTP) sessions.  There has
been much research on the topic, and it all seems to indicate that there
isn't one.  I'll refer you to papers by Steven Bellovin, Marcus Leech
and others.

[UDP packet source IPs are trivially forgeable.  But you can't send
email by UDP packets.  TCP/IP source IP is forgeable, but only at
extremely high effort levels - few spammers would be satisfied with a
throughput rate of a few spams per week (at most) per bot that works
only against some destinations, when the return rate is measured in the
single digits per million spams.  If TCP/IP source spoofing were to
become a spammer-practical method, the Internet has vastly bigger
problems than flakey email.]

The two most effective DNSBLs of all (CBL & PBL, both part of Spamhaus
Zen) don't look at headers at all.  The former takes its IPs directly
from the TCP/IP stack of the MTA receiving the email (eg:
getpeername()), and the latter is a policy assertion, largely by the
verified owner of the IP ranges in question.  IP spoofing is effectively
impossible in one, and irrelevant to the second.
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email