Re: [Shutup] [ietf-smtp] Levels of proposals

Ned Freed <> Fri, 04 December 2015 15:35 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0365E1A8836; Fri, 4 Dec 2015 07:35:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.012
X-Spam-Status: No, score=-2.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ju5UroifkySy; Fri, 4 Dec 2015 07:35:16 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 29CF71A87BD; Fri, 4 Dec 2015 07:32:37 -0800 (PST)
Received: from by (PMDF V6.1-1 #35243) id <>; Fri, 4 Dec 2015 07:27:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mauve; t=1449242853; bh=Mcvj/kBPX3zphaCW2WJp6U0tLAYkuHOXwkMsdGSjmeI=; h=Cc:Date:From:Subject:In-reply-to:References:To; b=OO0ZLg8KZnXblnLNzw6KOwnCXJQqNAfioTtd5C8SgdqmsA66+8OJmWJb1SUZct67s 5v29ixTMqQRAeeYgZh+L+3Mh7ho4XH2KkFEWoSH964eg1TPkRYRTRCfeYV/hLH5nMR Rye+9Jemj4XHmZs8JQIAtPw+jrZJTMonUG9udzfo=
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: TEXT/PLAIN; CHARSET=us-ascii
Received: from by (PMDF V6.1-1 #35243) id <>; Fri, 04 Dec 2015 07:27:30 -0800 (PST)
Message-id: <>
Date: Fri, 04 Dec 2015 07:17:55 -0800 (PST)
From: Ned Freed <>
In-reply-to: "Your message dated Thu, 03 Dec 2015 20:53:32 -0800" <>
References: <> <> <> <> <> <> <> <>
To: Russ Allbery <>
Archived-At: <>
Cc:, Ted Lemon <>,
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 15:35:19 -0000

> Oh, you didn't mean throttle by id/password pair.  You meant throttle
> purely by user ID.

An important reason not to have a pure user ID block is it provides an easy way
to block someone's access to their email: Simply set up a system to constantly
bang on their account with the wrong password, and they're effectively locked

An alternative is a pure user ID slowdown (as opposed to a complete block),
but there are limits to how effective this can be. Bad guys can afford to be
patient whereas legitimate clients time out pretty quickly, turning a 
slowdown back into a block.

> There are two reasons (well, at least -- maybe more) why this doesn't help
> as much as it sounds like it would, particularly in the case of SMTP AUTH.

> One is that the attacker just changes the pattern of their brute force
> search to distribute it across more known accounts or across more time, so
> they just probe more accounts with fewer passwords.  It's all the same to
> them; they're just doing a combinatoric search, and varying parameters
> that way doesn't have too negative of an impact on their ability to
> compromise accounts.

> Another reason is more specific to SMTP AUTH: dozens of incorrect login
> attempts for the same username is a common *legitimate* pattern for users
> who have a single misconfigured device (a typo in their password, for
> instance.  (And thanks to cell phones, those failed logins often come from
> a huge variety of IP addresses.)  SMTP UAs often retry authentication
> pretty aggressively and will happily look like an attacker.  If you lock
> an account for that pattern, you can lock out that user's other legitimate
> devices.  Web sites usually don't have to worry as much about automated
> incorrect legitimate login attempts.

I note that this also applies to IMAP and POP3. In fact the most common
case is probably going to be legitimate IMAP clients banging on the door.

Sometimes a single client even does it from multiple threads.