Re: [Shutup] [ietf-smtp] Levels of proposals

Ned Freed <ned.freed@mrochek.com> Fri, 04 December 2015 15:35 UTC

Return-Path: <ned.freed@mrochek.com>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0365E1A8836; Fri, 4 Dec 2015 07:35:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.012
X-Spam-Level:
X-Spam-Status: No, score=-2.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ju5UroifkySy; Fri, 4 Dec 2015 07:35:16 -0800 (PST)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.159.242.17]) by ietfa.amsl.com (Postfix) with ESMTP id 29CF71A87BD; Fri, 4 Dec 2015 07:32:37 -0800 (PST)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01PTVFEN4Y2O00WLY5@mauve.mrochek.com>; Fri, 4 Dec 2015 07:27:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mrochek.com; s=mauve; t=1449242853; bh=Mcvj/kBPX3zphaCW2WJp6U0tLAYkuHOXwkMsdGSjmeI=; h=Cc:Date:From:Subject:In-reply-to:References:To; b=OO0ZLg8KZnXblnLNzw6KOwnCXJQqNAfioTtd5C8SgdqmsA66+8OJmWJb1SUZct67s 5v29ixTMqQRAeeYgZh+L+3Mh7ho4XH2KkFEWoSH964eg1TPkRYRTRCfeYV/hLH5nMR Rye+9Jemj4XHmZs8JQIAtPw+jrZJTMonUG9udzfo=
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: TEXT/PLAIN; CHARSET=us-ascii
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01PTUN3IDZ9C018EYG@mauve.mrochek.com>; Fri, 04 Dec 2015 07:27:30 -0800 (PST)
Message-id: <01PTVFELDFAC018EYG@mauve.mrochek.com>
Date: Fri, 04 Dec 2015 07:17:55 -0800 (PST)
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Thu, 03 Dec 2015 20:53:32 -0800" <874mfy95mb.fsf@hope.eyrie.org>
References: <CABa8R6vfT-9=51B32++eUAVeq5xuhTNUuv62yeO+W6AErRFnDQ@mail.gmail.com> <5660F3A1.7060807@mustelids.ca> <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com> <87k2ov7xly.fsf@hope.eyrie.org> <1449196775597-73137a19-d32873ba-cad85c2a@fugue.com> <87a8pq98m3.fsf@hope.eyrie.org> <1449202966785-573af732-876dd2d9-16d51672@fugue.com> <874mfy95mb.fsf@hope.eyrie.org>
To: Russ Allbery <eagle@eyrie.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/HxlSNUdytvp6BIaYXDz53uFHl30>
Cc: shutup@ietf.org, Ted Lemon <mellon@fugue.com>, ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 15:35:19 -0000

> Oh, you didn't mean throttle by id/password pair.  You meant throttle
> purely by user ID.

An important reason not to have a pure user ID block is it provides an easy way
to block someone's access to their email: Simply set up a system to constantly
bang on their account with the wrong password, and they're effectively locked
out.

An alternative is a pure user ID slowdown (as opposed to a complete block),
but there are limits to how effective this can be. Bad guys can afford to be
patient whereas legitimate clients time out pretty quickly, turning a 
slowdown back into a block.

> There are two reasons (well, at least -- maybe more) why this doesn't help
> as much as it sounds like it would, particularly in the case of SMTP AUTH.

> One is that the attacker just changes the pattern of their brute force
> search to distribute it across more known accounts or across more time, so
> they just probe more accounts with fewer passwords.  It's all the same to
> them; they're just doing a combinatoric search, and varying parameters
> that way doesn't have too negative of an impact on their ability to
> compromise accounts.

> Another reason is more specific to SMTP AUTH: dozens of incorrect login
> attempts for the same username is a common *legitimate* pattern for users
> who have a single misconfigured device (a typo in their password, for
> instance.  (And thanks to cell phones, those failed logins often come from
> a huge variety of IP addresses.)  SMTP UAs often retry authentication
> pretty aggressively and will happily look like an attacker.  If you lock
> an account for that pattern, you can lock out that user's other legitimate
> devices.  Web sites usually don't have to worry as much about automated
> incorrect legitimate login attempts.

I note that this also applies to IMAP and POP3. In fact the most common
case is probably going to be legitimate IMAP clients banging on the door.

Sometimes a single client even does it from multiple threads.

			Ned