Re: [Shutup] [ietf-smtp] Levels of proposals

Ted Lemon <> Fri, 04 December 2015 02:39 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CA33E1B2A32; Thu, 3 Dec 2015 18:39:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XE69xXVUsXrC; Thu, 3 Dec 2015 18:39:39 -0800 (PST)
Received: from ( [IPv6:2a01:7e01::f03c:91ff:fee4:ad68]) by (Postfix) with ESMTP id 30F711B2A2D; Thu, 3 Dec 2015 18:39:38 -0800 (PST)
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="----sinikael-?=_1-14491967752630.3112983494065702"
From: Ted Lemon <>
In-Reply-To: <>
References: <> <> <> <>
Date: Fri, 04 Dec 2015 02:39:35 +0000
Message-Id: <>
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 02:39:41 -0000

Thursday, Dec 3, 2015 9:31 PM Russ Allbery wrote:
> Standard practice for attackers these days is to automate attacks on any
> sort of password-protected system, whether that be web pages,
> authentication providers, or anything else that takes a password.  Usually
> this is done by taking some list of common passwords and some list of
> account names and just brute-forcing combinations, although some attackers
> do more sophisticated things.
> Obviously, that sort of brute force approach is easy to detect and
> throttle, so the next step in the arms race was for attackers to use large
> networks of compromised machines, usually home machines behind DSL and
> cable modem links, each of which tries a small number of passwords against
> a variety of targets to stay below the radar.  Those machines were
> generally compromised via malware of some kind and are part of a botnet,
> without the knowledge of the user of the machine.

Thanks for explaining!

I am still a bit puzzled: how does increasing the number of attackers help to bypass the throttling mechanism?   Why isn't the throttle per id/password pair, rather than per ip-address/password/id triple?

Secondarily, if distributed processing makes throttling per id/password pair difficult, why is it hard to do the botnet IP address matching at the authentication point?   This seems like it would avoid a _lot_ of extra processing.

Sent from Whiteout Mail -

My PGP key: