Re: [Shutup] [ietf-smtp] Levels of proposals

Chris Lewis <ietf@mustelids.ca> Fri, 04 December 2015 16:31 UTC

Return-Path: <ietf@mustelids.ca>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC4631A8A4E; Fri, 4 Dec 2015 08:31:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.242
X-Spam-Level: **
X-Spam-Status: No, score=2.242 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FH_RELAY_NODNS=1.451, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZhbtpEWtFJAB; Fri, 4 Dec 2015 08:31:38 -0800 (PST)
Received: from stoat.mustelids.ca (unknown [174.35.246.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B99901A8AAE; Fri, 4 Dec 2015 08:31:37 -0800 (PST)
Received: from [192.168.0.6] (badger.mustelids.ca [192.168.0.6]) (authenticated bits=0) by stoat.mustelids.ca (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id tB4GVaYE015438 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 4 Dec 2015 11:31:36 -0500
To: shutup@ietf.org
References: <CABa8R6vfT-9=51B32++eUAVeq5xuhTNUuv62yeO+W6AErRFnDQ@mail.gmail.com> <5660F3A1.7060807@mustelids.ca> <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com> <566190E2.9090301@mustelids.ca> <5661B844.4050605@isdg.net>
From: Chris Lewis <ietf@mustelids.ca>
X-Enigmail-Draft-Status: N1110
Message-ID: <5661BFE8.2070706@mustelids.ca>
Date: Fri, 4 Dec 2015 11:31:36 -0500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
In-Reply-To: <5661B844.4050605@isdg.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/YbKgr1MI6Vs190POhyWXoQkSObY>
Cc: ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 16:31:38 -0000

On 12/04/2015 10:59 AM, Hector Santos wrote:
> On 12/4/2015 8:10 AM, Chris Lewis wrote:

>> AUTH-cracking to this extent is a relatively recent phenomena, and is
>> clearly being used as an attempt to bypass normal direct-2-MX botnet
>> blocking and hijack the reputation of the MTA instead of some random
>> cracked PC.

> Hi, I'm surprise to read you say this is "relatively recent."  Are you
> mean in months, years or one to several decades?

I should say that "back in the day", SMTP-auth from BOTs was 
sufficiently rare that it could safely be ignored.

SMTP-auth from bot started in a noticable fashion about 2-3 years ago 
and continuing to rise to extreme levels in the past 6-12 months.  To 
some MSAs, the impacts were obvious before that.

To me, this is "relatively recent".  Sorry, should have clarified.

As a MUCH more recent development, remember "open relay"?  That was 
obsolete 10 years ago, and except for a couple of low volume Chinese 
spammers, not seen at all.  Well, guess what?  One extremely prolific 
spambot started doing it in very high volumes less than a month ago. 
That's right, spambots attempting to open relay through MTAs.  Shipping 
almost exclusively malware at that.

Fun eh?