Re: [Shutup] [ietf-smtp] Levels of proposals

Ted Lemon <> Fri, 04 December 2015 04:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 538B41B2D14; Thu, 3 Dec 2015 20:22:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4KrmdEXssNrp; Thu, 3 Dec 2015 20:22:50 -0800 (PST)
Received: from ( [IPv6:2a01:7e01::f03c:91ff:fee4:ad68]) by (Postfix) with ESMTP id 7A8341B2D13; Thu, 3 Dec 2015 20:22:49 -0800 (PST)
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="----sinikael-?=_1-14492029664600.627680711215362"
From: Ted Lemon <>
In-Reply-To: <>
References: <> <> <> <> <> <>
Date: Fri, 04 Dec 2015 04:22:46 +0000
Message-Id: <>
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 04:22:52 -0000

Thursday, Dec 3, 2015 10:48 PM Russ Allbery wrote:
>> I am still a bit puzzled: how does increasing the number of attackers
>> help to bypass the throttling mechanism?  Why isn't the throttle per
>> id/password pair, rather than per ip-address/password/id triple?
> Why would you throttle per id/password pair?  The attacker doesn't try the
> same pair more than once.  That would be pointless.

I think you missed the distinction I was making.   You are describing throttling per ip-address, irrespective of the password/id pair.   I am asking why you don't simply say "if more than 10 attempts are made on this username per hour, lock it out for a while."   This is a common practice on some web sites.   If you require the user to have a non-dictionary password, then 10 attempts per hour is few enough to prevent a botnet of any number of hosts from guessing that password.

> The TLDR in case something about that message was confusing is that only
> the authentication point can block the IP addresses at the authentication
> point, but you can analyze Received headers to do a bunch of other things,
> such as determine compromised botnet IP addresses that someone else
> *didn't* block but that you *do* want to block for *your* service.  It
> improves the scale and flexibility of what you can do by basically giving
> you more threat intelligence.

Yes, I have heard that before.  It makes sense.   However, it does make me wonder why you don't just stop accepting mail from sites that are this badly run until they shape up.   You seem to be suggesting that it's because you value the intelligence that you glean from their incompetence.   Did I misunderstand?

Sent from Whiteout Mail -

My PGP key: