Re: [Shutup] [ietf-smtp] Levels of proposals

Chris Lewis <> Fri, 04 December 2015 13:46 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 61BEF1A700F; Fri, 4 Dec 2015 05:46:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.364
X-Spam-Level: *
X-Spam-Status: No, score=1.364 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RELAY_NODNS=1.451, MISSING_HEADERS=1.021, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id v9K4eNc3YQxd; Fri, 4 Dec 2015 05:46:53 -0800 (PST)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 062E61B319A; Fri, 4 Dec 2015 05:46:52 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id tB4DkpHK029695 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 4 Dec 2015 08:46:51 -0500
References: <> <> <> <> <> <> <> <>
From: Chris Lewis <>
X-Enigmail-Draft-Status: N1110
Message-ID: <>
Date: Fri, 4 Dec 2015 08:46:51 -0500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/20090812 Thunderbird/ Mnenhy/
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 13:46:54 -0000

On 12/03/2015 11:53 PM, Russ Allbery wrote:
> Ted Lemon <> writes:
>> Thursday, Dec 3, 2015 10:48 PM Russ Allbery wrote:
>>> Why would you throttle per id/password pair?  The attacker doesn't try
>>> the same pair more than once.  That would be pointless.
>> I think you missed the distinction I was making.  You are describing
>> throttling per ip-address, irrespective of the password/id pair.  I am
>> asking why you don't simply say "if more than 10 attempts are made on
>> this username per hour, lock it out for a while."

> Oh, you didn't mean throttle by id/password pair.  You meant throttle
> purely by user ID.
> There are two reasons (well, at least -- maybe more) why this doesn't help
> as much as it sounds like it would, particularly in the case of SMTP AUTH.

Third and most telling reason: few people know how many valid 
id/password pairs they already have, and coupled with the large numbers 
of IPs they also have, and the fact that userid/password pairs often 
work under multiple services, you can spread the spam across so many IPs 
and userids that throttling is only useful in some marginal edge cases 
(even when the throttle levers are in the hands of a certified BOFH).

Case in point: less than 10% of our list of auth-cracking IPs is derived 
from methods useable by MSAs, and those that are derived from MSAs 
utilize very specialized fingerprinting that has nothing to do with