[SATLUG] Fwd: Undelivered Mail Returned to Sender

Bob Tracy rct at gherkin.frus.com
Sun Feb 11 12:51:41 CST 2007


Brad Knowles wrote:
> For 90% of the servers out there, I can poison their DNS in less than 
> a second, and stuff in whatever data I want.  All it takes is 
> connecting to their port 25.  I don't even have to send a message.  I 
> just want them to do a reverse DNS lookup on my IP address, and I own 
> them.
> 
> In most cases, I can subvert the DNS of the individuals sending the 
> message, so that their own SPF records that come directly from their 
> own nameservers would be intentionally mis-directed to some other 
> machines, thus causing all receiving servers which properly implement 
> SPF to throw away all mail from these machines.
> 
> 
> Just in case your servers are secure and I can't poison them, I can 
> still poison 90% of the other servers out there, and make them 
> *think* that your SPF records point somewhere else, and throw away 
> all your mail.

All of the above are true and possible for a motivated attacker.  The
second and third paragraphs, however, are clearly above and beyond the
call as far as what a spammer is trying to accomplish.  The spammer
really couldn't care less about my outbound mail.  More to the point,
the spammer requires the infrastructure he abuses to possess at least
a minimal level of health, else, he makes no money because he can't
deliver at least some portion of his boatload of unwanted crap.  For
the spammer to behave otherwise violates basic financial common sense.

As for the first paragraph, I may or may not be vulnerable to such an
attack, but how likely is it that a spammer will attack me in that
manner?  This is an exercise in risk-management, and analysis of
gigabytes of logfiles across multiple sites over the past several years
tells me the likelihood of a spammer doing this to me is so far down in
the noise that I can safely ignore it.  In other words, my assertion
that spammers are inherently lazy and have more cost-effective ways to
spend their money than implementing widespread DNS cache poisoning
attacks would seem to be supported by the available evidence.  In
summary, just because something is possible or even trivially easy to
accomplish does not mean it will happen.

> SPF records are difficult to craft correctly.  Many people craft them 
> incorrectly, so even if your server is configured to implement them 
> in the appropriate fashion, you would still throw away their 
> legitimate mail.

I would counter they are no more difficult to craft than other DNS
record types, and as with the other types, there are tools to assist.
Malformed DNS records of all kinds are a continuing issue...  The
spammers have abused and will continue to abuse them.  Specific
example: SPF neutrality doesn't technically constitute a malformed
record, but it *is* a "hole" in the specification of which spammers
are currently taking advantage.  Any SPF record ending in anything
other than "-all" will eventually be abused, and gmail.com is
actively being abused as I type this.

> SPF is hard to implement correctly.  Even if all the nameservers in 
> the world were hardened and impossible to poison, and even if it was 
> trivially easy for everyone in the world to correctly craft SPF 
> records, there would still be a lot of broken machines out there 
> which throw away legitimate mail, simply because they do not behave 
> correctly.
> 
> This is the case for your server.

Clearly brokenness is in the eye of the beholder.  Philosophically,
most of the world seems to prefer content analysis.  I'm in the
envelope filtering camp.  Neither method is 100% effective, and both
suffer from the false positive problem.  A BIG potential disadvantage
of envelope filtering is turning DNS problems into mail problems.
Locally, DNS failures are handled by returning "please try again"
error codes: I've taken great pains to ensure that DNS problems do
not become mail problems.  Otherwise, the biggest disadvantage of
envelope filtering is it potentially generates bounces: while my
server doesn't directly generate the bounce, the SMTP client that
gets the door slammed in its face typically does in the case of false
positives.  On the plus side, a legitimate sender at least knows his
message didn't get through, even if he can't immediately figure out or
appreciate why.  With content filtering, there are several possible
outcomes, but no bounce will get generated because the message is
accepted by the server.  Consider that the sender doesn't know *where*
the message got delivered: it could have been to the desired recipient,
but it could also have been delivered to /dev/null, a quarantine queue,
or a junk mail "in" box.  The sender doesn't know, until a response (if
expected) doesn't happen within some period of time.  You see
"brokenness" because you know you are not a spammer AND you received
an indication you had been speared by an anti-spam filter.  If you had
been inappropriately speared by content filtering, we wouldn't be having
this conversation because you would never have known about it.  I
acknowledge the false positive, but claim the filters worked as designed.
The error has been corrected.  What else would you have me do?  When it
comes right down to it (and you've acknowledged this), whether my server
violates RFCs isn't the issue (it doesn't): it's *my* server, *my*
responsibility, and *I* have to live with the consequences of its behavior.

> I know the guy that wrote the postfix patches you're using.  Ron F. 
> Guilmette...

Bad assumption: his work inspired mine, but the flaws in his approach
were noted and, IMHO, are being addressed reasonably by what I'm trying
to do.  I'm not yet convinced I'm on the wrong path, and remain open to
other approaches.

> Paul Vixie has said for many years now that the biggest problem in 
> this field is not the spammers, but the anti-spammers -- by which he 
> means the ones that fundamentally misunderstand the problem and apply 
> inappropriate solutions, and then defend their decisions to the death.

Paul and I have known each other since the mid-80s, and while we don't
agree on everything, we nevertheless respect each other.  The above is
one of the points on which we *do* agree in principle.

> Brad Knowles <brad at shub-internet.org>, Consultant & Author
> Co-author of SAGE Booklet #15 "Internet Postmaster: Duties and 
> Responsibilities"
> Founding Member and Platinum Individual Sponsor of LOPSA: 
> <http://www.lopsa.org>
> Papers: <http://tinyurl.com/tj6q4> LinkedIn Profile: 
> <http://tinyurl.com/y8kpxu>

You've had ample opportunity to make your argument without being
condescending and rude, but have consistently failed to do so.  I note
that both the amount of name-dropping and the length of your signature
block have increased since this exchange began.  I further note the
personal jabs in unrelated threads.  Above, I asked what else you would
have me do.  One could easily get the impression you would have me admit
I'm an idiot and accept your position without questioning it.  I regret
that I don't know either you or your work well enough to do either of
those things, completely ignoring for the moment whatever opinion I may
have of myself.  If we're going to continue this conversation, I expect
you to start behaving as the professional I assume you are or would have
me believe you are.  An apology in this forum would be a nice beginning.
Otherwise, I believe I've said all I'm going to say on this issue.

Sincerely,
--Bob
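The two technical points in the reply above (an SPF record that does not end in "-all" leaves a hole that unlisted senders can walk through, and a DNS failure during envelope checking should produce a "please try again" SMTP code rather than a rejection) are easy to show in code. The following is an added illustration, not code from this thread or from either poster's Postfix patches. It assumes a tiny subset of SPF (the ip4, ip6 and all mechanisms only) and uses constructed records under documentation domains and addresses; any term that would require a real DNS lookup is treated as a lookup failure so the example runs offline.

```python
import ipaddress

# Constructed sample records (not real zone data); *.example per RFC 2606.
SAMPLE_RECORDS = {
    "strict.example":  "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example":    "v=spf1 ip4:198.51.100.10 ~all",
    "neutral.example": "v=spf1 ip4:203.0.113.0/24 ?all",
    "open.example":    "v=spf1 +all",
}

# SPF qualifier characters and the result each one yields on a match.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class DnsTempError(Exception):
    """Raised when evaluation needs DNS data that is not available."""


def parse_spf(record):
    """Return a list of (qualifier, mechanism, argument) for a v=spf1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifiers (redirect=, exp=) are ignored here
            continue
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def terminal_policy(record):
    """Result applied to a sender that matches nothing else: the record's 'all' term."""
    for qualifier, mech, _ in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"   # no match and no 'all' term: neutral (RFC 7208 section 4.7)


def permits_unlisted_sender(record):
    """True when an address not listed in the record is still not rejected.

    This is the '?all' / '~all' hole the post describes: only '-all' turns an
    unlisted sender into a hard failure.
    """
    return terminal_policy(record) != "fail"


def evaluate(record, sender_ip):
    """Evaluate the record for sender_ip using only ip4/ip6/all (offline subset)."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            # 'in' is False across address families, so an IPv6 sender never matches ip4.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        else:
            # a / mx / include / exists need DNS; this offline example has none.
            raise DnsTempError(f"lookup needed for {mech}:{arg}")
    return "neutral"


def smtp_decision(lookup, domain, sender_ip):
    """Map an SPF outcome to an SMTP reply.

    DNS trouble is deliberately answered with a 4xx code so the sending MTA
    retries instead of bouncing: a DNS problem must not become a mail problem.
    """
    try:
        result = evaluate(lookup(domain), sender_ip)
    except DnsTempError as err:
        return (451, f"4.4.3 temporary DNS problem, please try again later ({err})")
    if result == "fail":
        return (550, f"5.7.1 SPF fail for {domain} from {sender_ip}")
    return (250, f"2.0.0 SPF {result}")


def sample_lookup(domain):
    """Stand-in for a TXT lookup over the constructed records (hypothetical)."""
    if domain == "flaky.example":
        raise DnsTempError("SERVFAIL")      # simulated resolver failure
    return SAMPLE_RECORDS[domain]


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:16s} terminal={terminal_policy(rec):8s} "
              f"unlisted sender permitted={permits_unlisted_sender(rec)}")
    print(smtp_decision(sample_lookup, "strict.example", "203.0.113.9"))
    print(smtp_decision(sample_lookup, "flaky.example", "192.0.2.1"))
```

Running it shows that only `strict.example` rejects an unlisted sender, that an IPv6 sender never matches an `ip4:` network, and that a resolver failure (or any term this subset cannot resolve) yields a 451 rather than a 550, which is the behaviour the reply describes for its own server.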
