[SATLUG] Fwd: Undelivered Mail Returned to Sender
Brad Knowles
brad at shub-internet.org
Sun Feb 11 20:13:24 CST 2007
At 12:51 PM -0600 2/11/07, Bob Tracy wrote:
> As for the first paragraph, I may or may not be vulnerable to such an
> attack, but how likely is it that a spammer will attack me in that
> manner?
How likely is it that you will get hit and killed by a car, if you're
walking in the street? The probability is zero, right up until it
happens.
> I would counter they are no more difficult to craft than other DNS
> record types, and as with the other types, there are tools to assist.
Uh, no. They are considerably more difficult to craft than MX
records, and there are plenty of people who continue to screw those
up -- regardless of whatever tools they may or may not have available
to them.
> Clearly brokenness is in the eye of the beholder. Philosophically,
> most of the world seems to prefer content analysis. I'm in the
> envelope filtering camp. Neither method is 100% effective, and both
> suffer from the false positive problem.
Neither method is sufficient by itself. You have to use multiple
sources of information.
> A BIG potential disadvantage
> of envelope filtering is turning DNS problems into mail problems.
> Locally, DNS failures are handled by returning "please try again"
> error codes: I've taken great pains to ensure that DNS problems do
> not become mail problems.
Above, you say that you don't care about cache poisoning. Here, you
say that you've gone to great lengths to ensure that DNS problems
don't become mail problems.
So which is it?
As you point out, cache poisoning is actually a relatively rare type
of attack. However, cache pollution is a very common problem, and is
not a malicious attack on the part of anyone. Instead, there were
some people who were careless or clueless, and their mistake causes
pain and heartburn for others.
Surveys I've seen from a variety of sources indicate that not only
are most nameservers vulnerable to cache poisoning attacks, but that
most nameservers have a corrupted cache as their default ground
state, regardless of whether that happened as a result of a conscious
attack or was simply the result of an honest mistake on the part of
someone else.
But phishing attacks are most definitely on the rise, and the most
aggressive types of attackers are creating what are called "spear
phishing" attacks. And they most definitely make use of cache
poisoning, because that's one key way that they get you to direct all
your traffic to their bogus servers, so that they can play
man-in-the-middle attacks on you, even on almost all SSL-secured
connections.
> With content filtering, there are several possible
> outcomes, but no bounce will get generated because the message is
> accepted by the server.
This is why you use exclusively pre-queue filtering, so that you can
make a final decision as to whether or not to accept the message
while the sender is still connected. After-queue filtering is
quickly going away. In another year or two, I would say that you
probably won't find any sites anywhere that recommend or even discuss
after-queue filtering.
> What else would you have me do? When it
> comes right down to it (and you've acknowledged this), whether my server
> violates RFCs isn't the issue (it doesn't): it's *my* server, *my*
> responsibility, and *I* have to live with the consequences of its behavior.
One good thing has come out of this. I'll be including this incident
in the updated version of my series of articles to be published, and
I'll at least get the opportunity to warn everyone else in the world
against this kind of behaviour.
This is starting to look like it might end up a seven-part or even
eight-part series.
> I note
> that both the amount of name-dropping and the length of your signature
> block have increased since this exchange began.
You might want to check your archives for some facts, before you
start making claims like this. My first post to this list was on
Fri, 12 Jan 2007 12:47:12 -0600, with message-id
<p06240504c1cd87897a57@[10.0.1.11]>. My .sig then was exactly as it
is now.
I have posted a couple of messages to this list with a different (and
shorter) .sig, because I wanted to discuss some organizational issues
with regards to CACTUS (wearing my official Program Director hat), so
I created a different .sig to match.
So, my crime is continuing to use exactly the same .sig as I used on
my first post to this list?
> Above, I asked what else you would
> have me do. One could easily get the impression you would have me admit
> I'm an idiot and accept your position without questioning it.
All I'm trying to do is to get you to fix your MTA. You don't have
to say anything publicly or privately on this subject.
> Otherwise, I believe I've said all I'm going to say on this issue.
And I think I've said my piece, too.
--
Brad Knowles <brad at shub-internet.org>, Consultant & Author
Co-author of SAGE Booklet #15 "Internet Postmaster: Duties and
Responsibilities"
Founding Member and Platinum Individual Sponsor of LOPSA:
<http://www.lopsa.org>
Papers: <http://tinyurl.com/tj6q4> LinkedIn Profile:
<http://tinyurl.com/y8kpxu>
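The envelope-check behaviour Bob describes above (DNS failures answered with "please try again" codes rather than turned into mail problems), and Brad's point about deciding pre-queue while the sender is still connected, as an added example that is not code from either poster; the resolver, exception classes, domain names and reply texts are constructed stand-ins for what a real MTA's DNS library would supply:

```python
# Added example (not from the SATLUG thread): an envelope-stage sender-domain
# check that maps DNS outcomes to SMTP replies, so that DNS trouble produces a
# temporary "try again" instead of a permanent reject or a later bounce.
from dataclasses import dataclass


# Hypothetical resolver outcomes, constructed here; a real MTA would get
# these from its DNS library (NXDOMAIN vs SERVFAIL/timeout).
class NxDomain(Exception):
    """Authoritative answer: the name does not exist (permanent)."""


class DnsTempFail(Exception):
    """SERVFAIL, timeout, or other lookup trouble (temporary)."""


@dataclass
class SmtpReply:
    code: int
    text: str


def check_sender_domain(domain: str, resolve_mx) -> SmtpReply:
    """Decide, while the client is still connected (pre-queue), how to answer
    MAIL FROM for `domain`. `resolve_mx(domain)` returns a list of mail hosts
    or raises one of the exceptions above."""
    try:
        hosts = resolve_mx(domain)
    except NxDomain:
        # Definite answer: the domain does not exist, so reject permanently.
        return SmtpReply(550, f"5.1.8 sender domain {domain} does not exist")
    except DnsTempFail:
        # DNS is broken or slow: do not turn that into a mail problem. A 4xx
        # tells a legitimate MTA to retry later, and no bounce is generated.
        return SmtpReply(451, f"4.4.3 temporary DNS failure for {domain}, try again later")
    if not hosts:
        return SmtpReply(550, f"5.1.8 sender domain {domain} has no mail hosts")
    return SmtpReply(250, "2.1.0 sender ok")


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "example.com": ["mail.example.com"],
    "nomx.example.net": [],
}


def fake_resolve_mx(domain: str):
    if domain.startswith("servfail."):
        raise DnsTempFail(domain)      # simulate SERVFAIL / timeout
    if domain not in FAKE_DNS:
        raise NxDomain(domain)         # simulate NXDOMAIN
    return FAKE_DNS[domain]
```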