RE: IP-based reputation services vs. DNSBL (long)

Agree with your conclusion, but your statement is not quite accurate.

Some spammers have in fact developed schemes that involve spoofing the source IP address of TCP sessions, but only where both IP addresses were under spammer control.

What some spammers used to do when dialup connections were still common and broadband rare is that they would use a dialup session as the purported source of the packets but really send the bulk of the message from a high-speed connection, with the dialup connection telling the high-speed connection which sequence numbers to employ.

I don't know if it is still widely used, but when it was being used the disruption caused to the network was considerably higher than for normal spam, as you can expect.
 


From: ietf-bounces@xxxxxxxx on behalf of Chris Lewis
Sent: Tue 11/11/2008 4:47 PM
Cc: IETF
Subject: Re: IP-based reputation services vs. DNSBL (long)

TS Glassey wrote:
> Matthias
> Any DNS BL Listing process where those listings are based on complaints
> would create this. [spoofed IPs in DNSBLs]

Few DNSBL listing processes rely on "complaints" as you put it.
Certainly, none of the popular ones use them extensively, and most
refuse them.  E.g.: the CBL explicitly refuses contributions of complaints.

Most DNSBL listing processes rely _only_ on the peer address of the
connection (either direct, or by header insertion by their own trusted
systems).  No one has yet come up with a spam-economy-practical
mechanism for spoofing source IP in TCP/IP (SMTP) sessions.  There has
been much research on the topic, and it all seems to indicate that there
isn't one.  I'll refer you to papers by Steven Bellovin, Marcus Leech
and others.

[UDP packet source IPs are trivially forgeable.  But you can't send
email by UDP packets.  TCP/IP source IP is forgeable, but only at
extremely high effort levels - few spammers would be satisfied with a
throughput rate of a few spams per week (at most) per bot that works
only against some destinations, when the return rate is measured in the
single digits per million spams.  If TCP/IP source spoofing were to
become a spammer-practical method, the Internet has vastly bigger
problems than flaky email.]

The two most effective DNSBLs of all (CBL & PBL, both part of Spamhaus
Zen) don't look at headers at all.  The former takes its IPs directly
from the TCP/IP stack of the MTA receiving the email (e.g.:
getpeername()), and the latter is a policy assertion, largely by the
verified owner of the IP ranges in question.  IP spoofing is effectively
impossible in one, and irrelevant to the second.
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
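The distinction Chris draws above between the address the MTA's TCP stack reports (getpeername()) and whatever the message's own Received: headers claim is easy to see on a loopback socket. The following is an added example written for this archive page; it is not code from either poster or from Spamhaus. It assumes a DNSBL zone name (zen.spamhaus.org) purely to build the query label, never sends a DNS query, uses a constructed message whose Received: headers name RFC 5737 documentation addresses, and maps Zen answer codes according to Spamhaus's published return-code table as I recall it (an assumption, not something stated in the thread).

```python
import ipaddress
import re
import socket
import threading
from email import message_from_string
from email.policy import default

# Assumed DNSBL zone, used only to build query names; the demo never sends a DNS query.
DNSBL_ZONE = "zen.spamhaus.org"

# Constructed sample message: its Received: headers are entirely sender-supplied
# and name addresses (RFC 5737 documentation ranges) that never touched this host.
FORGED_MESSAGE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby relay.example.org with ESMTP; Tue, 11 Nov 2008 16:47:00 -0500\n"
    "Received: from [198.51.100.7] by mail.example.net; Tue, 11 Nov 2008 16:46:00 -0500\n"
    "From: sender@example.net\n"
    "To: postmaster@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def ips_claimed_in_headers(raw_message: str) -> list[str]:
    """IPs asserted by Received: headers. Anyone can write these, so a DNSBL
    that keyed on them could be steered into listing arbitrary addresses."""
    msg = message_from_string(raw_message, policy=default)
    found = []
    for value in msg.get_all("Received", []):
        found.extend(BRACKETED_IPV4.findall(str(value)))
    return found


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_zen_answer(answer: str) -> str:
    """Map a Zen A-record answer to the component list that produced it.
    Assumed mapping (Spamhaus return codes): 127.0.0.2 SBL, .3 SBL CSS,
    .4-.7 XBL (which carries CBL data), .10-.11 PBL."""
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "unknown"


def receive_one_message(server_sock: socket.socket, out: dict) -> None:
    """Stand-in for an MTA's accept loop: the listing key comes from
    getpeername(), the kernel's own record of who the TCP peer is."""
    conn, _ = server_sock.accept()
    with conn:
        out["peer_ip"] = conn.getpeername()[0]
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
        out["message"] = b"".join(chunks).decode()


def run_demo() -> dict:
    """Deliver FORGED_MESSAGE over a real loopback TCP connection and compare
    what the headers claim with what the socket reports."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    out: dict = {}
    t = threading.Thread(target=receive_one_message, args=(srv, out))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(FORGED_MESSAGE.encode())
    t.join()
    srv.close()
    out["header_ips"] = ips_claimed_in_headers(out["message"])
    out["query_name"] = dnsbl_query_name(out["peer_ip"])
    return out


if __name__ == "__main__":
    r = run_demo()
    print("headers claim:", r["header_ips"])
    print("socket peer:  ", r["peer_ip"])
    print("DNSBL query:  ", r["query_name"])
```

The headers say 192.0.2.10 and 198.51.100.7; the socket says 127.0.0.1, and that is the only value a CBL-style listing process would ever feed into the reversed-octet query. A real MTA would resolve the query name with an ordinary A lookup and treat NXDOMAIN as "not listed"; the classifier only interprets the answer it would get back.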

