[Exim] About SMTP callback used as a DDOS

Etusivu
Poista viesti
Vastaa
Lähettäjä: Marc MERLIN
Päiväys:  
Vastaanottaja: exim-users
Aihe: [Exim] About SMTP callback used as a DDOS
To explain the setting, I am the mail/list admin for sourceforge.net, which
contains 10,000+ mailing lists and a few hundred thousand subscribers.

In order to combat spam, random junk, unroutable/traceable and unbounceable
mails, I have pretty much all the exim checks turned on, including my SMTP
callback check on postmaster (i.e. if you don't have a postmaster, we're not
accepting your mail). Patch here:
ftp://ftp.valinux.com/pub/people/merlin/exim-3.31-woody-99.1/exim-callback_and_gooderrmsg.diff

When I unabled SMTP callback, my first thought was: how about one person who
sends a message to a 10,000 subscriber list and gets back 10,000 SMTP
probes?
How about forging your headers and sending this to lots of big mailing lists
to cause lots of callbacks to go back to some unsuspecting domain?

I've attached a mail from a user who is complaining about that.

Right now, it is not an issue just because very few sites on the internet
are using SMTP callback, but if we want its use to spread, we need to fix
that somehow.

The solution I see to that is
1) make header from callback optional for people who don't want to check at
all (and only care to have an envelope sender they can bounce to)
We already have a patch for that:
ftp://ftp.valinux.com/pub/people/merlin/exim-3.31-woody-99.1/exim-hdrfrmcallback.diff
2) Any exploder/mailing list would be responsible for validating the header
from, and indicating that it's been checked with a custom header
X-SMTP-Callback-Checked-From: emailinfrom@???
(or something like that).
3) Exim would then automatically disable header from callbacks if the above
header was present

The only problem is why should you trust that header?
Well, callback is only to catch headers from misconfigured systems and spam
with really bad headers.
I don't see someone going through the trouble of setting
X-SMTP-Callback-Checked-From: when you could simply set your From: to
foobar@??? and be done with it.
(there are unfortunately too many services that will accept mail for any
receipients as the gateway MTA doesn't have knowledge of the user list)

If that's not enough, we could have some kind of RBL list where some IPs
(known big list servers running exim, or some other SMTP callback capable
MTA) would be listed as trustworthy.
If the host is not in there, exim would then ignore
X-SMTP-Callback-Checked-From and do its callback as usual.

Comments? Feedback?

Thanks
Marc


----- Forwarded message from Marc MERLIN <merlin@???> -----

Date: Sat, 21 Jul 2001 08:28:05 -0700
From: Marc MERLIN <merlin@???>
To: System operator <postmaster@???>
Cc: abuse@???, abuse@???
Subject: Re: Odd SMTP sessions
User-Agent: Mutt/1.3.18i
X-Sysadmin: BOFH
X-URL: http://marc.merlins.org/
X-Operating-System: Proudly running Linux 2.4.5-beta4va3.23-isd200usb/Debian testing/unstable

On Sat, Jul 21, 2001 at 10:56:08AM +0200, System operator wrote:
> > There is one callback, and it checks two addresses, you and
> > postmaster@yoursite (it does a RSET in between because some sites refuse
> > more than one RCPT TO if the sender is <>)
>
> It's safe to call the basic idea flawed.


You can make an argument for it, true.

> If I send a message to bugtraq it get's send to about 40000 addresses. If
> they all behave this way it is effectively a DDoS on my link and likewise
> a huge resource hog on many other posters.


Ideally no because when this becomes more widespread (SMTP callback will
probably get implemented in other mailers than exim), the bugtraq MTA does
SMTP callback, validates the message, and with preconfiguration, or some
other kind of trust, the receiving MTAs do not check the header sender
anymore (of course, by then, the envelope sender doesn't point to you
anymore)
I also wrote a patch for exim so that it can optionally only check the
envelope sender and not the header sender, solving the mailing list case,
however Sourceforge being the mailing list server, it will still be the one
checking both envelope and header.

> RFC 821 has a clear purpose for these messages. It is to allow error
> reports back.


True. RFC 821 was also written in days where sites were mostly configured
right, and where spam didn't exist.

> Unless a clear pointer to a RFC (which explicitly requires one to support
> these probes for this specific purpose) is given I must conclude that you


The URL I pointed you to (http://marc.merlins.org/netrants/nullenvelope.txt)
is for people who refuse empty envelope senders, which is in direct
violation of RFC 1123 (which states that you must accept an empty envelope
sender in order to receive bounces).

We both know that there is nothing in RFCs about you having to accept SMTP
callback. It didn't exist back then, nor do most people know about it
even nowadays.

> are using my SMTP resources in a hostile way which makes it effectively a
> computercrime. So I suggest you remove this 'feature' at once.


I was trying to send you mail, and what did I see?
ippl: auth connection attempt from hvdkooij.xs4all.nl [213.84.18.35]

How dare you? Who gave you permission to connect to my port 113 when I send
you mail? This feels like computercrime to me, and I can't find any RFCs
that requires me to support that reverse probe from you so I suggest you
remove thie feature at once.

Seriously, get over it. Reverse probes are very common and as long as they
do not create loops (which this one won't since it uses the null envelope on
purpose), there is not much of a reason to get all up and arms about it.

Your only valid point is the DDOS one when you post to a mailing list, and
1) it's not a problem yet, 2) it is being researched and addressed, 3) it
will probably not affect sourceforge, as in its capacity of mailing list
server, it will have to validate all headers before broadcasting the message
back to thousands of users (you have no idea how much spam it gets rid of
that way)

Marc
--
VA Linux Systems Server Sysadmin / Sourceforge mail&list master. 510 687 7061

Home page: http://marc.merlins.org/
Finger marc_f@??? for PGP key

----- End forwarded message -----

-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking


Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key