Re: [Exim] About SMTP callback used as a DDOS

Author: Dave C.
Date:  
To: Marc MERLIN
CC: exim-users
Subject: Re: [Exim] About SMTP callback used as a DDOS
On Sat, 21 Jul 2001, Marc MERLIN wrote:

> To explain the setting, I am the mail/list admin for sourceforge.net, which
> contains 10,000+ mailing lists and a few hundred thousand subscribers.
>
> In order to combat spam, random junk, unroutable/traceable and unbounceable
> mails, I have pretty much all the exim checks turned on, including my SMTP
> callback check on postmaster (i.e. if you don't have a postmaster, we're not
> accepting your mail). Patch here:
> ftp://ftp.valinux.com/pub/people/merlin/exim-3.31-woody-99.1/exim-callback_and_gooderrmsg.diff
>
> When I enabled SMTP callback, my first thought was: how about one person who
> sends a message to a 10,000 subscriber list and gets back 10,000 SMTP
> probes?


Er, that would only happen if the MTAs for all 10,000 users were doing
SMTP callback. The exploder wouldn't do a callback for each recipient,
only one for the sender as it received the message. If the sender
somehow sent out 10,000 individual messages, to 10,000 systems that all
supported SMTP callback, then they would get 10,000 callbacks, but if
they can handle 10,000 outbound sessions, surely they can handle the
callbacks. Now I suppose there's nothing stopping them from pointing the
callbacks somewhere else.. Hrm.. Perhaps exim should cache the last N
callback results? No.. one could get around that by generating a new
random username each time..

> How about forging your headers and sending this to lots of big mailing lists
> to cause lots of callbacks to go back to some unsuspecting domain?
>
> I've attached a mail from a user who is complaining about that.
>
> Right now, it is not an issue just because very few sites on the internet
> are using SMTP callback, but if we want its use to spread, we need to fix
> that somehow.
>
> The solution I see to that is
> 1) make header from callback optional for people who don't want to check at
>    all (and only care to have an envelope sender they can bounce to)
>    We already have a patch for that:
>    ftp://ftp.valinux.com/pub/people/merlin/exim-3.31-woody-99.1/exim-hdrfrmcallback.diff
> 2) Any exploder/mailing list would be responsible for validating the header
>    from, and indicating that it's been checked with a custom header
>    X-SMTP-Callback-Checked-From: emailinfrom@???
>    (or something like that).
> 3) Exim would then automatically disable header from callbacks if the above
>    header was present
>
> The only problem is why should you trust that header?
> Well, callback is only to catch headers from misconfigured systems and spam
> with really bad headers.
> I don't see someone going through the trouble of setting
> X-SMTP-Callback-Checked-From: when you could simply set your From: to
> foobar@??? and be done with it.
> (there are unfortunately too many services that will accept mail for any
> recipients as the gateway MTA doesn't have knowledge of the user list)
>
> If that's not enough, we could have some kind of RBL list where some IPs
> (known big list servers running exim, or some other SMTP callback capable
> MTA) would be listed as trustworthy.
> If the host is not in there, exim would then ignore
> X-SMTP-Callback-Checked-From and do its callback as usual.
>
> Comments? Feedback?
>
> Thanks
> Marc
>
>
> ----- Forwarded message from Marc MERLIN <merlin@???> -----
>
> Date: Sat, 21 Jul 2001 08:28:05 -0700
> From: Marc MERLIN <merlin@???>
> To: System operator <postmaster@???>
> Cc: abuse@???, abuse@???
> Subject: Re: Odd SMTP sessions
> User-Agent: Mutt/1.3.18i
> X-Sysadmin: BOFH
> X-URL: http://marc.merlins.org/
> X-Operating-System: Proudly running Linux 2.4.5-beta4va3.23-isd200usb/Debian testing/unstable
>
> On Sat, Jul 21, 2001 at 10:56:08AM +0200, System operator wrote:
> > > There is one callback, and it checks two addresses, you and
> > > postmaster@yoursite (it does a RSET in between because some sites refuse
> > > more than one RCPT TO if the sender is <>)
> >
> > It's safe to call the basic idea flawed.
>
> You can make an argument for it, true.
>
> > If I send a message to bugtraq it gets sent to about 40000 addresses. If
> > they all behave this way it is effectively a DDoS on my link and likewise
> > a huge resource hog on many other posters.
>
> Ideally no because when this becomes more widespread (SMTP callback will
> probably get implemented in other mailers than exim), the bugtraq MTA does
> SMTP callback, validates the message, and with preconfiguration, or some
> other kind of trust, the receiving MTAs do not check the header sender
> anymore (of course, by then, the envelope sender doesn't point to you
> anymore)
> I also wrote a patch for exim so that it can optionally only check the
> envelope sender and not the header sender, solving the mailing list case,
> however Sourceforge being the mailing list server, it will still be the one
> checking both envelope and header.
>
> > RFC 821 has a clear purpose for these messages. It is to allow error
> > reports back.
>
> True. RFC 821 was also written in days where sites were mostly configured
> right, and where spam didn't exist.
>
> > Unless a clear pointer to a RFC (which explicitly requires one to support
> > these probes for this specific purpose) is given I must conclude that you
>
> The URL I pointed you to (http://marc.merlins.org/netrants/nullenvelope.txt)
> is for people who refuse empty envelope senders, which is in direct
> violation of RFC 1123 (which states that you must accept an empty envelope
> sender in order to receive bounces).
>
> We both know that there is nothing in RFCs about you having to accept SMTP
> callback. It didn't exist back then, nor do most people know about it
> even nowadays.
>
> > are using my SMTP resources in a hostile way which makes it effectively a
> > computercrime. So I suggest you remove this 'feature' at once.
>
> I was trying to send you mail, and what did I see?
> ippl: auth connection attempt from hvdkooij.xs4all.nl [213.84.18.35]
>
> How dare you? Who gave you permission to connect to my port 113 when I send
> you mail? This feels like computercrime to me, and I can't find any RFCs
> that require me to support that reverse probe from you so I suggest you
> remove this feature at once.
>
> Seriously, get over it. Reverse probes are very common and as long as they
> do not create loops (which this one won't since it uses the null envelope on
> purpose), there is not much of a reason to get all up in arms about it.
>
> Your only valid point is the DDOS one when you post to a mailing list, and
> 1) it's not a problem yet, 2) it is being researched and addressed, 3) it
> will probably not affect sourceforge, as in its capacity of mailing list
> server, it will have to validate all headers before broadcasting the message
> back to thousands of users (you have no idea how much spam it gets rid of
> that way)
>
> Marc
>

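As an added illustration, not code from this thread or from Exim, here is the callback exchange Marc describes above: one probe per inbound message, issued with MAIL FROM:<> so the probe can never trigger a callback in return and loop, and an RSET between the two RCPT TO checks because some sites refuse a second recipient for a null sender. The MX side is a scripted stand-in so the example runs offline; every hostname and mailbox in it is constructed.

```python
import re

class FakeMX:
    """Scripted stand-in for the sender's MX (constructed, not a real server).
    Like the sites Marc mentions, it refuses a second RCPT TO without an
    intervening RSET when the envelope sender is <>."""
    def __init__(self, domain, mailboxes):
        self.domain, self.mailboxes = domain, set(mailboxes)
        self.null_sender, self.rcpts_in_txn = False, 0

    def send(self, line):
        cmd, _, arg = line.partition(" ")
        if cmd == "HELO":
            return "250 " + self.domain
        if cmd == "MAIL":
            self.null_sender, self.rcpts_in_txn = arg.upper() == "FROM:<>", 0
            return "250 OK"
        if cmd == "RSET":
            self.rcpts_in_txn = 0
            return "250 OK"
        if cmd == "RCPT":
            self.rcpts_in_txn += 1
            if self.null_sender and self.rcpts_in_txn > 1:
                return "452 only one recipient accepted for null sender"
            addr = re.match(r"TO:<(.*)>", arg, re.I).group(1)
            return "250 OK" if addr in self.mailboxes else "550 no such user"
        if cmd == "QUIT":
            return "221 bye"
        return "500 unrecognised command"

def smtp_callback(mx, sender, our_host="lists.example.org"):
    """One callback per inbound message, as the receiving MTA would do it:
    probe the envelope sender, RSET, then probe postmaster@domain.
    Returns (accept, reason)."""
    domain = sender.rsplit("@", 1)[1]
    mx.send("HELO " + our_host)
    mx.send("MAIL FROM:<>")                       # null sender: no loop possible
    sender_ok = mx.send("RCPT TO:<%s>" % sender).startswith("2")
    mx.send("RSET")                               # new transaction for 2nd probe
    mx.send("MAIL FROM:<>")
    pm_ok = mx.send("RCPT TO:<postmaster@%s>" % domain).startswith("2")
    mx.send("QUIT")
    if not sender_ok:
        return False, "envelope sender does not accept bounces"
    if not pm_ok:
        return False, "no postmaster@" + domain
    return True, "verified"
```

Note that the exploder does this once for the message it receives, not once per subscriber; the amplification Hans worries about only arises when each downstream MTA performs its own callback against the header sender.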