Re: [Exim] Re: Bagle, unqualified HELO, time delays

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Alan J. Flavell
Date:  
À: Exim users list
Sujet: Re: [Exim] Re: Bagle, unqualified HELO, time delays
On Fri, 5 Mar 2004, James P. Roberts wrote:

[excess quotage snipped]

> My original point stands.


Then I guess I should have contradicted it sooner. Sorry.

> I don't believe there would be significant impact
> to receiving or legitimate sending hosts.


Like several of the measures discussed here, I'm afraid this one only
gives us a temporary edge over the rest of the internet. It benefits
us because it's easy to apply in exim - most of the other victims
aren't applying it, consequently the baddies aren't adopting measures
to defeat it. But as soon as it became a normal thing to do, the
baddies would just compensate for it.

And then we'd all be worse off.

It's the same with callouts, although I do them myself (selectively, I
mean): if everyone resorted to callouts (and if everyone responded
with the correct answer when a callout arrived), then all the baddies
would have to fake real sender addresses instead of fictitious ones,
and we'd be worse off.

> A given email would suffer a short delay, yes, but the resource cost
> is minimal to both ends (see previous arguments). Most users suffer
> several minute delays anyway, simply because their MUA only checks
> for new mail at intervals. A 30 second-ish delay would generally
> not be noticed.

[...]
> Because RFC's ask for senders to accept up to a 300 second delay, it is well
> within existing norms. The only ones significantly affected would be
> "viruses" (spelling nod to MBM), and spammers that don't conform to RFC
> standards of MTA behavior.


In the technical jargon, "it does not scale". That doesn't mean it
isn't useful as a short-term defence measure - it obviously *is*[1] -
but if a substantial proportion of mailers adopt it, then the baddies
will make sure that it will no longer be effective, and then we'll all
be worse off.

That's the way I see it, anyhow.

[1] This week's result so far says that of 1771 requests which were
rated by my criteria as worthy of a Long Wait, 1433 of them timed-out
instead of waiting for the response. Now, bearing in mind that in
this particular week, most of those are in fact Bagle virus attempts,
which result in three actual requests per attack, the figure isn't
quite as impressive as it looks, but nevertheless, it's doing a useful
job for us IMHO. We haven't logged a single Bagle since 2004-03-01
15:47:18 , with the exception of five hits on 'W32/Bagle-Zip' which
would have been forwarded by some other MTA, rather than sent to us
directly.

But the Bogus Virus Alerts are a _much_ harder nut to crack than the
viruses themselves, mumble.