Re: [exim] ident timeout

On Tue, 24 May 2005, Matthew Byng-Maddick wrote:

> ident is for the systems administrators at the host which issued the ident
> string to identify which one of their users did anything in particular.

Normally, yes. The rfc1413_query_timeout can happily be set to a
much lower value than 30s, say 10s or 7s. Those who don't wish to
respond to it would be nicer to reject the request than just to drop
it on the floor, but both behaviours can be found in practice.
There's little point in waiting around for 30s before giving up.

> If you claim that my machine has been the originator of some kind of
> network abuse and can't provide an ident string for me, then I will
> waste a lot more time chasing it down, and probably get bored
> sooner.

Indeed. But I think it's fair to say that a multi-user system also
being the direct source of mail offers to the wider Internet is
becoming increasingly rare, as outgoing MTAs are increasingly run as
dedicated mail servers.

> You are not supposed to infer anything about the content of the
> string, though traditionally it has been the plaintext username, but
> merely to pass it on as a token.

Indeed - see, for example, the crypted token option in the pidentd
server.

But if that string says "squid" or "CacheFlow Server" or "proxy" then
we're going to smell a rat, and decline the mail. Such incidents have
become relatively rare now, as the insecure versions of the respective
software have been updated out there, but they're still logged
occasionally: last week's log has half a dozen U=squid, half a dozen
U=proxy and a dozen U=CacheFlow Server, all of which on inspection are
obvious attempts to relay a spam. We could probably have kept those
spams out by other means (indeed we rejected those particular squid
ones because they HELO'ed with our own IP number as a domain name,
before we got to testing the ident) but IMHO it's still a worthwhile
defence.