LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Valdis Kletnieks <[log in to unmask]>
Fri, 14 Dec 2007 23:59:29 -0500
On Fri, 14 Dec 2007 19:09:09 PST, Nate Eckstine said:
> How is postmaster spam avoided? Occasionally we get these spam storms of
> 100-200 consecutive bad emails that are advertisements. They are sent to
> the postmasters as rejected emails.  The firewall crew doesn't want to
> block them in case the IP address is spoofed.

Umm.. You have an overly paranoid firewall staff - it's *really* hard to
spoof the IP address for a TCP connection, as long as the destination
system does *any* sort of RFC1948 ISN randomization - and that RFC was
written all the way back in the Stone Age of 1996.

RFC1948 Defending Against Sequence Number Attacks. S. Bellovin. May 1996.
     (Format: TXT=13074 bytes) (Status: INFORMATIONAL)

Once upon a time, it *was* possible to blind-spoof a TCP connection with
only 3 or 4 attempts to figure out the target machine's internal state.
These days, even the *broken* systems take enough packets that your firewall
guys would be yelling "Incoming SYN flood!!" - Michal Zalewski's work is
the best attack I'm familiar with:

http://lcamtuf.coredump.cx/oldtcp/tcpseq.html - the state of the net in 2001
http://lcamtuf.coredump.cx/newtcp/ - a year later.

Note that in order to *start* the analysis, he takes some 50,000 ISN
values - which implies that the target machine has been probed 50,000
times.  And then he's looking at the chance that in 5,000 attempts *after*
that, you'll get lucky.

And you get to re-gather those 50,000 values for *each* target system.

Most likely, they're worried that they'll accidentally block an "important"
internal system if somebody spoofs packets with that system as a source. Of
course, anybody who does auto-blocking and doesn't whitelist things that would
be Really Disastrously Bad if they got blocked *deserves* the results. ;)

On the other hand, it would do the Net a world of good if everybody did proper
ingress/egress filtering - if it's got a source address in your IP space, it
shouldn't be seen inbound on your exterior link, and if the source address
isn't in your IP space, it shouldn't be outbound.

2827 Network Ingress Filtering: Defeating Denial of Service Attacks
     which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May
     2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated by
     RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)
3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola.
     March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also
     BCP0084) (Status: BEST CURRENT PRACTICE)
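The ingress/egress rule stated above (our addresses never arrive inbound on the exterior link, only our addresses ever leave it), written out as an added example that is not part of the original post; the prefixes and sample packets are constructed for illustration.

```python
"""RFC 2827 / BCP 38 source-address filter for a site's exterior link.
  - inbound: drop if the source is in our own address space
  - outbound: drop if the source is NOT in our own address space
"""
import ipaddress
from typing import List, Tuple

# Constructed example: the address space this site announces to the outside.
OUR_SPACE = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_ours(src: str, space=OUR_SPACE) -> bool:
    """True if src falls inside one of our own prefixes (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in space)


def filter_verdict(direction: str, src: str, space=OUR_SPACE) -> str:
    """Apply the BCP 38 rule; direction is "in" (from upstream) or "out"."""
    if direction not in ("in", "out"):
        raise ValueError(f"unknown direction {direction!r}")
    ours = is_ours(src, space)
    if direction == "in" and ours:
        return "drop"   # one of our addresses arriving from outside: spoofed
    if direction == "out" and not ours:
        return "drop"   # a foreign source leaving our network: spoofed
    return "accept"


def apply_filter(packets: List[Tuple[str, str, str]], space=OUR_SPACE) -> List[str]:
    """Run the rule over (direction, src, dst) tuples; one verdict per packet."""
    return [filter_verdict(d, s, space) for d, s, _dst in packets]


# Constructed sample traffic seen on the exterior link.
SAMPLE = [
    ("in",  "203.0.113.7",    "198.51.100.25"),   # legitimate inbound mail
    ("in",  "198.51.100.25",  "198.51.100.10"),   # our address coming from outside
    ("out", "198.51.100.25",  "203.0.113.7"),     # legitimate outbound
    ("out", "192.0.2.99",     "203.0.113.7"),     # our host using a foreign source
    ("in",  "2001:db8:1::25", "2001:db8:1::10"),  # IPv6 spoof of our own space
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, apply_filter(SAMPLE)):
        print(f"{pkt[0]:3} src={pkt[1]:16} -> {verdict}")
```

For a multihomed site the outbound half needs the RFC 3704 refinements (strict versus loose reverse-path checks), since a legitimate packet may leave on a link other than the one its prefix is announced on.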
