Re: Should ISP's send bounceback on mail to non-existent address?



On Wed, 29 Jun 2005 09:01:41 -0400, "Uriel Wittenberg"
<urielw@xxxxxxxxxx> wrote:

>>By monitoring the number of good and bad recipients per sending IP for
>>those IP's which go above a certain threshold of bad versus good it's
>>very easy to detect such attacks. I.e. we ignore such IP's at the TCP
>>level for a complete week if the firmware triggers that it's enough
>>from a given IP.
>
>Ahh! That's what I was looking for.
>
>So, to reiterate:
>
>-------------------------
>- Sympatico has told me that it simply DISCARDS AND IGNORES any incoming
>email addressed to non-existent-address@xxxxxxxxxxxxx
>
>- Its justification: If it somehow indicated to a sender when a
>recipient didn't exist, a spammer could use that to guess valid
>addresses. The spammer would do that by sending to a@xxxxxxxxxxxx,
>b@xxxxxxxxxxxx, c@xxxxxxxxxxxx, etc. Whenever there was no notice of
>non-existence, he'd know he'd guessed a valid address.
>
>- The above justification is nonsense since, as above, the proper way
>for sympatico to prevent this kind of spammer action is to monitor
>sending IP's and ignore those with excess bad/good ratios.

Well, "the proper way" is of course a matter of one's view. It's
surely "proper" in that this approach does not create any problematic
cases. That said, valid senders get their proper bounce, attackers
get blocked.

The downside of this is that probably much mail server software does
not implement such a feature. On the other hand, ISP's as big as
sympatico should be able to buy/hire/get this functionality quite
easily. So from this perspective, yes, the justification IS nonsense.

>-------------------------
>
>However, I'm still not clear about sympatico's claim that "Microsoft has
>implemented this feature [in the MSN enhanced email platform] as a spam
>prevention method."
>
>(I gather the "MSN enhanced email platform" is MS software that
>sympatico uses for processing email.)

I figure they use MS Internet Information Service probably along with
Exchange Server 5.5 or older. The newer Exchange servers (surprise,
surprise) finally CAN validate the recipient during the SMTP
transaction. To my knowledge, they do not implement rumpelstilz
attack detection though. So, if you call the lack of a feature
"enhanced" technology then this statement is probably right :-)

IMHO that's just marketing fuzz to obfuscate the embarrassing fact that
their first incarnations of mailserver software are utterly broken in
many places. Note, don't get me wrong, I don't think that the GROUPWARE
part of Exchange is that bad. Their SMTP implementations - especially
the older ones - are seriously broken though.

>Sympatico's claim suggests that the reason sympatico's systems
>discard/ignore incoming email addressed to
>non-existent-address@xxxxxxxxxxxx is that that's the way the "MSN
>enhanced email platform" is designed to work. Is that right?

Yes, it's designed to work this way because they are using a layered
approach. The original Internet Information Service which deals with
SMTP has no knowledge about users hence MUST accept all mail.
Exchange server then reads the mails in a separate step and then
generates the bounces (or, as in the case of sympatico and in clear
violation of the RFC's, drops such mail). Again, newer incarnations of
the Internet Information Service are apparently able to verify the
recipient's address during the SMTP phase hence can generate those 5xx
responses. Since this still leaves the possibility of rumpelstilz
attacks, it remains unclear if sympatico would also "drop" mails to
unknown recipients if their servers were able (or maybe even are able)
to verify the recipients during the SMTP phase or if they just use
this argumentation due to the pure lack of the recipient verification
feature.

>If so -- why is MS taking this obviously wrong approach, rather than the
>correct one you've outlined above?

Again, "correct" is a matter of point of view, but I figure they had
the problem because they were splitting the task between "Internet
Information Service" and Exchange server. It's beyond me why they did
it this way, but I figure if you take enough software developers to
design a system this is what happens...

[snip]
>Uhhh -- not sure you understood/remembered: What sympatico is doing is
>discarding/ignoring incoming email addressed to
>non-existent-address@xxxxxxxxxxxxx. So I think the answer to my question
>is: "yes, sympatico's approach (discarding/ignoring) is misguided
>because it's unnecessary for foiling the spammer attack referred to."

Yes, it IS misguided if they silently drop the mail because this is a
violation of the RFC which clearly states that once a server accepts a
mail by returning a 220 code after the data phase it takes
responsibility for its delivery. If it can't be delivered, it takes
the responsibility to inform the sender with a proper bounce. However,
this part is questionable these days. It's clear that the RFC by
itself is a bit outdated by the reality with regard to spam and worm
mails. My previously suggested way of dealing with the problem (i.e.
recognizing rumpelstilz attacks and dealing with them) is of course not
based on any RFC - it's just a good way to deal with the problems
faced these days. I admit though that if one does not have the
means to detect rumpelstilz attacks and experiences such
attacks, one might revert to the way sympatico is dealing with it. It's
just embarrassing that an ISP of that size does not implement counter
measures. Even if it should turn out that they are using Microsoft
servers they could either hook up some security appliance in front of
them or use different e-mail server software or switch to Linux based
servers. Since I'm not a sympatico customer, I don't know if they
perhaps offer groupware functionality to their customers. If they do,
a transition to another mailserver software would be difficult. It still
would leave the option of hooking up proper security appliances in
front of their servers.

HTH

Markus
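As an added illustration of the receiver-side behaviour discussed in this thread (this is example code written for this page, not code from Markus, Sympatico, or any mail server product): the recipient is validated at RCPT TO time so that a legitimate sender gets a proper 5xx reply instead of having the message silently dropped, while the server counts good and bad recipients per sending IP and, once the bad count crosses a threshold and the bad/good ratio is too high, refuses new connections from that IP for a week. The local domain, user directory, thresholds, sample addresses and IP addresses are all constructed for the example.

```python
"""Per-sending-IP good/bad recipient accounting for an SMTP receiver.

Example code for this page, not any vendor's implementation.  Two
behaviours from the thread are modelled:

  * the recipient is checked during the SMTP transaction, so an unknown
    address gets a 550 reply rather than being accepted and discarded;
  * each sending IP's good and bad RCPT TO results are counted, and an
    IP whose bad count and bad/good ratio exceed thresholds is refused
    at connection time for a week (the "rumpelstilz" detection).
"""
import time
from dataclasses import dataclass

# Constructed local directory and domain; real servers look these up.
LOCAL_DOMAIN = "example.net"
VALID_USERS = {"alice", "bob", "carol"}

ONE_WEEK = 7 * 24 * 3600


def recipient_exists(address: str) -> bool:
    """Recipient validation at RCPT TO time (the 5xx path from the thread)."""
    local, sep, domain = address.rpartition("@")
    return sep == "@" and domain.lower() == LOCAL_DOMAIN and local.lower() in VALID_USERS


@dataclass
class IPStats:
    good: int = 0            # RCPT TO accepted
    bad: int = 0             # RCPT TO rejected with 550
    blocked_until: float = 0.0   # epoch seconds; 0 means not blocked


class HarvestGuard:
    """Counts good/bad recipients per IP and blocks IPs that guess too much."""

    def __init__(self, min_bad=10, max_bad_ratio=0.8,
                 block_seconds=ONE_WEEK, clock=time.time):
        # Thresholds are assumptions chosen for the example, not the
        # values used by any real product.
        self.min_bad = min_bad
        self.max_bad_ratio = max_bad_ratio
        self.block_seconds = block_seconds
        self.clock = clock          # injectable for testing time-based expiry
        self.stats = {}             # ip -> IPStats

    def _stats(self, ip: str) -> IPStats:
        return self.stats.setdefault(ip, IPStats())

    def accept_connection(self, ip: str) -> bool:
        """Connection-level decision: refuse while the block is active."""
        return self.clock() >= self._stats(ip).blocked_until

    def rcpt_to(self, ip: str, address: str) -> str:
        """Return the SMTP reply for one RCPT TO and update the IP's counters."""
        s = self._stats(ip)
        if recipient_exists(address):
            s.good += 1
            return "250 2.1.5 Recipient OK"
        s.bad += 1
        total = s.good + s.bad
        # Only block when there are enough bad guesses AND they dominate;
        # a legitimate sender with an occasional typo never trips this.
        if s.bad >= self.min_bad and s.bad / total >= self.max_bad_ratio:
            s.blocked_until = self.clock() + self.block_seconds
        return "550 5.1.1 User unknown"


def run_session(guard: HarvestGuard, ip: str, recipients) -> list:
    """Simulate one SMTP session: a list of replies, or [] if refused."""
    if not guard.accept_connection(ip):
        return []            # dropped at connection time; nothing is sent
    return [guard.rcpt_to(ip, r) for r in recipients]


if __name__ == "__main__":
    guard = HarvestGuard()
    # Constructed traffic: one sender with a typo, one guessing addresses.
    print(run_session(guard, "198.51.100.5",
                      ["alice@example.net", "alce@example.net"]))
    guesses = [f"{c}@example.net" for c in "abcdefghijkl"]
    run_session(guard, "203.0.113.7", guesses)
    print("guesser accepted again?", guard.accept_connection("203.0.113.7"))
```

The block only affects new connections, so a session already in progress still receives explicit 550 replies; a real deployment would apply the block in a firewall or connection filter in front of the SMTP listener, which is the "security appliance" option mentioned in the reply.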