[Asrg] Meta channel, not bounces
Franck Martin
franck at avonsys.com
Thu Jan 15 13:42:52 PST 2009
Well, any way to modify SMTP to still send ARF reports without taking down the whole Internet?
Speaking out loud: a new capability in ESMTP that would advertise the reception of ARF reports, or a special standard mailbox on all MTAs to accept ARF reports. We have postmaster and abuse, why not ARF?
Or maybe send this ARF report to a DNSBL service? After authentication, it would place the original sender in a DNSBL, stopping others from receiving further infected emails?
Cheers
----- Original Message -----
From: "Chris Lewis" <clewis at nortel.com>
To: "Anti-Spam Research Group - IRTF" <asrg at irtf.org>
Sent: Friday, 16 January, 2009 9:17:31 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] Meta channel, not bounces
Alessandro Vesely wrote:
> Chris said their filter is not able to distinguish viruses from
> generic malware.
That should be read to mean "not in general", as opposed to "never".
> Having an appropriate error message is not enough. It is also
> necessary to deliver that message to the right operator.
Thus becoming a DDOS vector.
> Some large sites have established feedback loops whereby a message is
> "bounced" to some postmaster. Apparently, they are mainly meant for
> "this is spam" actions. However, the ARF format (quite similar to DSN)
> provides fields for reporting bad DKIM signatures. I don't know at
> what level such bounces could be generated. It is technically possible
> to generate them right after the data transfer, just like for viral
> content. If we recognize that viruses are a problem, don't they
> deserve using that meta channel as well? This leaves us wondering how
> can such a meta channel be established for small and medium sites as
> well...
Thus becoming a DDOS vector.
Went through this conversation on another list recently.
It is technically possible (in fact trivial in many cases) to instrument
an MTA to automatically generate and send ARF in real time. Even
assuming that the MTA can figure out the _right_ place to send the ARF,
it becomes a WMD.
Imagine, if you will, everybody did it. Some moderately sized site gets
a reasonably prolific (single) infection, and spews out a few million
viruses. You're expecting the site's MTAs to handle a few million ARFs,
when only one _should_ suffice.
If broadly implemented, it'd cause global meltdown.
God help us all if the site receiving the ARF somehow doesn't recognize
it as ARF, and replies with its own ARFs. Or, if the virus writer
figures out a way to get the ARF generators to send it to the wrong
place - believe me, they'd be trying...
ARF is good stuff. But only insofar as there are limitations on how it's
emitted/deployed.
_______________________________________________
Asrg mailing list
Asrg at irtf.org
http://www.irtf.org/mailman/listinfo/asrg
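Chris's objection above is that a per-message ARF emitter turns one infection into millions of reports, and that a site which answers a report with a report loops forever. The block below is an added example, not code from this thread or from any existing ARF implementation, of the emitter-side limits he asks for: it refuses to report messages that are themselves ARF reports or that carry an Auto-Submitted header, collapses repeated reports about one sending domain and one malware signature into a single report per window, caps the total number of reports the MTA emits per window, and sends only to an operator-configured address rather than one read out of the suspect message. The reporter address, the abuse address, the window sizes, the signature name and the sample messages are all constructed.

```python
"""Loop-safe, rate-limited ARF (RFC 5965) emitter. Constructed example."""
import email
import email.utils
from collections import defaultdict, deque
from email.mime.base import MIMEBase
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Hypothetical deployment values, not taken from any real site.
REPORTER = "arf-reporter@example.net"
USER_AGENT = "example-arf-emitter/0.1"


def is_arf_report(msg):
    """True if msg is itself an ARF report: multipart/report with
    report-type=feedback-report (RFC 5965). A report must never be answered
    with another report, or two emitters ping-pong forever."""
    rtype = msg.get_param("report-type") or ""
    return (msg.get_content_type() == "multipart/report"
            and str(rtype).lower() == "feedback-report")


def is_auto_submitted(msg):
    """RFC 3834: anything marked Auto-Submitted other than 'no' is itself an
    automatic message and must not receive automatic responses."""
    value = (msg.get("Auto-Submitted") or "no").strip().lower()
    return not value.startswith("no")


def sender_domain(msg):
    """Domain of the envelope sender (Return-Path), falling back to From."""
    addr = email.utils.parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() or "unknown"


class ArfThrottle:
    """Collapse a flood of reports about one incident into one per window.

    The key is whatever the operator considers one incident, here the sending
    domain plus the malware signature: a million copies of one worm from one
    site should produce one report, not a million."""

    def __init__(self, per_key_limit=1, global_limit=50, window=3600.0):
        self.per_key_limit = per_key_limit   # reports per incident per window
        self.global_limit = global_limit     # reports from this MTA per window
        self.window = window
        self._per_key = defaultdict(deque)   # key -> timestamps of sent reports
        self._all = deque()                  # timestamps of all sent reports

    def _prune(self, dq, now):
        while dq and now - dq[0] >= self.window:
            dq.popleft()

    def allow(self, key, now):
        """Record and permit a report for key at time now, or refuse it."""
        self._prune(self._all, now)
        dq = self._per_key[key]
        self._prune(dq, now)
        if len(dq) >= self.per_key_limit or len(self._all) >= self.global_limit:
            return False
        dq.append(now)
        self._all.append(now)
        return True


def build_arf_report(original, feedback_type, recipient, now):
    """Build an RFC 5965 report about original, addressed to recipient."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = REPORTER
    report["To"] = recipient
    report["Subject"] = "Abuse report for %s" % original.get("Message-ID", "<unknown>")
    report["Date"] = email.utils.formatdate(now)
    # Mark our own output as automatic so a receiver honouring RFC 3834
    # will not auto-respond to it.
    report["Auto-Submitted"] = "auto-generated"
    report.attach(MIMEText("This is an automatically generated abuse report (ARF).\n"))
    feedback = MIMEBase("message", "feedback-report")
    feedback.set_payload(
        "Feedback-Type: %s\r\nUser-Agent: %s\r\nVersion: 1\r\n"
        "Original-Mail-From: %s\r\nArrival-Date: %s\r\nReported-Domain: %s\r\n"
        % (feedback_type, USER_AGENT, original.get("Return-Path", "<>"),
           email.utils.formatdate(now), sender_domain(original)))
    report.attach(feedback)
    report.attach(MIMEMessage(original))  # the offending message as message/rfc822
    return report


def handle_inbound(raw_message, signature, throttle, now, abuse_addr="abuse@example.org"):
    """Decide whether a message the malware filter flagged with `signature`
    gets a report. The destination is operator-configured, never read out of
    the suspect message. Returns (report or None, reason)."""
    msg = email.message_from_string(raw_message)
    if is_arf_report(msg):
        return None, "inbound message is itself an ARF report; not answering"
    if is_auto_submitted(msg):
        return None, "inbound message is auto-submitted; not answering"
    key = (sender_domain(msg), signature)
    if not throttle.allow(key, now):
        return None, "suppressed: %s/%s already reported in this window" % key
    return build_arf_report(msg, "virus", abuse_addr, now), "report emitted"


if __name__ == "__main__":
    # Constructed sample: three copies of one worm from one site within a minute.
    sample = ("Return-Path: <bot@infected.example>\r\nFrom: bot@infected.example\r\n"
              "Message-ID: <%d@infected.example>\r\nSubject: see attached\r\n\r\nbody\r\n")
    throttle = ArfThrottle()
    for i in range(3):
        _, reason = handle_inbound(sample % i, "Worm.Example", throttle, 1000.0 + i)
        print(reason)
```

Run stand-alone it prints one "report emitted" followed by two suppressions; the same flood that Chris describes as a few million ARFs becomes one report per infected domain per hour, and a report arriving from the other side is recognised and dropped rather than answered.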