i don't exactly see how limiting the speed of confirm requests solves
the problem. it just extends it over a longer period of time. the only
limit i could see that would make sense would be to limit confirm requests
per address (crpa's) to one per day (somewhat like mailman for instance).
in fact if there's a limit of one crpa per day, the rest of the argument is
kind of silly since if i wanted to annoy a tmda using [EMAIL PROTECTED] i
wouldn't forge mails from other people and send them to him to cause him
to send off confirm messages. i'd just forge a whole bunch of emails
with a from address of [EMAIL PROTECTED] or just forge one address from
[EMAIL PROTECTED] with tons of addresses.

it should be noted that the same attack is available against people who
run vacation or against mailing list subscription addresses. the single
automatic response per email address per day solution is pretty much
the only solution implemented.

note, i've sent this on to the tmda-users list and cc'd paul.

kevin

ps paul doesn't like btvs either. i think he just really doesn't like
things that abbreviate into four letters as they're harder for him
to remember than tla's. so don't be too upset by his grumpiness. :)

----- Forwarded message from Paul Jakma <[EMAIL PROTECTED]> -----
From: Paul Jakma <[EMAIL PROTECTED]>
To: kevin lyda <[EMAIL PROTECTED]>
Subject: Re: does tmda have "obnoxious git" protection?
hmm...
the reply seems to assume the victim is "an anti-spam crusader" - why
would this be so?
also, it ignores the fact that identity of originator of attack may be
untraceable (open anonymous proxy - lists are easily available).
TMDA needs some kind of connection dampening. full stop.
--paulj
On Sun, 22 Sep 2002, kevin lyda wrote:
> > ok, so let's say [EMAIL PROTECTED] has tmda guarding his mailbox. for some
> > reason another user has decided to annoy [EMAIL PROTECTED] so he sends
> > mail from forged addresses via proxies to hide his identity. perhaps
> > forged from addresses of anti-spam people who maintain "bad" ip addresses.
> > this would cause tmda to generate confirm messages to those addresses.
>
> This sounds like a variation on a "joe-job", where the spammer forges
> the victim's address in the From/Reply-To fields and the envelope
> sender and the victim gets all the bounces and angry responses. The
> only way to "prevent" it is to notice it early and block those
> specific emails.
>
> Forging the return address of an anti-spam crusader, however, would
> probably be one of the most foolish things an attacker could do. Unless
> the attacker used a true anonymous remailer chain to send the mail, he
> can most likely be traced through Received fields. He can fake any
> Received headers he wants, as long as the server is under his control.
> Once the mail hits another MTA, though, even an open relay, the
> Received fields will be valid and will point back to him.
>
> If he used an anonymous remailer, he couldn't send more than a few
> messages before the remailer decided it was suspicious and blocked his
> IP (yes, they do that). And it's still not an automated process. In
> fact, it's a heck of a lot of work.
>
> For the same reason, using a web service like Hotmail or even Hushmail
> is much too time-consuming, since you have to send each message
> manually.
>
> > now granted the malicious user would have to send one message per
> > generated annoyance message, so it would take a lot of time, but is it
> > a possible attack?
>
> The attack is only really meaningful if you can send lots of mail
> automatically. Then it's only annoying, since the victim can tell
> from the headers what's going on and block it while tracing the
> attacker's address. That's why it's dumb to forge an anti-spammer's
> address. Many of those people get a real thrill from hunting down
> attackers and getting them kicked off their ISP.
>
> But that's just my opinion. <wink>
> ----- End forwarded message -----
--
Paul Jakma Sys Admin Alphyra
[EMAIL PROTECTED]
Warning: /never/ send email to [EMAIL PROTECTED] or [EMAIL PROTECTED]
----- End forwarded message -----
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
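
The "single automatic response per email address per day" limit discussed in the thread, sketched as an added example. This is not TMDA's, vacation's or mailman's code; ConfirmLimiter, confirms_sent and the sample addresses are hypothetical names made up for the illustration.

```python
import time

DAY = 24 * 60 * 60  # one confirm request per address (crpa) per day


class ConfirmLimiter:
    """Remember when each sender address was last sent a confirm request."""

    def __init__(self, interval=DAY):
        self.interval = interval
        self.last_sent = {}  # normalized address -> timestamp of last confirm

    @staticmethod
    def normalize(addr):
        # Domains are case-insensitive; local parts are left as received.
        local, _, domain = addr.strip().rpartition("@")
        return f"{local}@{domain.lower()}"

    def should_confirm(self, sender, now=None):
        """Return True (and record it) if a confirm may go to sender now."""
        now = time.time() if now is None else now
        key = self.normalize(sender)
        last = self.last_sent.get(key)
        if last is not None and now - last < self.interval:
            return False  # already challenged within the window: stay silent
        self.last_sent[key] = now
        return True

    def expire(self, now=None):
        """Drop entries older than the window so the table stays bounded."""
        now = time.time() if now is None else now
        cutoff = now - self.interval
        self.last_sent = {k: t for k, t in self.last_sent.items() if t > cutoff}


def confirms_sent(limiter, senders, start=0.0, spacing=1.0):
    """Count confirm requests generated by a stream of unconfirmed senders."""
    return sum(
        limiter.should_confirm(s, now=start + i * spacing)
        for i, s in enumerate(senders)
    )


# Constructed sample traffic (example.* addresses are placeholders).
same_forged = ["victim@Example.org"] * 500
many_forged = [f"user{i}@example.net" for i in range(500)]
```

With this limit a flood forged from one address produces a single confirm request per day, while mail forged from many distinct addresses still produces one confirm per address, which is the residual case the thread argues about.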