On Jun 22, 2008, at 8:22 PM, Matt Kettler wrote:
> Just because a packet can get there doesn't mean they can deliver
> mail. (by the way, IMO you're *insane* for not having something in
> place that filters such things. A simple PIX firewall at your border
> with "ip verify reverse-path" enabled would do the job nicely. On a
> budget simple ACLs in your border routing would do. Step up to at
> least 1980's grade network security. seriously.)
Matt, what exactly does insulting me gain you, me, or this list?
Really? Better yet, what does insulting me from an incorrect
assumption gain you?
My "border router" is a Force10 E-series system with 10gig
interfaces. We have full line-speed RPF on every interface (unlike
most providers) and we do a lot of work to keep the network secure.
This is significantly better than 1980s networking. And I was in the
1980s building networks (when 1mb/sec LAN was fast and 32k was a big
wan link) and you were not, so I'm really not sure what point you are
trying to make.
I know from reading your posts that you're a smart, level-headed guy.
Let's forget you said this and focus on real responses that elevate
the conversation, rather than just piss both of us off, ok? Because
this post didn't help anyone, but did make me think a lot less of you.
FYI: I spent nearly 20 years as a consultant. And I've been to dozens
of networks where someone pointed out to me that certain attacks
weren't possible -- like IP spoofing against a PIX with reverse-path
enabled. And in every case, the "impossible" was pretty darn easy.
My favorite was a site that realized their firewall wasn't working
when their internal Word documents were found indexed on Altavista.
The site engineer and the firewall service provider claimed this must
have been exported illegally, and showed me the configuration. Yes,
it worked on paper ;-)
> I've not seen such mass IP forgery going on. Have you? Of course
> not, because it pretty much can't be done.
With a statement such as this you demonstrate that you aren't in the
security field, and don't read either security papers or security
mailing lists ... so I'm really not sure how to respond to you,
honestly. I'm not trying to be rude, but your statement has no basis
in reality.
Not only can it be done for given short-term purposes, but there are
at least 3 toolkits which test systems and then generate entire forged
TCP streams at the hosts. They are remarkably effective. I haven't
found one which works 100% against modern FreeBSD, which is what we
are running, but that doesn't mean it doesn't exist. And a toolkit
which takes 100 or 200 attempts to succeed... is easy to accomplish on
multi-gig networks without raising even the slightest alarm.
Perhaps you want to show me the syslog message your system generates
when it receives a TCP session id that isn't in use? No, my operating
system doesn't generate one either. (however my IDS will notice this
and log it, but that doesn't mean my mail server should trust it)
NOW perhaps we can stop talking about networking? Because this isn't
about networking, really. It's about SpamAssassin. I don't want my
spamassassin to trust something it shouldn't receive. That's the
nature of the question.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
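The point made above about logging, that a host which receives a TCP segment for a session it does not have (or a sequence number it is not expecting) drops it quietly while an IDS keeping its own connection table will notice, is illustrated by the following added example. It is not code from the mailing-list thread, from the poster's network or from SpamAssassin. The connection table, the addresses and the segments are constructed sample data; the `Conn`, `Segment`, `classify` and `alerts` names are this example's own.

```python
"""IDS-style check for TCP segments that no live connection accounts for.

Added example, not code from the mailing-list thread or from SpamAssassin.
It models what a network IDS logs when it sees a segment whose 4-tuple is
not an open connection, or whose sequence number lies outside the
connection's receive window. The host itself answers such a stray segment
with a RST or a bare ACK (RFC 793) and writes nothing to syslog, so the
IDS has to keep its own connection table to notice the attempt.

Only the client->server direction is tracked; a real tracker keeps both.
The connection table and the segments below are constructed sample data.
"""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


@dataclass(frozen=True)
class Conn:
    """One tracked direction: what the receiver at dst:dport expects next."""
    src: str
    sport: int
    dst: str
    dport: int
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # receive window the receiver advertised


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    flags: str


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classify(table: dict, seg: Segment) -> str:
    """Return "ok", "no-session" or "out-of-window" for one segment."""
    conn = table.get((seg.src, seg.sport, seg.dst, seg.dport))
    if conn is None:
        return "no-session"          # host would send RST and log nothing
    if not in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd):
        return "out-of-window"       # host would ACK and discard, silently
    return "ok"


def alerts(table: dict, segments: list) -> list:
    """Everything an IDS would log: each segment that is not a clean in-window hit."""
    return [(v, seg) for seg in segments if (v := classify(table, seg)) != "ok"]


def build_table(conns: list) -> dict:
    return {(c.src, c.sport, c.dst, c.dport): c for c in conns}


# Constructed sample: two SMTP sessions to one mail server, the second with a
# receiver-side sequence number about to wrap past 2^32.
SAMPLE_CONNS = [
    Conn("203.0.113.7", 40000, "192.0.2.25", 25, rcv_nxt=1000, rcv_wnd=65535),
    Conn("203.0.113.9", 40500, "192.0.2.25", 25, rcv_nxt=SEQ_SPACE - 10, rcv_wnd=65535),
]
SAMPLE_TABLE = build_table(SAMPLE_CONNS)

SAMPLE_SEGMENTS = [
    Segment("203.0.113.7", 40000, "192.0.2.25", 25, seq=1000, flags="PA"),          # in window
    Segment("203.0.113.7", 40000, "192.0.2.25", 25, seq=1000 + 65534, flags="PA"),  # last in-window byte
    Segment("203.0.113.7", 40000, "192.0.2.25", 25, seq=1000 + 65535, flags="PA"),  # one past the window
    Segment("203.0.113.7", 40001, "192.0.2.25", 25, seq=1000, flags="PA"),          # port not in use
    Segment("203.0.113.9", 40500, "192.0.2.25", 25, seq=5, flags="PA"),             # wrapped, still ok
    Segment("198.51.100.3", 51000, "192.0.2.25", 25, seq=777, flags="PA"),         # forged source, no session
]

if __name__ == "__main__":
    for verdict, seg in alerts(SAMPLE_TABLE, SAMPLE_SEGMENTS):
        print(f"{verdict}: {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} seq={seg.seq}")
```

The modulo arithmetic in `in_window` is the part that is easy to get wrong: a plain `rcv_nxt <= seq < rcv_nxt + rcv_wnd` comparison rejects the wrapped segment (`seq=5` against `rcv_nxt=2^32-10`) that a real receiver accepts, and an IDS with that bug produces false alerts exactly on long-lived sessions.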