
Re: Bug#207300: tmda: Challenge-response is fundamentally broken



    Just some additional data points as I have been following this and other
related C-R threads for a while now.

On Thu, 28 Aug 2003 12:35:25 +0100
"Karsten M. Self" <kmself@ix.netcom.com> wrote:
[ Snip ]
> Specific to my own experience:  over half the C-R challenges (TMDA or
> otherwise) I've received have been for mail I didn't send.  I expect
> this trend to increase in both magnitude and percentage.  I'm likely to
> either ignore messages or filter them with other spam.

    The only C-R challenges I've gotten were when I actually responded to Alan
Conner on D-U by accident.  He had a habit of setting his reply-to and
Sylpheed-Claws honored it.  Normally I hit reply and get the list.  This
accounts for 3 C-R ever.  Since then I've gotten at least a hundred or so in
recent days thanks to the virus going around.

[ Snip ]
 
> More chillingly, other users post Sobig.F stats:
 
>     TMDA and Sobig.F virus - praise
>     Sven Neuhaus <sn@heise.de>
>     Thu, 21 Aug 2003 17:04:09 +0200
>     http://mla.libertine.org/tmda-users/2003-08/msg00120.html
 
>     In the last 3 days, I received more than 4000 copies of the Sobig.F
>     virus.  Thanks to TMDA, I didn't even notice it until today (when I
>     noticed the 330megs in my pending folder).
 
> That's 4,000 innocent parties spammed with C-R challenges, if I'm
> interpreting what the meaning of 330 MiB in the pending folder is.

    This... is scary.  Within hours of one machine trying to hit me I had
blacklisted him at the firewall and implored my secondary MX to do the same. 
It was because each instance of a bounce or the virus itself was 100k.  Praise
for being ignorant of 4Gb of traffic being moved!?  Praise for moving 4Gb in
bounces?  That's bordering on criminal.

[ Snippage ]

> This then leaves a small number of messages daily to be assessed -- they
> are not viruses, spam, or on an existing whitelist.
 
> My question at this point is:  why not simply look at the damned mail
> and figure out for yourself whether or not it's worth reading?  We're
> probably talking something like a couple of items, a few times a week.

    I posted a message to d-u a few weeks back with hard stats about that
narrow band.  I think it came down to 4 a week as my rough estimate.  And, so
far, not a single piece in that band was legitimate.  I was in the process of
adjusting sa-exim's limitations downward since the band wasn't so narrow any
more.  With Bayesian filters on, razor checked and auto-learning set to -2 and
+5 for ham and spam respectively my average ham score was quickly approaching
-5 and my average spam score was pushing well over 6 with very little, if
anything, in between.  I think I saw 1-2 pieces a day with scores between
those two points.  I figure if I adjusted my scores downward I would have been
able to cut that close to 1 every 10 days or so.

-- 
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
       PGP Key: 8B6E99C5       | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
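The two pipeline orderings argued over in this thread, as an added example that is not TMDA's, sa-exim's or either poster's code: a naive C-R system challenges every unknown sender (and so challenges every forged Sobig.F sender), while a C-R step placed after virus scanning, spam scoring and whitelisting only challenges the "narrow band" between the autolearn thresholds the post mentions (-2 for ham, +5 for spam). The message list, sender addresses and scores are constructed for illustration; the `forged` set models addresses the virus spoofed.

```python
"""Where a challenge-response (C-R) step sits decides how much backscatter it
produces.  Constructed example; thresholds taken from the post, scores invented."""
from dataclasses import dataclass

HAM_LEARN = -2.0   # autolearn-as-ham threshold quoted in the post
SPAM_LEARN = 5.0   # autolearn-as-spam threshold quoted in the post


@dataclass
class Message:
    sender: str          # envelope sender as claimed (may be forged)
    score: float         # SpamAssassin-style score (constructed value)
    is_virus: bool       # flagged by a virus scanner
    null_sender: bool = False  # MAIL FROM:<>, i.e. a bounce or DSN


def naive_cr_challenges(msgs, whitelist):
    """C-R in front of everything: any sender not on the whitelist is challenged."""
    return [m.sender for m in msgs if m.sender not in whitelist]


def filtered_cr_challenges(msgs, whitelist):
    """C-R only for the narrow band: not whitelisted, not a bounce, not a virus,
    and not already classified by score as ham or spam."""
    challenged = []
    for m in msgs:
        if m.sender in whitelist or m.null_sender or m.is_virus:
            continue
        if m.score <= HAM_LEARN or m.score >= SPAM_LEARN:
            continue  # the filter already decided; no challenge needed
        challenged.append(m.sender)
    return challenged


# Constructed sample: one known correspondent, three virus copies with forged
# senders, one ordinary spam, one bounce, one genuinely unknown sender.
SAMPLE = [
    Message("alice@example.org", -6.1, False),
    Message("forged1@example.net", 8.3, True),
    Message("forged2@example.net", 7.9, True),
    Message("forged3@example.net", 9.0, True),
    Message("offer@example.com", 12.5, False),
    Message("", 0.0, False, null_sender=True),
    Message("newcontact@example.org", 1.4, False),
]
WHITELIST = {"alice@example.org"}
FORGED = {"forged1@example.net", "forged2@example.net", "forged3@example.net"}


def backscatter(challenged, forged=FORGED):
    """Count challenges that would land on a forged (innocent) address."""
    return sum(1 for s in challenged if s in forged)


if __name__ == "__main__":
    naive = naive_cr_challenges(SAMPLE, WHITELIST)
    filtered = filtered_cr_challenges(SAMPLE, WHITELIST)
    print(f"naive C-R: {len(naive)} challenges, {backscatter(naive)} to forged addresses")
    print(f"filtered C-R: {len(filtered)} challenges, {backscatter(filtered)} to forged addresses")
```

Run against the constructed sample, the naive ordering sends six challenges, three of them to the forged addresses, while the filtered ordering sends one challenge and no backscatter at all. Scaling the three virus copies up to the 4,000 the quoted report mentions is what turns a C-R setup into the bounce volume the thread complains about.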
