
Re: db.debian.org (and related infrastructure) updates



On Sat, Dec 30, 2006 at 05:14:30PM +0100, Francois Petillon wrote:
> As we have started to collect stats, out of 1K connections, there are from
> 30 to 50 connections that look like sender verify. This is quite low right
> now but it could be harmful on big domains if more people use it.

Yes. Just like any other large amount of traffic could be harmful on
big domains.

> you are using someone else's resources to fight spam.

That's certainly true.

But, come to think of it, using someone else's resources is not really a
taboo on the Internet. We all participate in such things, almost constantly.
Whenever I make a connection to a site, that site has to spend resources to
answer me (even if the answer is a rejection). If I resolve a domain, this
takes a toll on the entire DNS infrastructure leading up to the desired
domain. I use a search engine, whose crawler bot most probably spent gobs
of resources on countless sites in order to get me search results.

I suppose we could just go about being unusually thrifty and use only our
own resources in anti-spam, but these days even content filtering from
SpamAssassin is fairly inadequate without a number of checks in remote
databases.

I guess the counter-argument could be: all those services are explicitly
created in order to voluntarily serve requests, but nobody volunteered their
server to answer sender verification requests. Yet, a sender verification
request is nothing but a three-command SMTP conversation. If someone puts an
SMTP server online, and connects it via DNS, it's not exactly strange that
other people talk to it.

> Second, spammers may adapt in an annoying way (either they will use
> domains that always answer a 2xx to rcpt to, or they will use verified
> emails).

Some of them actually already do that, all the time, for years now.

> >Also, sender verification when seen from the side of the victims is
> >indistinguishable from a dictionary attack, and may cause deliverability
> >issues to the hosts attempting it.
> 
> I confirm it: we already have blacklisted IPs as they were issuing too
> many rcpt-to on non-existent emails. These were due to sender
> verifications...

You choose to ban those, just like someone else chooses to ban deliveries
from unverifiable senders. There's nothing particularly strange there.

-- 
     2. That which causes joy or happiness.
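As an added, defender-side illustration of the blacklisting Francois describes (example code written for this page, not from the thread or from Debian's infrastructure): it counts distinct "User unknown" RCPT TO rejections per client IP over constructed, Postfix-style smtpd log lines and reports clients that reach a threshold. As the thread notes, a dictionary attack and a remote site's sender-verification callouts leave the same trace, so the report is a rate signal, not proof of intent.

```python
"""Report SMTP clients that probe many non-existent local recipients.

Added example, not code from the thread. Log lines below are constructed
(RFC 5737 test addresses) and loosely follow Postfix smtpd reject messages.
"""
import re
from collections import defaultdict

# Constructed sample log: one client walks three unknown mailboxes with a
# null envelope sender, another makes a single typo from a real sender.
SAMPLE_LOG = """\
Dec 30 17:14:30 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<aaron@example.org> proto=ESMTP helo=<mx.remote.example>
Dec 30 17:14:31 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abbey@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<abbey@example.org> proto=ESMTP helo=<mx.remote.example>
Dec 30 17:14:32 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abel@example.org>: Recipient address rejected: User unknown in local recipient table; from=<> to=<abel@example.org> proto=ESMTP helo=<mx.remote.example>
Dec 30 17:14:40 mx postfix/smtpd[812]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<typo@example.org> proto=ESMTP helo=<mail.partner.example>
Dec 30 17:14:41 mx postfix/smtpd[812]: 1A2B3C4D5E: client=mail.partner.example[198.51.100.7]
"""

# Matches only the "User unknown" RCPT rejection; other rejects are ignored.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def unknown_rcpt_counts(log_text):
    """Return {client_ip: number of distinct non-existent recipients probed}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            seen[m["ip"]].add(m["rcpt"])
    return {ip: len(rcpts) for ip, rcpts in seen.items()}


def suspicious_clients(log_text, threshold=3):
    """Client IPs whose distinct unknown-recipient probes reach the threshold.

    The threshold is an assumption for this example; a real deployment would
    tune it per window and whitelist known callout sources it wants to allow.
    """
    counts = unknown_rcpt_counts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip in suspicious_clients(SAMPLE_LOG):
        print(f"{ip}: {unknown_rcpt_counts(SAMPLE_LOG)[ip]} unknown recipients probed")
```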
