
Re: What would happen to Challenge/Response if ...



On Thu, Oct 23, 2003 at 09:30:42AM +0100, Karsten M. Self wrote:
> on Wed, Oct 22, 2003 at 09:42:31PM -0600, Paul E Condon (pecondon@peakpeak.com) wrote:
> > I've been looking at a lot of options for dealing with Swen
> > and the next Sobig, soon to arrive. In the discussions here,
> > I learned that some people use tmda as a part of their spam
> > defense, and looking into it I soon learned that
> > 
> > TMDA == C/R
> 
> Not strictly true, though this is what most people seem to use TMDA for.

Yes, not strictly true, but where tmda does not send a challenge, the rest
of my plan is pointless.

> There is actually some useful process tracking which can be achieved
> through the tagged delivery aspects of TMDA -- TMDA involves _both_
> setting up special-use accounts _and_ filters for automated handling of
> responses to same.  C-R is actually only one of several functions
> supported.
> 
> > I had already heard that C/R is a bad thing, but I hadn't
> > really read much about what it really is. 
> 
> I suppose you've looked at the references Steve's pointed out.

Yes.

> 
snip
> > the internet. Instead, craft your response to be as terse as possible.
> >
> > What is the downside of doing this? Am I crazy?
> 
> First:
> 
>   - Any autoresponder is an invitation to abuse from the Internet.
>     Spoofed C-R challenges sent to your system could be used to DoS or
>     DDoS a targeted account. 

I'm proposing to autorespond to the challenge message of a C/R pair. In
other words to complete the C/R pair automatically. The return address
of the challenge message has a very special local part that is unlike
any 'real' email address that I have seen. I could, I think, use the
rate limiting code in 'vacation' to avoid participating in a DDoS. 

> 
>   - I'd craft any such system to only respond to spoofed challenges.

Not quite what you really mean, I think. A spoofed challenge would be
sent for the purpose of recruiting my machine into a DDoS. I should
try not to respond to these. Or, at least, try to limit the rate of
repeat responses.  Maybe try to limit my autoresponse to real challenges
that were triggered by emails with spoofed From address. But if I did
send something to a person who uses C/R, why not have my software do
my R automatically? Well, because C/R is bad, and should not be encouraged.
But my way discourages use of C/R by making it ineffective against swen and
swen-like virusen (a new form of the plural which is totally wrong which
is totally within the spirit of conversational English)

>     Stuff you know you didn't send.  Which sort of perverts the whole
>     response angle of C-R.  I currently do this manually, and the volume
>     is low enough it's not much of a hassle.
> 
>   - Don't reply to valid challenges.  Only encourages the bastards.

If I don't respond, I will get several more requests for response. Each 
request will contain a copy of swen, or whatever. By responding, I reduce
the junk traffic on the internet; I am being a proper netizen (no?)

Bastards write things like swen. Jerks use C/R to fight things like
swen. My purpose is to discourage the jerks while we try to figure out
how to discourage the bastards. And reduce junk traffic on the net.

> 
> Peace.
> 


-- 
Paul E Condon           
pecondon@peakpeak.com    
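
The rate limiting mentioned in this message, sketched as an added example that is not part of the original post and not code from vacation or TMDA. It follows vacation(1)'s documented behaviour (at most one automatic reply per address per interval, none to `Precedence: bulk/junk/list` mail). The names `ReplyLimiter` and `throttle_key`, the global hourly cap, and the choice to strip the tagged part of the local part (assumed to vary per challenge) are assumptions made for illustration.

```python
import re
import time

def throttle_key(addr):
    """Collapse a tagged address (assumed form: base-tag@domain or
    base+tag@domain) to base@domain so per-message tags share one bucket."""
    local, _, domain = addr.rpartition("@")
    base = re.split(r"[-+]", local, maxsplit=1)[0]
    return f"{base}@{domain}".lower()

class ReplyLimiter:
    """Decide whether an automatic reply may be sent."""

    def __init__(self, interval=7 * 24 * 3600, max_per_hour=20, clock=time.time):
        self.interval = interval          # seconds between replies to one key
        self.max_per_hour = max_per_hour  # global cap (assumption, not in vacation)
        self.clock = clock
        self.last_reply = {}              # key -> time of last automatic reply
        self.recent = []                  # times of all replies in the last hour

    def should_reply(self, headers):
        now = self.clock()
        addr = headers.get("Return-Path", "").strip("<> ")
        # A null or malformed return path must never receive an auto-reply.
        if "@" not in addr:
            return False
        if headers.get("Precedence", "").lower() in ("bulk", "junk", "list"):
            return False
        key = throttle_key(addr)
        last = self.last_reply.get(key)
        if last is not None and now - last < self.interval:
            return False                  # already answered this target recently
        self.recent = [t for t in self.recent if now - t < 3600]
        if len(self.recent) >= self.max_per_hour:
            return False                  # flood of distinct targets: stop replying
        self.last_reply[key] = now
        self.recent.append(now)
        return True

if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    lim = ReplyLimiter()
    for rp in ("<bob-confirm.1.aa@example.org>", "<bob-confirm.2.bb@example.org>", "<>"):
        print(rp, lim.should_reply({"Return-Path": rp}))
```

With a per-address limit alone, spoofed challenges naming many different return addresses would each still draw one reply, which is why the sketch also caps total replies per hour.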


