
Re: What would happen to Challenge/Response if ...



on Thu, Oct 23, 2003 at 04:21:49PM -0600, Paul E Condon (pecondon@peakpeak.com) wrote:
> On Thu, Oct 23, 2003 at 09:30:42AM +0100, Karsten M. Self wrote:
> > on Wed, Oct 22, 2003 at 09:42:31PM -0600, Paul E Condon (pecondon@peakpeak.com) wrote:

> >   - Any autoresponder is an invitation to abuse from the Internet.
> >     Spoofed C-R challenges sent to your system could be used to DoS or
> >     DDoS a targeted account. 
> 
> I'm proposing to autorespond to the challenge message of a C/R pair.
> In other words to complete the C/R pair automatically. 

How do you propose to determine that this is a legitimate challenge?
E.g.:  one that's not been sent to recruit addresses (as you describe
below).  Or generate a DDoS on some third party?  That's the harm I see.

> The return address of the challenge message has a very special local
> part that is unlike any 'real' email address that I have seen. I
> could, I think, use the rate limiting code in 'vacation' to avoid
> participating in a DDoS. 

You can reduce your participation, but if the DDoS is large enough, you
can't really restrict _it_.

> >   - I'd craft any such system to only respond to spoofed challenges.
> 
> Not quite what you really mean, I think. 

More clearly:  I'd restrict myself to responses to challenges based on
mail received by the challenger spoofing my own address.  An
"inappropriate challenge" might be a better term.

> >     Stuff you know you didn't send.  Which sort of perverts the whole
> >     response angle of C-R.  I currently do this manually, and the volume
> >     is low enough it's not much of a hassle.
> > 
> >   - Don't reply to valid challenges.  Only encourages the bastards.
> 
> If I don't respond, I will get several more requests for response.
> Each request will contain a copy of swen, or whatever. By responding,
> I reduce the junk traffic on the internet; I am being a proper netizen
> (no?)

A given message to a TMDA system only generates one challenge.  Other
C-R systems may be configured differently (a la the Heinlein "this bomb
will explode in 60 seconds" trick, with ever more frantic requests for
response), but none that I've seen do this.  Multiple mails to a given
C-R system will generally result in multiple challenges.

Few C-R systems include the entire received message in the challenge
itself.

> Bastards write things like swen. Jerks use C/R to fight things like
> swen. My purpose is to discourage the jerks while we try to figure out
> how to discourage the bastards. And reduce junk traffic on the net.

Drop the Swen and filter the ports.  Stash a list of responses to
upstreams of compromised systems, and release these manually on
confirmation.  Drop the challenges.  Period.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   GNU/Linux web browsing mini review:  Galeon.  Kicks ass.
     http://galeon.sourceforge.org/
