IP address reputation, BorderWare

Chris Yuzik itdept at fractalweb.com
Fri Mar 23 22:54:10 CET 2007


Kevin Miller wrote:
>
> Well, as someone else pointed out, that server will get hassled either
> way.  Without SAV I'm accepting mail from invalid users.  If someone
> uses phoney from addresses with your domain, and runs a dictionary
> attack against me, I'm going to send an NDR back to your server for each
> address that is invalid on my side.  That will take a lot more server
> resources and bandwidth on your side than a simple SAV query would have.
> With SAV, I never accept the message from the original sender, saving
> that bandwidth on both the last mile as well as the core routers, and I
> never send you an unnecessary NDR saving you server usage, last-mile
> bandwidth, and core router usage.
>
> Personally, I'd rather someone query my server, than send my users NDRs
> from Joe jobbed spam.  It's a lot less resource intensive as nearly as I
> can see.
>   
Kevin,

You make a good point here.

As part of the default setup for most (all?) MTAs, a message to an 
invalid recipient results in a fail message being sent back to the 
joe-jobbed sender's server. So, if someone sends to hundreds of 
non-existent users at a server from hundreds of non-existent users at 
the joe-jobbed server, the recipient's server will automatically send 
fail messages back. On the other hand, if the recipient's server is 
doing SAV, then it will check each of the hundreds of fake senders, find 
out they don't exist, and NOT send a fail message back to the joe-jobbed 
domain's server.

So, for example, let's say a piece of spam arrives that is 20 KB in size 
from a non-existent user at a joe-jobbed domain to a non-existent user 
at the recipient's domain, and assume that the recipient has a current 
and somewhat sanely configured MTA (no catch-all account, etc). Let's 
give these sallydoe@joe-jobbed.tld and bgates12345@domain1.com.

If domain1.com is not using SAV, then it will (likely) reject the 
message and a fail message will be sent to sallydoe@joe-jobbed.tld, 
possibly with the contents of the original message attached. Since 
sallydoe is not a valid user on joe-jobbed.tld, the fail message will 
also fail, end of transaction.

On the other hand, if domain1.com IS using SAV, then it will connect to 
the recipient's server to check to see if sallydoe has a valid account, 
and if not, reject the inbound message.

In either case, there is traffic to the joe-jobbed.tld domain's mail 
server, whether from SAV or backsplatter, and likely LESS traffic from 
SAV than from backsplatter.

Or am I completely missing something?

Chris
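An added illustration of the two paths weighed in this thread (my own Python model, not code from the list or from MailScanner): an inbound MTA handling the 20 KB example once with SAV and once with accept-then-bounce, tallying the bytes that reach joe-jobbed.tld's MX. The mailbox directories, the byte costs and the `remote_verifies_rcpt` switch are assumptions; the model also refuses to probe the null sender, which is the loop guard any SAV callout needs.

```python
# Constructed directories: sallydoe@joe-jobbed.tld and bgates12345@domain1.com
# are deliberately absent, matching the example in the thread.
REMOTE_MAILBOXES = {"joe-jobbed.tld": {"postmaster"}}
LOCAL_MAILBOXES = {"domain1.com": {"postmaster", "chris"}}

ENVELOPE_BYTES = 300   # assumed cost of one HELO/MAIL FROM/RCPT TO/QUIT exchange
NDR_OVERHEAD = 1500    # assumed headers and delivery-status text of one bounce

def remote_rcpt_reply(address, verifies_rcpt):
    """The joe-jobbed.tld MX answering RCPT TO: 550 for an unknown mailbox if it
    verifies recipients, 250 if it is a catch-all / accept-then-bounce server."""
    local, _, domain = address.partition("@")
    known = local in REMOTE_MAILBOXES.get(domain, set())
    return 250 if known or not verifies_rcpt else 550

def sav_probe(sender, remote_verifies_rcpt):
    """SAV callout: MAIL FROM:<>, RCPT TO:<sender>, then QUIT before any DATA.
    Returns (sender exists, bytes sent to the sender domain's MX)."""
    if sender == "":   # null sender is a bounce; RFC 5321 says accept it, never probe it
        return True, 0
    return remote_rcpt_reply(sender, remote_verifies_rcpt) == 250, ENVELOPE_BYTES

def inbound(sender, recipient, msg_bytes, use_sav, remote_verifies_rcpt=True):
    """Handle one inbound message. Returns (our SMTP reply code, bytes that end
    up at the sender domain's MX, whether from the probe or from our NDR)."""
    cost = 0
    if use_sav:
        exists, cost = sav_probe(sender, remote_verifies_rcpt)
        if not exists:
            return 550, cost   # refused in the envelope; DATA is never transferred
    local, _, domain = recipient.partition("@")
    if local in LOCAL_MAILBOXES.get(domain, set()):
        return 250, cost
    if use_sav:
        return 550, cost       # unknown recipient, but the real sender's MTA hears it
    # No SAV: the accept-then-bounce behaviour the thread describes. The NDR goes
    # out with MAIL FROM:<>; the remote refuses it at RCPT or takes the whole thing.
    cost += ENVELOPE_BYTES
    if remote_rcpt_reply(sender, remote_verifies_rcpt) == 250:
        cost += NDR_OVERHEAD + msg_bytes   # original message attached, as Chris notes
    return 250, cost

def compare(msg_bytes=20 * 1024, remote_verifies_rcpt=True):
    """Bytes reaching joe-jobbed.tld's MX for the 20 KB example: (with SAV, with NDR)."""
    args = ("sallydoe@joe-jobbed.tld", "bgates12345@domain1.com", msg_bytes)
    _, sav = inbound(*args, use_sav=True, remote_verifies_rcpt=remote_verifies_rcpt)
    _, ndr = inbound(*args, use_sav=False, remote_verifies_rcpt=remote_verifies_rcpt)
    return sav, ndr
```

Under this model the saving from SAV only appears when the joe-jobbed MX would have accepted the NDR; a remote that refuses unknown recipients at RCPT time sees the same envelope-sized exchange either way.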


More information about the MailScanner mailing list