Re: IPv6 email reflector

Thanks for your feedback, Jeroen. There were 3 main security threats
that I tried to address when setting this up:

1. Someone overloading my MTA
2. Someone finding a way to turn it into an open relay
3. People getting blasted with backscatter

Realistically there's not a lot I can do to avoid someone overloading
my MTA. I have very stringent throttling in place on this machine but
a distributed attack would put those defenses to shame. In any case
this affects only me.

The box simply isn't an open relay. We've known for a long time how to
avoid creating an open relay and this simply isn't an open relay.

This leaves backscatter as the primary concern. As others have pointed
out no spammer is going to use this machine as the starting point for
a spam campaign. It completely throws away the original email leaving
nothing of value for the spammer. The most likely scenario is that the
reflector email address gets scraped from mailing list archives like
these ones and is then used as the recipient of a spam campaign.
Spammers rarely use their own email address in the mail from and so,
yes, that forged sender would receive backscatter. The defenses in
place here are numerous. The outermost MTA in this setup is an
IronPort appliance and for this particular address the settings are
dialed way down to prevent abuse. Both IP reputation and content-based
spam scanning (and virus scanning) are applied and any hint of spam is
simply discarded. Even people with good IP reputation are severely
limited in the number of tests they can run.

Add all of this to the fact that I'm continually monitoring the use of
the system to look for signs of abuse. It's my IP address's reputation
on the line and I even put my email address into the body of the reply
message.

At the end of the day I think it provides a valuable service for folks
trying to set up IPv6 email. I hope others will as well.

-Bob

On Tue, Jul 13, 2010 at 11:56 PM, Jeroen Massar <jeroen@unfix.org> wrote:
> On 2010-07-14 04:09, Bob Van Zant wrote:
>> I set up a reflector a few weeks ago that helps email users identify
>> whether or not they're sending over IPv6 and also clues them in to
>> what their DNS looks like from the outside world.
>>
>> To use it simply send an empty email to ipv6@test-ipv6.veznat.com
>>
>> It'll reply to the email showing you the Received headers as well as
>> dig -t mx output for your domain.
>>
>> Nothing too terribly fancy. Feel free to provide feedback or
>> enhancement requests. Use it but please don't abuse it :-).
>
> Congratulations, you have just set up an automatic spammer for the
> millions of spammers out there, they spam you, and you spam back the
> spoofed email address.
>
> You do realize that this email list is nicely indexed all around the
> world I hope and that spammers can easily also read the above email address?
>
> People who configure mail servers can check the log files of their mail
> servers.
>
> Others can when sending mail to another person, just ask that person to
> cut&paste the headers back and hey, presto you know which parts went
> over IPv6 or not.
>
> Greets,
>  Jeroen
>
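The thread above touches two mechanics of such a reflector: reading the Received chain to tell which hops were IPv6, and deciding whether an automatic reply is safe to send at all given the backscatter concern. The block below is an added illustration written for this archive page; it is not Bob's reflector code and does not describe the IronPort configuration he mentions. The sample message, the policy rules in is_safe_to_reply (drawn from common auto-responder practice, RFC 3834), and the ReplyBudget limiter are all constructed assumptions.

```python
"""Two decisions an email reflector has to make: which hops in the
Received chain were IPv6, and whether an automatic reply is safe to send.
Added example; constructed data, not a real capture."""
import ipaddress
import re
import time
from collections import defaultdict
from email import message_from_string
from email.message import Message

# Constructed sample message (documentation ranges 2001:db8::/32 and
# 192.0.2.0/24; hostnames, ids and timestamps are made up).
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [IPv6:2001:db8:1::25])
\tby mx.example.org (Postfix) with ESMTP id 4C1D2E3F
\tfor <ipv6@example.org>; Tue, 13 Jul 2010 22:00:00 +0000
Received: from client.example.net (client.example.net [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTPSA id 7A8B9C0D;
\tTue, 13 Jul 2010 21:59:58 +0000
From: alice@example.net
To: ipv6@example.org
Subject: ipv6 test

"""

# Address literal as MTAs write it in Received headers: [1.2.3.4] or [IPv6:...]
_ADDR_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse(raw: str) -> Message:
    return message_from_string(raw)


def hop_addresses(received_value: str) -> list:
    """Return ip_address objects for every bracketed literal in one Received header."""
    addrs = []
    for literal in _ADDR_IN_BRACKETS.findall(received_value):
        try:
            addrs.append(ipaddress.ip_address(literal))
        except ValueError:
            continue  # bracketed text that is not an address literal
    return addrs


def classify_hops(msg: Message) -> list:
    """One (address, ip_version) pair per Received header, newest hop first.
    The first bracketed literal is the peer that connected to the 'by' host."""
    hops = []
    for value in msg.get_all("Received", []):
        addrs = hop_addresses(value)
        if addrs:
            hops.append((str(addrs[0]), addrs[0].version))
    return hops


def delivered_over_ipv6(msg: Message) -> bool:
    """True when the final hop (the one that reached the reflector) used IPv6."""
    hops = classify_hops(msg)
    return bool(hops) and hops[0][1] == 6


def is_safe_to_reply(msg: Message, envelope_sender: str) -> bool:
    """Auto-responder hygiene (assumed policy): never answer bounces or other
    robots, since a reply to a forged sender is exactly the backscatter problem."""
    if envelope_sender.strip() in ("", "<>"):
        return False  # null reverse-path: DSN/bounce, never reply
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return False  # output of another automatic process
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return False
    if msg.get("List-Id") is not None:
        return False
    if not msg.get_all("Received"):
        return False  # nothing to report back anyway
    return True


class ReplyBudget:
    """Sliding-window cap on replies per sender domain, so a flood of spam
    with one forged domain cannot turn the reflector into a backscatter hose."""

    def __init__(self, max_replies: int, per_seconds: float, clock=time.monotonic):
        self.max_replies = max_replies
        self.window = per_seconds
        self.clock = clock
        self.sent = defaultdict(list)

    def allow(self, sender: str) -> bool:
        domain = sender.rpartition("@")[2].lower()
        now = self.clock()
        recent = [t for t in self.sent[domain] if now - t < self.window]
        self.sent[domain] = recent
        if len(recent) >= self.max_replies:
            return False
        recent.append(now)
        return True


if __name__ == "__main__":
    m = parse(SAMPLE_MESSAGE)
    for addr, ver in classify_hops(m):
        print(f"hop from {addr}: IPv{ver}")
    print("delivered over IPv6:", delivered_over_ipv6(m))
    print("safe to reply:", is_safe_to_reply(m, "alice@example.net"))
```

The reply gate and the per-domain budget only limit how much backscatter the reflector can emit; they do not replace the stronger control the post relies on, which is discarding suspect mail at the edge MTA before any reply is generated. A real deployment would also apply the budget to the connecting client, not just the claimed sender domain.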