-----Original Message----- From: Mariano Absatz [mailto:el.baby@gmail.com] Sent: Friday, July 30, 2004 8:32 AM To: SpamAssassin users list; SURBL discussion list Subject: Re: {SPAM} Re: SURBL DoS possible?
On Thu, 29 Jul 2004 17:27:00 -0400, Matt Kettler mkettler@evi-inc.com wrote:
At 04:48 PM 7/29/2004, Dougie Nisbet wrote:
It picks a random sample of URLs. This was one of the
main concerns when we
started talking about this feature. We're always one
step ahead of Mr.
Spammy ;)
I'm not so sure :(
I've just received a spam which has several embedded URLs.
Each URL is based
on the recipient's name, in this case djn@highmoor.co.uk.
So there's djn.org,
djn.net, djn.com etc. At the the end there's the spam URL itself -
A "random sample" is a bit of an over-simplified description of the behavior, but is at least partly true.
From looking at the source code itself, no true DoS is
possible this way,
although it may be possible for a spammer to reduce their
chances of being
checked.
Disclaimer: I'm not a Perl programer, so my interpretation
of the code's
behavior may be incorrect. However, clearly the code has
limits to the
number of queries they will generate per email.
Mail::SpamCopURI (the plugin for 2.63) has a hard coded
limit the number of
URI's it will check. Once it hits that limit, it seems to
ignore the rest
of the URIs in the email. I'm unsure if the build-order is
sequential,
alphabetical, or random, but I suspect sequential. (This is
as-of 0.18, I
haven't checked 0.19). You can check this yourself in SpamCopURI.pm.
In SA 3.0-pre3, there is a limit defined by the config option uridnsbl_max_domains. First, all the domains are extracted
from the URIs of
the email and duplicates are removed. Then up to
uridnsbl_max_domains are
randomly selected from the list. If there are fewer domains
than the limit,
all of them should end up being selected. You can check this
behavior in
lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm. The default for
this limit is
20, so your example email didn't approach that limit.
So both do have limits to prevent DoS's by generating tons
of URI's. SA
3.0's URIDNSBL code appears to be more abuse resistant than Mail::SpamCopURI for 2.63 is.
If any spammer tries to start evading the URI RBLs by
stuffing with tons of
garbage URIs it should be easy to detect them by doing a
rule that counts
URIs in the eval tests. Even in this case, the existing code
will prevent
that stuffing from resulting in an absurd number of queries.
So, for what people say, the DoS part is taken care of...
What seems to be possible is an evasive attack by adding more and more non-relevant URIs to a message so as that the spammy ones have a larger chance of NOT being chosen randomly by the plugin...
Maybe when I grow up and have more time and knowledge :-) I will take the 3.0 plugin and see if the 'randomness' can be somehow heuristically helped... that is, ignore invisible ones, give more chances to domains that appear more than once, etc...
Regards.
I *think* I remember the devs saying 3.0 will ignore blank (invisible) URL links. BUt that might have been a discussion on SARE or the SURBL list. The threads start to blur together sometimes :)
--Chris
-
Chris Santerre