[SURBL-Discuss] Re: {SPAM} Re: SURBL DoS possible?

Mariano Absatz el.baby at gmail.com
Fri Jul 30 10:32:04 CEST 2004


On Thu, 29 Jul 2004 17:27:00 -0400, Matt Kettler <mkettler at evi-inc.com> wrote:
> At 04:48 PM 7/29/2004, Dougie Nisbet wrote:
> > > It picks a random sample of URLs. This was one of the main concerns when we
> > > started talking about this feature. We're always one step ahead of Mr.
> > > Spammy ;)
> >
> >I'm not so sure :(
> >
> >I've just received a spam which has several embedded URLs. Each URL is based
> >on the recipient's name, in this case djn at highmoor.co.uk. So there's djn.org,
> >djn.net, djn.com etc. At the the end there's the spam URL itself -
> 
> A "random sample" is a bit of an over-simplified description of the
> behavior, but is at least partly true.
> 
>  From looking at the source code itself, no true DoS is possible this way,
> although it may be possible for a spammer to reduce their chances of being
> checked.
> 
> Disclaimer: I'm not a Perl programer, so my interpretation of the code's
> behavior may be incorrect. However, clearly the code has limits to the
> number of queries they will generate per email.
> 
> Mail::SpamCopURI (the plugin for 2.63) has a hard coded limit the number of
> URI's it will check. Once it hits that limit, it seems to ignore the rest
> of the URIs in the email. I'm unsure if the build-order is sequential,
> alphabetical, or random, but I suspect sequential. (This is as-of 0.18, I
> haven't checked 0.19). You can check this yourself in SpamCopURI.pm.
> 
> In SA 3.0-pre3, there is a limit defined by the config option
> uridnsbl_max_domains. First, all the domains are extracted from the URIs of
> the email and duplicates are removed. Then up to uridnsbl_max_domains are
> randomly selected from the list. If there are fewer domains than the limit,
> all of them should end up being selected. You can check this behavior in
> lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm.  The default for this limit is
> 20, so your example email didn't approach that limit.
> 
> So both do have limits to prevent DoS's by generating tons of URI's. SA
> 3.0's URIDNSBL code appears to be more abuse resistant than
> Mail::SpamCopURI for 2.63 is.
> 
> If any spammer tries to start evading the URI RBLs by stuffing with tons of
> garbage URIs it should be easy to detect them by doing a rule that counts
> URIs in the eval tests. Even in this case, the existing code will prevent
> that stuffing from resulting in an absurd number of queries.
> 
So, for what people say, the DoS part is taken care of... 

What seems to be possible is an evasive attack by adding more and more
non-relevant URIs to a message so as that the spammy ones have a
larger chance of NOT being chosen randomly by the plugin...

Maybe when I grow up and have more time and knowledge :-) I will take
the 3.0 plugin and see if the 'randomness' can be somehow
heuristically helped... that is, ignore invisible ones, give more
chances to domains that appear more than once, etc...

Regards.


-- 
Mariano Absatz - El Baby
el (dot) baby (AT) gmail (dot) com
el (punto) baby (ARROBA:@) gmail (punto) com


More information about the Discuss mailing list