On Thursday 25 September 2003 02:55, Tracy R Reed wrote:
> On Wed, Sep 24, 2003 at 08:31:55PM -0500, Pascal spake thusly:
> > Interesting story on Slashdot today. I wonder how hard it would be to
> > implement in Freenet?
> >
> > http://yro.slashdot.org/article.pl?sid=03/09/24/132216
>
> Not hard at all and I think it is an excellent idea.

Agreed. However, a patch to the MTA would be required to give it a different mechanism for look-ups, e.g. one that looks up from a text file. Either that, or we would need a DNS proxy that would do that for the MTA, but this would probably need to be patched into the DNS server that the MTA is using.

> The big issue is you would have to make the entire zone file available on
> one whack which lots of people will see as irresponsible because it gives
> spammers a list of open relays. However they may end up crashing those
> boxes resulting in overall less spam, who knows.

Not if it's done properly. Set it up so that each file is under a separate key. Therefore, if a node 1.2.3.4 is an open relay, you would insert a file/key called SSK@<public key>/mydnsrbl//1.2.3.4, and put some information in it, such as the last time the relay was checked and confirmed for openness. That way one could not just go and harvest a complete list of open relays - they would have to know what the relay being checked is to look up whether to allow relaying, i.e. perfect for RBL checking, but totally useless for spammers wanting to get a complete list of known open relays.

> This could be an excellent incentive to admins to run a freenet node on
> their network and it is a desperately needed legitimate use for freenet.

Agreed. But what are the chances of spammers having enough bandwidth to DoS the entire Freenet? There are certainly a LOT more zombied machines out there than there are Freenet nodes.

> Anyone know how to go about setting up such a service?

See above. Would almost certainly require an MTA patch, and it would probably require a rather heavy node for checking. Fred is not great at handling lots of simultaneous requests constantly. I have done some tests on this, and it takes approximately a P3/700, 1024 connections, 256 threads, 256 routing table size to mostly saturate a 256 Kb/s upstream connection, if there is no local load. This goes up by approximately a factor of 2-2.5 if there is a local load of 16-32 simultaneous local connections. All this means that if you are running a rather heavy mail server, you would need a Freenet node running on hardware that is an order of magnitude bigger. And a transient node probably wouldn't cut it, either, because the routing would not be settled enough.

If the argument is to save bandwidth, the chances are that spam still uses less bandwidth on a network than a reasonable Freenet node would, depending on the load put on by the mail server. I am sure there will be SOME network admins who will decide to upgrade their mail server to a dual Opteron with 2 GB of RAM just so they can run a Freenet RBL, but for most of them, the situation is not sufficiently desperate. It will get there, it just hasn't happened yet. There have been 3 major RBLs that were shut down in the past month or two. I am sure there will be more, as the fewer RBLs there are, the fewer there are to distribute the attacking resources across. We rather seem to be in a downward spiral on this issue. My big concern is that the entire Freenet is potentially DoS-able by somebody who has that much bandwidth available.

> Ideally we could get one of the existing services to do it.

Then the source node would be traceable and could be attacked. Attacking 1 node is still a lot easier than attacking the whole network.

> I really wouldn't want to get into the business of probing mail servers
> and keeping a list etc. but I could if I had to.

It's not exactly difficult. Set up a script that will scan all IP addresses on port 25, and start creating a cache of IP addresses in a database. Run a second script that takes the live mail servers and tries sending an email to some email address you use as a testing drop box. To get better and more reliable results, you'd need a list of all registered domains, so you could look up their MX. Then try to get through by forging the MAIL FROM and/or From: headers to the domain (or even a specific known-to-work email address) that the mail server is supposed to handle. No doubt there would be a lot of incompetent mail server admins who would argue that their relays are not open (it happened before; some were even stupid enough to voice their stupidity and lack of understanding of what an open relay is in public rants and online articles), but I don't really have much sympathy for them.

Anyway, this is getting very off topic for a Freenet list.

Gordan

_______________________________________________
Devl mailing list
[EMAIL PROTECTED]
http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/devl
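The per-key lookup scheme Gordan sketches (one record under SSK@<public key>/mydnsrbl//<ip>, fetched by exact key from the MTA side) as an added worked example. This is not code from the thread or from the Freenet project: the in-memory store standing in for Freenet, the JSON record format, the placeholder public-key handle, the seven-day freshness window and the sample addresses are all assumptions made for the example. Two points a practitioner would add to the design are shown in code: the connecting client's address is attacker-controlled input and must be validated before it is spliced into a key, and a confirmed-open record needs an age bound so a relay that was fixed and never re-checked does not stay blocked forever. Note that exact-key lookup only stops bulk download of the list; the IPv4 space itself is small enough to enumerate, so the protection is only as good as the per-lookup cost.

```python
"""Per-IP keyed RBL lookup for an MTA, with input validation and freshness.

Added example, not code from the thread. The store, record format and
freshness window are assumptions chosen for the example.
"""
import ipaddress
import json
import time

# Assumed public-key handle of the RBL publisher (placeholder, not a real key).
RBL_PUBKEY = "rblpublisherpubkey"
NAMESPACE = "mydnsrbl"


def rbl_key(ip, pubkey=RBL_PUBKEY):
    """Build the per-address key; rejects anything that is not a plain IPv4 address.

    The client address comes from the network, so without this check a crafted
    string could be spliced into the key path.
    """
    addr = ipaddress.IPv4Address(ip)  # raises AddressValueError on junk
    return f"SSK@{pubkey}/{NAMESPACE}//{addr}"


def encode_record(last_checked, confirmed_open, note=""):
    """Serialize what the checker stores under the key (assumed JSON format)."""
    return json.dumps({"last_checked": int(last_checked),
                       "confirmed_open": bool(confirmed_open),
                       "note": note}).encode()


def relay_status(fetch, ip, now=None, max_age=7 * 86400):
    """Classify a connecting client as 'listed', 'stale', 'unlisted' or 'invalid'.

    fetch(key) returns the stored bytes or None. max_age bounds how old a
    confirmed-open record may be before the MTA stops trusting it.
    """
    now = time.time() if now is None else now
    try:
        key = rbl_key(ip)
    except ipaddress.AddressValueError:
        return "invalid"
    data = fetch(key)
    if data is None:
        return "unlisted"
    try:
        rec = json.loads(data)
        last = int(rec["last_checked"])
        open_relay = bool(rec["confirmed_open"])
    except (ValueError, KeyError, TypeError):
        return "unlisted"  # a corrupt record must not block mail
    if not open_relay:
        return "unlisted"
    return "listed" if now - last <= max_age else "stale"


def should_reject(fetch, ip, now=None):
    """MTA policy: reject only fresh, confirmed listings; stale ones fail open."""
    return relay_status(fetch, ip, now) == "listed"


class MemoryStore:
    """Constructed stand-in for the Freenet store: exact-key fetch only, no listing."""

    def __init__(self):
        self._d = {}

    def put(self, key, data):
        self._d[key] = data

    def fetch(self, key):
        return self._d.get(key)


def build_sample_store(now):
    """Constructed records: one fresh listing, one stale, one retest that cleared."""
    s = MemoryStore()
    s.put(rbl_key("192.0.2.10"), encode_record(now - 3600, True, "accepted outside RCPT"))
    s.put(rbl_key("192.0.2.11"), encode_record(now - 30 * 86400, True, "old check"))
    s.put(rbl_key("192.0.2.12"), encode_record(now - 60, False, "retested, closed"))
    return s


if __name__ == "__main__":
    now = time.time()
    store = build_sample_store(now)
    for client in ["192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5", "10.0.0.1/../x"]:
        print(client, relay_status(store.fetch, client, now), should_reject(store.fetch, client, now))
```

The stale-means-accept choice is deliberate: a listing that nobody has re-confirmed within the window is weaker evidence than a fresh one, and failing closed on old data is how an abandoned RBL keeps blocking mail long after its operator has gone.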
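The relay probe described in the last paragraph (forge MAIL FROM in the target's own domain, then ask it to accept RCPT TO for an outside drop box) as an added example with both sides of the SMTP exchange. This is not code from the thread: the probe, the constructed stand-in server on 127.0.0.1, and the domains and addresses (example.com, probe.test) are all made up for the example. The probe stops at RCPT and sends RSET then QUIT, so it learns whether the server would relay without ever delivering a message; the stand-in server in its correctly configured mode accepts RCPT only for its own domain, which is what a non-open relay does.

```python
"""Open-relay probe plus a constructed local SMTP server to run it against.

Added example, not code from the thread. A 250 on RCPT TO for an outside
address means the server would relay; the transaction is aborted before
DATA so nothing is delivered.
"""
import socket
import threading


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, raw lines)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        # "250-foo" continues a multi-line reply; "250 foo" (or shorter) ends it.
        if len(line) < 4 or line[3:4] != b"-":
            break
    return int(lines[-1][:3]), lines


def probe_open_relay(host, port, helo, mail_from, rcpt_to, timeout=10.0):
    """Return True if the server accepts RCPT TO for an outside address.

    mail_from is a forged sender in a domain the server handles; rcpt_to is
    an address outside every domain it handles (the tester's drop box).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")

        def cmd(line):
            sock.sendall(line + b"\r\n")
            return _read_reply(f)[0]

        if _read_reply(f)[0] != 220:
            return False
        if cmd(b"HELO " + helo) != 250:
            return False
        if cmd(b"MAIL FROM:<" + mail_from + b">") != 250:
            return False
        relays = cmd(b"RCPT TO:<" + rcpt_to + b">") == 250
        cmd(b"RSET")  # abort: never DATA, so no mail is actually delivered
        cmd(b"QUIT")
        return relays


def start_fake_smtp(open_relay, local_domain=b"example.com"):
    """Constructed stand-in for a target MTA on 127.0.0.1; returns its port.

    With open_relay=False it accepts RCPT only for local_domain, which is
    what a correctly configured server does.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    suffix = b"@" + local_domain.upper()

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"220 mail.example.com ESMTP constructed\r\n")
            f = conn.makefile("rb")
            for raw in f:
                line = raw.strip().upper()
                if line.startswith((b"HELO", b"EHLO")):
                    reply = b"250 mail.example.com\r\n"
                elif line.startswith(b"MAIL FROM:"):
                    reply = b"250 ok\r\n"
                elif line.startswith(b"RCPT TO:"):
                    addr = line[len(b"RCPT TO:"):].strip(b" <>")
                    if open_relay or addr.endswith(suffix):
                        reply = b"250 ok\r\n"
                    else:
                        reply = b"554 5.7.1 relay access denied\r\n"
                elif line == b"QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    reply = b"250 ok\r\n"  # RSET, NOOP
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return port


def check_relay(open_relay):
    """Run the probe against a constructed server and return its verdict."""
    port = start_fake_smtp(open_relay)
    return probe_open_relay("127.0.0.1", port, b"probe.test",
                            b"postmaster@example.com", b"dropbox@probe.test")


if __name__ == "__main__":
    print("misconfigured server relays:", check_relay(True))
    print("correct server relays:", check_relay(False))
```

Against real servers the forged sender should be one in the target's own domain, as the message says, because many relays that refuse an obviously foreign MAIL FROM still accept a local-looking one; probing only with an outside sender under-reports open relays.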
