>-----Original Message-----
>From: Mariano Absatz [mailto:[EMAIL PROTECTED]
>Sent: Friday, July 30, 2004 8:32 AM
>To: SpamAssassin users list; SURBL discussion list
>Subject: Re: {SPAM} Re: SURBL DoS possible?
>
>
>On Thu, 29 Jul 2004 17:27:00 -0400, Matt Kettler
><[EMAIL PROTECTED]> wrote:
>> At 04:48 PM 7/29/2004, Dougie Nisbet wrote:
>> > > It picks a random sample of URLs. This was one of the main concerns when we
>> > > started talking about this feature. We're always one step ahead of Mr.
>> > > Spammy ;)
>> >
>> >I'm not so sure :(
>> >
>> >I've just received a spam which has several embedded URLs. Each URL is based
>> >on the recipient's name, in this case [EMAIL PROTECTED] So there's djn.org,
>> >djn.net, djn.com etc. At the end there's the spam URL itself -
>>
>> A "random sample" is a bit of an over-simplified description of the
>> behavior, but is at least partly true.
>>
>> From looking at the source code itself, no true DoS is possible this way,
>> although it may be possible for a spammer to reduce their chances of being
>> checked.
>>
>> Disclaimer: I'm not a Perl programmer, so my interpretation of the code's
>> behavior may be incorrect. However, clearly the code has limits to the
>> number of queries they will generate per email.
>>
>> Mail::SpamCopURI (the plugin for 2.63) has a hard-coded limit on the number of
>> URI's it will check. Once it hits that limit, it seems to ignore the rest
>> of the URIs in the email. I'm unsure if the build-order is sequential,
>> alphabetical, or random, but I suspect sequential. (This is as-of 0.18, I
>> haven't checked 0.19). You can check this yourself in SpamCopURI.pm.
>>
>> In SA 3.0-pre3, there is a limit defined by the config option
>> uridnsbl_max_domains. First, all the domains are extracted from the URIs of
>> the email and duplicates are removed. Then up to uridnsbl_max_domains are
>> randomly selected from the list. If there are fewer domains than the limit,
>> all of them should end up being selected. You can check this behavior in
>> lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm. The default for this limit is
>> 20, so your example email didn't approach that limit.
>>
>> So both do have limits to prevent DoS's by generating tons of URI's. SA
>> 3.0's URIDNSBL code appears to be more abuse resistant than
>> Mail::SpamCopURI for 2.63 is.
>>
>> If any spammer tries to start evading the URI RBLs by stuffing with tons of
>> garbage URIs it should be easy to detect them by doing a rule that counts
>> URIs in the eval tests. Even in this case, the existing code will prevent
>> that stuffing from resulting in an absurd number of queries.
>>
>So, from what people say, the DoS part is taken care of...
>
>What seems to be possible is an evasive attack by adding more and more
>non-relevant URIs to a message so that the spammy ones have a
>larger chance of NOT being chosen randomly by the plugin...
>
>Maybe when I grow up and have more time and knowledge :-) I will take
>the 3.0 plugin and see if the 'randomness' can be somehow
>heuristically helped... that is, ignore invisible ones, give more
>chances to domains that appear more than once, etc...
>
>Regards.
>

I *think* I remember the devs saying 3.0 will ignore blank (invisible) URL links. But that might have been a discussion on SARE or the SURBL list. The threads start to blur together sometimes :)

--Chris
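The extract-dedupe-sample behaviour Matt describes for SA 3.0, the reduced lookup chance Mariano worries about, and the URI-counting rule Matt suggests, modelled together in an added Python example (not SpamAssassin's own code; the sample body, the hostnames and the counting threshold are constructed, and the URI extraction is a simplified stand-in for what URIDNSBL.pm actually does):

```python
import random
import re
from fractions import Fraction

# Default ceiling for SA 3.0's uridnsbl_max_domains, as stated in the thread.
URIDNSBL_MAX_DOMAINS = 20

# Constructed sample body (not a real message): decoy hosts built from the
# recipient's name, one of them repeated, plus a placeholder "offer" host.
SAMPLE_BODY = """Hi djn,
see http://djn.org/ and http://www.djn.net/news and http://djn.com/x
again http://djn.org/other
offer: http://offer-placeholder.invalid/click?id=1
"""

# Simplified URI matcher; the real plugin's extraction is more thorough.
URI_RE = re.compile(r'https?://([^\s/<>"]+)', re.IGNORECASE)


def extract_unique_domains(body):
    """Distinct hostnames from http(s) URIs, in first-seen order (step 1:
    extract, step 2: drop duplicates). No www-stripping or registrable-domain
    trimming here; that is an assumption of this model, not the plugin."""
    seen = []
    for host in URI_RE.findall(body):
        host = host.lower().split(':')[0]   # drop any explicit port
        if host not in seen:
            seen.append(host)
    return seen


def select_domains(domains, limit=URIDNSBL_MAX_DOMAINS, rng=random):
    """Step 3 as described: every domain when at or under the limit,
    otherwise a uniform random sample of `limit` of them."""
    if len(domains) <= limit:
        return list(domains)
    return rng.sample(list(domains), limit)


def lookup_probability(n_unique, limit=URIDNSBL_MAX_DOMAINS):
    """Chance that one particular domain is among those actually queried.
    This is the quantity that shrinks as decoy domains are added."""
    if n_unique <= limit:
        return Fraction(1)
    return Fraction(limit, n_unique)


def uri_stuffing_flag(domains, threshold=URIDNSBL_MAX_DOMAINS):
    """The counting rule from the thread: flag a message whose unique domain
    count exceeds the sampling limit, which is exactly when sampling starts
    skipping domains. The threshold is a constructed choice."""
    return len(domains) > threshold
```

Run `lookup_probability(n)` for n of 20, 40 and 200 to see the sampled fraction fall from 1 to 1/2 to 1/10, which is why the counting rule is applied alongside the limit rather than instead of it.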