Issues with Blacklist processing

blacklist LDAP recipient Verification

4 replies to this topic

#1 ABHOWSpamCloud

ABHOWSpamCloud
  • Members
  • 5 posts

Posted 09 December 2013 - 12:41 PM

This request is specific to your product's handling of blacklisted IP addresses.

It appears that your product does blacklist checks as one of the LAST steps in your spam processing.

For example, when your product receives an Email from a blacklisted IP address it still

1) Accepts the connection (EHLO)

2) Accepts the MAIL FROM

3) verifies the RCPT TO: address AGAINST MY LDAP Server!

3a) Reports to the malicious sender whether their intended target is good or not, so now they KNOW if they have a good email address to which to attack.

4) Accepts the email Data, which may be large. (if the RCPT TO checks out)

5) Finally rejects the data.

Other services I have used usually operate like the following, and I propose that you adopt this method ASAP.

1) Accepts the connection (EHLO)

2) Accepts the MAIL FROM (to check if the from address is white-listed)

3) DUMPS the connection if the IP is on a blacklist.

(I attached SMTP logs to the end of this to show the differing behaviors from your product and other products)

In the end, the mail was rejected, but ONLY after the known spammer has used my system and network resources INCLUDING CPU costly LDAP queries. AND, this KNOWN spammer was able to do a directory lookup on my LDAP server thus allowing him to determine the validity of the destination address.

This causes several problems:

* On my production system (not Barracuda yet) I get 30,000 Emails per day, approximately 28,000 are on the blacklists. Our current system dumps the connection BEFORE verifying the RCPT TO: which means that only about 2000 emails total get through to our network at all, let alone do an LDAP lookup.

* In the SAME situation with the barracuda appliance, all 30,000 emails would get through and use up network bandwidth AND cause 30,000 LDAP queries per day, on my Domain Controller that normally handles less than 4000 per day! and has OTHER services to provide to my customers here! We are concerned about Excessive utilization of this server.

* In our small Barracuda test environment, MY LDAP server is responsible for the BLOCKING of almost 97% of all incoming emails (Bad Recipient) while the barracuda itself only blocks about 3% (this is because 97% of email is just misaddressed garbage).

Please think about this last statement. 97% of our bad mail is being blocked, not by our barracuda Spam filter, but by our LDAP server! This is NOT sustainable, what if we got 100,000 emails per day, 1,000,000? I'd need a fleet of LDAP servers just to handle SPAM! All while I am PAYING for spam protection from barracuda.



#2 ABHOWSpamCloud

ABHOWSpamCloud
  • Members
  • 5 posts

Posted 09 December 2013 - 12:45 PM

-----------------LOG FILES----------

 

 

Barracuda Product

Resolving hostname...

Connecting...

SMTP -> FROM SERVER:

220 mail14.ess.barracuda.com ESMTP (mx1408.ess.rzc)

SMTP -> FROM SERVER:

250-mx1408.ess.rzc.cudaops.com Hello node-mec2.wormly.com [184.72.226.23], pleased to meet you

250-PIPELINING

250-AUTH LOGIN

250-STARTTLS

250 HELP

MAIL FROM: test@gmail.com

SMTP -> FROM SERVER:

250 Sender  OK

RCPT TO: postmaster@myabhow.com

SMTP -> FROM SERVER:

250 Recipient  OK      

(NOTE: now this attacker KNOWS that this address is good, AND performed an LDAP lookup on MY server)

Sending Mail Message Body...

SMTP -> FROM SERVER:

354 Start mail input; end with .   

SMTP -> FROM SERVER:

550 permanent failure for one or more recipients (postmaster@myabhow.com:blocked)

SMTP -> ERROR: DATA not accepted from server: 550 permanent failure for one or more recipients (postmaster@myabhow.com:blocked)


Message sending failed.



#3 ABHOWSpamCloud

ABHOWSpamCloud
  • Members
  • 5 posts

Posted 09 December 2013 - 12:47 PM

Please note: This is the CORRECT behavior exhibited by MXlogic, for example:

Does accept EHLO

Does accept sender

Rejects on Recipient, never does an LDAP lookup to verify recipient.


Resolving hostname...

Connecting...

SMTP -> FROM SERVER:

220 p01c12m116.mxlogic.net ESMTP mxl_mta-7.2.2-0 [2b9bd4a0b940.472277.00-2083]; Wed, 04 Dec 2013 11:11:17 -0700 (MST); NO UCE, INBOUND

SMTP -> FROM SERVER:

250-p01c12m116.mxlogic.net

250-SIZE 0

250-STARTTLS

250-SUBMITTER

250-8BITMIME

250 PIPELINING

MAIL FROM: test@gmail.com

SMTP -> FROM SERVER:

250 Sender Ok

RCPT TO: postmaster@abhow.com

SMTP -> FROM SERVER:

551 Mailhost is on domain's block list (Mode: normal)

SMTP -> ERROR: RCPT not accepted from server: 551 Mailhost is on domain's block list (Mode: normal)

(Note: failed before doing ANY address verification, No LDAP lookup, No Network bandwidth used, No exposing my directory)

Message sending failed.
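As an added illustration of the two orderings compared in posts #1 and #3 (this is not Barracuda's or MXlogic's code), the following Python models RCPT TO handling with constructed in-memory stand-ins for the DNS blacklist, the LDAP directory and a sender whitelist, and counts the directory load and address-validity disclosures each ordering produces.

```python
from dataclasses import dataclass

# Constructed stand-ins for the DNSBL, the LDAP directory and a sender whitelist.
BLACKLIST = {"203.0.113.45"}
DIRECTORY = {"postmaster@example.com"}
SENDER_WHITELIST = {"partner@example.org"}

@dataclass
class Stats:
    ldap_queries: int = 0     # load placed on the directory server
    disclosures: int = 0      # RCPT replies that revealed address validity
    bodies_received: int = 0  # sessions that got a 354 and sent a message body

def ldap_verify(stats, rcpt):
    """Stand-in for the costly recipient lookup against the LDAP server."""
    stats.ldap_queries += 1
    return rcpt in DIRECTORY

def rcpt_reply(stats, client_ip, mail_from, rcpt, dnsbl_first):
    """Return (SMTP reply to RCPT TO, whether the session proceeds to DATA).

    dnsbl_first=True drops listed hosts before touching the directory
    (the MXlogic-style ordering the poster asks for); False verifies the
    recipient first and rejects listed hosts only after DATA (as observed).
    """
    listed = client_ip in BLACKLIST and mail_from not in SENDER_WHITELIST
    if dnsbl_first and listed:
        return "551 Mailhost is on domain's block list", False
    stats.disclosures += 1  # either reply below tells the sender if rcpt exists
    if not ldap_verify(stats, rcpt):
        return "550 No such recipient", False
    return "250 Recipient OK", True  # a listed host is still rejected at DATA

def run_batch(sessions, dnsbl_first):
    """Replay (client_ip, mail_from, rcpt) tuples; return the resulting Stats."""
    stats = Stats()
    for ip, mail_from, rcpt in sessions:
        _, proceed = rcpt_reply(stats, ip, mail_from, rcpt, dnsbl_first)
        stats.bodies_received += proceed
    return stats

# Constructed sample: three listed senders, one clean, one whitelisted.
SAMPLE = [("203.0.113.45", "a@spam.test", "postmaster@example.com"),
          ("203.0.113.45", "b@spam.test", "nobody@example.com"),
          ("203.0.113.45", "c@spam.test", "postmaster@example.com"),
          ("198.51.100.7", "d@clean.test", "postmaster@example.com"),
          ("203.0.113.45", "partner@example.org", "postmaster@example.com")]

if __name__ == "__main__":
    print(run_batch(SAMPLE, False), run_batch(SAMPLE, True))
```

With the observed ordering every session hits the directory and learns whether the address exists; with the blacklist checked first, listed hosts never reach the LDAP lookup.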



#4 TeraGo IT

TeraGo IT
  • Members
  • 69 posts

Posted 27 February 2014 - 02:57 PM

Any update on this?



#5 Nick Simkins

Nick Simkins
  • Members
  • 2 posts

Posted 06 March 2014 - 11:34 AM

I would like to +1 this as I noticed this behavior and thought it was odd.