Mechanisms and Experiences Securing Mail Relay Chip Rosenthal <chip@laserlink.net>

Disclaimers

• No source code

• Your mileage may vary

The Laser Link Environment

• Limited to consumer services

• Distributed mail system

• Combines open source and proprietary software products

Our Goals

• Secured relays

• Appropriate to our environment
  • Distributed implementation

  • Highly scalable

• Happy customers
  • No special protocols

  • No special procedures

  • Allow roaming

Unauthorized Third-Party Relay

• IMC reports 83% relays closed. [http://www.imc.org/ube-relay.html]

• Several mechanisms available

• General anti-relay algorithm:

  

• Inspect email address of recipient.

• Inspect IP address of sender.

• Do not use email address of sender - subject to spoofing

Static Anti-Relay

• Compare sender IP address to static list

• Reference: http://mail-abuse.org/tsi/

• Advantages:
  • Efficient

  • Widely supported

• Disadvantages:
  • Leased POPs

  • Roaming

• Laser Link couldn't abide the disadvantages

POP-before-SMTP Authorization

• Record IP address after successful POP authentication

• Grant that host a ticket to relay

• Reference: http://spam.abuse.net/tools/smPbS.html

• Advantages:
  • No unusual protocol support required

  • Supports roaming

• Disadvantages:
  • Little support available in existing servers

  • Need to communicate state between POP and SMTP

  • Not always transparent to user

• Laser Link thought this would be our solution

• Our users hated it - particularly those using MS Outlook

Escalating Credentials

• Curently deployed in Laser Link network

• Amalgamation of two mechanisms:
  • POP-before-SMTP

  • Rate limiting

• Count mail from originating IP address

• Track as messages/hour

  

• At 3 mssgs/hr - require POP-before-SMTP

• At 80 mssgs/hr - reject with 450 error

• Messages:
  • 550 Relaying denied - example.net customers must check mail before trying to send mail
  • 450 Quota on sending mail exceeded - please try again later
  • 450 Cannot access relay authorization database right now

• Advantages:
  • All advantages of POP-before-SMTP

  • Eliminated user confusion

  • Beyond anti-relay - makes us unattractive to spammers

• Disadvantages:
  • Complex implementation

  • Will users accept upper limit?

  • False positive to conventional relay testing