<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi everyone,<br>
<br>
multiple times, i wrote about "enhanced SMTP Status Codes". That
was nonsense. What i meant were Extended SMTP commands (e.g.
250-STARTTLS). Sounds similar, but is something different:<br>
<br>
ESMTP -
<a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#Extensions">https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#Extensions</a><br>
Enhanced Status Codes -
<a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/List_of_SMTP_server_return_codes#Enhanced_status_code">https://en.wikipedia.org/wiki/List_of_SMTP_server_return_codes#Enhanced_status_code</a><br>
<br>
My apologies!<br>
<br>
<br>
Best regards,<br>
Simon<br>
<br>
<br>
<br>
On 23.09.22 17:08, Simon Brandt via ripe-atlas wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7f3ff6f4-1a3f-9674-95f7-76482f500cb0@toppas.net">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div class="moz-cite-prefix">Hi Michel,<br>
<br>
>Are we monitoring the Internet or monitoring a service using
the proposed SMTP measurement?<br>
First of all, we are monitoring the service of a specific
target. Same as http or ntp measurements, just another protocol.
But we also monitor the Internet. Using an SMTP measurement, we
could identify censorship or discover Man-in-the-middle attacks
(downgrade attack by suppressing the STARTTLS command).<br>
<br>
>Can we achieve the first 2 items of this measurement by
doing a TCP traceroute on port 25?<br>
I would say no. Using TCP Traceroute, you can may check for
reachability/responsiveness of the host, but not the actual
service (smtp).<br>
<br>
>Does the SSL measurement cover the intended use cases?<br>
I would say no. Correct me if am am wrong. Usually (for example
HTTPS or LDAPS) the SSL/TLS encryption starts right after the
TCP 3-way Handshake was successfull. For SMTP, that doesn't
work. That's because regular SMTP communication starts first, so
both sides can negotiate if SSL/TLS encryption is possible (via
Enhanced SMTP Status Codes). However, as far as i know, OpenSSL
<u>does</u> support SMTP and STARTTLS. So you could probably
modify the existing SSL measurement.<br>
<br>
Keep in mind that there's also MTA-STS and DANE, which are
really enhancing SMTPs security. A dedicated SMTP measurement
would be a good thing.<br>
<br>
BR,<br>
Simon<br>
<br>
<br>
<br>
On 23.09.22 16:04, Michel Stam wrote:<br>
</div>
<blockquote type="cite"
cite="mid:B5640B9C-ADC1-496C-8145-4D8C48EA8D5D@ripe.net">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
Hi everyone,
<div class=""><br class="">
</div>
<div class="">Great that this request sparked a good discussion
on the merits of a measurement, as well as its potential
impact on servers around the world. Good to see this!</div>
<div class=""><br class="">
</div>
<div class="">So I’m going to do a quick recap here, hoping that
I capture the intent and the concerns correctly. Please
correct me if I err.</div>
<div class=""><br class="">
</div>
<div class="">The intent of the measurement would be to validate
whether an SMTP server is:</div>
<div class="">
<ul class="MailOutline">
<li class="">reachable</li>
<li class="">responsive</li>
<li class="">capable of secured transmissions</li>
</ul>
<div class=""><br class="">
</div>
</div>
<div class="">The concern is that such a check would trigger one
of a variety of anti spam measures in place around the world,
and/or cause undue traffic to SMTP server operators.</div>
<div class=""><br class="">
</div>
<div class="">With this in mind, I am wondering: </div>
<div class="">
<ul class="MailOutline">
<li class="">Are we monitoring the Internet or monitoring a
service using the proposed SMTP measurement? </li>
<li class="">Can we achieve the first 2 items of this
measurement by doing a TCP traceroute on port 25?</li>
<li class="">Does the SSL measurement cover the intended use
cases?</li>
<ul class="">
<li class=""> Is it worth exploring STARTTLS support as an
extension and what would the implications be?</li>
</ul>
</ul>
<div class=""><br class="">
</div>
</div>
<div class="">Have a good weekend!</div>
<div class=""><br class="">
</div>
<div class="">Best regards,</div>
<div class=""><br class="">
</div>
<div class="">Michel</div>
<div class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 21 Sep 2022, at 00:11, Avamander <<a
href="mailto:avamander@gmail.com"
class="moz-txt-link-freetext" moz-do-not-send="true">avamander@gmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">> Making arguments based upon
extreme cases, assumptions, or
potential-for-collateral-damage is not scientific. "I
know one that even [...]" Anecdotal evidence isn't
scientific.
<div class=""><br class="">
</div>
<div class="">From the perspective of your previous
sentences that's kinda humorous. "To avoid
unnecessary costs incurred from disruption of
service, excessive traffic, annoyances using up *my*
time, and countless other reasonable rationale from
*my* point of view." Because sure, a few
(hypothetical RIPE probe) connections are exactly
that, zero exaggeration, right?</div>
<div class=""><br class="">
</div>
<div class="">In the end such fail2ban-fueled (or
similar) behaviour I initially addressed, is exactly
a non-scientific extreme-case assumption-based
approach. There are better and even more standard
ways. </div>
<div class=""><br class="">
</div>
<div class="">Crutch solutions out in the wild
shouldn't be a showstopper for measuring the
ecosystem. (That is already quite neglected)</div>
<div class=""><br class="">
</div>
<div class="">> What _objective_ risk/benefit
analysis are you basing your opinions upon?<br
class="">
<br class="">
And you? What's the implication here about systems
being as trigger-happy as previously described?</div>
<div class=""><br class="">
</div>
<div class="">Because sure, at some point rate limits
make total sense, but certainly not at the point
where it would ban any potential RIPE probes.</div>
<div class=""><br class="">
</div>
<div class="">> Are you a systems administrator?</div>
<div class=""><br class="">
</div>
<div class="">Let's not get into such measuring
contests, even if it is the RIPE Atlas mailing list.</div>
</div>
<br class="">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Sep 20, 2022
at 11:42 PM Paul Theodoropoulos via ripe-atlas <<a
href="mailto:ripe-atlas@ripe.net"
class="moz-txt-link-freetext"
moz-do-not-send="true">ripe-atlas@ripe.net</a>>
wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div class=""> On 9/20/2022 10:45 AM, Avamander
wrote:<br class="">
<blockquote type="cite" class="">
<div dir="ltr" class="">Great to hear it works
for you, but the potential unfortunate
collateral from such a blanket action is not
really RIPE Atlas' problem. There are more
fine-grained methods against bruteforce
attempts and open relay probes, than
triggering on a few connections.</div>
</blockquote>
What _objective_ risk/benefit analysis are you
basing your opinions upon? Are you a systems
administrator? My responsibility is to avoid
unnecessary costs incurred from disruption of
service, excessive traffic, annoyances using up
*my* time, and countless other reasonable
rationale from *my* point of view. <br class="">
<br class="">
You suggest that it is "not really RIPE Atlas'
problem". That's very true. And it is not really
my problem if I bounce yoinky, pointless probes of
my server, and ruthlessly block them from
contacting my server ever again. My server, my
choice, my wallet, nobody's business but my own.<br
class="">
<blockquote type="cite" class="">
<div dir="ltr" class="">
<div class="">Some webmasters ban IP's for
simply visiting a domain, I know one that
even dispatches an email to your ISP's
abuse@ address upon visit. Should RIPE Atlas
probes then not probe any HTTP servers? The
answer is obviously no, they shouldn't care.</div>
</div>
</blockquote>
Making arguments based upon extreme cases,
assumptions, or potential-for-collateral-damage is
not scientific. "I know one that even [...]"
Anecdotal evidence isn't scientific.<br class="">
<br class="">
Note, I run a probe myself. I don't block any RIPE
Atlas traffic on my separate servers hosted on
AWS, Oracle, and GCE. <br class="">
<br class="">
<div class="">-- <br class="">
Paul Theodoropoulos<br class="">
<a href="https://www.anastrophe.com/"
target="_blank" class=""
moz-do-not-send="true">anastrophe.com</a></div>
</div>
-- <br class="">
ripe-atlas mailing list<br class="">
<a href="mailto:ripe-atlas@ripe.net" target="_blank"
class="moz-txt-link-freetext"
moz-do-not-send="true">ripe-atlas@ripe.net</a><br
class="">
<a
href="https://lists.ripe.net/mailman/listinfo/ripe-atlas"
rel="noreferrer" target="_blank"
class="moz-txt-link-freetext"
moz-do-not-send="true">https://lists.ripe.net/mailman/listinfo/ripe-atlas</a><br
class="">
</blockquote>
</div>
-- <br class="">
ripe-atlas mailing list<br class="">
<a href="mailto:ripe-atlas@ripe.net"
class="moz-txt-link-freetext" moz-do-not-send="true">ripe-atlas@ripe.net</a><br
class="">
<a class="moz-txt-link-freetext"
href="https://lists.ripe.net/mailman/listinfo/ripe-atlas"
moz-do-not-send="true">https://lists.ripe.net/mailman/listinfo/ripe-atlas</a><br
class="">
</div>
</blockquote>
</div>
<br class="">
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
</blockquote>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
</blockquote>
<br>
</body>
</html>