Re: [ISN] Email attack could kill servers

From: InfoSec News (isn@private)
Date: Fri Apr 09 2004 - 01:07:04 PDT

    Forwarded from: Kurt Seifried <listuser@private>
    
    > All email is sent across the internet using the Simple Mail Transfer
    > Protocol (SMTP), which stipulates that a notification should be sent
    > whenever a message with a bad address is received. There are
    > numerous different types of email server, however, which can all be
    > configured in various ways.
    
    While serious, this can be dealt with relatively easily. Postfix, for
    example, supports local recipient maps, which can be based on the local
    UNIX password database, the alias maps database, or a virtual users
    database (meaning it can be completely arbitrary and no local
    accounts/etc. are required; just export a list from your Exchange
    server/ADS once a day and dump it in). Thus, if an email recipient
    doesn't exist, the email is rejected during the connection, i.e. no
    real traffic amplification takes place (and you stay RFC compliant).
    In addition to this, it prevents spam to non-existent email accounts
    from clogging up your mail servers, causing them to hold messages,
    create bounces, etc.
    
    In general, some form of traffic amplification will always be possible
    with email if the mail server creates bounce messages at all (and it's
    unlikely people will be willing to completely disable bounce/error
    messages/etc.). However, with intelligent filtering/limiting of what you
    accept and rejecting email during the connection, not once it has been
    accepted for delivery, this problem can largely be addressed. Hopefully
    this will also lead to better rejection/bounce capabilities from major
    mail servers at the connection level and not force people to accept
    mail so that they can then reject/bounce it, or to third-party
    products/proxies that bolt on to existing systems.
    
    Of course setting your server up correctly won't prevent you from
    inbound attacks, but it will prevent you from being used to attack
    other people.
    
    Kurt Seifried, kurt@private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
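
Added example, not part of the original post: one way to do the daily "export a list and dump it in" step for a Postfix gateway, so unknown recipients are refused at RCPT TO instead of bounced later. The domain example.com, the file paths, the one-address-per-line export format, and the choice of relay_recipient_maps with a hash: table are assumptions.

```shell
# Added example (not from the original post). Assumed names: example.com,
# /etc/postfix/relay_recipients, an export with one address per line.
#
# main.cf on a Postfix gateway relaying for the Exchange domain:
#   relay_domains        = example.com
#   relay_recipient_maps = hash:/etc/postfix/relay_recipients
# With relay_recipient_maps empty, every address in the relay domain is
# accepted, and mail for unknown users can only be bounced after acceptance.

# build_recipient_map DOMAIN < export > map-source
# Emits "address OK" for each well-formed address in DOMAIN, lowercased and
# de-duplicated; comments, blanks and anything else are skipped.
build_recipient_map() {
    tr -d '\r' | tr 'A-Z' 'a-z' |
    awk -v d="$1" '
        BEGIN { d = tolower(d) }
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        /^#/ || $0 == "" { next }
        {
            n = split($0, p, "@")
            # Exactly one "@", non-empty local part, exact domain, and no
            # inner whitespace (it would split the map key from its value).
            if (n != 2 || p[1] == "" || p[2] != d || $0 ~ /[ \t]/) next
            if (!seen[$0]++) print $0 " OK"
        }' | sort
}

# install_recipient_map EXPORT MAP DOMAIN [MIN_ENTRIES]
# Replaces MAP only when the export yields at least MIN_ENTRIES addresses, so
# an empty or truncated export cannot make the gateway reject every recipient.
install_recipient_map() {
    src=$1; map=$2; dom=$3; min=${4:-1}
    tmp="$map.new.$$"
    build_recipient_map "$dom" < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$min" ]; then
        echo "refusing to install $map: only $count recipients" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$map" || return 1
    # Rebuild the indexed table Postfix reads, when postmap is available.
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$map" || return 1
    fi
}
```

Called from a daily job after the export lands, with MIN_ENTRIES set near the expected mailbox count, a failed export leaves the previous map in place.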
    
    
    