RE: Distributed spam-based DoS in progress

From: Hugo van der Kooij (hvdkooijat_private)
Date: Tue Feb 18 2003 - 22:49:55 PST

    On Tue, 18 Feb 2003, Dave Hart wrote:
    
    > > From: Hugo van der Kooij [mailto:hvdkooijat_private] 
    > > Sent: Tuesday 18 February 2003 06:48
    > [...]
    > > If a message is undeliverable it will be bounced BUT if the bounce
    > > message can not be delivered it will be discarded immediately to
    > > prevent double bounce loops.
    > > 
    > > See also RFC 2821 section 4.5.5
    > 
    > Would you care to cite where it's said that NDRs and other MAIL FROM:<>
    > messages must be discarded immediately if the first delivery attempt
    > fails?  The various mailers I have used continue to retry transmission
    > until configured timeouts, as with any other outbound message.  When the
    > mail is an NDR being sent to a bogus domain (such as in response to spam
    > with a forged sender email), it does clog up the queue for that timeout
    > period.
    
    From 4.5.5.:
    
       Implementors of automated email processors should be careful to make
       sure that the various kinds of messages with null reverse-path are
       handled correctly, in particular such systems SHOULD NOT reply to
       messages with null reverse-path.
    
    But the problem arises before that. If your server is set to accept 
    messages for non-existing accounts you have a server that can be easily 
    brought down.
    
    If you do not accept these messages you do not have to send bounce 
    messages. It will be the task of the system that tried to hand them to you.
    
    If you find yourself with a server with lots of waiting bounces you are 
    likely (ab)used as a relay and you have other fish to fry.
    
    And from 6.1:
    
       When the receiver-SMTP accepts a piece of mail (by sending a "250 OK"
       message in response to DATA), it is accepting responsibility for
       delivering or relaying the message.  It must take this responsibility
       seriously.  It MUST NOT lose the message for frivolous reasons, such
       as because the host later crashes or because of a predictable
       resource shortage.
    
    Which seems to indicate you have to make sure your mailserver is up to the 
    task.
    
    Hugo.
    
    -- 
     All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
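The two policies contrasted in the message above (accepting mail for nonexistent accounts and bouncing it later, versus refusing it at RCPT TO), together with the section 4.5.5 rule that a null reverse-path never gets a reply, as an added Python simulation that is not part of the original thread; the local domain, user list and forged sender address are constructed.

```python
"""Simulate accept-then-bounce vs. reject-at-RCPT for one SMTP receiver.
Added example, not code from the thread; all names and addresses are
constructed. The 'session' is modelled as the replies the server would send
plus the address (if any) an NDR would have to be queued for."""
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_USERS = {"alice", "bob"}            # constructed local mailbox list
LOCAL_DOMAIN = "example.net"              # constructed local domain


@dataclass
class Session:
    replies: List[str] = field(default_factory=list)  # SMTP replies sent to peer
    bounce_to: Optional[str] = None                    # reverse-path owed an NDR


def handle_message(mail_from: str, rcpt_local: str, reject_at_rcpt: bool) -> Session:
    """Run MAIL FROM / RCPT TO / DATA for one message.
    mail_from == "" represents the null reverse-path, i.e. MAIL FROM:<>."""
    s = Session()
    s.replies.append("250 OK")                    # reply to MAIL FROM
    known = rcpt_local in LOCAL_USERS
    if not known and reject_at_rcpt:
        # Refuse before taking responsibility (RFC 2821 6.1): the sending
        # system keeps the message, and no NDR is ever generated here.
        s.replies.append("550 5.1.1 no such user")
        return s
    s.replies.append("250 OK")                    # reply to RCPT TO
    s.replies.append("250 OK")                    # reply to DATA: we now own it
    if not known:
        # Accept-then-bounce: an NDR is owed to the reverse-path, unless it
        # is null, in which case section 4.5.5 says do not reply at all.
        s.bounce_to = mail_from or None
    return s


def bounces_for_spam_run(forged_sender: str, count: int, reject_at_rcpt: bool) -> int:
    """Count NDRs queued (backscatter) for `count` messages addressed to
    nonexistent local users, all claiming `forged_sender` as reverse-path."""
    queued = 0
    for i in range(count):
        if handle_message(forged_sender, f"nobody{i}", reject_at_rcpt).bounce_to:
            queued += 1
    return queued


if __name__ == "__main__":
    for policy in (False, True):
        n = bounces_for_spam_run("victim@forged.example", 1000, policy)
        print(f"reject_at_rcpt={policy}: {n} bounces queued toward the forged sender")
```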
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 11:41:21 PST