Attacks using pop

[alan () manawatu planet org nz (Alan Brown)]

This is a slightly different from of denial of service attack.
I haven't been on the list long so I don't know if it's been discussed before.

Eudora and Pegasus both have timeouts of around 2-3 minutes when collecting
mail via POP. This can cause problems on dialup accounts or on heavily
loaded mail servers if the user's mailbox exceeds 2Mb or so.

When the user POPs to collect mail, the mailbox is first copied into
~mail/.user.pop (or ~mail/poptmp/.user.pop depending how you've
configured at compilation). The original mailbox is then zeroed.

If the collecting client times out, the ~/user.pop is appended back onto
~/user. If the client times out while the .user.pop file is being
built, ~/user  isn't zeroed but ~/.user.pop is still appended

See the problem? You end up with a situation like this:

1: Eudora times out while collecting an overly large mailbox
2: Mailbox is appended onto itself
3: Goto 1

The only solution currently is to adjust network timeouts in Eudora and
Pegasus. This may be a problem with other POP clients but these are the
only 2 used here.

We have 2-5 instances of this each month, mostly due to someone being
mailed an 8-10Mb file they weren't expecting. (which is another denial
of service attack of a type because they're charged per Mb of data
sent/received). Usually we only notice this when we run out of disk space
and the user's mail and .pop files are corrupted due to lack of space.

I've seen one mailbox grow to 420Mb under these conditions. :(

AB