Security Incidents mailing list archives

Workaround for (RE: Run a mail host with a public MX record? Seeing large numbers of bounces?)


From: "Andrew van der Stock" <ajv () e-secure com au>
Date: Mon, 17 Sep 2001 09:46:51 +1000

From discussions with various people, I think the best workarounds for this
problem might be:

* if the errors-to: field has > 1 recipient, it's very likely to be spam. Do
not process it - log and drop it
* if your MTA just adds a few lines to the top of the NDR or encapsulates
the message entirely before sending it to errors-to:, you need to find a way
to remove the original message

This is the bit that will make mail list administration that much harder:
* if you are the postmaster or (even better) the MTA configurator for your
platform, consider turning errors-to: processing off by default

MTAs probably not vulnerable by default:

Postfix (pretty much all versions)
Sendmail (at least) >= 8.9.3 has errors-to: processing turned off by default
in the ISC distribution. Vendor Unixes, Linux distros, *BSD configurations
= unknown at this time
Exchange 5.5/2000, to a limited degree.

Exchange 5.5 and 2000 will encapsulate the original mail in the NDR. In
addition, Exchange 2000 adds a delivery read receipt header as well. This
could be used as a rather lame method of DDoS as one SMTP exchange will
generate at least two resultant SMTP exchanges.

Andrew


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
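The two mechanical workarounds in the post above (drop anything whose Errors-To: names more than one recipient, and make sure the bounce carries only the headers of the undeliverable message, never its body) can be sketched as a bounce-handling filter. The block below is an added example written for this archive page; it is not code from Andrew's post or from any MTA. The sample messages, the local postmaster address and the function names are all constructed for illustration, and a real deployment would hook the same checks into the MTA's bounce path rather than this stand-alone script.

```python
import email
from email.message import EmailMessage
from email.utils import getaddresses, formatdate

# Assumed identity of the local MTA generating bounces (hypothetical).
LOCAL_POSTMASTER = "MAILER-DAEMON@mail.example.org"

# Constructed sample: a message abusing Errors-To to get a large body
# bounced to several third parties. Not taken from the original post.
SPAM_LIKE = (
    "From: sender@example.net\n"
    "To: nosuchuser@mail.example.org\n"
    "Errors-To: victim1@example.com, victim2@example.com,\n"
    "  victim3@example.com\n"
    "Subject: hello\n"
    "\n"
    "Large body intended to be bounced to the victims.\n"
)

# Constructed sample: a legitimate list posting with a single bounce address.
NORMAL = (
    "From: member@example.net\n"
    "To: nosuchuser@mail.example.org\n"
    "Errors-To: list-bounces@example.com\n"
    "Subject: list posting\n"
    "\n"
    "Ordinary message body.\n"
)


def errors_to_recipients(raw):
    """Return every address named in the Errors-To: header(s) of a raw message."""
    msg = email.message_from_string(raw)
    pairs = getaddresses(msg.get_all("Errors-To", []))
    return [addr for _name, addr in pairs if addr]


def should_drop(raw):
    """First workaround: more than one Errors-To recipient is treated as abuse.

    The caller is expected to log the decision; the message is not bounced."""
    return len(errors_to_recipients(raw)) > 1


def build_ndr(raw, reason):
    """Second workaround: build a bounce that carries only the original headers.

    The body of the undeliverable message is never copied into the NDR, so a
    bounce can no longer be used to relay a large payload to the Errors-To
    address. Raises ValueError instead of bouncing when should_drop() applies."""
    if should_drop(raw):
        raise ValueError("refusing to bounce: Errors-To lists multiple recipients")
    original = email.message_from_string(raw)
    recipients = errors_to_recipients(raw)
    # Fall back to Return-Path / From when there is no Errors-To at all.
    bounce_to = recipients[0] if recipients else (
        original.get("Return-Path") or original.get("From"))

    ndr = EmailMessage()
    ndr["From"] = LOCAL_POSTMASTER
    ndr["To"] = bounce_to
    ndr["Subject"] = "Undeliverable: " + (original.get("Subject") or "")
    ndr["Date"] = formatdate(localtime=False)

    # Only the header block of the original message goes into the report.
    header_block = "".join(f"{name}: {value}\n" for name, value in original.items())
    ndr.set_content(
        f"Delivery to the following recipient failed: {original.get('To')}\n"
        f"Reason: {reason}\n\n"
        "Headers of the original message (body intentionally omitted):\n\n"
        + header_block
    )
    return ndr


def handle_undeliverable(raw, reason="user unknown"):
    """Decide what the bounce path does with one undeliverable message.

    Returns ("drop", recipient_count) or ("bounce", ndr_message)."""
    if should_drop(raw):
        return ("drop", len(errors_to_recipients(raw)))
    return ("bounce", build_ndr(raw, reason))


if __name__ == "__main__":
    for label, sample in (("spam-like", SPAM_LIKE), ("normal", NORMAL)):
        action, detail = handle_undeliverable(sample)
        print(label, "->", action,
              detail if action == "drop" else detail["To"])
```

Note that getaddresses() is what makes the recipient count robust: it unfolds the continuation line in the constructed SPAM_LIKE sample and splits on the commas, so three addresses are counted even though the header is wrapped. The same folding trick is one reason a naive "is there a comma" test is a weaker check than counting parsed addresses.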

