Information Security News mailing list archives

Re: Email attack could kill servers


From: InfoSec News <isn () c4i org>
Date: Fri, 9 Apr 2004 03:07:04 -0500 (CDT)

Forwarded from: Kurt Seifried <listuser () seifried org>

All email is sent across the internet using the Simple Mail Transfer
Protocol (SMTP), which stipulates that a notification should be sent
whenever a message with a bad address is received. There are
numerous different types of email server, however, which can all be
configured in various ways.

While serious, this can be dealt with relatively easily. Postfix, for
example, supports local recipient maps, which can be based on the local
UNIX password database, the alias maps database, or a virtual users
database (meaning it can be completely arbitrary and no local
accounts/etc. are required; just export a list from your Exchange
server/ADS once a day and dump it in). Thus, if an email recipient
doesn't exist, the email is rejected during the connection, i.e. no
real traffic amplification takes place (and you stay RFC compliant).
In addition to this, it prevents spam to non-existent email accounts
from clogging up your mail servers, causing them to hold messages,
create bounces, etc.

In general, some form of traffic amplification will always be possible
with email if the mail server creates bounce messages at all (and it's
unlikely people will be willing to completely disable bounce/error
messages/etc.). However, with intelligent filtering/limiting of what you
accept, and rejecting email during the connection, not once it has been
accepted for delivery, this problem can largely be addressed. Hopefully
this will also lead to better rejection/bounce capabilities from major
mail servers at the connection level and not force people to accept
mail so that they can then reject/bounce it, or to third-party
products/proxies that bolt on to existing systems.

Of course, setting your server up correctly won't prevent you from
inbound attacks, but it will prevent you from being used to attack
other people.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org
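
The following is an added example, not part of the original post: a sketch of the daily "export a list and dump it in" step, turning a directory export into a Postfix lookup table and modelling the RCPT-time decision that table enables. The export format, the "smtp:" prefix and every address are constructed assumptions.

```python
"""Added example: build a Postfix recipient table from an exported address
list and model the RCPT TO decision it enables. All data is constructed."""
import re

ADDR_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")

# Constructed sample of a daily directory export (one entry per line, messy).
EXPORT = """\
# exported 2004-04-09
Alice@Example.com
bob@example.com
bob@example.com
smtp:carol@example.com
not-an-address
dave@other.example
"""

def build_recipient_map(export_text, local_domains):
    """Return sorted lines in Postfix lookup-table form: 'address OK'."""
    seen = set()
    for raw in export_text.splitlines():
        addr = raw.strip().lower()
        if addr.startswith("smtp:"):   # assumed proxy-address prefix in the export
            addr = addr[5:]
        if not addr or addr.startswith("#") or not ADDR_RE.match(addr):
            continue                   # skip comments, blanks and malformed entries
        if addr.split("@", 1)[1] not in local_domains:
            continue                   # never list domains this server does not handle
        seen.add(addr)                 # set membership removes duplicates
    return [f"{a} OK" for a in sorted(seen)]

def rcpt_decision(rcpt, table_lines):
    """Model the SMTP-time check: unknown recipients are refused with 550."""
    known = {line.split()[0] for line in table_lines}
    return 250 if rcpt.strip().lower() in known else 550

def bounces_generated(rcpts, table_lines, reject_at_rcpt):
    """Count bounce messages this server itself would send to envelope senders."""
    unknown = sum(1 for r in rcpts if rcpt_decision(r, table_lines) == 550)
    # Rejecting during the connection leaves any bounce to the sending client;
    # accepting first means this server later mails one bounce per bad address.
    return 0 if reject_at_rcpt else unknown

if __name__ == "__main__":
    table = build_recipient_map(EXPORT, {"example.com"})
    print("\n".join(table))
    probe = ["alice@example.com", "nobody1@example.com", "nobody2@example.com"]
    print(bounces_generated(probe, table, True), bounces_generated(probe, table, False))
```

The generated lines can be written to a file, indexed with `postmap`, and referenced from `local_recipient_maps` or `relay_recipient_maps` in main.cf, depending on whether the server delivers the mail locally or relays it onward.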

