nanog mailing list archives

Re: Wake Up! (was: spamspamspam)


From: David Stoddard <dgs () us net>
Date: Wed, 13 Nov 1996 13:54:52 -0500 (EST)

Joe Rhett writes:
If your systems are so badly configured that a mail bomb attack denies
your users access, then you don't qualify as a "responsible ISP"
yourself. In fact, you qualify under both "naive" and "intensely
stupid".

        Wow, thanks for clarifying that for me!  And I had always thought
        the mail bombs were the problem ...

        If you think you can set the Ob class in sendmail.cf to block
        large amounts of incoming mail, you are wrong -- sendmail is
        stupid enough to eat the entire thing before applying the size
        rule, which bounces it to postmaster, leaving it on your server.
        This is just what a mail bomber wants it to do.  You can use
        something other than sendmail, but you give up a huge amount
        of flexibility to a small amount of additional security.

        Sure, you can install filters in your routers to block access, but
        you need to know you are under attack before you can take action.
        If the attack comes at 2:00 am and you are asleep at the switch,
        your /var partition will fill up before you will know what happened.
        Most folks don't put quotas on root or support, so if the flood 
        comes to those accounts, you are screwed.  It won't bring your
        server down, but it will make your customers unhappy while mail
        is blocked and disk space is exhausted.

        Once you know you have a problem, you can check your mail log,
        look for the source, and filter it.  If the source is aol.com,
        you have a bigger problem on your hands because 1) they don't
        have a NOC you can talk to [you can sit on hold waiting for a
        tech support person], and 2) all other mail to/from AOL will be
        blocked at the same time [which WILL make your customers unhappy].
        Not to mention the fact that AOL uses several mail servers, and you
        will need to filter all of them to get the attack to stop.  The
        same goes for most of the national Internet providers.

        Just so you are in the loop, we use a network tool called NOCOL that
        monitors all of our systems and ports.  One of our NOCOL monitors
        evaluates disk space on each system (I wrote it) -- we placed the disk
        monitor in the public domain and made it available on our system
        at ftp://ftp.us.net/pub/unix/monitors/nocol-usnet/diskmon.  We
        also have code for a simple system to drive numeric pagers from
        a BSDI server running NOCOL (you can get it from the same directory).
        As a result, they never fill our /var partition on either of our mail
        servers before the monitor alerts us (and we have a 50 MB cushion on
        each server after the monitor is triggered).  We also have written
        procedures for our 22 employees to follow in the event of an attack,
        and we have had the opportunity to place those procedures in action
        more than once, so we know they work.

        Of course, you won't need our software -- it's only for the other
        naive and intensely stupid ISPs out there that think mail bombing
        is a bad idea ...  ;->

I don't agree with mailbombing, but it sounds like you are ripping your
clients off, since you obviously don't know how to configure a system.

        If you don't agree with mail bombing, then why did you suggest it
        as a solution to mail spam on this list?  And if your suggestion is
        supposed to be a "joke", why do you feel that ISPs that don't like
        dealing with mail bombing are naive and intensely stupid?  And how
        do you make the leap that everyone that disagrees with your opinions
        is ripping their clients off and does not know how to configure
        a system?  Hello?

        Joe Rhett, you are out of line and I think you owe everyone on
        this list a big apology.  Responding to mail spam with mail bombing
        is a bad idea Joe, and any way you try to spin it, it is still a bad
        idea.

        Dave Stoddard
        US Net Incorporated
        dgs () us net
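
Added example, not part of the original post and not US Net's NOCOL code: a sketch of the "check your mail log, look for the source" step, totalling accepted message bytes per relay so that every server a flood arrives from is listed. It assumes the sendmail 8 syslog "from=" record layout; the log lines, hostnames and the 1,000,000-byte threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in sendmail 8 syslog style (not taken from the post).
SAMPLE_LOG = """\
Nov 13 02:00:01 mail sendmail[411]: CAA00411: from=<a@bulk.example>, size=2097152, class=0, pri=2127152, nrcpts=1, msgid=<1@bulk.example>, proto=SMTP, relay=mx1.bulk.example [192.0.2.10]
Nov 13 02:00:02 mail sendmail[412]: CAA00412: from=<a@bulk.example>, size=2097152, class=0, pri=2127152, nrcpts=1, msgid=<2@bulk.example>, proto=SMTP, relay=mx2.bulk.example [192.0.2.11]
Nov 13 02:00:03 mail sendmail[413]: CAA00413: from=<a@bulk.example>, size=2097152, class=0, pri=2127152, nrcpts=1, msgid=<3@bulk.example>, proto=SMTP, relay=mx1.bulk.example [192.0.2.10]
Nov 13 02:00:04 mail sendmail[415]: CAA00411: to=<root@isp.example>, delay=00:00:03, mailer=local, relay=local, stat=Sent
Nov 13 02:00:09 mail sendmail[416]: CAA00416: from=<c@customer.example>, size=1840, class=0, pri=31840, nrcpts=1, msgid=<9@customer.example>, proto=SMTP, relay=mail.customer.example [198.51.100.5]
"""

# Matches only "from=" (message accepted) records; "to=" delivery records
# carry no size field and are skipped.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: \w+: from=(?P<sender>[^,]*), size=(?P<size>\d+),"
    r".*\brelay=(?P<host>\S+)(?: \[(?P<ip>[0-9.]+)\])?"
)

def summarize(log_text):
    """Return {relay: (message_count, total_bytes)} for accepted messages."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        # Key on the connecting IP when logged; hostnames can vary per server.
        key = m.group("ip") or m.group("host")
        totals[key][0] += 1
        totals[key][1] += int(m.group("size"))
    return {relay: tuple(v) for relay, v in totals.items()}

def heavy_relays(totals, byte_limit):
    """Relays whose accepted bytes exceed byte_limit, heaviest first."""
    hits = [(r, n, b) for r, (n, b) in totals.items() if b > byte_limit]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for relay, count, nbytes in heavy_relays(summarize(SAMPLE_LOG), 1_000_000):
        print(f"{relay}: {count} messages, {nbytes} bytes")
```

Both 192.0.2.10 and 192.0.2.11 are reported for the one constructed sender, which is the "several mail servers" case the post describes.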