nanog mailing list archives

Re: SMTP in distributed DOS


From: Adam McKenna <adam () flounder net>
Date: Sun, 20 Feb 2000 15:57:20 -0500


On Sun, Feb 20, 2000 at 03:41:06PM -0500, Valdis.Kletnieks () vt edu wrote:

> On Sun, 20 Feb 2000 11:59:42 PST, I Am Not An Isp <patrick () ianai net> said:
> > This is the problem - a mail server stupid enough to send a bounce to an
> > unverified host name, instead of the connecting IP address.
>
> Stupid or not, that's required by the RFCs.  Take a look at this mail,
> the original From: points at 'vt.edu', which is MX'ed to mail.vt.edu.
> However, that's NOT the address that the NANOG mailing list is receiving
> this mail from.
>
> For that matter, did the mail from 'ianai.net' arrive at the NANOG mailing
> list *from* ianai.net? I see this in the headers:
>
> Received: from pgilmore (PIX46.pgexch.com [208.217.23.46])  by pyrite.eod.onyx.net (8.9.3/8.9.3)
>
> Hmm.. Must be spam we should have rejected, since there's a case to be made
> that you shouldn't accept mail you can't send a bounce message back to, and
> your mail obviously came from an unverified IP address...

MTA's don't send bounces to host names in Received: headers, they send
bounces to RFC 822 envelope sender addresses.  (At least, that's what they're
SUPPOSED to do.)

Some MTA's will barf when given a bogus MAIL FROM ("Sender domain must 
resolve") but some will not.  The server that is getting deluged by bounces
is most likely getting them because the senders are using that domain in the
envelope sender, not because of the fake insertion into the Received:
headers.

--Adam
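
Added example, not part of the original message: a sketch of the bounce-target decision the reply above describes, where the receiving MTA uses only the SMTP envelope sender and never the Received: trace lines. The function names, the sample message and the offline stand-in for the DNS lookup are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the Received: line names victim.example,
# but that header is trace data and is not an address to bounce to.
RAW = """\
Received: from victim.example (unknown [192.0.2.77]) by mx.relay.example
From: "Someone" <someone@other.example>
Subject: test

body
"""

def sender_domain_resolves(domain, known_domains):
    """Hypothetical stand-in for a DNS MX/A lookup so the example runs offline."""
    return domain.lower() in known_domains

def bounce_decision(mail_from, raw_message, known_domains):
    """Return (action, address) for a message that cannot be delivered.

    mail_from is the envelope sender exactly as given in MAIL FROM.
    """
    msg = message_from_string(raw_message)
    trace = msg.get_all("Received", [])   # parsed only to show it is ignored
    assert isinstance(trace, list)
    addr = parseaddr(mail_from)[1]
    if addr == "":
        return ("drop", None)             # null sender <>: never bounce a bounce
    local, _sep, domain = addr.rpartition("@")
    if not local or not sender_domain_resolves(domain, known_domains):
        # The "Sender domain must resolve" check: refuse at MAIL FROM time
        # instead of accepting and generating a bounce later.
        return ("reject", None)
    return ("bounce", addr)               # bounce goes to the envelope sender

if __name__ == "__main__":
    known = {"victim.example", "other.example"}
    for sender in ("<forged@victim.example>", "<x@nowhere.invalid>", "<>"):
        print(sender, "->", bounce_decision(sender, RAW, known))
```

A forged but resolvable envelope sender still passes the resolve check, which is why the domain named in MAIL FROM ends up receiving the bounces.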


