Re: SMTP non delivery notification DoS/DDoS Attacks

[Philip Rowlands <phr () doc ic ac uk>]

On Mon, 5 Apr 2004, Stefan Frei wrote:

> My colleagues and I have been doing some research into a mail-related
> vulnerabilities over the last month or two.  We discovered that a
> problem exists within the way non-delivery notifications are sent from
> many SMTP mail servers.

Stefan,

You mention in your paper (page 16),

"Organizations that had chosen to utilize the services of external
anti-spam and anti-virus organizations for the primary SMTP services
were more likely to respond with N factor NDN message responses."

I assume here you mean MessageLabs.

My curiosity in this is that only last week I was in contact with a
MessageLabs engineer, as my company [1] is an ML customer, to enquire
about this exact behaviour; i.e. that of non-authoritative MX servers,
or SMTP servers which will relay for a domain without authoritatively
knowing which local parts are valid.

I wonder if you could suggest, if identifiable from the greeting banner,
which MTAs exhibit the prefered behaviour of a single response to
Experiment B, when deployed in an "out of the box" configuration?

Where an MTA is not the final destination server, would you recommend
the use of techniques such as Exim's callouts and callout-caching [2]?


Cheers,
Phil

[1] "My company" is this context is *not* doc.ic.ac.uk, so noone should
go getting any ideas :)
[2] http://www.exim.org/exim-html-4.30/doc/html/spec_38.html#IX2313