[27452] in North American Network Operators' Group
SMTP in distributed DOS
daemon@ATHENA.MIT.EDU (Dirk Harms-Merbitz)
Sun Feb 20 14:06:23 2000
Message-ID: <20000220110421.A16950@noc.power.net>
Date: Sun, 20 Feb 2000 11:04:21 -0800
From: Dirk Harms-Merbitz <dirk@power.net>
To: qmail@list.cr.yp.to, nanog@merit.edu, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: owner-nanog-outgoing@merit.edu
SMTP bounces can be used in yet another form of Denial Of Service attack.
Just imagine what happens when some script kiddie uses a few ten
thousand trojaned cable/dsl connected home computers to send email
to tens of thousands of domains and they all bounce back to your
mail server!
Why don't we all just turn SMTP bounces OFF? Like return-receipts,
the information content in bounces is very low.
A database would be much more efficient if you just want to know
wether an email address is spelled correctly. Resending the entire
message after adding a few hundred bytes is just idiotic. Escpecially
if the attacker only has to send one message to generate 100 bounces.
We are currently seeing this first hand: Our real mail.power.net is
at 207.151.19.8. The attacker is sending individualized emails with
faked headers that contain "mail.power.net (unverified [209.26.14.22])".
The recipient computers are dumb enough to send their bounces to
the real mail.power.net.
This is a DOS because the innocent mail server a) gets millions of
bounces and b) might get black listed on various "anti-spam" lists.
Dirk
Received: from mail.power.net (unverified [209.26.14.22]) by mee.yjapt.co.kr
(EMWAC SMTPRS 0.83) with SMTP id <B0000119229@mee.yjapt.co.kr>;
Mon, 21 Feb 2000 01:20:18 +0900
Message-ID: <12PAIZTiA2Vyp.5wFyFudzDR_N8@mail.power.net>
From: FinancialJobs70972@power.net <FinancialJobs70972@power.net>
Bcc:
Subject: Private Consultants Needed for Venture Capital Firm
Date: Mon, 30 Mar 1998 10:04:48 -0400 (EDT)
