Not exactly a solution, but a fix is using a program like SpamProtect or SpamControl (even on a server that is not open to relays).

Our mail servers will locally blackhole IPs from mail servers sending us far too much mail in far too short a time period. Certain large mail servers have higher thresholds. In the unlikely case a server (or several) are blackholed, our NOC is notified by the mail server for a human-intervention decision.

This does not break legitimate SMTP mail, except possibly from the abused mail servers, and is context-sensitive filtering.

Deepak Jain
AiNET

On Sun, 20 Feb 2000, Dirk Harms-Merbitz wrote:
SMTP bounces can be used in yet another form of Denial Of Service attack.
Just imagine what happens when some script kiddie uses a few ten thousand trojaned cable/dsl connected home computers to send email to tens of thousands of domains and they all bounce back to your mail server!
Why don't we all just turn SMTP bounces OFF? Like return-receipts, the information content in bounces is very low.
A database would be much more efficient if you just want to know whether an email address is spelled correctly. Resending the entire message after adding a few hundred bytes is just idiotic. Especially if the attacker only has to send one message to generate 100 bounces.
We are currently seeing this first hand: Our real mail.power.net is at 207.151.19.8. The attacker is sending individualized emails with faked headers that contain "mail.power.net (unverified [209.26.14.22])".
The recipient computers are dumb enough to send their bounces to the real mail.power.net.
This is a DOS because the innocent mail server a) gets millions of bounces and b) might get black listed on various "anti-spam" lists.
Dirk
Received: from mail.power.net (unverified [209.26.14.22])
    by mee.yjapt.co.kr (EMWAC SMTPRS 0.83) with SMTP
    id <B0000119229@mee.yjapt.co.kr>; Mon, 21 Feb 2000 01:20:18 +0900
Message-ID: <12PAIZTiA2Vyp.5wFyFudzDR_N8@mail.power.net>
From: FinancialJobs70972@power.net <FinancialJobs70972@power.net>
Bcc:
Subject: Private Consultants Needed for Venture Capital Firm
Date: Mon, 30 Mar 1998 10:04:48 -0400 (EDT)
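
The rate-based local blackholing described in the reply at the top of this thread can be sketched as a per-source sliding-window limiter. This is an added example, not code from either poster and not how SpamProtect or SpamControl are implemented; the class name, window, thresholds and IP addresses (documentation ranges) are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class RateBlackhole:
    """Per-source-IP sliding-window limiter with local blackholing (hypothetical helper)."""

    def __init__(self, window=60.0, default_limit=100, overrides=None, notify=None):
        self.window = window                # seconds; assumed value
        self.default_limit = default_limit  # messages per window; assumed value
        self.overrides = overrides or {}    # higher thresholds for known large peers
        self.notify = notify or (lambda ip, count: None)  # hook that alerts the NOC
        self.seen = defaultdict(deque)      # ip -> arrival times inside the window
        self.blackholed = set()

    def accept(self, ip, now):
        """Return True if a message arriving from ip at time now is accepted."""
        if ip in self.blackholed:
            return False
        times = self.seen[ip]
        times.append(now)
        # Forget arrivals that have aged out of the window.
        while times and times[0] <= now - self.window:
            times.popleft()
        count = len(times)
        if count > self.overrides.get(ip, self.default_limit):
            # Too much mail in too short a time: drop locally and tell a human.
            self.blackholed.add(ip)
            del self.seen[ip]
            self.notify(ip, count)
            return False
        return True

    def release(self, ip):
        """Human-intervention decision from the NOC: lift the blackhole."""
        self.blackholed.discard(ip)


def demo():
    """Constructed traffic: two peers each send one message per second for 20 s."""
    alerts = []
    bh = RateBlackhole(window=60, default_limit=5,
                       overrides={"198.51.100.25": 50},  # "large mail server"
                       notify=lambda ip, n: alerts.append((ip, n)))
    results = {"192.0.2.10": [], "198.51.100.25": []}
    for t in range(20):
        for ip in results:
            results[ip].append(bh.accept(ip, float(t)))
    return bh, alerts, results
```

The blackhole stays in place until `release()` is called, which mirrors leaving the final decision to a person rather than to a timer.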