Joe Rhett writes:
If your systems are so badly configured that a mail bomb attack denies your users access, then you don't qualify as a "responsible ISP" yourself. In fact, you qualify under both "naive" and "intensely stupid".
Wow, thanks for clarifying that for me! And I had always thought the mail bombs were the problem ... If you think you can set the Ob class in sendmail.cf to block large amounts of incoming mail, you are wrong -- sendmail is stupid enough to eat the entire thing before applying the size rule, which bounces it to postmaster, leaving it on your server. This is just what a mail bomber wants it to do. You can use something other than sendmail, but you give up a huge amount of flexibility to a small amount of additional security. Sure, you can install filters in your routers to block access, but you need to know you are under attack before you can take action. If the attack comes at 2:00 am and you are asleep at the switch, your /var partition will fill up before you will know what happened. Most folks don't put quotas on root or support, so if the flood comes to those accounts, you are screwed. It won't bring your server down, but it will make your customers unhappy while mail is blocked and disk space is exausted. Once you know you have a problem, you can check your mail log, look for the source, and filter it. If the source is aol.com, you have a bigger problem on your hands because 1) they don't have a NOC you can talk to [you can sit on hold waiting for a tech support person], and 2) all other mail to/from AOL will be blocked at the same time [which WILL make your customers unhappy]. Not to mention the fact that AOL uses several mail servers, and you will need to filter all of them to get the attack to stop. The same goes for most of the national Internet providers. Just so you are in the loop, we use a network tool called NOCOL that monitors all of our systems and ports. One of our NOCOL monitors evaluates disk space on each system (I wrote it) -- we placed the disk monitor in the public domain and made it available on our system at ftp://ftp.us.net/pub/unix/monitors/nocol-usnet/diskmon. We also have code for a simple system to drive numeric pagers from a BSDI server running NOCOL (you can get it from the same directory). As a result, they never fill our /var partition on either of our mail servers before the monitor alerts us (and we have a 50 MB cusion on each server after the monitor is triggered). We also have written procedures for our 22 employees to follow in the event of an attack, and we have had the opportunity to place those procedures in action more than once, so we know they work. Of course, you won't need our software -- it's only for the other naive and intensely stupid ISP's out there that think mail bombing is a bad idea ... ;->
I don't agree with mailbombing, but it sounds like you are ripping your clients off, since you obviously don't know to configure a system.
If you don't agree with mail bombing, then why did you suggest it as a solution to mail spam on this list? And if your suggestion is supposed to be a "joke", why do you feel that ISPs that don't like dealing with mail bombing are naive and intensely stupid? And how do you make the leap that everyone that disagrees with your opinions is ripping their clients off and does not know how to configure a system? Hello? Joe Rhett, you are out of line and I think you owe everyone on this list a big apology. Responding to mail spam with mail bombing is a bad idea Joe, and any way you try to spin it, it is still a bad idea. Dave Stoddard US Net Incorporated dgs@us.net