"Michael Boev (TRIC)" <[EMAIL PROTECTED]> writes:

> I suspected of, and later verified a case, in which spamd in
> grey-trapping mode may be forced to a DOS.

I'd say rather that you have found a possible conflict between
greytrapping and milter-sender.  I see the backscatter bounces for
enough messages I or other users in my domains have never sent to
doubt the usefulness of the technique it apparently uses (the url you
quoted doesn't work - www.milter.info appears to be mx.snert.net,
which does not appear to run a www service - and most of what I could
dig up concerns the fact that the FreeBSD port was removed due to
license issues), and the smartest solution would be to retire it.

> Conditions:
> 1) A malicious user on machine 'S', who wants to deny mail service to
> server 'A' on another server 'B'. This malicious user knows the
> '[EMAIL PROTECTED]' greytrapping address.
> 2) The server B is protected by spamd with greytrapping enabled.
> 3) The server A verifies addresses of all smtp-senders. In my case
> it's 'http://www.milter.info/sendmail/milter-sender/', although other
> solutions may exist. The smtp callback is made with an empty ('<>')
> return address.

What [EMAIL PROTECTED] does here is indistinguishable from the way spam is sent
these days.  Spambots send messages from wherever they can, using
return addresses in some unrelated domain, usually with made-up local
parts.  

Occasionally the made-up local part will match a user that actually
exists.  At other times, well, that's how my spammer bait address list 
(<http://www.bsdly.net/~peter/traplist.shtml>) was born.

From where I'm sitting it looks like your setup includes a piece of
software that was written based on the same assumptions that spawned a
whole raft of "challenge-response" systems to annoy the world, and
fails for the exact same reason: as you have demonstrated, it is
possible to send email with a forged return address that may still be
a deliverable address.  Checking whether a particular return address
is deliverable doesn't buy you much by itself.  

spamd's greytrapping, on the other hand, is based on factors that are
actually under your control, ie what addresses /in your own domains/
are valid or not.  That's a whole world of difference.

My recommendation would be to stop using milter-sender.  It probably
generates more noise than useful information anyway, and while you're
at it, make extra sure nobody snuck in one of those annoying
challenge-response systems while you weren't looking.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
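The interaction the thread describes, played out as a small simulation. This is an added example, not code from the thread, from OpenBSD spamd or from milter-sender: `Greytrapper` is a toy stand-in for spamd in greytrapping mode on server B, `CallbackVerifier` for a sender-callback milter on server A, and the hostnames, addresses, IPs and SMTP reply strings are all made up for the example.

```python
"""Toy model of greytrapping (server B) versus sender-callback
verification (server A), as discussed in the thread.

Constructed example: hosts, addresses, IPs and reply texts are
invented; nothing here is spamd's or milter-sender's real code.
"""
from dataclasses import dataclass, field


@dataclass
class Greytrapper:
    """spamd-like greytrapping on server B.

    A client that issues RCPT TO one of B's own trap addresses has its
    source IP added to the trapped list. The traps are addresses in B's
    own domain, which the operator knows are never valid, so the
    decision rests only on information B controls.
    """
    domain: str
    trap_addresses: set
    valid_addresses: set
    trapped: set = field(default_factory=set)

    def rcpt_to(self, client_ip: str, mail_from: str, rcpt: str) -> str:
        rcpt = rcpt.lower()
        tempfail = "451 Temporary failure, please try again later."  # invented text
        if rcpt in self.trap_addresses:
            # Trap hit: blacklist the connecting IP regardless of MAIL FROM,
            # including an empty return path (<>) as used by callbacks.
            self.trapped.add(client_ip)
            return tempfail
        if client_ip in self.trapped:
            return tempfail
        if rcpt.endswith("@" + self.domain) and rcpt in self.valid_addresses:
            return "250 OK"
        return "550 No such user"


@dataclass
class CallbackVerifier:
    """milter-sender-style check on server A: before accepting a message,
    connect to the MX of the return address and probe it with
    MAIL FROM:<> / RCPT TO:<return address>. The probe comes from A's
    own IP, which is exactly what a greytrap on the far side records."""
    ip: str
    mx_lookup: dict  # domain -> Greytrapper; stand-in for DNS MX + SMTP

    def verify_sender(self, mail_from: str) -> str:
        domain = mail_from.rsplit("@", 1)[-1].lower()
        mx = self.mx_lookup.get(domain)
        if mx is None:
            return "reject"
        reply = mx.rcpt_to(self.ip, "", mail_from)  # MAIL FROM:<>
        if reply.startswith("2"):
            return "accept"
        if reply.startswith("4"):
            return "tempfail"
        return "reject"


def run_scenario() -> dict:
    """Play out the thread's scenario with made-up hosts (constructed data)."""
    # Server B: greytrapping spamd, one trap address and one real mailbox.
    b = Greytrapper(domain="b.example",
                    trap_addresses={"trap@b.example"},
                    valid_addresses={"peter@b.example"})
    # Server A: only accepts mail after a callback to the return address.
    a = CallbackVerifier(ip="192.0.2.10", mx_lookup={"b.example": b})
    out = {}

    # 1. Legitimate mail from A to B is accepted before the attack.
    out["legit_before"] = b.rcpt_to(a.ip, "user@a.example", "peter@b.example")

    # 2. Machine S forges a real B address as its return address. A's
    #    callback succeeds: deliverability says nothing about origin.
    out["forged_valid"] = a.verify_sender("peter@b.example")

    # 3. The attack: S forges the greytrap address. A's callback
    #    (MAIL FROM:<>, RCPT TO:<trap@b.example>) reaches B from A's own
    #    IP and hits the trap.
    out["attack_verdict"] = a.verify_sender("trap@b.example")
    out["a_trapped"] = a.ip in b.trapped

    # 4. From now on B treats A as a spam source.
    out["legit_after"] = b.rcpt_to(a.ip, "user@a.example", "peter@b.example")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two outcomes worth noticing are steps 2 and 3: the callback accepts a forged return address as long as it is deliverable, and the same callback, aimed at a trap address, gets A's own IP greytrapped at B.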
