At 11:04 AM 2/20/00 -0800, Dirk Harms-Merbitz wrote:
>SMTP bounces can be used in yet another form of Denial Of Service attack.
This is nothing new.
>Just imagine what happens when some script kiddie uses a few ten
>thousand trojaned cable/dsl connected home computers to send email
>to tens of thousands of domains and they all bounce back to your
>mail server!
Those hosts would need to be open relays.
>Why don't we all just turn SMTP bounces OFF? Like return-receipts,
>the information content in bounces is very low.
I disagree. If my domain name is being forged in a spam, I'd like
to know about it. Bounces will get to me hours before any of the
complaints do.
>A database would be much more efficient if you just want to know
>whether an email address is spelled correctly. Resending the entire
>message after adding a few hundred bytes is just idiotic. Especially
>if the attacker only has to send one message to generate 100 bounces.
I don't see how 'a database' would solve this problem. How would a
sending mailserver know who to ask? And what would it do when the
email address doesn't exist?
>We are currently seeing this first hand: Our real mail.power.net is
>at 207.151.19.8. The attacker is sending individualized emails with
>faked headers that contain "mail.power.net (unverified [209.26.14.22])".
>
>The recipient computers are dumb enough to send their bounces to
>the real mail.power.net.
You don't show the return-path, but they're also forging From:, and
one of those is causing your bounces, not the Received: line.
>This is a DOS because the innocent mail server a) gets millions of
>bounces and
Agreed. Relay-rape is criminal.
>b) might get black listed on various "anti-spam" lists.
Any admin that would blacklist mail.power.net on the basis of the
header below might as well turn SMTP off altogether.
Blocking the open relays used in the spam will alleviate some of
the load; mee.yjapt.co.kr is in RSS and ORBS.
>Dirk
>
>
>Received: from mail.power.net (unverified [209.26.14.22]) by mee.yjapt.co.kr
> (EMWAC SMTPRS 0.83) with SMTP id <[EMAIL PROTECTED]>;
> Mon, 21 Feb 2000 01:20:18 +0900
>Message-ID: <[EMAIL PROTECTED]>
>From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>Bcc:
>Subject: Private Consultants Needed for Venture Capital Firm
>Date: Mon, 30 Mar 1998 10:04:48 -0400 (EDT)
Vince.
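Vince's point above, that the remote MTA bounces to whatever envelope sender was forged and that the real mail.power.net never handled the message, suggests a simple defender-side check on incoming bounces. This is an added example, not code from the thread: it reads a DSN, pulls out the attached headers of the "original" message, and flags the bounce as backscatter when no Received: hop shows the message actually coming from the real mail.power.net IP. The DSN framing and the message id are constructed; the hostnames, IPs and Received: line are the ones Dirk quoted.

```python
import re
from typing import Optional
from email import message_from_string
from email.message import Message

OUR_MTA_IPS = {"207.151.19.8"}  # the real mail.power.net, as stated in the thread

# First bracketed IPv4 literal after "from" in a Received: line: the address the
# receiving MTA saw connect. The hostname before it is only a claim, so ignored.
RECEIVED_IP = re.compile(r"^from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample DSN: framing and message id are made up; the Received line,
# hostnames and IPs are the ones quoted in the thread.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mee.yjapt.co.kr
To: someone@power.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/rfc822-headers

Received: from mail.power.net (unverified [209.26.14.22]) by mee.yjapt.co.kr
 (EMWAC SMTPRS 0.83) with SMTP id <id-constructed@mee.yjapt.co.kr>;
 Mon, 21 Feb 2000 01:20:18 +0900
From: someone@power.net
Subject: Private Consultants Needed for Venture Capital Firm
--b1--
"""

def original_headers(bounce: Message) -> Optional[Message]:
    """Return the bounced original's headers if the DSN carries them."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_payload())
        if ctype == "message/rfc822":
            return part.get_payload(0)
    return None

def is_backscatter(bounce_text: str, our_ips=OUR_MTA_IPS) -> bool:
    """True when no Received: hop shows the original arriving from one of our IPs."""
    original = original_headers(message_from_string(bounce_text))
    if original is None:
        return True  # nothing proves we ever sent it; treat as suspect
    for rcvd in original.get_all("Received", []):
        m = RECEIVED_IP.match(" ".join(rcvd.split()))  # unfold the header first
        if m and m.group(1) in our_ips:
            return False  # genuinely relayed through us: a real bounce
    return True
```

Bounces from the spam run in the thread would be flagged, while a bounce for mail that really left 207.151.19.8 passes; a bounce that carries no original headers at all is treated as suspect.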