Not exactly a solution, but a fix is using a program like SpamProtect or
SpamControl (even on a server that is not open to relays). Our mail
servers will locally blackhole IPs from mail servers sending us far too
much mail in far too short a time period. Certain large mail servers have
higher thresholds.

In the unlikely case a server (or several) are blackholed, our NOC is
notified by the mail server for a human-intervention decision.

This does not break legitimate SMTP mail, except possibly from the abused
mail servers, and is context-sensitive filtering.

Deepak Jain
AiNET

On Sun, 20 Feb 2000, Dirk Harms-Merbitz wrote:
>
> SMTP bounces can be used in yet another form of Denial Of Service attack.
>
> Just imagine what happens when some script kiddie uses a few ten
> thousand trojaned cable/dsl connected home computers to send email
> to tens of thousands of domains and they all bounce back to your
> mail server!
>
> Why don't we all just turn SMTP bounces OFF? Like return-receipts,
> the information content in bounces is very low.
>
> A database would be much more efficient if you just want to know
> whether an email address is spelled correctly. Resending the entire
> message after adding a few hundred bytes is just idiotic. Especially
> if the attacker only has to send one message to generate 100 bounces.
>
> We are currently seeing this first hand: Our real mail.power.net is
> at 207.151.19.8. The attacker is sending individualized emails with
> faked headers that contain "mail.power.net (unverified [209.26.14.22])".
>
> The recipient computers are dumb enough to send their bounces to
> the real mail.power.net.
>
> This is a DOS because the innocent mail server a) gets millions of
> bounces and b) might get black listed on various "anti-spam" lists.
>
> Dirk
>
>
> Received: from mail.power.net (unverified [209.26.14.22]) by mee.yjapt.co.kr
> (EMWAC SMTPRS 0.83) with SMTP id <[EMAIL PROTECTED]>;
> Mon, 21 Feb 2000 01:20:18 +0900
> Message-ID: <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Bcc:
> Subject: Private Consultants Needed for Venture Capital Firm
> Date: Mon, 30 Mar 1998 10:04:48 -0400 (EDT)
>
>
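
The mechanism described in the reply at the top of this message (local blackholing of IPs that send too much mail in too short a time, higher thresholds for certain large mail servers, and a NOC notification for a human decision), as an added example. It is not code from SpamProtect, SpamControl or AiNET; the class name, thresholds and documentation-range addresses are assumptions, and the traffic is constructed.

```python
import ipaddress
from collections import defaultdict, deque

class RateBlackhole:
    """Per-source-IP sliding-window counter with local blackholing (hypothetical)."""

    def __init__(self, default_limit, window_s, overrides=None):
        self.default_limit = default_limit      # max messages per window
        self.window_s = window_s                # window length in seconds
        # Higher thresholds for known large mail servers, keyed by network.
        self.overrides = [(ipaddress.ip_network(net), lim)
                          for net, lim in (overrides or {}).items()]
        self.seen = defaultdict(deque)          # ip -> recent arrival times
        self.blackholed = {}                    # ip -> time it was blackholed
        self.noc_queue = []                     # alerts awaiting a human decision

    def limit_for(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [lim for net, lim in self.overrides if addr in net]
        return max(matches) if matches else self.default_limit

    def accept(self, ip, now):
        """Return True if a message from ip arriving at time now is accepted."""
        if ip in self.blackholed:
            return False
        q = self.seen[ip]
        q.append(now)
        while q and q[0] <= now - self.window_s:    # drop arrivals outside window
            q.popleft()
        if len(q) > self.limit_for(ip):
            self.blackholed[ip] = now
            del self.seen[ip]
            self.noc_queue.append((now, ip, len(q)))  # notify NOC, do not auto-expire
            return False
        return True

    def release(self, ip):
        """NOC decision: lift the blackhole. Returns False if ip was not listed."""
        return self.blackholed.pop(ip, None) is not None

def demo():
    bh = RateBlackhole(default_limit=5, window_s=60,
                       overrides={"198.51.100.0/24": 50})
    # Constructed traffic: one message per second from each of two sources.
    small = [bh.accept("192.0.2.10", t) for t in range(10)]
    large = [bh.accept("198.51.100.7", t) for t in range(10)]
    return small, large, bh.noc_queue
```

The blackhole stays in place until `release()` is called, matching the human-intervention step in the reply rather than an automatic timeout.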