On Thu, Mar 02, 2000 at 11:34:11AM -0000,
Lorens Kockum <[EMAIL PROTECTED]> wrote:
> On the qmail list [EMAIL PROTECTED] wrote:
> >At 11:04 AM 2/20/00 -0800, Dirk Harms-Merbitz wrote:
> >>Just imagine what happens when some script kiddie uses a few ten
> >>thousand trojaned cable/dsl connected home computers to send email
> >>to tens of thousands of domains and they all bounce back to your
> >>mail server!
> >
> >Those hosts would need to be open relays.
>
> No they do not need to be open relays. If they are qmail
> servers that is perfect for the purpose.

You can use any system that won't know whether or not the message can be
delivered while processing the SMTP transaction.

This would include MXs that don't do final delivery and addresses that
result in failure at final delivery (procmail rejections) under sendmail.

Other problems are autoresponders, including trouble ticket responders and
vacation responders. Even rate-limited vacation responders can probably
be tricked into repeatedly sending mail to an address, as very few are really
aware of what the email address is, and only handle an encoded representation
of the address.

However, none of these attacks gives much amplification. It may provide
some anonymity if the bounce or automated response doesn't include tracking
information from the original message.

The people most affected by MTAs that can't bounce email at the site
boundary are the postmasters. I have to wade through a lot of spam double
bounces here because messages typically come in on a different machine
than the one where the end user's account is, so mail doesn't get bounced
until after one of our servers has accepted responsibility for the email.
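
Added illustration, not part of the original message: a small Python model of the difference discussed in this thread between a boundary MX that refuses unknown recipients during the SMTP transaction and one that accepts first and bounces later. All addresses, the sample envelopes and the function name `edge_mx` are constructed for the example.

```python
# Constructed sample data (not from the original message).
LOCAL_USERS = {"alice@example.org", "bob@example.org"}
# Envelope senders whose own mailbox does not exist, so a bounce to them fails.
DEAD_SENDERS = {"nobody@forged.invalid"}
# (envelope sender, envelope recipient); "" is the null sender used by bounces.
INBOUND = [
    ("victim@third-party.example", "nosuchuser@example.org"),
    ("victim@third-party.example", "alice@example.org"),
    ("nobody@forged.invalid", "ghost@example.org"),
    ("", "ghost@example.org"),
]


def edge_mx(envelopes, validate_at_rcpt):
    """Model one boundary MX. Returns (smtp_replies, bounces, double_bounces)."""
    replies, bounces, double_bounces = [], [], []
    for sender, rcpt in envelopes:
        if rcpt in LOCAL_USERS:
            replies.append(250)
            continue
        if validate_at_rcpt:
            # Refused inside the SMTP transaction: no responsibility accepted,
            # so this server never has to generate a bounce.
            replies.append(550)
            continue
        # Accepted first; the failure only shows up at final delivery.
        replies.append(250)
        if sender == "":
            # A failed message with the null sender is never bounced again;
            # it lands with the postmaster as a double bounce.
            double_bounces.append((sender, rcpt))
            continue
        bounces.append(sender)  # backscatter if the sender was forged
        if sender in DEAD_SENDERS:
            double_bounces.append((sender, rcpt))  # the bounce itself failed
    return replies, bounces, double_bounces


if __name__ == "__main__":
    for mode in (False, True):
        replies, bounces, doubles = edge_mx(INBOUND, validate_at_rcpt=mode)
        print(f"validate_at_rcpt={mode}: replies={replies} "
              f"bounces={len(bounces)} double_bounces={len(doubles)}")
```

With recipient validation at the boundary, the same four envelopes produce three in-session 550 refusals and no bounce or postmaster traffic at all.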