On Fri, 10 Mar 2000, Petr Novotny wrote:
> Adding one zillion system calls to validate the username is a DoS
> attack waiting to happen, too. Which one would you rather have?
Current implementation does not avoid the execution of "one zillion system
calls", it postpones it until qmail-send decides to deliver the message
later. Yes, there are benefits: reduced latency of qmail-smtpd, ability to
absorb brief peaks of load but sooner or later, you have to do the
validation anyway.
Let us assume the implementation of "early validation" is simpleminded and
does the validation twice (both in qmail-smtpd, and in qmail-local or
whatever does the final delivery), and let us assume its installation X
collapses when fed with at least N deliveries per second. Then the same
installation with vanilla qmail collapses at no more than 2N deliveries
per second because it needs no less than 50 % of X's CPU time to do its
work. DoS attack waiting to happen? It depends. Unless your network link is
slow...
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."