Mate Wierdl wrote:
>
> On Wed, Nov 15, 2000 at 08:48:31AM +0100, Andre Oppermann wrote:
> > Another possible qmail attack is its late bouncing for non-existent
> > users. Using a false envelope sender address you could fill up the
> > queue with double bounces. I consider this a more serious problem.
> > The decision to handle bouncing this way was apparently part of the
> > security and modularity concept of qmail.
>
> Wietse's attack was (modified a bit):
>
> while true; do
> qmail-queue&
> kill $!
> done
>
> This creates 0 length files in /var/qmail/queue/mess until inodes get
> exhausted. And manual intervention/recovery certainly seems needed.

Yes, unless qmail-clean would clean them up (as well as in queue/pid).

> Dan's response was that this is not completely anonymous since people
> are supposed to do process accounting. (On RH Linux, btw, the user
> is easy to catch since users have their own group).
>
> My question is why is it not better for qmail-queue to *immediately* write
> the "received" line identifying the user?

In theory this could be done. The problem is, you'll see this when you
look at the code, a race condition. A pid file is being created, then
the inode number is taken and then the whole thing is linked/unlinked
(transaction) from queue/pid to queue/mess. I can't imagine a fix
other than cleaning up with qmail-clean.
--
Andre
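
An added example, not part of the thread and not qmail code: a report-only check an administrator could run to spot the leftover zero-length files discussed above in queue/mess and queue/pid, together with inode headroom. The function names, the one-hour age floor and the sample file names are assumptions made for illustration; the sample queue is constructed in a temporary directory.

```python
import os, stat, tempfile, time

def find_stale_empty(queue_dir, min_age=3600, now=None):
    """Zero-length regular files under mess/ and pid/ at least min_age seconds old."""
    now = time.time() if now is None else now
    hits = []
    for sub in ("mess", "pid"):
        for root, _dirs, files in os.walk(os.path.join(queue_dir, sub)):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except FileNotFoundError:
                    continue  # moved or unlinked while we were walking
                # The age floor skips files that a running qmail-queue has
                # just created and not yet written to.
                if (stat.S_ISREG(st.st_mode) and st.st_size == 0
                        and now - st.st_mtime >= min_age):
                    hits.append(os.path.relpath(path, queue_dir))
    return sorted(hits)

def inodes_free_fraction(path):
    """Fraction of inodes still free on the filesystem holding path."""
    vfs = os.statvfs(path)
    return vfs.f_ffree / vfs.f_files if vfs.f_files else 1.0

def make_sample_queue():
    """Constructed sample: a throwaway directory laid out like a qmail queue."""
    q = tempfile.mkdtemp(prefix="sample-queue-")
    old = time.time() - 7200
    samples = {  # relative path: (content, backdate the mtime?)
        "mess/0/1001": (b"", True),                # stale and empty: reported
        "mess/0/1002": (b"", False),               # empty but fresh: skipped
        "mess/1/1003": (b"Received: x\n", True),   # has content: ignored
        "pid/4242.974274511.1": (b"", True),       # stale pid file: reported
    }
    for rel, (data, aged) in samples.items():
        path = os.path.join(q, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        if aged:
            os.utime(path, (old, old))
    return q

if __name__ == "__main__":
    q = make_sample_queue()
    print(find_stale_empty(q))
    print(f"{inodes_free_fraction(q):.1%} of inodes free")
```

The script only lists candidates; whether and when to remove them is left to the operator.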