Greg Owen <[EMAIL PROTECTED]> writes:
> > Well I guess that this one is definitely eligible for the
> > "qmail security challenge".
> >
> > http://web.infoave.net/~dsill/qmail-challenge.html
>
> I don't think so. The challenge says:

Obviously, the purpose of reporting this bug wasn't to win the expired
qmail challenge. It's not a security bug, but a correctness bug, and
a DoS bug (it seriously horked our mail servers).

[ ... ]

> This attack merely causes messages to loop a bit before bouncing.
> This barely even qualifies as a DOS attack.

A message sent into the system, sent to a user at a 0.0.0.0 MX host,
from a user at a 0.0.0.0 MX host, passes through qmail-smtpd,
qmail-queue, qmail-send, and qmail-remote 60 times before it's gone
from your system (30 before it bounces, and another 30 trying to
deliver the bounce). That means that if you have 2% of your messages
addressed this way, deliberately or accidentally, you need 120% more
power (over twice as much) to process the bounces. It means that a
user sending a steady stream of 10 (small) messages/sec over a dialup
connection makes your system deal with 600 messages/sec, which would
normally take a T1. A user on a T1 or fast DSL sending 600
messages/sec makes your system deal with 36,000 messages/sec, which
would normally take 2 T3s. It makes it possible for a home user with
relatively few resources to take down a medium-sized qmail
installation with no real effort. And they can even do it
accidentally, if they're spamming or dealing with a mailing list.

Our mail system at OneMain.COM processes over 23 million messages a
day with no problem, and this bug brought it to its knees.

It's a serious bug.

But it's relatively easy to fix (in ipme.c), or to work around (don't
allow connections from 127.0.0.1 to qmail-smtpd).

-------ScottG.
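
The kind of own-address check the message points to as the fix, as an added example that is not part of the original message and is not qmail's ipme.c: an MX target of 0.0.0.0 is classed as "this host" so the loop can be recognised before any connection is made. The function names and the interface address 192.0.2.10 are assumptions, and the 127.0.0.0/8 test goes beyond the single loopback address the message mentions.

```c
/* Added example (not qmail's ipme.c): is an MX address really this host? */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Returns 1 if a connection to ip_net (network byte order) would land on
 * this host: the unspecified address, loopback, or a configured interface. */
int is_self_address(uint32_t ip_net, const uint32_t *local_net, size_t nlocal)
{
    uint32_t ip = ntohl(ip_net);
    size_t i;

    if (ip == 0)               /* 0.0.0.0, the case from the message */
        return 1;
    if ((ip >> 24) == 127)     /* 127.0.0.0/8 loopback */
        return 1;
    for (i = 0; i < nlocal; i++)
        if (local_net[i] == ip_net)
            return 1;
    return 0;
}

/* Hypothetical helper: checks a dotted-quad MX target against a constructed
 * interface list holding only 192.0.2.10. Returns -1 on unparsable input. */
int sample_check(const char *dotted)
{
    struct in_addr mx, iface;
    uint32_t local[1];

    if (inet_pton(AF_INET, "192.0.2.10", &iface) != 1)
        return -1;
    local[0] = iface.s_addr;
    if (inet_pton(AF_INET, dotted, &mx) != 1)
        return -1;
    return is_self_address(mx.s_addr, local, 1);
}

int main(void)
{
    const char *mx[] = { "0.0.0.0", "127.0.0.1", "192.0.2.10", "198.51.100.7" };
    size_t i;

    for (i = 0; i < sizeof mx / sizeof mx[0]; i++)
        printf("%-14s %s\n", mx[i], sample_check(mx[i]) == 1 ? "self" : "remote");
    return 0;
}
```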