Hi,
To whom it may concern
I suspected of, and later verified a case, in which spamd in
grey-trapping mode may be forced to a DOS.
I use exactly this configuration, so I am concerned too. In this case I
am a FreeBSD user with a fresh
spamd-4.1.2 installed through ports(7).
Conditions:
1) A malicious user on machine 'S', who wants to deny mail service to
server 'A' on another server 'B'. This malicious user knows the
'[EMAIL PROTECTED]' greytrapping address.
2) The server B is protected by spamd with greytrapping enabled.
3) The server A verifies addresses of all smtp-senders. In my case it's
'http://www.milter.info/sendmail/milter-sender/', although other
solutions may exist. The smtp callback is made with an empty ('<>')
return address.
The scenario (as it really goes):
Dialogue 1:
[EMAIL PROTECTED] telnet A 25
220 A ESMTP MTA; Wed Oct 8 23:46:45 2008
HELO spammer.world
250 A Hello
MAIL FROM: <[EMAIL PROTECTED]>
at this time the server A makes the callback, and gets trapped.
Dialogue 2:
220 B ESMTP spamd IP-based SPAM blocker; Wed Oct 8 23:46:45 2008
HELO A
250 Hello, spam sender. Pleased to be wasting your time.
MAIL FROM: <>
250 You are about to try to deliver spam. Your time will be spent, for
nothing.
RCPT TO: <[EMAIL PROTECTED]>
250 This is hurting you more than it is hurting me.
In the end of these dialogues, [EMAIL PROTECTED] continues to send spam or opts to
disconnect, and
the server A gets GREYTRAPPED in the server B's /var/db/spamd
Imagine, a really malicious spammer can do a loop and organise a whole
bunch of this DOS situations.
It's pretty enough to know
(1) the '[EMAIL PROTECTED]' (recall that many users also
blacklist IP's which were greytrapped by this server!!!) and
(2) a list of servers that make callbacks
in order to disrupt their service.
Workaround:
if you are A: disable the callback software at your MX. At least do not
call back to ualberta.ca :)
if you are B: keep '[EMAIL PROTECTED]' address in secret, so it cannot be
abused.
Resolution:
Exclude sessions with empty (<>) MAIL FROM from greytrapping in spamd.
No patch at this time, sorry folks!
Really right solution:
Not aware of.
Before I disconnect,
please excuse me for this flood in the case it's already fixed somewhere
in -CURRENT. I really didn't look into.
--
Best regards,
Mikhail Boev
I'm not subscribed
