From: Alex van den Bogaerdt (alex_at_ergens.op.HET.NET)
Date: Sun Jul 21 2002 - 16:24:22 CDT


    Wietse Venema wrote:

    > > Much UCE originates from open proxies -- which don't provide a convenient
    > > set of headers for tracking the origin. Many ISPs and sysadmins don't care
    > > that their customers are running open relays or open proxies. We seem to
    > > be getting more and more UCE.
    >
    > As the network grows, so does the number of mis-configured systems,
    > as long as there is no penalty for doing so.

    Exactly. So a penalty is proposed right now.

    > > What if there were tens of thousands of mailservers that used open relay
    > > lists and open proxy lists but instead of merely blocking the connection,
    > > they responded exceedingly slowly -- and tried to make the connection from
    > > the open proxy/relay last as long as possible?
    >
    > One would have to be careful not to make one's own SMTP server
    > overly susceptible to denial of service attacks.

    Indeed. Perhaps this could be done by only accepting some number
    of such sessions. Any more and "451 try again" (or whatever the
    right number is) could be given, but only to these kinds of connections.
    This would leave resources available for normal mail processing.

    > > The intent would be to exhaust the system resources of the open
    > > proxy/relay because, after a time, the open proxy/relay would have
    > > thousands of open TCP connections.
    >
    > How long would that take? If the time to exhaust the machine is
    > longer than the average uptime of those systems, then the effect
    > would be near zero.

    The trick is that
    a) the number of messages relayed through such a system is reduced
    b) the uptime of such a machine is probably reduced

    Reasoning: such a system can only open a certain number of sessions.
    The longer they take, the longer it takes to send out all spam. Also,
    as the system is most likely not up to date, the huge number of open
    sessions will cause a blue screen or so.

    > Postfix would have to send the open file descriptor to some
    > non-Postfix process.

    This I don't understand. Postfix can handle multiple sessions
    concurrently?
    Why would a separate, non-Postfix, process be necessary?

    I'm thinking of something like multi-line responses, character by
    character with a one second interval each time. Just feed enough
    data to keep the connection open. The multiline response could
    be explaining why the relaying of email by open relays is bad.

    cheers,
    Alex
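The two ideas in this message (a cap on slow sessions with "451 try again" beyond it, and a multi-line reply fed one character per interval) can be sketched as follows. This is an added example, not part of the original post and not Postfix code; the `Tarpit` class, the in-memory list standing in for an open relay/proxy list, the lecture text and the addresses are all assumptions.

```python
import asyncio

# Constructed text for the slow multi-line reply ("451-" marks a continuation line).
LECTURE = ["Your host is on an open relay/proxy list; relaying for anyone hides spammers.",
           "Close the relay, then try again."]

class Tarpit:
    def __init__(self, listed, max_slow=2, delay=1.0):
        self.listed = set(listed)  # stand-in for an open relay/proxy list lookup
        self.max_slow = max_slow   # cap on slow sessions, so the server cannot be tied up
        self.delay = delay         # pause between characters
        self.slow = 0              # slow sessions currently open

    def classify(self, ip):
        if ip not in self.listed:
            return "normal"
        return "tarpit" if self.slow < self.max_slow else "defer"

    async def greet(self, ip, write):
        """Send the opening reply for one connection via write(bytes); return the verdict."""
        verdict = self.classify(ip)
        if verdict == "normal":
            await write(b"220 mail.example.test ESMTP\r\n")
        elif verdict == "defer":
            await write(b"451 try again\r\n")   # fast reply: no slow slot is consumed
        else:
            self.slow += 1
            try:
                reply = "".join(f"451-{t}\r\n" for t in LECTURE[:-1]) + f"451 {LECTURE[-1]}\r\n"
                for ch in reply.encode():       # one character per interval
                    await write(bytes([ch]))
                    await asyncio.sleep(self.delay)
            finally:
                self.slow -= 1                  # free the slot even if the peer hangs up
        return verdict

async def demo(delay=0.001):
    # Constructed scenario: three listed hosts and one normal client connect at once.
    pit, sent = Tarpit({"192.0.2.10", "192.0.2.11", "192.0.2.12"}, delay=delay), {}
    def sink(ip):
        sent[ip] = b""
        async def write(data):
            sent[ip] += data
        return write
    ips = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.7"]
    verdicts = await asyncio.gather(*(pit.greet(ip, sink(ip)) for ip in ips))
    return dict(zip(ips, verdicts)), sent, pit.slow

if __name__ == "__main__":
    print(asyncio.run(demo())[0])
```

With a real listener, `write` would wrap `StreamWriter.write()` followed by `await writer.drain()`; the cap keeps the rest of the connection table free for normal mail.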