Re: Doug attack scenarios without SPF
On Fri, Nov 10, 2006 at 11:34:20AM -0800, William Leibzon wrote:
> Now let's assume that as per Doug's scenario the email is sent using a botnet
> to many mail servers [ ... ]
While I agree that there is some potential for an attack, I don't see
it as a really big problem.
1) AFAIK no caching DNS server sends out to *all* servers in NS records
immediately. Some are rather clever in detecting identical DNS servers.
2) Caching helps even against lame delegations (ok - the botnet may use
3) Neither for the sender nor for the receiver does it make a real
difference how large the hostname in the query is as long as it fits
in one UDP packet. It's a packet on the wire. Compared to web
traffic hammering against busy webservers it is still peanuts.
4) It is easy for the MTA to check for the length of the EHLO argument
and ensure that it fits in one UDP packet
5) It is easy for the MTA to immediately establish temp. blocks for IPs
sending EHLO arguments that lead to errors
6) A lot of MTAs already now check the domain of the 2821.MAILFROM, so it
is already now possible to start that kind of attack. This is nothing
7) LHS wildcard blocks for abusive domains will also fix the problem
rather fast and can be automated. For the attack to work the attacker
must own the SLD (or sometimes 3rdLD) to be able to introduce lame
delegations. Also the DNS servers for those domains can be automatically
isolated or blocked.
As I said - there is a potential for attacks but no new one.
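Items 4) and 5) above describe two cheap MTA-side mitigations: bounding the EHLO argument so the resulting DNS query is a single ordinary UDP packet, and temporarily blocking peers that keep sending bad EHLO arguments. The following is an added illustration of both, not code from the thread or from any MTA; the limits come from RFC 1035 (63 octets per label, 253 characters per name in text form), and the threshold, block duration and IP addresses are constructed values. It handles only the hostname form of EHLO; address literals such as [192.0.2.1] need no lookup and are not covered.

```python
import re
import time
from collections import defaultdict

# RFC 1035 limits: each label at most 63 octets, the whole name at most
# 253 characters in text form (255 octets on the wire). A name within these
# limits always fits a classic 512-byte UDP DNS message.
MAX_LABEL = 63
MAX_NAME = 253
# One label: letters/digits/hyphen, no leading or trailing hyphen, 1..63 chars.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def ehlo_is_acceptable(arg: str) -> bool:
    """True if the EHLO argument is a sane hostname worth handing to the resolver."""
    if not arg or len(arg) > MAX_NAME:
        return False
    name = arg[:-1] if arg.endswith(".") else arg   # tolerate a trailing dot
    labels = name.split(".")
    if len(labels) < 2:                              # reject bare single labels
        return False
    return all(len(l) <= MAX_LABEL and _LABEL_RE.match(l) for l in labels)


class EhloErrorTracker:
    """Temporary per-IP block after repeated bad EHLO arguments (item 5).

    threshold/block_seconds are constructed example values; `now` is
    injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, threshold=3, block_seconds=600, now=time.time):
        self.threshold, self.block_seconds, self.now = threshold, block_seconds, now
        self.errors = defaultdict(int)   # ip -> consecutive bad EHLO count
        self.blocked_until = {}          # ip -> unix time when the block expires

    def is_blocked(self, ip: str) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:          # block expired: forget the history
            del self.blocked_until[ip]
            self.errors[ip] = 0
            return False
        return True

    def record(self, ip: str, ehlo_arg: str) -> bool:
        """Return True if the EHLO from `ip` may proceed to a DNS lookup."""
        if self.is_blocked(ip):
            return False
        if ehlo_is_acceptable(ehlo_arg):
            return True
        self.errors[ip] += 1
        if self.errors[ip] >= self.threshold:
            self.blocked_until[ip] = self.now() + self.block_seconds
        return False
```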