If an attacker fails when spoofing foo.com they can turn
around and spoof bar.com. If that fails too, they can keep
trying until they manage to get something cached.
Once something's cached they can spam all they like.
You always know where to spoof. You send the packets at
the SMTP server, since that's the machine that's going to
make a request of it's server.
Further, your estimate of the success ratio is probably overly
pessimistic. There are a bunch of layers to go through for
a valid response to be returned. The SMTP server makes a request
to it's local DNS server which asks the root server who's authorative
and then turns around and asks that server for the data.
That's several round trips versus a bunch of direct sends.
-----Original Message-----
From: Chris Lewis [mailto:clewis(_at_)nortelnetworks(_dot_)com]
Sent: Thursday, March 06, 2003 9:26 PM
Cc: ietf anti-spam research group
Jonathan Wilkins wrote:
Why is 65536 100 byte packets a lot? That's only 655k.
(a) it assumes you manage to guess the right packet before the real
server gets its answer thru. Let's be generous, and say that they beat
it 50% of the time. So, half of your spam run is toast.
(b) it's 65536 100 byte packets for _each_ MTA you're trying to get
around - _if_ you know where to flood. Worthwhile for attacking large
ISPs. Not small MTAs.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg