ietf-asrg

Re: [Asrg] SICS

2004-12-23 21:14:02
On Dec 23 2004, gep2(_at_)terabites(_dot_)com wrote:
> I've been hit by 1500 zombie pc's simultaneously pumping the same
> exact spam at us.
>
> How cheap does cheap have to be to deal with an attack like that?
>
> At SOME point, this is more a DDOS attack than a spam
> issue... although if we go after unwanted/untrusted attachments and
> HTML, we will go a long way towards solving the problem (at least
> for E-mail vectors) of recruiting these zombie spambots.

That's the whole point. Spammers are DDOSing the SMTP servers. We're
discussing ways to protect against such DDOS attacks. But looking at
message contents is useless - by the time your SMTP server gets to see
the message, the resources are committed.

> There is clearly NO (local) solution for DDOS attacks, because by
> the time they arrive at your entrance portal the damage has already
> been done.

Available information before that point is limited. You can refuse to
accept the connection based on IP address, or you can accept the
connection tentatively and do some cheap lookups. Before the message
DATA arrives, you have three pieces of information: a HELO (or EHLO)
identification string, the MAIL and RCPT strings (There's also VRFY or
EXPN but keep it simple).  Once the DATA command is used, the
connection is no longer cheap, because the data can be arbitrarily
long, and doing any sort of analysis on it will cost unpredictable
resources anyway. So discussing body analysis is irrelevant for this
problem.

-- 
Laird Breyer.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
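
The pre-DATA decision points described in the message above, sketched as an added example that is not part of the original post or of any mail server's code. The class and function names, the blocklist, the recipient table and the HELO rule are assumptions constructed for illustration.

```python
import ipaddress
import re
# Constructed policy data for illustration (documentation address ranges).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
LOCAL_RCPTS = {"postmaster@example.org", "alice@example.org"}
ADDR = re.compile(r"<([^<>\s]*)>")  # path inside MAIL FROM:<...> / RCPT TO:<...>

class PreDataGate:
    """Per-connection state; every decision uses only IP, HELO, MAIL and RCPT."""
    def __init__(self, peer_ip):
        self.peer = ipaddress.ip_address(peer_ip)
        self.helo = self.mail = None
        self.rcpts = []

    def banner(self):
        # Cheapest point: refuse on IP address before parsing any command.
        blocked = any(self.peer in net for net in BLOCKED_NETS)
        return "554 connection refused" if blocked else "220 ready"

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, m = verb.upper(), ADDR.search(arg)
        if verb in ("HELO", "EHLO"):
            # Reject an empty name or an IPv4 literal that is not the peer's address.
            if not arg or (arg.startswith("[") and arg.strip("[]") != str(self.peer)):
                return "550 bad HELO"
            self.helo = arg
            return "250 ok"
        if verb == "MAIL":
            if self.helo is None or m is None:
                return "503 bad sequence"
            self.mail = m.group(1)  # "" is the null sender used by bounces
            return "250 ok"
        if verb == "RCPT":
            if self.mail is None or m is None:
                return "503 bad sequence"
            if m.group(1).lower() not in LOCAL_RCPTS:
                return "550 no such user"
            self.rcpts.append(m.group(1).lower())
            return "250 ok"
        if verb == "DATA":
            # Only past this point would the server commit to an arbitrarily long body.
            return "354 go ahead" if self.rcpts else "503 no valid recipients"
        return "502 not implemented"

def run_session(peer_ip, lines):
    gate = PreDataGate(peer_ip)
    first = gate.banner()
    return [first] + ([gate.command(l) for l in lines] if first[0] == "2" else [])
```

Each rejection is issued at the earliest stage where the needed information exists, so a session that fails any check never reaches the 354 reply.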

