ietf-mxcomp

Re: Doug attack scenarios without SPF

2006-11-18 20:24:27

Hoi,

On Fri, Nov 10, 2006 at 11:34:20AM -0800, William Leibzon wrote:
> Now let's assume that, as per Doug's scenario, the email is sent using a botnet
> to many mail servers [ ... ]

while I agree that there is some potential for an attack I don't see
it as a really big problem.
1) AFAIK no caching DNS server sends out to *all* servers in NS records
   immediately. Some are rather clever in detecting identical DNS servers.
2) Caching helps even against lame delegations (ok - the botnet may use
   random subdomains)
3) Neither for the sender nor for the receiver does it make a real
   difference how large the hostname in the query is as long as it fits
   in one UDP packet. It's a packet on the wire. Compared to web
   traffic hammering against busy webservers it is still peanuts.
4) It is easy for the MTA to check for the length of the EHLO argument
   and ensure that it fits in one UDP packet
5) It is easy for the MTA to immediately establish temp. blocks for IPs
   sending EHLO arguments that lead to errors
6) A lot of MTAs already now check the domain of the 2821.MAILFROM so it
   is already now possible to start that kind of attack. This is nothing
   newly introduced.
7) LHS wildcard blocks for abusive domains will also fix the problem
   rather fast and can be automated. For the attack to work the attacker
   must own the SLD (or sometimes 3rdLD) to be able to introduce lame
   delegations. Also the DNS servers for those domains can be automatically
   isolated or blocked.

As I said - there is a potential for attacks but no new one.

        \Maex
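An added example (not code from the thread) of the MTA-side checks in points 4 and 5 above: reject an EHLO argument that cannot be a valid DNS name before any lookup is issued, and temporarily block a client IP whose EHLO arguments repeatedly lead to lookup errors. The length limits are the RFC 1035 ones; the threshold, window and block duration are assumed values.

```python
import re
import time
from collections import defaultdict

# RFC 1035 limits: a label is at most 63 octets and a full name at most
# 253 characters in presentation form, so a valid EHLO hostname always
# fits in a single UDP DNS query.
MAX_NAME = 253
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def ehlo_arg_ok(arg: str) -> bool:
    """True if the EHLO argument is worth passing to the resolver."""
    if arg.startswith("[") and arg.endswith("]"):
        return True  # address literal: nothing to look up
    if not arg or len(arg) > MAX_NAME:
        return False
    labels = arg.rstrip(".").split(".")
    if len(labels) < 2:  # bare single-label names are not resolved
        return False
    return all(LABEL_RE.match(label) for label in labels)

class TempBlocker:
    """Per-IP counter of EHLO lookup failures with a temporary block."""
    # Thresholds below are assumed values, not taken from the thread.
    def __init__(self, threshold=3, window=600, block_for=3600):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(list)  # ip -> failure timestamps
        self.blocked = {}                  # ip -> block expiry time

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        expiry = self.blocked.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.blocked.pop(ip, None)  # expired (or never set)
        return False

    def record_failure(self, ip, now=None):
        """Log one failed EHLO lookup; returns True when a block starts."""
        now = time.time() if now is None else now
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.threshold:
            self.blocked[ip] = now + self.block_for
            return True
        return False
```

An MTA would call ehlo_arg_ok before resolving the EHLO name and record_failure when the resolver returns an error; is_blocked is consulted at connection time.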
