Re: Keep Alive Response Codes

2005-09-17 03:46:16

On Sat, 17 Sep 2005 10:55:07 +0100, John Leslie <john(_at_)jlc(_dot_)net> wrote:
> after DATA -- instead, IMHO, folks are saying that receiving SMTP
> servers that _average_ more than a few seconds per email after DATA
> risk running out of resources: thus you shouldn't do this unless you
> know what you're doing.

Actually, they are saying that SMTP servers that average more than a few seconds per email after DATA risk *making the client* run out of resources... The servers can manage resources easily enough by restricting incoming connections etc. if they need to.

This is, potentially, a good DoS attack on the client.

If the 'keep alive' *trick* discussed here does work, you could potentially make a client at somewhere like Yahoo or somewhere open up 100 connections to a dummy mail server to receive mail. That mail server then 'keeps alive' those connections indefinitely, stopping the mail client from sending mail to anyone else.

That's why I think the RFC 2821 timeout should be specified as being to the *final* reply code. It doesn't look as if that's the way it's implemented at the moment in many cases, which could lead to a DoS attack as described above.
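
A client-side sketch of the timeout rule argued for above, added here as an example and not part of the original message or thread: the deadline runs to the *final* reply line, so intermediate lines cannot extend it. It assumes the 'keep alive' takes the form of multi-line reply continuation lines (`250-...`); the function names, the 64 KiB cap and the socketpair test peer are constructed for the demonstration.

```python
import socket
import threading
import time

class ReplyDeadlineExceeded(Exception):
    """No final SMTP reply line arrived before the overall deadline."""

def read_final_reply(sock, deadline_seconds, max_bytes=64 * 1024):
    """Read one SMTP reply; continuation lines never extend the deadline."""
    deadline = time.monotonic() + deadline_seconds
    buf, lines, total = b"", [], 0
    while True:
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            lines.append(line.decode("ascii", "replace"))
            # "250-text" continues the reply; "250 text" or bare "250" ends it.
            if len(line) >= 3 and line[:3].isdigit() and line[3:4] != b"-":
                return int(line[:3]), lines
        remaining = deadline - time.monotonic()
        if remaining <= 0 or total > max_bytes:
            raise ReplyDeadlineExceeded(f"no final reply after {len(lines)} line(s)")
        sock.settimeout(remaining)  # only the time left, not a fresh per-read timeout
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            raise ReplyDeadlineExceeded(f"no final reply after {len(lines)} line(s)") from None
        if not chunk:
            raise ConnectionError("connection closed before final reply")
        buf += chunk
        total += len(chunk)

def constructed_server(conn, continuation_lines, interval, send_final):
    """Constructed test peer: drips continuation lines, then maybe a final line."""
    with conn:
        try:
            for _ in range(continuation_lines):
                conn.sendall(b"250-still working\r\n")
                time.sleep(interval)
            if send_final:
                conn.sendall(b"250 OK\r\n")
        except OSError:
            pass  # client gave up and closed its end

def run_case(continuation_lines, interval, send_final, deadline_seconds):
    client, server = socket.socketpair()
    threading.Thread(target=constructed_server, daemon=True,
                     args=(server, continuation_lines, interval, send_final)).start()
    with client:
        return read_final_reply(client, deadline_seconds)
```

A client that instead resets its timer on every received line would stay attached to the dripping peer for as long as the lines keep coming.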