On Sat, 17 Sep 2005 10:55:07 +0100, John Leslie <john(_at_)jlc(_dot_)net> wrote:
> after DATA -- instead, IMHO, folks are saying that receiving SMTP
> servers that _average_ more than a few seconds per email after DATA
> risk running out of resources: thus you shouldn't do this unless you
> know what you're doing.

Actually, they are saying that SMTP servers that average more than a few
seconds per email after DATA risk *making the client* run out of
resources... The servers can manage resources easily enough by
restricting incoming connections etc. if they need to.

This is, potentially, a good DoS attack on the client.

If the 'keep alive' *trick* discussed here does work, you could
potentially make a client at somewhere like Yahoo or somewhere open up 100
connections to a dummy mail server to receive mail. That mail server then
'keeps alive' those connections indefinitely, stopping the mail client
from sending mail to anyone else.

That's why I think the RFC 2821 timeout should be specified as being to
the *final* reply code. It doesn't look as if that's the way it's
implemented at the moment in many cases, which could lead to a DoS attack
as described above.
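The timeout-to-the-final-reply-code point above, as an added example that is not part of this thread: a Python client read loop whose deadline for the reply (e.g. after the end-of-DATA ".") is fixed once and is not reset by intermediate lines, exercised against a constructed in-process "server" thread. It assumes the 'keep alive' trick takes the form of continuation lines of a multi-line reply (the message does not say what the trick sends), and the short timeouts are constructed values for the demonstration.

```python
import socket
import threading
import time

class ReplyTimeout(Exception):
    """The final SMTP reply code did not arrive before the deadline."""

def read_final_reply(sock, total_timeout):
    """Return (code, lines) of one SMTP reply, with a deadline fixed once up front."""
    deadline = time.monotonic() + total_timeout
    buf, lines = b"", []
    while True:
        # Wait only for what is left of the ORIGINAL deadline; continuation lines never extend it.
        sock.settimeout(max(deadline - time.monotonic(), 1e-3))
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            raise ReplyTimeout("no final reply code within %.1fs" % total_timeout) from None
        if not chunk:
            raise ConnectionError("connection closed before the final reply")
        buf += chunk
        while b"\r\n" in buf:
            raw, buf = buf.split(b"\r\n", 1)
            text = raw.decode("ascii", "replace")
            lines.append(text)
            # Final line: 3 digits then space or end of line (RFC 2821 4.2.1); "250-..." only continues.
            if len(text) >= 3 and text[:3].isdigit() and text[3:4] in ("", " "):
                return int(text[:3]), lines

def simulate(script, total_timeout):
    """Feed scripted (delay_seconds, bytes) items from a constructed in-process
    'server' thread to read_final_reply; return the reply or the string "timeout"."""
    client, server = socket.socketpair()
    def play():
        try:
            for delay, data in script:
                time.sleep(delay)
                server.sendall(data)
        except OSError:
            pass  # the client gave up and closed its end
        server.close()
    worker = threading.Thread(target=play)
    worker.start()
    try:
        return read_final_reply(client, total_timeout)
    except ReplyTimeout:
        return "timeout"
    finally:
        client.close()
        worker.join()
```

A per-line (reset-on-read) timeout would never fire in the trickled-continuation case; the fixed deadline does, and the client frees the connection.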