spf-discuss

Re: RCPT TO: rejecting

2004-05-26 10:02:18
On Wed, 26 May 2004, George Mitchell wrote:

This is not entirely true.  The problem with callbacks is that they
come from hither and yon, making them effectively impossible to
block, as opposed to one machine generating a zillion SMTP sessions.
The amount of traffic is the same in either case, but one can be
trivially stopped and the other can't.         -- George Mitchell

But if you were *trying* to DoS a machine, you *would* be sending the SMTP
sessions from hither and yon...in fact, with zombies being used to send
spam, that's usually what happens.

Most likely you'd skip SMTP altogether and just send lots of packets with
forged source addresses.  That's how DoS attacks are usually carried out.

I can understand people having moral objections to CBV, but I don't think
the "it can be used as a DoS vector" rationalization is a realistic one.
Heck, you could make the same argument about reverse DNS lookups, or
identd, both of which seem to be widely accepted practices.

