spf-discuss

Re[2]: RCPT TO: rejecting

2004-05-26 15:31:53
Wednesday, May 26, 2004, 11:30:18 PM, you wrote:


TS> On May 26, 2004, at 9:05 AM, Seth Goodman wrote:

From: Lars Dybdahl
Sent: Tuesday, May 25, 2004 3:53 AM


I've found that connecting to the mail server of the MAIL FROM:
address and attempting to initiate an email (up to the DATA stage)
successfully detects around 30% of all my "joe jobs" spam

shouldn't this be part of the wider scheme to prevent joejobbing ?

No. This would make it extremely easy to make a distributed
denial-of-service attack against a mail server.

I respectfully disagree.  Verizon and PoBox both use callbacks to help
qualify their incoming mail simply because it works.  Virtually any network
protocol, particularly those that are based on TCP, can be used to engineer
a DoS attack.  It is already fairly easy to engineer a DDoS against any
exposed node on the internet.  Most of these methods take advantage of the
peculiarities of TCP, they have been shown to work time and time again,
and they are extremely difficult to stop, even under ideal conditions.  The
offending traffic appears to be coming "from everywhere at once".  Blocking
it at the router is usually not a viable option.  You may be able to close
some of the connections early, but you still have to open a socket and do
the requisite checking for each incoming request.  Depending on the size of
the zombie group and the amount of network bandwidth you have, they can
knock almost anyone off the net.

TS> The point is that they no longer need a "zombie group" nor do they need 
TS> to compromise machines.  Instead, you've decided to offer a service 
TS> that allows them to have you beat the crap out of some innocent victim. 

Dude - checking RCPT TO: doesn't offer any new DDoS tool they don't
already have - they could just as well send a million spams to as many
different SMTP hosts as they can dredge up, faking the sender address
to be that of the victim, then all the resultant bounce, DSN, MDN,
abuse, and other traffic's gunna take out their victim just the same:
heck - with a suitable selection of SMTP servers, they could amplify
their attack 10-fold or more using DSN and C/R antispam services
alone...

RCPT TO: checking, if cached for a suitably small amount of time (or
4xx'd when using cached data), would actually prevent that more
dangerous form of DDoS... 
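An added example, not code from this thread or from any of its authors, of the caching and budgeting the reply above argues for: the callout itself is done through an injected `probe` function (assumed interface: returns True if the claimed sender's MX accepts the address, False if it rejects it, None if it cannot be reached), verdicts are cached for a short TTL so one claimed sender costs at most one callout per TTL, and a per-domain callout budget answers with a 4xx temporary failure instead of opening yet another connection to the claimed sender's MX. The class name, the status codes used as verdicts and the budget numbers are assumptions.

```python
import time
from dataclasses import dataclass, field

# SMTP reply codes used as verdicts for the MAIL FROM address being checked.
ACCEPT, TEMPFAIL, REJECT = "250", "451", "550"


@dataclass
class CallbackVerifier:
    """Sender-address callout with a verdict cache and a per-domain callout budget."""
    probe: callable                  # probe(domain, address) -> True / False / None (unreachable)
    ttl: float = 600.0               # seconds a verdict is reused before the MX is asked again
    max_probes_per_domain: int = 5   # callouts allowed per sender domain per window
    window: float = 60.0             # seconds over which the budget is counted
    now: callable = time.monotonic   # injectable clock (assumption, for testing)
    _cache: dict = field(default_factory=dict)   # address -> (verdict, expiry time)
    _probes: dict = field(default_factory=dict)  # domain -> recent callout timestamps

    def check(self, address: str) -> str:
        t = self.now()
        hit = self._cache.get(address)
        if hit and hit[1] > t:
            return hit[0]  # cached verdict: no new connection to the claimed sender's MX

        domain = address.rsplit("@", 1)[-1].lower()
        recent = [s for s in self._probes.get(domain, []) if s > t - self.window]
        self._probes[domain] = recent
        if len(recent) >= self.max_probes_per_domain:
            # Budget for this domain is spent: defer the message rather than let a flood of
            # mail claiming this sender turn our verifier into traffic aimed at its MX.
            return TEMPFAIL
        recent.append(t)

        result = self.probe(domain, address)
        if result is None:
            return TEMPFAIL  # MX unreachable: neither accept nor remember the outcome
        verdict = ACCEPT if result else REJECT
        self._cache[address] = (verdict, t + self.ttl)
        return verdict
```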

