spf-discuss
[Top] [All Lists]

Re: Re[2]: RCPT TO: rejecting

2004-05-26 17:56:07

On May 26, 2004, at 6:31 PM, Chris Drake wrote:

Dude - checking RCPT TO: doesn't offer any new DDoS tool they don't
already have - they could just as well send a million spams to as many
different SMTP hosts as they can dredge up, faking the sender address
to be that of the victim, then all the resultant bounce, DSN, MDN,
abuse, and other traffic's gunna take out their victim just the same:
heck - with a suitable selection of SMTP servers, they could amplify
their attack 10fold or more using DSN and C/R antispam services
alone...

RCPT TO: checking, if cached for a suitably small amount of time (or
4xx'd when using cached data), would actually prevent that more
dangerous form of DDoS...

One opinion is that other things are broken badly (as you mention above) so there is nothing wrong with embracing yet another thing that is broken as long as it is less broken. You may have that view and I don't. I am strongly against DSNs and C/R systems as well. If you choose to use a C/R system you contribute to the problem. If you choose to implement CBV you provide a mechanism for abusing innocent victims. This discussion was not about it being "less broken" or "less dangerous" than other mechanisms. It is an argument that CBV is dangerous, is known to allow abuse and yet some people think its okay to deploy it.

I'm ending this thread, on my part at least. My goal was not to win a fight it was to make a good argument. I believe I've done that for at least a few spectators -- hopefully some people that didn't think CBV was irresponsible already.

// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
// Ecelerity: fastest MTA on Earth


<Prev in Thread] Current Thread [Next in Thread>