spf-discuss

Re: Re: DNS load research

2005-03-24 08:37:18


Scott Kitterman wrote:
One virus-infected (say it is in Russia) machine connects to ohmi.org.
It sends the following 60-byte packet to port 25 at ohmi.org, and
goes on to the next target, without waiting for a response, or closing
the connection.

The packet reads:

"ehlo u
mail from: <a(_at_)kitterman(_dot_)com>
rcpt to: <radu(_at_)ohmi(_dot_)org>"



Let's go back to this premise and make sure it's correct.  I'm not sure it
is...

I went back and looked over RFC 2821 some more:

http://www.ietf.org/rfc/rfc2821.txt

Particularly the first half of chapter 3 and appendix D.

From my reading of 2821, an RFC compliant SMTP server would discard that
packet and move on.  Now that doesn't mean that your scenario can't happen,
just that it would be considerably more complex.  Something like:

      S: 220 ohmi.org Simple Mail Transfer Service Ready
      C: EHLO u {Now at this point you could bail out, but in reality you can't}
      S: 250-ohmi.org greets u
      S: 250-8BITMIME
      S: 250-SIZE
      S: 250-DSN
      S: 250 HELP
      C: MAIL FROM:<a(_at_)kitterman(_dot_)com>
      S: 250 OK
      C: RCPT TO:<radu(_at_)ohmi(_dot_)org>
      S: 250 OK

Now he ought to go to at least RCPT TO: because SPF checks can be done
anytime before DATA and since RCPT TO: checks are much less expensive than
SPF checks, it makes sense to do them first.

Now at this point, he's had to build a TCP/IP connection, and not just UDP
that we're using almost exclusively in DNS.  We know where he came from and
there's been a lot more than 60 bytes expended.

Now, what's the amplification factor for that?

That's for you to calculate and tell the rest of us. Make sure you state all your assumptions, like I did.

Thanks.
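Added example, not from this thread or from either poster: a small Python model of the server side of the session quoted above. It enforces the RFC 2821 command order (EHLO before MAIL, MAIL before RCPT, RCPT before DATA), runs the cheap local-recipient check before the expensive SPF check, and reaches the SPF step at most once per MAIL transaction, which is the ordering the message argues for. It also tallies the bytes each side puts on the wire so the per-connection cost being discussed can be seen. The local user table, the client address 192.0.2.10, and the default_spf stand-in (which does no DNS and just returns "none") are assumptions made for the illustration; the commands and addresses are the ones quoted in the thread, written without the archive's address obfuscation.

```python
# Added example (not code from the spf-discuss thread or its posters).
# Models the SMTP command sequence quoted in the thread, with cheap
# checks ordered ahead of the DNS-backed SPF check.
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

LOCAL_DOMAIN = "ohmi.org"     # the receiving domain named in the thread
LOCAL_USERS = {"radu"}        # assumption: the only mailbox at ohmi.org
CRLF = "\r\n"
ADDR_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")

# The three lines the thread describes as the "60-byte packet"
THREAD_COMMANDS = [
    "ehlo u",
    "mail from: <a@kitterman.com>",
    "rcpt to: <radu@ohmi.org>",
]


def default_spf(client_ip: str, helo: str, mail_from: str) -> str:
    """Stand-in for SPF evaluation.  Assumption: a real check would issue
    DNS queries for the sender domain here; this one just returns 'none'."""
    return "none"


@dataclass
class Session:
    client_ip: str
    helo: Optional[str] = None
    mail_from: Optional[str] = None
    spf_result: Optional[str] = None          # cached per MAIL transaction
    rcpts: List[str] = field(default_factory=list)
    spf_checks: int = 0                       # times the costly check ran
    client_bytes: int = 0
    server_bytes: int = 0
    transcript: List[str] = field(default_factory=list)

    def send(self, *lines: str) -> str:
        """Record a (possibly multi-line) reply; return its last line."""
        self.server_bytes += sum(len(l) + len(CRLF) for l in lines)
        self.transcript.extend("S: " + l for l in lines)
        return lines[-1]


def greet(session: Session) -> str:
    return session.send(f"220 {LOCAL_DOMAIN} Simple Mail Transfer Service Ready")


def handle(session: Session, line: str,
           spf: Callable[[str, str, str], str] = default_spf) -> str:
    """Process one client command and return the last reply line."""
    session.client_bytes += len(line) + len(CRLF)
    session.transcript.append("C: " + line)
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()

    if verb in ("EHLO", "HELO"):
        session.helo = arg.strip() or None
        if session.helo is None:
            return session.send("501 Syntax: EHLO hostname")
        # EHLO starts a fresh state (RFC 2821 section 4.1.4)
        session.mail_from, session.spf_result, session.rcpts = None, None, []
        return session.send(f"250-{LOCAL_DOMAIN} greets {session.helo}",
                            "250-8BITMIME", "250-SIZE", "250-DSN", "250 HELP")

    if verb == "MAIL":
        if session.helo is None:
            return session.send("503 Bad sequence of commands")
        m = ADDR_RE.search(arg)
        if not (arg.upper().startswith("FROM:") and m):
            return session.send("501 Syntax: MAIL FROM:<address>")
        session.mail_from = f"{m[1]}@{m[2]}"
        session.spf_result, session.rcpts = None, []
        return session.send("250 OK")

    if verb == "RCPT":
        if session.mail_from is None:
            return session.send("503 Bad sequence of commands")
        m = ADDR_RE.search(arg)
        if not (arg.upper().startswith("TO:") and m):
            return session.send("501 Syntax: RCPT TO:<address>")
        user, domain = m[1], m[2].lower()
        # Cheap local checks first: no DNS traffic is spent on junk recipients.
        if domain != LOCAL_DOMAIN:
            return session.send("550 Relaying denied")
        if user not in LOCAL_USERS:
            return session.send("550 No such user here")
        # Expensive check only once the recipient is known good, once per transaction.
        if session.spf_result is None:
            session.spf_result = spf(session.client_ip, session.helo, session.mail_from)
            session.spf_checks += 1
        if session.spf_result == "fail":
            return session.send("550 SPF check failed")
        session.rcpts.append(f"{user}@{domain}")
        return session.send("250 OK")

    if verb == "DATA":
        if not session.rcpts:
            return session.send("503 Bad sequence of commands")
        return session.send("354 End data with <CR><LF>.<CR><LF>")

    if verb == "QUIT":
        return session.send("221 Bye")

    return session.send("500 Command not recognized")


def run(lines: List[str], client_ip: str = "192.0.2.10",
        spf: Callable[[str, str, str], str] = default_spf) -> Session:
    """Drive a whole session: greeting, then each client line in order."""
    session = Session(client_ip)
    greet(session)
    for line in lines:
        handle(session, line, spf)
    return session


if __name__ == "__main__":
    s = run(THREAD_COMMANDS)
    print("\n".join(s.transcript))
    print(f"client bytes={s.client_bytes} server bytes={s.server_bytes} "
          f"spf checks={s.spf_checks}")
```

Feeding the thread's three lines through run() shows the SPF step running exactly once, after the recipient has already passed the local checks; sending RCPT TO before MAIL FROM, or naming an unknown local user, is rejected without the SPF step ever running. An injected spf callable returning "fail" shows the recipient being refused on the same RCPT line.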

