Re: Re: DNS load research

Radu Hociung wrote:
> Leonard Mills wrote:
>
> > At about  Thu, 24 Mar 2005 16:01:16 -0500 (21:01 UTC)
> > Radu Hociung <radu(_at_)ohmi(_dot_)org> wrote:
> >
> >
> > > The packet I used is (smaller than 60). Since your ISP fixed their 
> > > SPF record, it generates much less DNS traffic:
> > > ehlo u
> > > mail from: <b(_at_)pobox(_dot_)com>
> > > rcpt to: <radu(_at_)ohmi(_dot_)org>
> >
> >
> > I would strongly suspect that most professionally-managed MTAs
> > would kill that connection.  Not waiting for the server response
> > is rather strong spam sign. A hobbyist system might want to
> > accept that kind of connection.  ymmv.  With recent versions of
> > sendmail refer to documentation on Local_greet_pause and
> > FEATURE(`greet_pause')
>
> You may be correct. There are also a lot of unprofessionally-managed 
> MTAs, as well as older versions.
> However, I suspect that some of the higher volume MTAs, like Hotmail or 
> yahoo, cannot afford delays like that. But that is only a suspicion.
> I would love to see a more realistic statistic of what's out there and 
> what is the worst it can get.
I just checked, and it appears that aol and yahoo do drop the connection 
as you predicted, but the following accept it:
hotmail.com
pobox.com
outblaze.com (large mail outsourcing service)
mail.global.bigfish.com (large mail outsourcing service)

I changed "ehlo u" to "ehlo hello.com" because some were rejecting it.

At a cursory look, it appears that some like it, some don't. Even if 
relatively few like it, it could still get pretty ugly.
The second amplifier factor, the "Time amplifier" is a function of how 
many SMTP sessions a virus can start per second. If it uses multiple 
threads, each thread waiting for a second after the hello, it will still 
use about the same bandwidth, but quite a bit more memory, since it has 
to maintain the open connections.
It still remains a question of how many proper SMTP sessions it can do 
per second.
Radu.