> >  And qmail will send 26 individual bounce messages, one for each
> > nonexistent recipient at bar.com, back to our victim at foo.com.
> 
> Where did you get this nonsense from? Please go ahead and test; 
> qmail will return only ONE bounce message specifying all 26 
> addresses. (I have tried, just now. Why haven't you?)

        I did test, and it IS true with qmail forwarding in to an internal
mail store from the DMZ.  I did not test where the qmail box is the final
delivery box, relay or no, because I'm not set up for that here.  If it'll
make you happy, though...

<clickety click>

        Yup.  If you have one qmail box forwarding to a second qmail box
which is the mail store, you get this amplification.

> The only way for this attack to work is to talk to qmail on a 
> secondary MX (and have primary MX generate 26 distinct 
> bounces), but then the effect of the mailbomb is probably 
> diminished by the (allegedly) poor line between secondary and 
> primary (why would you care about secondary, otherwise?).

        Lots of other reasons.

        1) Many sites will have a relay machine in the DMZ which talks with
Internet hosts, and an internal mail store that only talks to the relay
machine.  It's a pretty standard firewall layout.  It improves security and
performance.

        2) Some sites will have 1+n mail relays in the DMZ, so that a hard
drive failure won't knock mail out, and so that maintenance and upgrades are
non-disruptive.

        3) Some sites have multiple high-bandwidth lines, and will have mail
relays at various sites.  Think co-lo.  If you're paying through the nose to
have your web servers at a hardened high-availability installation, why
wouldn't you throw a secondary or tertiary MX out there for redundancy?  In
such a case, the bandwidth on your secondary is BETTER than on your primary.

        This attack doesn't work if you have a single mail server which is
your mail store and your primary internet SMTP conduit.  I'd run something
like that at home, but not at work.  Of course, I'm a little funny when it
comes to redundancy; I prefer having it over not having it.
 
> >  I think ORBS is worrying too much, but that's just me.
> 
> Yeah, sure. I mean, there is lot of other DoSes possible. Why 
> would you care about too-many-emails? Is your computer really 
> secured against any DoS possible (including DDoS), except 
> mailbombing?

        The big thing with this DOS is the multiplication.  If you enter 100
bogus recipients at a total traffic of <1k, and enter one data component
equaling 1 meg, then at the cost of 1meg+1k you have created an attack
equaling 100 meg of data.  DOS attacks in general usually focus more on
"many tiny packets," because they're harder to block.  This attack creates
less, but larger, packets, and from less sources - which makes it easier to
block, which makes it less useful as a DOS, which is why I think ORBS is
worrying too much.

-- 
        gowen -- Greg Owen -- [EMAIL PROTECTED]
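A small model of the two-hop amplification Greg describes, added here as an example; it is not qmail code and not part of the thread. It assumes a DMZ relay that accepts every RCPT TO and forwards to an internal store that is the only host knowing which mailboxes exist, and models the per-recipient bounce behaviour the post reports. The hostnames, mailbox names, the 100 bogus recipients and the 1 MiB body are all constructed. The second scenario shows the mitigation a practitioner wants: give the edge relay the recipient list so bad addresses are refused with a 550 inside the attacker's own SMTP session, before any message body has been accepted, so nothing is left to bounce.

```python
"""Bounce-amplification model for an edge relay plus internal mail store.

Added example, not code from the original post or from qmail. Every name
and size below is an assumption chosen to illustrate the mechanism.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Message:
    sender: str            # envelope sender: where any bounces will go
    recipients: List[str]
    body: bytes


@dataclass
class Bounce:
    to: str
    failed_recipient: str
    size: int              # a bounce carries the original message back


class MailStore:
    """Internal host that actually knows which mailboxes exist."""

    def __init__(self, mailboxes: List[str]):
        self.mailboxes: Set[str] = set(mailboxes)

    def deliver(self, rcpt: str, body: bytes) -> bool:
        return rcpt in self.mailboxes


class EdgeRelay:
    """DMZ relay. Without a recipient list it must accept every RCPT TO and
    only learns about bad recipients when the store rejects them later."""

    def __init__(self, store: MailStore, known_recipients: Optional[List[str]] = None):
        self.store = store
        self.known = None if known_recipients is None else set(known_recipients)
        self.bounces: List[Bounce] = []
        self.bytes_to_sender = 0

    def smtp_session(self, msg: Message):
        """Returns (recipients accepted, recipients refused at RCPT TO)."""
        accepted, refused = [], []
        for r in msg.recipients:
            if self.known is not None and r not in self.known:
                refused.append(r)        # 550 in-session: attacker pays, no bounce
            else:
                accepted.append(r)
        if accepted:
            self._forward(msg, accepted)
        return accepted, refused

    def _forward(self, msg: Message, rcpts: List[str]) -> None:
        for r in rcpts:
            if not self.store.deliver(r, msg.body):
                # Body already accepted from the Internet; the only remaining
                # option is a bounce to the envelope sender, one per recipient
                # in this model, each carrying the full original message.
                self.bounces.append(Bounce(msg.sender, r, len(msg.body)))
                self.bytes_to_sender += len(msg.body)


# Constructed scenario data (assumptions, not from the thread).
BOGUS = [f"user{i}@bar.com" for i in range(100)]   # no such mailboxes
REAL = ["alice@bar.com", "bob@bar.com"]            # the store's real mailboxes
BODY = b"x" * (1 << 20)                             # 1 MiB payload


def run_scenario(validate_at_edge: bool) -> dict:
    """Run one mailbomb attempt; returns the attacker's and the victim's bill."""
    store = MailStore(REAL)
    relay = EdgeRelay(store, known_recipients=REAL if validate_at_edge else None)
    msg = Message("victim@foo.com", BOGUS, BODY)
    _accepted, refused = relay.smtp_session(msg)
    # What the attacker sends: one body plus one RCPT TO line per recipient.
    attacker_bytes = len(BODY) + sum(len(f"RCPT TO:<{r}>\r\n") for r in msg.recipients)
    return {
        "refused_at_rcpt": len(refused),
        "bounces": len(relay.bounces),
        "bytes_to_victim": relay.bytes_to_sender,
        "attacker_bytes": attacker_bytes,
        "amplification": relay.bytes_to_sender / attacker_bytes,
    }


if __name__ == "__main__":
    for edge in (False, True):
        print("recipient validation at relay:", edge, run_scenario(edge))
```

Run it and the first line shows 100 bounces and about 100 MiB headed to victim@foo.com for roughly 1 MiB of attacker traffic; the second shows 100 refusals at RCPT TO and nothing sent to the victim. The ratio is the recipient count, which is why the amplification only exists when the host that accepts the DATA is not the host that knows the mailboxes.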
