[jira] [Commented] (JAMES-1427) DoS scenario(s) in SMTP server

Mon, 23 Jul 2012 07:33:43 -0700 

    [ 
https://issues.apache.org/jira/browse/JAMES-1427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420677#comment-13420677
 ] 

Stefano Bagnara commented on JAMES-1427:
----------------------------------------

+1 for A and B
I don't like too much C because this way the client is not "aware" of the real 
error and is going to get it as a temporary network error and retry. Instead if 
you let it send the whole file and at the end you give it a permanent error it 
will stop trying. So it is better to receive and /dev/null 100MB once than 
receive 10 MB and disconnect for a dozen attempts in 5 days.

                
> DoS scenario(s) in SMTP server
> ------------------------------
>
>                 Key: JAMES-1427
>                 URL: https://issues.apache.org/jira/browse/JAMES-1427
>             Project: JAMES Server
>          Issue Type: Bug
>          Components: SMTPServer
>    Affects Versions: 3.0-beta3
>            Reporter: Andrzej Rusin
>
> 1. SMTP server allows unlimited number of invalid commands, which may waste 
> network bandwidth.
> 2. The invalid commands go straight to the logs with level INFO, which can 
> easily fill up the server disk.
> Additionally:
> 3. After the max message size is reached, the SMTP server denies the message, 
> but client keeps sending, which makes the remaining part of the message go 
> straight to the log because of 2.
> Ideas to fix:
> A. Do not log more than N invalid commands per connection - solve 2,
> B. Drop connection after Nth (consecutive?) invalid command - solve 1 and 2,
> C. (This one is questionable) Drop the connection after max message size is 
> reached - solve 3

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Reply via email to