Joe Rhett writes:

> If your systems are so badly configured that a mail bomb attack denies
> your users access, then you don't qualify as a "responsible ISP"
> yourself. In fact, you qualify under both "naive" and "intensely
> stupid".

Wow, thanks for clarifying that for me! And I had always thought
the mail bombs were the problem ...

If you think you can set the Ob class in sendmail.cf to block
large amounts of incoming mail, you are wrong -- sendmail is
stupid enough to eat the entire thing before applying the size
rule, which bounces it to postmaster, leaving it on your server.
This is just what a mail bomber wants it to do. You can use
something other than sendmail, but you give up a huge amount
of flexibility to a small amount of additional security.

Sure, you can install filters in your routers to block access, but
you need to know you are under attack before you can take action.
If the attack comes at 2:00 am and you are asleep at the switch,
your /var partition will fill up before you will know what happened.
Most folks don't put quotas on root or support, so if the flood
comes to those accounts, you are screwed. It won't bring your
server down, but it will make your customers unhappy while mail
is blocked and disk space is exhausted.

Once you know you have a problem, you can check your mail log,
look for the source, and filter it. If the source is aol.com,
you have a bigger problem on your hands because 1) they don't
have a NOC you can talk to [you can sit on hold waiting for a
tech support person], and 2) all other mail to/from AOL will be
blocked at the same time [which WILL make your customers unhappy].
Not to mention the fact that AOL uses several mail servers, and you
will need to filter all of them to get the attack to stop. The
same goes for most of the national Internet providers.

Just so you are in the loop, we use a network tool called NOCOL that
monitors all of our systems and ports. One of our NOCOL monitors
evaluates disk space on each system (I wrote it) -- we placed the disk
monitor in the public domain and made it available on our system
at ftp://ftp.us.net/pub/unix/monitors/nocol-usnet/diskmon. We
also have code for a simple system to drive numeric pagers from
a BSDI server running NOCOL (you can get it from the same directory).
As a result, they never fill our /var partition on either of our mail
servers before the monitor alerts us (and we have a 50 MB cushion on
each server after the monitor is triggered). We also have written
procedures for our 22 employees to follow in the event of an attack,
and we have had the opportunity to place those procedures in action
more than once, so we know they work.

Of course, you won't need our software -- it's only for the other
naive and intensely stupid ISPs out there that think mail bombing
is a bad idea ... ;->

> I don't agree with mailbombing, but it sounds like you are ripping your
> clients off, since you obviously don't know how to configure a system.

If you don't agree with mail bombing, then why did you suggest it
as a solution to mail spam on this list? And if your suggestion is
supposed to be a "joke", why do you feel that ISPs that don't like
dealing with mail bombing are naive and intensely stupid? And how
do you make the leap that everyone that disagrees with your opinions
is ripping their clients off and does not know how to configure
a system? Hello?

Joe Rhett, you are out of line and I think you owe everyone on
this list a big apology. Responding to mail spam with mail bombing
is a bad idea Joe, and any way you try to spin it, it is still a bad
idea.

Dave Stoddard
US Net Incorporated
dgs@us.net
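A small log-triage script for the step described in the message above (check the mail log, find the source, and remember that a large provider sends through several mail servers), added here as an example; it is not part of the original post nor of NOCOL. The maillog lines are constructed and the relay hostnames and addresses are placeholders.

```python
"""Rank relay hosts and their parent domains by bytes accepted, from sendmail maillog lines."""
import re
from collections import defaultdict

# Constructed sample maillog (not real traffic); hosts and addresses are placeholders.
SAMPLE_LOG = """\
Jan 12 02:01:10 mx sendmail[411]: CAA00411: from=<a@example.net>, size=1048576, class=0, nrcpts=1, relay=mx1.example.net [192.0.2.10]
Jan 12 02:01:12 mx sendmail[412]: CAA00412: from=<a@example.net>, size=1048576, class=0, nrcpts=1, relay=mx1.example.net [192.0.2.10]
Jan 12 02:01:15 mx sendmail[413]: CAA00413: from=<b@example.net>, size=1048576, class=0, nrcpts=1, relay=mx2.example.net [192.0.2.11]
Jan 12 02:01:20 mx sendmail[414]: CAA00414: from=<c@example.org>, size=2048, class=0, nrcpts=1, relay=smtp.example.org [198.51.100.7]
Jan 12 02:01:21 mx sendmail[415]: CAA00415: to=<root@mx>, delay=00:00:01, stat=Sent
"""

# Only the "from=" line of each message carries the size and the sending relay.
FROM_RE = re.compile(r"from=<[^>]*>, size=(\d+),.*relay=(\S+)")


def bytes_by_relay(log_text):
    """Sum accepted message bytes per relay host."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            totals[m.group(2)] += int(m.group(1))
    return dict(totals)


def bytes_by_domain(log_text):
    """Sum per parent domain, so a sender spread over mx1, mx2, ... is seen as one source."""
    totals = defaultdict(int)
    for host, nbytes in bytes_by_relay(log_text).items():
        labels = host.split(".")
        domain = ".".join(labels[1:]) if len(labels) > 2 else host
        totals[domain] += nbytes
    return dict(totals)


def flag_sources(totals, limit_bytes):
    """Return the keys of `totals` that exceed limit_bytes, largest first."""
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return [name for name, nbytes in ranked if nbytes > limit_bytes]


if __name__ == "__main__":
    limit = 2 * 1024 * 1024  # constructed alert threshold: 2 MB per source
    print("hosts over limit:  ", flag_sources(bytes_by_relay(SAMPLE_LOG), limit))
    print("domains over limit:", flag_sources(bytes_by_domain(SAMPLE_LOG), limit))
```

With the 2 MB threshold no single relay trips the alert, but the parent domain does, which is the case the message makes about providers with several mail servers.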