Wake Up! (was: spamspamspam)

Joe Rhett writes:

If your systems are so badly configured that a mail bomb attack denies
your users access, then you don't qualify as a "responsible ISP"
yourself. In fact, you qualify under both "naive" and "intensely

  Wow, thanks for clarifying that for me! And I had always thought
  the mail bombs were the problem ...

  If you think you can set the Ob class in sendmail.cf to block
  large amounts of incoming mail, you are wrong -- sendmail is
  stupid enough to eat the entire thing before applying the size
  rule, which bounces it to postmaster, leaving it on your server.
  This is just what a mail bomber wants it to do. You can use
  something other than sendmail, but you give up a huge amount
  of flexibility to a small amount of additional security.

  Sure, you can install filters in your routers to block access, but
  you need to know you are under attack before you can take action.
  If the attack comes at 2:00 am and you are asleep at the switch,
  your /var partition will fill up before you will know what happened.
  Most folks don't put quotas on root or support, so if the flood
  comes to those accounts, you are screwed. It won't bring your
  server down, but it will make your customers unhappy while mail
  is blocked and disk space is exhausted.

  Once you know you have a problem, you can check your mail log,
  look for the source, and filter it. If the source is aol.com,
  you have a bigger problem on your hands because 1) they don't
  have a NOC you can talk to [you can sit on hold waiting for a
  tech support person], and 2) all other mail to/from AOL will be
  blocked at the same time [which WILL make your customers unhappy].
  Not to mention the fact that AOL uses several mail servers, and you
  will need to filter all of them to get the attack to stop. The
  same goes for most of the national Internet providers.

  Just so you are in the loop, we use a network tool called NOCOL that
  monitors all of our systems and ports. One of our NOCOL monitors
  evaluates disk space on each system (I wrote it) -- we placed the disk
  monitor in the public domain and made it available on our system
  at ftp://ftp.us.net/pub/unix/monitors/nocol-usnet/diskmon. We
  also have code for a simple system to drive numeric pagers from
  a BSDI server running NOCOL (you can get it from the same directory).
  As a result, they never fill our /var partition on either of our mail
  servers before the monitor alerts us (and we have a 50 MB cushion on
  each server after the monitor is triggered). We also have written
  procedures for our 22 employees to follow in the event of an attack,
  and we have had the opportunity to place those procedures in action
  more than once, so we know they work.

  Of course, you won't need our software -- it's only for the other
  naive and intensely stupid ISPs out there that think mail bombing
  is a bad idea ... ;->

I don't agree with mailbombing, but it sounds like you are ripping your
clients off, since you obviously don't know to configure a system.

  If you don't agree with mail bombing, then why did you suggest it
  as a solution to mail spam on this list? And if your suggestion is
  supposed to be a "joke", why do you feel that ISPs that don't like
  dealing with mail bombing are naive and intensely stupid? And how
  do you make the leap that everyone that disagrees with your opinions
  is ripping their clients off and does not know how to configure
  a system? Hello?

  Joe Rhett, you are out of line and I think you owe everyone on
  this list a big apology. Responding to mail spam with mail bombing
  is a bad idea Joe, and any way you try to spin it, it is still a bad

  Dave Stoddard
  US Net Incorporated
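
An added example, not part of the original message and not US Net's diskmon code: one way to script the two checks the message describes, finding the flood source in the mail log (counting a provider's several mail servers together) and testing the spool partition against a free-space cushion. The log layout follows sendmail's usual syslog `from=` lines; the sample lines, function names and the use of 50 MB as the alert threshold are assumptions.

```python
import re
import shutil
from collections import defaultdict

# Constructed sample in sendmail's syslog style; hosts and sizes are made up.
SAMPLE_LOG = """\
Mar  3 02:00:01 mail sendmail[411]: CAA00411: from=<a@flood.example>, size=2097152, nrcpts=1, proto=SMTP, relay=mx1.flood.example [192.0.2.10]
Mar  3 02:00:02 mail sendmail[412]: CAA00411: to=<root@isp.example>, delay=00:00:01, mailer=local, stat=Sent
Mar  3 02:00:03 mail sendmail[413]: CAA00413: from=<b@flood.example>, size=2097152, nrcpts=1, proto=SMTP, relay=mx2.flood.example [192.0.2.11]
Mar  3 02:00:05 mail sendmail[415]: CAA00415: from=<a@flood.example>, size=2097152, nrcpts=1, proto=SMTP, relay=mx1.flood.example [192.0.2.10]
Mar  3 02:00:09 mail sendmail[419]: CAA00419: from=<c@customer.example>, size=4096, nrcpts=1, proto=SMTP, relay=mail.customer.example [198.51.100.7]
"""

FROM_LINE = re.compile(r"sendmail\[\d+\]: \w+: from=.*?size=(\d+).*?relay=(\S+)")


def flood_sources(log_text, min_bytes):
    """Group accepted mail by the relay's parent domain and return the
    domains whose total volume is at least min_bytes, largest first, as
    (domain, messages, bytes, relay_hosts)."""
    stats = defaultdict(lambda: [0, 0, set()])
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if not m:
            continue  # "to=" delivery lines and output from other daemons
        size, relay = int(m.group(1)), m.group(2).split("@")[-1].lower()
        # Simplification (assumption): the last two labels are the provider
        # domain, so several mail servers of one provider count together.
        domain = ".".join(relay.rstrip(".").split(".")[-2:])
        entry = stats[domain]
        entry[0] += 1
        entry[1] += size
        entry[2].add(relay)
    hits = [(d, n, b, sorted(h)) for d, (n, b, h) in stats.items() if b >= min_bytes]
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


def spool_below_cushion(path, cushion_bytes=50 * 1024 * 1024):
    """True when free space on the partition holding path is under the cushion."""
    return shutil.disk_usage(path).free < cushion_bytes


if __name__ == "__main__":
    for domain, count, total, hosts in flood_sources(SAMPLE_LOG, 4 * 1024 * 1024):
        print(f"{domain}: {count} msgs, {total} bytes via {', '.join(hosts)}")
    print("spool low:", spool_below_cushion("/"))
```

The relay host list in each result is the set of servers a filter would have to cover for that provider.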