Wake Up! (was: spamspamspam)

David Stoddard dgs at us.net
Wed Nov 13 18:54:52 UTC 1996


Joe Rhett writes:
> If your systems are so badly configured that a mail bomb attack denies
> your users access, then you don't qualify as a "responsible ISP"
> yourself. In fact, you qualify under both "naive" and "intensely
> stupid".

	Wow, thanks for clarifying that for me!  And I had always thought
	the mail bombs were the problem ...

	If you think you can set the Ob class in sendmail.cf to block
	large amounts of incoming mail, you are wrong -- sendmail is
	stupid enough to eat the entire thing before applying the size
	rule, which bounces it to postmaster, leaving it on your server.
	This is just what a mail bomber wants it to do.  You can use
	something other than sendmail, but you give up a huge amount
	of flexibility to a small amount of additional security.

	Sure, you can install filters in your routers to block access, but
	you need to know you are under attack before you can take action.
	If the attack comes at 2:00 am and you are asleep at the switch,
	your /var partition will fill up before you will know what happened.
	Most folks don't put quotas on root or support, so if the flood 
	comes to those accounts, you are screwed.  It won't bring your
	server down, but it will make your customers unhappy while mail
	is blocked and disk space is exhausted.

	Once you know you have a problem, you can check your mail log,
	look for the source, and filter it.  If the source is aol.com,
	you have a bigger problem on your hands because 1) they don't
	have a NOC you can talk to [you can sit on hold waiting for a
	tech support person], and 2) all other mail to/from AOL will be
	blocked at the same time [which WILL make your customers unhappy].
	Not to mention the fact that AOL uses several mail servers, and you
	will need to filter all of them to get the attack to stop.  The
	same goes for most of the national Internet providers.

	Just so you are in the loop, we use a network tool called NOCOL that
	monitors all of our systems and ports.  One of our NOCOL monitors
	evaluates disk space on each system (I wrote it) -- we placed the disk
	monitor in the public domain and made it available on our system
	at ftp://ftp.us.net/pub/unix/monitors/nocol-usnet/diskmon.  We
	also have code for a simple system to drive numeric pagers from
	a BSDI server running NOCOL (you can get it from the same directory).
	As a result, they never fill our /var partition on either of our mail
	servers before the monitor alerts us (and we have a 50 MB cushion on
	each server after the monitor is triggered).  We also have written
	procedures for our 22 employees to follow in the event of an attack,
	and we have had the opportunity to place those procedures in action
	more than once, so we know they work.

	Of course, you won't need our software -- it's only for the other
	naive and intensely stupid ISPs out there that think mail bombing
	is a bad idea ...  ;->

> I don't agree with mailbombing, but it sounds like you are ripping your
> clients off, since you obviously don't know to configure a system.

	If you don't agree with mail bombing, then why did you suggest it
	as a solution to mail spam on this list?  And if your suggestion is
	supposed to be a "joke", why do you feel that ISPs that don't like
	dealing with mail bombing are naive and intensely stupid?  And how
	do you make the leap that everyone that disagrees with your opinions
	is ripping their clients off and does not know how to configure
	a system?  Hello?

	Joe Rhett, you are out of line and I think you owe everyone on
	this list a big apology.  Responding to mail spam with mail bombing
	is a bad idea Joe, and any way you try to spin it, it is still a bad
	idea.

	Dave Stoddard
	US Net Incorporated
	dgs at us.net
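
The "check your mail log, look for the source, and filter it" step from the message above, sketched as an added example (not part of the original post and not US Net's diskmon code). It assumes sendmail 8-style `from=` log lines; the sample log, the function names and the `byte_budget` threshold are constructed for illustration. Relays are grouped by sending domain because, as the post notes, a large provider uses several mail servers and all of them need filtering.

```python
import re
from collections import defaultdict

# Constructed log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 13 02:00:01 mail sendmail[811]: CAA00811: from=<a@bulk.example.net>, size=2097152, class=0, nrcpts=1, proto=SMTP, relay=mx1.bulk.example.net [192.0.2.10]
Nov 13 02:00:05 mail sendmail[815]: CAA00811: to=<root@mail.example.com>, delay=00:00:04, mailer=local, stat=Sent
Nov 13 02:00:09 mail sendmail[820]: CAA00820: from=<a@bulk.example.net>, size=2097152, class=0, nrcpts=1, proto=SMTP, relay=mx2.bulk.example.net [192.0.2.11]
Nov 13 02:00:12 mail sendmail[822]: CAA00822: from=<b@other.example.org>, size=4096, class=0, nrcpts=1, proto=SMTP, relay=mail.other.example.org [198.51.100.3]
Nov 13 02:00:15 mail sendmail[825]: CAA00825: from=<a@bulk.example.net>, size=2097152, class=0, nrcpts=1, proto=SMTP, relay=mx1.bulk.example.net [192.0.2.10]
Nov 13 02:00:20 mail sendmail[830]: CAA00830: from=<c@nowhere.example>, size=1024, class=0, nrcpts=1, proto=SMTP, relay=[198.51.100.7]
"""

# Matches message-acceptance lines; relay is "host [ip]", "[ip]" or a local name.
LINE_RE = re.compile(
    r"sendmail\[\d+\]: \w+: from=[^,]*, size=(?P<size>\d+),"
    r".*\brelay=(?P<host>[^\s\[]*)\s*(?:\[(?P<ip>[\d.]+)\])?"
)

def relay_domain(host):
    """Naive grouping key: the last two DNS labels of the relay host name."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def flood_sources(log_lines, byte_budget):
    """Return per-domain totals for sources that sent more than byte_budget bytes."""
    stats = defaultdict(lambda: {"msgs": 0, "bytes": 0, "relays": set()})
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # delivery ("to=") lines and other daemons are skipped
        # Relays without reverse DNS are logged as "[ip]" only; key on the IP.
        key = relay_domain(m["host"]) if m["host"] else m["ip"]
        entry = stats[key]
        entry["msgs"] += 1
        entry["bytes"] += int(m["size"])
        entry["relays"].add(m["ip"] or m["host"])  # addresses to filter
    return {d: s for d, s in stats.items() if s["bytes"] > byte_budget}

if __name__ == "__main__":
    # Hypothetical budget: 5 MB, well inside a 50 MB free-space cushion.
    for domain, s in flood_sources(SAMPLE_LOG.splitlines(), 5 * 1024 * 1024).items():
        print(domain, s["msgs"], "msgs", s["bytes"], "bytes", sorted(s["relays"]))
```

Run from the disk monitor's alert handler, this lists every relay address of the offending domain in one pass, which is the set a router or mail filter would need to cover.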




