[wplug] users sending to wrong email address

Bill Moran wmoran at potentialtech.com
Thu Jan 3 22:20:36 EST 2008


Alexandros Papadopoulos <apapadop at alumni.cmu.edu> wrote:
>
> On Thursday 03 January 2008 20:12, Christopher DeMarco wrote:
> <snip>
> > to timeout.  I guess that one reason for silently dropping
> > connections, though, is to cost attackers time in portscanning.  It's
> > a teergrube.
> 
> ...which is a risk/cost worth taking. Slowing down illegitimate network 
> traffic is the only first-responder action every node should perform and 
> makes the life of legit connections marginally harder.

It's not marginal.  Sure, if you just measure the actual CPU cycles used, 
it looks that way.  But what software runs without limits?  If sendmail is
tied up waiting for connections to time out, then there are other mails
in the queue that are waiting behind that timing out connection to be
delivered.  If you RST that connection so it can close immediately, the
queue will process more efficiently and you'll need less horsepower to
handle the outgoing traffic.  Yes, in big companies (like ISPs) this is
a measurable expense.

> The CPU hours wasted on nonexistent sockets are a very small price to pay for 
> a few more minutes of Internet survivability against a flash worm.

Again.  Sure, if that were the only way to accomplish that survivability.
But it's not.  You even mention an excellent tool for reducing the need
for such foolish network configurations in your next sentence:

> See LaBrea for an excellent piece of code that does just that - slows things 
> down :-)

There's also spamd and pf, and probably a slew of commercial products
that have some real logic to their tarpitting, as opposed to tarpitting
every innocent daemon that tries to establish a legitimate connection.

Keep in mind that this is only half of the OP's problem.  The other half
is that the domain causing the trouble doesn't have a properly set up
MX, which means outgoing mail defaults to using the A record, so mail
delivery is trying to proceed with a server that isn't set up to do that.

-- 
Bill Moran
http://www.potentialtech.com
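The implicit-MX fallback described in the last paragraph (no MX record, so the sender falls back to the domain's A record) as an added Python example; this is not code from the thread, the resolver answers are constructed, and the null-MX case from RFC 7505 is included as a generalization beyond what the post covers.

```python
# Mail-routing target selection per RFC 5321 section 5.1: MX records sorted by
# preference, or the A record when the domain has no MX at all (the "implicit
# MX" fallback that sends the OP's mail to a host not running SMTP).
# Added example; the DNS answers below are constructed, not real lookups.

NULL_MX = "."  # RFC 7505: a single "MX 0 ." means the domain accepts no mail


def mail_targets(domain, dns):
    """Return the hosts an MTA would try for `domain`, in order.

    `dns` is a dict {qname: {"MX": [(pref, host), ...], "A": [ip, ...]}}
    standing in for resolver answers. The result flags implicit-MX
    fallback so an operator can spot domains that will misroute mail.
    """
    answer = dns.get(domain, {})
    mx = answer.get("MX", [])
    if mx:
        if len(mx) == 1 and mx[0][1] == NULL_MX:
            return {"hosts": [], "fallback": False, "null_mx": True}
        # Lowest preference value is tried first; sorted() is stable for ties.
        hosts = [host for _pref, host in sorted(mx, key=lambda r: r[0])]
        return {"hosts": hosts, "fallback": False, "null_mx": False}
    if answer.get("A"):
        # No MX at all: RFC 5321 treats the domain as an MX with preference 0.
        # This is the OP's case: delivery lands on a host never set up for SMTP.
        return {"hosts": [domain], "fallback": True, "null_mx": False}
    return {"hosts": [], "fallback": False, "null_mx": False}


def flag_implicit_mx(domains, dns):
    """Report domains whose mail would be delivered via A-record fallback."""
    return [d for d in domains if mail_targets(d, dns)["fallback"]]


# Constructed resolver answers for the example run.
SAMPLE_DNS = {
    "good.example": {"MX": [(20, "mx2.good.example"), (10, "mx1.good.example")],
                     "A": ["192.0.2.10"]},
    "web-only.example": {"A": ["192.0.2.20"]},  # the OP's situation
    "no-mail.example": {"MX": [(0, ".")]},
    "unresolvable.example": {},
}

if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(name, mail_targets(name, SAMPLE_DNS))
    print("implicit-MX fallback:", flag_implicit_mx(SAMPLE_DNS, SAMPLE_DNS))
```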