
press: The Joe Job DoS attack



http://www.theregister.co.uk/2004/04/06/joejoe_dos_attack/

By John Leyden
Published Tuesday 6th April 2004 17:30 GMT

A problem with the way that non-delivery notifications are sent by many
mail servers could be exploited to launch "mail bomb" denial of service
attacks.

Incorrectly configured mail servers may respond to mail delivery failure
with as many non-delivery reports as there are undeliverable cc: and
bcc: addresses contained in the original email. By forging the source of
an email, hackers could bombard systems with spurious emails.

[...]

Developers and mail administrators are urged to secure their SMTP mail
services, as explained here (PDF). The fix is simple enough: don't send
the attachment part of the non-delivery receipt, and send one email in
response to every mail failure, rather than one for every intended
recipient.
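
The fix described above, sketched as an added example (not code from the article or the linked advisory): one RFC 3464 delivery report per failed message that lists every undeliverable recipient and returns only the original headers, never the body or attachment. The host name, addresses, status code 5.1.1 and all function names are assumptions, and the sample message is constructed.

```python
from email import message_from_bytes
from email.message import EmailMessage, Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

REPORTING_MTA = "mx.example.net"  # assumption: placeholder host name

def build_single_ndr(original: bytes, failed: list[str]) -> bytes:
    """Return ONE report covering every failed recipient of one message."""
    orig = message_from_bytes(original)
    ndr = MIMEMultipart("report", report_type="delivery-status")
    ndr["From"] = f"MAILER-DAEMON@{REPORTING_MTA}"
    # Assumption: a real MTA replies to the SMTP envelope sender; the sample has only From.
    ndr["To"] = orig.get("Return-Path", orig.get("From", ""))
    ndr["Subject"] = "Undelivered mail returned to sender"
    ndr.attach(MIMEText("Delivery failed for:\n" + "\n".join(failed) + "\n"))
    # Machine-readable status: one block per recipient, all inside the same report.
    status = MIMEBase("message", "delivery-status")
    per_message = Message()
    per_message["Reporting-MTA"] = f"dns; {REPORTING_MTA}"
    status.attach(per_message)
    for rcpt in failed:
        block = Message()
        block["Final-Recipient"] = f"rfc822; {rcpt}"
        block["Action"] = "failed"
        block["Status"] = "5.1.1"  # sample code: bad destination mailbox address
        status.attach(block)
    ndr.attach(status)
    # Original headers only; the body and attachments are never echoed back.
    headers = "".join(f"{k}: {v}\n" for k, v in orig.items())
    ndr.attach(MIMEText(headers, "rfc822-headers"))
    return ndr.as_bytes()

def naive_ndr_bytes(original: bytes, failed: list[str]) -> int:
    """Lower bound for the flawed behaviour: one full copy returned per recipient."""
    return len(failed) * len(original)

def sample_message(n_rcpts: int, attachment_size: int) -> tuple[bytes, list[str]]:
    """Constructed input: forged sender, n unknown recipients, one attachment."""
    rcpts = [f"nobody{i}@example.net" for i in range(n_rcpts)]
    msg = EmailMessage()
    msg["From"] = "victim@example.org"  # forged source, as in the article
    msg["To"] = rcpts[0]
    msg["Cc"] = ", ".join(rcpts[1:])
    msg.set_content("body")
    msg.add_attachment(b"A" * attachment_size, maintype="application",
                       subtype="octet-stream", filename="blob.bin")
    return msg.as_bytes(), rcpts
```

With 20 unknown recipients and a 100 kB attachment, the single report is smaller than the message that triggered it, while the per-recipient behaviour returns at least 20 full copies to the forged sender.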
