[Mimedefang] Deadline for SPF records *long w/morbid horoscope*

[Jeff Rife]

On 13 Aug 2004 at 8:41, Steffen Kaiser wrote:

> > It's an optional part of SMTP that doesn't have to be supported, and
> > does have some security issues.
> 
> Which ones?
> It simply triggers a queue run filtering mail for a target server.

Depending on the ability of your sendmail installation to determine 
spoofed connections, it *can* result in a DoS type of behavior.

Based on the "MinQueueAge" and "Timeout.hoststatus" in sendmail.cf, 
it's possible to use a spoofing system to keep e-mail from getting to 
the right place in a timely fashion.  Basically, you spoof to start the 
queue run and the server tries to send to the unconnected system.  This 
generates a "touch" of the queue and a refresh of the host status 
directory (to failure).

When the *real* place connects up to the Internet and calls to execute 
the ETRN, nothing gets sent because things had been tried sooner than 
the timeouts.  The system hangs up off the Internet assuming that there 
is no mail.  This could in theory go on long enough to result in a "non-
deliverable" e-mail.


--
Jeff Rife        | "You keep using that word.  I do not think it 
SPAM bait:       |  means what you think it means." 
AskDOJ at usdoj.gov |  
spam at ftc.gov     |         -- Inigo Montoya, "The Princess Bride"