[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: spam closes Debian bugs!



On Mon, Mar 15, 2004 at 04:13:44PM +0100, Florian Weimer wrote:
> Wouter Verhelst wrote:
> > On Mon, Mar 15, 2004 at 03:44:00PM +0100, Florian Weimer wrote:
> > > Wouter Verhelst wrote:
> > > > So, you would like to see our mailservers DoSed because they need to
> > > > throw CPU power at anything that vaguely resembles a PGP signature?
> > > 
> > > All SMTP servers are an easy DoS target because of the large command
> > > timeouts.
> > 
> > That's a reason to make the situation worse?
> 
> I just wanted to put things into perspective.  If there's a real benefit
> if signatures are verified and it's implementable with the available
> resources, then go for it.  I don't think the DoS risk is a showstopper.

I think it is. It's trivial to create a mail message that vaguely looks
like a PGP-signed message, and send out spam that way. There's no way to
check whether a message has a valid PGP signature except for running gpg
or pgp, which is much more CPU-intensive than adding a random text that
has the look of a PGP signature. Implementing this is equal to creating
a *very* easy DoS attack vector.

-- 
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
  -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.

Attachment: signature.asc
Description: Digital signature


Reply to: