
Re: spam closes Debian bugs!

Wouter Verhelst wrote:

> > I just wanted to put things into perspective.  If there's a real benefit
> > if signatures are verified and it's implementable with the available
> > resources, then go for it.  I don't think the DoS risk is a showstopper.
> I think it is. It's trivial to create a mail message that vaguely looks
> like a PGP-signed message, and send out spam that way. There's no way to
> check whether a message has a valid PGP signature except for running gpg
> or pgp, which is much more CPU-intensive than adding a random text that
> has the look of a PGP signature. Implementing this is equal to creating
> a *very* easy DoS attack vector.

It's also very easy to write a Perl script that can DoS almost any SMTP
server on this planet.

Most potential DoS attacks just don't happen, and those that do happen
have a pretty clear motive.  Why should anyone want to DoS the BTS by
sending invalid mail messages?  It wouldn't stop the web server, so
it's not something to brag about among your peers because it's hardly
visible to the outside.

It's far more likely that some lunatic manipulates bug metadata
or adds offensive messages or reports to the BTS.

Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, freenet.de, hotmail.com,
libero.it, netscape.net, postino.it, tiscali.co.uk, tiscali.cz,
tiscali.it, voila.fr, wanadoo.fr, yahoo.com.
