-----Original Message-----
From: Mariano Absatz [mailto:el.baby@gmail.com]
Sent: Thursday, July 29, 2004 9:41 AM
To: SURBL discussion list; SpamAssassin users list
Subject: SURBL DoS possible?
I was wondering...
I didn't look at the source code for the SpamCopURI or the SA 3.0 plugin but I guess it just looks for URIs within the messages and issues a DNS query to the configured SURBLs for every different canonicalized domain name... is it?
What would happen if a spammer intentionally starts putting hundreds of different invisible random URIs within the message trying to DoS SURBL?
Do the SA plugins check for this condition? Or have a limit as to how many SURBL queries they will issue for a given message?
TIA
It picks a random sample of URLs. This was one of the main concerns when we started talking about this feature. We're always one step ahead of Mr. Spammy ;)
--Chris
On Thu, 2004-07-29 at 09:35, Chris Santerre wrote:
Mariano Absatz sez:
What would happen if a spammer intentionally starts putting hundreds of different invisible random URIs within the message trying to DoS SURBL?
It picks a random sample of URLs.
Suggestion for the SURBL Ninjas: you might want to skew the selection a bit toward checking longer domain names. Shorter domain names are probably more likely to be legitimate and less likely to contain random poison subdomains.
e.g. "ideologue.adulterously.coordaut.com" vs. "djn.org", "djn.com", etc.
'course, it's just as easy to fake long domain names as it is to fake short domain names.
--
John Hardin KA7OHZ johnh@aproposretail.com
Internal Systems Administrator voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
-----------------------------------------------------------------------
If you smash a computer to bits with a mallet, that appears to count
as encryption in the state of Nevada. - CRYPTO-GRAM 12/2001
-----------------------------------------------------------------------
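
The capped random sampling discussed in this thread, sketched as an added example; it is not code from SpamAssassin or SpamCopURI and not part of the original messages. The cap of 20, the URL regex, the two-label domain reduction and all function names are assumptions made for illustration.

```python
import random
import re

MAX_LOOKUPS = 20  # assumed per-message cap, not a SpamAssassin default

# Assumed, simplified URL matcher: captures only the host part.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def candidate_domains(body):
    """Distinct domains found in the body, reduced to their last two labels."""
    seen = []
    for host in HOST_RE.findall(body):
        labels = [l for l in host.lower().strip(".").split(".") if l]
        if len(labels) < 2:
            continue
        # Simplification: ignores two-level suffixes such as co.uk.
        domain = ".".join(labels[-2:])
        if domain not in seen:
            seen.append(domain)
    return seen


def domains_to_query(body, limit=MAX_LOOKUPS, rng=None):
    """Domains to send to the blocklist: all of them, or a random sample."""
    rng = rng or random.Random()
    domains = candidate_domains(body)
    if len(domains) <= limit:
        return domains
    # Query volume per message is bounded by `limit`, however many
    # distinct domains the message contains.
    return rng.sample(domains, limit)


def constructed_message():
    """Constructed sample: 300 throwaway domains plus 50 hosts of one domain."""
    parts = [f"http://w{i}.poison{i}.example/" for i in range(300)]
    parts += [f"http://s{i}.listed-domain.example/" for i in range(50)]
    return " ".join(parts)


if __name__ == "__main__":
    msg = constructed_message()
    print(len(candidate_domains(msg)), "distinct domains in message")
    print(len(domains_to_query(msg)), "DNS lookups issued")
```

Random subdomains collapse to one lookup after the reduction step, so only distinct registered domains count against the cap. The cost of sampling is that any single domain in a padded message is checked only with probability limit/N.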