[Esd-l] badtrans ad infinitum

John D. Hardin jhardin at impsec.org
Wed Nov 28 11:12:01 PST 2001

On Wed, 28 Nov 2001, Christian Parigger wrote:

> just the way things seem to be in life. I fully appreciate your
> upgrades, yet certainly I am/we are not 'infinitely' safe.

No, the sanitizer is only one part of a multilayered defense system.
You still need firewalling, and antivirus, and so forth.

> One idea would include the use of portsentry-alike protection for
> flooding from certain sites, although I am not certain how to do
> that with email, viz. if more than so-many "active emails" come
> from a site per hour or day, block the site (I'd know how to do that
> with attacks on ports to a reasonable degree).

I don't know that it would be useful for worms. A worm storm is more
along the lines of a DDoS attack - you're being nibbled to death by
ducks, rather than having one site flooding you.

> I/we have been flooded with Sircam back in July, whereby
> "overfloweth" resulted in my/our quarantine. Therefore, the milder
> solution would perhaps be to blackhole (or bit-bucket into
> /dev/null) active email received at a set rate from certain sites
> (rather than blocking the whole site).

Okay, that may be possible at a lighter weight than sanitizing each

How do you define "active email" ?

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                       pgpk -a jhardin at wolfenet.com
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  In 1998 more than three times as many people in the US were killed
  by incompetent physicians than were killed by handguns, yet the
  President of the A.M.A. is adopting "gun safety" as his platform.
   1070 days until the Presidential Election
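
An added example (not part of the original message, and not the sanitizer's code) of the per-site threshold proposed in the quoted text, run over two constructed traffic patterns: a flood from one site and a worm storm spread across many hosts. The function name, the limit of 10 per hour and the host names are assumptions; what counts as "active email" is left to whatever flags the messages before they reach this function.

```python
from collections import defaultdict, deque

def rate_limit(events, limit=10, window=3600):
    """Apply a per-site sliding-window threshold to flagged messages.

    events: iterable of (timestamp_seconds, sending_site) for messages that
            were already flagged as "active" (that definition is assumed
            to be made elsewhere).
    Returns (blocked_sites, passed_count): the sites that crossed the
    threshold and the number of flagged messages accepted before any block.
    """
    recent = defaultdict(deque)   # site -> timestamps inside the window
    blocked = set()
    passed = 0
    for ts, site in sorted(events):
        if site in blocked:
            continue              # bit-bucket everything from a blocked site
        q = recent[site]
        while q and q[0] <= ts - window:
            q.popleft()           # expire entries older than the window
        q.append(ts)
        if len(q) > limit:
            blocked.add(site)     # threshold crossed: drop this and later mail
        else:
            passed += 1
    return blocked, passed

# Constructed sample traffic: 200 flagged messages, one every 10 seconds.
# Case 1: all from a single site (the Sircam-style flood in the quoted text).
SINGLE_SITE_FLOOD = [(i * 10, "mail.flood.example") for i in range(200)]
# Case 2: one message each from 200 different infected hosts (a worm storm).
WORM_STORM = [(i * 10, f"host{i}.example") for i in range(200)]

if __name__ == "__main__":
    for name, traffic in (("single-site flood", SINGLE_SITE_FLOOD),
                          ("worm storm", WORM_STORM)):
        blocked, passed = rate_limit(traffic)
        print(f"{name}: blocked={sorted(blocked)} passed={passed}")
```

With the same message volume, the single-site flood is cut off after the threshold while every worm-storm message gets through, because no individual sender ever reaches the limit.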
