On Mon, 6 Jan 2003, Dean Brooks wrote:
> Just an observation, but is it necessary for the non-mail command
> limit to be configured right on the exact minimum threshold of needed
> commands in a normal mail session?
> Rather, couldn't you just set it to something arbitrary, say 15?
Then it would probably be useless for the purpose for which it was
designed (see below).
> At least then it would catch any major abuse.
>
> Are non-mail commands being abused by spammers or DOSsers?
Yes. There is a security issue with some web servers whereby someone who
can access the web server can provoke it into sending data to the SMTP
port of a host to which it has access. The original caller may not have
access to that SMTP port. However, when this is done, the data starts
off with a smallish number of non-SMTP command lines. It was as a defence
against this that the check was introduced into Exim. (I don't think I'm
giving much away by posting this information; I think the exploit is
probably well-known now.)
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
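The check Philip describes, as an added simulation that is not Exim's own code: a counter of non-SMTP command lines run over two constructed sessions, a normal one and an HTTP request that a web server has relayed onto the SMTP port. The verb list, the limit of 3 and both transcripts are assumptions, chosen to show why a limit near the normal-session minimum stops the relayed request before any mail command arrives while a limit of 15 would let it through.

```python
"""Simulation of the "too many non-mail commands" check (added example, not Exim code)."""

# Verbs a normal mail session may legitimately send (assumed list of core SMTP verbs).
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
              "QUIT", "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}


def run_session(lines, max_unknown):
    """Walk the client's input lines in order and return (verdict, unknown_count).

    verdict is "accepted" if the session ran to the end, or "dropped" as soon as
    more than max_unknown non-SMTP lines have been seen. Lines between DATA and
    the terminating "." are message content and are never counted as commands.
    """
    unknown = 0
    in_data = False
    for line in lines:
        if in_data:
            if line == ".":
                in_data = False
            continue
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        verb = verb.split(":", 1)[0]  # tolerate "MAIL FROM:<...>" written without a space
        if verb in SMTP_VERBS:
            in_data = (verb == "DATA")
            continue
        unknown += 1  # an empty line is treated as an unknown command here (assumption)
        if unknown > max_unknown:
            return ("dropped", unknown)
    return ("accepted", unknown)


# Constructed sample sessions, not captured traffic.
NORMAL_SESSION = ["EHLO client.example", "MAIL FROM:<a@example.org>",
                  "RCPT TO:<b@example.net>", "DATA", "Subject: hi", "",
                  "hello", ".", "QUIT"]

# An HTTP request arriving on the SMTP port: the request line and headers come
# first, and the SMTP dialogue only begins after the blank line ending the headers.
RELAYED_HTTP = ["POST / HTTP/1.0", "Host: mail.example.net",
                "Content-Type: text/plain", "Content-Length: 72", "",
                "EHLO forwarded", "MAIL FROM:<a@example.org>",
                "RCPT TO:<b@example.net>", "DATA", "relayed body", ".", "QUIT"]


def compare_limits():
    """Same two sessions under a tight limit (3) and the loose limit (15) from the thread."""
    return {"normal@3": run_session(NORMAL_SESSION, 3),
            "relayed@3": run_session(RELAYED_HTTP, 3),
            "relayed@15": run_session(RELAYED_HTTP, 15)}
```

A normal session contains no unknown commands at all, so the limit can sit right at the minimum without affecting real clients; raising it to 15 only helps the relayed request, whose few HTTP lines then pass unnoticed.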