On Mon, 28 Jul 2003 14:54:08 -0700, [EMAIL PROTECTED] (Justin Mason) writes:
> >Also, forcing the victim to burn a second for every 2kb is still
> >interesting. There's nothing that keeps the attacker from repeating
> >this sort of thing every paragraph, so a 60kb email takes >30 seconds.
>
> yeah, that's true.

And, stronger attacks may exist, or one can interleave several attacks on different regexps into the same text. The regexp that I attack with '.......' seems to be involved with Received processing, and may be exempt from the 2k limit?

> I think though, that if 1 hand-crafted message takes 30 seconds, that's
> still acceptable.

I disagree. If it only takes 120 messages, 10mbyte of traffic, to lock up *any* email server using SA for an hour, that is a *nasty* DoS. A spammer can purposely seed their spam run with these messages of doom. Now, the victims either get the spam (if they don't run SA) or they don't get any email at all (if they do run SA). Given this choice, mail admins would be forced to disable SA just so that their email servers survive.

I've also traced this set of dodgy regexps, and found more of them. They're all header tests, and it looks like it is possible to hit more than one with the same header.

./lib/Mail/SpamAssassin/EvalTests.pm: my @address = ($to =~ m/([EMAIL PROTECTED](?:[\w.-]+\.)+\w+)/g);
./lib/Mail/SpamAssassin/EvalTests.pm: while ($received =~ s/[\t ]+by[\t ]+(\w+([\w.-]+\.)+\w+)//i) {
./lib/Mail/SpamAssassin/EvalTests.pm: if ($received[$i] =~ s/\bby[\t ]+(\w+(?:[\w.-]+\.)+\w+)//i) {
./lib/Mail/SpamAssassin/EvalTests.pm: if ($received[$i] =~ s/\bfrom[\t ]+(\w+(?:[\w.-]+\.)+\w+)//i) {

Also for some more, see the $received[$i] matching taken from '_check_received_helos'.

Design the 'Received:' lines to attack the above *AND* attack one or two of the checks in '_check_received_helos', and the CPU time taken could be triple the earlier test, to one second/kilobyte. This is assuming a 2kb headerline limit. With a 10kb headerline limit, we're talking 25 seconds/kilobyte.

Scott
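
An added example, not part of the original message and not SpamAssassin code: a small audit that flags the nested-quantifier shape shared by the Received: patterns listed above, and checks that a single-quantifier rewrite of the hostname sub-pattern captures the same host. The rewrite `HARDENED_HOST`, the helper names and the sample header fragments are assumptions constructed for illustration; Python's backtracking `re` engine stands in for Perl's.

```python
import re

# Hostname sub-pattern used by the header tests quoted in the message.
ORIGINAL_HOST = r"\w+(?:[\w.-]+\.)+\w+"
# Assumed rewrite, not SpamAssassin's own fix: "(?:[\w.-]+\.)+" accepts the same
# strings as "[\w.-]+\.", and "\w+[\w.-]+" the same as "\w[\w.-]+", which leaves
# a single quantifier to backtrack instead of one nested inside another.
HARDENED_HOST = r"\w[\w.-]+\.\w+"

# The three Received: patterns listed in the message.
PAGE_PATTERNS = [
    r"[\t ]+by[\t ]+(\w+([\w.-]+\.)+\w+)",
    r"\bby[\t ]+(\w+(?:[\w.-]+\.)+\w+)",
    r"\bfrom[\t ]+(\w+(?:[\w.-]+\.)+\w+)",
]

# Shape to flag: a repeated group whose body is "[class]+" then "\literal".
NESTED = re.compile(r"\((?:\?:)?\[([^\]]+)\]\+\\(.)\)[+*]")


def is_ambiguous(pattern):
    # True when the inner class also matches the group's terminating literal,
    # so the engine can split one run of characters in many different ways.
    return any(re.fullmatch("[" + cls + "]", lit)
               for cls, lit in NESTED.findall(pattern))


def by_host(host_pattern, received):
    # Host captured after "by", mirroring the quoted \bby[\t ]+(...) test.
    m = re.search(r"\bby[\t ]+(" + host_pattern + ")", received, re.I)
    return m.group(1) if m else None


# Constructed Received-style fragments, including awkward edge cases.
SAMPLES = [
    "from mail.example.com by mx1.example.net with ESMTP",
    "by\thost-1.example.org. (Postfix)",
    "by mx..example.com",
    "by ab.c", "by a.b", "by localhost",
]

if __name__ == "__main__":
    for p in PAGE_PATTERNS:
        print(is_ambiguous(p), p)
    for s in SAMPLES:
        print(repr(by_host(ORIGINAL_HOST, s)), repr(by_host(HARDENED_HOST, s)))
```

The textual check only recognises this one shape; a ruleset audit would still need a timing or step-limit test per rule to catch other ambiguous constructs.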