http://www.trimmail.com/ // comco-inc.com

Vernon Schryver vjs@calcite.rhyolite.com
Wed Oct 8 15:07:04 UTC 2003


> From: "VonEssen, John" <VonEssJ@intelihealth.com>
> To: <dcc@calcite.rhyolite.com>
> Cc: <bjg@comco-inc.com>


> I am not sure which is more disconcerting. The fact that they didn't
> know about firewall implications (obviously DCC communicates through
> some port, not just thin air), OR, the fact that they didn't even test
> to see if the SA Rules were being processed properly. After a few 1000
> messages, and not seeing any DCC_CHECK Rules, a light bulb should have
> gone on! 

Which "they" do you mean?  Of the top 35 anonymous clients of
z.dcc-servers.net, one of the 11 systems that answers anonymous requests
to dcc*.dcc-servers.net, 15 have misconfigured firewalls.  On
Tuesday GMT they each sent 7,000 to 20,000 wasteful requests to each
of those public DCC servers for individual totals of 77,000 to 220,000.
Judging from reverse DNS names, some of those 15 IP addresses are
owned by the same outfit.  For example one seems to be responsible
for a total of almost 400K useless requests.


> It looks like they sell a hardware application/appliance which probably
> acts as a sendmail frontend with SA+MD. Mail can then be relayed to users
> on a backend mail system like Exchange. So every time they sell this box
> to a new customer, the customer plugs it in with no firewall changes,
> and voila, more abuse traffic is created.

Yes, except that applies to anyone else who installs SA+DCC without
paying attention to the results.

The SA+MD+DCC box vendors (plural) do bear more responsibility for
the problem because they generally sell their expertise and some hand
holding.  They ought to do the minimal sanity check of `cdcc info` on
their boxes before turning over the keys of a new installation.
They ought to at least get their FAQs on firewalls right.

Some of these vendors have run their DCC servers from the start of
the interest in the DCC.  Others have needed reminding.

If I were designing such boxes, I'd start with my own DCC servers as
well as DNS server aggregators for DNS blacklists not only to avoid
dirty looks from people at the public resources but to ensure nothing
bad happens.  For example, I wonder how many of these "spam solutions"
have done bad things like bouncing all mail when famous DNS blacklists
were shut down.  Besides, having the boxes talk to my own DNS and
other servers would be a potential "revenue enhancement opportunity."


Vernon Schryver    vjs@rhyolite.com


