[unisog] IPS

Keith Hunt keith at uakron.edu
Wed Feb 9 21:09:04 GMT 2005

On Wed, 2005-02-09 at 15:12, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 09 Feb 2005 13:25:30 CST, Ken Connelly said:
> > Hunt,Keith A wrote:
> > >I have been wondering about the implications of dropping an SMTP session
> > >like this. Could you expound on why you think this is not a good idea?
> > >
> > Because if it's a bona fide server, the remote end will just start the 
> > SMTP session over again in 30 or 60 (or more) minutes.
> Even more importantly, there are bona fide servers out there running broken
> software that *fails* to wait the RFC-suggested 30-to-60, and retries right
> away.  So you suddenly get literally thousands of connections an hour as the
> other end does the fail/retry over and over.  LSoft's LSMTP product is one
> product that has had lots of issues in this area.
>
Hmm. That's an interesting consideration. I was actually pondering the
implications from another direction. The IPS can be set to reject the
combination of IP/port for a period of time, which would seem to mean
rejecting legitimate mail from that source, depending upon whether that
given connection would remain established for that purpose. For an
infected home PC, maybe not such a bad thing so long as the
malware-bearing messages are being sent directly. When it starts using
the ISP mail server (or the traffic is coming from a listserv machine),
then it might start to be a bit of a problem for legit mail.

Keith Hunt  330.972.7968  keith at uakron.edu
Internet & Server Systems
The University of Akron 
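
The retry behaviour discussed in this thread can be watched for in an IPS drop log. The following is an added example, not part of the original messages: it labels each source by the gap between its successive dropped SMTP sessions. The log format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

BACKOFF_MIN_S = 30 * 60   # low end of the 30-to-60 minute retry cited in the thread
STORM_MAX_GAP_S = 60      # assumption: under a minute apart counts as retrying "right away"
STORM_MIN_DROPS = 5       # assumption: need a few drops before calling it a loop

# Constructed sample log, hypothetical format "<ISO time> <source IP> DROP".
SAMPLE = [f"2005-02-09T15:00:{s:02d} 192.0.2.10 DROP" for s in range(0, 30, 5)] + [
    "2005-02-09T15:00:00 198.51.100.7 DROP",
    "2005-02-09T15:30:00 198.51.100.7 DROP",
    "2005-02-09T16:30:00 198.51.100.7 DROP",
    "2005-02-09T15:10:00 203.0.113.5 DROP",
    "",
]


def drops_by_source(lines):
    """Group drop timestamps by source IP, skipping lines that do not match."""
    by_src = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[2] == "DROP":
            by_src[parts[1]].append(datetime.fromisoformat(parts[0]))
    return by_src


def classify(times):
    """Label one source by the median gap between its successive drops."""
    times = sorted(times)
    if len(times) < 2:
        return "single"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps)
    if len(times) >= STORM_MIN_DROPS and mid <= STORM_MAX_GAP_S:
        return "retry-loop"   # the immediate fail/retry pattern described above
    if mid >= BACKOFF_MIN_S:
        return "backoff"      # sender waits before retrying
    return "irregular"


def summarize(lines):
    """Map each source IP in the log to its label."""
    return {src: classify(t) for src, t in drops_by_source(lines).items()}


if __name__ == "__main__":
    for src, label in summarize(SAMPLE).items():
        print(src, label)
```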
