Version 2

    Fuzz Protection


    Target for M3


    Fuzz Protection is the enforcement of protocol concerns.  By deciding that clients that deviate seriously and repeatedly form the expected norms of reply and response we can decide they are malevolent and hang up on them.  Meaning if a client repeatedly sends \r when it is supposed to send an SMTP command, we'd wait until it had violated protocol n times and then just hang up.


    Types of Fuzz Protection


    • Strict - no devience allowed.  This should be an option but not a default.  This means that on any violation (unrecognized command) we'd drop carrier so to speak.  That isn't allowed by the SMTP spec but other mail servers (postfix) allow it as an option.  Do not even allow normal variants.

    • Stringent - no devience allowed, but allow normal variants.

    • Flexible - wait n times before dropping carrier.  Also optionally allow for recognizable but syntactically incorrect variants of the protocol (if we allow them normally).

    • Please denial of service attack me - no fuzz protection