[Mimedefang] Dictionary attacks, NDRs etc..

Matthew.van.Eerde at hbinc.com Matthew.van.Eerde at hbinc.com
Fri Dec 5 14:24:16 EST 2003


Sorry, premature "send"... anyway

Here's an idea - detect dictionary attacks and return 550's for *every*
email address once an attack has been detected.

For example, if f at example.com is valid but a through e aren't...

Legitimate email comes in:
MAIL FROM: legitimate at example.org (OK)
RCPT TO: a at example.com (let me check... doesn't exist, sorry - 550)
RCPT TO: f at example.com (let me check... go ahead - 200)
DATA (etc.)


Dictionary attack:
MAIL FROM: legitimate at example.org (OK)
RCPT TO: a at example.com (let me check... doesn't exist, sorry - 550)
RCPT TO: b at example.com (let me check... doesn't exist, sorry - 550)
RCPT TO: c at example.com (let me check... doesn't exist, sorry - 550)
RCPT TO: d at example.com (just a minute...
    at this point the server should suspect, check for, and recognize a
    dictionary attack.
    All future RCPT's should be auto-550'd, and a warning message sent to the
    administrator.
    [Perhaps this RCPT TO: could be fake-200'd, and the message quarantined?]
    anyway, doesn't exist, sorry - 550)
RCPT TO: e at example.com (I'm ignoring you... doesn't exist, sorry - 550)
RCPT TO: f at example.com (I'm ignoring you... doesn't exist, sorry - 550)
RCPT TO: g at example.com (I'm ignoring you... doesn't exist, sorry - 550)

Note that f is fake-550'd even though it does exist.

> -----Original Message-----
> From: WBrown at e1b.org [mailto:WBrown at e1b.org]
> Sent: Friday, December 05, 2003 10:53 AM
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] Dictionary attacks, NDRs etc..
> 
> 
> mimedefang-bounces at lists.roaringpenguin.com wrote on 12/05/2003 12:24:30 PM:
> 
> > 
> > I admit I have not read the RFC dealing with the above but,
> > in the above we are telling the spammer which addresses are good
> > and which are bad?
> > 
> > This is a serious security breach. If I was a spammer I could write 
> > a program to mine all good addresses using the same process.
> > 
> > Would it not be better to do the LDAP lookup and simply remove
> > the recipient in @Recipients and not give the spammer any idea
> > which addresses are good or bad?
> > 
> > It may violate an RFC but aren't we in a "War against SPAM"?
> > Maybe the RFC needs to be re-written. SPAM was not an issue
> > then like it is now I would think.
> 
> Adelphia does not return delivery failures for addresses that are invalid,
> including no longer used addresses.  If ham is not delivered, it should
> generate an NDR.
> 
> I am just starting on implementation, but I anticipate returning perm
> failures on spam.  The trick is detecting the dictionary harvest attack
> and blocking that server from further connections.
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
> 
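The per-session heuristic sketched in the two transcripts above, written out as an added simulation (not code from the post or from MIMEDefang): a counter of consecutive unknown recipients, a threshold of three (an assumed value), and, once the threshold is passed, a 550 for every later RCPT TO including the mailbox that really exists. The directory containing only f@example.com is constructed for the example; real SMTP replies 250 where the post writes 200.

```python
"""Simulate the per-session heuristic from the post: after several unknown
recipients, treat the SMTP session as an address-harvesting attempt and
refuse every further RCPT TO, whether or not the mailbox exists."""
from dataclasses import dataclass, field

# Constructed directory for the example: only f@example.com exists.
VALID_RECIPIENTS = {"f@example.com"}
# Unknown recipients tolerated before the session is flagged (assumed value).
THRESHOLD = 3


@dataclass
class Session:
    mail_from: str
    invalid_streak: int = 0      # consecutive unknown recipients so far
    flagged: bool = False
    alerts: list = field(default_factory=list)

    def rcpt_to(self, addr: str) -> int:
        """Return the SMTP reply code for one RCPT TO command."""
        # Recognise the attack when yet another RCPT arrives after the
        # threshold of unknown recipients has been reached (the "d" step).
        if not self.flagged and self.invalid_streak >= THRESHOLD:
            self.flagged = True
            self.alerts.append(
                f"dictionary attack suspected from {self.mail_from}: "
                f"{self.invalid_streak} consecutive unknown recipients")
        if self.flagged:
            # Everything is refused from here on, existing mailboxes
            # included, so the remaining probes reveal nothing.
            return 550
        if addr.lower() in VALID_RECIPIENTS:
            self.invalid_streak = 0   # a real recipient resets the streak
            return 250                # the post writes 200 for this
        self.invalid_streak += 1
        return 550


def run_session(mail_from: str, recipients: list) -> tuple:
    """Feed a sequence of RCPT TO addresses through one session and return
    the reply codes in order plus any administrator alerts raised."""
    session = Session(mail_from)
    codes = [session.rcpt_to(addr) for addr in recipients]
    return codes, session.alerts


if __name__ == "__main__":
    legit = ["a@example.com", "f@example.com"]
    attack = [f"{c}@example.com" for c in "abcdefg"]
    print("legitimate:", run_session("legitimate@example.org", legit))
    print("attack:    ", run_session("legitimate@example.org", attack))
```

A legitimate sender who mistypes one address still reaches f, because a successful recipient resets the streak; the harvester's run of a..g gets seven 550s and one alert.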


