[Mimedefang] Tarpit for dictionary attacks

listuser at numbnuts.net
Tue May 20 23:59:03 EDT 2003


I'd like to set up an SMTP tarpit of sorts.  I'd like to make every single
piece of mail to be deliverable for a given domain or two.  Let me explain
that a little better.

I have a number of domains on which I only use a handful of accounts.  I
get probed all the time with Rumpelstiltskin attacks (proper pronoun
dictionary attack).  Of course only a handful of users actually exist and
none of them are variants of any proper pronouns I know of.  In the hopes
of letting the spammers do all the work of seeding my addresses in their
databases, I'd like any and all dictionary attacks for addresses in a few
specific domains to always be successful.  So when a spammer connects to
my mail server and tries to confirm if joe@, aaron@, bob@, sally@, etc.
exist, he finds that all of them exist (or perhaps one is randomly denied
so as to not be too obvious).  I also need this mail to be delivered to an
account ultimately.  Can a milter like MIMEDefang assist with that?

Is a milter consulted at all when an EXPN or VRFY request comes in or only
when mail delivery is attempted?  Reenabling EXPN and VRFY on a production
MTA with lots of users wouldn't be wise but it wouldn't hurt to do that on
this particular box in this particular case.  Only a few users actually
exist.  What's the harm in a spammer confirming that the addresses I post
to mailing lists, newsgroups, and discussion boards exist anyhow?  There
isn't any.

To go along with this, is there an easy way to let MD work its magic on 
incoming mail where a local recipient actually exists and NOT try to 
spam/AV check mail where a local user doesn't exist?  No sense in wasting 
CPU time on that.  At some point and with some tool I'm going to need to 
write all the undeliverable mail to disk.  I'm guessing I can do that with 
procmail.

Does anyone have any thoughts on this?  I'm going to push all that spam 
into pyzor and razor (as time for manual processing allows).  It will also 
give me a nice corpus of spam to work with. :)  Any thoughts or 
suggestions on this would be welcomed.  I should probably ask the Sendmail 
crowd about this as well.  Now that I think about it, I could declare each 
of those spamtrap recipients to be a SPAMFRIEND to get mail addressed to 
them by Sendmail's spam checks.  I still need MD to give the OK for those 
though too.

Justin
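
Added example, not part of the original post and not MIMEDefang code: a model of the per-recipient policy the message describes (accept nearly every address in a trap domain, scan only mail for real users, spool the rest). The domain, user, key and function names are constructed assumptions, and the occasional denial is made deterministic with a keyed hash so a repeated probe of the same address always gets the same answer.

```python
import hashlib
import hmac

# Constructed sample values; none of these come from the original post.
TRAP_DOMAINS = {"trap.example"}
REAL_USERS = {"justin@trap.example"}
SECRET = b"replace-with-a-local-random-key"
DENY_ONE_IN = 20  # roughly one unknown address in 20 is refused


def _bucket(addr: str) -> int:
    """Stable per-address number: the same probe always gets the same answer."""
    digest = hmac.new(SECRET, addr.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % DENY_ONE_IN


def rcpt_decision(rcpt: str) -> tuple[str, str]:
    """Return (smtp_action, handling) for one RCPT TO address.

    smtp_action: "accept" or "reject"
    handling:    "scan"  (real user, run spam/AV checks),
                 "spool" (trap address, write to disk unscanned),
                 "none"  (rejected)
    """
    addr = rcpt.strip().strip("<>").lower()
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return ("reject", "none")
    if addr in REAL_USERS:
        return ("accept", "scan")
    if domain not in TRAP_DOMAINS:
        return ("reject", "none")  # normal user-unknown behaviour elsewhere
    if _bucket(addr) == 0:
        return ("reject", "none")  # the occasional denial, stable across retries
    return ("accept", "spool")


def message_handling(rcpts: list[str]) -> str:
    """Scan a message if any accepted recipient is real; otherwise just spool it."""
    kinds = {rcpt_decision(r)[1] for r in rcpts}
    if "scan" in kinds:
        return "scan"
    return "spool" if "spool" in kinds else "none"
```
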



