[Mimedefang] Tarpit for dictionary attacks

listuser at numbnuts.net listuser at numbnuts.net
Wed May 21 01:50:01 EDT 2003


On Tue, 20 May 2003, Jeffrey Goldberg wrote:

> On Tue, 20 May 2003 listuser at numbnuts.net wrote:
> 
> > I have a number of domains on which I only use a handful of accounts.  I
> > get probed all the time with Rumplestiltskin attacks (proper pronoun
> > dictionary attack).  Of course only a handful of users actually exist and
> > none of them are variants of any proper pronouns I know of.  In the hopes
> > of letting the spammers do all the work of seeding my addresses in their
> > databases, I'd like any and all dictionary attacks for addresses in a few
> > specific domains to always be successful.  So when a spammer connects to
> > my mail server and tries to confirm if joe@, aaron@, bob@, sally@, etc
> > exist, he finds that all of them exist (or perhaps one is randomly denied
> > so as to not be too obvious).  I also need this mail to be delivered to an
> > account ultimately.  Can a milter like MIMEDefang assist with that?
> 
> Why use MIMEDefang?  Just go through your logs for all of these "joe",
> "russ", "dan" etc names and set up aliases for them.

I could, but these User Unknowns would also contain typoed addresses
directed at me.  I.e., instead of listuser at numbnuts.net someone (like
myself) might fat-finger lisruser at numbnuts.net.  If I create an alias for
that fat-fingered address, and direct it at an account that auto-forwards
to pyzor, then I (or someone else mailing me) will be reporting my fat-
fingered mail to Pyzor.  Whoops!  I'd hate to do that.

As I was writing my question for the Sendmail folks it dawned on me that 
much of what I was writing was in some ways describing virtusertable and 
what it can do.  I needed to answer a question or two about it before I 
found out that it would work as I'd hoped.  With virtusertable I can 
create a catchall rule that will direct all mail without a local user to 
another user.  Works pretty slick.  Actually, I put all this in a reply to 
my own question so I won't rewrite it all here.  I've pretty much figured 
that end of things out though.  I still need to test delay_checks HATER 
to make sure it works as I predict.

> And if you don't want to accept them as spam traps, you can use sendmail's
> 
>   confBAD_RCPT_THROTTLE
> 
> to simply slow down when after some configured number of bad guesses.

I use that already.  I define 3 as my threshold.  I believe it works 
pretty well.

My goal with this is to not directly stop or even slow spam on this 
system for all users.  Only a handful of users (mostly my own) are in use 
on this particular system and with these domains.  I'll still filter the 
hell out of the spam being sent to those accounts.  My goal is to create 
as many spamtrap addresses as possible and seed them to hell and back.  
That part is easy.  Then the idea came to me with regards to the 
Rumplestiltskin attacks.  Why not put those annoying attacks to good use and 
let the spammers fill their own databases. :)  The more they query me the 
more they'll fill their databases with my spamtraps.  Woohoo!

> (I have no thoughts on the other questions you've raised).

Yeah, the way I asked it and was thinking about it made it way too complex.  
Rewriting the question and thinking about it a little longer simplified
the flaws in my logic to the point where it really wasn't that hard of a
thing to do.  Granted, I can't implement this on a production system with
a lot of users very easily (I'd have to declare everyone to be a
SPAMHATER, live with EXPN and VRFY queries, etc.) but it's not that hard
to do on a system with a handful of users.  If I can figure out that
greatly simplified MD side of things (only performing checks if the
recipient is one of a handful of users I define) then all will be well!

Thanks for the reply
 ustin
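The "MD side of things" described in the message above (run the spam checks only when one of a handful of real mailboxes is among the recipients, and let everything else in the catch-all domains through untouched so the virtusertable catch-all can deliver it to the trap account) can be expressed as a filter_recipient / filter_end pair in mimedefang-filter. The block below is an added example, not the poster's code and not part of the MIMEDefang distribution; the domain names, the mailbox list, the "spamtrap" alias and the header names are assumptions for illustration. It assumes mimedefang is started with -r so that filter_recipient is called for each RCPT TO, and that SpamAssassin support is compiled in.

```perl
# Added example, not from the original post.  Drop-in fragment for
# /etc/mail/mimedefang-filter: apply spam checks only to a few real
# mailboxes; every other recipient in the trap domains is accepted
# without checks so sendmail's virtusertable catch-all can deliver it
# to the spam-trap account.  Assumed matching virtusertable entries:
#
#   listuser@example.org   listuser
#   webmaster@example.org  webmaster
#   @example.org           spamtrap        # catch-all for the domain
#
# Requires "mimedefang -r" so that filter_recipient is invoked.

use strict;
use warnings;

# Domains that use the catch-all scheme (assumed for this example).
my %trap_domains = map { $_ => 1 } qw(example.org example.net);

# The only real mailboxes in those domains (assumed for this example).
my %real_users = map { lc $_ => 1 } qw(
    listuser@example.org
    webmaster@example.org
    postmaster@example.net
);

# Normalise "<User@Example.ORG>" to "user@example.org".
sub canonical_address {
    my ($addr) = @_;
    $addr =~ s/^\s*<//;
    $addr =~ s/>\s*$//;
    return lc $addr;
}

# Split an address into (localpart, domain); returns () if malformed.
sub split_address {
    my ($addr) = @_;
    return $addr =~ /^([^@\s]+)\@([^@\s]+)$/ ? ($1, $2) : ();
}

# Classify one envelope recipient: 'real', 'trap' or 'other'.
sub recipient_class {
    my ($recipient) = @_;
    my $rcpt = canonical_address($recipient);
    my ($local, $domain) = split_address($rcpt);
    return 'other' unless defined $domain && $trap_domains{$domain};
    return $real_users{$rcpt} ? 'real' : 'trap';
}

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    my $class = recipient_class($recipient);

    # Every guessed address is accepted: the dictionary attacker sees a
    # valid mailbox and seeds it into his database.  Log the hit so the
    # trap addresses can be counted later.
    if ($class eq 'trap') {
        md_syslog('info', "spamtrap recipient $recipient from $sender [$ip]");
    }
    return ('CONTINUE', 'ok');
}

sub filter_end {
    my ($entity) = @_;

    # @Recipients is filled in by MIMEDefang with the envelope recipients.
    my @real = grep { recipient_class($_) eq 'real' } @Recipients;

    # No real mailbox among the recipients: this is spam-trap traffic.
    # Skip the expensive checks and let virtusertable deliver it.
    return unless @real;

    # A real mailbox is involved: filter the hell out of it as usual.
    return unless $Features{'SpamAssassin'};
    my ($hits, $req, $names, $report) = spam_assassin_check();
    if (defined $hits && $hits >= $req) {
        action_change_header('X-Spam-Flag',  'YES');
        action_change_header('X-Spam-Score', "$hits/$req ($names)");
    }
}

1;
```

The classification lives in recipient_class so the same rule is used at RCPT time and at end-of-message time; filter_recipient never rejects, because a rejection would tell the attacker which names are real, which is exactly the information the scheme wants to withhold.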



