[Mimedefang] Tarpit for dictionary attacks

listuser at numbnuts.net
Wed May 21 02:34:00 EDT 2003


On Tue, 20 May 2003, Jeffrey Goldberg wrote:

> On Wed, 21 May 2003 listuser at numbnuts.net wrote:
> 
> > [...] If I create a catchall entry in my virtusertable for a domain,
> > all mail addressed to any user at that domain that doesn't have their own
> > virtusertable entry ends up matching the catchall line and whatever action
> > you specify with it.  That was simple enough.
> 
> Yes, but spammerware is smarter than you think.  If you look at logs you
> will see that a dictionary attack usually begins with
> 
>  RCPT TO:<some-unlikely-string at your.dom.ain>
> 
> 
> If that gets accepted the probe will figure that you catch everything for
> your domain.

This would be a problem.  I'd thought that if MD was involved then I could
randomly reject an EXPN or VRFY.  If they actually take the approach you
mention above then it will be quite hard to work around.  Perhaps the
Sendmail folks have a solution for this.

> Again, I think that the thing to do is to actually set up aliases for
> common "guesses".  And those you can easily make SPAMFRIENDs

I was going to do this in the beginning until I had the idea of using the
Rumplestiltskin attacks against the spammers.  I was going to use a proper
pronoun list to generate common userids, combined with a random single
letter generator to simulate first name last initial userids.  This is
what I'll end up doing if I can't find a workaround for the problem you
point out above.

> > I already use
> >
> > FEATURE(`delay_checks', `friend')
> >
> > With that I have to declare those that I want to bypass the checks.
> > Knowing how that works, I'm guessing that the opposite...
> >
> > FEATURE(`delay_checks', `hater')
> >
> > ...would let me define those that HATE spam and the rest have no checks
> > performed on them.  Am I correct in this assumption?
> 
> That is my (limited) understanding from the bat book.  So yes, you could
> do it that way by listing all (most) of your real users as HATERs.

Sheesh.  You know what?  I have the Bat Book sitting next to me and I
forgot about it.  Let me try and knock some sense into me with it.
*thump!*

> > [...] How do I configure MD to only
> > perform checks on mail if the recipient is one of a handful I define.
> 
> There was some discussion a few weeks back on "exempting" some users.  I'm
> fairly sure that some form of the word "exempt" was in the subject line.

I'll look back for it.  If I can't solve the problem you point out above
then it won't really matter.  It would be good to AV check incoming spam
just to make sure that I don't end up reporting infected email to the
Pyzor folks. :)  It won't really hurt anything if the SA checks are run on
bogus recipient spam.  I have a simple procmail rule to strip the SA
report and headers, my change to the subject line, and any ReSent lines
before calling pyzor anyhow.  It would still be useful to know how to not
check those messages though, besides saving some CPU cycles, but not 
critical.

Thanks for the input

Justin
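The probing pattern Jeffrey describes (one relay walking through unlikely local parts, then common names) is visible in the MTA log before any tarpit or alias trick comes into play. Below is an added detection example, not code from the thread or from MIMEDefang: it parses constructed sendmail-style "User unknown" rejection lines (the exact log shape is an assumption; real sendmail output varies by version and ruleset) and flags any relay IP that hits several distinct unknown recipients inside a short window.

```python
# Added example: flag dictionary-attack probes in sendmail-style logs.
# Heuristic: one relay IP rejected for many DISTINCT unknown recipients
# within a short window.  Log line shape below is constructed/assumed.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original post); first probe uses an
# unlikely string, then a name list, as the thread describes.
SAMPLE_LOG = """\
May 21 02:30:01 mx sendmail[4101]: h4L6U1xx004101: ruleset=check_rcpt, arg1=<qzxv7@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <qzxv7@example.org>... User unknown
May 21 02:30:02 mx sendmail[4102]: h4L6U2xx004102: ruleset=check_rcpt, arg1=<adam@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <adam@example.org>... User unknown
May 21 02:30:03 mx sendmail[4103]: h4L6U3xx004103: ruleset=check_rcpt, arg1=<alan@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <alan@example.org>... User unknown
May 21 02:30:04 mx sendmail[4104]: h4L6U4xx004104: ruleset=check_rcpt, arg1=<alex@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <alex@example.org>... User unknown
May 21 02:30:05 mx sendmail[4105]: h4L6U5xx004105: ruleset=check_rcpt, arg1=<amy@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <amy@example.org>... User unknown
May 21 02:31:00 mx sendmail[4106]: h4L6V0xx004106: ruleset=check_rcpt, arg1=<bob@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <bob@example.org>... User unknown
May 21 02:45:00 mx sendmail[4107]: h4L6j0xx004107: ruleset=check_rcpt, arg1=<carl@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <carl@example.org>... User unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, relay=\[(?P<ip>[^\]]+)\], "
    r"reject=550 .*User unknown$"
)

def parse_unknown_rcpts(log_text, year=2003):
    """Yield (timestamp, relay_ip, recipient) per 'User unknown' rejection."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an unknown-recipient rejection; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["rcpt"].lower()

def find_dictionary_attackers(log_text, threshold=5, window_secs=60):
    """Return {ip: total distinct unknown recipients} for every relay IP that
    probed at least `threshold` distinct unknown recipients in `window_secs`."""
    events = defaultdict(list)
    for ts, ip, rcpt in parse_unknown_rcpts(log_text):
        events[ip].append((ts, rcpt))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # sliding window over time-ordered rejections
        for i, (start, _) in enumerate(evs):
            seen = {r for t, r in evs[i:] if (t - start).total_seconds() <= window_secs}
            if len(seen) >= threshold:
                flagged[ip] = len({r for _, r in evs})
                break
    return flagged
```

A flagged IP is a candidate for the tarpit or rate limit discussed in the thread; a host that trips a couple of unknown users minutes apart (typo, stale address book) is left alone.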