[Mimedefang] relaying for multiple domains and servers and LDAP lookups

Kevin A. McGrail kmcgrail at pccc.com
Wed Apr 21 09:51:20 EDT 2004


> > Another alternative would be to pull the information from all the end
> > mail servers using LDAP and dump it all into one local LDAP directory.  I
> > could then query that local server (which would not require remote server to
> > even be up).
>
> That's also a possibility.  You don't need the whole LDAP directory; all
> you need is a list of valid addresses.  You could dump that into an access
> table and do it all in Sendmail.

Since I am assuming by LDAP, you really mean MS LDAP or AD for Microsoft
Exchange, I *really* recommend the LDAP to Access table solution.

A) it's the most basic level to reject the connection with sendmail before
throwing the email to a 20MB+ program
B) we tried a LOT of routes and this is really a simple yet elegant and
long-term solution.  Many of the other solutions we tried are too fragile,
prone to delays, etc.
C) all the research and reading we have done tells us that an NT/2K/2K3
server will NOT withstand a dictionary attack that causes LDAP lookups
galore.  The concept of "lightweight" behooves Microsoft programmers ;-)  In
fact, the threshold was ridiculously low like 3 queries per second tying up
a 450Mhz PII server.  Granted you might have a better server but still,
that's ridiculous scalability.

In closing, a second solution I might suggest is the idea I had for the
check against SMTP server in MD.  In short, build a DB tie that caches
correct and incorrect answers on the fly and expires them periodically.
Unfortunately, because of dictionary attacks, this could lead to a
*potential* DoS if you get 4 billion incorrect requests on a server with 15
correct answers.

Your Mileage May Vary but I am seeing more egregious and outlandish attacks
daily and withstanding viruses that try to send 120K emails an hour is
getting to be routine.

I can also recommend, for those that haven't figured this out yet, do NOT
use first-name emails (e.g. bob at bobsdomain.org).  Use multi-part names:
firstname.lastname, firstinitial.lastname, etc.  We are DEFINITELY
seeing ratware that is taking SPAM lists and DOMAIN lists and lists of names
and combining it all into super dictionary attacks.  Think about entire days
filled with nothing but email addresses starting with
A?????????????????@mydomain.com...

<SCARY THOUGHT FOR DAY>
Additionally, here's my scary thought for the day.  Not really my thought
though as I was speaking with the lead sales guy at Pest Patrol yesterday
and we were discussing spyware problems we've seen/predict.  PestPatrol's
prediction is that someone will compromise a "popular" spyware program and
get a hold of the trickler (the program that trickles in exes out of order
and at low bandwidth to allow for program updates, etc.; a fairly common
practice in the spy/malware arena).

With this exploited capability, someone could install anything and do it
MUCH faster than viruses have.  Think about something like GAIN (running on
like 30 million computers) that gets exploited and the person now in control
triggers a SPAMMING program to trickle, install and run on all those
"zombie" spyware infested machines.

Some (all? many?) of these tricklers run at the SAME level that firewall
software would run on the machine to bypass some of the more standard
firewall software.  And you typically can't find them through stateful
packet inspections because they run low-volume, out of order packets on port
80.
</SCARY THOUGHT FOR DAY>

<HAPPY THOUGHT FOR DAY>
If the above happened, the "legitimate" spyware programs would all look
REALLY bad and be lambasted by the media, FTC, consumer groups, consumers,
gophers, etc.
</HAPPY THOUGHT FOR DAY>

Regards,
KAM
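Added example (not code from the original post, from MIMEDefang or from PCCC) illustrating the two mechanisms KAM describes above: turning a list of valid recipients pulled from LDAP/AD into sendmail access-table entries so unknown recipients are rejected in sendmail before the milter ever sees the message, and a recipient-verification cache with separate positive and negative expiry that caps the number of negative entries so a dictionary attack cannot turn the cache itself into the DoS he warns about. It is Python rather than MIMEDefang's Perl so it can be run as-is; the address list and the `lookup` callback are constructed stand-ins for the LDAP query or SMTP check. The sendmail side is an assumption to verify against your cf/README: `FEATURE(blacklist_recipients)` enabled, and the full-address `To:` entry consulted before the domain entry.

```python
"""Added example, not from the original post or the MIMEDefang project.

Part 1: sendmail access-map lines from a list of valid addresses.
Part 2: a lookup cache with positive/negative TTLs and a bounded negative
        side, the shape a filter_recipient() check in MIMEDefang could use.
All addresses below are constructed sample data.
"""
import time
from collections import OrderedDict


def access_map_lines(domain, valid_addresses):
    """Return access-map text: one 'OK' line per valid recipient in `domain`,
    followed by a catch-all reject for the domain.  Assumes (not verified here)
    that with FEATURE(blacklist_recipients) sendmail looks up the full
    To:user@domain entry before the To:domain entry, so the OK lines win.
    Feed the output to makemap hash /etc/mail/access."""
    domain = domain.strip().lower()
    seen = set()
    lines = []
    for addr in valid_addresses:
        addr = addr.strip().lower()           # normalise case, drop whitespace
        if not addr or addr in seen:
            continue
        local, _, dom = addr.partition("@")
        if not local or dom != domain:        # ignore other domains / junk
            continue
        seen.add(addr)
        lines.append(f"To:{addr}\tOK")
    lines.append(f'To:{domain}\tERROR:5.1.1:"550 User unknown"')
    return lines


class RecipientCache:
    """Cache results of a slow recipient check (LDAP query, SMTP callout...).

    Positive answers live pos_ttl seconds, negative answers neg_ttl seconds.
    Negative entries are capped at max_negative and evicted oldest-first, so
    a flood of bogus recipients cannot push out the few real ones or grow the
    table without bound.  `lookup(addr)` is the caller-supplied slow path;
    `clock` is injectable so the expiry logic can be tested offline.
    """

    def __init__(self, lookup, pos_ttl=86400, neg_ttl=300,
                 max_negative=10000, clock=time.time):
        self._lookup = lookup
        self._clock = clock
        self.pos_ttl, self.neg_ttl, self.max_negative = pos_ttl, neg_ttl, max_negative
        self._pos = {}                 # addr -> expiry time
        self._neg = OrderedDict()      # addr -> expiry time, insertion ordered
        self.lookups = 0               # how many times the slow path ran

    def is_valid(self, addr):
        addr = addr.strip().lower()
        now = self._clock()
        exp = self._pos.get(addr)
        if exp is not None:
            if exp > now:
                return True
            del self._pos[addr]        # stale positive entry
        exp = self._neg.get(addr)
        if exp is not None:
            if exp > now:
                return False
            del self._neg[addr]        # stale negative entry
        self.lookups += 1
        ok = bool(self._lookup(addr))
        if ok:
            self._pos[addr] = now + self.pos_ttl
        else:
            while len(self._neg) >= self.max_negative:
                self._neg.popitem(last=False)   # evict the oldest negative
            self._neg[addr] = now + self.neg_ttl
        return ok


# Constructed sample directory standing in for the LDAP/AD export.
VALID = {"bob.smith@example.com", "j.doe@example.com"}


def demo():
    """Exercise the cache against a small dictionary attack; returns what happened."""
    clock = [1000.0]
    cache = RecipientCache(lambda a: a in VALID, pos_ttl=3600, neg_ttl=60,
                           max_negative=3, clock=lambda: clock[0])
    first = cache.is_valid("bob.smith@example.com")    # slow path
    cached = cache.is_valid("BOB.SMITH@example.com")   # served from cache
    for i in range(10):                                # ten bogus "a..." names
        cache.is_valid(f"a{i}@example.com")
    neg_size = len(cache._neg)                         # never exceeds 3
    clock[0] += 120                                    # negative TTL elapsed
    after_expiry = cache.is_valid("a9@example.com")    # re-checked, still bad
    doe = cache.is_valid("j.doe@example.com")
    return {"first": first, "cached": cached, "lookups": cache.lookups,
            "neg_size": neg_size, "after_expiry": after_expiry, "doe": doe}


if __name__ == "__main__":
    print("\n".join(access_map_lines("Example.com", sorted(VALID))))
    print(demo())
```

In MIMEDefang the cache would sit behind `filter_recipient` and translate a `False` into a REJECT at RCPT time; the access-map route above does the same thing one layer earlier, in sendmail, which is why the post prefers it. Test the map with `sendmail -bt` and `check_rcpt user@example.com` before relying on it.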

