[Mimedefang] relaying for multiple domains and servers and LDAP lookups
WBrown at e1b.org
Wed Apr 21 11:18:09 EDT 2004
mimedefang-bounces at lists.roaringpenguin.com wrote on 04/21/2004 09:51:20 AM:
>
> Since I am assuming by LDAP, you really mean MS LDAP or AD for Microsoft
> Exchange, I *really* recommend the LDAP to Access table solution.
Actually, they are mostly Lotus Domino servers, but we are filtering for
one Exchange server already. They are all in separate internet domains.
> A) it's the most basic level to reject the connection with sendmail before
> throwing the email to a 20MB+ program
That's why I was interested in building a single aggregate LDAP and
pointing sendmail at it.
> C) all the research and reading we have done tells us that an NT/2K/2K3
> server will NOT withstand a dictionary attack that causes LDAP lookups
> galore. The concept of "lightweight" behooves Microsoft programmers ;-) In
> fact, the threshold was ridiculously low like 3 queries per second tying up
> a 450Mhz PII server. Granted you might have a better server but still,
> that's ridiculous scalability.
Somehow I am not surprised. You mean "lightweight" doesn't mean
"collapse under slight load"? <g>
> In closing, a second solution I might suggest is the idea I had for the
> check against SMTP server in MD. In short, build a DB tie that caches
> correct and incorrect answers on the fly and expires them periodically.
> Unfortunately, because of dictionary attacks, this could lead to a
> *potential* DoS if you get 4 billion incorrect requests on a server with 15
> correct answers.
Sure, if I was more of a programmer!! I used to be, but have been on the
system admin (especially mail servers of late) side of things for quite a
while and the programming skills are pretty rusty! I'm still learning the
basics of perl. This sounds like it would be a bit of a project.
> I can also recommend, for those that haven't figured this out yet, do NOT
> use first name emails (i.e. bob at bobsdomain.org). Use multi-name,
> firstname.lastname, firstinitial.lastname, etc. etc. We are DEFINITELY
> seeing ratware that is taking SPAM lists and DOMAIN lists and lists of names
> and combining it all into super dictionary attacks. Think about entire days
> filled with nothing but email addresses starting with
> A?????????????????@mydomain.com...
For the most part, it's FirstinitialLastname without a separator. Makes
it easy to send someone email, but also easy for the spammers. I'm
convinced that sender authentication like SPF is the way to go. I was
reading the spooge from Microsoft about Domain keys, and he wants to
violate RFCs by using underscores in DNS records. Not to mention the
complexity of XML in DNS records. What's wrong with plain text in the
right format? (OK, getting off the soapbox now)
> <SCARY THOUGHT FOR DAY>
What's really scary is I had the same thought about a GAIN type network
of spam zombies yesterday! Were you eavesdropping on my thoughts in the
shower? <VBG>
> <HAPPY THOUGHT FOR DAY>
> If the above happened, the "legitimate" spyware programs would all look
> REALLY bad and be lambasted by the media, FTC, consumer groups, consumers,
> gophers, etc.
> </HAPPY THOUGHT FOR DAY>
Why can't spyware be prosecuted under current hacking laws (at least in
the US) as an illegal use of computer resources - CPU cycles if nothing
else? For that matter, do the same with virus writers.
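
The caching idea quoted in this message (remember correct and incorrect recipient answers, expire them periodically), written out as an added example that is not part of the original post or of MIMEDefang. It goes one step beyond the quote by capping each class of entry, so a dictionary run cannot grow the table without bound; `recipient_ok`, the limits, the TTLs and the `$lookup` callback are all hypothetical names and constructed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed limits; size them to the real user count and memory budget.
my %LIMIT = (ok => 50_000, bad => 10_000);  # max cached entries per class
my %TTL   = (ok => 3600,   bad => 300);     # seconds until an answer expires
my %cache = (ok => {}, bad => {});          # address => expiry time
my %order = (ok => [], bad => []);          # [address, expiry] in insert order

# $lookup: code ref returning true if the back-end server accepts the address
# (hypothetical stand-in for an SMTP or LDAP probe).
sub recipient_ok {
    my ($addr, $lookup, $now) = @_;
    $now = time unless defined $now;
    $addr = lc $addr;
    for my $class (qw(ok bad)) {
        my $until = $cache{$class}{$addr};
        next unless defined $until;
        return $class eq 'ok' ? 1 : 0 if $until > $now;
        delete $cache{$class}{$addr};       # expired: ask the back end again
    }
    my $class = $lookup->($addr) ? 'ok' : 'bad';
    # Evict oldest first, so a flood of bogus names cannot grow the table.
    while (@{ $order{$class} } >= $LIMIT{$class}) {
        my ($old, $exp) = @{ shift @{ $order{$class} } };
        delete $cache{$class}{$old}
            if ($cache{$class}{$old} // -1) == $exp;
    }
    my $until = $now + $TTL{$class};
    $cache{$class}{$addr} = $until;
    push @{ $order{$class} }, [$addr, $until];
    return $class eq 'ok' ? 1 : 0;
}

# Constructed demo: three real users, then a 25,000-name dictionary run.
my %valid = map { $_ => 1 } qw(alice@example.org bob@example.org carol@example.org);
my $probes = 0;
my $lookup = sub { $probes++; return $valid{ $_[0] } };
recipient_ok('bob@example.org', $lookup) for 1 .. 100;
recipient_ok("a$_\@example.org", $lookup) for 1 .. 25_000;
printf "back-end probes: %d, cached bad: %d, cached ok: %d\n",
    $probes, scalar keys %{ $cache{bad} }, scalar keys %{ $cache{ok} };
```

The cap bounds memory only: every previously unseen bogus name still costs one back-end probe, so the lookup load of a dictionary run is unchanged unless connections are also rate-limited or rejected earlier.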