[Mimedefang] New spam technique

Paul Murphy pmurphy at ionixpharma.com
Mon Jul 5 14:13:50 EDT 2004


> > I think spammers have adapted by sending only a few addresses at
> > a time, perhaps from virus-owned zombie relays.
> 
> That was the logical next step.  It's practically impossible to fight
> that.  And honestly, until directory harvest attacks start overloading
> my machine or costing me bandwidth, I ignore them just like I 
> ignore most port scans.

One possible approach is to appear to accept all addresses, then check the
recipient address but take no action until the DATA phase - at which point you
can refuse the message with a 5xx error without indicating whether the address
exists or not.  

That way, they spend time compiling a list where all of their guesses appear to
work, but none of their messages get through - and they don't know whether it's
because the user doesn't exist, or they are blacklisted, or your spam filter
caught them, etc.  In a good implementation, you could combine this with the
greylist database to permanently blacklist any sender/relay combination which
had three or more wrong addresses.

In the meantime, you have an easy way of identifying anyone using this
technique, as you can flag it for Graphdefang to analyse.

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788
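
The policy described in this message, as an added example that is not part of the original post and is not MIMEDefang filter code: a small Python model in which every RCPT is answered with 250, the decision is deferred to DATA, every refusal uses one identical 5xx reply, and a sender/relay pair is blacklisted at three wrong addresses. The class and function names, reply strings, addresses and the in-memory strike store are assumptions made for illustration.

```python
from collections import defaultdict

REJECT = (554, "5.7.1 Message refused")  # one reply for every refusal cause
STRIKE_LIMIT = 3                          # "three or more wrong addresses"

class DeferredRcptPolicy:
    def __init__(self, valid_recipients):
        self.valid = {a.lower() for a in valid_recipients}
        self.strikes = defaultdict(set)   # (sender, relay) -> wrong addresses seen
        self.blacklist = set()            # (sender, relay) pairs refused for good

    def on_rcpt(self, session, rcpt):
        # Every RCPT gets the same 250, so the reply reveals nothing.
        session["rcpts"].append(rcpt.lower())
        return (250, "2.1.5 Ok")

    def on_data(self, session):
        """Return (wire_reply, log_reason); log_reason is for local logs only."""
        key = (session["sender"].lower(), session["relay"])
        wrong = {r for r in session["rcpts"] if r not in self.valid}
        self.strikes[key] |= wrong
        if len(self.strikes[key]) >= STRIKE_LIMIT:
            self.blacklist.add(key)
        if key in self.blacklist:
            return REJECT, "blacklisted"
        if wrong:
            # Whole message refused, including any valid recipients on it.
            return REJECT, "unknown-recipient"
        return (354, "Go ahead"), "accepted"

def run_demo():
    policy = DeferredRcptPolicy(["alice@example.org", "bob@example.org"])
    # Constructed traffic: one relay guessing a few addresses per connection,
    # then trying a real address; finally an unrelated legitimate sender.
    traffic = [("x@spam.example", "192.0.2.10", ["aaron@example.org", "alice@example.org"]),
               ("x@spam.example", "192.0.2.10", ["abby@example.org"]),
               ("x@spam.example", "192.0.2.10", ["adam@example.org"]),
               ("x@spam.example", "192.0.2.10", ["alice@example.org"]),
               ("carol@partner.example", "198.51.100.7", ["bob@example.org"])]
    results = []
    for sender, relay, rcpts in traffic:
        s = {"sender": sender, "relay": relay, "rcpts": []}
        rcpt_codes = [policy.on_rcpt(s, r)[0] for r in rcpts]
        results.append((rcpt_codes, *policy.on_data(s)))
    return results

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

The second element of each result is what the client sees; the third is the internal reason, which stays in local logs where it can be counted and graphed.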
