email address probes

From: Andy Bastien (lists+incidents@yuggoth.net)
Date: 02/05/03

  • Next message: Kee Hinckley: "Re: email address probes"
    Date: Wed, 5 Feb 2003 20:54:19 +0000
    From: Andy Bastien <lists+incidents@yuggoth.net>
    To: incidents@securityfocus.com
    
    

    Where I work, we've getting lots of attempts to send email to random
    addresses at our domain. All of these attempts have been coming from
    valid servers operated by AOL, MSN, and Hotmail. I'm guessing that
    this is an attempt to find some spam targets, although I suppose that
    there could be something worse in store.

    I'd like to be able to stop these attempts, but I can't think of a way
    to do it. All of the attempts are coming from valid servers from some
    domains that we can't block. They do all have null reverse-paths
    (MAIL FROM:<>), but I don't think that we can reject on this criteria
    as null reverse-paths are used to send NDRs and other notifications
    which we don't want to block. I suppose that we could accept the
    emails and dump them to /dev/null (or to some tarpit account so that
    we can inspect them) instead of replying with a "550 User unknown,"
    but I suspect that this could cause us more headaches in the future.
    Does anyone have any suggestions as to how we could handle this
    problem?

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com