Re: Discovering users by RCPT TO

From: dmz (dmz_at_dmzs.com)
Date: 01/14/05

  • Next message: Cure, Samuel J: "RE: Sample Risk Assessment Report"
    Date: Fri, 14 Jan 2005 08:57:12 -0800
    
    


I see spammers hitting my MTA daily with dictionary RCPT TO queries
and there isn't much you can really do against it; however I have been
thinking about a solution using real time blockers.

The idea is to monitor the logfile of the MTA, looking for a host
getting more than "X" failed destination addresses (I think 2 or 3 is
a nice entry threshold). Then when they reach the threshold their IP
gets put into a local DNS server that is used by the MTA as a real
time blocker.

This wouldn't require more than another RBL addition to the MTA and
then an external script tied to either bind or djbdns.

thoughts?
dmz

Vince Hoang wrote:

|On Thu, Jan 13, 2005 at 02:20:12PM -0500, Chris Buechler wrote:
|
|>I'd recommend disabling it unless you get flooded by such spam
|>attacks. I would probably consider it unnecessary information
|>disclosure, depending on the environment and reason (if any)
|>for doing it that way.
|
|
|Some MTAs permit you to drop the session after a certain
|number of failures, but that only slows down the dictionary
|attacks.
|
|You cannot disable RCPT TO because that is how the SMTP protocol
|designates the recipients.
|
|-Vince
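As an added example (not code from dmz's post or from any MTA or DNS project named in it), here is the log-watching half of the idea in Python: count unknown-recipient RCPT rejections per client IP over constructed Postfix-style log lines, apply the threshold, and emit zone records for a local DNSBL the MTA can query. The log format, the zone name rbl.example.internal and the 127.0.0.2 listing answer are assumptions.

```python
import re
from collections import Counter

# Constructed Postfix-style smtpd log lines (sample data, not from a real MTA).
SAMPLE_LOG = """\
Jan 14 08:51:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown
Jan 14 08:51:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown
Jan 14 08:51:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown
Jan 14 08:51:05 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown
Jan 14 08:51:09 mx postfix/smtpd[1236]: 3A2B1C: from=<bob@example.org>, size=1024, nrcpt=1 (queue active)
"""

# Client address in "RCPT from host[a.b.c.d]" followed by an unknown-user rejection.
FAILED_RCPT = re.compile(
    r"RCPT from [^\s\[]+\[(\d{1,3}(?:\.\d{1,3}){3})\].*User unknown"
)

def parse_failed_rcpt(lines):
    """Count unknown-recipient rejections per connecting client IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RCPT.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(counts, threshold=3):
    """IPs at or above the threshold (the post suggests 2 or 3).
    A legitimate sender with one mistyped address stays below it."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def dnsbl_records(ips, zone="rbl.example.internal"):
    """Zone-file lines for a local DNSBL: octets reversed under the zone,
    answering 127.0.0.2, the conventional 'listed' code (assumed zone name)."""
    return [
        f"{'.'.join(reversed(ip.split('.')))}.{zone}. IN A 127.0.0.2"
        for ip in ips
    ]

if __name__ == "__main__":
    hits = parse_failed_rcpt(SAMPLE_LOG.splitlines())
    for rec in dnsbl_records(offenders(hits)):
        print(rec)
```

In production the count needs a time window and the listing an expiry, and your own relays and backup MXs must be excluded before anything is fed to bind or djbdns.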

