Re: Discovering users by RCPT TO

From: dmz (dmz_at_dmzs.com)
Date: 01/14/05

    Date: Fri, 14 Jan 2005 08:57:12 -0800
    
    


    I see spammers hitting my MTA daily with dictionary RCPT TO queries
    and there isn't much you can really do against it; however I have been
    thinking about a solution using real time blockers.

    The idea is to monitor the logfile of the MTA, looking for a host
    getting more than "X" failed destination addresses (I think 2 or 3 is
    a nice entry threshold). Then when they reach the threshold their IP
    gets put into a local DNS server that is used by the MTA as a real
    time blocker.

    This wouldn't require more than another RBL addition to the MTA and
    then an external script tied to either bind or djbdns.

    thoughts?
    dmz

    Vince Hoang wrote:

    |On Thu, Jan 13, 2005 at 02:20:12PM -0500, Chris Buechler wrote:
    |
    |>I'd recommend disabling it unless you get flooded by such spam
    |>attacks. I would probably consider it unnecessary information
    |>disclosure, depending on the environment and reason (if any)
    |>for doing it that way.
    |
    |
    |Some MTAs permit you to drop the session after a certain
    |number of failures, but that only slows down the dictionary
    |attacks.
    |
    |You cannot disable RCPT TO because that is how the SMTP protocol
    |designates the recipients.
    |
    |-Vince
    |
    |
    |
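The log-watching idea in the message above, as an added example that is not part of the original post: it counts rejected unknown recipients per client IP and emits BIND-style records for a local DNSBL zone once a host reaches the threshold. The Postfix-style log format, the zone name `rcptbl.example.internal`, the 127.0.0.2 answer, and the choice to count distinct addresses are all assumptions.

```python
import re
from collections import defaultdict

# Assumed Postfix-style "user unknown" reject line; adapt to your MTA's log format.
REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"55\d .*?<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

def offenders(lines, threshold=3):
    """Return client IPs with at least `threshold` distinct unknown recipients.

    Distinct addresses are counted (an assumption of this example) so that a
    legitimate server retrying one mistyped address is not listed.
    """
    failed = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            failed[m["ip"]].add(m["rcpt"].lower())
    return sorted(ip for ip, rcpts in failed.items() if len(rcpts) >= threshold)

def dnsbl_records(ips, zone="rcptbl.example.internal", ttl=3600):
    """Build DNSBL zone lines: reversed IPv4 octets under the zone, A 127.0.0.2."""
    records = []
    for ip in ips:
        reversed_ip = ".".join(reversed(ip.split(".")))
        records.append(f"{reversed_ip}.{zone}. {ttl} IN A 127.0.0.2")
    return records

# Constructed sample log lines (documentation addresses, not real traffic).
_LINE = ("Jan 14 08:5{n}:00 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
         "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
         "User unknown in local recipient table; from=<a@example.net> to=<{rcpt}>")
SAMPLE_LOG = [_LINE.format(n=n, ip=ip, rcpt=rcpt) for n, (ip, rcpt) in enumerate([
    ("192.0.2.10", "alice@example.com"),
    ("192.0.2.10", "bob@example.com"),
    ("198.51.100.7", "typo@example.com"),
    ("192.0.2.10", "carol@example.com"),
    ("198.51.100.7", "typo@example.com"),   # same address retried
    ("203.0.113.5", "dave@example.com"),
])]

if __name__ == "__main__":
    for record in dnsbl_records(offenders(SAMPLE_LOG)):
        print(record)
```

The MTA would then query this zone like any other RBL; expiring entries after a while keeps a shared or reassigned IP from staying listed indefinitely.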

