>In this attack, an SMTP server is probed for common names, presumably
>so that spam can then be targeted at them. The attacking machine
>connects and issues hundreds of RCPT TO: commands, searching a long
>list of common user names (e.g. susan) for ones that don't cause
>errors. It then compiles a list of target addresses to spam.

This is a good reason for sendmail users to add the following to their .cf files:

    O PrivacyOptions=goaway

This will prevent VRFY and EXPN commands from functioning at all and releasing correct addresses.

>Unfortunately, the attack -- besides allowing the perpetrator to spam
>users -- also brings SMTP servers to their knees. This happens most
>often if the server maintains lists of user names in a database where
>looking up a name requires substantial disk activity or computational
>overhead.

While the 'goaway' option may not prevent the program from continuing to verify addresses, it will keep your users' addresses from being picked up by the program.

Perhaps someone with better sendmail experience could come up with an idea to automatically disconnect connections that are issuing more than 25 VRFY statements at a time?

Cheers,
John E. Martin

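The per-connection limit asked about at the end of the message can be sketched as follows. This is an added example, not part of the original post and not sendmail code; it goes beyond the post's VRFY count by also counting rejected RCPT TO: commands, since the quoted description uses RCPT TO:. The function names, the `(conn_id, command, reply_code)` input shape and all sample traffic are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

PROBE_LIMIT = 25  # from the post: more than 25 probes on one connection

# Verbs whose replies reveal whether a mailbox exists.
PROBE_VERB = re.compile(r"^(VRFY|EXPN|RCPT)\b", re.IGNORECASE)


def connections_to_drop(events, limit=PROBE_LIMIT):
    """Return {conn_id: index of the event that exceeded the limit}.

    events: (conn_id, command_line, reply_code) tuples in arrival order,
    an assumed shape such as an SMTP proxy or filter hook might supply.
    """
    counts = defaultdict(int)
    dropped = {}
    for index, (conn_id, line, reply) in enumerate(events):
        if conn_id in dropped:
            continue  # already disconnected, ignore anything further
        match = PROBE_VERB.match(line.strip())
        if not match:
            continue  # MAIL, RSET etc. neither count nor reset the counter
        if match.group(1).upper() == "RCPT" and not 500 <= reply <= 599:
            continue  # accepted recipients are normal mail, not guesses
        counts[conn_id] += 1
        if counts[conn_id] > limit:
            dropped[conn_id] = index
    return dropped


def sample_events():
    """Constructed sample traffic, not taken from a real log."""
    events = [("c1", "MAIL FROM:<>", 250)]
    # c1: 30 guessed names, only guess number 5 exists
    events += [("c1", f"RCPT TO:<user{i}@example.com>", 250 if i == 5 else 550)
               for i in range(30)]
    # c2: legitimate list delivery, 40 accepted recipients
    events += [("c2", f"RCPT TO:<member{i}@example.com>", 250)
               for i in range(40)]
    # c3: 26 VRFY commands, counted whatever the reply code is
    events += [("c3", f"VRFY user{i}", 252) for i in range(26)]
    return events


if __name__ == "__main__":
    for conn, idx in connections_to_drop(sample_events()).items():
        print(f"disconnect {conn} at event {idx}")
```

Counting only rejected RCPT TO: commands keeps a large legitimate delivery (c2 in the sample) from tripping the limit, while VRFY and EXPN are counted regardless of the reply.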
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:27 PDT