This is a good idea, but the problem with this program is that it acts as if it were sending mail to a user, not using the VRFY command, but the RCPT TO: command, as any normal mail user agent would. I have been playing around with an idea that would send false RCPT TO: errors after a certain number of failures. This would, at the very least, not give the program any more information than the first couple of RCPT TO:s, until a certain number of bad RCPT TO:s happen. There are other ways of doing this, that are not appropriate for this use, that limit the total number of RCPT TO:s accepted. This can be done (at least in 8.9.3) using the O MaxRecipientsPerMessage directive in the sendmail.cf file.

Ryan Permeh

At 09:36 AM 3/9/99 -0800, you wrote:
>>In this attack, an SMTP server is probed for common names, presumably
>>so that spam can then be targeted at them. The attacking machine
>>connects and issues hundreds of RCPT TO: commands, searching a long
>>list of common user names (e.g. susan) for ones that don't cause
>>errors. It then compiles a list of target addresses to spam.
>
>This is a good reason for sendmail users to add the following to their .cf
>files:
>
>
>O PrivacyOptions=goaway
>
>
>This will prevent VRFY and EXPN commands from functioning at all and
>releasing correct addresses.
>
>>Unfortunately, the attack -- besides allowing the perpetrator to spam
>>users -- also brings SMTP servers to their knees. This happens most
>>often if the server maintains lists of user names in a database where
>>looking up a name requires substantial disk activity or computational
>>overhead.
>
>While the 'goaway' option may not prevent the program from continuing to
>verify addresses, it will keep your users' addresses from being picked up by
>the program.
>
>Perhaps someone with better sendmail experience could come up with an idea
>to automatically disconnect connections that are issuing more than 25 VRFY
>statements at a time?
>
>Cheers,
>John E. Martin
>

Ryan R Permeh               E-MAIL: rrpermehat_private
IS Engineer                 WEB   : http://www.rconnect.com http://www.response.net
Rural Connections /         HELP  : helpat_private
Response Inc.               FAQ   : http://www.rconnect.com/help
                            SALES : salesat_private
------------------------------------------------------------
120 First Street NE         PHONE : (507) 281-5005
Rochester, MN 55906         FAX   : (507) 281-9272
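As an added example (not code from this thread, nor from sendmail itself), here is the per-session RCPT TO policy Ryan sketches, written in Python: a fixed cap on recipients per message, in the spirit of O MaxRecipientsPerMessage, plus a failure threshold after which every further RCPT TO gets the same "User unknown" reply, so a dictionary prober learns nothing more. The user table, threshold values and reply strings are constructed for illustration.

```python
"""Per-connection RCPT TO policy model (added example, not from the thread)."""

# Constructed sample local-user table; a real MTA would consult passwd,
# aliases or a directory instead.
KNOWN_USERS = {"susan", "postmaster", "webmaster"}


class RcptPolicy:
    """Tracks one SMTP session's RCPT TO commands and decides each reply."""

    def __init__(self, known_users, max_unknown=3, max_recipients=25):
        self.known_users = {u.lower() for u in known_users}
        self.max_unknown = max_unknown        # unknown recipients tolerated
        self.max_recipients = max_recipients  # hard cap per message
        self.rcpt_count = 0
        self.unknown_count = 0
        self.accepted = []                    # recipients we really took

    def rcpt_to(self, localpart):
        """Return the SMTP reply for one RCPT TO:<localpart@...> command."""
        self.rcpt_count += 1
        if self.rcpt_count > self.max_recipients:
            # Equivalent in spirit to MaxRecipientsPerMessage: refuse outright.
            return "452 Too many recipients"
        if self.unknown_count >= self.max_unknown:
            # Past the failure threshold: answer uniformly, valid user or not,
            # so the reply no longer leaks whether the name exists.
            return "550 User unknown"
        if localpart.lower() in self.known_users:
            self.accepted.append(localpart)
            return "250 OK"
        self.unknown_count += 1
        return "550 User unknown"

    def reset(self):
        """Call on RSET or after DATA: counters are per message, not per host."""
        self.rcpt_count = 0
        self.unknown_count = 0
        self.accepted = []


def run_session(policy, localparts):
    """Feed a list of RCPT TO local parts through the policy; return replies."""
    return [policy.rcpt_to(name) for name in localparts]
```

A legitimate sender who mistypes max_unknown addresses in one message will have later valid recipients refused too, so the thresholds trade off harvesting resistance against that nuisance.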
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:35 PDT