Re: email address probes

From: Brad Arlt (arltat_private)
Date: Wed Feb 05 2003 - 14:26:12 PST


    On Wed, Feb 05, 2003 at 08:54:19PM +0000, Andy Bastien wrote:
    > Where I work, we've been getting lots of attempts to send email to random
    > addresses at our domain.  All of these attempts have been coming from
    > valid servers operated by AOL, MSN, and Hotmail.  I'm guessing that
    > this is an attempt to find some spam targets, although I suppose that
    > there could be something worse in store.
    > 
    > I'd like to be able to stop these attempts, but I can't think of a way
    > to do it.  All of the attempts are coming from valid servers from some
    > domains that we can't block.  They do all have null reverse-paths
    > (MAIL FROM:<>), but I don't think that we can reject on this criteria
    > as null reverse-paths are used to send NDRs and other notifications
    > which we don't want to block.  I suppose that we could accept the
    > emails and dump them to /dev/null (or to some tarpit account so that
    > we can inspect them) instead of replying with a "550 User unknown,"
    > but I suspect that this could cause us more headaches in the future.
    > Does anyone have any suggestions as to how we could handle this
    > problem?
    
    Rumpelstilzchen is the fancy hax0r name for the problem.
    
    We use Sendmail and Milter to make this less of an issue.  We have a
    milter program that uses the number of correct addresses vs
    number of incorrect addresses for each connecting IP address. If the
    ratio exceeds a certain number all addresses are temporarily
    unavailable (return 4xx SMTP error code).
    
    The first ten addresses in a connection are treated normally if the IP
    address hasn't been marked as guessing too much (exceeded the ratio),
    so 3 bad addresses can't block a server.
    
    Sounds simple, but is shockingly effective.
    
    We currently don't do automatic recovery, but have never had any
    complaints in the 3+ months that this has been running (postmaster is
    allowed through always).  Shouldn't be too hard to recover
    automatically though.
    -----------------------------------------------------------------------
       __o		Bradley Arlt			Security Team Lead
     _ \<_		arltat_private		University Of Calgary
    (_)/(_) 	I should be biking right now.	Computer Science
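    An added illustration of the per-IP good/bad recipient ratio described
    above (this is not Brad's milter and not Sendmail code; it is a
    standalone policy object that a milter or MTA hook could call once per
    RCPT TO). The valid local-parts, the ratio threshold of 2.0, the
    per-connection grace of ten recipients, the reply strings and the
    optional time-based recovery are all assumptions made for the example;
    the recovery is the "automatic recovery" the post says is not yet
    implemented, added here to show how little it takes.

```python
"""Per-IP recipient-probe throttle: tempfail (4xx) every recipient from a
host whose ratio of unknown to known recipients climbs too high."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of deliverable local-parts. A real deployment would
# ask the MTA's user/alias tables instead (assumption for this example).
VALID_LOCAL_PARTS = {"alice", "bob", "helpdesk", "postmaster"}

ACCEPT = "250 2.1.5 Recipient ok"
UNKNOWN = "550 5.1.1 User unknown"
TEMPFAIL = "450 4.7.1 Too many unknown recipients from your host, try again later"


@dataclass
class PeerStats:
    good: int = 0                      # known recipients seen from this IP
    bad: int = 0                       # unknown recipients seen from this IP
    blocked_at: Optional[float] = None  # time the IP was marked as guessing


class RecipientProbePolicy:
    def __init__(self, max_bad_ratio: float = 2.0, grace: int = 10,
                 recovery_seconds: Optional[float] = None) -> None:
        self.max_bad_ratio = max_bad_ratio   # bad/(good+1) above this => block
        self.grace = grace                   # recipients per connection judged normally
        self.recovery_seconds = recovery_seconds  # None = no automatic recovery
        self.peers: Dict[str, PeerStats] = {}

    @staticmethod
    def _local_part(rcpt: str) -> str:
        return rcpt.strip("<>").split("@", 1)[0].lower()

    def _is_deliverable(self, rcpt: str) -> bool:
        return self._local_part(rcpt) in VALID_LOCAL_PARTS

    def _still_blocked(self, stats: PeerStats, now: float) -> bool:
        if stats.blocked_at is None:
            return False
        # Automatic recovery: forget the IP's history once the block has aged out.
        if (self.recovery_seconds is not None
                and now - stats.blocked_at >= self.recovery_seconds):
            stats.good = stats.bad = 0
            stats.blocked_at = None
            return False
        return True

    def check_rcpt(self, ip: str, rcpt: str, rcpt_index: int,
                   now: Optional[float] = None) -> str:
        """Return the SMTP reply for the rcpt_index-th (1-based) RCPT TO of a
        connection from `ip`."""
        now = time.time() if now is None else now
        stats = self.peers.setdefault(ip, PeerStats())

        # postmaster is always let through, blocked host or not.
        if self._local_part(rcpt) == "postmaster":
            return ACCEPT
        if self._still_blocked(stats, now):
            return TEMPFAIL

        deliverable = self._is_deliverable(rcpt)
        if deliverable:
            stats.good += 1
        else:
            stats.bad += 1

        # The first `grace` recipients of a connection get the normal answer;
        # a few typos from a legitimate server can never trip the block.
        if rcpt_index > self.grace and stats.bad / (stats.good + 1) > self.max_bad_ratio:
            stats.blocked_at = now
            return TEMPFAIL
        return ACCEPT if deliverable else UNKNOWN


def run_session(policy: RecipientProbePolicy, ip: str, recipients: List[str],
                now: float = 0.0) -> List[str]:
    """Feed one SMTP session's RCPT TO list through the policy, in order."""
    return [policy.check_rcpt(ip, r, i, now) for i, r in enumerate(recipients, 1)]


if __name__ == "__main__":
    pol = RecipientProbePolicy(recovery_seconds=3600)
    probe = [f"user{i}@example.com" for i in range(12)]   # constructed dictionary probe
    for reply in run_session(pol, "192.0.2.10", probe):
        print(reply)
```

    The grace window is per connection, as in the post, while the counters
    are per IP, so a host that keeps each connection under ten recipients
    still accumulates a bad count and is judged on its ratio as soon as a
    longer connection arrives. Returning 4xx rather than 5xx means a server
    that was wrongly marked simply queues and retries, which is what makes
    the block cheap to apply and cheap to lift.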
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 08:52:58 PST