>the mess). I think the only reliable option in IMail is to force users to
>come from specific IP addresses, or use SMTP AUTH.
You have to use both: "Relay for Addresses" and "UNcheck Disable SMTP AUTH
reporting" is the best combo in Imail for anti-relay.
(However, the above setup is useless for anti-spam defense of Imail local
accounts, which is a totally separate problem. Against that, Imail offers
only header and content filtering)
But note that Imail's "Relay for Addresses" is unreliable if the gateway
router is not also set up to block spoofing of the "inside" addresses in
Imail's list of relayed-for addresses.
(we had a guy in this list awhile back that was getting hijacked, we told
him to add Relay for Addresses, he did, but was still getting hijacked
because the spammer had spoofed the guy's relayed-for ip addresses and the
guy did not have his gateway router setup to block spoofing of his inside
ip's.)
> > In SMTP Security setting the check in the Disable SMTP VRFY Command
> > box prevents spammers from mass verifying Email addresses as valid
> > on your server.
>
>FYI, although this is very, very common (disabling VRFY), it doesn't do a
>thing!
It does do something, in that it slows down dictionary attacks, but, no,
not by very much.
>All you have to do is send a "MAIL FROM" command, and then a "RCPT TO"
>command, and you'll see whether or not the user exists.
This is still a dictionary attack, but without the tiny convenience and
protocol assist of SMTP VRFY. Mail account dictionary attacks, basically
in the DoS category, are a bitch to defend against in general, and Imail's
only defense is the "tarpitting" tactic of limiting the number of different ...
"RCPT TO: recipient@imaildomain"
... in a given SMTP session.
I would like to see an Imail log where such an attack was short-circuited by
the Imail limit. Does Imail log this event with a specific msg? I would also
like Imail to push out an email to Postmaster@localhost to signal such an
event.
What SMTP command does Imail respond with when Imail hits the "RCPT TO:" limit?
Does Imail abort the session and continue "ldeliver" the msgs received up
to that point or does Imail drop (not deliver) all the msgs? I personally
would set the Imail limit low, like 20, since in our smallish operation,
it's extremely rare that any one mail server will be trying to deliver to
20+ of our mail accounts in one SMTP session.
OK, I just went log surfing and caught this valid instance in our logs:
HELO somespammer
MAIL FROM: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
Len: So what would Imail have done above if I would have had "7" as my
limit. The session is aborted? And the next step is not executed, ie, no
queuing of msg body to an .smd file?
D:\IMAIL\spool\Da7cd176.SMD 58737
Len: immediately, an SMTP client process hops on the .smd queue file and
starts local delivering:
processing D:\IMAIL\spool\Qa7cd176.SMD
ldeliver someplace.com alberto-main (1) <[EMAIL PROTECTED]> 58737
ldeliver someplace.com antonio-main (1) <[EMAIL PROTECTED]> 58737
ldeliver someplace.com marta-main (1) <[EMAIL PROTECTED]> 58737
>You can send multiple RCPT TO commands to check further users. Of course,
>spammers (or spammer program designers) may not know this.
I assure you, spammer program developers know that multiple RCPT TO:
commands can be included in a single SMTP session. vbg This tactic is the
most efficient way to conduct a dictionary attack. The other way, to (
open + test-send-one-RCPT TO: + close ) an SMTP session is much slower for
the address harvester program, but for us, it's impossible for Imail to
defend against and much heavier for Imail in DoS effect.
Len
http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5 installable binary for NT4
http://IMGate.MEIway.com: Build free, hi-perf, anti-spam mail gateways
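
Added example, not part of the original message and not IMail code: a log check that flags both patterns discussed above, many distinct RCPT TO addresses in one SMTP session and one RCPT TO per session repeated across many sessions from the same client. The log layout, the function names and the sample lines are assumptions constructed for the example; the limit of 20 is the value suggested in the message.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed input, one line per event: '<client-ip> <session-id> <SMTP command>'.
    This layout is an assumption for the example, not IMail's log format."""
    lines = []
    # Pattern 1: many guessed recipients inside a single session.
    lines += [f"192.0.2.10 s1 RCPT TO:<user{i}@example.com>" for i in range(25)]
    # Pattern 2: open, test one recipient, close; repeated over many sessions.
    for i in range(30):
        lines += [f"198.51.100.7 t{i} MAIL FROM:<x@example.net>",
                  f"198.51.100.7 t{i} RCPT TO:<name{i}@example.com>"]
    # Ordinary delivery to three local accounts in one session.
    lines += [f"203.0.113.5 u1 RCPT TO:<{n}@example.com>"
              for n in ("alberto", "antonio", "marta")]
    return "\n".join(lines)

def find_harvesters(log_text, limit=20):
    """Return (bulk, slow).
    bulk: {(ip, session): n} sessions with more than `limit` distinct recipients.
    slow: {ip: n} clients over `limit` distinct recipients in total although
          no single session of theirs crossed the limit."""
    per_session = defaultdict(set)   # (ip, session) -> distinct recipients
    per_client = defaultdict(set)    # ip -> distinct recipients, all sessions
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[2].upper().startswith("RCPT TO:"):
            continue                 # skip malformed lines and other commands
        ip, sid, cmd = parts
        rcpt = cmd[len("RCPT TO:"):].strip().strip("<>").lower()
        per_session[(ip, sid)].add(rcpt)
        per_client[ip].add(rcpt)
    bulk = {k: len(v) for k, v in per_session.items() if len(v) > limit}
    bulk_ips = {ip for ip, _ in bulk}
    slow = {ip: len(v) for ip, v in per_client.items()
            if len(v) > limit and ip not in bulk_ips}
    return bulk, slow

if __name__ == "__main__":
    bulk, slow = find_harvesters(build_sample_log())
    print("sessions over limit:", bulk)
    print("clients over limit across sessions:", slow)
```

The per-client count assumes the log text covers one review window (for example an hour); a per-session limit alone never sees the second pattern.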