Jose-Marcio Martins da Cruz put forth on 12/2/2010 2:40 AM:
> Victor Duchovni wrote:
>> On Wed, Dec 01, 2010 at 11:43:30PM -0600, Stan Hoeppner wrote:
> 
>> The lookup is always a cache miss. Then an SMTP probe is sent. Dictionary
>> attacks always yield cache misses.
> 
>> You are forgetting that dictionary attacks are almost exclusively queries
>> for non-existent users. Think clearly, and think outside the box about
>> worst-case behaviour.
> 
>> Because I am not thinking about normal loads that don't matter. One
>> needs to survive hostile loads.
>>
> 
> Just to illustrate with numbers, what Viktor says, a daily activity on
> one of our servers (not a big one): from all connections reaching a
> "RCPT To" step, 18313 are to real users and 76623 to non-existing users.
> Well, this is a daily normal activity, not even a hostile load. Clearly,
> most checks are cache misses.

Whether 'most' would be cache misses would depend on how you have your
verify(8) database cache configured (it does cache negative results),
and the nature of those 76623 connections.  Search those 76623 and see
how many are duplicates.  It's probably a lot more than you'd think,
because spammers have been spamming to scraped message IDs for years.

I'll have to do some checking, but I'm pretty sure that at $mydomain
about 80% of all spam addressed to non-existent users is addressed to
scraped message IDs or butchered variants of them.  This happens when
spammers pass/sell their lists amongst one another and don't take any
care when exporting/copying the address data.  In the case of message ID
spam, the verify(8) cache would work well.  Of note, I've never seen an
actual 'dictionary' attack on any of my MX machines.  Note I didn't say
they don't occur, only that I've yet to see one.  I have seen dictionary
attacks against FTP and SSH ports, but not SMTP.  Given how fruitless
they are, I would suspect even dumb spammers probably avoid dictionary
spamming today.

-- 
Stan
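To put numbers on the duplicate-rate question raised above, here is an added example (not from the thread, and not Postfix code): it parses constructed reject log lines and replays the recipients against a simplified model of the verify(8) negative cache. The 3-day lifetime is assumed from the default address_verify_negative_expire_time; the daemon's separate negative refresh timer is not modelled.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): Postfix-style smtpd
# rejects of RCPT TO for non-existent recipients. Two message-ID style
# addresses recur (scraped-list traffic); the alphabetical ones mimic a
# dictionary run that never repeats an address.
SAMPLE_LOG = """\
Dec  2 02:40:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <20101201.a1b2@example.com>: Recipient address rejected: unverified address
Dec  2 02:41:15 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.1.1 <20101201.a1b2@example.com>: Recipient address rejected: unverified address
Dec  2 02:42:30 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 450 4.1.1 <20101130.c3d4@example.com>: Recipient address rejected: unverified address
Dec  2 02:43:00 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 450 4.1.1 <aaron@example.com>: Recipient address rejected: unverified address
Dec  2 02:43:01 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 450 4.1.1 <abby@example.com>: Recipient address rejected: unverified address
Dec  2 02:43:02 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 450 4.1.1 <abel@example.com>: Recipient address rejected: unverified address
Dec  2 03:10:00 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 450 4.1.1 <20101130.c3d4@example.com>: Recipient address rejected: unverified address
Dec  2 03:15:00 mx postfix/smtpd[2106]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 450 4.1.1 <20101201.A1B2@example.com>: Recipient address rejected: unverified address
Dec  2 03:20:00 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[192.0.2.16]: 450 4.1.1 <abigail@example.com>: Recipient address rejected: unverified address
"""

# Recipient sits in angle brackets after the SMTP status and enhanced code.
RCPT_RE = re.compile(r"RCPT from \S+: \d{3} [\d.]+ <([^>]+)>:")

def parse_events(log_text):
    """Return [(timestamp, recipient)] for each reject line (year ignored)."""
    events = []
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        stamp = " ".join(line.split()[:3])          # "Dec 2 02:40:01"
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")
        events.append((ts, m.group(1).lower()))     # addresses compared case-insensitively
    return events

def simulate_negative_cache(events, expire_seconds=3 * 24 * 3600):
    """Replay lookups against a negative cache with a fixed lifetime (assumed
    3-day default). A recipient whose failure was cached within `expire_seconds`
    is a hit; every other lookup is a miss that costs an SMTP probe."""
    expire = timedelta(seconds=expire_seconds)
    cache = {}                                      # recipient -> time failure was cached
    misses = hits = 0
    for ts, rcpt in events:
        cached_at = cache.get(rcpt)
        if cached_at is not None and ts - cached_at <= expire:
            hits += 1
        else:
            misses += 1
            cache[rcpt] = ts
    return {"total": len(events), "unique": len(cache), "hits": hits, "misses": misses}
```

Run over real mail logs, the ratio of `unique` to `total` is the duplicate rate Stan asks about; with a dictionary run every address is unique, so `hits` stays at zero regardless of the cache lifetime.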
