OK, by now I'm sure you've all heard about this thread that's
been going around about this program that connects to your
SMTP server, runs through a built in dictionary of addresses
verifying the validity of each address. It then takes the results
and sends emails to the ones it knows exists. It does something
like this.
On some other lists I'm on, people using Sendmail have been
going on and on about what can be done to fix it, why that fix
can cause other problems, blah, blah, blah. Me being the almighty
QMail supporter (notice I didn't say almighty QMail expert), decided
to put my $0.02 in about how QMail was better than Sendmail and
this spam program was an example of why QMail is better. Below,
you'll see a piece of the email I sent. I said that it was better because
it blindly acknowledges VRFY or RCPT requests. Then this guy emails
this response back (he's probably subscribed to this list).
I can see this guy's point, but I still feel that if you were subjected to
this attack, you'd be much better off with QMail than Sendmail, but I
can't really come up with any concrete facts as to why even though I'm
sure there are some. Does anyone know of any good reasons as to why
QMail is better suited to handle this attack? I'm sure there must be some
because no one on this list seems to worried about it.
Thanks,
Rick McMillin
I-Land Internet Services
-----Original Message-----
From: Bob Love <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, March 08, 1999 6:30 PM
Subject: RE: Your SMTP is about to be abused!
>>Yep, we run QMail and have been very happy with it. We
>>also received this message and ran some tests (like trying
>>the VRFY command) and it looks like QMail is not susceptible
>>to this type of spam attack.
>>
>>From what I've seen, it looks like what this spam program does
>>is connect to your SMTP server and use the VRFY command
>>to check to see if a certain email address is valid at your domain.
>
>Huh? Non susceptible? Rick... wake up and smell the coffee...
>
>telnet mail.internetland.net 25
>
>220 newton.internetland.net ESMTP
>vrfy ricklist
>252 send some mail, i'll try my best
>vrfy xyzzy
>252 send some mail, i'll try my best
>vrfy kjhfksjfdf
>252 send some mail, i'll try my best
>mail from:[EMAIL PROTECTED]
>250 ok
>rcpt to:ricklist
>250 ok
>rcpt to: xyzzy
>250 ok
>rcpt to kjhfksjfdf
>250 ok
>
>I'd worry, if I were you. For a start the program we're all speaking about
>doesn't use vrfy it uses rcpt
>
>In both cases on your server, if you're attacked, it will respond with a
>positive (or semi-positive in the case of vrfy) answer for EVERY word in
>their dictionary. Let's say they have a 500,000 word dictionary (I have no
>idea what size they use). Shortly after the harvesting attack, you're going
>to get 500,000 spams flooding into your mailserver (or more likely 5000
>messages with 100 BCC: recipients each?).
>
>Please don't take this as a personal message (my server's not much better)
>but I think we all need to worry about this scummy piece of software. It's
>already been suggested round here it could be used by our competition to
>harvest and target our users (ISP market is very small and competitive
>here). There's a lot more nasty uses for this software than just spam...
;-(
>
>Regards
>
>Bob
>
>
>
>_________________ • The ISP-TECH Discussion List • _________________
> To Remove, Send an Email to: mailto:[EMAIL PROTECTED]
> To Join, Send an Email to: mailto:[EMAIL PROTECTED]
>
>Make your POPs easier, more efficient, and smarter with a RAS solution
>from Ariel. For a limited time buy one RAS server and get a second for
>free. http://www.ariel.com/241 or call (888) RAS-3407.
>
>
>
>
>
>
