[Mimedefang] New spam technique
Recently spammers verified their mailing list using this SMTP dialogue. How do I add this to mimedefang?

220 scotty.example.com ESMTP Sendmail 8.12.11/8.12.11; Thu, 1 Jul 2004 15:08:21 -0700
HELO c-24-1-219-157.client.comcast.net
250 scotty.example.com Hello c-24-1-219-157.client.comcast.net [24.1.219.157], pleased to meet you
MAIL FROM: <[EMAIL PROTECTED]>
250 2.1.0 <[EMAIL PROTECTED]>... Sender ok
RCPT TO: <[EMAIL PROTECTED]>
550 5.1.1 <[EMAIL PROTECTED]>... User unknown
RCPT TO: <[EMAIL PROTECTED]>
250 2.1.5 <[EMAIL PROTECTED]>... Recipient ok
RCPT TO: <[EMAIL PROTECTED]>
250 2.1.5 <[EMAIL PROTECTED]>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Received: from 55.196.39.38 by 24.1.219.157; Thu, 20 Mar 2003 18:59:10 -0400
Message-ID:

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] New spam technique
On Fri, 2 Jul 2004, Penelope Fudd wrote:

> Recently spammers verified their mailing list using this SMTP dialogue.

This is an old technique called a "dictionary attack" or "directory harvesting". Sendmail 8.13 has countermeasures, like closing a connection after N bad SMTP commands.

I run a script from cron that parses the mail log and firewalls off directory harvesters.

--
David.
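David's cron script is not in the thread; the following is an added Python sketch of that approach (not his code): it parses constructed sendmail-style "User unknown" log lines, counts rejections per relay IP, and renders port-25 block rules for an operator to review. The log line format, the threshold and the iptables syntax are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a sendmail maillog (hosts and
# addresses are made up). The real format varies by version and config.
SAMPLE_MAILLOG = """\
Jul  5 09:50:01 scotty sendmail[4101]: i65Go1aa004101: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=c-24-1-219-157.client.comcast.net [24.1.219.157], reject=550 5.1.1 <aaron@example.com>... User unknown
Jul  5 09:50:01 scotty sendmail[4101]: i65Go1aa004101: ruleset=check_rcpt, arg1=<abby@example.com>, relay=c-24-1-219-157.client.comcast.net [24.1.219.157], reject=550 5.1.1 <abby@example.com>... User unknown
Jul  5 09:50:02 scotty sendmail[4101]: i65Go1aa004101: ruleset=check_rcpt, arg1=<adam@example.com>, relay=c-24-1-219-157.client.comcast.net [24.1.219.157], reject=550 5.1.1 <adam@example.com>... User unknown
Jul  5 09:50:02 scotty sendmail[4101]: i65Go1aa004101: from=<list@example.org>, size=1320, class=0, nrcpts=1, proto=ESMTP, relay=c-24-1-219-157.client.comcast.net [24.1.219.157]
Jul  5 09:51:40 scotty sendmail[4122]: i65Gp2bb004122: ruleset=check_rcpt, arg1=<bobb@example.com>, relay=mail.partner.example [192.0.2.10], reject=550 5.1.1 <bobb@example.com>... User unknown
Jul  5 09:52:11 scotty sendmail[4130]: i65Gq3cc004130: from=<alice@partner.example>, size=2048, class=0, nrcpts=1, proto=ESMTP, relay=mail.partner.example [192.0.2.10]
"""

# "User unknown" rejections, keyed on the relay's IP (the hostname may be absent).
USER_UNKNOWN_RE = re.compile(
    r"relay=(?:\S+\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*\bUser unknown\b"
)


def count_unknown_recipients(log_text):
    """Map each relay IP to its number of 'User unknown' rejections."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = USER_UNKNOWN_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def find_harvesters(log_text, threshold=3):
    """Relays with at least `threshold` rejections, busiest first.

    The threshold is a tuning knob: one bad address is a typo, a run of
    them from one relay inside one log window is a directory harvest."""
    counts = count_unknown_recipients(log_text)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def firewall_rules(harvesters):
    """Render port-25 block rules (iptables syntax chosen for the example)
    for an operator to review before applying; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"
            for ip, _ in harvesters]


if __name__ == "__main__":
    for rule in firewall_rules(find_harvesters(SAMPLE_MAILLOG)):
        print(rule)
```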
Re: [Mimedefang] New spam technique
On Mon, 2004-07-05 at 09:50, David F. Skoll wrote:

> > Recently spammers verified their mailing list using this SMTP dialogue.
>
> This is an old technique called a "dictionary attack" or "directory
> harvesting".
>
> Sendmail 8.13 has countermeasures, like closing a connection after N bad
> SMTP commands.

I think spammers have adapted by sending only a few addresses at a time, perhaps from virus-owned zombie relays. I still have one box running qmail with port 25 open directly to the internet although its MX is through a sendmail/mimedefang relay. It gets thousands of bad-address spams a day hitting its open port directly but in patterns of 6 or so from any one sender at a time. The domain is due to be moved elsewhere soon so I haven't done anything to try to fix the problem yet.

---
Les Mikesell
[EMAIL PROTECTED]
Re: [Mimedefang] New spam technique
On Mon, 5 Jul 2004, Les Mikesell wrote:

> I think spammers have adapted by sending only a few addresses at
> a time, perhaps from virus-owned zombie relays.

That was the logical next step. It's practically impossible to fight that. And honestly, until directory harvest attacks start overloading my machine or costing me bandwidth, I ignore them just like I ignore most port scans.

Regards,

David.
RE: [Mimedefang] New spam technique
> > I think spammers have adapted by sending only a few addresses at
> > a time, perhaps from virus-owned zombie relays.
>
> That was the logical next step. It's practically impossible to fight
> that. And honestly, until directory harvest attacks start overloading
> my machine or costing me bandwidth, I ignore them just like I
> ignore most port scans.

One possible approach is to appear to accept all addresses, then check the recipient address but take no action until the DATA phase - at which point you can refuse the message with a 5xx error without indicating whether the address exists or not. That way, they spend time compiling a list where all of their guesses appear to work, but none of their messages get through - and they don't know whether it's because the user doesn't exist, or they are blacklisted, or your spam filter caught them, etc.

In a good implementation, you could combine this with the greylist database to permanently blacklist any sender/relay combination which had three or more wrong addresses. In the meantime, you have an easy way of identifying anyone using this technique, as you can flag it for Graphdefang to analyse.

Best Wishes,

Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741 Fax. 01223 433788
___
DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please contact the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741
RE: [Mimedefang] New spam technique
On Mon, 5 Jul 2004, Paul Murphy wrote:

> One possible approach is to appear to accept all addresses, then
> check the recipient address but take no action until the DATA phase
> - at which point you can refuse the message with a 5xx error without
> indicating whether the address exists or not.

That doesn't work if there is more than one recipient, some valid and some invalid. At the end of DATA, you can only indicate success or failure for the entire message and all recipients.

Exchange does this by default; it's forced to generate NDN's for invalid recipients.

Really, there needs to be an extension to SMTP that lets you return multiple success/failure codes after DATA (one code per recipient).

Regards,

David.
RE: [Mimedefang] New spam technique
David wrote:

> > One possible approach is to appear to accept all addresses, then
> > check the recipient address but take no action until the DATA phase
> > - at which point you can refuse the message with a 5xx error without
> > indicating whether the address exists or not.
>
> That doesn't work if there is more than one recipient, some
> valid and some invalid. At the end of DATA, you can only indicate success
> or failure for the entire message and all recipients.

Bouncing the message for all recipients if one of the recipients is invalid could be a valid approach, depending on the site policy. Alternatively, bouncing it if more than a small number (e.g. 2 or 3) are invalid would catch dictionary attacks without unduly impacting on messages with a typo in manually-added addresses.

Best Wishes,

Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741 Fax. 01223 433788
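As an added Python model of the approach Paul describes across his two messages (example code, not from the thread): every RCPT gets a uniform 250, the verdict is taken once at end-of-DATA, the message is refused only when more than a small number of recipients are invalid, and sender/relay pairs that guessed three or more wrong addresses are remembered. VALID_USERS, the thresholds and the class names are assumptions; the return value also carries David's caveat, namely the invalid recipients that a single 250 silently covers and that would need a locally generated bounce.

```python
from dataclasses import dataclass, field

# Constructed directory of valid local users; an assumption for the example.
VALID_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}


@dataclass
class Session:
    """One SMTP transaction: every RCPT is answered 250, the verdict waits for DATA."""
    relay_ip: str
    sender: str
    recipients: list = field(default_factory=list)

    def rcpt_to(self, address):
        # Uniform reply: the peer learns nothing about whether the user exists.
        self.recipients.append(address)
        return "250 2.1.5 Recipient ok"

    def valid_recipients(self):
        return [r for r in self.recipients if r in VALID_USERS]

    def invalid_recipients(self):
        return [r for r in self.recipients if r not in VALID_USERS]


class HarvestPolicy:
    """End-of-DATA verdict plus a memory of sender/relay pairs that guessed too much."""

    def __init__(self, max_invalid=2, blacklist_after=3):
        self.max_invalid = max_invalid          # tolerate a typo or two
        self.blacklist_after = blacklist_after  # "three or more wrong addresses"
        self.blacklist = set()                  # (relay_ip, sender) pairs

    def end_of_data(self, session):
        """Return (SMTP reply, recipients to deliver, recipients needing a local bounce)."""
        key = (session.relay_ip, session.sender)
        invalid = session.invalid_recipients()
        if len(invalid) >= self.blacklist_after:
            self.blacklist.add(key)
        if key in self.blacklist or len(invalid) > self.max_invalid:
            # One 5xx covers the whole message, so no address is confirmed or denied.
            return "550 5.7.1 Message rejected", [], []
        # Accepted: the single 250 also covers the invalid recipients (the
        # thread's caveat), so those now need a bounce generated on our side.
        return "250 2.0.0 Message accepted", session.valid_recipients(), invalid
```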
Re: [Mimedefang] New spam technique
> I think spammers have adapted by sending only a few addresses at
> a time, perhaps from virus-owned zombie relays.

Definitely. Over 1/10 of our smtp connections have user unknowns.

I am trying to find peace in the idea that they can waste their time building lists of addresses that are going to be useless when we reject the actual spam. Let 'em spin their wheels.

Of course I'll change my mind when we identify a solution.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
RE: [Mimedefang] New spam technique
[EMAIL PROTECTED] wrote on 07/05/2004 02:27:49 PM:

> That doesn't work if there is more than one recipient, some valid and some
> invalid. At the end of DATA, you can only indicate success or failure for
> the entire message and all recipients.
>
> Exchange does this by default; it's forced to generate NDN's for invalid
> recipients.
>
> Really, there needs to be an extension to SMTP that lets you return
> multiple success/failure codes after DATA (one code per recipient).

But if you return a code at the end that says [EMAIL PROTECTED] is invalid, but [EMAIL PROTECTED] is valid, have you really changed anything from when you failed it after RCPT TO? It doesn't seem that way. The spammers still know which addresses got through, and which ones were rejected, and they can still clean their lists.
Re: [Mimedefang] New spam technique
On Tue, 2004-07-06 at 07:52, Joseph Brennan wrote:

> > I think spammers have adapted by sending only a few addresses at
> > a time, perhaps from virus-owned zombie relays.
>
> Definitely. Over 1/10 our smtp connections have user unknowns.
>
> I am trying to find peace in the idea that they can waste their time
> building lists of addresses that are going to be useless when we
> reject the actual spam. Let 'em spin their wheels.

The real problem is for relays that forward whole domains to otherwise firewalled servers where the relay accepts without checking the local address and is then forced to return a bounce when the real server rejects it. I'm getting enough that I'll have to fix it. I think greylisting will eliminate most of these when they hit mimedefang, but I still have that one box with qmail and things hitting it directly instead of following the MX. It isn't even a straight qmail install - it is an SMEserver with smtpfront accepting everything, then bouncing the bad addresses.

---
Les Mikesell
[EMAIL PROTECTED]
Re: Re: [Mimedefang] New spam technique
We had a similar issue like this. We simply relayed everything to an internal MS Exchange box. So we accepted everything at the front door, including randomly generated addresses that would never exist. We did it like this because we were lazy. And though I like the idea of wasting spammers' bandwidth on addresses that don't exist, I don't enjoy wasting my bandwidth. So we bit the bullet and wrote a script to export Active Directory addresses and make a custom virtuser table in sendmail. Now we drop a couple thousand msgs a day just due to invalid addresses and only relay explicit addresses that are known to exist.

-john

From: Les Mikesell <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] New spam technique
Date: Tue, 06 Jul 2004 09:58:46 -0500