Re: Fw: Your SMTP is about to be abused!
Brad Shelton [EMAIL PROTECTED] writes:

> This whole thread has me wondering. I had a site start hitting on my smtp port a week or so ago. It just kept hitting the port, but didn't appear to be actually trying to negotiate any protocol transfers. There was no mail from or rcpt to, yet they just kept hitting the port, twice per second.

When we've had that problem, it's been because the sending server has been trying to use LF instead of CRLF. Patching happens...

/Jenny Holmberg
Re: Fw: Your SMTP is about to be abused!
On Tue, Mar 09, 1999 at 11:01:52AM -0500, Chris Johnson wrote:

> I may be giving them too much credit,

I'm sure you do :-(

However, "Fred Lindberg" [EMAIL PROTECTED] pointed out to me as an answer to my first post that there is a patch flying around (probably at http://www.qmai.org/) allowing restriction of the number of RCPT TOs within one single stream. This may be of help.

\Maex

-- 
SpaceNet GmbH             | http://www.Space.Net/       | In a world without
Research Development      | mailto:[EMAIL PROTECTED]    | walls and fences,
Joseph-Dollinger-Bogen 14 | Tel: +49 (89) 32356-0       | who needs
D-80807 Muenchen          | Fax: +49 (89) 32356-299     | Windows and Gates?
Re: Fw: Your SMTP is about to be abused!
Rick McMillin writes:

> Does anyone know of any good reasons as to why QMail is better suited to handle this attack?

Certainly something like this could happen. And yes, it would be a serious PITA because spammers rarely use a valid envelope sender, so the mail would all double-bounce. However, the whole point behind this program is for a spammer to use the information provided by rcpt-to to *avoid* having to send mail to every word in their dictionary. Since qmail doesn't provide any information, the first qmail site a spammer picks on will suck down all of their emailing capability, and they won't be successful in spamming, to the extent that spamming achieves any success.

In both cases on your server, if you're attacked, it will respond with a positive (or semi-positive in the case of vrfy) answer for EVERY word in their dictionary. Let's say they have a 500,000 word dictionary (I have no idea what size they use). Shortly after the harvesting attack, you're going to get 500,000 spams flooding into your mailserver (or more likely 5000 messages with 100 BCC: recipients each?).

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software | PGPok                   | There is good evidence
521 Pleasant Valley Rd.                  | +1 315 268 1925 voice   | that freedom is the
Potsdam, NY 13676-3213                   | +1 315 268 9201 FAX     | cause of world peace.
Re: Fw: Your SMTP is about to be abused!
On Wed, Mar 10, 1999 at 06:27:14PM -, Russell Nelson wrote:

> Rick McMillin writes:
>
>> Does anyone know of any good reasons as to why QMail is better suited to handle this attack?

This whole thread has me wondering. I had a site start hitting on my smtp port a week or so ago. It just kept hitting the port, but didn't appear to be actually trying to negotiate any protocol transfers. There was no mail from or rcpt to, yet they just kept hitting the port, twice per second. If I killed qmail-smtp and restarted, they would immediately jump over to the backup MX and start the same process.

The problems I had with it seemed only two, filling up my syslog and hogging the smtp port, slowing down legitimate smtp activity. I ended up blocking them at the router. I wonder if this was in any way related to this rcpt to attack?

-- 
Brad Shelton [EMAIL PROTECTED]
On Line Exchange http://ole.net
Detroit News http://detnews.com
Re: Fw: Your SMTP is about to be abused!
Russell Nelson writes:

> the mail would all double-bounce. However, the whole point behind this program is for a spammer to use the information provided by rcpt-to to *avoid* having to send mail to every word in their dictionary. Since qmail doesn't provide any information, the first qmail site a spammer picks on will suck down all of their emailing capability, and they won't be successful in spamming, to the extent that spamming achieves any success.

I am not particularly concerned with how successful the spammer's spam run is. Frankly, I really don't care. My own concerns and priorities take precedence. Therefore, I am asked whether receiving about a thousand separate messages, with an average of a hundred recipients each, most of them invalid, generating a hundred thousand separate bounces that I must mailbomb the forged sender with (and, if the forged domain's mail server is properly configured, mailbomb myself instead), is a price I'm willing to pay in order to make some trailer park trash's spam run less successful, by some marginal amount. The answer to me seems to be pretty clear -- it's not.

You are assuming that the spammer will realize that something is wrong. Nope. Ninety nine times out of a hundred it won't. They're stupid, dumb, and they have only a vague idea how SMTP works. They fire up the harvest-o-matic, go to sleep, wake up in the morning, and piss all over themselves seeing how many valid addresses the harvest-o-matic has collected. With dollar signs in their eyes over the prospect of making riches from selling golf balls, or laundry detergents, to this highly-targeted audience, they'll simply take the file with the addresses, and plug it into the Super Stealth Cloak-O Blastomatic 2000 Express Mail Disseminator.

-- 
Sam
Re: Fw: Your SMTP is about to be abused!
Rick McMillin [EMAIL PROTECTED] writes on 9 March 1999 at 09:30:22 -0600

> OK, by now I'm sure you've all heard about this thread that's been going around about this program that connects to your SMTP server, runs through a built in dictionary of addresses verifying the validity of each address. It then takes the results and sends emails to the ones it knows exists.

It does something like this. And qmail gives it a positive on every name it tries. This has up-sides and down-sides. If everybody did this, the attack wouldn't work at all and wouldn't be tried. It's sort-of like building one of those infinite mazes of web-pages with invalid addresses on every page to try to pollute the mailing lists of people harvesting web addresses.

On the other hand, since people ARE trying this attack, it means you'll be getting double-bounces on 500,000 pieces of spam soon, which might not be so good.

-- 
David Dyer-Bennet [EMAIL PROTECTED] http://www.ddb.com/~ddb (photos, sf)
Minicon: http://www.mnstf.org/minicon
http://ouroboros.demesne.com/ The Ouroboros Bookworms
Join the 20th century before it's too late!
Re: Fw: Your SMTP is about to be abused!
On Tue, Mar 09, 1999 at 09:55:06AM -0600, [EMAIL PROTECTED] wrote:

> Rick McMillin [EMAIL PROTECTED] writes on 9 March 1999 at 09:30:22 -0600
>
>> OK, by now I'm sure you've all heard about this thread that's been going around about this program that connects to your SMTP server, runs through a built in dictionary of addresses verifying the validity of each address. It then takes the results and sends emails to the ones it knows exists.
>
> It does something like this. And qmail gives it a positive on every name it tries. This has up-sides and down-sides. If everybody did this, the attack wouldn't work at all and wouldn't be tried. It's sort-of like building one of those infinite mazes of web-pages with invalid addresses on every page to try to pollute the mailing lists of people harvesting web addresses.

I may be giving them too much credit, but it's conceivable that this software considers a 100 percent positive rate as meaning what it does mean--that the results are meaningless. If that's the case, then qmail is immune to this attack.

Chris