Chris,
Becomes a trade-off. It's easily possible to reject
on that basis, but the flavor of RH & Ensim Hosting OS on
each box allows for catch-all accounts. We've had to use
these for two reasons:
#1: Morons can't read and send e-mails just a few
hairs off and that mail is eaten. This was resulting in
a slew of calls and having our CSRs trying to explain to
brain dead individuals why they're not getting 'vital'
mail because their senders aren't addressing it right.
While this isn't an uncommon problem, we found handling
it in the fashion we're doing reduced that CSR load severely
and thus it's better in the long run. Entering in tons of
aliases isn't a solution either, just more workload.
#2: As I mentioned previously, users are habitually
lazy and don't implement the easily accessed spam controls
on their valid accounts. Thus tons of sludge gets into
valid accounts and we don't see it, they never complain
or forward any of it so we can write legitimate SA rules to
stem the balance of it (you know, all that fun drug, illegal
software and porn spam). So by picking up the sends to bogus
accounts, we get a look at the stuff and kill it off almost
instantly prior to the rest of it making its way into our
users' accounts. This keeps them happy and paying the bill
when it arrives vs. comparing us to those who don't use this
practice. By the time SpamLords get their entire payload
out in small batches (to pass mass-mailing checks in place),
we've already stuck a new SA rule in place and we kill 90%
of them. High customer retention, minimal effort on our part.
The Con is we see tons of sludge when a dictionary
attack comes forth. If we had a method to simply reject that
with a 550 or other response that'd leave just the important
sludge so we can continue to write the SA rules and keep up
the pace.
We're using Sendmail as the MTA, nothing fancy there,
but it does pass through a Sendmail/MailScanner/ClamAV/SA
handling package prior to deleting, delivering or modifying
for notification delivery. That's worked quite well, don't
want to change that. Thus I asked what options we might have
for killing the large-scale dictionary attacks to the painfully
obvious garbage addresses.
David J. Duffner
VP Operations
NWC Corporation
NWCWEB.com
============================================
NWCWEB.com - Your Design & Hosting Solution!
Featuring Ensim Pro/Linux Servers, Hosted
Accounts, Web Design and e-Commerce services
NWC Corporation - Global e-Pay Solutions
============================================
> -----Original Message-----
> From: Christopher X. Candreva [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 26, 2004 12:25 PM
> To: [email protected]
> Subject: RE: slightly OT: sudden rise in Rumplestiltskin attacks?
>
>
> On Tue, 26 Oct 2004, Dave Duffner - NWCWEB.com wrote:
>
> > Is there a way, possibly with SpamAssassin, to
> > simply reject anything not going to a valid user account?
>
> I think the question is, why are you accepting mail that
> isn't going to a valid user account in the first place? This should have
> happened in the SMTP dialog long before SA kicked in. As soon as the
> sending site says
>
> rcpt to: [EMAIL PROTECTED]
>
> You reply
>
> 550 User unknown.
>
> end of story.
>
> If you have a multi-layer mail system, where the accepting
> SMTP host doesn't have a list of accounts -- then that's the solution, but
> how to do it will depend on your MTA.
>
> ==========================================================
> Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
> WestNet Internet Services of Westchester http://www.westnet.com/
--
Message scanned by MailScanner, and is believed to be clean.
CONFIDENTIALITY NOTICE: This transmission intended for the
specified destination and person. If this is not you, this
e-mail must be deleted immediately. www.nwcweb.com
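
Added example, not part of the original messages and not a Sendmail, MailScanner or SpamAssassin feature: a sketch of the RCPT-time trade-off discussed above, where the catch-all keeps near-miss typos and a small sample of unknown recipients, but a client that probes many distinct unknown local parts gets "550 User unknown". The class name, thresholds, similarity cutoff and sample addresses are assumptions; wiring it into the MTA (for Sendmail, for instance through a milter) is left out.

```python
from collections import defaultdict, deque
from difflib import get_close_matches

class RcptPolicy:
    """Hypothetical RCPT-time policy (assumption, not an MTA built-in)."""

    def __init__(self, valid_users, max_unknown=5, window=300):
        self.valid = {u.lower() for u in valid_users}
        self.max_unknown = max_unknown      # distinct unknown rcpts tolerated per client
        self.window = window                # seconds a probe is remembered
        self.probes = defaultdict(deque)    # client ip -> deque of (time, local part)

    def check(self, client_ip, rcpt, now):
        """Return (smtp_code, text) for one RCPT TO from client_ip at time now."""
        local = rcpt.rsplit("@", 1)[0].lower()
        if local in self.valid:
            return 250, "OK"
        # Near miss of a real account: treat as a typo and keep it for the catch-all.
        if get_close_matches(local, self.valid, n=1, cutoff=0.8):
            return 250, "OK catch-all (near miss)"
        seen = self.probes[client_ip]
        while seen and now - seen[0][0] > self.window:
            seen.popleft()                  # forget probes older than the window
        if all(local != name for _, name in seen):
            seen.append((now, local))       # count each unknown local part once
        if len(seen) > self.max_unknown:
            return 550, "5.1.1 User unknown"
        return 250, "OK catch-all"

def replay(policy, events):
    """Run (time, ip, rcpt) events through the policy and return the reply codes."""
    return [policy.check(ip, rcpt, t)[0] for t, ip, rcpt in events]

# Constructed sample: one client walking a name list, then one sender with a typo.
SAMPLE = [(i, "192.0.2.10", f"{n}@example.com") for i, n in enumerate(
    ["adam", "alan", "andy", "anna", "bob", "carl", "dave"])]
SAMPLE.append((8, "198.51.100.7", "jsmth@example.com"))

if __name__ == "__main__":
    policy = RcptPolicy(["jsmith", "mary", "sales"])
    print(replay(policy, SAMPLE))
```

The first few unknown recipients from a client still reach the catch-all, so there is still a sample to write SA rules from; only the bulk of a dictionary run is refused.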