SPAMMERS getting recipients?

Steve Thomas lists at STHOMAS.NET
Tue Aug 26 22:31:55 IST 2003


On Tue, Aug 26, 2003 at 03:21:30PM -0600, Derrick Georgiades is rumored to have said:
>
> I am running sendmail 8.12.9 and just created a new aliases.
> After only a day I am catching spam for this new address and it has not been
> used yet.
> How is it possible that they found the address?  I guess they could try the
> usual of the users first initial and last name.
> Do they just store a database like this: "jdoe, jsmith, etc" and then throw
> those against whatever domain they are trying to hit?
>

Check your log file. You'll probably see hundreds (thousands?) of "user unknown" errors. This type of "dictionary" attack is very common, from what I've seen on my servers.

At my office, things used to be configured so that the name checking wasn't happening until the local delivery phase, so all those messages got accepted, then bounced to the admin (me) when they were unreturnable to the forged spammer address. After a few of these attacks, I rearranged things a bit and stopped those attacks cold.

On my personal server, I hang the connection for 30 seconds after 5 bad RCPT TO:s in a single session. This is done with the BAD_RCPT_THROTTLE option in sendmail - the default is a 1 second timeout, but I changed it to 30 in the source before compiling.

--
"Luck is the residue of design."
- Branch Rickey - former owner of the Brooklyn Dodger Baseball Team
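
The log check suggested in the reply above, as an added example that is not part of the original post: it joins "User unknown" rejections to the connecting relay by queue ID and flags relays at or above a threshold. The log lines are constructed samples in the usual sendmail syslog layout (an assumption; adjust the patterns to your logs), and the function names and the threshold of 5 (echoing the 5 bad RCPTs mentioned above) are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample data: one session probing six guessed names, plus one
# ordinary session with a single mistyped recipient.
NAMES = ["jdoe", "jsmith", "bjones", "mbrown", "klee", "awhite"]
SAMPLE_LOG = [
    f"Aug 26 15:02:1{i} mail sendmail[4101]: h7QL2B1x004101: "
    f"<{n}@example.com>... User unknown"
    for i, n in enumerate(NAMES)
] + [
    "Aug 26 15:02:17 mail sendmail[4101]: h7QL2B1x004101: "
    "from=<x@forged.example>, size=0, class=0, nrcpts=0, proto=SMTP, "
    "daemon=MTA, relay=[192.0.2.10]",
    "Aug 26 15:09:40 mail sendmail[4188]: h7QL9e1x004188: "
    "<sales@example.com>... User unknown",
    "Aug 26 15:09:41 mail sendmail[4188]: h7QL9e1x004188: "
    "from=<bob@example.net>, size=912, class=0, nrcpts=1, proto=ESMTP, "
    "daemon=MTA, relay=mx.example.net [198.51.100.7]",
]

# Assumed line layout: "sendmail[pid]: <queue id>: <message>"
UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (\w+): <([^>]*)>\.\.\. User unknown")
FROM_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=.*\brelay=(.+)$")

def bad_rcpts_by_relay(lines):
    """Return {relay: [rejected addresses]}, joined on the queue ID."""
    rejected = defaultdict(list)  # queue id -> rejected recipients
    relay_of = {}                 # queue id -> connecting relay
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m:
            rejected[m.group(1)].append(m.group(2).lower())
            continue
        m = FROM_RE.search(line)
        if m:
            relay_of[m.group(1)] = m.group(2).strip()
    by_relay = defaultdict(list)
    for qid, addrs in rejected.items():
        # Sessions dropped before a from= line is logged have no relay on record.
        by_relay[relay_of.get(qid, "unknown-relay")].extend(addrs)
    return dict(by_relay)

def suspects(lines, threshold=5):
    """Relays with at least `threshold` unknown recipients, worst first."""
    counts = {r: len(a) for r, a in bad_rcpts_by_relay(lines).items()}
    return sorted(((r, c) for r, c in counts.items() if c >= threshold),
                  key=lambda rc: -rc[1])

if __name__ == "__main__":
    for relay, count in suspects(SAMPLE_LOG):
        print(f"{count:5d} unknown recipients from {relay}")
```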


