LDAP/MTA helping Spammers?

Chris Lyon cslyon at gmail.com
Tue Jan 11 04:53:45 GMT 2005


I have seen a few messages float around the list on this subject and
wanted to give some of my input on it. I have been tracking the "User
unknown" messages for about a week now on one of my MailScanner systems
and have found something odd. About 90% of all the "User unknown"
messages are coming from different hosts not seen before. So in other
words a single IP address will open an SMTP connection, send a message
to anywhere from 5 to 29 recipients and drop the connection. We will
generate the "User unknown" back to them during the connection since
they are not on the list. That same IP address will usually do this
style of attack three or four times in a few seconds. Only about 10% of
all the "User unknown" attacks show the same IP address again. (This
has only been a week and maybe this number will change.) The names they
are using are standard dictionary stuff: bob@, jeff@, todd@ ...etc. So
what are they hunting for? Are they trying to get past the spam engine?
Are they hunting for valid names?


I think they are doing all of the above but are mainly hunting for
names. So with that said, is using LDAP on the MTA giving too much
information back to the spammers as to what addresses are good/bad?


Any feedback?
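
The pattern described in the message above (one source rejected for many dictionary recipients within seconds, most sources never seen again) can be checked from the MTA log. This is an added example, not part of the original post: it assumes Postfix-style reject lines, and the sample lines, addresses and function names are constructed for illustration. Because most sources appear only once, it also lists local parts probed from more than one IP, which per-IP counting alone would miss.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log syntax: Postfix-style "User unknown" rejection at RCPT time.
REJECT = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*RCPT from \S*\[([\d.]+)\]: 550 5\.1\.1 <([^@>]+)@")

def parse(lines, year=2005):
    """Yield (timestamp, client_ip, local_part) for each rejected recipient."""
    for line in lines:
        m = REJECT.search(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3).lower()

def harvest_summary(lines, window=10, min_rcpts=5):
    """Return (bursts, shared): IPs with >= min_rcpts unknown-user rejections
    inside `window` seconds, and local parts probed by more than one IP."""
    by_ip, probers = defaultdict(list), defaultdict(set)
    for ts, ip, local in parse(lines):
        by_ip[ip].append(ts)
        probers[local].add(ip)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while (t - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_rcpts:
            bursts[ip] = best
    shared = sorted(n for n, ips in probers.items() if len(ips) > 1)
    return bursts, shared

def _line(hms, ip, local):  # builds one constructed sample log line
    return (f"Jan 10 {hms} mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{local}@example.com>: Recipient address rejected: User unknown")

# Constructed sample: two dictionary bursts and one isolated rejection (a typo).
SAMPLE = (
    [_line(f"04:50:0{i}", "192.0.2.10", n) for i, n in enumerate(["bob", "jeff", "todd", "ann", "joe"])]
    + [_line(f"04:52:3{i}", "198.51.100.7", n) for i, n in enumerate(["bob", "jeff", "mary", "sue", "tom", "al"])]
    + [_line("05:10:00", "203.0.113.5", "chris.lyons")]
)

if __name__ == "__main__":
    print(harvest_summary(SAMPLE))
```

The isolated rejection from the third address stays below the threshold, so an ordinary mistyped recipient is not reported as a burst.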
