LDAP/MTA helping Spammers?

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Tue Jan 11 09:07:00 GMT 2005


Chris

We use something similar to this. I can't say that I've analysed where
the non-user errors are coming from, but 66% of all the inbound spam is
for non-existent users. So this keeps my server load down quite a bit.

Given the effectiveness of MS/SA/ClamAV/Sophos at trapping unwanted
emails I'm not that worried that the bad guys might be brute force
harvesting email addresses this way. In fact bring it on!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Chris Lyon wrote:
> I have seen a few messages float around the list on this subject and
> wanted to give some of my input on it. I have been tracking the "User
> unknown" messages for about a week now on one of my MailScanner systems
> and have found something odd. About 90% of all the "User unknown" messages
> are coming from different hosts not seen before. So in other words a
> single IP address will open an SMTP connection, send a message to
> anywhere from 5 to 29 recipients and drop the connection. We will
> generate the "User unknown" back to them during the connection since
> they are not on the list. That same IP address will usually do
> this style of attack three or four times in a few seconds. Only about
> 10% of all the "User unknown" attacks show the same IP address again.
> (This has only been a week and maybe this number will change.)
> The names they are using are standard dictionary stuff: bob@,
> jeff@, todd@ ... etc. So what are they hunting for? Are they trying to
> get past the spam engine? Are they hunting for valid names?
>
>
> I think they are doing all of the above but are mainly hunting for names.
> So with that said, is using LDAP on the MTA giving too much information
> back to the spammers as to what addresses are good/bad?
>
>
> Any feedback?
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!


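Added example, not part of either post: one way to pick the pattern Chris describes (one IP, several connections within a few seconds, each with 5 or more "User unknown" recipients) out of recipient-rejection logs. The log format, the field names and the 10-second window are assumptions made for this sketch; a real MTA's log lines would need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format (not any real MTA's): one line per RCPT result.
LINE = re.compile(r"(?P<ts>\S+) conn=(?P<conn>\d+) ip=(?P<ip>\S+) "
                  r"rcpt=(?P<rcpt>\S+) result=(?P<result>\w+)")

def unknown_by_connection(lines):
    """Map (ip, conn) -> [first timestamp, number of 'user_unknown' recipients]."""
    conns = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["result"] != "user_unknown":
            continue
        ts = datetime.fromisoformat(m["ts"])
        entry = conns.setdefault((m["ip"], m["conn"]), [ts, 0])
        entry[0] = min(entry[0], ts)
        entry[1] += 1
    return conns

def harvest_suspects(lines, min_rcpts=5, min_conns=3, window=timedelta(seconds=10)):
    """IPs with >= min_conns connections inside `window`, each rejecting >= min_rcpts."""
    per_ip = defaultdict(list)
    for (ip, _), (ts, count) in unknown_by_connection(lines).items():
        if count >= min_rcpts:
            per_ip[ip].append(ts)
    suspects = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        # Compare each connection with the one (min_conns - 1) places later.
        if any(b - a <= window for a, b in zip(stamps, stamps[min_conns - 1:])):
            suspects.add(ip)
    return suspects

# Constructed sample: 192.0.2.10 makes three connections in four seconds with
# five dictionary names each; 198.51.100.7 sends one typo and one valid address.
NAMES = ["bob", "jeff", "todd", "amy", "dave"]
SAMPLE = [f"2005-01-10T09:00:0{sec} conn={conn} ip=192.0.2.10 "
          f"rcpt={name}@example.com result=user_unknown"
          for conn, sec in ((1, 0), (2, 2), (3, 4)) for name in NAMES]
SAMPLE += ["2005-01-10T09:05:00 conn=4 ip=198.51.100.7 rcpt=bbo@example.com result=user_unknown",
           "2005-01-10T09:06:00 conn=5 ip=198.51.100.7 rcpt=bob@example.com result=accepted"]

if __name__ == "__main__":
    print(sorted(harvest_suspects(SAMPLE)))
```

The thresholds follow the figures in Chris's message (5 to 29 recipients, three or four connections in a few seconds); a sender who mistypes a single address stays below them.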



