LDAP/MTA helping Spammers?

Steen, Glenn Glenn.Steen at AP1.SE
Tue Jan 11 09:46:10 GMT 2005


I'd tend to agree with Martin here. Even if the domain would be mapped,
ATM this type of thing has more benefit than badness.

Also, the names you cite ring a bell... Some viruses "guess" names like
that, and there the sole purpose is spreading, not really "mapping out
the domain" (i.e. no "intelligence", nor "reporting" is really involved).

-- Glenn

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Martin Hepworth
> Sent: den 11 januari 2005 10:07
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: LDAP/MTA helping Spammers?
> 
> 
> Chris
> 
> We use something similar to this. I can't say that I've analysed where
> the non-user errors are coming from, but 66% of all the inbound spam is
> for non-existent users. So this keeps my server load down quite a bit..
> 
> Given the effectiveness of MS/SA/ClamAV/Sophos at trapping unwanted
> emails I'm not that worried that the bad guys might be brute force
> harvesting email addresses this way. In fact bring it on!
> 
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> 
> 
> Chris Lyon wrote:
> > I have seen a few messages float around the list on this subject and
> > wanted to give some of my input on it. I have been tracking the "User
> > unknown" messages for about a week now on one of my MailScanner systems
> > and have found something odd. About 90% of all the "User unknown"
> > messages are coming from different hosts not seen before. So in other
> > words a single IP address will open an SMTP connection, send a message
> > to anywhere from 5 to 29 recipients and drop the connection. We will
> > generate the "User unknown" back to them during the connection since
> > they are not on the list. That same IP address will usually do
> > this style of attack three or four times in a few seconds. Only about
> > 10% of all the "User unknown" attacks show the same IP address again.
> > (This has only been a week and maybe this number will change.) The
> > names they are using are standard dictionary stuff: bob@, jeff@,
> > todd@ ...etc. So what are they hunting for? Are they trying to
> > get past the spam engine? Are they hunting for valid names?
> >
> >
> > I think they are doing all of the above but are mainly hunting for names.
> > So with that said, is using LDAP on the MTA giving too much information
> > back to the spammers as to what addresses are good/bad?
> >
> >
> > Any feedback?
> >
> > ------------------------ MailScanner list ------------------------
> > To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> > 'leave mailscanner' in the body of the email.
> > Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> > the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
> > Support MailScanner development - buy the book off the website!
> 
> **********************************************************************
> 
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
> 
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
> 
> **********************************************************************
> 
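
An added example, not part of the original thread: a small detector for the burst pattern Chris Lyon describes, where one IP address draws several "User unknown" rejections within a few seconds. The log format, sample lines, function names and thresholds are constructed assumptions, not any MTA's real output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, made-up log format (assumption).
SAMPLE_LOG = """\
2005-01-10T09:00:01 192.0.2.10 rcpt=bob@example.com 550 User unknown
2005-01-10T09:00:01 192.0.2.10 rcpt=jeff@example.com 550 User unknown
2005-01-10T09:00:02 192.0.2.10 rcpt=todd@example.com 550 User unknown
2005-01-10T09:00:02 192.0.2.10 rcpt=alice@example.com 250 Accepted
2005-01-10T09:00:03 192.0.2.10 rcpt=mike@example.com 550 User unknown
2005-01-10T09:00:04 192.0.2.10 rcpt=dave@example.com 550 User unknown
2005-01-10T09:00:04 192.0.2.10 rcpt=john@example.com 550 User unknown
2005-01-10T09:05:00 198.51.100.7 rcpt=jsmith@example.com 550 User unknown
2005-01-10T09:10:00 203.0.113.5 rcpt=anna@example.com 550 User unknown
2005-01-10T09:12:00 203.0.113.5 rcpt=paul@example.com 550 User unknown
2005-01-10T09:20:00 203.0.113.5 rcpt=sue@example.com 550 User unknown
"""

LINE_RE = re.compile(r"^(\S+) (\S+) rcpt=(\S+) (\d{3}) (.*)$")

def parse_rejects(log_text):
    """Yield (timestamp, ip, recipient) for each 'User unknown' rejection."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "550" and "User unknown" in m.group(5):
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_harvest_bursts(log_text, min_rejects=5, window_seconds=10):
    """Return {ip: peak rejections in any window} for IPs reaching min_rejects."""
    by_ip = defaultdict(list)
    for ts, ip, _rcpt in parse_rejects(log_text):
        by_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        # Sliding window: shrink from the left until the span fits the window.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_rejects:
            flagged[ip] = best
    return flagged
```

With the sample above, only 192.0.2.10 is flagged; the single mistyped address and the slow trickle from 203.0.113.5 stay below the threshold.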
