LDAP/MTA helping Spammers?

Chris Lyon cslyon at gmail.com
Tue Jan 11 16:28:40 GMT 2005


On Tue, 11 Jan 2005 10:46:10 +0100, Steen, Glenn <Glenn.Steen at ap1.se> wrote:
> I'd tend to agree with Martin here. Even if the domain would be mapped,
> ATM this type of thing has more benefit than badness.

I am not disagreeing that the benefit isn't there, but from a security
standpoint it is always better to give less information than more
information. So either at the MTA or in MS wouldn't it be better to
just silently delete? Not sending any "User unknown"?

>
> Also, the names you cite ring a bell... Some viruses "guess" names like
> that, and there the sole purpose is spreading, not really "mapping out
> the domain" (ie no "intelligence", nor "reporting" is really involved).

I do recall a few of these viruses, but I would also think they would be
coming back from the same IP over and over. That accounts for only 10%
of the 5000 hits in a week on our system.

>
> -- Glenn
>
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Martin Hepworth
> > Sent: 11 January 2005 10:07
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: LDAP/MTA helping Spammers?
> >
> >
> > Chris
> >
> > We use something similar to this. I can't say that I've analysed where
> > the non-user errors are coming from, but 66% of all the inbound spam is
> > for non-existent users. So this keeps my server load down quite a bit.
> >
> > Given the effectiveness of MS/SA/ClamAV/Sophos at trapping unwanted
> > emails I'm not that worried that the bad guys might be brute force
> > harvesting email addresses this way. In fact bring it on!
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >
> > Chris Lyon wrote:
> > > I have seen a few messages float around the list on this subject and
> > > wanted to give some of my input on it. I have been tracking the "User
> > > unknown" messages for about a week now on one of my MailScanner systems
> > > and have found something odd. About 90% of all the "User unknown"
> > > messages are coming from different hosts not seen before. So in other
> > > words a single IP address will open an SMTP connection, send a message
> > > to anywhere from 5 to 29 recipients and drop the connection. We will
> > > generate the "User unknown" back to them during the connection since
> > > they are not on the list. That same IP address will usually do this
> > > style of attack three or four times in a few seconds. Only about 10% of
> > > all the "User unknown" attacks show the same IP address again. (This
> > > has only been a week and maybe this number will change.) The names they
> > > are using are standard dictionary stuff: bob@, jeff@, todd@ ...etc. So
> > > what are they hunting for? Are they trying to get past the spam engine?
> > > Are they hunting for valid names?
> > >
> > >
> > > I think they are doing all of the above but are mainly hunting for names.
> > > So with that said, is using LDAP on the MTA giving too much information
> > > back to the spammers as to what addresses are good/bad?
> > >
> > >
> > > Any feedback?
> > >
> > > ------------------------ MailScanner list ------------------------
> > > To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> > > 'leave mailscanner' in the body of the email.
> > > Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> > > the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> > >
> > > Support MailScanner development - buy the book off the website!
> >
>

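As an added example (not code from the thread, MailScanner, or any MTA), a small Python log analyser that flags the pattern Chris describes from the defender's side: one client collecting many "User unknown" verdicts in a burst. The log line format, IPs and recipient names are constructed for the example; a real deployment would adapt LINE_RE to its own MTA's reject log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real MTA): one line per RCPT verdict,
# giving the client IP, the recipient and whether the LDAP lookup found a user.
SAMPLE_LOG = """\
2005-01-11T10:07:01 client=203.0.113.5 rcpt=bob@example.org result=unknown
2005-01-11T10:07:01 client=203.0.113.5 rcpt=jeff@example.org result=unknown
2005-01-11T10:07:01 client=203.0.113.5 rcpt=todd@example.org result=unknown
2005-01-11T10:07:01 client=203.0.113.5 rcpt=anna@example.org result=unknown
2005-01-11T10:07:02 client=203.0.113.5 rcpt=carl@example.org result=unknown
2005-01-11T10:07:03 client=203.0.113.5 rcpt=dave@example.org result=unknown
2005-01-11T10:07:40 client=198.51.100.7 rcpt=sales@example.org result=ok
2005-01-11T10:08:15 client=198.51.100.7 rcpt=nobody@example.org result=unknown
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) rcpt=(\S+) result=(\w+)$")

def parse_log(text):
    """Yield (timestamp, client_ip, recipient, result); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_harvesters(text, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: total_unknown_count} for clients that collected `threshold`
    or more 'User unknown' verdicts within any sliding window of `window`.
    A legitimate sender mistyping one address never reaches the threshold."""
    unknown_times = defaultdict(list)
    for ts, ip, _rcpt, result in parse_log(text):
        if result == "unknown":
            unknown_times[ip].append(ts)
    flagged = {}
    for ip, times in unknown_times.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Flagged IPs are candidates for rate limiting or temporary blocking at the MTA, which keeps recipient verification (and its load savings) while limiting how much a single client can learn per connection.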
