LDAP/MTA helping Spammers?

Vlad Mazek vlad at MAZEK.COM
Tue Jan 11 16:52:51 GMT 2005



Chris Lyon wrote:

>I am not disagreeing that the benefit isn't there but from a security
>standpoint it is always better to give less information than more
>information. So either at the MTA or in MS wouldn't it be better to
>just silently delete? Not sending any "User unknown"?
>
>
Definitely not better to silently delete, unless you have unlimited
bandwidth.

These are just probes off fresh machines, the second you accept the
email without an error code that email address is validated and sold and
you are placed in a second wave of attacks where they throw an even
bigger dictionary at you.

As per your direct email to me: Fresh (ie, not in a blacklist) owned
boxes are used to launch dictionary attacks first -- some RBLs run a
check against the IP for reverse dns, open proxy, rfc-ignorant, etc.
Spammers usually try to load balance their attacks through the
entire block that the system has access to which is why you are seeing
such a low hit rate per IP. Try plotting the amount of hits against a
/24 instead of just a single ip.  After the dictionary attacks, they are
used to launch spam, then viruses and finally they are switched to open
relay where dozens of people who have purchased the spamming software
can use the compromised systems to launch their own content. The faster
and sooner you can block them, the better. If it is a legitimate system,
you will have the administrator contact you. At ExchangeDefender we
field about 2-3 trouble tickets per day from remote mail admins but we
block between 100-300 per day and slightly over 400 a day on weekends.

Think about it this way: What are the odds that a mail system with no
PTR will connect to my network and attempt to hit 20+ unknown recipients?

-Vlad Mazek
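A defender-side illustration of the suggestion above (count unknown-recipient rejects per /24 rather than per IP, and note which sources had no PTR), added here as an example and not code from the original post. It parses constructed Postfix-style "User unknown" reject lines; the host names, addresses and the 20-recipient threshold are assumptions.

```python
import re
from collections import defaultdict

# Postfix smtpd reject line; the client name is logged as "unknown" when
# reverse DNS (PTR) lookup fails.
REJECT_RE = re.compile(
    r"RCPT from (?P<host>\S+)\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: 550 "
    r"<(?P<rcpt>[^>]+)>: User unknown"
)

def make_line(host, ip, rcpt):
    # Constructed log line in Postfix smtpd format; all values are made up.
    return (f"Jan 11 16:40:00 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from "
            f"{host}[{ip}]: 550 <{rcpt}@example.com>: User unknown")

# Constructed sample: 24 probes spread over 8 hosts of one /24 with no PTR
# (3 hits each, so each single IP looks harmless), plus a host with a valid
# PTR that mistyped two recipients.
SAMPLE_LOG = [make_line("unknown", f"192.0.2.{10 + i % 8}", f"user{i}") for i in range(24)]
SAMPLE_LOG += [make_line("mail.partner.example", "198.51.100.5", f"typo{i}") for i in range(2)]

def slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"

def aggregate(lines):
    """Distinct unknown recipients per source IP and per /24, plus whether
    each source IP lacked a PTR."""
    per_ip, per_net, no_ptr = defaultdict(set), defaultdict(set), {}
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        ip, rcpt = m["ip"], m["rcpt"]
        per_ip[ip].add(rcpt)
        per_net[slash24(ip)].add(rcpt)
        no_ptr[ip] = m["host"] == "unknown"
    return per_ip, per_net, no_ptr

def suspicious_networks(lines, threshold=20):
    """/24s that probed >= threshold distinct unknown recipients from hosts
    with no PTR: (network, distinct recipients, probing hosts)."""
    per_ip, per_net, no_ptr = aggregate(lines)
    result = []
    for net, rcpts in per_net.items():
        members = [ip for ip in per_ip if slash24(ip) == net]
        if len(rcpts) >= threshold and all(no_ptr[ip] for ip in members):
            result.append((net, len(rcpts), len(members)))
    return sorted(result)

if __name__ == "__main__":
    print(suspicious_networks(SAMPLE_LOG))  # [('192.0.2.0/24', 24, 8)]
```

Per IP the noisiest source shows only 3 hits; the /24 view is what exposes the 24-recipient dictionary run.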
