I seriously don't think they would bother with the code needed to detect
the difference between accepting everything in the dictionary and
bouncing some or all addresses.  A spammer using dictionary attacks may
not be harvesting addresses, they may just be spamming a dictionary of
addresses. The best way to handle them is to have some sort of detection
routine to temporarily block them with temp errors so that legit mailers
will retry. Imail is not capable of doing this, so either process a bunch
of postmaster bounces or trashcan them.  Big drawback to using nobody to
trashcan, if someone typoed an important email, they would never know.

Thank you,
Chuck Frolick
ArgoLink.net

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Monday, December 22, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Overflow


Nick,

I think I might have been asking the question the other way around, 
though I'm not positive it was taken the wrong way.

The theory here is that domains which accept every E-mail address in the
HELO won't be dictionary attacked past a few attempts because the
attacker's software will quickly determine that the attack isn't
exposing any addresses due to a catch all situation.  So maybe adding
the nobody alias back in, and redirecting that E-mail to an account that
deletes each E-mail automatically will resolve the issue of dictionary
attacks?

I see this stuff in my logs on occasion, but it never happens for a
prolonged period of time.  I'm thinking this is because 90% of my
domains had nobody aliases.  Unless someone only wants to DOS my server,
dictionary attacking a domain with a nobody alias is a waste of their
processing power just like it is a waste of mine.

Matt



Nick Hayer wrote:

>Hi Matt,
>
>>Is anyone getting dictionary attacked for long periods of time on a
>>domain with a nobody alias or something that is gatewayed?
>>
>>Thanks,
>>
>Yes. I get hammered every day; I got rid of the nobody alias, filter
>the log files for the IPs that connected - and add them to my Imail
>Access control list. Currently that list contains nearly 10,000
>IPs...
>
>               -Nick Hayer
>
>>Matt
>>
>>Fritz Squib wrote:
>>
>>>Hey guys, this sounds like the same problem that I have been
>>>experiencing, however it has been a bunch of spam with c.c.'s to
>>>non-existent mail addresses on my server (dictionary attack style).
>>>My DNS is working fine.
>>>
>>>I spent the weekend returning mail from the old spool to a new spool 
>>>that I had to create.
>>>
>>>I had around 67,000 of these buggers to deal with...no fun.
>>>
>>>All of the mail seems to be originating from dsl and cable modems 
>>>with forged return addresses.
>>>
>>>My server is swamped again today - started again about 2-3 hours ago.
>>>
>>>Fritz
>>>
>>>Frederick P. Squib, Jr.
>>>Network Operations/Mail Administrator
>>>Citizens Telephone Company of Kecksburg
>>>http://www.wpa.net
>>>
>>>()  ascii ribbon campaign - against html mail 
>>>/\                        - against microsoft attachments
>>>
>>>
>>---
>>[This E-mail was scanned for viruses by Declude Virus 
>>(http://www.declude.com)]
>>
>>---
>>This E-mail came from the Declude.JunkMail mailing list.  To 
>>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
>>"unsubscribe Declude.JunkMail".  The archives can be found at 
>>http://www.mail-archive.com.
>>
>>    
>>
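
The "detection routine" with temp errors described at the top of this thread, sketched as an added example; it is not code from any poster and not a feature of Imail or Declude. The thresholds, the `epoch ip rcpt` log format, the class and function names, and the sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the thread): 5 unknown recipients within
# 60 seconds puts the client IP in a 15-minute temp-fail penalty box.
MAX_UNKNOWN, WINDOW, PENALTY = 5, 60, 900

class DictionaryAttackThrottle:
    def __init__(self, valid_users):
        self.valid_users = {u.lower() for u in valid_users}
        self.misses = defaultdict(deque)   # ip -> timestamps of unknown RCPTs
        self.blocked_until = {}            # ip -> epoch second the block ends

    def rcpt(self, ts, ip, address):
        """Return the SMTP reply code for one RCPT TO from `ip` at time `ts`."""
        if self.blocked_until.get(ip, 0) > ts:
            return 451                     # temp error: real MTAs queue and retry
        if address.lower() in self.valid_users:
            return 250
        q = self.misses[ip]
        q.append(ts)
        while q and q[0] <= ts - WINDOW:   # drop misses outside the window
            q.popleft()
        if len(q) >= MAX_UNKNOWN:
            self.blocked_until[ip] = ts + PENALTY
            q.clear()
            return 451
        return 550                         # isolated typo: sender gets a bounce

def replay(lines, valid_users):
    """Replay 'epoch ip rcpt' log lines; return a list of (ip, rcpt, code)."""
    throttle = DictionaryAttackThrottle(valid_users)
    rows = (line.split() for line in lines)
    return [(ip, rcpt, throttle.rcpt(int(ts), ip, rcpt)) for ts, ip, rcpt in rows]

# Constructed sample log (documentation IP ranges, example.com addresses).
SAMPLE_LOG = [
    "1000 192.0.2.10 alice@example.com",      # legit sender, valid user
    "1001 198.51.100.7 aaron@example.com",    # dictionary run starts
    "1002 198.51.100.7 abby@example.com",
    "1003 198.51.100.7 adam@example.com",
    "1004 198.51.100.7 al@example.com",
    "1005 198.51.100.7 alan@example.com",     # 5th miss -> penalty box
    "1006 198.51.100.7 alice@example.com",    # valid user, still temp-failed
    "1010 192.0.2.10 alise@example.com",      # a single typo still bounces
    "1906 198.51.100.7 alice@example.com",    # penalty expired, delivered
]
```

Unlike a nobody alias that trashcans everything, a single mistyped address still gets a 550, so the sender learns about the typo, while a host inside the penalty window only ever sees 451.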

