Scot Desort wrote:

I could be wrong. Perhaps I don't have a full understanding of how address
harvesting works. Perhaps the harvesting software is "smart" enough to know
that if 100% of the attacked addresses are accepted, there must be a
relay server in front of the true destination server, and it voids the
attack? Does anyone have any thoughts on my theories? If I am wrong with my
logic, please let me know. I think I am going to do some MX record changes
this week and remove Postfix from one of the domains. It may take a very
long time for me to notice any change in the email volume, as the harvesters
clean their databases with my new Imail rejects in the SMTP envelope.


I can only go on my own logic here, but if I was looking to harvest addresses, I would consider getting a 100% accept rate on a dictionary attack to be an opportunity that didn't exist. Now of course there are some real boneheads out there that will just simply pound on a server with a fixed list regardless of what is returned, but that seems to be pretty rare. I don't monitor my logs for this type of thing, but I have seen it on occasion, and the duration is short from what I have seen, probably because I have no gateway, but rather the nobody alias currently configured for most of my domains, which will of course accept everything. Note that all of my domains are 50 or fewer users, with most of them being a lot less than that. If I was harvesting addresses, I would also be very selective about who I targeted, going after ISPs and large businesses exclusively, especially since attacking a domain with a single user would be as process intensive as attacking one with 100,000 users, but only holds 1/100,000 the potential.


Over time, as this becomes more and more prevalent and the tools become easier to find, I expect that I will see a lot more of this coming from 16-year-olds that just want to try it out, as they often do with their all-in-one Web server vulnerability exploiters which regularly pound on my Web sites. I fully expect though that there will be tools released which protect from this happening before it becomes a big issue.

Right now I am in the process of removing nobody aliases from individual domains, and I am also going to set up a gateway to act as the primary MX for all E-mail coming in, both for off-site gatewayed domains (sold as a service) as well as locally hosted accounts. Later, as funds permit, I will add a second gateway server so that I can remove my hosted account server from handling any external MX connections. I think this setup would offer the spammers little value in attacking, and the removal of the nobody aliases should protect from the rare occurrence when a dictionary attack might get through to an account.

One related question that I have is whether or not these attackers use BCCs for their attacks, in which case Declude's BCC test could be set to a level that wouldn't get reached under normal circumstances (wouldn't work though for larger domains, since having 100 BCCs on a 1,000-user domain is much more likely to be legit than 100 BCCs on a 50-user domain). I would imagine though that dictionary attacks could come as simply multiple To addresses. I just don't know.

Matt
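The two ideas the thread circles around, that a catch-all alias or an accept-everything relay hides the reject signal a dictionary attack normally produces, and that a recipient-count threshold only makes sense relative to domain size, can be shown as detection logic over RCPT TO outcomes. The script below is an added example; it is not code from this thread, from Declude, or from Imail or Postfix. The log format is a constructed, simplified one ("client IP, message id, recipient, SMTP reply code" per RCPT TO), the sample lines are constructed, and the thresholds are assumptions to be tuned per site.

```python
"""Spot SMTP dictionary attacks from per-client RCPT TO outcomes.

Added example, not from the Declude.JunkMail thread or any mail product.
Log format is constructed: "<client_ip> <message_id> <recipient> <smtp_code>".
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample. 203.0.113.7 guesses alphabetical local-parts against a
# domain that rejects unknown users (one guess, admin, happens to exist);
# 198.51.100.2 is an ordinary sender; 192.0.2.9 runs the same guessing
# pattern against a domain with a catch-all ("nobody") alias, so every
# recipient is accepted and the reject-ratio signal disappears.
SAMPLE_LOG = """\
203.0.113.7 m1 aaron@example.org 550
203.0.113.7 m1 abby@example.org 550
203.0.113.7 m1 adam@example.org 550
203.0.113.7 m1 admin@example.org 250
203.0.113.7 m1 alan@example.org 550
203.0.113.7 m1 alex@example.org 550
203.0.113.7 m1 amy@example.org 550
203.0.113.7 m1 andy@example.org 550
203.0.113.7 m1 anna@example.org 550
203.0.113.7 m1 art@example.org 550
198.51.100.2 m2 admin@example.org 250
198.51.100.2 m2 sales@example.org 250
192.0.2.9 m3 aaron@catchall.test 250
192.0.2.9 m3 abby@catchall.test 250
192.0.2.9 m3 adam@catchall.test 250
192.0.2.9 m3 admin@catchall.test 250
192.0.2.9 m3 alan@catchall.test 250
192.0.2.9 m3 alex@catchall.test 250
192.0.2.9 m3 amy@catchall.test 250
192.0.2.9 m3 andy@catchall.test 250
192.0.2.9 m3 anna@catchall.test 250
192.0.2.9 m3 art@catchall.test 250
"""

# Assumed thresholds; tune to the site's real traffic.
MIN_ATTEMPTS = 8    # ignore clients with fewer RCPT TO commands than this
REJECT_RATIO = 0.7  # share of 5xx replies that marks a guessing client
MIN_RCPTS = 5       # never flag a message with fewer recipients than this


@dataclass
class ClientStats:
    attempts: int = 0
    rejects: int = 0
    # message id -> recipients addressed in that message
    per_message: dict = field(default_factory=lambda: defaultdict(list))


def parse_line(line: str):
    """Split one constructed log line into (client_ip, msg_id, recipient, code)."""
    ip, msg_id, rcpt, code = line.split()
    return ip, msg_id, rcpt.lower(), int(code)


def collect(log_text: str) -> dict:
    """Aggregate RCPT TO outcomes per client IP."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, msg_id, rcpt, code = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.rejects += int(code >= 500)
        s.per_message[msg_id].append(rcpt)
    return stats


def classify(stats: dict, domain_users: dict) -> dict:
    """Return {client_ip: reason} for clients that look like dictionary attacks.

    Signal 1 (reject ratio) only works when the host answering RCPT TO knows
    the user list; a catch-all alias or an accept-all relay in front of the
    real server makes every guess look valid. Signal 2 (recipients in one
    message, scaled to domain size) works either way: ten recipients on a
    50-user domain is suspicious, on a 1,000-user domain it is not.
    """
    verdicts = {}
    for ip, s in stats.items():
        if s.attempts < MIN_ATTEMPTS:
            continue
        ratio = s.rejects / s.attempts
        if ratio >= REJECT_RATIO:
            verdicts[ip] = f"reject ratio {ratio:.0%}"
            continue
        for rcpts in s.per_message.values():
            domain = rcpts[0].rsplit("@", 1)[1]
            users = domain_users.get(domain)
            if users and len(rcpts) >= max(MIN_RCPTS, users // 5):
                verdicts[ip] = f"{len(rcpts)} recipients in one message on a {users}-user domain"
                break
    return verdicts


if __name__ == "__main__":
    sizes = {"example.org": 50, "catchall.test": 50}
    for ip, why in classify(collect(SAMPLE_LOG), sizes).items():
        print(ip, why)
```

Run against the sample, the first client is flagged on its 90% reject ratio, the ordinary sender is below the attempt floor, and the client hitting the catch-all domain is caught only by the recipients-per-message rule; raise that domain's user count to 1,000 and it is no longer flagged, which is exactly the proportionality point made about BCC counts above.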

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.