These attacks can go on for hours and hours and hours. If you've seen this stuff in your logs, you would see strings like [EMAIL PROTECTED] 26^8 for instance equals ~210,000,000,000 addresses. If they've got a database of names, that could probably be brought down to around 100,000 attempts.

The dictionary attacks don't send E-mail of any value, they are just used for harvesting addresses. So if the spammer only gets positive responses to every address, their harvesting time has been completely wasted. The only time when they dictionary attack a server that accepts everything would be when their software is not performing properly, or they are actually trying to DOS a server.

So until IMail delivers functionality that can detect a dictionary attack, it seems crucial that we leave the nobody aliases on for every local domain. Personally, I find the drawbacks of having a nobody alias pointed at me to be more harm than good, which is why I would like to auto-delete these messages. You raise an important point though about not having the messages bounced back. I'll have to look into possibly having an auto response set up in addition to the delete action, which would probably require two accounts with a single alias directed at it, or maybe forwarding would work with an autoresponder???

Matt

Charles Frolick wrote:

I seriously don't think they would bother with the code needed to detect the difference between accepting everything in the dictionary and bouncing some or all addresses. A spammer using dictionary attacks may not be harvesting addresses; they may just be spamming a dictionary of addresses. The best way to handle them is to have some sort of detection routine to temporarily block them with temp errors so that legit mailers will retry. IMail is not capable of doing this, so either process a bunch of postmaster bounces or trashcan them. Big drawback to using nobody to trashcan: if someone typoed an important email, they would never know.

Thank you,
Chuck Frolick
ArgoLink.net

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Monday, December 22, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Overflow

Nick,

I think I might have been asking the question the other way around, though I'm not positive it was taken the wrong way.

The theory here is that domains which accept every E-mail address in the HELO won't be dictionary attacked past a few attempts because the attacker's software will quickly determine that the attack isn't exposing any addresses due to a catch-all situation. So maybe adding the nobody alias back in, and redirecting that E-mail to an account that deletes each E-mail automatically will resolve the issue of dictionary attacks?

I see this stuff in my logs on occasion, but it never happens for a prolonged period of time. I'm thinking this is because 90% of my domains had nobody aliases. Unless someone only wants to DOS my server, dictionary attacking a domain with a nobody alias is a waste of their processing power just like it is a waste of mine.

Matt

Nick Hayer wrote:

Hi Matt,

Is anyone getting dictionary attacked for long periods of time on a domain with a nobody alias or something that is gatewayed?

Thanks,

Yes. I get hammered every day; I got rid of the nobody alias, filter the log files for the IPs that connected, and add them to my IMail Access Control List. Currently that list contains nearly 10,000 IPs...
-Nick Hayer

Matt

Fritz Squib wrote:

Hey guys, this sounds like the same problem that I have been experiencing; however, it has been a bunch of spam with CCs to non-existent mail addresses on my server (dictionary attack style). My DNS is working fine.

I spent the weekend returning mail from the old spool to a new spool that I had to create.

I had around 67,000 of these buggers to deal with...no fun.

All of the mail seems to be originating from dsl and cable modems with forged return addresses.

My server is swamped again today - started again about 2-3 hours ago.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

() ascii ribbon campaign - against html mail /\ - against microsoft attachments
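The detection routine Chuck describes (spot a dictionary attack and answer it with temporary errors so legitimate mailers retry) and the manual step Nick takes (filter the logs for the offending IPs and block them) can both be sketched in a few dozen lines. The following is an added example written for this archive page; it is not code from the thread, from Declude or from IMail, and the log line format, the five-minute window, the threshold of 20 unknown recipients, the reply codes and the sample log lines are all assumptions constructed for illustration.

```python
"""Sliding-window detector for recipient-guessing (dictionary attack) traffic.

Added example, not from the mailing list thread or any product. Assumes a
simplified log line per RCPT TO command:  "<date> <time> <ip> RCPT <addr> <status>"
where status is OK (mailbox exists) or UNKNOWN (no such user).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log format; a real IMail/Declude log would need its own pattern.
LINE_RE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) RCPT (\S+) (OK|UNKNOWN)$")


def parse_line(line):
    """Return (timestamp, ip, address, status) or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


class DictionaryAttackDetector:
    """Counts unknown-recipient attempts per source IP inside a time window."""

    def __init__(self, window=timedelta(minutes=5), max_unknown=20):
        self.window = window            # how far back we look (assumed value)
        self.max_unknown = max_unknown  # unknown RCPTs that trigger a block (assumed value)
        self.events = defaultdict(deque)  # ip -> timestamps of UNKNOWN recipients
        self.flagged = {}                 # ip -> time it was first flagged

    def observe(self, ts, ip, status):
        """Return the SMTP reply code to send for this RCPT TO.

        250 for a known mailbox, 550 for an unknown one, and 450 (temporary
        failure) once the source has crossed the threshold: real MTAs queue and
        retry a 4xx, while bulk-guessing tools generally move on.
        """
        q = self.events[ip]
        if status == "UNKNOWN":
            q.append(ts)
        while q and ts - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= self.max_unknown and ip not in self.flagged:
            self.flagged[ip] = ts
        if ip in self.flagged:
            return 450
        return 250 if status == "OK" else 550


def scan(lines, **kw):
    """Feed log lines through a detector; return (detector, [(ip, addr, reply_code)])."""
    det = DictionaryAttackDetector(**kw)
    replies = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, addr, status = parsed
        replies.append((ip, addr, det.observe(ts, ip, status)))
    return det, replies


def tempfail_ips(det):
    """The IPs a detector has flagged, in the form one would feed to an access list."""
    return sorted(det.flagged)


def build_sample_log():
    """Constructed sample (not real traffic): one host guessing 25 names in
    100 seconds, one host making a single typo before getting the address right."""
    base = datetime(2003, 12, 22, 21, 0, 0)
    lines = []
    for i in range(25):
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 203.0.113.7 RCPT user{i:02d}@example.net UNKNOWN")
    ts = base + timedelta(seconds=30)
    lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 198.51.100.5 RCPT mtat@example.net UNKNOWN")
    ts = base + timedelta(seconds=31)
    lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 198.51.100.5 RCPT matt@example.net OK")
    lines.sort()  # timestamps share one format, so string order is time order
    return lines


if __name__ == "__main__":
    det, replies = scan(build_sample_log())
    for ip, addr, code in replies:
        print(f"{ip:15} {addr:25} -> {code}")
    print("tempfail these sources:", tempfail_ips(det))
```

Run against the constructed log, the guessing host is answered 550 for its first nineteen unknown recipients and 450 from the twentieth onward, while the host that merely typoed one address is never flagged. The same counting could be applied offline to yesterday's log, which is what Nick's manual filtering amounts to, but doing it in-line is what lets the server answer with a 4xx rather than a hard block that would also catch a legitimate sender who typed a name wrong.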






---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
