Thanks for your response, Len. Your stats are impressive, indeed, and your
point regarding blocking spam at the envelope level using a small box (850
MHz CPU, 512 MB RAM) running IMGate is well taken. However, I am still
wondering *theoretically* about emulating my employer's sendmail
configuration using IMail Server alone as I stated in my original post.

You are right in saying that the "counter-attack" that was implicit in my
posting is not nearly as effective as what you described. But then, I said
it was a theoretical question involving IMail only.

Regards,

Guy
----- Original Message ----- 
From: "Len Conrad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 21, 2003 17:54
Subject: Re: [IMail Forum] Faking acceptance/validation of VRFY and RCPT TO:
>I am certainly not advocating the use of the "nobody" alias. Rather, I am
>asking how to configure IMail so that it *seems* to accept all mail and
>silently drop messages to invalid recipients and respond to VRFYs so that it
>*seems* to validate non-existent recipients. The underlying idea is to fight
>address harvesters

With sufficient defenses to block 95% of spam, one really doesn't care if
your accounts are  harvested, simply because knowing a valid recipient is
hardly enough for a spammer to get his spam delivered to the recipient.

What really hurts about address harvesting is the long-term, high-volume
simultaneous SMTP sessions from the attack and the resources it takes to
reject them.  Yeah, you see the harvester attacking and you want him to
stop (you can't and he won't), you want to punish/trick/kill him (you
can't).

But once the MX is hardened against that harvesting DoS, as you see here:

Per-Hour Traffic Summary
     time          received  delivered   deferred    bounced     rejected
     --------------------------------------------------------------------
     0000-0100       15950       1235         47         18      34007
     0100-0200       11813       1142         43         10      20434
     0200-0300        8195       1135         39         10       8133
     0300-0400       11043        968         58         15      15873
     0400-0500        9143        904         45         13       9447
     0500-0600       10577        857         37         18      13936
     0600-0700        9726        877         20         13      11726
     0700-0800        9918        953         47         18      11656
     0800-0900       18136       1120         67          7      39762
     0900-1000       27345       1176         62         87      69738!!!!!
     1000-1100       20327       1451         82         16      37466!!!!!
     1100-1200       17339       1384         77         27      30840
     1200-1300       12450       1220         49         17      21207
     1300-1400        8818       1393         94         10      10969
     1400-1500       10126       1240         99         13      13141
     1500-1600       10689       1204         65         16      15717
     1600-1700       11726       1146         88          8      18617
     1700-1800        3847         90          0          3      10094
     1800-1900           0          0          0          0          0
     1900-2000           0          0          0          0          0

... where the bulk of the rejects are stopped by IMGate as being to unknown
users:

       1 ACL mta_clients_onedict
       2 ACL mta_clients_relay
       2 SMTP invalid [EMAIL PROTECTED]
       3 SMTP Exceeded Hard Error Limit after MAIL
       3 ACL [EMAIL PROTECTED]
       3 ETRN Mail theft attempt
       4 SMTP Exceeded Hard Error Limit after HELO
       7 ACL from_senders_clueless
      12 ACL mta_clients_senders_regexp
      15 Other
      24 SMTP unauthorized pipelining
      27 ACL helo_hostnames
      29 SMTP invalid [EMAIL PROTECTED]
      44 ACL mta_clients_slet
     107 ACL to_recipients_dead
     156 ACL mta_clients_blaksender
     166 ACL mta_clients_bogus
     195 ACL unauthorized relay
     210 ACL to_local_recipients unknown recipient
     419 ACL from_senders_nxdomain
     739 SMTP Exceeded Hard Error Limit after DATA
     799 ACL mta_clients_dead
     919 ACL from_senders_black
     953 DNS timeout for MTA PTR hostname (forged @sender.domain)
    1116 SMTP sender address verification in progress
    2089 ACL from_senders_slet
    3618 DNS no A/MX for @sender.domain
    4051 ACL from_senders_black_regexp
    4249 ACL mta_clients_bw
    4537 RBL rbl-plus.mail-abuse.org
    4739 ACL from_senders_imgfx
    5184 SMTP sender address undeliverable
    6421 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
   12961 SMTP sender address unverifiable
   95377 SMTP Exceeded Hard Error Limit after RCPT  <<<<<<<<<<<
  339041 ACL to_relay_recipients unknown recipient  <<<<<<<<<<
===========================
  488222 TOTAL

The IMGate machine is an 850 MHz PIII with 512 MB RAM.  During these
attacks, it hardly breaks a sweat due to the efficiency of the rejection
mechanism.  The mailbox server of course sees nothing.

I haven't found any great advantage, even any advantage, in trying to
counter-attack.  The harvesters get a few, even all, of your addresses, so
what?  The spammer trying to deliver to a valid account still has to get
through all the anti-spam defenses, and when those are working well, he
will still be rejected.

btw, all you people who think AOL and I are totally BOFH nutz for wanting
to blanket block  dsl/cable/DUL subnets and PTR subdomains, here's the IPs
and PTR hostnames where the above attacks are originating:

Host/Domain Summary: SMTPD Connections (top 30)
  connections  time conn.  avg./conn.  max. time  host/domain
  -----------  ----------  ----------  ---------  -----------
     7297       22:03:40         11s       249s   attbi.com
     6432       16:28:08          9s       261s   comcast.net
     3062        3:33:21          4s       164s   swbell.net
     2699        1:43:17          2s        11s   mail.cgocable.ca
     2581       11:22:11         16s        94s   t-dialin.net
     2154        1:25:05          2s        13s   intellispace.net
     2136        3:52:04          7s        77s   bezeqint.net
     2103        5:21:37          9s        45s   203.126.110.34
     2082        5:19:32          9s       103s   rr.com
     2031        2:06:20          4s        33s   relais.videotron.ca
     2008       15:42:34         28s        49s   213.33.101.19
     1868       17:21:48         33s       285s   rima-tde.net
     1780        9:09:16         19s       272s   dsl-verizon.net
     1652        1:32:55          3s        79s   <mycustomer>.net mailbox server outbound!!!!
     1598        7:24:27         17s       257s   adelphia.net
     1480        9:22:13         23s       249s   prodigy.net.mx
     1480        4:36:10         11s       257s   bbtec.net
     1419        4:44:37         12s        85s   charter.com
     1373        4:15:49         11s       253s   btopenworld.com
     1259        7:25:02         21s       143s   verizon.net
     1232        1:21:26          4s        67s   tpcper.com
     1202        7:29:48         22s       102s   212.174.227.129
     1199        0:50:54          3s        34s   cox.net
     1138        0:51:55          3s        12s   mx.kis.lt
     1123        1:24:39          5s       244s   optonline.net
     1119        1:48:16          6s        20s   203.98.174.196
     1076        1:34:29          5s       262s   211.162.0.131
      994        3:12:25         12s       251s   61.159.235.36
      931        0:45:15          3s        72s   telus.net

yep, the report cuts off at the "Top 30", and we are still at 1000
connects/MTA at that point, which is only through 17:00 hours.  Note that
his mailbox server (5000 accounts) has connected only 1650 times to send
outbound mail, and the big ISPs (assume legit mail) of AOL, MSN, Earthlink
didn't make the Top 30 MTAs.

Now try to tell me and AOL that this ISP should avoid blanket blocking of
cable/dsl/dialup and dynamic subnets so he can accept 0.0001% legit mail
from a tiny number of legit DSL mail servers.  What kind of percentage play
is that?

Len


_____________________________________________________________________
http://MenAndMice.com/DNS-training: New York; Seattle; Chicago
IMGate.MEIway.com: anti-spam gateway, effective on 1000's of sites, free
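The envelope-stage behaviour Len describes (reject unknown recipients with a 5xx at RCPT TO and cut off a client that piles up hard errors, the two biggest lines in his reject summary), as an added illustration that is not IMGate or IMail code; the domain, user list, recipient sequence and the limit of 20 are constructed assumptions.

```python
"""Envelope-stage RCPT TO policy: unknown recipients get a 550 and a client
that accumulates too many hard errors is dropped with a 421.  Nothing is
queued for an invalid recipient, so the mailbox server never sees it."""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"   # assumed domain for the example
HARD_ERROR_LIMIT = 20          # assumed; matches Postfix's default smtpd_hard_error_limit


@dataclass
class Session:
    client: str
    hard_errors: int = 0
    accepted: list = field(default_factory=list)
    rejects: dict = field(default_factory=dict)   # reject reason -> count
    disconnected: bool = False


def rcpt_to(session, recipient, local_users):
    """Reply to one RCPT TO command and update the session tallies."""
    if session.disconnected:
        return None                               # connection already closed
    local, _, domain = recipient.rpartition("@")
    if domain == LOCAL_DOMAIN and local in local_users:
        session.accepted.append(recipient)
        return "250 2.1.5 Ok"
    # Unknown user or foreign domain: reject at the envelope, count a hard error
    session.hard_errors += 1
    reason = "unknown recipient" if domain == LOCAL_DOMAIN else "unauthorized relay"
    session.rejects[reason] = session.rejects.get(reason, 0) + 1
    if session.hard_errors >= HARD_ERROR_LIMIT:
        session.disconnected = True
        session.rejects["Exceeded Hard Error Limit after RCPT"] = 1
        return "421 4.7.0 Error: too many errors"
    return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % recipient


def replay(client, recipients, local_users):
    """Feed a constructed RCPT sequence through the policy; return the session."""
    s = Session(client)
    for r in recipients:
        if rcpt_to(s, r, local_users) is None:
            break
    return s


if __name__ == "__main__":
    users = {"guy", "len", "postmaster"}
    # constructed dictionary-style RCPT burst: 30 guesses, 2 of them real
    guesses = ["guy"] + ["user%02d" % i for i in range(28)] + ["len"]
    s = replay("203.0.113.7", [g + "@" + LOCAL_DOMAIN for g in guesses], users)
    print(s.accepted, s.rejects, s.disconnected)
```

The harvester is cut off after its 20th bad RCPT, so "len" is never probed, and the session ends with exactly the two tallies that dominate Len's report.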



To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/