1) IMAIL server does not have a TARPITTING or DYNAMIC IP BLOCKING feature. So it is a real heaven for Harvesters trying to find your real users.
I've made the point several times on the IMGate list that knowing an email address is not sufficient to deliver mail to that address.
Harvesting isn't bad because it learns a (probably very tiny) number of your users. It's bad because, in sufficient intensity, it DoSes your server.
All credible anti-spam techniques block 95% of all spam to KNOWN users. So what's the big deal if harvesting learns a few of them? Obscurity of email addresses is not an effective anti-spam defense.
In my logs I see a lot of connections like this:
Mailfrom: [EMAIL PROTECTED]
rcpt to: [EMAIL PROTECTED]
rcpt to: [EMAIL PROTECTED]
rcpt to: [EMAIL PROTECTED]
rcpt to: [EMAIL PROTECTED]
rcpt to: [EMAIL PROTECTED]
Some harvesting is only probing with multiple RCPT TO per session and no DATA, while other harvesting is one RCPT TO followed by the spam DATA.
You cannot find the line DATA in your log because the spammer is just checking the users.
Does Imail ever log DATA commands in non-debug mode?
2) Fake mail return address. If people start using your domain name to make some spam, every bounce will come back to your server. And because there is no such user in your domain, the mail will get rejected at SMTPD level.
the best tactic.
The remote dumb server will try again and again, wasting your bandwidth and processor.
No, the unknown user is rejected with 5xx, so that msg should not be re-tried.
A lot of dumb servers will try 10 times to deliver the mail.
There's no defense against broken mail servers that keep re-trying the same msg after a 5xx. Most servers will drop a mailer-daemon msg (in blackhole) if it can't be delivered. What else could it do with it?
When Nobody alias is ACTIVE
1) The harvester will see OK for every mail address, for nonexisting users and also existing users. The spammer will never be able to make a database of your real users.
see above.
2) When you start accepting mail for nonexisting users.
... you lose the WAN and disk bandwidth of msgs to unknown users. This can be 100's of MB/day.
The bounced mail from the spammer will get in once, and the dumb remote server won't make many retry attempts. I just saw the bandwidth going down at the time I activated the nobody alias.
Correlation is not causality.
Figure out how many WAN bytes in/out to reject an unknown user with 5xx.
Then, figure how many WAN bytes AND disk i/o to accept 1000s of joe-job messages when each msg is 5 to 20 KB. It's clear that rejecting unknown users conserves huge qty of bandwidth vs nobody.
When IMAIL integrates a TARPITTING feature, I will turn off the NOBODY alias.
Be careful. You may be surprised who you hurt with your tarpitting.
Tarpitting would consume the very limited SMTPD bandwidth on your Imail server (see recent msgs here about Imail being overwhelmed and refusing mail, unless Imail would handle a tarpitted session differently than non-tarpitted) while pretending to hurt 1000s of attackers with tons more aggregate bandwidth.
In fact I will turn off the nobody alias soon; I have software which will analyse the log of Imail for many unknown rcpt from a single IP, then block it on the firewall.
IMGate advanced can do that, but it's already so efficient in blocking after RCPT TO and with all the new recent techniques IMGate has, dynamic blocking is not all that important to IMGate anymore.
If you have around 100 to 1000 users, you can forget using the nobody alias. But for 10.000 users and more, think about it, harvesters can really make a database out of your system.
see above
Len
_____________________________________________________________________ http://MenAndMice.com/DNS-training: Seattle; London; San Jose; Wash DC IMGate.MEIway.com: anti-spam gateway, effective on 1000's of sites, free
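The log analysis mentioned in the thread (many unknown RCPT TO from a single IP, and sessions with several RCPT TO and no DATA), sketched as an added example that is not part of the original message and is not IMail or IMGate code. The log layout, the `find_harvesters` name and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log. The layout (date time session ip command code) is an
# assumption for this example, not IMail's real log format.
SAMPLE_LOG = """\
2004-03-01 10:00:01 s1 192.0.2.10 MAIL FROM:<a@example.net> 250
2004-03-01 10:00:02 s1 192.0.2.10 RCPT TO:<aaron@example.com> 550
2004-03-01 10:00:02 s1 192.0.2.10 RCPT TO:<abby@example.com> 550
2004-03-01 10:00:03 s1 192.0.2.10 RCPT TO:<adam@example.com> 250
2004-03-01 10:00:03 s1 192.0.2.10 RCPT TO:<al@example.com> 550
2004-03-01 10:00:04 s1 192.0.2.10 RCPT TO:<alan@example.com> 550
2004-03-01 10:01:00 s2 198.51.100.7 MAIL FROM:<bob@example.org> 250
2004-03-01 10:01:01 s2 198.51.100.7 RCPT TO:<adam@example.com> 250
2004-03-01 10:01:02 s2 198.51.100.7 DATA 354
2004-03-01 10:02:00 s3 203.0.113.5 MAIL FROM:<eve@example.org> 250
2004-03-01 10:02:01 s3 203.0.113.5 RCPT TO:<adan@example.com> 550
2004-03-01 10:03:00 s4 192.0.2.10 MAIL FROM:<a@example.net> 250
2004-03-01 10:03:01 s4 192.0.2.10 RCPT TO:<amy@example.com> 550
2004-03-01 10:03:02 s4 192.0.2.10 RCPT TO:<andy@example.com> 550
"""

LINE = re.compile(r"^\S+ \S+ (?P<sid>\S+) (?P<ip>\S+) (?P<verb>MAIL|RCPT|DATA)\b.* (?P<code>\d{3})$")

def find_harvesters(log_text, max_unknown=5):
    """Return {ip: stats} for clients with >= max_unknown RCPT TO rejected with 550."""
    unknown = defaultdict(int)   # ip -> count of RCPT TO answered 550
    sessions = {}                # (ip, session id) -> [rcpt count, saw DATA]
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue             # ignore lines this parser does not understand
        state = sessions.setdefault((m["ip"], m["sid"]), [0, False])
        if m["verb"] == "RCPT":
            state[0] += 1
            if m["code"] == "550":
                unknown[m["ip"]] += 1
        elif m["verb"] == "DATA":
            state[1] = True
    report = {}
    for ip, count in unknown.items():
        if count >= max_unknown:
            # Probe-style sessions: several RCPT TO and never a DATA command.
            probes = sum(1 for (sip, _), (rcpts, data) in sessions.items()
                         if sip == ip and rcpts > 1 and not data)
            report[ip] = {"unknown_rcpt": count, "probe_sessions": probes}
    return report

print(find_harvesters(SAMPLE_LOG))
```

The returned addresses are candidates for a firewall block list; a sender with a single mistyped recipient stays below the threshold, which is a constructed value to tune against real traffic.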
