> > Another alternative would be to pull the information from all the end mail
> > servers using LDAP and dump it all into one local LDAP directory. I could
> > then query that local server (which would not require remote server to
> > even be up).
>
> That's also a possibility. You don't need the whole LDAP directory; all
> you need is a list of valid addresses. You could dump that into an access
> table and do it all in Sendmail.
Since I am assuming by LDAP you really mean MS LDAP or AD for Microsoft Exchange, I *really* recommend the LDAP to Access table solution.

A) It's the most basic level to reject the connection with sendmail before throwing the email to a 20MB+ program.

B) We tried a LOT of routes and this is really a simple yet elegant and long-term solution. Many of the other solutions we tried are too fragile, prone to delays, etc.

C) All the research and reading we have done tells us that an NT/2K/2K3 server will NOT withstand a dictionary attack that causes LDAP lookups galore. The concept of "lightweight" behooves Microsoft programmers ;-) In fact, the threshold was ridiculously low, like 3 queries per second tying up a 450MHz PII server. Granted, you might have a better server, but still, that's ridiculous scalability.

In closing, a second solution I might suggest is the idea I had for the check against SMTP server in MD. In short, build a DB tie that caches correct and incorrect answers on the fly and expires them periodically. Unfortunately, because of dictionary attacks, this could lead to a *potential* DoS if you get 4 billion incorrect requests on a server with 15 correct answers. Your Mileage May Vary, but I am seeing more egregious and outlandish attacks daily, and withstanding virii that try and send 120K emails an hour is getting to be routine.

I can also recommend, for those that haven't figured this out yet, do NOT use first-name emails (i.e. [EMAIL PROTECTED]). Use multi-name, firstname.lastname, firstinitial.lastname, etc. etc. We are DEFINITELY seeing ratware that is taking SPAM lists and DOMAIN lists and lists of names and combining it all into super dictionary attacks. Think about entire days filled with nothing but email addresses starting with [EMAIL PROTECTED]

<SCARY THOUGHT FOR DAY>
Additionally, here's my scary thought for the day. Not really my thought, though, as I was speaking with the lead sales guy at Pest Patrol yesterday and we were discussing spyware problems we've seen/predict. PestPatrol's prediction is that someone will compromise a "popular" spyware program and get a hold of the trickler (the program that trickles in exes out of order and at low bandwidth to allow for program updates, etc. A fairly common practice in the spy/malware arena). With this exploited capability, someone could install anything and do it MUCH faster than viruses have. Think about something like GAIN (running on like 30 million computers) that gets exploited and the person now in control triggers a SPAMMING program to trickle, install and run on all those "zombie" spyware-infested machines. Some (all? many?) of these tricklers run at the SAME level that firewall software would run on the machine to bypass some of the more standard firewall software. And you typically can't find them through stateful packet inspection because they run low-volume, out-of-order packets on port 80.
</SCARY THOUGHT FOR DAY>

<HAPPY THOUGHT FOR DAY>
If the above happened, the "legitimate" spyware programs would all look REALLY bad and be lambasted by the media, FTC, consumer groups, consumers, gophers, etc.
</HAPPY THOUGHT FOR DAY>

Regards,
KAM

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
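The two ideas in the message above, the valid-address dump turned into a sendmail access table and the cache of correct/incorrect verification answers, as an added illustration that is not code from the poster or from the MIMEDefang project. The address list is a constructed stand-in for what an LDAP/AD dump would produce (hypothetical names and domain), the access-table lines assume sendmail's `FEATURE(`blacklist_recipients')` is enabled so that `To:` entries are consulted at RCPT TO, and the cache bounds its negative side so that a dictionary attack full of unknown recipients cannot grow it without limit, which is the DoS the poster worries about.

```python
"""Recipient-verification helpers (added example, not from the original post):
an access-table generator fed from a list of valid addresses, and a result
cache whose negative side is capped so a dictionary attack cannot exhaust it."""
import time
from collections import OrderedDict

# Constructed sample of a valid-mailbox dump; names and domain are hypothetical.
VALID_ADDRESSES = [
    "john.smith@example.com",
    "j.smith@example.com",
    "postmaster@example.com",
]


def build_access_table(valid, domain, reject="ERROR:5.1.1:550 User unknown"):
    """Render sendmail access_db lines: one OK entry per valid address and a
    domain-level reject, so any address not listed is refused at RCPT TO.
    sendmail looks up the full address before the bare domain, so the
    per-address OK entries take precedence over the domain reject."""
    addrs = sorted({a.lower() for a in valid})
    lines = [f"To:{a}\tOK" for a in addrs]
    lines.append(f"To:{domain.lower()}\t{reject}")
    return lines


class VerifyCache:
    """Caches positive and negative recipient checks with a TTL. Negative
    entries are kept in LRU order and capped at max_negative, because an
    attacker controls how many distinct *invalid* addresses are probed."""

    def __init__(self, ttl, max_negative, now=time.monotonic):
        self.ttl = ttl
        self.max_negative = max_negative
        self.now = now  # injectable clock, makes expiry testable
        self.positive = {}              # addr -> expiry time
        self.negative = OrderedDict()   # addr -> expiry time, LRU order

    def lookup(self, addr):
        """True/False for a fresh cached answer, None if the backend must be asked."""
        t = self.now()
        exp = self.positive.get(addr)
        if exp is not None:
            if exp > t:
                return True
            del self.positive[addr]        # expired, fall through
        exp = self.negative.get(addr)
        if exp is not None:
            if exp > t:
                self.negative.move_to_end(addr)
                return False
            del self.negative[addr]
        return None

    def store(self, addr, valid):
        exp = self.now() + self.ttl
        if valid:
            self.negative.pop(addr, None)
            self.positive[addr] = exp
        else:
            self.negative[addr] = exp
            self.negative.move_to_end(addr)
            # Evict the least recently probed bogus addresses beyond the cap.
            while len(self.negative) > self.max_negative:
                self.negative.popitem(last=False)


def verify(cache, addr, backend, stats):
    """Answer from cache when possible; otherwise ask the (slow) backend once."""
    answer = cache.lookup(addr)
    if answer is None:
        stats["backend_calls"] += 1
        answer = backend(addr)
        cache.store(addr, answer)
    return answer


def run_probe_sample(cache, backend, probes):
    """Feed a list of RCPT TO probes through the cache; return the answers,
    how many backend lookups were needed, and the negative-cache size."""
    stats = {"backend_calls": 0}
    results = [verify(cache, p, backend, stats) for p in probes]
    return results, stats["backend_calls"], len(cache.negative)


if __name__ == "__main__":
    print("\n".join(build_access_table(VALID_ADDRESSES, "example.com")))
    valid = set(VALID_ADDRESSES)
    cache = VerifyCache(ttl=300, max_negative=5)
    probes = [f"bogus{i}@example.com" for i in range(10)] + ["john.smith@example.com"] * 3
    print(run_probe_sample(cache, lambda a: a in valid, probes))
```

Tune `max_negative` to what the backend can absorb: with the cap in place, a flood of unknown addresses costs at most one backend lookup each, while repeated probes of the same few addresses (and all valid ones) are answered from memory.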

