> > I think spammers have adapted by sending only a few addresses at
> > a time, perhaps from virus-owned zombie relays.
>
> That was the logical next step. It's practically impossible to fight
> that. And honestly, until directory harvest attacks start overloading
> my machine or costing me bandwidth, I ignore them just like I
> ignore most port scans.

One possible approach is to appear to accept all addresses, then check the recipient address but take no action until the DATA phase - at which point you can refuse the message with a 5xx error without indicating whether the address exists or not. That way, they spend time compiling a list where all of their guesses appear to work, but none of their messages get through - and they don't know whether it's because the user doesn't exist, or they are blacklisted, or your spam filter caught them, etc.

In a good implementation, you could combine this with the greylist database to permanently blacklist any sender/relay combination which had three or more wrong addresses. In the meantime, you have an easy way of identifying anyone using this technique, as you can flag it for Graphdefang to analyse.

Best Wishes,

Paul.

Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
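
Added example, not part of the original message and not MIMEDefang filter code: a small Python model of the policy described above, where every RCPT TO is answered 250, the decision is deferred to DATA, and every refusal carries the same 5xx reply. The class name, addresses, reply texts, the in-memory strike table (standing in for the greylist database) and the choice to refuse the whole message when any recipient is unknown are assumptions.

```python
# Constructed sample data: the mailboxes that really exist on this server.
VALID = {"alice@example.org", "bob@example.org"}
STRIKE_LIMIT = 3                          # "three or more wrong addresses"
REJECT = (554, "5.7.1 Message refused")   # one reply for every refusal reason
ACCEPT = (250, "2.0.0 Message accepted")


class DeferredRcptPolicy:
    """Model of an SMTP server that hides recipient validity until DATA."""

    def __init__(self, valid=VALID, limit=STRIKE_LIMIT):
        self.valid = {a.lower() for a in valid}
        self.limit = limit
        self.wrong = {}      # (sender, relay) -> set of wrong addresses seen
        self.flagged = []    # events a log analyser could pick up

    def rcpt_to(self, sender, relay, rcpt):
        # Reveal nothing at this stage: every guess looks like a hit.
        return (250, "2.1.5 Recipient ok")

    def is_blacklisted(self, sender, relay):
        seen = self.wrong.get((sender.lower(), relay), ())
        return len(seen) >= self.limit

    def data(self, sender, relay, rcpts):
        key = (sender.lower(), relay)
        bad = {r.lower() for r in rcpts} - self.valid
        if bad:
            # Count distinct wrong addresses per sender/relay pair.
            self.wrong.setdefault(key, set()).update(bad)
            self.flagged.append((relay, sender, sorted(bad)))
        if bad or self.is_blacklisted(sender, relay):
            # Unknown user and blacklisted pair are indistinguishable.
            return REJECT
        return ACCEPT


if __name__ == "__main__":
    p = DeferredRcptPolicy()
    s, r = "harvester@bad.example", "203.0.113.9"   # constructed values
    for guess in ("info", "sales", "admin"):
        addr = guess + "@example.org"
        print(p.rcpt_to(s, r, addr), p.data(s, r, [addr]))
    # Now blacklisted: even a real mailbox gets the identical refusal.
    print(p.data(s, r, ["alice@example.org"]), p.is_blacklisted(s, r))
```

The `flagged` list is where a real filter would write its log line; the trade-off of the whole-message refusal is that a legitimate sender with one mistyped recipient also loses delivery to the valid ones.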

