On Fri, May 20, 2016 16:06, Tanstaafl wrote:
> On 5/19/2016 1:50 PM, James B. Byrne <byrn...@harte-lyne.ca> wrote:
>> We have a situation where some party is harvesting our employees'
>> mailbox names and using them for a directed brute force attack
>> against our SMTP servers. In order to dodge this we have undertaken
>> to rename of user mailboxes.
>
> Trying for the life of me to figure out how or why you think this is a
> good way to mitigate such an attack...
>
> Failing miserably.
>

The issue is moot. I discovered the cause of the return path setting was the user themselves and had them reconfigure their MUA to remove that setting.

The mailbox renaming exercise has to do with single logon. Our email addresses have had the same form since 1995 and from that time user logon accounts were used as their mailbox and email local address as well. Since this information is already known we are simply moving all of our user ids to something that does not show up in the email headers and leaving the email addresses as they are.

It is most disconcerting to see a SASL attack on our relays which only uses actual userids for our company employees, albeit they have a lot of defunct userids in that list. If these names are no longer anywhere in use as actual user ids then that is at least one attack avenue that is forestalled.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3