Penetration Testing mailing list archives

Re: Discovering users by RCPT TO


From: Matan Peled <chaosite () gmail com>
Date: Sat, 15 Jan 2005 10:35:19 +0200

dmz wrote:
I see spammers hitting my MTA daily with dictionary RCPT TO queries
and there isn't much you can really do against it; however I have been
thinking about a solution using real time blockers.

The idea is to monitor the logfile of the MTA, looking for a host
getting more than "X" failed destination addresses (I think 2 or 3 is
a nice entry threshold). Then when they reach the threshold their IP
gets put into a local DNS server that is used by the MTA as a real
time blocker.

This wouldn't require more than another RBL addition to the MTA and
then an external script tied to either bind or djbdns.

thoughts?
dmz

But wouldn't that be vulnerable to a DoS attack, i.e. spoofing the IP and denying service to legitimate clients?

--
[Name      ]   ::  [Matan I. Peled    ]
[Location  ]   ::  [Israel            ]
[Public Key]   ::  [0xD6F42CA5        ]
[Keyserver ]   ::  [keyserver.kjsl.com]
encrypted/signed  plain text  preferred
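
The log-watching scheme discussed in this message, sketched as an added example that is not code from either poster: it counts unknown-recipient rejections per client IP and renders the hosts at or over the threshold as records for a local DNSBL zone. Assumptions: a Postfix-style log line, the zone name `rcptbl.example`, BIND-style record output, and an allowlist plus a short TTL to bound the effect of a wrong listing; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed Postfix-style reject line; adapt the pattern to your MTA's log format.
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: 550 .*User unknown")

THRESHOLD = 3                  # the "X" from the post (2 or 3 was suggested)
ZONE = "rcptbl.example"        # hypothetical local DNSBL zone name
ALLOWLIST = {"198.51.100.7"}   # hypothetical known-good relays, never listed
TTL = 3600                     # assumed short TTL so a wrong listing ages out


def offenders(lines, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return {ip: count} for clients with >= threshold unknown-recipient rejects."""
    counts = defaultdict(int)
    for line in lines:
        m = REJECT.search(line)
        if m and m.group("ip") not in allowlist:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def dnsbl_records(ips, zone=ZONE, ttl=TTL):
    """Render BIND-style A records: octets reversed, answer 127.0.0.2."""
    return [f"{'.'.join(reversed(ip.split('.')))}.{zone}. {ttl} IN A 127.0.0.2"
            for ip in sorted(ips)]


def _rej(ip, user):
    """Build one constructed reject line for the sample below."""
    return (f"Jan 15 10:00:01 mx postfix/smtpd[411]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{user}@example.com>: Recipient address "
            f"rejected: User unknown in local recipient table")


# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE = ([_rej("192.0.2.10", u) for u in ("alice", "bob", "carol")]
          + [_rej("203.0.113.5", "dave")]
          + [_rej("198.51.100.7", u) for u in ("a", "b", "c")]
          + ["Jan 15 10:00:02 mx postfix/smtpd[411]: connect from unknown[192.0.2.10]"])

if __name__ == "__main__":
    for record in dnsbl_records(offenders(SAMPLE)):
        print(record)
```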
