Security Incidents mailing list archives

Re: email address probes

From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Wed, 5 Feb 2003 15:26:12 -0700

On Wed, Feb 05, 2003 at 08:54:19PM +0000, Andy Bastien wrote:

Where I work, we've getting lots of attempts to send email to random
addresses at our domain.  All of these attempts have been coming from
valid servers operated by AOL, MSN, and Hotmail.  I'm guessing that
this is an attempt to find some spam targets, although I suppose that
there could be something worse in store.

I'd like to be able to stop these attempts, but I can't think of a way
to do it.  All of the attempts are coming from valid servers from some
domains that we can't block.  They do all have null reverse-paths
(MAIL FROM:<>), but I don't think that we can reject on this criteria
as null reverse-paths are used to send NDRs and other notifications
which we don't want to block.  I suppose that we could accept the
emails and dump them to /dev/null (or to some tarpit account so that
we can inspect them) instead of replying with a "550 User unknown,"
but I suspect that this could cause us more headaches in the future.
Does anyone have any suggestions as to how we could handle this
problem?


Rumpelstilzchen is the fancy hax0r name for the problem.

We use Sendmail and Milter to make this less of an issue.  We have a
milter program that uses the number of correct addresses vs
number of incorrect addresses for each connecting IP address. If the
ratio exceeds a certain number all addresses are tempoararily
unavailable (return 4xx SMTP error code).

The first ten addresses in a connection are treated normally if the IP
address hasn't been marked as guessing too much (exceeded the ratio),
so 3 bad addresses can't block a server.

Sounds simple, but is shockingly effective.

We currently don't do automatic recovery, but have never had any
complaints in the 3+ months that this has been running (postmaster is
allowed through always).  Shouldn't be to hard to recover
automatically though.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         I should be biking right now.   Computer Science


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

email address probes Andy Bastien (Feb 05)
- Re: email address probes Kee Hinckley (Feb 06)
- Re: email address probes Brad Arlt (Feb 06)
  - Re: email address probes james (Feb 06)
  - Re: email address probes Brad Arlt (Feb 07)
- Re: email address probes Greg A. Woods (Feb 06)
  - Re: email address probes Axel Beckert - ecos gmbh (Feb 06)
    - RE: email address probes Rob Shein (Feb 07)
- Re: email address probes Dave Laird (Feb 06)
- Re: email address probes Ned Fleming (Feb 06)
  - Re: email address probes Andy Bastien (Feb 07)
- <Possible follow-ups>
- RE: email address probes Johann Kruse (Feb 06)