Security Incidents mailing list archives
Re: email address probes
From: "Greg A. Woods" <woods () weird com>
Date: Wed, 5 Feb 2003 18:04:44 -0500 (EST)
[ On Wednesday, February 5, 2003 at 20:54:19 (+0000), Andy Bastien wrote: ]
Subject: email address probes I'd like to be able to stop these attempts, but I can't think of a way to do it.
If there's no local user for the "attempt" then the most correct way, and I suppose best and only proper way, to answer the invalid "RCPT TO:" is indeed with just a plain simple "550 User unknown" (or "550-5.1.1 User unknown" if your server supports ESMTP ESN). If the connections come fast and furious from the same remote server then you can introduce a delay before you send your reject reply status code, or even send a "550-User unknown" line, then pause for up to a minute or two, and finally a "550 Thanks for trying!" line. Some people call this scheme a "tar pit" -- it slows down a rabid sender because it forces it to wait for the last line of the multi-line 550 message. -- Greg A. Woods +1 416 218-0098; <g.a.woods () ieee org>; <woods () robohack ca> Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com> ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- email address probes Andy Bastien (Feb 05)
- Re: email address probes Kee Hinckley (Feb 06)
- Re: email address probes Brad Arlt (Feb 06)
- Re: email address probes james (Feb 06)
- Re: email address probes Brad Arlt (Feb 07)
- Re: email address probes Greg A. Woods (Feb 06)
- Re: email address probes Axel Beckert - ecos gmbh (Feb 06)
- RE: email address probes Rob Shein (Feb 07)
- Re: email address probes Axel Beckert - ecos gmbh (Feb 06)
- Re: email address probes Dave Laird (Feb 06)
- Re: email address probes Ned Fleming (Feb 06)
- Re: email address probes Andy Bastien (Feb 07)
- <Possible follow-ups>
- RE: email address probes Johann Kruse (Feb 06)