Security Incidents mailing list archives
Re: SMTP username dictionary attack
From: Mike <mike () rockynet com>
Date: Thu, 06 Mar 2003 15:51:26 -0700
Garrett Sinfield wrote:
> Actually, what you said about poisoning their spamlist would make for an entertaining read. Perhaps I'll set this up sometime :)
If you do so, I would advise only trying this on a honeypot for a domain that you never intend to use for real e-mail[0].
Back when SMTP dictionary attacks first emerged, setting a 'nobody' alias would effectively foil them. In fact, the first pieces of ratware specifically checked for a random string, and if it was accepted would terminate the attack under the assumption that no useful data could be stolen.
Times have changed, and from what I can tell, no one does this anymore. The spammers don't care. If their 'dictionary' has a million possible combinations, and you give it a million possible hits, look for regular (daily) spam runs attempting to deliver a million pieces of spam to you.
Setting up a nobody alias is a sure way to permanently taint the domain behind it.
Mike

[0] Now, poisoning the spam harvest database using a throwaway domain, and then pointing an MX record for it to localhost sounds like fun ;)
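
For readers who want to spot the dictionary runs discussed in this thread on a server that rejects unknown users rather than accepting them through a catch-all alias, the following is an added example and not part of the original message. It assumes Postfix-style "User unknown" rejection lines (the thread names no MTA); the sample log, addresses and threshold are constructed.

```python
import re
from collections import defaultdict

# Matches Postfix-style rejections of unknown recipients (log format is an
# assumption; the original post names no MTA).
REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

def find_dictionary_attackers(lines, threshold=5):
    """Return {client_ip: distinct unknown recipients} for clients that
    probed at least `threshold` different nonexistent addresses."""
    probes = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            # Count distinct addresses so a retried typo is not a "run".
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: len(r) for ip, r in probes.items() if len(r) >= threshold}

def build_sample_log():
    """Constructed sample: one client walking a name list, one honest typo."""
    tmpl = ("Mar  6 15:40:{sec:02d} mx postfix/smtpd[811]: NOQUEUE: reject: "
            "RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
            "rejected: User unknown in local recipient table")
    names = ["adam", "alice", "andy", "bob", "carol", "dave", "adam"]
    log = [tmpl.format(sec=i, ip="192.0.2.10", rcpt=f"{n}@example.org")
           for i, n in enumerate(names)]
    log.append(tmpl.format(sec=30, ip="198.51.100.7",
                           rcpt="mikee@example.org"))
    log.append("Mar  6 15:41:00 mx postfix/smtpd[811]: "
               "connect from unknown[203.0.113.5]")
    return log

if __name__ == "__main__":
    hits = find_dictionary_attackers(build_sample_log())
    for ip, count in hits.items():
        print(f"{ip}: {count} distinct unknown recipients")
```

With a catch-all alias in place none of these rejections would be logged, since every probed address would be accepted.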