Security Incidents mailing list archives

Re: SMTP username dictionary attack


From: Mike <mike () rockynet com>
Date: Thu, 06 Mar 2003 15:51:26 -0700

Garrett Sinfield wrote:
Actually, what you said about poisoning their spamlist would make for an entertaining read. Perhaps I'll set this up sometime :)

If you do so, I would advise only trying this on a honeypot for a domain that you never intend to use for real e-mail[0].

Back when SMTP dictionary attacks first emerged, setting a 'nobody' alias would effectively foil them. In fact, the first pieces of ratware specifically checked for a random string, and if it was accepted, would terminate the attack under the assumption that no useful data could be stolen.

Times have changed, and from what I can tell, no one does this anymore. Then spammers don't care. If their 'dictionary' has a million possible combinations, and you give it a million possible hits, look for regular (daily) spam runs attempting to deliver a million pieces of spam to you.

Setting up a nobody alias is a sure way to permanently taint the domain behind it.

Mike

[0] Now, poisoning the spam harvest database using a throwaway domain, and then pointing an MX record for it to localhost sounds like fun ;)
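
As an added example (not part of Mike's message or the thread): a log check for the SMTP dictionary attacks discussed above, flagging clients that probe many different nonexistent mailboxes. It assumes Postfix-style `User unknown` reject lines; the function name, threshold, and sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Postfix smtpd rejection for a nonexistent mailbox (assumed MTA and log format).
# A catch-all ('nobody') alias accepts every RCPT, so none of these rejects
# are logged and this signal disappears.
REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

def _line(ip, rcpt):
    """Build one constructed reject line for the sample log."""
    return (f"Mar  6 15:40:01 mx postfix/smtpd[311]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}@example.org>: Recipient address "
            f"rejected: User unknown in local recipient table; "
            f"from=<x@sender.invalid> to=<{rcpt}@example.org> proto=SMTP helo=<h>")

# Constructed sample log; addresses use documentation ranges and example.org.
SAMPLE_LOG = (
    [_line("203.0.113.7", n) for n in ("aaron", "abby", "adam", "alan", "alex", "adam")]
    + [_line("198.51.100.20", "mikee")]  # one mistyped address from a normal sender
    + ["Mar  6 15:41:10 mx postfix/smtpd[311]: connect from unknown[203.0.113.7]"]
)

def dictionary_sources(lines, min_distinct=5):
    """Return {client_ip: sorted unknown local parts} for clients that probed
    at least `min_distinct` different nonexistent mailboxes."""
    tried = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            # Count distinct local parts, so retries of one typo do not add up.
            tried[m["ip"]].add(m["rcpt"].split("@", 1)[0].lower())
    return {ip: sorted(names) for ip, names in tried.items()
            if len(names) >= min_distinct}

if __name__ == "__main__":
    for ip, names in dictionary_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} unknown recipients tried, e.g. {names[:3]}")
```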

