Mailing List SIMS@mail.stalker.com Message #8049
From: Tod Fitch <Tod@FitchDesign.com>
Subject: Address harvesting incidents
Date: Wed, 04 Apr 2001 10:25:23 -0700
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
In the past three days I have had what appears to be three separate incidents of attempts at address harvesting. At least the IP addresses resolve to separate networks. In two of these incidents the harvester started sending requests via my secondary mail server when SIMS became obstinate about dealing with it (suspending the line, etc.).

Since the secondary does not know the account names it is unable to defend against this abuse. Since the secondary is a "trusted" IP address, SIMS will reject the mail as to an unknown user but will not black list it.

This led me to the thought that a harvester could send all of its account name attempts via a secondary mail server and wait for the reject messages. Since the secondaries don't have the account information, they cannot directly blacklist the harvester and must forward the mail to the primary. Since SIMS (or any other primary mail server) should not black list its secondaries it will always respond with appropriate "unknown user" information. Thus the harvester will gain the account information it is looking for.

It seems to me that I need to drop the MX record that defines the secondary mail server and go it with no secondary to protect against this possible attack.

Am I wrong on this logic? I hope so. Could someone
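The scenario in the message above, seen from the primary's side, as an added example that is not part of the original post and is not SIMS code: unknown-user rejects are counted against the host the trusted secondary recorded as the sender, not against the secondary itself. The log format, IP addresses, relay list and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (NOT a real SIMS log format). Each line is what the
# primary saw: the connecting relay, the origin recorded by that relay in its
# Received header, the recipient, and the primary's verdict.
SAMPLE_LOG = """\
relay=192.0.2.10 origin=203.0.113.7 rcpt=alice@example.com result=unknown_user
relay=192.0.2.10 origin=203.0.113.7 rcpt=bob@example.com result=unknown_user
relay=192.0.2.10 origin=203.0.113.7 rcpt=carol@example.com result=unknown_user
relay=192.0.2.10 origin=198.51.100.4 rcpt=tod@example.com result=delivered
relay=192.0.2.10 origin=198.51.100.4 rcpt=todd@example.com result=unknown_user
relay=198.51.100.99 origin=203.0.113.7 rcpt=dave@example.com result=unknown_user
"""

TRUSTED_RELAYS = {"192.0.2.10"}  # assumed address of the secondary MX
THRESHOLD = 3                    # assumed: distinct unknown recipients before flagging

LINE_RE = re.compile(r"relay=(\S+) origin=(\S+) rcpt=(\S+) result=(\S+)")


def effective_client(relay, origin):
    """Pick the address to hold accountable for a message.

    The origin field is believed only when a trusted secondary wrote it;
    for any other peer it could be forged, so the peer itself is used.
    """
    return origin if relay in TRUSTED_RELAYS else relay


def find_harvesters(log_text, threshold=THRESHOLD):
    """Return {client_ip: sorted unknown recipients} for clients at or over threshold."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        relay, origin, rcpt, result = m.groups()
        if result == "unknown_user":
            misses[effective_client(relay, origin)].add(rcpt.lower())
    return {ip: sorted(r) for ip, r in misses.items() if len(r) >= threshold}


if __name__ == "__main__":
    for ip, rcpts in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} unknown recipients via trusted relay or direct")
```

The flagged address is the one behind the secondary, so the secondary itself never accumulates a count and stays usable as a backup MX.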