Mailing List SIMS@mail.stalker.com Message #8064
From: Peter Lalor <plalor@infoasis.com>
Subject: Re: Address harvesting incidents
Date: Thu, 5 Apr 2001 09:49:07 -0700
To: SIMS Discussions <SIMS@mail.stalker.com>
From: Tod Fitch <Tod@FitchDesign.com>

In the past three days I have had what appears to be three separate incidents of attempts at address harvesting. At least the IP addresses resolve to separate networks. In two of these incidents the harvester started sending requests via my secondary mail server when SIMS became obstinate about dealing with it (suspending the line, etc.).

Since the secondary does not know the account names it is unable to defend against this abuse. Since the secondary is a "trusted" IP address, SIMS will reject the mail as to a unknown user but will not black list it.

This lead me to the thought that a harvester could send all of its account name attempts via a secondary mail server and wait for the reject messages. Since the secondaries don't have the account information, they cannot directly blacklist the harvester and must forward the mail to the primary. Since SIMS (or any other primary mail server) should not black list its secondaries it will always respond with appropriate "unknown user" information. Thus the harvester will gain the account information it is looking for.

It seems to me that I need to drop the MX record that defines the secondary mail server and go it with no secondary to protect against this possible attack.

Yes, to protect against this you'll need to drop the secondary MX(s).

If this is unacceptable, consider "hardening" your secondary(ies) by using ORBS's various RBLs (if you don't already), statically blacklisting "bad" netblocks, etc. People should only hit your secondary if your primary is unreachable; look in your secondary's logs and see who's hitting it.

Also, allowing only a single connect per host will slow down harvesters. And limit the number of concurrent inbound SMTP connections.
--

Peter Lalor           Infoasis
plalor@infoasis.com   The San Francisco Bay Area's Macintosh
415-459-7991          Consultant and Internet Service Provider
415-459-7992 fax      http://www.infoasis.com/
Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster