Date: Mon, 12 Apr 1999 18:31:30 -0400
From: "Gary Palmer" <gpalmer@freebsd.org>
To: Ernie Elu <ernie@spooky.eis.net.au>
Cc: freebsd-isp@freebsd.org
Subject: Re: Bad sapm problem
Message-ID: <17768.923956290@noop.colo.erols.net>
In-Reply-To: Your message of "Tue, 13 Apr 1999 08:13:57 +1000." <199904122213.IAA90108@spooky.eis.net.au>

Ernie Elu wrote in message ID <199904122213.IAA90108@spooky.eis.net.au>:
> Somehow they have gotten hold of our a complete list of users email
> addresses from 2 FreeBSD servers which don't have shell access,
> and ftp is restricted to your home directory. They don't

It's called a dictionary attack. They get a (LOOONG) list of possible usernames (normally culled from a list from many domains) and just send mail to all of those users at your domain, whether they exist or not. I bet if you check your mail logs, there will be tens of thousands of `User unknown' messages.

The other way they can do this is by doing the SMTP negotiation to send a message, but not actually sending one. They can look at the return code from their dictionary attack and build up a list of valid usernames. I haven't seen that particular style of attack, but it's possible. I personally don't think that spamware writers know what return codes are...

(btw, it's real amusing watching a dictionary spammer try attacking your SMTP server when you have it configured to back off accepting mail if they have invalid recipients :) )

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
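
An added example, not part of the original e-mail: one way to do the mail-log check suggested above, grouping `User unknown` rejections by sending relay so that dictionary-style senders stand out from ordinary typos. The log lines are constructed and use a simplified sendmail-style shape; the field layout, the thresholds and the names `summarize` and `suspects` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified sendmail-style syslog shape (assumed format).
SAMPLE_LOG = """\
Apr 12 18:20:01 mx sendmail[901]: SAA00901: <aaron@example.net>... User unknown
Apr 12 18:20:01 mx sendmail[901]: SAA00901: <abby@example.net>... User unknown
Apr 12 18:20:02 mx sendmail[901]: SAA00901: <adam@example.net>... User unknown
Apr 12 18:20:02 mx sendmail[901]: SAA00901: from=<x@bulk.invalid>, size=0, nrcpts=0, relay=[192.0.2.10]
Apr 12 18:21:10 mx sendmail[905]: SAA00905: <alan@example.net>... User unknown
Apr 12 18:21:11 mx sendmail[905]: SAA00905: from=<y@bulk.invalid>, size=912, nrcpts=1, relay=[192.0.2.10]
Apr 12 18:25:40 mx sendmail[910]: SAA00910: <ernei@example.net>... User unknown
Apr 12 18:25:41 mx sendmail[910]: SAA00910: from=<friend@isp.invalid>, size=2048, nrcpts=1, relay=[198.51.100.7]
"""

UNKNOWN = re.compile(r"sendmail\[\d+\]: (\w+): <([^>]+)>\.\.\. User unknown")
FROM = re.compile(r"sendmail\[\d+\]: (\w+): from=.*?nrcpts=(\d+).*?relay=(\S+)")

def summarize(log_text):
    """Return {relay: {"unknown": rejected addresses, "accepted": int, "sessions": int}}."""
    pending = defaultdict(set)   # queue id -> rejected recipients seen so far
    stats = defaultdict(lambda: {"unknown": set(), "accepted": 0, "sessions": 0})
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m:
            pending[m.group(1)].add(m.group(2).lower())
            continue
        m = FROM.search(line)
        if m:  # the from= line carries the relay; join it to rejections by queue id
            qid, nrcpts, relay = m.group(1), int(m.group(2)), m.group(3)
            s = stats[relay]
            s["unknown"] |= pending.pop(qid, set())
            s["accepted"] += nrcpts
            s["sessions"] += 1
    return dict(stats)

def suspects(stats, min_unknown=3, min_ratio=0.75):
    """Relays whose rejected recipients are numerous and dominate what they sent."""
    out = []
    for relay, s in stats.items():
        bad = len(s["unknown"])
        total = bad + s["accepted"]
        if bad >= min_unknown and bad / total >= min_ratio:
            out.append((relay, bad, s["accepted"]))
    return sorted(out, key=lambda r: -r[1])

if __name__ == "__main__":
    for relay, bad, ok in suspects(summarize(SAMPLE_LOG)):
        print(f"{relay}: {bad} unknown recipients, {ok} accepted")
```

A session with many rejections and `nrcpts=0` matches the second variant described in the message, where recipients are probed but no mail is delivered.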