From owner-freebsd-isp Mon Apr 12 15:34:28 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from noop.colo.erols.net (noop.colo.erols.net [207.96.1.150]) by hub.freebsd.org (Postfix) with ESMTP id 797AE15680 for ; Mon, 12 Apr 1999 15:34:14 -0700 (PDT) (envelope-from gjp@noop.colo.erols.net)
Received: from localhost ([127.0.0.1] helo=noop.colo.erols.net) by noop.colo.erols.net with esmtp (Exim 2.12 #1) id 10WpEo-0004cb-00; Mon, 12 Apr 1999 18:31:30 -0400
To: Ernie Elu
Cc: freebsd-isp@freebsd.org
From: "Gary Palmer"
Subject: Re: Bad sapm problem
In-reply-to: Your message of "Tue, 13 Apr 1999 08:13:57 +1000." <199904122213.IAA90108@spooky.eis.net.au>
Date: Mon, 12 Apr 1999 18:31:30 -0400
Message-ID: <17768.923956290@noop.colo.erols.net>
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ernie Elu wrote in message ID <199904122213.IAA90108@spooky.eis.net.au>:

> Somehow they have gotten hold of a complete list of our users' email
> addresses from 2 FreeBSD servers which don't have shell access,
> and ftp is restricted to your home directory. They don't

It's called a dictionary attack. They get a (LOOONG) list of possible usernames (normally culled from a list from many domains) and just send mail to all of those users at your domain, whether they exist or not. I bet if you check your mail logs, there will be tens of thousands of `User unknown' messages.

The other way they can do this is by doing the SMTP negotiation to send a message, but not actually sending one. They can look at the return code from their dictionary attack and build up a list of valid usernames. I haven't seen that particular style of attack, but it's possible. I personally don't think that spamware writers know what return codes are...

(btw, it's really amusing watching a dictionary spammer try attacking your SMTP server when you have it configured to back off accepting mail if they have invalid recipients :) )

Gary

--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.  See http://www.FreeBSD.ORG/ for info

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
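The log check Gary suggests above (looking for a flood of `User unknown' rejections) can be turned into a small detector. The script below is an added example, not part of the original mail or of any FreeBSD tool: it parses constructed, simplified sendmail-style log lines (the field layout `relay=[ip], to=<rcpt>, stat=...` and the threshold values are assumptions, not a real log format), counts unknown-recipient rejections per connecting client, and flags clients whose traffic is mostly rejections, which is the signature of a dictionary run rather than of a user mistyping one address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a simplified sendmail-like layout.
# These are NOT real logs; the field order and values are assumptions for the example.
SAMPLE_LOG = """\
Apr 12 18:01:02 mx sendmail[101]: relay=[192.0.2.10], to=<alice@example.net>, stat=Sent
Apr 12 18:01:03 mx sendmail[102]: relay=[203.0.113.5], to=<aaron@example.net>, stat=User unknown
Apr 12 18:01:03 mx sendmail[103]: relay=[203.0.113.5], to=<abby@example.net>, stat=User unknown
Apr 12 18:01:05 mx sendmail[104]: relay=[192.0.2.10], to=<bob@example.net>, stat=Sent
Apr 12 18:01:05 mx sendmail[105]: relay=[203.0.113.5], to=<adam@example.net>, stat=User unknown
Apr 12 18:01:06 mx sendmail[106]: relay=[203.0.113.5], to=<alan@example.net>, stat=User unknown
Apr 12 18:01:07 mx sendmail[107]: relay=[192.0.2.10], to=<bobb@example.net>, stat=User unknown
Apr 12 18:01:08 mx sendmail[108]: relay=[203.0.113.5], to=<alice@example.net>, stat=Sent
Apr 12 18:01:09 mx sendmail[109]: relay=[203.0.113.5], to=<alex@example.net>, stat=User unknown
"""

# Extract the connecting client, the recipient tried, and the delivery status.
LINE_RE = re.compile(
    r"relay=\[(?P<ip>[^\]]+)\].*?to=<(?P<rcpt>[^>]+)>.*?stat=(?P<stat>.+)$"
)


def parse_log(text):
    """Yield (client_ip, recipient, status) for every line that matches the layout."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("rcpt"), m.group("stat").strip()


def unknown_user_stats(text):
    """Per-client count of 'User unknown' rejections and the distinct recipients probed."""
    rejects = Counter()
    probed = defaultdict(set)
    for ip, rcpt, stat in parse_log(text):
        if stat == "User unknown":
            rejects[ip] += 1
            probed[ip].add(rcpt)
    return rejects, probed


def flag_dictionary_attack(text, min_rejects=3, min_ratio=0.5):
    """Return clients whose rejections are both numerous and the bulk of their traffic.

    min_rejects and min_ratio are assumed example thresholds; tune them to the
    volume of the server. A legitimate sender mistyping one address has a low
    rejection ratio, a dictionary run has a high one.
    """
    totals = Counter()
    for ip, _, _ in parse_log(text):
        totals[ip] += 1
    rejects, _ = unknown_user_stats(text)
    return sorted(
        ip
        for ip in totals
        if rejects[ip] >= min_rejects and rejects[ip] / totals[ip] >= min_ratio
    )


if __name__ == "__main__":
    rejects, probed = unknown_user_stats(SAMPLE_LOG)
    for ip in flag_dictionary_attack(SAMPLE_LOG):
        print(f"{ip}: {rejects[ip]} unknown-user rejections, "
              f"{len(probed[ip])} distinct names probed")
```

On the constructed sample only 203.0.113.5 is flagged (five rejections out of six attempts); 192.0.2.10 has a single typo among three deliveries and stays below both thresholds. The per-client list of probed names is also what you would feed into an SMTP backoff or tempfail rule of the kind Gary mentions.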