Re: OT - verify addresses

[ha...@t-online.de]

Hi,

I was not really aware of probes before I noticed a few sites that probe the sender before
accepting mail.
This led me to the idea of verifying myself, in a different context: people place orders on a webbsite,
and leave an emailaddress for order confirmation and shipping details
I had implemented a domain check since a long time (some people just write @hotmail
and hope that an operator completes it for them) but still get about half a dozen
failed addresses - often the spelling error is obvious.

As for lots of probes: I have implemented non-linear tarpitting which seems to do a good job

Wolfgang Hamann 

>> 
>> 
>> Nigel Frankcom wrote:
>> > On Thu, 05 Oct 2006 12:32:07 +0200, hamann.w@t-online.de wrote:
>> > 
>> >> back a few years, some mail servers (e.g. qmail) disabled the verify command
>> >> to avoid address probing - and as a consequence would send bounces.
>> >> Nowadays, the majority of mail servers (apart from aol :) rejects unknown
>> >> users with a 5xx response to RCPT TO and thereby re-enables verification.
>> >> Apart from tarpitting too many recipients, what is common practice for
>> >> a server that detects verification attempts (i.e. successful rcpt followed
>> >> by quit) .... ignore, blacklist, other?
>> 
>> Block the IP for a while. OSSEC HIDS, http://ossec.net/ or something 
>> similar can block the IP using iptables or hosts.deny. It will 
>> automatically un-block after a configurable time period. Useful for 
>> web/smtp/ftp/etc.. attacks also.
>> 
>> Ken A.
>> Pacific.Net
>> 
>> 
>> >>
>> >> Wolfgang Hamann
>> > 
>> > 
>> > I can't speak for others, but our server policy is to allow (n)
>> > probes; should they all prove to be bad addresses the IP is banned for
>> > 24 hours. The probes don't all have to come at once, just from the
>> > same IP within any 24 hour period. This system works very well for
>> > dictionary attacks as well.
>> > 
>> > Nigel
>> > 
>>