Posted to users@spamassassin.apache.org by ha...@t-online.de on 2006/10/05 12:32:07 UTC
OT - verify addresses
Back a few years, some mail servers (e.g. qmail) disabled the verify command
to avoid address probing - and as a consequence would send bounces.
Nowadays, the majority of mail servers (apart from aol :) rejects unknown
users with a 5xx response to RCPT TO and thereby re-enables verification.
Apart from tarpitting too many recipients, what is common practice for
a server that detects verification attempts (i.e. successful rcpt followed
by quit) .... ignore, blacklist, other?
Wolfgang Hamann
Re: OT - verify addresses
Posted by "Jack L. Stone" <ja...@sage-american.com>.
At 11:48 AM 10.5.2006 +0100, Nigel Frankcom wrote:
>On Thu, 05 Oct 2006 12:32:07 +0200, hamann.w@t-online.de wrote:
>
>I can't speak for others, but our server policy is to allow (n)
>probes; should they all prove to be bad addresses the IP is banned for
>24 hours. The probes don't all have to come at once, just from the
>same IP within any 24 hour period. This system works very well for
>dictionary attacks as well.
>
>Nigel
>
Nigel: Where & how do you set that probe -- ?? I like the sounds of that.
Thanks!
(^_^)
Happy trails,
Jack L. Stone
System Admin
Sage-american
Re: OT - verify addresses
Posted by Ken A <ka...@pacific.net>.
Nigel Frankcom wrote:
> On Thu, 05 Oct 2006 12:32:07 +0200, hamann.w@t-online.de wrote:
>
>> back a few years, some mail servers (e.g. qmail) disabled the verify command
>> to avoid address probing - and as a consequence would send bounces.
>> Nowadays, the majority of mail servers (apart from aol :) rejects unknown
>> users with a 5xx response to RCPT TO and thereby re-enables verification.
>> Apart from tarpitting too many recipients, what is common practice for
>> a server that detects verification attempts (i.e. successful rcpt followed
>> by quit) .... ignore, blacklist, other?
Block the IP for a while. OSSEC HIDS, http://ossec.net/ or something
similar can block the IP using iptables or hosts.deny. It will
automatically un-block after a configurable time period. Useful for
web/smtp/ftp/etc.. attacks also.
Ken A.
Pacific.Net
>>
>> Wolfgang Hamann
>
>
> I can't speak for others, but our server policy is to allow (n)
> probes; should they all prove to be bad addresses the IP is banned for
> 24 hours. The probes don't all have to come at once, just from the
> same IP within any 24 hour period. This system works very well for
> dictionary attacks as well.
>
> Nigel
>
Re: OT - verify addresses
Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Thu, 05 Oct 2006 12:32:07 +0200, hamann.w@t-online.de wrote:
>back a few years, some mail servers (e.g. qmail) disabled the verify command
>to avoid address probing - and as a consequence would send bounces.
>Nowadays, the majority of mail servers (apart from aol :) rejects unknown
>users with a 5xx response to RCPT TO and thereby re-enables verification.
>Apart from tarpitting too many recipients, what is common practice for
>a server that detects verification attempts (i.e. successful rcpt followed
>by quit) .... ignore, blacklist, other?
>
>Wolfgang Hamann
I can't speak for others, but our server policy is to allow (n)
probes; should they all prove to be bad addresses the IP is banned for
24 hours. The probes don't all have to come at once, just from the
same IP within any 24 hour period. This system works very well for
dictionary attacks as well.
Nigel
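
The policy described above (n probes allowed, ban for 24 hours if they all hit bad addresses, counted per IP within any 24 hour period), sketched as an added example that is not part of the original posts and not any poster's actual setup. The log format, the name ProbeTracker, the value n=3, and reading "all prove to be bad" as "every RCPT result in the window was rejected" are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # "within any 24 hour period"
BAN_FOR = timedelta(hours=24)  # "banned for 24 hours"

class ProbeTracker:            # hypothetical name, not from any MTA or tool
    def __init__(self, n):
        self.n = n                        # the thread's "(n)"; a site policy value
        self.events = defaultdict(deque)  # ip -> (time, accepted) RCPT results
        self.banned_until = {}            # ip -> time the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until  # expires without manual cleanup

    def record(self, ip, now, accepted):
        """Feed one RCPT TO result; return True if the IP is banned."""
        if self.is_banned(ip, now):
            return True
        q = self.events[ip]
        q.append((now, accepted))
        while q and now - q[0][0] > WINDOW:  # forget results older than 24h
            q.popleft()
        # Ban only when at least n probes were seen and every one was rejected.
        if len(q) >= self.n and not any(ok for _, ok in q):
            self.banned_until[ip] = now + BAN_FOR
            q.clear()
            return True
        return False

# Constructed sample log (made-up format): ISO time, client IP, RCPT reply code.
SAMPLE_LOG = """\
2006-10-05T01:00:00 192.0.2.10 550
2006-10-05T09:30:00 192.0.2.10 550
2006-10-05T10:00:00 198.51.100.7 550
2006-10-05T10:01:00 198.51.100.7 250
2006-10-05T10:02:00 198.51.100.7 550
2006-10-05T23:45:00 192.0.2.10 550
2006-10-06T12:00:00 203.0.113.5 550
"""

def run(log, n=3):
    tracker, bans = ProbeTracker(n), []
    for line in log.splitlines():
        ts, ip, code = line.split()
        if tracker.record(ip, datetime.fromisoformat(ts), code.startswith("2")) and ip not in bans:
            bans.append(ip)
    return bans, tracker
```

In the sample, 192.0.2.10 is banned because its three rejections are spread over less than 24 hours, while 198.51.100.7 is left alone because one of its recipients was valid.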