RE: Some Advice Please
- From: "David Sierra Fernandez" <SieFerDa@xxxxxxx>
- To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
- Date: Mon, 9 Jan 2006 11:58:59 +0100
There are two main problems with "harvest attack". The first is the consumtion
of your systems resources which sometimes can cause a total failure. The second
one is that the attack is only the start, I mean, you get a storm of mails
which try to discover what addresses really exist. If the attack is successful,
they have valid email addresses of your organization and they are able to spam
you anytime. But the worse is that they can sell and resell the list to other
spammers.
If the user does not exist in active directory Exchange shows an "550 5.1.1
User unknown" error. There are some antispam products that prevent of
forwarding that error.
Perhaps you can solve the storm problem but remember that it is possible that
the spammer has already the list of valid addresses. For those who are planning
a new email infrastructure it advisable to install antispammers at the
beggining and create mailboxes with large alias names in order to make the
attack more difficult.
-Sierr@-
________________________________
De: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Enviado el: viernes, 06 de enero de 2006 16:55
Para: [ExchangeList]
Asunto: [exchangelist] RE: Some Advice Please
Carácter: Privado
http://www.MSExchange.org/
http://www.vamsoft.com/orf/
John T
eServices For You
-----Original Message-----
From: Maglinger, Paul [mailto:PMAGLINGER@xxxxxxxx]
Sent: Friday, January 06, 2006 5:42 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Some Advice Please
Sensitivity: Private
http://www.MSExchange.org/
John - ORF?
________________________________
From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Thursday, January 05, 2006 17:10
To: [ExchangeList]
Subject: [exchangelist] RE: Some Advice Please
Sensitivity: Private
http://www.MSExchange.org/
If it is a harvesting or dictionary attack, your best bet is an automated way
to temporarily block connections from an IP after x amount of invalid
recipients or tarpit the IP after x amount of invalid recipients.
Some one else has posted a couple of links of how to do this on Exchange, but
IMHO you want to do this before your Exchange server unless you a small shop
and do not have other resources.
My clients Exchange servers sit behind my e-mail server which is acting as a
gateway for them which that server sits behind 3 MS SMTP servers with ORF
running.
ORF is actually a very good product that is growing but does not get mentioned
much. It can install on any server running IIS as it works directly with the
IIS SMTP service.
A harvest attack is where the attacking server(s) will "send" an e-mail to
every possible address at your domain from a through zzzzzzzzzzz (you get the
idea) to find out which are valid addresses. The proper way to fight this is
either block the IP after so many invalid recipients or to tarpit which means
waiting 30 to 60 seconds to respond with a 5.1.x indicating an invalid address.
John T
eServices For You
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
sieferda@xxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to info@xxxxxxxxxxxxxx
Other related posts:
