An application called GeoList Professional exploits the SMTP protocol to retrieve a list of valid e-mail addresses in a domain. Professional SPAM companies can later use this address list to SPAM those users.
Besides being a nuisance to local domain users, this can also create a real Denial-of-Service situation for domains using the qmail SMTP server.
Credit:
For a detailed explanation see: http://www.l8r.com/nwa/nwa1.htm
The recommended ways of dealing with this attack are:
* Patching the SMTP server's source to include a short delay before every response (this makes trying the whole dictionary infeasible).
* Using a commercial or non-commercial mail add-on package to block the attack (for example, Mail Shield).
* Using one of the databases that a few organizations provide of known IPs used by spammers, or of mail servers that are usually used by spammers. This information is usually provided free of charge:
  * MAPS
  * ORBS
  * DSSL
This application uses the RCPT TO command to check whether an e-mail address is valid. Using a dictionary, this attack can find a list of users on the attacked domain.
This list is later used by spammers to SPAM the e-mail accounts.
The attack starts with the following command:
    MAIL FROM: <info@savings.com>
(savings.com is not affiliated with this program. Later versions use other FROM addresses.)
Then, an RCPT TO command is issued:
    RCPT TO: <user1@example.com>
If user1 exists on example.com, there will not be a response. If the user does not exist, the following response will be issued:
    ERR 954 example.com invalid user <user1@example.com>
This way the application can create a list of verified users on example.com.
This attack (besides being a nuisance to the spammed accounts) can be a real Denial-of-Service attack.
The SMTP server's log will inflate, and in some situations (for example, if the server is using qmail) all e-mail addresses will be validated, resulting in a huge number of SPAM e-mails sent to the default account.
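In the server's log, a dictionary run of this kind shows up as one client issuing RCPT TO for many different recipients within a short time. The following Python code is an added example, not part of the original advisory or of any mail server; the log format, the function name find_harvesters and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format (not any real MTA's):
#   <ISO timestamp> <client IP> RCPT <address> <accepted|rejected>
LINE_RE = re.compile(r"^(\S+) (\S+) RCPT (\S+) (accepted|rejected)$")

def find_harvesters(lines, max_rcpts=5, window=timedelta(seconds=60),
                    count_accepted=False):
    """Map client IP -> peak number of distinct recipients probed inside
    one window, for clients that exceeded max_rcpts.
    By default only rejected recipients count. Set count_accepted=True for
    a server that accepts every address (the qmail case described above),
    where a dictionary run produces no rejections at all.
    Lines are assumed to be in time order for each client.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, address) inside window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or (m.group(4) == "accepted" and not count_accepted):
            continue
        ts = datetime.fromisoformat(m.group(1))
        ip, addr = m.group(2), m.group(3).lower()
        q = recent[ip]
        q.append((ts, addr))
        while ts - q[0][0] > window:      # drop attempts older than window
            q.popleft()
        distinct = len({a for _, a in q})
        if distinct > max_rcpts:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample data: one dictionary run, one ordinary sender, and one
# client whose failures are spread too thinly to look like a dictionary run.
NAMES = ["aaron", "abby", "adam", "alan", "alex", "alice", "amy", "andy"]
SAMPLE_LOG = [
    "2000-01-01T09:00:00 192.0.2.10 RCPT bob@example.com accepted",
    "2000-01-01T09:30:00 192.0.2.10 RCPT bobb@example.com rejected",
] + [
    f"2000-01-01T10:00:{i:02d} 198.51.100.7 RCPT {n}@example.com "
    f"{'accepted' if n == 'alice' else 'rejected'}"
    for i, n in enumerate(NAMES)
] + [
    f"2000-01-01T{11 + i:02d}:00:00 203.0.113.5 RCPT u{i}@example.com rejected"
    for i in range(6)
]
```

Calling find_harvesters(SAMPLE_LOG) flags only 198.51.100.7; the flagged clients are candidates for the response delay or blocking measures listed above.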