Bugtraq mailing list archives

sendmail 8.9.3 patches to curb RCPT harvesters


From: peterw () CLARK NET (Peter W)
Date: Thu, 11 Mar 1999 19:31:21 -0500


Aleph One wrote:

> I am killing the spam address harvesting thread unless someone posts some
> actual code.

Per Joseph's suggestion. Use these patches against sendmail 8.9.3 and add

O RCPTFailDelay=30

to sendmail.cf to make sendmail sleep() for 30 seconds before reporting any
"550" errors. Set the value to 0 for "normal" behavior.

Note that RFC 1123 suggests RCPT responses be returned in less than 5 minutes
(if they're verified immediately -- 1123 allows verification of RCPT to be
deferred and notes that a "250" response does not guarantee the address is
legit). Eric Allman argues in doc/op/op.ps that sending SMTP agents ought to
wait an hour. Choose wisely.

This quick modification should at least frustrate current** RCPT abuse tools,
give admins more time to notice the failures in the maillog and react, and not
confuse mailers that legitimately send multiple RCPT commands to known
addresses.

-Peter

** Eventually I think sys admins would want to defer all RCPT verifications
until after the DATA transmission, erroring with 554 if there is a single
invalid RCPT address, to make SMTP username-harvesting visible. SMTP senders
would need to be sure they heeded RFC 1123 section 5.2.7 regarding the meaning
of a 250 response to RCPT.

--
Q: How could China track down and punish dissidents more effectively?
A: The new Pentium III chip!  http://www.privacy.org/bigbrotherinside/
    Intel doesn't care about your privacy. Join the boycott today.

$ diff -C 2 sendmail.h.orig sendmail.h
*** sendmail.h.orig     Thu Mar 11 07:57:42 1999
--- sendmail.h  Thu Mar 11 08:06:51 1999
***************
*** 1293,1296 ****
--- 1293,1298 ----
  EXTERN int    MaxMimeHeaderLength;    /* maximum MIME header length */
  EXTERN int    MaxMimeFieldLength;     /* maximum MIME field length */
+ EXTERN int    RCPTFailDelay;
+       /* delay before report user does not exist to inbound SMTP commands */

  extern int    errno;
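
Review bot: The comment on the new RCPTFailDelay declaration gives neither the unit nor the meaning of 0. The err.c hunk passes the value straight to sleep(), so the comment should say it is in seconds and that 0 disables the delay. It would also read better on the declaration line itself, like the two MaxMime entries above it.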


$ diff -C 2 readcf.c.orig readcf.c
*** readcf.c.orig       Thu Mar 11 07:57:52 1999
--- readcf.c    Thu Mar 11 08:15:29 1999
***************
*** 1532,1535 ****
--- 1532,1537 ----
        { "MaxHeadersLength",           O_MAXHDRSLEN,   FALSE   },
  #endif
+ #define O_RCPTFAILDELAY       0xab
+       { "RCPTFailDelay",              O_RCPTFAILDELAY,        FALSE   },
        { NULL,                         '\0',           FALSE   }
  };
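
Review bot: The hard-coded 0xab in the added "#define O_RCPTFAILDELAY" line is not shown to be free. The MaxHeadersLength entry directly above sits inside a conditional block whose own #define lies outside the visible context, so confirm 0xab is not the code already assigned there or to any other O_ option. A duplicate would give the option switch two identical case values whenever that conditional is enabled.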
***************
*** 2211,2214 ****
--- 2213,2220 ----
          case O_MAXCHILDREN:   /* max # of children of daemon */
                MaxChildren = atoi(val);
+               break;
+
+         case O_RCPTFAILDELAY: /* delay before reporting user does not exist */

+               RCPTFailDelay = atoi(val);
                break;
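
Review bot: "RCPTFailDelay = atoi(val);" stores the setting with no range check, so a negative value in sendmail.cf reaches sleep() in the err.c hunk, where it converts to a very large unsigned delay. Reject or clamp values below 0 when the option is read, and consider an upper bound as well. The comment on the "case O_RCPTFAILDELAY:" line also appears to have been wrapped in transit, which may keep this hunk from applying as posted.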


$ diff -C 2 err.c.orig err.c
*** err.c.orig  Thu Mar 11 08:05:41 1999
--- err.c       Thu Mar 11 08:12:58 1999
***************
*** 526,529 ****
--- 526,532 ----
        eb += 4;
        spaceleft -= 4;
+
+       if ((num != NULL)  && (strncmp(num, "550", 3) == 0) )
+               sleep(RCPTFailDelay);

        /* output the file name and line number */
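
Review bot: The strncmp(num, "550", 3) test delays every message whose code begins with 550, wherever this error formatter is called, not only a rejected RCPT. Nothing in the added lines checks that the process is answering an inbound SMTP RCPT, which is what the option name and the sendmail.h comment promise. Gate the sleep on that state, or move it into the RCPT handling code, and skip the call when RCPTFailDelay is 0 or less.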

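The deferred verification proposed in the footnote of the message (answer every RCPT with 250, then fail the transaction with 554 after DATA if any recipient is invalid), as an added example that is not part of the original post or of sendmail. The user table, `struct session`, the function names and the probe list are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_RCPT 16
/* Constructed user table; a real MTA would consult its alias and passwd maps. */
static const char *known_users[] = { "alice", "bob", "postmaster" };
struct session {
    const char *rcpt[MAX_RCPT];   /* recipients taken so far, not yet verified */
    int nrcpt;
};

static int user_exists(const char *u) {
    size_t i;
    for (i = 0; i < sizeof(known_users) / sizeof(known_users[0]); i++)
        if (strcmp(known_users[i], u) == 0)
            return 1;
    return 0;
}

/* RCPT: always answer 250, so the reply says nothing about whether the
 * mailbox exists (the deferred check that RFC 1123 5.2.7 allows). */
static int smtp_rcpt(struct session *s, const char *user) {
    if (s->nrcpt >= MAX_RCPT)
        return 452;               /* recipient limit of this sketch reached */
    s->rcpt[s->nrcpt++] = user;
    return 250;
}

/* End of DATA: verify every recipient now. One bad address fails the whole
 * transaction with 554; *nbad is the count an admin would want logged. */
static int smtp_end_of_data(const struct session *s, int *nbad) {
    int i;
    *nbad = 0;
    if (s->nrcpt == 0)
        return 503;               /* no RCPT was given */
    for (i = 0; i < s->nrcpt; i++)
        if (!user_exists(s->rcpt[i]))
            (*nbad)++;
    return *nbad ? 554 : 250;
}

int main(void) {
    const char *probe[] = { "alice", "admin", "root", "bob" };  /* constructed */
    struct session s = { {0}, 0 };
    int i, nbad, code;
    for (i = 0; i < 4; i++)
        printf("RCPT %-6s -> %d\n", probe[i], smtp_rcpt(&s, probe[i]));
    code = smtp_end_of_data(&s, &nbad);
    printf("end of DATA -> %d (%d unknown recipients)\n", code, nbad);
    return 0;
}
```

Every RCPT reply is identical, so a probing client learns nothing per address, and the single 554 at end of DATA carries the unknown-recipient count for the log.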

