Security Incidents mailing list archives

Re: email address probes


From: "james" <jamesh () cybermesa com>
Date: Thu, 6 Feb 2003 10:49:09 -0700

We drop all the mail that comes in to "not found" addresses to a black hole, 
via the virtusers db in /etc/mail:

@whatever.com      blackhole

At present the blackhole is a file, but it could also be /dev/null.

james


I'd like to be able to stop these attempts, but I can't think of a way
to do it.  All of the attempts are coming from valid servers from some
domains that we can't block.  They do all have null reverse-paths
(MAIL FROM:<>), but I don't think that we can reject on this criterion
as null reverse-paths are used to send NDRs and other notifications
which we don't want to block.  I suppose that we could accept the
emails and dump them to /dev/null (or to some tarpit account so that
we can inspect them) instead of replying with a "550 User unknown,"
but I suspect that this could cause us more headaches in the future.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
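
Added example, not part of either poster's message: one way to see which relays are probing, by correlating "User unknown" rejections with null reverse-path envelopes in the mail log. The log lines are constructed and assume sendmail's usual syslog layout; `probe_relays` and its threshold are hypothetical names and values.

```python
import re
from collections import defaultdict

# Constructed sample lines in sendmail's syslog style (assumed layout).
SAMPLE_LOG = """\
Feb  6 10:12:01 mx sendmail[2101]: h16HC1a02101: <aaron@whatever.com>... User unknown
Feb  6 10:12:01 mx sendmail[2101]: h16HC1a02101: <abby@whatever.com>... User unknown
Feb  6 10:12:02 mx sendmail[2101]: h16HC1a02101: <adam@whatever.com>... User unknown
Feb  6 10:12:02 mx sendmail[2101]: h16HC1a02101: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Feb  6 10:15:40 mx sendmail[2140]: h16HFea02140: <jsmith@whatever.com>... User unknown
Feb  6 10:15:40 mx sendmail[2140]: h16HFea02140: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Feb  6 10:20:11 mx sendmail[2188]: h16HKBa02188: <typo@whatever.com>... User unknown
Feb  6 10:20:11 mx sendmail[2188]: h16HKBa02188: from=<bob@example.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=out.example.com [203.0.113.5]
"""

UNKNOWN = re.compile(r"sendmail\[\d+\]: (\w+): <([^>]*)>\.\.\. User unknown")
FROM = re.compile(r"sendmail\[\d+\]: (\w+): from=<([^>]*)>,.*relay=(.+)$")

def probe_relays(log_text, threshold=3):
    """Return {relay: [unknown recipients]} for relays that used MAIL FROM:<>
    and hit at least `threshold` distinct nonexistent addresses."""
    unknown = defaultdict(set)   # queue id -> rejected recipients
    sender = {}                  # queue id -> (envelope sender, relay)
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m:
            unknown[m.group(1)].add(m.group(2).lower())
            continue
        m = FROM.search(line)
        if m:
            sender[m.group(1)] = (m.group(2), m.group(3).strip())
    per_relay = defaultdict(set)
    for qid, rcpts in unknown.items():
        env_from, relay = sender.get(qid, (None, None))
        if env_from == "":       # null reverse-path only
            per_relay[relay] |= rcpts
    # A single unknown recipient with <> is ordinary bounce traffic;
    # many distinct ones from one relay looks like address probing.
    return {r: sorted(a) for r, a in per_relay.items() if len(a) >= threshold}

if __name__ == "__main__":
    for relay, addrs in probe_relays(SAMPLE_LOG).items():
        print(relay, len(addrs), addrs)
```

This only works while the server still answers "550 User unknown"; once unknown recipients are mapped to a blackhole they are accepted and no such rejection lines are logged.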

