11.7 Sendmail Account Guessing

[Danger level 2 icon]

A common technique of spammers is to find every system with sendmail listening on TCP port 25, guess users' e-mail addresses on it, and then spam the addresses that turn out to exist. They try common first names, common last names, and common generic names such as sales, devel and development, president, etc. The most efficient way to do this, if you allow it, is to use sendmail's VRFY command to ask whether each guessed name is a valid account. VRFY should be turned off, of course; this is discussed in "Sendmail Security Options" on page 179.

Failing this, most spammers will simply send mail to the generated list of guessed accounts. Because a long list of recipients may be specified for a single message, this is almost as efficient for the spammer.

The solution is to limit the maximum number of recipients that may be specified for one message. For further effect, modify sendmail so that when an invalid name is supplied it "sleeps" for some number of seconds using the sleep() system call. This slows the spammer down so that he uses fewer of your packets and computrons, and if many sites did this, spamming would be less efficient. Limiting the maximum number of recipients is discussed in "Fortify sendmail to Resist DoS Attacks" on page 109. Another way to reduce successful "hits" is not to use common e-mail addresses: instead of jack and jane, use jmeyers and jaustin. Also consult "Take Our Employees, Please" on page 286, which discusses confidential information on Web servers, such as employee e-mail addresses.
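The guessing described in this section leaves a recognizable trace in sendmail's syslog output: one envelope from one relay bouncing many different local names with "User unknown". The following detector is an added example (not code from the book) that correlates sendmail's `from=` line, which names the relay, with the `... User unknown` rejection lines that share its queue ID, and reports any relay that bounced at least a threshold of distinct guessed addresses. The log lines are constructed for the example; the queue IDs, hostnames and addresses are made up. It is written so that the `from=` line may appear either before or after the rejection lines, because sendmail logs the envelope's `from=` record when the envelope closes, not when the session opens.

```python
import re
from collections import defaultdict

# Constructed sample of sendmail syslog lines (not from the book). One
# envelope from 192.0.2.55 probes five guessed names, all rejected; a
# second, legitimate envelope from 198.51.100.7 delivers normally.
SAMPLE_LOG = """\
Mar  3 10:12:31 mail sendmail[4101]: r23FCUxx004101: <jack@example.com>... User unknown
Mar  3 10:12:31 mail sendmail[4101]: r23FCUxx004101: <jane@example.com>... User unknown
Mar  3 10:12:32 mail sendmail[4101]: r23FCUxx004101: <sales@example.com>... User unknown
Mar  3 10:12:32 mail sendmail[4101]: r23FCUxx004101: <devel@example.com>... User unknown
Mar  3 10:12:33 mail sendmail[4101]: r23FCUxx004101: <president@example.com>... User unknown
Mar  3 10:12:33 mail sendmail[4101]: r23FCUxx004101: from=<bulk@example.net>, size=0, class=0, nrcpts=0, msgid=<1@example.net>, proto=SMTP, daemon=MTA, relay=[192.0.2.55]
Mar  3 10:13:05 mail sendmail[4102]: r23FD5xx004102: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Mar  3 10:13:06 mail sendmail[4103]: r23FD5xx004102: to=<jmeyers@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30812, dsn=2.0.0, stat=Sent
"""

# "sendmail[pid]: <queue id>: <rest of record>"
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
# relay=[ip] or relay=hostname [ip]
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]")
# sendmail's rejection record for a nonexistent local user
UNKNOWN_RE = re.compile(r"^<(?P<addr>[^>]+)>\.\.\. User unknown")


def parse_records(log_text):
    """Yield (queue_id, rest_of_record) for every sendmail line in the text."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("qid"), m.group("rest")


def find_account_guessing(log_text, threshold=3):
    """Return {relay_ip: sorted distinct rejected addresses} for every relay
    whose envelopes bounced at least `threshold` distinct unknown recipients."""
    records = list(parse_records(log_text))

    # Pass 1: queue id -> relay IP, taken from the envelope's from= record.
    # That record is written when the envelope closes, so it can follow the
    # User unknown lines; a single forward pass would miss the relay.
    relay_of = {}
    for qid, rest in records:
        m = RELAY_RE.search(rest)
        if m and rest.startswith("from="):
            relay_of[qid] = m.group("ip")

    # Pass 2: distinct unknown recipients per relay, joined via queue id.
    unknown = defaultdict(set)
    for qid, rest in records:
        m = UNKNOWN_RE.match(rest)
        if m:
            unknown[relay_of.get(qid, "unknown-relay")].add(m.group("addr"))

    return {ip: sorted(addrs) for ip, addrs in unknown.items()
            if len(addrs) >= threshold}


if __name__ == "__main__":
    for ip, addrs in find_account_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {len(addrs)} guessed names rejected: {', '.join(addrs)}")
```

Run against `SAMPLE_LOG` it reports only 192.0.2.55 with its five rejected names. Tune `threshold` to your own traffic: a legitimate sender mistyping one address should never trip it, while a name-guessing run produces many distinct rejections in a single envelope. On the prevention side, the two countermeasures the text describes correspond to sendmail options that already exist in 8.12 and later: MaxRecipientsPerMessage (m4 name confMAX_RCPTS_PER_MESSAGE) caps recipients per envelope, and BadRcptThrottle (confBAD_RCPT_THROTTLE) makes sendmail sleep one second after each further RCPT once the given number of recipients in an envelope have been rejected, which is the built-in form of the sleep() modification suggested above.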


Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260