Blank emails - Directory Harvesting Attacks

Chris Fortune cfortune at telus.net
Fri Jun 11 22:29:44 CEST 2004


The entire problem of blank emails is not much different from Denial of Service attacks; in fact, they are usually
called Directory Harvesting Attacks, and maybe they should be treated as such.  Can anybody recommend helpful software for detecting
DHAs and distributed DHAs?

The problem with blank emails is that the sender sends the DATA command followed by . QUIT, so there is no opportunity to reject
them based on message content.  I suppose it is possible to send a 550 response to the QUIT command, but I am not sure if this is RFC
legal or if it will have much effect.

Another approach is to apply bogofilter classification to the head of the email, before the DATA command...  Could produce false
positives?  There is not much data to classify.  Has anybody tried this?



----- Original Message -----
From: "Peter Bishop" <pgb at adelard.com>
To: <bogofilter at bogofilter.org>
Sent: Friday, June 11, 2004 2:34 AM
Subject: Re: Blank emails


> On 10 Jun 2004 at 22:40, Tom Allison wrote:
>
> > I don't know if you can do multiple regex header checks  in one line
> > with postfix, but you could always do the logical NOT regex tests like
> > this:
> >
> > If Subject: does not match "" then OK
> > If From: does not match "" then OK
> > If To: does not match "undisclosed recipients" then OK
> > else REJECT
> >
> The actual blank email header looks a bit like this:
>
> Delivered-To: <pgb at adelard.com>
> Date: <valid_date>
> From: <the_spammer>
> Message-Id: <valid_message_id>
> Received: <some_random_string>
> Bcc:
> Status:
>
> The header is terminated by two returns but there is no body text at
> all.
> So there is no Subject line, and no proper To line (just a Bcc)
>
> So I guess the lack of a Subject line might be sufficient to detect
> such probes.
> "Proper" emails should have a Subject line - even if the sender
> forgets to fill it in.
>
> --
> Peter Bishop
> pgb at adelard.com
> pgb at csr.city.ac.uk
>
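
The header test discussed in the quoted messages (no Subject line, no proper To line, no body text), as an added example that is not part of the original thread. The sample messages are constructed, and the function names and the three-signal threshold are assumptions; an empty `Subject:` line is deliberately not treated as a missing one.

```python
from email import message_from_string

# Constructed sample shaped like the blank probe quoted above (placeholder values).
PROBE = (
    "Delivered-To: <user@example.org>\n"
    "Date: Fri, 11 Jun 2004 02:34:00 +0100\n"
    "From: <sender@example.net>\n"
    "Message-Id: <constructed-1@example.net>\n"
    "Received: from unknown\n"
    "Bcc:\n"
    "Status:\n"
    "\n"
)
# Constructed legitimate mail whose sender left the Subject empty.
EMPTY_SUBJECT = (
    "From: <alice@example.org>\n"
    "To: <bob@example.org>\n"
    "Subject:\n"
    "\n"
    "see attached\n"
)

def _visible(value):
    """True when a recipient header carries something other than a placeholder."""
    v = (value or "").strip().lower()
    return bool(v) and "undisclosed" not in v

def probe_signals(raw):
    """Return the blank-probe signals found in one raw message."""
    msg = message_from_string(raw)
    signals = []
    # msg["Subject"] is None only when the header line is absent, not when it is empty.
    if msg["Subject"] is None:
        signals.append("no-subject-header")
    # Neither To nor Cc names a recipient (a Bcc-only or "undisclosed" message).
    if not any(_visible(msg[h]) for h in ("To", "Cc")):
        signals.append("no-visible-recipient")
    # Multipart messages return a list here and are never counted as empty.
    payload = msg.get_payload()
    if isinstance(payload, str) and not payload.strip():
        signals.append("empty-body")
    return signals

def is_blank_probe(raw, threshold=3):
    """Flag only when all three signals agree (assumed threshold)."""
    return len(probe_signals(raw)) >= threshold
```

Requiring all three signals keeps a mail with a forgotten subject or a Bcc-only recipient list from being rejected on one weak indicator.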




