Blank emails - Directory Harvesting Attacks

Tom Anderson tanderso at oac-design.com
Fri Jun 11 23:02:53 CEST 2004


From: "Chris Fortune" <cfortune at telus.net>
> The problem with blank emails is that the sender sends the DATA command
> followed by . QUIT, so there is no opportunity to reject
> them based on message content.  I suppose it is possible to send a 550
> response to the QUIT command, but not sure if this is RFC
> legal or if it will have much effect.

This isn't really an issue of "blank emails" though... the same effect would
be had if the email body said "delete this message".  I'm guessing that
having no body is simply a way for the spammer to send out more emails with
less bandwidth.  They could easily add a few characters to the body if
people started filtering no-body emails, and still achieve the same goal.
So this remains a spam filtering problem, not a DoS problem.

> Another approach is to apply bogofilter classification to the head of the
> email, before the data command.....  Could produce false
> positives?  There is not much data to classify.  Has anybody tried this?

It would be interesting to apply bogofilter to the HELO, IP, rDNS, and
ASN.  The TO addressee's wordlist could be used to make the determination
whether or not to return a "No Such User" response.  This is of course very
dangerous by way of false positives, but if you get a 0.99+ spamicity on
those four values, it might be worth it.  Anyone who _really_ needs to
contact you will know that their email didn't go through and will try a
different method, like a phone call.  I've never tried MTA filtering because
I never wanted a binary decision process there, but using bogofilter at that
point would be cool if it could be done.  I know lots of people use Postfix,
but I use Sendmail.  Is the method of doing this similar in both?

Tom
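The envelope-scoring idea above (classify HELO, client IP, rDNS and ASN before DATA and answer "No such user" only at very high spamicity) as an added, stand-alone example; this is not bogofilter's code and not anything from the thread. The per-token smoothing is Gary Robinson's f(w) formula (which bogofilter does use), but the combining step is Paul Graham's simpler product rule rather than bogofilter's Fisher inverse chi-square, so the scores are illustrative. Every envelope, address, ASN and label below is constructed for the example; the 0.99 reject threshold is the one Tom mentions.

```python
"""Score SMTP envelope features before DATA, bogofilter-style (simplified)."""
from collections import Counter

# Constructed training set: envelopes a small site might have labelled.
SPAM_ENVELOPES = [
    {"helo": "localhost", "ip": "192.0.2.10", "rdns": "", "asn": "AS64500"},
    {"helo": "localhost", "ip": "192.0.2.11", "rdns": "", "asn": "AS64500"},
    {"helo": "mail.example.com", "ip": "192.0.2.12", "rdns": "", "asn": "AS64500"},
    {"helo": "friend", "ip": "198.51.100.7", "rdns": "dsl-7.pool.example.net", "asn": "AS64501"},
]
HAM_ENVELOPES = [
    {"helo": "mx1.example.org", "ip": "203.0.113.5", "rdns": "mx1.example.org", "asn": "AS64502"},
    {"helo": "mx2.example.org", "ip": "203.0.113.6", "rdns": "mx2.example.org", "asn": "AS64502"},
    {"helo": "smtp.example.edu", "ip": "203.0.113.40", "rdns": "smtp.example.edu", "asn": "AS64503"},
]

# Constructed envelopes to score after training (assumptions, not real hosts).
NEW_SPAM_HOST = {"helo": "localhost", "ip": "192.0.2.99", "rdns": "", "asn": "AS64500"}
UNKNOWN_SENDER = {"helo": "mail.newcorp.example", "ip": "198.18.4.9",
                  "rdns": "mail.newcorp.example", "asn": "AS64510"}
# A legitimate relay with a sloppy HELO but known-good rDNS/ASN: the
# false-positive case Tom worries about.
MISCONFIGURED_HAM = {"helo": "localhost", "ip": "203.0.113.99",
                     "rdns": "mx3.example.org", "asn": "AS64502"}


def tokens(env):
    """Prefix each envelope field so the same string in HELO and rDNS is
    two different tokens; add the client /24 so a fresh host in a known
    bad range still scores."""
    return {
        "helo:" + env["helo"].lower(),
        "ip:" + env["ip"],
        "asn:" + env["asn"],
        "rdns:" + (env["rdns"].lower() or "<none>"),
        "net24:" + ".".join(env["ip"].split(".")[:3]),
    }


def train(spam, ham):
    """Count, per token, how many spam and ham envelopes contained it."""
    return {
        "spam": Counter(tok for e in spam for tok in tokens(e)),
        "ham": Counter(tok for e in ham for tok in tokens(e)),
        "nspam": len(spam),
        "nham": len(ham),
    }


def token_prob(model, tok, s=1.0, x=0.5):
    """Robinson's f(w) = (s*x + n*p(w)) / (s + n): an unseen token is
    neutral (x), a token seen once is pulled only part way from neutral."""
    b, g = model["spam"][tok], model["ham"][tok]
    n = b + g
    if n == 0:
        return x
    bf, gf = b / model["nspam"], g / model["nham"]
    p = bf / (bf + gf)
    return (s * x + n * p) / (s + n)


def spamicity(model, env):
    """Graham's combining rule: P = prod(p) / (prod(p) + prod(1-p))."""
    prod_p = prod_q = 1.0
    for p in (token_prob(model, t) for t in tokens(env)):
        prod_p *= p
        prod_q *= 1.0 - p
    return prod_p / (prod_p + prod_q)


def smtp_decision(model, env, threshold=0.99):
    """What to answer at RCPT: a 5xx only above the threshold, otherwise
    leave the decision to later stages (Postfix policy 'DUNNO' wording)."""
    score = spamicity(model, env)
    if score >= threshold:
        return "550 5.1.1 No such user", score
    return "DUNNO", score


if __name__ == "__main__":
    model = train(SPAM_ENVELOPES, HAM_ENVELOPES)
    for name, env in (("new spam host", NEW_SPAM_HOST),
                      ("unknown sender", UNKNOWN_SENDER),
                      ("misconfigured ham", MISCONFIGURED_HAM)):
        action, score = smtp_decision(model, env)
        print(f"{name:18s} {score:.4f} -> {action}")
```

With five tokens per envelope and unseen tokens scoring a neutral 0.5, a completely unknown sender lands at exactly 0.5 and is never rejected; only a host whose HELO, ASN, missing rDNS and /24 have all been seen in spam crosses 0.99. The relay with a bad HELO but known-good ASN and network scores well below 0.5, which is the behaviour that makes a hard 5xx at this stage tolerable, but with a training set this small one good token is all that separates accept from reject, so the threshold does the real work.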


>
>
> ----- Original Message -----
> From: "Peter Bishop" <pgb at adelard.com>
> To: <bogofilter at bogofilter.org>
> Sent: Friday, June 11, 2004 2:34 AM
> Subject: Re: Blank emails
>
>
> > On 10 Jun 2004 at 22:40, Tom Allison wrote:
> >
> > > I don't know if you can do multiple regex header checks  in one line
> > > with postfix, but you could always do the logical NOT regex tests like
> > > this:
> > >
> > > If Subject: does not match "" then OK
> > > If From: does not match "" then OK
> > > If To: does not match "undisclosed recipients" then OK
> > > else REJECT
> > >
> > The actual blank email header looks a bit like this:
> >
> > Delivered-To: <pgb at adelard.com>
> > Date: <valid_date>
> > From: <the_spammer>
> > Message-Id: <valid_message_id>
> > Received: <some_random_string>
> > Bcc:
> > Status:
> >
> > The header is terminated by two returns but there is no body text at
> > all.
> > So there is no Subject line, and no proper To line (just a Bcc)
> >
> > So I guess the lack of a Subject line might be sufficient to detect
> > such probes.
> > "Proper" emails should have a Subject line - even if the sender
> > forgets to fill it in.
> >
> > --
> > Peter Bishop
> > pgb at adelard.com
> > pgb at csr.city.ac.uk
> >
> >
> > _______________________________________________
> > Bogofilter mailing list
> > Bogofilter at bogofilter.org
> > http://www.bogofilter.org/mailman/listinfo/bogofilter
> >

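Peter's blank-probe header (no Subject, no To, only an empty Bcc, nothing after the header block) and Tom Anderson's point that a no-body rule is trivially evaded, as an added example that is not part of the thread. The sample messages are constructed from Peter's description with placeholder addresses; the detector keys on the headers that the probe lacks rather than on the empty body, and the evasion variant shows why.

```python
"""Detect the blank directory-harvesting probe from its header block."""
from email import message_from_string

# Constructed from the header layout Peter describes; addresses and ids are placeholders.
PROBE = (
    "Delivered-To: <user@example.com>\r\n"
    "Date: Fri, 11 Jun 2004 02:34:00 +0100\r\n"
    "From: <spammer@example.net>\r\n"
    "Message-Id: <20040611023400.1234@example.net>\r\n"
    "Received: from unknown by example.com\r\n"
    "Bcc:\r\n"
    "Status:\r\n"
    "\r\n"
)

# Tom's evasion: the same probe with a few characters of body added.
PROBE_WITH_BODY = PROBE + "x\r\n"

# A legitimate mail whose sender forgot to fill in the Subject.
LEGIT = (
    "Received: from mx1.example.org by example.com\r\n"
    "From: Alice <alice@example.org>\r\n"
    "To: user@example.com\r\n"
    "Subject:\r\n"
    "Date: Fri, 11 Jun 2004 09:00:00 +0100\r\n"
    "Message-Id: <abc123@example.org>\r\n"
    "\r\n"
    "Hi,\r\n"
)


def probe_signals(raw):
    """Look at the whole header block at once; a per-line regex such as
    Postfix header_checks cannot express 'Subject header is absent'."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    if not isinstance(body, str):
        body = ""
    return {
        "no_subject": msg["Subject"] is None,   # absent, not merely empty
        "no_to": msg["To"] is None,
        "bcc_only": msg["To"] is None and "Bcc" in msg,
        "empty_body": body.strip() == "",
    }


def is_blank_probe(raw):
    """Flag on the structural defects of the probe, not on body length."""
    s = probe_signals(raw)
    return s["no_subject"] and s["no_to"]


if __name__ == "__main__":
    for name, raw in (("probe", PROBE), ("probe+body", PROBE_WITH_BODY), ("legit", LEGIT)):
        print(name, probe_signals(raw), "->", "REJECT" if is_blank_probe(raw) else "OK")
```

The empty-body signal is reported but deliberately not used in the verdict: adding "x" to the body defeats it, while the missing Subject and To headers survive that change. The legitimate message keeps an empty `Subject:` header and a real `To:`, so it is not flagged, matching Peter's observation that proper mail carries a Subject line even when it is blank. Because the decision needs the complete header block, it belongs in a milter or content filter stage that sees the whole DATA, whichever MTA is in front of it.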