Blank emails - Directory Harvesting Attacks

Chris Fortune cfortune at telus.net
Sat Jun 12 07:31:17 CEST 2004


Not to beat this thread to death, but here are the three rejection codes that fit blank emails best (and all spam rejections for that matter):

550 5.7.0  Other or undefined security status

550 5.7.1  Delivery not authorized, message refused (a bogofilter favorite)

550 5.7.7  Message integrity failure

(550 means "Requested action not taken: mailbox unavailable")

5.X.X   Permanent Failure

       A permanent failure is one which is not likely to be resolved by
       resending the message in the current form.  Some change to the
       message or the destination must be made for successful delivery

3.8 Security or Policy Status

       X.7.0   Other or undefined security status

          Something related to security caused the message to be
          returned, and the problem cannot be well expressed with any
          of the other provided detail codes.  This status code may
          also be used when the condition cannot be further described
          because of security policies in force.

       X.7.1   Delivery not authorized, message refused

          The sender is not authorized to send to the destination.
          This can be the result of per-host or per-recipient
          filtering.  This memo does not discuss the merits of any
          such filtering, but provides a mechanism to report such.
          This is useful only as a permanent error.

       X.7.7   Message integrity failure

          A transport system otherwise authorized to validate a
          message was unable to do so because the message was
          corrupted or altered.  This may be useful as a permanent,
          transient persistent, or successful delivery code.

http://www.faqs.org/rfcs/rfc1893.html



----- Original Message -----
From: "Tom Anderson" <tanderso at oac-design.com>
To: <bogofilter at bogofilter.org>
Sent: Friday, June 11, 2004 2:02 PM
Subject: Re: Blank emails - Directory Harvesting Attacks


> From: "Chris Fortune" <cfortune at telus.net>
> > The problem with blank emails is that the sender sends the DATA command
> > followed by . QUIT, so there is no opportunity to reject them based on
> > message content.  I suppose it is possible to send a 550 response to the
> > QUIT command, but not sure if this is RFC legal or if it will have much
> > effect.
>
> This isn't really an issue of "blank emails" though... the same effect would
> be had if the email body said "delete this message".  I'm guessing that
> having no body is simply a way for the spammer to send out more emails with
> less bandwidth.  They could easily add a few characters to the body if
> people started filtering no-body emails, and still achieve their same goal.
> So this remains a spam filtering problem, not a DOS problem.
>
> > Another approach is to apply bogofilter classification to the head of the
> > email, before the data command.....  Could produce false positives?  There
> > is not much data to classify.  Has anybody tried this?
>
> This would be interesting to apply bogofilter to the HELO, IP, rDNS, and
> ASN.  The TO addressee's wordlist could be used to make the determination
> whether or not to return a "No Such User" response.  This is of course very
> dangerous by way of false positives, but if you get a 0.99+ spamicity on
> those four values, it might be worth it.  Anyone who _really_ needs to
> contact you will know that their email didn't go through and will try a
> different method, like a phone call.  I've never tried MTA filtering because
> I never wanted a binary decision process there, but using bogofilter at that
> point would be cool if it could be done.  I know lots of people use Postfix,
> but I use Sendmail.  Is the method of doing this similar in both?
>
> Tom
>
>
> >
> >
> > ----- Original Message -----
> > From: "Peter Bishop" <pgb at adelard.com>
> > To: <bogofilter at bogofilter.org>
> > Sent: Friday, June 11, 2004 2:34 AM
> > Subject: Re: Blank emails
> >
> >
> > > On 10 Jun 2004 at 22:40, Tom Allison wrote:
> > >
> > > > I don't know if you can do multiple regex header checks  in one line
> > > > with postfix, but you could always do the logical NOT regex tests like
> > > > this:
> > > >
> > > > If Subject: does not match "" then OK
> > > > If From: does not match "" then OK
> > > > If To: does not match "undisclosed recipients" then OK
> > > > else REJECT
> > > >
> > > The actual blank email header looks a bit like this:
> > >
> > > Delivered-To: <pgb at adelard.com>
> > > Date: <valid_date>
> > > From: <the_spammer>
> > > Message-Id: <valid_message_id>
> > > Received: <some_random_string>
> > > Bcc:
> > > Status:
> > >
> > > The header is terminated by two returns but there is no body text at
> > > all.
> > > So there is no Subject line, and no proper To line (just a Bcc)
> > >
> > > So I guess the lack of a Subject line might be sufficient to detect
> > > such probes.
> > > "Proper" emails should have a Subject line - even if the sender
> > > forgets to fill it in.
> > >
> > > --
> > > Peter Bishop
> > > pgb at adelard.com
> > > pgb at csr.city.ac.uk
> > >
> > >
> > > _______________________________________________
> > > Bogofilter mailing list
> > > Bogofilter at bogofilter.org
> > > http://www.bogofilter.org/mailman/listinfo/bogofilter
> > >
> >
> >
>
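Added example, in Python, of the end-of-DATA check the thread circles around; it is not code from the original posts or from bogofilter. It flags a message with the probe shape Peter Bishop describes (no Subject header at all, a Bcc-only recipient list, an empty body) and answers with the "550 5.7.1" reply Chris lists, while letting through a real mail whose sender merely left the Subject line empty. The reply is the one the MTA gives in response to the end-of-data "."; the client's following QUIT does not change it. Tom Anderson's caveat is also visible in the third sample: a probe that carries a one-line body is accepted, so this catches only the current shape. All message samples, addresses and hostnames below are constructed.

```python
# Added example (not from the original posts or from bogofilter): a
# header/body check for the "blank e-mail" probe shape, returning the SMTP
# reply, with its RFC 1893 enhanced status code, that an MTA would give at
# end-of-DATA.  All sample messages and addresses are constructed.
from email import message_from_string

# Reply strings: three-digit SMTP code, enhanced status code, human text.
ACCEPT = "250 2.0.0 Ok: queued"
REJECT_POLICY = "550 5.7.1 Delivery not authorized, message refused"


def looks_like_blank_probe(raw: str) -> bool:
    """True when the message has the probe shape from the thread:
    no Subject header at all, no visible To/Cc recipient (only Bcc),
    and an empty body.  An *empty* 'Subject:' line still counts as present,
    since a legitimate sender may simply have forgotten to fill it in."""
    msg = message_from_string(raw)
    has_subject = "Subject" in msg                        # case-insensitive
    has_visible_rcpt = any((msg.get(h) or "").strip() for h in ("To", "Cc"))
    if msg.is_multipart():
        body_empty = False                                # MIME parts => content
    else:
        body_empty = not (msg.get_payload() or "").strip()
    return not has_subject and not has_visible_rcpt and body_empty


def smtp_reply(raw: str) -> str:
    """Reply the MTA sends in response to the end-of-data '.'.
    A QUIT pipelined right behind the '.' does not alter this reply."""
    return REJECT_POLICY if looks_like_blank_probe(raw) else ACCEPT


# Constructed sample 1: the probe shape (no Subject, Bcc only, no body).
BLANK_PROBE = (
    "Delivered-To: <pgb@example.org>\r\n"
    "Date: Fri, 11 Jun 2004 02:34:00 +0100\r\n"
    "From: <spammer@example.invalid>\r\n"
    "Message-Id: <20040611023400.1234@example.invalid>\r\n"
    "Received: from somewhere (unknown [192.0.2.10]) by mx.example.org\r\n"
    "Bcc:\r\n"
    "Status:\r\n"
    "\r\n"
)

# Constructed sample 2: a real mail whose sender forgot the subject text.
NORMAL_EMPTY_SUBJECT = (
    "Date: Fri, 11 Jun 2004 14:02:00 -0400\r\n"
    "From: Tom <tom@example.com>\r\n"
    "To: <list@example.org>\r\n"
    "Subject:\r\n"
    "Message-Id: <20040611140200.5678@example.com>\r\n"
    "\r\n"
    "Anyone tried MTA-level filtering with sendmail?\r\n"
)

# Constructed sample 3: the same probe with a throwaway body line added,
# which is the evasion Tom Anderson predicts; this check does not catch it.
PROBE_WITH_BODY = BLANK_PROBE + "delete this message\r\n"


if __name__ == "__main__":
    samples = (("probe", BLANK_PROBE),
               ("normal", NORMAL_EMPTY_SUBJECT),
               ("probe+body", PROBE_WITH_BODY))
    for name, raw in samples:
        print(f"{name}: {smtp_reply(raw)}")
```

The enhanced status code is carried in the reply text, so a client or log parser sees both the 550 and the 5.7.1 without needing any extension beyond what RFC 1893 defines; a site that prefers not to expose its filtering rule can answer "5.7.0" instead, as the quoted RFC text for X.7.0 allows.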