IBM AH0QXML User Guide - Page 74

Protecting your Domino server from active address harvesting attacks


4.5 Protecting your Domino server from active address harvesting attacks

In this section we introduce some of the active address harvesting attack types that spammers use to obtain e-mail addresses, and we give recommendations and instructions on how you can protect your Domino 6 server from these attacks.

4.5.1 SMTP harvesting attacks

The most insidious types of attacks can occur when spammers attempt to use your SMTP mail server's directory against you. Spammers may use a "name" dictionary to send random name combinations as recipients of SMTP mail to your mail server. They then harvest the responses to these "dictionary" mailings to build a list of valid e-mail addresses that can be sold or targeted for more spam in the future.

For example, in its default setting, the Domino SMTP task attempts to return undeliverable mail to the sender with a delivery failure message. When Domino operates in this mode, the spammer can use the returned information to "cleanse" their dictionary of bad addresses by tracking subject, sender, and recipient information. Addresses for which the spammer receives non-delivery reports can be removed from their spamming list; all other addresses are kept as valid spam targets. This is called an SMTP harvesting attack.

4.5.2 Spam mail bombing

In many cases the spammer is merely hoping that their e-mail address dictionary will happen to contain some valid addresses. In this case the spammer does not usually provide valid return delivery information. This type of attack is known as spam mail bombing. It represents a Denial of Service (DoS) attack because it keeps your Domino SMTP server busy handling invalid e-mail addresses. This type of DoS attack consumes CPU and disk space as well, since invalid e-mail that Domino cannot return is marked as DEAD mail and accumulates in the mail.box file.

4.5.3 Direct SMTP RCPT TO harvesting

Another variation of a harvesting attack occurs when a connecting e-mail sender tests the response of the SMTP server to the "RCPT TO" command. Spammers can use this automated technique to test thousands of addresses very quickly without sending any e-mail. Spammers test the SMTP server's response to the RCPT TO command, and when the response is "positive" for a good address, the

62 Lotus Domino 6 spam Survival Guide for IBM eServer
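The RCPT TO harvesting described in 4.5.3 leaves a distinctive trace on the receiving server: one client collecting many "unknown recipient" replies in a short time. The following detector is an added example, not code from the Redbook or from Domino; it assumes a constructed, generic per-command SMTP log format (timestamp, client IP, command, reply code) rather than Domino's own log layout, and flags any client whose 5xx RCPT TO replies exceed a threshold within a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed generic format, not Domino's own):
# "<date> <time> <client-ip> RCPT TO:<recipient> <smtp-reply-code>"
SAMPLE_LOG = """\
2003-05-01 10:00:01 192.0.2.10 RCPT TO:<alice@example.com> 250
2003-05-01 10:00:03 192.0.2.10 RCPT TO:<bobb@example.com> 550
2003-05-01 10:00:04 192.0.2.10 RCPT TO:<bob@example.com> 250
2003-05-01 10:00:05 198.51.100.7 RCPT TO:<aaron@example.com> 550
2003-05-01 10:00:05 198.51.100.7 RCPT TO:<abby@example.com> 550
2003-05-01 10:00:06 198.51.100.7 RCPT TO:<adam@example.com> 550
2003-05-01 10:00:06 198.51.100.7 RCPT TO:<alan@example.com> 250
2003-05-01 10:00:07 198.51.100.7 RCPT TO:<alex@example.com> 550
2003-05-01 10:00:07 198.51.100.7 RCPT TO:<amy@example.com> 550
2003-05-01 10:00:08 198.51.100.7 RCPT TO:<andy@example.com> 550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"RCPT TO:<(?P<rcpt>[^>]*)> (?P<code>\d{3})$")


def parse_rcpt_lines(text):
    """Yield (timestamp, client_ip, recipient, reply_code) per RCPT TO line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["rcpt"], int(m["code"]))


def find_harvesters(text, max_unknown=5, window_seconds=60):
    """Flag clients with more than max_unknown 5xx RCPT TO replies inside any
    window_seconds interval. Returns {ip: (count_in_window, window_start)}."""
    recent = defaultdict(deque)   # ip -> timestamps of 5xx replies in window
    flagged = {}
    for ts, ip, _rcpt, code in parse_rcpt_lines(text):
        if code < 500:
            continue              # accepted recipient: not a failed probe
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]) > timedelta(seconds=window_seconds):
            q.popleft()           # discard probes outside the sliding window
        if len(q) > max_unknown and ip not in flagged:
            flagged[ip] = (len(q), q[0])
    return flagged
```

A flagged client is a candidate for throttling or temporary denial of further connections; a legitimate relay mistyping one address will not cross the threshold.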

