ReW: Spam and NDR





"John" <john@> wrote in message news:ukBrqFMHGHA.3036@xxxxxxxxxxxxxxxxxxxxxxx
> Rich Matheisen raises so many good points. Somehow I suspect that you either
> have never heard of a dictionary harvest attack or never seen one.

Maybe not to the extent others have, but I get e-mails on a daily basis that
have 10 or 20 non-existent e-mail accounts (in alphabetical order). I would
imagine over the course of a six-month period all of these e-mails would equate
to a *very small* dictionary attack. I always suspected that because I have my
DRs and NDRs turned off, the spammers couldn't find a 'live' account, so they
just keep trying to get lucky and find one. But I guess I was wrong, from what
everyone is telling me.

And Yes, Rich seems to be a well educated and intelligent man with many good
points.

[snip]

>
> I also work for a small company (25 email users). I receive approximately
> 4000 to 7000 craps every weekend (directory harvest style email) which never
> hit my mail server because my firewall rejects non-existent email addresses.
> It's very easy to manage when you only have 25 users.
>
> Let's see if you can say the same thing when someone directory harvests your
> mail server. Have fun sorting a pile of crap :-)
>

Wow, that's way too much. Over a weekend, I'll come back and see *maybe* 150
spam in my inbox. And *maybe* 10 of those were addressed to me (I'm sure that
is because people, or bots, scan these NGs for addresses). I didn't realize it
when I first subscribed, but I left my e-mail exposed to bot scans in these NGs.
Nothing can protect it from a person who can actually figure out they need to
remove I.DONT.WANT.YOUR.SPAM from
RobertW@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, but from what I understand,
the bots can't figure that out.

You've got bigger problems than just spam hitting you, someone wants in your
system. Or someone in your network has got to be visiting a site that should be
restricted, or you've got spyware on your network. You need to button down that
network, subscribe to a few BLs here and there, do something besides just sit
and watch that stuff bounce off your firewall, because one of them is going to
get through, and when it does you're gonna be hurtin'.

I must have my Exchange settings set up in a way that prevents me from getting
hit by major attacks, or maybe I've just been *really, really* lucky that it
hasn't happened yet. Or maybe it is a combination of my Exchange settings and
the RBLs, OrFilter (from http://www.martijnjongen.com ), my Linksys Firewall
Router, Symantec Corporate AV, Anti-spyware (MS and Spybot S&D), and the fact
that I keep every computer on my network up to date on a weekly basis. I make
sure that my BadMail folder gets emptied daily. I do an Exchange backup monthly
and remove all "committed" logs.

Since you appear to be more experienced at this than I am, I'm sure you wouldn't
like to hear about the software or settings I have. But, if you are interested,
I *might* think about sharing.

> >
> > Still don't think so, not for a small company. There is always a point where
> > good outweighs bad, and vice versa. That decision is up to each individual. I
> > just believe that everyone should hear facts from both sides and make that
> > decision themselves, not have the decision made for them. All I was doing
> > here was presenting a scenario for others to look at.
> >
>
>
> Unfortunately there's no good point in your scenario, sorry, but I agree
> with you... it is all up to you. If you're comfortable with it, keep up the
> 'good' work :-)
>

Actually sounds like you're having more problems than I am. Maybe you should
keep up the 'good' work ;-)

Good Luck

RW
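A defender-side check for the pattern RW describes above (a run of rejected, non-existent recipients from one source, in alphabetical order), written here as an added example and not code from anyone in this thread; the gateway log format, the addresses, the IPs and the threshold are constructed assumptions.

```python
"""Flag likely directory-harvest sources in constructed SMTP gateway logs.

A source is flagged when it is rejected for at least `threshold` unknown
recipients inside one time window; the alphabetical probing pattern from
the thread is reported alongside the count.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed (constructed) log format: "<ISO time> <ip> RCPT <addr> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) RCPT <([^>]+)> (ACCEPT|REJECT_UNKNOWN_USER)$")

# Constructed sample: one alphabetical probe run plus one legitimate sender
# that made a single typo in a recipient address.
SAMPLE_LOG = """\
2006-01-14T02:00:01 203.0.113.5 RCPT <aaron@example.com> REJECT_UNKNOWN_USER
2006-01-14T02:00:02 203.0.113.5 RCPT <abby@example.com> REJECT_UNKNOWN_USER
2006-01-14T02:00:03 203.0.113.5 RCPT <adam@example.com> REJECT_UNKNOWN_USER
2006-01-14T02:00:04 203.0.113.5 RCPT <alan@example.com> REJECT_UNKNOWN_USER
2006-01-14T02:00:05 203.0.113.5 RCPT <alex@example.com> REJECT_UNKNOWN_USER
2006-01-14T02:00:06 203.0.113.5 RCPT <amy@example.com> REJECT_UNKNOWN_USER
2006-01-14T02:01:00 198.51.100.7 RCPT <robert@example.com> ACCEPT
2006-01-14T02:01:30 198.51.100.7 RCPT <robet@example.com> REJECT_UNKNOWN_USER
"""


def parse(log_text):
    """Yield (timestamp, ip, recipient, status) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines outside the assumed format are ignored
            ts, ip, addr, status = m.groups()
            yield datetime.fromisoformat(ts), ip, addr.lower(), status


def find_harvesters(log_text, threshold=5, window_seconds=600):
    """Return {ip: {"unknown": n, "alphabetical": bool}} for flagged sources."""
    rejects_by_ip = defaultdict(list)
    for ts, ip, addr, status in parse(log_text):
        if status == "REJECT_UNKNOWN_USER":
            rejects_by_ip[ip].append((ts, addr))
    flagged = {}
    for ip, rejects in rejects_by_ip.items():
        rejects.sort()  # chronological order
        best, start = 0, 0
        for end in range(len(rejects)):  # sliding window over timestamps
            while (rejects[end][0] - rejects[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            addrs = [addr for _, addr in rejects]
            flagged[ip] = {"unknown": best, "alphabetical": addrs == sorted(addrs)}
    return flagged
```

Rejecting unknown recipients at the perimeter, as the other poster does, is what makes these log lines available in the first place; the same counter can feed a temporary block of the flagged source.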





