Slashdot Mirror


Darkmail Attacks - The Next Network Threat?

An anonymous reader wonders: "SC Magazine are running an article on the growth of so called Dark Mail Attacks. Whitedust Security appear to have identified this as a potential problem way back in December 2004. Since that time, a marked increase in attacks of this nature, including the recent attacks on the UK Government infrastructure, have been recorded. Are these types of attack a new large scale threat or just a passing fad?"

2 of 58 comments

  1. Not really new. by Anonymous Coward · · Score: 1, Informative

    This so-called darkmail isn't really new, it's merely a derivative of the age-old mailbomb. Certainly it can easily be defended against by using anti-mailbomb techniques like rate limiting and address limits. Too bad for you if you use Exchange, but the likes of Postfix or GroupWise make this idiot proof. The "problem" can further be mitigated by using RBLs at the SMTP level, before message transfer. That means, connect, check RBL, tell spammer 5.5.4 Piss Off, disconnect.

    Even if your spam filtering has achieved 100% reliability, highly unlikely, why let them consume your bandwidth with stuff you'll throw away? Some people don't like the idea of RBL blocks at the SMTP level, but if you are going to use RBLs at all, why not at the SMTP level?

  2. Defeat "darkmail" through "greytrapping" by Nonesuch · · Score: 3, Informative

    The latest version of pf, spamd, and spamdb offered with OpenBSD 3.7 work well to address the problem of high-volume dictionary attacks, through a combination of bandwidth shaping, tarpitting, greylisting, and spamtrap addresses.

    Basically, you configure spamdb to greylist unknown senders, and provide it with a huge list of "spamtrap" addresses, which are invalid email addresses not actually used in your domain.

    GREYTRAPPING
    Any source which tries to email to a spamtrap address is temporarily blacklisted, just like how SpamCop's SCBL reacts to a message to a spamtrap.

    Recent enhancements to 'pf' provide for rate-limiting connections based on the source IP, in addition to the regular bandwidth shaping features. With minimal effort you can configure an OpenBSD mail gateway or router to ensure that you waste as much of the spammers time as possible, while expending the least amount of your own effort and bandwidth.
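An added example, not code from this comment or from OpenBSD's spamd, that models the greylist-plus-spamtrap decision the comment describes: the 25-minute pass time is spamd's documented default, while the whitelist and trap expiry values, the addresses and the sample traffic are constructed assumptions.

```python
from dataclasses import dataclass, field

PASSTIME = 25 * 60          # spamd's default: a grey tuple may pass after 25 minutes
WHITE_EXPIRE = 36 * 86400   # assumed: keep a host whitelisted for 36 days
TRAP_EXPIRE = 24 * 60 * 60  # assumed: keep a greytrapped host blacklisted for 24 hours


@dataclass
class Greytrapper:
    spamtraps: set                                 # invalid addresses never used in the domain
    grey: dict = field(default_factory=dict)       # (ip, sender, rcpt) -> first seen
    white: dict = field(default_factory=dict)      # ip -> expiry
    trapped: dict = field(default_factory=dict)    # ip -> expiry

    def decide(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        """Decide one RCPT TO: 'blacklist' (tarpit), 'greylist' (tempfail 451) or 'pass'."""
        rcpt, sender = rcpt.lower(), sender.lower()
        if self.trapped.get(ip, 0) > now:
            return "blacklist"
        if rcpt in self.spamtraps:
            # Greytrapping: mailing a spamtrap blacklists the source at once, whitelisted or not
            self.trapped[ip] = now + TRAP_EXPIRE
            self.white.pop(ip, None)
            return "blacklist"
        if self.white.get(ip, 0) > now:
            return "pass"
        key = (ip, sender, rcpt)
        first_seen = self.grey.get(key)
        if first_seen is None:
            self.grey[key] = now              # unknown tuple: tempfail and remember it
            return "greylist"
        if now - first_seen < PASSTIME:
            return "greylist"                 # retried too soon; real MTAs will come back later
        del self.grey[key]                    # patient retry after PASSTIME: whitelist the host
        self.white[ip] = now + WHITE_EXPIRE
        return "pass"


def run_sample() -> list:
    """Constructed traffic: a real MTA retrying patiently, and a dictionary attacker."""
    gt = Greytrapper(spamtraps={"nobody-ever@example.com", "zzz-trap@example.com"})
    legit, attacker = "192.0.2.10", "198.51.100.7"
    return [
        gt.decide(legit, "ann@example.net", "alice@example.com", 0),        # greylist
        gt.decide(legit, "ann@example.net", "alice@example.com", 300),      # greylist (too soon)
        gt.decide(legit, "ann@example.net", "alice@example.com", 1800),     # pass, host whitelisted
        gt.decide(legit, "ann@example.net", "bob@example.com", 1900),       # pass (whitelist)
        gt.decide(attacker, "x@spam.invalid", "aaron@example.com", 100),    # greylist
        gt.decide(attacker, "x@spam.invalid", "zzz-trap@example.com", 101), # blacklist (trapped)
        gt.decide(attacker, "x@spam.invalid", "alice@example.com", 102),    # blacklist
    ]
```

The real spamd also tarpits blacklisted connections one byte at a time, which is the bandwidth-wasting half of the scheme that a decision model cannot show.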