[9906] in bugtraq
sendmail 8.9.3 patches to curb RCPT harvesters
daemon@ATHENA.MIT.EDU (Peter W)
Fri Mar 12 19:28:35 1999
Date: Thu, 11 Mar 1999 19:31:21 -0500
Reply-To: Peter W <peterw@CLARK.NET>
From: Peter W <peterw@CLARK.NET>
To: BUGTRAQ@NETSPACE.ORG
Aleph One wrote:
> I am killing the spam address harvesting thread unless someone posts some
> actual code.
Per Joseph's suggestion, use these patches against sendmail 8.9.3 and add
O RCPTFailDelay=30
to sendmail.cf to make sendmail sleep() for 30 seconds before reporting any
"550" errors. Set the value to 0 for "normal" behavior.
Note that RFC 1123 suggests RCPT responses be returned in less than 5 minutes
(if they're verified immediately -- 1123 allows verification of RCPT to be
deferred and notes that a "250" response does not guarantee the address is
legit). Eric Allman argues in doc/op/op.ps that sending SMTP agents ought to
wait an hour. Choose wisely.
This quick modification should at least frustrate current** RCPT abuse tools,
give admins more time to notice the failures in the maillog and react, and not
confuse mailers that legitimately send multiple RCPT commands to known
addresses.
-Peter
** Eventually I think sys admins would want to defer all RCPT verifications
until after the DATA transmission, erroring with 554 if there is a single
invalid RCPT address, to make SMTP username-harvesting visible. SMTP senders
would need to be sure they heeded RFC 1123 section 5.2.7 regarding the meaning
of a 250 response to RCPT.
--
Q: How could China track down and punish dissidents more effectively?
A: The new Pentium III chip! http://www.privacy.org/bigbrotherinside/
Intel doesn't care about your privacy. Join the boycott today.
$ diff -C 2 sendmail.h.orig sendmail.h
*** sendmail.h.orig Thu Mar 11 07:57:42 1999
--- sendmail.h Thu Mar 11 08:06:51 1999
***************
*** 1293,1296 ****
--- 1293,1298 ----
EXTERN int MaxMimeHeaderLength; /* maximum MIME header length */
EXTERN int MaxMimeFieldLength; /* maximum MIME field length */
+ EXTERN int RCPTFailDelay;
+ /* delay before report user does not exist to inbound SMTP commands */
extern int errno;
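Review bot: the new declaration's comment is split onto its own line and reads "delay before report user does not exist", unlike the inline `/* ... */` comments on MaxMimeHeaderLength and MaxMimeFieldLength directly above it, and it does not say what unit the value is in. Suggest `EXTERN int RCPTFailDelay; /* seconds to sleep before reporting a 550 */` so the unit (seconds, as the value is handed to sleep()) is documented where the variable is declared.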
$ diff -C 2 readcf.c.orig readcf.c
*** readcf.c.orig Thu Mar 11 07:57:52 1999
--- readcf.c Thu Mar 11 08:15:29 1999
***************
*** 1532,1535 ****
--- 1532,1537 ----
{ "MaxHeadersLength", O_MAXHDRSLEN, FALSE },
#endif
+ #define O_RCPTFAILDELAY 0xab
+ { "RCPTFailDelay", O_RCPTFAILDELAY, FALSE },
{ NULL, '\0', FALSE }
};
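Review bot: `#define O_RCPTFAILDELAY 0xab` is placed inside the option table initializer rather than alongside the other O_* option codes, so anyone scanning the option-code definitions will not see it and a later option could be given the same value. Move the define next to the existing O_* constants and confirm that 0xab is not already used by another entry in the table.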
***************
*** 2211,2214 ****
--- 2213,2220 ----
case O_MAXCHILDREN: /* max # of children of daemon */
MaxChildren = atoi(val);
+ break;
+
+ case O_RCPTFAILDELAY: /* delay before reporting user does not exist */
+ RCPTFailDelay = atoi(val);
break;
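Review bot: `RCPTFailDelay = atoi(val);` accepts any value, including negative numbers and non-numeric strings (atoi returns 0 for the latter, silently disabling the delay); since the value is later passed to sleep(), whose argument is unsigned, a negative setting becomes an enormous sleep. Suggest clamping after the assignment, e.g. `if (RCPTFailDelay < 0) RCPTFailDelay = 0;`, or rejecting the option with a syntax error.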
$ diff -C 2 err.c.orig err.c
*** err.c.orig Thu Mar 11 08:05:41 1999
--- err.c Thu Mar 11 08:12:58 1999
***************
*** 526,529 ****
--- 526,532 ----
eb += 4;
spaceleft -= 4;
+
+ if ((num != NULL) && (strncmp(num, "550", 3) == 0) )
+ sleep(RCPTFailDelay);
/* output the file name and line number */
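Review bot: the check sits in the generic message formatter (the code that follows outputs the file name and line number for any message), so every message whose code starts with "550" is delayed, not only RCPT rejections in an inbound SMTP session, which matches the post's "any 550 errors" wording but also stalls 550 errors reported outside SMTP. The call is also made unconditionally when RCPTFailDelay is 0. Suggest `if (RCPTFailDelay > 0 && num != NULL && strncmp(num, "550", 3) == 0)` so the default configuration never reaches sleep(), and consider additionally guarding on the SMTP-server state so only inbound sessions are delayed.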
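The two receiver policies the post describes, sleeping before each 550 (the patch) and the footnote's defer-verification-until-DATA with a 554, as an added Python simulation that is not part of Peter's patch or of sendmail; the probe session, the mailbox set and the injectable sleep hook are constructed for the demonstration.

```python
import time
from typing import Callable, List

# Constructed probe session (sample input, not from the post): one real mailbox
# (alice), two guesses, then a DATA phase, the shape an RCPT-harvesting client produces.
PROBE = ["MAIL FROM:<x@probe.example>", "RCPT TO:<alice@example.org>",
         "RCPT TO:<bob@example.org>", "RCPT TO:<carol@example.org>",
         "DATA", "Subject: hi", ".", "QUIT"]
VALID_USERS = {"alice"}


def smtp_receiver(commands: List[str], valid_users, rcpt_fail_delay: int = 30,
                  defer_verify: bool = False,
                  sleep: Callable[[int], None] = time.sleep) -> List[str]:
    """Replies for one SMTP transaction. Immediate mode verifies each RCPT and,
    like the patch, sleeps rcpt_fail_delay seconds before every 550 (0 = no delay).
    Deferred mode answers 250 to every RCPT (RFC 1123 5.2.7 permits this) and
    rejects the whole message with 554 after DATA if any recipient was unknown."""
    replies, pending, in_data = [], [], False
    for line in commands:
        if in_data:                       # body lines until the lone "."
            if line != ".":
                continue
            in_data = False
            bad = [u for u in pending if u not in valid_users]
            replies.append("554 Transaction failed" if bad else "250 Accepted")
            pending = []
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "RCPT":
            user = line.split(":", 1)[1].strip("<> ").split("@")[0]
            if defer_verify or user in valid_users:
                pending.append(user)      # deferred mode: accepted, not verified
                replies.append("250 Recipient ok")
            else:
                if rcpt_fail_delay > 0:
                    sleep(rcpt_fail_delay)   # RCPTFailDelay behaviour
                replies.append("550 User unknown")
        elif verb == "DATA":
            in_data = True
            replies.append('354 Enter mail, end with "."')
        else:
            replies.append("221 Bye" if verb == "QUIT" else "250 OK")
    return replies

def run(commands, valid_users, delay, defer):
    """Replies plus total seconds that would have been slept (sleep is recorded, not performed)."""
    slept: List[int] = []
    return smtp_receiver(commands, valid_users, delay, defer, slept.append), sum(slept)
```

In immediate mode the probe learns which two names are unknown and pays 60 seconds for it; in deferred mode it sees three identical 250 replies and only a 554 after DATA, so the maillog, not the SMTP dialogue, reveals which address was bad.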