[BlueOnyx:16521] Re: dfix

Ken Marcus kenbxlist at precisionwebhosting.com
Fri Nov 21 22:10:05 -05 2014


Is it possible to have sendmail log actual dictionary attacks differently:
something like
authid=something   password failure

That would be helpful for blocking attacks.

Ken Marcus


On 11/21/2014 6:27 AM, Michael Stauber wrote:
> Hi Steffan,
>
>> service74.mimecast.com [195.130.217.57] did not issue MAIL/EXPN/VRFY/ETRN
>> during connection to MTA
>>
>> dfix is checking for that line so I know why they get blocked.
>> But I don't understand why this is happening.
>> Is this a problem on my end or is the problem with mimecast?
> This happens when someone establishes a connection to Sendmail, but
> doesn't issue any of the usual commands that are related to sending an
> email. They just connect, check the response to see if the service is up
> and running and then disconnect.
>
> Certain dimwits such as mimecast apparently use this before email
> sending as part of a verification process to see if the recipient email
> address is valid. It's not even a proper verification by itself, because
> all they can confirm with this is that the IP/domain runs an MTA. It
> doesn't tell them if that user or alias even exists or if the MTA
> configuration allows them to deliver that email.
>
> So in itself it's a horrible practice with next to no gain. Dfix is
> blocking this, because the same mechanism is also used during probes
> from malicious people.
>
> Personally I've come to disable this rule in Dfix2 on my own boxes, as
> more and more dimwits are picking up on this horrible practice.
>
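The two signals discussed in this thread are not of equal weight: an idle connection that issues none of MAIL/EXPN/VRFY/ETRN is, as Michael notes, generated by legitimate (if pointless) verification probes as well as by hostile scanners, while a run of AUTH failures against many different usernames from one IP is the dictionary attack Ken wants logged separately. The script below is an added example, not part of the thread and not code from dfix or BlueOnyx: it parses a constructed Sendmail log excerpt, skips idle probes from an allowlisted domain, and separates dictionary attackers (many distinct failed usernames from one IP) from repeat probers and from a single user mistyping a password. The "did not issue ..." lines copy the wording quoted above; the shape of the "AUTH failure ... user=..., relay=[...]" lines is an assumption about Sendmail's SASL logging, and the thresholds and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log excerpt for this example. The "did not issue" lines follow
# the wording quoted in the thread; the "AUTH failure" line shape is an assumption.
SAMPLE_LOG = """\
Nov 21 06:01:12 mta sendmail[1201]: sAL601Xa001201: service74.mimecast.com [195.130.217.57] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 06:02:30 mta sendmail[1202]: sAL602Xb001202: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 06:02:31 mta sendmail[1203]: sAL602Xc001203: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 06:02:33 mta sendmail[1204]: sAL602Xd001204: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 06:05:01 mta sendmail[1205]: sAL605Xe001205: AUTH failure (LOGIN): authentication failure (-13), user=admin, relay=[198.51.100.20]
Nov 21 06:05:02 mta sendmail[1206]: sAL605Xf001206: AUTH failure (LOGIN): authentication failure (-13), user=info, relay=[198.51.100.20]
Nov 21 06:05:03 mta sendmail[1207]: sAL605Xg001207: AUTH failure (LOGIN): authentication failure (-13), user=sales, relay=[198.51.100.20]
Nov 21 06:05:04 mta sendmail[1208]: sAL605Xh001208: AUTH failure (LOGIN): authentication failure (-13), user=test, relay=[198.51.100.20]
Nov 21 06:07:10 mta sendmail[1209]: sAL607Xi001209: AUTH failure (LOGIN): authentication failure (-13), user=ken, relay=[192.0.2.9]
Nov 21 06:07:15 mta sendmail[1210]: sAL607Xj001210: AUTH failure (LOGIN): authentication failure (-13), user=ken, relay=[192.0.2.9]
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Optional reverse name before the bracketed address, then the idle-probe message from the thread.
IDLE_RE = re.compile(r"(?:([A-Za-z0-9.-]+) )?\[" + IPV4 + r"\] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA")
# Assumed shape of a SASL failure line: the attempted username and the relay address.
AUTH_RE = re.compile(r"AUTH failure .*?user=([^,\s]+), relay=(?:[A-Za-z0-9.-]+ )?\[" + IPV4 + r"\]")


def parse_line(line):
    """Classify one log line as ("idle", ip, reverse_name) or ("auth", ip, username); None if neither."""
    m = IDLE_RE.search(line)
    if m:
        return ("idle", m.group(2), m.group(1) or "")
    m = AUTH_RE.search(line)
    if m:
        return ("auth", m.group(2), m.group(1))
    return None


def summarize(log_text, allowlist=()):
    """Count idle probes per IP and collect the set of usernames that failed AUTH per IP.

    Idle probes whose reverse name is, or ends with, an allowlisted domain are skipped,
    which is the per-sender alternative to disabling the rule outright.
    """
    idle = defaultdict(int)
    failed_users = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, ip, detail = parsed
        if kind == "idle":
            if any(detail == d or detail.endswith("." + d) for d in allowlist):
                continue
            idle[ip] += 1
        else:
            failed_users[ip].add(detail)
    return idle, failed_users


def classify(idle, failed_users, idle_threshold=3, dict_threshold=3):
    """Split IPs into dictionary attackers, repeat idle probers, and low-volume AUTH failures.

    A dictionary attack is recognised by the number of *distinct* usernames tried, not by
    raw failure count, so one user retrying a wrong password is reported separately.
    """
    dictionary = sorted(ip for ip, users in failed_users.items() if len(users) >= dict_threshold)
    probers = sorted(ip for ip, n in idle.items() if n >= idle_threshold)
    single = sorted(ip for ip, users in failed_users.items() if len(users) < dict_threshold)
    return dictionary, probers, single


if __name__ == "__main__":
    idle, failed = summarize(SAMPLE_LOG, allowlist=("mimecast.com",))
    dictionary, probers, single = classify(idle, failed)
    print("dictionary attack (block):", dictionary)
    print("repeat idle probers (review):", probers)
    print("isolated AUTH failures (ignore):", single)
```

Run as-is to see the three buckets for the constructed excerpt; in practice the input would be the tail of the Sendmail log and the dictionary-attack bucket is the one that justifies an automatic block, while repeat idle probers deserve the same scepticism Michael applies to the rule.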



