Hi, I was not really aware of probes before I noticed a few sites that probe the sender before accepting mail. This led me to the idea of verifying myself, in a different context: people place orders on a webbsite, and leave an emailaddress for order confirmation and shipping details I had implemented a domain check since a long time (some people just write @hotmail and hope that an operator completes it for them) but still get about half a dozen failed addresses - often the spelling error is obvious.
As for lots of probes: I have implemented non-linear tarpitting which seems to do a good job Wolfgang Hamann >> >> >> Nigel Frankcom wrote: >> > On Thu, 05 Oct 2006 12:32:07 +0200, [EMAIL PROTECTED] wrote: >> > >> >> back a few years, some mail servers (e.g. qmail) disabled the verify >> >> command >> >> to avoid address probing - and as a consequence would send bounces. >> >> Nowadays, the majority of mail servers (apart from aol :) rejects unknown >> >> users with a 5xx response to RCPT TO and thereby re-enables verification. >> >> Apart from tarpitting too many recipients, what is common practice for >> >> a server that detects verification attempts (i.e. successful rcpt followed >> >> by quit) .... ignore, blacklist, other? >> >> Block the IP for a while. OSSEC HIDS, http://ossec.net/ or something >> similar can block the IP using iptables or hosts.deny. It will >> automatically un-block after a configurable time period. Useful for >> web/smtp/ftp/etc.. attacks also. >> >> Ken A. >> Pacific.Net >> >> >> >> >> >> Wolfgang Hamann >> > >> > >> > I can't speak for others, but our server policy is to allow (n) >> > probes; should they all prove to be bad addresses the IP is banned for >> > 24 hours. The probes don't all have to come at once, just from the >> > same IP within any 24 hour period. This system works very well for >> > dictionary attacks as well. >> > >> > Nigel >> > >>
