SPAM - Stopping Rumpelstiltskin Attacks?

WaldoJ asks: "I often see spammers connecting to my mail servers and attempting to send mail to a series of common first names, usually a dozen or two at a time. A few get through, but most don't, and it's up to me to skim through my logs and manually block their IPs, since they'll inevitably return later on if I don't. Has anybody written a program to halt Rumpelstiltskin attacks after X failed addresses? Or, better yet, one that also automatically adds their IP to Sendmail's access database to block them from returning?"

  • If a spammer would ever try this on a virtual domain, it would be a mess.

    a@whatever.com -- accepted
    b@whatever.com -- accepted
    c@whatever.com -- accepted
    ...
    zzzzz@whatever.com -- accepted

    All of that mail would pile up in one mailbox, and then all those addresses would be sold to spammers as valid!

  • by Anonymous Coward
    waldoj already addressed someone else that was confused on this point:

    Well, I'll say it explicitly now: this is mail to local users. You're right, it would be stupid of me to permit relaying so, of course, I don't allow it.

    The issue is not having an open relay. Someone is sending mail to his site, and is guessing at valid addresses at his site. For example, someone might start sending mail to jim@tempestuous.net, mary@tempestuous.net, dorzak@tempestuous.net, bart@tempestuous.net to discover that dorzak has a mail account.

    Last I heard, MAP [sic] doesn't sue, MAPS wants to be sued [mail-abuse.org]

  • by Anonymous Coward
    There was once upon a time a poor miller who had a very beautiful daughter. Now it happened one day that he had an audience with the King, and in order to appear a person of some importance he told him that he had a daughter who could spin straw into gold. "Now that's a talent worth having," said the King to the miller; "if your daughter is as clever as you say, bring her to my palace tomorrow, and I'll put her to the test." When the girl was brought to him he led her into a room full of straw, gave her a spinning-wheel and spindle, and said: "Now set to work and spin all night till early dawn, and if by that time you haven't spun the straw into gold you shall die." Then he closed the door behind him and left her alone inside.

    So the poor miller's daughter sat down, and didn't know what in the world she was to do. She hadn't the least idea of how to spin straw into gold, and became at last so miserable that she began to cry. Suddenly the door opened, and in stepped a tiny little man and said: "Good-evening, Miss Miller-maid; why are you crying so bitterly?"

    "Oh!" answered the girl, "I have to spin straw into gold, and haven't a notion how it's done."

    "What will you give me if I spin it for you?" asked the manikin.

    "My necklace," replied the girl.

    The little man took the necklace, sat himself down at the wheel, and whir, whir, whir, the wheel went round three times, and the bobbin was full. Then he put on another, and whir, whir, whir, the wheel went round three times, and the second too was full; and so it went on till the morning, when all the straw was spun away, and all the bobbins were full of gold.

    As soon as the sun rose the King came, and when he perceived the gold he was astonished and delighted, but his heart only lusted more than ever after the precious metal. He had the miller's daughter put into another room full of straw, much bigger than the first, and bade her, if she valued her life, spin it all into gold before the following morning.

    The girl didn't know what to do, and began to cry; then the door opened as before, and the tiny little man appeared and said: "What'll you give me if I spin the straw into gold for you?"

    "The ring from my finger," answered the girl.

    The manikin took the ring, and whir! round went the spinning-wheel again, and when morning broke he had spun all the straw into glittering gold.

    The King was pleased beyond measure at the sight, but his greed for gold was still not satisfied, and he had the miller's daughter brought into a yet bigger room full of straw, and said: "You must spin all this away in the night; but if you succeed this time you shall become my wife."

    "She's only a miller's daughter, it's true," he thought; "but I couldn't find a richer wife if I were to search the whole world over."

    When the girl was alone the little man appeared for the third time, and said: "What'll you give me if I spin the straw for you once again?"

    "I've nothing more to give," answered the girl.

    "Then promise me when you are Queen to give me your first child."

    "Who knows what may not happen before that?" thought the miller's daughter; and besides, she saw no other way out of it, so she promised the manikin what he demanded, and he set to work once more and spun the straw into gold.

    When the King came in the morning, and found everything as he had desired, he straightway made her his wife, and the miller's daughter became a queen.

    When a year had passed a beautiful son was born to her, and she thought no more of the little man, till all of a sudden one day he stepped into her room and said: "Now give me what you promised."

    The Queen was in a great state, and offered the little man all the riches in her kingdom if he would only leave her the child. But the manikin said: "No, a living creature is dearer to me than all the treasures in the world." Then the Queen began to cry and sob so bitterly that the little man was sorry for her, and said: "I'll give you three days to guess my name, and if you find it out in that time you may keep your child."

    Then the Queen pondered the whole night over all the names she had ever heard, and sent a messenger to scour the land, and to pick up far and near any names he could come across. When the little man arrived on the following day she began with Kasper, Melchior, Belshazzar, and all the other names she knew, in a string, but at each one the manikin called out: "That's not my name."

    The next day she sent to inquire the names of all the people in the neighborhood, and had a long list of the most uncommon and extraordinary for the little man when he made his appearance. "Is your name, perhaps, Sheepshanks, Cruickshanks, Spindleshanks?" but he always replied: "That's not my name."

    On the third day the messenger returned and announced: "I have not been able to find any new names, but as I came upon a high hill round the corner of the wood, where the foxes and hares bid each other good-night, I saw a little house, and in front of the house burned a fire, and round the fire sprang the most grotesque little man, hopping on one leg and crying:

    "To-morrow I brew, to-day I bake, And then the child away I'll take; For little deems my royal dame That Rumpelstiltzkin is my name!"

    You can imagine the Queen's delight at hearing the name, and when the little man stepped in shortly afterward and asked: "Now, my lady Queen, what's my name?" she asked first: "Is your name Conrad?" "No." "Is your name Harry?" "No." "Is your name perhaps, Rumpelstiltzkin?"

    "Some demon has told you that! some demon has told you that!" screamed the little man, and in his rage drove his right foot so far into the ground that it sank in up to his waist; then in a passion he seized the left foot with both hands and tore himself in two.

    By The Brothers Grimm

  • by shagster ( 2319 ) on Thursday April 19, 2001 @04:51AM (#280468) Homepage
    The best way I found to stop this is to always have two mail servers. One that users use that only allows SMTP AUTH to send mail and one for relaying to that server. Yes, you have two servers, but the front one only stores and forwards. You can then add a bit more checking (virus scanning, type checking, spam check) without affecting your users' server. Usually I sync up the user database on the backend server to virtusers on the front end and reject anything that isn't in virtusers. The front machine may get beat on a bit, but at least the mail that is getting through to the users is valid emails.
    Then just write a script that monitors the sendmail logs for many rejects and adds that IP address to your access file, blocking it of course.
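
A sketch of the log-watching script suggested in the comment above, as an added example that is not part of the original thread or any poster's code. It assumes sendmail logs each rejected recipient as "User unknown" under a queue ID and that the `from=` line for the same queue ID carries the relay IP; the log lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines modeled on sendmail's syslog output (assumption:
# rejected recipients log "User unknown" under a queue ID, and the "from="
# line for the same queue ID carries relay=host [ip]).
SAMPLE_LOG = """\
Apr 19 04:51:01 mail sendmail[411]: f3J8p1a00411: <david@example.com>... User unknown
Apr 19 04:51:01 mail sendmail[411]: f3J8p1a00411: <dan@example.com>... User unknown
Apr 19 04:51:02 mail sendmail[411]: f3J8p1a00411: <mike@example.com>... User unknown
Apr 19 04:51:02 mail sendmail[411]: f3J8p1a00411: <bill@example.com>... User unknown
Apr 19 04:51:03 mail sendmail[411]: f3J8p1a00411: from=<x@bulk.invalid>, size=0, nrcpts=0, proto=SMTP, relay=[192.0.2.10]
Apr 19 05:02:10 mail sendmail[502]: f3J92Ab00502: <jon@example.com>... User unknown
Apr 19 05:02:11 mail sendmail[502]: f3J92Ab00502: from=<friend@isp.invalid>, size=912, nrcpts=1, proto=ESMTP, relay=mx.isp.invalid [198.51.100.7]
"""

UNKNOWN = re.compile(r"sendmail\[\d+\]: (\w+): <[^>]*>\.\.\. User unknown")
RELAY = re.compile(r"sendmail\[\d+\]: (\w+): from=.*relay=(?:\S+ )?\[([0-9.]+)\]")

def find_guessers(log_text, threshold=3):
    """Return {ip: rejected-recipient count} for IPs at or over threshold."""
    rejects_by_qid = defaultdict(int)
    ip_by_qid = {}
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m:
            rejects_by_qid[m.group(1)] += 1
            continue
        m = RELAY.search(line)
        if m:
            ip_by_qid[m.group(1)] = m.group(2)
    per_ip = defaultdict(int)
    for qid, count in rejects_by_qid.items():
        if qid in ip_by_qid:            # skip sessions with no relay line yet
            per_ip[ip_by_qid[qid]] += count
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

def access_entries(offenders, allowlist=()):
    """Format lines for sendmail's access file, never listing allowlisted IPs."""
    return [f"{ip}\tREJECT" for ip in sorted(offenders) if ip not in allowlist]

if __name__ == "__main__":
    # Append these to /etc/mail/access, then rebuild the map with makemap.
    print("\n".join(access_entries(find_guessers(SAMPLE_LOG))))
```

The threshold keeps a single mistyped address from a legitimate sender (the second session in the sample) from triggering a block, and the allowlist is there so trusted relays are never written to the access file.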
  • mail to a series of common first names, usually a dozen or two...

    This implies to me that they are delivering to local users, since someone wouldn't be trying to run usernames on a relay server, they would just be dumping mail, and the methods for blocking relays have been, and still are, very readily available. Not once does he mention 'relaying' despite the fact that he knows what he's talking about in his last few sentences.

  • That's a wonderful idea. It's somewhat counter-intuitive, but quite helpful. I'll run a quick filter on my logs and figure out what the most common first name being tried is. Then I'll set up procmail to block the user.

    Not the ideal solution, but an excellent one none the less.

    -Waldo
  • by waldoj ( 8229 ) <waldo@@@jaquith...org> on Thursday April 19, 2001 @08:18AM (#280471) Homepage Journal
    Well, I'll say it explicitly now: this is mail to local users. You're right, it would be stupid of me to permit relaying so, of course, I don't allow it. If my server is example.com, I would see attempts to send mail that look like this:

    david@example.com
    dan@example.com
    mike@example.com
    bill@example.com

    And so on. It really bugs me.

    Waldo
  • You could just upgrade to a modern MTA, such as Postfix, which will tarpit the remote end by default. There's very little reason to use something like sendmail these days.
  • Hmm... how about this:

    Pick a common name that is NOT a valid user on your system (perhaps Aaron, since that may be one of the first they try). Set up a filter that blocks the sender of any mail to that name.

  • Wow, finally my .sig is actually on-topic!!!


    --
  • Well... they allow outside connections so your users can receive mail. They aren't talking about someone relaying off your server, we're talking about someone simply trying every common username AT your server, to try to deliver mail to your users.
  • Of course, that wouldn't work, because your firstborn child is already given away as part of the Microsoft EULA.
  • by jfunk ( 33224 )
    Just use the RBL.

    I had this kind of attack done to me and I set up RBL in Sendmail (in SuSE, simply uncomment a few lines in /etc/mail/linux.mc and regenerate your sendmail.cf).

    Haven't had a problem since, and not one spam has gotten through since.

    Somewhat related: My RoadRunner account gets very little spam, maybe 2 or 3 a week, despite my publishing the address everywhere. The account for my local ISP (yes, I have RoadRunner in a different city. They let me host websites) gets a lot more spam, like 10 a week, despite my never having given it out ever. I just use it for getting service messages.

    It seems that RoadRunner has some decent methods for preventing spam, but I don't know what they are. I wish every ISP used the RBL...
  • Maybe my parents didn't read aloud enough Grimm tales when I was a kid, so I didn't know what it was, but dictionary.com [dictionary.com] says:

    Rumpelstiltskin n : a dwarf in one of the fairy stories of the brothers Grimm; tells a woman he will not hold her to a promise if she can guess his name and when she discovers it he is so furious that he destroys himself
  • by toast0 ( 63707 ) <slashdotinducedspam@enslaves.us> on Thursday April 19, 2001 @04:43AM (#280479)
    by using the MAPS Dial-up User List [mail-abuse.org]

    assuming the spammers are using dialup this would force them to use a relay server (that is not listed as a dial up ip) to get mail to you, which most legitimate users mailing you would already be doing.

    of course if they use an open relay you're back to square one, but this is a decent first step.

  • Postfix sleeps for 5 seconds (by default) before returning an SMTP error, which makes this kind of spam attack unprofitably slow. I assume other SMTP servers have this option...
  • by crovax ( 98121 ) on Thursday April 19, 2001 @04:32AM (#280481)
  • If you're an ISP it could make sense to create decoy email accounts and get them onto spammer mail lists.

    Any email that goes to decoy accounts can be deleted (not blocked) before it reaches ISP customers who subscribe to that service.

    Basically you don't block, you just set things up so that all similar mail is deleted for the next X hours.

    It is more costly for spammers to create more unique spam. Can't just Bcc hundreds at a go.

    Cheerio,
    Link.
  • I assume they call it a Rumpelstiltskin attack because the spammers are playing a name guessing game. Of course, if it were true to the story, they'd only get three chances to guess, and if they didn't guess right, you'd get their firstborn child.
  • Ah. He hadn't explicitly said they were trying to mail to his users on his server in his post; I'd assumed he meant they were trying dictionary/name attacks on, say, a large mail service like @hotmail.com, @aol.com or @yahoo.com-- where something like that would be moderately effective, seeing as how they have several thousand users -- and they were using his SMTP server as a relay.

    ...I am the Raxis.
