Can I slow SMTP responses to bad commands?
I would like to be able to slow the responses from SMTP to bad commands. For instance, someone appears to be attempting to harvest addresses from my server by brute force and trying lots of combinations of names until they get the correct one.
The harvesting program typically creates multiple sessions to your server and attempts to send a message to lots of email addresses by sequencing through the alphabet. For example, the program may try "email@example.com", "firstname.lastname@example.org", "email@example.com", etc. When a successful response is returned by the server, the harvesting program notes the address and adds it to the list of known addresses to send spam to.
Stopping this activity completely will prevent all email from entering your system! However, there are some things you can do to significantly reduce the effects of the harvesting program:
- Under GMS Anti-Spam > AI Check > Receiver set limits on the RCPT clause. The messaging server will automatically identify systems that are issuing an unexpectedly high number of connections to your server and fail them immediately. This will stop the harvesting program immediately.
- In GMS Mail and/or GMS Webmail you can delay the response of your server to incorrect email addresses. This can be done by changing the value of a global variable called SMTPSlugBadRcpt. The default setting for this variable is 0 (zero) to indicate that no slugging (or slowing) should take place. The variable can be given values ranging between 1 and 8. This will give a delay of between 1 and 256 seconds per bad recipient. Gordano recommends a value of 4 which would give a 16 second delay. This will delay the harvesting program.
- In GMS set the maximum number of connections from a given IP address (for SMTP) to a value between 3 and 5. See Q0555 for more details. This will prevent the harvesting program using all the resources.
- Ban the sender altogether from your server. This can be achieved by updating the SMTPMaxConnectionsPerIP under GMS Anti-Spam > Connect > Max Recipients with an entry such as
assuming the harverster is running on IP a.b.c.d this totally prevents any connections from that IP.
- Finally you can simply use the GMS Anti-Spam > Connect > Banned Hosts option, to ban the IP the harvester is running on from your server.
Keywords:SMTP, slow, slug, responses, bad commands, harvesting, addresses