Re: [exim] conducive.org

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] conducive.org
John W. Baxter wrote:

> On 10/18/06 8:51 AM, "W B Hacker" <wbh@???> wrote:
>
>
>>If 'random' was once a good idea, it sure seems less so when dictionary
>>attacks abound.
>
>
> On the other hand, the Exim-generated "random" address (really a pattern
> with a random component) could be tested for and not treated as unfriendly,
> without any significant failure to detect dictionary attacks.
>
> If you choose to, of course.
>
> --John (who doesn't do callouts)
>


Thanks for that!

Confirmed that it is now in use as a server-harvesting tool, at least by a few.

I have found 37 over a 12-month period, not quite evenly distributed, but
typically 3 a month. Not worth adding a parser for.

In any case, most hits (though fewer unique IPs) were from servers also turning
up in various RBLs.

The only other 'legit' hit besides Renee's that was apparent was Odhiambo
Washington's server.

The others are nearly all from servers we have no record of traffic to/from
during the year examined (so why probe our server?), and nearly all on .ua or
.ru TLDs.

Checking a newer log, for a period where we were *may* drop early on rDNS fail &
dynamic-IP (and/or the DynDNS style domains), shows just ONE new hit in a little
over a month, so 'probes' they are, in our view - not callouts related to
verifying any actual traffic.

A devel/R&D box that rigorously drops on rDNS fail / dynamic-IP has *zero* hits
over 13 months.

Now and then a turkey may wander in amongst the ducks, but they both roast nicely.

;-)

Bill