On 19 Oct 2006, at 21:12, Martin A. Brooks wrote:
> Marc Perkel wrote:
>
>> This person only has one user account for the domain with no plans to
>> ever have more. It's a domain for one person. But he's into IMAP and
>> likes the idea of direct folder delivery. So if he subscribes to some
>> new email list what he does is create a folder for that list and then
>> subscribe using the email address folder@???. The existence of
>> the folder makes the email address valid.
>
> I fail to see the difference between this and delivery to an arbitrary
> shared folder. Unless I've massively misunderstood what you're doing
> it's neither a trick, nor cool, it's just a function of your IMAP
> server.
What he is doing I thing is getting exim to automatically create a
new account for any local part it receives on the domains it servs.
That is quite clever.
However, Marc, there is a huge problem (Assuming I read this right).
When the domain gets its first dictionary attack (sending spam to
loads of random local parts)
You will create hundreds possibly thousands of new mail drops.
I think what you should do is only create the account if the email
originates from a trusted (+relay_from) IP
That way you have the same functionality pretty much for the user, he/
she can just mail their own domain to create a new account. But
without the danger of a dictionary attack.
I see this type of attack quite often, luckily for me working in a
non english speaking country mostly these attacks fail because the
local parts are too hard to guess :)
>
>
>
> --
> Martin A. Brooks | http://www.antibodymx.net/ | Anti-spam & anti-
> virus
> Consultant | martin@??? | filtering. Inoculate
> antibodymx.net | m: +447896578023 | your mail system.
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>
