Re: [exim] Spamtrap harvesting idea using fake authenticatio…

Author: Phil Pennock
Date:  
To: Ian Eiloart
CC: exim-users@exim.org users
Subject: Re: [exim] Spamtrap harvesting idea using fake authentication
On 2013-06-07 at 15:42 +0100, Ian Eiloart wrote:
> It might be better to accept only, say, 1% of authentication attempts.
> That would prevent the hacker from trivially detecting your trap (by
> authenticating to the same account with two different passwords). You
> could use the rate limit facility to increase the likelihood of
> success. Exim doesn't have, as far as I know, a random number
> generator, but you could perhaps use a hash of the
> username/password/date string.

As of Exim 4.70 (from 2009):

----------------------------8< cut here >8------------------------------
${randint:<n>}

    This operator returns a somewhat random number which is less than the
    supplied number and is at least 0. The quality of this randomness depends
    on how Exim was built; the values are not suitable for keying material. If
    Exim is linked against OpenSSL then RAND_pseudo_bytes() is used.

    If Exim is linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used,
    for versions of GnuTLS with that function.

    Otherwise, the implementation may be arc4random(), random() seeded by
    srandomdev() or srandom(), or a custom implementation even weaker than
    random().
----------------------------8< cut here >8------------------------------

The GnuTLS provider only came in with the GnuTLS revamp in 4.80.

-Phil
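As an added illustration of wiring ${randint:} into the 1%-acceptance idea from the thread (example configuration, not from either poster and not part of Exim's own documentation): a PLAIN authenticator whose server_condition succeeds about one attempt in a hundred. The authenticator name "trap_plain" is invented here, and Exim 4.70 or later is assumed for ${randint:}.

```exim
# Added example, not from the original thread. Requires Exim >= 4.70 for
# ${randint:}. Drop this into the authenticators section of the config.
begin authenticators

# Invented name for this example.
trap_plain:
  driver = plaintext
  public_name = PLAIN
  # PLAIN sends everything in one step, so no server prompts are needed.
  server_prompts = :
  # For PLAIN, $auth2 is the username and $auth3 the password presented.
  # ${randint:100} yields an integer in 0..99, so comparing it with 0 is
  # true roughly 1% of the time; the credentials themselves are ignored,
  # which is the point of the trap (no real account is ever checked).
  server_condition = ${if eq{${randint:100}}{0}{yes}{no}}
  # Record the username the client claimed, so it appears in the log line
  # and in $authenticated_id for later ACL or routing decisions.
  server_set_id = $auth2
```

Because ${randint:} is not a function of the presented credentials, the same username/password pair can get different answers on successive attempts, whereas the hash-of-username/password/date approach Ian mentions is deterministic and therefore closer to how a real authenticating server behaves. Which property you want depends on how closely the trap must mimic a real server.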