Email delivery problems never seem to go away. Every day, we process support requests dealing with email delivery delays, spam or other problems. A key source of these issues is poorly configured mail transfer agents (MTAs) or end user accounts. One attack that can be particularly damaging is a dictionary attack.
What is a Dictionary Attack?
A dictionary attack (which used to be commonly called a Rumpelstiltskin attack up until a few years ago) is an attack where the sender floods your server with usernames selected from a dictionary. Role-based accounts, such as billing, sales and support, are often targeted, but you ever peek at your logs, you will see thousands of attempts to send email to unknown users. It is as if the attacker picked up the latest Baby Names book and just started flooding your server with all of the names.
Sending Email to Unknown Users? Why Bother?
The intent is always debated but two reasons are frequently tossed about. The first is that this is just another spamming technique. Rather than buying a list they just spam to any possible name they can generate. This seems rather inefficient but sending email is cheap. The second reasons, which is more likely the case, is that spammers use these techniques to generate lists of valid email accounts. This allows them to either sell these lists of “verified” emails or be more accurate in their other spamming activities.
The Impact
The impact of a dictionary attack can be severe if your server is not properly configured. Though several issues can arise two key issues occur over and over: Email Delivery Delays and Blacklisting.
If your server is configured to bounce email to unknown users instead of rejecting it, then your system can quickly become overloaded with email. Bouncing email means you send a Non-Delivery Report (NDR), which is the proper thing to do according to section 3.7 of RFC 2821.
Sending a NDR or bounce just generates more work for your server and can lead to your IP being blacklisted by places like SpamCop. Spamcop may blacklist your IP because spammers often spoof the reply to information. Your server essential sends a bounce to a person that never sent you an email to being with. This is called backscatter.
Many MTAs can be configured to reject not bounce email. Rejecting email occurs at an earlier stage in the process. If you reject email to unknown users, your server will first check to see if a user is valid and then if not, reject the senders message. This is done before the email is ever accepted into your system. As a result a bounce is not generated and the email does not enter your mail queue. By rejecting emails to unknown users, you can lower the load on your system and prevent backscatter.
Dictionary Attack Prevention
So what can you do? You must assure that your MTA rejects emails to unknown users. All major control panel systems, Plesk, Ensim and cPanel have options to assure that you reject not bounce email to unknown users. cPanel and Plesk have options within their control panels. Ensim is rather cumbersome in that it by default creates a catch-all account that should be removed.
Sendmail has a nice feature called BadRcptThrottle that can aid it mitigating a dictionary attack. This option will rate-limit connection from senders that try to send to unknown users.