Re: [Exim] Dictionary attack defence ideas?

Author: Peter N Lewis
Date:  
To: Juha Saarinen, exim-users
Subject: Re: [Exim] Dictionary attack defence ideas?
At 14:48 +1200 8/7/02, Juha Saarinen wrote:

>Some happy chappie decided to run a dictionary attack against my Exim 4.04
>installation earlier:
I get these continuously for one of my domains, but weirdly not in
any order, and not from the same host. For example:

2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46] F=<john@???> rejected RCPT <mstuder@???>: unknown user
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46] F=<john@???> rejected RCPT <brandonh@???>: unknown user
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46] F=<john@???> rejected RCPT <mount@???>: unknown user
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46] F=<john@???> rejected RCPT <yoneyama@???>: unknown user
...
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46] F=<john@???> rejected RCPT <rclegg@???>: unknown user
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46] F=<john@???> rejected RCPT <qm@???>: unknown user
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46] F=<john@???> rejected RCPT <bathory@???>: unknown user
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46] F=<john@???> rejected RCPT <aissa@???>: unknown user
2002-07-08 09:00:01 H=(mta.epix.net) [194.198.208.46] F=<john@???> rejected RCPT <murfoid@???>: unknown user
...
etc.

Basically, batches of 29 from john@<somewhere> (and other cases, but
this is common).

Shrug. I don't know why or how to stop them.

From a single host, you can blacklist the host with:

host_reject_connection = /Users/exim/exim/blacklist-hosts

and then in the file list (one per line) the IP address for each host
you don't want connections from (or domain names, but list them after
all IPs).

>I've searched Google, and the mailing list archives, but drawn a blank on
>finding anything that might be useful to combat dictionary attacks.
>
>Is there a way to e.g. teergrube idiots who bombard your server with lots
>of connections? Max_connections_per_host or something?
Since mine come in batches from different servers, I don't think
anything will work. I guess if I could set up Exim to reject
connections for the next 24 hours from any host that sent two "user
unknown" rcpts in a connection (I run a private site so user unknown
should be unusual), then I could try that. Shrug, mostly I guess I
can just ignore it; the only problem is if they are using this
technique to gather email addresses into spam lists, in which case
the user unknown is actually helping them, but I don't see what can
be done about that either.

Any ideas?
    Peter.
--
<http://www.interarchy.com/>  <http://download.interarchy.com/>
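As an added example (not from Peter's post or from the Exim project), a Python script that turns the per-host idea above into a defensive check against the log format shown: it counts "unknown user" rejections per peer IP over a 24-hour window and emits the one-entry-per-line file that host_reject_connection reads, with any domain names placed after the IPs as the post advises. The sample log lines, the reference time, the window and the threshold of two are constructed assumptions, and the count is per IP across the window rather than per connection.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "rejected RCPT ... unknown user" lines Exim 4 writes to its main
# log, in the layout shown in the post above: HELO name in parentheses, peer IP
# in square brackets. Sender and recipient are deliberately not captured; the
# source address is what the blacklist acts on.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) H=\([^)]*\) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] F=<[^>]*> rejected RCPT <[^>]*>: unknown user$"
)

# Constructed sample log, not from a real server: three rejects from the address
# in the post, one host below the threshold, two rejects older than the window,
# and one unrelated delivery line that must be ignored. NOW is the constructed
# reference time the window is measured back from.
SAMPLE_LOG = """\
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46] F=<john@example.net> rejected RCPT <mstuder@example.com>: unknown user
2002-07-08 10:11:48 H=(mail.accucon.com) [194.198.208.46] F=<john@example.net> rejected RCPT <brandonh@example.com>: unknown user
2002-07-08 10:11:49 H=(mail.accucon.com) [194.198.208.46] F=<john@example.net> rejected RCPT <mount@example.com>: unknown user
2002-07-08 09:30:00 H=(mx.example.org) [198.51.100.7] F=<typo@example.org> rejected RCPT <bob@example.com>: unknown user
2002-07-06 11:00:00 H=(old.example.org) [192.0.2.9] F=<a@example.org> rejected RCPT <x@example.com>: unknown user
2002-07-06 11:00:01 H=(old.example.org) [192.0.2.9] F=<a@example.org> rejected RCPT <y@example.com>: unknown user
2002-07-08 10:12:00 1AbCdE-000001-Zz <= alice@example.org H=(mx.example.org) [198.51.100.7] P=esmtp S=1234
"""
NOW = datetime(2002, 7, 8, 12, 0, 0)

def count_unknown_user_rejects(log_text, now, window=timedelta(hours=24)):
    """Count 'unknown user' rejections per peer IP within `window` before `now`."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if timedelta(0) <= now - ts <= window:
            counts[m.group("ip")] += 1
    return dict(counts)

def build_blacklist(counts, threshold=2, extra_domains=()):
    """Lines for the host_reject_connection file: offending IPs first, in
    numeric order, then any domain names, since the post says names go after IPs."""
    ips = [ip for ip, n in counts.items() if n >= threshold]
    ips.sort(key=ipaddress.ip_address)
    return ips + list(extra_domains)

if __name__ == "__main__":
    print("\n".join(build_blacklist(count_unknown_user_rejects(SAMPLE_LOG, NOW))))
```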