[Exim] Re: Dictionary attack defence ideas?

Author: Derrick 'dman' Hudson
Date:
To: exim-users
Subject: [Exim] Re: Dictionary attack defence ideas?
--
On Mon, Jul 08, 2002 at 02:48:20PM +1200, Juha Saarinen wrote:
| Some happy chappie decided to run a dictionary attack against my Exim 4.04
| installation earlier:
|
| 2002-07-08 00:57:35 H=pcp01631504pcs.tybout01.de.comcast.net
| (mx.spamcop.net) [68.82.4.229] F=<webmaster@???> rejected RCPT
| <amber@???>: Unrouteable address

[...]
| ... etc, ad nauseam.
|
| I've searched Google, and the mailing list archives, but drawn a blank on
| finding anything that might be useful to combat dictionary attacks.
|
| Is there a way to e.g. teergrube idiots who bombard your server with lots
| of connections? Max_connections_per_host or something?

That was more than likely a single connection. There is a max rcpts
option, but I think it only applies to successful recipients.

You could accept all rcpts at RCPT time and reject/bounce the message
later. If the attacker is merely trying to build a spam list and
quits before DATA, then you've just given a whole list of "verified"
but bogus addresses to them. If you get some spam with a bogus return
address you're stuck unless you do the rejection after DATA.

Hmm, with a host like that they may be in the DUL. If you want you
can reject mail from DUL-listed hosts and tell them to use their ISP's
smarthost instead.

I keep getting hit from a DSL-connected spammer in Spain, and in
addition to my address they also try "ga16040" and
"ga11581@???". Repeatedly. No amount of rejection makes
them go away. Since their spam got through SA, I added their host to
a reject list. (If you want it: 217.127.31.182, 217.125.79.217)
They still won't go away. At least I'm not crunched for that
bandwidth =p. (If I was I'd add them to my Nimda-based IP-level
blocking.)

-D

--

If we claim to be without sin, we deceive ourselves and the truth is not
in us.
        I John 1:8


http://dman.ddts.net/~dman/
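A defender-side check for the pattern in the quoted log line, added here as an example that is not part of this message or of Exim itself: it parses Exim 4 mainlog "rejected RCPT" entries and flags client IPs that rack up many "Unrouteable address" rejections inside a short window, the kind of host you would put on a reject list as described above. The sample log lines, the example.* domains, the 192.0.2.10 address and the threshold/window defaults are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim 4 mainlog "rejected RCPT" line in the shape quoted above. The HELO part
# in parentheses is optional because not every connection supplies one.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) H=(?P<host>\S+)"
    r"(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

def parse_rejects(lines):
    """Yield (timestamp, ip, recipient, reason) for each rejected-RCPT line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"], m["reason"]

def find_dictionary_attackers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total} for IPs with >= threshold 'Unrouteable address'
    RCPT rejections inside any span of length `window` (sliding window)."""
    per_ip = defaultdict(list)
    for ts, ip, _rcpt, reason in parse_rejects(lines):
        if reason == "Unrouteable address":      # ignore relay/other rejects
            per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0                                # oldest stamp still in window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample log: the comcast host from the quoted line probing six
# guessed local parts within seconds, plus one isolated typo from another
# (documentation-range) address and one unrelated relay rejection.
_HOST = "H=pcp01631504pcs.tybout01.de.comcast.net (mx.spamcop.net) [68.82.4.229]"
SAMPLE_LOG = [
    f"2002-07-08 00:57:{35 + i:02d} {_HOST} F=<webmaster@example.com> rejected RCPT <{name}@example.org>: Unrouteable address"
    for i, name in enumerate(["amber", "amy", "andrea", "andrew", "angela", "ann"])
] + [
    "2002-07-08 01:12:03 H=mail.example.net [192.0.2.10] F=<bob@example.net> rejected RCPT <ambre@example.org>: Unrouteable address",
    "2002-07-08 01:13:00 H=mail.example.net [192.0.2.10] F=<bob@example.net> rejected RCPT <x@elsewhere.example>: relay not permitted",
]
```

Running `find_dictionary_attackers(SAMPLE_LOG)` flags only 68.82.4.229; the single mistyped recipient from 192.0.2.10 stays below the threshold, which is the distinction that keeps a reject list from catching ordinary typos.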
