Re: [Exim] Re: Dictionary attack defence ideas?

Author: Juha Saarinen
Date:  
To: Derrick 'dman' Hudson
CC: exim-users@exim.org
Subject: Re: [Exim] Re: Dictionary attack defence ideas?
On Sun, 7 Jul 2002, Derrick 'dman' Hudson wrote:

> That was more than likely a single connection. There is a max rcpts
> option, but I think it only applies to successful recipients.
>
> You could accept all rcpts at RCPT time and reject/bounce the message
> later. If the attacker is merely trying to build a spam list and
> quits before DATA, then you've just given a whole list of "verified"
> but bogus addresses to them.


Bummer. That's annoying.

> Hmm, with a host like that they may be in the DUL. If you want you
> can reject mail from DUL-listed hosts and tell them to use their ISP's
> smarthost instead.


Hmmm... might be worth the trouble to fill out the MAPS form for
individual sites then.

> I keep getting hit from a DSL-connected spammer in Spain, and in
> addition to my address they also try "ga16040" and
> "ga11581@???". Repeatedly. No amount of rejection makes
> them go away. Since their spam got through SA, I added their host to
> a reject list. (If you want it : 217.127.31.182 , 217.125.79.217)
> They still won't go away. At least I'm not crunched for that
> bandwidth =p. (If I was I'd add them to my nimbda-based IP-level
> blocking.)


Too bad. The Spanish (almost wrote "Spammish") ISP won't take action
against their customer?

Anyway, need to think about this one.

--
Juha Saarinen