On Thu, 22 Aug 2002, Chris Edwards wrote:
> Thanks to everyone for suggestions. Looks like checking sender_helo_name
> contains *something* does the trick:
>
> deny message = "HELO/EHLO required by SMTP RFC"
> condition = ${if eq{$sender_helo_name}{}{yes}{no}}
This is working great now for us.
One observation seems to be relevant, however. (I'll come to it in a
moment. I think it may be useful first to set the scene.) Both
before and after the change, we were logging:
rejected HELO from [n.n.n.n]: syntactically invalid argument(s): $domain
at the start of this kind of dictionary attack. It appears that the
attacks are made through open socks proxies. The attacker disregards
our response to HELO, and goes on to systematically try a series of
local addresses, while purporting to use a sender address which is the
first one on the list (see example below).
The difference between before and after is that before, we were
dutifully responding to the requests and telling the attacker that the
addresses did not exist; afterwards (i.e with the v4 recipe from
Chris) we're logging e.g (linewrapped for comfort):
2002-08-24 10:50:46 rejected HELO from mail.synergics.com
[63.216.107.218]: syntactically invalid argument(s): $domain
2002-08-24 10:50:48 H=mail.synergics.com [63.216.107.218]
F=<bigbrother@???> rejected RCPT
<bigbrother@???>: RFCs mandate HELO/EHLO before mail can be sent.
2002-08-24 10:50:49 H=mail.synergics.com [63.216.107.218]
F=<bigbrother@???> rejected RCPT
<bjacobs@???>: RFCs mandate HELO/EHLO before mail can be sent.
2002-08-24 10:50:49 H=mail.synergics.com [63.216.107.218]
F=<bigbrother@???> rejected RCPT
<blinkie@???>: RFCs mandate HELO/EHLO before mail can be sent.
and so on. The addresses are tried in alphabetical order.
Here's the point, however. If I investigate the number of occurrences
of the "rejected HELO ... $domain" message in our _archived_ logs, I
get 52, spread over a period of a couple of months. However, in the
current log since 18th August (i.e about a week) there are over 100,
from quite a number of different IPs (open socks proxies). So the
attacks have suddenly got much more intense. By the way, the number
of addresses tested per incident does not seem to be a constant, but
seem to be typically less than a couple of dozen.
This shouldn't be confused with the (apparently-notorious)
194.198.208.46, whose attacks do not begin with the '$domain' error in
the log and (our observations agree with nanae) tries exactly 29
addresses per attack. They routinely present a sender address of
john@???, with ever-changing "some.domain" but the email name
seems to be a constant "john". Also, their target addresses aren't
tried in alphabetical order. They've apparently been doing this for
many months (according to Osirusoft and nanae) - I don't know why they
aren't thoroughly RBL'ed already. There's also a comment in nanae:
http://groups.google.com/groups?selm=ujp2atm35362d5%40corp.supernews.com
that they are failing to conform to pipelining rules, and that postfix
catches them out on that.
best regards
