[Exim] Throttling mail from users (stopping DoS attacks)

Top Pagina
Delete this message
Reply to this message
Auteur: Douglas Gray Stephens
Datum:  
Aan: exim-users
Onderwerp: [Exim] Throttling mail from users (stopping DoS attacks)
Hi,

Recently I had a problem with an individual using a brute force attack
trying to send a variant of a well known extortion message to hundreds
of thousands of recipients, e.g. in one connection
amvv@[my-domain]
amvw@[my-domain]
amvx@[my-domain]
amvy@[my-domain]
amvz@[my-domain]
amw@[my-domain]
amwa@[my-domain]
amwb@[my-domain]
amwc@[my-domain]
amwd@[my-domain]
amwe@[my-domain]
amwf@[my-domain]
amwg@[my-domain]
amwh@[my-domain]
amwi@[my-domain]
amwj@[my-domain]
amwk@[my-domain]
amwl@[my-domain]
amwm@[my-domain]
amwn@[my-domain]
amwo@[my-domain]
amwp@[my-domain]
amwq@[my-domain]
amwr@[my-domain]

A short term fix was to block messages with the specified subject from
that particular domain.

I am looking at something that stops what could be considered denial
of service attacks (for the implementation in question, each recipient
address filtered through to 8 LDAP lookups on an already heavily
loaded multi-purpose server).

I would like to implement a filter that counts connections (or
delivery addresses) from a each user (or may be domain), and if there
were too many messages from a user within a given period, then the
mail would be rejected.

I realise that some spam filters do operate such algorithms, and so
can quarantine this type of message, but is is possible to do this
within exim? (There was a short thread on this topic in 2001:
http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20010319/025140.html
)



Thanks,

Douglas.

--

================================
Douglas GRAY STEPHENS
Technical Architect (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND

Phone  +44 1223 325295
Mobile +44 773 0051628
Fax    +44 1223 311830
Email DGrayStephens@???
================================