At 21:00 +0000 2003/02/16, Alan J. Flavell wrote:
[...]
>
>Typical scenario was, the attacker connected, tried about three dozen
>RCPT TOs for random usernames, and disconnected. Some 20-30mins later
>he'd be back and try the same with a fresh bunch of random usernames.
>And so on.
>
>I used the rate-limiting to spin the three dozen attempts out over
>hours, but the attacker still opened a fresh call after 20-30 minutes,
>so that eventually we had several of these probe series going in
>parallel, and the total number of addresses probed per day seemed no
>different than before. Since the attacker kept switching to different
>open proxies, we could only deduce that it was the same attacker by
>the modus operandi and the pattern of names being probed.
>
>Mostly the only answer he got from us was that his IP was blacklisted
>for being an open proxy, but just occasionally he'd strike lucky and
>we would confirm or deny the existence of a couple of user addresses
>via our reply to his RCPT TO.
One way of making dictionary attacks useless is to deny at RCPT once
a certain number of recipients have been denied (for whatever
reason). I use 1 for this value... It is important though that the
deny message includes the reason, like "denied: too many unacceptable
recipients in smtp transaction". And perhaps even delay the response
by a fixed (or variable) amount of time. I also have this rule kick
off at the DATA phase, where I reject the message, just in case they
got a positive (2XX) response to their first RCPT. This is very
useful if you disseminate trap addresses.
I can do this because I do not serve an inordinate amount of users.
Giuliano
--
H U M P H
|| |||
software
Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
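The per-transaction cutoff that Giuliano describes, written out as a small model of the server side. This is an added example, not code from the thread or from any MTA: the local domain, user list, trap address, reply codes (550 for the cutoff, 354 for DATA) and the `max_denied` / `delay_seconds` parameters are all assumptions made for the illustration. It shows why the counter defeats the probing pattern Alan described: after the first refused recipient the probe gets one uniform, reason-bearing denial for every further RCPT TO, whether the address exists or not, and the DATA phase is rejected even when an earlier RCPT (for example to a trap address) drew a 2XX.

```python
"""Per-transaction recipient-denial cutoff for an SMTP server.

Added example; not code from the thread or any MTA. Policy modelled:
after `max_denied` recipients have been refused in one SMTP transaction,
for whatever reason, every further RCPT TO gets one uniform denial that
states the reason (optionally after a delay), and DATA is rejected too.
Domain, users, trap address and reply codes are constructed assumptions.
"""
import time
from dataclasses import dataclass

LOCAL_DOMAIN = "example.test"          # constructed local domain
VALID_USERS = {"alice", "bob"}         # constructed real mailboxes
TRAP_USERS = {"oldlist"}               # constructed trap (decoy) address
TOO_MANY = "550 denied: too many unacceptable recipients in smtp transaction"


@dataclass
class Session:
    """State kept for one SMTP transaction (one client connection)."""
    denied: int = 0      # recipients refused so far, for any reason
    accepted: int = 0    # recipients accepted (2XX) so far


class RecipientPolicy:
    def __init__(self, max_denied=1, delay_seconds=0.0, sleep=time.sleep):
        self.max_denied = max_denied        # the reply uses 1
        self.delay_seconds = delay_seconds  # optional slowdown of cutoff denials
        self.sleep = sleep                  # injectable so tests need not wait

    def _is_deliverable(self, address):
        local, sep, domain = address.rpartition("@")
        if not sep or domain.lower() != LOCAL_DOMAIN:
            return False                    # not local: refused (no relaying)
        return local.lower() in VALID_USERS or local.lower() in TRAP_USERS

    def rcpt_to(self, session, address):
        """Return the SMTP reply line for one RCPT TO:<address>."""
        if session.denied >= self.max_denied:
            # Cutoff reached: identical answer for every address, real or
            # not, so the probe learns nothing more in this transaction.
            if self.delay_seconds:
                self.sleep(self.delay_seconds)
            return TOO_MANY
        if self._is_deliverable(address):
            session.accepted += 1
            return "250 OK"
        session.denied += 1
        return "550 5.1.1 No such user here"

    def data(self, session):
        """Reply for DATA: the same rule rejects the whole message."""
        if session.denied >= self.max_denied:
            return TOO_MANY
        if session.accepted == 0:
            return "503 5.5.1 No valid recipients"
        return "354 End data with <CR><LF>.<CR><LF>"


def run_probe(usernames, max_denied=1, delay_seconds=0.0):
    """Simulate one transaction: a RCPT TO per username, then DATA.

    Returns (rcpt replies, DATA reply, list of delays that would have been
    applied). Sleeps are recorded instead of performed.
    """
    delays = []
    policy = RecipientPolicy(max_denied, delay_seconds, sleep=delays.append)
    session = Session()
    replies = [policy.rcpt_to(session, f"{u}@{LOCAL_DOMAIN}") for u in usernames]
    return replies, policy.data(session), delays


if __name__ == "__main__":
    # Dictionary probe that happens to hit a real user on its second try:
    # only the first refusal is specific; "alice" is never confirmed.
    for reply in run_probe(["zzq1", "alice", "zzq2"])[0]:
        print(reply)
```

With `max_denied=1`, a sender who mistypes one address still gets a specific refusal for it, so the cost to legitimate mail is one transaction with a generic error rather than a bounce; raising `max_denied` trades a little more address confirmation for tolerance of typos.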