Re: [Exim] Dictionary attack defense

Pàgina inicial
Delete this message
Reply to this message
Autor: Alan J. Flavell
Data:  
A: Exim users list
Assumpte: Re: [Exim] Dictionary attack defense
On Tue, 9 Sep 2003, Odhiambo G. Washington wrote:

> I am making an attempt at discouraging dictionary attacks (and I see many)


Yes, I've been trying a bit too hard to do that, and caused two quite
embarrassing situations as a result.

I think you'll find the story of the first accident in the archive of
this list.

The second one happened when osirusoft went pear-shaped recently due
to DDoS, and they set it to blacklist every query submitted to it.
For about an hour, until the problem was recognised, we were rejecting
almost every mail: so far, so bad. BUT, what I hadn't realised was
that at one point during that hour, we had been offered mail for a
long list of recipients from a rather important source. As each one
was rejected in the RCPT ACL due to the unearned blacklisting, it was
counted as a failed recipient, and so, after a certain number was
reached, the logic of the ACL blacklisted this rather important source
of mail as being a dictionary attacker. It took some time before this
error then came to light, meantime we were refusing all non-postmaster
mail from that source. OUCH. So take care.

[...]

> In the logs I see this:
>
> 2003-09-09 13:09:03 H=(printerserver) [61.152.210.131] F=<umzu3mdy@???> \
> rejected RCPT <muchene@???>: Dictionary scan! 3 failed recipient attempts


Looks as if it's all happening, then.

> The part that leaves me stumped is why the script does not run!


Are you sure it does not "run" ???

> When I run a debug test with one of the ips I get from the log, I see that the
> rule is working, it even goes ahead to effect the delay, but never does it
> put the offending IP in the file.


So it's quite possible that the script runs, but is unable to write to
the file, no?

> Log snippet:


Yes, but what's in that script? You _do_ test I/O operations for
success and report an error if they failed, don't you?

all the best