Re: [Exim] Dictionary attack defense

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] Dictionary attack defense
On Wed, 10 Sep 2003, Rossz Vamos-Wentworth wrote:

> Wouldn't it be a good idea to send a message to yourself (or whomever
> is responsible) whenever someone is blacklisted for a dictionary
> attack?
Speaking for us, anyway: when we started this, dictionary-attack open
relays were writing themselves into the blacklist every few minutes,
so a mail for every one would have been out of the question.

But I did, after all, concede that I'd been trying a bit too hard to
block these jokers. Back to that in a moment.

Now that the blacklist has pretty much stabilised (and the addresses
in there tend to appear in the public open-relay blacklists within
hours - or at most a day or two - of blacklisting themselves with us)
we're adding just half a dozen fresh ones a day now, roughly, so an
alert would be feasible.

> I'd also suggest not tying your anti-dictionary
> attack script to blacklist results to avoid this happening again.
> The script should ONLY count attempts at sending to non-existent
> accounts.
Yes, I'm afraid this was an unintended consequence of the logic of the
ACL as written. Mea culpa.

OK, so what's the threat? Seems to me there are three kinds of
activity going on here, and we "on the receiving end" don't
necessarily know how to categorise an individual request:

1. spammers are hammering their way through random localparts in the
hope of hitting a few which exist - and dropping spam on them. We'd
hope to catch those few hits at spam-rating time if they haven't been
caught by the DNSBLs which we use, so this isn't the prime motivation
for b/listing dictionary attackers.

2. spammers are trying to validate entries in their address lists for
future spamming campaigns and for selling-on. Since we check the
localpart (it's cheap to do that) and refuse the mail before we go to
the trouble of looking in the DNSBLs, they'd get away with this, and
this was the idea which originally motivated me to take some action.
However, as I say, it now seems I was trying a bit too hard.

3. innocent third parties are trying to validate addresses presented
to them as counterfeited senders in our domain, via callbacks. It's
pretty clear that the rate of third parties attempting these checks is
escalating, and one can certainly sympathise with it. Normally they'd
do that with a null envelope sender, and only one recipient, and we
would respond honestly to them. But the potential for misuse by
spammers under item 2 is all too obvious, and there seems no obvious
defence. Or rather, the cure would be worse than the disease.

Maybe the answer is to move the DNSBL checks before checking the
localpart, and rely on the open-relay blacklisting to avoid
co-operating with too many address-list verification campaigns. That's
assuming, of course, that DNS-based RBLs are kept usable in the face
of the attacks. Otherwise, local blacklists will become inevitable,
and Heaven help those who have to get themselves out of them, one by
one across the Internet, instead of just a few well-known services.

all the best
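The counting rule discussed in this message (blacklist a client only for RCPTs to non-existent local parts, not for DNSBL hits, and treat a null-sender single-recipient probe as a callback rather than an attack) can be illustrated with a small log-side detector. This is an added example, not the poster's ACL or any Exim code: it runs over a handful of constructed, Exim-mainlog-like reject lines, and the line layout, the reject texts ("Unknown user", "is in a black list"), the thresholds, and the function names are all assumptions made for the example. The `count_dnsbl_rejects=True` switch reproduces the unintended consequence the poster describes, where a host listed in a DNSBL writes itself into the local blacklist without ever having probed an unknown local part.

```python
"""Dictionary-attack detector run over Exim-style reject log lines.

Added example, not the poster's ACL.  Per client IP it counts only RCPT
rejections for non-existent local parts, keeps DNSBL rejections out of the
count, and does not treat a null-sender callback probe as an attack.
"""
import re
from collections import defaultdict

# Constructed sample lines in an Exim-mainlog-like layout.  The layout and
# the reject texts are assumptions for this example; a real site's text
# depends on its own ACL messages.
SAMPLE_LOG = """\
2003-09-10 09:00:01 H=(mx.example.net) [192.0.2.10] F=<> rejected RCPT <ghost@example.org>: Unknown user
2003-09-10 09:00:05 H=(relay1) [198.51.100.7] F=<bulk@spam.invalid> rejected RCPT <aaron@example.org>: Unknown user
2003-09-10 09:00:06 H=(relay1) [198.51.100.7] F=<bulk@spam.invalid> rejected RCPT <abbie@example.org>: Unknown user
2003-09-10 09:00:07 H=(relay1) [198.51.100.7] F=<bulk@spam.invalid> rejected RCPT <abbot@example.org>: Unknown user
2003-09-10 09:00:08 H=(relay1) [198.51.100.7] F=<bulk@spam.invalid> rejected RCPT <abby@example.org>: Unknown user
2003-09-10 09:00:09 H=(relay1) [198.51.100.7] F=<bulk@spam.invalid> rejected RCPT <abe@example.org>: Unknown user
2003-09-10 09:01:00 H=(relay2) [203.0.113.9] F=<x@spam.invalid> rejected RCPT <alan@example.org>: rejected because 203.0.113.9 is in a black list
2003-09-10 09:01:01 H=(relay2) [203.0.113.9] F=<x@spam.invalid> rejected RCPT <bob@example.org>: rejected because 203.0.113.9 is in a black list
2003-09-10 09:01:02 H=(relay2) [203.0.113.9] F=<x@spam.invalid> rejected RCPT <carol@example.org>: rejected because 203.0.113.9 is in a black list
2003-09-10 09:01:03 H=(relay2) [203.0.113.9] F=<x@spam.invalid> rejected RCPT <dave@example.org>: rejected because 203.0.113.9 is in a black list
2003-09-10 09:01:04 H=(relay2) [203.0.113.9] F=<x@spam.invalid> rejected RCPT <erin@example.org>: rejected because 203.0.113.9 is in a black list
"""

# Date, time, H=(helo), [ip], F=<sender>, the rejected recipient, and the
# free-text reason the ACL gave.
LINE_RE = re.compile(
    r"^\S+ \S+ H=\(?(?P<helo>[^)\s]*)\)? \[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)

UNKNOWN_USER = "Unknown user"          # assumed text for a non-existent local part
DNSBL_MARKER = "is in a black list"    # assumed text for a DNSBL rejection


def parse(log_text):
    """Yield one dict per line that matches the reject layout; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def tally(log_text, count_dnsbl_rejects=False):
    """Count, per client IP, the rejects that count as dictionary probing.

    Counted: RCPT rejections for a non-existent local part from a non-null
    sender.  Kept separate: null-sender probes (a callback verifier uses
    F=<> and a single recipient).  Not counted unless count_dnsbl_rejects
    is True: rejections whose cause was a DNSBL hit.  Setting that flag
    reproduces the original ACL's mistake of blacklisting DNSBL-listed hosts.
    """
    hits = defaultdict(int)
    callbacks = defaultdict(int)
    for r in parse(log_text):
        if r["reason"].startswith(UNKNOWN_USER):
            if r["sender"] == "":
                callbacks[r["ip"]] += 1
            else:
                hits[r["ip"]] += 1
        elif count_dnsbl_rejects and DNSBL_MARKER in r["reason"]:
            hits[r["ip"]] += 1
    return dict(hits), dict(callbacks)


def blacklist(log_text, threshold=5, callback_threshold=50,
              count_dnsbl_rejects=False):
    """Return the sorted list of client IPs that exceed the attack threshold.

    A null-sender host is listed only once it has probed callback_threshold
    non-existent addresses: a verifier checks a handful, a list-washer
    checks hundreds.  Both thresholds are assumptions, not the poster's.
    """
    hits, callbacks = tally(log_text, count_dnsbl_rejects)
    listed = {ip for ip, n in hits.items() if n >= threshold}
    listed |= {ip for ip, n in callbacks.items() if n >= callback_threshold}
    return sorted(listed)


if __name__ == "__main__":
    print("original ACL logic:", blacklist(SAMPLE_LOG, count_dnsbl_rejects=True))
    print("corrected logic   :", blacklist(SAMPLE_LOG))
```

Run over the constructed lines, the corrected rule lists only the relay hammering alphabetical local parts; the original rule additionally lists the host whose every reject was a DNSBL hit, which is exactly the host that never probed a local part at all. The single null-sender probe from the first host is recorded as a callback and never reaches a threshold.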