Re: [Exim] Different Teergrub/Dictinary Attack

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Tony Earnshaw
Date:  
À: Exim users list
Sujet: Re: [Exim] Different Teergrub/Dictinary Attack
Alan J. Flavell wrote:

> A limit of 1 seems rather strong. An inadvertent obsolete address in
> an otherwise bona fide list would trigger it, right?
>
> As we discussed here recently, though, this approach (no matter what
> limit you set) permits of a trivial workaround for the spammers: they
> just have to use RSET.


That's what the man wanted. Personally, I have 5.

> I was preparing to move towards counting in the call-wide acl_c
> variables... i.e I had inserted a "warn" to find out what it would do,
> preparatory to using it instead of the existing checks - which are
> based on $rcpt_count (the number of attempted rcpt) and
> $recipients_count (the number of good recipients), so as not to
> penalise just the occasional obsolete address in a large but otherwise
> bona-fide addressee list.
>
> [However, I haven't finished that, and this mass worm-fighting
> business has taken its toll, so I can't report any results yet.]


Look forward to it ;)
>
> Of course, neither option will help if the spammers take to using a
> fresh call for each victim address.


>>>          !verify     = recipient
>>>          delay       = ${eval: ($rcpt_fail_count) * 60}s
>>>          log_message = $rcpt_fail_count failed recipient attempts

>
> In our experience, if we delayed by > 5 minutes then the attacker
> would disconnect from their side, and try again.


Which is the default.

> Some of them were
> seen to be retrying the same portion of their address list, over and
> over and over, in this situation - thus making things worse than they
> had been before, rather than better. So keep a close eye on the
> consequences of whatever you're trying ;-)


Regularly reading logs or arranging for a script to do so is paramount.

> Don't forget that if you _do_ decide to finish the party by refusing
> to talk SMTP to them, or even dropping them at the firewall, then
> a bona fide sender who has been misidentified has no way to even
> contact the postmaster to discuss the problem.


Why? I've cut off dictionary attacks. Mail to postmaster *or* abuse
should be accepted, whatever happens. My dialect's SA-Exim 3.1

Tonni

--
Tony Earnshaw

Looking backwards is always easy with hindsight

http://www.billy.demon.nl
Mail: tonni@???