RE: [Exim] FW: Defending Against Rumplestiltskin Attacks???

Pàgina inicial
Delete this message
Reply to this message
Autor: Mike 'Fraz' White
Data:  
A: 'Ilan Aisic', exim-users
Assumpte: RE: [Exim] FW: Defending Against Rumplestiltskin Attacks???
Probably not the best solution and no doubt there are a million and one
reasons why you shouldn't do it (but hey I'm no expert!!)

I have a 'catchall' at the end of my 'Directors'

# This director sends all unknown local parts to a specific mailbox

catchall:
driver = redirect
data = ${lookup{$local_part}lsearch*{/etc/exim/aliases.wild}}
file_transport = address_file
pipe_transport = address_pipe



Currently the alias.wild has one alias of

*: spamtrap

although you could use

*: /dev/null


Doesn't stop them connecting but on the other hand .............

--
Mike 'Fraz' White
www.smartowner.co.uk


> -----Original Message-----
> From: exim-users-admin@??? [mailto:exim-users-admin@exim.org] On
> Behalf Of Ilan Aisic
> Sent: 09 May 2004 16:12
> To: exim-users@???
> Subject: [Exim] FW: Defending Against Rumplestiltskin Attacks???
>
> Hi list,
> I was wondering if there's a way to configure Exim so that spammers or
> computers trying to flood us with DDoS attacks,
> can be treated to a special slow connection (See below postfix setup).
>
> --
> Ilan Aisic
>
> -----Original Message-----
> From: Jon [mailto:groups@ez15loan.com]
> Sent: Saturday, May 08, 2004 9:17 AM
> To: spamassassin-users@???
> Subject: Re: Defending Against Rumplestiltskin Attacks???
>
>
> Also, if your running postfix as your MTA, you could set:
>
> smtpd_error_sleep_time = 60
> smtpd_soft_error_limit = 3
> smtpd_hard_error_limit = 6
>
> or simular in main.cf (adjust these numbers to suit your boxes

needs/mail
> volume). This creates a sudo tarpit effect.
> I got attacked a while back for about 3 days, then they gave up.

Whois
> showed the IP range was from a university (go
> figure).
>
> --
> Regards,
> Jon
>
> Mike Hatz said:
> > Hi,
> >
> > This might not be the right place to ask for this help, but since I

am
> under a spam-based attack, I figured the collective group might be

able to
> help out or have defended against such
> nonsense.
> >
> > My mail server is a linux machine running RH9. It has been getting
> wailed on by rumplestiltskin attacks for weeks now. I have modded my
> sendmail.cf pretty heavily to help fight against
> it with various RBLs and BAD RCPT throttles.
> >
> > However, my friends who are acting as my secondary mail spoolers are
> getting flattened by the volume of the attack, since I suspect that it
> might actually be attempting to attack and relay
> through the secondary MX records besides hitting the primary MX

record.
> >
> > I have spent hours googling around to look for solutions, even a
> solution that would use iptables and simply drop the inbound smtp
> connections for say 24-hours, if it triggers a
> throttle or a 550 response in sendmail.
> >
> > How can I determine the root of all of this?
> >
> > How can I keep the secondary's from getting pummeled?
> >
> > Thanks for any help. I'll post a summary of all the things I have
> > done
> so far, as well as your answers.
> >
> > Mike
> >
>
>
>
>
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users

Exim
> details at http://www.exim.org/ ##