RE: [Exim] FW: Defending Against Rumplestiltskin Attacks???

I should probably have mentioned that I run Exim 4.32 + Exiscan + SpamAssassin + ClamAV.
How don't see how the 'catchall' clause in the Exim configure file can shorten the session with the offensive remote MTA
or lessen the adverse affect on our bandwidth in case of a dictionary attack.

--ilan



> -----Original Message-----
> From: Mike 'Fraz' White [mailto:fraz@smartowner.co.uk]
> Sent: Sunday, May 09, 2004 5:04 PM
> To: 'Ilan Aisic'; exim-users@???
> Subject: RE: [Exim] FW: Defending Against Rumplestiltskin Attacks???
>
>
> Probably not the best solution and no doubt there are a
> million and one reasons why you shouldn't do it (but hey I'm
> no expert!!)
>
> I have a 'catchall' at the end of my 'Directors'
>
> # This director sends all unknown local parts to a specific mailbox
>
> catchall:
> driver = redirect
> data = ${lookup{$local_part}lsearch*{/etc/exim/aliases.wild}}
> file_transport = address_file
> pipe_transport = address_pipe
>
>
>
> Currently the alias.wild has one alias of
>
> *: spamtrap
>
> although you could use
>
> *: /dev/null
>
>
> Doesn't stop them connecting but on the other hand .............
>
> --
> Mike 'Fraz' White
> www.smartowner.co.uk
>
>
> > -----Original Message-----
> > From: exim-users-admin@???
> [mailto:exim-users-admin@exim.org] On
> > Behalf Of Ilan Aisic
> > Sent: 09 May 2004 16:12
> > To: exim-users@???
> > Subject: [Exim] FW: Defending Against Rumplestiltskin Attacks???
> >
> > Hi list,
> > I was wondering if there's a way to configure Exim so that
> spammers or
> > computers trying to flood us with DDoS attacks, can be treated to a
> > special slow connection (See below postfix setup).
> >
> > --
> > Ilan Aisic
> >
> > -----Original Message-----
> > From: Jon [mailto:groups@ez15loan.com]
> > Sent: Saturday, May 08, 2004 9:17 AM
> > To: spamassassin-users@???
> > Subject: Re: Defending Against Rumplestiltskin Attacks???
> >
> >
> > Also, if your running postfix as your MTA, you could set:
> >
> > smtpd_error_sleep_time = 60
> > smtpd_soft_error_limit = 3
> > smtpd_hard_error_limit = 6
> >
> > or simular in main.cf (adjust these numbers to suit your boxes
> needs/mail
> > volume). This creates a sudo tarpit effect.
> > I got attacked a while back for about 3 days, then they gave up.
> Whois
> > showed the IP range was from a university (go
> > figure).
> >
> > --
> > Regards,
> > Jon
> >
> > Mike Hatz said:
> > > Hi,
> > >
> > > This might not be the right place to ask for this help,
> but since I
> am
> > under a spam-based attack, I figured the collective group might be
> able to
> > help out or have defended against such
> > nonsense.
> > >
> > > My mail server is a linux machine running RH9. It has
> been getting
> > wailed on by rumplestiltskin attacks for weeks now. I have
> modded my
> > sendmail.cf pretty heavily to help fight against it with
> various RBLs
> > and BAD RCPT throttles.
> > >
> > > However, my friends who are acting as my secondary mail
> spoolers are
> > getting flattened by the volume of the attack, since I
> suspect that it
> > might actually be attempting to attack and relay through
> the secondary
> > MX records besides hitting the primary MX
> record.
> > >
> > > I have spent hours googling around to look for solutions, even a
> > solution that would use iptables and simply drop the inbound smtp
> > connections for say 24-hours, if it triggers a throttle or a 550
> > response in sendmail.
> > >
> > > How can I determine the root of all of this?
> > >
> > > How can I keep the secondary's from getting pummeled?
> > >
> > > Thanks for any help. I'll post a summary of all the
> things I have
> > > done
> > so far, as well as your answers.
> > >
> > > Mike
> > >
> >
> >
> >
> >
> >
> > --
> >
> > ## List details at http://www.exim.org/mailman/listinfo/exim-users
> Exim
> > details at http://www.exim.org/ ##
>
>
>
>