Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???

Página Inicial
Delete this message
Reply to this message
Autor: Tim Jackson
Data:  
Para: exim-users
Novos Tópicos: [Exim] More Re. Defending Against Rumplestiltskin Attacks
Assunto: Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???
Hi Mike, on Sun, 9 May 2004 16:22:14 +0100 you wrote:

> Admittedly it won't stop/reduce the incoming bandwidth but it saves
> your system having to send out an unknown/high number of bounce
> messages.


Bear in mind that a properly configured system won't generate bounces for
non-existent users in the first place though. If you are accepting all
mail and generating bounces, then that certainly will send your load
rocketing if you get a bad dictionary attack.

To the OP: there are various "teergrube" type things you can do, though I
wouldn't rely too much on their effectiveness since depending on how long
the sender waits for timeouts etc. they may be of limited use. Using Exim
itself, various people have posted to this mailing list before suggesting
ACL rules to add variable delays for dictionary attacks. For example,
alongside the "deny" which rejects bad recipients, you might have
something like this:

delay = ${if >{$rcpt_fail_count}{2} {${eval:20*$rcpt_fail_count}}{0}}s

That will cause increasing delays (20 seconds * bad_recipients) in this
case) in sending SMTP responses, starting with the fourth bad recipient.
You can of course customise this to your taste.

Additionally, if you use the SA-Exim patch, there are options in there to
"tarpit" senders where the spam score exceeds a certain value.


On a different topic, setting smtp_accept_max_per_host will prevent a
single sending machine tying up too many of your resources, but of course
this won't help with a dictionary attack distributed across multiple
source IPs.


Tim