[Exim] More Re. Defending Against Rumplestiltskin Attacks

Author: Ilan Aisic
Date:  
To: 'Tim Jackson', exim-users
Old-Topics: Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???
Subject: [Exim] More Re. Defending Against Rumplestiltskin Attacks
Thanks for your suggestion.
I have another idea:
I check the domain a message comes from during RCPT and reject it using the following two lines in my exim config:

deny message = Your host ($sender_host_address) was blocked by http://www.stearns.org/sa-blacklist/
hosts = partial()lsearch;/usr/exim/rejections/sa-blacklist.current.domains

However, the correctness of the addressee name is checked earlier, probably before the RCPT command.
The documentation states that it's unwise to refuse the connection before RCPT because most MTAs will retry a few times.
But ratware usually doesn't retry. Therefore, I suggest that a bounce message on an "Unknown user" should only be sent
if the sender is not in a blacklist.
Has anyone done that? I'm not sure how to set this up without messing up my exim configuration.

Regards,

--
Ilan Aisic

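For readers following the thread, here is an added Exim RCPT ACL that puts the two ideas above together: the blacklist check from Ilan's config is evaluated before the recipient is looked at, and unknown local parts are refused at RCPT time (so no bounce is ever generated) with Tim's growing delay applied only once verification has failed. This is an added example, not configuration posted by Ilan, Tim or the Exim project; it assumes the default configure file's `acl_smtp_rcpt = acl_check_rcpt` setting and `+local_domains` list, and that the default file's local-submission and relay statements are kept around it. The `log_message` texts are made up for this example.

```exim
# Main section (assumed; this is what Exim's default configure file ships with)
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # 1. Refuse blacklisted hosts before examining the recipient, so a
  #    listed sender learns nothing about which local parts exist.
  #    Lookup file and message text are the ones from Ilan's config.
  deny    message     = Your host ($sender_host_address) was blocked by http://www.stearns.org/sa-blacklist/
          log_message = blacklisted host, RCPT for $local_part@$domain refused
          hosts       = partial()lsearch;/usr/exim/rejections/sa-blacklist.current.domains

  # 2. For our own domains, reject unknown users in the RCPT reply instead
  #    of accepting and bouncing later. ACL modifiers act in order, so the
  #    delay is only applied after "!verify = recipient" has matched.
  #    $rcpt_fail_count is the number of RCPTs already rejected in this
  #    message, so the sleep starts with the fourth bad recipient and grows
  #    by 20 seconds for each further one (Tim's expression).
  deny    message     = Unknown user
          log_message = unknown local part, $rcpt_fail_count earlier RCPT failures in this session
          domains     = +local_domains
         !verify      = recipient
          delay       = ${if >{$rcpt_fail_count}{2}{${eval:20*$rcpt_fail_count}}{0}}s

  # 3. Verified local recipients are accepted.
  accept  domains     = +local_domains

  # Everything else would be relaying, which this host does not do.
  deny    message     = relay not permitted
```

Ordering is the point here: because the `hosts` deny comes first, a blacklisted client gets the same rejection for valid and invalid local parts alike, while the `!verify = recipient` deny gives everyone else a 550 during the SMTP dialogue rather than a bounce afterwards. The `log_message` lines make each rejection show up in the main log, so a dictionary attack is visible as a run of "unknown local part" entries from one `$sender_host_address`.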

> -----Original Message-----
> From: exim-users-admin@???
> [mailto:exim-users-admin@exim.org] On Behalf Of Tim Jackson
> Sent: Sunday, May 09, 2004 5:38 PM
> To: exim-users@???
> Subject: Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???
>
>
> Hi Mike, on Sun, 9 May 2004 16:22:14 +0100 you wrote:
>
> > Admittedly it won't stop/reduce the incoming bandwidth but
> it saves
> > your system having to send out an unknown/high number of bounce
> > messages.
>
> Bear in mind that a properly configured system won't generate
> bounces for non-existent users in the first place though. If
> you are accepting all mail and generating bounces, then that
> certainly will send your load rocketing if you get a bad
> dictionary attack.
>
> To the OP: there are various "teergrube" type things you can
> do, though I wouldn't rely too much on their effectiveness
> since depending on how long the sender waits for timeouts
> etc. they may be of limited use. Using Exim itself, various
> people have posted to this mailing list before suggesting ACL
> rules to add variable delays for dictionary attacks. For
> example, alongside the "deny" which rejects bad recipients,
> you might have something like this:
>
> delay = ${if >{$rcpt_fail_count}{2} {${eval:20*$rcpt_fail_count}}{0}}s
>
> That will cause increasing delays (20 seconds *
> bad_recipients) in this
> case) in sending SMTP responses, starting with the fourth bad
> recipient. You can of course customise this to your taste.
>
> Additionally, if you use the SA-Exim patch, there are options
> in there to "tarpit" senders where the spam score exceeds a
> certain value.
>
>
> On a different topic, setting smtp_accept_max_per_host will
> prevent a single sending machine tying up too many of your
> resources, but of course this won't help with a dictionary
> attack distributed across multiple source IPs.
>
>
> Tim
>
> --
>
> ## List details at
> http://www.exim.org/mailman/listinfo/exim-users Exim details
> at http://www.exim.org/ ##