Re: [Exim] Rumplestiltskin attacks anyway to combat them?

Author: Dennis Davis
Date:  
To: cjackson
CC: lists, exim-users
Subject: Re: [Exim] Rumplestiltskin attacks anyway to combat them?
>Subject: Re: [Exim] Rumplestiltskin attacks anyway to combat them?
>From: Craig Jackson <cjackson@???>
>Reply-To: cjackson@???
>To: lists <lists@???>
>Cc: exim-users@???
>Date: Wed, 23 Jun 2004 19:06:10 -0500
>
>On Wed, 2004-06-23 at 18:54, lists wrote:
>> I have a mail gateway running 4.34 clamd and spamassassin with a
>> smart_route to an internal exim box. I am getting rumplestiltskin
>> attacks to the point that I can honestly say that over 4k of
>> messages that hit the gateway get bounced with a 550 unknown user
>> or at least try till the timers on frozen messages get them in 5
>> minutes. Has anyone found a good way to combat this problem? I
>> have googled on "rumplestiltskin attack" and apart from a few hacked
>> perl scripts nothing else really. I know this was brought up
>> in here a few months ago but google doesn't seem to index the
>> archives very well. I wish I could think of a way to check the
>> internal boxes' user list before the ext. gateway passes the
>> message on. I turned on verify_recipient but that did not seem
>> to change anything.
>
>What is rumpelstiltskin? Is that DDOS?


It's where an attacker tries to guess email addresses in your domain
and harvest the usable ones for later use. You'll find a good
description of this in Brett Glass's paper:

http://www.brettglass.com/spam.html

where countermeasures are also discussed.

I see rumplestiltskin attacks against my servers. So one
countermeasure I use is to introduce delays if I see more than a
certain number of failed addresses during a single connection.
This technique has been discussed on this list before.

I'm slightly amused at the patience of these people. For example,
today's log on one of my servers shows:

2004-06-24 09:48:32 H=mailer02.mckinsey.com (na-mailer02.mckinsey.com) [157.191.3.31] F=<> temporarily rejected RCPT <IPSAENGFERRUH.GURTAS@???>: 157.191.3.31 bad recipients 24, delay 7864320

The delay is in seconds, so the above is ~91 days!

I also double the delay for each bad recipient. So the same mail
server's logs show:

2004-06-24 03:54:08 H=mailwall2.statoil.com [143.97.143.25] F=<> temporarily rejected RCPT <ENGLMARIANI@???>: 143.97.143.25 bad recipients 16, delay 30720
2004-06-24 09:48:32 H=mailwall2.statoil.com [143.97.143.25] F=<> temporarily rejected RCPT <ENGMAPPEL@???>: 143.97.143.25 bad recipients 17, delay 61440

One disadvantage of doing this is you have a persistent connection
that's open for a very long time. So dedicated offenders need to be
restricted to a single connection. It should be easy to automate
this, although I currently set this up by hand.

I also let these connections run for as long as the client is happy
to remain connected, although it would be easy to just drop the
connection after a certain number of bad recipients. Persistent
prats would then just get to play in a recurring tarpit with every
connection.
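An added example (not part of the original thread, and not Exim's own ACL code) that models the countermeasure described above as a small simulation: a per-connection count of rejected recipients, a temporary rejection with a delay once a threshold is hit, doubling with each further bad recipient, and a single-connection limit for hosts that have reached the threshold. The base delay of 15 seconds starting at the 5th bad recipient is an assumption inferred from the logged figures (16 bad recipients, 30720 s; 17, 61440 s; 24, 7864320 s all equal 15 * 2^(n - 5)); the log parser is checked against the three log lines quoted in the message, and the hosts and user names in the simulation are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed parameters, inferred from the delays in the quoted log lines:
# delays start at the 5th bad recipient with 15 s and double each time.
BASE_DELAY = 15
THRESHOLD = 5


def tarpit_delay(bad_recipients: int) -> int:
    """Seconds to hold a RCPT response once a connection has produced
    `bad_recipients` unknown-user rejections; 0 below the threshold."""
    if bad_recipients < THRESHOLD:
        return 0
    return BASE_DELAY * 2 ** (bad_recipients - THRESHOLD)


# Matches the tail of the reject lines quoted in the message.
LOG_RE = re.compile(r"bad recipients (\d+), delay (\d+)")


def parse_tarpit_log(line: str) -> Optional[Tuple[int, int]]:
    """Extract (bad recipient count, delay seconds) from one log line."""
    m = LOG_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def consistent_with_doubling(lines: List[str]) -> bool:
    """True if every tarpit line in `lines` matches the doubling rule above."""
    pairs = [p for p in map(parse_tarpit_log, lines) if p]
    return bool(pairs) and all(tarpit_delay(bad) == delay for bad, delay in pairs)


@dataclass
class Connection:
    host: str
    bad: int = 0  # unknown recipients seen on this connection so far


class Gateway:
    """Simulated gateway: rejects unknown users, tarpits connections that
    keep guessing, and limits known offenders to one open connection."""

    def __init__(self, valid_users: List[str]) -> None:
        self.valid: Set[str] = set(valid_users)
        self.offenders: Set[str] = set()     # hosts that hit the threshold
        self.open: Dict[str, int] = {}       # host -> open connection count

    def connect(self, host: str) -> Optional[Connection]:
        # Dedicated offenders are restricted to a single connection.
        if host in self.offenders and self.open.get(host, 0) >= 1:
            return None
        self.open[host] = self.open.get(host, 0) + 1
        return Connection(host)

    def rcpt(self, conn: Connection, localpart: str) -> Tuple[str, int]:
        """Handle one RCPT TO; return (SMTP reply class, delay in seconds)."""
        if localpart in self.valid:
            return ("250", 0)
        conn.bad += 1
        delay = tarpit_delay(conn.bad)
        if conn.bad >= THRESHOLD:
            self.offenders.add(conn.host)
        if delay:
            return ("451", delay)   # temporarily rejected, client is tarpitted
        return ("550", 0)           # plain unknown user

    def disconnect(self, conn: Connection) -> None:
        self.open[conn.host] -= 1


def simulate_guessing(host: str, guesses: int) -> List[Tuple[str, int]]:
    """Run `guesses` unknown recipients over one connection; return replies."""
    gw = Gateway(["postmaster", "alice"])       # constructed user list
    conn = gw.connect(host)
    return [gw.rcpt(conn, f"guess{i}") for i in range(guesses)]


# The three log lines quoted in the message, used to check the inferred rule.
QUOTED_LOG = [
    "2004-06-24 09:48:32 H=mailer02.mckinsey.com (na-mailer02.mckinsey.com) [157.191.3.31] F=<> temporarily rejected RCPT <IPSAENGFERRUH.GURTAS@???>: 157.191.3.31 bad recipients 24, delay 7864320",
    "2004-06-24 03:54:08 H=mailwall2.statoil.com [143.97.143.25] F=<> temporarily rejected RCPT <ENGLMARIANI@???>: 143.97.143.25 bad recipients 16, delay 30720",
    "2004-06-24 09:48:32 H=mailwall2.statoil.com [143.97.143.25] F=<> temporarily rejected RCPT <ENGMAPPEL@???>: 143.97.143.25 bad recipients 17, delay 61440",
]

if __name__ == "__main__":
    print("quoted log consistent with doubling:", consistent_with_doubling(QUOTED_LOG))
    for bad, (code, delay) in enumerate(simulate_guessing("203.0.113.10", 7), start=1):
        print(f"bad recipient {bad}: {code}, delay {delay}s")
```

The simulation keeps the operator's own choice of leaving the connection open for as long as the client stays; a variant that drops the connection after a fixed number of bad recipients would only need the 451 branch replaced by a disconnect, and the offender set would then do the work of tarpitting the next connection.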