Re: [Exim] Rumplestiltskin attacks anyway to combat them?

Góra strony
Delete this message
Reply to this message
Autor: Lars Schimmer
Data:  
Dla: Dennis Davis
CC: cjackson, lists, exim-users
Temat: Re: [Exim] Rumplestiltskin attacks anyway to combat them?
Dennis Davis schrieb:
|>Subject: Re: [Exim] Rumplestiltskin attacks anyway to combat them?
|>From: Craig Jackson <cjackson@???>
|>Reply-To: cjackson@???
|>To: lists <lists@???>
|>Cc: exim-users@???
|>Date: Wed, 23 Jun 2004 19:06:10 -0500
|>
|>On Wed, 2004-06-23 at 18:54, lists wrote:
|>
|>>I have a mail gateway running 4.34 clamd and spamassasin with a
|>>smart_route to a internal exim box. I am getting rumplestiltskin
|>>attack to the point that I can honestly say that over 4k of
|>>messages that hit the gateway get bounced with a 550 unknown user
|>>or at least try till the timers on frozen messages get them in 5
|>>minutes. Has anyone found a good way to combat this problem. I
|>>have googled on "rumplestiltskin attack" and for a few hacked
|>>perl scripts nothing else really. I know this was brought up
|>>in here a few months ago but google doesn't seem to index the
|>>archives very well. I wish I could think if a way to check the
|>>internal boxes user list before the ext. gateway passes the
|>>message on. I turned on verify_recipient but that did not seem
|>>to change anything.
|>
|>What is rumpelstitskin? Is that DDOS?
|
|
| It's where an attacker tries to guess email addresses in your domain
| and harvest the usable ones for later use. You'll find a good
| description of this in Brett Glass's paper:

|
| http://www.brettglass.com/spam.html

|
| where countermeasures are also discussed.

|
| I see rumplestiltskin attacks against my servers. So one
| countermeasure I use is to introduce delays if I see more than a
| certain number of failed addresses during a single connection.
| This technique has been discussed on this list before.

|
| I'm slighty amused at the patience of these people. For example
| today's log on one of my servers shows:

|
| 2004-06-24 09:48:32 H=mailer02.mckinsey.com (na-mailer02.mckinsey.com)

[157.191.3.31] F=<> temporarily rejected RCPT
<IPSAENGFERRUH.GURTAS@???>: 157.191.3.31 bad recipients 24, delay
7864320
|
| The delay is in seconds, so the above is ~91 days!

|
| I also double the delay for each bad recipient. So the same mail
| server's logs show:

|
| 2004-06-24 03:54:08 H=mailwall2.statoil.com [143.97.143.25] F=<>

temporarily rejected RCPT <ENGLMARIANI@???>: 143.97.143.25 bad
recipients 16, delay 30720
| 2004-06-24 09:48:32 H=mailwall2.statoil.com [143.97.143.25] F=<>

temporarily rejected RCPT <ENGMAPPEL@???>: 143.97.143.25 bad
recipients 17, delay 61440
|
| One disadvantage of doing this is you have a persistent connection
| that's open for a very long time. So dedicated offenders need to be
| restricted to a single connection. It should be easy to automate
| this, although I currently set this up by hand.

|
| I also let these connections run for as long as the client is happy
| to remain connected. Although it would be easy to just drop the
| connection after a certain number of bad recipients. Persistent
| prats would then just get to play in a recurring tarpit with every
| connection.


Yeah, tarpitting is nice.
Do You have any conf example for this? I also plan to tarpit these
"harvesters".
I'm using exim4 and sa-exim from debianunstable.
So tarpitting is available but right now I'm a bit confused how to
tarpit in these ACLs...

Cya &thx
Lars
- --
- -----------------------------------------------------------------
Technische Universität Braunschweig, Institut für Computergraphik
Tel.: +49 531 391-2109            E-Mail: schimmer@???
PGP-Key-ID: 0xB87A0E03