RE: [Exim] Rumplestiltskin attacks anyway to combat them?

Author: lists
Date:  
To: 'Lars Schimmer', exim-users
Subject: RE: [Exim] Rumplestiltskin attacks anyway to combat them?
-> -----Original Message-----
-> From: exim-users-admin@???
-> [mailto:exim-users-admin@exim.org] On Behalf Of Lars Schimmer
-> Sent: Wednesday, June 30, 2004 8:06 AM
-> To: Dennis Davis
-> Cc: cjackson@???; lists; exim-users@???
-> Subject: Re: [Exim] Rumplestiltskin attacks anyway to combat them?
->
->
-> -> Dennis Davis wrote:
-> |>Subject: Re: [Exim] Rumplestiltskin attacks anyway to combat them?
-> |>From: Craig Jackson <cjackson@???>
-> |>Reply-To: cjackson@???
-> |>To: lists <lists@???>
-> |>Cc: exim-users@???
-> |>Date: Wed, 23 Jun 2004 19:06:10 -0500
-> |>
-> |>On Wed, 2004-06-23 at 18:54, lists wrote:
-> |>
-> |>>I have a mail gateway running 4.34 clamd and spamassassin with a
-> |>>smart_route to an internal exim box.  I am getting rumplestiltskin
-> |>>attack to the point that I can honestly say that over 4k of messages
-> |>>that hit the gateway get bounced with a 550 unknown user or at least
-> |>>try till the timers on frozen messages get them in 5 minutes.  Has
-> |>>anyone found a good way to combat this problem?  I have googled on
-> |>>"rumplestiltskin attack" and for a few hacked perl scripts nothing
-> |>>else really.  I know this was brought up in here a few months ago but
-> |>>google doesn't seem to index the archives very well.  I wish I could
-> |>>think of a way to check the internal box's user list before the ext.
-> |>>gateway passes the message on.  I turned on verify_recipient but that
-> |>>did not seem to change anything.
-> |>
-> |>What is rumpelstiltskin? Is that DDOS?
-> |
-> |
-> | It's where an attacker tries to guess email addresses in your domain
-> | and harvest the usable ones for later use.  You'll find a good
-> | description of this in Brett Glass's paper:
-> |
-> | http://www.brettglass.com/spam.html
-> |
-> | where countermeasures are also discussed.
-> |
-> | I see rumplestiltskin attacks against my servers.  So one
-> | countermeasure I use is to introduce delays if I see more than a
-> | certain number of failed addresses during a single connection.  This
-> | technique has been discussed on this list before.
-> |
-> | I'm slightly amused at the patience of these people.  For example
-> | today's log on one of my servers shows:
-> |
-> | 2004-06-24 09:48:32 H=mailer02.mckinsey.com (na-mailer02.mckinsey.com) [157.191.3.31] F=<> temporarily rejected RCPT <IPSAENGFERRUH.GURTAS@???>: 157.191.3.31 bad recipients 24, delay 7864320
-> |
-> | The delay is in seconds, so the above is ~91 days!
-> |
-> | I also double the delay for each bad recipient.  So the same mail
-> | server's logs show:
-> |
-> | 2004-06-24 03:54:08 H=mailwall2.statoil.com [143.97.143.25] F=<> temporarily rejected RCPT <ENGLMARIANI@???>: 143.97.143.25 bad recipients 16, delay 30720
-> | 2004-06-24 09:48:32 H=mailwall2.statoil.com [143.97.143.25] F=<> temporarily rejected RCPT <ENGMAPPEL@???>: 143.97.143.25 bad recipients 17, delay 61440
-> |
-> | One disadvantage of doing this is you have a persistent connection
-> | that's open for a very long time.  So dedicated offenders need to be
-> | restricted to a single connection.  It should be easy to automate
-> | this, although I currently set this up by hand.
-> |
-> | I also let these connections run for as long as the client is happy to
-> | remain connected.  Although it would be easy to just drop the
-> | connection after a certain number of bad recipients.  Persistent prats
-> | would then just get to play in a recurring tarpit with every
-> | connection.
->
-> Yeah, tarpitting is nice.
-> Do you have any conf example for this? I also plan to tarpit
-> these "harvesters". I'm using exim4 and sa-exim from
-> Debian unstable. So tarpitting is available but right now I'm
-> a bit confused how to tarpit in these ACLs...
->
-> Cya &thx
-> Lars
-> - --
-> - -----------------------------------------------------------------
-> Technische Universität Braunschweig, Institut für Computergraphik
-> Tel.: +49 531 391-2109            E-Mail: schimmer@???
-> PGP-Key-ID: 0xB87A0E03


Nice idea but the spammer just trashed my box last night by overloading SA
to the point of panic. It seems that they were pumping something through that
killed clamd and then ate spamassassin for lunch. I had 108 copies of spamd
running, each taking a ton of memory. I have tons of reports of too many
connections right before everything went to hell. The box was luckily behind
a firewall with only port 25 open to it. I guess the Rumplestiltskin attacks
were an attempt to feel me out or something.

So till I can get something back up there that will not die on me I am
running with just clamd on my main server with no bastion box in front of
exim 4.31 exiscan and clam
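The per-connection doubling delay Dennis describes, written out as an Exim 4 configuration fragment. This is an added example, not configuration from anyone on the thread; it assumes a recent Exim 4 with the `acl_c` connection variables and the `defer` ACL verb, a `+local_domains` domain list already defined, and made-up values for the threshold (6 bad recipients), the starting delay (30 seconds) and the offender address pattern.

```exim
# --- main configuration section ---
# Dedicated offenders get only one simultaneous connection, so a long
# tarpit cannot be worked around by opening more sessions in parallel.
# The address pattern is a constructed placeholder; in practice it would
# be fed from the hosts seen tarpitted in the logs.
smtp_accept_max_per_host = ${if match{$sender_host_address}{\N^192\.0\.2\.\N}{1}{10}}

# --- ACL section ---
acl_check_rcpt:
  # Local addresses that verify are accepted outright.
  accept  domains = +local_domains
          verify  = recipient

  # Everything else for a local domain is an unknown user.  Count it in a
  # connection variable: acl_c0 keeps its value across all messages in the
  # same SMTP session, which is what the "bad recipients N" figure needs.
  warn    domains    = +local_domains
          set acl_c0 = ${eval:${if def:acl_c0{$acl_c0}{0}}+1}

  # Below the assumed threshold of 6, answer a plain 550 with no delay so
  # ordinary typos are not punished.
  deny    domains   = +local_domains
          condition = ${if <{$acl_c0}{6}{yes}{no}}
          message   = unknown user

  # At or above the threshold, double the delay for every further bad
  # recipient (assumed start: 30 seconds), sleep for that long, then
  # temporarily reject the RCPT.  The log_message mirrors the format of
  # the log lines quoted in the thread.
  defer   domains     = +local_domains
          set acl_c1  = ${if def:acl_c1{${eval:$acl_c1*2}}{30}}
          delay       = ${acl_c1}s
          log_message = $sender_host_address bad recipients $acl_c0, delay $acl_c1
          message     = unknown user

  # Non-local recipients fall through to whatever relay policy the site
  # already has; this placeholder simply refuses them.
  deny    message = relay not permitted
```

With 30 seconds at the sixth bad recipient the delay reaches 30720 seconds at the sixteenth and 7864320 at the twenty-fourth, the same progression as the quoted log lines. How long a session really lasts is then decided by the client's patience and by the server's own receive timeout, which is why the connection cap above matters: without it a long sleep in one session costs the attacker nothing while it ties up a listener on your side.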