RE: [Exim] Rumplestiltskin attacks anyway to combat them?

-> |>Subject: Re: [Exim] Rumplestiltskin attacks anyway to combat them?
-> |>From: Craig Jackson <cjackson@???>
-> |>Reply-To: cjackson@???
-> |>To: lists <lists@???>
-> |>Cc: exim-users@???
-> |>Date: Wed, 23 Jun 2004 19:06:10 -0500
-> |>
-> |>On Wed, 2004-06-23 at 18:54, lists wrote:
-> |>
-> |>>I have a mail gateway running 4.34 clamd and spamassasin with a
-> |>>smart_route to a internal exim box.  I am getting rumplestiltskin
-> |>>attack to the point that I can honestly say that over 4k
-> of messages
-> |>>that hit the gateway get bounced with a 550 unknown user
-> or at least
-> |>>try till the timers on frozen messages get them in 5
-> minutes.  Has
-> |>>anyone found a good way to combat this problem. I have googled on
-> |>>"rumplestiltskin attack" and for a few hacked perl
-> scripts nothing
-> |>>else really.  I know this was brought up in here a few
-> months ago but
-> |>>google doesn't seem to index the archives very well.  I
-> wish I could
-> |>>think if a way to check the internal boxes user list
-> before the ext.
-> |>>gateway passes the message on.  I turned on
-> verify_recipient but that
-> |>>did not seem to change anything.
-> |>
-> |>What is rumpelstitskin? Is that DDOS?
-> |
-> |
-> | It's where an attacker tries to guess email addresses in
-> your domain
-> | and harvest the usable ones for later use.  You'll find a good
-> | description of this in Brett Glass's paper:
-> |
-> | http://www.brettglass.com/spam.html
-> |
-> | where countermeasures are also discussed.
-> |
-> | I see rumplestiltskin attacks against my servers.  So one
-> | countermeasure I use is to introduce delays if I see more than a
-> | certain number of failed addresses during a single
-> connection. This
-> | technique has been discussed on this list before.
-> |
-> | I'm slighty amused at the patience of these people.  For example
-> | today's log on one of my servers shows:
-> |
-> | 2004-06-24 09:48:32 H=mailer02.mckinsey.com
-> (na-mailer02.mckinsey.com)
-> [157.191.3.31] F=<> temporarily rejected RCPT
-> <IPSAENGFERRUH.GURTAS@???>: 157.191.3.31 bad
-> recipients 24, delay 7864320
-> |
-> | The delay is in seconds, so the above is ~91 days!
-> |
-> | I also double the delay for each bad recipient.  So the same mail
-> | server's logs show:
-> |
-> | 2004-06-24 03:54:08 H=mailwall2.statoil.com [143.97.143.25] F=<>
-> temporarily rejected RCPT <ENGLMARIANI@???>:
-> 143.97.143.25 bad recipients 16, delay 30720
-> | 2004-06-24 09:48:32 H=mailwall2.statoil.com [143.97.143.25] F=<>
-> temporarily rejected RCPT <ENGMAPPEL@???>:
-> 143.97.143.25 bad recipients 17, delay 61440
-> |
-> | One disadvantage of doing this is you have a persistent connection
-> | that's open for a very long time.  So dedicated offenders
-> need to be
-> | restricted to a single connection.  It should be easy to automate
-> | this, although I currently set this up by hand.
-> |
-> | I also let these connections run for as long as the client
-> is happy to
-> | remain connected.  Although it would be easy to just drop the
-> | connection after a certain number of bad recipients.
-> Persistent prats
-> | would then just get to play in a recurring tarpit with every
-> | connection.
->
-> Yeah, tarpitting is nice.
-> Do You have any conf example for this? I also plan to tarpit
-> these "harvesters". I'm using exim4 and sa-exim from
-> debianunstable. So tarpitting is available but right now I'm
-> a bit confused how to tarpit in these ACLs...
->
-> Cya &thx
-> Lars
-> - --
-> - -----------------------------------------------------------------
-> Technische Universität Braunschweig, Institut für Computergraphik
-> Tel.: +49 531 391-2109            E-Mail: schimmer@???
-> PGP-Key-ID: 0xB87A0E03
->
->
->

Esta mensagem é parte da seguinte discussão:
	a lista completa das discussões ordenadas por data
	Lars Schimmer em
	Craig Jackson em