[exim] Dealing with dictionary attacks

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Jonathan Vanasco
Dátum:  
Címzett: Exim-users
Tárgy: [exim] Dealing with dictionary attacks

We get about 3 dictionary attacks on our servers each day. Its really
annoying.

I'm trying to come up with a way to combat them -- can anyone drop me
some pointers they use, or help me flesh out the following idea:

Here's my proposed idea
----
under acl_check_rcpt:
    if a "rejected RCPT $ADDRESS: Unrouteable address" error is tripped, 
we log the timestamp/datetime in two dbs -- once with the senderIP, 
another with the senderAddress


under acl_check_connect:
    we query the 2 dbs to see if there were 10 or more entries for the ip 
or sender address within the last 3 minutes


this assumes that a dictionary attack will have 10+ guesses in 3
minutes. usually, they seem to work in 1,3,8 second intervals against
our servers

the senderaddress blocking might be too much, in case its spoofed.
maybe it would be either IP or sender_address + ip, as our spammers
tend to not cycle the sender address

comments? suggestions on how to pull it off?