[exim] Dealing with dictionary attacks

Góra strony
Delete this message
Reply to this message
Autor: Jonathan Vanasco
Data:  
Dla: Exim-users
Temat: [exim] Dealing with dictionary attacks

We get about 3 dictionary attacks on our servers each day. Its really
annoying.

I'm trying to come up with a way to combat them -- can anyone drop me
some pointers they use, or help me flesh out the following idea:

Here's my proposed idea
----
under acl_check_rcpt:
    if a "rejected RCPT $ADDRESS: Unrouteable address" error is tripped, 
we log the timestamp/datetime in two dbs -- once with the senderIP, 
another with the senderAddress


under acl_check_connect:
    we query the 2 dbs to see if there were 10 or more entries for the ip 
or sender address within the last 3 minutes


this assumes that a dictionary attack will have 10+ guesses in 3
minutes. usually, they seem to work in 1,3,8 second intervals against
our servers

the senderaddress blocking might be too much, in case its spoofed.
maybe it would be either IP or sender_address + ip, as our spammers
tend to not cycle the sender address

comments? suggestions on how to pull it off?